♻️ flux kustomizations

2025-09-17 18:24:14 +02:00 · 2022-12-26 15:24:33 +01:00
parent b4572bf19a
commit ca31e11491
730 changed files with 6825 additions and 3766 deletions
--- a/kubernetes/apps/networking/ingress-nginx/app/clusterpolicy.yaml
+++ b/kubernetes/apps/networking/ingress-nginx/app/clusterpolicy.yaml
@@ -0,0 +1,99 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: ingress-auth-annotations
+  annotations:
+    policies.kyverno.io/title: Ingress Auth Annotations
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/description: >-
+      This policy creates auth annotations on ingresses. When
+      the `auth.home.arpa/enabled` annotation is `true` it
+      applies the nginx auth annotations for use with Authelia.
+spec:
+  mutateExistingOnPolicyUpdate: true
+  generateExistingOnPolicyUpdate: true
+  rules:
+    - name: auth
+      match:
+        any:
+          - resources:
+              kinds: ["Ingress"]
+              annotations:
+                auth.home.arpa/enabled: "true"
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              +(nginx.ingress.kubernetes.io/auth-method): GET
+              +(nginx.ingress.kubernetes.io/auth-url): |-
+                http://authelia.default.svc.cluster.local.:8888/api/verify
+              +(nginx.ingress.kubernetes.io/auth-signin): |-
+                https://auth.${SECRET_CLUSTER_DOMAIN}?rm=$request_method
+              +(nginx.ingress.kubernetes.io/auth-response-headers): |-
+                Remote-User,Remote-Name,Remote-Groups,Remote-Email
+              +(nginx.ingress.kubernetes.io/auth-snippet): |
+                proxy_set_header X-Forwarded-Method $request_method;
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: ingress-external-dns-annotations
+  annotations:
+    policies.kyverno.io/title: Ingress External-DNS Annotations
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/description: >-
+      This policy creates external-dns annotations on ingresses.
+      When the `external-dns.home.arpa/enabled` annotation is `true`
+      it applies the external-dns annotations for use with external
+      application access.
+spec:
+  mutateExistingOnPolicyUpdate: true
+  generateExistingOnPolicyUpdate: true
+  rules:
+    - name: external-dns
+      match:
+        any:
+          - resources:
+              kinds: ["Ingress"]
+              annotations:
+                external-dns.home.arpa/enabled: "true"
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              +(external-dns.alpha.kubernetes.io/target): |-
+                services.${SECRET_DOMAIN}.
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: ingress-whitelist-annotations
+  annotations:
+    policies.kyverno.io/title: Ingress Whitelist Annotations
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/description: >-
+      This policy creates annotations on ingresses. When
+      the `external-dns.home.arpa/enabled` annotation is not
+      set it applies the nginx annotations for use with only
+      internal application access.
