refactor: workflows & renovate

cluster/apps/networking/kustomization.yaml

@@ -7,5 +7,4 @@ resources:
   - certificate
   - ingress-nginx
   - k8s-gateway
-  #- traefik
   - unifi

cluster/apps/networking/traefik/dashboard/ingress-route.yaml

@@ -1,20 +0,0 @@
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: dashboard
-  namespace: networking
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`traefik.${SECRET_CLUSTER_DOMAIN}`)
-      kind: Rule
-      priority: 10
-      services:
-        - name: api@internal
-          kind: TraefikService
-      middlewares:
-        - name: rfc1918
-  tls:
-    secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"

cluster/apps/networking/traefik/dashboard/kustomization.yaml

@@ -1,5 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ingress-route.yaml

cluster/apps/networking/traefik/helm-release.yaml

@@ -1,102 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: traefik
-  namespace: networking
-spec:
-  interval: 5m
-  chart:
-    spec:
-      # renovate: registryUrl=https://helm.traefik.io/traefik
-      chart: traefik
-      version: 10.9.1
-      sourceRef:
-        kind: HelmRepository
-        name: traefik-charts
-        namespace: flux-system
-      interval: 5m
-  values:
-
-    deployment:
-      kind: DaemonSet
-
-    service:
-      enabled: true
-      type: LoadBalancer
-      spec:
-        externalIPs:
-          - "${CLUSTER_LB_TRAEFIK}"
-        externalTrafficPolicy: Local
-
-    logs:
-      general:
-        format: json
-        level: DEBUG
-      access:
-        enabled: true
-        format: json
-
-    ingressClass:
-      enabled: false
-
-    ingressRoute:
-      dashboard:
-        enabled: false
-
-    globalArguments:
-      - "--api.insecure=true"
-      - "--serverstransport.insecureskipverify=true"
-      - "--providers.kubernetesingress.ingressclass=traefik"
-      - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32"
-
-    additionalArguments:
-      - "--providers.kubernetesingress.ingressendpoint.ip=${CLUSTER_LB_TRAEFIK}"
-
-    ports:
-      traefik:
-        expose: true
-      web:
-        redirectTo: websecure
-      websecure:
-        tls:
-          enabled: true
-          options: "default"
-      metrics:
-        port: 8082
-        expose: true
-        exposedPort: 8082
-
-    tlsOptions:
-      default:
-        minVersion: VersionTLS12
-        maxVersion: VersionTLS13
-        sniStrict: true
-
-    pilot:
-      enabled: true
-      token: "${SECRET_TRAEFIK_PILOT_TOKEN}"
-
-    experimental:
-      plugins:
-        enabled: true
-
-    affinity:
-      podAntiAffinity:
-        preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 100
-            podAffinityTerm:
-              labelSelector:
-                matchExpressions:
-                  - key: app.kubernetes.io/name
-                    operator: In
-                    values:
-                      - traefik
-              topologyKey: kubernetes.io/hostname
-
-    resources:
-      requests:
-        memory: 100Mi
-        cpu: 500m
-      limits:
-        memory: 500Mi

cluster/apps/networking/traefik/ingressclass.yaml

@@ -1,9 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  annotations:
-    ingressclass.kubernetes.io/is-default-class: "true"
-  name: traefik
-spec:
-  controller: traefik.io/ingress-controller

cluster/apps/networking/traefik/kustomization.yaml

@@ -1,11 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - helm-release.yaml
-  - ingressclass.yaml
-  - service-monitor.yaml
-  - tls-store
-  - dashboard
-  - middlewares
-  - prometheus-rules.yaml

cluster/apps/networking/traefik/middlewares/authelia.yaml

@@ -1,9 +0,0 @@
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: authelia
-  namespace: networking
-spec:
-  forwardAuth:
-    address: http://authelia.networking.svc.cluster.local./api/verify?rd=https://login.${SECRET_CLUSTER_DOMAIN}

cluster/apps/networking/traefik/middlewares/buffering-large.yaml

@@ -1,11 +0,0 @@
----
-# Sets the maximum request body to 2000Mb
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: buffering-large
-  namespace: networking
-spec:
-  buffering:
-    maxRequestBodyBytes: 2000000000
-    memRequestBodyBytes: 2000000

cluster/apps/networking/traefik/middlewares/buffering-medium.yaml

@@ -1,11 +0,0 @@
----
-# Sets the maximum request body to 200Mb
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: buffering-medium
-  namespace: networking
-spec:
-  buffering:
-    maxRequestBodyBytes: 200000000
-    memRequestBodyBytes: 2000000

