diff --git a/README.md b/README.md index 1b42c7797..8ef26ca92 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ + # Homelab cluster with k3s and Flux This repo configures a single Kubernetes ([k3s](https://k3s.io)) cluster with [Ansible](https://www.ansible.com) and uses the GitOps tool [Flux](https://toolkit.fluxcd.io) to manage its state. diff --git a/docs/1-prerequisites.md b/docs/1-prerequisites.md deleted file mode 100644 index d61ae4aff..000000000 --- a/docs/1-prerequisites.md +++ /dev/null 
@@ -1,131 +0,0 @@ -# 📝 Prerequisites - -- [📝 Prerequisites](#-prerequisites) - - [💻 Nodes](#-nodes) - - [🛠 Tools](#-tools) - - [📝 Installation](#-installation) - - [✅ Set up go-task](#-set-up-go-task) - - [⚠️ Activate pre-commit](#️-activate-pre-commit) - - [💡 direnv](#-direnv) - - [💡 SOPS](#-sops) - - [🔐 Set up Age](#-set-up-age) - -## 💻 Nodes - -Provisioned with [pxe, ansible, and/or terraform](https://github.com/ahgraber/homelab-infra). - -## 🛠 Tools - -| Tool | Purpose | -| ------------------------------------------------------------------ | ------------------------------------------------------------------- | -| [ansible](https://www.ansible.com) | Automate actions against nodes (like installing k3s) | -| [kubectl](https://kubernetes.io/docs/tasks/tools/) | Allows you to run commands against Kubernetes clusters | -| [kustomize](https://kustomize.io/) | Template-free way to customize application configuration | -| [helm](https://helm.sh/) | Package manager for Kubernetes | -| [flux](https://toolkit.fluxcd.io/) | Operator that manages your k8s cluster based on your Git repository | -| [age](https://github.com/FiloSottile/age) | A simple, modern and secure encryption tool (and Go library) | -| [SOPS](https://github.com/mozilla/sops) | Encrypts k8s secrets with GnuPG | -| [direnv](https://github.com/direnv/direnv) | Exports env vars based on present working directory | -| [jq](https://stedolan.github.io/jq/) | Parse and edit json | -| [yq](https://github.com/mikefarah/yq) | Parse and edit yaml | -| [pre-commit](https://github.com/pre-commit/pre-commit) | Runs checks during `git commit` | -| [gitleaks](https://github.com/zricethezav/gitleaks) | Scan git repos (or files) for secrets | -| [k9s](https://k9scli.io/) | CLI-GUI for k8s clusters | -| [stern](https://github.com/stern/stern) | Multi pod and container log tailing for Kubernetes | -| [task](https://github.com/go-task/task) | A task runner / simpler Make alternative | -| [terraform](https://www.terraform.io/) 
| Infra as code provisioner | -| [weave gitops](https://docs.gitops.weave.works/docs/intro/) | Flux extension for gitops | - -## 📝 Installation - -## ✅ Set up [go-task](https://github.com/go-task/task) - -This repo uses task as a framework for setting things up. - -```sh -brew install go-task/tap/go-task -# install tools & utilities -task init -``` - -## ⚠️ Activate pre-commit - -[pre-commit](https://pre-commit.com/) is installed with `task init`. -[sops-pre-commit](https://github.com/k8s-at-home/sops-pre-commit) will check -to make sure you are not by accident committing your secrets un-encrypted. - -```sh -pre-commit install && pre-commit autoupdate -``` - -## 💡 direnv - -[direnv](https://github.com/direnv/direnv) allows persisting environmental -variables to a hidden `.envrc` file. - -After direnv is installed with `task init`, set up on the local repo path: - -```sh -# add direnv hooks -echo 'eval "$(direnv hook zsh)"' >> ~/.zshrc -source ~/.zshrc - -# add .envrc and .env to gitignores (global, local) -git config --global core.excludesFile '~/.gitignore' -touch ~/.gitignore -echo '.envrc' >> ~/.gitignore -echo '.env' >> ~/.gitignore -echo '.envrc' >> .gitignore -echo '.env' >> .gitignore - -# remove .gitignored files -git ls-files -i --exclude-from=.gitignore | xargs git rm --cached - -# set up direnv config to whitelist folders for direnv -mkdir -p ~/.config/direnv -echo > direnv.toml << EOF -[whitelist] -prefix = [ "/path/to/folders/to/whitelist" ] -exact = [ "/path/to/envrc/to/whitelist" ] -EOF - -direnv reload -``` - -## 💡 SOPS - -The [SOPS VSCode Extension](https://github.com/signageos/vscode-sops) will automatically decrypt you -SOPS secrets when you click on the file in the editor and encrypt them when you save and exit the -file. - -## 🔐 Set up Age - -:round_pushpin: Here we will create a Age Private and Public key. Using SOPS with Age allows us to encrypt and decrypt secrets. - -1. 
Create a Age Private / Public Key - - ```sh - age-keygen -o age.agekey - ``` - -2. Set up the directory for the Age key and move the Age file to it - - ```sh - # mac - mkdir -p "${HOME}/Library/Application Support/sops/age" - mv age.agekey "${HOME}/Library/Application Support/sops/age/keys.txt" - # linux - mkdir -p "${HOME}/.config/sops/age/keys.txt" - mv age.agekey "${HOME}/.config/sops/age/keys.txt" - ``` - -3. Add the Age key file and public key to the local `.envrc` and reload - - ```sh - echo "export SOPS_AGE_KEY_FILE=(expand_path ${HOME}/.config/sops/age/keys.txt) >> .envrc - echo "export AGE_PUBLIC_KEY=\"$(grep public """${HOME}/.config/sops/age/keys.txt""" | awk '{ print $NF }')\"" >> .envrc - direnv allow . - ``` - - _Optional:_ Save keys to password manager or vault - _**Don't forget to delete the keys from the repo once saved elsewhere!!!**_ diff --git a/docs/2-install_k3s_with_ansible.md b/docs/2-install_k3s_with_ansible.md deleted file mode 100644 index ca93b8bd5..000000000 --- a/docs/2-install_k3s_with_ansible.md +++ /dev/null @@ -1,8 +0,0 @@ -# 📡 Installing k3s with Ansible - -k3s can be automatically installed via Terraform provisioner, or manually leverage the playbook. - -See [homelab-infra](https://github.com/ahgraber/homelab-infra) to use Ansible as a Terraform -provisioner to install k3s, or -[Ansible instructions](https://github.com/ahgraber/homelab-infra/blob/main/docs/3%20-%20ansible.md) -to manually run the playbook. diff --git a/docs/3-gitops_with_flux.md b/docs/3-gitops_with_flux.md deleted file mode 100644 index 5ea1b6ccf..000000000 --- a/docs/3-gitops_with_flux.md +++ /dev/null 
@@ -1,290 +0,0 @@ -# 🤖 GitOps (with Flux) - -- [🤖 GitOps (with Flux)](#-gitops-with-flux) - - [1. Create deploy key \& add to github](#1-create-deploy-key--add-to-github) - - [2. Export more environment variables for application configuration](#2-export-more-environment-variables-for-application-configuration) - - [3. Create required files based on ALL exported environment variables](#3-create-required-files-based-on-all-exported-environment-variables) - - [4. 🔍 **Verify** all the above files have the correct information present](#4--verify-all-the-above-files-have-the-correct-information-present) - - [5. 🔐 Encrypt secrets with SOPS](#5--encrypt-secrets-with-sops) - - [Create deploy key](#create-deploy-key) - - [Encrypting with SOPS](#encrypting-with-sops) - - [6. 🔍 **Verify** all the above files are **encrypted** with SOPS](#6--verify-all-the-above-files-are-encrypted-with-sops) - - [7. 📤 Push your changes to git](#7--push-your-changes-to-git) - - [8. ✅ Verify Flux can be installed](#8--verify-flux-can-be-installed) - - [9. 🚀 Install Flux](#9--install-flux) - - [10. ✅ Verify Flux](#10--verify-flux) - - [🔀 Manually sync Flux with your Git repository](#-manually-sync-flux-with-your-git-repository) - - [✅ Verify ingress](#-verify-ingress) - - [📣 Post installation](#-post-installation) - - [🌐 DNS](#-dns) - - [🤖 Renovate](#-renovate) - - [🪝 Github Webhook](#-github-webhook) - -> [Here](https://fluxcd.io/docs/flux-e2e/) is flux's explanation of its end-to-end commit flow. - -## 1. Create deploy key & add to github - -Generate key with: - -```sh -ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f ./cluster/github-deploy-key -q -P "" -``` - -Copy contents of `cluster/github-deploy-key.pub` to `deploy keys` section of github repo -`https://github.com///settings/keys` - -## 2. 
Export more environment variables for application configuration - -> _Note:_ Exported variables go into `./tmpl/...`, where there are exported to settings and secrets -> in the next step - -Here is a code blurb to quickly copy environmental variables into your .envrc. If using, **edit -before running or copying exports into .envrc** - -```sh -cat >> .envrc << EOF -### allow direnv to import .env files -dotenv_if_exists ./.env - -### Flux Config -export GITHUB_REPOSITORY="" -export GITHUB_USER="" -export GITHUB_TOKEN="" - -### network ip allocations (calico) -export NET_NODE_CIDR="10.2.118.0/24" -export NET_POD_CIDR="10.42.0.0/16" -export NET_SVC_CIDR="10.43.0.0/16" - -### Kube-Vip -export KUBE_VIP_ADDRESS="10.2.113.1" -export KUBE_VIP_IFACE="enp2s0" # "ens192" - -### K8s load-balancer IP allocations (metallb / kube-vip servicelb) -# Pick a range of unused IPs that are on the same network as your nodes -export LB_GATEWAY="10.2.113.2" -export LB_INGRESS="10.2.113.3" -export LB_AUTH="10.2.113.4" -# export LB_POSTGRES="10.2.113.5" -export LB_DEFAULT_RANGE="10.2.113.128-10.2.113.250" - -### Cluster secrets -export SECRET_ADMIN_USER="admin" -export SECRET_ADMIN_EMAIL="" -export SECRET_DEFAULT_USER="" -export SECRET_DEFAULT_EMAIL="" -export SECRET_DEFAULT_PWD="" - -export SECRET_DEFAULT_PWD_BASE64='' - -export SECRET_DEFAULT_PWD_BCRYPT='' - -export SECRET_DOMAIN="" - -### Cloudflare API token for DNS certification -export SECRET_CLOUDFLARE_EMAIL="" -export SECRET_CLOUDFLARE_TOKEN="" -export SECRET_CLOUDFLARE_TUNNEL_TOKEN="" -export SECRET_CLOUDFLARE_TUNNEL_CREDS="" - -### Email -export SECRET_SMTP_ADDRESS="" -export SECRET_SMTP_USER="" -export SECRET_SMTP_PWD="" -export SECRET_SMTP_SRV="" -export SECRET_SMTP_PORT="" -EOF -``` - -## 3. Create required files based on ALL exported environment variables - -General procedure: - -```zsh -# reload all env variables -direnv allow . - -# create SOPS hook for secret encryption -envsubst < ./path/to/templatefile.yaml.tmpl >! 
./path/to/outputfile.yaml -``` - -To run for all templates in repo: - -```sh -bash ./scripts/substitute.sh -``` - -## 4. 🔍 **Verify** all the above files have the correct information present - -## 5. 🔐 Encrypt secrets with SOPS - -> :round_pushpin: Variables defined in `cluster-secrets.yaml` and `cluster-settings.yaml` will be -> usable anywhere in your YAML manifests under `./cluster` - -### Create deploy key - -Create sops secret in `cluster/base/flux-system/github-deploy-key.sops.yaml` following -[template](../kubernetes/bootstrap/github-deploy-key.sops.yaml.example) - -### Encrypting with SOPS - -General procedure: - -```sh -# Encrypt SOPS secrets -sops --encrypt --in-place ./path/to/unencrypted_secrets.sops.yaml -``` - -To run for all templates in repo: - -```sh -bash ./scripts/sops.sh -``` - -## 6. 🔍 **Verify** all the above files are **encrypted** with SOPS - -## 7. 📤 Push your changes to git - -```sh -git add -A -git commit -m "initial commit" -git push -``` - -## 8. ✅ Verify Flux can be installed - -```sh -task cluster:verify -``` - -## 9. 🚀 Install Flux - -📍 Review [ClusterTasks](./../.taskfiles/ClusterTasks.yaml) for insight into specific commands that will be run! - -```sh -task cluster:install -``` - -## 10. ✅ Verify Flux - -```sh -# check flux installation -task cluster:pods -- -n flux-system - -# look at all resources -task cluster:resources -# or view per-resource -task cluster:gitrepositories -task cluster:kustomizations -task cluster:helmreleases -task cluster:helmrepositories -task cluster:pods -task cluster:certificates -task cluster:ingresses -``` - -## 🔀 Manually sync Flux with your Git repository - -> For objects that have been preinstalled with ansible, patching may be required to allow helm management -> eg. 
[tigera-operator](../kubernetes/apps/tigera-operator/give_helm_ownership.sh) - -```sh -task cluster:reconcile -``` - -## ✅ Verify ingress - -If your cluster is not accessible to outside world you can provide a dns override -for any service with an ingress in your router - -Head over to your browser and you _should_ be able to access the service - -## 📣 Post installation - -### 🌐 DNS - -📍 [external-dns](https://github.com/kubernetes-sigs/external-dns) will handle creating public DNS records. -By default, `echo-server` is the only public domain exposed on your Cloudflare domain. -In order to make additional applications public you must set an ingress annotation (see HelmRelease for `echo-server`). -Note: This is not required unless you need a record outside the purposes of your Kubernetes cluster (e.g. setting up MX records). - -[k8s_gateway](https://github.com/ori-edge/k8s_gateway) is deployed on the IP chosen for `${LB_GATEWAY}`. -In order to test DNS you can point your client's DNS to the `${LB_GATEWAY}` IP address and load a deployed app in your browser. - -You can also try debugging with the command `dig`, e.g. `dig @${LB_GATEWAY} .${SECRET_DOMAIN}` -and you should get a valid answer containing your `${LB_INGRESS}` IP address. - -If your router (or Pi-Hole, Adguard Home or whatever) supports conditional DNS forwarding (aka split-horizon DNS), -you may have DNS requests for `${SECRET_DOMAIN}` only point to the `${LB_GATEWAY}` IP address. -This will ensure only DNS requests for `${SECRET_DOMAIN}` will only get routed to your [k8s_gateway](https://github.com/ori-edge/k8s_gateway) -service, providing DNS resolution to your cluster applications/ingresses. - -To access services from the outside world, use Cloudflare Tunnels (formerly Argo Tunnel), -or port forward `80` and `443` in your router to the `${LB_INGRESS}` IP. -This _should_ provide access `https://echo-server.${BOOTSTRAP_CLOUDFLARE_DOMAIN}` from a device outside your LAN. 
- -Of course, if nothing is working, that is expected. This is DNS after all! - -### 🤖 Renovate - -There are several Github workflows included in this repository that help automate some processes. -_NOTE:_ several workflows require [creating a private github bot](https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens) - -- [Megalinter](./.github/workflows/megalinter.yaml) - workflow to lint so cluster specifications - remain properly formatted -- [Helm differ](./.github/workflows/helmrelease-diff.yaml) - workflow to annotate PRs with the differences in helm files - -[Renovate](https://www.whitesourcesoftware.com/free-developer-tools/renovate) is a very useful -tool that when configured will start to create PRs in your Github repository when Docker images, -Helm charts or anything else that can be tracked has a newer version. The configuration for -renovate is located [here](./.github/renovate.json5). - -To enable Renovate, click the 'Configure' button over at their [Github app page](https://github.com/apps/renovate) -and choose your repository. Over time Renovate will create PRs for out-of-date dependencies it finds. -Flux will deploy any merged PRs. Alternatively, use the private bot mentioned above in conjunction with -a chron scheduler workflow to manage renovate privately. - -- [Renovate schedule](./.github/workflows/renovate.yaml) - workflow to annotate `HelmRelease`'s which allows - Renovate to track Helm chart versions. - -### 🪝 Github Webhook - -Flux is pull-based by design meaning it will periodically check your git repository for changes; -instead, using a webhook can enable Flux to update the cluster on `git push`. -In order to configure Github to send `push` events from your repository to the Flux webhook receiver you will need: - -1. Webhook URL - Your webhook receiver will be deployed on `https://flux-webhook.${SECRET_DOMAIN}/hook/:hookId`. 
- In order to find out your hook id you can run the following command: - - ```sh - kubectl -n flux-system get receiver/github-receiver --kubeconfig=./kubeconfig - # NAME AGE READY STATUS - # github-receiver 6h8m True Receiver initialized with URL: /hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123 - ``` - - So if my domain was `testdomain.com`, the full url would look like this: - - ```text - https://flux-webhook.testdomain.com/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123 - ``` - -2. Webhook secret - Generate the secret token and populate the secret - - ```sh - TOKEN=$(head -c 12 /dev/urandom | shasum | cut -d ' ' -f1) - echo $TOKEN - ``` - - **Note:** Don't forget to update the `WEBHOOK_TOKEN` variable in your `.envrc` file - and run `envsubst ...` ands `sops ...` to create the encrypted secret - -Now that you have the webhook url and secret, it's time to set everything up on the Github repository side. -Navigate to the settings of your repository on Github, under "Settings/Webhooks" press the "Add webhook" button. -Fill in the webhook url and your secret. - -In order to allow the github webhook access to the cluster, follow [`cloudflared` readme](../kubernetes/apps/networking/cloudflared/README.md) -instructions to: - -1. Create the tunnel -2. Create the route / DNS CNAME -3. Configure the `cloudflared` deployment diff --git a/docs/Node Prep.md b/docs/Node Prep.md new file mode 100644 index 000000000..e5891e265 --- /dev/null +++ b/docs/Node Prep.md 
@@ -0,0 +1,95 @@ + +# 💻 Machine Preparation + +## System requirements + +📍 _k3s default behaviour is that all nodes are able to run workloads, including control nodes. Worker nodes are therefore optional._ + +📍 _If you have 3 or more nodes it is strongly recommended to make 3 of them control nodes for a highly available control plane._ + +📍 _Ideally you will run the cluster on bare metal machines. If you intend to run your cluster on Proxmox VE, my thoughts and recommendations about that are documented [here](https://onedr0p.github.io/home-ops/notes/proxmox-considerations.html)._ + +| Role | Cores | Memory | System Disk | +|---------|----------|---------------|---------------------------| +| Control | 4 _(6*)_ | 8GB _(24GB*)_ | 100GB _(500GB*)_ SSD/NVMe | +| Worker | 4 _(6*)_ | 8GB _(24GB*)_ | 100GB _(500GB*)_ SSD/NVMe | +| _\* recommended_ | + +## Debian for AMD64 + +1. Download the latest stable release of Debian from [here](https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd), then follow [this guide](https://www.linuxtechi.com/how-to-install-debian-12-step-by-step) to get it installed. Deviations from the guide: + + ```txt + Choose "Guided - use entire disk" + Choose "All files in one partition" + Delete Swap partition + Uncheck all Debian desktop environment options + ``` + +2. [Post install] Remove CD/DVD as apt source + + ```sh + su - + sed -i '/deb cdrom/d' /etc/apt/sources.list + apt update + exit + ``` + +3. [Post install] Enable sudo for your non-root user + + ```sh + su - + apt update + apt install -y sudo + usermod -aG sudo ${username} + echo "${username} ALL=(ALL) NOPASSWD:ALL" | tee /etc/sudoers.d/${username} + exit + newgrp sudo + sudo apt update + ``` + +4. 
[Post install] Add SSH keys (or use `ssh-copy-id` on the client that is connecting) + + 📍 _First make sure your ssh keys are up-to-date and added to your github account as [instructed](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)._ + + ```sh + mkdir -m 700 ~/.ssh + sudo apt install -y curl + curl https://github.com/${github_username}.keys > ~/.ssh/authorized_keys + chmod 600 ~/.ssh/authorized_keys + ``` + +## Debian for RasPi4 + +📍 _If you choose to use a Raspberry Pi 4 for the cluster, it is recommended to have an 8GB model. Most important is to **boot from an external SSD/NVMe** rather than an SD card. This is supported [natively](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html), however if you have an early model you may need to [update the bootloader](https://www.tomshardware.com/how-to/boot-raspberry-pi-4-usb) first._ + +📍 _Be sure to check the [power requirements](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#power-supply) if using a PoE Hat and a SSD/NVMe dongle._ + +1. Download the latest stable release of Debian from [here](https://raspi.debian.net/tested-images). _**Do not** use Raspbian or DietPi or any other flavor Linux OS._ + +2. Flash the image onto an SSD/NVMe drive. + +3. Re-mount the drive to your workstation and then do the following (per the [official documentation](https://raspi.debian.net/defaults-and-settings)): + + ```txt + Open 'sysconf.txt' in a text editor and save it upon updating the information below + - Change 'root_authorized_key' to your desired public SSH key + - Change 'root_pw' to your desired root password + - Change 'hostname' to your desired hostname + ``` + +4. Connect SSD/NVMe drive to the Raspberry Pi 4 and power it on. + +5. [Post install] SSH into the device with the `root` user and then create a normal user account with `adduser ${username}` + +6. 
[Post install] Follow steps 3 and 4 from [Debian for AMD64](#debian-for-amd64). + +7. [Post install] Install `python3` which is needed by Ansible. + + ```sh + sudo apt install -y python3 + ``` + +## 🚀 Getting Started + +Once you have installed Debian on your nodes, there are 6 stages to getting a Flux-managed cluster up and running. diff --git a/docs/index.md b/docs/index.md deleted file mode 100644 index d45e6a5ec..000000000 --- a/docs/index.md +++ /dev/null 
@@ -1,65 +0,0 @@ -# Homelab cluster with k3s and Flux - -This repo configures a single [k3s](https://k3s.io/) cluster, managed by the GitOps tool [Flux](https://toolkit.fluxcd.io/). -Cluster provisioned with [pxe, ansible, and/or terraform](https://github.com/ahgraber/homelab-infra). - -_With inspiration from the k8s-at-home community, especially [onedr0p's cluster template](https://github.com/onedr0p/flux-cluster-template)_ - -## Overview - - -- [👋 Introduction](#-introduction) -- [📂 Repository structure](#-repository-structure) -- [📝 Prerequisites](./1-prerequisites.md) -- [📡 Install k3s](./2-install_k3s_with_ansible.md) -- [🤖 GitOps with Flux](./3-gitops_with_flux.md) - -## 👋 Introduction - -The following components are installed in the [k3s](https://k3s.io/) cluster by default. - -- [flux](https://toolkit.fluxcd.io/) - GitOps operator for managing Kubernetes clusters from a Git repository -- [kube-vip](https://kube-vip.io/) - Load balancer for the Kubernetes control plane nodes -- [metallb](https://metallb.universe.tf/) - Load balancer for Kubernetes services -- [cert-manager](https://cert-manager.io/) - Operator to request SSL certificates and store them as Kubernetes resources -- [calico](https://www.tigera.io/project-calico/) - Container networking interface for inter pod and service networking -- [external-dns](https://github.com/kubernetes-sigs/external-dns) - Operator to publish DNS records to Cloudflare (or other providers) based on Kubernetes ingresses -- [k8s_gateway](https://github.com/ori-edge/k8s_gateway) - DNS resolver that provides local DNS to your Kubernetes ingresses - -## 📂 Repository structure - -The Git repository contains the following directories under `cluster` and are ordered below by how -Flux will apply them. - -- **bootstrap** helps initialize Flux -- **flux** installs Flux, defines the cluster, and deploys cluster secrets and variables -- **apps** organizes all applications. 
Applications are defined by a nested folder where the exterior - folder contains a "fluxtomization" (kustomize.toolkit.fluxcd.io/v1) that manages dependencies, - and the inner folder contains a kustomization (kustomize.config.k8s.io/v1beta1) that deploys the manifests. - -```txt -kubernetes -├── apps -| ├── cluster-system - cluster management & internal applications -| ├── flux-system - flux/gitops resources & applications -| ├── kube-system - k8s system management -| ├── monitoring -| | ├── grafana -| | ├── kube-prometheus-stack -│ | ├── kubernetes-dashboard -│ | └── ... -│ ├── networking -| | ├── cert-manager -| | ├── kube-vip -│ | ├── metallb-system -│ | ├── tigera-operator -│ | ├── traefik -│ | └── ... -│ ├── services - public services & applications -│ └── storage - storage providers -├── bootstrap -└── flux - ├── config - cluster definition - ├── repositories - source repositories (git, helm, OCI) - └── vars - cluster secrets and variables -``` diff --git a/docs/persisting data/backups.md b/docs/persisting data/backups.md deleted file mode 100644 index a334bcbe6..000000000 --- a/docs/persisting data/backups.md +++ /dev/null 
@@ -1,83 +0,0 @@ -# Backups - -## Current Setup - -- Persisted storage is provided via [CSI](https://github.com/democratic-csi/democratic-csi) via NFS - or iSCSI shares backed by TrueNAS; - - `Democratic-CSI` (can) leverage native ZFS snapshots - - TrueNAS has replication tasks to copy snapshots & preserve limited history on a separate (local) - storage pool - - TrueNAS has backup tasks to back up share directories to S3 storage (rsync/restic/kopia) -- The cluster runs [Velero](https://velero.io) for k8s-object snapshots. Application Helm charts can - be annotated to preserve objects (PVs, PVCs, Pods, ...) - - Velero backs up snapshots to offsite S3 storage. - - It can use k8s snapshots natively, or use restic to back up volumes that are not supported by - snapshots - -## [Velero](https://velero.io/docs/main/) - -1. Install Velero to cluster. Optionally, install the Velero CLI to local machine. -2. If using restic to back up pod volumes, ensure that restic is enabled -3. Annotate pods with volumes to be backed up by restic: - `backup.velero.io/backup-volumes=YOUR_VOLUME_NAME_1,YOUR_VOLUME_NAME_2` -4. Configure backup schedules, storage locations, snapshot locations - -## TrueNAS SCALE - -1. Install [Restic](https://github.com/restic/restic) and [autorestic](https://github.com/cupcakearmy/autorestic) - [using Ansible](https://github.com/ahgraber/homelab-infra/blob/main/ansible/playbooks/truenas/packages.yaml) - -2. Check for updates - - ```sh - restic self-update - autorestic upgrade - ``` - -3. [Configure `autorestic`](https://autorestic.vercel.app/config) - - ```yml - version: 2 - - locations: - location_name: - from: '/path/on/nas' - to: - - backend_name - cron: '0 3 * * 0' # Every Sunday at 3:00 - forget: prune - options: - forget: - keep-last: 5 # always keep at least 5 snapshots - - backends: - backend_name: - type: b2 - path: 'bucketname:/some/path' - env: - B2_ACCOUNT_ID: '12345' - B2_ACCOUNT_KEY: 'qwerty' - ``` - -4. 
Set up [crontab](https://autorestic.vercel.app/location/cron) - - ```sh - crontab -e - ``` - - ```sh - ### at end of file - # This is required, as it otherwise cannot find restic as a command. - PATH="/usr/local/bin:/usr/bin:/bin" - - # Example running every 5 minutes - */5 * * * * autorestic -c /path/to/my/.autorestic.yml --ci cron - ``` - -## References - -## Future Scope - -- [k8up](https://github.com/k8up-io/k8up) - waiting for - [RWO PVC support](https://github.com/k8up-io/k8up/issues/319) -- [benji](https://github.com/elemental-lf/benji/tree/master/charts/benji-k8s) - best with rook/ceph diff --git a/docs/persisting data/restore_truenas_offsite.md b/docs/persisting data/restore_truenas_offsite.md deleted file mode 100644 index 447f408ff..000000000 --- a/docs/persisting data/restore_truenas_offsite.md +++ /dev/null @@ -1,3 +0,0 @@ -# Resote TrueNAS (Offsite) - -WIP diff --git a/docs/persisting data/restore_truenas_snapshot.md b/docs/persisting data/restore_truenas_snapshot.md deleted file mode 100644 index 0e17cd16a..000000000 --- a/docs/persisting data/restore_truenas_snapshot.md +++ /dev/null @@ -1,3 +0,0 @@ -# Restore TrueNAS Snapshots - -WIP diff --git a/docs/persisting data/restore_velero.md b/docs/persisting data/restore_velero.md deleted file mode 100644 index 0bf21a501..000000000 --- a/docs/persisting data/restore_velero.md +++ /dev/null 
@@ -1,57 +0,0 @@ -# Data Restoration with Velero - -Refer to [Velero Documentation](https://velero.io/docs/main/) - -1. Suspend Flux - - ```sh - flux suspend kustomization core # don't auto reconcile namespaces, etc - flux suspend kustomization apps # don't auto reconcile applications - flux suspend hr # don't auto reconcile specific helm release - ``` - -2. Delete namespace to be restored - - ```sh - kubectl delete namespace - ``` - -3. Restore namespace with Velero - - ```sh - # this should simply recreate the namespace - velero restore create --from-backup - ### or restore specific resources only - # # restore pod - # velero restore create --from-backup --selector app.kubernetes.io/instance= --wait - # # restore volumes - # velero restore create --from-backup \ - # --selector app.kubernetes.io/instance= \ - # --include-resources persistentvolumeclaims,persistentvolumes \ - # --wait - ``` - - > We can test by creating a duplicate namespace: - > - > ```sh - > velero restore create --from-backup --namespace-mappings : - > ``` - > - > Connect to replicated namespace with `kubectl proxy` - > - > ```sh - > # in terminal - > kubectl proxy --port=8080 - > # access url from web page - > # http://localhost:8080/api/v1/namespaces//services/:/proxy/ - > ``` - -4. Resume Flux - - ```sh - flux resume kustomization core - flux resume kustomization apps - flux resume hr - ``` - -5. Profit diff --git a/docs/troubleshooting/debug.zsh b/docs/troubleshooting/debug.zsh deleted file mode 100644 index 9be4249cf..000000000 --- a/docs/troubleshooting/debug.zsh +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/usr/bin/env zsh -# shellcheck disable=SC1071 - -debug_hr="nextcloud" -debug_ns="nextcloud" -flux suspend kustomization core -flux suspend kustomization apps && sleep 10 -flux delete hr "${debug_hr}" -n "${debug_ns}" -s && sleep 30 - -declare -a pvcs=($(kubectl get pvc -n "${debug_ns}" --no-headers | awk '{print $1}')) -declare -a pvs=($(kubectl get pvc -n "${debug_ns}" --no-headers | awk '{print $3}')) -for pvc in "${pvcs[@]}"; do kubectl delete pvc "${pvc}" -n "${debug_ns}"; done -for pv in "${pvs[@]}"; do kubectl delete pv "${pv}"; done -unset pvcs -unset pvs - -kubectl delete ns "${debug_ns}" && sleep 30 -# ref: https://stackoverflow.com/questions/52369247/namespace-stuck-as-terminating-how-i-removed-it -function ns_cleanup { - declare -a terminating=($(kubectl get ns -o json | jq '.items[] | select(.status.phase=="Terminating") | (.metadata.name)' | xargs -n1)) - for ns in "${terminating[@]}"; do - echo "$ns" - # kubectl get ns "$ns" -o json | jq '.spec.finalizers = []' | kubectl replace --raw "/api/v1/namespaces/$ns/finalize" -f - - kubectl patch ns "${ns}" -p '{"spec":{"finalizers":null}}' - done - unset terminating -} -ns_cleanup - -bash ./cluster/core/democratic-csi/cleanup.sh - -flux resume kustomization core && flux reconcile kustomization core -flux resume kustomization apps && flux reconcile kustomization apps -flux-update diff --git a/docs/troubleshooting/troubleshooting_flux.md b/docs/troubleshooting/troubleshooting_flux.md deleted file mode 100644 index 995a6e15c..000000000 --- a/docs/troubleshooting/troubleshooting_flux.md +++ /dev/null 
@@ -1,40 +0,0 @@ -# Troubleshooting flux system - -- Verify flux is running - - ```sh - kubectl --kubeconfig=${KUBECONFIG} get pods -n flux-system - ``` - -- Manually sync Flux with your Git repository - - ```sh - flux --kubeconfig=${KUBECONFIG} reconcile source git flux-system - ``` - -- Get status of objects managed by Flux - - ```sh - # flux --kubeconfig=${KUBECONFIG} get all -A - flux get sources git -A - flux get sources helm -A - flux get sources chart -A - flux get helmrelease -A - flux get kustomization -A - ``` - -- Force flux to reconcile: - - ```sh - flux reconcile helmrelease RELEASENAME -n NAMESPACE - flux reconcile kustomization NAME - flux reconcile source SOURCE NAME - ``` - -- View kustomization logs - - ```sh - flux logs --kind=HelmRelease - flux logs --kind=Kustomization --name=apps - - ``` diff --git a/docs/troubleshooting/troubleshooting_nodes.md b/docs/troubleshooting/troubleshooting_nodes.md deleted file mode 100644 index 86c66bcaf..000000000 --- a/docs/troubleshooting/troubleshooting_nodes.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# Troubleshooting nodes - -- Check node status - - ```sh - kubectl --kubeconfig=${KUBECONFIG} get nodes -o wide - kubectl --kubeconfig=${KUBECONFIG} describe node NODENAME - ``` - -- Check node taints - - ```sh - kubectl get nodes -o json | jq '.items[].spec.taints' - ``` - -- Add or overwrite a taint (see - [taints and tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) - - ```sh - # add/overwrite - kubectl --kubeconfig=${KUBECONFIG} taint nodes NODENAME KEY=VALUE:NoSchedule - # remove specific value taint - kubectl --kubeconfig=${KUBECONFIG} taint nodes NODENAME KEY=VALUE:NoSchedule- - # remove all taints from given key - kubectl --kubeconfig=${KUBECONFIG} taint nodes NODENAME KEY- - ``` - - Example: Remove disk pressure taint - - ```sh - kubectl --kubeconfig=${KUBECONFIG} taint nodes NODENAME node.kubernetes.io/disk-pressure- - ``` - -- Clear evicted pods - - ```sh - kubectl get po --all-namespaces -o json | \ - jq '.items[] | select(.status.reason!=null) | select(.status.reason | contains("Evicted")) | - "kubectl delete po \(.metadata.name) -n \(.metadata.namespace)"' | xargs -n 1 bash -c - ``` - -- Clean orphaned pods - - [ref 1](https://docs.microfocus.com/doc/SMAX/2019.08/OrphanedPodFound) - [ref 2](https://breest.io/_/remove-orphaned-pods/) - - ```sh - pod_id=$(journalctl -n 1 -g 'err="orphaned pod' | awk '{print $23}' | sed 's/["\\]//g' | tr -d '\n') - while [[ -n "${pod_id}" ]]; do - echo "${pod_id}" - rm -rf "/var/lib/kubelet/pods/${pod_id}" || true - sleep 2s - pod_id=$(journalctl -n 1 -g 'err="orphaned pod' | awk '{print $23}' | sed 's/["\\]//g' | tr -d '\n') - done - unset pod_id - ``` - -## Checking node logs (from node) - -```sh -journalctl -u k3s -n 20 -``` - -> If `journalctl -u k3s` has many "" entries, remove the offending pod volume -> -> ```sh -> sudo rm -rf /var/lib/kubelet/pods/ -> ``` - -## Check node configuration (from node) - -- check k3s configuration: - - ```sh - cat 
/etc/rancher/k3s/config.yaml - ``` - -- Other important file locations: - - `/var/lib/rancher/k3s` diff --git a/docs/troubleshooting/troubleshooting_rook_ceph.md b/docs/troubleshooting/troubleshooting_rook_ceph.md deleted file mode 100644 index 16123d8c9..000000000 --- a/docs/troubleshooting/troubleshooting_rook_ceph.md +++ /dev/null 
@@ -1,85 +0,0 @@ -# Troubleshooting Rook-Ceph - -## Teardown and Cleanup - -> Order of operations is critical! See [documentation](https://rook.io/docs/rook/v1.0/ceph-teardown.html) - -1. Suspend Flux reconciliation or remove kustomization/s (at least the rook-ceph cluster) from git repo -2. Delete the cluster helm release (and associated configmaps) or `kubectl delete -k ./cluster/core/rook-ceph/cluster`. - **DO NOT REMOVE THE ORCHESTRATOR** -3. Delete the cephcluster custom resource (if it still exists) -4. Check crds for remaining objects - -```sh -# get hanging resources - kubectl api-resources --verbs=list --namespaced -o name \ - | xargs -n 1 kubectl get --show-kind --ignore-not-found -n rook-ceph -flux suspend kustomization rook-ceph -kubectl patch cephcluster rook-ceph -n rook-ceph --type merge -p '{"spec":{"cleanupPolicy":{"confirmation":"yes-really-destroy-data"}}}' -kubectl delete hr rook-ceph-cluster -n rook-ceph -kubectl delete cephcluster rook-ceph -n rook-ceph -kubectl patch cephcluster rook-ceph -n rook-ceph --type merge -p '{"metadata":{"finalizers": []}}' -for RES in $(kubectl get configmap,secret -n rook-ceph -o name); do - kubectl patch "$RES" -n rook-ceph --type merge -p '{"metadata":{"finalizers": []}}' - kubectl delete "$RES" -n rook-ceph -done -for CRD in $(kubectl get crd -A -o name | grep ceph.rook.io); do - kubectl patch "$CRD" --type merge -p '{"metadata":{"finalizers": []}}' - kubectl delete "$CRD" -done; -kubectl patch ns rook-ceph --type merge -p '{"metadata":{"finalizers": []}}' -kubectl delete ns rook-ceph - -### RUN ROOK-CEPH-CLEANUP ANSIBLE SCRIPT -``` - -## Remove orphan rbd images - -1. 
With `kubectl`, list all currently-in-use PVs by storage class - - ```sh - # with add'l info - k get pv -o json \ - | jq '.items[] - | select(.spec.storageClassName == "ceph-block-retain") - | {name: .metadata.name, usedby: .spec.claimRef.name, imageName: .spec.csi.volumeAttributes.imageName}' - - # just the rook-ceph imageNames - k get pv -o json \ - | jq '.items[] - | select(.spec.storageClassName == "ceph-block-retain") - | .spec.csi.volumeAttributes.imageName' - ``` - -2. From `ceph toolbox` pod, list of existing ceph RBD images by storage class - - ```sh - rbd ls -p ceph-blockpool-retain - ``` - -3. In `ceph toolbox` pod, create arrays - - ```sh - # from kubectl command, copy list of imageNames - pvs=(< copy outputs from step 1 >) - # pvs=("csi-vol-9918487c-718e-11ed-af1c-d608edb9ade0" \ - # "csi-vol-7f05fdba-8847-11ed-af1c-d608edb9ade0" \ - # "csi-vol-30448e88-74fd-11ed-af1c-d608edb9ade0" \ - # ) - echo "${pvs[0]}" - - # create array from rbd command - imgs=($(rbd ls -p ceph-blockpool-retain)) - echo "${pvs[0]}" - ``` - -4. In `ceph toolbox` pod, compare arrays and remove trash - - ```sh - toremove=($(echo ${imgs[@]} ${pvs[@]} | tr ' ' '\n' | sort | uniq -u)) - echo "${toremove[@]}" - for img in "${toremove[@]}"; do - echo "Removing $img" - rbd rm "$img" -p ceph-blockpool-retain - done - ``` diff --git a/docs/troubleshooting/troubleshooting_services.md b/docs/troubleshooting/troubleshooting_services.md deleted file mode 100644 index d92fe0f4f..000000000 --- a/docs/troubleshooting/troubleshooting_services.md +++ /dev/null 
@@ -1,173 +0,0 @@ -# Troubleshooting services - -[Jq cheatsheet](https://medium.com/geekculture/my-jq-cheatsheet-34054df5b650) - -## Debug HelmRelease - -- Show the health of helm _releases_ - - ```sh - flux --kubeconfig=${KUBECONFIG} get helmrelease -A - ``` - -- Force flux to reconcile a helm release: - - ```sh - flux reconcile helmrelease traefik -n networking - ``` - -- Debug a nonfunctional helm release - - ```sh - # identify helm-controller name - HELM_CTL=$(kubectl get pods -n flux-system | grep helm-controller | awk '{print $1}') - # find last 20 logs for helmrelease name - kubectl --kubeconfig=${KUBECONFIG} logs ${HELM_CTL} -n flux-system | grep traefik | tail -20 - # get flux logs - flux logs --kind=HelmRelease --name=traefik -n networking --tail 20 - # check configured values - helm get values traefik -n networking - ``` - -- Show the health of your Helm _repositories_ - - ```sh - flux --kubeconfig=${KUBECONFIG} get sources helm -A - ``` - -- Force flux to sync a helm repository: - - ```sh - flux reconcile source helm traefik-charts -n flux-system - ``` - -### Delete and reinstall errored helm deployments - -- Delete helm deployment and `flux reconcile` - - ```sh - helm delete traefik -n networking - sleep 120 && flux reconcile hr traefik -n networking - flux get hr traefik -n networking - ``` - -- Delete helmrelease and reinstall via full app kustomization - - ```sh - flux delete hr traefik -n networking -s - sleep 120 && flux reconcile kustomization apps - flux get hr traefik -n networking - ``` - -## Debug namespaces - -- Get all resources in a given namespace - - ```sh - kubectl get all -n - ``` - -- Force delete namespace - - ```sh - kubectl delete ns --force - ``` - -- Overwrite finalizers if namespace stuck `terminating` - - ```sh - function ns_cleanup { - declare -a terminating=( \ - $(kubectl get ns -o json | \ - jq '.items[] | select(.status.phase=="Terminating") | (.metadata.name)' | \ - xargs -n1) \ - ) - for ns in "${terminating[@]}"; do - 
echo "$ns" - kubectl get ns "$ns" -o json | \ - jq '.spec.finalizers = []' | \ - kubectl replace --raw "/api/v1/namespaces/$ns/finalize" -f - - done - unset terminating - } - ns_cleanup - ``` - -## Debug Pods - -- Identify pods with - - ```sh - kubectl --kubeconfig=${KUBECONFIG} get pods -o wide -A - ``` - -- Get pod issues with - - ```sh - kubectl --kubeconfig=${KUBECONFIG} describe pods -n - ``` - -- Get specific pod logs with - - ```sh - kubectl --kubeconfig=${KUBECONFIG} logs -n - ``` - -- Get all logs pertaining to app with - - ```sh - # kubectl --kubeconfig=${KUBECONFIG} logs -l app.kubernetes.io/name= -n - kubectl --kubeconfig=${KUBECONFIG} logs -l app.kubernetes.io/name=traefik -n networking - ``` - -- Clear evicted pods - - ```sh - kubectl get po --all-namespaces -o json | \ - jq '.items[] | select(.status.reason!=null) | select(.status.reason | contains("Evicted")) | - "kubectl delete po \(.metadata.name) -n \(.metadata.namespace)"' | xargs -n 1 bash -c - ``` - -- Delete failed pods - - ```sh - kubectl delete pods -n --field-selector status.phase=Failed - ``` - -- Force delete stalled pods - - ```sh - pod="asd" - namespace="qwer" - kubectl delete pods "$pod" -n "$namespace" --grace-period=0 --force - # if pod is stuck on `Unknown` state, run: - kubectl patch pod "$pod" -n "$namespace" -p '{"metadata":{"finalizers":[]]}}' --type=merge - unset pod namespace - ``` - -- Remove disk pressure taint - - ```sh - kubectl taint nodes {NODENAME} node.kubernetes.io/disk-pressure- - ``` - -### Delete released PVs - -```sh -kubectl get pv | grep "Released" | awk '{print $1}' | while read vol; do kubectl delete pv/${vol}; done -kubectl patch pv/c -p '{"metadata":{"finalizers": []}}' --type=merge -``` - -## Clean up empty replicasets - -```sh -kubectl get rs --all-namespaces -o json | \ - jq '.items[] | select((.spec.replicas==0) and (.status.replicas==0)) | - "kubectl delete rs \(.metadata.name) -n \(.metadata.namespace)"' | xargs -n 1 bash -c -``` - -## Remove 
`claimRef` on retained PVs to reuse - -```sh -kubectl patch pv pvc-455ad896-d4ba-4383-9627-bf1f28940d62 -p '{"spec":{"claimRef": null}}' -``` diff --git a/docs/troubleshooting/undoing_bad_commit.md b/docs/troubleshooting/undoing_bad_commit.md deleted file mode 100644 index 0c47c5239..000000000 --- a/docs/troubleshooting/undoing_bad_commit.md +++ /dev/null @@ -1,33 +0,0 @@ -# Undoing a bad commit - -To roll back a commit (or revert a particular file), we can use `git checkout`: - -1. Check out the working branch - -2. List the commit messages - - ```sh - # show commit history for current branch - git log - # commit c4aad196a294db5e2d01a63c549e50bcc6f1f7ac (HEAD -releases/0.0.1, origin/releases/0.0.1) - # Author: Alex Graber - # Date: Thu Sep 29 10:33:02 2022 -0400 - # this is a commit message - ``` - -3. Identify the `` _prior_ to the commit where the changed happened - (we want the file as of the prior state, not as of the updated state) - -4. Show the diffs between current and prior commit - - ```sh - # show the difference between current and specified prior commit - git diff - ``` - -5. Revert file to commit hash - - ```sh - # refert specified file to specified prior commit - git checkout -- - ``` diff --git a/kubernetes/apps/cert-manager/cert-manager/add-ons/cert-manager.json b/kubernetes/apps/cert-manager/addons/cert-manager.json similarity index 100% rename from kubernetes/apps/cert-manager/cert-manager/add-ons/cert-manager.json rename to kubernetes/apps/cert-manager/addons/cert-manager.json diff --git a/kubernetes/apps/cert-manager/cert-manager/add-ons/kustomization.yaml b/kubernetes/apps/cert-manager/addons/kustomization.yaml similarity index 100% rename from kubernetes/apps/cert-manager/cert-manager/add-ons/kustomization.yaml rename to kubernetes/apps/cert-manager/addons/kustomization.yaml 
diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml index 4ac106de7..67b4d1715 100644 --- a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml @@ -3,26 +3,29 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: &app cert-manager - namespace: &namespace cert-manager + name: cert-manager + namespace: cert-manager spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://charts.jetstack.io/ chart: cert-manager version: v1.13.1 sourceRef: kind: HelmRepository - name: jetstack-charts + name: jetstack namespace: flux-system + maxHistory: 2 install: createNamespace: true remediation: retries: 3 upgrade: + cleanupOnFail: true remediation: retries: 3 + uninstall: + keepHistory: false values: installCRDs: true diff --git a/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml index 5e0988437..08f28fcec 100644 --- a/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml @@ -2,6 +2,7 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: cert-manager resources: - ./helmrelease.yaml - ./prometheusrule.yaml diff --git a/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml b/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml index 6677aa857..98c0f6da4 100644 --- a/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml @@ -2,7 +2,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: - name: cert-manager-rules + name: cert-manager.rules namespace: cert-manager spec: groups: 
@@ -15,51 +15,47 @@ spec: labels: severity: critical annotations: - description: - "New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is - back." + description: > + New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back. runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent summary: "Cert Manager has disappeared from Prometheus service discovery." - name: certificates rules: - alert: CertManagerCertExpirySoon expr: | - avg by (exported_namespace, namespace, name) ( - certmanager_certificate_expiration_timestamp_seconds - time()) - < (21 * 24 * 3600) + avg by (exported_namespace, namespace, name) (certmanager_certificate_expiration_timestamp_seconds - time()) < (21 * 24 * 3600) for: 15m labels: severity: warning annotations: - description: - "The domain that this cert covers will be unavailable after {{ $value | humanizeDuration }}. Clients - using endpoints that this cert protects will start to fail in {{ $value | humanizeDuration }}." + description: > + The domain that this cert covers will be unavailable after + {{ $value | humanizeDuration }}. Clients using endpoints that this cert + protects will start to fail in {{ $value | humanizeDuration }}. runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon - summary: - "The cert {{ $labels.name }} is {{ $value | humanizeDuration }} from expiry, it should have renewed over - a week ago." + summary: | + The cert {{ $labels.name }} is {{ $value | humanizeDuration }} from expiry, it should have renewed over a week ago. 
- alert: CertManagerCertNotReady expr: | - max by (name, exported_namespace, namespace, condition) ( - certmanager_certificate_ready_status{condition!="True"} == 1) + max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1) for: 15m labels: severity: critical annotations: - description: - "This certificate has not been ready to serve traffic for at least 10m. If the cert is being renewed or - there is another valid cert, the ingress controller _may_ be able to serve that instead." + description: > + This certificate has not been ready to serve traffic for at least + 10m. If the cert is being renewed or there is another valid cert, the ingress + controller _may_ be able to serve that instead. runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready summary: "The cert {{ $labels.name }} is not ready to serve traffic." - alert: CertManagerHittingRateLimits expr: | - sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m])) - > 0 + sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m])) > 0 for: 15m labels: severity: critical annotations: description: > - "Depending on the rate limit, cert-manager may be unable to generate certificates for up to a week." + Depending on the rate limit, cert-manager may be unable to generate certificates for up to a week. runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits summary: "Cert manager hitting LetsEncrypt rate limits." diff --git a/kubernetes/apps/cert-manager/cert-manager/certs/README.md b/kubernetes/apps/cert-manager/cert-manager/certificates/README.md similarity index 100% rename from kubernetes/apps/cert-manager/cert-manager/certs/README.md rename to kubernetes/apps/cert-manager/cert-manager/certificates/README.md 
diff --git a/kubernetes/apps/flux-system/add-ons/webhooks/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/certificates/kustomization.yaml similarity index 78% rename from kubernetes/apps/flux-system/add-ons/webhooks/kustomization.yaml rename to kubernetes/apps/cert-manager/cert-manager/certificates/kustomization.yaml index 08c1780f0..21774f0b9 100644 --- a/kubernetes/apps/flux-system/add-ons/webhooks/kustomization.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/certificates/kustomization.yaml @@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./github + - ./production.yaml + # - ./staging.yaml diff --git a/kubernetes/apps/cert-manager/cert-manager/certificates/production.yaml b/kubernetes/apps/cert-manager/cert-manager/certificates/production.yaml new file mode 100644 index 000000000..58b89de5e --- /dev/null +++ b/kubernetes/apps/cert-manager/cert-manager/certificates/production.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: "${SECRET_DOMAIN/./-}-production" + namespace: networking +spec: + secretName: "${SECRET_DOMAIN/./-}-production-tls" + # secretTemplate: + # annotations: + # # allow replication? + # reflector.v1.k8s.emberstack.com/reflection-allowed: "true" + # reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "" # Allow all namespaces + # # automatically create replicated resources? + # reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "false" + # reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "" + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "${SECRET_DOMAIN}" + dnsNames: + - "${SECRET_DOMAIN}" + - "*.${SECRET_DOMAIN}" diff --git a/kubernetes/apps/cert-manager/cert-manager/certificates/staging.yaml b/kubernetes/apps/cert-manager/cert-manager/certificates/staging.yaml new file mode 100644 index 000000000..c94f52342 --- /dev/null 
+++ b/kubernetes/apps/cert-manager/cert-manager/certificates/staging.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: "${SECRET_DOMAIN/./-}-staging" + namespace: networking +spec: + secretName: "${SECRET_DOMAIN/./-}-staging-tls" + # secretTemplate: + # annotations: + # # allow replication? + # reflector.v1.k8s.emberstack.com/reflection-allowed: "true" + # reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "" # Allow all namespaces + # # automatically create replicated resources? + # reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "false" + # reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "" + issuerRef: + name: letsencrypt-staging + kind: ClusterIssuer + commonName: "${SECRET_DOMAIN}" + dnsNames: + - "${SECRET_DOMAIN}" + - "*.${SECRET_DOMAIN}" diff --git a/kubernetes/apps/cert-manager/cert-manager/certs/certificate-prod.yaml b/kubernetes/apps/cert-manager/cert-manager/certs/certificate-prod.yaml deleted file mode 100644 index ab2f7a264..000000000 --- a/kubernetes/apps/cert-manager/cert-manager/certs/certificate-prod.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: "${SECRET_DOMAIN/./-}" - namespace: networking -spec: - secretName: "${SECRET_DOMAIN/./-}-tls" - secretTemplate: - annotations: - # allow replication? - reflector.v1.k8s.emberstack.com/reflection-allowed: "true" - reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "" # Allow all namespaces - # automatically create replicated resources? - reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "false" - reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "" - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "${SECRET_DOMAIN}" - dnsNames: - - "${SECRET_DOMAIN}" - - "*.${SECRET_DOMAIN}" - privateKey: - rotationPolicy: Never -# --- -# # define blank secret to be filled/used by Cert -# apiVersion: v1 -# data: -# ca.crt: '' -# tls.crt: '' -# tls.key: '' -# kind: Secret -# metadata: -# name: ${SECRET_DOMAIN/./-}-tls -# namespace: networking -# annotations: -# # allow replication? -# reflector.v1.k8s.emberstack.com/reflection-allowed: "true" -# reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "" # Allow all namespaces -# # automatically create replicated resources? -# reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" -# reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "ns1,ns2" -# type: kubernetes.io/tls diff --git a/kubernetes/apps/cert-manager/cert-manager/certs/certificate-stage.yaml b/kubernetes/apps/cert-manager/cert-manager/certs/certificate-stage.yaml deleted file mode 100644 index e50d512ba..000000000 --- a/kubernetes/apps/cert-manager/cert-manager/certs/certificate-stage.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: "${SECRET_DOMAIN/./-}-stage" - namespace: networking -spec: - secretName: "${SECRET_DOMAIN/./-}-stage-tls" - secretTemplate: - annotations: - # allow replication? - reflector.v1.k8s.emberstack.com/reflection-allowed: "true" - reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "" # Allow all namespaces - # automatically create replicated resources? - reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "false" - reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "" - issuerRef: - name: letsencrypt-staging - kind: ClusterIssuer - commonName: "${SECRET_DOMAIN}" - dnsNames: - - "${SECRET_DOMAIN}" - - "*.${SECRET_DOMAIN}" - privateKey: - rotationPolicy: Never -# --- -# # define blank secret to be filled/used by Cert -# apiVersion: v1 -# data: -# ca.crt: '' -# tls.crt: '' -# tls.key: '' -# kind: Secret -# metadata: -# name: ${SECRET_DOMAIN/./-}-stage-tls -# namespace: networking -# annotations: -# # allow replication? -# reflector.v1.k8s.emberstack.com/reflection-allowed: "true" -# reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "" # Allow all namespaces -# # automatically create replicated resources? -# reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" -# reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "ns1, ns2" -# type: kubernetes.io/tls diff --git a/kubernetes/apps/cert-manager/cert-manager/certs/certificate-test.yaml b/kubernetes/apps/cert-manager/cert-manager/certs/certificate-test.yaml deleted file mode 100644 index d8691d672..000000000 --- a/kubernetes/apps/cert-manager/cert-manager/certs/certificate-test.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: "test-${SECRET_DOMAIN/./-}" - namespace: networking -spec: - commonName: "${SECRET_DOMAIN}" - dnsNames: - - "${SECRET_DOMAIN}" - - "*.${SECRET_DOMAIN}" - issuerRef: - kind: ClusterIssuer - name: letsencrypt-staging - privateKey: - rotationPolicy: Never - secretName: test-tls diff --git a/kubernetes/apps/cert-manager/cert-manager/certs/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/certs/kustomization.yaml deleted file mode 100644 index e7ced8877..000000000 --- a/kubernetes/apps/cert-manager/cert-manager/certs/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./certificate-prod.yaml - # - ./certificate-stage.yaml - # - ./certificate-test.yaml diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/letsencrypt-production.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/letsencrypt-production.yaml index 9bb2c6b6e..70df08943 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/letsencrypt-production.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/letsencrypt-production.yaml @@ -6,16 +6,16 @@ metadata: spec: acme: server: https://acme-v02.api.letsencrypt.org/directory - email: "${SECRET_CLOUDFLARE_EMAIL}" + email: "${SECRET_ACME_EMAIL}" privateKeySecretRef: name: letsencrypt-production solvers: - dns01: cloudflare: ### api-key requires email; token does not - # email: "${SECRET_CLOUDFLARE_EMAIL}" + # email: "${SECRET_ACME_EMAIL}" apiTokenSecretRef: - name: cloudflare-api-token-secret + name: cert-manager-secret key: api-token selector: dnsZones: diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/letsencrypt-staging.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/letsencrypt-staging.yaml index a2f56f939..1248dbdc3 100644 
--- a/kubernetes/apps/cert-manager/cert-manager/issuers/letsencrypt-staging.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/letsencrypt-staging.yaml @@ -6,16 +6,16 @@ metadata: spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory - email: "${SECRET_CLOUDFLARE_EMAIL}" + email: "${SECRET_ACME_EMAIL}" privateKeySecretRef: name: letsencrypt-staging solvers: - dns01: cloudflare: ### api-key requires email; token does not - # email: "${SECRET_CLOUDFLARE_EMAIL}" + # email: "${SECRET_ACME_EMAIL}" apiTokenSecretRef: - name: cloudflare-api-token-secret + name: cert-manager-secret key: api-token selector: dnsZones: diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml index cfb044521..dec0632d7 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml @@ -1,13 +1,10 @@ -# yamllint disable apiVersion: v1 kind: Secret metadata: - name: cloudflare-api-token-secret + name: cert-manager-secret namespace: cert-manager - annotations: - reloader.stakater.com/match: "true" stringData: - api-token: ENC[AES256_GCM,data:wdA3h06AXPwKrtgzGDfq95+1YbXabzcCReqCwks36wcvxJjXLGVtVQ==,iv:SLpTusnSF3ghgmRWreBcd7+EnS0E55jXZLq2Hc4zCps=,tag:Ndjj7Ks4PNUNx2CmTIG5bw==,type:str] + api-token: ENC[AES256_GCM,data:mkRDvdRsZW1VdV/jKIHGgO1X7Lv0V9S2o6HifYLVKecw1s2bbNVe6A==,iv:/8WQQNedS0IAzgonS2iHP2IYodQn1vCLYacUnsCG8EA=,tag:/Su1J+9T8hTp4j2Ac3V19A==,type:str] sops: kms: [] gcp_kms: [] 
@@ -17,14 +14,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnM0U5cFo4RVkwK2tVVExG - eEd6clNjRTZ0NERFbHl6UGwvY09VZ2JMTVdNCjV3YUVBblpPMERXbHlqd1RjU1Yw - cUd3SGxoaDJlWVNERGJPcCs2T1BzKzQKLS0tIFRGdVR2cDRpM0hTbUJCQ0lSenpv - Myt3ckVHaGVCZ1AxbFdMYkpKbUorMUEKC/TWowP3aC/OUbjcLh7vq8f1vPjX4s6l - 4J2WkvuQPbVq/JdL/xRPwqx7S1ya4FQ1kG9zQGVTqRl46y+Cpy+vdA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycEZZbUZiR3lqZGtwMVRq + eGR2RXBNVGN2dUZ5TWhwTHhaV3B1a2k2K0RnCmNOTzdpM2s5STAwdkl4NWJYSHZj + czd6c0p5c08rRkk4K0JraGRRNGRyUncKLS0tIE0vZTVyNmhhWk9UR0NXZE5aY0p0 + NEYweXMxcThKN202RGc2WWNrWXpLYlkKtKPp6Mq2TPzwDsFb/DsFbu0Z9oifpbaB + WpETOGZaCpJQOPZKy92F0HhAAvyS6kVR9yJ0Mx2p+KYl53+wf6ciuA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-06T03:16:12Z" - mac: ENC[AES256_GCM,data:VBD+a3nKoLtlAVgolaI9DOjfvTzQSMb98q/U1kuC24jBPyNZNpT/nZgoUyoukqnaQLK3B4YSMwUh/tRW6AAb9Hq9iZ0AEybX5cgeEi1YcTvTlCov08e7/Q7uhTytmy/nmK4NSUjHuFMupVd/65okbVuIWD3X18qXSRN4kz7z+KU=,iv:SyhM7GZd1US4ekDxNiymyMg1r89667fAsXvFTFAUsT0=,tag:1gSpKcE3dU7j9Qba7EkAXQ==,type:str] + lastmodified: "2023-09-05T01:23:39Z" + mac: ENC[AES256_GCM,data:4THiNiZCRH4yTTiTPk5OcE0tRxg9BgxK5gpGVLwrmNMNxnrQ6bX9vnytjUBZqI5kjbjv4zQRlJ5SmfGtY2Ms8nG2QEbYVnA7gpCope9pUrGbe4P35P3VmVGaCYowyXixkn48rFv6hr0BZr29HNlJKvE88BhIF26J0ZdBEO0tqaI=,iv:w0ZCXwq1XV2myqgQFMZUsDvtZzomgdfptOVgbc8s9Xc=,tag:1xG6+ZB15boAOBmqAl9f2w==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.tmpl b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.tmpl index 6ecfa2ab5..28ab06c94 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.tmpl +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.tmpl 
@@ -8,4 +8,4 @@ metadata: annotations: reloader.stakater.com/match: "true" stringData: - api-token: "${SECRET_CLOUDFLARE_TOKEN}" + api-token: "${CLOUDFLARE_TOKEN}" diff --git a/kubernetes/apps/cert-manager/cert-manager/ks.yaml b/kubernetes/apps/cert-manager/cert-manager/ks.yaml index d4e72d187..e0fb44b3a 100644 --- a/kubernetes/apps/cert-manager/cert-manager/ks.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/ks.yaml @@ -3,14 +3,14 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-cert-manager + name: cert-manager namespace: flux-system spec: path: ./kubernetes/apps/cert-manager/cert-manager/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes wait: true interval: 30m retryInterval: 1m @@ -20,16 +20,17 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-cert-manager-issuers + name: cert-manager-issuers namespace: flux-system spec: dependsOn: - - name: apps-cert-manager + - name: cert-manager path: ./kubernetes/apps/cert-manager/cert-manager/issuers prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: true interval: 30m retryInterval: 1m timeout: 5m @@ -38,18 +39,19 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-cert-manager-certs + name: cert-manager-certificates namespace: flux-system spec: dependsOn: - - name: apps-cert-manager - - name: apps-cert-manager-issuers - - name: apps-kube-system-reflector - path: ./kubernetes/apps/cert-manager/cert-manager/certs + - name: cert-manager + - name: cert-manager-issuers + # - name: kube-system-reflector + path: ./kubernetes/apps/cert-manager/cert-manager/certificates prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: true interval: 30m retryInterval: 1m timeout: 5m 
@@ -58,17 +60,18 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-cert-manager-addons + name: cert-manager-addons namespace: flux-system spec: dependsOn: - - name: apps-cert-manager - - name: apps-monitoring-grafana - path: ./kubernetes/apps/cert-manager/cert-manager/certs + - name: cert-manager + - name: monitoring-grafana + path: ./kubernetes/apps/cert-manager/addons prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/cnpg-system/cloudnative-pg/add-ons/cloudnative-postgres.json b/kubernetes/apps/cnpg-system/cloudnative-pg/addons/cloudnative-postgres.json similarity index 100% rename from kubernetes/apps/cnpg-system/cloudnative-pg/add-ons/cloudnative-postgres.json rename to kubernetes/apps/cnpg-system/cloudnative-pg/addons/cloudnative-postgres.json diff --git a/kubernetes/apps/cnpg-system/cloudnative-pg/add-ons/kustomization.yaml b/kubernetes/apps/cnpg-system/cloudnative-pg/addons/kustomization.yaml similarity index 100% rename from kubernetes/apps/cnpg-system/cloudnative-pg/add-ons/kustomization.yaml rename to kubernetes/apps/cnpg-system/cloudnative-pg/addons/kustomization.yaml diff --git a/kubernetes/apps/cnpg-system/cloudnative-pg/ks.yaml b/kubernetes/apps/cnpg-system/cloudnative-pg/ks.yaml index 45b5b69a0..dbec4157e 100644 --- a/kubernetes/apps/cnpg-system/cloudnative-pg/ks.yaml +++ b/kubernetes/apps/cnpg-system/cloudnative-pg/ks.yaml @@ -3,14 +3,14 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-cnpg-system-operator + name: cnpg-system-operator namespace: flux-system spec: path: ./kubernetes/apps/cnpg-system/cloudnative-pg/operator prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes wait: true interval: 30m retryInterval: 1m 
@@ -20,19 +20,19 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-cnpg-system-addons + name: cnpg-system-addons namespace: flux-system spec: dependsOn: - - name: apps-cnpg-system-operator - # - name: apps-default-cnpg-db - - name: apps-monitoring-kube-prometheus-stack - - name: apps-monitoring-grafana - path: ./kubernetes/apps/cnpg-system/cloudnative-pg/add-ons + - name: cnpg-system-operator + - name: monitoring-kube-prometheus-stack + - name: monitoring-grafana + path: ./kubernetes/apps/cnpg-system/cloudnative-pg/addons prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/cnpg-system/cloudnative-pg/operator/helmrelease.yaml b/kubernetes/apps/cnpg-system/cloudnative-pg/operator/helmrelease.yaml index e6bc3da5a..cb38916e5 100644 --- a/kubernetes/apps/cnpg-system/cloudnative-pg/operator/helmrelease.yaml +++ b/kubernetes/apps/cnpg-system/cloudnative-pg/operator/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://github.com/cloudnative-pg/charts chart: cloudnative-pg version: 0.18.2 sourceRef: kind: HelmRepository - name: cloudnativepg-charts + name: cloudnativepg namespace: flux-system maxHistory: 3 install: diff --git a/kubernetes/apps/datasci/docat/app/backup/secret.sops.yaml.tmpl b/kubernetes/apps/datasci/docat/app/backup/secret.sops.yaml.tmpl index 633efd3f5..2047f4d79 100644 --- a/kubernetes/apps/datasci/docat/app/backup/secret.sops.yaml.tmpl +++ b/kubernetes/apps/datasci/docat/app/backup/secret.sops.yaml.tmpl 
@@ -7,10 +7,10 @@ metadata: type: Opaque stringData: # The repository url; add trailing folders if multiple PVCs per app (one per PVC) - RESTIC_REPOSITORY: s3:https://${SECRET_S3_ENDPOINT}/restic-docat + RESTIC_REPOSITORY: s3:https://${S3_ENDPOINT}/restic-docat # The repository encryption key - RESTIC_PASSWORD: ${SECRET_DEFAULT_PWD} + RESTIC_PASSWORD: ${DEFAULT_PWD} # ENV vars specific to the chosen back end # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html - AWS_ACCESS_KEY_ID: ${SECRET_S3_ACCESS_KEY} - AWS_SECRET_ACCESS_KEY: ${SECRET_S3_SECRET_KEY} + AWS_ACCESS_KEY_ID: ${S3_ACCESS_KEY} + AWS_SECRET_ACCESS_KEY: ${S3_SECRET_KEY} diff --git a/kubernetes/apps/datasci/docat/app/helmrelease.yaml b/kubernetes/apps/datasci/docat/app/helmrelease.yaml index c33a539ac..87146fb01 100755 --- a/kubernetes/apps/datasci/docat/app/helmrelease.yaml +++ b/kubernetes/apps/datasci/docat/app/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system maxHistory: 3 install: @@ -59,7 +58,7 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/datasci/docat/ks.yaml b/kubernetes/apps/datasci/docat/ks.yaml index fc7188d39..d03c78157 100644 --- a/kubernetes/apps/datasci/docat/ks.yaml +++ b/kubernetes/apps/datasci/docat/ks.yaml 
@@ -3,19 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-datasci-docat + name: datasci-docat namespace: flux-system spec: dependsOn: - - name: apps-networking-ingress-nginx - - name: apps-rook-ceph-cluster - - name: apps-volsync + - name: rook-ceph-cluster path: ./kubernetes/apps/datasci/docat/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/datasci/mlflow/app/backup/secret.sops.yaml.tmpl b/kubernetes/apps/datasci/mlflow/app/backup/secret.sops.yaml.tmpl index d67d77776..5fce56bd2 100644 --- a/kubernetes/apps/datasci/mlflow/app/backup/secret.sops.yaml.tmpl +++ b/kubernetes/apps/datasci/mlflow/app/backup/secret.sops.yaml.tmpl @@ -7,10 +7,10 @@ metadata: type: Opaque stringData: # The repository url; add trailing folders if multiple PVCs per app (one per PVC) - RESTIC_REPOSITORY: s3:https://${SECRET_S3_ENDPOINT}/restic-mlflow + RESTIC_REPOSITORY: s3:https://${S3_ENDPOINT}/restic-mlflow # The repository encryption key - RESTIC_PASSWORD: ${SECRET_DEFAULT_PWD} + RESTIC_PASSWORD: ${DEFAULT_PWD} # ENV vars specific to the chosen back end # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html - AWS_ACCESS_KEY_ID: ${SECRET_S3_ACCESS_KEY} - AWS_SECRET_ACCESS_KEY: ${SECRET_S3_SECRET_KEY} + AWS_ACCESS_KEY_ID: ${S3_ACCESS_KEY} + AWS_SECRET_ACCESS_KEY: ${S3_SECRET_KEY} diff --git a/kubernetes/apps/datasci/mlflow/app/helmrelease.yaml b/kubernetes/apps/datasci/mlflow/app/helmrelease.yaml index 6cb8773ac..12e8832c1 100755 --- a/kubernetes/apps/datasci/mlflow/app/helmrelease.yaml +++ b/kubernetes/apps/datasci/mlflow/app/helmrelease.yaml 
@@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system maxHistory: 3 install: @@ -70,7 +69,7 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/datasci/mlflow/ks.yaml b/kubernetes/apps/datasci/mlflow/ks.yaml index 3625db709..08a3a4892 100644 --- a/kubernetes/apps/datasci/mlflow/ks.yaml +++ b/kubernetes/apps/datasci/mlflow/ks.yaml @@ -3,17 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-datasci-mlflow-db + name: datasci-mlflow-db namespace: flux-system spec: dependsOn: - - name: apps-datasci-cnpg-db - - name: apps-datasci-postgres-operator + - name: datasci-cnpg-db + - name: datasci-postgres-operator path: ./kubernetes/apps/datasci/mlflow/db prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes interval: 30m retryInterval: 1m timeout: 5m @@ -22,20 +22,18 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-datasci-mlflow + name: datasci-mlflow namespace: flux-system spec: dependsOn: - - name: apps-datasci-mlflow-db - - name: apps-networking-ingress-nginx - - name: apps-rook-ceph-cluster - - name: apps-volsync + - name: datasci-mlflow-db + - name: rook-ceph-cluster path: ./kubernetes/apps/datasci/mlflow/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/datasci/postgres/cloudnative-pg/db/cluster.yaml b/kubernetes/apps/datasci/postgres/cloudnative-pg/db/cluster.yaml index c4ebe4e57..b15c55082 100644 
--- a/kubernetes/apps/datasci/postgres/cloudnative-pg/db/cluster.yaml +++ b/kubernetes/apps/datasci/postgres/cloudnative-pg/db/cluster.yaml @@ -38,11 +38,11 @@ spec: # # name: -user-secret ## Alternative bootstrap method: start from a backup recovery: - source: &s3-backup datasci # next time it will be datasci-v2 + source: &old_db datasci-v2 # next time it will be datasci-v3 # externalClusters is needed when recovering from an existing cnpg cluster externalClusters: - - name: *s3-backup + - name: *old_db barmanObjectStore: endpointURL: https://${SECRET_S3_ENDPOINT} destinationPath: s3://postgres/ @@ -60,7 +60,7 @@ spec: backup: retentionPolicy: 30d barmanObjectStore: - serverName: datasci-v2 # next time it will be datasci-v3 + serverName: ¤t_db datasci-v3 # next time it will be datasci-v4 endpointURL: https://${SECRET_S3_ENDPOINT} destinationPath: s3://postgres/ s3Credentials: diff --git a/kubernetes/apps/datasci/postgres/cloudnative-pg/db/secrets.sops.yaml.tmpl b/kubernetes/apps/datasci/postgres/cloudnative-pg/db/secrets.sops.yaml.tmpl index de6bbd5fd..03d270c5b 100644 --- a/kubernetes/apps/datasci/postgres/cloudnative-pg/db/secrets.sops.yaml.tmpl +++ b/kubernetes/apps/datasci/postgres/cloudnative-pg/db/secrets.sops.yaml.tmpl @@ -9,7 +9,7 @@ metadata: reloader.stakater.com/match: "true" stringData: username: postgres - password: ${SECRET_DB_ROOT_PWD} + password: ${DB_ROOT_PWD} --- # yamllint disable apiVersion: v1 @@ -19,5 +19,5 @@ metadata: namespace: datasci type: Opaque stringData: - S3_ACCESS_KEY: ${SECRET_S3_ACCESS_KEY} - S3_SECRET_KEY: ${SECRET_S3_SECRET_KEY} + S3_ACCESS_KEY: ${S3_ACCESS_KEY} + S3_SECRET_KEY: ${S3_SECRET_KEY} diff --git a/kubernetes/apps/datasci/postgres/cloudnative-pg/ks.yaml b/kubernetes/apps/datasci/postgres/cloudnative-pg/ks.yaml index 94532437e..42358908f 100644 --- a/kubernetes/apps/datasci/postgres/cloudnative-pg/ks.yaml +++ b/kubernetes/apps/datasci/postgres/cloudnative-pg/ks.yaml 
@@ -3,18 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-datasci-cnpg-db + name: datasci-cnpg-db namespace: flux-system spec: dependsOn: - - name: apps-cnpg-system-operator - - name: apps-monitoring-kube-prometheus-stack - # - name: apps-rook-ceph-cluster + - name: cnpg-system-operator + - name: monitoring-kube-prometheus-stack path: ./kubernetes/apps/datasci/postgres/cloudnative-pg/db prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/datasci/postgres/postgres-operator/app/helmrelease.yaml b/kubernetes/apps/datasci/postgres/postgres-operator/app/helmrelease.yaml index 022265198..75b2e53c3 100644 --- a/kubernetes/apps/datasci/postgres/postgres-operator/app/helmrelease.yaml +++ b/kubernetes/apps/datasci/postgres/postgres-operator/app/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://movetokube.github.io/postgres-operator/ chart: ext-postgres-operator version: 1.2.3 sourceRef: kind: HelmRepository - name: movetokube-charts + name: movetokube namespace: flux-system maxHistory: 3 install: diff --git a/kubernetes/apps/datasci/postgres/postgres-operator/app/secret.sops.yaml.tmpl b/kubernetes/apps/datasci/postgres/postgres-operator/app/secret.sops.yaml.tmpl index f9989031a..c44f33d24 100644 --- a/kubernetes/apps/datasci/postgres/postgres-operator/app/secret.sops.yaml.tmpl +++ b/kubernetes/apps/datasci/postgres/postgres-operator/app/secret.sops.yaml.tmpl @@ -10,7 +10,7 @@ type: Opaque stringData: POSTGRES_HOST: "datasci-rw.datasci.svc.cluster.local" POSTGRES_USER: "postgres" - POSTGRES_PASS: "${SECRET_DB_ROOT_PWD}" + POSTGRES_PASS: "${DB_ROOT_PWD}" POSTGRES_DEFAULT_DATABASE: "postgres" POSTGRES_URI_ARGS: "" POSTGRES_CLOUD_PROVIDER: "" 
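Review bot: in `datasci/postgres/cloudnative-pg/db/cluster.yaml` the unchanged context lines still read `endpointURL: https://${SECRET_S3_ENDPOINT}` for both the `externalClusters` recovery source and `backup.barmanObjectStore`, while the sibling `secrets.sops.yaml.tmpl` switches to `${S3_ACCESS_KEY}` / `${S3_SECRET_KEY}` and the restic templates to `${S3_ENDPOINT}`. If the `SECRET_` prefix is being dropped from the substitution variables, `${SECRET_S3_ENDPOINT}` no longer resolves and both the backups and the recovery path end up with a malformed endpoint URL; either rename those two lines as well or say explicitly that the endpoint variable keeps its old name. Separately, the new anchor on `serverName` is declared but never referenced in the hunk (it is rendered here as `¤t_db`, which looks like `&current_db` mangled by entity decoding in this view); worth checking the committed file and dropping the anchor if nothing uses it.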
@@ -21,7 +21,7 @@ stringData: # host: "datasci-rw.datasci.svc.cluster.local" # # postgres admin user and password # user: "postgres" - # password: "${SECRET_DB_ROOT_PWD}" + # password: "${DB_ROOT_PWD}" # # additional connection args to pg driver # uri_args: "" # # postgres cloud provider, could be AWS, Azure, GCP or empty (default) diff --git a/kubernetes/apps/datasci/postgres/postgres-operator/ks.yaml b/kubernetes/apps/datasci/postgres/postgres-operator/ks.yaml index a6887e23d..c175115ed 100644 --- a/kubernetes/apps/datasci/postgres/postgres-operator/ks.yaml +++ b/kubernetes/apps/datasci/postgres/postgres-operator/ks.yaml @@ -3,16 +3,16 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-datasci-postgres-operator + name: datasci-postgres-operator namespace: flux-system spec: dependsOn: - - name: apps-datasci-cnpg-db + - name: datasci-cnpg-db path: ./kubernetes/apps/datasci/postgres/postgres-operator/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes wait: true interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/datasci/prefect/agent/helmrelease.yaml b/kubernetes/apps/datasci/prefect/agent/helmrelease.yaml index 76b8b4dea..d02abffef 100755 --- a/kubernetes/apps/datasci/prefect/agent/helmrelease.yaml +++ b/kubernetes/apps/datasci/prefect/agent/helmrelease.yaml @@ -14,7 +14,7 @@ spec: version: 2023.09.18 sourceRef: kind: HelmRepository - name: prefect-charts + name: prefect namespace: flux-system maxHistory: 3 install: diff --git a/kubernetes/apps/datasci/prefect/ks.yaml b/kubernetes/apps/datasci/prefect/ks.yaml index 5a701a900..011fe20b5 100644 --- a/kubernetes/apps/datasci/prefect/ks.yaml +++ b/kubernetes/apps/datasci/prefect/ks.yaml 
@@ -3,17 +3,18 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-datasci-prefect-db + name: datasci-prefect-db namespace: flux-system spec: dependsOn: - - name: apps-datasci-cnpg-db - - name: apps-datasci-postgres-operator + - name: datasci-cnpg-db + - name: datasci-postgres-operator path: ./kubernetes/apps/datasci/prefect/db prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: true interval: 30m retryInterval: 1m timeout: 5m @@ -22,19 +23,17 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-datasci-prefect-server + name: datasci-prefect-server namespace: flux-system spec: dependsOn: - - name: apps-datasci-prefect-db - - name: apps-networking-ingress-nginx - - name: apps-rook-ceph-cluster + - name: datasci-prefect-db path: ./kubernetes/apps/datasci/prefect/server prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m @@ -43,18 +42,18 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-datasci-prefect-agent + name: datasci-prefect-agent namespace: flux-system spec: dependsOn: - - name: apps-datasci-prefect-server - - name: apps-datasci-prefect-db + - name: datasci-prefect-server + - name: datasci-prefect-db path: ./kubernetes/apps/datasci/prefect/agent prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m 
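Review bot: `prefect/agent/helmrelease.yaml` switches `sourceRef.name` from `prefect-charts` to `prefect`, and the other HelmReleases in this change do the same (`bjw-s-charts` to `bjw-s`, `cloudnativepg-charts` to `cloudnativepg`, `movetokube-charts` to `movetokube`), but the `HelmRepository` objects in `flux-system` are not part of this section. If they are not renamed in the same change, each of these HelmReleases fails to fetch its chart, and because the consuming Kustomizations now carry `wait: false`, that failure no longer surfaces on the Kustomization or on anything that `dependsOn` it; confirm the repository renames are included. In the `ks.yaml` hunk just above, `datasci-prefect-server` also drops `rook-ceph-cluster` from `dependsOn` while docat and mlflow keep it; if prefect-server has no rook-backed volume that is fine, otherwise it should stay.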
@@ -62,18 +61,18 @@ spec: # apiVersion: kustomize.toolkit.fluxcd.io/v1 # kind: Kustomization # metadata: -# name: apps-datasci-prefect-worker +# name: datasci-prefect-worker # namespace: flux-system # spec: # dependsOn: -# - name: apps-datasci-prefect-server -# - name: apps-datasci-prefect-db +# - name: datasci-prefect-server +# - name: datasci-prefect-db # path: ./kubernetes/apps/datasci/prefect/worker # prune: true # sourceRef: # kind: GitRepository -# name: homelab-gitops-k3s -# wait: true +# name: home-kubernetes +# wait: false # interval: 30m # retryInterval: 1m # timeout: 5m diff --git a/kubernetes/apps/datasci/prefect/server/helmrelease.yaml b/kubernetes/apps/datasci/prefect/server/helmrelease.yaml index 7514b670e..140a2ce8f 100755 --- a/kubernetes/apps/datasci/prefect/server/helmrelease.yaml +++ b/kubernetes/apps/datasci/prefect/server/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://prefecthq.github.io/prefect-helm chart: prefect-server version: 2023.09.18 sourceRef: kind: HelmRepository - name: prefect-charts + name: prefect namespace: flux-system maxHistory: 3 install: diff --git a/kubernetes/apps/datasci/prefect/worker/helmrelease.yaml b/kubernetes/apps/datasci/prefect/worker/helmrelease.yaml index 7b4cea6d9..ae878a96e 100755 --- a/kubernetes/apps/datasci/prefect/worker/helmrelease.yaml +++ b/kubernetes/apps/datasci/prefect/worker/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://prefecthq.github.io/prefect-helm chart: prefect-worker version: 2023.09.18 sourceRef: kind: HelmRepository - name: prefect-charts + name: prefect namespace: flux-system maxHistory: 3 install: diff --git a/kubernetes/apps/debug/dnsutils/README.md b/kubernetes/apps/debug/dnsutils/README.md index d722c7f0c..9fc8b5f79 100644 --- a/kubernetes/apps/debug/dnsutils/README.md +++ b/kubernetes/apps/debug/dnsutils/README.md 
@@ -1,3 +1,5 @@ # [DNSUtils](https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/) Debug k8s dns + +See also: [create a simple pod to use as a test environment](https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#create-a-simple-pod-to-use-as-a-test-environment) diff --git a/kubernetes/apps/debug/dnsutils/app/helmrelease.yaml b/kubernetes/apps/debug/dnsutils/app/helmrelease.yaml index a14edc984..361c2d4dd 100644 --- a/kubernetes/apps/debug/dnsutils/app/helmrelease.yaml +++ b/kubernetes/apps/debug/dnsutils/app/helmrelease.yaml @@ -1,4 +1,3 @@ -# Debugging DNS https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#create-a-simple-pod-to-use-as-a-test-environment --- # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json apiVersion: helm.toolkit.fluxcd.io/v2beta1 @@ -7,14 +6,14 @@ metadata: name: dnsutils namespace: debug spec: - interval: 15m + interval: 30m chart: spec: chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: createNamespace: true @@ -33,3 +32,4 @@ spec: command: - sleep - "3600" + # ingress: {} # None diff --git a/kubernetes/apps/debug/dnsutils/ks.yaml b/kubernetes/apps/debug/dnsutils/ks.yaml index 66054f479..af90818f4 100644 --- a/kubernetes/apps/debug/dnsutils/ks.yaml +++ b/kubernetes/apps/debug/dnsutils/ks.yaml @@ -3,15 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-debug-dnsutils + name: debug-dnsutils namespace: flux-system spec: path: ./kubernetes/apps/debug/dnsutils/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m 
diff --git a/kubernetes/apps/debug/echo-server/app/helmrelease.yaml b/kubernetes/apps/debug/echo-server/app/helmrelease.yaml index fbbdc95ae..26de22f0e 100644 --- a/kubernetes/apps/debug/echo-server/app/helmrelease.yaml +++ b/kubernetes/apps/debug/echo-server/app/helmrelease.yaml @@ -6,14 +6,14 @@ metadata: name: echo-server namespace: debug spec: - interval: 15m + interval: 30m chart: spec: chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system maxHistory: 3 install: @@ -27,7 +27,7 @@ spec: keepHistory: false values: controller: - replicas: 1 + strategy: RollingUpdate image: repository: docker.io/jmalloc/echo-server tag: 0.3.5 @@ -39,12 +39,13 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: external annotations: - nginx.ingress.kubernetes.io/whitelist-source-range: | - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}" + # nginx.ingress.kubernetes.io/whitelist-source-range: | + # 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 hosts: - - host: &host "echo.${SECRET_DOMAIN}" + - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}" paths: - path: / pathType: Prefix diff --git a/kubernetes/apps/debug/echo-server/ks.yaml b/kubernetes/apps/debug/echo-server/ks.yaml index d4be5d597..031f2eed2 100644 --- a/kubernetes/apps/debug/echo-server/ks.yaml +++ b/kubernetes/apps/debug/echo-server/ks.yaml @@ -3,17 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-debug-echo + name: debug-echo-server namespace: flux-system spec: - dependsOn: - - name: apps-networking-ingress-nginx path: ./kubernetes/apps/debug/echo-server/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m 
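Review bot: `debug/echo-server/app/helmrelease.yaml` moves the ingress to `ingressClassName: external`, adds an `external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}"` record and comments out the `whitelist-source-range`, so a debug service whose job is to reflect requests back to the caller becomes reachable from the internet with no authentication and no source-IP restriction, while the other debug apps in this change (dnsutils, httpbin) stay on `internal`. If public exposure is deliberate, say so in the file, keep the allowlist or front it with auth, and plan to remove the record once the external ingress path is verified; otherwise `internal` is the safer default for anything under `debug/`.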
diff --git a/kubernetes/apps/debug/httpbin/app/helmrelease.yaml b/kubernetes/apps/debug/httpbin/app/helmrelease.yaml index 92132b9ac..9f9c9eb02 100644 --- a/kubernetes/apps/debug/httpbin/app/helmrelease.yaml +++ b/kubernetes/apps/debug/httpbin/app/helmrelease.yaml @@ -3,18 +3,17 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: httpbin - namespace: debug + name: &name httpbin + namespace: &namespace debug spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: createNamespace: true @@ -29,6 +28,9 @@ spec: annotations: reloader.stakater.com/search: "true" + controller: + strategy: RollingUpdate + image: repository: kennethreitz/httpbin tag: latest @@ -39,12 +41,12 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 hosts: - - host: &host "httpbin.${SECRET_DOMAIN}" + - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}" paths: - path: / pathType: Prefix diff --git a/kubernetes/apps/debug/httpbin/ks.yaml b/kubernetes/apps/debug/httpbin/ks.yaml index 1c72fd89a..606733d00 100644 --- a/kubernetes/apps/debug/httpbin/ks.yaml +++ b/kubernetes/apps/debug/httpbin/ks.yaml @@ -3,17 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-debug-httpbin + name: debug-httpbin namespace: flux-system spec: - dependsOn: - - name: apps-networking-ingress-nginx path: ./kubernetes/apps/debug/httpbin/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m 
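Review bot: `debug/httpbin/app/helmrelease.yaml` still runs `kennethreitz/httpbin` with `tag: latest` (unchanged context right under the new `controller.strategy: RollingUpdate`); a mutable tag in a GitOps repo means what runs is whatever the registry serves at pull time, not what the commit records, and no update tooling can track it. Pin a tag or a digest. The new `&name httpbin` / `&namespace debug` anchors on `metadata` are declared but not referenced anywhere in the hunk; either use them (the ingress host now uses `{{ .Release.Name }}` instead) or drop them so they do not read as leftovers.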
diff --git a/kubernetes/apps/default/changedetection/app/backup/secret.sops.yaml b/kubernetes/apps/default/changedetection/app/backup/secret.sops.yaml index dec65a3ae..006bbd22a 100644 --- a/kubernetes/apps/default/changedetection/app/backup/secret.sops.yaml +++ b/kubernetes/apps/default/changedetection/app/backup/secret.sops.yaml 
@@ -5,14 +5,14 @@ metadata: namespace: default type: Opaque stringData: - #ENC[AES256_GCM,data:YTwDtHHmoi3MuQtsesOG1VU/AgwVEK8ch6g/Gs5OrwUlldvda3L6IlU7a8tTTftjw3Pw9AG1UVasGs8zCllPcEOkQH1GIDNBk4RpPtxWqm0=,iv:ukcgr7Ty15FphRfGH66y05cjPbWiFJKtJ8ub0+PY7oM=,tag:CJXWBK10V3cQgElBIWOSHg==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:gmeRrhV8Qcpnho+ZPtsWPkqBh1grKNZYX185NBYi50oWul6mghBD1Vy2fjz+j1Vua0Ph+0Yypfw2ITh1QFD6nw==,iv:w4zpmUWVduJxO3BjWWMQeS1crpvQb4UIawSNt9dSYP4=,tag:SDZgYCXJAWDIwoXiE6W/6A==,type:str] - #ENC[AES256_GCM,data:86N+/57ea6KOvXKPWJMz6c1WSjl8yXKpKPAnCE8l,iv:zoODIgM8qzNwYG5E78tEWzfGxXiYIxfagut+ek8aIrY=,tag:fqIVcAeFAUvdFnk/jYzSZA==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:R6+tH1/+roqJn3H0,iv:6mWvcJhwvTkPsDtB9M2FjSmvGhFtWZpzREv2kHilyPE=,tag:YbNv76HukjNVDV58pGfwrw==,type:str] - #ENC[AES256_GCM,data:yfLSqceYdL8qpeFJiE0iPuf/UrthB/B8uAXt2wjj/nNnHNe25xIKJRA=,iv:C49VyJDs+rQyHF6adDpx5WtM223AOFTvJNQmufZp79I=,tag:CgZDnNvwV8xVJwwMXSI8kQ==,type:comment] - #ENC[AES256_GCM,data:RxvmKmNv3XeqK6orxOzeu2+csAptO4swyg26nzDdtjIOHU5AvJcl6wh2EiGv9EzrS3GTf+lzpvpjvgotgCwjT3/MQuxjSg==,iv:A6cbI1h40x03rjUvqGRz1nC43qC/d+3//0aFxtk/TLI=,tag:rxGQcb+vYfj8+gK2VRnB9A==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:LVnmVvoaXKBL1MMP2ADpYCV9NcQ=,iv:IsSFfFHTvZKH6awBsoZCsyBWB0vcPHIsekJoXHP53WA=,tag:/oc+AvAukNf/RV5ulciCtw==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:iVhpxOHlAZemou8/W+bOk9lUdgFfaNJEI3KAQ7UNOA==,iv:o0lRE4nE2FaQblvv1C7OTy5ygsi7xoUircuhCmL60Ck=,tag:S/tyGvdBGmXgllgjU2w/yw==,type:str] + #ENC[AES256_GCM,data:wzR74ohj28dh5yZ1CgTTxhB8b5Psg/8L5uAT65xPuPvSAEbwWAzIM6xZNw+HvFXHvOLtJSKZ8j8/KlYkF7WpTPspvd6pe6xSkktZI5w4STw=,iv:yDlnP1eBVog7jeKw+bldzKb8ugJITHuaO7PUh7OqNsY=,tag:wVCtizKZphC3niQxLhUbCg==,type:comment] + RESTIC_REPOSITORY: ENC[AES256_GCM,data:MgC7ZsgLfb7i2APfBOD7Tyf1Z+OhwHt1TyJGaiJ879E2aGLuTwWxkfxNuR2RTLSBkFnmHzE9QT7aFVKA07AjVw==,iv:x+a1PsM99SfPlM/iElulQS+5c8kyqKjG8LM6KVBcGh8=,tag:HlEvNYbdwZdxzt8hulHt8A==,type:str] + 
#ENC[AES256_GCM,data:lWhUboxROyG17uZpkzEgwVUweNcpb2FOhrf1c7Ef,iv:/Uvs5S5nTOQCzND6wtrKCDN+pbIwaXsmd8NvtrsSSjE=,tag:5i23XzxUoWgmJtcpqmIBAg==,type:comment] + RESTIC_PASSWORD: ENC[AES256_GCM,data:4fyMECs/Yt6mSvYJ,iv:ox7tRtYz4c+EqSfNzYf9AhoNz1iLjDUTHzGT2hL1bRM=,tag:WRQa8xNiRW2EbUG6B40V5A==,type:str] + #ENC[AES256_GCM,data:/bmOqgHKgo9uE9geypBEs2MIhRDr5729vCa5/N6N8sETPNZj2CIFepQ=,iv:X1TX7YIJSJ+VAOr3lXJ3z24gLGWpAEAMSmnVJa6p49g=,tag:k9hLFY4JIyT8MBY5zrepRw==,type:comment] + #ENC[AES256_GCM,data:9va3NR7UJiQMHUbRO0gUbmcKUnkgunI3hW1IYjtxjtuc6LzAVnftk07CPHVywQ+NgvwEy9v5CiCTaJbtz+LkCzcuVz1tzQ==,iv:rOKIrsqridjPfhV8t7IgrgdqT+rHUqkaIAUmb67yiSo=,tag:HOPltd06FAuO2yuetgJBhw==,type:comment] + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:S3g7Y/puov92/7t+Q4A2F/IupaY=,iv:llXf7V8wkOHXCHFpTPEyAwErR83hjAPWihVDo+Ajd2g=,tag:NChE/pIJbp/+l37nfUAWVQ==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:rlsxpMMPnWDsK/5fP+qPCBuxuE54gWHwdK8z0wYTOQ==,iv:X+FPhaSAx+7xmAuBigrivAjOJlEJuEdShYjHnhoBx8A=,tag:iPKo5Gb7G8L5mijHsiAyTg==,type:str] sops: kms: [] gcp_kms: [] 
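Review bot: `default/changedetection/app/backup/secret.sops.yaml` is re-encrypted here (new ciphertext for every `stringData` entry, `lastmodified` moved to 2023-10-01, same single age recipient), which is the expected result of re-rendering the template after the `${SECRET_*}` to `${*}` rename. The docat and mlflow backup templates earlier in this diff got the identical rename, but I do not see their encrypted `secret.sops.yaml` counterparts in this section; if they were not regenerated those two apps keep whatever was rendered last time, which only matters if the underlying values were changed or rotated alongside the rename. Since the ciphertext is unreviewable, the `.tmpl` files are the only artifact a reviewer can check, so they and the rendered files need to move together.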
@@ -22,14 +22,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaWd0b29DdjY3aEltME9K - a2JUdGlGRE5tV0FxdkZabUpBWHBCZFZmYXhBCkZOK2dEMm9ZWTVzYjlLWkRFOEVx - dXRBcm5sL2RTcFBhVnlkVFUzWmsxeVUKLS0tIDArbUtBOFRjMTBtdGpzTFZ2R3hC - K1g5SGMzcnJUMC9NQWZjSzN6S243bjQKYe7SOsreQrwlwhT3AtcAS+1wOZvwudn7 - W6KJjYNXBpjlIvki2V4kdActBNpQiaP1YM8pYvhzCV2Ir3JwdhygpA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5Z1A5VWVUUGpDTHpjbW9o + bUI1a01KMWtwVnlKT0krTnk2NldMSkxjZms0CjlaRXlmSEhLdmpXMlgxWkxvVHRw + RGlJdkx1eGYzWnVCVENPaEQxRjJJOU0KLS0tIGIzRG1rTjRpckJaaWdkeGJRU3FE + aVNtRWJhbUNLMWFFY2I4blFlWGwrWncK5u87NBfth7kVGPTcnK/umcOeYbl0Rulj + QPvYieRg7scjXQjinto9tochS7wnj8W+rclCIOTHgFMS1VyxCTdzHA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-28T14:50:32Z" - mac: ENC[AES256_GCM,data:HqatWY7e4ecrq1QSUzOoIJ5y3AnGF9vhL5qozet8b8CKiYNSBNwIOFgIXnHPdz+vXLm4VOMiBho62A5puczbTd/jpnmoq4qtLtNkG5rASVrFrW8XWppYvNNEKqFT5awriSEZo/uE4reX2K7mi/dHdkqHsORi6OF5MLYOuBaiJME=,iv:aJ+vkP6EOGGcJSBshDsw332PYFsEKqu4J6/DWjJ2KaM=,tag:VNg+efyeL6a8kTNuHI6Slw==,type:str] + lastmodified: "2023-10-01T19:07:13Z" + mac: ENC[AES256_GCM,data:s6tpXhaS3NnSDProsdyWqbkdOhsnb8Xtl6M0WMKK8A3/DdeLl/5osTmjAWqx9H3pfVzrBK8pG0rGvdTjKYWFA4wc/eNJKfYG1wqZLSRqOJXWIIe79CTC0QvolVxQSoEE7c6vAW93KDJ1h8/JY0fbCx72YhtsdgWhIBdRvxaNtvA=,iv:2gphXLpUrgNatxf23Exsvx7N9QIJFOWu+1fDdgLtXwc=,tag:8zEGWDbBnjuk51oFtgnHHA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/default/changedetection/app/backup/secret.sops.yaml.tmpl b/kubernetes/apps/default/changedetection/app/backup/secret.sops.yaml.tmpl index c126ee1bb..0d33037d2 100644 --- a/kubernetes/apps/default/changedetection/app/backup/secret.sops.yaml.tmpl +++ b/kubernetes/apps/default/changedetection/app/backup/secret.sops.yaml.tmpl 
@@ -7,10 +7,10 @@ metadata: type: Opaque stringData: # The repository url; add trailing folders if multiple PVCs per app (one per PVC) - RESTIC_REPOSITORY: s3:https://${SECRET_S3_ENDPOINT}/restic-changedetection + RESTIC_REPOSITORY: s3:https://${S3_ENDPOINT}/restic-changedetection # The repository encryption key - RESTIC_PASSWORD: ${SECRET_DEFAULT_PWD} + RESTIC_PASSWORD: ${DEFAULT_PWD} # ENV vars specific to the chosen back end # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html - AWS_ACCESS_KEY_ID: ${SECRET_S3_ACCESS_KEY} - AWS_SECRET_ACCESS_KEY: ${SECRET_S3_SECRET_KEY} + AWS_ACCESS_KEY_ID: ${S3_ACCESS_KEY} + AWS_SECRET_ACCESS_KEY: ${S3_SECRET_KEY} diff --git a/kubernetes/apps/default/changedetection/app/helmrelease.yaml b/kubernetes/apps/default/changedetection/app/helmrelease.yaml index 51b66d119..7bde7d995 100644 --- a/kubernetes/apps/default/changedetection/app/helmrelease.yaml +++ b/kubernetes/apps/default/changedetection/app/helmrelease.yaml @@ -14,7 +14,7 @@ spec: version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: createNamespace: true @@ -53,7 +53,7 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/default/changedetection/ks.yaml b/kubernetes/apps/default/changedetection/ks.yaml index 5fe47ec8e..c012e6740 100644 --- a/kubernetes/apps/default/changedetection/ks.yaml +++ b/kubernetes/apps/default/changedetection/ks.yaml 
@@ -3,18 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-changedetection + name: default-changedetection namespace: flux-system spec: - dependsOn: - - name: apps-networking-ingress-nginx - - name: apps-volsync + # dependsOn: + # - name: networking-nginx-internal path: ./kubernetes/apps/default/changedetection/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/cyberchef/app/helmrelease.yaml b/kubernetes/apps/default/cyberchef/app/helmrelease.yaml index 6dfcaaec4..76e21d230 100644 --- a/kubernetes/apps/default/cyberchef/app/helmrelease.yaml +++ b/kubernetes/apps/default/cyberchef/app/helmrelease.yaml @@ -6,22 +6,26 @@ metadata: name: cyberchef namespace: default spec: - interval: 15m + interval: 30m chart: spec: chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system + maxHistory: 3 install: createNamespace: true remediation: retries: 3 upgrade: + cleanupOnFail: true remediation: retries: 3 + uninstall: + keepHistory: false values: image: # https://hub.docker.com/r/mpepping/cyberchef @@ -37,10 +41,11 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: external annotations: - nginx.ingress.kubernetes.io/whitelist-source-range: | - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}" + # nginx.ingress.kubernetes.io/whitelist-source-range: | + # 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 hosts: - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}" paths: diff --git a/kubernetes/apps/default/cyberchef/ks.yaml b/kubernetes/apps/default/cyberchef/ks.yaml index 7434e686d..7a82176cd 100644 --- a/kubernetes/apps/default/cyberchef/ks.yaml +++ b/kubernetes/apps/default/cyberchef/ks.yaml 
@@ -3,16 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-cyberchef + name: default-cyberchef namespace: flux-system spec: - dependsOn: - - name: apps-networking-ingress-nginx path: ./kubernetes/apps/default/cyberchef/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/homebox/app/backup/secret.sops.yaml b/kubernetes/apps/default/homebox/app/backup/secret.sops.yaml index 2a4dc5656..2953c23aa 100644 --- a/kubernetes/apps/default/homebox/app/backup/secret.sops.yaml +++ b/kubernetes/apps/default/homebox/app/backup/secret.sops.yaml 
@@ -5,14 +5,14 @@ metadata: namespace: default type: Opaque stringData: - #ENC[AES256_GCM,data:VKeCCPHerNbwprP6ENI0CfOh7eaYNQsvLcPPe8DZklnuqX3yvN3Umz09Ne+X9qul1gV2MAX5TVxZ24/0/x1LvuwdangCJmFVbC6sfLvafKs=,iv:Nes3KlR7mi3q7x7OPbkRDFvrPZXWMe7nEYcDY9zH208=,tag:XvVFWsjBQTjEUB4FPKlS9Q==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:TFb8JwceL5kqTOJFiRymXMISxUa1O/AG3eNheyPQtPtCo7/7CtpVfjUqbf1aZORvPP9i85rxjAY=,iv:QuaS5UFfuG0LTgby01PP8YiM7uRV+Dg8NVWAhQAS+GE=,tag:WVJsorMnxJgiVfy4G9BzBg==,type:str] - #ENC[AES256_GCM,data:6xDOfCgjsQmlDxc1d2HEfeib0vYD9wIgXyzJaFNe,iv:MpvKu7CIaEtDJ/CY8QU+sDCh+YLbAfimEZbpWxe8n6E=,tag:KDIOrl6+GaaT0wiikIiM7A==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:r77EfJyplGGotAK0,iv:QYSFeG4MpW/lYHa925IC8vxE1GDalgDdsANDh+ShAgc=,tag:9tfwEVbeiS3tSwIhjQhtrw==,type:str] - #ENC[AES256_GCM,data:k8tij//jLQPPYiHkLU2EL7zgw36/cSvzkaXgcC73mULiZCyp5hsUKRc=,iv:iPXW2Nld+zoMU6r4Zwh1tlnuF/itDrggV0EKDOvs5iI=,tag:iGFVcPjpRIhXhOG1b4Q3HA==,type:comment] - #ENC[AES256_GCM,data:P4DglAyMizO+yjZ1JBZou+vmvFWKpVHL4HXgMq1mzcDnBgsaP2WNGAAxTttw1D/AUdbGV7PMHKKCpsIyF0yRSA9MAqDisA==,iv:+iTIqF9QNo2EMAmPq7D8U/0p6UWlAr9OA2x+J+BB/e4=,tag:85a6sA8C+6KRsK2+wIMWyA==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:wuyO2LfosE7S9OC++6N8+oaDVNg=,iv:9hFq/OhC4VGP0eKVToXWksdjQuaHPaDnp4/ksQ7nkIc=,tag:EqLOt863I45/MdnAA/ajLg==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:tSr2ZihpnO+5fyMwJ2QHAC1Ml+FuB/0E6DDiT3sKWQ==,iv:lFx48AS1cO06zGP7Pkns/NeXvlAeoMT0xjUejqZC+fg=,tag:/mPTCMxy6BXMVqdxRETh/A==,type:str] + #ENC[AES256_GCM,data:DiWo+c4uPiEcR3J6uCHW8s5NN1+o53Zh4OlLBHc/Fk2OM9KnlVHQb6ivXP/NluS0e5D5jhMohefwF3c4L7QU4FBRR12xwsEPXwpQa1FOP8A=,iv:UzsdEmax2Kri/fUWQ+9vHGdxhAjVZwthD+h94Z5D+vc=,tag:xpjcdgemzSMmRJugOD9riA==,type:comment] + RESTIC_REPOSITORY: ENC[AES256_GCM,data:JeUZ9i6yY3gO/dNg/1e7ugzzJMKa3Fn9EI3sZsRCK3HYw8qJLX3Md/YOLH9mO1wveaKGuVn9FSM=,iv:k6zAJhenDV5xpyhSZDyXjBRzB0dBMM9ufQrM1D8f8xA=,tag:Ss4Y5K735LWTRYgqIc/m2A==,type:str] + 
#ENC[AES256_GCM,data:Z6ROA0HOWAcbsvbfeE5nvfd/eoWcKLXcsmKf5OUq,iv:q0zIPHUfYKF4XMxLJCyd0Ydbz7YLxdCIpprsNCHTzoI=,tag:uViVNkhNw9ER9CLUu7xLPQ==,type:comment] + RESTIC_PASSWORD: ENC[AES256_GCM,data:PdtJhpfiHFs1yOKV,iv:E/1PAaAABo5rbqdVoV/JKc77qkZwxOqZNs7NxSgGhgQ=,tag:SeKBCGXObMh8eTbSBoH7OQ==,type:str] + #ENC[AES256_GCM,data:AcoNMAGAhJNPECsVew7GHydpQb/FszMOr20bIrZbF6nBWkh41rZG+MQ=,iv:ivaq52M6jdryPRUG8V2JLvO/q6PqmAmT02/8CGr81dM=,tag:a4cTOZD2eOUx9t+cZtk40Q==,type:comment] + #ENC[AES256_GCM,data:PnrYMMN+lGv0Q457DcRu9wE94CTmVs6oMY8aZYc41O6y45C0oEwmseeCLhzQRwCDMKZLRmfh3iyPpd3u+1pTqPNom7SjXQ==,iv:Ue7a9xk0nikK1XSHMHHRiQitD6dQMzs/GFV3NoOXDhQ=,tag:EXw+JtlOgMDAL64Wplbezg==,type:comment] + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:opAepZi+lsy76xc7sai3297tjsw=,iv:OnDH50K0q4YNPnxkSYR5/sup37FblKe/XDPtwOOrqBI=,tag:ZZ2L695FBqHpT3qk2d0yXQ==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:SaWT8rqOZbxLaOoxqeYQNbs7UPifYObWhF+hN0BFYA==,iv:ias38URCGTnotQAiTaK46B8wRwwtsAYGxqMaOjW/QME=,tag:s4qIpJk7tLCO2TEz3Tw+yA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -22,14 +22,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsK0F3NklTbHFOVzRtV1pk - U0lBM0NaQWNLZGdGQ1BwUDNHUjRZVUV4aEdvCjZFSkdtNkFucldqcTRQUmZnUzZs - Zm84ZDVDU1E1bnYyaHhMQUl5Z2F2ZWsKLS0tIHRLYXM3Q3BINmdlaEtkSlptVkx3 - aXU2aTUvZ01pNU5jR0lVaTJYZlpkQm8K1qsBm5DZxZp0nUHIWCragK0YnV66MNp9 - A7fbm3gBLgcAYdTkt1ViOpGdDRkwV3qFkdtNVNgfYg8A8QjdlOXzPg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdUl2NVNwVDQrN2RTdE5j + cXprZG1uMWMxZGNOUjJ3OFNUZm4wR1d0WVQwCkN5S3Z6bWcvaXRPc1VaSHhheFRj + U3VhZG1pRkNjdlNzMHBDSnNENXlZSncKLS0tIGdVRnMya1JkUjVQaWg2eStwQUZx + ZTR5RW5WcE9RVkpBY0ZQR0QrZzVlMmcK1VCN/CjUMZgzEkIJj2rEx+x6mZFePxeR + ecMoxVyfT970f1gc15rSsS17rcMWPRlUCzpL7uPQ3Vh02JjmLhzmZw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-28T14:54:05Z" - mac: ENC[AES256_GCM,data:8cHmfMYNTPrEMsi162Fj+8c5Vnov8XuSDoRPlN040FwJmfOH56Z3drgnsTgMDZstbKL255vyisp0Euxxm2gb93WoEHqJSsU8OePRxAOWE6beF0gLpLvIhFQifIKshfagKJnKIpyzeUXvF8EFX2fFrNA2/18M4ohFovu1EGIUl+8=,iv:aHvz5lH6cFcLU4F8mX6MQ2R968atFQGkkBcsSkZEla8=,tag:5Wm1XD429promGqErjbfbA==,type:str] + lastmodified: "2023-10-01T19:18:28Z" + mac: ENC[AES256_GCM,data:+9iQPFtTAEUvqI3VTtXOhIF5TCw+hXWsyK/NfAnZimENuG+YwdbLy6oriRdhAcfn/8867W6yfvY/fcYlqA5LZg2Q6pe57pKTGjxqJOyht4M824oejxFUYt6dHjPYFadYdEjkF+l676K386J447xHLGu4s5PvA9k11HylHo2j2ng=,iv:cdMPSFK0q9J3LN/j0E+KexT582U4LbHdmgaTNSb/Qn0=,tag:U8MbR/z4bB6NWTUJIWekew==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/default/homebox/app/backup/secret.sops.yaml.tmpl b/kubernetes/apps/default/homebox/app/backup/secret.sops.yaml.tmpl index b30b8cf5f..582bf4cd2 100644 --- a/kubernetes/apps/default/homebox/app/backup/secret.sops.yaml.tmpl +++ b/kubernetes/apps/default/homebox/app/backup/secret.sops.yaml.tmpl 
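Review bot: the re-encrypted backup Secret above (the `RESTIC_REPOSITORY`, `RESTIC_PASSWORD`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` entries) changes every ciphertext, the `mac` and `lastmodified` (2023-05-28 to 2023-10-01) while the recipient stays `age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa`, so a reviewer cannot tell whether the plaintext values were rotated or merely re-rendered from the renamed `.tmpl` and encrypted again with fresh IVs. Please say which in the commit message; if `RESTIC_PASSWORD` did change, also confirm the existing restic repository was re-keyed (`restic key add` under the old password), because a new password alone cannot unlock snapshots written under the old one. The same question applies to the re-encrypted homebox, linkding and mealie Secrets later in this change, which show the identical pattern.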
@@ -7,10 +7,10 @@ metadata: type: Opaque stringData: # The repository url; add trailing folders if multiple PVCs per app (one per PVC) - RESTIC_REPOSITORY: s3:https://${SECRET_S3_ENDPOINT}/restic-homebox + RESTIC_REPOSITORY: s3:https://${S3_ENDPOINT}/restic-homebox # The repository encryption key - RESTIC_PASSWORD: ${SECRET_DEFAULT_PWD} + RESTIC_PASSWORD: ${DEFAULT_PWD} # ENV vars specific to the chosen back end # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html - AWS_ACCESS_KEY_ID: ${SECRET_S3_ACCESS_KEY} - AWS_SECRET_ACCESS_KEY: ${SECRET_S3_SECRET_KEY} + AWS_ACCESS_KEY_ID: ${S3_ACCESS_KEY} + AWS_SECRET_ACCESS_KEY: ${S3_SECRET_KEY} diff --git a/kubernetes/apps/default/homebox/app/helmrelease.yaml b/kubernetes/apps/default/homebox/app/helmrelease.yaml index 6794d7219..a0978e0cf 100644 --- a/kubernetes/apps/default/homebox/app/helmrelease.yaml +++ b/kubernetes/apps/default/homebox/app/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: remediation: @@ -41,7 +40,7 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/default/homebox/app/secret.sops.yaml b/kubernetes/apps/default/homebox/app/secret.sops.yaml index 2d803b9ec..c5d9dbcb5 100644 --- a/kubernetes/apps/default/homebox/app/secret.sops.yaml +++ b/kubernetes/apps/default/homebox/app/secret.sops.yaml 
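Review bot: `RESTIC_PASSWORD: ${DEFAULT_PWD}` in `homebox/app/backup/secret.sops.yaml.tmpl` makes the backup repository's encryption key the same value this change also uses as an application admin password in `linkding/app/secret.sops.yaml.tmpl` (`LD_SUPERUSER_PASSWORD: ${DEFAULT_PWD}`) and `mealie/app/secret.sops.yaml.tmpl` (`DEFAULT_PASSWORD: "${DEFAULT_PWD}"`), so a leak of any one of those surfaces exposes every restic repository. Suggest a dedicated variable per repository (something like `RESTIC_PWD_HOMEBOX`; name hypothetical) so the backup key is not a shared credential. The rename from `SECRET_S3_*` to `S3_*` also has to be matched by whatever exports these variables when the template is rendered; a shell-style substitution turns an unset name into an empty string rather than failing, which would silently produce empty S3 credentials in the encrypted Secret.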
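Review bot: in the `homebox/app/helmrelease.yaml` hunks, `ingressClassName: nginx` becomes `internal` while the `nginx.ingress.kubernetes.io/whitelist-source-range` annotation with `10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` is kept; that annotation is specific to ingress-nginx and is only meaningful if the controller behind the `internal` class sees the real client address (if traffic arrives SNATed from a node or load balancer inside those ranges, the check allows everything), so it is worth confirming against the controller that serves `internal`. Separately, the deleted `# renovate: registryUrl=https://bjw-s.github.io/helm-charts` line was the hint that let Renovate locate the chart; with the chart still pinned at `app-template` `1.5.1`, confirm Renovate's Flux manager resolves the renamed `HelmRepository` `bjw-s`, otherwise the chart stops receiving update PRs. The same two edits repeat in the homepage, letsblockit, linkding, mealie and miniflux HelmReleases below.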
@@ -8,16 +8,16 @@ metadata: reloader.stakater.com/match: "true" type: Opaque stringData: - HBOX_MODE: ENC[AES256_GCM,data:csTQgQrHO6IYGg==,iv:O17muJwjlNvCPOTMSzH4KsRaGIxEPqwzf1gRGt6A0ZQ=,tag:xRgm91omiZNsrziRBNmFcg==,type:str] - HBOX_OPTIONS_ALLOW_REGISTRATION: ENC[AES256_GCM,data:ul+DUg==,iv:gbFWh4c521E/oNDJ96u30ODN9kyV30j/Mo65ausaX28=,tag:Zfq7IJguHKcbg5AoTnNW0A==,type:str] - #ENC[AES256_GCM,data:jJAZPnSsM0EhWugRuwEg3Ng=,iv:B0CHTlKks8+HKygsmCycBLiJDWxkTbUgKmtVgChWKbo=,tag:AjGMMBMURfykruzdYK1j7w==,type:comment] - HBOX_MAILER_HOST: ENC[AES256_GCM,data:4bRxHx5Nzkj4DbQ4bkZeN7Y=,iv:P1CWuDiB0smKL406Ij6KzCYKW65apgpg5hH3xEY4r9c=,tag:JZx/wtDaJjgjD3NbZJTZww==,type:str] - HBOX_MAILER_PORT: ENC[AES256_GCM,data:xBP3,iv:BTdLwvCegObOmSObojyb1TRER8TP9JxIr+wHmlrFj1w=,tag:UHrprdlNwRCTNJFzwgHgjQ==,type:str] - HBOX_MAILER_USERNAME: ENC[AES256_GCM,data:MQbFXT2ruREbv6UGDhdDYdFH6K/jKXPs+5c2PJBweGk=,iv:GfjRJG7Q9aKZiMwxhec5cmFNLwqLQUd7/XgirdqODLI=,tag:rehhVdZaM/dn9QTIgIr18w==,type:str] - HBOX_MAILER_PASSWORD: ENC[AES256_GCM,data:3wLke40SlA9XnzVkoJpurCy3t6rd6ffdF+Lbi88xTec=,iv:EOD1iix9iU+d8SVcJd+0A96uzog80l8pda5LLadn0S4=,tag:NIZzYyvGQ8GRADo/ykwsUg==,type:str] - #ENC[AES256_GCM,data:hf07yTXXlVkE0QthvWJKIzARmjnjab3n8ng=,iv:9Zk9BWn16NUqft/VBLtydFtllk0GXYojXwoHTUUQtUI=,tag:qDBqWUWsVjplj8RWyozT+g==,type:comment] - #ENC[AES256_GCM,data:gtp/aEYZQBaP0uN07nrLB/0FCpkT2jWVtt0=,iv:UnWUX+rHiXYynwaVINCXKHueTyWHsn+ZuI7LhhfZ7qg=,tag:zv9prNFa6VpuzJIsjoLGsw==,type:comment] - HBOX_MAILER_FROM: ENC[AES256_GCM,data:GR4PMtOH/KIPxxVOjQhU/lrqyDKlWhMqL0Oaalfa,iv:aBgIJ/u4Rqe6FeMfwWoBo/VpXjtqdT9DTW+l+CvWhAE=,tag:xrtemt7AzBsBByhu08P5Og==,type:str] + HBOX_MODE: ENC[AES256_GCM,data:mR5EYV3FxgZkKw==,iv:1U9GbFGlvc9KXcOUciEkr4OTZKl3uoylK9Ru63ZzX8U=,tag:MZRyA2Sxb1Os3wAb8+trwg==,type:str] + HBOX_OPTIONS_ALLOW_REGISTRATION: ENC[AES256_GCM,data:vlEkUw==,iv:N3xwCBW/D4MewgrB4jL2H4o7VP9pj7RZmplP1BDAJ1E=,tag:cgiTB/yfrBZtrxJwB5fKWQ==,type:str] + 
#ENC[AES256_GCM,data:+Ip7GrkdY0rLZ0/D44BxsBE=,iv:qkSXsNi3VcOa/XHKouktzoC10xeGrYHsQGfg9GsK8Do=,tag:Kki62JUzlQZnpmYntNEFaw==,type:comment] + HBOX_MAILER_HOST: ENC[AES256_GCM,data:3WwE7lRrwnCIvFvC+/ECz80=,iv:0w8sbEmbllxO1ujcdf52KEWPJVwzFzWWndlVtILPx3E=,tag:uX5xWHqKoLolmHdq6BgjXw==,type:str] + HBOX_MAILER_PORT: ENC[AES256_GCM,data:c2uk,iv:SVGXWO/4eJEKGSW7XA2y0c6uTAXREZrQ241Og+qbPeg=,tag:tI/i5E9D0C0yRCf0fn3Eag==,type:str] + HBOX_MAILER_USERNAME: ENC[AES256_GCM,data:CeEc8wt0BYZqBrk04CFxVdOlInrTNQogjH9lhV6aQpc=,iv:Hy63qxOIzKmfb0oXyKN4NoFgsDU8uVxJxUumyGvwirc=,tag:O1a2XCNbxyrfMDNieX+jKQ==,type:str] + HBOX_MAILER_PASSWORD: ENC[AES256_GCM,data:xbDUUqxRTVh3KCS91U2zrmlZyt8wAlpvlMLHk5wzogk=,iv:z6WQIU1XDWCfPDNIqer5Z84rSwNUmUSt6GxtE2NwwYc=,tag:6XSn5U4bboK129siqqglQA==,type:str] + #ENC[AES256_GCM,data:/LnhkSXcRcH4ePsb9Ak1tQc8jZZ+WA1fITU=,iv:cKcKFeNInKJdsP6cbrNIS9qz/B8f++WRolhsSYaZxIk=,tag:PuOZiVmKt7TUZyqiS/dtHA==,type:comment] + #ENC[AES256_GCM,data:/q1yRCh7Xux4JbadfK7UvTq5ubfgTxZnQq4=,iv:miu9Rm6ppykrKSYnsNUa4Dzok12q5OSAGiV6MH6n3F8=,tag:Maqsa89U7+4nMqYk2NegFA==,type:comment] + HBOX_MAILER_FROM: ENC[AES256_GCM,data:WUbgns8+bc8uiON+Qu0IkfQOX/m5xPmZukf4xnzL,iv:Px+09/hMLdUb/PUbhTGt1Mcga3WDLeRhyc4hRuC+2qg=,tag:Y4qIyI6zfk0Mzsj6p3KtTA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -27,14 +27,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxVHFsL3BHbUZKZTk1MGdk - RHc5V2F3cFFGcHJxakJES0kyRmlINlN1VHlVCnByK0V3ME1QTU9WNkVNYWlkeWR4 - NHB1ZFQwa05JV1pZNFJldjB4a0Mzd2sKLS0tIEczSktwK2hnOWRuZTUvcHpRQkRu - bW5vR3A2VTBkWnB4REtvNk91NFFVclEK6dfV9qlLTGhebp2jjLmj7aGtp5zAUYMM - a4px9AIlPjUn4OjOGy1wSiVMChPSaDPoJ7EpH6MOuUBQMXh3Xxy/xw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRVlnejJiZkRxZktHd2tv + U3JvbDZDUFVRdFpzbmVlYStZY21aNytJbjI4Ck5YYy9kU3lKak53ZVM5cHZTekV3 + ckVTMkhtNWxzTjBzTmZIeS9zUVE2ZGMKLS0tIDlFSEgwUjhieTNMdEZOaFg1SWlV + TkpBODg5Y3pHY3ZrYng0T0pIRkpKbG8Ku31oDgFFkfUKHjR2AJef47NGWbJspNM5 + kg+Wa9/79Pd7G8vaCuirRJ6i5vWWMmBC0Dphde2A54IEFZZm2X6jng== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-28T15:22:16Z" - mac: ENC[AES256_GCM,data:omFbAL4FrlNU8441pyROkfe24cXwWmgqIMUymrGsohmyWAj3f/xnIcY8Ep2TNXrAEK3djK0FUsC4Ws1C+LoG8XYKKxrb8RdWKBQAK2TVLSAspQCxIGpsEytSWORq4levHlfChKlyr0bcGIaWcpHSocdIydzP3GlcjT0f3ODwzhk=,iv:az/rVwkNx+Bw709j1s68xxLD6pJFvML8AiwoMs7dxbQ=,tag:tXUhxwxhSQxD9eZCLW6EGA==,type:str] + lastmodified: "2023-10-01T19:17:47Z" + mac: ENC[AES256_GCM,data:y6/arh5J1+Mkp2J7ZXsDbVRp2m/xKVBXSKE793si2tvnU5yJXlIc7EE0Hj5VcXLxAgsXncm8Tdc4vMJ2AEybWA6KOFvdUewfgpH6tI2+1NcsNC5cS6gQLbP9ebZTGINIJ4sXF+5hnWAHSlVkftzHInOyJQF732pD9txCc+/FaS4=,iv:dsyzI3tOMVtaYt7BNGsCCjXoaxwAQFEwCxh8HID4950=,tag:bR/xDCEiqcFg1xd8nlz3Uw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/default/homebox/app/secret.sops.yaml.tmpl b/kubernetes/apps/default/homebox/app/secret.sops.yaml.tmpl index 790c6c55d..e8cf0145e 100644 --- a/kubernetes/apps/default/homebox/app/secret.sops.yaml.tmpl +++ b/kubernetes/apps/default/homebox/app/secret.sops.yaml.tmpl 
@@ -11,10 +11,10 @@ stringData: HBOX_MODE: "production" HBOX_OPTIONS_ALLOW_REGISTRATION: "true" ### email settings - HBOX_MAILER_HOST: "${SECRET_SMTP_SRV}" - HBOX_MAILER_PORT: "${SECRET_SMTP_PORT}" - HBOX_MAILER_USERNAME: "${SECRET_SMTP_USER}" - HBOX_MAILER_PASSWORD: "${SECRET_SMTP_PWD}" + HBOX_MAILER_HOST: "${SMTP_SRV}" + HBOX_MAILER_PORT: "${SMTP_PORT}" + HBOX_MAILER_USERNAME: "${SMTP_USER}" + HBOX_MAILER_PASSWORD: "${SMTP_PWD}" # SMTP_AUTH_STRATEGY: "TLS" # SMTP_FROM_NAME: "homebox" - HBOX_MAILER_FROM: "${SECRET_SMTP_ADDRESS}" + HBOX_MAILER_FROM: "${SMTP_ADDRESS}" diff --git a/kubernetes/apps/default/homebox/ks.yaml b/kubernetes/apps/default/homebox/ks.yaml index d909e25e9..1b0a1e7de 100644 --- a/kubernetes/apps/default/homebox/ks.yaml +++ b/kubernetes/apps/default/homebox/ks.yaml @@ -3,18 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-homebox + name: default-homebox namespace: flux-system spec: - dependsOn: - - name: apps-networking-ingress-nginx - - name: apps-volsync path: ./kubernetes/apps/default/homebox/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/homepage/app/helmrelease.yaml b/kubernetes/apps/default/homepage/app/helmrelease.yaml index 4e6811d56..8fdecf2d2 100644 --- a/kubernetes/apps/default/homepage/app/helmrelease.yaml +++ b/kubernetes/apps/default/homepage/app/helmrelease.yaml @@ -13,7 +13,7 @@ spec: version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: createNamespace: true @@ -44,7 +44,7 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 
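Review bot: not part of the rename, but the context of the `homebox/app/secret.sops.yaml.tmpl` hunk shows `HBOX_OPTIONS_ALLOW_REGISTRATION: "true"` next to `HBOX_MODE: "production"`; with the app now only reachable through the source-range-limited `internal` ingress class this may be intentional, but a one-line comment in the template saying so would stop the next reader from treating open registration as an oversight. The commented `# SMTP_AUTH_STRATEGY: "TLS"` in the same context suggests the mailer credentials encrypted here are sent without an explicit TLS strategy; if that is deliberate, say so there as well.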
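Review bot: in `homebox/ks.yaml`, `wait: true` becomes `wait: false` and the `dependsOn` entries `apps-networking-ingress-nginx` and `apps-volsync` are dropped without replacement, so the Flux Kustomization `default-homebox` will report Ready as soon as the HelmRelease object is applied, regardless of whether the release actually installs, and nothing now orders it after the controller that serves the new `internal` ingress class. If the intent is for `ks.yaml` to be a thin wrapper, fine, but the readiness signal then lives on the HelmRelease alone; if ordering still matters on a fresh bootstrap, keep a `dependsOn` on the renamed ingress Kustomization. The same `wait: false` plus dropped `dependsOn` pattern is applied to homepage, letsblockit, linkding and mealie in this change.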
diff --git a/kubernetes/apps/default/homepage/ks.yaml b/kubernetes/apps/default/homepage/ks.yaml index d6708e553..a62e6d7e2 100644 --- a/kubernetes/apps/default/homepage/ks.yaml +++ b/kubernetes/apps/default/homepage/ks.yaml @@ -3,18 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-homepage + name: default-homepage namespace: flux-system spec: - dependsOn: - - name: apps-networking-ingress-nginx - - name: apps-volsync path: ./kubernetes/apps/default/homepage/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml index 72d8c7aab..4a2eb9360 100644 --- a/kubernetes/apps/default/kustomization.yaml +++ b/kubernetes/apps/default/kustomization.yaml @@ -19,4 +19,3 @@ resources: - ./miniflux/ks.yaml - ./opengist/ks.yaml - ./pairdrop/ks.yaml - # - ./rxresume/ks.yaml diff --git a/kubernetes/apps/default/letsblockit/app/helmrelease.yaml b/kubernetes/apps/default/letsblockit/app/helmrelease.yaml index a7cbedef0..e3d6d8b02 100644 --- a/kubernetes/apps/default/letsblockit/app/helmrelease.yaml +++ b/kubernetes/apps/default/letsblockit/app/helmrelease.yaml @@ -13,7 +13,7 @@ spec: version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: createNamespace: true @@ -48,7 +48,7 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/default/letsblockit/app/kustomization.yaml b/kubernetes/apps/default/letsblockit/app/kustomization.yaml index a166bc78d..17cbc72b2 100644 --- a/kubernetes/apps/default/letsblockit/app/kustomization.yaml +++ b/kubernetes/apps/default/letsblockit/app/kustomization.yaml 
@@ -4,5 +4,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml - # - ./pvc.yaml - # - ./secret.sops.yaml diff --git a/kubernetes/apps/default/letsblockit/app/secret.sops.yaml.tmpl b/kubernetes/apps/default/letsblockit/app/secret.sops.yaml.tmpl deleted file mode 100644 index 4c9d5f582..000000000 --- a/kubernetes/apps/default/letsblockit/app/secret.sops.yaml.tmpl +++ /dev/null @@ -1,12 +0,0 @@ -# yamllint disable -kind: Secret -apiVersion: v1 -type: Opaque -metadata: - name: letsblockit - namespace: default - annotations: - reloader.stakater.com/match: "true" -stringData: - LD_SUPERUSER_NAME: ${SECRET_ADMIN_USER} - LD_SUPERUSER_PASSWORD: ${SECRET_DEFAULT_PWD} diff --git a/kubernetes/apps/default/letsblockit/ks.yaml b/kubernetes/apps/default/letsblockit/ks.yaml index 2e527bd25..cceab6f43 100644 --- a/kubernetes/apps/default/letsblockit/ks.yaml +++ b/kubernetes/apps/default/letsblockit/ks.yaml @@ -3,17 +3,18 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-letsblockit-db + name: default-letsblockit-db namespace: flux-system spec: dependsOn: - - name: apps-default-cnpg-db - - name: apps-default-postgres-operator + - name: default-cnpg-db + - name: default-postgres-operator path: ./kubernetes/apps/default/letsblockit/db prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: true interval: 30m retryInterval: 1m timeout: 5m 
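Review bot: the deleted `letsblockit/app/secret.sops.yaml.tmpl` defined `LD_SUPERUSER_NAME` and `LD_SUPERUSER_PASSWORD` under a Secret named `letsblockit`, which are linkding's variables, so removing it is correct; since the `kustomization.yaml` hunk also drops the commented `# - ./secret.sops.yaml` reference, please confirm that no encrypted `letsblockit/app/secret.sops.yaml` rendered from that template is left behind in the tree, as an unreferenced encrypted copy of an admin password is easy to forget when the password is later rotated. In `letsblockit/ks.yaml`, adding `wait: true` to `default-letsblockit-db` is the right call given that the app Kustomization depends on it.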
@@ -22,20 +23,17 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-letsblockit + name: default-letsblockit namespace: flux-system spec: dependsOn: - - name: apps-default-letsblockit-db - - name: apps-networking-ingress-nginx - # - name: apps-rook-ceph-cluster - # - name: apps-volsync + - name: default-letsblockit-db path: ./kubernetes/apps/default/letsblockit/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/linkding/app/helmrelease.yaml b/kubernetes/apps/default/linkding/app/helmrelease.yaml index 8b9ec86ed..d6ecfbd1b 100644 --- a/kubernetes/apps/default/linkding/app/helmrelease.yaml +++ b/kubernetes/apps/default/linkding/app/helmrelease.yaml @@ -13,7 +13,7 @@ spec: version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: createNamespace: true @@ -88,7 +88,7 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/default/linkding/app/secret.sops.yaml b/kubernetes/apps/default/linkding/app/secret.sops.yaml index c4c1b40d5..b27c9b0d6 100644 --- a/kubernetes/apps/default/linkding/app/secret.sops.yaml +++ b/kubernetes/apps/default/linkding/app/secret.sops.yaml 
@@ -8,8 +8,8 @@ metadata: annotations: reloader.stakater.com/match: "true" stringData: - LD_SUPERUSER_NAME: ENC[AES256_GCM,data:3QGLjuM=,iv:3n0j8kLgKQHxyBhazqTOVDIu0B+W/kulVWIzxapp900=,tag:mI3Fy3edvTXzukclzOrdbQ==,type:str] - LD_SUPERUSER_PASSWORD: ENC[AES256_GCM,data:i0IijAx4TTYalwJu,iv:46AJjxu1TimM/vM/QuUm4jcBj6qocbwzd9k9A+YDsvo=,tag:sdtxaTxvs77/SkhZM4RAkQ==,type:str] + LD_SUPERUSER_NAME: ENC[AES256_GCM,data:HQ2uGvM=,iv:emWvvTzs2zdeGV3uPRaS/h1KKi1uMv7Fpq4Vr2jQIYE=,tag:xwqtoYfSX4nH8lUb+TNJUQ==,type:str] + LD_SUPERUSER_PASSWORD: ENC[AES256_GCM,data:nJs73KW8s7h+zGhi,iv:l7b1mFhdhX/b8Ku2Jxq2RQ/f8OESCWJ0LA0aI04EcRg=,tag:XEVZBvkuBeJ6Dc0e/Ezc+A==,type:str] sops: kms: [] gcp_kms: [] 
@@ -19,14 +19,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2VHQ2bzEwRDYwNU1MZWVV - MjRPUmpaQklKT3lXcXdkazNld1V2SS94TVZvCnFCTGMrcnJDZkVmVkJqNXg1QU1n - WnBEeWpob2haUXVWaGdSSXlXbkR3WEkKLS0tIEtHOFdSbmczbG9sbWxJTUN2YzFo - MDF0b1htMjBaMU5Vd05sU1dUQ0hwbHcKaeJ7Tk16yK7YZZ8ls2DvSXXQODdj2q8R - 9xCALVJ8D9SbxgdDTP3Cxi4MiQrO7hg5eX13Xk/etBPVtutzMtgTJA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwS1JjMU5QRXVXc1NuNDI1 + TzlKSWJFVzArcmJWdHBheThlVUxsdmZEN1hjCndpdkpkdzRQZG1DZC9DdFZrM1ZT + M2JJR2NibFVmVFlhT3pWa0JvMmxyK1UKLS0tIHJON050RGk2Vk1ZR3BKVTBkV0ZQ + bFdBV3J2dHlxUGtnRWE0NTNkWjkrYm8KNwBuQ3KKFn/IIaDNJZtU6rL01rZis5nU + eaPKN5nnzFmErJk8etpJ8O7b3+p1ufdc3gAT+590TiOR2j2CCohHSg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-28T14:46:58Z" - mac: ENC[AES256_GCM,data:rYHS4J212KsTCWvNCng9cI5DOQel3kcrUU8dRZ+ytUDY28n+7BeJ5CBZIDfyNZHI9Q+juiGk9/hU9SXokBctUMMVfIQbNi7zOMxvmhc1QmFBDxgadGkoFWELpm58nTnIuSd4jSpAVeT82jX5nsb9RYCRkvjNT+NiiP6jalF6r1g=,iv:l+if3CW/PWSLSu+eD3EixEuouNzQL9ip2MFbhdjuinA=,tag:n58FEkE7zPySU5s6KPE0RQ==,type:str] + lastmodified: "2023-10-01T19:15:09Z" + mac: ENC[AES256_GCM,data:vrxN4jEyCRm6xPLn6hEfmQXLPQFzddrGYfafUgZqAr8iZZbNPsGzq1nmt3eNdi/LUdKWVaFVoHmMAUEa58bKu9nq8JGg6Cj90oxeIrz/DN1LvCIZR+K4on8xstwIQ0B/zEez1wfgYtu4eCl8AVxkX13DPNW8yHhrXpzMGc2RoeY=,iv:sZJI+CmcUWZs5iuSRUMH115JDSGKlf39g/uAVxxFUno=,tag:slVUtJPG81fAZgWbLYrdsQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/default/linkding/app/secret.sops.yaml.tmpl b/kubernetes/apps/default/linkding/app/secret.sops.yaml.tmpl index 1e96657c7..db2991bff 100644 --- a/kubernetes/apps/default/linkding/app/secret.sops.yaml.tmpl +++ b/kubernetes/apps/default/linkding/app/secret.sops.yaml.tmpl 
@@ -8,5 +8,5 @@ metadata: annotations: reloader.stakater.com/match: "true" stringData: - LD_SUPERUSER_NAME: ${SECRET_ADMIN_USER} - LD_SUPERUSER_PASSWORD: ${SECRET_DEFAULT_PWD} + LD_SUPERUSER_NAME: ${ADMIN_USER} + LD_SUPERUSER_PASSWORD: ${DEFAULT_PWD} diff --git a/kubernetes/apps/default/linkding/ks.yaml b/kubernetes/apps/default/linkding/ks.yaml index 45a074768..1662e5bdf 100644 --- a/kubernetes/apps/default/linkding/ks.yaml +++ b/kubernetes/apps/default/linkding/ks.yaml @@ -3,17 +3,18 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-linkding-db + name: default-linkding-db namespace: flux-system spec: dependsOn: - - name: apps-default-cnpg-db - - name: apps-default-postgres-operator + - name: default-cnpg-db + - name: default-postgres-operator path: ./kubernetes/apps/default/linkding/db prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: true interval: 30m retryInterval: 1m timeout: 5m @@ -22,20 +23,18 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-linkding + name: default-linkding namespace: flux-system spec: dependsOn: - - name: apps-default-linkding-db - - name: apps-networking-ingress-nginx - - name: apps-rook-ceph-cluster - - name: apps-volsync + - name: default-linkding-db + - name: rook-ceph-cluster path: ./kubernetes/apps/default/linkding/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/mealie/app/backup/secret.sops.yaml b/kubernetes/apps/default/mealie/app/backup/secret.sops.yaml index 6dc19165e..08cbd043f 100644 --- a/kubernetes/apps/default/mealie/app/backup/secret.sops.yaml +++ b/kubernetes/apps/default/mealie/app/backup/secret.sops.yaml 
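Review bot: the `linkding/ks.yaml` hunks reference four renamed targets whose definitions are not in this diff: the `dependsOn` entries `default-cnpg-db`, `default-postgres-operator` and `rook-ceph-cluster` (the last keeps a storage dependency while `apps-volsync` and `apps-networking-ingress-nginx` are dropped), and the `GitRepository` `home-kubernetes` replacing `homelab-gitops-k3s`. A `dependsOn` name that does not resolve leaves the Kustomization stuck with reason DependencyNotReady, and a wrong `sourceRef` stops reconciliation entirely, so please include or point to the commit that renames those objects. The same references appear in the homebox, homepage, letsblockit and mealie `ks.yaml` hunks.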
@@ -5,14 +5,14 @@ metadata: namespace: default type: Opaque stringData: - #ENC[AES256_GCM,data:2VnjTdRadsaDHArbU/jXHBwbBnQIQexwEfzD7Wxw6MWjFSnUxvq/7/xCgtZsGubpq5WKLPWgbUz4UlKM33mhI+coJxIIYSonWaSzPu/pNtM=,iv:m+/yO4RGfkYM8mVuHocVrdo27QTgcEysjOz7vuOWI24=,tag:RdhTLN9Iz1R40y4c5PYCfQ==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:vQXG16qdAPVspx+vDtiBD5u1CW86HhYZVnyVuYKLrOXeaSMiDpXcOtQquu4Py8w1mN1eiu7Alw==,iv:FpBD6FqB0SdS6A1pb37rBB0QxtW5B5FUeU0PSNDjikQ=,tag:F2Q+BlgvzA0l504G19KXgA==,type:str] - #ENC[AES256_GCM,data:e08vLJEV4QpAY3eyvFX+zhVvUKrLyTHdPE63gqKK,iv:MNdTxQ20T5N/KlZHCUxnNfwJc0JG7mUsZnlTXBj4/Kk=,tag:eNzMDjDMXmLTpFleVckIxQ==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:qWiWotbAxCf/7ClD,iv:FazU7uqd588uafTwGlzpa67fKyp6YZjr2+uYBaGySis=,tag:AARnvkj8sbikzaT5pahzqA==,type:str] - #ENC[AES256_GCM,data:085xUFm1P7ChNydMbymAIwlCmR3KVlhLTxvO89VlgVykbei6prlHQdk=,iv:ffFY+aLWg7SwE6+zOarK1x969ht2dhkRgyNyzKB4x40=,tag:EWqfR0ySAvdoqr99QpzEOw==,type:comment] - #ENC[AES256_GCM,data:WNCwEiBKJBUO9yixttpFpJ81ilXBGzaYU44KAOZyz+s/ZUS+W9WqjiQkQ8fDaertlUqh7g/XL6d94y7DQu79QTpUXMFAhA==,iv:HCG5JowKlWiCw5D5RzfxnllLUiz3ugrZq/UqYa+M8Yg=,tag:kMZXLse0ej54hsdddop+uw==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:tX6yKdCTjSk51u3rl1gkdBFeOx8=,iv:aHcmwdSOPhx/JTg7d6DGqsrsBdTeRM5bNkVZXXss8Kc=,tag:nCCP8r7cTmgs/dx5s12DaQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:/GL5lr3oEZWNR0c6NbrHLEKg98AZ3dAvMh+iNdMkRQ==,iv:G22A4IOxh6CF4vYDlMwEEwYAqOOOUcxjRs4x/L37GOk=,tag:iHTxLf3ijUCT1bGsJtqrDg==,type:str] + #ENC[AES256_GCM,data:Bqgl6cE3YeSVyjpxaNZk+9v5aG1CydpJ0H+UcMh9HpFCQtXWGenLTEwTTR0adtmAGDrme4gxzR/3l2USps3ZZs3+iJ6MkSV+qh35bSF67w8=,iv:XETiVOHJ6mOgD7o4vcPMcnoySPgaMSPy3wexe2Wy3Ck=,tag:akTu1eb0rZvY29SrADmS1g==,type:comment] + RESTIC_REPOSITORY: ENC[AES256_GCM,data:ijUoybH8zUicy8g8WssXI7w6Eyq0mVoyGJgWoQoFuixaCuoIhF3hZGW0I6wt/Eukka51uagrvw==,iv:h5J8b7OU7e76RxSs2SnIyqnHXZu9jBz4zorEikoSEdI=,tag:SKGEYxanHEXEjzbCO3bj2A==,type:str] + 
#ENC[AES256_GCM,data:y3Ar4RBu0fldziFCkMnBzoo6vJjoHuABHxx9lUYy,iv:RIE0iYv+8GRvY/pbPY96bseEroRLwb2rA4s+KrCdcx4=,tag:KEgOGI6wQ9atXcZ5I/PNzQ==,type:comment] + RESTIC_PASSWORD: ENC[AES256_GCM,data:SHIdaBTWFe/t0E8D,iv:9WbX7n4W/2+HwqbYz6BF9Ygfnlbm4IJIgmT1QexmMm0=,tag:l53c99CwWn4dryfSmGiJ3A==,type:str] + #ENC[AES256_GCM,data:9ONCnzFMFIjW5FbjeQAEl3eBfceQOjrvvm4OpngXBY5IRnmplrQbLvY=,iv:KWqsiCt/bAS5xfyu21ENL+CPQgIK9yqJtaSF6IQqPA8=,tag:druKx4QccqY5ClIUSptwUw==,type:comment] + #ENC[AES256_GCM,data:vG+Jh5NTn+mIKXwcc/LjpY2F2jkghIn8r+CHcSDyPxzUQzpve0Oqsdpy36UTfS4xnFkvGoYtrTl/56FpTO8ZUGhhHY7gXg==,iv:syZq0Xey9G+RGU8RLgdOUzAvWES7QhGhwZYgMAQ1Ncg=,tag:nQ3E6yPEvgEfSFhVga8ElQ==,type:comment] + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:77WAdje1JUqtl4pWiCGQzwQDDjI=,iv:17GnY8MtPs/Ix/ilUEMuCyGd7J7WGukkaT3ZGRnTLDw=,tag:7yzarhU/3WeuUuNx8Vs4kw==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:W3pGw9Z1mqWT4CBa7wm172LpM4tdkvxDRKQ/lCsIPw==,iv:cxfuFj46lgpgJOGhPDvWb8OQdKWLC7Sm7+b54cNuD2U=,tag:MXCH9Q+irBDzjKO5e79ESA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -22,14 +22,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeFBtUnU0QnhwTm5ETDU5 - ejRhTlJBaDRyRHBIVVBzM0FjKzhkNTY2K3lVCmpDZkc2U1VCaTU4bHlIeVh4b1Fz - WjdaWVorUmN4emp6Q1p5ZStHbnpqT3MKLS0tIE9tQTJxNFlDOUxYeHNha0svYkE2 - Y093UDJLZ2dBeWpNODhDQTNaRlZ2b2sKW1oGbxvcswAhOwrqLG6HPgYMn0LfJWJj - gZRXrgqa9z0rkBlO6wkk6J0Ei4V1RJnXO0jw1Bk8inEWUvwxmLV4UA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBSWIzYjNXajdtMU5NcHdm + L0dpUE1pd0UxK0NZMTYyQ09aZXJiOEFoSkRJCklkN0VUNnF1NUl1OUFpdytja1JY + TkxPRTk5UTYrakRzMi8wZXhNRFQzeWsKLS0tIE5jbkRxeUN2Y3FsWkpTeDAyaHJH + V0RaQmYzT0tyZE9xOC8vUlZvYUpFYWcKPoqPvCdw2ciJLKOgCO5EbqN8ja38CT1P + bJ4S5GIrf4R/o0GKIDBxBXXs4vGxzz2NrlqDEzcUUY4ZwQoK0zSAHg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-28T14:56:56Z" - mac: ENC[AES256_GCM,data:+4B2UglrR5Xlt+7yWTl0wPrOVkbbnw65t5v/exZ53W3+uwjZKza9yynIzk4slnDM2gzOLM+u9ZPcXLNqGCkRvK8QLH9BQi7wxCqZK6kiK9bGLRejc+e3JnBzdMqYpRv2E8fDrvF6qhNSecEvRYdfozlLdGMGkMNW6DbSxIG/W5A=,iv:6yQI0Jn8RNUH/Rvd5PL3ceDitoOz3DZSzCxQhQZ9Quc=,tag:CLOb04llPyfSMU1YQFbkJw==,type:str] + lastmodified: "2023-10-01T19:29:23Z" + mac: ENC[AES256_GCM,data:8oMEJQKSlKvqIS6GDAErcWg+vGksMaziAfnhVVX6wLQ9NU5Svg3tnLa5HHMMbQtuD5TO0yTR4RsX1PkHnDC5DHpldAAzI3cVd+qIO5L/AOVRGkqSjxjF+uAQ1D+0bVtZ5S9ixD7cOkXaFoDv59hyP2lgfOyPHTFmBAQb838l4DI=,iv:lfSOrkOhSvEhMvloV1yfM0y/Oqf6JUuLu1tKRCEafRI=,tag:BNSIY9o9nyd7eUhzF2RJsQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/default/mealie/app/backup/secret.sops.yaml.tmpl b/kubernetes/apps/default/mealie/app/backup/secret.sops.yaml.tmpl index 6ad084a3b..bf8d35cdd 100644 --- a/kubernetes/apps/default/mealie/app/backup/secret.sops.yaml.tmpl +++ b/kubernetes/apps/default/mealie/app/backup/secret.sops.yaml.tmpl 
@@ -7,10 +7,10 @@ metadata: type: Opaque stringData: # The repository url; add trailing folders if multiple PVCs per app (one per PVC) - RESTIC_REPOSITORY: s3:https://${SECRET_S3_ENDPOINT}/restic-mealie + RESTIC_REPOSITORY: s3:https://${S3_ENDPOINT}/restic-mealie # The repository encryption key - RESTIC_PASSWORD: ${SECRET_DEFAULT_PWD} + RESTIC_PASSWORD: ${DEFAULT_PWD} # ENV vars specific to the chosen back end # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html - AWS_ACCESS_KEY_ID: ${SECRET_S3_ACCESS_KEY} - AWS_SECRET_ACCESS_KEY: ${SECRET_S3_SECRET_KEY} + AWS_ACCESS_KEY_ID: ${S3_ACCESS_KEY} + AWS_SECRET_ACCESS_KEY: ${S3_SECRET_KEY} diff --git a/kubernetes/apps/default/mealie/app/helmrelease.yaml b/kubernetes/apps/default/mealie/app/helmrelease.yaml index 44e668ed8..df5b47a63 100644 --- a/kubernetes/apps/default/mealie/app/helmrelease.yaml +++ b/kubernetes/apps/default/mealie/app/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: remediation: @@ -39,7 +38,7 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/default/mealie/app/secret.sops.yaml b/kubernetes/apps/default/mealie/app/secret.sops.yaml index c9dc3aa26..2f87c9ba6 100644 --- a/kubernetes/apps/default/mealie/app/secret.sops.yaml +++ b/kubernetes/apps/default/mealie/app/secret.sops.yaml 
@@ -8,20 +8,20 @@ metadata: reloader.stakater.com/match: "true" type: Opaque stringData: - DEFAULT_EMAIL: ENC[AES256_GCM,data:aYgIfwA8gO+VdqsJ7fMD4SfIan6+DoY=,iv:Lxb8MKS7yX9tkFljNlIdIhnAsOhCgkwDxyCKC2sbACs=,tag:EfA/g7Wqlk/d50YdOHDofQ==,type:str] - DEFAULT_PASSWORD: ENC[AES256_GCM,data:Cwsh22bEBTmM2oVF,iv:cKW2OE8c6K1UoTab58DAmWpwOLbzHrJYKPnZEPXVDTU=,tag:ym3s3sCm7wqQGkDkY2pi0g==,type:str] - #ENC[AES256_GCM,data:IAvI6J/c,iv:aBLQroYfnvjA8RvLNrzHL7/GsZ5llLQhF1HrtLakqJ4=,tag:WS0YWKKQP4cMWO0z3Ym1+w==,type:comment] - TOKEN_TIME: ENC[AES256_GCM,data:jxc=,iv:sXXFI5TxRcV7QHgbOV8qLlKxtyktPCW9rpzp1wXcB9E=,tag:wU1RxxavN4/w9zOYDSWuAA==,type:str] - AUTO_BACKUP_ENABLED: ENC[AES256_GCM,data:g/vEQg==,iv:OpnN1p91oUQTZoZPk1NC2crBOVQsn5LbxbkfXGLJrpE=,tag:FPeuL8LP9Tf1QYlw5es+Kg==,type:str] - ALLOW_SIGNUP: ENC[AES256_GCM,data:c+KNjXw=,iv:SjmaWEsWawNfBHwHTTWZN+hFkjxI4KgUhklcZvlGmc0=,tag:85O4GzgQERvzIV32VI9xtQ==,type:str] - #ENC[AES256_GCM,data:0ICMhFAdzbU2jnSCnwNCBu0=,iv:gVBqHTOABLWPA7LdRKjUgu0FKnM0m2y4K74igLL2D+A=,tag:WGCXkNKO+xqR64TdsTLTBw==,type:comment] - SMTP_HOST: ENC[AES256_GCM,data:d3Mk248gi8qcCrnZImgX2Ww=,iv:k54wrqBTHRLRyRa3D7dfQA/CEAqvglhmq/5Y1s2ebt8=,tag:W4QtHQnS/2+mD383D7OMXw==,type:str] - SMTP_PORT: ENC[AES256_GCM,data:vqFb,iv:BQ4AG8m5JGZpRiX0JsFK80ZOONCct2CSPrLA6Nf4gB8=,tag:HBLS0+sgX8ccj8xwMp5/3Q==,type:str] - SMTP_USER: ENC[AES256_GCM,data:5/Ukdw3Q6yQFN498qx99pECWpVWSCtEMHodnVG8eJ3c=,iv:lICOUZ6KYQKkjaUDaVP3gCPgSPkKEXyt4xks102FiA0=,tag:wJDm0CRrlGAtBp/w05dPUw==,type:str] - SMTP_PASSWORD: ENC[AES256_GCM,data:8Zimhzf4i3QaUGhxKuICvzMJQE+jy/gDee5bh7Op5W8=,iv:dMm3gphBM4otFtLDssZP1iDZYLY5ZG+iJh4VjGukpdg=,tag:BQGwBxSZcnj9vGGylM+ZOQ==,type:str] - SMTP_AUTH_STRATEGY: ENC[AES256_GCM,data:zn2x,iv:iF7XHqPBFHOwJL+qSo7HurzlR2UA0pStwWsOQ1LQ2jk=,tag:WLj50J0w1aLyV215wxFKAQ==,type:str] - SMTP_FROM_NAME: ENC[AES256_GCM,data:mWnsNTCB,iv:WM35qSk5bxXnLnA2pZjc8yQ7Eg4D+/9R6b63dzjNt2Y=,tag:hIrOXUeZ5qIZ2/0Z2j8NjA==,type:str] - SMTP_FROM_EMAIL: 
ENC[AES256_GCM,data:iCELIumbhr3u6E0yh532xhyCBl2IUo0RFECD9ZcT,iv:oagSHFptFPK7mJfG7JycpmHKcSuPNUqsvVuvtTuslLs=,tag:bn2j+OpR+qmgSTKQTvGTFw==,type:str] + DEFAULT_EMAIL: ENC[AES256_GCM,data:OWGokfIQt0oQGNGqffneik+UVghhbAM=,iv:gpVHhL/dGKsNI2quLE/KzMGcemxtTUt91WOQlOMX3EA=,tag:oDa9iqWiRSvj3pvcqZUC4w==,type:str] + DEFAULT_PASSWORD: ENC[AES256_GCM,data:dM9NIgL9k+HOU+ZA,iv:65pcbnVlvI33FradpXfrP0jsmBFRp313QAk1I4SCtwo=,tag:0QToiWHEhVi0ORy8dA8gOg==,type:str] + #ENC[AES256_GCM,data:GENIImU2,iv:tpGCgNI+ZYu9C/LcOqF/iMFxo1JsRQT77CPRfYtYPVk=,tag:fqP21t9OWitAeQFC015law==,type:comment] + TOKEN_TIME: ENC[AES256_GCM,data:JQQ=,iv:n+R7o2eWmNyYjK21q0bvupS8jFj3M0Uz9uh2J6wr9C8=,tag:5PclReYvucmNWhRSuoeqbQ==,type:str] + AUTO_BACKUP_ENABLED: ENC[AES256_GCM,data:apTRrA==,iv:iZanprSI8XuQWE0CbBsiE4/IS9o8vzlFMGQn8Nhvxd4=,tag:m0fp9Bdhnn65gOkYdq5U/w==,type:str] + ALLOW_SIGNUP: ENC[AES256_GCM,data:N1uxlhk=,iv:lu5AUjwESlyM7xrQMSRLkDU4iWHKunC81RrENWtv/tM=,tag:wDR6QHmyurZ8YX6bBtqrzg==,type:str] + #ENC[AES256_GCM,data:hQgRNR72DZGbX7w3KYOSoTs=,iv:IdEWLFUaBJgVX/LVnMuLMbxsagCSZriajAmzH49UzYI=,tag:1KBGcsBaEIFXeAvBd+rq4A==,type:comment] + SMTP_HOST: ENC[AES256_GCM,data:iCZW1FFuHng8LqEpzIlwTis=,iv:0z1YiewWW/ObzUTyWk50/9ui8UmdTUmROOZJUlTa/78=,tag:YQBxj6Dsw0SmyeOX4tMWEw==,type:str] + SMTP_PORT: ENC[AES256_GCM,data:53FH,iv:Py7zKcRCq2MUspn1LLsA0ODfzWm9YrsVXgjJjJQWsEA=,tag:iLXsSwU0h4Jdm1JgAURhLw==,type:str] + SMTP_USER: ENC[AES256_GCM,data:se7CBFKNm0dol2rRqcvbR/5ibxG3EvYamOdzTo6rntk=,iv:ccx7vQ0A3xQE+DhVGVC+qHPBLyM90kz1YwwN9TgB2sc=,tag:CdRs72prs0i7NBTFhXl/vw==,type:str] + SMTP_PASSWORD: ENC[AES256_GCM,data:sLnUSMwBJX8cdDEvHya9dNoBJnA0LO5/Hzhjaal0FzY=,iv:/9FLfyqTLHA5G8dGJP6AL2hrycOcE2AW3EV7LQj7Elk=,tag:OyUXgRCMVNkLwcC+Aq0gkg==,type:str] + SMTP_AUTH_STRATEGY: ENC[AES256_GCM,data:XSOV,iv:BwC4VWz1NDIIORf3xvoHjbFDE1LI5oQEq1asneDs5Hw=,tag:jy10W1Nu6JlX9xh/sIBw5w==,type:str] + SMTP_FROM_NAME: ENC[AES256_GCM,data:cGTQ72RB,iv:oJcDfpzyzQ/+GFsq1Pea6qBhS9/R6FncInwR+SNpesM=,tag:rneJuEvLEUvDAzt2orQMUQ==,type:str] + SMTP_FROM_EMAIL: 
ENC[AES256_GCM,data:+T9yDv4ymJoTQyeYbS1bnIepYBJkRusGoLJX2cDa,iv:oaGk5JzaYyi/295A8RUQnC1ZSpF/BFFUmEyMPLBqfr8=,tag:a54QZbkm8mKpQefm32yE9A==,type:str] sops: kms: [] gcp_kms: [] @@ -31,14 +31,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZ2hudjAyaE5oZlFHZEhH - UGJtTVc2Ry94UlZ3Vk5qN3l5L1pua2U0UUFZCndFK0JXdFphNk03Ym9MLzV5aVdX - V1RjcHNnMkF4bUhaeERHRk52cFhDNjAKLS0tIFRPVU9jT1d0SmRWTVFIMmVWM2tJ - c1dlazRoZzl6bkNBOUJraFByWVp2WTQKMZvMnBUxZJbg84Cb+xRB+rKLk+iw8wr6 - v6DTVZt8NyVHWFrIxv66pjln/6OKeIWfsefbaL5JdorSXhkh0vK7Xg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UUVuSXVOeng4NnJPOFBw + YnhDdmNBSmdBOG1NZmxNK1RKWnlpcGx5UEV3CmxHSTdyQXJpTHJ2QUdGRzgwNytS + QjR3Mm5FQ2dTMzF4cTlRWkZmZDNHcnMKLS0tIGtuelhYbmYxWWRTSXgzNCsvRkU4 + V0tyNTdZVGZ4citNSkRCZTB0aUdqMW8Kuon0UUHgOJeskUa55BrIgBDK1acn8nBv + v25B1Kgq5SUGe8m+TJyBKaeDmFciqmg1UVJe2mauSBkwZtimZTRy6g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-28T20:58:50Z" - mac: ENC[AES256_GCM,data:oo8zgBXQ4gX4clSDPGbtrBLmlRUn9Lwfl0iIb5IEIbgXodOeAmI5zDN5oml3v9Z7TwQFEehKGZQcjenhVn6w0lfAlZzsLi7Mot3XlJ9L+9yBgBujud6mqdWvmKDZCoVVRRNISYr1BWXrdtq6RXuo8Sj9aO6bLu7CcV84qHTOysE=,iv:A0+WZf+vLH9Nhs//PVNmEeBYLyTzutXr4gvHzoMSXcM=,tag:7zNqnw6DTwzzQjJUrTrtlA==,type:str] + lastmodified: "2023-10-01T19:13:41Z" + mac: ENC[AES256_GCM,data:yuhuZ67b8Pxq0tibLKGNvIznKOxMrBBtCAv7ZkeMPWcQuocIIJRXt1oVqrYgYDQIUAUiCdzgxzfA++G4RLhfH9jDMNbjhuua+7D5I0ZXaKycCGAZef/EXx5CgI2Ws7QCPbxsuEKwSuJstUr7s79t6kQPeInhaD2VExxeB355Hfc=,iv:AyWYnAVPbnjkRongFTxkLPqliliANuL2on4Cix6nEug=,tag:zfJrB1Vy3GrrmFXQyM1ttA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/default/mealie/app/secret.sops.yaml.tmpl b/kubernetes/apps/default/mealie/app/secret.sops.yaml.tmpl index cf343691f..42282cd23 100644 --- a/kubernetes/apps/default/mealie/app/secret.sops.yaml.tmpl 
+++ b/kubernetes/apps/default/mealie/app/secret.sops.yaml.tmpl @@ -8,16 +8,16 @@ metadata: reloader.stakater.com/match: "true" type: Opaque stringData: - DEFAULT_EMAIL: "${SECRET_ADMIN_EMAIL}" - DEFAULT_PASSWORD: "${SECRET_DEFAULT_PWD}" + DEFAULT_EMAIL: "${ADMIN_EMAIL}" + DEFAULT_PASSWORD: "${DEFAULT_PWD}" TOKEN_TIME: "24" # hours AUTO_BACKUP_ENABLED: "true" ALLOW_SIGNUP: "false" ### email settings - SMTP_HOST: "${SECRET_SMTP_SRV}" - SMTP_PORT: "${SECRET_SMTP_PORT}" - SMTP_USER: "${SECRET_SMTP_USER}" - SMTP_PASSWORD: "${SECRET_SMTP_PWD}" + SMTP_HOST: "${SMTP_SRV}" + SMTP_PORT: "${SMTP_PORT}" + SMTP_USER: "${SMTP_USER}" + SMTP_PASSWORD: "${SMTP_PWD}" SMTP_AUTH_STRATEGY: "TLS" SMTP_FROM_NAME: "mealie" - SMTP_FROM_EMAIL: "${SECRET_SMTP_ADDRESS}" + SMTP_FROM_EMAIL: "${SMTP_ADDRESS}" diff --git a/kubernetes/apps/default/mealie/ks.yaml b/kubernetes/apps/default/mealie/ks.yaml index 859e92543..9fdc67c78 100644 --- a/kubernetes/apps/default/mealie/ks.yaml +++ b/kubernetes/apps/default/mealie/ks.yaml @@ -3,17 +3,18 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-mealie-db + name: default-mealie-db namespace: flux-system spec: dependsOn: - - name: apps-default-cnpg-db - - name: apps-default-postgres-operator + - name: default-cnpg-db + - name: default-postgres-operator path: ./kubernetes/apps/default/mealie/db prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: true interval: 30m retryInterval: 1m timeout: 5m 
@@ -22,20 +23,18 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-mealie + name: default-mealie namespace: flux-system spec: dependsOn: - - name: apps-default-mealie-db - - name: apps-networking-ingress-nginx - - name: apps-rook-ceph-cluster - - name: apps-volsync + - name: default-mealie-db + - name: rook-ceph-cluster path: ./kubernetes/apps/default/mealie/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/miniflux/app/helmrelease.yaml b/kubernetes/apps/default/miniflux/app/helmrelease.yaml index ba0ec218e..2a2a162ef 100644 --- a/kubernetes/apps/default/miniflux/app/helmrelease.yaml +++ b/kubernetes/apps/default/miniflux/app/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: createNamespace: true @@ -51,7 +50,7 @@ spec: key: ADMIN_PASSWORD DEBUG: "1" LOG_DATE_TIME: "1" - METRICS_ALLOWED_NETWORKS: "${NET_POD_CIDR}" + METRICS_ALLOWED_NETWORKS: "${CLUSTER_CIDR}" METRICS_COLLECTOR: "1" # OAUTH2_CLIENT_ID: miniflux # OAUTH2_CLIENT_SECRET: "${SECRET_MINIFLUX_OAUTH_CLIENT_SECRET}" @@ -86,7 +85,7 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/default/miniflux/app/secret.sops.yaml b/kubernetes/apps/default/miniflux/app/secret.sops.yaml index f101ac6a7..4e92edf78 100644 --- a/kubernetes/apps/default/miniflux/app/secret.sops.yaml +++ b/kubernetes/apps/default/miniflux/app/secret.sops.yaml 
@@ -8,8 +8,8 @@ metadata: reloader.stakater.com/match: "true" type: Opaque stringData: - ADMIN_USERNAME: ENC[AES256_GCM,data:KmrjQqo=,iv:63f6stSmY7KibaQgL3YYSscnKinlBWuUEJnTtNBrbF0=,tag:SaumiotpVkFw3AZeaB+vsw==,type:str] - ADMIN_PASSWORD: ENC[AES256_GCM,data:lcZqmGuN/ri9WzPM,iv:vlPSDnEsLZ4Yd6DN9eFfyOdR0Isrpb3kGV6v3CGxn6E=,tag:hxGb9+gf8971fszxX5ZzNg==,type:str] + ADMIN_USERNAME: ENC[AES256_GCM,data:B8cpQf0=,iv:FepcHW4GpqGS5Pk/oM6AdwYojR6/jzKwqmudpAJ9jfc=,tag:YiEmbeUlDSB4RX3SX8Q75w==,type:str] + ADMIN_PASSWORD: ENC[AES256_GCM,data:jqh3IVHalG5Iq7ED,iv:nr7y202ujJGz8pK0thrt/sBnFnNFMb2qfOdQHRrMWkQ=,tag:xDrgGOmfj7dRQx5UZN/3fQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -19,14 +19,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRFJMYVJZdE1ERWdIL1lD - L2JoQlNNQ2x2ZXNrYk5rcGdXRU9OK0lxOG5nCnYvZGlhYnVRYmU1S3BkQ0lPd3B0 - OUc2cDkrNkNpQmFVRFNQZWtRaU5mNEUKLS0tIElIWVFabEpHSmFpTlh2OUIxbGFx - VjB3K2kyK2UwVXB1cTBSUzR5b214ZVkKU/hSssFW52auCOWo6n52YQSh+rLmr386 - na28+G2z2bqgV5MJnqW2wtkA2QVo/w30ekTsS45wemAreE6r+a9fSQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMFZkQnZvTXJNWGRNTkRz + UFNXdXlibTF4WWg1OFFSOWQzS1ZMaWxmNW00Ck03UVB5RGFTQWtINFY3S09sNUJZ + QkRTRUJMUU5ZVW5veWN3WmxTdW02R3MKLS0tIHdpdjloMWcrVWdPcWlJc2pCUHBY + QzNIU1hqQUdmNUM0aDJkdWtVR2hxVXcKg8UM4+bbGV4FHOzNDszQprf6oOHcmubW + lL3vDsDtFXoiuqjIYjFBSSFQp1bsF3l9k7ZGAeULd1EBbPFZJ4+AYQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-23T01:18:04Z" - mac: ENC[AES256_GCM,data:2R0VFfyrHXyR9qZtPFB39WpIhxLTIiGiW6kviCO3Xh2QAgUMv/F9Ao7GN1RGoGYxlEY7eIFiqgBheF4///tH4Sn+L1IkcMBBC8PyLHQ8SspnSftlIpn6coAb1vcDH18yG6IFWL0geqrlJVTYTBlX9VjqUdhwofNwgyUoJh/Ss38=,iv:nmdkHcu7DpGv9oZH28pAl2sQ+mAKQ7ipo9g2Cffdpz8=,tag:rc60V4KNq6t2nQyvLyKlAQ==,type:str] + lastmodified: "2023-10-01T19:08:56Z" + mac: ENC[AES256_GCM,data:ndE8kaQfoFMOMWFGTfrv4i3srnEgzND6Zhp164hnU5OveMzkMULw8AdWfwO1QB5bZAGNERu0dU6JgN0sLdj2UzkMHCV6QEudg42vwgwnBdr+LMngxkVmJgeC79U192K5ZdsyD0O4w61Aevi5jR00ktAu47YhTqzqimVp/3Adkrc=,iv:4ys1htKAWtyppasJjTYpCaqzsJBIAD+3eRllR/tEdUs=,tag:jmhUx698x/WIBkl9s9ye/A==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/default/miniflux/app/secret.sops.yaml.tmpl b/kubernetes/apps/default/miniflux/app/secret.sops.yaml.tmpl index ed097e0fc..475f3bc4c 100644 --- a/kubernetes/apps/default/miniflux/app/secret.sops.yaml.tmpl +++ b/kubernetes/apps/default/miniflux/app/secret.sops.yaml.tmpl 
@@ -8,5 +8,5 @@ metadata: reloader.stakater.com/match: "true" type: Opaque stringData: - ADMIN_USERNAME: "${SECRET_ADMIN_USER}" - ADMIN_PASSWORD: "${SECRET_DEFAULT_PWD}" + ADMIN_USERNAME: "${ADMIN_USER}" + ADMIN_PASSWORD: "${DEFAULT_PWD}" diff --git a/kubernetes/apps/default/miniflux/ks.yaml b/kubernetes/apps/default/miniflux/ks.yaml index aeec0ad79..57e7d8868 100644 --- a/kubernetes/apps/default/miniflux/ks.yaml +++ b/kubernetes/apps/default/miniflux/ks.yaml @@ -3,17 +3,18 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-miniflux-db + name: default-miniflux-db namespace: flux-system spec: dependsOn: - - name: apps-default-cnpg-db - - name: apps-default-postgres-operator + - name: default-cnpg-db + - name: default-postgres-operator path: ./kubernetes/apps/default/miniflux/db prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: true interval: 30m retryInterval: 1m timeout: 5m @@ -22,20 +23,18 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-miniflux + name: default-miniflux namespace: flux-system spec: dependsOn: - - name: apps-default-miniflux-db - - name: apps-networking-ingress-nginx - - name: apps-rook-ceph-cluster - - name: apps-volsync + - name: default-miniflux-db + - name: rook-ceph-cluster path: ./kubernetes/apps/default/miniflux/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/namespace.yaml b/kubernetes/apps/default/namespace.yaml index 7cd621c54..81469ff48 100644 --- a/kubernetes/apps/default/namespace.yaml +++ b/kubernetes/apps/default/namespace.yaml 
@@ -5,5 +5,6 @@ metadata: name: default labels: goldilocks.fairwinds.com/enabled: "true" + kustomize.toolkit.fluxcd.io/prune: disabled # don't prune namespace annotations: volsync.backube/privileged-movers: "true" diff --git a/kubernetes/apps/default/opengist/app/backup/secret.sops.yaml b/kubernetes/apps/default/opengist/app/backup/secret.sops.yaml index 9c7a508c2..95a63de04 100644 --- a/kubernetes/apps/default/opengist/app/backup/secret.sops.yaml +++ b/kubernetes/apps/default/opengist/app/backup/secret.sops.yaml 
@@ -5,14 +5,14 @@ metadata: namespace: default type: Opaque stringData: - #ENC[AES256_GCM,data:GhRNidPWpkjDHm3bD75FQBvztF9zOee4YGlu/N81lHjaEYN3M10N8fY6Ku/DJ1Kn4MDiwhdt9253SD3Zzw/fFTvfP7bG7rZp39+TwWmYc2Q=,iv:wHoHRhwSh4e7r0qMdoJnjQh8pUD+yefNLgGIEsNB88g=,tag:vA9ZLTx6Yfs988XRF3UYvA==,type:comment] - RESTIC_REPOSITORY: ENC[AES256_GCM,data:XMBXPXtEEs+1CFi+v4Sud6tawo2CoeRM0BVsGMSXv9lzn7DssDW/B1EhZdj/H9Ui1Iduc6+ZPGKq,iv:fCw36NnG/WzCut6GRKcPweGfoL/WxfBlpSKisCCEk9A=,tag:jU6/Ta4bo8V9TcsXkL+p3A==,type:str] - #ENC[AES256_GCM,data:FeB+5sBe+aITCxBUPOsZezYpqZBTYXnxQKIBWCKQ,iv:A9u6/T/TF4DJ4B0RYVzf5PWmesw88I9J1vTww8hyz18=,tag://7p8IzrF80gf4u2IaVcSQ==,type:comment] - RESTIC_PASSWORD: ENC[AES256_GCM,data:ThkjA4wDd4Zmr+HV,iv:tlDlxgkbHZ34+0sNES8zbcia47sT43vP8VNAttVTmWU=,tag:PajSI3OCJNo/cD1ojP5YZA==,type:str] - #ENC[AES256_GCM,data:oaNoi4qZ9OFSEtuQeYcavG0iC56+wx3N7RfRUBgz2xOCXOi2J8mai7E=,iv:KWmwGnGfTdqeM0aWNlv452u5bE7nYutYFIHOo3KJ8R8=,tag:W8wZ3d017g0KY/JAKF6MWw==,type:comment] - #ENC[AES256_GCM,data:BuLEpGrEJpgdTZG3wKpZnoz5x7xRJKbHMuoCSEsNP1RHQQdFhxvR/noLnKfgBuPt22hJDOkxpFtKAwSRhBHGPY/QHZEsPg==,iv:OGpR2IuycWNT5trfN9pKI8GPbigv8klsgANcNi1b8x8=,tag:boJYwkuZZnNGd8kLs0eeyQ==,type:comment] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:v2rbLiLj0GUjF6imf31eT4ui5no=,iv:mg0POmevH6rq9C4NUaJTi+cf260mfVCSEd+dgvrcEmE=,tag:dkeARl6OY4gh58OphISmLQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:B6sBDnUpdqgy6wSO5oGxuN2ZoqbzeiCR3qkCoLe+Ww==,iv:SsjXOFNkVAaISWj5feuSJpaEw/kbPQjyjRqVQ+Z3Puk=,tag:sAyfiVUX+ILlGPzU9pNRfQ==,type:str] + #ENC[AES256_GCM,data:WeonWPzRZXQlqdRA8TW5/1Qq8o5cZsJDVrhNDEH8kCmsuVTQp9CL8i3pnjzEX8IvEogUaGxgWQHM81sz9kqFECQ+UffAZxLYJ3DZAdwJdyU=,iv:rdyHMbT1KvXH4V7ZIg/rfdQOLCPbYraxnJiaQttVewc=,tag:7rguf6F+ZiaRifKQBBsFMg==,type:comment] + RESTIC_REPOSITORY: ENC[AES256_GCM,data:KcwBt6pA3aVBIpZa0rRA8H+mfzuAa+6nabwZMw3ZL7ycRoG+eGMFus+rg/jOtmE9ATOQ4tOspDGP,iv:AEy4vmAv5VIN+XSqHS4AJaq0Xue4h5/MeA6KXMiqKc8=,tag:PSiL8XgTDxSWLtfsx0r6Yw==,type:str] + 
#ENC[AES256_GCM,data:VSbuv6jMhHN/+h98UsOUHtinUFHfXZvLv7wSKpb6,iv:8epcb8vxbwE6gnAe9u311s8wH9Ju4dOMgSwFlsklb3w=,tag:HUUErWpSII6K5dXzET4jqg==,type:comment] + RESTIC_PASSWORD: ENC[AES256_GCM,data:mSLNWcgZ0LeGDQiJ,iv:C5rNC5RQyWTDGSAJZZV/CA3dFtQuG1P4C1nh96XRX20=,tag:+ToAgxfPDFie1s6V17HeQw==,type:str] + #ENC[AES256_GCM,data:e8FgpXUzk75NKsYbsq2LObHmZSeoTNbo/lgiitmjg3fAMW8cWUkx1Tg=,iv:5kbLgt/bTAHmq7cIZ0HzJPCuzVKWvuC2D4goqzvh8r0=,tag:kM+lmMjplyQvNSfKM22xvQ==,type:comment] + #ENC[AES256_GCM,data:YrwyfWJvksCK0DKu81xt80Q3RLFR+GsBgUZ5047AYRSiArmpOfcDUFkAmp6gGMwelo1j1YqTwRwxcngp9DTMYrh7/5QiBA==,iv:Seu6tGxuTsLwnm676XMbvQWrSOqg64uBdy0WCzkqnKc=,tag:PumIj2C3AuJVTDdmmhSBUw==,type:comment] + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:ogt2m98XSaAjOFEIoadGwTnwzwI=,iv:NCVI9oX8QVj9F87tlF9mNlnSWmd4BOsLbd6kHTGb1b4=,tag:M8qDXVo4GJbHHKPQV0hXcw==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:uqdWsLe4MdKGpdojO4RPpsuYZQ+z9j7AtgQLL4rMzQ==,iv:rde27vlqP5KyN7bVa0/V1tflBz2HREHTtiMeXaa+ohU=,tag:dpAy5ak1LzZtzEeC2y90MQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -22,14 +22,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3YWhyTVRqeHZ5NXJnQlcx - UFMwa1V2eCtYck5rWXhFSTljS2paL3JoMUFjCm9VVHpvekVSTmM3MDIzQVUzdnVJ - RjBiVTJRbUlVMzJrTWlJaFhlcHF1d0UKLS0tIGFZbmRjZFpxQUFIM2Jsc3RJaDB1 - UTVnVTZTcjNnSG56N0xGWUhKRG8xVVkKm+dn0/uzmahr1/H0RatXKoZ+OjA+7y6q - +oIjNF8ZK68WPdQefMjOaY6VnfqeEeNfM3t1aLW4x8cAhKugdYAYfQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNFREekFxcXlOVnFPQjlD + eUVVejhuRkZLSG52YVBEeDBiRGxCbWtEeGw0Cmg4dHhiVWdKbVNBZ3hSRGZGVVJE + MFRXeTQrSHhGQURZMWx0SDV5anBNSUUKLS0tIFJGbmVPZVp6Y3Y2UThzT1JiZEYv + TDVzRmxPbjVkYmx2T1VFM3VwTkxzVG8KVwhldLIVWjQa6Zrg4Tf1YW95cW4GA9uj + Tbc5kPLvNzM+1mfzFx5yCTrlE4rHgj56qZyWhrxJKnDfHp+sEKY+WQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-28T15:00:47Z" - mac: ENC[AES256_GCM,data:zq3tk5S+oV3WK3DV/xPex0g5J3lOmfKuiXCRCdfPQH/qGOxP66pFSBFU3RIo+dNZYLsYjtpmr2YDpIAhVu+euPAlyJwgyxnr7k8eZiCME/vSn/i970KPzt9y066/VZqKliyjWd3au/VE+DdnfGP/wT9Ra1Y8w/ByTYPZ3zt1fuQ=,iv:MKHM+7oKLHxYTea+4w9WIKBSeS2Wc1ccxou54XFGLik=,tag:ZJ2cnIEI1BQ7B1oI/UQaCQ==,type:str] + lastmodified: "2023-09-29T01:16:24Z" + mac: ENC[AES256_GCM,data:pUvVtiOlqFgeamY/ohJPGgxN/oUILm2nLa+g5seJ64M+ReCUq+CR5lYw//43dEIDRSxRjZ/jl9IqmdWCyaYJ7RDWgAepjC/t0p2lpfvXlvkdMmRxbmoSuqSRIZ9KndRFz2kkho65PW6mlHEg/DCZLq7P2CIcbLzyoJJIVAgbCm8=,iv:rTtEd/abY7uA2Ho6pbR8UlxLKk4YdqXXFnkP3yl0hoM=,tag:CFLYhjqQvr0zPOVRYWEIoA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/default/opengist/app/backup/secret.sops.yaml.tmpl b/kubernetes/apps/default/opengist/app/backup/secret.sops.yaml.tmpl index 21c61344e..bef7c63cb 100644 --- a/kubernetes/apps/default/opengist/app/backup/secret.sops.yaml.tmpl +++ b/kubernetes/apps/default/opengist/app/backup/secret.sops.yaml.tmpl 
@@ -7,10 +7,10 @@ metadata: type: Opaque stringData: # The repository url; add trailing folders if multiple PVCs per app (one per PVC) - RESTIC_REPOSITORY: s3:https://${SECRET_S3_ENDPOINT}/restic-opengist + RESTIC_REPOSITORY: s3:https://${S3_ENDPOINT}/restic-opengist # The repository encryption key - RESTIC_PASSWORD: ${SECRET_DEFAULT_PWD} + RESTIC_PASSWORD: ${DEFAULT_PWD} # ENV vars specific to the chosen back end # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html - AWS_ACCESS_KEY_ID: ${SECRET_S3_ACCESS_KEY} - AWS_SECRET_ACCESS_KEY: ${SECRET_S3_SECRET_KEY} + AWS_ACCESS_KEY_ID: ${S3_ACCESS_KEY} + AWS_SECRET_ACCESS_KEY: ${S3_SECRET_KEY} diff --git a/kubernetes/apps/default/opengist/app/configmap.yaml b/kubernetes/apps/default/opengist/app/configmap.yaml index 7701c401d..d27d32765 100644 --- a/kubernetes/apps/default/opengist/app/configmap.yaml +++ b/kubernetes/apps/default/opengist/app/configmap.yaml @@ -40,15 +40,6 @@ data: # Enable or disable git operations (clone, pull, push) via HTTP (either `true` or `false`). Default: true http.git-enabled: true - # Enable or disable TLS (either `true` or `false`). Default: false - http.tls-enabled: false - - # Path to the TLS certificate file if TLS is enabled - # http.cert-file: - - # Path to the TLS key file if TLS is enabled - # http.key-file: - # SSH built-in server configuration # Note: it is not using the SSH daemon from your machine (yet) diff --git a/kubernetes/apps/default/opengist/app/helmrelease.yaml b/kubernetes/apps/default/opengist/app/helmrelease.yaml index c0d2fe252..fbc431a9b 100644 --- a/kubernetes/apps/default/opengist/app/helmrelease.yaml +++ b/kubernetes/apps/default/opengist/app/helmrelease.yaml 
@@ -6,15 +6,14 @@ metadata: name: &app opengist namespace: default spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: remediation: @@ -36,15 +35,11 @@ spec: args: - "--config" - "/mnt/config.yml" - # env: - # CONFIG: | - # log-level: info - # opengist-home: /data - # # disable-signup: true + ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 @@ -60,7 +55,7 @@ spec: ### ref: https://github.com/brettinternet/homelab/tree/176df6db10916d8df6d7309742b171a23c414119/cluster/apps/auth # ssh: # enabled: true - # ingressClassName: nginx + # ingressClassName: internal # annotations: # nginx.ingress.kubernetes.io/whitelist-source-range: | # 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/default/opengist/ks.yaml b/kubernetes/apps/default/opengist/ks.yaml index a8ddb1f27..39f292ebc 100644 --- a/kubernetes/apps/default/opengist/ks.yaml +++ b/kubernetes/apps/default/opengist/ks.yaml @@ -3,18 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-opengist + name: default-opengist namespace: flux-system spec: - dependsOn: - - name: apps-networking-ingress-nginx - - name: apps-volsync + # dependsOn: + # - name: volsync path: ./kubernetes/apps/default/opengist/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/pairdrop/app/helmrelease.yaml b/kubernetes/apps/default/pairdrop/app/helmrelease.yaml index af3b519ad..35695ae02 100644 --- a/kubernetes/apps/default/pairdrop/app/helmrelease.yaml 
+++ b/kubernetes/apps/default/pairdrop/app/helmrelease.yaml @@ -6,15 +6,14 @@ metadata: name: &app pairdrop namespace: default spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: remediation: @@ -33,12 +32,15 @@ spec: ingress: main: enabled: true + ingressClassName: internal + annotations: + nginx.ingress.kubernetes.io/whitelist-source-range: | + 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 hosts: - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}" paths: - path: / pathType: Prefix - tls: - hosts: - *host diff --git a/kubernetes/apps/default/pairdrop/ks.yaml b/kubernetes/apps/default/pairdrop/ks.yaml index abb52f923..b142df616 100644 --- a/kubernetes/apps/default/pairdrop/ks.yaml +++ b/kubernetes/apps/default/pairdrop/ks.yaml @@ -3,17 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-pairdrop + name: default-pairdrop namespace: flux-system spec: - dependsOn: - - name: apps-networking-ingress-nginx path: ./kubernetes/apps/default/pairdrop/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/postgres/cloudnative-pg/db/cluster.yaml b/kubernetes/apps/default/postgres/cloudnative-pg/db/cluster.yaml index 1e894385e..e6577e692 100644 --- a/kubernetes/apps/default/postgres/cloudnative-pg/db/cluster.yaml +++ b/kubernetes/apps/default/postgres/cloudnative-pg/db/cluster.yaml 
@@ -38,11 +38,11 @@ spec: # # name: -user-secret ## Alternative bootstrap method: start from a backup recovery: - source: &s3-backup postgres-v3 # next time it will be postgres-v4 + source: &old_db postgres-v4 # next time it will be postgres-v5 # externalClusters is needed when recovering from an existing cnpg cluster externalClusters: - - name: *s3-backup + - name: *old_db barmanObjectStore: endpointURL: https://${SECRET_S3_ENDPOINT} destinationPath: s3://postgres/ @@ -60,7 +60,7 @@ spec: backup: retentionPolicy: 30d barmanObjectStore: - serverName: postgres-v4 # next time it will be postgres-v5 + serverName: ¤t_db postgres-v5 # next time it will be postgres-v6 endpointURL: https://${SECRET_S3_ENDPOINT} destinationPath: s3://postgres/ s3Credentials: diff --git a/kubernetes/apps/default/postgres/cloudnative-pg/db/secrets.sops.yaml b/kubernetes/apps/default/postgres/cloudnative-pg/db/secrets.sops.yaml index 199346d1d..2f88d3cf6 100644 --- a/kubernetes/apps/default/postgres/cloudnative-pg/db/secrets.sops.yaml +++ b/kubernetes/apps/default/postgres/cloudnative-pg/db/secrets.sops.yaml @@ -7,8 +7,8 @@ metadata: annotations: reloader.stakater.com/match: "true" stringData: - username: ENC[AES256_GCM,data:u/9TLN+9a4s=,iv:bje7/duSB5aPznUl7DI4IGlOXSmzVFjXcao47oinNNg=,tag:D9Z8qk8Aikij2ocOg11cFA==,type:str] - password: ENC[AES256_GCM,data:G0Tp/GwscKYgjVac,iv:g8feoWlqB+oy6g2npbdbskKb0OI94M1RKRpI5k0OPHM=,tag:ISDlXKcyBBYhcpklKczHGg==,type:str] + username: ENC[AES256_GCM,data:wCfpMwo3Plc=,iv:HeUQDntaOVxZlo2WUfxCrqYqdTgQdZOTEEgUDTwluMY=,tag:Nd0jiIHwbBqE11FO6e/Y4w==,type:str] + password: ENC[AES256_GCM,data:aYhO1yDTSgAgFASF,iv:YO0YCM9BuEB/Hq9Wnpy55Wag1B/MQ6LDWcJwHvQeoyU=,tag:4AGNdPPtQ5YaCdAp5on98Q==,type:str] sops: kms: [] gcp_kms: [] 
@@ -18,14 +18,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1SUdWZlpTL0I4L2F3UkVD - U21tZmxJeTYxdkZlR29Wc1BpZWxhYmVuZkM4CmJPMTFsbnZvd3orQ1FuODlVVXFY - dXhzWUVsQ21jdXB3SW4wWE9WcUFLeDQKLS0tIHBJQVN6RHcvVFRaeW9IaW0vVzRi - S1B0K3BYWXVUVzVBVTdjMnl3N1VFVE0Khat7du9ONvsJfMCOeaNhDLWAGjZVn1jo - 3SQdV5TUFBiWlxHbzPa/fUpD7MTrPXHsvS6vCbY6sUj+Xw6nAiiqZQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMTNReHVCTHN2TjJtR2lQ + cWNaeHdMQ2FyeXFhVEpsNmdUZ3dTSERkQTFjCjVDeGI4eHRHaW41bVJsMGdrZTJJ + ZitGN0wyTU1INGNZbkIydFR5VWRKZ2MKLS0tIG1VQVBuRlhuNGdyUlRjbmxnU1Nw + NWJYWURSU0lsQXNNOHNlendqQmY1RW8Kd/9YJiCRqG5K31xa5cQZ0DcaoDFWM5UB + 92eBzh7g7I20tKbTu6Zdft2BVrXZEHd+jrmq7ZZx+R77GUTroJaEtg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-16T01:13:52Z" - mac: ENC[AES256_GCM,data:YnfGrJE1gIr41YbpVw0T24aRtVagGDfAP+UvdJA8Abq8YjQ7Sgm9lWdhy7MaRKj+a1dxQ7u7s+q3D+wQ8n7716rc5ITcvuO2NDbAH8sndMiaSZN3spPIbiEKvKiPdK6XYX3/vjF9Qj2yancVU6v+iWvvgtP6Iy3K00/z0e0KIUQ=,iv:dzN16huP7QyJ0GkCU641c9crPlFfF04ndIZhUldptOk=,tag:ZAjHpkWe87Punzw9i7esDw==,type:str] + lastmodified: "2023-10-01T18:28:57Z" + mac: ENC[AES256_GCM,data:pO7NLEmwgxq0BeZ2FY/1LmpxQDakz28AE7pU5seG7xp2q4wSd4qh3gM5OopwdKJxgRsqILmH+ePHwWA1TERzZxYhpsBObkjkhotFk6NbjapusgUbTGC0ihGXfq/uvHqqxOhd5+e93/MimASWj+517b89DQVmCVcYa0b56+P3G1A=,iv:J5gBV50iaJMhX8C0R2xEd05A9yIPhe35ZBGW6GGzf7U=,tag:1GRF6knoSPlfTaDZttmaYQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 
@@ -38,8 +38,8 @@ metadata: namespace: default type: Opaque stringData: - S3_ACCESS_KEY: ENC[AES256_GCM,data:74OOHeKZFxYf8HyKYLQtxyPJ/e8=,iv:oBH1hVxqo/ocaStUFRPKtNaUjTyaOotqTwx6cXIdN0M=,tag:f7a+blYCQsUlfWpNDBrokw==,type:str] - S3_SECRET_KEY: ENC[AES256_GCM,data:roRirHXsPMuXQOV3Sr7qWg1VTwvGqOGxlhlvdqTweA==,iv:bRCENJmTgqsY29+bJ9L0DXP2iI1wF7Mqspj0F0+BdsU=,tag:aEWzKVxBKunYakPnjHyPsg==,type:str] + S3_ACCESS_KEY: ENC[AES256_GCM,data:cTNRcv5VMORRGy1FBk9yZCwKKic=,iv:/p3VZGbHuN3MJaa4opnRcpOBwtE6QSpOyZoYvkAGpSI=,tag:sK49xZ1BsZc14Xr9SSwB2Q==,type:str] + S3_SECRET_KEY: ENC[AES256_GCM,data:Gbeq11sUGE2euG+hW8G784ZceC81WwToOlK/jVeuqA==,iv:92skbVAB8FNdNUd9khb5br8cy0y9YFxJ0JF6HvzqADc=,tag:BScxWP994E1XaqYQaNltQg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -49,14 +49,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1SUdWZlpTL0I4L2F3UkVD - U21tZmxJeTYxdkZlR29Wc1BpZWxhYmVuZkM4CmJPMTFsbnZvd3orQ1FuODlVVXFY - dXhzWUVsQ21jdXB3SW4wWE9WcUFLeDQKLS0tIHBJQVN6RHcvVFRaeW9IaW0vVzRi - S1B0K3BYWXVUVzVBVTdjMnl3N1VFVE0Khat7du9ONvsJfMCOeaNhDLWAGjZVn1jo - 3SQdV5TUFBiWlxHbzPa/fUpD7MTrPXHsvS6vCbY6sUj+Xw6nAiiqZQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMTNReHVCTHN2TjJtR2lQ + cWNaeHdMQ2FyeXFhVEpsNmdUZ3dTSERkQTFjCjVDeGI4eHRHaW41bVJsMGdrZTJJ + ZitGN0wyTU1INGNZbkIydFR5VWRKZ2MKLS0tIG1VQVBuRlhuNGdyUlRjbmxnU1Nw + NWJYWURSU0lsQXNNOHNlendqQmY1RW8Kd/9YJiCRqG5K31xa5cQZ0DcaoDFWM5UB + 92eBzh7g7I20tKbTu6Zdft2BVrXZEHd+jrmq7ZZx+R77GUTroJaEtg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-16T01:13:52Z" - mac: ENC[AES256_GCM,data:YnfGrJE1gIr41YbpVw0T24aRtVagGDfAP+UvdJA8Abq8YjQ7Sgm9lWdhy7MaRKj+a1dxQ7u7s+q3D+wQ8n7716rc5ITcvuO2NDbAH8sndMiaSZN3spPIbiEKvKiPdK6XYX3/vjF9Qj2yancVU6v+iWvvgtP6Iy3K00/z0e0KIUQ=,iv:dzN16huP7QyJ0GkCU641c9crPlFfF04ndIZhUldptOk=,tag:ZAjHpkWe87Punzw9i7esDw==,type:str] + lastmodified: "2023-10-01T18:28:57Z" + mac: ENC[AES256_GCM,data:pO7NLEmwgxq0BeZ2FY/1LmpxQDakz28AE7pU5seG7xp2q4wSd4qh3gM5OopwdKJxgRsqILmH+ePHwWA1TERzZxYhpsBObkjkhotFk6NbjapusgUbTGC0ihGXfq/uvHqqxOhd5+e93/MimASWj+517b89DQVmCVcYa0b56+P3G1A=,iv:J5gBV50iaJMhX8C0R2xEd05A9yIPhe35ZBGW6GGzf7U=,tag:1GRF6knoSPlfTaDZttmaYQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/default/postgres/cloudnative-pg/db/secrets.sops.yaml.tmpl b/kubernetes/apps/default/postgres/cloudnative-pg/db/secrets.sops.yaml.tmpl index 0c51b4134..e50c28d73 100644 --- a/kubernetes/apps/default/postgres/cloudnative-pg/db/secrets.sops.yaml.tmpl +++ b/kubernetes/apps/default/postgres/cloudnative-pg/db/secrets.sops.yaml.tmpl 
@@ -9,7 +9,7 @@ metadata: reloader.stakater.com/match: "true" stringData: username: postgres - password: ${SECRET_DB_ROOT_PWD} + password: ${DB_ROOT_PWD} --- # yamllint disable apiVersion: v1 @@ -19,5 +19,5 @@ metadata: namespace: default type: Opaque stringData: - S3_ACCESS_KEY: ${SECRET_S3_ACCESS_KEY} - S3_SECRET_KEY: ${SECRET_S3_SECRET_KEY} + S3_ACCESS_KEY: ${S3_ACCESS_KEY} + S3_SECRET_KEY: ${S3_SECRET_KEY} diff --git a/kubernetes/apps/default/postgres/cloudnative-pg/ks.yaml b/kubernetes/apps/default/postgres/cloudnative-pg/ks.yaml index 395d7dc99..db9a47c5f 100644 --- a/kubernetes/apps/default/postgres/cloudnative-pg/ks.yaml +++ b/kubernetes/apps/default/postgres/cloudnative-pg/ks.yaml @@ -3,18 +3,18 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-cnpg-db + name: default-cnpg-db namespace: flux-system spec: dependsOn: - - name: apps-cnpg-system-operator - - name: apps-monitoring-kube-prometheus-stack - # - name: apps-rook-ceph-cluster + - name: cnpg-system-operator + - name: monitoring-kube-prometheus-stack path: ./kubernetes/apps/default/postgres/cloudnative-pg/db prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: true interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/postgres/pgadmin/app/helmrelease.yaml b/kubernetes/apps/default/postgres/pgadmin/app/helmrelease.yaml index f3a2100e9..ac5c0c3bd 100644 --- a/kubernetes/apps/default/postgres/pgadmin/app/helmrelease.yaml +++ b/kubernetes/apps/default/postgres/pgadmin/app/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://helm.runix.net chart=pgadmin4 chart: pgadmin4 version: 1.17.3 sourceRef: kind: HelmRepository - name: runix-charts + name: runix namespace: flux-system maxHistory: 3 install: 
@@ -43,7 +42,7 @@ spec: ingress: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/default/postgres/pgadmin/app/pvc.yaml b/kubernetes/apps/default/postgres/pgadmin/app/pvc.yaml index 70a73ef7b..76b5f93e3 100644 --- a/kubernetes/apps/default/postgres/pgadmin/app/pvc.yaml +++ b/kubernetes/apps/default/postgres/pgadmin/app/pvc.yaml @@ -7,6 +7,7 @@ metadata: labels: app.kubernetes.io/instance: *app app.kubernetes.io/name: *app + # snapshot.home.arpa/enabled: "true" spec: accessModes: - ReadWriteOnce diff --git a/kubernetes/apps/default/postgres/pgadmin/app/secret.sops.yaml b/kubernetes/apps/default/postgres/pgadmin/app/secret.sops.yaml index 9c0c08dfb..ee2756901 100644 --- a/kubernetes/apps/default/postgres/pgadmin/app/secret.sops.yaml +++ b/kubernetes/apps/default/postgres/pgadmin/app/secret.sops.yaml @@ -7,9 +7,9 @@ metadata: annotations: reloader.stakater.com/match: "true" stringData: - #ENC[AES256_GCM,data:BbSf/udo8AEf7HDSbGfvwAcLnrN3xkUdXucEAqxiOw==,iv:/FgsEUQ8Hx9rpJGId3k1n9jrGenaX8IBjxDNwinUyJE=,tag:AKTBPC0U/QSRKYX2whFEng==,type:comment] - password: ENC[AES256_GCM,data:Cq9m/9u0IJz6LbI8,iv:z9whTV5hxff/xKkfuwE+qKBgdRDUoAf8YjPJD9Sq9g0=,tag:T/Iam40XugiRROChm+gY3A==,type:str] - servers.json: ENC[AES256_GCM,data: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,iv:b0PthevfQ47O0UeYSp8ofIoSGhzaL1tNJ/ushOSEOrw=,tag:cn2XqXTNL7QevE2eitQjjg==,type:str] + #ENC[AES256_GCM,data:D41zaEK7NKj9gpp/Ygg=,iv:C3kYoU3G+ttxQ7RS4NQ017HXs2baF80SZeD0bivvGDc=,tag:IpXqcasyewGRUclRGzBWfQ==,type:comment] + password: ENC[AES256_GCM,data:qFxW6Kf0sGjLyALa,iv:GsboPC0v4X3YcRqIznEdah0CXnPeFkWcDlsO+2q/Jrw=,tag:uo6EY/8LBHQkeGdFHuCQQg==,type:str] + servers.json: ENC[AES256_GCM,data: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,iv:RvFOFU4DxBtR06bpZG2xR8V61eeQ9r7MTvKXy03r2hw=,tag://3EwFtfs3Lc3uaiEd16gg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -19,14 +19,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwMW1HRXcrdU00cHIzTGpw - OVdDRkJGZW9rZXF0bjNPSStxU0twcjVSSWxNClJxUWxYVkNTYlJhOWpyQmthcjNj - dkp2aWJCYVlzYytUcXpGZGpBVnlKZ0kKLS0tIGtqRVZBVGxFVkZZSjlXaHB5b01h - a3hTaVdtN3BvbldCMk9pc1FPVlpkZXMKptuOcrRLgQfcqSGIBq01Ifl6FBWiKjy+ - c/AHiFNXAUKFc/tzcdf/YNrQPl60HpT5KyJWlzkbIOSumurMwMFc/g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUEF4ZklYTVpWWFZndU9i + QnJGMnErYy9kSzJoSDR6WnNvMmRUWllEUGtrCjluVVcxdzdCbjgzOHFzNEFIV0or + RUYvMGs0OTJIL1ZrcytGc3ZjNFByaU0KLS0tIHMzVG9NbzY2REFobjRXbDVWNFM3 + UHB5WkFsZU00VHpKb0JTWTJkbWJLZ2MKFE+Yq1KVfQgYza+6sNrSFB5+jDgtfK8m + 9rZtmAoOZ0XVmOLrZ2W5KfgU606Cum4QBIoT2gcyW6nzaDcMrH41jg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-27T00:25:42Z" - mac: ENC[AES256_GCM,data:Gli6hsPbhC9LhQ6WtsbvGuWtKVO3dSLPeiWAbU8BNhFRcbIcDFZOOycVE4p1iIoOCSf+pkiQF/iwy+YaiCt3d2oA91uyPTVBIkv06iH1wMVUlzeyit74iUu5o/n5ueO8OYZM+xetAexI3MU7sd/iAmhxfX6T/Pxl4u6qWJlystY=,iv:YO2TOgeZ32nZVUIkLtUiSfCN6Qj/fuM7D0F3HK2jCFU=,tag:CmKPpedaRR3beSEA8DqKIQ==,type:str] + lastmodified: "2023-10-01T18:30:26Z" + mac: ENC[AES256_GCM,data:gfglejpZncoRZ1mwWzL8QjJLUGI7bVgQLfSs6zA4sL/N3l+L3TAVqYPL3OuWUyhM8mk4ShV3KSruR5IRKh+yIUzUxtcg264KBdJY0VKh11ZSgh+l+GrkJIphgT3aNMHZ88oZJ0oxxi3KAjS3XV8U3DsES2XGjKDHHXQvEVkAs7c=,iv:dbEHQvNrE9kxJacptF0E6n/4NY/aaJFqquF82yMhyF0=,tag:pPNSQfsn7lnYsFGHLhuWgA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/default/postgres/pgadmin/app/secret.sops.yaml.tmpl b/kubernetes/apps/default/postgres/pgadmin/app/secret.sops.yaml.tmpl index c3bb240b3..1ebc0abb3 100644 --- a/kubernetes/apps/default/postgres/pgadmin/app/secret.sops.yaml.tmpl +++ b/kubernetes/apps/default/postgres/pgadmin/app/secret.sops.yaml.tmpl 
@@ -9,7 +9,7 @@ metadata: reloader.stakater.com/match: "true" stringData: # email: admin@${SECRET_DOMAIN} - password: ${SECRET_DEFAULT_PWD} + password: ${DEFAULT_PWD} servers.json: | { "Servers": { diff --git a/kubernetes/apps/default/postgres/pgadmin/ks.yaml b/kubernetes/apps/default/postgres/pgadmin/ks.yaml index b5f72af5f..3cf41e5c8 100644 --- a/kubernetes/apps/default/postgres/pgadmin/ks.yaml +++ b/kubernetes/apps/default/postgres/pgadmin/ks.yaml @@ -3,17 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-pgadmin + name: default-pgadmin namespace: flux-system spec: dependsOn: - - name: apps-default-cnpg-db + - name: default-cnpg-db path: ./kubernetes/apps/default/postgres/pgadmin/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/postgres/postgres-operator/app/helmrelease.yaml b/kubernetes/apps/default/postgres/postgres-operator/app/helmrelease.yaml index ec3463046..a51e5b61d 100644 --- a/kubernetes/apps/default/postgres/postgres-operator/app/helmrelease.yaml +++ b/kubernetes/apps/default/postgres/postgres-operator/app/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://movetokube.github.io/postgres-operator/ chart: ext-postgres-operator version: 1.2.3 sourceRef: kind: HelmRepository - name: movetokube-charts + name: movetokube namespace: flux-system maxHistory: 3 install: diff --git a/kubernetes/apps/default/postgres/postgres-operator/app/secret.sops.yaml b/kubernetes/apps/default/postgres/postgres-operator/app/secret.sops.yaml index bf7ad48b2..6f99fc0c5 100644 --- a/kubernetes/apps/default/postgres/postgres-operator/app/secret.sops.yaml +++ b/kubernetes/apps/default/postgres/postgres-operator/app/secret.sops.yaml 
@@ -7,26 +7,26 @@ metadata: reloader.stakater.com/match: "true" type: Opaque stringData: - POSTGRES_HOST: ENC[AES256_GCM,data:M7uT23tAKcNv1ARFQsX/dV8jcMNBothERT3LlgrrXP7BEFpsJg==,iv:Ynp+8q8dF6JCEYULWMrdjor+P8zClnavkVGsHFXEAFI=,tag:g4pnuF7qkK6ZR9Uhm6Mk+A==,type:str] - POSTGRES_USER: ENC[AES256_GCM,data:eQ9hWVFA1Rg=,iv:S0Ryxx47ntR67cYDBoU7LwnGIKPiZ8eB8O7N5K9uxn8=,tag:+RKyIqFhVuqSdHYvV31QXA==,type:str] - POSTGRES_PASS: ENC[AES256_GCM,data:pJ6fZSXyTanNnhCy,iv:crjpUNjN5IhGKSI/NkCIHIjhxn5STtcGSZLNPT+g/L0=,tag:51HNekLb2LFrFZ0ZejoysQ==,type:str] - POSTGRES_DEFAULT_DATABASE: ENC[AES256_GCM,data:rcvXc+6rM20=,iv:4m3AsliIBY2ZC2SNsC5LJ5v5eOJDNWuX6ih72n0aeHE=,tag:CrqyZD0ADXyRtMylnasCPg==,type:str] + POSTGRES_HOST: ENC[AES256_GCM,data:BcqJ7RgQBRwxbAgC2MD+qdpsB2QG6f5CW6nkkTYejkkGDdJlwA==,iv:HiXwDLAav8xgtwODnHTvg/DN2boKoT/4iVf4G+MDupw=,tag:DUoCD6XZTiEKRlB2gGEoTA==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:gOU2isvvNag=,iv:lvbw38HmeDz+/haOVUN6GgWGsMYDwLMAy1SArCzPVzg=,tag:8fSFlDep+BZT5H6lvAFn7g==,type:str] + POSTGRES_PASS: ENC[AES256_GCM,data:TMeswsVRcowfYbJ6,iv:hMgC2aIfchfmdSjUj2beq1PDz/Wlj8P1VB22VDt2+BE=,tag:SLt/0RXO+hFx7ak5XM3lnw==,type:str] + POSTGRES_DEFAULT_DATABASE: ENC[AES256_GCM,data:4egDgTvHlfs=,iv:74AIKRb4p64CKIf1bjjYm10/11evK5Q+c1KhtrZo7Yk=,tag:Z6Wz4vG664LvBHzM+c5MQQ==,type:str] POSTGRES_URI_ARGS: "" POSTGRES_CLOUD_PROVIDER: "" - #ENC[AES256_GCM,data:CJKLYr1h+1PqG+2HqvaM,iv:GbOjx8qMI5kjWdcb1Hg37YCu0IRI6wVIALBIEalzyLA=,tag:kD3Sh+GqfVRaK/GcgxOnsQ==,type:comment] - #ENC[AES256_GCM,data:MEK5jZC/LcvGV55WyK7ZLkFxng3mre72qVh+9D5jp997mu3kwTg5u3kZhwgu8ke+j1s=,iv:7CGrIVB+74p/Zb25H58OHdpVIv8Lx5K6bDm9MaOrVrg=,tag:NLoYeMOy6REyAKi7Uhr5Pg==,type:comment] - #ENC[AES256_GCM,data:ehzYOdJExJgGSr0v,iv:c6NJZVmi9dlG04R5UDvsBQvKdazVA3YOrnBj5He4m0w=,tag:sI+cnj6ix/ic3MQAvzPPfg==,type:comment] - #ENC[AES256_GCM,data:gDGoPfr+8xftprh0ykb1oTTvLdjPyMru,iv:ltT7iTQ2AG3uH9whXUmxV/NKkCpr1UEAxri0vM1Q4+E=,tag:MB4y/6UdhNBJnsULgWgGDA==,type:comment] - 
#ENC[AES256_GCM,data:WOz+oU+212kEp9BG3tiZG2pmSvn8denlmSKG08vYFVn9zRhNhW4QJo2Fpg0du4Tgfrw=,iv:RWsLw0wIZx0CWq7gKPvPHVrSzdgIgE0b1gpjL/sow1s=,tag:3FpgGK//4biwjST+sj0YkA==,type:comment] - #ENC[AES256_GCM,data:a+ZQ2xdZCYtUCpRI8LhcFkByMoPR/+lpt+GzBRkBxX/PDdQ/JLGA,iv:tAw5gVhCXZXDQ9oazuVxklbUtJyS22iWvluOgrTTNA0=,tag:9MbfLmamkTQ8wz3I1WIHFA==,type:comment] - #ENC[AES256_GCM,data:hUp8t7DG6c53yFKy+Sg09XIh61GQ,iv:3tz9Hxo6uvy8g4RJ37Z7tBj4qA5bOvhxwEd6QL1MflQ=,tag:vQf2vfmR0DR/w8lgowukvg==,type:comment] - #ENC[AES256_GCM,data:AISwRKa5RpSJ8JJIMiQcnTE6ube9FO0L2/JcTMA=,iv:F0rP8wBoRcqgyQi6ZEeWWPKdO1SSLBOV3Mm2CWgl9hg=,tag:nf7mV/lMq3xZjp0CE9j4BQ==,type:comment] - #ENC[AES256_GCM,data:O3ykWqG6+oPS9dsZFwx7bFcWhvqs6AP1F7+bEcildcnF3vaKXjKZNuwJTej7GA==,iv:6iRvmyFYDevy/fsBe45cbtuOpSR+ianewFLw3aC5/cw=,tag:uDbBc6jda9Ii55LGXdeRLA==,type:comment] - #ENC[AES256_GCM,data:RWWBGMxeORzBwnK3pCTfm6M=,iv:dK3pIp727zJB4M6HBvqtJ3dLhGOb5+LZHot8Jt0/t4I=,tag:HgOAPoy85vX9wZy3B7OFlQ==,type:comment] - #ENC[AES256_GCM,data:bTV8fDHPL9KYaB0T+RsRAOWN/M/q/i6ykf8nGBQ9W/Q1fxJve1Mbhr2lr5UeDDmN1mbzD54f6UxdqRg3cE3gHQF+UzNYvs9lRMMu,iv:C2P4AawstXjQ8RbKWRIj3IZZku1FLq/meg+Ah9D11VI=,tag:7aChs1i3mjSZ+G+j8UC15Q==,type:comment] - #ENC[AES256_GCM,data:cD8xXUr9RdULgX2ZuorIn/Sly3COnK8=,iv:yfTWihyw71+nQW7E7YX9K7FKN6zB1yj59jQUx2Z90x4=,tag:4ACFv1725FzBSlgvD7ExPg==,type:comment] - #ENC[AES256_GCM,data:G6c8SK62wwoC3xJBvXgcFSDsb5RK4bR4KUQUdNI0,iv:q2BMCjzMcyUOlstDyNAGLn/6biV+5tf8NCVmGqHWcXU=,tag:U0CzQi2wh+xfOxlKEz/ulA==,type:comment] - #ENC[AES256_GCM,data:naFnh/YQX67BW9m8UQWyJg643gD0gVLKrDK6ZBRcHtWy,iv:cTkRvrVxyBsZJBwkN7KrJDgdg4bHGyJjHNgnZylFEOE=,tag:iL7X8lGl/t0LATgTlKlUhw==,type:comment] + #ENC[AES256_GCM,data:wsfHl2h+MUC6R592nbBp,iv:yK7FEdGw8XQTUId3oxWWPu21sINjEbu7Bllhp7a/mrc=,tag:6Nv4cJR+NVq9cgsCTzZh5w==,type:comment] + #ENC[AES256_GCM,data:h5VNRNHKrJ5XkXKqaziqQieWUEq4W4B4CvigEPpt9MoFR/qD9Gj6cStkeE3jep0399s=,iv:FuV9sXTJoJ03AM4E+flvCaSkClSstiij1Yw09TZ0ueo=,tag:oYmjPvnIk7spjVrlvkuA2Q==,type:comment] + 
#ENC[AES256_GCM,data:7caVzRhLGM4xWufh,iv:q7Rrcl6aBNF/PwKkE38w/LjgBNCszDIEhyWVTzI/Z3U=,tag:pZT2WVa06zvrCWLGWfccmw==,type:comment] + #ENC[AES256_GCM,data:IasEbySD35mPChLEj1IsX2uDuEOHPrBE,iv:NEMBcPZyXKdsLBRwxOTpWlA+17/J6fh0LZaqBcYtRjY=,tag:/uOe/7z4RKgSToiHG2tl8g==,type:comment] + #ENC[AES256_GCM,data:WVqTts9C2+pkn5tUQreROLYfqgl03qDSmQR/Awpd373u+TGpVtaVNzHI+3yS/DvFj+Y=,iv:jpOQ7KFhhQXMtZSqpDEUsheRA51C3P9mXj+xQLct4Uw=,tag:WVDL0YZU5aFyYHyeYqA6qw==,type:comment] + #ENC[AES256_GCM,data:0RWsUPJquG3VDekZdy8AhhrqkQdxz/oVblZ7AizRZ1f/6hnIO6oD,iv:yNf25aYvJM9wUwz39PBt/Q9NihJHbLM/G8s4Rqm+7f4=,tag:yqNAtJ6dC6fYQeqCuZ03XQ==,type:comment] + #ENC[AES256_GCM,data:kWRv8wLHsz2xHe0C49KaF2p4oIuB,iv:WZny4YfHmucWEt3wxFSbGfecrSkw/LiQim4XHMfBKdQ=,tag:aji1R0Czz1C5ZIhChcyyCw==,type:comment] + #ENC[AES256_GCM,data:y9k1a+wQxQxpgTUIHV8uXwX6TxgUrpDgWAVjFxg=,iv:KuJzj9BtPwRIwg28/JPcFkm1UUWwBUQO2qy0gPQ80sw=,tag:syoVdhXoUH5Im5DSSuzOxA==,type:comment] + #ENC[AES256_GCM,data:XkbMC4a9Vy1KmrdtnWzi0h+8S8tLuU0UksGUapAKMAM1UW76qx1QrU7hmq9ovg==,iv:52/4Tc92VnOy+r/NU4vhfee7k8iCWOIhFS6C9Wvpz4A=,tag:TsscCmfr+NBtX4zbJtXz3w==,type:comment] + #ENC[AES256_GCM,data:OadsiqxE5pVyAMUTUVo+qIw=,iv:oweph8xstuTNjB7GjH/GMqQzdGqdWV7Qx1fjN4qht+s=,tag:hxbummmKy3Z+gXXbpUhICA==,type:comment] + #ENC[AES256_GCM,data:GXqoz8D2ameUocnjge/Sm6RAbE4QRTjMko/eLeFUlzJmcpBg9mM4V/80vrwVY8eRBTA6OqmuH0PExxfxSFJIG1N/Km9qyJB7SLPD,iv:ao6Yn3cvn4D+oMfgZDs7AuBvF8SuwbZH0amuelX3R3Q=,tag:g3ohRC1FH1Tjw1sPnaUfKA==,type:comment] + #ENC[AES256_GCM,data:3hZkr7UdEJwuV6GUTKk8XYJrlEs3Slc=,iv:yEK76POX0vrOebfkaJ9lFbb0EtgcfRiTv735Rd23ZPs=,tag:rpIXtvwDVfrq30vPdpa+kA==,type:comment] + #ENC[AES256_GCM,data:t+QpTeZ2Amezv5IyDcu8idI+2rBVL33NAQ4A6GO6,iv:WXAn1sFidzPiwTq5wnk0IPExTSAPtYN+V1zHF6TWPws=,tag:Pop8BZYnOfRbPxQAupb2Ow==,type:comment] + #ENC[AES256_GCM,data:MUIa81eRSg0RskgczGExlNRL7dUhC7SLnOnwFN+29kHC,iv:lG6PPAYob+HO6q8q476uWJGGJFxzu3OhWfT+hpZwlBw=,tag:HdlFuCGjS2HI2dTsOuw1tw==,type:comment] sops: kms: [] gcp_kms: [] 
@@ -36,14 +36,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxVWlDUWlsRDJIYlpoVTJx - aGxuQ0MzdE0xdE9MYXpFd3B1cURTUzZBNVQ4CkpJZ2lSNk1vbVByT2hjZHJLbmxp - blV3NlBWT2NaTjkzYUl6SEkzYS9OeVUKLS0tIGNrc0k1b1cyR3JYVlJIWS92TnZT - SmpvWjlYRFNXRWdRS1JidHJvdDNBMm8KKWKgMXXkobji8TvxclIRuxmTxZN5B/jn - /L6HCCcbtxCSVXjHXQznHJedn8oI1XAwYKf3Kz2utTLew2EnOjjLbA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqeFNrMW9ibmZPS1NkdFJ4 + ck9TNG9OVEwrZ0R5SWYyWlI2ZU9XL1NLWEJ3CnVsQlQ5emcrZjIrTUErRC9rb1Fj + eEF1OGNhT0ZnUFdMVDY2MCtHOVRmcE0KLS0tIHlsaDYvMGZlZzRMNmhQd2FhWitx + WjVTWFpOM3FhODJIa1Q1YXFCdEJKdGcKD9RsBJ5w3e2dXrhss0Ev8trksvAmJW1D + EiBmF6jbSjRQFGuiN3OdbTKxosp0PEw9ufUUKes08OiFxNJMcDECvQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-26T11:46:27Z" - mac: ENC[AES256_GCM,data:bBwHsjG6ci9dYuqTYPZ18f6C9gqVtyqFNKGQgrWpCwozbaZUPQtnFFftDZHa+/9HGk6Q0X6Hm9muVDux1xrc2C71OgO1UsH2JFKEf6UA4vFAZwkxbFuoaoUWDGyaRJ2HeoQ6XvpeKaaBTcKXCuPHL7DzUWb0X8H2QzH13sVhhzw=,iv:NzNe3UVGqB9jNfaParmYZTVZyCHnKHyq18OcBRWyHVA=,tag:DkIRUES9AaL9XSqwRpUxSA==,type:str] + lastmodified: "2023-10-01T18:20:39Z" + mac: ENC[AES256_GCM,data:hDbawHnZ4kalG31UoTZ9FMH2ULIY4G15Sn2UYVk8aOPv5EHSrRJsv7iyMO+HvHXGKWha+v6fUjN7FrCaGUKuhOmbfb2TijTen+AjI7PxfJCo54X1zTvdEjEEUH9ZQwjfI/xzdCC1R6943zLWR6FgHlVDdc5iLrQIecu1XG138EU=,iv:Ox19ZrbJsVOrYjZ3RGYoa77GHCcxis//BnqXbpiJ4Yc=,tag:Kd4A14V5yuW+xsJvD1a+sQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/default/postgres/postgres-operator/app/secret.sops.yaml.tmpl b/kubernetes/apps/default/postgres/postgres-operator/app/secret.sops.yaml.tmpl index 878c036b1..edfc82d3c 100644 --- a/kubernetes/apps/default/postgres/postgres-operator/app/secret.sops.yaml.tmpl +++ b/kubernetes/apps/default/postgres/postgres-operator/app/secret.sops.yaml.tmpl 
@@ -10,7 +10,7 @@ type: Opaque stringData: POSTGRES_HOST: "postgres-rw.default.svc.cluster.local" POSTGRES_USER: "postgres" - POSTGRES_PASS: "${SECRET_DB_ROOT_PWD}" + POSTGRES_PASS: "${DB_ROOT_PWD}" POSTGRES_DEFAULT_DATABASE: "postgres" POSTGRES_URI_ARGS: "" POSTGRES_CLOUD_PROVIDER: "" @@ -21,7 +21,7 @@ stringData: # host: "postgres-rw.default.svc.cluster.local" # # postgres admin user and password # user: "postgres" - # password: "${SECRET_DB_ROOT_PWD}" + # password: "${DB_ROOT_PWD}" # # additional connection args to pg driver # uri_args: "" # # postgres cloud provider, could be AWS, Azure, GCP or empty (default) diff --git a/kubernetes/apps/default/postgres/postgres-operator/ks.yaml b/kubernetes/apps/default/postgres/postgres-operator/ks.yaml index 01c69101e..27c655323 100644 --- a/kubernetes/apps/default/postgres/postgres-operator/ks.yaml +++ b/kubernetes/apps/default/postgres/postgres-operator/ks.yaml @@ -3,16 +3,16 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-postgres-operator + name: default-postgres-operator namespace: flux-system spec: dependsOn: - - name: apps-default-cnpg-db + - name: default-cnpg-db path: ./kubernetes/apps/default/postgres/postgres-operator/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes wait: true interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/default/redis/redis/add-ons/kustomization.yaml b/kubernetes/apps/default/redis/redis/addons/kustomization.yaml similarity index 100% rename from kubernetes/apps/default/redis/redis/add-ons/kustomization.yaml rename to kubernetes/apps/default/redis/redis/addons/kustomization.yaml 
diff --git a/kubernetes/apps/default/redis/redis/add-ons/redis-dashboard.json b/kubernetes/apps/default/redis/redis/addons/redis-dashboard.json similarity index 100% rename from kubernetes/apps/default/redis/redis/add-ons/redis-dashboard.json rename to kubernetes/apps/default/redis/redis/addons/redis-dashboard.json diff --git a/kubernetes/apps/default/redis/redis/ks.yaml b/kubernetes/apps/default/redis/redis/ks.yaml index 55f9d0e8b..3f4a0adf0 100644 --- a/kubernetes/apps/default/redis/redis/ks.yaml +++ b/kubernetes/apps/default/redis/redis/ks.yaml @@ -3,14 +3,14 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-redis-operator + name: default-redis-operator namespace: flux-system spec: path: ./kubernetes/apps/default/redis/redis/operator prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes wait: true interval: 30m retryInterval: 1m @@ -19,19 +19,19 @@ spec: # apiVersion: kustomize.toolkit.fluxcd.io/v1 # kind: Kustomization # metadata: -# name: apps-default-redis-cluster +# name: default-redis-cluster # namespace: flux-system # labels: # substitution.flux.home.arpa/enabled: "true" # spec: # dependsOn: -# - name: apps-default-redis-operator -# - name: apps-rook-ceph-cluster +# - name: default-redis-operator +# - name: rook-ceph-cluster # path: ./kubernetes/apps/default/redis/redis/app # prune: true # sourceRef: # kind: GitRepository -# name: homelab-gitops-k3s +# name: home-kubernetes # wait: true # interval: 30m # retryInterval: 1m 
@@ -41,18 +41,19 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-redis-addons + name: default-redis-addons namespace: flux-system spec: dependsOn: - - name: apps-default-redis-operator - - name: apps-monitoring-kube-prometheus-stack - - name: apps-monitoring-grafana - path: ./kubernetes/apps/default/redis/redis/add-ons + - name: default-redis-operator + - name: monitoring-kube-prometheus-stack + - name: monitoring-grafana + path: ./kubernetes/apps/default/redis/redis/addons prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/default/redis/redis/operator/helmrelease.yaml b/kubernetes/apps/default/redis/redis/operator/helmrelease.yaml index 90b8ead8b..76dddaae6 100644 --- a/kubernetes/apps/default/redis/redis/operator/helmrelease.yaml +++ b/kubernetes/apps/default/redis/redis/operator/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://ot-container-kit.github.io/helm-charts chart=redis-operator chart: redis-operator version: 0.15.3 sourceRef: kind: HelmRepository - name: ot-charts + name: opstree namespace: flux-system maxHistory: 3 install: diff --git a/kubernetes/apps/default/redis/redis/operator/secret.sops.yaml b/kubernetes/apps/default/redis/redis/operator/secret.sops.yaml index bb1970885..9f8c873b8 100644 --- a/kubernetes/apps/default/redis/redis/operator/secret.sops.yaml +++ b/kubernetes/apps/default/redis/redis/operator/secret.sops.yaml @@ -8,7 +8,7 @@ metadata: reloader.stakater.com/match: "true" type: Opaque stringData: - password: ENC[AES256_GCM,data:Ti4I9znfajTq3Q==,iv:aZZnbRZ10XFdldMFKhtv+Wunf4xjI9FfUijVNOwz1FY=,tag:FDXN+TUDC7FuSSEDAW+5UA==,type:str] + password: ENC[AES256_GCM,data:itoZkIR6cY7t5w==,iv:y+LdITZRMiACyy74iyTWnH4a9likw775IjekJoEKtOo=,tag:UzGKMqa5hQQWTX6rDeVWEw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -18,14 +18,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnRGV5VXNVOER0U3QzQUFN - NDdlMjl3bExIcUh0aC9ZUG81RkdTRllLaEQwCmJmUkRaM3d1S0RiWjV5c0Z6SUNp - Rkpqbm9LZ2N6c2l0TEk3Ym1iemhwRm8KLS0tIDRUZ3N6UUUzeGVhS3dJYVBKT2JO - dHRDVE9RQ0VLZXJ6RmhTY1dRd2RGOW8Kf7Anf4UrnYSYR2BMZkqh57NXzG0h3HgB - 9M1SDfj5FmaNii4CnM7pkFSmE/221hXUKfJmqxazsrnqNpTAaQCZlA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWXFDcVlkU25rT3JlNXBK + Ylh3U2cvSEEwQVo3aWhIUCtBeVpVaXVYR1JFCnlBd2toZ0c3UXFMN21UbWlmWjBK + dm9tZ20xQ2YxSXMyK2QyZTR0SGhCSlUKLS0tIDlQL20yWGcyQWs3QVN1TUl3S0py + ZXV0dnZzRmpNb0hWK2JBR0YxZTFNak0K+BKMiXr8y0mlf1FH+ugoSuGeMwhKZoyb + Vz1XGnsWrnFWCVEnWizD4LZT3kN5exDPfsThpF0HWVkdxpVlpp61gw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-16T13:20:25Z" - mac: ENC[AES256_GCM,data:YmnKZbemmBeU0XXtAdWmKm9hXCOYj8eI+derakNA6rcN0vp5SzoRBiEA5Md6MT/4RpksqNspbb/JsQAIUJmM4KXHx3IdQxyq0iJzFOKc1wLUezwd+D6xI5rAqyjJgsOybRRYlCQu62DUnRecDWNiipeD7tvf0ZH9ZZUVn+9awWQ=,iv:iC0Z8y+JrTOvfNrkbLKp0y16rvS3K3dywlLOMM2nbg0=,tag:1Y15etQidCVaTp1PYDyrdA==,type:str] + lastmodified: "2023-10-01T18:40:18Z" + mac: ENC[AES256_GCM,data:W5Q9OMBJsxEC6FsikQCzSra0rTDaH8NWlIqBj5go3+peeedh6LCaD1pr2+7zOjT7MTzpnKRD0GgZmArphq+/SLtnSF0vFYyA01UE9i54ml9kpVvqdxxFlMOPREs3iC0Nxu1psNijPEuIAm2MiSH0umVXDBl/VjzLe+ZEMmI8h5U=,iv:aOWOcw1jhyIkizkh2n7MEtkGXQvVwqb7nz688WglIp8=,tag:0rbjogsgeuDzwDTW/wuVsQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/default/redis/redis/operator/secret.sops.yaml.tmpl b/kubernetes/apps/default/redis/redis/operator/secret.sops.yaml.tmpl index 4d2460e77..dac5e1864 100644 --- a/kubernetes/apps/default/redis/redis/operator/secret.sops.yaml.tmpl +++ b/kubernetes/apps/default/redis/redis/operator/secret.sops.yaml.tmpl 
@@ -9,4 +9,4 @@ metadata: reloader.stakater.com/match: "true" type: Opaque stringData: - password: "${SECRET_DB_USER_PWD}" + password: "${DB_USER_PWD}" diff --git a/kubernetes/apps/default/redis/redisinsight/app/helmrelease.yaml b/kubernetes/apps/default/redis/redisinsight/app/helmrelease.yaml index af71f1880..e3bd8617f 100644 --- a/kubernetes/apps/default/redis/redisinsight/app/helmrelease.yaml +++ b/kubernetes/apps/default/redis/redisinsight/app/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system maxHistory: 3 install: @@ -44,7 +43,7 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/default/redis/redisinsight/ks.yaml b/kubernetes/apps/default/redis/redisinsight/ks.yaml index ed9611b50..8782d9c67 100644 --- a/kubernetes/apps/default/redis/redisinsight/ks.yaml +++ b/kubernetes/apps/default/redis/redisinsight/ks.yaml @@ -3,17 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-default-redisinsight + name: default-redisinsight namespace: flux-system spec: dependsOn: - - name: apps-default-redis-operator + - name: default-redis-operator path: ./kubernetes/apps/default/redis/redisinsight/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/flux-system/add-ons/ks.yaml b/kubernetes/apps/flux-system/add-ons/ks.yaml deleted file mode 100644 index 042c36136..000000000 --- a/kubernetes/apps/flux-system/add-ons/ks.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: apps-flux-system-monitoring - namespace: flux-system -spec: - dependsOn: - - name: apps-monitoring-kube-prometheus-stack - - name: apps-monitoring-grafana - path: ./kubernetes/apps/flux-system/add-ons/monitoring - prune: true - sourceRef: - kind: GitRepository - name: homelab-gitops-k3s - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: apps-flux-system-notifications - namespace: flux-system -spec: - dependsOn: - - name: apps-monitoring-kube-prometheus-stack - path: ./kubernetes/apps/flux-system/add-ons/notifications - prune: true - sourceRef: - kind: GitRepository - name: homelab-gitops-k3s - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: apps-flux-system-webhooks - namespace: flux-system -spec: - dependsOn: - - name: apps-networking-cloudflared - - name: apps-networking-ingress-nginx - path: ./kubernetes/apps/flux-system/add-ons/webhooks - prune: true - sourceRef: - kind: GitRepository - name: homelab-gitops-k3s - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/apps/flux-system/add-ons/notifications/github/notification.yaml b/kubernetes/apps/flux-system/add-ons/notifications/github/notification.yaml deleted file mode 100644 index f0e920b04..000000000 
--- a/kubernetes/apps/flux-system/add-ons/notifications/github/notification.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -# https://github.com/fluxcd-community/flux2-schemas/blob/main/provider-notification-v1beta2.json -apiVersion: notification.toolkit.fluxcd.io/v1beta2 -kind: Provider -metadata: - name: github - namespace: flux-system -spec: - type: github - address: https://github.com/ahgraber/homelab-gitops-k3s - secretRef: - name: github-token ---- -apiVersion: notification.toolkit.fluxcd.io/v1beta2 -kind: Alert -metadata: - name: github - namespace: flux-system -spec: - providerRef: - name: github - eventSeverity: info - eventSources: - - kind: Kustomization - name: "*" - - kind: HelmRelease - name: "*" diff --git a/kubernetes/apps/flux-system/add-ons/notifications/github/secret.sops.yaml b/kubernetes/apps/flux-system/add-ons/notifications/github/secret.sops.yaml deleted file mode 100644 index 2a4a9da11..000000000 --- a/kubernetes/apps/flux-system/add-ons/notifications/github/secret.sops.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: github-token - namespace: flux-system -stringData: - token: ENC[AES256_GCM,data:rhMPPHIhJ/MfTUJZFbv/8yrqDDeUWJ5MN4UNfqXYdOWqGnWMeD2xhw==,iv:bUd8X+SM8KWWvjSBHoVKsLbmMRdmQR8pbIdEWORSVQk=,tag:TtyWld4nNZD94d1wRa5ckg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqbFp2RjkxMDBqYUxtSm9x - RDd6WmJmQVd1c1RTTWhJWGZYNGk5S2NyMWw0Cmw4QXVwSGRkblNlNG14bzRlSGd1 - dE00dElENU1UOXYyMU84VTdSdGtMam8KLS0tIHA3Q0NKVG5SRmJaN2tLVFhSU2sw - Q0Vlcjd5OEhpbGU5TGt0QlhaYzU2dmsKzt4K1YDImizdXlNEMoRs47H1GCmMOQJd - VQIxdzl+rCQ5EWRXeqZLrt9uVjpH/+uut/3CDJkZ4eEosCiZiKASNw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-21T15:31:17Z" - mac: ENC[AES256_GCM,data:Wcw7j78tfaMIqMgQW2Y/7Uf7hk553FU4qav0GIcHv04xPAIEWqtyNrEsBSAlH0FZfS6057cyfRltGCe7akfpQPhaGMjDAw3FJdcUmAhTjwO2TDwB7ms2CB15wssIix+D1wqpK6sv8rasmuQGmHT/IL4HF9IP7VoXNCMRmrtOvSw=,iv:DLBRovM7uf1V0xDjXSlmtqOwK110PPnxu/be7v4FejY=,tag:LsszQt/zn/ngNcynInlvyw==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/flux-system/add-ons/notifications/github/secret.sops.yaml.tmpl b/kubernetes/apps/flux-system/add-ons/notifications/github/secret.sops.yaml.tmpl deleted file mode 100644 index 5ac1b9eff..000000000 --- a/kubernetes/apps/flux-system/add-ons/notifications/github/secret.sops.yaml.tmpl +++ /dev/null @@ -1,9 +0,0 @@ ---- -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: github-token - namespace: flux-system -stringData: - token: ${GITHUB_TOKEN} diff --git a/kubernetes/apps/flux-system/add-ons/webhooks/github/README.md b/kubernetes/apps/flux-system/add-ons/webhooks/github/README.md deleted file mode 100644 index 251ff74d9..000000000 
--- a/kubernetes/apps/flux-system/add-ons/webhooks/github/README.md +++ /dev/null @@ -1,32 +0,0 @@ -# Github Webhook - -Flux is pull-based by design meaning it will periodically check your git repository for changes; -instead, using a webhook can enable Flux to update the cluster on `git push` by sending -notifications to a [Flux receiver](https://fluxcd.io/docs/guides/webhook-receivers/) - -## Create receiver - -1. Create a token - - ```sh - TOKEN=$(head -c 12 /dev/urandom | shasum | cut -d ' ' -f1) - echo $TOKEN - ``` - -2. Create secret using token -3. Apply `github-webhook` kustomization - -## Create webhoook in Github settings - -1. In Github repo > Settings > Create Webhook - -2. Set `payload url` to the url specified in the ingress + the `/hook/`: - i.e., `https://flux-receiver.example.com/hook/0p39dj3nck3udn3m` - - The path can be found with: - - ```sh - kubectl -n flux-system get receiver/github-receiver - ``` - -3. Set `token` to the token created above diff --git a/kubernetes/apps/flux-system/add-ons/webhooks/github/secret.sops.yaml b/kubernetes/apps/flux-system/add-ons/webhooks/github/secret.sops.yaml deleted file mode 100644 index b817ee4b1..000000000 --- a/kubernetes/apps/flux-system/add-ons/webhooks/github/secret.sops.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: github-webhook-secret - namespace: flux-system -stringData: - token: ENC[AES256_GCM,data:oMMScmn5jNcBw1P9ZvrP2sDe5AZhs51fl486rU0jMCGOAy/cm/fkaw==,iv:q/Zmz+g+q9U6WZiQ9z1HryE4iepdE3hdTbStSiHF5yU=,tag:oxHiDbdeSGBrQoPW+9Pyog==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBja1drOXlkY0ZkNjdGcjFl - VEo2eVVlQnFMVng4K28vTlNzQ3dzUFgzQm0wCnJ4WkIrVDNMVGtVcXVrY2UrNTdP - UEhlMkpiWm1JQWpBd1Juc2RBM3ROWFkKLS0tIHFGcHdvc29ETWxoa3JsR0FLaTNX - djUvcDhMbWd5RHdwNWhPSW94YjQvWGcK+65S4K4iu0HNyW5u6Ujijop8s9XLKETN - ciVIv302XhEytaYfS1Nf/UlqocXOBhUFN/3zHXW5RP2zDxVwOqwj1A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-21T15:37:17Z" - mac: ENC[AES256_GCM,data:knDdZZnVMb2J2HaZnJHgsRglaUZPoqj3RFcWh8op5r1oTxmI4Z9F3IjTrpAH2/nebGzPyC9xuJFeH5aPQaAh6bP8/+24J4/wnXlrE5u1be9FgwYZO99pz5ulBgS/9HgG8FtJ4jmAQtrVaIbkeOARbclbU66iMWu6xfG27M+d+Uc=,iv:KJ8OOJj0x9q/8+85mMKVNsVzzhA7m956Pr0qSY4Ypbg=,tag:MQHd5+rMwTg+qQfO4CKuFg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/flux-system/add-ons/webhooks/github/secret.sops.yaml.tmpl b/kubernetes/apps/flux-system/add-ons/webhooks/github/secret.sops.yaml.tmpl deleted file mode 100644 index 7c1b9a699..000000000 --- a/kubernetes/apps/flux-system/add-ons/webhooks/github/secret.sops.yaml.tmpl +++ /dev/null @@ -1,9 +0,0 @@ ---- -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: github-webhook-secret - namespace: flux-system -stringData: - token: ${WEBHOOK_TOKEN} 
diff --git a/kubernetes/apps/metallb-system/metallb-system/ks.yaml b/kubernetes/apps/flux-system/addons/ks.yaml similarity index 61% rename from kubernetes/apps/metallb-system/metallb-system/ks.yaml rename to kubernetes/apps/flux-system/addons/ks.yaml index 25f7a3588..5c57cec1a 100644 --- a/kubernetes/apps/metallb-system/metallb-system/ks.yaml +++ b/kubernetes/apps/flux-system/addons/ks.yaml @@ -3,15 +3,18 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-metallb-system + name: flux-system-monitoring namespace: flux-system spec: - path: ./kubernetes/apps/metallb-system/metallb-system/app + dependsOn: + - name: monitoring-kube-prometheus-stack + - name: monitoring-grafana + path: ./kubernetes/apps/flux-system/addons/monitoring prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m @@ -20,16 +23,19 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-metallb-system-config + name: flux-system-webhooks namespace: flux-system spec: - dependsOn: - - name: apps-metallb-system - path: ./kubernetes/apps/metallb-system/metallb-system/config + # dependsOn: + # - name: networking-cloudflared + # - name: networking-nginx-external + # - name: monitoring-kube-prometheus-stack + path: ./kubernetes/apps/flux-system/addons/webhooks prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: true interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/flux-system/add-ons/monitoring/kustomization.yaml b/kubernetes/apps/flux-system/addons/monitoring/kustomization.yaml similarity index 100% rename from kubernetes/apps/flux-system/add-ons/monitoring/kustomization.yaml rename to kubernetes/apps/flux-system/addons/monitoring/kustomization.yaml 
diff --git a/kubernetes/apps/flux-system/add-ons/monitoring/pod-resources-max.json b/kubernetes/apps/flux-system/addons/monitoring/pod-resources-max.json similarity index 100% rename from kubernetes/apps/flux-system/add-ons/monitoring/pod-resources-max.json rename to kubernetes/apps/flux-system/addons/monitoring/pod-resources-max.json diff --git a/kubernetes/apps/flux-system/add-ons/monitoring/podmonitor.yaml b/kubernetes/apps/flux-system/addons/monitoring/podmonitor.yaml similarity index 100% rename from kubernetes/apps/flux-system/add-ons/monitoring/podmonitor.yaml rename to kubernetes/apps/flux-system/addons/monitoring/podmonitor.yaml diff --git a/kubernetes/apps/flux-system/add-ons/monitoring/prometheusrule.yaml b/kubernetes/apps/flux-system/addons/monitoring/prometheusrule.yaml similarity index 100% rename from kubernetes/apps/flux-system/add-ons/monitoring/prometheusrule.yaml rename to kubernetes/apps/flux-system/addons/monitoring/prometheusrule.yaml diff --git a/kubernetes/apps/flux-system/add-ons/notifications/alert-manager/kustomization.yaml b/kubernetes/apps/flux-system/addons/webhooks/alert-manager/kustomization.yaml similarity index 100% rename from kubernetes/apps/flux-system/add-ons/notifications/alert-manager/kustomization.yaml rename to kubernetes/apps/flux-system/addons/webhooks/alert-manager/kustomization.yaml diff --git a/kubernetes/apps/flux-system/add-ons/notifications/alert-manager/notification.yaml b/kubernetes/apps/flux-system/addons/webhooks/alert-manager/notification.yaml similarity index 100% rename from kubernetes/apps/flux-system/add-ons/notifications/alert-manager/notification.yaml rename to kubernetes/apps/flux-system/addons/webhooks/alert-manager/notification.yaml 
diff --git a/kubernetes/apps/flux-system/add-ons/webhooks/github/ingress.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml similarity index 65% rename from kubernetes/apps/flux-system/add-ons/webhooks/github/ingress.yaml rename to kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml index 13adbe663..8cd55d2b9 100644 --- a/kubernetes/apps/flux-system/add-ons/webhooks/github/ingress.yaml +++ b/kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml @@ -2,12 +2,14 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: webhook-receiver + name: flux-webhook namespace: flux-system + annotations: + external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}" spec: - ingressClassName: nginx + ingressClassName: external rules: - - host: &host "flux-receiver.${SECRET_DOMAIN}" + - host: &host "flux-webhook.${SECRET_DOMAIN}" http: paths: - path: /hook/ @@ -20,4 +22,3 @@ spec: tls: - hosts: - *host - # secretName: "${SECRET_DOMAIN/./-}-tls" diff --git a/kubernetes/apps/flux-system/add-ons/webhooks/github/kustomization.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/kustomization.yaml similarity index 100% rename from kubernetes/apps/flux-system/add-ons/webhooks/github/kustomization.yaml rename to kubernetes/apps/flux-system/addons/webhooks/github/kustomization.yaml index 1f52a1dca..5461805cb 100644 --- a/kubernetes/apps/flux-system/add-ons/webhooks/github/kustomization.yaml +++ b/kubernetes/apps/flux-system/addons/webhooks/github/kustomization.yaml @@ -3,6 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ./secret.sops.yaml - ./ingress.yaml - ./receiver.yaml - - ./secret.sops.yaml 
diff --git a/kubernetes/apps/flux-system/add-ons/webhooks/github/receiver.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml similarity index 87% rename from kubernetes/apps/flux-system/add-ons/webhooks/github/receiver.yaml rename to kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml index 535dfcfdb..1018c2607 100644 --- a/kubernetes/apps/flux-system/add-ons/webhooks/github/receiver.yaml +++ b/kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml @@ -11,15 +11,15 @@ spec: - ping - push secretRef: - name: github-webhook-secret + name: github-webhook-token-secret resources: - apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes namespace: flux-system - apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization - name: flux-cluster + name: cluster namespace: flux-system - apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml new file mode 100644 index 000000000..0e28cb0e9 --- /dev/null +++ b/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml 
@@ -0,0 +1,31 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: github-webhook-token-secret + namespace: flux-system + annotations: + reloader.stakater.com/match: "true" +type: Opaque +stringData: + token: ENC[AES256_GCM,data:A3QPBctS1hY+4Ly2NbiKgPGiubOUVItFTeQ8vUnYQKFw/RJspCuUUw==,iv:Gq3+be4y5/nzOziGl5K3Jw9tSoIuI1aAgNOeCxoF9qU=,tag:ia7D+7AO/Y6MotgAQ+/5dA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRR3d3Ym5kQTExanFlS09u + TUJrYnFCZ0NZWENzOVBRcU1NZ2Zrakpjd2xrCkZhaWRsNUZiMVhrU2tXSm5DZ1VS + MkZwSkY1d1JTYjZOVVBtU2hoRkk0U00KLS0tIFVRcGlvMzI2K01PU2NDMllDdkRT + bmQ2bnNUWHdrMFg5cnlhUjhtZkd1dEEKxEfcVL0TVlEehdF3Jg97meFTLVTKyU4I + 3E1je4eCZvnOmI6HFkpvapFQ2TaCsu6wG6wuY5ZV5Xi1b5hAvxMPxg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-03T01:05:18Z" + mac: ENC[AES256_GCM,data:0ceJ4nw/pHunUwALrtHb5/IOT5bsmBBqvNBS+cKt23+eijJzZYPLPMEGUfiv029uaq6HZAzq9OvEwZjKexxZcydz0pHzYmwnr4ZJ9OVcWxA3XD1ZRun/zssjswkwFu4BLAKVlyH6c9AnfBzKgGRo5tfSPrLQ9nepu80S99ySAHc=,iv:dcgTQOt1/ZgHLqqQYdsvbIc80eag9Uq1AYPr9ZAGU4w=,tag:pVVGNIqrNpuupWYT+R/9qA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.8.0 diff --git a/kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml.tmpl b/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml.tmpl similarity index 51% rename from kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml.tmpl rename to kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml.tmpl index 9535d9d90..5eb5f5ec0 100644 --- a/kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml.tmpl +++ b/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml.tmpl 
@@ -2,11 +2,10 @@ apiVersion: v1 kind: Secret metadata: - name: weave-gitops-secret + name: github-webhook-token-secret namespace: flux-system annotations: reloader.stakater.com/match: "true" type: Opaque stringData: - # hash with bcrypt: `echo -n "$SECRET_DEFAULT_PWD" | gitops get bcrypt-hash` - adminPassword: ${SECRET_DEFAULT_PWD_BCRYPT} + token: "${GH_WEBHOOK_TOKEN}" diff --git a/kubernetes/apps/flux-system/add-ons/notifications/kustomization.yaml b/kubernetes/apps/flux-system/addons/webhooks/kustomization.yaml similarity index 100% rename from kubernetes/apps/flux-system/add-ons/notifications/kustomization.yaml rename to kubernetes/apps/flux-system/addons/webhooks/kustomization.yaml diff --git a/kubernetes/apps/flux-system/kustomization.yaml b/kubernetes/apps/flux-system/kustomization.yaml index 0662ecde8..5604fa43a 100644 --- a/kubernetes/apps/flux-system/kustomization.yaml +++ b/kubernetes/apps/flux-system/kustomization.yaml @@ -6,5 +6,5 @@ resources: # Pre Flux-Kustomizations - ./namespace.yaml # Flux-Kustomizations - - ./add-ons/ks.yaml + - ./addons/ks.yaml - ./weave-gitops/ks.yaml diff --git a/kubernetes/apps/flux-system/namespace.yaml b/kubernetes/apps/flux-system/namespace.yaml index 17dbc10e1..4c4da8f20 100644 --- a/kubernetes/apps/flux-system/namespace.yaml +++ b/kubernetes/apps/flux-system/namespace.yaml @@ -5,3 +5,4 @@ metadata: name: flux-system labels: goldilocks.fairwinds.com/enabled: "true" + kustomize.toolkit.fluxcd.io/prune: disabled # don't prune namespace diff --git a/kubernetes/apps/flux-system/weave-gitops/app/helmrelease.yaml b/kubernetes/apps/flux-system/weave-gitops/app/helmrelease.yaml index 03feaccba..ebf4d05a1 100644 --- a/kubernetes/apps/flux-system/weave-gitops/app/helmrelease.yaml +++ b/kubernetes/apps/flux-system/weave-gitops/app/helmrelease.yaml 
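Review bot: `kustomization.yaml` is renamed from `add-ons/notifications/` to `addons/webhooks/` at 100% similarity, so its `resources:` list is unchanged; confirm it actually names `github/receiver.yaml` and the new `secret.sops.yaml` rather than the old notifications manifests, otherwise the Receiver is never applied. The template rename in the same line also drops the `# hash with bcrypt` instruction together with `adminPassword`, and no template for the replacement `cluster-user-auth` secret is added, so the bcrypt step is no longer recorded anywhere in the repo.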
@@ -6,41 +6,41 @@ metadata: name: weave-gitops namespace: flux-system spec: - interval: 15m + interval: 30m chart: spec: chart: weave-gitops version: 4.0.31 sourceRef: kind: HelmRepository - name: weave-gitops-charts + name: weave-gitops namespace: flux-system + maxHistory: 2 install: - createNamespace: true remediation: retries: 3 upgrade: + cleanupOnFail: true remediation: retries: 3 + uninstall: + keepHistory: false values: adminUser: create: true + createSecret: false username: admin ingress: - main: - enabled: true - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/whitelist-source-range: | - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 - hosts: - - host: &host "gitops.${SECRET_DOMAIN}" - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - *host + enabled: true + className: internal + hosts: + - host: &host "gitops.${SECRET_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - *host networkPolicy: create: false metrics: @@ -49,9 +49,4 @@ spec: create: true impersonationResourceNames: ["admin"] podAnnotations: - secret.reloader.stakater.com/reload: weave-gitops-secret - valuesFrom: - - kind: Secret - name: weave-gitops-secret - valuesKey: adminPassword - targetPath: adminUser.passwordHash + secret.reloader.stakater.com/reload: cluster-user-auth diff --git a/kubernetes/apps/flux-system/weave-gitops/app/kustomization.yaml b/kubernetes/apps/flux-system/weave-gitops/app/kustomization.yaml index 8b3cc1a14..ee853b22b 100644 --- a/kubernetes/apps/flux-system/weave-gitops/app/kustomization.yaml +++ b/kubernetes/apps/flux-system/weave-gitops/app/kustomization.yaml @@ -2,6 +2,7 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: flux-system resources: - - ./helmrelease.yaml - ./secret.sops.yaml + - ./helmrelease.yaml 
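Review bot: the ingress rewrite replaces `ingressClassName: nginx` plus the `nginx.ingress.kubernetes.io/whitelist-source-range` allowlist (`10.0.0.0/8,172.16.0.0/12,192.168.0.0/16`) with `className: internal` and no source restriction, so exposure of the weave-gitops admin UI now rests entirely on the `internal` ingress controller being unreachable from outside the LAN; if that class is served by the same controller as before, re-add the allowlist. Removing `valuesFrom` and setting `adminUser.createSecret: false` makes the chart read `cluster-user-auth` directly, and the `podAnnotations` reload key is updated to match, which is consistent.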
diff --git a/kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml b/kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml index 01b54294d..592b50925 100644 --- a/kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml +++ b/kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml @@ -1,15 +1,12 @@ -# yamllint disable apiVersion: v1 kind: Secret metadata: - name: weave-gitops-secret + name: cluster-user-auth namespace: flux-system - annotations: - reloader.stakater.com/match: "true" -type: Opaque stringData: - #ENC[AES256_GCM,data:HU2XhufD+SVrpbjl2gNLkTqEupFSe1keF7T7C7Z013vZ5SiODPtNAZiICQ==,iv:leDCavuQfvPru+zvg/hgtW4xihJpC7aWQkHp1DPLLuo=,tag:YNU6V8jAlK/g8yMz3bVZ2A==,type:comment] - adminPassword: ENC[AES256_GCM,data:qCpBUKNnuq6Bk9N0nSBWYVH2/l6gsZowC9DRsRQ7iYg/Ua28onCZVxH6CikX7q3Yt0ac6fjcC54gB2fV,iv:6HL4HxXN3RV5PeehEuW0/Vuc1AkvnWoP/c6kBugh/qA=,tag:Xv0rTX5pl3SDLAxa9NAu6Q==,type:str] + password: ENC[AES256_GCM,data:g4oOA27bNZFNb+s+wqE3lWI2F0RfmtVXJd+GnrOsE6U41vrCf/aOsvpsON1+VKbftMO6+oiSb0hLsW+N,iv:9G55LypUzconrGgOad786L7/6RpsRwNWM9A5tJ0CFFI=,tag:BNLpx/D5Y9Tj93JYHNC6ig==,type:str] + username: ENC[AES256_GCM,data:te487u4=,iv:ZHmtCk6yokzZUAhs2PcnBK53UnRRvd9apRrCoBKkpqo=,tag:Nwqn4RrzCuG+je87l5ODKQ==,type:str] +type: Opaque sops: kms: [] gcp_kms: [] 
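Review bot: `cluster-user-auth` now carries `username` and `password`, and weave-gitops treats `password` as a bcrypt hash, not the cleartext password; with the `echo -n "$SECRET_DEFAULT_PWD" | gitops get bcrypt-hash` comment removed from the old template and the encrypted `#ENC[...,type:comment]` line gone, nothing in the repo says how to regenerate this value. Add a comment above `password` or a `.tmpl` for this secret so the hashing step is not lost. Moving `type: Opaque` below `stringData` is harmless but makes this file differ in layout from every other secret in the change.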
@@ -19,14 +16,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRXlTRG8wVVRaSG8wUFZq - TU0ycyszUm80M1dyRU1jcWwvMGZiZGtGbW5FClFRTkxYVHR5Q29KN1lYVHNhQTJP - M043ZVhtYkx6OG5Hd2dNWHRiVDk5VU0KLS0tICt1bGVvc3gwQUJWZU5kVVlTZUZM - TFpVMHYyNWhrNEdGQ01GMUVHRXpQaDAKZSfu01HQK4LfFxqYzkNZuevvaw3TCgwM - 6kQvurMEwKBRb7mrwSmis9S7CeOec+jDVucqlLnU7SzZyz7neyS2QA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaXRNcW1wWjNLdVV6dWlI + cmhwVEcxMjYxT3dEbC9yQS9sK2JXSHNWdHhFCkVZVmZvdXFUOWszVzY5d0cvS1dS + bFhyVXN3dE85cFJtbHhMVlJiWE51SkkKLS0tIFhhdlg1NE1kU091WmlEN09rdUR2 + aFArSVpvZUdYenhhMDZaWTU0UzZVYzgKj34m2UaoPBdgYKwNrQ9vbDPDXlHseF6b + FUmefeDwohREQo8Taiwx/OlsPwWhj47yP0RWzqxFlpgXOTnEQzMqug== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-01T21:14:37Z" - mac: ENC[AES256_GCM,data:nYigW43jqAsk1dg7I3GfjqchbYSCTnRKheTl+PaBQeyOk2Ktx2R2s0MIUem0RvAHGo4y4VK1juNvi5bXDwjOABincCfgQIOelJOMTyCj1j2jmms8wOXMjTlQSM5KkZueC9tR7Sr5x4S4uIw0l54bF2IzqFH3t+XWmQVP/Ly9jM4=,iv:6v74sT8fsikxZAlpfjTVvf4FMyRPWnsSbfZGMDiHdoc=,tag:imPv9Y18n4ADWKwc9aekMw==,type:str] + lastmodified: "2023-09-05T01:23:45Z" + mac: ENC[AES256_GCM,data:xsM7174fUH/RR5v1svu5VbBfAf9QBTO1NRsbN4RemVmEapsASDa7JA5OKv1WzRT/WTfR0QMv8hikeSFa72f1DU3JLSRmtPWcZAnCLeKwDDNbmp6uFdn1mnZS4W+AhSoniAxl2ghoag3LgRQLkWvTSvqTaIwK/ylVUugYGmDimUw=,iv:LyRGcSwSRfkQpEX5n0fVDQzToTjSxSJ3LmoD9cW4KdY=,tag:j2r1OtW55QCO/tI3Xww6fQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/flux-system/weave-gitops/ks.yaml b/kubernetes/apps/flux-system/weave-gitops/ks.yaml index 0ab7e5cdf..fa7d9955f 100644 --- a/kubernetes/apps/flux-system/weave-gitops/ks.yaml +++ b/kubernetes/apps/flux-system/weave-gitops/ks.yaml 
@@ -3,17 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-flux-system-weave-gitops + name: flux-system-weave-gitops namespace: flux-system spec: - dependsOn: - - name: apps-networking-ingress-nginx path: ./kubernetes/apps/flux-system/weave-gitops/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/kube-system/cilium/README.md b/kubernetes/apps/kube-system/cilium/README.md new file mode 100644 index 000000000..ef4c36223 --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/README.md 
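Review bot: dropping `dependsOn: apps-networking-ingress-nginx` and flipping `wait: true` to `wait: false` removes both ordering and health gating for weave-gitops; since the HelmRelease now uses `className: internal`, the dependency should be re-pointed at whatever Kustomization deploys the `internal` ingress class rather than deleted, otherwise the Ingress is created before its class exists while the Kustomization still reports Ready. The same `wait: false` flip is applied to every `ks.yaml` in this change; it is a deliberate trade of health feedback for faster reconciles and deserves a line in the commit message.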
@@ -0,0 +1,66 @@ +# [Cilium](https://cilium.io/) + +Cilium is an open source, cloud native solution for providing, securing, and observing network connectivity between workloads, fueled by the revolutionary Kernel technology eBPF + +## [Preserving source IPs](https://github.com/JJGadgets/Biohazard/blob/main/kube/deploy/core/_networking/cilium/README.md) + +There are 2 ways to preserve source IPs when using Cilium. A quick summary based on my understanding is provided here, read more on the official Cilium docs here: [https://docs.cilium.io/en/v1.13/network/kubernetes/kubeproxy-free/#client-source-ip-preservation](https://docs.cilium.io/en/v1.13/network/kubernetes/kubeproxy-free/#client-source-ip-preservation) + +### `externalTrafficPolicy: Local` on LoadBalancer Service spec + +Services create Endpoints that are like the "magic bridge" connecting traffic from Services to Nodes to Pods. + +With `externalTrafficPolicy: Local`, traffic that hits a node's LoadBalancerIP must use that local node's Endpoint. + +The upside is that this removes any further masquerading and hops to other nodes. +Since the request traffic has now established a "straight line" from source IP --> LBIP --> node --> pod, the return traffic can go out through the same straight line. + +The downside is this creates uneven traffic distribution and potentially bottlenecks across all nodes that have a horizontally scalable workload's pod scheduled (e.g. replicaCount >= 2). + +Read more about it here: [https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-type-loadbalancer](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-type-loadbalancer) + +### PREFERRED: Direct Server Return (DSR) + +Cilium supports DSR, which returns the proper source IP **regardless of externalTrafficPolicy setting**. 
+ +The benefit of combining `externalTrafficPolicy: Cluster` and DSR is that you can get the best of both worlds: DSR's source IP preservation, and eTP=Cluster's Load Balancing across all nodes. + +Read more about DSR here: [https://docs.cilium.io/en/v1.9/gettingstarted/kubeproxy-free/#dsr-mode](https://docs.cilium.io/en/v1.9/gettingstarted/kubeproxy-free/#dsr-mode) + +## BGP Control Plane + +The new Cilium BGP Control Plane, BGPCP for short in these docs, replaces the old MetalLB BGP implementation in Cilium with one based on GoBGP and is better integrated with Cilium's features. + +(TODO: add stuff about the required Custom Resources, service selectors) + +### Issues I've encountered + +#### `externalTrafficPolicy: Local` when all nodes don't have an Endpoint + +##### Problem + +Services create Endpoints that are like the "magic bridge" connecting traffic from Services to Nodes to Pods. + +BGP Control Plane, as of 27 May 2023, will advertise BGP routes to nodes that don't have Endpoints since a workload's Pods don't run on those nodes. This creates an additional issue with `externalTrafficPolicy: Local` + +e.g. node1 is scheduled with 1 ingress-nginx Pod, thus has Endpoint, thus Service can route to Node. + +e.g. node2 doesn't have any ingress-nginx Pods, thus no Endpoints, thus Service can't route to Node. + +With `externalTrafficPolicy: Local`, since traffic that hits a node must use that local node's Endpoint, if the traffic hits a node that isn't running the workload's pods, **it errors out**, usually with a timeout. + +Other LoadBalancers like MetalLB solve this by **only advertising** a LoadBalancer Service's LoadBalancerIP _from a node **with** that Service's Endpoint_. BGPCP doesn't have this check. + +##### Solution + +###### Preferred + +Switch the service to `externalTrafficPolicy: Cluster`, and **use DSR (Direct Server Return)**. 
+ +###### Alternative + +Refine CiliumBGPPeeringPolicy and the workload's scheduling policies to select the same service and node. + +###### NOT RECOMMENDED (unless your workload supports it, like ingress-nginx) + +Scale the workload onto all nodes that are advertising BGP (in my homelab, currently all nodes advertise). diff --git a/kubernetes/apps/kube-system/cilium/app/cilium-l2.yaml b/kubernetes/apps/kube-system/cilium/app/cilium-l2.yaml new file mode 100644 index 000000000..e8eba26e1 --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/app/cilium-l2.yaml @@ -0,0 +1,22 @@ +--- +# https://docs.cilium.io/en/latest/network/l2-announcements +apiVersion: cilium.io/v2alpha1 +kind: CiliumL2AnnouncementPolicy +metadata: + name: policy +spec: + loadBalancerIPs: true + # NOTE: This might need to be set if you have more than one active NIC on your nodes + # interfaces: + # - ^eno[0-9]+ + nodeSelector: + matchLabels: + kubernetes.io/os: linux +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumLoadBalancerIPPool +metadata: + name: pool +spec: + cidrs: + - cidr: "${NODE_CIDR}" diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml new file mode 100644 index 000000000..09ea013ff --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml 
@@ -0,0 +1,116 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: cilium + namespace: kube-system +spec: + interval: 30m + chart: + spec: + chart: cilium + version: 1.14.2 + sourceRef: + kind: HelmRepository + name: cilium + namespace: flux-system + maxHistory: 2 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + values: + autoDirectNodeRoutes: true + bpf: + masquerade: true + bgp: + enabled: false + cluster: + name: home-cluster + id: 1 + containerRuntime: + integration: containerd + socketPath: /var/run/k3s/containerd/containerd.sock + endpointRoutes: + enabled: true + hubble: + enabled: true + metrics: + enabled: + - dns:query + - drop + - tcp + - flow + - port-distribution + - icmp + - http + serviceMonitor: + enabled: true + dashboards: + enabled: true + annotations: + grafana_folder: Cilium + relay: + enabled: true + rollOutPods: true + prometheus: + serviceMonitor: + enabled: true + ui: + enabled: true + rollOutPods: true + ingress: + enabled: true + className: internal + hosts: + - &host "hubble.${SECRET_DOMAIN}" + tls: + - hosts: + - *host + ipam: + mode: kubernetes + ipv4NativeRoutingCIDR: "${CLUSTER_CIDR}" + k8sServiceHost: "${KUBE_VIP_ADDR}" + k8sServicePort: 6443 + kubeProxyReplacement: true + kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 + l2announcements: + enabled: true + # https://github.com/cilium/cilium/issues/26586 + leaseDuration: 120s + leaseRenewDeadline: 60s + leaseRetryPeriod: 1s + loadBalancer: + algorithm: maglev + mode: dsr + localRedirectPolicy: true + operator: + replicas: 1 + rollOutPods: true + prometheus: + enabled: true + serviceMonitor: + enabled: true + dashboards: + enabled: true + annotations: + grafana_folder: Cilium + prometheus: + enabled: true + serviceMonitor: + 
enabled: true + trustCRDsExist: true + dashboards: + enabled: true + annotations: + grafana_folder: Cilium + rollOutCiliumPods: true + securityContext: + privileged: true + tunnel: disabled diff --git a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml new file mode 100644 index 000000000..c6279e1df --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kube-system +resources: + - ./cilium-l2.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml new file mode 100644 index 000000000..21a84e557 --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/ks.yaml @@ -0,0 +1,17 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kube-system-cilium + namespace: flux-system +spec: + path: ./kubernetes/apps/kube-system/cilium/app + prune: false # never should be deleted + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml b/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml new file mode 100644 index 000000000..d80c627c9 --- /dev/null +++ b/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml 
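Review bot: `securityContext.privileged: true` runs the Cilium agent fully privileged, whereas the 1.14 chart defaults to the capability-based `securityContext.capabilities` mode; justify the override in a comment or drop it. `kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256` binds the healthz endpoint on all node interfaces, and the Hubble UI Ingress on `hubble.${SECRET_DOMAIN}` has no authentication, so every flow in the cluster is visible to anyone who can reach the `internal` ingress class. `prune: false` on the cilium `ks.yaml` is the right call for the CNI.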
@@ -0,0 +1,90 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: coredns + namespace: kube-system +spec: + interval: 30m + chart: + spec: + chart: coredns + version: 1.26.0 + sourceRef: + kind: HelmRepository + name: coredns + namespace: flux-system + maxHistory: 2 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + values: + fullnameOverride: coredns + replicaCount: 1 + k8sAppLabelOverride: kube-dns + service: + name: kube-dns + clusterIP: "${COREDNS_ADDR}" + serviceAccount: + create: true + deployment: + annotations: + reloader.stakater.com/auto: "true" + servers: + - zones: + - zone: . + scheme: dns:// + use_tcp: true + port: 53 + plugins: + - name: log + - name: errors + - name: health + configBlock: |- + lameduck 5s + - name: ready + - name: kubernetes + parameters: cluster.local in-addr.arpa ip6.arpa + configBlock: |- + pods insecure + fallthrough in-addr.arpa ip6.arpa + ttl 30 + - name: prometheus + parameters: 0.0.0.0:9153 + - name: forward + parameters: . /etc/resolv.conf + - name: cache + parameters: 30 + - name: loop + - name: reload + - name: loadbalance + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/instance: coredns 
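Review bot: `pods insecure` in the `kubernetes` plugin block answers `<ip>.<namespace>.pod.cluster.local` for any IP without checking that a pod with that address exists in the namespace; `pods verified` is the safer setting unless something depends on the legacy behaviour. `replicaCount: 1` also makes the `topologySpreadConstraints` block inert and leaves cluster DNS as a single pod pinned to control-plane nodes; either raise the count or remove the spread constraint so it does not mislead. The `log` plugin records every client query, which is noisy and retains lookup history; confirm that is intended.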
diff --git a/kubernetes/apps/tigera-operator/tigera-operator/app/kustomization.yaml b/kubernetes/apps/kube-system/coredns/app/kustomization.yaml similarity index 88% rename from kubernetes/apps/tigera-operator/tigera-operator/app/kustomization.yaml rename to kubernetes/apps/kube-system/coredns/app/kustomization.yaml index 17cbc72b2..a09cef314 100644 --- a/kubernetes/apps/tigera-operator/tigera-operator/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/coredns/app/kustomization.yaml @@ -2,5 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: kube-system resources: - ./helmrelease.yaml diff --git a/kubernetes/apps/kube-system/coredns/ks.yaml b/kubernetes/apps/kube-system/coredns/ks.yaml new file mode 100644 index 000000000..b0ad938c7 --- /dev/null +++ b/kubernetes/apps/kube-system/coredns/ks.yaml @@ -0,0 +1,17 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kube-system-coredns + namespace: flux-system +spec: + path: ./kubernetes/apps/kube-system/coredns/app + prune: false # never should be deleted + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/apps/kube-system/descheduler/README.md b/kubernetes/apps/kube-system/descheduler/README.md new file mode 100644 index 000000000..d464a0104 --- /dev/null +++ b/kubernetes/apps/kube-system/descheduler/README.md 
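Review bot: the coredns `kustomization.yaml` is a rename from `kubernetes/apps/tigera-operator/tigera-operator/app/`, so the Calico operator is being removed in the same change that introduces Cilium, but nothing visible here removes the tigera-operator `ks.yaml`, its namespace or the Calico CRDs. Swapping CNI on a running cluster needs an explicit migration step (reinstall, or the documented Calico-to-Cilium procedure), and that should be recorded in the repo alongside the `prune: false` on the new cilium and coredns Kustomizations.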
@@ -0,0 +1,20 @@ +# [descheduler](https://github.com/kubernetes-sigs/descheduler) + +Scheduling in Kubernetes is the process of binding pending pods to nodes, +and is performed by a component of Kubernetes called kube-scheduler. +The scheduler's decisions, whether or where a pod can or can not be scheduled, +are guided by its configurable policy which comprises of set of rules, called predicates and priorities. +The scheduler's decisions are influenced by its view of a Kubernetes cluster +at that point of time when a new pod appears for scheduling. +As Kubernetes clusters are very dynamic and their state changes over time, +there may be desire to move already running pods to some other nodes for various reasons: + +- Some nodes are under or over utilized. +- The original scheduling decision does not hold true any more, + as taints or labels are added to or removed from nodes, + pod/node affinity requirements are not satisfied any more. +- Some nodes failed and their pods moved to other nodes. +- New nodes are added to clusters. + +Consequently, there might be several pods scheduled on less desired nodes in a cluster. +Descheduler, based on its policy, finds pods that can be moved and evicts them. diff --git a/kubernetes/apps/kube-system/descheduler/app/helmrelease.yaml b/kubernetes/apps/kube-system/descheduler/app/helmrelease.yaml index ed12ab433..a9ceb5051 100644 --- a/kubernetes/apps/kube-system/descheduler/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/descheduler/app/helmrelease.yaml @@ -6,18 +6,17 @@ metadata: name: descheduler namespace: kube-system spec: - interval: 15m + interval: 30m chart: spec: chart: descheduler version: 0.28.0 sourceRef: kind: HelmRepository - name: descheduler-charts + name: descheduler namespace: flux-system maxHistory: 3 install: - createNamespace: true remediation: retries: 3 upgrade: 
diff --git a/kubernetes/apps/kube-system/descheduler/ks.yaml b/kubernetes/apps/kube-system/descheduler/ks.yaml index 9519c8c39..acdb826bc 100644 --- a/kubernetes/apps/kube-system/descheduler/ks.yaml +++ b/kubernetes/apps/kube-system/descheduler/ks.yaml @@ -3,15 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-kube-system-descheduler + name: kube-system-descheduler namespace: flux-system spec: path: ./kubernetes/apps/kube-system/descheduler/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/kube-system/kube-cleanup-operator/app/helmrelease.yaml b/kubernetes/apps/kube-system/kube-cleanup-operator/app/helmrelease.yaml index 1bb7d921e..58b9db050 100755 --- a/kubernetes/apps/kube-system/kube-cleanup-operator/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/kube-cleanup-operator/app/helmrelease.yaml @@ -6,22 +6,17 @@ metadata: name: kube-cleanup-operator namespace: kube-system spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://charts.lwolf.org chart: kube-cleanup-operator version: 1.0.4 sourceRef: kind: HelmRepository - name: lwolf-charts + name: lwolf namespace: flux-system maxHistory: 3 - # dependsOn: - # - name: DEPENDS_APP - # namespace: DEPENDS_NS install: - createNamespace: true remediation: retries: 3 upgrade: diff --git a/kubernetes/apps/kube-system/kube-cleanup-operator/ks.yaml b/kubernetes/apps/kube-system/kube-cleanup-operator/ks.yaml index 04682a9bd..e5b19f770 100644 --- a/kubernetes/apps/kube-system/kube-cleanup-operator/ks.yaml +++ b/kubernetes/apps/kube-system/kube-cleanup-operator/ks.yaml 
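Review bot: removing the `# renovate: registryUrl=https://charts.lwolf.org` comment (and the equivalent for metrics-server and reflector later in the diff) stops Renovate's regex-based chart matching for `version: 1.0.4`; that is only safe if Renovate's `flux` manager is enabled and can resolve the renamed HelmRepository `lwolf` in `flux-system`, otherwise these charts quietly stop receiving update PRs. The commented-out `dependsOn` placeholder removal is fine.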
@@ -3,15 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-kube-system-kube-cleanup-operator + name: kube-system-kube-cleanup-operator namespace: flux-system spec: path: ./kubernetes/apps/kube-system/kube-cleanup-operator/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml index d7c26f5ed..a8c54aa68 100644 --- a/kubernetes/apps/kube-system/kustomization.yaml +++ b/kubernetes/apps/kube-system/kustomization.yaml @@ -7,11 +7,14 @@ resources: - ./namespace.yaml # - ./storageclass-local.yaml # overwrite local-path StorageClass to set as NOT default # Flux-Kustomizations + - ./cilium/ks.yaml + - ./coredns/ks.yaml - ./descheduler/ks.yaml - ./kube-cleanup-operator/ks.yaml - ./local-path-provisioner/ks.yaml - ./metrics-server/ks.yaml - - ./node-feature-discovery/ks.yaml + # - ./node-feature-discovery/ks.yaml - ./reflector/ks.yaml - ./reloader/ks.yaml - ./snapshot-controller/ks.yaml + - ./ycl/ks.yaml # yeet-cpu-limits operator diff --git a/kubernetes/apps/kube-system/local-path-provisioner/README.md b/kubernetes/apps/kube-system/local-path-provisioner/README.md new file mode 100644 index 000000000..5bd0c8af4 --- /dev/null +++ b/kubernetes/apps/kube-system/local-path-provisioner/README.md 
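Review bot: `./ycl/ks.yaml` (yeet-cpu-limits operator) is added to the kube-system resource list but no `ycl/` directory appears in this part of the diff, so the Kustomization fails to build until it lands; and `./node-feature-discovery/ks.yaml` is only commented out while its HelmRelease is deleted further down, leaving a `ks.yaml` pointing at an empty `app/` path. Delete the ks.yaml together with the HelmRelease, or keep both.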
@@ -0,0 +1,9 @@ +# [Local Path Provisioner](https://github.com/rancher/local-path-provisioner) + +Dynamically provisioning persistent local storage with Kubernetes. + +Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. +Based on the user configuration, the Local Path Provisioner will create either +hostPath or local based persistent volume on the node automatically. +It utilizes the features introduced by Kubernetes Local Persistent Volume feature, +but makes it a simpler solution than the built-in local volume feature in Kubernetes. diff --git a/kubernetes/apps/kube-system/local-path-provisioner/app/helmrelease.yaml b/kubernetes/apps/kube-system/local-path-provisioner/app/helmrelease.yaml index 84419f5c7..5a18c8e7c 100644 --- a/kubernetes/apps/kube-system/local-path-provisioner/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/local-path-provisioner/app/helmrelease.yaml @@ -6,7 +6,7 @@ metadata: name: local-path-provisioner namespace: kube-system spec: - interval: 15m + interval: 30m chart: spec: chart: ./deploy/chart/local-path-provisioner @@ -14,9 +14,8 @@ spec: kind: GitRepository name: local-path-provisioner namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: - createNamespace: true remediation: retries: 3 upgrade: @@ -26,22 +25,15 @@ spec: uninstall: keepHistory: false values: - image: - repository: rancher/local-path-provisioner - tag: v0.0.23 # ref: https://github.com/rancher/local-path-provisioner/issues/333 helperImage: repository: public.ecr.aws/docker/library/busybox tag: latest storageClass: - create: true defaultClass: false - name: local-path - reclaimPolicy: Delete nodePathMap: - node: DEFAULT_PATH_FOR_NON_LISTED_NODES paths: ["/var/lib/rancher/k3s/storage"] - # Note: Do not enable Flux variable substitution on this HelmRelease - # see disable label in ks.yaml + # NOTE: Do not enable Flux variable substitution on this HelmRelease configmap: setup: |- #!/bin/sh 
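Review bot: dropping the explicit `image.tag: v0.0.23` pin means the provisioner runs whatever the chart's bundled default is, while `helperImage` stays on `busybox:latest`; both should be pinned to a version or digest so a redeploy cannot silently pull different code into a hostPath-mounting storage helper. The same hunk removes `storageClass.create`, `name: local-path` and `reclaimPolicy: Delete`; confirm the chart defaults match, since existing PVs bound to the old class name would otherwise be orphaned.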
diff --git a/kubernetes/apps/kube-system/local-path-provisioner/app/kustomization.yaml b/kubernetes/apps/kube-system/local-path-provisioner/app/kustomization.yaml index 17cbc72b2..a09cef314 100644 --- a/kubernetes/apps/kube-system/local-path-provisioner/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/local-path-provisioner/app/kustomization.yaml @@ -2,5 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: kube-system resources: - ./helmrelease.yaml diff --git a/kubernetes/apps/kube-system/local-path-provisioner/ks.yaml b/kubernetes/apps/kube-system/local-path-provisioner/ks.yaml index 11326f614..450a0b368 100644 --- a/kubernetes/apps/kube-system/local-path-provisioner/ks.yaml +++ b/kubernetes/apps/kube-system/local-path-provisioner/ks.yaml @@ -3,9 +3,8 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-local-path-provisioner + name: kube-system-local-path-provisioner namespace: flux-system - ### envvar subst breaks the helmrelease configmap labels: substitution.flux.home.arpa/disabled: "true" spec: @@ -13,8 +12,8 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/kube-system/metrics-server/README.md b/kubernetes/apps/kube-system/metrics-server/README.md new file mode 100644 index 000000000..763ced161 --- /dev/null +++ b/kubernetes/apps/kube-system/metrics-server/README.md 
@@ -0,0 +1,13 @@ +# [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) + +Scalable and efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines. + +Metrics Server is a scalable, efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines. + +Metrics Server collects resource metrics from Kubelets and exposes them in +Kubernetes apiserver through Metrics API for use by Horizontal Pod Autoscaler and Vertical Pod Autoscaler. +Metrics API can also be accessed by kubectl top, making it easier to debug autoscaling pipelines. + +Metrics Server is not meant for non-autoscaling purposes. +For example, don't use it to forward metrics to monitoring solutions, or as a source of monitoring solution metrics. +In such cases please collect metrics from Kubelet /metrics/resource endpoint directly. diff --git a/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml index 5e4fe4207..9839a12dc 100644 --- a/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml @@ -6,19 +6,17 @@ metadata: name: metrics-server namespace: kube-system spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://kubernetes-sigs.github.io/metrics-server/ chart: metrics-server version: 3.11.0 sourceRef: kind: HelmRepository - name: metrics-server-charts + name: metrics-server namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: - createNamespace: true remediation: retries: 3 upgrade: @@ -37,5 +35,3 @@ spec: enabled: true serviceMonitor: enabled: true - # annotations: - # reloader.stakater.com/search: "true" diff --git a/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml b/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml index 17cbc72b2..a09cef314 100644 
--- a/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml @@ -2,5 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: kube-system resources: - ./helmrelease.yaml diff --git a/kubernetes/apps/kube-system/metrics-server/ks.yaml b/kubernetes/apps/kube-system/metrics-server/ks.yaml index c3b86e3c3..6c753c12c 100644 --- a/kubernetes/apps/kube-system/metrics-server/ks.yaml +++ b/kubernetes/apps/kube-system/metrics-server/ks.yaml @@ -3,15 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-kube-system-metrics-server + name: kube-system-metrics-server namespace: flux-system spec: path: ./kubernetes/apps/kube-system/metrics-server/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/kube-system/namespace.yaml b/kubernetes/apps/kube-system/namespace.yaml index 481f5a3ae..00442da31 100644 --- a/kubernetes/apps/kube-system/namespace.yaml +++ b/kubernetes/apps/kube-system/namespace.yaml @@ -4,5 +4,5 @@ kind: Namespace metadata: name: kube-system labels: - kustomize.toolkit.fluxcd.io/prune: disabled + kustomize.toolkit.fluxcd.io/prune: disabled # don't prune namespace goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/apps/kube-system/node-feature-discovery/app/helmrelease.yaml b/kubernetes/apps/kube-system/node-feature-discovery/app/helmrelease.yaml deleted file mode 100644 index 400550d89..000000000 --- a/kubernetes/apps/kube-system/node-feature-discovery/app/helmrelease.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: node-feature-discovery - namespace: kube-system -spec: - interval: 15m - chart: - spec: - chart: node-feature-discovery - version: 0.14.1 - sourceRef: - kind: HelmRepository - name: node-feature-discovery-charts - namespace: flux-system - maxHistory: 3 - install: - createNamespace: true - crds: CreateReplace - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - crds: CreateReplace - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - worker: - config: - core: - sources: ["custom", "pci", "usb"] - sources: - usb: - deviceClassWhitelist: ["02", "03", "0e", "ef", "fe", "ff"] - deviceLabelFields: ["class", "vendor", "device"] diff --git a/kubernetes/apps/kube-system/reflector/app/helmrelease.yaml b/kubernetes/apps/kube-system/reflector/app/helmrelease.yaml index 4a4079b5f..27729a728 100644 --- a/kubernetes/apps/kube-system/reflector/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/reflector/app/helmrelease.yaml @@ -6,22 +6,17 @@ metadata: name: &app reflector namespace: kube-system spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://emberstack.github.io/helm-charts/ - chart: *app + chart: reflector version: 7.1.203 sourceRef: kind: HelmRepository - name: emberstack-charts + name: emberstack namespace: flux-system maxHistory: 3 - # dependsOn: - # - name: DEPENDS_APP - # namespace: DEPENDS_NS install: - createNamespace: true remediation: retries: 3 upgrade: diff --git a/kubernetes/apps/kube-system/reflector/ks.yaml b/kubernetes/apps/kube-system/reflector/ks.yaml index 2621ac17b..9252c2131 100644 --- a/kubernetes/apps/kube-system/reflector/ks.yaml +++ b/kubernetes/apps/kube-system/reflector/ks.yaml 
@@ -3,15 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-kube-system-reflector + name: kube-system-reflector namespace: flux-system spec: path: ./kubernetes/apps/kube-system/reflector/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/kube-system/reloader/README.md b/kubernetes/apps/kube-system/reloader/README.md new file mode 100644 index 000000000..960f7281b --- /dev/null +++ b/kubernetes/apps/kube-system/reloader/README.md @@ -0,0 +1,12 @@ +# [reloader](https://github.com/stakater/Reloader) + +A Kubernetes controller to watch changes in ConfigMap and Secrets +and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig + +## Problem + +We would like to watch if some change happens in ConfigMap and/or Secret; then perform a rolling upgrade on relevant DeploymentConfig, Deployment, Daemonset, Statefulset and Rollout + +## Solution + +Reloader can watch changes in ConfigMap and Secret and do rolling upgrades on Pods with their associated DeploymentConfigs, Deployments, Daemonsets Statefulsets and Rollouts. diff --git a/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml b/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml index e52c516bb..9e5fa7a4c 100644 --- a/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml @@ -6,18 +6,17 @@ metadata: name: reloader namespace: &namespace kube-system spec: - interval: 15m + interval: 30m chart: spec: chart: reloader version: 1.0.41 sourceRef: kind: HelmRepository - name: stakater-charts + name: stakater namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: - createNamespace: true remediation: retries: 3 upgrade: 
@@ -29,11 +28,7 @@ spec: values: fullnameOverride: reloader reloader: - enableHA: true - deployment: - replicas: 3 reloadStrategy: annotations - reloadOnCreate: false podMonitor: enabled: true namespace: *namespace diff --git a/kubernetes/apps/kube-system/reloader/app/kustomization.yaml b/kubernetes/apps/kube-system/reloader/app/kustomization.yaml index 17cbc72b2..a09cef314 100644 --- a/kubernetes/apps/kube-system/reloader/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/reloader/app/kustomization.yaml @@ -2,5 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: kube-system resources: - ./helmrelease.yaml diff --git a/kubernetes/apps/kube-system/reloader/ks.yaml b/kubernetes/apps/kube-system/reloader/ks.yaml index 4129aa6e1..d65f3b823 100644 --- a/kubernetes/apps/kube-system/reloader/ks.yaml +++ b/kubernetes/apps/kube-system/reloader/ks.yaml @@ -3,15 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-kube-system-reloader + name: kube-system-reloader namespace: flux-system spec: path: ./kubernetes/apps/kube-system/reloader/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/kube-system/snapshot-controller/README.md b/kubernetes/apps/kube-system/snapshot-controller/README.md new file mode 100644 index 000000000..e84a6c9ab --- /dev/null +++ b/kubernetes/apps/kube-system/snapshot-controller/README.md 
@@ -0,0 +1,5 @@ +# [snapshot-controller](https://github.com/piraeusdatastore/helm-charts/tree/main/charts/snapshot-controller) + +Deploys the [snapshot-controller](https://github.com/kubernetes-csi/external-snapshotter) in a cluster. +The controller is required for CSI snapshotting to work and is not specific to any CSI driver. +The CSI snapshotter is part of Kubernetes implementation of Container Storage Interface (CSI). diff --git a/kubernetes/apps/kube-system/snapshot-controller/app/helmrelease-controller.yaml b/kubernetes/apps/kube-system/snapshot-controller/app/helmrelease-controller.yaml index c5e68d7cc..816a4589a 100644 --- a/kubernetes/apps/kube-system/snapshot-controller/app/helmrelease-controller.yaml +++ b/kubernetes/apps/kube-system/snapshot-controller/app/helmrelease-controller.yaml @@ -6,21 +6,17 @@ metadata: name: snapshot-controller namespace: kube-system spec: - interval: 15m + interval: 30m chart: spec: chart: snapshot-controller version: 1.9.1 sourceRef: kind: HelmRepository - name: piraeus-charts + name: piraeus namespace: flux-system maxHistory: 3 - # dependsOn: - # - name: snapshot-validation-webhook - # namespace: kube-system install: - createNamespace: true crds: CreateReplace remediation: retries: 3 @@ -35,7 +31,7 @@ spec: replicaCount: 3 serviceMonitor: create: true - # ## maanged with storage application deployments + # ## managed with storage application deployments # volumeSnapshotClasses: # - name: csi-democratic-csi-iscsi # driver: org.democratic-csi.truenas-iscsi diff --git a/kubernetes/apps/kube-system/snapshot-controller/app/helmrelease-webhook.yaml b/kubernetes/apps/kube-system/snapshot-controller/app/helmrelease-webhook.yaml index 4f53f1ae8..7bfd369b5 100644 --- a/kubernetes/apps/kube-system/snapshot-controller/app/helmrelease-webhook.yaml +++ b/kubernetes/apps/kube-system/snapshot-controller/app/helmrelease-webhook.yaml 
@@ -6,20 +6,19 @@ metadata: name: snapshot-validation-webhook namespace: kube-system spec: - interval: 15m + interval: 30m chart: spec: chart: snapshot-validation-webhook version: 1.8.1 sourceRef: kind: HelmRepository - name: piraeus-charts + name: piraeus namespace: flux-system maxHistory: 3 dependsOn: - name: snapshot-controller install: - createNamespace: true crds: Skip remediation: retries: 3 diff --git a/kubernetes/apps/kube-system/snapshot-controller/ks.yaml b/kubernetes/apps/kube-system/snapshot-controller/ks.yaml index 9f4d18cc2..a431a219c 100644 --- a/kubernetes/apps/kube-system/snapshot-controller/ks.yaml +++ b/kubernetes/apps/kube-system/snapshot-controller/ks.yaml @@ -3,15 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-kube-system-snapshot-controller + name: kube-system-snapshot-controller namespace: flux-system spec: path: ./kubernetes/apps/kube-system/snapshot-controller/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/kube-system/storageclass-local.yaml b/kubernetes/apps/kube-system/storageclass-local.yaml deleted file mode 100644 index 9c7f95f3c..000000000 --- a/kubernetes/apps/kube-system/storageclass-local.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: local-path - annotations: - storageclass.kubernetes.io/is-default-class: "false" -provisioner: rancher.io/local-path -reclaimPolicy: Delete -volumeBindingMode: WaitForFirstConsumer diff --git a/kubernetes/apps/kube-system/ycl/README.md b/kubernetes/apps/kube-system/ycl/README.md new file mode 100644 index 000000000..b1cf1c67c --- /dev/null +++ b/kubernetes/apps/kube-system/ycl/README.md 
@@ -0,0 +1,5 @@ +# [Yeet CPU Limits](https://github.com/bjw-s/k8s-ycl) + +Admission Controller to Yeet Kubernetes CPU limits + +[More info on requests vs limits](https://home.robusta.dev/blog/stop-using-cpu-limits) diff --git a/kubernetes/apps/kube-system/ycl/app/helmrelease.yaml b/kubernetes/apps/kube-system/ycl/app/helmrelease.yaml new file mode 100644 index 000000000..2c1e30303 --- /dev/null +++ b/kubernetes/apps/kube-system/ycl/app/helmrelease.yaml @@ -0,0 +1,32 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: ycl + namespace: kube-system +spec: + interval: 30m + chart: + spec: + chart: k8s-ycl + version: 0.2.1 + interval: 30m + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + values: + controller: + replicas: 3 + image: + repository: ghcr.io/bjw-s/k8s-ycl + tag: v0.1.0@sha256:5b18b022759d2dbee690ba2d75ea378b0a0e9bb4f16ba5ca0abafb428878b795 + + topologySpreadConstraints: + - maxSkew: 2 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: ycl diff --git a/kubernetes/apps/kube-system/ycl/app/kustomization.yaml b/kubernetes/apps/kube-system/ycl/app/kustomization.yaml new file mode 100644 index 000000000..ff299a538 --- /dev/null +++ b/kubernetes/apps/kube-system/ycl/app/kustomization.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kube-system +resources: + - ./helmrelease.yaml +labels: + - pairs: + app.kubernetes.io/name: ycl + app.kubernetes.io/instance: ycl 
diff --git a/kubernetes/apps/kube-system/node-feature-discovery/ks.yaml b/kubernetes/apps/kube-system/ycl/ks.yaml similarity index 68% rename from kubernetes/apps/kube-system/node-feature-discovery/ks.yaml rename to kubernetes/apps/kube-system/ycl/ks.yaml index e3ff2cb5f..4035a3bcc 100644 --- a/kubernetes/apps/kube-system/node-feature-discovery/ks.yaml +++ b/kubernetes/apps/kube-system/ycl/ks.yaml @@ -3,15 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-kube-system-node-feature-discovery + name: kube-system-ycl namespace: flux-system spec: - path: ./kubernetes/apps/kube-system/node-feature-discovery/app + dependsOn: + - name: cert-manager + path: ./kubernetes/apps/kube-system/ycl/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/kyverno/kustomization.yaml b/kubernetes/apps/kyverno/kustomization.yaml deleted file mode 100644 index 10b5d06cd..000000000 --- a/kubernetes/apps/kyverno/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Pre Flux-Kustomizations - - ./namespace.yaml - # Flux-Kustomizations - - ./kyverno/ks.yaml diff --git a/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml b/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml deleted file mode 100644 index d9ea4aeeb..000000000 --- a/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml +++ /dev/null 
@@ -1,97 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: kyverno - namespace: kyverno -spec: - interval: 15m - chart: - spec: - # renovate: registryUrl=https://kyverno.github.io/kyverno/ - chart: kyverno - version: 3.0.5 - sourceRef: - kind: HelmRepository - name: kyverno-charts - namespace: flux-system - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - remediation: - retries: 3 - values: - crds: - install: true - - tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Exists - # effect: NoSchedule - nodeSelector: - node-role.kubernetes.io/control-plane: "true" - annotations: - reloader.stakater.com/search: "true" - - resources: - requests: - cpu: 203m - memory: 128Mi - limits: - memory: 384Mi - - admissionController: - replicas: 3 - serviceMonitor: - enabled: true - rbac: - clusterRole: - extraResources: - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - update - - delete - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/instance: kyverno - app.kubernetes.io/component: kyverno - backgroundController: - serviceMonitor: - enabled: true - rbac: - clusterRole: - extraResources: - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - update - - patch - - delete - - get - - list - cleanupController: - serviceMonitor: - enabled: true - reportsController: - serviceMonitor: - enabled: true - grafana: - enabled: true - serviceMonitor: - enabled: true - annotations: - grafana_folder: General diff --git a/kubernetes/apps/kyverno/kyverno/app/rbac.yaml b/kubernetes/apps/kyverno/kyverno/app/rbac.yaml deleted file mode 100644 index 298701b56..000000000 
--- a/kubernetes/apps/kyverno/kyverno/app/rbac.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kyverno:admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin -subjects: - - kind: ServiceAccount - name: kyverno - namespace: kyverno diff --git a/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml b/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml deleted file mode 100644 index 1ae01740f..000000000 --- a/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # - ./add-goldilocks-labels.yaml - # - ./add-reloader-annotations.yaml - # - ./exclude-cephfs-from-alerts.yaml - - ./remove-cpu-limits.yaml diff --git a/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml b/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml deleted file mode 100644 index 6d5ee5ab5..000000000 --- a/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: remove-cpu-limits-pod - annotations: - policies.kyverno.io/title: Remove CPU limits - policies.kyverno.io/subject: Pods - policies.kyverno.io/description: >- - This policy searches for resource definitions and removes set CPU limits, unless: annotated with - `kyverno.io/ignore: "true"`, or in a specific set of namespaces - pod-policies.kyverno.io/autogen-controllers: none -spec: - # mutateExistingOnPolicyUpdate: true - # generateExistingOnPolicyUpdate: true - rules: - - name: delete-containers-cpu-limits - match: - any: - - resources: - kinds: ["Pod"] - exclude: - any: - - resources: - annotations: - kyverno.io/ignore: "true" - - resources: - namespaces: - - flux-system - - kube-node-lease - - kube-public - - kube-system - - calico-apiserver - - calico-system - - tigera-operator - mutate: - foreach: - - list: "request.object.spec.containers" - patchesJson6902: |- - - path: /spec/containers/{{elementIndex}}/resources/limits/cpu - op: remove - - name: delete-initcontainers-cpu-limits - match: - any: - - resources: - kinds: ["Pod"] - exclude: - any: - - resources: - annotations: - kyverno.io/ignore: "true" - - resources: - namespaces: - - flux-system - - kube-node-lease - - kube-public - - kube-system - - calico-apiserver - - calico-system - - tigera-operator - preconditions: - all: - - key: "{{ request.object.spec.initContainers[] || `[]` | length(@) }}" - operator: GreaterThanOrEquals - value: 1 - mutate: - foreach: - - list: "request.object.spec.initContainers" - patchesJson6902: |- - - path: /spec/initContainers/{{elementIndex}}/resources/limits/cpu - op: remove diff --git a/kubernetes/apps/kyverno/namespace.yaml b/kubernetes/apps/kyverno/namespace.yaml deleted file mode 100644 index a51dc892a..000000000 --- a/kubernetes/apps/kyverno/namespace.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: kyverno - labels: - # kustomize.toolkit.fluxcd.io/prune: disabled - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/apps/metallb-system/README.md b/kubernetes/apps/metallb-system/README.md deleted file mode 100644 index 9d4961266..000000000 --- a/kubernetes/apps/metallb-system/README.md +++ /dev/null @@ -1 +0,0 @@ -# metallb diff --git a/kubernetes/apps/metallb-system/kustomization.yaml b/kubernetes/apps/metallb-system/kustomization.yaml deleted file mode 100644 index 86ffd13a5..000000000 --- a/kubernetes/apps/metallb-system/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Pre Flux-Kustomizations - - ./namespace.yaml - # Flux-Kustomizations - - ./metallb-system/ks.yaml diff --git a/kubernetes/apps/metallb-system/metallb-system/app/helmrelease.yaml b/kubernetes/apps/metallb-system/metallb-system/app/helmrelease.yaml deleted file mode 100644 index b4598d86f..000000000 --- a/kubernetes/apps/metallb-system/metallb-system/app/helmrelease.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: metallb - namespace: metallb-system -spec: - interval: 15m - chart: - spec: - # renovate: registryUrl=https://metallb.github.io/metallb - chart: metallb - version: 0.13.11 - sourceRef: - kind: HelmRepository - name: metallb-charts - namespace: flux-system - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - remediation: - retries: 3 - remediateLastFailure: true - values: - crds: - enabled: true - controller: - annotations: - reloader.stakater.com/search: "true" - tolerations: - # - effect: NoSchedule - # key: node-role.kubernetes.io/control-plane - # operator: Exists - - effect: "NoExecute" - operator: "Exists" - - effect: "NoSchedule" - operator: "Exists" - speaker: - annotations: - reloader.stakater.com/search: "true" - tolerations: - # - effect: NoSchedule - # key: node-role.kubernetes.io/control-plane - # operator: Exists - - effect: "NoExecute" - operator: "Exists" - - effect: "NoSchedule" - operator: "Exists" - # frr: - # enabled: true - # image: - # repository: docker.io/frrouting/frr - # tag: v8.2.2 - prometheus: - podMonitor: - enabled: false - prometheusRule: - enabled: false diff --git a/kubernetes/apps/metallb-system/metallb-system/config/ipAddressPool.yaml b/kubernetes/apps/metallb-system/metallb-system/config/ipAddressPool.yaml deleted file mode 100644 index d95d9f536..000000000 --- a/kubernetes/apps/metallb-system/metallb-system/config/ipAddressPool.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -# This was autogenerated by MetalLB's custom resource generator. -apiVersion: metallb.io/v1beta1 -kind: IPAddressPool -metadata: - name: gateway - namespace: metallb-system -spec: - addresses: - - ${LB_GATEWAY}/32 ---- -# This was autogenerated by MetalLB's custom resource generator. -apiVersion: metallb.io/v1beta1 -kind: IPAddressPool -metadata: - name: ingress - namespace: metallb-system -spec: - addresses: - - ${LB_INGRESS}/32 ---- -# This was autogenerated by MetalLB's custom resource generator. -apiVersion: metallb.io/v1beta1 -kind: IPAddressPool -metadata: - name: auth - namespace: metallb-system -spec: - addresses: - - ${LB_AUTH}/32 ---- -# This was autogenerated by MetalLB's custom resource generator. -apiVersion: metallb.io/v1beta1 -kind: IPAddressPool -metadata: - name: default - namespace: metallb-system -spec: - addresses: - - ${LB_DEFAULT_RANGE} diff --git a/kubernetes/apps/metallb-system/metallb-system/config/kustomization.yaml b/kubernetes/apps/metallb-system/metallb-system/config/kustomization.yaml deleted file mode 100644 index 054f9e24c..000000000 --- a/kubernetes/apps/metallb-system/metallb-system/config/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./ipAddressPool.yaml - - ./l2Advertisement.yaml # not needed with calico? see: https://metallb.universe.tf/configuration/calico/ diff --git a/kubernetes/apps/metallb-system/metallb-system/config/l2Advertisement.yaml b/kubernetes/apps/metallb-system/metallb-system/config/l2Advertisement.yaml deleted file mode 100644 index 2ab6cdc42..000000000 --- a/kubernetes/apps/metallb-system/metallb-system/config/l2Advertisement.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -# This was autogenerated by MetalLB's custom resource generator. -apiVersion: metallb.io/v1beta1 -kind: L2Advertisement -metadata: - name: l2advertisement - namespace: metallb-system -spec: - ipAddressPools: - - default - - gateway - - ingress - - auth diff --git a/kubernetes/apps/metallb-system/namespace.yaml b/kubernetes/apps/metallb-system/namespace.yaml deleted file mode 100644 index 0aa483606..000000000 --- a/kubernetes/apps/metallb-system/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: metallb-system - labels: - kustomize.toolkit.fluxcd.io/prune: disabled - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/apps/monitoring/README.md b/kubernetes/apps/monitoring/README.md index 5f50d770a..db8bf5ec4 100644 --- a/kubernetes/apps/monitoring/README.md +++ b/kubernetes/apps/monitoring/README.md @@ -1,25 +1,25 @@ # Monitoring and Observability - [Monitoring and Observability](#monitoring-and-observability) - - [Grafana](#grafana) - [Prometheus](#prometheus) - - [Thanos](#thanos) - - [Loki](#loki) - -## Grafana - -Provides dashboards. Queries from Prometheus (or Thanos) + - [Alertmanager](#alertmanager) + - [Grafana](#grafana) + - [Scrutiny](#scrutiny) ## Prometheus Time-series database for metrics. Exporters / serviceMonitors ship metrics to Prometheus. -## Thanos +## Alertmanager + +Alertmanager handles alerts sent by client applications such as the Prometheus server. +It takes care of deduplicating, grouping, and routing them to the correct receiver integration such as email, PagerDuty, or OpsGenie. -Long-term storage and compaction of metrics (in an s3 bucket). Use if Prometheus gets expensive. +## Grafana + +Provides dashboards. Queries from Prometheus (or Thanos) -## Loki +## Scrutiny -Prometheus, but for logs. -Currently not used. +Monitors disk drive SMART status 
diff --git a/kubernetes/apps/monitoring/goldilocks/README.md b/kubernetes/apps/monitoring/goldilocks/README.md index cfd334714..cfd9ca2cb 100644 --- a/kubernetes/apps/monitoring/goldilocks/README.md +++ b/kubernetes/apps/monitoring/goldilocks/README.md @@ -1,8 +1,8 @@ -# Goldilocks +# [Goldilocks](https://github.com/FairwindsOps/goldilocks) Get resource requests "just right". -[Goldilocks](https://github.com/FairwindsOps/goldilocks) is a utility that can help you identify a starting point for resource requests and limits +Goldilocks is a utility that can help you identify a starting point for resource requests and limits ## Label namespaces diff --git a/kubernetes/apps/monitoring/goldilocks/app/helmrelease-goldilocks.yaml b/kubernetes/apps/monitoring/goldilocks/app/helmrelease-goldilocks.yaml index 911379d01..01d43dda1 100755 --- a/kubernetes/apps/monitoring/goldilocks/app/helmrelease-goldilocks.yaml +++ b/kubernetes/apps/monitoring/goldilocks/app/helmrelease-goldilocks.yaml @@ -6,15 +6,14 @@ metadata: name: &app goldilocks namespace: &namespace monitoring spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://charts.fairwinds.com/stable - chart: goldilocks + chart: *app version: 7.3.0 sourceRef: kind: HelmRepository - name: fairwinds-charts + name: fairwinds namespace: flux-system maxHistory: 3 dependsOn: @@ -43,16 +42,15 @@ spec: cpu: 15m memory: 105Mi limits: - cpu: 15m memory: 132Mi dashboard: enabled: true + replicaCount: 1 # Container names to exclude from displaying in the Goldilocks dashboard - excludeContainers: "linkerd-proxy,istio-proxy" ingress: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 @@ -69,7 +67,6 @@ spec: cpu: 15m memory: 105Mi limits: - cpu: 15m memory: 105Mi annotations: 
diff --git a/kubernetes/apps/monitoring/goldilocks/app/helmrelease-vpa.yaml b/kubernetes/apps/monitoring/goldilocks/app/helmrelease-vpa.yaml index b3b8d8884..f4355b56a 100755 --- a/kubernetes/apps/monitoring/goldilocks/app/helmrelease-vpa.yaml +++ b/kubernetes/apps/monitoring/goldilocks/app/helmrelease-vpa.yaml @@ -6,15 +6,14 @@ metadata: name: &app vpa namespace: &namespace monitoring spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://charts.fairwinds.com/stable - chart: vpa + chart: *app version: 3.0.1 sourceRef: kind: HelmRepository - name: fairwinds-charts + name: fairwinds namespace: flux-system interval: 15m maxHistory: 3 diff --git a/kubernetes/apps/monitoring/goldilocks/app/kustomization.yaml b/kubernetes/apps/monitoring/goldilocks/app/kustomization.yaml index 51084861f..b07c4b03a 100644 --- a/kubernetes/apps/monitoring/goldilocks/app/kustomization.yaml +++ b/kubernetes/apps/monitoring/goldilocks/app/kustomization.yaml @@ -2,6 +2,7 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: monitoring resources: - ./helmrelease-goldilocks.yaml - ./helmrelease-vpa.yaml diff --git a/kubernetes/apps/monitoring/goldilocks/ks.yaml b/kubernetes/apps/monitoring/goldilocks/ks.yaml index 32aa239a5..60df1bd1d 100644 --- a/kubernetes/apps/monitoring/goldilocks/ks.yaml +++ b/kubernetes/apps/monitoring/goldilocks/ks.yaml @@ -3,15 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-monitoring-goldilocks + name: monitoring-goldilocks namespace: flux-system spec: path: ./kubernetes/apps/monitoring/goldilocks/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m 
diff --git a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml index de1aedc81..9bce400bd 100644 --- a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml 
@@ -3,55 +3,49 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: &app grafana - namespace: &namespace monitoring + name: grafana + namespace: monitoring spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://grafana.github.io/helm-charts chart: grafana version: 6.60.1 sourceRef: kind: HelmRepository - name: grafana-charts + name: grafana namespace: flux-system + maxHistory: 2 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + dependsOn: + - name: local-path-provisioner + namespace: kube-system values: - replicas: 1 deploymentStrategy: type: Recreate - + admin: + existingSecret: grafana-admin-secret env: - GF_ANALYTICS_CHECK_FOR_UPDATES: false - # GF_DATABASE_HOST: postgres-rw.default.svc.cluster.local:5432 - # GF_DATABASE_NAME: grafana - # GF_DATABASE_SSL_MODE: disable - # GF_DATABASE_TYPE: postgres - GF_DATE_FORMATS_USE_BROWSER_LOCALE: true - GF_DATE_FORMATS_FULL_DATE: "MMM Do, YYYY hh:mm:ss a" GF_EXPLORE_ENABLED: true - GF_GRAFANA_NET_URL: https://grafana.net - GF_LOG_FILTERS: rendering:debug - GF_LOG_MODE: console - GF_PANELS_DISABLE_SANITIZE_HTML: true - GF_SECURITY_ALLOW_EMBEDDING: true - GF_SECURITY_COOKIE_SAMESITE: grafana GF_SERVER_ROOT_URL: "https://grafana.${SECRET_DOMAIN}" - - admin: - existingSecret: *app - userKey: admin-user - passwordKey: admin-password - grafana.ini: - auth.basic: - disable_login_form: false - + analytics: + check_for_updates: false + check_for_plugin_updates: false + reporting_enabled: false dashboardProviders: dashboardproviders.yaml: apiVersion: 1 providers: - - name: "default" + - name: default orgId: 1 folder: "" type: file 
@@ -59,55 +53,114 @@ spec: editable: true options: path: /var/lib/grafana/dashboards/default - + - name: flux + orgId: 1 + folder: Flux + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/flux + - name: kubernetes + orgId: 1 + folder: Kubernetes + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/kubernetes + - name: nginx + orgId: 1 + folder: Nginx + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/nginx datasources: datasources.yaml: apiVersion: 1 + deleteDatasources: + - { name: Prometheus, orgId: 1 } datasources: - name: Prometheus type: prometheus + uid: prometheus access: proxy - # url: http://thanos-query.monitoring.svc.cluster.local:9090 - url: http://kps-prometheus.monitoring.svc.cluster.local:9090 - isDefault: true - - name: Alertmanager - type: alertmanager - access: proxy - url: http://kps-alertmanager.monitoring.svc.cluster.local:9093 + url: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090 jsonData: - implementation: prometheus - # - name: Loki - # type: loki - # access: proxy - # url: http://loki-gateway.monitoring.svc.cluster.local:80 - deleteDatasources: - - name: Alertmanager - orgId: 1 - # - name: Loki - # orgId: 1 - + prometheusType: Prometheus + isDefault: true + dashboards: + default: + cloudflared: + gnetId: 17457 # https://grafana.com/grafana/dashboards/17457?tab=revisions + revision: 6 + datasource: + - { name: DS_PROMETHEUS, value: Prometheus } + external-dns: + gnetId: 15038 # https://grafana.com/grafana/dashboards/15038?tab=revisions + revision: 1 + datasource: Prometheus + cert-manager: + url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json + datasource: Prometheus + node-exporter-full: + gnetId: 1860 # https://grafana.com/grafana/dashboards/1860?tab=revisions + revision: 31 + datasource: 
Prometheus + flux: + flux-cluster: + url: https://raw.githubusercontent.com/fluxcd/flux2/main/manifests/monitoring/monitoring-config/dashboards/cluster.json + datasource: Prometheus + flux-control-plane: + url: https://raw.githubusercontent.com/fluxcd/flux2/main/manifests/monitoring/monitoring-config/dashboards/control-plane.json + datasource: Prometheus + kubernetes: + kubernetes-api-server: + url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-api-server.json + datasource: Prometheus + kubernetes-coredns: + url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-coredns.json + datasource: Prometheus + kubernetes-global: + url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-global.json + datasource: Prometheus + kubernetes-namespaces: + url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-namespaces.json + datasource: Prometheus + kubernetes-nodes: + url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-nodes.json + datasource: Prometheus + kubernetes-pods: + url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-pods.json + datasource: Prometheus + nginx: + nginx: + url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json + datasource: Prometheus + nginx-request-handling-performance: + url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json + datasource: Prometheus sidecar: dashboards: enabled: true searchNamespace: ALL + labelValue: "" + label: grafana_dashboard + folderAnnotation: grafana_folder + provider: + disableDelete: true + foldersFromFilesStructure: true datasources: enabled: true searchNamespace: ALL - - # imageRenderer: - # enabled: 
true - - plugins: - - natel-discrete-panel - - pr0ps-trackmap-panel - - grafana-piechart-panel - - vonage-status-panel - - grafana-worldmap-panel - - grafana-clock-panel - + labelValue: "" + serviceMonitor: + enabled: true ingress: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 @@ -116,29 +169,8 @@ spec: tls: - hosts: - *host - persistence: enabled: true - storageClassName: "ceph-fs" - accessModes: - - ReadWriteMany - size: 2Gi - - resources: - requests: - cpu: 49m - memory: 81M - limits: - memory: 256M - - serviceMonitor: - enabled: true - - rbac: - pspEnabled: false - - annotations: - reloader.stakater.com/search: "true" - - tolerations: [] - nodeSelector: {} + storageClassName: local-path + testFramework: + enabled: false diff --git a/kubernetes/apps/monitoring/grafana/app/kustomization.yaml b/kubernetes/apps/monitoring/grafana/app/kustomization.yaml index 8b3cc1a14..f95906c2d 100644 --- a/kubernetes/apps/monitoring/grafana/app/kustomization.yaml +++ b/kubernetes/apps/monitoring/grafana/app/kustomization.yaml @@ -2,6 +2,7 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: monitoring resources: - - ./helmrelease.yaml - ./secret.sops.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/monitoring/grafana/app/secret.sops.yaml b/kubernetes/apps/monitoring/grafana/app/secret.sops.yaml index cae540731..44134e587 100644 --- a/kubernetes/apps/monitoring/grafana/app/secret.sops.yaml +++ b/kubernetes/apps/monitoring/grafana/app/secret.sops.yaml 
@@ -1,15 +1,11 @@ -# yamllint disable apiVersion: v1 kind: Secret -type: Opaque metadata: - name: grafana + name: grafana-admin-secret namespace: monitoring - annotations: - reloader.stakater.com/match: "true" stringData: - admin-user: ENC[AES256_GCM,data:42iGrP4=,iv:RJSurGl0FxkL/dFCz8BO+MSQUTxTmcE0BS061iTm0jw=,tag:E8IeNhCJ4DGnXvrL2hrG7g==,type:str] - admin-password: ENC[AES256_GCM,data:4GQr+8u+KoxRAF/t,iv:oZIp19LZzbKKtr0n3gbUOl63qGt8X2IhhwVPPwHu2qk=,tag:/vNn45JOWwV+VqnRk/XwMQ==,type:str] + admin-password: ENC[AES256_GCM,data:YaDZFwYwyGBm8l5k,iv:f0kgic46I7rlRknQNHtLarbbOy5mlbZttLMMZsxhhG4=,tag:qWFRz14a507mUxcNVQ6InA==,type:str] + admin-user: ENC[AES256_GCM,data:TjsJ5oo=,iv:gowuNqCl8CgkIfpJzyfPUKayV13+rwg8LM+a7JfT1aE=,tag:sXVkdy7kLi7saE7Pi0pinQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -19,14 +15,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZGIrN3U3ZU53a2E3UDBG - RTRrVTRJTHhRRzZ5c0tRelMvQjU0QkM3eGg4CjRmbXlKWDh5cytKNTBIRGhQVUNY - NGgxSkZ6RUY5c3htZk5vYlNUNmNxZFEKLS0tIGZ6ZDhreUgwU1AzaXJQa2M1Qlc2 - cFRpRTdDK0lpTkhFcDZYNFN4Z1AvNlEKCq1GwDb+251h9bLE2kioNZVlQqcohLTO - TwkWq9GpoEnF0Ynh+UdnjNtYupNY3DjVsCbRbrMbbZJWhYpis1l/MQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbHlWbzJINFV2cnBPdFRz + bXB3QVJqM1ZrOThlbllsV1BqR2Y3MGVITlVrCm8rNUY1Q09YbmIrSWErZytuYkpD + c0hKSzVPTkJ6ay9LOHNWYkNBOTlKODgKLS0tIG5RN0pwdXlXQVFXSWNkS05vMHgz + ZkFObjZaOW1IQU4vWWw4dHpHZGpaMmMKjc+9aJI9PMALNjdoPOD5BDBa5BPzRg2S + VYeKqvfGHfgiUq0G+7BfPNjkEolTgbzKz0PFAxfJKHkYqKU9WGVXog== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-08T02:16:09Z" - mac: ENC[AES256_GCM,data:Miu4gnRTCczKWaU0wQbIN8/aK8jc0e/7+gLHOTMiEKuBdALiowDQF0Jv+GshOhpX65zfPMsc0YtX9qYpUUvfcq/bXAvZt5c+Yq3EcWcL0O1EgSy8PNOCclE1yvtzzw/Kavew9X+oZP/zu3s/6y2LOxSuv6toXbUSGVPxbrsOVBg=,iv:qDMhlLaAdw1mssgdiRr0YUcWHOQh4+xmdl/WRYqbXHU=,tag:fYUD80jggP4y7RCL66qEAw==,type:str] + lastmodified: "2023-09-05T01:23:41Z" + mac: ENC[AES256_GCM,data:GbBclFaUbeyYj5qlWtmQOIlws21UwMEZq6VntyK8uOdyQ2P8VobF3y+J27+ppCwk9n9EHEX7RffdI6Rp9XCgKxmalYh1jCJn6nNlbECUsCW/ceQyJxAnIKJ554ACu8//MJ/HmB5sIql1UiA+5qcZMvjh968RdUj1H2JBJLaZSAo=,iv:D9HP/rCPfEkms1TeBX2IX83GKldM4cYtzXh6Mxfu/JA=,tag:P6q7fsbh7tF2dG4wy/Me/Q==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/monitoring/grafana/ks.yaml b/kubernetes/apps/monitoring/grafana/ks.yaml index c00fc7fde..faf693703 100644 --- a/kubernetes/apps/monitoring/grafana/ks.yaml +++ b/kubernetes/apps/monitoring/grafana/ks.yaml 
@@ -3,17 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-monitoring-grafana + name: monitoring-grafana namespace: flux-system spec: - dependsOn: - - name: apps-monitoring-kube-prometheus-stack path: ./kubernetes/apps/monitoring/grafana/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/monitoring/karma/README.md b/kubernetes/apps/monitoring/karma/README.md index 44fee6ec9..3756fce50 100644 --- a/kubernetes/apps/monitoring/karma/README.md +++ b/kubernetes/apps/monitoring/karma/README.md @@ -1,3 +1,3 @@ -# Karma +# [Karma](https://github.com/prymitive/karma) -[Karma](https://github.com/prymitive/karma) is an Alert dashboard for Prometheus Alertmanager +An Alert dashboard for Prometheus Alertmanager diff --git a/kubernetes/apps/monitoring/karma/app/helmrelease.yaml b/kubernetes/apps/monitoring/karma/app/helmrelease.yaml index ebf1c9a2b..b5d38fb89 100644 --- a/kubernetes/apps/monitoring/karma/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/karma/app/helmrelease.yaml @@ -6,15 +6,14 @@ metadata: name: &app karma namespace: &namespace monitoring spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system maxHistory: 3 # dependsOn: @@ -37,7 +36,6 @@ spec: reloader.stakater.com/search: "true" image: - # renovate: registryUrl=https://github.com/prymitive/karma repository: ghcr.io/prymitive/karma tag: v0.116 @@ -48,7 +46,7 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 
diff --git a/kubernetes/apps/monitoring/karma/ks.yaml b/kubernetes/apps/monitoring/karma/ks.yaml index 3f7a8fed1..0f765b1f3 100644 --- a/kubernetes/apps/monitoring/karma/ks.yaml +++ b/kubernetes/apps/monitoring/karma/ks.yaml @@ -3,18 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-monitoring-karma + name: monitoring-karma namespace: flux-system spec: dependsOn: - - name: apps-rook-ceph-cluster - - name: apps-monitoring-kube-prometheus-stack + - name: monitoring-kube-prometheus-stack path: ./kubernetes/apps/monitoring/karma/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/README.md b/kubernetes/apps/monitoring/kube-prometheus-stack/README.md index b0d8f9b71..855ecdc46 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/README.md +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/README.md 
@@ -13,22 +13,22 @@ is stored with the timestamp at which it was recorded, alongside optional key-va `./prometheus-rules` will need to be disable on first install due to race condition. Once `prometheus-operator` is up and running, `./prometheus-rules` can be added back -## Included - -### [Kube-State-Metrics](https://github.com/kubernetes/kube-state-metrics) - -### [Node Exporter](https://github.com/prometheus/node_exporter) - -### Thanos - -Distributed Prometheus solutions such as Thanos and Cortex use an alternate architecture in which multiple small -Prometheus instances are deployed. - -In the case of Thanos, the metrics from each Prometheus are aggregated into the common Thanos deployment, -and then those metrics are exported to a persistent store, such as S3. - -This more robust architecture avoids burdening any single Prometheus instance with too many time series, -while also preserving the ability to query metrics on a global level. +### Naming + +> As of Helm Chart `v51.*` + +| | `fullNameOverride` | `nameOverride` | `cleanPrometheusOperatorObjectNames` | `alertmanager` | `prometheus` | `operator` | `kube-state-metrics` | +| :---: | :---: | :---: | :---: | :--- | :--- | :--- | :--- | +| 🆗 | 'kps' | `null` | `false` | `alertmanager-kps-alertmanager-0` | `prometheus-kps-prometheus-0` | `kps-operator-...` | `kube-prometheus-stack-kube-state-metrics-...` | +| ❌ | `null` | 'kps' | `false` | `alertmanager-kube-prometheus-stack-kps-alertmanager-0` | `prometheus-kube-prometheus-stack-kps-prometheus-0` | `kube-prometheus-stack-kps-operator-...` | `kube-prometheus-stack-kube-state-metrics-...` | +| 🆗 | 'kps' | 'kps' | `false` | `alertmanager-kps-alertmanager-0` | `prometheus-kps-prometheus-0` | `kps-operator-...` | `kube-prometheus-stack-kube-state-metrics-...` | +| ✅ | 'kps' | `null` | `true` | `alertmanager-kps-0` | `prometheus-kps-0` | `kps-operator-...` | `kube-prometheus-stack-kube-state-metrics-...` | +| ❌ | `null` | 'kps' | `true` | 
`alertmanager-kube-prometheus-stack-kps-0` | `prometheus-kube-prometheus-stack-kps-0` | `kube-prometheus-stack-kps-operator-...` | `kube-prometheus-stack-kube-state-metrics-...` | +| ✅ | 'kps' | 'kps' | `true` | `alertmanager-kps-0` | `prometheus-kps-0` | `kps-operator-...` | `kube-prometheus-stack-kube-state-metrics-...` | + +| | `fullNameOverride` | `cleanPrometheusOperatorObjectNames` | `values.kube-state-metrics.fullNameOverride` | `alertmanager` | `prometheus` | `operator` | `kube-state-metrics` | +| :---: | :---: | :---: | :--- | :--- | :--- | :--- | :--- | +| ⭐️ | 'kps' | `true` | `kube-state-metrics` | `alertmanager-kps-0` | `prometheus-kps-0` | `kps-operator-...` | `kube-state-metrics-...` | ## Monitoring external services diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/add-ons/kustomization.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/addons/kustomization.yaml similarity index 100% rename from kubernetes/apps/monitoring/kube-prometheus-stack/add-ons/kustomization.yaml rename to kubernetes/apps/monitoring/kube-prometheus-stack/addons/kustomization.yaml diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/add-ons/rules/etcd.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/addons/rules/etcd.yaml similarity index 100% rename from kubernetes/apps/monitoring/kube-prometheus-stack/add-ons/rules/etcd.yaml rename to kubernetes/apps/monitoring/kube-prometheus-stack/addons/rules/etcd.yaml diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/add-ons/rules/kustomization.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/addons/rules/kustomization.yaml similarity index 100% rename from kubernetes/apps/monitoring/kube-prometheus-stack/add-ons/rules/kustomization.yaml rename to kubernetes/apps/monitoring/kube-prometheus-stack/addons/rules/kustomization.yaml 
diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/add-ons/rules/node-exporter.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/addons/rules/node-exporter.yaml similarity index 100% rename from kubernetes/apps/monitoring/kube-prometheus-stack/add-ons/rules/node-exporter.yaml rename to kubernetes/apps/monitoring/kube-prometheus-stack/addons/rules/node-exporter.yaml diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/alertmanager.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/alertmanager.yaml new file mode 100644 index 000000000..2f48f9dd7 --- /dev/null +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/alertmanager.yaml 
@@ -0,0 +1,65 @@ +--- +## ref: https://prometheus.io/docs/alerting/alertmanager/ +## ref: https://prometheus.io/docs/alerting/latest/configuration/#configuration-file +global: + resolve_timeout: 5m +# Inhibition rules allow to mute a set of alerts given that another alert is firing. +# We use this to mute any warning-level notifications if the same alert is already critical. +inhibit_rules: + - source_matchers: + - "severity = critical" + target_matchers: + - "severity =~ warning|info" + equal: + - "namespace" + - "alertname" + - source_matchers: + - "severity = warning" + target_matchers: + - "severity = info" + equal: + - "namespace" + - "alertname" + - source_matchers: + - "alertname = InfoInhibitor" + target_matchers: + - "severity = info" + equal: + - "namespace" +receivers: + - name: "null" + - name: "email" + email_configs: + - to: "${SECRET_DEFAULT_EMAIL}" + from: "${SECRET_SMTP_ADDRESS}" + smarthost: "${SECRET_SMTP_SRV}:${SECRET_SMTP_PORT}" + auth_username: "${SECRET_SMTP_USER}" + auth_password: "${SECRET_SMTP_PWD}" + require_tls: true + # prettier-ignore + text: >- + [{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ if ne .CommonAnnotations.summary ""}}{{ .CommonAnnotations.summary }} {{ else if ne .CommonAnnotations.message ""}}{{ .CommonAnnotations.message }} {{ else if ne .CommonAnnotations.description ""}}{{ .CommonAnnotations.description }} {{ else }}{{ .CommonLabels.alertname }}{{ end }} + + {{ range .Alerts -}} + *Alert:* {{ .Annotations.title }}{{ if .Labels.severity }} - `{{ .Labels.severity }}`{{ end }} + {{ if ne .Annotations.summary ""}}*Summary:* {{ .Annotations.summary }} {{ else if ne .Annotations.message ""}}*Message:* {{ .Annotations.message }} {{ else if ne .Annotations.description ""}}*Description:* {{ .Annotations.description }}{{ end }} + *Details:* + {{ range .Labels.SortedPairs }} • *{{ .Name }}:* `{{ .Value }}` + {{ end }} + {{ end }} +route: + # root route with all parameters are 
inherited by the child routes if they are not overwritten + receiver: "null" + group_by: ["alertname"] + group_wait: 60s + group_interval: 15m + repeat_interval: 6h + routes: + - receiver: "null" + matchers: + - alertname =~ "InfoInhibitor|Watchdog" + continue: false + - receiver: "email" + matchers: + - severity = "critical" + continue: true diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml index 2333742bf..911e15e71 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml @@ -6,15 +6,14 @@ metadata: name: kube-prometheus-stack namespace: monitoring spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://prometheus-community.github.io/helm-charts chart: kube-prometheus-stack version: 51.2.0 sourceRef: kind: HelmRepository - name: prometheus-community-charts + name: prometheus-community namespace: flux-system maxHistory: 3 install: 
@@ -26,89 +25,266 @@ spec: crds: CreateReplace remediation: retries: 3 + dependsOn: + - name: local-path-provisioner + namespace: kube-system + - name: rook-ceph-cluster + namespace: rook-ceph values: + ## ref: https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml fullnameOverride: kps + cleanPrometheusOperatorObjectNames: true + + crds: + enabled: true + + alertmanager: + enabled: true + fullnameOverride: alertmanager + alertmanagerSpec: + retention: 72h + storage: + volumeClaimTemplate: + spec: + storageClassName: ceph-block + resources: + requests: + storage: 1Gi + # config: # see configmap + ingress: + enabled: true + ingressClassName: internal + annotations: + nginx.ingress.kubernetes.io/whitelist-source-range: | + 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + hosts: + - &host "alertmanager.${SECRET_DOMAIN}" + tls: + - hosts: + - *host + + grafana: + enabled: false # manage by itself + forceDeployDashboards: true + sidecar: + dashboards: + multicluster: + global: + enabled: true + + # coreDns: + # enabled: false + kubelet: + enabled: true + serviceMonitor: + metricRelabelings: + # Remove duplicate labels provided by k3s + - action: keep + sourceLabels: ["__name__"] + regex: 
(apiserver_audit|apiserver_client|apiserver_delegated|apiserver_envelope|apiserver_storage|apiserver_webhooks|authentication_token|cadvisor_version|container_blkio|container_cpu|container_fs|container_last|container_memory|container_network|container_oom|container_processes|container|csi_operations|disabled_metric|get_token|go|hidden_metric|kubelet_certificate|kubelet_cgroup|kubelet_container|kubelet_containers|kubelet_cpu|kubelet_device|kubelet_graceful|kubelet_http|kubelet_lifecycle|kubelet_managed|kubelet_node|kubelet_pleg|kubelet_pod|kubelet_run|kubelet_running|kubelet_runtime|kubelet_server|kubelet_started|kubelet_volume|kubernetes_build|kubernetes_feature|machine_cpu|machine_memory|machine_nvm|machine_scrape|node_namespace|plugin_manager|prober_probe|process_cpu|process_max|process_open|process_resident|process_start|process_virtual|registered_metric|rest_client|scrape_duration|scrape_samples|scrape_series|storage_operation|volume_manager|volume_operation|workqueue)_(.+) + - action: replace + sourceLabels: ["node"] + targetLabel: instance + # Drop high cardinality labels + - action: labeldrop + regex: (uid) + - action: labeldrop + regex: (id|name) + - action: drop + sourceLabels: ["__name__"] + regex: (rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count) + kubeApiServer: + enabled: true + serviceMonitor: + metricRelabelings: + # Remove duplicate labels provided by k3s + - action: keep + sourceLabels: ["__name__"] + regex: 
(aggregator_openapi|aggregator_unavailable|apiextensions_openapi|apiserver_admission|apiserver_audit|apiserver_cache|apiserver_cel|apiserver_client|apiserver_crd|apiserver_current|apiserver_envelope|apiserver_flowcontrol|apiserver_init|apiserver_kube|apiserver_longrunning|apiserver_request|apiserver_requested|apiserver_response|apiserver_selfrequest|apiserver_storage|apiserver_terminated|apiserver_tls|apiserver_watch|apiserver_webhooks|authenticated_user|authentication|disabled_metric|etcd_bookmark|etcd_lease|etcd_request|field_validation|get_token|go|grpc_client|hidden_metric|kube_apiserver|kubernetes_build|kubernetes_feature|node_authorizer|pod_security|process_cpu|process_max|process_open|process_resident|process_start|process_virtual|registered_metric|rest_client|scrape_duration|scrape_samples|scrape_series|serviceaccount_legacy|serviceaccount_stale|serviceaccount_valid|watch_cache|workqueue)_(.+) + # Drop high cardinality labels + - action: drop + sourceLabels: ["__name__"] + regex: (apiserver|etcd|rest_client)_request(|_sli|_slo)_duration_seconds_bucket + - action: drop + sourceLabels: ["__name__"] + regex: (apiserver_response_sizes_bucket|apiserver_watch_events_sizes_bucket) + kubeControllerManager: + enabled: true + endpoints: &cp + - 10.2.118.23 + - 10.2.118.24 + - 10.2.118.25 + serviceMonitor: + metricRelabelings: + # Remove duplicate labels provided by k3s + - action: keep + sourceLabels: ["__name__"] + regex: 
"(apiserver_audit|apiserver_client|apiserver_delegated|apiserver_envelope|apiserver_storage|apiserver_webhooks|attachdetach_controller|authenticated_user|authentication|cronjob_controller|disabled_metric|endpoint_slice|ephemeral_volume|garbagecollector_controller|get_token|go|hidden_metric|job_controller|kubernetes_build|kubernetes_feature|leader_election|node_collector|node_ipam|process_cpu|process_max|process_open|process_resident|process_start|process_virtual|pv_collector|registered_metric|replicaset_controller|rest_client|retroactive_storageclass|root_ca|running_managed|scrape_duration|scrape_samples|scrape_series|service_controller|storage_count|storage_operation|ttl_after|volume_operation|workqueue)_(.+)" + kubeEtcd: + enabled: true + endpoints: *cp + kubeProxy: + enabled: false + kubeScheduler: + enabled: false + kubeStateMetrics: + enabled: true + kube-state-metrics: + fullnameOverride: kube-state-metrics + releaseLabel: true # enable servicemonitor scraping with kube-prometheus-stack out of the box + metricLabelsAllowlist: + - "deployments=[*]" + - "persistentvolumeclaims=[*]" + - "pods=[*]" + prometheus: + monitor: + enabled: true + relabelings: + - action: replace + sourceLabels: ["__meta_kubernetes_pod_node_name"] + regex: ^(.*)$ + replacement: $1 + targetLabel: kubernetes_node + + nodeExporter: + enabled: false + + prometheusOperator: + resources: + requests: + cpu: 35m + memory: 273M + limits: + memory: 326M + prometheusConfigReloader: + # resource config for prometheusConfigReloader + resources: + requests: + cpu: 5m + memory: 32M + limits: + memory: 32M + + prometheus: + enabled: true + fullNameOverride: prometheus + ingress: + enabled: true + ingressClassName: internal + annotations: + nginx.ingress.kubernetes.io/whitelist-source-range: | + 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + hosts: + - &host "prometheus.${SECRET_DOMAIN}" + tls: + - hosts: + - *host + prometheusSpec: + replicas: 1 + replicaExternalLabelName: __replica__ + enableAdminAPI: true 
+ externalLabels: + cluster: home-kubernetes + additionalScrapeConfigsSecret: + enabled: true + name: prometheus-additional-scrape-configs + key: additionalScrapeConfigs + + podMonitorSelectorNilUsesHelmValues: false + probeSelectorNilUsesHelmValues: false + ruleSelectorNilUsesHelmValues: false + serviceMonitorSelectorNilUsesHelmValues: false + scrapeConfigSelectorNilUsesHelmValues: false + + resources: + requests: + cpu: 763m + memory: 7Gi + limits: + memory: 7Gi + + retention: 3d + retentionSize: 8GiB + walCompression: true + storageSpec: + volumeClaimTemplate: + spec: + storageClassName: ceph-block + resources: + requests: + storage: 10Gi - global: - rbac: - create: true - - valuesFrom: - - kind: ConfigMap - name: values-alertmanager - - kind: ConfigMap - name: values-grafana - - kind: ConfigMap - name: values-kube-state-metrics - - kind: ConfigMap - name: values-node-exporter - - kind: ConfigMap - name: values-prometheus-exporters - - kind: ConfigMap - name: values-prometheus-operator - - kind: ConfigMap - name: values-prometheus - - kind: ConfigMap - name: values-rules - - ### exclude ceph-fs storageclass from inode calculations - ### CephFS doesn't have the same notion of inodes as other fs do because it expands them dynamically. - ### It reports a non-valid value to the check (0), causing it to trigger that alert - ### https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack/templates/prometheus/rules-1.14 # yamllint disable-line rule:line-length postRenderers: - # use built-in "kustomize" post renderer. 
- kustomize: patches: - target: - group: monitoring.coreos.com version: v1 - kind: PrometheusRule - name: kps-kubernetes-storage - namespace: monitoring - patch: | - # KubePersistentVolumeInodesFillingUp | critical - - op: replace - path: /spec/groups/0/rules/2/expr - value: | - ( - kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"} - / - kubelet_volume_stats_inodes{job="kubelet", namespace=~".*", metrics_path="/metrics"} - ) < 0.03 - and - kubelet_volume_stats_inodes_used{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0 - - unless on(namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_access_mode{access_mode="ReadOnlyMany"}== 1 - - unless on(namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"}== 1 - - unless on(namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_info{storageclass=~"ceph.*"} == 1 - - # KubePersistentVolumeInodesFillingUp | warning - - op: replace - path: /spec/groups/0/rules/3/expr - value: | - ( - kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"} - / - kubelet_volume_stats_inodes{job="kubelet", namespace=~".*", metrics_path="/metrics"} - ) < 0.15 - and - kubelet_volume_stats_inodes_used{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0 - and - predict_linear( - kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"}[6h], - 4 * 24 * 3600 - ) < 0 - - unless on(namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_access_mode{access_mode="ReadOnlyMany"}== 1 - - unless on(namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"}== 1 - - unless on(namespace, persistentvolumeclaim) - kube_persistentvolumeclaim_info{storageclass=~"ceph.*"} == 1 + kind: ConfigMap + labelSelector: grafana_dashboard in (1) + patch: |- + apiVersion: v1 + kind: ConfigMap + metadata: + name: not-used + namespace: 
not-used + annotations: + grafana_folder: Kubernetes + # ### exclude ceph-fs storageclass from inode calculations + # ### CephFS doesn't have the same notion of inodes as other fs do because it expands them dynamically. + # ### It reports a non-valid value to the check (0), causing it to trigger that alert + # ### https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack/templates/prometheus/rules-1.14 # yamllint disable-line rule:line-length + # - kustomize: + # patches: + # - target: + # group: monitoring.coreos.com + # version: v1 + # kind: PrometheusRule + # name: kps-kubernetes-storage + # namespace: monitoring + # patch: | + # # KubePersistentVolumeInodesFillingUp | critical + # - op: replace + # path: /spec/groups/0/rules/2/expr + # value: | + # ( + # kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"} + # / + # kubelet_volume_stats_inodes{job="kubelet", namespace=~".*", metrics_path="/metrics"} + # ) < 0.03 + # and + # kubelet_volume_stats_inodes_used{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0 + + # unless on(namespace, persistentvolumeclaim) + # kube_persistentvolumeclaim_access_mode{access_mode="ReadOnlyMany"}== 1 + + # unless on(namespace, persistentvolumeclaim) + # kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"}== 1 + + # unless on(namespace, persistentvolumeclaim) + # kube_persistentvolumeclaim_info{storageclass=~"ceph.*"} == 1 + + # # KubePersistentVolumeInodesFillingUp | warning + # - op: replace + # path: /spec/groups/0/rules/3/expr + # value: | + # ( + # kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"} + # / + # kubelet_volume_stats_inodes{job="kubelet", namespace=~".*", metrics_path="/metrics"} + # ) < 0.15 + # and + # kubelet_volume_stats_inodes_used{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0 + # and + # predict_linear( + # kubelet_volume_stats_inodes_free{job="kubelet", 
namespace=~".*", metrics_path="/metrics"}[6h], + # 4 * 24 * 3600 + # ) < 0 + + # unless on(namespace, persistentvolumeclaim) + # kube_persistentvolumeclaim_access_mode{access_mode="ReadOnlyMany"}== 1 + + # unless on(namespace, persistentvolumeclaim) + # kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"}== 1 + + # unless on(namespace, persistentvolumeclaim) + # kube_persistentvolumeclaim_info{storageclass=~"ceph.*"} == 1 diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml index 8300cbe68..71b0d5c04 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml @@ -2,14 +2,17 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: monitoring resources: - ./helmrelease.yaml - ./secret-additionalScrapeConfigs.sops.yaml - - ./values-alertmanager.yaml - - ./values-grafana.yaml - - ./values-kube-state-metrics.yaml - - ./values-node-exporter.yaml - - ./values-prometheus-exporters.yaml - - ./values-prometheus-operator.yaml - - ./values-prometheus.yaml - - ./values-rules.yaml + +configMapGenerator: + - name: alertmanager-config-tpl + files: + - alertmanager.yaml=./alertmanager.yaml +generatorOptions: + disableNameSuffixHash: true + annotations: + kustomize.toolkit.fluxcd.io/substitute: disabled + reloader.stakater.com/match: "true" diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/secret-additionalScrapeConfigs.sops.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/secret-additionalScrapeConfigs.sops.yaml index 6c112bb2f..ebc012c1b 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/secret-additionalScrapeConfigs.sops.yaml 
+++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/secret-additionalScrapeConfigs.sops.yaml @@ -7,7 +7,7 @@ metadata: annotations: reloader.stakater.com/match: "true" stringData: - additionalScrapeConfigs: ENC[AES256_GCM,data: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,iv:/sTLTb9bYfyoO9SuJ2FuZMChIlOdZ5enzHjZJixLYYU=,tag:gxTgNPHkED0YxTGeoNvCoQ==,type:str] + additionalScrapeConfigs: ENC[AES256_GCM,data:Fp6hFjhnoL9F1K8qlrsj93iH2Z20XqcSWnkTJtZQFBwCRhgRUulxx20zEDZvQ/mYjlqYqvQtG+4TSL22+6qOqKMAUSa8q0ggH9XWE7szmT2UdVCyEEGU6uqKfRe1H4rV7J3xiLVFF/aeQjfPizUwnZbNsV7iXzLVipgtaFaI0cvYQKvrOvPLlvKpazPLaJXoHNPh620I8N1rO7Qp6730qAkfm85aisTOJypPXeYHXwKj9OursjfCbA78jl/gliKTi0CBYG+uRtDdyn0kSEbgFuVpLgr1c9Z/3wmPMTPO8UsPhRBqdu6w9yCpATZpWHE9riDux2urYq7CdK1H4GysFhWWZf+2EXLa1JrE1K1suHTnAeW4EWDg7SIH928uA4FDxbNc3kzM3kLuonUO4h+rY+Od+MwJcy3rPcpgRm0YXcFsAOKOoxx9lM849wx39jkzMryMqOh9hVTl5LK0k7yNmnqKhf6zORD4fy4KW8yBAd/qhiNY+9s+xkNdQNG4nh+9cPJs78UCVG3khJvSB9DCrKNACl2lWPIHQz7LovFF5xgnrdG2Xoy4I+t/v0Hm0b4Paz7aB2uenHndzUP9ygtvxMo63q5xymnWOPliydkJJRq6kTkzUJhcPwy1Iad0fDbbC//2VV7cOmpADTwdNmNalMvxQt5JHuU8l2l0wMWY6uPhBUm/PnHsDOqxH4Pd622OsvjAxRrtouql6Bo4ovuDyFaF+dvFlUpDrcCcglwV58d2izxhBPZLmbf+g2lQ11DnXv+q/PknrRMhuHr0wmxJB1T3/8Mgc9FOvUwQELw5ZPxzK5aOByQ563iWt1jzG+KnEoyVq94zqrYVZokDB60dFIeQczMxqIXUSyQhdI9b43CPxG5drLbgA6MoMZgIueNCKy0XLnzh+MzpcRXHr7TJKpi3oJScB3bMGrtdKZPzmKDFRIBtODEdalAVDZyeoPhbdd4pVToumfZJu4ZkQ021kp7UCXuFEhqfZpPZm+uiHpiuWFNJp6ZlQ60NyLzFe/ZJ2Hrbo09/vT8d0Jmj3Tp+hAlnRJUmgH4xJxVsxnwLuqJuck9DDKrd4HVpOijgIOUphk8cyeX3qkQfHaGuGglT19d/3HYe7WzzLvIVJ94xDR7CWo8k6XTQGg+flPdH5MCmRN6pH2ZPsIHOHKE797VNC7mApIseQOCL0udTVbAXuACpOxdh1pJRgZk7Lns=,iv:zxd27lZFmiPNXl9cAxYGC/Bfq3hIXDSbkeVMzwP6tVA=,tag:JGc8+8+f8E34SKoel0U8vg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -17,14 +17,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZEZoTkptajdwU1l3dnIw - V3ZWQVlzZG5HQWpjV2puSzhkbDVYbXU0T0FnCndibHdZWlBvS3M1OUlwU2xwRkti - dnZWTHAwZER4cE5DM2daVnY2V1ZTV0EKLS0tIDNDY2dUenl0ZGx4cWRtcms0Wjhz - ZmhueUpiWVFRVk1DaDBlT0NYMWhwMkEKf+fGtumbySrWfhG0wSH/51VZ8MHoGbHk - xINdWUbzUBwZZZfI9z4myEdORVw7jaQin3Xsawsv2TVKkcdBDfyaEw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBac2pUUnRBVzJJTGdQQWlX + TEJmd2hRaGZFMXlaNFRhZit2OURqcW5WUXhRClAvUktFcU1XNmJqMkUrY3cvUlZr + Mnh6SUtycjJ1MHFTMEtVaHRqTGVTNVUKLS0tIHFwYW5EbUZPOUNnQ2tGc0NWZVJJ + Z0NCWjAxMzFia3hZV1Fpb2dYLzM3VTgKfhFaBKwcaW2ZFvTUYpFVt7kKJVyBIDHr + D1vTUazm1wttGWf4MYB87PsJ+82oDI1YlCmVHGbzJadh4cH8AtQzLQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-25T23:52:47Z" - mac: ENC[AES256_GCM,data:0WRt6M6AedYEvlPd5K68vF+uqZ6xaSr/xiH0giOjBoAfZLA1LCC4Gk/6wTYn1/qzFWQ87e8/sRsZC8oDH4T+3RQEs9SCONlUJD9pjKj86L2y7DlHj9U9lIp9/Iv1sRW4ExPgy2rvnrWLuBRBz7OpP5ZYO5LZbWT34At2HoKBtV8=,iv:Iknn0NHgZ9i58qMq5OO2+16DFVLceOOJPOStiax2eXs=,tag:xtZIkal4y1VqzM4xWKIEZg==,type:str] + lastmodified: "2023-09-15T22:52:16Z" + mac: ENC[AES256_GCM,data:JuPQ/Pz12lrmKULRKTTweUJEes6X+9dmTdALfXPBLwMrYGin2lMYQ/8NhQiedYFu8mFBf7tHEQYVHz4CX/HY1JbJ5h5DeRLCX7Z777Blb2CKtcMpC3T34IZzvG2QKqV8tv44ZQrtREldglupGRyC40Qp0xXOaFz9go5pAv1vAsw=,iv:o0+fJfqZ907ap9VJ2ID8jaHMA+BC6Rhj5k5U9nGafeo=,tag:cj6cClCAk2jDMcNUIMV6pw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/secret-additionalScrapeConfigs.sops.yaml.tmpl b/kubernetes/apps/monitoring/kube-prometheus-stack/app/secret-additionalScrapeConfigs.sops.yaml.tmpl index 8370a2f5b..ed561d05d 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/secret-additionalScrapeConfigs.sops.yaml.tmpl +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/secret-additionalScrapeConfigs.sops.yaml.tmpl 
@@ -12,7 +12,16 @@ stringData: honor_timestamps: true static_configs: - targets: - - opnsense.${SECRET_DOMAIN}:9100 + - opnsense.${INT_DOMAIN}:9100 + + # run `mc admin prometheus generate ` + - job_name: truenas-minio + bearer_token: ${PROMETHEUS_BEARER_TOKEN} + metrics_path: /minio/v2/metrics/cluster + scheme: https + static_configs: + - targets: + - "${S3_ENDPOINT}" # - job_name: nut-exporter # honor_timestamps: true @@ -26,20 +35,4 @@ stringData: # ups: ["PR1500RT2U"] # server: ["10.2.0.1"] # username: "monuser" - # password: ${SECRET_DEFAULT_PWD} - - # - job_name: graphite-exporter # truenas - # scrape_interval: 1m - # metrics_path: /metrics - # static_configs: - # - targets: - # - graphite-exporter.monitoring.svc.cluster.local:9108 - - # # run `mc admin prometheus generate ` - - job_name: truenas-minio - bearer_token: ${SECRET_PROMETHEUS_BEARER_TOKEN} - metrics_path: /minio/v2/metrics/cluster - scheme: https - static_configs: - - targets: - - "${SECRET_S3_ENDPOINT}" + # password: ${DEFAULT_PWD} diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-alertmanager.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-alertmanager.yaml deleted file mode 100644 index 801b05519..000000000 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-alertmanager.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: values-alertmanager - namespace: monitoring - annotations: - reloader.stakater.com/match: "true" -data: - values.yaml: | - ## ref: https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml - ## ref: https://github.com/prometheus-community/helm-charts/blob/main/charts/alertmanager/values.yaml - alertmanager: - enabled: true - nameOverride: alertmanager - - alertmanagerSpec: - # externalUrl: "https://alertmanager.${SECRET_DOMAIN}" - retention: 72h - storage: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - resources: - requests: - storage: 1Gi - resources: - requests: - cpu: 23m - memory: 53M - limits: - memory: 53M - - # tolerations: [] - # nodeSelector: {} - - ingress: - enabled: true - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/whitelist-source-range: | - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 - hosts: - - &host "alertmanager.${SECRET_DOMAIN}" - tls: - - hosts: - - *host - - ## ref: https://prometheus.io/docs/alerting/alertmanager/ - config: - global: - resolve_timeout: 5m - receivers: - - name: "null" - - name: "email" - email_configs: - - to: "${SECRET_DEFAULT_EMAIL}" - from: "${SECRET_SMTP_ADDRESS}" - smarthost: "${SECRET_SMTP_SRV}:${SECRET_SMTP_PORT}" - auth_username: "${SECRET_SMTP_USER}" - auth_password: "${SECRET_SMTP_PWD}" - # auth_identity: "${SECRET_SMTP_ADDRESS}" - # auth_secret: "${SECRET_SMTP_PWD}" - require_tls: true - # prettier-ignore - text: >- - [{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ if ne .CommonAnnotations.summary ""}}{{ .CommonAnnotations.summary }} {{ else if ne .CommonAnnotations.message ""}}{{ .CommonAnnotations.message }} {{ else if ne .CommonAnnotations.description ""}}{{ .CommonAnnotations.description }} {{ else }}{{ .CommonLabels.alertname }}{{ end }} - - {{ range .Alerts -}} - *Alert:* {{ .Annotations.title }}{{ if 
.Labels.severity }} - `{{ .Labels.severity }}`{{ end }} - {{ if ne .Annotations.summary ""}}*Summary:* {{ .Annotations.summary }} {{ else if ne .Annotations.message ""}}*Message:* {{ .Annotations.message }} {{ else if ne .Annotations.description ""}}*Description:* {{ .Annotations.description }}{{ end }} - *Details:* - {{ range .Labels.SortedPairs }} • *{{ .Name }}:* `{{ .Value }}` - {{ end }} - {{ end }} - - route: - # root route with all parameters are inherited by the child routes if they are not overwritten - receiver: "null" - group_by: ["alertname", "job"] - group_wait: 60s - group_interval: 15m - repeat_interval: 6h - routes: - - receiver: "null" - matchers: - - alertname =~ "InfoInhibitor|Watchdog" - continue: false - - receiver: "email" - matchers: - - severity = "critical" - continue: true - - # Inhibition rules allow to mute a set of alerts given that another alert is firing. - # We use this to mute any warning-level notifications if the same alert is already critical. - inhibit_rules: - - source_matchers: - - severity = "critical" - target_matchers: - - severity = "warning" - equal: ["alertname", "namespace"] diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-grafana.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-grafana.yaml deleted file mode 100644 index ea3a450cc..000000000 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-grafana.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: values-grafana - namespace: monitoring - annotations: - reloader.stakater.com/match: "true" -data: - values.yaml: | - grafana: - enabled: false # manage by itself - forceDeployDashboards: true - sidecar: - dashboards: - multicluster: - global: - enabled: true 
diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-kube-state-metrics.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-kube-state-metrics.yaml deleted file mode 100644 index b5f9c6cba..000000000 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-kube-state-metrics.yaml +++ /dev/null @@ -1,53 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: values-kube-state-metrics - namespace: monitoring - annotations: - reloader.stakater.com/match: "true" -data: - values.yaml: | - kubeStateMetrics: - enabled: true - - kube-state-metrics: - nameOverride: kube-state-metrics - fullnameOverride: kube-state-metrics - - ## set to true to add the release label so scraping of the servicemonitor with kube-prometheus-stack works out of the box - releaseLabel: true - - # allow labels to be parsed from listed types - metricLabelsAllowlist: - - persistentvolumeclaims=[*] - - ## enable prometheus serviceMonitor - prometheus: - monitor: - enabled: true - relabelings: - - action: replace - regex: (.*) - replacement: $1 - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: kubernetes_node - - # Enable self metrics configuration for service and Service Monitor - # Default values for telemetry configuration can be overridden - selfMonitor: - enabled: false - # telemetryHost: 0.0.0.0 - # telemetryPort: 8081 - - resources: - requests: - cpu: 23m - memory: 184Mi - limits: - memory: 256Mi - - tolerations: - - effect: NoSchedule - operator: Exists diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-node-exporter.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-node-exporter.yaml deleted file mode 100644 index 9d8eb71cf..000000000 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-node-exporter.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: values-node-exporter - namespace: monitoring - annotations: - reloader.stakater.com/match: "true" -data: - values.yaml: | - nodeExporter: - enabled: true - prometheus-node-exporter: - nameOverride: node-exporter - fullnameOverride: node-exporter - - extraArgs: - - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/) - - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ - - prometheus: - monitor: - enabled: true - jobLabel: jobLabel - relabelings: - - action: replace - regex: (.*) - replacement: $1 - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: kubernetes_node - - tolerations: - - effect: NoSchedule - operator: Exists - - resources: - requests: - cpu: 36m - memory: 105M - limits: - memory: 105M diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-prometheus-exporters.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-prometheus-exporters.yaml deleted file mode 100644 index 48ca7e64e..000000000 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-prometheus-exporters.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: values-prometheus-exporters - namespace: monitoring - annotations: - reloader.stakater.com/match: "true" -data: - values.yaml: | - coreDns: - enabled: false - kubelet: - enabled: true - serviceMonitor: - metricRelabelings: - - action: replace - sourceLabels: - - node - targetLabel: instance - kubeApiServer: - enabled: true - kubeControllerManager: - enabled: false - # endpoints: - # - 10.2.118.10 - # - 10.2.118.11 - # - 10.2.118.12 - # service: - # enabled: true - # port: 10257 - # targetPort: 10257 - # serviceMonitor: - # enabled: true - # https: true - # insecureSkipVerify: true - kubeEtcd: - enabled: false - # endpoints: - # - 10.2.118.10 - # - 10.2.118.11 - # - 10.2.118.12 - # service: - # enabled: true - # port: 2381 - # targetPort: 2381 - kubeProxy: - enabled: false - # endpoints: - # - 10.2.118.10 - # - 10.2.118.11 - # - 10.2.118.12 - kubeScheduler: - enabled: false - # endpoints: - # - 10.2.118.10 - # - 10.2.118.11 - # - 10.2.118.12 - # service: - # enabled: true - # port: 10259 - # targetPort: 10259 - # serviceMonitor: - # enabled: true - # https: true - # insecureSkipVerify: true diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-prometheus-operator.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-prometheus-operator.yaml deleted file mode 100644 index 87cccf0c3..000000000 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-prometheus-operator.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: values-prometheus-operator - namespace: monitoring - annotations: - reloader.stakater.com/match: "true" -data: - values.yaml: | - ## Manages Prometheus and Alertmanager components - prometheusOperator: - enabled: true - - hostNetwork: false - - ## Resource limits & requests - resources: - requests: - cpu: 23m - memory: 150Mi - limits: - memory: 150Mi - - tolerations: - - effect: NoSchedule - operator: Exists - - ## Define which Nodes the Pods are scheduled on. - # nodeSelector: - # node-role.kubernetes.io/control-plane: "true" - - ## Setting this option to 0 to disable cpu limits - ## see https://github.com/prometheus-operator/prometheus-operator/blob/master/cmd/operator/main.go#L175 - configReloaderCpu: 0 - prometheusConfigReloader: - resources: - requests: - cpu: 11m - memory: 53M - limits: - memory: 53M - - # ## Thanos side-car image when configured - # thanosImage: - # repository: quay.io/thanos/thanos - # tag: v0.25.2 - - # ## Set a Field Selector to filter watched secrets - # secretFieldSelector: "" diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-prometheus.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-prometheus.yaml deleted file mode 100644 index baa489a47..000000000 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-prometheus.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: values-prometheus - namespace: monitoring - annotations: - reloader.stakater.com/match: "true" -data: - values.yaml: | - ## Deploy a Prometheus instance - prometheus: - enabled: true - nameOverride: prometheus - - ## Settings affecting prometheusSpec - ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#prometheusspec - prometheusSpec: - replicas: 1 - replicaExternalLabelName: __replica__ - - enableAdminAPI: true - logLevel: info - - ## External URL at which Prometheus will be reachable. - externalLabels: - cluster: homelab-gitops-k3s - externalUrl: "https://prometheus.${SECRET_DOMAIN}" - - ## If true, a nil or {} value for prometheus.prometheusSpec.___Selector will cause the - ## prometheus resource to be created with selectors based on values in the helm deployment, - ## which will also match the Prometheus___resources created - ruleSelectorNilUsesHelmValues: false - serviceMonitorSelectorNilUsesHelmValues: false - podMonitorSelectorNilUsesHelmValues: false - probeSelectorNilUsesHelmValues: false - - ## retention & compression - retention: 3d - retentionSize: 8GiB - walCompression: true - - ## Prometheus StorageSpec for persistent data - ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/storage.md - storageSpec: - volumeClaimTemplate: - spec: - storageClassName: ceph-block - resources: - requests: - storage: 10Gi - - ## Resource limits & requests - resources: - requests: - cpu: 763m - memory: 7Gi - limits: - memory: 7Gi - - # tolerations: [] - # nodeSelector: {} - podAntiAffinity: hard - podAntiAffinityTopologyKey: kubernetes.io/hostname - - # ## AdditionalScrapeConfigs allows specifying additional Prometheus scrape configurations. - # ## AdditionalScrapeConfigs can be defined as a list or as a templated string. 
- # additionalScrapeConfigs: - # - job_name: node-exporter - # honor_timestamps: true - # static_configs: - # - targets: - # - opnsense.${SECRET_DOMAIN}:9100 - # # - job_name: graphite-exporter # truenas - # # scrape_interval: 1m - # # metrics_path: /metrics - # # static_configs: - # # - targets: - # # - graphite-exporter.monitoring.svc.cluster.local:9108 - - ## use if keys are present INSTEAD of additionalScrapeConfigs - additionalScrapeConfigsSecret: - enabled: true - name: prometheus-additional-scrape-configs - key: additionalScrapeConfigs - - ingress: - enabled: true - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/whitelist-source-range: | - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 - hosts: - - &host "prometheus.${SECRET_DOMAIN}" - tls: - - hosts: - - *host - - # thanos: - # image: quay.io/thanos/thanos:v0.29.0 - # # renovate: datasource=docker depName=quay.io/thanos/thanos - # version: "v0.31.0" - # objectStorageConfig: - # name: thanos-objstore-secret - # key: objstore.yml - - # thanosService: - # enabled: true - # thanosServiceMonitor: - # enabled: true - # thanosServiceExternal: - # enabled: true - # thanosIngress: - # enabled: false diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-rules.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-rules.yaml deleted file mode 100644 index 87708f9de..000000000 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/values-rules.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: values-rules - namespace: monitoring - annotations: - reloader.stakater.com/match: "true" -data: - values.yaml: | - defaultRules: - create: true - rules: - alertmanager: true - # etcd: false # current version causes extra alerts. Use our own. - etcd: true - configReloaders: true - general: true - k8s: true - kubeApiserver: true - kubeApiserverAvailability: true - kubeApiserverSlos: true - kubelet: true - kubeProxy: false - kubePrometheusGeneral: true - kubePrometheusNodeRecording: true - kubernetesApps: true - kubernetesResources: true - kubernetesStorage: true - kubernetesSystem: true - kubeScheduler: false - kubeStateMetrics: true - network: true - node: true - nodeExporterAlerting: true - nodeExporterRecording: true - prometheus: true - prometheusOperator: true diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml index 4d46db14d..494a5c699 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml @@ -3,16 +3,16 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-monitoring-kube-prometheus-stack + name: monitoring-kube-prometheus-stack namespace: flux-system spec: dependsOn: - - name: apps-rook-ceph-cluster + - name: rook-ceph-cluster path: ./kubernetes/apps/monitoring/kube-prometheus-stack/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes wait: true interval: 30m retryInterval: 1m 
@@ -22,16 +22,16 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-monitoring-kube-prometheus-stack-addons + name: monitoring-kube-prometheus-stack-addons namespace: flux-system spec: dependsOn: - - name: apps-monitoring-kube-prometheus-stack - path: ./kubernetes/apps/monitoring/kube-prometheus-stack/add-ons + - name: monitoring-kube-prometheus-stack + path: ./kubernetes/apps/monitoring/kube-prometheus-stack/addons prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/monitoring/kubernetes-dashboard/app/helmrelease.yaml b/kubernetes/apps/monitoring/kubernetes-dashboard/app/helmrelease.yaml index e265f3515..61d525ed1 100644 --- a/kubernetes/apps/monitoring/kubernetes-dashboard/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/kubernetes-dashboard/app/helmrelease.yaml 
@@ -3,81 +3,41 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: &app kubernetes-dashboard - namespace: &namespace monitoring + name: kubernetes-dashboard + namespace: monitoring spec: - interval: 15m + interval: 30m chart: spec: chart: kubernetes-dashboard - version: 7.0.2 + version: 6.0.8 sourceRef: kind: HelmRepository - name: kubernetes-dashboard-charts + name: kubernetes-dashboard namespace: flux-system + maxHistory: 2 install: - createNamespace: true remediation: retries: 3 upgrade: + cleanupOnFail: true remediation: retries: 3 + uninstall: + keepHistory: false values: - api: - containers: - # https://github.com/kubernetes/dashboard/blob/master/docs/common/arguments.md - args: - - --disable-settings-authorizer - - --enable-insecure-login - - --enable-skip-login - - --namespace=monitoring - - --token-ttl=43200 - env: - - name: TZ - value: "${TIMEZONE}" - resources: - requests: - cpu: 100m - memory: 200Mi - limits: - # cpu: 250m - memory: 400Mi - web: - containers: - # args: [] - resources: - requests: - cpu: 100m - memory: 200Mi - limits: - # cpu: 250m - memory: 400Mi + extraArgs: + - --enable-insecure-login + - --enable-skip-login + - --disable-settings-authorizer ingress: - # hosts: - # # Keep 'localhost' host only if you want to access Dashboard using 'kubectl port-forward ...' on: - # # https://localhost:8443 - # - localhost enabled: true - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/whitelist-source-range: | - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + className: internal hosts: - &host "kubernetes.${SECRET_DOMAIN}" - # paths: - # web: / - # api: /api - secretName: null tls: - hosts: - *host + # secretName: kubernetes-dashboard-tls metricsScraper: enabled: true - metrics-server: - enabled: false # installed separately - cert-manager: - enabled: false - nginx: - enabled: false - serviceMonitor: - enabled: false 
diff --git a/kubernetes/apps/monitoring/kubernetes-dashboard/app/kustomization.yaml b/kubernetes/apps/monitoring/kubernetes-dashboard/app/kustomization.yaml index adb2a4f6d..10c006a1a 100644 --- a/kubernetes/apps/monitoring/kubernetes-dashboard/app/kustomization.yaml +++ b/kubernetes/apps/monitoring/kubernetes-dashboard/app/kustomization.yaml @@ -2,6 +2,7 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: monitoring resources: - ./helmrelease.yaml - ./rbac.yaml diff --git a/kubernetes/apps/monitoring/kubernetes-dashboard/ks.yaml b/kubernetes/apps/monitoring/kubernetes-dashboard/ks.yaml index 31a0d5b17..611064808 100644 --- a/kubernetes/apps/monitoring/kubernetes-dashboard/ks.yaml +++ b/kubernetes/apps/monitoring/kubernetes-dashboard/ks.yaml @@ -3,18 +3,18 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-monitoring-kubernetes-dashboard + name: monitoring-kubernetes-dashboard namespace: flux-system spec: dependsOn: - - name: apps-networking-ingress-nginx - - name: apps-monitoring-kube-prometheus-stack + - name: cert-manager + - name: kube-system-metrics-server path: ./kubernetes/apps/monitoring/kubernetes-dashboard/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/monitoring/kustomization.yaml b/kubernetes/apps/monitoring/kustomization.yaml index 9da862260..86e432458 100644 --- a/kubernetes/apps/monitoring/kustomization.yaml +++ b/kubernetes/apps/monitoring/kustomization.yaml 
@@ -2,17 +2,19 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +# yamllint disable rule:comments +# prettier-ignore resources: # Pre Flux-Kustomizations - ./namespace.yaml # Flux-Kustomizations - ./goldilocks/ks.yaml - ./grafana/ks.yaml - # - ./graphite-exporter/ks.yaml - ./karma/ks.yaml - ./kube-prometheus-stack/ks.yaml - # - ./kubernetes-dashboard/ks.yaml + - ./kubernetes-dashboard/ks.yaml # NOTE: do not upgrade; versions>6.* have breaking & unresolved changes - ./nut-exporter/ks.yaml + - ./node-exporter/ks.yaml - ./node-problem-detector/ks.yaml - ./scrutiny/ks.yaml - ./speedtest-exporter/ks.yaml diff --git a/kubernetes/apps/monitoring/namespace.yaml b/kubernetes/apps/monitoring/namespace.yaml index c357cca0a..fc394fd0c 100644 --- a/kubernetes/apps/monitoring/namespace.yaml +++ b/kubernetes/apps/monitoring/namespace.yaml @@ -4,4 +4,4 @@ kind: Namespace metadata: name: monitoring labels: - goldilocks.fairwinds.com/enabled: "true" + kustomize.toolkit.fluxcd.io/prune: disabled # don't prune namespace diff --git a/kubernetes/apps/monitoring/node-exporter/app/helmrelease.yaml b/kubernetes/apps/monitoring/node-exporter/app/helmrelease.yaml new file mode 100644 index 000000000..ddbb147de --- /dev/null +++ b/kubernetes/apps/monitoring/node-exporter/app/helmrelease.yaml 
@@ -0,0 +1,45 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: node-exporter + namespace: monitoring +spec: + interval: 30m + chart: + spec: + chart: prometheus-node-exporter + version: 4.23.2 + sourceRef: + kind: HelmRepository + name: prometheus-community + namespace: flux-system + maxHistory: 2 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + values: + fullnameOverride: node-exporter + releaseLabel: true # disable for victoria-metrics + podLabels: + jobLabel: node-exporter + extraArgs: + - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/) + - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ + prometheus: + monitor: + enabled: true + jobLabel: jobLabel + metricRelabelings: + - action: drop + sourceLabels: ["mountpoint"] + regex: /var/lib/kubelet/pods.+ + rbac: + pspEnabled: false diff --git a/kubernetes/apps/kyverno/kyverno/app/kustomization.yaml b/kubernetes/apps/monitoring/node-exporter/app/kustomization.yaml similarity index 88% rename from kubernetes/apps/kyverno/kyverno/app/kustomization.yaml rename to kubernetes/apps/monitoring/node-exporter/app/kustomization.yaml index adb2a4f6d..27e12039d 100644 --- a/kubernetes/apps/kyverno/kyverno/app/kustomization.yaml +++ b/kubernetes/apps/monitoring/node-exporter/app/kustomization.yaml @@ -2,6 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: monitoring resources: - ./helmrelease.yaml - - ./rbac.yaml 
diff --git a/kubernetes/apps/monitoring/node-exporter/ks.yaml b/kubernetes/apps/monitoring/node-exporter/ks.yaml new file mode 100644 index 000000000..edca2af40 --- /dev/null +++ b/kubernetes/apps/monitoring/node-exporter/ks.yaml @@ -0,0 +1,17 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: monitoring-node-exporter + namespace: flux-system +spec: + path: ./kubernetes/apps/monitoring/node-exporter/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/apps/monitoring/node-problem-detector/app/helmrelease.yaml b/kubernetes/apps/monitoring/node-problem-detector/app/helmrelease.yaml index caf7b4f96..4194f77d7 100755 --- a/kubernetes/apps/monitoring/node-problem-detector/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/node-problem-detector/app/helmrelease.yaml @@ -6,15 +6,14 @@ metadata: name: node-problem-detector namespace: monitoring spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://charts.deliveryhero.io/ chart: node-problem-detector version: 2.3.11 sourceRef: kind: HelmRepository - name: deliveryhero-charts + name: deliveryhero namespace: flux-system values: metrics: diff --git a/kubernetes/apps/monitoring/node-problem-detector/app/kustomization.yaml b/kubernetes/apps/monitoring/node-problem-detector/app/kustomization.yaml index 17cbc72b2..27e12039d 100755 --- a/kubernetes/apps/monitoring/node-problem-detector/app/kustomization.yaml +++ b/kubernetes/apps/monitoring/node-problem-detector/app/kustomization.yaml @@ -2,5 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: monitoring resources: - ./helmrelease.yaml 
diff --git a/kubernetes/apps/monitoring/node-problem-detector/ks.yaml b/kubernetes/apps/monitoring/node-problem-detector/ks.yaml index 6b187c9cb..88dcfd7f7 100644 --- a/kubernetes/apps/monitoring/node-problem-detector/ks.yaml +++ b/kubernetes/apps/monitoring/node-problem-detector/ks.yaml @@ -3,17 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-monitoring-node-problem-detector + name: monitoring-node-problem-detector namespace: flux-system spec: dependsOn: - - name: apps-monitoring-kube-prometheus-stack + - name: monitoring-kube-prometheus-stack path: ./kubernetes/apps/monitoring/node-problem-detector/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/monitoring/nut-exporter/app/helmrelease.yaml b/kubernetes/apps/monitoring/nut-exporter/app/helmrelease.yaml index ed5f1ddff..f820c5045 100644 --- a/kubernetes/apps/monitoring/nut-exporter/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/nut-exporter/app/helmrelease.yaml @@ -6,14 +6,14 @@ metadata: name: &app nut-exporter namespace: monitoring spec: - interval: 15m + interval: 30m chart: spec: chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: remediation: @@ -26,7 +26,7 @@ spec: repository: ghcr.io/druggeri/nut_exporter tag: 3.0.0 env: - TZ: "${TZ}" + TZ: "${TIMEZONE}" envFrom: - secretRef: name: *app diff --git a/kubernetes/apps/monitoring/nut-exporter/app/kustomization.yaml b/kubernetes/apps/monitoring/nut-exporter/app/kustomization.yaml index 052a7af63..d405629b6 100644 --- a/kubernetes/apps/monitoring/nut-exporter/app/kustomization.yaml +++ b/kubernetes/apps/monitoring/nut-exporter/app/kustomization.yaml 
@@ -2,6 +2,7 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: monitoring resources: - ./helmrelease.yaml - ./prometheusrule.yaml @@ -9,7 +10,6 @@ resources: configMapGenerator: - name: nut-exporter-dashboard - namespace: monitoring files: - ./nut-exporter-dashboard.json # - nut-exporter.json=https://grafana.com/api/dashboards/15406/revisions/2/download diff --git a/kubernetes/apps/monitoring/nut-exporter/app/secret.sops.yaml b/kubernetes/apps/monitoring/nut-exporter/app/secret.sops.yaml index b53cd6d0b..804b88929 100644 --- a/kubernetes/apps/monitoring/nut-exporter/app/secret.sops.yaml +++ b/kubernetes/apps/monitoring/nut-exporter/app/secret.sops.yaml @@ -7,9 +7,9 @@ metadata: annotations: reloader.stakater.com/match: "true" stringData: - NUT_EXPORTER_SERVER: ENC[AES256_GCM,data:dVZIqYxUqNE=,iv:xSOuFK/XdYGjG782f+PcJ+t3T0y4XmM+HzG965aRvV8=,tag:agno190vrz5qKr2CTqLVdQ==,type:str] - NUT_EXPORTER_USERNAME: ENC[AES256_GCM,data:TZhIvPiCAw==,iv:Db7cD1MWbxzfr8b6kc0In2OSF+NYR4it9YYUrtjjbL8=,tag:nR7wl9uL/TUqt7HdUZF53w==,type:str] - NUT_EXPORTER_PASSWORD: ENC[AES256_GCM,data:P9P9v93cwJ4CEn3O,iv:0/nzaXva0ArixLmYyA1+OofrJ4qhcUsuQK3jkyIBkHQ=,tag:x5TOlPdkibbpTUMZep0ROA==,type:str] + NUT_EXPORTER_SERVER: ENC[AES256_GCM,data:/gEB/Zna3pA=,iv:dmUCaOkd72tCXQq2kS25Jesyh9ghmrXtMutP/PrluWE=,tag:+mT5234DvSwKdMThCm3vaQ==,type:str] + NUT_EXPORTER_USERNAME: ENC[AES256_GCM,data:I+oJrCAYQA==,iv:HZVGzVUCydf0BHhqhRhBdq1DpA5KfxOn/9qfkvyASDM=,tag:vCJMC6ewD/RMt+OAbAA+ww==,type:str] + NUT_EXPORTER_PASSWORD: ENC[AES256_GCM,data:8S+B2pyA7VGtrERx,iv:L1kB/NtjHJQVkayDclMZUAqxgrPdIbZWGrqkR/hRoeQ=,tag:K18g42+f14+VnqpAUo5FKQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -19,14 +19,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZY3ZkdXR2TXhWNm9peFJR - ZlV1UzV5Q0N4cGFHRXFpd1FVR2NjTm1pTlQwCjVnczVZMGlENnRyZjhibkVuZ2Fi - QTJhTGJaRHVtZHFtM1FIa2R1VmpTRTgKLS0tIHhaRjNLOEhYS1JNRXFNUFloaHVX - NUh3bFY3SWpWZUFPOFV2bGF4ZWtJWjAKnDuDZtsC6qihPOgeqwlTdzj+XXjKFbWs - MYgS82bk8CTKkzc/hVQM1LWLOVJ6bRkXpWb/g+kXRLdxVp5Cq9B05Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlT05LaDdOYTY3dEc3UkJu + c1VnTWQzMk5pbW1lL0NRS2hBMW83bzdRSXhzCjB1dERibkZ2ME9hMHN2YTYrVk4x + c2wyejFEc3ZjNjhqN3FVSUY3SFBCWGsKLS0tIHEzK05uNlRZQStqZ042cnB0RHNh + aTQ0OGtYdzk2OWEwY3lrUU8ybkpwWmMK5hfh2slHa3jsGYVPuObrZrp4eV6xlJXO + Uhbo5ykOZ5eMdtNB7R0nXtkSWUThOfAxxWHGjg/2gUpjfqWcgYEcTA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-15T13:37:50Z" - mac: ENC[AES256_GCM,data:TQtxBHUe84P+aGgdDQws2HPAeU/DNLdKAceZQtGF/0YTtllEHpoSLC/Y+9/W34VjbGGdO8X2Ld8w9nQd/U9F2R8Q2Pg85XCCPzhLWP0/H8j3e5QuKMduQU40xoCTQJk5a1zCkICUw1qEdlmVvwCg/BXaD4Jhs7Rl6IIzs9rHYx4=,iv:0cahVr65ZebtyvuTug6PNQ+GQWrx1llRWHd+ldAMjrQ=,tag:AYS03EA/VEH2T/jsTiWsLQ==,type:str] + lastmodified: "2023-09-15T01:05:35Z" + mac: ENC[AES256_GCM,data:swk81xW3x0GtbxN8WnrfcbzqfuT3BvLdZjO/WfVpGF830m9cWso+m/i0E0kmGWgmq6ZtH6ic6PW1pIhKXGHp/y3TT3/YOZPsrSm7mVVa4FoJni4VaZ7YzDKNh4yhtpsUwbfJ6341fD5/4K4v27Q3KjeyTk2UKjApmuT+M7h4BrU=,iv:rxV6zikh4pUlWzjmx7SpUjC7cUB5umSSWABv2nNdHYQ=,tag:ew0RlVm/C/+wtG3/lXV4Eg==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/monitoring/nut-exporter/app/secret.sops.yaml.tmpl b/kubernetes/apps/monitoring/nut-exporter/app/secret.sops.yaml.tmpl index 3a9b5ab97..9ada1d036 100644 --- a/kubernetes/apps/monitoring/nut-exporter/app/secret.sops.yaml.tmpl +++ b/kubernetes/apps/monitoring/nut-exporter/app/secret.sops.yaml.tmpl 
@@ -9,4 +9,4 @@ metadata: stringData: NUT_EXPORTER_SERVER: "10.2.0.1" NUT_EXPORTER_USERNAME: "monuser" - NUT_EXPORTER_PASSWORD: "${SECRET_DEFAULT_PWD}" + NUT_EXPORTER_PASSWORD: "${DEFAULT_PWD}" diff --git a/kubernetes/apps/monitoring/nut-exporter/ks.yaml b/kubernetes/apps/monitoring/nut-exporter/ks.yaml index 8c4482f7b..54475716f 100644 --- a/kubernetes/apps/monitoring/nut-exporter/ks.yaml +++ b/kubernetes/apps/monitoring/nut-exporter/ks.yaml @@ -3,18 +3,18 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-monitoring-nut-exporter + name: monitoring-nut-exporter namespace: flux-system spec: dependsOn: - - name: apps-monitoring-kube-prometheus-stack - - name: apps-monitoring-grafana + - name: monitoring-kube-prometheus-stack + - name: monitoring-grafana path: ./kubernetes/apps/monitoring/nut-exporter/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/monitoring/scrutiny/README.md b/kubernetes/apps/monitoring/scrutiny/README.md index 54c8c83af..db4f30163 100644 --- a/kubernetes/apps/monitoring/scrutiny/README.md +++ b/kubernetes/apps/monitoring/scrutiny/README.md @@ -19,6 +19,7 @@ Scrutiny is deployed as 3 distinct components: ## [TrueNAS setup](https://github.com/AnalogJ/scrutiny/blob/master/docs/INSTALL_HUB_SPOKE.md) +> Add'l references: [docker-compose](https://github.com/AnalogJ/scrutiny/blob/master/docker/example.hubspoke.docker-compose.yml) > NOTE: Scrutiny collector may need to be installed after every TrueNAS update! 1. Scrutiny needs Smartmontools version 7+. Check on the TrueNAS terminal that version 7 is installed. diff --git a/kubernetes/apps/monitoring/scrutiny/app/helmrelease-collector.yaml b/kubernetes/apps/monitoring/scrutiny/app/helmrelease-collector.yaml index 082c820d5..453fe3686 100644 --- a/kubernetes/apps/monitoring/scrutiny/app/helmrelease-collector.yaml 
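Review bot: the template now reads `${DEFAULT_PWD}` instead of `${SECRET_DEFAULT_PWD}`, so whatever renders `secret.sops.yaml.tmpl` before encryption must export the renamed variable; if it does not, the password is rendered empty and encrypted as such. The committed `secret.sops.yaml` was re-encrypted in this commit (`lastmodified: "2023-09-15T01:05:35Z"`), so check it was generated with the new variable set. The same rename applies to `${CROWDSEC_ENROLL_KEY}` / `${CROWDSEC_BOUNCER_KEY}` further down; keep the two naming schemes from drifting.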
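Review bot: renaming the Flux Kustomization `apps-monitoring-nut-exporter` to `monitoring-nut-exporter` creates a new object and deletes the old one, and the old one carried `prune: true`; Flux garbage-collects a deleted Kustomization's inventory, so verify after reconciliation that the HelmRelease was adopted rather than deleted and recreated (this affects every renamed `ks.yaml` in this patch). `wait: false` also weakens `dependsOn` for anything depending on this Kustomization: dependents now proceed once manifests are applied, not once the HelmRelease is Ready. The `home-kubernetes` GitRepository must exist in `flux-system` before these land.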
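Review bot: the new `> Add'l references:` line sits directly above the existing `> NOTE:` line with no blank line between them, so Markdown renders both as a single blockquote paragraph ("Add'l references: ... NOTE: Scrutiny collector may need ..."); add a blank line between the two quotes or fold the link into the note.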
+++ b/kubernetes/apps/monitoring/scrutiny/app/helmrelease-collector.yaml @@ -6,15 +6,14 @@ metadata: name: scrutiny-collector namespace: monitoring spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: createNamespace: true diff --git a/kubernetes/apps/monitoring/scrutiny/app/helmrelease-influxdb.yaml b/kubernetes/apps/monitoring/scrutiny/app/helmrelease-influxdb.yaml index 348b08da1..0c6175ded 100644 --- a/kubernetes/apps/monitoring/scrutiny/app/helmrelease-influxdb.yaml +++ b/kubernetes/apps/monitoring/scrutiny/app/helmrelease-influxdb.yaml @@ -6,15 +6,14 @@ metadata: name: scrutiny-influxdb namespace: monitoring spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: createNamespace: true diff --git a/kubernetes/apps/monitoring/scrutiny/app/helmrelease-scrutiny.yaml b/kubernetes/apps/monitoring/scrutiny/app/helmrelease-scrutiny.yaml index 87479df8f..dd50eafc1 100644 --- a/kubernetes/apps/monitoring/scrutiny/app/helmrelease-scrutiny.yaml +++ b/kubernetes/apps/monitoring/scrutiny/app/helmrelease-scrutiny.yaml @@ -1,4 +1,3 @@ -# https://github.com/AnalogJ/scrutiny/blob/master/docker/example.hubspoke.docker-compose.yml --- # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json apiVersion: helm.toolkit.fluxcd.io/v2beta1 
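Review bot: dropping the `# renovate: registryUrl=https://bjw-s.github.io/helm-charts` comment at the same time as renaming the HelmRepository to `bjw-s` removes the hint a Renovate regex manager would have used; make sure Renovate's `flux` manager is enabled and the `bjw-s` HelmRepository object is defined in this repo, otherwise `app-template 1.5.1` stops receiving update PRs. The same comment removal recurs in the influxdb, scrutiny, cloudflared and crowdsec HelmReleases below.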
@@ -7,15 +6,14 @@ metadata: name: &app scrutiny namespace: monitoring spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: createNamespace: true @@ -39,7 +37,7 @@ spec: ingress: main: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/monitoring/scrutiny/app/kustomization.yaml b/kubernetes/apps/monitoring/scrutiny/app/kustomization.yaml index aa4a20c6d..df0f6219a 100644 --- a/kubernetes/apps/monitoring/scrutiny/app/kustomization.yaml +++ b/kubernetes/apps/monitoring/scrutiny/app/kustomization.yaml @@ -2,6 +2,7 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: monitoring resources: - ./helmrelease-collector.yaml - ./helmrelease-influxdb.yaml diff --git a/kubernetes/apps/monitoring/scrutiny/app/pvc.yaml b/kubernetes/apps/monitoring/scrutiny/app/pvc.yaml index cc9ed0b77..7882c3d47 100644 --- a/kubernetes/apps/monitoring/scrutiny/app/pvc.yaml +++ b/kubernetes/apps/monitoring/scrutiny/app/pvc.yaml @@ -2,8 +2,12 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: scrutiny + name: &app scrutiny namespace: monitoring + labels: + app.kubernetes.io/name: *app + app.kubernetes.io/instance: *app + # snapshot.home.arpa/enabled: "true" spec: accessModes: - ReadWriteMany diff --git a/kubernetes/apps/monitoring/scrutiny/ks.yaml b/kubernetes/apps/monitoring/scrutiny/ks.yaml index d255562a6..365ab6275 100644 --- a/kubernetes/apps/monitoring/scrutiny/ks.yaml +++ b/kubernetes/apps/monitoring/scrutiny/ks.yaml 
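Review bot: with `ingressClassName: internal` the scrutiny UI is served only by the internal controller (10.2.118.3 in the networking README), so the retained `nginx.ingress.kubernetes.io/whitelist-source-range` annotation becomes a second layer rather than the sole control; keep it, since it still protects the app if the class is ever flipped to `external`. In `pvc.yaml`, the commented-out `snapshot.home.arpa/enabled: "true"` label is inert; either drop it or enable it if scrutiny's SMART history should be covered by volume snapshots.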
@@ -3,17 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-monitoring-scrutiny + name: monitoring-scrutiny namespace: flux-system spec: dependsOn: - - name: apps-rook-ceph-cluster + - name: rook-ceph-cluster path: ./kubernetes/apps/monitoring/scrutiny/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/monitoring/speedtest-exporter/app/helmrelease.yaml b/kubernetes/apps/monitoring/speedtest-exporter/app/helmrelease.yaml index 5a38d2ba7..1e025496e 100644 --- a/kubernetes/apps/monitoring/speedtest-exporter/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/speedtest-exporter/app/helmrelease.yaml @@ -6,14 +6,14 @@ metadata: name: speedtest-exporter namespace: monitoring spec: - interval: 15m + interval: 30m chart: spec: chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system install: createNamespace: true diff --git a/kubernetes/apps/monitoring/speedtest-exporter/app/kustomization.yaml b/kubernetes/apps/monitoring/speedtest-exporter/app/kustomization.yaml index 7ae485820..099cc1df5 100644 --- a/kubernetes/apps/monitoring/speedtest-exporter/app/kustomization.yaml +++ b/kubernetes/apps/monitoring/speedtest-exporter/app/kustomization.yaml @@ -2,12 +2,12 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: monitoring resources: - ./helmrelease.yaml configMapGenerator: - name: speedtest-dashboard - namespace: monitoring files: - ./speedtest-exporter-dashboard.json # - speedtest-dashboard.json=https://raw.githubusercontent.com/MiguelNdeCarvalho/speedtest-exporter/main/Dashboard/Speedtest-Exporter.json 
diff --git a/kubernetes/apps/monitoring/speedtest-exporter/ks.yaml b/kubernetes/apps/monitoring/speedtest-exporter/ks.yaml index 037be1467..d26f8a4d9 100644 --- a/kubernetes/apps/monitoring/speedtest-exporter/ks.yaml +++ b/kubernetes/apps/monitoring/speedtest-exporter/ks.yaml @@ -3,18 +3,18 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-monitoring-speedtest-exporter + name: monitoring-speedtest-exporter namespace: flux-system spec: dependsOn: - - name: apps-monitoring-kube-prometheus-stack - - name: apps-monitoring-grafana + - name: monitoring-kube-prometheus-stack + - name: monitoring-grafana path: ./kubernetes/apps/monitoring/speedtest-exporter/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/networking/README.md b/kubernetes/apps/networking/README.md index 048579a4c..0daebe5e1 100644 --- a/kubernetes/apps/networking/README.md +++ b/kubernetes/apps/networking/README.md 
@@ -1 +1,61 @@ -# Networking +# 🌐 Networking + +```txt + "appname.domain.com" + + internal: external: + + ┌───────────────┐ + *dns lookup* │ external-dns │ + │ │ creates │ + ▼ │ dns record │ + split-dns: └──────┬────────┘ + if domain.com: │ + use k8s_gateway ▼ + as resolver *dns lookup* + │ │ + │ │ + ┌───────▼───────┐ ▼ + │ k8s_gateway │ public + │ 10.2.118.2 │ cloudflare IP + └───────┬─┬─────┘ │ + │ │ │ + │ │ ┌─▼─────────────┐ + │ │ │ │ +┌──────────┼─┼────────────────┤ cloudflared │ +│ │ │ │ │ +│ │ └────────┐ └──┬──────────┬─┘ +│ │ │ │ │ +│ ┌───────▼───────┐ │ ┌───────▼───────┐ │ +│ │ internal │ │ │ external │ │ +│ │ ingress-nginx │ └──► ingress-nginx │ │ +│ │ 10.2.118.3 │ │ 10.2.118.4 │ │ +│ └───────┬───────┘ └───────┬───────┘ │ +│ │ │ │ +│ │ │ │ +│ ┌───────▼───────┐ ┌───────▼───────┐ │ +│ │ internal │ │ external │ │ +│ │ application │ │ application │ │ +│ └───────────────┘ └───────────────┘ │ +│ │ +└───────────────────────────────────────────┘ + k8s cluster + https://asciiflow.com/ +``` + +## 🌎 Public Applications + +The `external-dns` application will create public DNS records. +External-facing application access relies on a `cloudflared` tunnel to access the external `ingress-nginx`, +which acts as a reverse proxy to the application. + +By default, `echo-server` and the `flux-webhook` are the only subdomains reachable from the public internet. +In order to make additional applications public you must set set the correct ingress class name and ingress annotations (see the `echo-server` HelmRelease). + +## 🏠 Private Applications + +`k8s_gateway` will provide DNS resolution to Kubernetes entrypoints from any device that uses your home DNS server. +For this to work, your home DNS server must be configured to forward DNS queries for `${bootstrap_cloudflare_domain}` to `${bootstrap_k8s_gateway_addr}` instead of the upstream DNS server(s) it normally uses. +This is a form of **split DNS** (aka split-horizon DNS / conditional forwarding). 
+ +Internal/Private applications will access external and/or internal ingress-nginx local/private IP(s) provided by k8s_gateway diff --git a/kubernetes/apps/networking/cloudflared/app/config.yaml b/kubernetes/apps/networking/cloudflared/app/config.yaml deleted file mode 100644 index eabde181d..000000000 --- a/kubernetes/apps/networking/cloudflared/app/config.yaml +++ /dev/null 
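Review bot: the README's claim that only `echo-server` and `flux-webhook` are public describes a convention, not an enforced rule: the new cloudflared `config.yaml` forwards `*.${SECRET_DOMAIN}` to the external ingress-nginx, so any Ingress that sets `ingressClassName: external` becomes reachable from the internet (and external-dns publishes its name). Say that explicitly in the "Public Applications" section. Also: "set set" is a doubled word; `${bootstrap_cloudflare_domain}` and `${bootstrap_k8s_gateway_addr}` look like placeholders inherited from a template repo and do not match the `${SECRET_DOMAIN}` variable and the `10.2.118.2` address used elsewhere on this page; and the final sentence lacks a full stop.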
@@ -1,51 +0,0 @@ ---- -# Name of the tunnel you want to run -tunnel: k8s-argo-tunnel -credentials-file: /etc/cloudflared/credentials.json -metrics: 0.0.0.0:2000 -no-autoupdate: true -originRequest: - connectTimeout: 30s - # Hostname that cloudflared should expect from your origin server certificate - originServerName: ${SECRET_DOMAIN} -warp-routing: - enabled: false - -# The `ingress` block tells cloudflared which local service to route incoming requests to. -# To route traffic from the internet to cloudflared, run: -# ```sh -# cloudflared tunnel route dns k8s-argo-tunnel -# ```` -# https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/ingress -ingress: - ### Proxy traefik to the k8s ingress to hand off to Services - # internet --> cloudflared tunnel --> local DNS --> ingress --> service - ### NOTE: relies on split-brain DNS / local overrides - - hostname: echo.${SECRET_DOMAIN} - service: https://ingress-nginx-controller.networking.svc.cluster.local - # - hostname: httpbin.${SECRET_DOMAIN} - # service: https://ingress-nginx-controller.networking.svc.cluster.local:443 - - hostname: linkding.${SECRET_DOMAIN} - service: https://ingress-nginx-controller.networking.svc.cluster.local - - hostname: miniflux.${SECRET_DOMAIN} - service: https://ingress-nginx-controller.networking.svc.cluster.local - - hostname: opengist.${SECRET_DOMAIN} - service: https://ingress-nginx-controller.networking.svc.cluster.local - - ### Proxy traffic to the k8s Services directly - - hostname: flux-receiver.${SECRET_DOMAIN} - service: http://webhook-receiver.flux-system:80 - # - hostname: ghar-webhook.${SECRET_DOMAIN} - # service: http://actions-runner-controller-github-webhook-server.actions-runner-system:80 - - # This rule sends traffic to the built-in hello-world HTTP server. This can help debug connectivity issues. 
- # If hello.${SECRET_DOMAIN} resolves and .${SECRET_DOMAIN} does not, then the problem is - # in the connection from cloudflared to your local service, not from the internet to cloudflared. - - hostname: "hello.${SECRET_DOMAIN}" - service: hello_world - - ### "Else" rule matches any traffic which didn't match a previous rule, and responds with HTTP 404. - - service: http_status:404 - - # ### Alternatively, fail to sending to ingress - # - service: https://ingress-nginx-controller.networking.svc.cluster.local:443 diff --git a/kubernetes/apps/networking/cloudflared/app/configs/config.yaml b/kubernetes/apps/networking/cloudflared/app/configs/config.yaml new file mode 100644 index 000000000..fdefd098a --- /dev/null +++ b/kubernetes/apps/networking/cloudflared/app/configs/config.yaml @@ -0,0 +1,16 @@ +--- +originRequest: + http2Origin: true + +ingress: + ### Traffic coming in thru cloudflare should go to `external` nginx + - hostname: "${SECRET_DOMAIN}" + service: https://nginx-external-controller.networking.svc.cluster.local:443 + originRequest: + originServerName: "external.${SECRET_DOMAIN}" + - hostname: "*.${SECRET_DOMAIN}" + service: https://nginx-external-controller.networking.svc.cluster.local:443 + originRequest: + originServerName: "external.${SECRET_DOMAIN}" + ### "Else" rule matches any traffic which didn't match a previous rule, and responds with HTTP 404. + - service: http_status:404 diff --git a/kubernetes/apps/networking/cloudflared/app/dnsendpoint.yaml b/kubernetes/apps/networking/cloudflared/app/dnsendpoint.yaml new file mode 100644 index 000000000..2a748f949 --- /dev/null +++ b/kubernetes/apps/networking/cloudflared/app/dnsendpoint.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: externaldns.k8s.io/v1alpha1 +kind: DNSEndpoint +metadata: + name: cloudflared + namespace: networking +spec: + endpoints: + - dnsName: "external.${SECRET_DOMAIN}" + recordType: CNAME + targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"] 
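Review bot: the wildcard rule `- hostname: "*.${SECRET_DOMAIN}"` replaces the per-hostname allowlist the deleted `config.yaml` provided, so exposure is now decided solely by which Ingresses use the `external` class; make sure the external controller's default server answers unknown hosts with 404 and that nothing except intentionally public apps uses that class. `originServerName: "external.${SECRET_DOMAIN}"` means cloudflared validates the origin TLS certificate against that name, so the external controller's default certificate must cover `external.${SECRET_DOMAIN}` or every origin connection fails with a TLS error; the old `hello_world` debug rule that helped isolate exactly that failure mode was dropped at the same time.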
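Review bot: `dnsendpoint.yaml` depends on `${SECRET_CLOUDFLARE_TUNNEL_ID}` being available as a Flux postBuild substitution, separately from the `TUNNEL_ID` stored in `cloudflared-secret`; if the substitution is missing, the CNAME target is rendered literally. The CNAME to `cfargotunnel.com` only works as a proxied (orange-cloud) record, which the global `--cloudflare-proxied` flag on external-dns provides; note that in a comment so nobody later removes the flag for the other records.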
diff --git a/kubernetes/apps/networking/cloudflared/app/helmrelease.yaml b/kubernetes/apps/networking/cloudflared/app/helmrelease.yaml index ba90f3f70..ae19969eb 100644 --- a/kubernetes/apps/networking/cloudflared/app/helmrelease.yaml +++ b/kubernetes/apps/networking/cloudflared/app/helmrelease.yaml 
@@ -6,57 +6,58 @@ metadata: name: &app cloudflared namespace: networking spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 sourceRef: kind: HelmRepository - name: bjw-s-charts + name: bjw-s namespace: flux-system - maxHistory: 3 + maxHistory: 2 install: - createNamespace: true remediation: retries: 3 upgrade: + cleanupOnFail: true remediation: retries: 3 uninstall: keepHistory: false values: - global: - # nameOverride: cloudflared - annotations: - reloader.stakater.com/search: "true" - # configmap.reloader.stakater.com/reload: "k8s-argo-tunnel" - controller: type: deployment replicas: 3 + strategy: RollingUpdate + annotations: + reloader.stakater.com/auto: "true" image: repository: docker.io/cloudflare/cloudflared tag: 2023.8.2 - # Outbound traffic is proxied through port 8080 - # https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-terms/#configuration-file - # Arguments: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/local/local-management/arguments/#metrics + env: + TZ: "${TIMEZONE}" + NO_AUTOUPDATE: "true" + TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json + TUNNEL_METRICS: 0.0.0.0:8080 + TUNNEL_TRANSPORT_PROTOCOL: quic + TUNNEL_POST_QUANTUM: true + TUNNEL_ID: + valueFrom: + secretKeyRef: + name: cloudflared-secret + key: TUNNEL_ID args: - tunnel - --config - - /etc/cloudflared/config.yaml + - /etc/cloudflared/config/config.yaml - run - env: - TZ: "${TIMEZONE}" - ingress: - main: - enabled: false + - "$(TUNNEL_ID)" service: main: ports: http: - port: 2000 + port: 8080 serviceMonitor: main: enabled: true 
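Review bot: `TUNNEL_POST_QUANTUM: true` is an unquoted YAML boolean while `NO_AUTOUPDATE: "true"` beside it is quoted; Kubernetes env `value` fields must be strings, so unless the app-template chart stringifies env values the rendered Deployment is rejected. Quote it for consistency. Passing the tunnel ID as `- "$(TUNNEL_ID)"` makes it visible in the pod spec and process list even though it is sourced from a Secret; that is acceptable (the ID is not a credential, the credentials file is), but worth a comment so the two are not conflated.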
@@ -81,31 +82,24 @@ spec: readiness: *probes startup: enabled: false - persistence: config: enabled: true type: configMap name: *app - mountPath: /etc/cloudflared/config.yaml subPath: config.yaml + mountPath: /etc/cloudflared/config/config.yaml readOnly: true - # By default, the credentials file will be created under ~/.cloudflared/.json - # when you run `cloudflared tunnel create`. You can move it into a secret by using: - # ```sh - # kubectl create secret generic tunnel-credentials \ - # --from-file=credentials.json=/Users/yourusername/.cloudflared/.json - # ``` - credentials: + creds: enabled: true type: secret - name: *app - mountPath: /etc/cloudflared/credentials.json + name: cloudflared-secret subPath: credentials.json + mountPath: /etc/cloudflared/creds/credentials.json readOnly: true resources: requests: - cpu: 25m - memory: 105M + cpu: 5m + memory: 10Mi limits: - memory: 105M + memory: 256Mi diff --git a/kubernetes/apps/networking/cloudflared/app/kustomization.yaml b/kubernetes/apps/networking/cloudflared/app/kustomization.yaml index 29fc1f278..43aee3606 100644 --- a/kubernetes/apps/networking/cloudflared/app/kustomization.yaml +++ b/kubernetes/apps/networking/cloudflared/app/kustomization.yaml @@ -2,18 +2,14 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: networking resources: - - ./helmrelease.yaml + - ./dnsendpoint.yaml - ./secret.sops.yaml - + - ./helmrelease.yaml configMapGenerator: - name: cloudflared - namespace: networking files: - - config.yaml=config.yaml + - ./configs/config.yaml generatorOptions: disableNameSuffixHash: true -labels: - - pairs: - app.kubernetes.io/name: cloudflared - app.kubernetes.io/instance: cloudflared diff --git a/kubernetes/apps/networking/cloudflared/app/secret.sops.yaml b/kubernetes/apps/networking/cloudflared/app/secret.sops.yaml index cd0f65105..781e841d3 100644 
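Review bot: both `config.yaml` and `credentials.json` are mounted with `subPath`, so kubelet never refreshes them in place after a ConfigMap or Secret update; the `reloader.stakater.com/auto: "true"` annotation on the controller covers that by restarting the pods, but only if Reloader is deployed in this cluster. Dropping the kustomize `labels` block removes `app.kubernetes.io/name` and `app.kubernetes.io/instance` from the generated ConfigMap and from the Secret and DNSEndpoint (the chart still labels its own resources); check that no NetworkPolicy or ServiceMonitor selects on those labels.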
--- a/kubernetes/apps/networking/cloudflared/app/secret.sops.yaml +++ b/kubernetes/apps/networking/cloudflared/app/secret.sops.yaml @@ -1,13 +1,11 @@ -# yamllint disable apiVersion: v1 +kind: Secret metadata: - name: cloudflared + name: cloudflared-secret namespace: networking - annotations: - reloader.stakater.com/match: "true" -kind: Secret -data: - credentials.json: ENC[AES256_GCM,data:1Ii6JfXzcmwso7fAOAamBdjqzyEZ7Bu+dQ3NxiEU4p9JhtARovinsjXhw638/htwt97Z0YY9S2C+tSqVyUQRyd40THuvYEIxEg4if06ajEfvuOr5/PWcquXvIr8rKNXuAuSdeoCiw+KPcF7rrxof2dERNMDcOs00kFZAC2NuJL8DEGD2X/GqS8ptCIWUUEJzLo+akMEFPzQUS+HEZ1Lk5UKWDOUwzOe0cDKp1DKXmvuFAjY0mpm2QYzpe8WBV5xR4FPyaqdMF7NCylzA95llTN2gieDbpS1Y,iv:ZMmZc85bhpWDATLut0JAFUZT8+9SuRw6x5/Dt0mCShM=,tag:/+QY7Ixd5UMy1wwdjDAjyg==,type:str] +stringData: + TUNNEL_ID: ENC[AES256_GCM,data:Er1OjMKJwoFjO8v0FjRDVXJITvlzgDkwY4NMCL1iPeW9yahr,iv:x2jKvaDHZodUGXk+a5icz+tAhmkXgT6y+Z7cG3Nar4A=,tag:LgtIi7OylttwwwFEjuXujg==,type:str] + credentials.json: ENC[AES256_GCM,data:MxTQlSEnQ03Oe1uMvZjJHFVpndssqecM3VB2Gqb6vmJNzEM0uMRLRD/C00BZoMW2uk5Dq2rzwu5zM6UVu4KAeoUj9pZD3NpoImHeFlE3O/DC5OMFf3RT+ktguGOpdVreNewwj3YLpG3mdAkWttESdLx4ftmSB38jnKN2dd0AC2SG/pLOskRbGuV6VVWAh2FD+JI0uvQPPb3JDgLT1FJfTs8BHH954JQ6o6RxdhLxVg==,iv:Nt00T1TBy5ShNwsIh5R+SpzFpEB53SyISo1upQOEKv4=,tag:8tWPXwrxwCuNxl9qaFuKaQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -17,14 +15,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjbUx2N2dhSW96aEFqaDZy - S25FbkoxS1FSNFlvdXo5U2xxNGhBd0kyN2tFCjRQMHN6SWxudXZLdUxvbmhiT2E1 - MitkS1ZtbkFFakFLZ1hnZk1ja1R4Y2cKLS0tIDVqVWE5akNrYSs1M0l3TzZQVVpW - dS9neGNPdmk3cTZmNWpRcUtoZW4yWDQKa9Ur+XOi/3FgfiG7gIpQS4v45hK57qCl - QF8asJj77WSBZfC+ea9eSdmFbUWxJfmn0xZaTrXMR9BkM1sVdx3nJg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzSDMwZ0lYMENySndtSG02 + UEtQaEl6dG5pTGY0ekxNYy9UNlFyaDVtTHowCm1HV3U1NHVFM0llUkhaQ3FtREk3 + d1pmZ3c3a1BVbng1T2phNjZSMy9JMGsKLS0tIEgydU05aTVtU1dMS3daQXJUQW9u + RS9NUVBUQmw1b1UrcCsvcnVZVlM2VjgKERzqS5AW9MNmBf2d7Y0m1XvVdu824mHj + xDB17dKwxZfxuXdBlWwLIru04h9G9S2lZeji+frmRFv8M2DQYxApnw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-01T15:08:40Z" - mac: ENC[AES256_GCM,data:onIH/yHlz4b0n7SYmmcAITyX42nNVK4EDAh4zV5/4I81/nJN1Ze3DFeC2n61bC7nWnMNWMWDu49RGqtmSacYQnTnrB38YwbjyIrMKmc4AY3vjL4Lym367p1U9Jsy7bdGnvkuae2qe4SD80I+ZE1v7283JTPrB9IWRUrIJW5HHKQ=,iv:J7bwne1Vbry8q9uwG/FVlUClrK4ELoyD558JpusXtHk=,tag:NFwYznOsEIPQUdSdegelVQ==,type:str] + lastmodified: "2023-09-05T01:23:39Z" + mac: ENC[AES256_GCM,data:0fE6o96vgQX7H5vHWX5/ZlcvQ2LhvE7P4M4NLcLgF1q2AC8kd3TQy7rEob2DMK5ju4z4g8Fqi6wG8x7nA+8Kft2vb5GzDyWtKv8pwYTQF/i8YCUNemCXNiGPLHFfFOB0oMVEW9hn2QZ4nxtu7Lo2cTBTxMl8DjzzS/2XkN3cCXk=,iv:ASrEJlPfhBj/aqZ9cE7ZmGn4ujRedvUWGxcayJA+XvU=,tag:TyMFMAijNZgs/J68VUq4NQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/networking/cloudflared/ks.yaml b/kubernetes/apps/networking/cloudflared/ks.yaml index 1250bef0f..f60214b01 100644 --- a/kubernetes/apps/networking/cloudflared/ks.yaml +++ b/kubernetes/apps/networking/cloudflared/ks.yaml 
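Review bot: `credentials.json` has new ciphertext and a new MAC, which can be either a plain re-encryption or a rotation of the tunnel credentials; if the latter, confirm the previous tunnel credentials were revoked in Cloudflare, since a committed history still contains the old encrypted blob. Dropping `reloader.stakater.com/match` from the Secret is consistent with the Deployment now using `reloader.stakater.com/auto`, which does not require the match annotation, and `encrypted_regex: ^(data|stringData)$` keeps the move from `data` to `stringData` covered.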
@@ -3,15 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-networking-cloudflared + name: networking-cloudflared namespace: flux-system spec: + dependsOn: + - name: networking-external-dns path: ./kubernetes/apps/networking/cloudflared/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/networking/crowdsec/app/helmrelease.yaml b/kubernetes/apps/networking/crowdsec/app/helmrelease.yaml index 638ab44ee..efd0c4d25 100644 --- a/kubernetes/apps/networking/crowdsec/app/helmrelease.yaml +++ b/kubernetes/apps/networking/crowdsec/app/helmrelease.yaml @@ -9,12 +9,11 @@ spec: interval: 15m chart: spec: - # renovate: registryUrl=https://crowdsecurity.github.io/helm-charts chart: crowdsec version: 0.9.8 sourceRef: kind: HelmRepository - name: crowdsec-charts + name: crowdsec namespace: flux-system maxHistory: 3 install: diff --git a/kubernetes/apps/networking/crowdsec/app/secret.sops.yaml b/kubernetes/apps/networking/crowdsec/app/secret.sops.yaml index 89e3c5351..b30503419 100644 --- a/kubernetes/apps/networking/crowdsec/app/secret.sops.yaml +++ b/kubernetes/apps/networking/crowdsec/app/secret.sops.yaml 
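Review bot: `dependsOn: - name: networking-external-dns` is the right guard here, because `dnsendpoint.yaml` needs the DNSEndpoint CRD that the external-dns Kustomization installs, and that Kustomization keeps `wait: true`, so the CRD is established before cloudflared applies; keep `wait: true` on external-dns for that reason rather than flipping it to `false` like the others.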
@@ -7,9 +7,9 @@ metadata: annotations: reloader.stakater.com/match: "true" stringData: - #ENC[AES256_GCM,data:gd0WL5RwwD6Ac4CIJzyK2vNIX090BGSVDM92VfO/oQvSrKU=,iv:Oji6oNGKPOM0VGBcuWHQpisH7fHqqMeq6AJWoB8RTCs=,tag:Rmp77SUiHYnsANacIkNkZw==,type:comment] - ENROLL_KEY: ENC[AES256_GCM,data:/SxxMhjmIb/i7WSFsPfQFRh1dAFGD3MBBQ==,iv:/dDqNBhO/ga2fsVPpy7Xwgpww2N0ClGwbtyzMHoWuDo=,tag:SescpAFW2A5Y3ZrQB2y9rg==,type:str] - BOUNCER_KEY_traefik: ENC[AES256_GCM,data:mnXpLoM6PHTwcBSk0ep/nLnckwreL/HNlJB/Pdrz1Jc=,iv:G1nGhcy4bt1lm1QAZAKb2RiVJAOAbvRdqwGt0Yw/3js=,tag:uv+rx7IdAq3ai7zAXZs8iw==,type:str] + #ENC[AES256_GCM,data:YDeVJjkV2xuriuWNKaY6iQj5XIpDK2crqNK8BM6sYEoMSLE=,iv:WloZbrGGI4RBCMWv0AQwpYMAOoG2TqwDNZzVJTnuj/o=,tag:2vfN4MZ7NPdOt1lc8Qk7Qg==,type:comment] + ENROLL_KEY: ENC[AES256_GCM,data:5GQ3ZVT7cRR3Q8d2EjTstbXcvJfSshekPw==,iv:ni+M3fGTey/V2lhDw7aGX/F8X6qjBt2s1gY5nvdnQSo=,tag:DislwT1HQXEWDhkOjzdhtA==,type:str] + BOUNCER_KEY_INGRESS: ENC[AES256_GCM,data:KDI6PJksg5egliUH1mtPZwSsMsO5vQLPDI2T6FQmDVM=,iv:5I/HJnPI3w1yA2hmWt2gKrN3ysR8HkGAn8YlcKSrZ6w=,tag:Ars8ioBxMAXhrC0k3aqYiw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -19,14 +19,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRENKN1B3cGR0dnBTZnE5 - a0FicEtlRENXVmtPMHdoOHJCVVVVWFpkeUFzCnpBeUJDc2psQ2F2eEw3cE1jR2pN - NEZ1UU8veURTd2oyWEs2S3c5NXNBQzQKLS0tIEhiQmxIakFodWRUbHRYUURZNk4v - SnNQUUtCcS9HaFlwazV2bXBHOTQvcUUKtrsaFmlUqG/Ch6lFMv9eDiqo9ELxXJhy - +rgiuHPXo/Q4HE6njHG7QBPTwUyF5ta3M/GprESTs20jegmC9ENEog== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQWpnLys0Ui82bERHTnZW + V1l6Snc3ZWVxOGhHTC9qYjlHOUkxdjlJekZZCkFVUG5WcW1NY2pVS2Q1ZUd1STdx + YTA3cTRnT2cvelFoSTgxZlF0NmNrL1UKLS0tIHRqR1pzaTJoWFZVU0o0QVFEZWdE + NUlTbVNDMWZYODhBMXI1RXROQUJjOXMKkIBiplQr7jQnCcw90rrPJ1a/o8K2y3cw + kgCxoU8+BFUEhjg2/m6Uw8eGxkl6k1Bz4NxiZEMzAZxNTdUL9PUONA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-01T14:20:21Z" - mac: ENC[AES256_GCM,data:ztJu0ZciFtWGkGeO9LvQxhgWCEjWnNTOO6EMYl4c1e2g74jo0/MqCLvgNr6D4P/p/HL2YsSGXCKTiA6AkWH5UX82KpUq7Qsrl/vklfQZFLCN9mV/gioW6CcnJHiRmumFO6Tmcv2QsotpIWUup6CoOXELHby3k0+Yu8YMzaG+GRo=,iv:sA9tDUbzTM7YSTS4CpviIVLPlTIii18ulvXbC9n+cGY=,tag:vSRkWgdaUNmWBBtUOpBI8A==,type:str] + lastmodified: "2023-10-02T23:37:05Z" + mac: ENC[AES256_GCM,data:FWa1kfklcgWUZkgIWZBrjPpRhMeKHpTi0CTi/rw7fzZDU2zyztBUIWJHv34UMLmxOpkoOuJDuZ1obBRA5C6b9u2GqaAeO1yPn8iSsaUQqEpxKOZDgBkQ1TQJTHSyGeQTcR0uttpQuy9FT3834zWYBneI6uzJ8LbHUDOZpWQLnTc=,iv:VirOVK2zL50wTR8N7xebaIndpwvu8xGp4BbKv27Q2FY=,tag:m4i0PAQ0GId5+MPTnSF5pw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/apps/networking/crowdsec/app/secret.sops.yaml.tmpl b/kubernetes/apps/networking/crowdsec/app/secret.sops.yaml.tmpl index 6e4c6d974..0e1537cf3 100644 --- a/kubernetes/apps/networking/crowdsec/app/secret.sops.yaml.tmpl +++ b/kubernetes/apps/networking/crowdsec/app/secret.sops.yaml.tmpl 
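Review bot: renaming the key `BOUNCER_KEY_traefik` to `BOUNCER_KEY_INGRESS` fixes a mismatch with `secret.sops.yaml.tmpl`, which already used `BOUNCER_KEY_INGRESS` before this change; since the crowdsec chart registers one bouncer per `BOUNCER_KEY_*` entry, the stale `traefik` bouncer stays in the LAPI database until removed with `cscli bouncers delete traefik`, and the ingress-nginx bouncer must be reconfigured with the new key value (the ciphertext changed, so the value itself was rotated or re-encrypted).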
@@ -9,5 +9,5 @@ metadata: reloader.stakater.com/match: "true" stringData: # generated from crowdsec web portal - ENROLL_KEY: "${SECRET_CROWDSEC_ENROLL_KEY}" - BOUNCER_KEY_INGRESS: "${SECRET_CROWDSEC_BOUNCER_KEY}" + ENROLL_KEY: "${CROWDSEC_ENROLL_KEY}" + BOUNCER_KEY_INGRESS: "${CROWDSEC_BOUNCER_KEY}" diff --git a/kubernetes/apps/networking/crowdsec/ks.yaml b/kubernetes/apps/networking/crowdsec/ks.yaml index e3abc37dc..67c93c69c 100644 --- a/kubernetes/apps/networking/crowdsec/ks.yaml +++ b/kubernetes/apps/networking/crowdsec/ks.yaml @@ -3,16 +3,16 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-networking-crowdsec + name: networking-crowdsec namespace: flux-system spec: dependsOn: - - name: apps-rook-ceph-cluster + - name: rook-ceph-cluster path: ./kubernetes/apps/networking/crowdsec/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes wait: true interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/networking/external-dns/README.md b/kubernetes/apps/networking/external-dns/README.md new file mode 100644 index 000000000..93d20b1bb --- /dev/null +++ b/kubernetes/apps/networking/external-dns/README.md @@ -0,0 +1,3 @@ +# [External DNS](https://github.com/kubernetes-sigs/external-dns) + +Configure external (public) DNS records for Kubernetes Ingresses and Services diff --git a/kubernetes/apps/networking/external-dns/app/dnsendpoint-crd.yaml b/kubernetes/apps/networking/external-dns/app/dnsendpoint-crd.yaml new file mode 100644 index 000000000..2e0e45c69 --- /dev/null +++ b/kubernetes/apps/networking/external-dns/app/dnsendpoint-crd.yaml 
@@ -0,0 +1,93 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-sigs/external-dns/pull/2007" + creationTimestamp: null + name: dnsendpoints.externaldns.k8s.io +spec: + group: externaldns.k8s.io + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec defines the desired state of DNSEndpoint + properties: + endpoints: + items: + description: Endpoint is a high-level way of a connection between a service and an IP + properties: + dnsName: + description: The hostname of the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty holds the name and value of a configuration which is specific to individual DNS providers + properties: + name: + type: string + value: + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, TXT etc + type: string + setIdentifier: + description: Identifier to distinguish multiple records with the same name and type (e.g. Route53 records with routing policies other than 'simple') + type: string + targets: + description: The targets the DNS record points to + items: + type: string + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus defines the observed state of DNSEndpoint + properties: + observedGeneration: + description: The generation observed by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kubernetes/apps/networking/external-dns/app/helmrelease.yaml b/kubernetes/apps/networking/external-dns/app/helmrelease.yaml new file mode 100644 index 000000000..4d3383da6 --- /dev/null 
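Review bot: the vendored DNSEndpoint CRD records no source version beyond `controller-gen.kubebuilder.io/version: v0.5.0` and the PR #2007 approval annotation; add a comment with the external-dns release it was copied from so it can be refreshed together with chart bumps, because Renovate will not touch it. Recent versions of the `external-dns` chart can install the CRD themselves via a `crd.create` value; if 1.13.1 supports it, that removes the hand-maintained copy entirely.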
+++ b/kubernetes/apps/networking/external-dns/app/helmrelease.yaml @@ -0,0 +1,50 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: &app external-dns + namespace: networking +spec: + interval: 30m + chart: + spec: + chart: external-dns + version: 1.13.1 + sourceRef: + kind: HelmRepository + name: external-dns + namespace: flux-system + maxHistory: 2 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + values: + fullnameOverride: *app + provider: cloudflare + env: + - name: CF_API_TOKEN + valueFrom: + secretKeyRef: + name: external-dns-secret + key: api-token + extraArgs: + - --ingress-class=external + - --cloudflare-proxied + - --crd-source-apiversion=externaldns.k8s.io/v1alpha1 + - --crd-source-kind=DNSEndpoint + policy: sync + sources: ["crd", "ingress"] + txtPrefix: k8s. + txtOwnerId: default + domainFilters: ["${SECRET_DOMAIN}"] + serviceMonitor: + enabled: true + podAnnotations: + secret.reloader.stakater.com/reload: external-dns-secret diff --git a/kubernetes/apps/flux-system/add-ons/notifications/github/kustomization.yaml b/kubernetes/apps/networking/external-dns/app/kustomization.yaml similarity index 71% rename from kubernetes/apps/flux-system/add-ons/notifications/github/kustomization.yaml rename to kubernetes/apps/networking/external-dns/app/kustomization.yaml index f9909230c..74db0048a 100644 --- a/kubernetes/apps/flux-system/add-ons/notifications/github/kustomization.yaml +++ b/kubernetes/apps/networking/external-dns/app/kustomization.yaml 
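Review bot: with `sources: ["crd", "ingress"]` and `--ingress-class=external`, records for Ingresses are derived from the Ingress status address, which for the external ingress-nginx is the private 10.2.118.4 shown in the networking README; unless every external Ingress sets `external-dns.alpha.kubernetes.io/target: external.${SECRET_DOMAIN}` (or external-dns is started with `--default-targets`), RFC1918 addresses get published into the public Cloudflare zone. `txtOwnerId: default` is the chart default; give it a cluster-specific value so another external-dns instance against the same zone cannot claim these records or, under `policy: sync`, delete them.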
@@ -2,6 +2,8 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: networking resources: - - ./notification.yaml + - ./dnsendpoint-crd.yaml - ./secret.sops.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/networking/external-dns/app/secret.sops.yaml b/kubernetes/apps/networking/external-dns/app/secret.sops.yaml new file mode 100644 index 000000000..3022ae745 --- /dev/null +++ b/kubernetes/apps/networking/external-dns/app/secret.sops.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Secret +metadata: + name: external-dns-secret + namespace: networking +stringData: + api-token: ENC[AES256_GCM,data:Se1QnDxtHM9KbCWK4b/O02dYQJq3XW0Z54xaGlpKclWVcYHCj/31pg==,iv:goq31ITLABOHKHXQq4qlMS2lasxCQNGEzQJ9GmRULMg=,tag:TBUN4SYLp2v6dvqe05I2CQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYU2MzYWlCUFM0QytxRHhD + TkhaeENNUW94TFh4Q2ZqZk9Wd204ck5wUHpvCjJyZDdTSjdiSlM2MTdQeC94YXU4 + blNQdlZjUmVTTmxJdjhhU1FETzlnd0UKLS0tIG9ydUNUblZZQ0RIaGlJNFpDZE1o + NFVjWHhyOEhPMHFMNUp5RHJ4SUxwTWcKyEa/mtin2PgFequzY8OoghMek6q4WCW3 + sUUyCqb/4VxUWJDBc4+RxFZTh5njWxed5J5r3gDVWBfQUjUyYJLFeQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-09-05T01:23:39Z" + mac: ENC[AES256_GCM,data:kZWGO6XQpXjOkjW2nWTcO08ADJ7+YTPLwqpnmu3esfwd4TplMf4qlk6bTK7EwS4Lp0gxonyytMCdTosGjI8P4JT7WZastSb6jVblVP4mmv+bvoAlihZQbJT81bt4WHyG6mcfdSw1ExJviNB0kyf9BsLMgtR317n2Z012FlDQuxo=,iv:vG0Otqhn+YJJX27gaSivAaTJWsBCclyu6Edp+1ZlPtY=,tag:R5Uf8mE2oCz3nauUx3rY0Q==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 
diff --git a/kubernetes/apps/tigera-operator/tigera-operator/ks.yaml b/kubernetes/apps/networking/external-dns/ks.yaml similarity index 74% rename from kubernetes/apps/tigera-operator/tigera-operator/ks.yaml rename to kubernetes/apps/networking/external-dns/ks.yaml index 54d27a7f4..618396d1f 100644 --- a/kubernetes/apps/tigera-operator/tigera-operator/ks.yaml +++ b/kubernetes/apps/networking/external-dns/ks.yaml @@ -3,14 +3,14 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-tigera-operator + name: networking-external-dns namespace: flux-system spec: - path: ./kubernetes/apps/tigera-operator/tigera-operator/app + path: ./kubernetes/apps/networking/external-dns/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes wait: true interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/networking/external-services/README.md b/kubernetes/apps/networking/external-services/README.md new file mode 100644 index 000000000..21daca6c0 --- /dev/null +++ b/kubernetes/apps/networking/external-services/README.md @@ -0,0 +1,7 @@ +# External Services + +This leverages kubernetes networking resources (Service, Endpoint, Ingress) +to allow k8s-gateway and nginx to act as reverse proxy for services +not hosted within the k8s cluster. + +See also [proxy to external services](https://kristhecodingunicorn.com/post/k8s_proxy_svc/#proxy-to-external-services-with-service-without-selectors) diff --git a/kubernetes/apps/networking/external-services/ks.yaml b/kubernetes/apps/networking/external-services/ks.yaml index 899abe60f..9995e0602 100644 --- a/kubernetes/apps/networking/external-services/ks.yaml +++ b/kubernetes/apps/networking/external-services/ks.yaml 
@@ -3,16 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-networking-external-services + name: networking-external-services namespace: flux-system spec: dependsOn: - - name: apps-networking-ingress-nginx + - name: networking-nginx-internal path: ./kubernetes/apps/networking/external-services/services prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/networking/external-services/services/homeassistant.yaml b/kubernetes/apps/networking/external-services/services/homeassistant.yaml index 33392b369..3ab662efe 100644 --- a/kubernetes/apps/networking/external-services/services/homeassistant.yaml +++ b/kubernetes/apps/networking/external-services/services/homeassistant.yaml @@ -11,7 +11,7 @@ metadata: app.kubernetes.io/name: *app app.kubernetes.io/instance: *app spec: - ingressClassName: nginx + ingressClassName: internal rules: - host: &host "homeassistant.${SECRET_DOMAIN}" http: @@ -34,6 +34,9 @@ kind: Service metadata: name: &app homeassistant namespace: networking + annotations: + app.kubernetes.io/name: *app + app.kubernetes.io/instance: *app labels: app.kubernetes.io/name: *app app.kubernetes.io/instance: *app diff --git a/kubernetes/apps/networking/ingress-nginx/app/cloudflare-networks.txt b/kubernetes/apps/networking/ingress-nginx/app/cloudflare-networks.txt deleted file mode 100644 index d6e3abd1a..000000000 --- a/kubernetes/apps/networking/ingress-nginx/app/cloudflare-networks.txt +++ /dev/null @@ -1 +0,0 @@ -173.245.48.0/20\,103.21.244.0/22\,103.22.200.0/22\,103.31.4.0/22\,141.101.64.0/18\,108.162.192.0/18\,190.93.240.0/20\,188.114.96.0/20\,197.234.240.0/22\,198.41.128.0/17\,162.158.0.0/15\,104.16.0.0/13\,104.24.0.0/14\,172.64.0.0/13\,131.0.72.0/22\,2400:cb00::/32\,2606:4700::/32\,2803:f800::/32\,2405:b500::/32\,2405:8100::/32\,2a06:98c0::/29\,2c0f:f248::/32 
diff --git a/kubernetes/apps/networking/ingress-nginx/app/dashboard/kustomization.yaml b/kubernetes/apps/networking/ingress-nginx/app/dashboard/kustomization.yaml deleted file mode 100644 index cb3b57114..000000000 --- a/kubernetes/apps/networking/ingress-nginx/app/dashboard/kustomization.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: networking -configMapGenerator: - - name: nginx-dashboard - files: - - nginx-dashboard.json=https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json - - name: nginx-request-handling-performance-dashboard - files: - - nginx-request-handling-performance-dashboard.json=https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json -generatorOptions: - disableNameSuffixHash: true - annotations: - kustomize.toolkit.fluxcd.io/substitute: disabled - labels: - grafana_dashboard: "true" diff --git a/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml b/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml deleted file mode 100644 index 990926ee5..000000000 --- a/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml +++ /dev/null 
@@ -1,165 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: ingress-nginx - namespace: networking -spec: - interval: 15m - chart: - spec: - chart: ingress-nginx - version: 4.8.0 - sourceRef: - kind: HelmRepository - name: ingress-nginx-charts - namespace: flux-system - maxHistory: 2 - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - controller: - replicaCount: 2 - service: - type: LoadBalancer - ### pick either metallb annotation OR spec.loadBalancerIP - # annotations: - # metallb.universe.tf/loadBalancerIPs: "${LB_INGRESS}" - externalIPs: ["${LB_INGRESS}"] - loadBalancerIP: "${LB_INGRESS}" - externalTrafficPolicy: Local # preserve client source IP - - ingressClassResource: - default: true - # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ - config: - client-body-buffer-size: 100M - client-body-timeout: 120 - client-header-timeout: 120 - custom-http-errors: 400,401,403,404,500,501,502,503,504 - enable-brotli: "true" - enable-real-ip: "true" - forwarded-for-header: CF-Connecting-IP # X-Forwarded-For - hsts-max-age: 31449600 - keep-alive-requests: 10000 - keep-alive: 120 - log-format-escape-json: "true" - log-format-upstream: > - {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", - "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", - "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, - "status": $status, "vhost": "$host", "request_proto": "$server_protocol", - "path": "$uri", "request_query": "$args", "request_length": $request_length, - "duration": $request_time,"method": "$request_method", "http_referrer": "$http_referer", - "http_user_agent": "$http_user_agent"} 
- proxy-body-size: 0 - proxy-buffer-size: 16k - ssl-protocols: TLSv1.3 TLSv1.2 - use-forwarded-headers: "true" - # use-proxy-protocol: "true" - extraArgs: - default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-tls" - extraEnvs: - - name: TZ - value: "${TIMEZONE}" - # crowdsec bouncer - # extraVolumes: - # - name: crowdsec-bouncer-plugin - # emptyDir: {} - # extraInitContainers: - # - name: init-clone-crowdsec-bouncer - # image: crowdsecurity/lua-bouncer-plugin - # tag: v0.1.11 - # imagePullPolicy: IfNotPresent - # env: - # - name: API_URL - # value: "http://crowdsec-service.networking.svc.cluster.local:8080" - # - name: API_KEY - # # value: "${BOUNCER_KEY_INGRESS}" - # valueFrom: - # secretKeyRef: - # name: crowdsec-secret - # key: BOUNCER_KEY_INGRESS - # - name: DISABLE_RUN - # value: "true" - # - name: BOUNCER_CONFIG - # value: "/crowdsec/crowdsec-bouncer.conf" - # command: - # - "/bin/sh" - # - "-c" - # - | - # #!/bin/sh - # sh /docker_start.sh - # mkdir -p /lua_plugins/crowdsec/ - # cp -pr /crowdsec/* /lua_plugins/crowdsec/ - # volumeMounts: - # - name: crowdsec-bouncer-plugin - # mountPath: /lua_plugins - # extraVolumeMounts: - # - name: crowdsec-bouncer-plugin - # mountPath: /etc/nginx/lua/plugins/crowdsec - # subPath: crowdsec - # resources: - # requests: - # memory: 400Mi - # cpu: 25m - # limits: - # memory: 1Gi - metrics: - enabled: true - serviceMonitor: - enabled: true - namespace: networking - namespaceSelector: - any: true - - podAnnotations: - configmap.reloader.stakater.com/reload: cloudflare-proxied-networks - tolerations: - - key: "node-role.kubernetes.io/control-plane" - operator: "Exists" - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/component: controller - - resources: - requests: - cpu: 100m - memory: 250Mi - limits: - memory: 750Mi - - defaultBackend: - enabled: true # Note: 
obsidian-livesync does not work with a default backend enabled - image: - repository: ghcr.io/tarampampam/error-pages - tag: 2.25.0 - replicaCount: 1 - extraEnvs: - # https://github.com/tarampampam/error-pages#-templates - - name: TEMPLATE_NAME - value: shuffle - - name: SHOW_DETAILS - value: "false" - - valuesFrom: - # Cloudflare Networks - # https://www.cloudflare.com/ips/ - - kind: ConfigMap - name: cloudflare-networks - valuesKey: cloudflare-networks.txt - targetPath: controller.config.proxy-real-ip-cidr diff --git a/kubernetes/apps/networking/ingress-nginx/app/kustomization.yaml b/kubernetes/apps/networking/ingress-nginx/app/kustomization.yaml deleted file mode 100644 index 17e9ccd84..000000000 --- a/kubernetes/apps/networking/ingress-nginx/app/kustomization.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: networking -resources: - - ./dashboard/ - - ./helmrelease.yaml -configMapGenerator: - - name: cloudflare-networks - files: - - ./cloudflare-networks.txt -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/networking/k8s-gateway/README.md b/kubernetes/apps/networking/k8s-gateway/README.md new file mode 100644 index 000000000..4a034ef27 --- /dev/null +++ b/kubernetes/apps/networking/k8s-gateway/README.md @@ -0,0 +1,8 @@ +# [k8s-gateway](https://github.com/ori-edge/k8s_gateway) + +A CoreDNS plugin to resolve all types of external Kubernetes resources. + +`k8s_gateway` will provide DNS resolution to Kubernetes entrypoints from any device that uses your home DNS server. +For this to work, your home DNS server must be configured to forward DNS queries for `${bootstrap_cloudflare_domain}` +to `${bootstrap_k8s_gateway_addr}` instead of the upstream DNS server(s) it normally uses. +This is a form of **split DNS** (aka split-horizon DNS / conditional forwarding). 
diff --git a/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml b/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml new file mode 100644 index 000000000..aac494341 --- /dev/null +++ b/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml @@ -0,0 +1,37 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: k8s-gateway + namespace: networking +spec: + interval: 30m + chart: + spec: + chart: k8s-gateway + version: 2.0.4 + sourceRef: + kind: HelmRepository + name: k8s-gateway + namespace: flux-system + maxHistory: 2 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + values: + fullnameOverride: k8s-gateway + domain: "${SECRET_DOMAIN}" + ttl: 1 + service: + type: LoadBalancer + port: 53 + annotations: + io.cilium/lb-ipam-ips: "10.2.118.2" + externalTrafficPolicy: Cluster diff --git a/kubernetes/apps/kube-system/node-feature-discovery/app/kustomization.yaml b/kubernetes/apps/networking/k8s-gateway/app/kustomization.yaml similarity index 88% rename from kubernetes/apps/kube-system/node-feature-discovery/app/kustomization.yaml rename to kubernetes/apps/networking/k8s-gateway/app/kustomization.yaml index 17cbc72b2..4d56b7868 100644 --- a/kubernetes/apps/kube-system/node-feature-discovery/app/kustomization.yaml +++ b/kubernetes/apps/networking/k8s-gateway/app/kustomization.yaml @@ -2,5 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: networking resources: - ./helmrelease.yaml 
diff --git a/kubernetes/apps/networking/ingress-nginx/ks.yaml b/kubernetes/apps/networking/k8s-gateway/ks.yaml similarity index 57% rename from kubernetes/apps/networking/ingress-nginx/ks.yaml rename to kubernetes/apps/networking/k8s-gateway/ks.yaml index 9f7753d5c..bbe5e6461 100644 --- a/kubernetes/apps/networking/ingress-nginx/ks.yaml +++ b/kubernetes/apps/networking/k8s-gateway/ks.yaml @@ -3,19 +3,15 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-networking-ingress-nginx + name: networking-k8s-gateway namespace: flux-system spec: - dependsOn: - - name: apps-cert-manager-certs - - name: apps-metallb-system - - name: apps-metallb-system-config - path: ./kubernetes/apps/networking/ingress-nginx/app + path: ./kubernetes/apps/networking/k8s-gateway/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/networking/kustomization.yaml b/kubernetes/apps/networking/kustomization.yaml index 590e791b4..417b700d0 100644 --- a/kubernetes/apps/networking/kustomization.yaml +++ b/kubernetes/apps/networking/kustomization.yaml @@ -3,11 +3,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - # Pre Flux-Kustomizations - ./namespace.yaml - # Flux-Kustomizations - ./cloudflared/ks.yaml - # - ./crowdsec/ks.yaml + - ./external-dns/ks.yaml - ./external-services/ks.yaml - - ./ingress-nginx/ks.yaml - # - ./traefik/ks.yaml + - ./k8s-gateway/ks.yaml + - ./nginx/ks.yaml diff --git a/kubernetes/apps/networking/namespace.yaml b/kubernetes/apps/networking/namespace.yaml index 96c4aeba9..aff62807c 100644 --- a/kubernetes/apps/networking/namespace.yaml +++ b/kubernetes/apps/networking/namespace.yaml 
@@ -4,5 +4,5 @@ kind: Namespace metadata: name: networking labels: - kustomize.toolkit.fluxcd.io/prune: disabled + kustomize.toolkit.fluxcd.io/prune: disabled # don't prune namespace goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/apps/networking/ingress-nginx/README.md b/kubernetes/apps/networking/nginx/README.md similarity index 100% rename from kubernetes/apps/networking/ingress-nginx/README.md rename to kubernetes/apps/networking/nginx/README.md diff --git a/kubernetes/apps/networking/nginx/external/helmrelease.yaml b/kubernetes/apps/networking/nginx/external/helmrelease.yaml new file mode 100644 index 000000000..aa78df814 --- /dev/null +++ b/kubernetes/apps/networking/nginx/external/helmrelease.yaml 
@@ -0,0 +1,115 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: nginx-external + namespace: networking +spec: + interval: 30m + chart: + spec: + chart: ingress-nginx + version: 4.8.0 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: flux-system + maxHistory: 2 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + dependsOn: + - name: cloudflared + namespace: networking + values: + fullnameOverride: nginx-external + controller: + replicaCount: 1 + service: + annotations: + external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_DOMAIN}" + io.cilium/lb-ipam-ips: "10.2.118.4" + externalTrafficPolicy: Cluster + ingressClassResource: + name: external + default: false + controllerValue: k8s.io/external + admissionWebhooks: + objectSelector: + matchExpressions: + - key: ingress-class + operator: In + values: ["external"] + allowSnippetAnnotations: true + config: + client-body-buffer-size: 100M + client-body-timeout: 120 + client-header-timeout: 120 + enable-brotli: "true" + enable-real-ip: "true" + hsts-max-age: 31449600 + keep-alive-requests: 10000 + keep-alive: 120 + log-format-escape-json: "true" + log-format-upstream: > + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", + "request_length": $request_length, "duration": $request_time, "method": "$request_method", + "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", + "country_code": "$geoip2_city_country_code", "country_name": 
"$geoip2_city_country_name"} + proxy-body-size: 0 + proxy-buffer-size: 16k + ssl-protocols: TLSv1.3 TLSv1.2 + use-geoip2: true + extraArgs: + default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-production-tls" + # default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-staging-tls" + metrics: + enabled: true + serviceMonitor: + enabled: true + namespace: networking + namespaceSelector: + any: true + podAnnotations: + configmap.reloader.stakater.com/reload: nginx-external-controller, cloudflare-networks + resources: + requests: + cpu: 10m + memory: 250Mi + limits: + memory: 500Mi + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: nginx-external + app.kubernetes.io/component: controller + defaultBackend: + enabled: true + image: + repository: ghcr.io/tarampampam/error-pages + tag: 2.25.0 + replicaCount: 1 + extraEnvs: + # https://github.com/tarampampam/error-pages#-templates + - name: TEMPLATE_NAME + value: shuffle + - name: SHOW_DETAILS + value: "false" + + valuesFrom: + - targetPath: controller.maxmindLicenseKey + kind: Secret + name: maxmind + valuesKey: MAXMIND_LICENSE_KEY diff --git a/kubernetes/apps/networking/nginx/external/kustomization.yaml b/kubernetes/apps/networking/nginx/external/kustomization.yaml new file mode 100644 index 000000000..7bedc2b84 --- /dev/null +++ b/kubernetes/apps/networking/nginx/external/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: networking +resources: + - ./helmrelease.yaml + - ./secret-maxmind.sops.yaml diff --git a/kubernetes/apps/networking/nginx/external/secret-maxmind.sops.yaml b/kubernetes/apps/networking/nginx/external/secret-maxmind.sops.yaml new file mode 100644 index 000000000..b62fcce90 --- /dev/null 
+++ b/kubernetes/apps/networking/nginx/external/secret-maxmind.sops.yaml @@ -0,0 +1,30 @@ +# yamllint disable +apiVersion: v1 +metadata: + name: maxmind + namespace: networking + annotations: + reloader.stakater.com/match: "true" +kind: Secret +stringData: + MAXMIND_LICENSE_KEY: ENC[AES256_GCM,data:GFMSvqbsrmucdmhOBhNaaRBcxPcbdCdbOBeJLurlGw7AgKjwOLybDg==,iv:8UNjgYg0bZ0fsrqxwgzMtwxxlJjf77g2bQT6SqWX94A=,tag:yy6hUnKZK0RJTT92mJAYtA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiL1R5MGNuVXBkc1RFNmdU + L3VsMWxENkJERkZRUXlPSldxT2J1aHN2VTFrCmdRbXhGRVREanhncXI5MU95Wi9k + a2hGVGRBcVByRVB1eTJ4Y0RTdkJhcjQKLS0tIDRac0ZjVnpIaVozWG8xbGVmOGVB + S3V3S2hZTXg5SCtDSnJCNWw2clEwQVUKYKkR3m/RumsBWa7Gba9mB2NlRXSc/Xz2 + 0YB2Y/gbP6LAjKliWT1QN42saCA8dawx6CTpBCVh6wGDROx9zggvkg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-09-12T21:53:17Z" + mac: ENC[AES256_GCM,data:nyAgmxWhv8ydeEiRyvA0uA6zcm4ghVNiJo/UwSH35Z9T1loyzMkkKHGVeUk1/ekEBpMUS4sQjJZAhG7L5HLCS7eIcP/b/ky8edH2yp2CQggwHCR3k1PySdFwh2tvViJLmUnJyjZKA9bOIHP87Sj/tbu8uYcATh4qdkO47ZNCY0g=,iv:COCJldAQn7Y31oBKF9vym/dAvq5cv6qkGNrkucAMoeM=,tag:dsTf3zGvDbiynxM6MZ3PVg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/kubernetes/apps/networking/cloudflared/app/secret.sops.yaml.tmpl b/kubernetes/apps/networking/nginx/external/secret-maxmind.sops.yaml.tmpl similarity index 63% rename from kubernetes/apps/networking/cloudflared/app/secret.sops.yaml.tmpl rename to kubernetes/apps/networking/nginx/external/secret-maxmind.sops.yaml.tmpl index 5d5daa62d..02910af20 100644 --- a/kubernetes/apps/networking/cloudflared/app/secret.sops.yaml.tmpl +++ b/kubernetes/apps/networking/nginx/external/secret-maxmind.sops.yaml.tmpl 
@@ -2,10 +2,10 @@ # yamllint disable apiVersion: v1 metadata: - name: cloudflared + name: maxmind namespace: networking annotations: reloader.stakater.com/match: "true" kind: Secret -data: - credentials.json: ${SECRET_CLOUDFLARE_TUNNEL_CREDS} +stringData: + MAXMIND_LICENSE_KEY: "${MAXMIND_LICENSE_KEY}" diff --git a/kubernetes/apps/networking/nginx/internal/helmrelease.yaml b/kubernetes/apps/networking/nginx/internal/helmrelease.yaml new file mode 100644 index 000000000..1080fda4e --- /dev/null +++ b/kubernetes/apps/networking/nginx/internal/helmrelease.yaml 
@@ -0,0 +1,102 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: nginx-internal + namespace: networking +spec: + interval: 30m + chart: + spec: + chart: ingress-nginx + version: 4.8.0 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: flux-system + maxHistory: 2 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + values: + fullnameOverride: nginx-internal + controller: + replicaCount: 1 + service: + annotations: + external-dns.alpha.kubernetes.io/hostname: "internal.${SECRET_DOMAIN}" + io.cilium/lb-ipam-ips: "10.2.118.3" + externalTrafficPolicy: Cluster + ingressClassResource: + name: internal + default: true + controllerValue: k8s.io/internal + admissionWebhooks: + objectSelector: + matchExpressions: + - key: ingress-class + operator: In + values: ["internal"] + allowSnippetAnnotations: true + config: + client-body-buffer-size: 100M + client-body-timeout: 120 + client-header-timeout: 120 + enable-brotli: "true" + enable-real-ip: "true" + hsts-max-age: 31449600 + keep-alive-requests: 10000 + keep-alive: 120 + log-format-escape-json: "true" + log-format-upstream: > + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", + "request_length": $request_length, "duration": $request_time, "method": "$request_method", + "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"} + proxy-body-size: 0 + proxy-buffer-size: 16k + ssl-protocols: TLSv1.3 TLSv1.2 + extraArgs: + default-ssl-certificate: 
"networking/${SECRET_DOMAIN/./-}-production-tls" + # default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-staging-tls" + metrics: + enabled: true + serviceMonitor: + enabled: true + namespace: networking + namespaceSelector: + any: true + resources: + requests: + cpu: 10m + memory: 250Mi + limits: + memory: 500Mi + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: nginx-internal + app.kubernetes.io/component: controller + defaultBackend: + enabled: true + image: + repository: ghcr.io/tarampampam/error-pages + tag: 2.25.0 + replicaCount: 1 + extraEnvs: + # https://github.com/tarampampam/error-pages#-templates + - name: TEMPLATE_NAME + value: shuffle + - name: SHOW_DETAILS + value: "false" diff --git a/kubernetes/apps/metallb-system/metallb-system/app/kustomization.yaml b/kubernetes/apps/networking/nginx/internal/kustomization.yaml similarity index 88% rename from kubernetes/apps/metallb-system/metallb-system/app/kustomization.yaml rename to kubernetes/apps/networking/nginx/internal/kustomization.yaml index 17cbc72b2..4d56b7868 100644 --- a/kubernetes/apps/metallb-system/metallb-system/app/kustomization.yaml +++ b/kubernetes/apps/networking/nginx/internal/kustomization.yaml @@ -2,5 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: networking resources: - ./helmrelease.yaml diff --git a/kubernetes/apps/kyverno/kyverno/ks.yaml b/kubernetes/apps/networking/nginx/ks.yaml similarity index 63% rename from kubernetes/apps/kyverno/kyverno/ks.yaml rename to kubernetes/apps/networking/nginx/ks.yaml index af113f26e..29bb65439 100644 --- a/kubernetes/apps/kyverno/kyverno/ks.yaml +++ b/kubernetes/apps/networking/nginx/ks.yaml 
@@ -3,15 +3,18 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-kyverno + name: networking-nginx-external namespace: flux-system spec: - path: ./kubernetes/apps/kyverno/kyverno/app + dependsOn: + # - name: nginx-certificates + - name: cert-manager-certificates + path: ./kubernetes/apps/networking/nginx/external prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m @@ -20,17 +23,18 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-kyverno-policies + name: networking-nginx-internal namespace: flux-system spec: dependsOn: - - name: apps-kyverno - path: ./kubernetes/apps/kyverno/kyverno/policies + # - name: nginx-certificates + - name: cert-manager-certificates + path: ./kubernetes/apps/networking/nginx/internal prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/rook-ceph/README.md b/kubernetes/apps/rook-ceph/README.md index 508675b14..7e5c27a94 100644 --- a/kubernetes/apps/rook-ceph/README.md +++ b/kubernetes/apps/rook-ceph/README.md @@ -61,6 +61,12 @@ kubectl -n "${ROOK_CLUSTER_NAMESPACE}" get deployment \ ``` +## Teardown and Cleanup + +> Order of operations is critical! See [documentation](https://rook.io/docs/rook/v1.11/Getting-Started/ceph-teardown) + +Run `task ceph:teardown` + ## Troubleshooting ### Dashboard not accessible thru ingress 
@@ -227,43 +233,6 @@ ssh ... sudo k3s crictl rmi --prune ``` -## Teardown and Cleanup - -> Order of operations is critical! See [documentation](https://rook.io/docs/rook/v1.9/ceph-teardown.html) - -1. Suspend Flux reconciliation or remove kustomization/s (at least the rook-ceph cluster) from git repo -2. Delete the cluster helm release (and associated configmaps) or `kubectl delete -k ./kubernetes/apps/rook-ceph/rook-ceph/cluster/`. - **DO NOT REMOVE THE ORCHESTRATOR** -3. Delete the cephcluster custom resource (if it still exists) -4. Check crds for remaining objects - -```sh -# get hanging resources -# kubectl get all -o name \ -# | xargs -n 1 kubectl get --show-kind --ignore-not-found -n rook-ceph -flux suspend kustomization apps-rook-ceph-cluster -flux suspend kustomization apps-rook-ceph-operator -kubectl patch cephcluster rook-ceph -n rook-ceph --type merge -p '{"spec":{"cleanupPolicy":{"confirmation":"yes-really-destroy-data"}}}' -kubectl patch cephcluster rook-ceph -n rook-ceph --type merge -p '{"metadata":{"finalizers": []}}' -kubectl delete cephcluster rook-ceph -n rook-ceph -kubectl delete hr rook-ceph-cluster -n rook-ceph -for RES in $(kubectl get configmap,secret -n rook-ceph -o name); do - kubectl patch "$RES" -n rook-ceph --type merge -p '{"metadata":{"finalizers": []}}' - kubectl delete "$RES" -n rook-ceph -done -for CRD in $(kubectl get crd -A -o name | grep ceph.rook.io); do - kubectl patch "$CRD" --type merge -p '{"metadata":{"finalizers": []}}' - kubectl delete "$CRD" -done; -flux delete kustomization apps-rook-ceph-cluster -s -kubectl delete hr rook-ceph-operator -n rook-ceph -flux delete kustomization apps-rook-ceph-operator -s -kubectl patch ns rook-ceph --type merge -p '{"spec":{"finalizers": []}}' -kubectl delete ns rook-ceph - -echo "!!! Don't forget to run rook-ceph cleanup ansible script !!!" -``` - ## Remove orphan rbd images 1. With `kubectl`, list all currently-in-use PVs by storage class 
diff --git a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml index 74fe14a9b..374010343 100644 --- a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml @@ -6,15 +6,14 @@ metadata: name: rook-ceph-cluster namespace: rook-ceph spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://charts.rook.io/release chart: rook-ceph-cluster version: v1.12.4 sourceRef: kind: HelmRepository - name: rook-ceph-charts + name: rook-ceph namespace: flux-system maxHistory: 3 install: @@ -39,7 +38,7 @@ spec: ingress: dashboard: - ingressClassName: nginx + ingressClassName: internal annotations: nginx.ingress.kubernetes.io/whitelist-source-range: | 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml b/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml index 7b27db33f..0da798341 100644 --- a/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml @@ -3,16 +3,16 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-rook-ceph-operator + name: rook-ceph-operator namespace: flux-system spec: # dependsOn: - # - name: apps-cert-manager # for rook-ceph admission controller + # - name: cert-manager # for rook-ceph admission controller path: ./kubernetes/apps/rook-ceph/rook-ceph/operator prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes wait: true interval: 30m retryInterval: 1m 
@@ -22,18 +22,18 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-rook-ceph-cluster + name: rook-ceph-cluster namespace: flux-system spec: dependsOn: - - name: apps-rook-ceph-operator - - name: apps-kube-system-snapshot-controller - - name: apps-networking-ingress-nginx + - name: rook-ceph-operator + - name: kube-system-snapshot-controller + # - name: networking-nginx-internal path: ./kubernetes/apps/rook-ceph/rook-ceph/cluster prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes wait: true interval: 30m retryInterval: 1m @@ -43,17 +43,19 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-rook-ceph-addons + name: rook-ceph-addons namespace: flux-system spec: dependsOn: - - name: apps-rook-ceph-cluster - - name: apps-monitoring-kube-prometheus-stack + - name: rook-ceph-cluster + - name: monitoring-kube-prometheus-stack + - name: monitoring-grafana path: ./kubernetes/apps/rook-ceph/rook-ceph/addons prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/rook-ceph/rook-ceph/operator/helmrelease.yaml b/kubernetes/apps/rook-ceph/rook-ceph/operator/helmrelease.yaml index 8e04b5168..c712784f1 100644 --- a/kubernetes/apps/rook-ceph/rook-ceph/operator/helmrelease.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/operator/helmrelease.yaml @@ -6,15 +6,14 @@ metadata: name: rook-ceph-operator namespace: rook-ceph spec: - interval: 15m + interval: 30m chart: spec: - # renovate: registryUrl=https://charts.rook.io/release chart: rook-ceph version: v1.12.4 sourceRef: kind: HelmRepository - name: rook-ceph-charts + name: rook-ceph namespace: flux-system maxHistory: 3 install: 
diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml index 33a30d302..0d16d6f45 100644 --- a/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml +++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml @@ -3,8 +3,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - # renovate: datasource=docker image=rancher/system-upgrade-controller - - https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.0/crd.yaml + # renovate: datasource=github-releases depName=rancher/system-upgrade-controller + - https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.1/crd.yaml - https://github.com/rancher/system-upgrade-controller?ref=v0.13.1 images: - name: rancher/system-upgrade-controller @@ -12,12 +12,12 @@ images: labels: - includeSelectors: true pairs: - app.kubernetes.io/name: system-upgrade-controller app.kubernetes.io/instance: system-upgrade-controller -patchesStrategicMerge: - - | - $patch: delete - apiVersion: v1 - kind: Namespace - metadata: - name: system-upgrade + app.kubernetes.io/name: system-upgrade-controller +patches: + - patch: | + $patch: delete + apiVersion: v1 + kind: Namespace + metadata: + name: system-upgrade diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/ks.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/ks.yaml index ff22106d5..7f8535f9a 100644 --- a/kubernetes/apps/system-upgrade/system-upgrade-controller/ks.yaml +++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/ks.yaml 
@@ -3,14 +3,14 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-system-upgrade-controller + name: system-upgrade-controller namespace: flux-system spec: path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes wait: true interval: 30m retryInterval: 1m @@ -20,17 +20,17 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-system-upgrade-controller-plans + name: system-upgrade-controller-plans namespace: flux-system spec: dependsOn: - - name: apps-system-upgrade-controller + - name: system-upgrade-controller path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/plans prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/agent.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/agent.yaml index 14b481144..4af47c07a 100644 --- a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/agent.yaml +++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/agent.yaml @@ -6,7 +6,7 @@ metadata: namespace: system-upgrade spec: # renovate: datasource=github-releases depName=k3s-io/k3s - version: "v1.26.7+k3s1" + version: "v1.28.2+k3s1" serviceAccountName: system-upgrade concurrency: 1 nodeSelector: diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/server.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/server.yaml index 21744e5c7..1369300fd 100644 --- a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/server.yaml +++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/server.yaml 
@@ -6,7 +6,7 @@ metadata: namespace: system-upgrade spec: # renovate: datasource=github-releases depName=k3s-io/k3s - version: "v1.26.7+k3s1" + version: "v1.28.2+k3s1" serviceAccountName: system-upgrade concurrency: 1 cordon: true diff --git a/kubernetes/apps/tigera-operator/README.md b/kubernetes/apps/tigera-operator/README.md deleted file mode 100644 index 6df33db05..000000000 --- a/kubernetes/apps/tigera-operator/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# [Tigera Operator](https://github.com/tigera/operator) - -Kubernetes operator for installing Calico and Calico Enterprise - -## Give Helm ownership - -(Re)Install Operator over ansible-installed version to allow subsequent cluster updates - -```sh -zsh ./kubernetes/apps/tigera-operator/give_helm_ownership.sh -``` - -[see also](https://github.com/onedr0p/flux-cluster-template/issues/321) diff --git a/kubernetes/apps/tigera-operator/give_helm_ownership.sh b/kubernetes/apps/tigera-operator/give_helm_ownership.sh deleted file mode 100644 index aaaf8d593..000000000 --- a/kubernetes/apps/tigera-operator/give_helm_ownership.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/usr/bin/env bash -# shellcheck disable=SC2155 -export KUBECONFIG="$(git rev-parse --show-toplevel)/kubeconfig" -export meta_namespace='{"metadata": {"annotations": {"meta.helm.sh/release-namespace": "tigera-operator"}}}' -export meta_releasename='{"metadata": {"annotations": {"meta.helm.sh/release-name": "tigera-operator"}}}' -export managed_by='{"metadata": {"labels": {"app.kubernetes.io/managed-by": "Helm"}}}' - -# kubectl patch apiserver default --type=merge -p "${meta_namespace}" -# kubectl patch apiserver default --type=merge -p "${meta_releasename}" -# kubectl patch apiserver default --type=merge -p "${managed_by}" -kubectl patch installation default --type=merge -p "${meta_namespace}" -kubectl patch installation default --type=merge -p "${meta_releasename}" -kubectl patch installation default --type=merge -p "${managed_by}" -# kubectl patch podsecuritypolicy tigera-operator --type=merge -p "${meta_namespace}" -# kubectl patch podsecuritypolicy tigera-operator --type=merge -p "${meta_releasename}" -# kubectl patch podsecuritypolicy tigera-operator --type=merge -p "${managed_by}" -kubectl patch -n tigera-operator deployment tigera-operator --type=merge -p "${meta_namespace}" -kubectl patch -n tigera-operator deployment tigera-operator --type=merge -p "${meta_releasename}" -kubectl patch -n tigera-operator deployment tigera-operator --type=merge -p "${managed_by}" -kubectl patch -n tigera-operator serviceaccount tigera-operator --type=merge -p "${meta_namespace}" -kubectl patch -n tigera-operator serviceaccount tigera-operator --type=merge -p "${meta_releasename}" -kubectl patch -n tigera-operator serviceaccount tigera-operator --type=merge -p "${managed_by}" -kubectl patch clusterrole tigera-operator --type=merge -p "${meta_namespace}" -kubectl patch clusterrole tigera-operator --type=merge -p "${meta_releasename}" -kubectl patch clusterrole tigera-operator --type=merge -p "${managed_by}" -kubectl patch clusterrolebinding tigera-operator 
tigera-operator --type=merge -p "${meta_namespace}" -kubectl patch clusterrolebinding tigera-operator tigera-operator --type=merge -p "${meta_releasename}" -kubectl patch clusterrolebinding tigera-operator tigera-operator --type=merge -p "${managed_by}" - -unset meta_namespace -unset meta_releasename -unset managed_by diff --git a/kubernetes/apps/tigera-operator/kustomization.yaml b/kubernetes/apps/tigera-operator/kustomization.yaml deleted file mode 100644 index 5b3476754..000000000 --- a/kubernetes/apps/tigera-operator/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Pre Flux-Kustomizations - - ./namespace.yaml - # Flux-Kustomizations - # Before enabling read https://github.com/onedr0p/flux-cluster-template/issues/321 - - ./tigera-operator/ks.yaml diff --git a/kubernetes/apps/tigera-operator/namespace.yaml b/kubernetes/apps/tigera-operator/namespace.yaml deleted file mode 100644 index c92893848..000000000 --- a/kubernetes/apps/tigera-operator/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: tigera-operator - labels: - kustomize.toolkit.fluxcd.io/prune: disabled - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/apps/tigera-operator/tigera-operator/app/helmrelease.yaml b/kubernetes/apps/tigera-operator/tigera-operator/app/helmrelease.yaml deleted file mode 100644 index 0e2a60750..000000000 --- a/kubernetes/apps/tigera-operator/tigera-operator/app/helmrelease.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: tigera-operator - namespace: tigera-operator -spec: - interval: 15m - chart: - spec: - chart: tigera-operator - version: v3.25.1 - sourceRef: - kind: HelmRepository - name: calico-charts - namespace: flux-system - maxHistory: 3 - install: - createNamespace: true - crds: CreateReplace - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - crds: CreateReplace - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - # Configures general installation parameters for Calico. Schema is based - # on the operator.tigera.io/Installation API documented - # here: https://projectcalico.docs.tigera.io/reference/installation/api#operator.tigera.io/v1.InstallationSpec - installation: - enabled: true - registry: quay.io - imagePath: calico - ### from the ansible template used in bootstrap - calicoNetwork: - # Note: The ipPools section cannot be modified post-install. - ipPools: - - blockSize: 26 - cidr: "${NET_POD_CIDR}" - encapsulation: "VXLANCrossSubnet" - natOutgoing: Enabled - nodeSelector: all() - linuxDataplane: Iptables - multiInterfaceMode: None - nodeAddressAutodetectionV4: - cidrs: - - "${NET_NODE_CIDR}" - nodeMetricsPort: 9091 - typhaMetricsPort: 9093 - - resources: - requests: - cpu: 35m - memory: 200Mi - limits: - memory: 200Mi - - tolerations: - - effect: NoExecute - operator: Exists - - effect: NoSchedule - operator: Exists - - nodeSelector: - node-role.kubernetes.io/control-plane: "true" diff --git a/kubernetes/apps/tigera-operator/tigera-operator/app/ipreservation.yaml b/kubernetes/apps/tigera-operator/tigera-operator/app/ipreservation.yaml deleted file mode 100644 index 4fd74ef74..000000000 --- a/kubernetes/apps/tigera-operator/tigera-operator/app/ipreservation.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -apiVersion: projectcalico.org/v3 -kind: IPReservation -metadata: - name: pod-reservations -spec: - reservedCIDRs: - ## cloudflared - - 10.42.42.40 - - 10.42.42.41 - - 10.42.42.42 diff --git a/kubernetes/apps/volsync/volsync/app/helmrelease.yaml b/kubernetes/apps/volsync/volsync/app/helmrelease.yaml index 04d3c71f0..b1f2e0e95 100644 --- a/kubernetes/apps/volsync/volsync/app/helmrelease.yaml +++ b/kubernetes/apps/volsync/volsync/app/helmrelease.yaml @@ -6,14 +6,14 @@ metadata: name: volsync namespace: volsync spec: - interval: 15m + interval: 30m chart: spec: chart: volsync version: 0.7.1 sourceRef: kind: HelmRepository - name: backube-charts + name: backube namespace: flux-system maxHistory: 3 install: @@ -30,3 +30,24 @@ spec: manageCRDs: true metrics: disableAuth: true + + postRenderers: + - kustomize: + patchesStrategicMerge: + - apiVersion: apps/v1 + kind: Deployment + metadata: + name: volsync + spec: + template: + spec: + containers: + - name: manager + volumeMounts: + - name: tz-config + mountPath: /etc/localtime + volumes: + - name: tz-config + hostPath: + path: /usr/share/zoneinfo/America/New_York + type: File diff --git a/kubernetes/apps/volsync/volsync/ks.yaml b/kubernetes/apps/volsync/volsync/ks.yaml index d9f1fcaee..8e59102e6 100644 --- a/kubernetes/apps/volsync/volsync/ks.yaml +++ b/kubernetes/apps/volsync/volsync/ks.yaml @@ -3,17 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps-volsync + name: volsync namespace: flux-system spec: dependsOn: - - name: apps-kube-system-snapshot-controller + - name: kube-system-snapshot-controller path: ./kubernetes/apps/volsync/volsync/app prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s - wait: true + name: home-kubernetes + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/bootstrap/kustomization.yaml b/kubernetes/bootstrap/kustomization.yaml index 1d7a1e988..e21a78dca 100644 
--- a/kubernetes/bootstrap/kustomization.yaml +++ b/kubernetes/bootstrap/kustomization.yaml @@ -1,3 +1,5 @@ +# IMPORTANT: This file is not tracked by flux and should never be. Its +# purpose is to only install the Flux components and CRDs into your cluster. --- # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 @@ -5,8 +7,8 @@ kind: Kustomization resources: - github.com/fluxcd/flux2/manifests/install?ref=v2.1.1 patches: - # Remove the network policies that does not work with k3s - - patch: |- + # Remove the default network policies + - patch: | $patch: delete apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -14,7 +16,6 @@ patches: name: not-used target: group: networking.k8s.io - version: v1 kind: NetworkPolicy - patch: | apiVersion: apps/v1 diff --git a/kubernetes/flux/apps.yaml b/kubernetes/flux/apps.yaml index 6a4884e2c..6ad55e6d1 100644 --- a/kubernetes/flux/apps.yaml +++ b/kubernetes/flux/apps.yaml @@ -6,12 +6,12 @@ metadata: name: apps namespace: flux-system spec: - interval: 15m + interval: 30m path: ./kubernetes/apps prune: true sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes decryption: provider: sops secretRef: @@ -22,6 +22,10 @@ spec: name: cluster-settings - kind: Secret name: cluster-secrets + - kind: ConfigMap + name: custom-settings + - kind: Secret + name: custom-secrets patches: # add decryption & envsubst to Kustomizations with given label - patch: |- @@ -40,9 +44,12 @@ spec: name: cluster-settings - kind: Secret name: cluster-secrets + - kind: ConfigMap + name: custom-settings + - kind: Secret + name: custom-secrets target: # substitute is default condition unless 'substitution.flux.home.arpa/disabled: "true"' is present group: kustomize.toolkit.fluxcd.io - version: v1 kind: Kustomization labelSelector: substitution.flux.home.arpa/disabled notin (true) 
diff --git a/kubernetes/flux/config/cluster.yaml b/kubernetes/flux/config/cluster.yaml index 56c91f97e..2ecef7ef4 100644 --- a/kubernetes/flux/config/cluster.yaml +++ b/kubernetes/flux/config/cluster.yaml @@ -1,17 +1,15 @@ --- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/gitrepository-source-v1.json apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: - name: homelab-gitops-k3s + name: home-kubernetes namespace: flux-system spec: - interval: 15m - # ssh:// requires github-deploy-key in bootstrap - url: ssh://git@github.com/ahgraber/homelab-gitops-k3s + interval: 30m ref: branch: main - secretRef: - name: github-deploy-key + url: "https://github.com/ahgraber/homelab-gitops-k3s.git" ignore: | # exclude all /* @@ -22,16 +20,16 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: flux-cluster + name: cluster namespace: flux-system spec: - interval: 15m + interval: 30m path: ./kubernetes/flux prune: true wait: false sourceRef: kind: GitRepository - name: homelab-gitops-k3s + name: home-kubernetes decryption: provider: sops secretRef: @@ -40,7 +38,9 @@ spec: substituteFrom: - kind: ConfigMap name: cluster-settings - optional: false + - kind: ConfigMap + name: custom-settings - kind: Secret name: cluster-secrets - optional: false + - kind: Secret + name: custom-secrets diff --git a/kubernetes/flux/config/flux.yaml b/kubernetes/flux/config/flux.yaml index 80de65ccf..9f030ca44 100644 --- a/kubernetes/flux/config/flux.yaml +++ b/kubernetes/flux/config/flux.yaml @@ -1,11 +1,12 @@ --- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/ocirepository-source-v1beta2.json apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: OCIRepository metadata: name: flux-manifests namespace: flux-system spec: - interval: 15m + interval: 10m url: oci://ghcr.io/fluxcd/flux-manifests ref: tag: v2.1.1 
@@ -17,7 +18,7 @@ metadata: name: flux namespace: flux-system spec: - interval: 15m + interval: 10m path: ./ prune: true wait: true @@ -25,7 +26,7 @@ spec: kind: OCIRepository name: flux-manifests patches: - # Remove the network policy which doesn't work with k3s + # Remove the network policies that does not work with k3s - patch: | $patch: delete apiVersion: networking.k8s.io/v1 @@ -34,7 +35,6 @@ spec: name: not-used target: group: networking.k8s.io - version: v1 kind: NetworkPolicy # Bump resource limits and add node selector & tolerations - patch: | diff --git a/kubernetes/flux/repositories/git/local-path-provisioner.yaml b/kubernetes/flux/repositories/git/local-path-provisioner.yaml index 8e72d4976..e7f7a67fc 100644 --- a/kubernetes/flux/repositories/git/local-path-provisioner.yaml +++ b/kubernetes/flux/repositories/git/local-path-provisioner.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/gitrepository-source-v1.json apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: @@ -8,7 +9,7 @@ spec: interval: 30m url: https://github.com/rancher/local-path-provisioner ref: - tag: v0.0.23 # ref: https://github.com/rancher/local-path-provisioner/issues/333 + tag: v0.0.24 ignore: | # exclude all /* diff --git a/kubernetes/flux/repositories/helm/authentik-charts.yaml b/kubernetes/flux/repositories/helm/authentik-charts.yaml deleted file mode 100644 index df6e6cda7..000000000 --- a/kubernetes/flux/repositories/helm/authentik-charts.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: authentik-charts - namespace: flux-system -spec: - interval: 1h - url: https://charts.goauthentik.io/ 
diff --git a/kubernetes/flux/repositories/helm/backube-charts.yaml b/kubernetes/flux/repositories/helm/backube.yaml similarity index 93% rename from kubernetes/flux/repositories/helm/backube-charts.yaml rename to kubernetes/flux/repositories/helm/backube.yaml index 695cb8a9a..a4a6a0182 100644 --- a/kubernetes/flux/repositories/helm/backube-charts.yaml +++ b/kubernetes/flux/repositories/helm/backube.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: backube-charts + name: backube namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/bitnami-charts.yaml b/kubernetes/flux/repositories/helm/bitnami.yaml similarity index 93% rename from kubernetes/flux/repositories/helm/bitnami-charts.yaml rename to kubernetes/flux/repositories/helm/bitnami.yaml index 52f7c0d7d..c800719c0 100644 --- a/kubernetes/flux/repositories/helm/bitnami-charts.yaml +++ b/kubernetes/flux/repositories/helm/bitnami.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: bitnami-charts + name: bitnami namespace: flux-system spec: type: oci diff --git a/kubernetes/flux/repositories/helm/bjws-charts.yaml b/kubernetes/flux/repositories/helm/bjw-s.yaml similarity index 93% rename from kubernetes/flux/repositories/helm/bjws-charts.yaml rename to kubernetes/flux/repositories/helm/bjw-s.yaml index a63f5b8ba..79045f04d 100644 --- a/kubernetes/flux/repositories/helm/bjws-charts.yaml +++ b/kubernetes/flux/repositories/helm/bjw-s.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: bjw-s-charts + name: bjw-s namespace: flux-system spec: type: oci 
diff --git a/kubernetes/flux/repositories/helm/dysnix-charts.yaml b/kubernetes/flux/repositories/helm/cilium.yaml similarity index 81% rename from kubernetes/flux/repositories/helm/dysnix-charts.yaml rename to kubernetes/flux/repositories/helm/cilium.yaml index 803ed4c2a..4bdfb500a 100644 --- a/kubernetes/flux/repositories/helm/dysnix-charts.yaml +++ b/kubernetes/flux/repositories/helm/cilium.yaml @@ -3,8 +3,8 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: dysnix-charts + name: cilium namespace: flux-system spec: interval: 1h - url: https://dysnix.github.io/charts + url: https://helm.cilium.io diff --git a/kubernetes/flux/repositories/helm/cloudnativepg-charts.yaml b/kubernetes/flux/repositories/helm/cloudnativepg.yaml similarity index 91% rename from kubernetes/flux/repositories/helm/cloudnativepg-charts.yaml rename to kubernetes/flux/repositories/helm/cloudnativepg.yaml index c50b74f3c..6c3986f26 100644 --- a/kubernetes/flux/repositories/helm/cloudnativepg-charts.yaml +++ b/kubernetes/flux/repositories/helm/cloudnativepg.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: cloudnativepg-charts + name: cloudnativepg namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/coredns.yaml b/kubernetes/flux/repositories/helm/coredns.yaml new file mode 100644 index 000000000..29cd6d18e --- /dev/null +++ b/kubernetes/flux/repositories/helm/coredns.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: coredns + namespace: flux-system +spec: + interval: 1h + url: https://coredns.github.io/helm 
diff --git a/kubernetes/flux/repositories/helm/crowdsec-charts.yaml b/kubernetes/flux/repositories/helm/crowdsec.yaml similarity index 92% rename from kubernetes/flux/repositories/helm/crowdsec-charts.yaml rename to kubernetes/flux/repositories/helm/crowdsec.yaml index 84e129062..46708c53b 100644 --- a/kubernetes/flux/repositories/helm/crowdsec-charts.yaml +++ b/kubernetes/flux/repositories/helm/crowdsec.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: crowdsec-charts + name: crowdsec namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/calico-charts.yaml b/kubernetes/flux/repositories/helm/csi-driver-nfs.yaml similarity index 70% rename from kubernetes/flux/repositories/helm/calico-charts.yaml rename to kubernetes/flux/repositories/helm/csi-driver-nfs.yaml index e5d72a2cd..3c0226028 100644 --- a/kubernetes/flux/repositories/helm/calico-charts.yaml +++ b/kubernetes/flux/repositories/helm/csi-driver-nfs.yaml @@ -3,8 +3,8 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: calico-charts + name: csi-driver-nfs namespace: flux-system spec: interval: 1h - url: https://projectcalico.docs.tigera.io/charts + url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts diff --git a/kubernetes/flux/repositories/helm/deliveryhero-charts.yaml b/kubernetes/flux/repositories/helm/deliveryhero.yaml similarity index 91% rename from kubernetes/flux/repositories/helm/deliveryhero-charts.yaml rename to kubernetes/flux/repositories/helm/deliveryhero.yaml index 81ce1556a..1cfb1dadc 100755 --- a/kubernetes/flux/repositories/helm/deliveryhero-charts.yaml +++ b/kubernetes/flux/repositories/helm/deliveryhero.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: deliveryhero-charts + name: deliveryhero namespace: flux-system spec: interval: 1h 
diff --git a/kubernetes/flux/repositories/helm/democratic-csi-charts.yaml b/kubernetes/flux/repositories/helm/democratic-csi.yaml similarity index 91% rename from kubernetes/flux/repositories/helm/democratic-csi-charts.yaml rename to kubernetes/flux/repositories/helm/democratic-csi.yaml index d01bb7152..873c5fdf8 100644 --- a/kubernetes/flux/repositories/helm/democratic-csi-charts.yaml +++ b/kubernetes/flux/repositories/helm/democratic-csi.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: democratic-csi-charts + name: democratic-csi namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/descheduler-charts.yaml b/kubernetes/flux/repositories/helm/descheduler.yaml similarity index 92% rename from kubernetes/flux/repositories/helm/descheduler-charts.yaml rename to kubernetes/flux/repositories/helm/descheduler.yaml index a8c7e1397..b0257f494 100755 --- a/kubernetes/flux/repositories/helm/descheduler-charts.yaml +++ b/kubernetes/flux/repositories/helm/descheduler.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: descheduler-charts + name: descheduler namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/emberstack-charts.yaml b/kubernetes/flux/repositories/helm/emberstack.yaml similarity index 92% rename from kubernetes/flux/repositories/helm/emberstack-charts.yaml rename to kubernetes/flux/repositories/helm/emberstack.yaml index c7461d7d0..624eb6f53 100644 --- a/kubernetes/flux/repositories/helm/emberstack-charts.yaml +++ b/kubernetes/flux/repositories/helm/emberstack.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: emberstack-charts + name: emberstack namespace: flux-system spec: interval: 1h 
diff --git a/kubernetes/flux/repositories/helm/external-dns-charts.yaml b/kubernetes/flux/repositories/helm/external-dns.yaml similarity index 87% rename from kubernetes/flux/repositories/helm/external-dns-charts.yaml rename to kubernetes/flux/repositories/helm/external-dns.yaml index 14d1bf02c..e3f7f3502 100644 --- a/kubernetes/flux/repositories/helm/external-dns-charts.yaml +++ b/kubernetes/flux/repositories/helm/external-dns.yaml @@ -3,8 +3,8 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: external-dns-charts + name: external-dns namespace: flux-system spec: - interval: 2h + interval: 1h url: https://kubernetes-sigs.github.io/external-dns diff --git a/kubernetes/flux/repositories/helm/fairwinds-charts.yaml b/kubernetes/flux/repositories/helm/fairwinds.yaml similarity index 92% rename from kubernetes/flux/repositories/helm/fairwinds-charts.yaml rename to kubernetes/flux/repositories/helm/fairwinds.yaml index f3bb7cbcf..64f8b6141 100755 --- a/kubernetes/flux/repositories/helm/fairwinds-charts.yaml +++ b/kubernetes/flux/repositories/helm/fairwinds.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: fairwinds-charts + name: fairwinds namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/grafana-charts.yaml b/kubernetes/flux/repositories/helm/grafana.yaml similarity index 93% rename from kubernetes/flux/repositories/helm/grafana-charts.yaml rename to kubernetes/flux/repositories/helm/grafana.yaml index d7a4afd95..464f98cfb 100644 --- a/kubernetes/flux/repositories/helm/grafana-charts.yaml +++ b/kubernetes/flux/repositories/helm/grafana.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: grafana-charts + name: grafana namespace: flux-system spec: interval: 1h 
diff --git a/kubernetes/flux/repositories/helm/ingress-nginx-charts.yaml b/kubernetes/flux/repositories/helm/ingress-nginx.yaml similarity index 87% rename from kubernetes/flux/repositories/helm/ingress-nginx-charts.yaml rename to kubernetes/flux/repositories/helm/ingress-nginx.yaml index fc621b6c9..0438609d7 100644 --- a/kubernetes/flux/repositories/helm/ingress-nginx-charts.yaml +++ b/kubernetes/flux/repositories/helm/ingress-nginx.yaml @@ -3,8 +3,8 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: ingress-nginx-charts + name: ingress-nginx namespace: flux-system spec: - interval: 2h + interval: 1h url: https://kubernetes.github.io/ingress-nginx diff --git a/kubernetes/flux/repositories/helm/jetstack-charts.yaml b/kubernetes/flux/repositories/helm/jetstack.yaml similarity index 92% rename from kubernetes/flux/repositories/helm/jetstack-charts.yaml rename to kubernetes/flux/repositories/helm/jetstack.yaml index 6268de7e1..3dd6d7801 100644 --- a/kubernetes/flux/repositories/helm/jetstack-charts.yaml +++ b/kubernetes/flux/repositories/helm/jetstack.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: jetstack-charts + name: jetstack namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/jupyterhub-charts.yaml b/kubernetes/flux/repositories/helm/jupyterhub.yaml similarity index 86% rename from kubernetes/flux/repositories/helm/jupyterhub-charts.yaml rename to kubernetes/flux/repositories/helm/jupyterhub.yaml index dee207cf4..858dfb442 100644 --- a/kubernetes/flux/repositories/helm/jupyterhub-charts.yaml +++ b/kubernetes/flux/repositories/helm/jupyterhub.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: jupyterhub-charts + name: https://jupyterhub.github.io/helm-chart namespace: flux-system spec: interval: 1h 
diff --git a/kubernetes/flux/repositories/helm/k8s-gateway-charts.yaml b/kubernetes/flux/repositories/helm/k8s-gateway.yaml similarity index 91% rename from kubernetes/flux/repositories/helm/k8s-gateway-charts.yaml rename to kubernetes/flux/repositories/helm/k8s-gateway.yaml index 0f74ad84e..af2cbe701 100644 --- a/kubernetes/flux/repositories/helm/k8s-gateway-charts.yaml +++ b/kubernetes/flux/repositories/helm/k8s-gateway.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: k8s-gateway-charts + name: k8s-gateway namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/kubereboot-charts.yaml b/kubernetes/flux/repositories/helm/kubereboot-charts.yaml deleted file mode 100755 index 8bdd481fc..000000000 --- a/kubernetes/flux/repositories/helm/kubereboot-charts.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: kubereboot-charts - namespace: flux-system -spec: - interval: 1h - url: https://kubereboot.github.io/charts diff --git a/kubernetes/flux/repositories/helm/kubernetes-dashboard-charts.yaml b/kubernetes/flux/repositories/helm/kubernetes-dashboard.yaml similarity index 85% rename from kubernetes/flux/repositories/helm/kubernetes-dashboard-charts.yaml rename to kubernetes/flux/repositories/helm/kubernetes-dashboard.yaml index f2b6de4c9..2d1030b5d 100644 --- a/kubernetes/flux/repositories/helm/kubernetes-dashboard-charts.yaml +++ b/kubernetes/flux/repositories/helm/kubernetes-dashboard.yaml @@ -3,8 +3,8 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: kubernetes-dashboard-charts + name: kubernetes-dashboard namespace: flux-system spec: - interval: 2h + interval: 1h url: https://kubernetes.github.io/dashboard/ 
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml index 4f1056338..44fbe1f1e 100644 --- a/kubernetes/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/flux/repositories/helm/kustomization.yaml 
@@ -2,45 +2,39 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +# yamllint disable rule:comments +# prettier-ignore resources: - - ./actions-runner-controller.yaml - # - ./authentik-charts.yaml - - ./backube-charts.yaml # snapscheduler, volsync - - ./bitnami-charts.yaml - - ./bjws-charts.yaml - - ./calico-charts.yaml - - ./cloudflare-charts.yaml - - ./cloudnativepg-charts.yaml - - ./crowdsec-charts.yaml - - ./deliveryhero-charts.yaml # node-problem-detector (and others) - - ./democratic-csi-charts.yaml - - ./descheduler-charts.yaml - # - ./dysnix-charts.yaml # raw - - ./emberstack-charts.yaml # reflector - - ./external-dns-charts.yaml - - ./fairwinds-charts.yaml # goldilocks (and others) - - ./grafana-charts.yaml - - ./ingress-nginx-charts.yaml - - ./jetstack-charts.yaml # cert-manager - - ./jupyterhub-charts.yaml - - ./k8s-gateway-charts.yaml - - ./kubernetes-dashboard-charts.yaml - - ./kubereboot-charts.yaml # kured - - ./kyverno-charts.yaml - - ./lwolf-charts.yaml # kube-cleanup-operator - - ./metallb-charts.yaml - - ./metrics-server-charts.yaml - - ./movetokube-charts.yaml - # - ./mysql-charts.yaml - - ./node-feature-discovery-charts.yaml - - ./ot-charts.yaml - # - ./percona-charts.yaml - - ./piraeus-charts.yaml - - ./prefect-charts.yaml - - ./prometheus-community-charts.yaml - - ./rook-ceph-charts.yaml - - ./runix-charts.yaml # pgadmin - - ./stakater-charts.yaml # reloader - # - ./traefik-charts.yaml - - ./valheim-charts.yaml - - ./weave-gitops-charts.yaml + # - ./actions-runner-controller.yaml + - ./backube.yaml # volsync + - ./bitnami.yaml + - ./bjw-s.yaml # common app-template + - ./cilium.yaml + - ./cloudnativepg.yaml + - ./coredns.yaml + - ./crowdsec.yaml + - ./csi-driver-nfs.yaml + - ./deliveryhero.yaml # node-problem-detector (and others) + - ./democratic-csi.yaml + - ./descheduler.yaml + - ./emberstack.yaml # reflector + - ./external-dns.yaml + - 
./fairwinds.yaml # goldilocks (and others) + - ./grafana.yaml + - ./ingress-nginx.yaml + - ./jetstack.yaml # cert-manager + # - ./jupyterhub.yaml + - ./k8s-gateway.yaml + - ./kubernetes-dashboard.yaml + - ./lwolf.yaml # kube-cleanup-operator + - ./metrics-server.yaml + - ./movetokube.yaml # ext-postgres-operator + - ./opstree.yaml # redis-operator + - ./piraeus.yaml # snapshot-controller + - ./prefect.yaml + - ./prometheus-community.yaml + - ./rook-ceph.yaml + - ./runix.yaml # pgadmin + - ./stakater.yaml # reloader + # - ./valheim.yaml + - ./weave-gitops.yaml diff --git a/kubernetes/flux/repositories/helm/kyverno-charts.yaml b/kubernetes/flux/repositories/helm/kyverno-charts.yaml deleted file mode 100644 index 9c3e3dc80..000000000 --- a/kubernetes/flux/repositories/helm/kyverno-charts.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: kyverno-charts - namespace: flux-system -spec: - type: oci - interval: 5m - url: oci://ghcr.io/kyverno/charts diff --git a/kubernetes/flux/repositories/helm/lwolf-charts.yaml b/kubernetes/flux/repositories/helm/lwolf.yaml similarity index 93% rename from kubernetes/flux/repositories/helm/lwolf-charts.yaml rename to kubernetes/flux/repositories/helm/lwolf.yaml index 30fde74f5..464a65f40 100755 --- a/kubernetes/flux/repositories/helm/lwolf-charts.yaml +++ b/kubernetes/flux/repositories/helm/lwolf.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: lwolf-charts + name: lwolf namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/metallb-charts.yaml b/kubernetes/flux/repositories/helm/metallb-charts.yaml deleted file mode 100644 index 860e4e879..000000000 --- a/kubernetes/flux/repositories/helm/metallb-charts.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: metallb-charts - namespace: flux-system -spec: - interval: 1h - url: https://metallb.github.io/metallb diff --git a/kubernetes/flux/repositories/helm/metrics-server-charts.yaml b/kubernetes/flux/repositories/helm/metrics-server-charts.yaml deleted file mode 100644 index be65de77e..000000000 --- a/kubernetes/flux/repositories/helm/metrics-server-charts.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: metrics-server-charts - namespace: flux-system -spec: - interval: 1h - url: https://kubernetes-sigs.github.io/metrics-server/ diff --git a/kubernetes/flux/repositories/helm/cloudflare-charts.yaml b/kubernetes/flux/repositories/helm/metrics-server.yaml similarity index 76% rename from kubernetes/flux/repositories/helm/cloudflare-charts.yaml rename to kubernetes/flux/repositories/helm/metrics-server.yaml index 328712746..552a1b4ab 100644 --- a/kubernetes/flux/repositories/helm/cloudflare-charts.yaml +++ b/kubernetes/flux/repositories/helm/metrics-server.yaml @@ -3,8 +3,8 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: cloudflare-charts + name: metrics-server namespace: flux-system spec: interval: 1h - url: https://cloudflare.github.io/helm-charts + url: https://kubernetes-sigs.github.io/metrics-server 
diff --git a/kubernetes/flux/repositories/helm/movetokube-charts.yaml b/kubernetes/flux/repositories/helm/movetokube.yaml similarity index 92% rename from kubernetes/flux/repositories/helm/movetokube-charts.yaml rename to kubernetes/flux/repositories/helm/movetokube.yaml index 1d04a3839..10e5916e6 100644 --- a/kubernetes/flux/repositories/helm/movetokube-charts.yaml +++ b/kubernetes/flux/repositories/helm/movetokube.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: movetokube-charts + name: movetokube namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/mysql-charts.yaml b/kubernetes/flux/repositories/helm/mysql-charts.yaml deleted file mode 100644 index 6d2939d8d..000000000 --- a/kubernetes/flux/repositories/helm/mysql-charts.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: mysql-charts - namespace: flux-system -spec: - interval: 1h - url: https://mysql.github.io/mysql-operator/ diff --git a/kubernetes/flux/repositories/helm/node-feature-discovery-charts.yaml b/kubernetes/flux/repositories/helm/node-feature-discovery-charts.yaml deleted file mode 100755 index 1997070e6..000000000 --- a/kubernetes/flux/repositories/helm/node-feature-discovery-charts.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: node-feature-discovery-charts - namespace: flux-system -spec: - interval: 1h - url: https://kubernetes-sigs.github.io/node-feature-discovery/charts 
diff --git a/kubernetes/flux/repositories/helm/ot-charts.yaml b/kubernetes/flux/repositories/helm/opstree.yaml similarity index 94% rename from kubernetes/flux/repositories/helm/ot-charts.yaml rename to kubernetes/flux/repositories/helm/opstree.yaml index 0b8dfe571..7e189bc66 100755 --- a/kubernetes/flux/repositories/helm/ot-charts.yaml +++ b/kubernetes/flux/repositories/helm/opstree.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: ot-charts + name: opstree namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/percona-charts.yaml b/kubernetes/flux/repositories/helm/percona-charts.yaml deleted file mode 100644 index 271a592d7..000000000 --- a/kubernetes/flux/repositories/helm/percona-charts.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: percona-charts - namespace: flux-system -spec: - interval: 1h - url: https://percona.github.io/percona-helm-charts/ diff --git a/kubernetes/flux/repositories/helm/piraeus-charts.yaml b/kubernetes/flux/repositories/helm/piraeus.yaml similarity index 92% rename from kubernetes/flux/repositories/helm/piraeus-charts.yaml rename to kubernetes/flux/repositories/helm/piraeus.yaml index 41ff440c9..5e98398fb 100644 --- a/kubernetes/flux/repositories/helm/piraeus-charts.yaml +++ b/kubernetes/flux/repositories/helm/piraeus.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: piraeus-charts + name: piraeus namespace: flux-system spec: interval: 2h 
diff --git a/kubernetes/flux/repositories/helm/prefect-charts.yaml b/kubernetes/flux/repositories/helm/prefect.yaml similarity index 93% rename from kubernetes/flux/repositories/helm/prefect-charts.yaml rename to kubernetes/flux/repositories/helm/prefect.yaml index 21bd004be..a848c3c5c 100644 --- a/kubernetes/flux/repositories/helm/prefect-charts.yaml +++ b/kubernetes/flux/repositories/helm/prefect.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: prefect-charts + name: prefect namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/prometheus-community-charts.yaml b/kubernetes/flux/repositories/helm/prometheus-community.yaml similarity index 90% rename from kubernetes/flux/repositories/helm/prometheus-community-charts.yaml rename to kubernetes/flux/repositories/helm/prometheus-community.yaml index 9e24ff5b2..36379fb4d 100644 --- a/kubernetes/flux/repositories/helm/prometheus-community-charts.yaml +++ b/kubernetes/flux/repositories/helm/prometheus-community.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: prometheus-community-charts + name: prometheus-community namespace: flux-system spec: type: oci diff --git a/kubernetes/flux/repositories/helm/rook-ceph-charts.yaml b/kubernetes/flux/repositories/helm/rook-ceph.yaml similarity index 92% rename from kubernetes/flux/repositories/helm/rook-ceph-charts.yaml rename to kubernetes/flux/repositories/helm/rook-ceph.yaml index 22049ba44..77b82165d 100644 --- a/kubernetes/flux/repositories/helm/rook-ceph-charts.yaml +++ b/kubernetes/flux/repositories/helm/rook-ceph.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: rook-ceph-charts + name: rook-ceph namespace: flux-system spec: interval: 1h 
diff --git a/kubernetes/flux/repositories/helm/runix-charts.yaml b/kubernetes/flux/repositories/helm/runix.yaml similarity index 93% rename from kubernetes/flux/repositories/helm/runix-charts.yaml rename to kubernetes/flux/repositories/helm/runix.yaml index 69b5e8c3e..a9161c3af 100644 --- a/kubernetes/flux/repositories/helm/runix-charts.yaml +++ b/kubernetes/flux/repositories/helm/runix.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: runix-charts + name: runix namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/stakater-charts.yaml b/kubernetes/flux/repositories/helm/stakater.yaml old mode 100755 new mode 100644 similarity index 92% rename from kubernetes/flux/repositories/helm/stakater-charts.yaml rename to kubernetes/flux/repositories/helm/stakater.yaml index 6238d3e8d..3bd37f762 --- a/kubernetes/flux/repositories/helm/stakater-charts.yaml +++ b/kubernetes/flux/repositories/helm/stakater.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: stakater-charts + name: stakater namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/traefik-charts.yaml b/kubernetes/flux/repositories/helm/traefik-charts.yaml deleted file mode 100644 index b1eef5fe5..000000000 --- a/kubernetes/flux/repositories/helm/traefik-charts.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: traefik-charts - namespace: flux-system -spec: - interval: 1h - url: https://helm.traefik.io/traefik 
diff --git a/kubernetes/flux/repositories/helm/valheim-charts.yaml b/kubernetes/flux/repositories/helm/valheim.yaml similarity index 93% rename from kubernetes/flux/repositories/helm/valheim-charts.yaml rename to kubernetes/flux/repositories/helm/valheim.yaml index 7683d0c25..5b9ea478d 100755 --- a/kubernetes/flux/repositories/helm/valheim-charts.yaml +++ b/kubernetes/flux/repositories/helm/valheim.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: valheim-charts + name: valheim namespace: flux-system spec: interval: 1h diff --git a/kubernetes/flux/repositories/helm/weave-gitops-charts.yaml b/kubernetes/flux/repositories/helm/weave-gitops.yaml old mode 100755 new mode 100644 similarity index 91% rename from kubernetes/flux/repositories/helm/weave-gitops-charts.yaml rename to kubernetes/flux/repositories/helm/weave-gitops.yaml index fc3bb3f7f..a0e8663fc --- a/kubernetes/flux/repositories/helm/weave-gitops-charts.yaml +++ b/kubernetes/flux/repositories/helm/weave-gitops.yaml @@ -3,7 +3,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: weave-gitops-charts + name: weave-gitops namespace: flux-system spec: type: oci diff --git a/kubernetes/flux/repositories/kustomization.yaml b/kubernetes/flux/repositories/kustomization.yaml index 7fc253395..3267ebf08 100644 --- a/kubernetes/flux/repositories/kustomization.yaml +++ b/kubernetes/flux/repositories/kustomization.yaml @@ -3,6 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./git/ - - ./helm/ - # - ./oci/ + - ./git + - ./helm + # - ./oci diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml index 2ac2464a3..f8649b4f1 100644 --- a/kubernetes/flux/vars/cluster-secrets.sops.yaml +++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml 
@@ -1,38 +1,12 @@ -# yamllint disable apiVersion: v1 kind: Secret metadata: name: cluster-secrets namespace: flux-system stringData: - #ENC[AES256_GCM,data:cPgmqo803juC,iv:cEMF5dWOGyH/qQU3UFELZu4/NZ+0zE4a+p5msgIaZi4=,tag:034kcek5bs+pZ1IIspxMww==,type:comment] - SECRET_DOMAIN: ENC[AES256_GCM,data:FaoyJ+VZXMOnwcB+arlyhqE=,iv:qXwr/BUU8RjysCFiI1p34yjIylxMPkHtrHeLNoqIfp8=,tag:faJee7oSkTF6EQ28SGk9kA==,type:str] - SECRET_ADMIN_USER: ENC[AES256_GCM,data:06egUH0=,iv:8PGXKjW5HFISoLLLRBDEQkWFDAvulBsnqlgrK7CYNMM=,tag:2W3/itCo0SWXSN+UB+HYvg==,type:str] - SECRET_ADMIN_EMAIL: ENC[AES256_GCM,data:NIhyTcW8GTAaxcwpXEBLoPSnUthko3w=,iv:2vkaKEgb4OBqOnKQOdlKFFGwsK8TkS7/kQ/D/wRv5Q0=,tag:RyLYqJsyd1P6RVAjTV/22w==,type:str] - SECRET_DEFAULT_USER: ENC[AES256_GCM,data:Lmkgb2lK5jk=,iv:Y3mP5a+zZmeQX34vrZcqxGW5FNGPlMgJXYf25MPwfOc=,tag:+SBU6uRJ1Rw5IUOId3d66g==,type:str] - SECRET_DEFAULT_EMAIL: ENC[AES256_GCM,data:OUfUphd/rg3S0XIrSa5u68NSWZuveo5fufU=,iv:vDqQTu6PCuPTvpu35/DGJnCW/44R9ujXfzVSofDEZE8=,tag:NCmfn+Z/Uk3H4vePspOHMg==,type:str] - SECRET_DEFAULT_PWD: ENC[AES256_GCM,data:FzGwFKDUPeqLKH91,iv:6xRXkWMjWlijKy90HWhbFTcHzSxCvKX/lhiitiUP0q0=,tag:xOHFC8sJC1dwpGzpgQxcjQ==,type:str] - #ENC[AES256_GCM,data:2SYCRwOcuO3IwJXcyFqt05qtYnU=,iv:0IR/lYXSQJbEOcCG8/1k+UIPgTqBJ0Kw97s2lG4ojvE=,tag:UL7eGUpPFoXDAdG5uwudEg==,type:comment] - SECRET_SMTP_ADDRESS: ENC[AES256_GCM,data:AzA0adiIAyQ8Bl7pNLoBKsnwKW/8zDDQ4t+x7RHm,iv:bjJwXT9QwHdhTkubXI1dyRfslVOwR2O0PDqNXVXkYpI=,tag:FOVuNqTqJ74Qcz8+KERywA==,type:str] - SECRET_SMTP_USER: ENC[AES256_GCM,data:EIDYTOrEcqiJyABC1Iw6mIDWGAvIJVtNIjuYrQc+R4U=,iv:KFS/GFcehO2YSONWeRiPC7lLgW4Mcja4aUxKyP9pSxI=,tag:hMzH0qxwDPR5ouBZR29HLw==,type:str] - SECRET_SMTP_PWD: ENC[AES256_GCM,data:RiCZJ/2s0RW4CQdonPrOiNrWGxhrxt853hEjG0sAIdc=,iv:rzb+cATReBoYvQGzqks7NzLIqkUXt3LCFlW4FV1bFf4=,tag:JMbJWjhuc5i1+SQFtO20hw==,type:str] - SECRET_SMTP_SRV: ENC[AES256_GCM,data:Qux4Z4tuWznNpHlaq6X6BNQ=,iv:M6SD2HJA6fCiD41FdPlMHiBWoqTrDjuu5FRF37Wb7ck=,tag:HGInJH4L5LwoQnEZao0eOw==,type:str] - SECRET_SMTP_PORT: 
ENC[AES256_GCM,data:nEex,iv:BWgUpIE8LPuWAPb2GcKCospQSOcfuvvQ36yN4q2nFxU=,tag:+4zAkL7Q2LuXRMaJDwSrDQ==,type:str] - #ENC[AES256_GCM,data:NFmhT/9Jd8+C6o7QAA==,iv:YIkbg8XG9q4LGtdHFGbfXlxHAIqmm2rYieyIn4IFbM0=,tag:UVfejJ6V7kft0UyARkzTBQ==,type:comment] - SECRET_CLOUDFLARE_EMAIL: ENC[AES256_GCM,data:JMgKOlhUUBBc9LO3ttOyc52bhkyc8CtX6KgQ8kibNOpYpGgkIacKCA==,iv:e0S6vFt40YHBSlSJIzjgClg+3G3KWlExlLbXJsiw2p0=,tag:FDFLMsoYIcy4ULNZzDCgaA==,type:str] - SECRET_CLOUDFLARE_TOKEN: ENC[AES256_GCM,data:xoD4tXy6pjsheY19VX2TYym2CtGyUQCvz4/LwVvQKlrhfLu0wgoj0g==,iv:loZ6/udo9/Qy7a+XV9XL8WET8rmfdzRM2HguBpJ+ShE=,tag:3Ek3hggvwy4ifgFXBBSz+w==,type:str] - #ENC[AES256_GCM,data:Xhma644Rbe8=,iv:pZOn1qMkyzEjnY9IphrIEtZ/eU8JwKQ6cBIEqB9H3Ck=,tag:Bc0CtRPx1dvvbj6SgOOQwA==,type:comment] - SECRET_MAXMIND_ACCOUNT_ID: ENC[AES256_GCM,data:MboMIaJs,iv:cPY0OhXLIQYO2b8ftiAll2s0CswegSY09UwbkIg7tiU=,tag:tNZnZyaPxRxLWekQI13gbQ==,type:str] - SECRET_MAXMIND_LICENSE_KEY: ENC[AES256_GCM,data:ps9b0nyO5BA18r9LNY9emQ==,iv:D/wwNxWp762tF/02jZrdmCXuzTlg3W3fVVJNNLccpmA=,tag:SoaXzudYIyqcD1TdZcbnHg==,type:str] - #ENC[AES256_GCM,data:ydSR8oUbuhAxv3lyaS/R,iv:JKlRDSX0Lj/R30S6dcuKdDn4qYfcU/VwF8ElmuUMIU0=,tag:0cquaAtgM9s6bNZLpiHWQw==,type:comment] - SECRET_TRUENAS_APIKEY: ENC[AES256_GCM,data:rZgEmS9KBidrWb8ZzkeBBQ7ehBZQMc96umlheLJTwihra5hQ9H225CnlLjBFZykXCro/VSAUkqR8xrd+LTIWNWrG,iv:rtzj9p6ev7bzadCOyLz0xDz8Rl5945mcy1Ugb7PFHD8=,tag:j8xixpDKdWiiphcjdKyhGw==,type:str] - SECRET_TRUENAS_IP: ENC[AES256_GCM,data:P8LUxODUDBM=,iv:sJk2TYndeU/VdeqgbC428IuU2QaDegMoWQNToekEpBg=,tag:CLeNx4bGdamGrHB70Zh6AA==,type:str] - SECRET_TRUENAS_USER: ENC[AES256_GCM,data:6Veg,iv:hVlz1drNpqjjvhlyuzqKVnmIiQf9UhV62ss/l3veI+0=,tag:0xvD/Wd3FYySHt1hjvMTKA==,type:str] - #ENC[AES256_GCM,data:KIffzQKTEqRF3Sc=,iv:3SU4j3jLy7KK8tDbYFtfSjAALRftC07s+FXFslqkm9s=,tag:SbIVFIJDDQuzZw5np39bTw==,type:comment] - SECRET_S3_ENDPOINT: ENC[AES256_GCM,data:a4xPhcf6GR36yfMX9ayCs/ANxZX74904gA0pgPmu,iv:DoJbxrXDzap37EHJH8dgOMSEd5ausRIsf3KEI2Khdmg=,tag:L6VghfIQvzvIlrYipuxBbQ==,type:str] - 
#ENC[AES256_GCM,data:X7HVI+UObArgq0pP7A==,iv:VbOD/kSBwpmXK9RsHIFY5EDnqtz/3vLrqh6nARG8JpY=,tag:rxN0GEUSlveceBg/+BYlBA==,type:comment] - SECRET_DB_ROOT_PWD: ENC[AES256_GCM,data:LroOgyh7wxb+OTBc,iv:GNBtqxR2XVL7Ncu/pTvwHgiE5TSZfYFoNlysxmlSa/Q=,tag:YXpZQXh7XPXHK0OVCJ9l4g==,type:str] - SECRET_DB_USER_PWD: ENC[AES256_GCM,data:HpwQokmb7BNpww==,iv:GY7SpZe0qAE74ZadS1DpVd3OZJ3D5r+2iOMyTBn0tKQ=,tag:sFKDZRjcZybIJQIo9UDboQ==,type:str] + SECRET_ACME_EMAIL: ENC[AES256_GCM,data:fREfh7JhcleCwiutz/jKmAcm/U+vv4Ih8FPDVGE0zGqsHYwNqxu9HQ==,iv:cGn+gGR8NIwyqpLyin+rIXlaAKE139il6dELO86n0tc=,tag:RncmTWlUIG4BHL5Ms+VP1w==,type:str] + SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:QRT8qUYLw23MytrxARnyWsQX5elVzDou3A0KtNQxM/fAKBve,iv:i6pm5bUEyEqX8atwPGO7O9AoZlb4N/fULbLROAc0AvQ=,tag:By2gB9TZrFMYp0LIMrqULw==,type:str] + SECRET_DOMAIN: ENC[AES256_GCM,data:QW0wNFSiXwImZXFcSRqoqIk=,iv:w7MDjfHBTBZ+C4Wm94Zeyb65qhz6BdbnE+OZRMEO8ls=,tag:xHJHa0vOEVyZt4UY7ryR8Q==,type:str] sops: kms: [] gcp_kms: [] 
@@ -42,14 +16,14 @@ sops: - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUV2taR2tJa1hSNndQNjd4 - Nnh3Y1V0UkUxS0Rjd282SGM0MHp6c1Q0TVNVCk9yaHU1WS9jWlIvbFYxdUdIYks5 - ZFJpSmk1TUgrMHowMzVOTE43azFWSWcKLS0tIFFOKzdyODhPTVJGaHZBSDBwOEtO - dHdjWjdBaTY4MmEyNnoyYlJqVVRRdTgKeDi8+lObpobuIIXaP+1g1b8KxMepDQA0 - nhsOilYP8MAQm+qComC2hI731P6r2gVORqC/ESkQwcA+DFBH2JxLBA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDSnpVQXNON3BuR01yRGcw + bW1oWUlyZFJJT0RVQzZRWE0zUHBxdG9Ua3gwCkVjc3ZmYjZtYzU4TEJhd0pHS29p + OU1qQTdVRHRKbUdYT0JqNVBtR3hWbmcKLS0tIE5QU2Y3OEpqNEJvRDlGMktpSlZs + VzQ5RGdCZ1VSU1ZyU3JUbUliV052Z28KAapqWVwaG+cesDHt6iOlKaEXRA9ei0/v + 8knBmNtXOtq17c6/H5zc6/XQUQnHOWSLoDV5E03aKH/+HGD7MuJNBw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-16T22:09:16Z" - mac: ENC[AES256_GCM,data:6PEkOXkOG2V1552DWKwQY2UL+wHKctkRd80W2CidAxmkqjak0rwSKvLBvePQTCdJjhiA2Lc/0rYuM+mYjDWKXwFZTfhn1vdZY5yk1JGaTjkcPDYpgM0OYe8LuSF1jc3Dvwl7la4zCPREwgjosa/yaCYBREovzTA1YPlmiRO22Ac=,iv:b1TWlQLGiBFxgCGRGmAr6f+HKBC+RYvfXW+Z8yoSrus=,tag:x9foucRbKqwzieIcX5Qsow==,type:str] + lastmodified: "2023-09-05T01:23:39Z" + mac: ENC[AES256_GCM,data:Um5knNJiym1As3oFRTnIQHWatu46Xp9o25qRSTwZRa/+oXba5V9EH4Cl92Yz+A7vLSdCLj1Em2fhFS0v2xLNdKFnIHHSu5LYrlzAtJPhlWMCias0Sijhm9m+8eqzS4+LAflPnFutswlL+Bfan+OdJaISV+UkYTS4N7cyXvnGUJA=,iv:PPHQdBPEAjdwV/58sTeVC1X93o8359b+jP9iTzqeGPE=,tag:fathh8pttPVCOA3j1dk2CQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml.tmpl b/kubernetes/flux/vars/cluster-secrets.sops.yaml.tmpl deleted file mode 100644 index 66b2d2d31..000000000 --- a/kubernetes/flux/vars/cluster-secrets.sops.yaml.tmpl +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: cluster-secrets - namespace: flux-system -stringData: - # defaults - SECRET_DOMAIN: "${SECRET_DOMAIN}" - SECRET_ADMIN_USER: "${SECRET_ADMIN_USER}" - SECRET_ADMIN_EMAIL: "${SECRET_ADMIN_EMAIL}" - SECRET_DEFAULT_USER: "${SECRET_DEFAULT_USER}" - SECRET_DEFAULT_EMAIL: "${SECRET_DEFAULT_EMAIL}" - SECRET_DEFAULT_PWD: "${SECRET_DEFAULT_PWD}" - # email notifications - SECRET_SMTP_ADDRESS: "${SECRET_SMTP_ADDRESS}" - SECRET_SMTP_USER: "${SECRET_SMTP_USER}" - SECRET_SMTP_PWD: "${SECRET_SMTP_PWD}" - SECRET_SMTP_SRV: "${SECRET_SMTP_SRV}" - SECRET_SMTP_PORT: "${SECRET_SMTP_PORT}" - # cert-manager - SECRET_CLOUDFLARE_EMAIL: "${SECRET_CLOUDFLARE_EMAIL}" - SECRET_CLOUDFLARE_TOKEN: "${SECRET_CLOUDFLARE_TOKEN}" - # maxmind - SECRET_MAXMIND_ACCOUNT_ID: "${SECRET_MAXMIND_ACCOUNT_ID}" - SECRET_MAXMIND_LICENSE_KEY: "${SECRET_MAXMIND_LICENSE_KEY}" - # democratic-csi - SECRET_TRUENAS_APIKEY: "${SECRET_TRUENAS_APIKEY}" - SECRET_TRUENAS_IP: "${SECRET_TRUENAS_IP}" - SECRET_TRUENAS_USER: "${SECRET_TRUENAS_USER}" - # s3 / minio - SECRET_S3_ENDPOINT: "${SECRET_S3_ENDPOINT}" - # db (generic) - SECRET_DB_ROOT_PWD: "${SECRET_DB_ROOT_PWD}" - SECRET_DB_USER_PWD: "${SECRET_DB_USER_PWD}" diff --git a/kubernetes/flux/vars/cluster-settings.yaml b/kubernetes/flux/vars/cluster-settings.yaml index 2f4a2f673..ad9e2295b 100644 --- a/kubernetes/flux/vars/cluster-settings.yaml +++ b/kubernetes/flux/vars/cluster-settings.yaml 
@@ -1,18 +1,13 @@ --- -# yamllint disable apiVersion: v1 kind: ConfigMap metadata: name: cluster-settings namespace: flux-system - annotations: - reloader.stakater.com/match: "true" data: - TIMEZONE: America/New_York - NET_NODE_CIDR: 10.2.118.0/24 - NET_POD_CIDR: 10.42.0.0/16 - NET_SVC_CIDR: 10.43.0.0/16 - LB_GATEWAY: 10.2.113.2 - LB_INGRESS: 10.2.113.3 - LB_AUTH: 10.2.113.4 - LB_DEFAULT_RANGE: 10.2.113.128-10.2.113.250 + TIMEZONE: "America/New_York" + COREDNS_ADDR: "10.43.0.10" + KUBE_VIP_ADDR: "10.2.118.1" + CLUSTER_CIDR: "10.42.0.0/16" + SERVICE_CIDR: "10.43.0.0/16" + NODE_CIDR: "10.2.118.0/24" diff --git a/kubernetes/flux/vars/cluster-settings.yaml.tmpl b/kubernetes/flux/vars/cluster-settings.yaml.tmpl deleted file mode 100644 index 005ca8377..000000000 --- a/kubernetes/flux/vars/cluster-settings.yaml.tmpl +++ /dev/null @@ -1,18 +0,0 @@ ---- -# yamllint disable -apiVersion: v1 -kind: ConfigMap -metadata: - name: cluster-settings - namespace: flux-system - annotations: - reloader.stakater.com/match: "true" -data: - TIMEZONE: ${TIMEZONE} - NET_NODE_CIDR: ${NET_NODE_CIDR} - NET_POD_CIDR: ${NET_POD_CIDR} - NET_SVC_CIDR: ${NET_SVC_CIDR} - LB_GATEWAY: ${LB_GATEWAY} - LB_INGRESS: ${LB_INGRESS} - LB_AUTH: ${LB_AUTH} - LB_DEFAULT_RANGE: ${LB_DEFAULT_RANGE} diff --git a/kubernetes/flux/vars/custom-secrets.sops.yaml b/kubernetes/flux/vars/custom-secrets.sops.yaml new file mode 100644 index 000000000..4b0503980 --- /dev/null +++ b/kubernetes/flux/vars/custom-secrets.sops.yaml 
@@ -0,0 +1,38 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: custom-secrets + namespace: flux-system + annotations: + reloader.stakater.com/match: "true" +stringData: + #ENC[AES256_GCM,data:ApZt9r2RarFfX51TQIA7cIm5QdfGPQ==,iv:kMQpPHSEpwRTSCq1meyfE1OWU+npOXIg5ihOHu82L54=,tag:ItOnLBtuY2w9r0s09Xh1ug==,type:comment] + SECRET_DEFAULT_EMAIL: ENC[AES256_GCM,data:FVHhHPGhFOFL0R2pITN9utJJBeDC9a9Fld0=,iv:Aq3DRWP2Tzdc9tgAcgPEWWbDaHe+k6UL58A6QxnzCXk=,tag:VvM1onTQ+AHvWm/Id2X9Rw==,type:str] + #ENC[AES256_GCM,data:Dkbi4pX5GW5YGF+FitFA6el9dg1rpIYD4+/lbA5ccjYp3m1pmMnWyDfWTr9WUy9zNg==,iv:3GsVNIU1ZA2cHXizhG6bjiELhult8u1st4HADCHge9Q=,tag:/29Ekj+RHYzmZ6P1Ot3EEw==,type:comment] + #ENC[AES256_GCM,data:x3C4Of/A71AJKvZgBIhN472uMxM2VbKVR//oMyOZ7yCOhG2zzSPPw992hjtwgaXL,iv:1SPAidLkQCQaIBmWJla8lIOFURB+4TWeXaW9Sv3riMY=,tag:hjikpH5dZosROsZB1ysWcw==,type:comment] + SECRET_SMTP_ADDRESS: ENC[AES256_GCM,data:FECYAvFotj8Rogz6XNmp4KO15GeOhj7U/FZhB1WF,iv:eejl5m/DNCVMQRtJt8bCZV42qFw12SUNT+WIF4CbJ/0=,tag:SVHDEAVcaHoqKOho3rbGdA==,type:str] + SECRET_SMTP_SRV: ENC[AES256_GCM,data:mx6hyCtTAGLsKIPpXgMrb9Y=,iv:LL+0LNRcl3ahs90xE9J8iWSjd7v+AGZrNHccCEjr7kI=,tag:STxlFhhHPF5HN73fyJEL0A==,type:str] + SECRET_SMTP_PORT: ENC[AES256_GCM,data:+wiz,iv:jGLeckaq394wocfxF9UbIs6BDW2K97B/10oWVZZnjdI=,tag:qfO12xg/fH14j+KXrUpIIA==,type:str] + #ENC[AES256_GCM,data:dqbPX0UqvfmjMLVJbw==,iv:yHkGN5F/Zwzo7d5vVAGywMJne9t73v1YYv8SQmTH7pE=,tag:+aKxoVHJHa4s++9BvlPhwg==,type:comment] + SECRET_S3_ENDPOINT: ENC[AES256_GCM,data:nXkg+mt+TGvNq9Y3n6QfW73zxfoXUEXNgu1hugAC,iv:ArW3oeyT+druaU5MfGQnOAeII1iFkix3T3aEuA0fflw=,tag:ejyjbQJ38GCnlaykW+rlcA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLYmRENmRoeWVIS1NoZWha + eWdOZmtrdEgxdS96aEhHVWZ4c1ZVblc1SGpZCmhvRTVhcFlEWlJ4eXhpQ2lIb2FE + 
ZnVUZ2dCT2NMK084dEVRbE5mRmZOZlUKLS0tIEtNWGY3SlJsRjdnRjJBNGQ0NzZq + S1V2QnVjbzVhNW9iMy9GQ3FFTEhPcmMKxswfNgO6Vo7sChTtR7dGrgzKpUtjaDhS + VMi3viNiG6e4pnQjIGP+CERjt0vvxP1LVDnotVx2BNO6oFprvk8HUQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-09-15T23:05:26Z" + mac: ENC[AES256_GCM,data:i6suGbn8gpJ5idPZksmpul0Bu831rQwjgQNlcBi+Dc4Bl4GQOOqBQHlr3tJ5y7Oohc5mdA1z5C3WQfb9jbKn7pxg7YYySoqan1IcrRq+JDZv1tBn6RfUrbqPj6wjJo1xr8XIiAhR8FlrxVgsAM4ZqpYRpuP6Dy7ytDaF02D6jks=,iv:aWMiY82irryPJcOiWlsuHuwflbSb9hMP0jt7GLhRkSU=,tag:w6CHgjBC/Ars/gJWIsO6mA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/kubernetes/flux/vars/custom-secrets.sops.yaml.tmpl b/kubernetes/flux/vars/custom-secrets.sops.yaml.tmpl new file mode 100644 index 000000000..fed5cf4f6 --- /dev/null +++ b/kubernetes/flux/vars/custom-secrets.sops.yaml.tmpl @@ -0,0 +1,19 @@ +--- +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: custom-secrets + namespace: flux-system + annotations: + reloader.stakater.com/match: "true" +stringData: + ### email notifications + SECRET_DEFAULT_EMAIL: "${DEFAULT_EMAIL}" + # SECRET_SMTP_USER: "..." # provide as app secret + # SECRET_SMTP_PWD: "..." # provide as app secret + SECRET_SMTP_ADDRESS: "${SMTP_ADDRESS}" + SECRET_SMTP_SRV: "${SMTP_SRV}" + SECRET_SMTP_PORT: "${SMTP_PORT}" + ### s3 / minio + SECRET_S3_ENDPOINT: "${S3_ENDPOINT}" diff --git a/kubernetes/flux/vars/custom-settings.yaml b/kubernetes/flux/vars/custom-settings.yaml new file mode 100644 index 000000000..a00289606 --- /dev/null +++ b/kubernetes/flux/vars/custom-settings.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: custom-settings + namespace: flux-system + annotations: + reloader.stakater.com/match: "true" +data: + TIMEZONE: "America/New_York" diff --git a/kubernetes/flux/vars/kustomization.yaml b/kubernetes/flux/vars/kustomization.yaml index 3b96efbcb..a10250a6a 100644 --- a/kubernetes/flux/vars/kustomization.yaml 
+++ b/kubernetes/flux/vars/kustomization.yaml @@ -3,5 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./cluster-secrets.sops.yaml - ./cluster-settings.yaml + - ./custom-settings.yaml + - ./cluster-secrets.sops.yaml + - ./custom-secrets.sops.yaml diff --git a/scripts/sops.sh b/scripts/sops.sh deleted file mode 100755 index 167d9d9f9..000000000 --- a/scripts/sops.sh +++ /dev/null 
@@ -1,73 +0,0 @@ -#!/usr/bin/env bash - -set -o errexit -set -o nounset -set -o pipefail - -# shellcheck disable=SC2155 -PROJECT_DIR=$(git rev-parse --show-toplevel) -# shellcheck disable=SC2155 -SOPS_AGE_KEY_FILE="${HOME}/Library/Application Support/sops/age/keys.txt" -AGE_PUBLIC_KEY="$(grep public """${SOPS_AGE_KEY_FILE}""" | awk '{ print $NF }')" -export PROJECT_DIR SOPS_AGE_KEY_FILE AGE_PUBLIC_KEY - -main() { - - # assumes files requiring encryption will be named ".sops.yaml" - templates=() - while IFS='' read -r line; do templates+=("${line}"); done < <(fd ".sops.yaml$" "${PROJECT_DIR}/cluster") - - echo "Encrypting: " - for tmpl in "${templates[@]}"; do - echo "${tmpl}" - sops --encrypt --in-place "${tmpl}" - done - -} - -_has_envar() { - local option="${1}" - # shellcheck disable=SC2015 - [[ "${!option}" == "" ]] && { - _log "ERROR" "Unset variable ${option}" - exit 1 - } || { - _log "INFO" "Found variable '${option}' with value '${!option}'" - } -} - -validate_age() { - _has_envar "AGE_PUBLIC_KEY" - _has_envar "SOPS_AGE_KEY_FILE" - - if [[ ! "${AGE_PUBLIC_KEY}" =~ ^age.* ]]; then - _log "ERROR" "BOOTSTRAP_AGE_PUBLIC_KEY does not start with age" - exit 1 - fi - - if [[ ! -f "${SOPS_AGE_KEY_FILE}" ]]; then - _log "ERROR" "Unable to find Age file keys.txt in ~/.config/sops/age" - exit 1 - fi -} - -_has_binary() { - command -v "${1}" >/dev/null 2>&1 || { - _log "ERROR" "${1} is not installed or not found in \$PATH" - exit 1 - } -} - -verify_binaries() { - _has_binary "fd" -} - -_log() { - local type="${1}" - local msg="${2}" - printf "[%s] [%s] %s\n" "$(date -u)" "${type}" "${msg}" -} - -validate_age -verify_binaries -main diff --git a/scripts/substitute.sh b/scripts/substitute.sh deleted file mode 100755 index f0c5cf66c..000000000 --- a/scripts/substitute.sh +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/usr/bin/env bash - -set -o errexit -set -o nounset -set -o pipefail - -# shellcheck disable=SC2155 -export PROJECT_DIR=$(git rev-parse --show-toplevel) - -main() { - - # assumes files requiring substitution will be named or ".yaml.tmpl" - templates=() - while IFS='' read -r line; do templates+=("${line}"); done < <(fd ".yaml.tmpl$" "${PROJECT_DIR}/cluster") - - echo "Substituting: " - for tmpl in "${templates[@]}"; do - # remove final '.tmpl' extension - rename="${tmpl/yaml.tmpl/yaml}" - [[ -f "${rename}" ]] && rm "${rename}" - envsubst <"${tmpl}" >"${rename}" - echo "${tmpl} --> ${rename}" - done - -} - -_has_binary() { - command -v "${1}" >/dev/null 2>&1 || { - _log "ERROR" "${1} is not installed or not found in \$PATH" - exit 1 - } -} - -verify_binaries() { - _has_binary "fd" -} - -_log() { - local type="${1}" - local msg="${2}" - printf "[%s] [%s] %s\n" "$(date -u)" "${type}" "${msg}" -} - -verify_binaries -main
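Review bot: in the `jupyterhub-charts.yaml` → `jupyterhub.yaml` rename hunk, `metadata.name` becomes `https://jupyterhub.github.io/helm-chart`, which is not a valid Kubernetes object name (names must be DNS-subdomain strings, so `:` and `/` are rejected by the API server) and reads like the `spec.url` value pasted into the wrong field. Suggest `+ name: jupyterhub` to match the other renames. The entry is commented out in `helm/kustomization.yaml` (`# - ./jupyterhub.yaml`), so the build passes today, but it will break the moment it is re-enabled.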
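Review bot: every `-charts` → short-name rename in this patch (`ingress-nginx`, `jetstack`, `k8s-gateway`, `kubernetes-dashboard`, `lwolf`, `movetokube`, `opstree`, `piraeus`, `prefect`, `prometheus-community`, `rook-ceph`, `runix`, `stakater`, `valheim`, `weave-gitops`) changes the `metadata.name` of a `HelmRepository`, which is exactly what a `HelmRelease` points at through `spec.chart.spec.sourceRef.name`. Any HelmRelease still referencing the old name will fail to resolve its chart once this merges. Worth grepping the tree for `sourceRef` blocks with `name: *-charts` before merging, and landing the HelmRelease updates in the same commit so a Flux reconciliation cannot observe the renamed repository without its updated consumers.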
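Review bot: the `cloudflare-charts.yaml` → `metrics-server.yaml` hunk is a repurposing that git reported as a 76% rename: the Cloudflare `HelmRepository` disappears entirely (name and `url` both change) while the real `metrics-server-charts.yaml` is deleted separately. That deserves a line in the commit message, because `cluster-secrets.sops.yaml` in the same patch adds `SECRET_CLOUDFLARE_TUNNEL_ID`, so whatever consumes it must now be sourced from somewhere other than `https://cloudflare.github.io/helm-charts`, and any remaining `sourceRef` to `cloudflare-charts` will break.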
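Review bot: the new resource list in `helm/kustomization.yaml` references `./bjw-s.yaml`, `./cilium.yaml`, `./coredns.yaml` and `./csi-driver-nfs.yaml`, none of which appear in this part of the diff; if any one of them is missing, `kustomize build` fails for the whole `repositories/helm` directory and Flux stops reconciling every HelmRepository, not just the new one. The list also drops `kyverno-charts.yaml`, `metallb-charts.yaml`, `kubereboot-charts.yaml`, `node-feature-discovery-charts.yaml` and `traefik-charts.yaml` (all deleted in this patch), so the same `sourceRef` check as for the renames applies to anything still consuming them. The `# yamllint disable rule:comments` / `# prettier-ignore` pair presumably keeps the trailing purpose comments aligned; a one-line comment saying so would spare the next reader from guessing which lint rule is being avoided.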
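Review bot: the `cluster-secrets.sops.yaml` hunk removes `SECRET_CLOUDFLARE_TOKEN`, `SECRET_TRUENAS_APIKEY`, `SECRET_SMTP_USER`, `SECRET_SMTP_PWD`, `SECRET_DB_ROOT_PWD`, `SECRET_DB_USER_PWD` and the MaxMind keys from the cluster-wide secret, which is the right direction (the new `custom-secrets.sops.yaml.tmpl` says `# provide as app secret`, scoping each credential to the workload that needs it). Two things to check: the old ciphertext stays in git history under the same age recipient, so removing these keys from HEAD is not a rotation; if any credential is being retired rather than relocated, rotate it at the provider. And `-# yamllint disable` is dropped here while the new `custom-secrets.sops.yaml` keeps it; the `ENC[...]` and `mac:` lines are far beyond any line-length rule, so depending on the repo's yamllint config the pre-commit hook may now flag this file.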
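Review bot: in the `cluster-settings.yaml` hunk the `reloader.stakater.com/match: "true"` annotation is removed from `cluster-settings`, yet the new `custom-settings` and `custom-secrets` objects both carry it; if that is deliberate, a comment would help, otherwise workloads substituting `${CLUSTER_CIDR}` and friends will no longer be restarted on change. The keys are also renamed (`NET_POD_CIDR` → `CLUSTER_CIDR`, `NET_SVC_CIDR` → `SERVICE_CIDR`, `NET_NODE_CIDR` → `NODE_CIDR`) and all `LB_*` values removed, so every `postBuild.substituteFrom` consumer using the old names has to move in this commit. Sanity check on the new values: `COREDNS_ADDR` `10.43.0.10` sits inside `SERVICE_CIDR` `10.43.0.0/16` as expected, and `KUBE_VIP_ADDR` `10.2.118.1` is the first host address of `NODE_CIDR` `10.2.118.0/24`, so confirm that address is reserved for the VIP and is not the subnet's router.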
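Review bot: the new `custom-secrets.sops.yaml.tmpl` still uses `${DEFAULT_EMAIL}`, `${SMTP_ADDRESS}`, `${SMTP_SRV}`, `${SMTP_PORT}` and `${S3_ENDPOINT}` placeholders, but `scripts/substitute.sh`, the only thing in the visible tree that rendered `*.yaml.tmpl` through `envsubst`, is deleted in the same patch (and was already looking in `${PROJECT_DIR}/cluster` rather than `kubernetes/`, so it had stopped working before this change). Either document the replacement rendering step next to the template or drop the template; as committed, the only way to regenerate `custom-secrets.sops.yaml` is by hand, and the `.tmpl` will drift from the encrypted file.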
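Review bot: deleting `scripts/sops.sh` is reasonable: it hard-coded a macOS-only key path (`${HOME}/Library/Application Support/sops/age/keys.txt`), its error message pointed at `~/.config/sops/age` and `BOOTSTRAP_AGE_PUBLIC_KEY`, neither of which it used, the `grep public """${SOPS_AGE_KEY_FILE}"""` quoting is a typo, and it searched `cluster/` instead of `kubernetes/`. With two `.sops.yaml` secrets now in `flux/vars`, the encryption policy belongs in a repo-level `.sops.yaml` `creation_rules` entry (path regex plus the `age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa` recipient already present in both files) so `sops --encrypt` picks the right key without a wrapper, and the pre-commit hooks can be relied on to catch an unencrypted `stringData` before it is committed.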