Merge branch 'mr-prd' into 'prd'

Mr prd

See merge request developerdurp/homelab!2

argocd/templates/ingress.yaml

@@ -8,17 +8,17 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`argocd.internal.prd.durp.info`)
+  - match: Host(`argocd.internal.prd.durp.info`)
-      middlewares:
+    middlewares:
-        - name: internal-only
+    - name: internal-only
-          namespace: traefik
+      namespace: traefik  
-      kind: Rule
+    kind: Rule
-      services:
+    services:
-        - name: argocd-server
+    - name: argocd-server
-          port: 443
+      port: 443
-          scheme: https
+      scheme: https
   tls:
-    secretName: argocd-tls
+    secretName: argocd-tls  
 
 ---
 
@@ -33,4 +33,4 @@ spec:
     kind: ClusterIssuer
   commonName: "argocd.internal.prd.durp.info"
   dnsNames:
-    - "argocd.internal.prd.durp.info"
+  - "argocd.internal.prd.durp.info"  

argocd/templates/metallb-system.yaml

@@ -15,6 +15,7 @@ spec:
   syncPolicy:
     automated:
       prune: true
-      selfHeal: true
+      selfHeal: true  
     syncOptions:
-      - CreateNamespace=true
+      - CreateNamespace=true 
+

argocd/values.yaml

@@ -33,13 +33,13 @@ argo-cd:
     cm:
       create: true
       annotations: {}
-      url: https://argocd.internal.durp.info
+      url: https://argocd.internal.prd.durp.info
       oidc.tls.insecure.skip.verify: "true"
       dex.config: |
         connectors:
           - config:
-              issuer: https://authentik.durp.info/application/o/argocd/
+              issuer: https://authentik.prd.durp.info/application/o/argocd/
-              clientID: dbb8ffc06104fb6e7fac3e4ae7fafb1d90437625
+              clientID: lKuMgyYaOlQMNAUSjsRVYgkwZG9UT6CeFWeTLAcl
               clientSecret: $client-secret:clientSecret
               insecureEnableGroups: true
               scopes:

authentik/templates/ingress.yaml

@@ -6,7 +6,7 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`authentik.prd.durp.info`) && PathPrefix(`/`)
+  - match: Host(`authentik.prd.durp.info`) && PathPrefix(`/`) 
     kind: Rule
     services:
     - name: authentik-server

authentik/values.yaml

@@ -34,9 +34,16 @@ authentik:
       registry: registry.internal.durp.info
       repository: bitnami/postgresql
       pullPolicy: Always
-    postgresqlUsername: "authentik"
+    auth:
-    postgresqlDatabase: "authentik"
+      username: "authentik"
-    existingSecret: db-pass 
+      existingSecret: db-pass
+      secretKeys:
+        adminPasswordKey: dbpass 
+        userPasswordKey: dbpass
+        
+          #postgresqlUsername: "authentik"
+          #postgresqlDatabase: "authentik"
+          #existingSecret: db-pass 
     persistence:
       enabled: true
       storageClass: longhorn

bitwarden/templates/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
       - name: bitwarden
-        image: registry.internal.durp.info/vaultwarden/server:1.30.3
+        image: registry.internal.durp.info/vaultwarden/server:1.30.5
         imagePullPolicy: Always
         volumeMounts:
         - name: bitwarden-pvc
@@ -28,7 +28,7 @@ spec:
           containerPort: 80
         env:
           - name: SIGNUPS_ALLOWED
-            value: "FALSE"
+            value: "TRUE"
           - name: INVITATIONS_ALLOWED
             value: "FALSE"                      
           - name: WEBSOCKET_ENABLED
@@ -39,7 +39,7 @@ spec:
             value: "80"            
           - name: ROCKET_WORKERS
             value: "10"
-          - name: SECRET_USERNAME
+          - name: ADMIN_TOKEN
             valueFrom:
               secretKeyRef:
                 name: bitwarden-secret

bitwarden/templates/ingress.yaml

@@ -40,3 +40,24 @@ metadata:
 spec:
   type: ExternalName
   externalName:.prd.durp.info
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: bitwarden-admin-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`bitwarden.prd.durp.info`) && PathPrefix(`/admin`)
+    kind: Rule
+    middlewares:
+    - name: whitelist
+      namespace: traefik  
+    services:
+    - name: bitwarden
+      port: 80
+  tls:
+    secretName: bitwarden-tls