cluster/apps/networking/traefik/middlewares/buffering-small.yaml

@@ -1,11 +0,0 @@
----
-# Sets the maximum request body to 20Mb
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: buffering-small
-  namespace: networking
-spec:
-  buffering:
-    maxRequestBodyBytes: 20000000
-    memRequestBodyBytes: 2000000

cluster/apps/networking/traefik/middlewares/forward-auth.yaml

@@ -1,11 +0,0 @@
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: forward-auth
-  namespace: networking
-spec:
-  chain:
-    middlewares:
-      - name: rfc1918-ips
-      - name: authelia

cluster/apps/networking/traefik/middlewares/kustomization.yaml

@@ -1,12 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - authelia.yaml
-  - buffering-large.yaml
-  - buffering-medium.yaml
-  - buffering-small.yaml
-  - ratelimit.yaml
-  - rfc1918.yaml
-  - redirect-path.yaml
-  - forward-auth.yaml

cluster/apps/networking/traefik/middlewares/ratelimit.yaml

@@ -1,10 +0,0 @@
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: ratelimit
-  namespace: networking
-spec:
-  rateLimit:
-    average: 10
-    period: "10s"

cluster/apps/networking/traefik/middlewares/redirect-path.yaml

@@ -1,32 +0,0 @@
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: redirect-regex
-  namespace: networking
-spec:
-  redirectRegex:
-    regex: "^(https?://[^/]+/[a-z0-9_]+)$"
-    replacement: "${1}/"
-    permanent: true
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: strip-prefix-regex
-  namespace: networking
-spec:
-  stripPrefixRegex:
-    regex:
-      - "/[a-z0-9_]+"
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: redirect-path
-  namespace: networking
-spec:
-  chain:
-    middlewares:
-      - name: redirect-regex
-      - name: strip-prefix-regex

cluster/apps/networking/traefik/middlewares/rfc1918.yaml

@@ -1,22 +0,0 @@
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: rfc1918-ips
-  namespace: networking
-spec:
-  ipWhiteList:
-    sourceRange:
-      - 10.0.0.0/8
-      - 172.16.0.0/12
-      - 192.168.0.0/16
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: rfc1918
-  namespace: networking
-spec:
-  chain:
-    middlewares:
-      - name: rfc1918-ips

cluster/apps/networking/traefik/prometheus-rules.yaml

@@ -1,72 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  labels:
-    app: traefik
-  name: traefik.rules
-  namespace: networking
-spec:
-  groups:
-    - name: traefik.rules
-      rules:
-        - alert: TraefikAbsent
-          annotations:
-            summary: "Traefik has disappeared from Prometheus service discovery."
-            description: "Ingresses will be down until the Traefik reverse proxy is back up."
-          expr: |
-            absent(up{job="traefik"})
-          for: 5m
-          labels:
-            severity: critical
-        - alert: TraefikConfigError
-          annotations:
-            summary: "Traefik config error."
-            description:
-              "Traefik has failed to load the config file. Check Traefik
-              logs for exact parsing error."
-          expr: |
-            traefik_config_last_reload_failure{job="traefik"} == 1
-          for: 5m
-          labels:
-            severity: critical
-        - alert: TraefikHighHttp4xxErrorRateService
-          annotations:
-            summary: "Traefik has a high HTTP 4xx error rate."
-            description:
-              "Traefik is reporting {{ $value | humanizePercentage }} of 4xx
-              errors on {{ $labels.exported_service }}"
-          expr: |
-            sum(rate(traefik_service_requests_total{code=~"4.*"}[1m])) by (exported_service)
-              /
-            sum(rate(traefik_service_requests_total[1m])) by (exported_service)
-              > .10
-          for: 5m
-          labels:
-            severity: critical
-        - alert: TraefikHighHttp5xxErrorRateService
-          annotations:
-            summary: "Traefik has a high HTTP 5xx error rate."
-            description:
-              "Traefik is reporting {{ $value | humanizePercentage }} of 5xx
-              errors on {{ $labels.exported_service }}"
-          expr: |
-            sum(rate(traefik_service_requests_total{code=~"5.*"}[1m])) by (exported_service)
-              /
-            sum(rate(traefik_service_requests_total[1m])) by (exported_service)
-              > .10
-          for: 5m
-          labels:
-            severity: critical
-        - alert: TraefikTooManyRequest
-          annotations:
-            summary: "Traefik has too many open connections"
-            description:
-              "Traefik is reporting {{ $value }} of open connections on entrypoint
-              {{ $labels.entrypoint }}"
-          expr: |
-            avg(traefik_entrypoint_open_connections{job="traefik"})
-              > 5
-          for: 5m
-          labels:
-            severity: critical

