From d9be744f17943062ac1bea0a68aa24a6f0a0f6a0 Mon Sep 17 00:00:00 2001
From: DeveloperDurp
Date: Sun, 21 Jul 2024 12:58:33 +0000
Subject: [PATCH] Mr prd
---
argocd/templates/ingress.yaml | 22 +--
argocd/templates/metallb-system.yaml | 5 +-
argocd/values.yaml | 6 +-
authentik/templates/ingress.yaml | 2 +-
authentik/values.yaml | 13 +-
bitwarden/templates/deployment.yaml | 6 +-
bitwarden/templates/ingress.yaml | 21 ++
...ction.yaml => letsencrypt-production.yaml} | 0
cert-manager/templates/self-signed.yaml | 13 ++
crossplane/Chart.yaml | 2 +-
crossplane/templates/gitlab.yml | 2 +-
crossplane/values.yaml | 186 ++++++++++++++++++
durpapi/Chart.yaml | 8 +-
longhorn/Chart.yaml | 2 +-
longhorn/templates/ingress.yaml | 4 +-
longhorn/values.yaml | 6 +-
metallb-system/templates/config.yaml | 2 +-
nfs-client/templates/provisioner.yml | 4 +-
open-webui/templates/ingress.yaml | 2 +-
traefik/templates/middleware-chain.yaml | 4 +-
traefik/templates/middlewares.yaml | 1 -
traefik/values.yaml | 16 +-
uptimekuma/templates/ingress.yaml | 2 +-
vault/values.yaml | 2 +-
24 files changed, 281 insertions(+), 50 deletions(-)
rename cert-manager/templates/{letsencrypt-prroduction.yaml => letsencrypt-production.yaml} (100%)
create mode 100644 cert-manager/templates/self-signed.yaml
create mode 100644 crossplane/values.yaml
diff --git a/argocd/templates/ingress.yaml b/argocd/templates/ingress.yaml
index ce9ff77..67b27f1 100644
--- a/argocd/templates/ingress.yaml
+++ b/argocd/templates/ingress.yaml
@@ -8,17 +8,17 @@ spec:
entryPoints:
- websecure
routes:
- - match: Host(`argocd.internal.prd.durp.info`)
- middlewares:
- - name: internal-only
- namespace: traefik
- kind: Rule
- services:
- - name: argocd-server
- port: 443
- scheme: https
+ - match: Host(`argocd.internal.prd.durp.info`)
+ middlewares:
+ - name: internal-only
+ namespace: traefik
+ kind: Rule
+ services:
+ - name: argocd-server
+ port: 443
+ scheme: https
tls:
- secretName: argocd-tls
+ secretName: argocd-tls
---
@@ -33,4 +33,4 @@ spec:
kind: ClusterIssuer
commonName: "argocd.internal.prd.durp.info"
dnsNames:
- - "argocd.internal.prd.durp.info"
+ - "argocd.internal.prd.durp.info"
diff --git a/argocd/templates/metallb-system.yaml b/argocd/templates/metallb-system.yaml
index 52bd139..c1b61df 100644
--- a/argocd/templates/metallb-system.yaml
+++ b/argocd/templates/metallb-system.yaml
@@ -15,6 +15,7 @@ spec:
syncPolicy:
automated:
prune: true
- selfHeal: true
+ selfHeal: true
syncOptions:
- - CreateNamespace=true
+ - CreateNamespace=true
+
diff --git a/argocd/values.yaml b/argocd/values.yaml
index 47a56e3..65d28c2 100644
--- a/argocd/values.yaml
+++ b/argocd/values.yaml
@@ -33,13 +33,13 @@ argo-cd:
cm:
create: true
annotations: {}
- url: https://argocd.internal.durp.info
+ url: https://argocd.internal.prd.durp.info
oidc.tls.insecure.skip.verify: "true"
dex.config: |
connectors:
- config:
- issuer: https://authentik.durp.info/application/o/argocd/
- clientID: dbb8ffc06104fb6e7fac3e4ae7fafb1d90437625
+ issuer: https://authentik.prd.durp.info/application/o/argocd/
+ clientID: lKuMgyYaOlQMNAUSjsRVYgkwZG9UT6CeFWeTLAcl
clientSecret: $client-secret:clientSecret
insecureEnableGroups: true
scopes:
diff --git a/authentik/templates/ingress.yaml b/authentik/templates/ingress.yaml
index 2c434a3..5d2b943 100644
--- a/authentik/templates/ingress.yaml
+++ b/authentik/templates/ingress.yaml
@@ -6,7 +6,7 @@ spec:
entryPoints:
- websecure
routes:
- - match: Host(`authentik.prd.durp.info`) && PathPrefix(`/`)
+ - match: Host(`authentik.prd.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: authentik-server
diff --git a/authentik/values.yaml b/authentik/values.yaml
index a443ae4..ecc79d1 100644
--- a/authentik/values.yaml
+++ b/authentik/values.yaml
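Review bot: The new `issuer: https://authentik.prd.durp.info/application/o/argocd/` is still consumed with `oidc.tls.insecure.skip.verify: "true"` left in place two lines above the `url` change, so Argo CD does not validate the identity provider's certificate when it discovers the OIDC endpoints and fetches tokens. If the authentik ingress is issued by the Let's Encrypt ClusterIssuer this commit renames, the override can simply be removed; if it relies on the new self-signed issuer, pin the CA instead of disabling verification (Argo CD's `argocd-cm` supports an `oidc.rootCA` key for that). Because the `clientID` changed, the Authentik provider was presumably recreated, so the `client-secret` Secret referenced by `$client-secret:clientSecret` must be rotated in step or the login will fail with a confusing error. The `clientID` itself is a public identifier and is fine to commit.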
@@ -34,9 +34,16 @@ authentik:
registry: registry.internal.durp.info
repository: bitnami/postgresql
pullPolicy: Always
- postgresqlUsername: "authentik"
- postgresqlDatabase: "authentik"
- existingSecret: db-pass
+ auth:
+ username: "authentik"
+ existingSecret: db-pass
+ secretKeys:
+ adminPasswordKey: dbpass
+ userPasswordKey: dbpass
+
+ #postgresqlUsername: "authentik"
+ #postgresqlDatabase: "authentik"
+ #existingSecret: db-pass
persistence:
enabled: true
storageClass: longhorn
diff --git a/bitwarden/templates/deployment.yaml b/bitwarden/templates/deployment.yaml
index d6e1788..9a78d07 100644
--- a/bitwarden/templates/deployment.yaml
+++ b/bitwarden/templates/deployment.yaml
@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: bitwarden
- image: registry.internal.durp.info/vaultwarden/server:1.30.3
+ image: registry.internal.durp.info/vaultwarden/server:1.30.5
imagePullPolicy: Always
volumeMounts:
- name: bitwarden-pvc
@@ -28,7 +28,7 @@ spec:
containerPort: 80
env:
- name: SIGNUPS_ALLOWED
- value: "FALSE"
+ value: "TRUE"
- name: INVITATIONS_ALLOWED
value: "FALSE"
- name: WEBSOCKET_ENABLED
@@ -39,7 +39,7 @@ spec:
value: "80"
- name: ROCKET_WORKERS
value: "10"
- - name: SECRET_USERNAME
+ - name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: bitwarden-secret
diff --git a/bitwarden/templates/ingress.yaml b/bitwarden/templates/ingress.yaml
index 75c8b28..951623f 100644
--- a/bitwarden/templates/ingress.yaml
+++ b/bitwarden/templates/ingress.yaml
@@ -40,3 +40,24 @@ metadata:
spec:
type: ExternalName
externalName:.prd.durp.info
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: bitwarden-admin-ingress
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`bitwarden.prd.durp.info`) && PathPrefix(`/admin`)
+ kind: Rule
+ middlewares:
+ - name: whitelist
+ namespace: traefik
+ services:
+ - name: bitwarden
+ port: 80
+ tls:
+ secretName: bitwarden-tls
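Review bot: `adminPasswordKey: dbpass` and `userPasswordKey: dbpass` read the same key of the `db-pass` Secret, so the chart's administrative PostgreSQL role and the `authentik` application user end up with one shared password; a leak of the application credentials is then also a leak of the database administrator's. Give the two roles separate keys, for example `adminPasswordKey: postgres-password` (constructed name) and `userPasswordKey: dbpass`, and add the second key to the Secret. The removed `postgresqlDatabase: "authentik"` has no counterpart under `auth:`; if the chart reads `auth.database`, the database name now falls back to the chart default, so confirm the name the existing volume was initialised with before upgrading. The three commented-out legacy keys should be deleted rather than kept, since Git history already preserves them.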
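Review bot: `SIGNUPS_ALLOWED` flips to `"TRUE"` on a Vaultwarden instance whose host `bitwarden.prd.durp.info` is published through external-dns and an `ExternalName` service in the adjacent ingress change, so anyone who can reach the host can register an account on the password manager. If this is only to bootstrap the first user, set it back to `"FALSE"` as soon as that account exists; otherwise keep signups closed and admit users via `INVITATIONS_ALLOWED` or restrict registration with Vaultwarden's `SIGNUPS_DOMAINS_WHITELIST`. A comment on the line recording which of these is intended would prevent the flag silently staying open. The enclosing container `env:` list starts above and continues below this hunk.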
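Review bot: `ADMIN_TOKEN` is now sourced from the `bitwarden-secret` Secret, but the `key` it reads sits below the hunk, so confirm the Secret value was generated for this purpose and is not the old `SECRET_USERNAME` material being repurposed. Setting this variable activates the `/admin` panel, which gives full control over users and server configuration; Vaultwarden accepts an Argon2 PHC-format hash in `ADMIN_TOKEN`, which keeps the plaintext token out of the cluster Secret entirely and is preferable for a production deployment. A comment such as `# Enables /admin; value is an argon2 hash, see bitwarden-secret` documents the expectation for the next maintainer.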
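Review bot: The new `bitwarden-admin-ingress` route guards `/admin` with the `whitelist` middleware alone, and an IP allowlist is only as strong as Traefik's view of the client address; with `forwardedHeaders.trustedIPs` being set in the same commit that is plausible, but confirm the allowlist's `ipStrategy` matches the proxy chain so that a client-supplied `X-Forwarded-For` cannot satisfy it. Consider referencing the chain middleware from `traefik/templates/middleware-chain.yaml` (`traefik-real-ip` then `whitelist`) instead of `whitelist` by itself, so this route gets the same client-IP handling as other allowlisted routes. The context line directly above the addition still reads `externalName:.prd.durp.info`, the malformed line this commit corrects in `open-webui/templates/ingress.yaml` and `uptimekuma/templates/ingress.yaml`; apply the same `externalName: prd.durp.info` fix here.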
diff --git a/cert-manager/templates/letsencrypt-prroduction.yaml b/cert-manager/templates/letsencrypt-production.yaml
similarity index 100%
rename from cert-manager/templates/letsencrypt-prroduction.yaml
rename to cert-manager/templates/letsencrypt-production.yaml
diff --git a/cert-manager/templates/self-signed.yaml b/cert-manager/templates/self-signed.yaml
new file mode 100644
index 0000000..fa3ea4d
--- /dev/null
+++ b/cert-manager/templates/self-signed.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigned-cluster-issuer
+spec:
+ selfSigned: {}
diff --git a/crossplane/Chart.yaml b/crossplane/Chart.yaml
index c7bf1ab..d8f781c 100644
--- a/crossplane/Chart.yaml
+++ b/crossplane/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
dependencies:
- name: crossplane
repository: https://charts.crossplane.io/stable
- version: 1.12.0
+ version: 1.16.0
diff --git a/crossplane/templates/gitlab.yml b/crossplane/templates/gitlab.yml
index 3a20b9c..ea1dbdf 100644
--- a/crossplane/templates/gitlab.yml
+++ b/crossplane/templates/gitlab.yml
@@ -3,7 +3,7 @@ kind: Provider
metadata:
name: provider-gitlab
spec:
- package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.5.0
+ package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.7.0
---
apiVersion: external-secrets.io/v1beta1
diff --git a/crossplane/values.yaml b/crossplane/values.yaml
new file mode 100644
index 0000000..6a319f2
--- /dev/null
+++ b/crossplane/values.yaml
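Review bot: `selfsigned-issuer` and `selfsigned-cluster-issuer` are functionally identical `selfSigned: {}` issuers, so one of them is redundant; keep the ClusterIssuer if certificates are requested from several namespaces, otherwise the namespaced one. A self-signed issuer mints leaf certificates that no browser or client trusts, so it is most useful as the bootstrap for an internal CA `Certificate` and a CA-backed issuer rather than for ingress TLS directly. A header comment such as `# Bootstrap issuer: used to mint the internal CA, not for ingress certificates` would record the intended use and discourage pairing it with TLS-verification bypasses elsewhere.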
@@ -0,0 +1,186 @@
+# helm-docs renders these comments into markdown. Use markdown formatting where
+# appropiate.
+#
+# -- The number of Crossplane pod `replicas` to deploy.
+replicas: 1
+
+# -- The deployment strategy for the Crossplane and RBAC Manager pods.
+deploymentStrategy: RollingUpdate
+
+image:
+ # -- Repository for the Crossplane pod image.
+ repository: xpkg.upbound.io/crossplane/crossplane
+ # -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`.
+ tag: ""
+ # -- The image pull policy used for Crossplane and RBAC Manager pods.
+ pullPolicy: IfNotPresent
+
+# -- Add `nodeSelectors` to the Crossplane pod deployment.
+nodeSelector: {}
+# -- Add `tolerations` to the Crossplane pod deployment.
+tolerations: []
+# -- Add `affinities` to the Crossplane pod deployment.
+affinity: {}
+
+# -- Enable `hostNetwork` for the Crossplane deployment. Caution: enabling `hostNetwork` grants the Crossplane Pod access to the host network namespace. Consider setting `dnsPolicy` to `ClusterFirstWithHostNet`.
+hostNetwork: false
+
+# -- Specify the `dnsPolicy` to be used by the Crossplane pod.
+dnsPolicy: ""
+
+# -- Add custom `labels` to the Crossplane pod deployment.
+customLabels: {}
+
+# -- Add custom `annotations` to the Crossplane pod deployment.
+customAnnotations: {}
+
+serviceAccount:
+ # -- Add custom `annotations` to the Crossplane ServiceAccount.
+ customAnnotations: {}
+
+# -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the Crossplane pod.
+leaderElection: true
+# -- Add custom arguments to the Crossplane pod.
+args: []
+
+provider:
+ # -- A list of Provider packages to install.
+ packages: []
+
+configuration:
+ # -- A list of Configuration packages to install.
+ packages: []
+
+function:
+ # -- A list of Function packages to install
+ packages: []
+
+# -- The imagePullSecret names to add to the Crossplane ServiceAccount.
+imagePullSecrets: []
+
+registryCaBundleConfig:
+ # -- The ConfigMap name containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
+ name: ""
+ # -- The ConfigMap key containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
+ key: ""
+
+service:
+ # -- Configure annotations on the service object. Only enabled when webhooks.enabled = true
+ customAnnotations: {}
+
+webhooks:
+ # -- Enable webhooks for Crossplane and installed Provider packages.
+ enabled: true
+
+rbacManager:
+ # -- Deploy the RBAC Manager pod and its required roles.
+ deploy: true
+ # -- Don't install aggregated Crossplane ClusterRoles.
+ skipAggregatedClusterRoles: false
+ # -- The number of RBAC Manager pod `replicas` to deploy.
+ replicas: 1
+ # -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the RBAC Manager pod.
+ leaderElection: true
+ # -- Add custom arguments to the RBAC Manager pod.
+ args: []
+ # -- Add `nodeSelectors` to the RBAC Manager pod deployment.
+ nodeSelector: {}
+ # -- Add `tolerations` to the RBAC Manager pod deployment.
+ tolerations: []
+ # -- Add `affinities` to the RBAC Manager pod deployment.
+ affinity: {}
+
+# -- The PriorityClass name to apply to the Crossplane and RBAC Manager pods.
+priorityClassName: ""
+
+resourcesCrossplane:
+ limits:
+ # -- CPU resource limits for the Crossplane pod.
+ cpu: 500m
+ # -- Memory resource limits for the Crossplane pod.
+ memory: 1024Mi
+ requests:
+ # -- CPU resource requests for the Crossplane pod.
+ cpu: 100m
+ # -- Memory resource requests for the Crossplane pod.
+ memory: 256Mi
+
+securityContextCrossplane:
+ # -- The user ID used by the Crossplane pod.
+ runAsUser: 65532
+ # -- The group ID used by the Crossplane pod.
+ runAsGroup: 65532
+ # -- Enable `allowPrivilegeEscalation` for the Crossplane pod.
+ allowPrivilegeEscalation: false
+ # -- Set the Crossplane pod root file system as read-only.
+ readOnlyRootFilesystem: true
+
+packageCache:
+ # -- Set to `Memory` to hold the package cache in a RAM backed file system. Useful for Crossplane development.
+ medium: ""
+ # -- The size limit for the package cache. If medium is `Memory` the `sizeLimit` can't exceed Node memory.
+ sizeLimit: 20Mi
+ # -- The name of a PersistentVolumeClaim to use as the package cache. Disables the default package cache `emptyDir` Volume.
+ pvc: ""
+ # -- The name of a ConfigMap to use as the package cache. Disables the default package cache `emptyDir` Volume.
+ configMap: ""
+
+resourcesRBACManager:
+ limits:
+ # -- CPU resource limits for the RBAC Manager pod.
+ cpu: 100m
+ # -- Memory resource limits for the RBAC Manager pod.
+ memory: 512Mi
+ requests:
+ # -- CPU resource requests for the RBAC Manager pod.
+ cpu: 100m
+ # -- Memory resource requests for the RBAC Manager pod.
+ memory: 256Mi
+
+securityContextRBACManager:
+ # -- The user ID used by the RBAC Manager pod.
+ runAsUser: 65532
+ # -- The group ID used by the RBAC Manager pod.
+ runAsGroup: 65532
+ # -- Enable `allowPrivilegeEscalation` for the RBAC Manager pod.
+ allowPrivilegeEscalation: false
+ # -- Set the RBAC Manager pod root file system as read-only.
+ readOnlyRootFilesystem: true
+
+metrics:
+ # -- Enable Prometheus path, port and scrape annotations and expose port 8080 for both the Crossplane and RBAC Manager pods.
+ enabled: false
+
+# -- Add custom environmental variables to the Crossplane pod deployment.
+# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
+extraEnvVarsCrossplane: {}
+
+# -- Add custom environmental variables to the RBAC Manager pod deployment.
+# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
+extraEnvVarsRBACManager: {}
+
+# -- Add a custom `securityContext` to the Crossplane pod.
+podSecurityContextCrossplane: {}
+
+# -- Add a custom `securityContext` to the RBAC Manager pod.
+podSecurityContextRBACManager: {}
+
+# -- Add custom `volumes` to the Crossplane pod.
+extraVolumesCrossplane: {}
+
+# -- Add custom `volumeMounts` to the Crossplane pod.
+extraVolumeMountsCrossplane: {}
+
+# -- To add arbitrary Kubernetes Objects during a Helm Install
+extraObjects: []
+ # - apiVersion: pkg.crossplane.io/v1alpha1
+ # kind: ControllerConfig
+ # metadata:
+ # name: aws-config
+ # annotations:
+ # eks.amazonaws.com/role-arn: arn:aws:iam::123456789101:role/example
+ # helm.sh/hook: post-install
+ # spec:
+ # podSecurityContext:
+ # fsGroup: 2000
+
diff --git a/durpapi/Chart.yaml b/durpapi/Chart.yaml
index 3bd35e6..5a5784e 100644
--- a/durpapi/Chart.yaml
+++ b/durpapi/Chart.yaml
@@ -1,11 +1,11 @@
+description: A Helm chart for Kubernetes
name: durpapi
-version: 0.1.0-dev0180
+appVersion: 0.1.0
dependencies:
- condition: postgresql.enabled
name: postgresql
version: 12.5.*
repository: https://charts.bitnami.com/bitnami
-type: application
-appVersion: 0.1.0
+version: 0.1.0-dev0184
apiVersion: v2
-description: A Helm chart for Kubernetes
+type: application
diff --git a/longhorn/Chart.yaml b/longhorn/Chart.yaml
index b7b6417..8c0a8ae 100644
--- a/longhorn/Chart.yaml
+++ b/longhorn/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
dependencies:
- name: longhorn
repository: https://charts.longhorn.io
- version: 1.3.2
+ version: 1.6.1
diff --git a/longhorn/templates/ingress.yaml b/longhorn/templates/ingress.yaml
index a6ea9ec..20f65cd 100644
--- a/longhorn/templates/ingress.yaml
+++ b/longhorn/templates/ingress.yaml
@@ -10,8 +10,8 @@ spec:
middlewares:
- name: whitelist
namespace: traefik
- - name: authentik-proxy-provider
- namespace: traefik
+ #- name: authentik-proxy-provider
+ # namespace: traefik
kind: Rule
services:
- name: longhorn-frontend
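Review bot: Every key in this new values file (`replicas`, `image`, `securityContextCrossplane`, `rbacManager`, …) is at the top level, yet `crossplane/Chart.yaml` installs Crossplane as a dependency named `crossplane`, and Helm only forwards values to a subchart when they are nested under the subchart's name; the other wrapper charts touched by this commit follow that pattern (`longhorn:`, `argo-cd:`, `vault:`, `traefik:`, `authentik:`). Unless the parent chart's own templates consume these keys, the settings here, including the hardened `securityContextCrossplane` and `securityContextRBACManager` blocks, are likely ignored and the subchart runs on its defaults. Indent the whole document one level under a `crossplane:` key, and trim it to the values that actually differ from upstream so the file shows intent rather than a copied default. Separately, both security contexts set `runAsUser`/`runAsGroup` but neither `runAsNonRoot: true` nor a `capabilities: drop: [ALL]`; if the upstream templates honour those fields, adding them tightens the pod baseline at no cost.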
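Review bot: Commenting out `authentik-proxy-provider` removes forward authentication from the Longhorn UI, which has no authentication of its own, leaving the `whitelist` IP allowlist as the only control in front of a console that can delete volumes, snapshots and backups. If this is a temporary workaround, replace the bare commented block with a dated marker such as `# TODO(<date>): re-enable authentik-proxy-provider once <tracking issue> is resolved`; if it is permanent, document why source-IP filtering alone is acceptable for this route. The route's `match` line is above the hunk, so confirm the hostname is internal-only and that the allowlist is evaluated against a trusted client address.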
diff --git a/longhorn/values.yaml b/longhorn/values.yaml
index 5343300..414281b 100644
--- a/longhorn/values.yaml
+++ b/longhorn/values.yaml
@@ -47,7 +47,7 @@ longhorn:
persistence:
defaultClass: true
defaultFsType: ext4
- defaultClassReplicaCount: 3
+ defaultClassReplicaCount: 1
defaultDataLocality: disabled # best-effort otherwise
reclaimPolicy: Retain
migratable: false
@@ -76,7 +76,7 @@ longhorn:
snapshotterReplicaCount: ~
defaultSettings:
- backupTarget: S3://longhorn@us-east-1/
+ backupTarget: S3://longhorn-prd@us-east-1/
backupTargetCredentialSecret: longhorn-backup-token-secret
allowRecurringJobWhileVolumeDetached: ~
createDefaultDiskLabeledNodes: ~
@@ -238,7 +238,7 @@ longhorn:
# certificate:
# Configure a pod security policy in the Longhorn namespace to allow privileged pods
- enablePSP: true
+ enablePSP: false
## Specify override namespace, specifically this is useful for using longhorn as sub-chart
## and its release namespace is not the `longhorn-system`
diff --git a/metallb-system/templates/config.yaml b/metallb-system/templates/config.yaml
index c001228..8ebd75d 100644
--- a/metallb-system/templates/config.yaml
+++ b/metallb-system/templates/config.yaml
@@ -13,4 +13,4 @@ metadata:
namespace: metallb-system
spec:
ipAddressPools:
- - cheap
+ - cheap
diff --git a/nfs-client/templates/provisioner.yml b/nfs-client/templates/provisioner.yml
index c76fe8c..b79da69 100644
--- a/nfs-client/templates/provisioner.yml
+++ b/nfs-client/templates/provisioner.yml
@@ -34,9 +34,9 @@ spec:
- name: NFS_SERVER
value: 192.168.20.253
- name: NFS_PATH
- value: /mnt/user/k3s
+ value: /mnt/user/k3s-dev
volumes:
- name: nfs-client-ssd
nfs:
server: 192.168.20.253
- path: /mnt/user/k3s
+ path: /mnt/user/k3s-dev
diff --git a/open-webui/templates/ingress.yaml b/open-webui/templates/ingress.yaml
index 2e72da4..81d9a39 100644
--- a/open-webui/templates/ingress.yaml
+++ b/open-webui/templates/ingress.yaml
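Review bot: `defaultClassReplicaCount: 1` gives every volume created from the default StorageClass a single replica, so the loss of one disk or node loses that data with no rebuild possible; for a change labelled "Mr prd" that is a significant durability downgrade compared to the previous `3`. If the cluster currently has a single storage node, record that next to the setting, e.g. `# single storage node in prd; raise to 2+ when a second node joins`, and make sure the `backupTarget` recurring jobs actually cover these volumes. Otherwise keep at least two replicas and tune placement separately.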
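Review bot: `enablePSP: false` drops the PodSecurityPolicy that constrained Longhorn's privileged pods, and nothing in the commit substitutes a Pod Security Admission configuration for the namespace. Disabling PSP is required for the Longhorn 1.6.1 bump on Kubernetes 1.25+, where PSP no longer exists, but the `longhorn-system` namespace should then carry explicit `pod-security.kubernetes.io/enforce` and `pod-security.kubernetes.io/warn` labels (Longhorn documents that its components need the `privileged` level) so the exception is declared rather than implicit. A comment above the key, `# PSP removed in k8s 1.25; namespace relies on PSA labels instead`, records the decision for the next reader.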
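Review bot: Both `NFS_PATH` and the `nfs.path` volume now point at `/mnt/user/k3s-dev` in a commit described as "Mr prd", so the production provisioner would write into what the name indicates is the development export. If the path is correct for this cluster, rename the export or add a comment explaining the naming; if not, this is a cross-environment data-mixing bug that also affects backups and retention. Because the same value is repeated in two places, consider templating it from a single chart value (for example `{{ .Values.nfs.path }}`, a constructed name) so the env var and the volume cannot drift apart.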
@@ -39,4 +39,4 @@ metadata:
external-dns.alpha.kubernetes.io/hostname: open-webui.prd.durp.info
spec:
type: ExternalName
- externalName:.prd.durp.info
+ externalName: prd.durp.info
diff --git a/traefik/templates/middleware-chain.yaml b/traefik/templates/middleware-chain.yaml
index dd966a0..4f21880 100644
--- a/traefik/templates/middleware-chain.yaml
+++ b/traefik/templates/middleware-chain.yaml
@@ -5,5 +5,5 @@ metadata:
spec:
chain:
middlewares:
- - name: traefik-real-ip
- - name: whitelist
+ - name: traefik-real-ip
+ - name: whitelist
diff --git a/traefik/templates/middlewares.yaml b/traefik/templates/middlewares.yaml
index e512223..b9f6362 100644
--- a/traefik/templates/middlewares.yaml
+++ b/traefik/templates/middlewares.yaml
@@ -47,4 +47,3 @@ spec:
traefik-real-ip:
excludednets:
- "1.1.1.1/24"
-
diff --git a/traefik/values.yaml b/traefik/values.yaml
index 362a574..e2cbbc9 100644
--- a/traefik/values.yaml
+++ b/traefik/values.yaml
@@ -502,6 +502,8 @@ traefik:
- "--log.level=DEBUG"
- --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
- --experimental.plugins.jwt.version=v0.7.0
+ - --experimental.plugins.traefik-real-ip.moduleName=github.com/soulbalz/traefik-real-ip
+ - --experimental.plugins.traefik-real-ip.version=v1.0.3
# Environment variables to be passed to Traefik's binary
@@ -578,9 +580,10 @@ traefik:
redirectTo: websecure
#
# Trust forwarded headers information (X-Forwarded-*).
- # forwardedHeaders:
- # trustedIPs: []
- # insecure: false
+ forwardedHeaders:
+ trustedIPs:
+ - "192.168.11.1"
+ insecure: false
#
# Enable the Proxy Protocol header parsing for the entry point
# proxyProtocol:
@@ -608,9 +611,10 @@ traefik:
# advertisedPort: 4443
#
## Trust forwarded headers information (X-Forwarded-*).
- #forwardedHeaders:
- # trustedIPs: []
- # insecure: false
+ forwardedHeaders:
+ trustedIPs:
+ - "192.168.11.1"
+ insecure: false
#
## Enable the Proxy Protocol header parsing for the entry point
#proxyProtocol:
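Review bot: `--experimental.plugins.traefik-real-ip.moduleName=github.com/soulbalz/traefik-real-ip` loads third-party Go code into the proxy's request path, where it sees every request including `Authorization` headers and the Vaultwarden admin traffic this commit routes through it, so the module is now part of the trust boundary. Pinning to `v1.0.3` is the right start; add a comment stating why the plugin is needed in addition to the built-in `forwardedHeaders.trustedIPs` configured in the hunks below, and review how the plugin derives the client address from client-supplied headers before the `whitelist` middleware depends on it. `--log.level=DEBUG` in the surrounding context is also unusual for a production values file and can write request details into logs. The enclosing argument list starts above the hunk.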
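Review bot: `trustedIPs: ["192.168.11.1"]` tells Traefik to honour `X-Forwarded-*` only from that one upstream, which is the correct shape, but a bare address with no explanation is fragile: if the upstream is a load balancer or tunnel with more than one egress, forwarded headers are silently dropped and every client appears as the proxy, which would also defeat the `whitelist` middleware. Add a comment naming the upstream, e.g. `# Upstream reverse proxy; only it may set X-Forwarded-*`, and keep `insecure: false` exactly as written, since `true` would trust those headers from any client. The identical block is repeated for the `websecure` entry point in the next hunk (`@@ -608,9 +611,10 @@`); a YAML anchor or a single Helm value would keep the two from drifting.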
diff --git a/uptimekuma/templates/ingress.yaml b/uptimekuma/templates/ingress.yaml
index dde19a6..ae36954 100644
--- a/uptimekuma/templates/ingress.yaml
+++ b/uptimekuma/templates/ingress.yaml
@@ -42,4 +42,4 @@ metadata:
external-dns.alpha.kubernetes.io/hostname: kuma.prd.durp.info
spec:
type: ExternalName
- externalName:.prd.durp.info
+ externalName: prd.durp.info
diff --git a/vault/values.yaml b/vault/values.yaml
index d77a898..857f973 100644
--- a/vault/values.yaml
+++ b/vault/values.yaml
@@ -14,7 +14,7 @@ vault:
injector:
enabled: "-"
- replicas: 3
+ replicas: 2
leaderElector:
enabled: true