cert-manager/templates/self-signed.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-cluster-issuer
+spec:
+  selfSigned: {}

crossplane/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: crossplane
   repository: https://charts.crossplane.io/stable
-  version: 1.12.0
+  version: 1.16.0

crossplane/templates/gitlab.yml

@@ -3,7 +3,7 @@ kind: Provider
 metadata:
   name: provider-gitlab
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.5.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.7.0
 ---
 
 apiVersion: external-secrets.io/v1beta1

crossplane/values.yaml

@@ -0,0 +1,186 @@
+# helm-docs renders these comments into markdown. Use markdown formatting where
+# appropiate.
+#
+# -- The number of Crossplane pod `replicas` to deploy.
+replicas: 1
+
+# -- The deployment strategy for the Crossplane and RBAC Manager pods.
+deploymentStrategy: RollingUpdate
+
+image:
+  # -- Repository for the Crossplane pod image.
+  repository: xpkg.upbound.io/crossplane/crossplane
+  # -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`.
+  tag: ""
+  # -- The image pull policy used for Crossplane and RBAC Manager pods.
+  pullPolicy: IfNotPresent
+
+# -- Add `nodeSelectors` to the Crossplane pod deployment.
+nodeSelector: {}
+# -- Add `tolerations` to the Crossplane pod deployment.
+tolerations: []
+# -- Add `affinities` to the Crossplane pod deployment.
+affinity: {}
+
+# -- Enable `hostNetwork` for the Crossplane deployment. Caution: enabling `hostNetwork` grants the Crossplane Pod access to the host network namespace. Consider setting `dnsPolicy` to `ClusterFirstWithHostNet`.
+hostNetwork: false
+
+# -- Specify the `dnsPolicy` to be used by the Crossplane pod.
+dnsPolicy: ""
+
+# -- Add custom `labels` to the Crossplane pod deployment.
+customLabels: {}
+
+# -- Add custom `annotations` to the Crossplane pod deployment.
+customAnnotations: {}
+
+serviceAccount:
+  # -- Add custom `annotations` to the Crossplane ServiceAccount.
+  customAnnotations: {}
+
+# -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the Crossplane pod.
+leaderElection: true
+# -- Add custom arguments to the Crossplane pod.
+args: []
+
+provider:
+  # -- A list of Provider packages to install.
+  packages: []
+
+configuration:
+  # -- A list of Configuration packages to install.
+  packages: []
+
+function:
+  # -- A list of Function packages to install
+  packages: []
+
+# -- The imagePullSecret names to add to the Crossplane ServiceAccount.
+imagePullSecrets: []
+
+registryCaBundleConfig:
+  # -- The ConfigMap name containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
+  name: ""
+  # -- The ConfigMap key containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
+  key: ""
+
+service:
+  # -- Configure annotations on the service object. Only enabled when webhooks.enabled = true
+  customAnnotations: {}
+
+webhooks:
+  # -- Enable webhooks for Crossplane and installed Provider packages.
+  enabled: true
+
+rbacManager:
+  # -- Deploy the RBAC Manager pod and its required roles.
+  deploy: true
+  # -- Don't install aggregated Crossplane ClusterRoles.
+  skipAggregatedClusterRoles: false
+  # -- The number of RBAC Manager pod `replicas` to deploy.
+  replicas: 1
+  # -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the RBAC Manager pod.
+  leaderElection: true
+  # -- Add custom arguments to the RBAC Manager pod.
+  args: []
+  # -- Add `nodeSelectors` to the RBAC Manager pod deployment.
+  nodeSelector: {}