+spec:
+  mutateExistingOnPolicyUpdate: true
+  generateExistingOnPolicyUpdate: true
+  rules:
+    - name: whitelist
+      match:
+        any:
+          - resources:
+              kinds: ["Ingress"]
+      exclude:
+        any:
+          - resources:
+              annotations:
+                external-dns.home.arpa/enabled: "true"
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              +(nginx.ingress.kubernetes.io/whitelist-source-range): |-
+                10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
--- a/kubernetes/apps/networking/ingress-nginx/app/dashboard/kustomization.yaml
+++ b/kubernetes/apps/networking/ingress-nginx/app/dashboard/kustomization.yaml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking
+configMapGenerator:
+  - name: nginx-dashboard
+    files:
+      - nginx-dashboard.json=https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json
+  - name: nginx-request-handling-performance-dashboard
+    files:
+      - nginx-request-handling-performance-dashboard.json=https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json
+generatorOptions:
+  disableNameSuffixHash: true
+  annotations:
+    kustomize.toolkit.fluxcd.io/substitute: disabled
+  labels:
+    grafana_dashboard: "true"
--- a/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml
+++ b/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml
@@ -0,0 +1,137 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: ingress-nginx
+  namespace: networking
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: ingress-nginx
+      version: 4.4.0
+      sourceRef:
+        kind: HelmRepository
+        name: ingress-nginx
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  dependsOn:
+    - name: cert-manager
+      namespace: cert-manager
+  values:
+    controller:
+      replicaCount: 2
+      service:
+        type: LoadBalancer
+        loadBalancerIP: "${CLUSTER_LB_NGINX}"
+        externalTrafficPolicy: Local
+      publishService:
+        enabled: true
+      ingressClassResource:
+        default: true
+      config:
+        client-body-buffer-size: "100M"
+        client-body-timeout: 120
+        client-header-timeout: 120
+        custom-http-errors: 400,401,403,404,500,502,503,504
+        enable-brotli: "true"
+        enable-real-ip: "true"
+        hsts-max-age: "31449600"
+        keep-alive-requests: 10000
+        keep-alive: 120
+        proxy-body-size: "0"
+        proxy-buffer-size: "16k"
+        ssl-protocols: "TLSv1.3 TLSv1.2"
+        use-forwarded-headers: "true"
+        # crowdsec bouncer
+        # plugins: "crowdsec"
+        # lua-shared-dicts: "crowdsec_cache: 50m"
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+          namespace: default
+          namespaceSelector:
+            any: true
+      extraArgs:
+        default-ssl-certificate: |-
+          networking/${SECRET_CLUSTER_DOMAIN/./-}-tls
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: ingress-nginx
+              app.kubernetes.io/component: controller
+      # crowdsec bouncer
+      # extraVolumes:
+      # - name: crowdsec-bouncer-plugin
+      #   emptyDir: {}
+      # extraInitContainers:
+      # - name: init-clone-crowdsec-bouncer
+      #   image: crowdsecurity/lua-bouncer-plugin
+      #   tag: v0.1.11
+      #   imagePullPolicy: IfNotPresent
+      #   env:
+      #     - name: API_URL
+      #       value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
+      #     - name: API_KEY
+      #       value: "${SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY}"
+      #     - name: DISABLE_RUN
+      #       value: "true"
+      #     - name: BOUNCER_CONFIG
+      #       value: "/crowdsec/crowdsec-bouncer.conf"
+      #   command:
+      #     - "/bin/sh"
+      #     - "-c"
+      #     - |
+      #       #!/bin/sh
+
+      #       sh /docker_start.sh
+      #       mkdir -p /lua_plugins/crowdsec/
+      #       cp -pr /crowdsec/* /lua_plugins/crowdsec/
+      #   volumeMounts:
+      #   - name: crowdsec-bouncer-plugin
+      #     mountPath: /lua_plugins
+      # extraVolumeMounts:
+      # - name: crowdsec-bouncer-plugin
+      #   mountPath: /etc/nginx/lua/plugins/crowdsec
+      #   subPath: crowdsec
+      # resources:
+      #   requests:
+      #     memory: 400Mi
+      #     cpu: 25m
+      #   limits:
+      #     memory: 1Gi
+    defaultBackend:
+      enabled: true
+      image:
+        repository: ghcr.io/tarampampam/error-pages
+        tag: 2.19.0
+      extraEnvs:
+        - name: TEMPLATE_NAME
+          value: l7-light
+        - name: SHOW_DETAILS
+          value: "true"
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                    - key: app.kubernetes.io/name
+                      operator: In
+                      values: ["ingress-nginx"]
+                    - key: app.kubernetes.io/component
+                      operator: In
+                      values: ["default-backend"]
+                topologyKey: kubernetes.io/hostname
--- a/kubernetes/apps/networking/ingress-nginx/app/kustomization.yaml
+++ b/kubernetes/apps/networking/ingress-nginx/app/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking
+resources:
+  - ./dashboard
+  - ./helmrelease.yaml
+  - ./clusterpolicy.yaml