cluster/apps/networking/traefik/service-monitor.yaml

@@ -1,19 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: traefik
-  namespace: networking
-  labels:
-    app.kubernetes.io/name: traefik
-spec:
-  endpoints:
-    - path: /metrics
-      targetPort: metrics
-  jobLabel: traefik
-  namespaceSelector:
-    matchNames:
-      - networking
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: traefik

cluster/apps/networking/traefik/tls-store/default.yaml

@@ -1,9 +0,0 @@
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: TLSStore
-metadata:
-  name: default
-  namespace: networking
-spec:
-  defaultCertificate:
-    secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"

cluster/apps/networking/traefik/tls-store/kustomization.yaml

@@ -1,5 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - default.yaml

cluster/base-custom/crds/external-snapshotter/crds.yaml

@@ -1,38 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: GitRepository
-metadata:
-  name: external-snapshotter-source
-  namespace: flux-system
-spec:
-  interval: 1h
-  url: https://github.com./kubernetes-csi/external-snapshotter.git
-  ref:
-    tag: v4.1.0
-  ignore: |
-    # exclude all
-    /*
-    # include deploy crds dir
-    !/client/config/crd
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: external-snapshotter-crds
-  namespace: flux-system
-spec:
-  interval: 15m
-  prune: false
-  sourceRef:
-    kind: GitRepository
-    name: external-snapshotter-source
-  healthChecks:
-    - apiVersion: apiextensions.k8s.io/v1
-      kind: CustomResourceDefinition
-      name: volumesnapshotclasses.snapshot.storage.k8s.io
-    - apiVersion: apiextensions.k8s.io/v1
-      kind: CustomResourceDefinition
-      name: volumesnapshotcontents.snapshot.storage.k8s.io
-    - apiVersion: apiextensions.k8s.io/v1
-      kind: CustomResourceDefinition
-      name: volumesnapshots.snapshot.storage.k8s.io

cluster/base-custom/crds/external-snapshotter/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - crds.yaml

cluster/base-custom/crds/kustomization.yaml

@@ -2,7 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - cert-manager
-  - external-snapshotter
   - kube-prometheus-stack
   - rook-ceph
-  - traefik

cluster/base-custom/crds/traefik/crds.yaml

@@ -1,57 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: GitRepository
-metadata:
-  name: traefik-crd-source
-  namespace: flux-system
-spec:
-  interval: 1h
-  url: https://github.com./traefik/traefik-helm-chart.git
-  ref:
-    # renovate: registryUrl=https://helm.traefik.io/traefik chart=traefik
-    tag: v10.1.1
-  ignore: |
-    # exclude all
-    /*
-    # path to crds
-    !/traefik/crds/
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: traefik-crds
-  namespace: flux-system
-spec:
-  interval: 15m
-  prune: false
-  sourceRef:
-    kind: GitRepository
-    name: traefik-crd-source
-  healthChecks:
-    - apiVersion: apiextensions.k8s.io/v1
-      kind: CustomResourceDefinition
-      name: ingressroutes.traefik.containo.us
-    - apiVersion: apiextensions.k8s.io/v1
-      kind: CustomResourceDefinition
-      name: ingressroutetcps.traefik.containo.us
-    - apiVersion: apiextensions.k8s.io/v1
-      kind: CustomResourceDefinition
-      name: ingressrouteudps.traefik.containo.us
-    - apiVersion: apiextensions.k8s.io/v1
-      kind: CustomResourceDefinition
-      name: middlewares.traefik.containo.us
-    - apiVersion: apiextensions.k8s.io/v1
-      kind: CustomResourceDefinition
-      name: middlewaretcps.traefik.containo.us
-    - apiVersion: apiextensions.k8s.io/v1
-      kind: CustomResourceDefinition
-      name: serverstransports.traefik.containo.us
-    - apiVersion: apiextensions.k8s.io/v1
-      kind: CustomResourceDefinition
-      name: tlsoptions.traefik.containo.us
-    - apiVersion: apiextensions.k8s.io/v1
-      kind: CustomResourceDefinition
-      name: tlsstores.traefik.containo.us
-    - apiVersion: apiextensions.k8s.io/v1
-      kind: CustomResourceDefinition
-      name: traefikservices.traefik.containo.us

cluster/base-custom/crds/traefik/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - crds.yaml