+  # -- Add `tolerations` to the RBAC Manager pod deployment.
+  tolerations: []
+  # -- Add `affinities` to the RBAC Manager pod deployment.
+  affinity: {}
+
+# -- The PriorityClass name to apply to the Crossplane and RBAC Manager pods.
+priorityClassName: ""
+
+resourcesCrossplane:
+  limits:
+    # -- CPU resource limits for the Crossplane pod.
+    cpu: 500m
+    # -- Memory resource limits for the Crossplane pod.
+    memory: 1024Mi
+  requests:
+    # -- CPU resource requests for the Crossplane pod.
+    cpu: 100m
+    # -- Memory resource requests for the Crossplane pod.
+    memory: 256Mi
+
+securityContextCrossplane:
+  # -- The user ID used by the Crossplane pod.
+  runAsUser: 65532
+  # -- The group ID used by the Crossplane pod.
+  runAsGroup: 65532
+  # -- Enable `allowPrivilegeEscalation` for the Crossplane pod.
+  allowPrivilegeEscalation: false
+  # -- Set the Crossplane pod root file system as read-only.
+  readOnlyRootFilesystem: true
+
+packageCache:
+  # -- Set to `Memory` to hold the package cache in a RAM backed file system. Useful for Crossplane development.
+  medium: ""
+  # -- The size limit for the package cache. If medium is `Memory` the `sizeLimit` can't exceed Node memory.
+  sizeLimit: 20Mi
+  # -- The name of a PersistentVolumeClaim to use as the package cache. Disables the default package cache `emptyDir` Volume.
+  pvc: ""
+  # -- The name of a ConfigMap to use as the package cache. Disables the default package cache `emptyDir` Volume.
+  configMap: ""
+
+resourcesRBACManager:
+  limits:
+    # -- CPU resource limits for the RBAC Manager pod.
+    cpu: 100m
+    # -- Memory resource limits for the RBAC Manager pod.
+    memory: 512Mi
+  requests:
+    # -- CPU resource requests for the RBAC Manager pod.
+    cpu: 100m
+    # -- Memory resource requests for the RBAC Manager pod.
+    memory: 256Mi
+
+securityContextRBACManager:
+  # -- The user ID used by the RBAC Manager pod.
+  runAsUser: 65532
+  # -- The group ID used by the RBAC Manager pod.
+  runAsGroup: 65532
+  # -- Enable `allowPrivilegeEscalation` for the RBAC Manager pod.
+  allowPrivilegeEscalation: false
+  # -- Set the RBAC Manager pod root file system as read-only.
+  readOnlyRootFilesystem: true
+
+metrics:
+  # -- Enable Prometheus path, port and scrape annotations and expose port 8080 for both the Crossplane and RBAC Manager pods.
+  enabled: false
+
+# -- Add custom environmental variables to the Crossplane pod deployment.
+# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
+extraEnvVarsCrossplane: {}
+
+# -- Add custom environmental variables to the RBAC Manager pod deployment.
+# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
+extraEnvVarsRBACManager: {}
+
+# -- Add a custom `securityContext` to the Crossplane pod.
+podSecurityContextCrossplane: {}
+
+# -- Add a custom `securityContext` to the RBAC Manager pod.
+podSecurityContextRBACManager: {}
+
+# -- Add custom `volumes` to the Crossplane pod.
+extraVolumesCrossplane: {}
+
+# -- Add custom `volumeMounts` to the Crossplane pod.
+extraVolumeMountsCrossplane: {}
+
+# -- To add arbitrary Kubernetes Objects during a Helm Install
+extraObjects: []
+  # - apiVersion: pkg.crossplane.io/v1alpha1
+  #   kind: ControllerConfig
+  #   metadata:
+  #     name: aws-config
+  #     annotations:
+  #       eks.amazonaws.com/role-arn: arn:aws:iam::123456789101:role/example
+  #       helm.sh/hook: post-install
+  #   spec:
+  #     podSecurityContext:
+  #       fsGroup: 2000
+

durpapi/Chart.yaml

@@ -1,11 +1,11 @@
+description: A Helm chart for Kubernetes
 name: durpapi
-version: 0.1.0-dev0180
+appVersion: 0.1.0
 dependencies:
 - condition: postgresql.enabled
   name: postgresql
   version: 12.5.*
   repository: https://charts.bitnami.com/bitnami
-type: application
+version: 0.1.0-dev0184
-appVersion: 0.1.0
 apiVersion: v2
-description: A Helm chart for Kubernetes
+type: application

longhorn/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: longhorn
   repository: https://charts.longhorn.io
-  version: 1.3.2
+  version: 1.6.1

longhorn/templates/ingress.yaml

@@ -10,8 +10,8 @@ spec:
     middlewares:
     - name: whitelist
       namespace: traefik
-    - name: authentik-proxy-provider
+        #- name: authentik-proxy-provider
-      namespace: traefik  
+        #  namespace: traefik  
     kind: Rule
     services:
     - name: longhorn-frontend

longhorn/values.yaml

@@ -47,7 +47,7 @@ longhorn:
   persistence:
     defaultClass: true
     defaultFsType: ext4
-    defaultClassReplicaCount: 3
+    defaultClassReplicaCount: 1
     defaultDataLocality: disabled # best-effort otherwise
     reclaimPolicy: Retain
     migratable: false
@@ -76,7 +76,7 @@ longhorn:
     snapshotterReplicaCount: ~
   
   defaultSettings:
-    backupTarget: S3://longhorn@us-east-1/
+    backupTarget: S3://longhorn-prd@us-east-1/
     backupTargetCredentialSecret: longhorn-backup-token-secret
     allowRecurringJobWhileVolumeDetached: ~
     createDefaultDiskLabeledNodes: ~
@@ -238,7 +238,7 @@ longhorn:
     #   certificate:
   
   # Configure a pod security policy in the Longhorn namespace to allow privileged pods
-  enablePSP: true
+  enablePSP: false
   
   ## Specify override namespace, specifically this is useful for using longhorn as sub-chart
   ## and its release namespace is not the `longhorn-system`

metallb-system/templates/config.yaml

@@ -13,4 +13,4 @@ metadata:
   namespace: metallb-system
 spec:
   ipAddressPools:
-    - cheap
+  - cheap

nfs-client/templates/provisioner.yml

@@ -34,9 +34,9 @@ spec:
             - name: NFS_SERVER
               value: 192.168.20.253
             - name: NFS_PATH
-              value: /mnt/user/k3s 
+              value: /mnt/user/k3s-dev 
       volumes:
         - name: nfs-client-ssd
           nfs:
             server: 192.168.20.253
-            path: /mnt/user/k3s
+            path: /mnt/user/k3s-dev

open-webui/templates/ingress.yaml

@@ -39,4 +39,4 @@ metadata:
     external-dns.alpha.kubernetes.io/hostname: open-webui.prd.durp.info
 spec:
   type: ExternalName
-  externalName:.prd.durp.info
+  externalName: prd.durp.info

traefik/templates/middleware-chain.yaml

@@ -5,5 +5,5 @@ metadata:
 spec:
   chain:
     middlewares:
-      - name: traefik-real-ip
+    - name: traefik-real-ip
-      - name: whitelist
+    - name: whitelist

traefik/templates/middlewares.yaml

@@ -47,4 +47,3 @@ spec:
     traefik-real-ip:
       excludednets:
         - "1.1.1.1/24"
-

traefik/values.yaml

@@ -502,6 +502,8 @@ traefik:
     - "--log.level=DEBUG"
     - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
     - --experimental.plugins.jwt.version=v0.7.0
+    - --experimental.plugins.traefik-real-ip.moduleName=github.com/soulbalz/traefik-real-ip
+    - --experimental.plugins.traefik-real-ip.version=v1.0.3
 
 
   # Environment variables to be passed to Traefik's binary
@@ -578,9 +580,10 @@ traefik:
       redirectTo: websecure
       #
       # Trust forwarded  headers information (X-Forwarded-*).
-      # forwardedHeaders:
+      forwardedHeaders:
-      #   trustedIPs: []
+        trustedIPs: 
-      #   insecure: false
+          - "192.168.11.1"
+        insecure: false
       #
       # Enable the Proxy Protocol header parsing for the entry point
       # proxyProtocol:
@@ -608,9 +611,10 @@ traefik:
       # advertisedPort: 4443
       #
       ## Trust forwarded  headers information (X-Forwarded-*).
-      #forwardedHeaders:
+      forwardedHeaders:
-      #  trustedIPs: []
+        trustedIPs: 
-      #  insecure: false
+          - "192.168.11.1"
+        insecure: false
       #
       ## Enable the Proxy Protocol header parsing for the entry point
       #proxyProtocol:

uptimekuma/templates/ingress.yaml

@@ -42,4 +42,4 @@ metadata:
     external-dns.alpha.kubernetes.io/hostname: kuma.prd.durp.info
 spec:
   type: ExternalName
-  externalName:.prd.durp.info
+  externalName: prd.durp.info

vault/values.yaml

@@ -14,7 +14,7 @@ vault:
   injector:
     enabled: "-"
 
-    replicas: 3
+    replicas: 2
     leaderElector:
       enabled: true