diff --git a/argocd/templates/InternalProxy.yaml b/argocd/templates/InternalProxy.yaml index 1769a19..ca9bcc0 100644 --- a/argocd/templates/InternalProxy.yaml +++ b/argocd/templates/InternalProxy.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: internalproxy + path: master/internalproxy directory: recurse: true destination: diff --git a/argocd/templates/argocd.yaml b/argocd/templates/argocd.yaml index 417915e..e93aa4f 100644 --- a/argocd/templates/argocd.yaml +++ b/argocd/templates/argocd.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: argocd + path: master/argocd destination: namespace: argocd name: in-cluster diff --git a/argocd/templates/authentik.yaml b/argocd/templates/authentik.yaml index 735fa1a..5abfb3b 100644 --- a/argocd/templates/authentik.yaml +++ b/argocd/templates/authentik.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: authentik + path: master/authentik destination: namespace: authentik name: in-cluster diff --git a/argocd/templates/bitwarden.yaml b/argocd/templates/bitwarden.yaml index 6aad52f..ed56924 100644 --- a/argocd/templates/bitwarden.yaml +++ b/argocd/templates/bitwarden.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: bitwarden + path: master/bitwarden directory: recurse: true destination: diff --git a/argocd/templates/cert-manager.yaml b/argocd/templates/cert-manager.yaml index 1eb8fe2..fc11c13 100644 --- a/argocd/templates/cert-manager.yaml +++ b/argocd/templates/cert-manager.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: cert-manager + path: master/cert-manager destination: namespace: cert-manager name: in-cluster 
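Review bot: The `master/` prefix is added only to the `argocd/templates` Applications, while the new `master/argocd/templates/*.yaml` files are byte-for-byte copies of the pre-change files (the InternalProxy copy is created from blob `1769a19`, the blob this hunk replaces) and so still say `path: internalproxy`, `path: argocd`, and so on. Once `argocd/templates/argocd.yaml` points the self-managing argocd Application at `master/argocd`, the rendered child Applications will set `path` back to the un-prefixed directories, and with `prune: true` / `selfHeal: true` the two trees will keep overwriting each other unless those directories also still exist, which this diff does not show. The same applies to every path hunk on this and the following four lines (argocd.yaml through the first vault.yaml hunk) and to their copies under `master/argocd/templates/`. Either the copies should carry `path: master/<app>` as well, or the old `argocd/` tree should be removed instead of updated, so that only one definition of each Application is live.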
diff --git a/argocd/templates/crossplane.yml b/argocd/templates/crossplane.yml index e079c78..91473eb 100644 --- a/argocd/templates/crossplane.yml +++ b/argocd/templates/crossplane.yml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: crossplane + path: master/crossplane destination: namespace: crossplane name: in-cluster diff --git a/argocd/templates/durpapi.yaml b/argocd/templates/durpapi.yaml index 53c2db6..aeefcc1 100644 --- a/argocd/templates/durpapi.yaml +++ b/argocd/templates/durpapi.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: durpapi + path: master/durpapi destination: namespace: durpapi name: in-cluster diff --git a/argocd/templates/durpot.yaml b/argocd/templates/durpot.yaml index 1bfcd37..7a97eb4 100644 --- a/argocd/templates/durpot.yaml +++ b/argocd/templates/durpot.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: durpot + path: master/durpot destination: namespace: durpot name: in-cluster diff --git a/argocd/templates/external-dns.yaml b/argocd/templates/external-dns.yaml index ba05f2c..5cf21a5 100644 --- a/argocd/templates/external-dns.yaml +++ b/argocd/templates/external-dns.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: external-dns + path: master/external-dns destination: namespace: external-dns name: in-cluster diff --git a/argocd/templates/external-secrets.yaml b/argocd/templates/external-secrets.yaml index cf8a595..04f8f1d 100644 --- a/argocd/templates/external-secrets.yaml +++ b/argocd/templates/external-secrets.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: external-secrets + path: master/external-secrets destination: namespace: external-secrets name: in-cluster 
diff --git a/argocd/templates/gatekeeper.yaml b/argocd/templates/gatekeeper.yaml index 5c60c12..d9a0265 100644 --- a/argocd/templates/gatekeeper.yaml +++ b/argocd/templates/gatekeeper.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: gatekeeper + path: master/gatekeeper destination: namespace: gatekeeper name: in-cluster diff --git a/argocd/templates/gitlab-runner.yaml b/argocd/templates/gitlab-runner.yaml index c5539d7..13f4ebd 100644 --- a/argocd/templates/gitlab-runner.yaml +++ b/argocd/templates/gitlab-runner.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: gitlab-runner + path: master/gitlab-runner destination: namespace: gitlab-runner name: in-cluster diff --git a/argocd/templates/heimdall.yaml b/argocd/templates/heimdall.yaml index d695e34..333a761 100644 --- a/argocd/templates/heimdall.yaml +++ b/argocd/templates/heimdall.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: heimdall + path: master/heimdall destination: namespace: heimdall name: in-cluster diff --git a/argocd/templates/krakend.yaml b/argocd/templates/krakend.yaml index 68a57d1..e5ed113 100644 --- a/argocd/templates/krakend.yaml +++ b/argocd/templates/krakend.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: krakend + path: master/krakend destination: namespace: krakend name: in-cluster diff --git a/argocd/templates/kube-prometheus-stack.yaml b/argocd/templates/kube-prometheus-stack.yaml index 02f8261..ab57dfa 100644 --- a/argocd/templates/kube-prometheus-stack.yaml +++ b/argocd/templates/kube-prometheus-stack.yaml 
@@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: kube-prometheus-stack + path: master/kube-prometheus-stack destination: namespace: kube-prometheus-stack name: in-cluster diff --git a/argocd/templates/kubeclarity.yaml b/argocd/templates/kubeclarity.yaml index c812528..f2db3c0 100644 --- a/argocd/templates/kubeclarity.yaml +++ b/argocd/templates/kubeclarity.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: kubeclarity + path: master/kubeclarity destination: namespace: kubeclarity name: in-cluster diff --git a/argocd/templates/littlelink.yaml b/argocd/templates/littlelink.yaml index 99b08fe..856ac87 100644 --- a/argocd/templates/littlelink.yaml +++ b/argocd/templates/littlelink.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: littlelink + path: master/littlelink directory: recurse: true destination: diff --git a/argocd/templates/longhorn.yaml b/argocd/templates/longhorn.yaml index 017da6f..1e857c5 100644 --- a/argocd/templates/longhorn.yaml +++ b/argocd/templates/longhorn.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: longhorn + path: master/longhorn destination: namespace: longhorn-system name: in-cluster diff --git a/argocd/templates/metallb-system.yaml b/argocd/templates/metallb-system.yaml index 051be57..d343453 100644 --- a/argocd/templates/metallb-system.yaml +++ b/argocd/templates/metallb-system.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: metallb-system + path: master/metallb-system destination: namespace: metallb-system name: in-cluster diff --git a/argocd/templates/nfs-client.yaml b/argocd/templates/nfs-client.yaml index e374885..a299095 100644 --- a/argocd/templates/nfs-client.yaml 
+++ b/argocd/templates/nfs-client.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: nfs-client + path: master/nfs-client directory: recurse: true destination: diff --git a/argocd/templates/open-webui.yaml b/argocd/templates/open-webui.yaml index a2b25fa..beb59a6 100644 --- a/argocd/templates/open-webui.yaml +++ b/argocd/templates/open-webui.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: open-webui + path: master/open-webui destination: namespace: open-webui name: in-cluster diff --git a/argocd/templates/traefik.yaml b/argocd/templates/traefik.yaml index 3995a9f..e336d57 100644 --- a/argocd/templates/traefik.yaml +++ b/argocd/templates/traefik.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: traefik + path: master/traefik destination: namespace: traefik name: in-cluster diff --git a/argocd/templates/uptimekuma.yaml b/argocd/templates/uptimekuma.yaml index ff0e1af..1d2c5e6 100644 --- a/argocd/templates/uptimekuma.yaml +++ b/argocd/templates/uptimekuma.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: uptimekuma + path: master/uptimekuma directory: recurse: true destination: diff --git a/argocd/templates/vault.yaml b/argocd/templates/vault.yaml index 6e243c5..7a5e227 100644 --- a/argocd/templates/vault.yaml +++ b/argocd/templates/vault.yaml @@ -8,7 +8,7 @@ spec: source: repoURL: https://gitlab.com/developerdurp/homelab.git targetRevision: main - path: vault + path: master/vault destination: namespace: vault name: in-cluster @@ -16,7 +16,7 @@ spec: automated: prune: true selfHeal: true - syncOptions: + syncOptions: Gc - CreateNamespace=true ignoreDifferences: - group: admissionregistration.k8s.io 
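Review bot: `syncOptions: Gc` in the second vault.yaml hunk gives syncOptions a scalar value, so the following `- CreateNamespace=true` line is either folded into the string `Gc - CreateNamespace=true` or rejected outright depending on the parser; in both cases the Application CRD, which expects a list under syncOptions, will refuse the manifest and the vault namespace will no longer be created on sync. It looks like a stray keystroke, so the line should read `syncOptions:` as before.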
diff --git a/master/argocd/Chart.yaml b/master/argocd/Chart.yaml
new file mode 100644
index 0000000..cdccf8c
--- /dev/null
+++ b/master/argocd/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: argocd
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: argo-cd
+ repository: https://argoproj.github.io/argo-helm
+ version: 6.11.1
+
+
diff --git a/master/argocd/templates/InternalProxy.yaml b/master/argocd/templates/InternalProxy.yaml
new file mode 100644
index 0000000..1769a19
--- /dev/null
+++ b/master/argocd/templates/InternalProxy.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: internalproxy
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: internalproxy
+ directory:
+ recurse: true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: internalproxy
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/master/argocd/templates/argocd.yaml b/master/argocd/templates/argocd.yaml
new file mode 100644
index 0000000..417915e
--- /dev/null
+++ b/master/argocd/templates/argocd.yaml
@@ -0,0 +1,59 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: argocd
+ destination:
+ namespace: argocd
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: argocd-ingress
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`argocd.internal.durp.info`)
+ middlewares:
+ - name: whitelist
+ namespace: traefik
+ kind: Rule
+ services:
+ - name: argocd-server
+ port: 443
+ scheme: https
+ tls:
+ secretName: argocd-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: argocd-tls
+spec:
+ secretName: argocd-tls
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: "argocd.internal.durp.info"
+ dnsNames:
+ - "argocd.internal.durp.info"
diff --git a/master/argocd/templates/authentik.yaml b/master/argocd/templates/authentik.yaml
new file mode 100644
index 0000000..735fa1a
--- /dev/null
+++ b/master/argocd/templates/authentik.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: authentik
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: authentik
+ destination:
+ namespace: authentik
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/master/argocd/templates/bitwarden.yaml b/master/argocd/templates/bitwarden.yaml
new file mode 100644
index 0000000..6aad52f
--- /dev/null
+++ b/master/argocd/templates/bitwarden.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: bitwarden
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: bitwarden
+ directory:
+ recurse: true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: bitwarden
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: false
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/master/argocd/templates/cert-manager.yaml b/master/argocd/templates/cert-manager.yaml
new file mode 100644
index 0000000..1eb8fe2
--- /dev/null
+++ b/master/argocd/templates/cert-manager.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: cert-manager
+ destination:
+ namespace: cert-manager
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/crossplane.yml b/master/argocd/templates/crossplane.yml
new file mode 100644
index 0000000..e079c78
--- /dev/null
+++ b/master/argocd/templates/crossplane.yml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crossplane
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: crossplane
+ destination:
+ namespace: crossplane
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/durpapi.yaml b/master/argocd/templates/durpapi.yaml
new file mode 100644
index 0000000..53c2db6
--- /dev/null
+++ b/master/argocd/templates/durpapi.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: durpapi
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: durpapi
+ destination:
+ namespace: durpapi
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/durpot.yaml b/master/argocd/templates/durpot.yaml
new file mode 100644
index 0000000..1bfcd37
--- /dev/null
+++ b/master/argocd/templates/durpot.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: durpot
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: durpot
+ destination:
+ namespace: durpot
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/external-dns.yaml b/master/argocd/templates/external-dns.yaml
new file mode 100644
index 0000000..ba05f2c
--- /dev/null
+++ b/master/argocd/templates/external-dns.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-dns
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: external-dns
+ destination:
+ namespace: external-dns
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/external-secrets.yaml b/master/argocd/templates/external-secrets.yaml
new file mode 100644
index 0000000..cf8a595
--- /dev/null
+++ b/master/argocd/templates/external-secrets.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-secrets
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: external-secrets
+ destination:
+ namespace: external-secrets
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/gatekeeper.yaml b/master/argocd/templates/gatekeeper.yaml
new file mode 100644
index 0000000..5c60c12
--- /dev/null
+++ b/master/argocd/templates/gatekeeper.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: gatekeeper
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: gatekeeper
+ destination:
+ namespace: gatekeeper
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/gitlab-runner.yaml b/master/argocd/templates/gitlab-runner.yaml
new file mode 100644
index 0000000..c5539d7
--- /dev/null
+++ b/master/argocd/templates/gitlab-runner.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: gitlab-runner
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: gitlab-runner
+ destination:
+ namespace: gitlab-runner
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/master/argocd/templates/heimdall.yaml b/master/argocd/templates/heimdall.yaml
new file mode 100644
index 0000000..d695e34
--- /dev/null
+++ b/master/argocd/templates/heimdall.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: heimdall
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: heimdall
+ destination:
+ namespace: heimdall
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/krakend.yaml b/master/argocd/templates/krakend.yaml
new file mode 100644
index 0000000..68a57d1
--- /dev/null
+++ b/master/argocd/templates/krakend.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: krakend
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: krakend
+ destination:
+ namespace: krakend
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/kube-prometheus-stack.yaml b/master/argocd/templates/kube-prometheus-stack.yaml
new file mode 100644
index 0000000..02f8261
--- /dev/null
+++ b/master/argocd/templates/kube-prometheus-stack.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kube-prometheus-stack
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: kube-prometheus-stack
+ destination:
+ namespace: kube-prometheus-stack
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/master/argocd/templates/kubeclarity.yaml b/master/argocd/templates/kubeclarity.yaml
new file mode 100644
index 0000000..c812528
--- /dev/null
+++ b/master/argocd/templates/kubeclarity.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kubeclarity
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: kubeclarity
+ destination:
+ namespace: kubeclarity
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/littlelink.yaml b/master/argocd/templates/littlelink.yaml
new file mode 100644
index 0000000..99b08fe
--- /dev/null
+++ b/master/argocd/templates/littlelink.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: littlelink
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: littlelink
+ directory:
+ recurse: true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: littlelink
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/longhorn.yaml b/master/argocd/templates/longhorn.yaml
new file mode 100644
index 0000000..017da6f
--- /dev/null
+++ b/master/argocd/templates/longhorn.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: longhorn-system
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: longhorn
+ destination:
+ namespace: longhorn-system
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/master/argocd/templates/metallb-system.yaml b/master/argocd/templates/metallb-system.yaml
new file mode 100644
index 0000000..051be57
--- /dev/null
+++ b/master/argocd/templates/metallb-system.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: metallb-system
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: metallb-system
+ destination:
+ namespace: metallb-system
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
+
diff --git a/master/argocd/templates/nfs-client.yaml b/master/argocd/templates/nfs-client.yaml
new file mode 100644
index 0000000..e374885
--- /dev/null
+++ b/master/argocd/templates/nfs-client.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: nfs-client
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: nfs-client
+ directory:
+ recurse: true
+ destination:
+ namespace: nfs-client
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/master/argocd/templates/open-webui.yaml b/master/argocd/templates/open-webui.yaml
new file mode 100644
index 0000000..a2b25fa
--- /dev/null
+++ b/master/argocd/templates/open-webui.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: open-webui
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: open-webui
+ destination:
+ namespace: open-webui
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/secrets.yaml b/master/argocd/templates/secrets.yaml
new file mode 100644
index 0000000..baeaaee
--- /dev/null
+++ b/master/argocd/templates/secrets.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: vault-argocd
+ labels:
+ app.kubernetes.io/part-of: argocd
+spec:
+ secretStoreRef:
+ name: vault
+ kind: ClusterSecretStore
+ target:
+ name: client-secret
+ data:
+ - secretKey: clientSecret
+ remoteRef:
+ key: secrets/argocd/authentik
+ property: clientsecret
diff --git a/master/argocd/templates/traefik.yaml b/master/argocd/templates/traefik.yaml
new file mode 100644
index 0000000..3995a9f
--- /dev/null
+++ b/master/argocd/templates/traefik.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: traefik
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: traefik
+ destination:
+ namespace: traefik
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/master/argocd/templates/uptimekuma.yaml b/master/argocd/templates/uptimekuma.yaml
new file mode 100644
index 0000000..ff0e1af
--- /dev/null
+++ b/master/argocd/templates/uptimekuma.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: uptimekuma
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: uptimekuma
+ directory:
+ recurse: true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: uptimekuma
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/master/argocd/templates/vault.yaml b/master/argocd/templates/vault.yaml
new file mode 100644
index 0000000..6e243c5
--- /dev/null
+++ b/master/argocd/templates/vault.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: vault
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://gitlab.com/developerdurp/homelab.git
+ targetRevision: main
+ path: vault
+ destination:
+ namespace: vault
+ name: in-cluster
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ ignoreDifferences:
+ - group: admissionregistration.k8s.io
+ kind: MutatingWebhookConfiguration
+ jqPathExpressions:
+ - .webhooks[]?.clientConfig.caBundle
diff --git a/master/argocd/values.yaml b/master/argocd/values.yaml
new file mode 100644
index 0000000..47a56e3
--- /dev/null
+++ b/master/argocd/values.yaml
@@ -0,0 +1,62 @@
+argo-cd:
+
+ global:
+ revisionHistoryLimit: 1
+ image:
+ repository: registry.internal.durp.info/argoproj/argocd
+ imagePullPolicy: Always
+
+ server:
+ #extraArgs:
+ # - --dex-server-plaintext
+ # - --dex-server=argocd-dex-server:5556
+ # oidc.config: |
+ # name: AzureAD
+ # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
+ # clientID: CLIENT_ID
+ # clientSecret: $oidc.azuread.clientSecret
+ # requestedIDTokenClaims:
+ # groups:
+ # essential: true
+ # requestedScopes:
+ # - openid
+ # - profile
+ # - email
+
+ dex:
+ enabled: true
+ image:
+ repository: registry.internal.durp.info/dexidp/dex
+ imagePullPolicy: Always
+
+ configs:
+ cm:
+ create: true
+ annotations: {}
+ url: https://argocd.internal.durp.info
+ oidc.tls.insecure.skip.verify: "true"
+ dex.config: |
+ connectors:
+ - config:
+ issuer: https://authentik.durp.info/application/o/argocd/
+ clientID: dbb8ffc06104fb6e7fac3e4ae7fafb1d90437625
+ clientSecret: $client-secret:clientSecret
+ insecureEnableGroups: true
+ scopes:
+ - openid
+ - profile
+ - email
+ - groups
+ name: authentik
+ type: oidc
+ id: authentik
+
+ rbac:
+ create: true
+ policy.csv: |
+ g, ArgoCD Admins, role:admin
+ scopes: "[groups]"
+
+ server:
+ route:
+ enabled: false
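Review bot: `oidc.tls.insecure.skip.verify: "true"` in master/argocd/values.yaml turns off certificate verification on Argo CD's OIDC client, so the identity that the rbac block maps to `role:admin` (`g, ArgoCD Admins, role:admin`) is established over a channel whose server certificate is never checked; `authentik.durp.info` receives a Let's Encrypt certificate elsewhere in this commit, so the flag should be removed, or the relevant CA trusted explicitly if a private one is involved. `server:` appears twice under `argo-cd:` (once holding only the commented-out AzureAD block, once with `route.enabled: false`); if both sit at the same indentation, which the collapsed diff does not let me confirm, that is a duplicate mapping key that YAML loaders either reject or resolve last-wins, and the dead comment block should go in either case. `insecureEnableGroups: true` on the dex connector means group membership is only as fresh as the ID token, so a user removed from `ArgoCD Admins` keeps admin until they re-authenticate; a comment next to it such as `# groups come from the ID token and go stale until re-login` would record that trade-off.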
diff --git a/master/authentik/Chart.yaml b/master/authentik/Chart.yaml
new file mode 100644
index 0000000..c87b677
--- /dev/null
+++ b/master/authentik/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+name: authentik
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: authentik
+ repository: https://charts.goauthentik.io
+ version: 2024.8.3
\ No newline at end of file
diff --git a/master/authentik/templates/authentik-pv.yaml b/master/authentik/templates/authentik-pv.yaml
new file mode 100644
index 0000000..8fbc2e2
--- /dev/null
+++ b/master/authentik/templates/authentik-pv.yaml
@@ -0,0 +1,24 @@
+#apiVersion: v1
+#kind: PersistentVolume
+#metadata:
+# annotations:
+# pv.kubernetes.io/provisioned-by: durp.info/nfs
+# finalizers:
+# - kubernetes.io/pv-protection
+# name: authentik-pv
+#spec:
+# accessModes:
+# - ReadWriteMany
+# capacity:
+# storage: 10Gi
+# claimRef:
+# apiVersion: v1
+# kind: PersistentVolumeClaim
+# name: authentik-pvc
+# namespace: authentik
+# nfs:
+# path: /mnt/user/k3s/authentik
+# server: 192.168.20.253
+# persistentVolumeReclaimPolicy: Retain
+# storageClassName: nfs-storage
+# volumeMode: Filesystem
diff --git a/master/authentik/templates/authentik-pvc.yaml b/master/authentik/templates/authentik-pvc.yaml
new file mode 100644
index 0000000..f22640b
--- /dev/null
+++ b/master/authentik/templates/authentik-pvc.yaml
@@ -0,0 +1,18 @@
+#apiVersion: v1
+#kind: PersistentVolumeClaim
+#metadata:
+# labels:
+# app.kubernetes.io/component: app
+# app.kubernetes.io/instance: authentik
+# app.kubernetes.io/managed-by: Helm
+# app.kubernetes.io/name: authentik
+# helm.sh/chart: authentik-2.14.4
+# name: authentik-pvc
+# namespace: authentik
+#spec:
+# accessModes:
+# - ReadWriteMany
+# resources:
+# requests:
+# storage: 10Gi
+# storageClassName: nfs-storage
\ No newline at end of file
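Review bot: master/authentik/templates/authentik-pv.yaml and authentik-pvc.yaml consist entirely of commented-out manifests, so they render to nothing and only carry a stale NFS layout (an internal server address and a `helm.sh/chart: authentik-2.14.4` label) into the live chart; master/bitwarden/templates/bitwarden-pv.yaml further down is the same. Git history already preserves the old manifests, so deleting the files is cleaner than shipping dead templates, and if they are kept on purpose a one-line header such as `# Not rendered: legacy NFS PV/PVC kept for reference only` would say why.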
diff --git a/master/authentik/templates/ingress.yaml b/master/authentik/templates/ingress.yaml
new file mode 100644
index 0000000..ac10303
--- /dev/null
+++ b/master/authentik/templates/ingress.yaml
@@ -0,0 +1,42 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: authentik-ingress
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+ kind: Rule
+ services:
+ - name: authentik-server
+ port: 80
+ tls:
+ secretName: authentik-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: authentik-tls
+spec:
+ secretName: authentik-tls
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: "authentik.durp.info"
+ dnsNames:
+ - "authentik.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+ name: authentik-external-dns
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+spec:
+ type: ExternalName
+ externalName: durp.info
diff --git a/master/authentik/templates/secrets.yaml b/master/authentik/templates/secrets.yaml
new file mode 100644
index 0000000..07b7747
--- /dev/null
+++ b/master/authentik/templates/secrets.yaml
@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: authentik-secret
+spec:
+ secretStoreRef:
+ name: vault
+ kind: ClusterSecretStore
+ target:
+ name: db-pass
+ data:
+ - secretKey: dbpass
+ remoteRef:
+ key: secrets/authentik/database
+ property: dbpass
+ - secretKey: secretkey
+ remoteRef:
+ key: secrets/authentik/database
+ property: secretkey
+ - secretKey: postgresql-postgres-password
+ remoteRef:
+ key: secrets/authentik/database
+ property: dbpass
+ - secretKey: postgresql-password
+ remoteRef:
+ key: secrets/authentik/database
+ property: dbpass
+
diff --git a/master/authentik/values.yaml b/master/authentik/values.yaml
new file mode 100644
index 0000000..716e081
--- /dev/null
+++ b/master/authentik/values.yaml
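Review bot: master/authentik/templates/ingress.yaml declares the IngressRoute as `apiVersion: traefik.containo.us/v1alpha1`, while master/argocd/templates/argocd.yaml in this same commit uses `traefik.io/v1alpha1`; the containo.us group is the deprecated alias that Traefik v3 no longer serves, so the two routes will break at different times. Align on `apiVersion: traefik.io/v1alpha1` here and in master/bitwarden/templates/ingress.yaml. Unlike the argocd route this one carries no `whitelist` middleware, which is consistent with an identity provider that must be reachable from outside, but a comment stating that the public exposure is intentional would stop the next reader from "fixing" it.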
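Review bot: In master/authentik/templates/secrets.yaml the keys `postgresql-postgres-password` and `postgresql-password` are both filled from the same Vault property (`secrets/authentik/database`, `dbpass`), so the database superuser and the authentik application user share one password, and because `dbpass` is also what values.yaml injects as `AUTHENTIK_POSTGRESQL__PASSWORD`, the application pods effectively hold the superuser credential. If that is a deliberate homelab simplification, say so in a comment on the `postgresql-postgres-password` entry; otherwise give the superuser its own Vault property. The target Secret is named `db-pass` but also carries `secretkey`, the authentik signing key, so the name understates what it protects.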
@@ -0,0 +1,56 @@
+authentik:
+ global:
+ env:
+ - name: AUTHENTIK_POSTGRESQL__PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: db-pass
+ key: dbpass
+ - name: AUTHENTIK_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: db-pass
+ key: secretkey
+ revisionHistoryLimit: 1
+ image:
+ repository: registry.internal.durp.info/goauthentik/server
+ pullPolicy: Always
+ authentik:
+ outposts:
+ container_image_base: registry.internal.durp.info/goauthentik/%(type)s:%(version)s
+ postgresql:
+ host: '{{ .Release.Name }}-postgresql-hl'
+ name: "authentik"
+ user: "authentik"
+ port: 5432
+ server:
+ name: server
+ replicas: 3
+ worker:
+ replicas: 3
+ postgresql:
+ enabled: true
+ image:
+ registry: registry.internal.durp.info
+ repository: bitnami/postgresql
+ pullPolicy: Always
+ postgresqlUsername: "authentik"
+ postgresqlDatabase: "authentik"
+ existingSecret: db-pass
+ persistence:
+ enabled: true
+ storageClass: longhorn
+ accessModes:
+ - ReadWriteMany
+ redis:
+ enabled: true
+ master:
+ persistence:
+ enabled: false
+ image:
+ registry: registry.internal.durp.info
+ repository: bitnami/redis
+ pullPolicy: Always
+ architecture: standalone
+ auth:
+ enabled: false
diff --git a/master/bitwarden/Chart.yaml b/master/bitwarden/Chart.yaml
new file mode 100644
index 0000000..cfdd821
--- /dev/null
+++ b/master/bitwarden/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: bitwarden
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
diff --git a/master/bitwarden/templates/bitwarden-pv.yaml b/master/bitwarden/templates/bitwarden-pv.yaml
new file mode 100644
index 0000000..ff647d1
--- /dev/null
+++ b/master/bitwarden/templates/bitwarden-pv.yaml
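Review bot: `redis.auth.enabled: false` in master/authentik/values.yaml leaves the session and cache store without authentication, so any workload that can reach the redis Service in the authentik namespace can read or alter sessions; nothing in this commit adds a NetworkPolicy, so either enable auth with a password sourced through the existing ExternalSecret, or add a policy that restricts ingress to the authentik server and worker pods. `postgresql.persistence.accessModes: - ReadWriteMany` is also more than a single Postgres instance needs and, as far as I know, makes Longhorn serve the volume through its NFS share-manager path; `ReadWriteOnce` is the usual choice unless something else mounts the data volume, and if RWX is needed a comment saying why would help.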
@@ -0,0 +1,25 @@ +#apiVersion: v1 +#kind: PersistentVolume +#metadata: +# annotations: +# pv.kubernetes.io/provisioned-by: durp.info/nfs +# finalizers: +# - kubernetes.io/pv-protection +# name: bitwarden-pv +#spec: +# accessModes: +# - ReadWriteMany +# capacity: +# storage: 10Gi +# claimRef: +# apiVersion: v1 +# kind: PersistentVolumeClaim +# name: bitwarden-pvc +# namespace: bitwarden +# nfs: +# path: /mnt/user/k3s/bitwarden +# server: 192.168.20.253 +# persistentVolumeReclaimPolicy: Retain +# storageClassName: nfs-storage +# volumeMode: Filesystem +# \ No newline at end of file diff --git a/master/bitwarden/templates/bitwarden-pvc.yaml b/master/bitwarden/templates/bitwarden-pvc.yaml new file mode 100644 index 0000000..333af4d --- /dev/null +++ b/master/bitwarden/templates/bitwarden-pvc.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: bitwarden-pvc +spec: + storageClassName: longhorn + accessModes: + - ReadWriteMany + resources: + requests: + storage: 10Gi diff --git a/master/bitwarden/templates/deployment.yaml b/master/bitwarden/templates/deployment.yaml new file mode 100644 index 0000000..7d9c28b --- /dev/null +++ b/master/bitwarden/templates/deployment.yaml 
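Review bot: master/bitwarden/templates/bitwarden-pv.yaml is commented out in its entirety, so Helm renders an empty document and the file only serves to keep an internal NFS server address and export path in the repository; if the NFS PersistentVolume is retired, deleting the file is cleaner than shipping dead configuration, and if it may return, a header such as `# Retired: storage moved to the Longhorn claim in bitwarden-pvc.yaml` explains why it is kept. The repository is fetched from a gitlab.com URL; if it is public, internal addresses are better left out of committed files altogether.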
@@ -0,0 +1,50 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: bitwarden + name: bitwarden + labels: + app: bitwarden +spec: + selector: + matchLabels: + app: bitwarden + replicas: 1 + template: + metadata: + labels: + app: bitwarden + spec: + containers: + - name: bitwarden + image: registry.internal.durp.info/vaultwarden/server:1.32.0 + imagePullPolicy: Always + volumeMounts: + - name: bitwarden-pvc + mountPath: /data + subPath: bitwaren-data + ports: + - name: http + containerPort: 80 + env: + - name: SIGNUPS_ALLOWED + value: "FALSE" + - name: INVITATIONS_ALLOWED + value: "FALSE" + - name: WEBSOCKET_ENABLED + value: "TRUE" + - name: ROCKET_ENV + value: "staging" + - name: ROCKET_PORT + value: "80" + - name: ROCKET_WORKERS + value: "10" + - name: SECRET_USERNAME + valueFrom: + secretKeyRef: + name: bitwarden-secret + key: ADMIN_TOKEN + volumes: + - name: bitwarden-pvc + persistentVolumeClaim: + claimName: bitwarden-pvc diff --git a/master/bitwarden/templates/ingress.yaml b/master/bitwarden/templates/ingress.yaml new file mode 100644 index 0000000..8a9a628 --- /dev/null +++ b/master/bitwarden/templates/ingress.yaml @@ -0,0 +1,42 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: bitwarden-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: bitwarden + port: 80 + tls: + secretName: bitwarden-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: bitwarden-tls +spec: + secretName: bitwarden-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "bitwarden.durp.info" + dnsNames: + - "bitwarden.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: bitwarden-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: bitwarden.durp.info +spec: + type: ExternalName + externalName: durp.info \ No newline at end of file 
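Review bot: The admin token in master/bitwarden/templates/deployment.yaml is injected as `SECRET_USERNAME`, but vaultwarden reads it from `ADMIN_TOKEN`, so the value pulled from `bitwarden-secret` is never applied; change the line to `- name: ADMIN_TOKEN`, and consider storing the Argon2 PHC hash that vaultwarden accepts for `ADMIN_TOKEN` rather than the plaintext token. `subPath: bitwaren-data` is misspelled; it is harmless today but the directory name becomes part of the persisted layout, so fix it before data is written. The Deployment has no `strategy`, so the default RollingUpdate will briefly run two pods against the same `/data` on the ReadWriteMany claim, which with vaultwarden's default SQLite store risks corruption; add `strategy:` / `type: Recreate` (the claim could then be `ReadWriteOnce`). `ROCKET_ENV` and `WEBSOCKET_ENABLED` appear to be no-ops on the 1.32.0 image (Rocket 0.5 reads `ROCKET_PROFILE`, and websockets moved onto the main port in 1.31), so they can probably be dropped; no `securityContext`, `resources` or probes are set either.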
diff --git a/master/bitwarden/templates/secrets.yaml b/master/bitwarden/templates/secrets.yaml new file mode 100644 index 0000000..7a8d858 --- /dev/null +++ b/master/bitwarden/templates/secrets.yaml @@ -0,0 +1,16 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: bitwarden-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: bitwarden-secret + data: + - secretKey: ADMIN_TOKEN + remoteRef: + key: secrets/bitwarden/admin + property: ADMIN_TOKEN + diff --git a/master/bitwarden/templates/service.yaml b/master/bitwarden/templates/service.yaml new file mode 100644 index 0000000..df30857 --- /dev/null +++ b/master/bitwarden/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: bitwarden +spec: + ports: + - name: http + port: 80 + targetPort: 80 + protocol: TCP + selector: + app: bitwarden \ No newline at end of file diff --git a/master/cert-manager/Chart.yaml b/master/cert-manager/Chart.yaml new file mode 100644 index 0000000..e14d98b --- /dev/null +++ b/master/cert-manager/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: cert-manager +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: cert-manager + repository: https://charts.jetstack.io + version: v1.15.3 diff --git a/master/cert-manager/templates/letsencrypt-prroduction.yaml b/master/cert-manager/templates/letsencrypt-prroduction.yaml new file mode 100644 index 0000000..034ed9b --- /dev/null +++ b/master/cert-manager/templates/letsencrypt-prroduction.yaml 
@@ -0,0 +1,16 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + email: developerdurp@durp.info + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: cloudflare-api-token-secret diff --git a/master/cert-manager/templates/letsencrypt-staging.yaml b/master/cert-manager/templates/letsencrypt-staging.yaml new file mode 100644 index 0000000..b6ae4f9 --- /dev/null +++ b/master/cert-manager/templates/letsencrypt-staging.yaml @@ -0,0 +1,16 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - dns01: + cloudflare: + email: developerdurp@durp.info + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: cloudflare-api-token-secret \ No newline at end of file diff --git a/master/cert-manager/templates/sealedsecret.yaml b/master/cert-manager/templates/sealedsecret.yaml new file mode 100644 index 0000000..37a2e92 --- /dev/null +++ b/master/cert-manager/templates/sealedsecret.yaml @@ -0,0 +1,16 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: cloudflare-api-token-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: cloudflare-api-token-secret + data: + - secretKey: cloudflare-api-token-secret + remoteRef: + key: secrets/cert-manager + property: cloudflare-api-token-secret + diff --git a/master/cert-manager/values.yaml b/master/cert-manager/values.yaml new file mode 100644 index 0000000..36f403b --- /dev/null +++ b/master/cert-manager/values.yaml 
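Review bot: The production ClusterIssuer in master/cert-manager/templates/letsencrypt-prroduction.yaml sets `cloudflare.email` alongside `apiTokenSecretRef`; cert-manager only needs the email with the legacy global `apiKeySecretRef`, so the line can be dropped, which also keeps a personal address out of the manifest. The file name is misspelled (`prroduction`). Both issuers (the staging one in letsencrypt-staging.yaml has the same layout) read the same Cloudflare token, so that token should be scoped to DNS edit on the single zone; that is not verifiable from this diff. The `privateKeySecretRef` Secret is not pre-provisioned anywhere in this commit, so a comment `# ACME account key; created by cert-manager on first use` next to it would save the next reader a search.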
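Review bot: master/cert-manager/templates/sealedsecret.yaml defines an ExternalSecret backed by the `vault` ClusterSecretStore, not a SealedSecret, so the file name misdescribes the resource; renaming it along the lines of the `secrets.yaml` used in the authentik and bitwarden charts keeps the convention consistent. Because the ClusterIssuers reference `cloudflare-api-token-secret` by name only, it must land in the namespace cert-manager treats as its cluster resource namespace; the Argo CD destination in this commit is `cert-manager`, which matches the default, so this works as long as neither side changes.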
@@ -0,0 +1,25 @@ +cert-manager: + image: + registry: registry.internal.durp.info + repository: jetstack/cert-manager-controller + pullPolicy: Always + installCRDs: true + replicaCount: 3 + extraArgs: + - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 + - --dns01-recursive-nameservers-only + podDnsPolicy: None + podDnsConfig: + nameservers: + - "1.1.1.1" + - "1.0.0.1" + webhook: + image: + registry: registry.internal.durp.info + repository: jetstack/cert-manager-webhook + pullPolicy: Always + cainjector: + image: + registry: registry.internal.durp.info + repository: jetstack/cert-manager-cainjector + pullPolicy: Always \ No newline at end of file diff --git a/master/crossplane/Chart.yaml b/master/crossplane/Chart.yaml new file mode 100644 index 0000000..b0a80b7 --- /dev/null +++ b/master/crossplane/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: crossplane +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: +- name: crossplane + repository: https://charts.crossplane.io/stable + version: 1.17.1 diff --git a/master/crossplane/templates/gitlab.yml b/master/crossplane/templates/gitlab.yml new file mode 100644 index 0000000..3a20b9c --- /dev/null +++ b/master/crossplane/templates/gitlab.yml 
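Review bot: `installCRDs: true` in master/cert-manager/values.yaml is the legacy switch; the v1.15 chart pinned in Chart.yaml also accepts `crds.enabled: true` together with `crds.keep: true`, and the latter is what keeps the CRDs (and with them every Certificate and Issuer object) from being removed if the Argo CD application is ever deleted by mistake. `podDnsPolicy: None` with only 1.1.1.1 and 1.0.0.1 means the cert-manager pods cannot resolve cluster-internal names; that is the documented setup for DNS01 self-checks, but it deserves a comment such as `# Public resolvers only: the DNS01 self-check must see the public zone, not a split-horizon view` so nobody "fixes" it later. The three images come from the internal mirror with `pullPolicy: Always` and no explicit tag, so the chart's appVersion tag is relied upon; that is fine while the mirror carries upstream tags verbatim.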
@@ -0,0 +1,55 @@ +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-gitlab +spec: + package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.5.0 +--- + +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: gitlab-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: gitlab-secret + data: + - secretKey: accesstoken + remoteRef: + key: secrets/gitlab/token + property: accesstoken + +--- + +#apiVersion: gitlab.crossplane.io/v1beta1 +#kind: ProviderConfig +#metadata: +# name: gitlab-provider +#spec: +# baseURL: https://gitlab.com/ +# credentials: +# source: Secret +# secretRef: +# namespace: crossplane +# name: gitlab-secret +# key: accesstoken +# +#--- +# +#apiVersion: projects.gitlab.crossplane.io/v1alpha1 +#kind: Project +#metadata: +# name: example-project +#spec: +# deletionPolicy: Orphan +# forProvider: +# name: "Example Project" +# description: "example project description" +# providerConfigRef: +# name: gitlab-provider +# policy: +# resolution: Optional +# resolve: Always diff --git a/master/dashboards/nginx-dashboard.yaml b/master/dashboards/nginx-dashboard.yaml new file mode 100644 index 0000000..333a6c5 --- /dev/null +++ b/master/dashboards/nginx-dashboard.yaml 
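Review bot: master/crossplane/templates/gitlab.yml materializes the GitLab access token into `gitlab-secret` through the ExternalSecret, but the ProviderConfig that would consume it is commented out, so the credential is synced into the cluster with no consumer; either hold the ExternalSecret back until the ProviderConfig is enabled or enable both together, since an unused token sitting in a Secret is exposure without benefit. The commented-out example `Project` and `ProviderConfig` blocks are better removed than left as comments, or reduced to a single `# ProviderConfig intentionally disabled until the token scope is confirmed` line. The Provider package is pinned to `v0.5.0`, which is good; a short `# pinned on purpose, bump deliberately` comment beside it records that the pin is intentional.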
@@ -0,0 +1,1506 @@ +apiVersion: v1 +data: + nginx-ingress-controller_rev1.json: |- + { + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "enable": true, + "expr": "sum(changes(nginx_ingress_controller_config_last_reload_successful_timestamp_seconds{instance!=\"unknown\",controller_class=~\"$controller_class\",namespace=~\"$namespace\"}[30s])) by (controller_class)", + "hide": false, + "iconColor": "rgba(255, 96, 96, 1)", + "limit": 100, + "name": "Config Reloads", + "showIn": 0, + "step": "30s", + "tagKeys": "controller_class", + "tags": [], + "titleFormat": "Config Reloaded", + "type": "tags" + } + ] + }, + "description": "Ingress-nginx supports a rich collection of prometheus metrics. 
If you have prometheus and grafana installed on your cluster then prometheus will already be scraping this data due to the scrape annotation on the deployment.", + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 9614, + "graphTooltip": 0, + "id": 27, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "rgb(31, 120, 193)", + "mode": "fixed" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "ops" + }, + "overrides": [] + }, + "id": 20, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "9.1.6", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "round(sum(irate(nginx_ingress_controller_requests{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",namespace=~\"$namespace\"}[2m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "title": "Controller Request Volume", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "rgb(31, 120, 193)", + "mode": "fixed" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, 
+ "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 0 + }, + "id": 82, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "9.1.6", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum(avg_over_time(nginx_ingress_controller_nginx_process_connections{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\"}[2m]))", + "format": "time_series", + "instant": false, + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "title": "Controller Connections", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "rgb(31, 120, 193)", + "mode": "fixed" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgba(245, 54, 54, 0.9)", + "value": null + }, + { + "color": "rgba(237, 129, 40, 0.89)", + "value": 95 + }, + { + "color": "rgba(50, 172, 45, 0.97)", + "value": 99 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 12, + "y": 0 + }, + "id": 21, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "9.1.6", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": 
"sum(rate(nginx_ingress_controller_requests{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",namespace=~\"$namespace\",status!~\"[4-5].*\"}[2m])) / sum(rate(nginx_ingress_controller_requests{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",namespace=~\"$namespace\"}[2m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "title": "Controller Success Rate (non-4|5xx responses)", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "rgb(31, 120, 193)", + "mode": "fixed" + }, + "decimals": 0, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 18, + "y": 0 + }, + "id": 81, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "9.1.6", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "avg(nginx_ingress_controller_success{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\"})", + "format": "time_series", + "instant": true, + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "title": "Config Reloads", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "rgb(31, 120, 193)", + "mode": "fixed" + }, + "decimals": 0, + "mappings": [ + { + 
"options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 21, + "y": 0 + }, + "id": 83, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "9.1.6", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "count(nginx_ingress_controller_config_last_reload_successful{controller_pod=~\"$controller\",controller_namespace=~\"$namespace\"} == 0)", + "format": "time_series", + "instant": true, + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "title": "Last Config Failed", + "type": "stat" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "decimals": 2, + "editable": true, + "error": false, + "fill": 1, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 3 + }, + "height": "200px", + "hiddenSeries": false, + "id": 86, + "isNew": true, + "legend": { + "alignAsTable": true, + "avg": true, + "current": false, + "hideEmpty": false, + "hideZero": true, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "sideWidth": 300, + "sort": "current", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "connected", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "9.1.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "repeatDirection": "h", + 
"seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "round(sum(irate(nginx_ingress_controller_requests{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (ingress), 0.001)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ ingress }}", + "metric": "network", + "refId": "A", + "step": 10 + } + ], + "thresholds": [], + "timeRegions": [], + "title": "Ingress Request Volume", + "tooltip": { + "msResolution": false, + "shared": true, + "sort": 2, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "mode": "time", + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "reqps", + "logBase": 1, + "show": true + }, + { + "format": "Bps", + "logBase": 1, + "show": false + } + ], + "yaxis": { + "align": false + } + }, + { + "aliasColors": { + "max - istio-proxy": "#890f02", + "max - master": "#bf1b00", + "max - prometheus": "#bf1b00" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "decimals": 2, + "editable": false, + "error": false, + "fill": 0, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 3 + }, + "hiddenSeries": false, + "id": 87, + "isNew": true, + "legend": { + "alignAsTable": true, + "avg": true, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "sideWidth": 300, + "sort": "avg", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "connected", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "9.1.6", + "pointradius": 5, + 
"points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum(rate(nginx_ingress_controller_requests{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",namespace=~\"$namespace\",ingress=~\"$ingress\",status!~\"[4-5].*\"}[2m])) by (ingress) / sum(rate(nginx_ingress_controller_requests{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (ingress)", + "format": "time_series", + "instant": false, + "interval": "10s", + "intervalFactor": 1, + "legendFormat": "{{ ingress }}", + "metric": "container_memory_usage:sort_desc", + "refId": "A", + "step": 10 + } + ], + "thresholds": [], + "timeRegions": [], + "title": "Ingress Success Rate (non-4|5xx responses)", + "tooltip": { + "msResolution": false, + "shared": true, + "sort": 1, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "mode": "time", + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "logBase": 1, + "show": true + }, + { + "format": "short", + "logBase": 1, + "show": false + } + ], + "yaxis": { + "align": false + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "decimals": 2, + "editable": true, + "error": false, + "fill": 1, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 10 + }, + "height": "200px", + "hiddenSeries": false, + "id": 32, + "isNew": true, + "legend": { + "alignAsTable": false, + "avg": true, + "current": true, + "max": false, + "min": false, + "rightSide": false, + "show": false, + "sideWidth": 200, + "sort": "current", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + 
"nullPointMode": "connected", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "9.1.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum (irate (nginx_ingress_controller_request_size_sum{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\"}[2m]))", + "format": "time_series", + "instant": false, + "interval": "10s", + "intervalFactor": 1, + "legendFormat": "Received", + "metric": "network", + "refId": "A", + "step": 10 + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "- sum (irate (nginx_ingress_controller_response_size_sum{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\"}[2m]))", + "format": "time_series", + "hide": false, + "interval": "10s", + "intervalFactor": 1, + "legendFormat": "Sent", + "metric": "network", + "refId": "B", + "step": 10 + } + ], + "thresholds": [], + "timeRegions": [], + "title": "Network I/O pressure", + "tooltip": { + "msResolution": false, + "shared": true, + "sort": 0, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "mode": "time", + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "logBase": 1, + "show": true + }, + { + "format": "Bps", + "logBase": 1, + "show": false + } + ], + "yaxis": { + "align": false + } + }, + { + "aliasColors": { + "max - istio-proxy": "#890f02", + "max - master": "#bf1b00", + "max - prometheus": "#bf1b00" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "decimals": 2, + "editable": false, + "error": false, + "fill": 0, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + 
"y": 10 + }, + "hiddenSeries": false, + "id": 77, + "isNew": true, + "legend": { + "alignAsTable": true, + "avg": true, + "current": true, + "max": false, + "min": false, + "rightSide": false, + "show": false, + "sideWidth": 200, + "sort": "current", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "connected", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "9.1.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "avg(nginx_ingress_controller_nginx_process_resident_memory_bytes{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\"}) ", + "format": "time_series", + "instant": false, + "interval": "10s", + "intervalFactor": 1, + "legendFormat": "nginx", + "metric": "container_memory_usage:sort_desc", + "refId": "A", + "step": 10 + } + ], + "thresholds": [], + "timeRegions": [], + "title": "Average Memory Usage", + "tooltip": { + "msResolution": false, + "shared": true, + "sort": 2, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "mode": "time", + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "logBase": 1, + "show": true + }, + { + "format": "short", + "logBase": 1, + "show": false + } + ], + "yaxis": { + "align": false + } + }, + { + "aliasColors": { + "max - istio-proxy": "#890f02", + "max - master": "#bf1b00" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "decimals": 3, + "editable": false, + "error": false, + "fill": 0, + "fillGradient": 0, + "grid": {}, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 10 + }, + "height": "", + "hiddenSeries": false, + "id": 79, 
+ "isNew": true, + "legend": { + "alignAsTable": true, + "avg": true, + "current": true, + "max": false, + "min": false, + "rightSide": false, + "show": false, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "connected", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "9.1.6", + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum (rate (nginx_ingress_controller_nginx_process_cpu_seconds_total{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\"}[2m])) ", + "format": "time_series", + "interval": "10s", + "intervalFactor": 1, + "legendFormat": "nginx", + "metric": "container_cpu", + "refId": "A", + "step": 10 + } + ], + "thresholds": [ + { + "colorMode": "critical", + "fill": true, + "line": true, + "op": "gt" + } + ], + "timeRegions": [], + "title": "Average CPU Usage", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 2, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "mode": "time", + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "none", + "label": "cores", + "logBase": 1, + "show": true + }, + { + "format": "short", + "logBase": 1, + "show": true + } + ], + "yaxis": { + "align": false + } + }, + { + "columns": [], + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fontSize": "100%", + "gridPos": { + "h": 8, + "w": 24, + "x": 0, + "y": 16 + }, + "hideTimeOverride": false, + "id": 75, + "links": [], + "pageSize": 7, + "repeatDirection": "h", + "scroll": true, + "showHeader": true, + "sort": { + "col": 1, + "desc": true + }, + "styles": [ + { + "alias": "Ingress", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 
0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "ingress", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "Requests", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [ + "" + ], + "type": "number", + "unit": "ops" + }, + { + "alias": "Errors", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "ops" + }, + { + "alias": "P50 Latency", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 0, + "link": false, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "dtdurations" + }, + { + "alias": "P90 Latency", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 0, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "dtdurations" + }, + { + "alias": "P99 Latency", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 0, + "pattern": "Value #E", + "thresholds": [], + "type": "number", + "unit": "dtdurations" + }, + { + "alias": "IN", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #F", + "thresholds": [ + 
"" + ], + "type": "number", + "unit": "Bps" + }, + { + "alias": "", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "OUT", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #G", + "thresholds": [], + "type": "number", + "unit": "Bps" + } + ], + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "histogram_quantile(0.50, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le, ingress))", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ ingress }}", + "refId": "C" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "histogram_quantile(0.90, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le, ingress))", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ ingress }}", + "refId": "D" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "histogram_quantile(0.99, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le, ingress))", + "format": "table", + 
"hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "E" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum(irate(nginx_ingress_controller_request_size_sum{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (ingress)", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ ingress }}", + "refId": "F" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum(irate(nginx_ingress_controller_response_size_sum{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (ingress)", + "format": "table", + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ ingress }}", + "refId": "G" + } + ], + "title": "Ingress Percentile Response Times and Transfer Rates", + "transform": "table", + "type": "table-old" + }, + { + "columns": [ + { + "text": "Current", + "value": "current" + } + ], + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fontSize": "100%", + "gridPos": { + "h": 8, + "w": 24, + "x": 0, + "y": 24 + }, + "height": "1024", + "id": 85, + "links": [], + "pageSize": 7, + "scroll": true, + "showHeader": true, + "sort": { + "col": 1, + "desc": false + }, + "styles": [ + { + "alias": "Time", + "align": "auto", + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "pattern": "Time", + "type": "date" + }, + { + "alias": "TTL", + "align": "auto", + "colorMode": "cell", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 0, + "pattern": "Current", + "thresholds": [ + "0", + "691200" + ], + "type": "number", + "unit": "s" + }, + { + "alias": "", + "align": 
"auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "decimals": 2, + "pattern": "/.*/", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "avg(nginx_ingress_controller_ssl_expire_time_seconds{kubernetes_pod_name=~\"$controller\",namespace=~\"$namespace\",ingress=~\"$ingress\"}) by (host) - time()", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ host }}", + "metric": "gke_letsencrypt_cert_expiration", + "refId": "A", + "step": 1 + } + ], + "title": "Ingress Certificate Expiry", + "transform": "timeseries_aggregations", + "type": "table-old" + } + ], + "refresh": "5s", + "schemaVersion": 37, + "style": "dark", + "tags": [ + "nginx" + ], + "templating": { + "list": [ + { + "allValue": ".*", + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "definition": "", + "hide": 0, + "includeAll": true, + "label": "Namespace", + "multi": false, + "name": "namespace", + "options": [], + "query": { + "query": "label_values(nginx_ingress_controller_config_hash, controller_namespace)", + "refId": "Prometheus-namespace-Variable-Query" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": ".*", + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "definition": "", + "hide": 0, + "includeAll": true, + "label": "Controller Class", + "multi": false, + "name": "controller_class", + "options": [], + "query": { + "query": "label_values(nginx_ingress_controller_config_hash{namespace=~\"$namespace\"}, controller_class) ", + "refId": "Prometheus-controller_class-Variable-Query" + }, 
+ "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": ".*", + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "definition": "", + "hide": 0, + "includeAll": true, + "label": "Controller", + "multi": false, + "name": "controller", + "options": [], + "query": { + "query": "label_values(nginx_ingress_controller_config_hash{namespace=~\"$namespace\",controller_class=~\"$controller_class\"}, controller_pod) ", + "refId": "Prometheus-controller-Variable-Query" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": ".*", + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "definition": "", + "hide": 0, + "includeAll": true, + "label": "Ingress", + "multi": false, + "name": "ingress", + "options": [], + "query": { + "query": "label_values(nginx_ingress_controller_requests{namespace=~\"$namespace\",controller_class=~\"$controller_class\",controller=~\"$controller\"}, ingress) ", + "refId": "Prometheus-ingress-Variable-Query" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 2, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "2m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "NGINX Ingress controller", + "uid": "nginx", + "version": 1, + "weekStart": "" + } +kind: ConfigMap +metadata: + labels: + grafana_dashboard: 
"1" + creationTimestamp: null + name: nginx-dashboard + namespace: kube-prometheus-stack \ No newline at end of file diff --git a/master/durpapi/Chart.yaml b/master/durpapi/Chart.yaml new file mode 100644 index 0000000..078c7e0 --- /dev/null +++ b/master/durpapi/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v2 +name: durpapi +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0-dev0184 +appVersion: 0.1.0 + +dependencies: +- condition: postgresql.enabled + version: 12.5.* + repository: https://charts.bitnami.com/bitnami + name: postgresql diff --git a/master/durpapi/templates/deployment.yaml b/master/durpapi/templates/deployment.yaml new file mode 100644 index 0000000..0f42dfb --- /dev/null +++ b/master/durpapi/templates/deployment.yaml @@ -0,0 +1,38 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Chart.Name }} + labels: + app: {{ .Chart.Name }} +spec: + revisionHistoryLimit: 1 + selector: + matchLabels: + app: {{ .Chart.Name }} + replicas: {{ .Values.deployment.hpa.minReplicas }} + template: + metadata: + labels: + app: {{ .Chart.Name }} + spec: + containers: + - name: api + image: "{{ .Values.deployment.image }}:{{ default .Chart.Version .Values.deployment.tag }}" + imagePullPolicy: {{ .Values.deployment.imagePullPolicy }} + readinessProbe: + {{- toYaml .Values.deployment.probe.readiness | nindent 12 }} + livenessProbe: + {{- toYaml .Values.deployment.probe.liveness | nindent 12 }} + startupProbe: + {{- toYaml .Values.deployment.probe.startup | nindent 12 }} + ports: + - name: http + containerPort: {{ .Values.service.targetport }} + env: + - name: host + value: {{ .Values.swagger.host }} + - name: version + value: {{ default .Chart.Version .Values.deployment.tag }} + envFrom: + - secretRef: + name: {{ .Values.deployment.secretfile }} diff --git a/master/durpapi/templates/hpa.yaml b/master/durpapi/templates/hpa.yaml new file mode 100644 index 0000000..68d484d --- /dev/null +++ b/master/durpapi/templates/hpa.yaml 
@@ -0,0 +1,24 @@ +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: "{{ .Chart.Name }}-hpa" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ .Chart.Name }} + minReplicas: {{ .Values.deployment.hpa.minReplicas }} + maxReplicas: {{ .Values.deployment.hpa.maxReplicas }} + metrics: + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: 80 + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 40 diff --git a/master/durpapi/templates/ingress.yaml b/master/durpapi/templates/ingress.yaml new file mode 100644 index 0000000..bd268dd --- /dev/null +++ b/master/durpapi/templates/ingress.yaml @@ -0,0 +1,44 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: "{{ .Chart.Name }}-ingress" +spec: + entryPoints: + - websecure + routes: + - match: Host("api.durp.info") && PathPrefix(`/api`) + kind: Rule + middlewares: + - name: jwt + services: + - name: "durpapi-service" + port: 80 + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: "{{ .Chart.Name }}-swagger" +spec: + entryPoints: + - websecure + routes: + - match: Host("api.durp.info") && PathPrefix(`/swagger`) + kind: Rule + services: + - name: "durpapi-service" + port: 80 + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: jwt +spec: + plugin: + jwt: + Required: true + Keys: + - https://authentik.durp.info/application/o/api/jwks diff --git a/master/durpapi/templates/secrets.yaml b/master/durpapi/templates/secrets.yaml new file mode 100644 index 0000000..0157b5b --- /dev/null +++ b/master/durpapi/templates/secrets.yaml 
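Review bot: Both metrics use `type: Utilization`, which the autoscaler evaluates as a percentage of the pods' resource requests, and deployment.yaml in this commit declares no `resources`; the HPA will therefore fail to read either metric and stay at `minReplicas`. Either add CPU and memory requests to the container or use `type: AverageValue` with an absolute `averageValue` target. Scaling on memory utilization is also of limited use for a long-running process, because heap is seldom returned to the OS, so replicas scale up but rarely back down; consider keeping only the CPU metric.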
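Review bot: Both IngressRoutes point at the literal service name `durpapi-service`, while service.yaml names it `{{ .Chart.Name }}-service`; if the chart is ever aliased or renamed the routes silently target a Service that does not exist, so use `- name: "{{ .Chart.Name }}-service"` here too. The `/swagger` route carries no `jwt` middleware, so the full API description is reachable unauthenticated on the public host; if that is intended, a comment on the route should say so, otherwise attach the same middleware. The `jwt` Middleware only configures a JWKS URL, so any token signed by that Authentik instance, for any application, is accepted; if the plugin supports issuer and audience checks, constrain them to this API's values. The host is also hard-coded as `api.durp.info` although values.yaml already carries it as `swagger.host`.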
@@ -0,0 +1,39 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: durpapi-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: durpapi-secret + data: + - secretKey: db_host + remoteRef: + key: secrets/durpapi/postgres + property: db_host + - secretKey: db_port + remoteRef: + key: secrets/durpapi/postgres + property: db_port + - secretKey: db_pass + remoteRef: + key: secrets/durpapi/postgres + property: db_pass + - secretKey: db_user + remoteRef: + key: secrets/durpapi/postgres + property: db_user + - secretKey: db_sslmode + remoteRef: + key: secrets/durpapi/postgres + property: db_sslmode + - secretKey: db_name + remoteRef: + key: secrets/durpapi/postgres + property: db_name + - secretKey: llamaurl + remoteRef: + key: secrets/durpapi/llamaurl + property: llamaurl \ No newline at end of file diff --git a/master/durpapi/templates/service.yaml b/master/durpapi/templates/service.yaml new file mode 100644 index 0000000..2cab669 --- /dev/null +++ b/master/durpapi/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ .Chart.Name }}-service" +spec: + ports: + - name: http + port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetport }} + protocol: TCP + selector: + app: {{ .Chart.Name }} diff --git a/master/durpapi/values.yaml b/master/durpapi/values.yaml new file mode 100644 index 0000000..9e9eeab --- /dev/null +++ b/master/durpapi/values.yaml 
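Review bot: Six of the seven entries fetch individual properties from the same remote key `secrets/durpapi/postgres`; a single `dataFrom: - extract: key: secrets/durpapi/postgres` entry would sync every property of that path and keep this manifest from drifting when a new field is added in Vault. No `refreshInterval` is set either, so the sync cadence is the operator default; stating it explicitly, e.g. `refreshInterval: 1h`, documents how long a rotated database password takes to reach the cluster.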
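Review bot: `spec.type` is never rendered, although values.yaml in this commit defines `service.type: ClusterIP`; the Service gets the API default, which happens to match today, but changing the value to `LoadBalancer` would silently do nothing. Add `type: {{ .Values.service.type }}` under `spec`. `targetPort` could also reference the container port by name, `targetPort: http`, so the Deployment and Service cannot drift on the numeric value.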
@@ -0,0 +1,39 @@ +ingress: + enabled: false +deployment: + image: registry.internal.durp.info/developerdurp/durpapi + secretfile: durpapi-secret + imagePullPolicy: Always + hpa: + minReplicas: 3 + maxReplicas: 10 + probe: + readiness: + httpGet: + path: /health/gethealth + port: 8080 + liveness: + httpGet: + path: /health/gethealth + port: 8080 + startup: + httpGet: + path: /health/gethealth + port: 8080 +service: + type: ClusterIP + port: 80 + targetport: 8080 + +swagger: + host: api.durp.info +postgresql: + enabled: true + auth: + existingSecret: durpapi-secret + secretKeys: + adminPasswordKey: db_pass + userPasswordKey: db_pass + replicationPasswordKey: db_pass + database: postgres + username: postgres diff --git a/master/durpot/Chart.yaml b/master/durpot/Chart.yaml new file mode 100644 index 0000000..c21a834 --- /dev/null +++ b/master/durpot/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: durpapi +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: durpot + repository: https://gitlab.com/api/v4/projects/45025485/packages/helm/stable + version: 0.1.0-dev0038 diff --git a/master/durpot/templates/secrets.yaml b/master/durpot/templates/secrets.yaml new file mode 100644 index 0000000..792f909 --- /dev/null +++ b/master/durpot/templates/secrets.yaml 
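Review bot: The bundled postgresql is configured with `username: postgres` and all three `secretKeys` pointing at `db_pass`, so the application authenticates as the database superuser with the same password the replication role uses; a compromise of the API pod is then a compromise of the whole database. Create a dedicated application role with its own password (`userPasswordKey` on a separate key) and keep `adminPasswordKey` and `replicationPasswordKey` on distinct secrets. `ingress.enabled: false` is not consumed by any template in this commit, since ingress.yaml renders unconditionally, so either wrap that template in `{{- if .Values.ingress.enabled }}` or drop the key. The readiness, liveness and startup probes all hit `/health/gethealth` with default thresholds, so a slow start gets no extra grace; set `failureThreshold` on the startup probe.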
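Review bot: `name: durpapi` in master/durpot/Chart.yaml looks like a copy-paste from the durpapi chart; `{{ .Chart.Name }}` and anything derived from it in this chart carries the wrong name and can collide with the real durpapi release. Change it to `name: durpot`. The dependency is pinned to a prerelease build, `0.1.0-dev0038`; acceptable for a homelab, but a comment noting it is a dev artifact would help whoever bumps it later.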
@@ -0,0 +1,43 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: durpot-secert +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: durpot-secret + data: + - secretKey: OPENAI_API_KEY + remoteRef: + key: secrets/durpot/openai + property: OPENAI_API_KEY + - secretKey: BOTPREFIX + remoteRef: + key: secrets/durpot/discord + property: BOTPREFIX + - secretKey: ChannelID + remoteRef: + key: secrets/durpot/discord + property: ChannelID + - secretKey: TOKEN + remoteRef: + key: secrets/durpot/discord + property: TOKEN + - secretKey: ClientID + remoteRef: + key: secrets/durpot/auth + property: ClientID + - secretKey: Password + remoteRef: + key: secrets/durpot/auth + property: Password + - secretKey: TokenURL + remoteRef: + key: secrets/durpot/auth + property: TokenURL + - secretKey: Username + remoteRef: + key: secrets/durpot/auth + property: Username diff --git a/master/external-dns/Chart.yaml b/master/external-dns/Chart.yaml new file mode 100644 index 0000000..8fb36bc --- /dev/null +++ b/master/external-dns/Chart.yaml @@ -0,0 +1,12 @@ + +apiVersion: v2 +name: external-dns +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: external-dns + repository: https://charts.bitnami.com/bitnami + version: 8.3.8 diff --git a/master/external-dns/templates/secrets.yaml b/master/external-dns/templates/secrets.yaml new file mode 100644 index 0000000..142c03a --- /dev/null +++ b/master/external-dns/templates/secrets.yaml 
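Review bot: `metadata.name: durpot-secert` is misspelled while `target.name` is `durpot-secret`; the ExternalSecret is created under the typo and anyone selecting or grepping by the intended name misses it, so change it to `name: durpot-secret`. The Discord `TOKEN`, `OPENAI_API_KEY` and the auth `Password` all land in one Secret, which is fine for a single workload, but like the other ExternalSecrets in this commit it sets no `refreshInterval`, so rotation latency is whatever the operator default is.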
@@ -0,0 +1,23 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: external-dns-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: external-dns + data: + - secretKey: cloudflare_api_email + remoteRef: + key: secrets/external-dns/cloudflare + property: cloudflare_api_email + - secretKey: cloudflare_api_key + remoteRef: + key: secrets/external-dns/cloudflare + property: cloudflare_api_key + - secretKey: cloudflare_api_token + remoteRef: + key: secrets/external-dns/cloudflare + property: cloudflare_api_token diff --git a/master/external-dns/values.yaml b/master/external-dns/values.yaml new file mode 100644 index 0000000..68abe91 --- /dev/null +++ b/master/external-dns/values.yaml @@ -0,0 +1,16 @@ +external-dns: + global: + imageRegistry: "registry.internal.durp.info" + + image: + pullPolicy: Always + + sources: + - service + + provider: cloudflare + cloudflare: + secretName : "external-dns" + proxied: false + + policy: sync diff --git a/master/external-secrets/Chart.yaml b/master/external-secrets/Chart.yaml new file mode 100644 index 0000000..5b9982f --- /dev/null +++ b/master/external-secrets/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: external-secrets +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: external-secrets + repository: https://charts.external-secrets.io + version: 0.10.4 + diff --git a/master/external-secrets/values.yaml b/master/external-secrets/values.yaml new file mode 100644 index 0000000..a720adb --- /dev/null +++ b/master/external-secrets/values.yaml 
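Review bot: The Secret is populated with both the Cloudflare global API key (`cloudflare_api_key` plus `cloudflare_api_email`) and a scoped `cloudflare_api_token`; the global key grants full account access while a token can be limited to DNS edit on the one zone. As far as I recall the chart prefers the token when both are present — confirm against the chart — and if so the key and email entries should be dropped so the broad credential never reaches the cluster. If the global key is actually the one in use, replace it with a scoped token.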
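Review bot: `policy: sync` lets external-dns delete any record it considers stale, so removing or mislabelling a Service takes the public DNS name down with it; `upsert-only` is the safer choice unless automatic cleanup is explicitly wanted, and if the chart exposes `domainFilters` and `txtOwnerId` they should be set so the controller only manages its own records in the intended zone. `secretName : "external-dns"` has a space before the colon; it parses, but it is easy to misread and yamllint flags it, so write `secretName: "external-dns"`. `pullPolicy: Always` against the internal registry is fine, but it means a registry outage blocks pod restarts.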
@@ -0,0 +1,463 @@ +external-secrets: + replicaCount: 3 + + # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) + revisionHistoryLimit: 10 + + image: + repository: ghcr.io/external-secrets/external-secrets + pullPolicy: Always + # -- The image tag to use. The default is the chart appVersion. + # There are different image flavours available, like distroless and ubi. + # Please see GitHub release notes for image tags for these flavors. + # By default the distroless image is used. + tag: "" + + # -- If set, install and upgrade CRDs through helm chart. + installCRDs: true + + crds: + # -- If true, create CRDs for Cluster External Secret. + createClusterExternalSecret: true + # -- If true, create CRDs for Cluster Secret Store. + createClusterSecretStore: true + # -- If true, create CRDs for Push Secret. + createPushSecret: true + annotations: {} + conversion: + enabled: true + + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + + # -- If true, external-secrets will perform leader election between instances to ensure no more + # than one instance of external-secrets operates at a time. + leaderElect: true + + # -- If set external secrets will filter matching + # Secret Stores with the appropriate controller values. + controllerClass: "" + + # -- If true external secrets will use recommended kubernetes + # annotations as prometheus metric labels. + extendedMetricLabels: false + + # -- If set external secrets are only reconciled in the + # provided namespace + scopedNamespace: "" + + # -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace + # and implicitly disable cluster stores and cluster external secrets + scopedRBAC: false + + # -- if true, the operator will process cluster external secret. Else, it will ignore them. 
+ processClusterExternalSecret: true + + # -- if true, the operator will process cluster store. Else, it will ignore them. + processClusterStore: true + + # -- Specifies whether an external secret operator deployment be created. + createOperator: true + + # -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at + # a time. + concurrent: 1 + + serviceAccount: + # -- Specifies whether a service account should be created. + create: true + # -- Automounts the service account token in all containers of the pod + automount: true + # -- Annotations to add to the service account. + annotations: {} + # -- Extra Labels to add to the service account. + extraLabels: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" + + rbac: + # -- Specifies whether role and rolebinding resources should be created. + create: true + + ## -- Extra environment variables to add to container. + extraEnv: [] + + ## -- Map of extra arguments to pass to container. + extraArgs: {} + + ## -- Extra volumes to pass to pod. + extraVolumes: [] + + ## -- Extra volumes to mount to the container. + extraVolumeMounts: [] + + ## -- Extra containers to add to the pod. + extraContainers: [] + + # -- Annotations to add to Deployment + deploymentAnnotations: {} + + # -- Annotations to add to Pod + podAnnotations: {} + + podLabels: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + prometheus: + # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead. + enabled: false + service: + # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead. 
+ port: 8080 + + serviceMonitor: + # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics + enabled: false + + # -- namespace where you want to install ServiceMonitors + namespace: "" + + # -- Additional labels + additionalLabels: {} + + # -- Interval to scrape metrics + interval: 30s + + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + + # -- Let prometheus add an exported_ prefix to conflicting labels + honorLabels: false + + # -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) + metricRelabelings: [] + # - action: replace + # regex: (.*) + # replacement: $1 + # sourceLabels: + # - exported_namespace + # targetLabel: namespace + + # -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + + metrics: + service: + # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics + enabled: false + + # -- Metrics service port to scrape + port: 8080 + + # -- Additional service annotations + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # -- Pod priority class name. + priorityClassName: "" + + # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + podDisruptionBudget: + enabled: false + minAvailable: 1 + # maxUnavailable: 1 + + # -- Run the controller on the host network + hostNetwork: false + + webhook: + # -- Specifies whether a webhook deployment be created. 
+ create: true + # -- Specifices the time to check if the cert is valid + certCheckInterval: "5m" + # -- Specifices the lookaheadInterval for certificate validity + lookaheadInterval: "" + replicaCount: 1 + + # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) + revisionHistoryLimit: 10 + + certDir: /tmp/certs + # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore + failurePolicy: Fail + # -- Specifies if webhook pod should use hostNetwork or not. + hostNetwork: false + image: + repository: ghcr.io/external-secrets/external-secrets + pullPolicy: IfNotPresent + # -- The image tag to use. The default is the chart appVersion. + tag: "" + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + # -- The port the webhook will listen to + port: 10250 + rbac: + # -- Specifies whether role and rolebinding resources should be created. + create: true + serviceAccount: + # -- Specifies whether a service account should be created. + create: true + # -- Automounts the service account token in all containers of the pod + automount: true + # -- Annotations to add to the service account. + annotations: {} + # -- Extra Labels to add to the service account. + extraLabels: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # -- Pod priority class name. + priorityClassName: "" + + # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + podDisruptionBudget: + enabled: false + minAvailable: 1 + # maxUnavailable: 1 + prometheus: + # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead + enabled: false + service: + # -- deprecated. 
will be removed with 0.7.0, use serviceMonitor instead + port: 8080 + + serviceMonitor: + # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics + enabled: false + + # -- Additional labels + additionalLabels: {} + + # -- Interval to scrape metrics + interval: 30s + + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + + metrics: + service: + # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics + enabled: false + + # -- Metrics service port to scrape + port: 8080 + + # -- Additional service annotations + annotations: {} + + + readinessProbe: + # -- Address for readiness probe + address: "" + # -- ReadinessProbe port for kubelet + port: 8081 + + + ## -- Extra environment variables to add to container. + extraEnv: [] + + ## -- Map of extra arguments to pass to container. + extraArgs: {} + + ## -- Extra volumes to pass to pod. + extraVolumes: [] + + ## -- Extra volumes to mount to the container. + extraVolumeMounts: [] + + # -- Annotations to add to Secret + secretAnnotations: {} + + # -- Annotations to add to Deployment + deploymentAnnotations: {} + + # -- Annotations to add to Pod + podAnnotations: {} + + podLabels: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + certController: + # -- Specifies whether a certificate controller deployment be created. 
+ create: true + requeueInterval: "5m" + replicaCount: 1 + + # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) + revisionHistoryLimit: 10 + + image: + repository: ghcr.io/external-secrets/external-secrets + pullPolicy: Always + tag: "" + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + rbac: + # -- Specifies whether role and rolebinding resources should be created. + create: true + serviceAccount: + # -- Specifies whether a service account should be created. + create: true + # -- Automounts the service account token in all containers of the pod + automount: true + # -- Annotations to add to the service account. + annotations: {} + # -- Extra Labels to add to the service account. + extraLabels: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # -- Run the certController on the host network + hostNetwork: false + + # -- Pod priority class name. + priorityClassName: "" + + # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + podDisruptionBudget: + enabled: false + minAvailable: 1 + # maxUnavailable: 1 + + prometheus: + # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead + enabled: false + service: + # -- deprecated. 
will be removed with 0.7.0, use serviceMonitor instead + port: 8080 + + serviceMonitor: + # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics + enabled: false + + # -- Additional labels + additionalLabels: {} + + # -- Interval to scrape metrics + interval: 30s + + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + + metrics: + service: + # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics + enabled: false + + # -- Metrics service port to scrape + port: 8080 + + # -- Additional service annotations + annotations: {} + + ## -- Extra environment variables to add to container. + extraEnv: [] + + ## -- Map of extra arguments to pass to container. + extraArgs: {} + + + ## -- Extra volumes to pass to pod. + extraVolumes: [] + + ## -- Extra volumes to mount to the container. + extraVolumeMounts: [] + + # -- Annotations to add to Deployment + deploymentAnnotations: {} + + # -- Annotations to add to Pod + podAnnotations: {} + + podLabels: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + # -- Specifies `dnsOptions` to deployment + dnsConfig: {} diff --git a/master/gatekeeper/Chart.yaml b/master/gatekeeper/Chart.yaml new file mode 100644 index 0000000..ec42676 --- /dev/null +++ b/master/gatekeeper/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: gatekeeper +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: gatekeeper + repository: https://open-policy-agent.github.io/gatekeeper/charts + version: 3.17.1 diff --git a/master/gatekeeper/values.yaml b/master/gatekeeper/values.yaml new file mode 100644 index 0000000..0b0c6e7 --- /dev/null 
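Review bot: This values file appears to be a near-verbatim copy of the upstream chart defaults with a few overrides mixed in (`replicaCount: 3` and `image.pullPolicy: Always` look like the intentional changes — confirm); carrying every default means the pinned chart upgrade will not pick up changed upstream defaults, and the `deprecated. will be removed with 0.7.0` comments suggest the copy predates the chart version pinned in Chart.yaml. Trim the file to the keys actually overridden. All three `serviceMonitor.enabled` flags are `false` although a `kube-prometheus-stack` namespace exists in this cluster; enabling them surfaces ExternalSecret sync failures as metrics, which is a useful signal that a credential rotation did not land.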
+++ b/master/gatekeeper/values.yaml 
@@ -0,0 +1,278 @@ +#gatekeeper: +# replicas: 3 +# revisionHistoryLimit: 10 +# auditInterval: 60 +# metricsBackends: ["prometheus"] +# auditMatchKindOnly: false +# constraintViolationsLimit: 20 +# auditFromCache: false +# disableMutation: false +# disableValidatingWebhook: false +# validatingWebhookName: gatekeeper-validating-webhook-configuration +# validatingWebhookTimeoutSeconds: 3 +# validatingWebhookFailurePolicy: Ignore +# validatingWebhookAnnotations: {} +# validatingWebhookExemptNamespacesLabels: {} +# validatingWebhookObjectSelector: {} +# validatingWebhookCheckIgnoreFailurePolicy: Fail +# validatingWebhookCustomRules: {} +# validatingWebhookURL: null +# enableDeleteOperations: false +# enableExternalData: true +# enableGeneratorResourceExpansion: true +# enableTLSHealthcheck: false +# maxServingThreads: -1 +# mutatingWebhookName: gatekeeper-mutating-webhook-configuration +# mutatingWebhookFailurePolicy: Ignore +# mutatingWebhookReinvocationPolicy: Never +# mutatingWebhookAnnotations: {} +# mutatingWebhookExemptNamespacesLabels: {} +# mutatingWebhookObjectSelector: {} +# mutatingWebhookTimeoutSeconds: 1 +# mutatingWebhookCustomRules: {} +# mutatingWebhookURL: null +# mutationAnnotations: false +# auditChunkSize: 500 +# logLevel: INFO +# logDenies: false +# logMutations: false +# emitAdmissionEvents: false +# emitAuditEvents: false +# admissionEventsInvolvedNamespace: false +# auditEventsInvolvedNamespace: false +# resourceQuota: true +# externaldataProviderResponseCacheTTL: 3m +# image: +# repository: openpolicyagent/gatekeeper +# crdRepository: openpolicyagent/gatekeeper-crds +# release: v3.15.0-beta.0 +# pullPolicy: Always +# pullSecrets: [] +# preInstall: +# crdRepository: +# image: +# repository: null +# tag: v3.15.0-beta.0 +# postUpgrade: +# labelNamespace: +# enabled: false +# image: +# repository: openpolicyagent/gatekeeper-crds +# tag: v3.15.0-beta.0 +# pullPolicy: IfNotPresent +# pullSecrets: [] +# extraNamespaces: [] +# podSecurity: 
["pod-security.kubernetes.io/audit=restricted", +# "pod-security.kubernetes.io/audit-version=latest", +# "pod-security.kubernetes.io/warn=restricted", +# "pod-security.kubernetes.io/warn-version=latest", +# "pod-security.kubernetes.io/enforce=restricted", +# "pod-security.kubernetes.io/enforce-version=v1.24"] +# extraAnnotations: {} +# priorityClassName: "" +# affinity: {} +# tolerations: [] +# nodeSelector: {kubernetes.io/os: linux} +# resources: {} +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsGroup: 999 +# runAsNonRoot: true +# runAsUser: 1000 +# postInstall: +# labelNamespace: +# enabled: true +# extraRules: [] +# image: +# repository: openpolicyagent/gatekeeper-crds +# tag: v3.15.0-beta.0 +# pullPolicy: IfNotPresent +# pullSecrets: [] +# extraNamespaces: [] +# podSecurity: ["pod-security.kubernetes.io/audit=restricted", +# "pod-security.kubernetes.io/audit-version=latest", +# "pod-security.kubernetes.io/warn=restricted", +# "pod-security.kubernetes.io/warn-version=latest", +# "pod-security.kubernetes.io/enforce=restricted", +# "pod-security.kubernetes.io/enforce-version=v1.24"] +# extraAnnotations: {} +# priorityClassName: "" +# probeWebhook: +# enabled: true +# image: +# repository: curlimages/curl +# tag: 7.83.1 +# pullPolicy: IfNotPresent +# pullSecrets: [] +# waitTimeout: 60 +# httpTimeout: 2 +# insecureHTTPS: false +# priorityClassName: "" +# affinity: {} +# tolerations: [] +# nodeSelector: {kubernetes.io/os: linux} +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsGroup: 999 +# runAsNonRoot: true +# runAsUser: 1000 +# preUninstall: +# deleteWebhookConfigurations: +# extraRules: [] +# enabled: false +# image: +# repository: openpolicyagent/gatekeeper-crds +# tag: v3.15.0-beta.0 +# pullPolicy: IfNotPresent +# pullSecrets: [] +# priorityClassName: "" +# affinity: {} +# tolerations: [] +# 
nodeSelector: {kubernetes.io/os: linux} +# resources: {} +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsGroup: 999 +# runAsNonRoot: true +# runAsUser: 1000 +# podAnnotations: {} +# auditPodAnnotations: {} +# podLabels: {} +# podCountLimit: "100" +# secretAnnotations: {} +# enableRuntimeDefaultSeccompProfile: true +# controllerManager: +# exemptNamespaces: [] +# exemptNamespacePrefixes: [] +# hostNetwork: false +# dnsPolicy: ClusterFirst +# port: 8443 +# metricsPort: 8888 +# healthPort: 9090 +# readinessTimeout: 1 +# livenessTimeout: 1 +# priorityClassName: system-cluster-critical +# disableCertRotation: false +# tlsMinVersion: 1.3 +# clientCertName: "" +# strategyType: RollingUpdate +# affinity: +# podAntiAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# - podAffinityTerm: +# labelSelector: +# matchExpressions: +# - key: gatekeeper.sh/operation +# operator: In +# values: +# - webhook +# topologyKey: kubernetes.io/hostname +# weight: 100 +# topologySpreadConstraints: [] +# tolerations: [] +# nodeSelector: {kubernetes.io/os: linux} +# resources: +# limits: +# memory: 512Mi +# requests: +# cpu: 100m +# memory: 512Mi +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsGroup: 999 +# runAsNonRoot: true +# runAsUser: 1000 +# podSecurityContext: +# fsGroup: 999 +# supplementalGroups: +# - 999 +# extraRules: [] +# networkPolicy: +# enabled: false +# ingress: { } +# # - from: +# # - ipBlock: +# # cidr: 0.0.0.0/0 +# audit: +# enablePubsub: false +# connection: audit-connection +# channel: audit-channel +# hostNetwork: false +# dnsPolicy: ClusterFirst +# metricsPort: 8888 +# healthPort: 9090 +# readinessTimeout: 1 +# livenessTimeout: 1 +# priorityClassName: system-cluster-critical +# disableCertRotation: false +# affinity: {} +# tolerations: [] +# nodeSelector: {kubernetes.io/os: linux} +# resources: +# 
limits: +# memory: 512Mi +# requests: +# cpu: 100m +# memory: 512Mi +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsGroup: 999 +# runAsNonRoot: true +# runAsUser: 1000 +# podSecurityContext: +# fsGroup: 999 +# supplementalGroups: +# - 999 +# writeToRAMDisk: false +# extraRules: [] +# crds: +# affinity: {} +# tolerations: [] +# nodeSelector: {kubernetes.io/os: linux} +# resources: {} +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsGroup: 65532 +# runAsNonRoot: true +# runAsUser: 65532 +# pdb: +# controllerManager: +# minAvailable: 1 +# service: {} +# disabledBuiltins: ["{http.send}"] +# psp: +# enabled: true +# upgradeCRDs: +# enabled: true +# extraRules: [] +# priorityClassName: "" +# rbac: +# create: true +# externalCertInjection: +# enabled: false +# secretName: gatekeeper-webhook-server-cert +# \ No newline at end of file diff --git a/master/gitlab-runner/Chart.yaml b/master/gitlab-runner/Chart.yaml new file mode 100644 index 0000000..f64e829 --- /dev/null +++ b/master/gitlab-runner/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: gitlab-runner +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: gitlab-runner + repository: https://charts.gitlab.io/ + version: 0.69.0 diff --git a/master/gitlab-runner/Dockerfile b/master/gitlab-runner/Dockerfile new file mode 100644 index 0000000..498fcc3 --- /dev/null +++ b/master/gitlab-runner/Dockerfile @@ -0,0 +1,4 @@ +FROM ubuntu:latest +LABEL authors="user" + +ENTRYPOINT ["top", "-b"] \ No newline at end of file diff --git a/master/gitlab-runner/templates/secrets.yaml b/master/gitlab-runner/templates/secrets.yaml new file mode 100644 index 0000000..784ef11 --- /dev/null +++ b/master/gitlab-runner/templates/secrets.yaml 
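Review bot: Every one of the 278 added lines in master/gatekeeper/values.yaml is commented out, so the Gatekeeper dependency pinned at 3.17.1 in Chart.yaml is deployed with the upstream chart defaults and nothing in this file takes effect. The commented block itself shows what that leaves in place, notably `validatingWebhookFailurePolicy: Ignore` and `mutatingWebhookFailurePolicy: Ignore`, which make the admission webhook fail open whenever the controller is unavailable. If the goal is enforcement, uncomment a minimal block such as `gatekeeper:` / `  validatingWebhookFailurePolicy: Fail` / `  emitAdmissionEvents: true` (with `exemptNamespaces` covering kube-system so a dead webhook cannot wedge the cluster) rather than carrying the full default dump. The image tags in the commented text (`v3.15.0-beta.0`) predate the 3.17.1 chart, so this appears to be pasted from an older release's values and should not be read as the current default list.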
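Review bot: The new master/gitlab-runner/Dockerfile builds `FROM ubuntu:latest` with `ENTRYPOINT ["top", "-b"]`, an unpinned mutable base tag and an image that does nothing runner-related; nothing in the chart or values references it, so it looks like an IDE-generated stub. If it is meant to become the job image referenced as `image = "ubuntu:22.04"` in values.yaml, pin the base to a specific tag (ideally with a digest) and drop the `top` entrypoint; otherwise remove the file so an unreviewed image definition does not sit next to the runner chart.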
@@ -0,0 +1,19 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: gitlab-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: gitlab-secret + data: + - secretKey: runner-registration-token + remoteRef: + key: secrets/gitlab/runner + property: runner-registration-token + - secretKey: runner-token + remoteRef: + key: secrets/gitlab/runner + property: runner-token diff --git a/master/gitlab-runner/values.yaml b/master/gitlab-runner/values.yaml new file mode 100644 index 0000000..0cc62b8 --- /dev/null +++ b/master/gitlab-runner/values.yaml @@ -0,0 +1,71 @@ +gitlab-runner: + + image: + registry: registry.internal.durp.info + image: gitlab-org/gitlab-runner + + imagePullPolicy: Always + gitlabUrl: https://gitlab.com/ + unregisterRunner: true + terminationGracePeriodSeconds: 3600 + concurrent: 10 + checkInterval: 30 + + rbac: + create: true + rules: [] + clusterWideAccess: false + podSecurityPolicy: + enabled: false + resourceNames: + - gitlab-runner + + metrics: + enabled: true + serviceMonitor: + enabled: true + service: + enabled: true + annotations: {} + + runners: + config: | + [[runners]] + [runners.kubernetes] + namespace = "{{.Release.Namespace}}" + image = "ubuntu:22.04" + privileged = true + + executor: kubernetes + name: "k3s" + runUntagged: true + privileged: true + secret: gitlab-secret + #builds: + #cpuLimit: 200m + #cpuLimitOverwriteMaxAllowed: 400m + #memoryLimit: 256Mi + #memoryLimitOverwriteMaxAllowed: 512Mi + #cpuRequests: 100m + #cpuRequestsOverwriteMaxAllowed: 200m + #memoryRequests: 128Mi + #memoryRequestsOverwriteMaxAllowed: 256Mi + + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: true + privileged: false + capabilities: + drop: ["ALL"] + + podSecurityContext: + runAsUser: 100 + fsGroup: 65533 + + resources: + limits: + memory: 2Gi + requests: + memory: 128Mi + cpu: 500m \ No newline at end of file 
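Review bot: The runner is configured to run every CI job privileged — `privileged = true` in the `runners.config` TOML and `privileged: true` under `runners:` — while `runUntagged: true` lets any job in the registered scope land on it, so anyone who can push a `.gitlab-ci.yml` to a project this runner serves gets a root-equivalent container on the k3s node. The `securityContext` block further down hardens only the runner manager pod, not the job pods the kubernetes executor spawns, so it does not mitigate this. If privileged mode is only needed for image builds, prefer a rootless builder (kaniko/buildah) and set `privileged = false`, or at least constrain it with `allowed_images` under `[runners.kubernetes]` and runner tags instead of `runUntagged`. The runner image `registry.internal.durp.info/gitlab-org/gitlab-runner` has no tag and uses `imagePullPolicy: Always`, so whatever is behind that registry at deploy time is what runs; pin a tag that matches chart 0.69.0. The commented `#builds:` limits also leave job pods with no CPU/memory bounds.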
diff --git a/master/heimdall/Chart.yaml b/master/heimdall/Chart.yaml new file mode 100644 index 0000000..39dbf54 --- /dev/null +++ b/master/heimdall/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: heimdall +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: heimdall + repository: https://djjudas21.github.io/charts/ + version: 8.5.4 diff --git a/master/heimdall/templates/ingress.yaml b/master/heimdall/templates/ingress.yaml new file mode 100644 index 0000000..98b6144 --- /dev/null +++ b/master/heimdall/templates/ingress.yaml @@ -0,0 +1,52 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + annotations: + name: heimdall-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`heimdall.durp.info`) && PathPrefix(`/`) + middlewares: + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: heimdall + port: 80 + - match: Host(`heimdall.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) + kind: Rule + services: + - name: ak-outpost-authentik-embedded-outpost + namespace: authentik + port: 9000 + tls: + secretName: heimdall-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: heimdall-tls +spec: + secretName: heimdall-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "heimdall.durp.info" + dnsNames: + - "heimdall.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: heimdall-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: heimdall.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/master/heimdall/values.yaml b/master/heimdall/values.yaml new file mode 100644 index 0000000..e93ca43 --- /dev/null +++ b/master/heimdall/values.yaml 
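Review bot: The IngressRoute in master/heimdall/templates/ingress.yaml uses `apiVersion: traefik.containo.us/v1alpha1`, while the (commented) internalproxy argocd template in the same commit uses `traefik.io/v1alpha1`; the containo.us group is the legacy one and is removed in Traefik v3, so settle on `traefik.io/v1alpha1` everywhere now to avoid a silent break on upgrade. The second route forwards `/outpost.goauthentik.io` to `ak-outpost-authentik-embedded-outpost` in the `authentik` namespace without the forward-auth middleware, which is the documented authentik pattern, but a cross-namespace service reference only works if the Traefik provider runs with `allowCrossNamespace` enabled — worth confirming in the traefik chart values, since otherwise the route is dropped and the login callback fails. The `authentik-proxy-provider` middleware is the only gate on `heimdall.durp.info`, which is published through the `heimdall-external-dns` ExternalName service, so anyone on the internet reaches the authentik login page; that is fine if intended, but add the `whitelist` middleware used elsewhere if Heimdall is meant to be home-only.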
@@ -0,0 +1,28 @@ +heimdall: + + image: + registry: + repository: registry.internal.durp.info/linuxserver/heimdall + pullPolicy: Always + + env: + TZ: UTC + PUID: "1000" + PGID: "1000" + + service: + main: + annotations: + external-dns.alpha.kubernetes.io/hostname: heimdall.durp.info + external-dns.alpha.kubernetes.io/target: home.durp.info + ports: + http: + port: 80 + + ingress: + main: + enabled: false + + persistence: + config: + enabled: true diff --git a/master/internalproxy/Chart.yaml b/master/internalproxy/Chart.yaml new file mode 100644 index 0000000..71c9b0d --- /dev/null +++ b/master/internalproxy/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: internalproxy +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "0.1.0" diff --git a/master/internalproxy/templates/argocd.yaml b/master/internalproxy/templates/argocd.yaml new file mode 100644 index 0000000..9a82e9e --- /dev/null +++ b/master/internalproxy/templates/argocd.yaml @@ -0,0 +1,46 @@ +#apiVersion: traefik.io/v1alpha1 +#kind: IngressRoute +#metadata: +# name: argocd-ingress +# annotations: +# cert-manager.io/cluster-issuer: letsencrypt-production +#spec: +# entryPoints: +# - websecure +# routes: +# - match: Host(`argocd.internal.durp.info`) +# middlewares: +# - name: whitelist +# namespace: traefik +# kind: Rule +# services: +# - name: argocd-server +# port: 443 +# scheme: https +# tls: +# secretName: argocd-tls +# +#--- +# +#kind: Service +#apiVersion: v1 +#metadata: +# name: argocd-server +#spec: +# type: ExternalName +# externalName: argocd-server.argocd.svc.cluster.local +# +#--- +# +#apiVersion: cert-manager.io/v1 +#kind: Certificate +#metadata: +# name: argocd-tls +#spec: +# secretName: argocd-tls +# issuerRef: +# name: letsencrypt-production +# kind: ClusterIssuer +# commonName: "argocd.internal.durp.info" +# dnsNames: +# - "argocd.internal.durp.info" \ No newline at end of file 
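Review bot: master/heimdall/values.yaml annotates `service.main` with `external-dns.alpha.kubernetes.io/hostname: heimdall.durp.info` and `target: home.durp.info`, while templates/ingress.yaml in the same commit creates the ExternalName service `heimdall-external-dns` for the same hostname pointing at `durp.info`; external-dns now sees two sources claiming `heimdall.durp.info` with different targets, which typically ends with one record flapping or the second source being rejected as a conflict. Keep a single source — drop the two annotations from `service.main` (the ExternalName service already covers the record) or delete the ExternalName and keep the annotation, but not both. `image.repository: registry.internal.durp.info/linuxserver/heimdall` has no tag and `pullPolicy: Always`, so the deployment follows whatever the internal registry serves for the default tag; pin a tag. The bare `registry:` key parses as null rather than an empty string — confirm the chart tolerates that, or write `registry: ""`.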
diff --git a/master/internalproxy/templates/blueiris.yaml b/master/internalproxy/templates/blueiris.yaml new file mode 100644 index 0000000..5f120c9 --- /dev/null +++ b/master/internalproxy/templates/blueiris.yaml @@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: blueiris +spec: + ports: + - name: app + port: 81 + protocol: TCP + targetPort: 81 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: blueiris +subsets: + - addresses: + - ip: 192.168.99.2 + ports: + - name: app + port: 81 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: blueiris-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`blueiris.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: blueiris + port: 81 + scheme: http + tls: + secretName: blueiris-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: blueiris-tls +spec: + secretName: blueiris-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "blueiris.internal.durp.info" + dnsNames: + - "blueiris.internal.durp.info" diff --git a/master/internalproxy/templates/duplicati-ingress.yaml b/master/internalproxy/templates/duplicati-ingress.yaml new file mode 100644 index 0000000..d51c391 --- /dev/null +++ b/master/internalproxy/templates/duplicati-ingress.yaml 
@@ -0,0 +1,70 @@ +apiVersion: v1 +kind: Service +metadata: + name: duplicati +spec: + ports: + - name: app + port: 8200 + protocol: TCP + targetPort: 8200 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: duplicati +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 8200 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: duplicati-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: duplicati + port: 8200 + - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) + kind: Rule + services: + - name: ak-outpost-authentik-embedded-outpost + namespace: authentik + port: 9000 + tls: + secretName: duplicati-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: duplicati-tls +spec: + secretName: duplicati-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "duplicati.internal.durp.info" + dnsNames: + - "duplicati.internal.durp.info" \ No newline at end of file diff --git a/master/internalproxy/templates/gitea.yaml b/master/internalproxy/templates/gitea.yaml new file mode 100644 index 0000000..ec29631 --- /dev/null +++ b/master/internalproxy/templates/gitea.yaml 
@@ -0,0 +1,72 @@ +apiVersion: v1 +kind: Service +metadata: + name: gitea +spec: + ports: + - name: app + port: 3000 + protocol: TCP + targetPort: 3000 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: gitea +subsets: + - addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 3000 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: gitea-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`gitea.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: gitea + port: 3000 + scheme: http + tls: + secretName: gitea-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: gitea-tls +spec: + secretName: gitea-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "gitea.durp.info" + dnsNames: + - "gitea.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: gitea-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: gitea.durp.info +spec: + type: ExternalName + externalName: durp.info \ No newline at end of file diff --git a/master/internalproxy/templates/jellyfin.yaml b/master/internalproxy/templates/jellyfin.yaml new file mode 100644 index 0000000..1b919bf --- /dev/null +++ b/master/internalproxy/templates/jellyfin.yaml 
@@ -0,0 +1,72 @@ +apiVersion: v1 +kind: Service +metadata: + name: jellyfin +spec: + ports: + - name: app + port: 8096 + protocol: TCP + targetPort: 8096 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: jellyfin +subsets: + - addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 8096 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: jellyfin-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`jellyfin.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: jellyfin + port: 8096 + scheme: http + tls: + secretName: jellyfin-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: jellyfin-tls +spec: + secretName: jellyfin-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "jellyfin.durp.info" + dnsNames: + - "jellyfin.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: jellyfin-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: jellyfin.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/master/internalproxy/templates/kasm.yaml b/master/internalproxy/templates/kasm.yaml new file mode 100644 index 0000000..7f756e0 --- /dev/null +++ b/master/internalproxy/templates/kasm.yaml 
@@ -0,0 +1,72 @@ +apiVersion: v1 +kind: Service +metadata: + name: kasm +spec: + ports: + - name: app + port: 443 + protocol: TCP + targetPort: 443 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: kasm +subsets: + - addresses: + - ip: 192.168.20.104 + ports: + - name: app + port: 443 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: kasm-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`kasm.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: kasm + port: 443 + scheme: https + tls: + secretName: kasm-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: kasm-tls +spec: + secretName: kasm-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "kasm.durp.info" + dnsNames: + - "kasm.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: kasm-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: kasm.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/master/internalproxy/templates/minio.yaml b/master/internalproxy/templates/minio.yaml new file mode 100644 index 0000000..aa191b6 --- /dev/null +++ b/master/internalproxy/templates/minio.yaml 
@@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: minio +spec: + ports: + - name: app + port: 9769 + protocol: TCP + targetPort: 9769 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: minio +subsets: + - addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 9769 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: minio-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`minio.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: minio + port: 9769 + scheme: http + tls: + secretName: minio-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: minio-tls +spec: + secretName: minio-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "minio.internal.durp.info" + dnsNames: + - "minio.internal.durp.info" diff --git a/master/internalproxy/templates/nexus.yaml b/master/internalproxy/templates/nexus.yaml new file mode 100644 index 0000000..7074102 --- /dev/null +++ b/master/internalproxy/templates/nexus.yaml 
@@ -0,0 +1,71 @@ +apiVersion: v1 +kind: Service +metadata: + name: nexus +spec: + ports: + - name: app + port: 8081 + protocol: TCP + targetPort: 8081 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: nexus +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 8081 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: nexus-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`nexus.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: nexus + port: 8081 + tls: + secretName: nexus-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: nexus-tls +spec: + secretName: nexus-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "nexus.durp.info" + dnsNames: + - "nexus.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: nexus-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: nexus.durp.info +spec: + type: ExternalName + externalName: durp.info \ No newline at end of file diff --git a/master/internalproxy/templates/octopus.yaml b/master/internalproxy/templates/octopus.yaml new file mode 100644 index 0000000..e0e5d78 --- /dev/null +++ b/master/internalproxy/templates/octopus.yaml 
@@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: octopus +spec: + ports: + - name: app + port: 443 + protocol: TCP + targetPort: 443 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: octopus +subsets: + - addresses: + - ip: 192.168.20.105 + ports: + - name: app + port: 443 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: octopus-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`octopus.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: octopus + port: 443 + scheme: https + tls: + secretName: octopus-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: octopus-tls +spec: + secretName: octopus-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "octopus.internal.durp.info" + dnsNames: + - "octopus.internal.durp.info" diff --git a/master/internalproxy/templates/ollama.yaml b/master/internalproxy/templates/ollama.yaml new file mode 100644 index 0000000..75e8691 --- /dev/null +++ b/master/internalproxy/templates/ollama.yaml 
@@ -0,0 +1,102 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: ollama-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: ollama-secret + data: + - secretKey: users + remoteRef: + key: secrets/internalproxy/ollama + property: users + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: ollama-basic-auth +spec: + basicAuth: + headerField: x-api-key + secret: ollama-secret + +--- + +apiVersion: v1 +kind: Service +metadata: + name: ollama +spec: + ports: + - name: app + port: 11435 + protocol: TCP + targetPort: 11435 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: ollama +subsets: + - addresses: + - ip: 192.168.20.104 + ports: + - name: app + port: 11435 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: ollama-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`ollama.durp.info`) && PathPrefix(`/`) + middlewares: + - name: ollama-basic-auth + kind: Rule + services: + - name: ollama + port: 11435 + tls: + secretName: ollama-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ollama-tls +spec: + secretName: ollama-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "ollama.durp.info" + dnsNames: + - "ollama.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: ollama-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: ollama.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/master/internalproxy/templates/pfsense.yaml b/master/internalproxy/templates/pfsense.yaml new file mode 100644 index 0000000..45d45e8 --- /dev/null +++ b/master/internalproxy/templates/pfsense.yaml 
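Review bot: The `ollama-basic-auth` Middleware sets `headerField: x-api-key`, but in Traefik's BasicAuth middleware `headerField` names the header into which the authenticated username is written for the backend — credentials are still only accepted from the standard `Authorization: Basic` header. If the intent was to let clients present an API key in `x-api-key`, that is not what this configures; clients must send HTTP basic credentials, and Ollama additionally receives the username in `x-api-key`. Remove `headerField` unless the backend consumes it, and add `removeHeader: true` so the raw credentials are not forwarded over plain HTTP to 192.168.20.104:11435 (no `scheme: https` is set on the service). Note also that `ollama.durp.info` is published via external-dns with no `whitelist` middleware, so this credential is the only thing between the internet and the model endpoint; the htpasswd entries in the `users` key should be bcrypt hashes, and the route probably deserves the same authentik forward-auth the other apps get.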
@@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: pfsense +spec: + ports: + - name: app + port: 10443 + protocol: TCP + targetPort: 10443 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: pfsense +subsets: + - addresses: + - ip: 192.168.20.1 + ports: + - name: app + port: 10443 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: pfsense-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`pfsense.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: pfsense + port: 10443 + scheme: https + tls: + secretName: pfsense-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: pfsense-tls +spec: + secretName: pfsense-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "pfsense.internal.durp.info" + dnsNames: + - "pfsense.internal.durp.info" diff --git a/master/internalproxy/templates/plex.yaml b/master/internalproxy/templates/plex.yaml new file mode 100644 index 0000000..81f6426 --- /dev/null +++ b/master/internalproxy/templates/plex.yaml 
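Review bot: This route publishes the pfSense firewall's web UI (`192.168.20.1:10443`) through the `websecure` entrypoint on `pfsense.internal.durp.info`, gated only by the `whitelist` middleware in the `traefik` namespace — the same pattern used for proxmox, portainer, octopus, blueiris, minio and s3 in this commit. If that entrypoint is reachable from the internet (the `*.durp.info` routes in this commit suggest it is), an IP allowlist is a single control that depends on Traefik seeing the true client address, and the Let's Encrypt certificate puts the hostname in public CT logs, so the endpoint will be found. For management planes like the firewall and hypervisor, either do not expose them through the proxy at all (reach them over VPN), or at minimum chain the authentik forward-auth the duplicati route already uses: add `- name: authentik-proxy-provider` / `  namespace: traefik` under `middlewares` plus the matching `/outpost.goauthentik.io` route. The `scheme: https` upstream also requires Traefik to trust pfSense's certificate; if that is self-signed, a per-service `ServersTransport` is the fix, not a global `insecureSkipVerify`.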
@@ -0,0 +1,72 @@ +apiVersion: v1 +kind: Service +metadata: + name: plex +spec: + ports: + - name: app + port: 32400 + protocol: TCP + targetPort: 32400 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: plex +subsets: + - addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 32400 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: plex-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`plex.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: plex + port: 32400 + scheme: https + tls: + secretName: plex-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: plex-tls +spec: + secretName: plex-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "plex.durp.info" + dnsNames: + - "plex.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: plex-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: plex.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/master/internalproxy/templates/portainer.yaml b/master/internalproxy/templates/portainer.yaml new file mode 100644 index 0000000..5c22061 --- /dev/null +++ b/master/internalproxy/templates/portainer.yaml 
@@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: portainer +spec: + ports: + - name: app + port: 9443 + protocol: TCP + targetPort: 9443 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: portainer +subsets: + - addresses: + - ip: 192.168.20.104 + ports: + - name: app + port: 9443 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: portainer-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`portainer.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: portainer + port: 9443 + scheme: https + tls: + secretName: portainer-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: portainer-tls +spec: + secretName: portainer-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "portainer.internal.durp.info" + dnsNames: + - "portainer.internal.durp.info" diff --git a/master/internalproxy/templates/proxmox.yaml b/master/internalproxy/templates/proxmox.yaml new file mode 100644 index 0000000..fd0343a --- /dev/null +++ b/master/internalproxy/templates/proxmox.yaml 
@@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: proxmox +spec: + ports: + - name: app + port: 8006 + protocol: TCP + targetPort: 8006 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: proxmox +subsets: + - addresses: + - ip: 192.168.21.252 + ports: + - name: app + port: 8006 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: proxmox-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`proxmox.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: proxmox + port: 8006 + scheme: https + tls: + secretName: proxmox-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: proxmox-tls +spec: + secretName: proxmox-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "proxmox.internal.durp.info" + dnsNames: + - "proxmox.internal.durp.info" diff --git a/master/internalproxy/templates/registry-internal.yaml b/master/internalproxy/templates/registry-internal.yaml new file mode 100644 index 0000000..27561fe --- /dev/null +++ b/master/internalproxy/templates/registry-internal.yaml 
@@ -0,0 +1,59 @@ +apiVersion: v1 +kind: Service +metadata: + name: registry-internal +spec: + ports: + - name: app + port: 5000 + protocol: TCP + targetPort: 5000 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: registry-internal +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 5000 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: registry-internal-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`registry.internal.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: registry-internal + port: 5000 + tls: + secretName: registry-internal-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: registry-internal-tls +spec: + secretName: registry-internal-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "registry.internal.durp.info" + dnsNames: + - "registry.internal.durp.info" diff --git a/master/internalproxy/templates/registry.yaml b/master/internalproxy/templates/registry.yaml new file mode 100644 index 0000000..b4ac19a --- /dev/null +++ b/master/internalproxy/templates/registry.yaml 
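Review bot: `registry-internal-ingress` is the only `*.internal.durp.info` route in this commit with no `middlewares` at all — blueiris, minio, pfsense, portainer, proxmox, octopus and s3 all attach `whitelist` — so `registry.internal.durp.info` is reachable by anyone who can hit the `websecure` entrypoint and resolve the name. This matters because the gitlab-runner and heimdall charts in this same commit pull their images from `registry.internal.durp.info` with `pullPolicy: Always` and no tag pinning, so whoever can push to this registry controls what the cluster runs. Unless the registry at 192.168.20.253:5000 enforces its own authentication (not visible here), add `middlewares:` / `  - name: whitelist` / `    namespace: traefik` to the route as the siblings do, and put token or basic auth in front of push.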
@@ -0,0 +1,71 @@ +apiVersion: v1 +kind: Service +metadata: + name: registry +spec: + ports: + - name: app + port: 5000 + protocol: TCP + targetPort: 5000 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: registry +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 5000 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: registry-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`registry.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: registry + port: 5000 + tls: + secretName: registry-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: registry-tls +spec: + secretName: registry-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "registry.durp.info" + dnsNames: + - "registry.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: registry-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: registry.durp.info +spec: + type: ExternalName + externalName: durp.info \ No newline at end of file diff --git a/master/internalproxy/templates/s3.yaml b/master/internalproxy/templates/s3.yaml new file mode 100644 index 0000000..cd52fb6 --- /dev/null +++ b/master/internalproxy/templates/s3.yaml 
@@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: s3 +spec: + ports: + - name: app + port: 9768 + protocol: TCP + targetPort: 9768 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: s3 +subsets: + - addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 9768 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: s3-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`s3.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: s3 + port: 9768 + scheme: http + tls: + secretName: s3-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: s3-tls +spec: + secretName: s3-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "s3.internal.durp.info" + dnsNames: + - "s3.internal.durp.info" diff --git a/master/internalproxy/templates/semaphore.yaml b/master/internalproxy/templates/semaphore.yaml new file mode 100644 index 0000000..ffd81dc --- /dev/null +++ b/master/internalproxy/templates/semaphore.yaml 
@@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: semaphore +spec: + ports: + - name: app + port: 3001 + protocol: TCP + targetPort: 3001 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: semaphore +subsets: + - addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 3001 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: semaphore-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`semaphore.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: semaphore + port: 3001 + scheme: http + tls: + secretName: semaphore-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: semaphore-tls +spec: + secretName: semaphore-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "semaphore.internal.durp.info" + dnsNames: + - "semaphore.internal.durp.info" diff --git a/master/internalproxy/templates/smokeping.yaml b/master/internalproxy/templates/smokeping.yaml new file mode 100644 index 0000000..8a76738 --- /dev/null +++ b/master/internalproxy/templates/smokeping.yaml 
@@ -0,0 +1,82 @@ +apiVersion: v1 +kind: Service +metadata: + name: smokeping +spec: + ports: + - name: app + port: 81 + protocol: TCP + targetPort: 81 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: smokeping +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 81 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: smokeping-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`smokeping.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: smokeping + port: 81 + - match: Host(`smokeping.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) + kind: Rule + services: + - name: ak-outpost-authentik-embedded-outpost + namespace: authentik + port: 9000 + tls: + secretName: smokeping-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: smokeping-tls +spec: + secretName: smokeping-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "smokeping.durp.info" + dnsNames: + - "smokeping.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: smokeping-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: smokeping.durp.info +spec: + type: ExternalName + externalName: durp.info \ No newline at end of file diff --git a/master/internalproxy/templates/speedtest.yaml b/master/internalproxy/templates/speedtest.yaml new file mode 100644 index 0000000..e034917 --- /dev/null +++ b/master/internalproxy/templates/speedtest.yaml 
@@ -0,0 +1,74 @@ +apiVersion: v1 +kind: Service +metadata: + name: speedtest +spec: + ports: + - name: app + port: 6580 + protocol: TCP + targetPort: 6580 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: speedtest +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 6580 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: speedtest-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`speedtest.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: authentik-proxy-provider + namespace: traefik + services: + - name: speedtest + port: 6580 + tls: + secretName: speedtest-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: speedtest-tls +spec: + secretName: speedtest-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "speedtest.durp.info" + dnsNames: + - "speedtest.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: speedtest-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info +spec: + type: ExternalName + externalName: durp.info \ No newline at end of file diff --git a/master/internalproxy/templates/tdarr.yaml b/master/internalproxy/templates/tdarr.yaml new file mode 100644 index 0000000..c4403b9 --- /dev/null +++ b/master/internalproxy/templates/tdarr.yaml 
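Review bot: The speedtest IngressRoute applies the `authentik-proxy-provider` middleware but defines no second route sending the `/outpost.goauthentik.io` path prefix to `ak-outpost-authentik-embedded-outpost`, which smokeping.yaml (L78) and longhorn/templates/ingress.yaml (L95) do for the same middleware. In forward-auth mode the outpost's callback path on this host has to reach the outpost, so the login redirect here may fail or loop unless that path is served by a route not in this commit. The same omission appears in tdarr.yaml (L80), the alertmanager route in kube-prometheus-stack/templates/ingress.yaml (L86) and kubeclarity/templates/ingress.yaml (L89); the route to add to speedtest.yaml is below.

```yaml
  routes:
    # … unchanged: existing speedtest route …
    - match: Host(`speedtest.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
      kind: Rule
      services:
        - name: ak-outpost-authentik-embedded-outpost
          namespace: authentik
          port: 9000
```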
@@ -0,0 +1,67 @@ +apiVersion: v1 +kind: Service +metadata: + name: tdarr +spec: + ports: + - name: app + port: 8267 + protocol: TCP + targetPort: 8267 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: tdarr +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 8267 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: tdarr-ingress + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production +spec: + entryPoints: + - websecure + routes: + - match: Host(`tdarr.internal.durp.info`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: tdarr + port: 8267 + scheme: http + tls: + secretName: tdarr-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: tdarr-tls +spec: + secretName: tdarr-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "tdarr.internal.durp.info" + dnsNames: + - "tdarr.internal.durp.info" diff --git a/master/internalproxy/templates/unraid.yaml b/master/internalproxy/templates/unraid.yaml new file mode 100644 index 0000000..9c62edc --- /dev/null +++ b/master/internalproxy/templates/unraid.yaml 
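Review bot: The `cert-manager.io/cluster-issuer: letsencrypt-production` annotation on the tdarr IngressRoute is inert: cert-manager's ingress-shim acts on Ingress objects, not on Traefik IngressRoute CRDs, and the explicit `tdarr-tls` Certificate further down is what actually provisions the secret. Drop the `annotations:` block (two lines) so a reader does not conclude the annotation is what issues the certificate; none of the sibling templates carry it.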
@@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: unraid +spec: + ports: + - name: app + port: 443 + protocol: TCP + targetPort: 443 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: unraid +subsets: + - addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 443 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: unraid-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`unraid.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: unraid + port: 443 + scheme: https + tls: + secretName: unraid-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: unraid-tls +spec: + secretName: unraid-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "unraid.internal.durp.info" + dnsNames: + - "unraid.internal.durp.info" diff --git a/master/internalproxy/templates/wazuh.yaml b/master/internalproxy/templates/wazuh.yaml new file mode 100644 index 0000000..5a5d853 --- /dev/null +++ b/master/internalproxy/templates/wazuh.yaml 
@@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: wazuh +spec: + ports: + - name: app + port: 443 + protocol: TCP + targetPort: 443 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: wazuh +subsets: + - addresses: + - ip: 192.168.20.102 + ports: + - name: app + port: 443 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: wazuh-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`wazuh.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: wazuh + port: 443 + scheme: https + tls: + secretName: wazuh-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wazuh-tls +spec: + secretName: wazuh-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "wazuh.internal.durp.info" + dnsNames: + - "wazuh.internal.durp.info" diff --git a/master/krakend/Chart.yaml b/master/krakend/Chart.yaml new file mode 100644 index 0000000..d998c9f --- /dev/null +++ b/master/krakend/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: krakend +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" \ No newline at end of file diff --git a/master/krakend/templates/deployments.yaml b/master/krakend/templates/deployments.yaml new file mode 100644 index 0000000..ce50302 --- /dev/null +++ b/master/krakend/templates/deployments.yaml 
@@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: krakend + name: krakend + labels: + app: krakend +spec: + selector: + matchLabels: + app: krakend + replicas: 1 + template: + metadata: + labels: + app: krakend + spec: + volumes: + - name: krakend-secret + secret: + secretName: krakend-secret + containers: + - name: krakend + image: registry.internal.durp.info/devopsfaith/krakend:2.4.3 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /__health + port: 8080 + readinessProbe: + httpGet: + path: /__health + port: 8080 + ports: + - name: http + containerPort: 8080 + volumeMounts: + - name: krakend-secret + mountPath: /etc/krakend \ No newline at end of file diff --git a/master/krakend/templates/ingress.yaml b/master/krakend/templates/ingress.yaml new file mode 100644 index 0000000..a8c08eb --- /dev/null +++ b/master/krakend/templates/ingress.yaml @@ -0,0 +1,56 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: api-tls +spec: + secretName: api-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "api.durp.info" + dnsNames: + - "api.durp.info" + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: krakend-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`api.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: krakend-service + port: 8080 + scheme: http + tls: + secretName: api-tls + +--- + +kind: Service +apiVersion: v1 +metadata: + name: api-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: api.durp.info +spec: + type: ExternalName + externalName: durp.info + +--- + +kind: Service +apiVersion: v1 +metadata: + name: api-developer-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: developer.durp.info + external-dns.alpha.kubernetes.io/cloudflare-proxied: "false" +spec: + type: ExternalName + externalName: developerdurp.github.io 
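Review bot: The krakend container in deployments.yaml has no `securityContext` and no `resources`, whereas the kubeclarity values in this same commit (L92) set non-root contexts and limits for their pods; since krakend-ingress exposes this gateway publicly as api.durp.info, it is the container where a hardened context matters most. The block below hardens it and bounds its memory; the upstream krakend image runs as a non-root user as far as I know, but confirm that before relying on `runAsNonRoot`, and check that `readOnlyRootFilesystem` does not break anything beyond the config read from `/etc/krakend`. Request/limit figures are constructed starting values to be tuned against observed usage.

```yaml
      containers:
      - name: krakend
        # … unchanged: image, probes, ports, volumeMounts …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        resources:  # constructed starting values; tune to observed usage
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            memory: 512Mi
```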
diff --git a/master/krakend/templates/secrets.yaml b/master/krakend/templates/secrets.yaml
new file mode 100644
index 0000000..2eb1a9d
--- /dev/null
+++ b/master/krakend/templates/secrets.yaml
@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: krakend-secret
+spec:
+ secretStoreRef:
+ name: vault
+ kind: ClusterSecretStore
+ target:
+ name: krakend-secret
+ data:
+ - secretKey: krakend.json
+ remoteRef:
+ key: secrets/krakend/config
+ property: config
\ No newline at end of file
diff --git a/master/krakend/templates/service.yaml b/master/krakend/templates/service.yaml
new file mode 100644
index 0000000..d5393f3
--- /dev/null
+++ b/master/krakend/templates/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: krakend-service
+spec:
+ ports:
+ - name: http
+ port: 8080
+ targetPort: 8080
+ protocol: TCP
+ selector:
+ app: krakend
\ No newline at end of file
diff --git a/master/kube-prometheus-stack/Chart.yaml b/master/kube-prometheus-stack/Chart.yaml
new file mode 100644
index 0000000..ecb4ab2
--- /dev/null
+++ b/master/kube-prometheus-stack/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+name: kube-prometheus-stack
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: kube-prometheus-stack
+ repository: https://prometheus-community.github.io/helm-charts
+ version: 63.1.0
diff --git a/master/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml b/master/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml
new file mode 100644
index 0000000..716d4e5
--- /dev/null
+++ b/master/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml
@@ -0,0 +1,41 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-grafana-oauth +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: grafana-oauth + data: + - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID + remoteRef: + key: secrets/kube-prometheus/grafana/oauth + property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID + - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET + remoteRef: + key: secrets/kube-prometheus/grafana/oauth + property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET + +--- + +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-admin-credentials +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: grafana-admin-credentials + data: + - secretKey: admin-password + remoteRef: + key: secrets/kube-prometheus/grafana/admin + property: admin-password + - secretKey: admin-user + remoteRef: + key: secrets/kube-prometheus/grafana/admin + property: admin-user diff --git a/master/kube-prometheus-stack/templates/ingress.yaml b/master/kube-prometheus-stack/templates/ingress.yaml new file mode 100644 index 0000000..caf0ee1 --- /dev/null +++ b/master/kube-prometheus-stack/templates/ingress.yaml 
@@ -0,0 +1,80 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: grafana-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`grafana.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: grafana + port: 80 + tls: + secretName: grafana-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: grafana-tls +spec: + secretName: grafana-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "grafana.durp.info" + dnsNames: + - "grafana.durp.info" + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: alertmanager-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: prometheus-alertmanager + port: 9093 + tls: + secretName: alertmanager-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: alertmanager-tls +spec: + secretName: alertmanager-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "alertmanager.durp.info" + dnsNames: + - "alertmanager.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: grafana-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: grafana.durp.info +spec: + type: ExternalName + externalName: durp.info \ No newline at end of file diff --git a/master/kube-prometheus-stack/values.yaml b/master/kube-prometheus-stack/values.yaml new file mode 100644 index 0000000..19436ac --- /dev/null +++ b/master/kube-prometheus-stack/values.yaml 
@@ -0,0 +1,203 @@ +kube-prometheus-stack: + fullnameOverride: prometheus + + defaultRules: + create: true + rules: + alertmanager: true + etcd: true + configReloaders: true + general: true + k8s: true + kubeApiserverAvailability: true + kubeApiserverBurnrate: true + kubeApiserverHistogram: true + kubeApiserverSlos: true + kubelet: true + kubeProxy: true + kubePrometheusGeneral: true + kubePrometheusNodeRecording: true + kubernetesApps: true + kubernetesResources: true + kubernetesStorage: true + kubernetesSystem: true + kubeScheduler: true + kubeStateMetrics: true + network: true + node: true + nodeExporterAlerting: true + nodeExporterRecording: true + prometheus: true + prometheusOperator: true + + alertmanager: + fullnameOverride: alertmanager + enabled: true + ingress: + enabled: false + grafana: + enabled: true + fullnameOverride: grafana + forceDeployDatasources: false + forceDeployDashboards: false + defaultDashboardsEnabled: true + defaultDashboardsTimezone: utc + plugins: + - grafana-polystat-panel + serviceMonitor: + enabled: true + admin: + existingSecret: grafana-admin-credentials + userKey: admin-user + passwordKey: admin-password + ingress: + enabled: false + grafana.ini: + server: + root_url: https://grafana.durp.info + auth.generic_oauth: + enabled: true + scopes: openid profile email + auth_url: https://authentik.durp.info/application/o/authorize/ + token_url: https://authentik.durp.info/application/o/token/ + api_url: https://authentik.durp.info/application/o/userinfo/ + envFromSecret: "grafana-oauth" + + kubeApiServer: + enabled: true + + kubelet: + enabled: true + serviceMonitor: + metricRelabelings: + - action: replace + sourceLabels: + - node + targetLabel: instance + + kubeControllerManager: + enabled: true + endpoints: # ips of servers + - 192.168.20.121 + - 192.168.20.122 + - 192.168.20.123 + + coreDns: + enabled: false + + kubeDns: + enabled: false + + kubeEtcd: + enabled: true + endpoints: # ips of servers + - 192.168.20.121 + - 
192.168.20.122 + - 192.168.20.123 + service: + enabled: true + port: 2381 + targetPort: 2381 + + kubeScheduler: + enabled: true + endpoints: # ips of servers + - 192.168.20.121 + - 192.168.20.122 + - 192.168.20.123 + + kubeProxy: + enabled: true + endpoints: # ips of servers + - 192.168.20.121 + - 192.168.20.122 + - 192.168.20.123 + + kubeStateMetrics: + enabled: true + + kube-state-metrics: + fullnameOverride: kube-state-metrics + selfMonitor: + enabled: true + prometheus: + monitor: + enabled: true + relabelings: + - action: replace + regex: (.*) + replacement: $1 + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: kubernetes_node + + nodeExporter: + enabled: true + serviceMonitor: + relabelings: + - action: replace + regex: (.*) + replacement: $1 + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: kubernetes_node + + prometheus-node-exporter: + fullnameOverride: node-exporter + podLabels: + jobLabel: node-exporter + extraArgs: + - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/) + - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ + service: + portName: http-metrics + prometheus: + monitor: + enabled: true + relabelings: + - action: replace + regex: (.*) + replacement: $1 + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: kubernetes_node + resources: + requests: + memory: 512Mi + cpu: 250m + limits: + memory: 2048Mi + + prometheusOperator: + enabled: true + prometheusConfigReloader: + resources: + requests: + cpu: 200m + memory: 50Mi + limits: + memory: 100Mi + + prometheus: + enabled: true + prometheusSpec: + replicas: 1 + replicaExternalLabelName: "replica" + ruleSelectorNilUsesHelmValues: false + serviceMonitorSelectorNilUsesHelmValues: false + podMonitorSelectorNilUsesHelmValues: 
false + probeSelectorNilUsesHelmValues: false + retention: 6h + enableAdminAPI: true + walCompression: true + storageSpec: + volumeClaimTemplate: + spec: + storageClassName: nfs-storage + accessModes: ["ReadWriteMany"] + resources: + requests: + storage: 50Gi + + thanosRuler: + enabled: false diff --git a/master/kubeclarity/Chart.yaml b/master/kubeclarity/Chart.yaml new file mode 100644 index 0000000..4eef59a --- /dev/null +++ b/master/kubeclarity/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: kubeclarity +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: kubeclarity + repository: https://openclarity.github.io/kubeclarity + version: 2.23.3 diff --git a/master/kubeclarity/templates/ingress.yaml b/master/kubeclarity/templates/ingress.yaml new file mode 100644 index 0000000..77b67a7 --- /dev/null +++ b/master/kubeclarity/templates/ingress.yaml @@ -0,0 +1,47 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: kubeclarity-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`kubeclarity.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: kubeclarity-kubeclarity + port: 8080 + tls: + secretName: kubeclarity-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: kubeclarity-tls +spec: + secretName: kubeclarity-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "kubeclarity.durp.info" + dnsNames: + - "kubeclarity.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: kubeclarity-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: kubeclarity.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/master/kubeclarity/values.yaml b/master/kubeclarity/values.yaml new file mode 100644 index 0000000..0bb5078 
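Review bot: `enableAdminAPI: true` in `prometheusSpec` switches on Prometheus's admin endpoints (TSDB snapshot, series deletion, tombstone cleanup), which Prometheus itself does not authenticate; no IngressRoute in this commit exposes prometheus, but any in-cluster client that can reach the prometheus service can then delete metrics. Set it to `false` unless the snapshot API is in active use, and if it must stay on, pair it with a NetworkPolicy limiting who can reach the service. Separately, `storageSpec` puts the TSDB on `storageClassName: nfs-storage` with `accessModes: ["ReadWriteMany"]`; the Prometheus documentation states NFS is not supported for its storage and can corrupt the TSDB, and with `replicas: 1` ReadWriteOnce on a block-backed class would suffice. The enclosing values document begins at L87.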
--- /dev/null +++ b/master/kubeclarity/values.yaml 
@@ -0,0 +1,235 @@ +kubeclarity: + global: + databasePassword: kubeclarity + docker: + registry: "registry.internal.durp.info/openclarity" + tag: "latest" + imagePullPolicy: Always + + curl: + image: + registry: "registry.internal.durp.info" + repository: curlimages/curl + tag: 7.87.0 + + kubeclarity: + docker: + imageName: "" + + logLevel: warning + + enableDBInfoLog: false + + prometheus: + enabled: false + + podAnnotations: {} + + service: + type: ClusterIP + port: 8080 + annotations: {} + + ingress: + enabled: false + + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "1000Mi" + cpu: "1000m" + + initContainers: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "200m" + + kubeclarity-runtime-scan: + httpsProxy: "" + httpProxy: "" + resultServicePort: 8888 + + labels: + app: kubeclarity-scanner + sidecar.istio.io/inject: "false" + + namespace: "" + + registry: + skipVerifyTlS: "false" + useHTTP: "false" + + cis-docker-benchmark-scanner: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "1000Mi" + cpu: "1000m" + + vulnerability-scanner: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "1000Mi" + cpu: "1000m" + + analyzer: + analyzerList: "syft gomod trivy" + analyzerScope: "squashed" + + trivy: + enabled: true + timeout: "300" + + scanner: + scannerList: "grype trivy" + + grype: + enabled: true + mode: "REMOTE" + + remote-grype: + timeout: "2m" + + dependency-track: + enabled: false + insecureSkipVerify: "true" + disableTls: "true" + apiserverAddress: "dependency-track-apiserver.dependency-track" + apiKey: "" + + trivy: + enabled: true + timeout: "300" + + kubeclarity-grype-server: + enabled: true + + docker: + imageRepo: "registry.internal.durp.info/openclarity" + imageTag: "v0.6.0" + imagePullPolicy: Always + + logLevel: warning + + servicePort: 9991 + + resources: + requests: + cpu: "200m" + memory: "200Mi" + limits: + cpu: "1000m" + memory: 
"1G" + + kubeclarity-trivy-server: + enabled: true + + ## Docker Image values. + image: + registry: registry.internal.durp.info + repository: aquasec/trivy + tag: 0.44.1 + pullPolicy: Always + + persistence: + enabled: false + + podSecurityContext: + runAsUser: 1001 + runAsNonRoot: true + fsGroup: 1001 + + securityContext: + privileged: false + readOnlyRootFilesystem: true + + trivy: + debugMode: false + + service: + port: 9992 + + resources: + requests: + cpu: "200m" + memory: "200Mi" + limits: + cpu: "1000m" + memory: "1G" + + + kubeclarity-sbom-db: + docker: + imageName: "" + logLevel: warning + + servicePort: 8080 + + resources: + requests: + memory: "20Mi" + cpu: "10m" + limits: + memory: "1Gi" + cpu: "200m" + + kubeclarity-postgresql: + enabled: true + + image: + registry: registry.internal.durp.info + repository: bitnami/postgresql + tag: 14.6.0-debian-11-r31 + + auth: + existingSecret: kubeclarity-postgresql-secret + username: postgres + database: kubeclarity + sslMode: disable + + service: + ports: + postgresql: 5432 + + serviceAccount: + enabled: true + securityContext: + enabled: true + fsGroup: 1001 + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + volumePermissions: + enabled: false + securityContext: + runAsUser: 1001 + shmVolume: + chmod: + enabled: true + + resources: + requests: + memory: "256Mi" + cpu: "250m" + limits: + memory: "1000Mi" + cpu: "1000m" + + kubeclarity-postgresql-external: + enabled: false + + kubeclarity-postgresql-secret: + create: true + secretKey: "postgres-password" diff --git a/master/littlelink/Chart.yaml b/master/littlelink/Chart.yaml new file mode 100644 index 0000000..e69de29 diff --git a/master/littlelink/templates/deployment.yaml b/master/littlelink/templates/deployment.yaml new file mode 100644 index 0000000..b713b86 --- /dev/null +++ b/master/littlelink/templates/deployment.yaml 
@@ -0,0 +1,99 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: littlelink + name: littlelink + labels: + app: littlelink +spec: + selector: + matchLabels: + app: littlelink + replicas: 1 + template: + metadata: + labels: + app: littlelink + spec: + containers: + - name: littlelink + image: registry.internal.durp.info/techno-tim/littlelink-server:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthcheck + port: 3000 + readinessProbe: + httpGet: + path: /healthcheck + port: 3000 + env: + - name: META_TITLE + value: DeveloperDurp + - name: META_DESCRIPTION + value: The Durpy Developer + - name: META_AUTHOR + value: DeveloperDurp + - name: LANG + value: en + - name: META_INDEX_STATUS + value: all + - name: OG_TITLE + value: DeveloperDurp + - name: OG_DESCRIPTION + value: DeveloperDurp + - name: OG_URL + value: https://gitlab.com/developerdurp + - name: OG_IMAGE + value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png + - name : OG_IMAGE_WIDTH + value: "400" + - name : OG_IMAGE_HEIGHT + value: "400" + - name : THEME + value: Dark + - name : FAVICON_URL + value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png + - name : AVATAR_URL + value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png + - name : AVATAR_2X_URL + value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png + - name : AVATAR_ALT + value: DeveloperDurp Profile Pic + - name : NAME + value: DeveloperDurp + - name : BIO + value: Sup Nerd, + - name : BUTTON_ORDER + value: GITHUB,GITLAB,YOUTUBE,TWITTER,COFFEE,EMAIL + - name : TWITTER + value: https://twitter.com/developerdurp + - name : GITHUB + value: https://github.com/DeveloperDurp + - name : GITLAB + value: https://gitlab.com/developerdurp + - name: YOUTUBE + value: https://www.youtube.com/channel/UC1rGa6s6kER_gLpIQsxeMVQ + - name : EMAIL + value: DeveloperDurp@durp.info + - name : EMAIL_TEXT + value: DeveloperDurp@durp.info + - name : FOOTER + 
value: DeveloperDurp © 2022 + - name: CUSTOM_BUTTON_TEXT + value: BuyMeACoffee + - name: CUSTOM_BUTTON_URL + value: https://www.buymeacoffee.com/DeveloperDurp + - name: CUSTOM_BUTTON_COLOR + value: '#ffdd00' + - name: CUSTOM_BUTTON_TEXT_COLOR + value: '#000000' + - name: CUSTOM_BUTTON_ALT_TEXT + value: Support + - name: CUSTOM_BUTTON_NAME + value: COFFEE + - name: CUSTOM_BUTTON_ICON + value: fa-solid fa-cup-togo + ports: + - name: http + containerPort: 3000 diff --git a/master/littlelink/templates/ingress.yaml b/master/littlelink/templates/ingress.yaml new file mode 100644 index 0000000..194f31e --- /dev/null +++ b/master/littlelink/templates/ingress.yaml @@ -0,0 +1,42 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: littlelink-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`links.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: littlelink + port: 80 + tls: + secretName: littlelink-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: littlelink-tls +spec: + secretName: littlelink-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "links.durp.info" + dnsNames: + - "links.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: links-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: links.durp.info +spec: + type: ExternalName + externalName: durp.info \ No newline at end of file diff --git a/master/littlelink/templates/service.yaml b/master/littlelink/templates/service.yaml new file mode 100644 index 0000000..445d527 --- /dev/null +++ b/master/littlelink/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: littlelink +spec: + ports: + - name: http + port: 80 + targetPort: 3000 + protocol: TCP + selector: + app: littlelink \ No newline at end of file diff --git a/master/longhorn/Chart.yaml b/master/longhorn/Chart.yaml new file mode 100644 index 0000000..fde2188 
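Review bot: Many env entries in the littlelink Deployment are written `- name : OG_IMAGE_WIDTH` with a space before the colon while the first entries use `- name: META_TITLE`; both forms parse, but the file should use one (`- name: OG_IMAGE_WIDTH`). The image `registry.internal.durp.info/techno-tim/littlelink-server:latest` is pulled with `imagePullPolicy: Always`, so each restart may run a different build; pin a tag or digest as krakend does in L83. The new `master/littlelink/Chart.yaml` that precedes this file is added as an empty blob (index e69de29); if this directory is rendered as a Helm chart like its siblings, an empty Chart.yaml fails chart validation, so verify it is meant to be populated. The Deployment hunk begins at L93.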
--- /dev/null +++ b/master/longhorn/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: longhorn-system +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: +- name: longhorn + repository: https://charts.longhorn.io + version: 1.7.1 \ No newline at end of file diff --git a/master/longhorn/templates/ingress.yaml b/master/longhorn/templates/ingress.yaml new file mode 100644 index 0000000..df2e071 --- /dev/null +++ b/master/longhorn/templates/ingress.yaml @@ -0,0 +1,41 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: longhorn-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`longhorn.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: longhorn-frontend + port: 80 + - match: Host(`longhorn.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) + kind: Rule + services: + - name: ak-outpost-authentik-embedded-outpost + namespace: authentik + port: 9000 + tls: + secretName: longhorn-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: longhorn-tls +spec: + secretName: longhorn-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "longhorn.internal.durp.info" + dnsNames: + - "longhorn.internal.durp.info" diff --git a/master/longhorn/templates/secrets.yaml b/master/longhorn/templates/secrets.yaml new file mode 100644 index 0000000..c10ab89 --- /dev/null +++ b/master/longhorn/templates/secrets.yaml 
@@ -0,0 +1,24 @@
+
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: external-longhorn-backup-token-secret
+spec:
+ secretStoreRef:
+ name: vault
+ kind: ClusterSecretStore
+ target:
+ name: longhorn-backup-token-secret
+ data:
+ - secretKey: AWS_ACCESS_KEY_ID
+ remoteRef:
+ key: secrets/longhorn/backup
+ property: AWS_ACCESS_KEY_ID
+ - secretKey: AWS_ENDPOINTS
+ remoteRef:
+ key: secrets/longhorn/backup
+ property: AWS_ENDPOINTS
+ - secretKey: AWS_SECRET_ACCESS_KEY
+ remoteRef:
+ key: secrets/longhorn/backup
+ property: AWS_SECRET_ACCESS_KEY
diff --git a/master/longhorn/values.yaml b/master/longhorn/values.yaml
new file mode 100644
index 0000000..647385b
--- /dev/null
+++ b/master/longhorn/values.yaml
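Review bot: Nothing in templates/secrets.yaml says what the three keys are for or who consumes them; the link to `backupTargetCredentialSecret` in values.yaml is discoverable only by matching the name, so add a header comment above `apiVersion:` such as `# Credentials for the S3 backup target set in values.yaml (defaultSettings.backupTarget); key names follow the secret format Longhorn expects for backup credentials`. No `refreshInterval` is set, so the operator's default applies; stating the intended value explicitly (for example `refreshInterval: 1h`) documents how long a rotated Vault value takes to reach the cluster. The hunk also begins with an empty line before `apiVersion:`, harmless but inconsistent with the other templates in this commit.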
@@ -0,0 +1,253 @@ +longhorn: + + # Default values for longhorn. + # This is a YAML-formatted file. + # Declare variables to be passed into your templates. + global: + cattle: + systemDefaultRegistry: "" + + image: + longhorn: + engine: + repository: longhornio/longhorn-engine + manager: + repository: longhornio/longhorn-manager + ui: + repository: longhornio/longhorn-ui + instanceManager: + repository: longhornio/longhorn-instance-manager + shareManager: + repository: longhornio/longhorn-share-manager + backingImageManager: + repository: longhornio/backing-image-manager + csi: + attacher: + repository: longhornio/csi-attacher + provisioner: + repository: longhornio/csi-provisioner + nodeDriverRegistrar: + repository: longhornio/csi-node-driver-registrar + resizer: + repository: longhornio/csi-resizer + snapshotter: + repository: longhornio/csi-snapshotter + pullPolicy: Always + + service: + ui: + type: ClusterIP + nodePort: null + manager: + type: ClusterIP + nodePort: "" + loadBalancerIP: "" + loadBalancerSourceRanges: "" + + persistence: + defaultClass: true + defaultFsType: ext4 + defaultClassReplicaCount: 3 + defaultDataLocality: disabled # best-effort otherwise + reclaimPolicy: Retain + migratable: false + recurringJobSelector: + enable: true + jobList: '[ + { + "name":"backup", + "task":"backup", + "cron":"0 0 * * ?", + "retain":24 + } + ]' + backingImage: + enable: false + name: ~ + dataSourceType: ~ + dataSourceParameters: ~ + expectedChecksum: ~ + + csi: + kubeletRootDir: ~ + attacherReplicaCount: ~ + provisionerReplicaCount: ~ + resizerReplicaCount: ~ + snapshotterReplicaCount: ~ + + defaultSettings: + backupTarget: S3://longhorn-master@us-east-1/ + backupTargetCredentialSecret: longhorn-backup-token-secret + allowRecurringJobWhileVolumeDetached: ~ + createDefaultDiskLabeledNodes: ~ + defaultDataPath: ~ + defaultDataLocality: ~ + replicaSoftAntiAffinity: ~ + replicaAutoBalance: ~ + storageOverProvisioningPercentage: ~ + storageMinimalAvailablePercentage: 
~ + upgradeChecker: ~ + defaultReplicaCount: ~ + defaultLonghornStaticStorageClass: longhorn + backupstorePollInterval: ~ + taintToleration: ~ + systemManagedComponentsNodeSelector: ~ + priorityClass: ~ + autoSalvage: ~ + autoDeletePodWhenVolumeDetachedUnexpectedly: ~ + disableSchedulingOnCordonedNode: ~ + replicaZoneSoftAntiAffinity: ~ + nodeDownPodDeletionPolicy: ~ + allowNodeDrainWithLastHealthyReplica: ~ + mkfsExt4Parameters: ~ + disableReplicaRebuild: ~ + replicaReplenishmentWaitInterval: ~ + concurrentReplicaRebuildPerNodeLimit: ~ + disableRevisionCounter: ~ + systemManagedPodsImagePullPolicy: ~ + allowVolumeCreationWithDegradedAvailability: ~ + autoCleanupSystemGeneratedSnapshot: ~ + concurrentAutomaticEngineUpgradePerNodeLimit: ~ + backingImageCleanupWaitInterval: ~ + backingImageRecoveryWaitInterval: ~ + guaranteedEngineManagerCPU: ~ + guaranteedReplicaManagerCPU: ~ + kubernetesClusterAutoscalerEnabled: ~ + orphanAutoDeletion: ~ + storageNetwork: ~ + privateRegistry: + createSecret: ~ + registryUrl: ~ + registryUser: ~ + registryPasswd: ~ + registrySecret: ~ + + longhornManager: + priorityClass: ~ + tolerations: [] + ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + nodeSelector: {} + ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + + longhornDriver: + priorityClass: ~ + tolerations: [] + ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + nodeSelector: {} + ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the 
line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + + longhornUI: + priorityClass: ~ + tolerations: [] + ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + nodeSelector: {} + ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + # + + ingress: + ## Set to true to enable ingress record generation + enabled: false + + ## Add ingressClassName to the Ingress + ## Can replace the kubernetes.io/ingress.class annotation on v1.18+ + ingressClassName: nginx + + host: longhorn.internal.durp.info + + ## Set this to true in order to enable TLS on the ingress record + ## A side effect of this will be that the backend service will be connected at port 443 + tls: + - secretName: longhorn-tls + hosts: + - longhorn.internal.durp.info + + ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS + tlsSecret: longhorn-tls + + ## If ingress is enabled you can set the default ingress path + ## then you can access the UI by using the following full path {{host}}+{{path}} + path: / + + ## Ingress annotations done as key:value pairs + ## If you're using kube-lego, you will want to add: + ## kubernetes.io/tls-acme: true + ## 
+ ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md + ## + ## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + nginx.ingress.kubernetes.io/auth-url: |- + http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx + nginx.ingress.kubernetes.io/auth-signin: |- + https://longhorn.internal.durp.info/outpost.goauthentik.io/start?rd=$escaped_request_uri + nginx.ingress.kubernetes.io/auth-response-headers: |- + Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Host $http_host; + + secrets: + ## If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using kube-lego, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + # - name: longhorn.local-tls + # key: + # certificate: + + # Configure a pod security policy in the Longhorn namespace to allow privileged pods + enablePSP: true + + ## Specify override namespace, specifically this is useful for using longhorn as sub-chart + ## and its release namespace is not the `longhorn-system` + namespaceOverride: "" + + # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional. + annotations: {} + + serviceAccount: + # Annotations to add to the service account + annotations: {} + 
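Review bot: `enablePSP: true` near the end of values.yaml asks the chart for a PodSecurityPolicy, an API Kubernetes 1.25 removed; whether the Longhorn 1.7.1 chart still renders that object under this flag I cannot confirm from here, but on a 1.25+ cluster it should be `enablePSP: false` so the release does not try to apply a resource the API server no longer has, with pod-security admission labels on the namespace doing that job instead. The whole `ingress:` block (`auth-url`, `auth-signin`, `auth-response-headers`, `auth-snippet`, `tls`, `tlsSecret`) is inactive because of `enabled: false`, and the live exposure is the IngressRoute in templates/ingress.yaml, so the dead nginx annotations read as if nginx-ingress plus authentik were the protection; remove them or head the block with `## Unused: the UI is exposed via templates/ingress.yaml (Traefik IngressRoute)`. The file is the upstream defaults with almost every setting left at `~`, which buries the real overrides (`image.pullPolicy`, `persistence.reclaimPolicy`, `recurringJobSelector`, `defaultSettings.backupTarget`, `backupTargetCredentialSecret`, `defaultLonghornStaticStorageClass`, `ingress.host`); trimming it to those keys would make future chart upgrades reviewable. `backupTargetCredentialSecret: longhorn-backup-token-secret` matches the ExternalSecret target name in templates/secrets.yaml, so that wiring is consistent.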
diff --git a/master/metallb-system/Chart.yaml b/master/metallb-system/Chart.yaml
new file mode 100644
index 0000000..0f6506f
--- /dev/null
+++ b/master/metallb-system/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: metallb-system
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: metallb
+ repository: https://metallb.github.io/metallb
+ version: 0.14.8
+
diff --git a/master/metallb-system/templates/config.yaml b/master/metallb-system/templates/config.yaml
new file mode 100644
index 0000000..e44285d
--- /dev/null
+++ b/master/metallb-system/templates/config.yaml
@@ -0,0 +1,17 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: cheap
+spec:
+ addresses:
+ - 192.168.20.130-192.168.20.140
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+ name: poop
+ namespace: metallb-system
+spec:
+ ipAddressPools:
+ - cheap
+
diff --git a/master/metallb-system/values.yaml b/master/metallb-system/values.yaml
new file mode 100644
index 0000000..260551d
--- /dev/null
+++ b/master/metallb-system/values.yaml
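Review bot: In templates/config.yaml the `IPAddressPool` has no `metadata.namespace` while the `L2Advertisement` in the same file sets `namespace: metallb-system`; MetalLB reads these resources only from its own namespace, so the pool works only because the release is presumably installed into `metallb-system`, and a different release namespace would silently leave it unread. Either add `namespace: metallb-system` to the pool as well or drop it from both and rely on the release namespace, but not a mix. `name: poop` for the advertisement is not descriptive; a name that says which pool it advertises, such as `name: l2-cheap`, reads better in `kubectl get` output. The range `192.168.20.130-192.168.20.140` is fine as a plain scalar, but a comment noting it must be excluded from the LAN's DHCP scope would save the next person an address collision.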
@@ -0,0 +1,197 @@ +metallb: + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + loadBalancerClass: "" + + rbac: + create: true + + prometheus: + scrapeAnnotations: false + metricsPort: 7472 + speakerMetricsTLSSecret: "" + controllerMetricsTLSSecret: "" + rbacPrometheus: true + serviceAccount: "" + namespace: "" + rbacProxy: + repository: gcr.io/kubebuilder/kube-rbac-proxy + tag: v0.12.0 + pullPolicy: + podMonitor: + enabled: false + additionalLabels: {} + annotations: {} + jobLabel: "app.kubernetes.io/name" + interval: + metricRelabelings: [] + relabelings: [] + serviceMonitor: + enabled: false + speaker: + additionalLabels: {} + annotations: {} + tlsConfig: + insecureSkipVerify: true + controller: + additionalLabels: {} + annotations: {} + tlsConfig: + insecureSkipVerify: true + jobLabel: "app.kubernetes.io/name" + interval: + metricRelabelings: [] + relabelings: [] + prometheusRule: + enabled: false + additionalLabels: {} + annotations: {} + staleConfig: + enabled: true + labels: + severity: warning + configNotLoaded: + enabled: true + labels: + severity: warning + addressPoolExhausted: + enabled: true + labels: + severity: alert + addressPoolUsage: + enabled: true + thresholds: + - percent: 75 + labels: + severity: warning + - percent: 85 + labels: + severity: warning + - percent: 95 + labels: + severity: alert + bgpSessionDown: + enabled: true + labels: + severity: alert + + extraAlerts: [] + + controller: + enabled: true + # -- Controller log level. 
Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` + logLevel: info + image: + repository: quay.io/metallb/controller + tag: + pullPolicy: + strategy: + type: RollingUpdate + serviceAccount: + create: true + name: "" + annotations: {} + securityContext: + runAsNonRoot: true + runAsUser: 65534 + fsGroup: 65534 + resources: {} + nodeSelector: {} + tolerations: [] + priorityClassName: "" + runtimeClassName: "" + affinity: {} + podAnnotations: {} + labels: {} + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + tlsMinVersion: "VersionTLS12" + tlsCipherSuites: "" + + extraContainers: [] + + speaker: + enabled: true + logLevel: debug + tolerateMaster: true + memberlist: + enabled: true + mlBindPort: 7946 + mlBindAddrOverride: "" + mlSecretKeyPath: "/etc/ml_secret_key" + excludeInterfaces: + enabled: true + ignoreExcludeLB: false + + image: + repository: quay.io/metallb/speaker + tag: + pullPolicy: + updateStrategy: + type: RollingUpdate + serviceAccount: + create: true + name: "" + annotations: {} + securityContext: {} + resources: {} + nodeSelector: {} + tolerations: [] + priorityClassName: "" + affinity: {} + runtimeClassName: "" + podAnnotations: {} + labels: + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/warn: privileged + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + startupProbe: + enabled: true + failureThreshold: 30 + periodSeconds: 5 + frr: + enabled: true + image: + repository: quay.io/frrouting/frr + 
tag: 9.0.2 + pullPolicy: + metricsPort: 7473 + resources: {} + reloader: + resources: {} + frrMetrics: + resources: {} + extraContainers: [] + crds: + enabled: true + validationFailurePolicy: Fail + frrk8s: + enabled: false + diff --git a/master/nfs-client/Chart.yml b/master/nfs-client/Chart.yml new file mode 100644 index 0000000..217f2c1 --- /dev/null +++ b/master/nfs-client/Chart.yml @@ -0,0 +1,8 @@ +apiVersion: v2 +name: nfs-client +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + diff --git a/master/nfs-client/templates/cluster-role-binding.yml b/master/nfs-client/templates/cluster-role-binding.yml new file mode 100644 index 0000000..427d8c6 --- /dev/null +++ b/master/nfs-client/templates/cluster-role-binding.yml @@ -0,0 +1,12 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: run-nfs-client-provisioner +subjects: + - kind: ServiceAccount + name: nfs-client-provisioner + namespace: nfs-client +roleRef: + kind: ClusterRole + name: nfs-client-provisioner-runner + apiGroup: rbac.authorization.k8s.io diff --git a/master/nfs-client/templates/cluster-role.yml b/master/nfs-client/templates/cluster-role.yml new file mode 100644 index 0000000..fa6ed20 --- /dev/null +++ b/master/nfs-client/templates/cluster-role.yml @@ -0,0 +1,20 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: nfs-client-provisioner-runner +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "update", "patch"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "list", "watch", "create", "update", "patch"] 
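Review bot: `speaker.frr.enabled: true` in values.yaml runs the FRR, reloader and frr-metrics sidecars on every speaker, yet the only advertisement this commit adds is an `L2Advertisement` in templates/config.yaml, which does not use BGP; for an L2-only deployment `frr.enabled: false` removes three containers with network capabilities per node, plus their images, from the attack surface. `speaker.logLevel: debug` differs from the controller's `info` and is very chatty on every node; unless this is for active troubleshooting, `logLevel: info` matches the rest of the file. Both `serviceMonitor.speaker` and `serviceMonitor.controller` set `tlsConfig.insecureSkipVerify: true`; the monitors are disabled so nothing is affected today, but if they are ever enabled the scrape would not verify the rbac-proxy certificate, so add a comment explaining why verification is off or point the scrape at the serving CA now. The rest of the file is the chart's defaults, so trimming it to the actual overrides (`speaker.logLevel`, the pod-security labels, `frrk8s`) would make the real configuration visible.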
diff --git a/master/nfs-client/templates/provisioner.yml b/master/nfs-client/templates/provisioner.yml new file mode 100644 index 0000000..c76fe8c --- /dev/null +++ b/master/nfs-client/templates/provisioner.yml @@ -0,0 +1,42 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: nfs-client-provisioner + namespace: nfs-client +spec: + selector: + matchLabels: + app: nfs-client-provisioner + replicas: 1 + strategy: + type: Recreate + template: + metadata: + labels: + app: nfs-client-provisioner + spec: + serviceAccountName: nfs-client-provisioner + containers: + - name: nfs-client-provisioner + image: gcr.io/k8s-staging-sig-storage/nfs-subdir-external-provisioner:v4.0.0 + resources: + requests: + cpu: 500m + memory: 512Mi + limits: + memory: 1Gi + volumeMounts: + - name: nfs-client-ssd + mountPath: /persistentvolumes + env: + - name: PROVISIONER_NAME + value: durp.info/nfs + - name: NFS_SERVER + value: 192.168.20.253 + - name: NFS_PATH + value: /mnt/user/k3s + volumes: + - name: nfs-client-ssd + nfs: + server: 192.168.20.253 + path: /mnt/user/k3s diff --git a/master/nfs-client/templates/role-binding.yml b/master/nfs-client/templates/role-binding.yml new file mode 100644 index 0000000..fb0f085 --- /dev/null +++ b/master/nfs-client/templates/role-binding.yml @@ -0,0 +1,13 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: leader-locking-nfs-client-provisioner + namespace: nfs-client +subjects: + - kind: ServiceAccount + name: nfs-client-provisioner + namespace: nfs-client +roleRef: + kind: Role + name: leader-locking-nfs-client-provisioner + apiGroup: rbac.authorization.k8s.io diff --git a/master/nfs-client/templates/role.yml b/master/nfs-client/templates/role.yml new file mode 100644 index 0000000..910346d --- /dev/null +++ b/master/nfs-client/templates/role.yml 
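Review bot: In templates/provisioner.yml the image `gcr.io/k8s-staging-sig-storage/nfs-subdir-external-provisioner:v4.0.0` comes from a Kubernetes staging registry, a CI-artifact bucket that is not meant for consumption and can be garbage-collected; the released image is published under `registry.k8s.io/sig-storage/nfs-subdir-external-provisioner` (use its current v4.0.x tag), and with `imagePullPolicy` unset an `@sha256:` digest pin would make the pull reproducible. The NFS server and export are duplicated in the env (`NFS_SERVER`, `NFS_PATH`) and in the `nfs:` volume and must stay identical for the provisioner to create directories on the same export it mounts; since this is a Helm template, both places should read one value (`{{ .Values.nfs.server }}` / `{{ .Values.nfs.path }}`) or at least carry a comment saying they are a pair. The container also declares no `securityContext`; if the export's permissions allow a non-root uid to create directories, `runAsNonRoot: true` and `allowPrivilegeEscalation: false` at the container level would be consistent with the `controller.securityContext` set for MetalLB elsewhere in this commit.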
@@ -0,0 +1,9 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: leader-locking-nfs-client-provisioner
+ namespace: nfs-client
+rules:
+ - apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
diff --git a/master/nfs-client/templates/service-account.yml b/master/nfs-client/templates/service-account.yml
new file mode 100644
index 0000000..ef9b4d7
--- /dev/null
+++ b/master/nfs-client/templates/service-account.yml
@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: nfs-client-provisioner
+ namespace: nfs-client
diff --git a/master/nfs-client/templates/storage-class.yml b/master/nfs-client/templates/storage-class.yml
new file mode 100644
index 0000000..b615fe1
--- /dev/null
+++ b/master/nfs-client/templates/storage-class.yml
@@ -0,0 +1,10 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: nfs-storage
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "false"
+provisioner: durp.info/nfs
+parameters:
+ archiveOnDelete: "false"
+reclaimPolicy: Retain
diff --git a/master/open-webui/Chart.yaml b/master/open-webui/Chart.yaml
new file mode 100644
index 0000000..1561d60
--- /dev/null
+++ b/master/open-webui/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: open-webui
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
diff --git a/master/open-webui/templates/deployment.yaml b/master/open-webui/templates/deployment.yaml
new file mode 100644
index 0000000..7a51d0f
--- /dev/null
+++ b/master/open-webui/templates/deployment.yaml
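Review bot: In templates/storage-class.yml `archiveOnDelete: "false"` is only consulted when the provisioner deletes a volume, which does not happen while `reclaimPolicy: Retain` keeps released PVs around, so the parameter is dead as written and the two lines read as contradictory intent (discard directories on delete versus keep everything). Either switch to `reclaimPolicy: Delete` if directories should go away with their claims, or keep `Retain` and add `# archiveOnDelete has no effect under Retain; kept for the day reclaimPolicy changes` above `parameters:`. The quoted `"false"` values are correct, since the provisioner parameter and the default-class annotation both expect strings rather than YAML booleans.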
@@ -0,0 +1,37 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: open-webui + name: open-webui + labels: + app: open-webui +spec: + selector: + matchLabels: + app: open-webui + replicas: 1 + template: + metadata: + labels: + app: open-webui + spec: + containers: + - name: open-webui + image: registry.internal.durp.info/open-webui/open-webui:main + imagePullPolicy: Always + volumeMounts: + - name: open-webui-pvc + mountPath: /app/backend/data + ports: + - name: http + containerPort: 8080 + env: + - name: OLLAMA_BASE_URL + valueFrom: + secretKeyRef: + name: open-webui-secret + key: OLLAMA_BASE_URL + volumes: + - name: open-webui-pvc + persistentVolumeClaim: + claimName: open-webui-pvc diff --git a/master/open-webui/templates/ingress.yaml b/master/open-webui/templates/ingress.yaml new file mode 100644 index 0000000..6331e92 --- /dev/null +++ b/master/open-webui/templates/ingress.yaml @@ -0,0 +1,42 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: open-webui-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`open-webui.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: open-webui + port: 8080 + tls: + secretName: open-webui-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: open-webui-tls +spec: + secretName: open-webui-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "open-webui.durp.info" + dnsNames: + - "open-webui.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: open-webui-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: open-webui.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/master/open-webui/templates/pvc.yaml b/master/open-webui/templates/pvc.yaml new file mode 100644 index 0000000..63a3280 --- /dev/null +++ b/master/open-webui/templates/pvc.yaml 
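Review bot: In templates/deployment.yaml, `image: registry.internal.durp.info/open-webui/open-webui:main` combined with `imagePullPolicy: Always` means every pod restart may pull a different build of a moving branch tag, so rolling back to the previously running code is impossible and an unexpected image change on the internal registry rolls out unnoticed; pin to a release tag or an `@sha256:` digest and let Argo CD drive upgrades by changing that line. The Deployment hard-codes `namespace: open-webui` under `metadata:` while the Service, PVC, IngressRoute and ExternalSecret in the same chart carry no namespace and land in the Helm release namespace; if the Argo CD Application ever targets a different namespace, the Service's `app: open-webui` selector will find no pods. Drop the hard-coded namespace or set it on every resource, not on one. The pod also declares no `securityContext` or `resources`; `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and a memory limit would match what the MetalLB controller and the nfs-client provisioner in this commit already set.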
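Review bot: In templates/ingress.yaml the `open-webui.durp.info` route is published through the `open-webui-external-dns` ExternalName stub and carries no middlewares, so unlike the longhorn and traefik routes in this commit it is neither IP-restricted nor behind the `authentik-proxy-provider` forwardAuth, and the application's own login form is the only gate on a public hostname. If that is intended, say so in a comment above `routes:`; otherwise add `middlewares:` with `- name: authentik-proxy-provider` / `namespace: traefik` (the Traefik values set `allowCrossNamespace: true`, so the cross-namespace reference resolves) and, if it should be LAN-only, the `whitelist` middleware as well. Nothing in the Deployment constrains self-registration, so what an unauthenticated visitor can do on the login page depends on the image's defaults and should be confirmed before the DNS record goes live. The Certificate and the ExternalName Service are byte-for-byte the littlelink shape with the host swapped, so a shared named template would cut the copies.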
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: open-webui-pvc +spec: + storageClassName: longhorn + accessModes: + - ReadWriteMany + resources: + requests: + storage: 10Gi diff --git a/master/open-webui/templates/secrets.yaml b/master/open-webui/templates/secrets.yaml new file mode 100644 index 0000000..1fe6fec --- /dev/null +++ b/master/open-webui/templates/secrets.yaml @@ -0,0 +1,16 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: open-webui-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: open-webui-secret + data: + - secretKey: OLLAMA_BASE_URL + remoteRef: + key: secrets/open-webui + property: OLLAMA_BASE_URL + diff --git a/master/open-webui/templates/service.yaml b/master/open-webui/templates/service.yaml new file mode 100644 index 0000000..cd93455 --- /dev/null +++ b/master/open-webui/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: open-webui +spec: + ports: + - name: http + port: 8080 + targetPort: 8080 + protocol: TCP + selector: + app: open-webui diff --git a/master/traefik/Chart.yaml b/master/traefik/Chart.yaml new file mode 100644 index 0000000..5378476 --- /dev/null +++ b/master/traefik/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: traefik +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: traefik + repository: https://traefik.github.io/charts + version: 24.0.0 diff --git a/master/traefik/templates/ingress.yaml b/master/traefik/templates/ingress.yaml new file mode 100644 index 0000000..a165566 --- /dev/null +++ b/master/traefik/templates/ingress.yaml 
@@ -0,0 +1,39 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`traefik.internal.durp.info`) + middlewares: + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: api@internal + kind: TraefikService + - match: Host(`traefik.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) + kind: Rule + services: + - name: ak-outpost-authentik-embedded-outpost + namespace: authentik + port: 9000 + tls: + secretName: traefik-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: traefik-tls + namespace: traefik +spec: + secretName: traefik-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "traefik.internal.durp.info" + dnsNames: + - "traefik.internal.durp.info" \ No newline at end of file diff --git a/master/traefik/templates/middlewares.yaml b/master/traefik/templates/middlewares.yaml new file mode 100644 index 0000000..6ed5f31 --- /dev/null +++ b/master/traefik/templates/middlewares.yaml @@ -0,0 +1,37 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: authentik-proxy-provider + namespace: traefik +spec: + forwardAuth: + address: http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: whitelist + namespace: traefik +spec: + ipWhiteList: + sourceRange: + - 192.168.20.0/24 + - 10.0.0.0/8 + - 192.168.30.0/24 + - 192.168.130.0/24 + - 192.168.131.0/24 
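Review bot: In templates/ingress.yaml the dashboard route to `api@internal` is protected only by `authentik-proxy-provider`, whereas the longhorn route in this commit stacks `whitelist` in front of it; the Traefik API returns the full routing configuration and is not something to reach from outside the allow-listed networks, so add `- name: whitelist` / `namespace: traefik` ahead of the forwardAuth entry here too, and on the `/outpost.goauthentik.io` route if the host is meant to be LAN-only. The Certificate sets `namespace: traefik` while the IngressRoute above it does not; Traefik looks up `tls.secretName` in the IngressRoute's own namespace, so the two objects only line up when the release namespace is also `traefik`, and pinning the namespace on both (or neither) removes that dependency. values.yaml in this commit also enables `ingressRoute.dashboard` on the unexposed `traefik` entrypoint, so the dashboard is now reachable two ways; a comment on this route marking it as the deliberate externally-reachable one would keep someone from later disabling the wrong one.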
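Review bot: In templates/middlewares.yaml `ipWhiteList.sourceRange` filters on the client address as Traefik sees it, and with MetalLB in front of the Service (added in this commit) that address is the SNATed node IP, itself inside `192.168.20.0/24`, unless the Traefik Service uses `externalTrafficPolicy: Local` or the entrypoint names a trusted upstream in `forwardedHeaders.trustedIPs`; neither is visible in the portion of values.yaml shown, so the allow-list may currently admit any source, and that setting should be confirmed and recorded in a comment above `sourceRange:`. `10.0.0.0/8` is also broad for an allow-list: if this is k3s (the `/mnt/user/k3s` export suggests so) it covers the default pod and service CIDRs, so every workload in the cluster passes the check that is meant to guard Longhorn. In the forwardAuth middleware, `trustForwardHeader: true` hands whatever `X-Forwarded-*` headers Traefik holds to authentik, which is only safe because Traefik overwrites those headers from untrusted clients by default; a comment stating that assumption keeps it from being undone by a later `trustedIPs` change. `ipWhiteList` is renamed `ipAllowList` in Traefik v3, so this file needs touching when `experimental.v3` is turned on.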
diff --git a/master/traefik/values.yaml b/master/traefik/values.yaml
new file mode 100644
index 0000000..de51762
--- /dev/null
+++ b/master/traefik/values.yaml
@@ -0,0 +1,887 @@ +traefik: + # Default values for Traefik + image: + registry: docker.io + repository: traefik + # defaults to appVersion + tag: "" + pullPolicy: Always + + # + # Configure integration with Traefik Hub + # + hub: + ## Enabling Hub will: + # * enable Traefik Hub integration on Traefik + # * add `traefikhub-tunl` endpoint + # * enable Prometheus metrics with addRoutersLabels + # * enable allowExternalNameServices on KubernetesIngress provider + # * enable allowCrossNamespace on KubernetesCRD provider + # * add an internal (ClusterIP) Service, dedicated for Traefik Hub + enabled: true + ## Default port can be changed + # tunnelPort: 9901 + ## TLS is optional. Insecure is mutually exclusive with any other options + # tls: + # insecure: false + # ca: "/path/to/ca.pem" + # cert: "/path/to/cert.pem" + # key: "/path/to/key.pem" + + # + # Configure the deployment + # + deployment: + enabled: true + # Can be either Deployment or DaemonSet + kind: Deployment + # Number of pods of the deployment (only applies when kind == Deployment) + replicas: 3 + # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) + revisionHistoryLimit: 1 + # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 + # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available + minReadySeconds: 0 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # Additional deployment labels (e.g. for filtering deployment by custom labels) + labels: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + # Additional Pod labels (e.g. for filtering Pod by custom labels) + podLabels: {} + # Additional containers (e.g. 
for metric offloading sidecars) + additionalContainers: [] + # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host + # - name: socat-proxy + # image: alpine/socat:1.0.5 + # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] + # volumeMounts: + # - name: dsdsocket + # mountPath: /socket + # Additional volumes available for use with initContainers and additionalContainers + additionalVolumes: [] + # - name: dsdsocket + # hostPath: + # path: /var/run/statsd-exporter + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. + # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 + # - name: volume-permissions + # image: busybox:latest + # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] + # securityContext: + # runAsNonRoot: true + # runAsGroup: 65532 + # runAsUser: 65532 + # volumeMounts: + # - name: data + # mountPath: /data + # Use process namespace sharing + shareProcessNamespace: false + # Custom pod DNS policy. 
Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet + # Additional imagePullSecrets + imagePullSecrets: [] + # - name: myRegistryKeySecretName + # Pod lifecycle actions + lifecycle: {} + # preStop: + # exec: + # command: ["/bin/sh", "-c", "sleep 40"] + # postStart: + # httpGet: + # path: /ping + # port: 9000 + # host: localhost + # scheme: HTTP + + # Pod disruption budget + podDisruptionBudget: + enabled: false + # maxUnavailable: 1 + # maxUnavailable: 33% + # minAvailable: 0 + # minAvailable: 25% + + # Create a default IngressClass for Traefik + ingressClass: + enabled: true + isDefaultClass: false + + # Enable experimental features + experimental: + v3: + enabled: false + plugins: + enabled: true + kubernetesGateway: + enabled: false + gateway: + enabled: true + # certificate: + # group: "core" + # kind: "Secret" + # name: "mysecret" + # By default, Gateway would be created to the Namespace you are deploying Traefik to. + # You may create that Gateway in another namespace, setting its name below: + # namespace: default + # Additional gateway annotations (e.g. for cert-manager.io/issuer) + # annotations: + # cert-manager.io/issuer: letsencrypt + + # Create an IngressRoute for the dashboard + ingressRoute: + dashboard: + enabled: true + # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} + # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} + # The router match rule used for the dashboard ingressRoute + matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). + # By default, it's using traefik entrypoint, which is not exposed. + # /!\ Do not expose your dashboard without any protection over the internet /!\ + entryPoints: ["traefik"] + # Additional ingressRoute middlewares (e.g. for authentication) + middlewares: [] + # TLS options (e.g. 
secret containing certificate) + tls: {} + + # Customize updateStrategy of traefik pods + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 + + # Customize liveness and readiness probe values. + readinessProbe: + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + + # + # Configure providers + # + providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: true + allowExternalNameServices: false + allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" + + kubernetesIngress: + enabled: true + allowExternalNameServices: false + allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false + # Published Kubernetes Service to copy status from. Format: namespace/servicename + # By default this Traefik service + # pathOverride: "" + + # + # Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. 
+ # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: + # additionalArguments: + # - "--providers.file.filename=/config/dynamic.toml" + # - "--ping" + # - "--ping.entrypoint=web" + volumes: [] + # - name: public-cert + # mountPath: "/certs" + # type: secret + # - name: '{{ printf "%s-configs" .Release.Name }}' + # mountPath: "/config" + # type: configMap + + # Additional volumeMounts to add to the Traefik container + additionalVolumeMounts: [] + # For instance when using a logshipper for access logs + # - name: traefik-logs + # mountPath: /var/log/traefik + + ## Logs + ## https://docs.traefik.io/observability/logs/ + logs: + ## Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). + general: + # By default, the logs use a text format (common), but you can + # also ask for the json format in the format option + # format: json + # By default, the level is set to ERROR. + # Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: ERROR + access: + # To enable access logs + enabled: false + ## By default, logs are written using the Common Log Format (CLF) on stdout. + ## To write logs in JSON, use json in the format option. + ## If the given format is unsupported, the default (CLF) is used instead. + # format: json + # filePath: "/var/log/traefik/access.log + ## To write the logs in an asynchronous fashion, specify a bufferingSize option. + ## This option represents the number of log lines Traefik will keep in memory before writing + ## them to the selected output. In some cases, this option can greatly help performances. 
+ # bufferingSize: 100 + ## Filtering https://docs.traefik.io/observability/access-logs/#filtering + filters: {} + # statuscodes: "200,300-302" + # retryattempts: true + # minduration: 10ms + ## Fields + ## https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers + fields: + general: + defaultmode: keep + names: {} + ## Examples: + # ClientUsername: drop + headers: + defaultmode: drop + names: {} + ## Examples: + # User-Agent: redact + # Authorization: drop + # Content-Type: keep + + metrics: + ## Prometheus is enabled by default. + ## It can be disabled by setting "prometheus: null" + prometheus: + ## Entry point used to expose metrics. + entryPoint: metrics + ## Enable metrics on entry points. Default=true + # addEntryPointsLabels: false + ## Enable metrics on routers. Default=false + # addRoutersLabels: true + ## Enable metrics on services. Default=true + # addServicesLabels: false + ## Buckets for latency metrics. Default="0.1,0.3,1.2,5.0" + # buckets: "0.5,1.0,2.5" + ## When manualRouting is true, it disables the default internal router in + ## order to allow creating a custom router for prometheus@internal service. + # manualRouting: true + # datadog: + # ## Address instructs exporter to send metrics to datadog-agent at this address. + # address: "127.0.0.1:8125" + # ## The interval used by the exporter to push metrics to datadog-agent. Default=10s + # # pushInterval: 30s + # ## The prefix to use for metrics collection. Default="traefik" + # # prefix: traefik + # ## Enable metrics on entry points. Default=true + # # addEntryPointsLabels: false + # ## Enable metrics on routers. Default=false + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false + # influxdb: + # ## Address instructs exporter to send metrics to influxdb at this address. + # address: localhost:8089 + # ## InfluxDB's address protocol (udp or http). 
Default="udp" + # protocol: udp + # ## InfluxDB database used when protocol is http. Default="" + # # database: "" + # ## InfluxDB retention policy used when protocol is http. Default="" + # # retentionPolicy: "" + # ## InfluxDB username (only with http). Default="" + # # username: "" + # ## InfluxDB password (only with http). Default="" + # # password: "" + # ## The interval used by the exporter to push metrics to influxdb. Default=10s + # # pushInterval: 30s + # ## Additional labels (influxdb tags) on all metrics. + # # additionalLabels: + # # env: production + # # foo: bar + # ## Enable metrics on entry points. Default=true + # # addEntryPointsLabels: false + # ## Enable metrics on routers. Default=false + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false + # influxdb2: + # ## Address instructs exporter to send metrics to influxdb v2 at this address. + # address: localhost:8086 + # ## Token with which to connect to InfluxDB v2. + # token: xxx + # ## Organisation where metrics will be stored. + # org: "" + # ## Bucket where metrics will be stored. + # bucket: "" + # ## The interval used by the exporter to push metrics to influxdb. Default=10s + # # pushInterval: 30s + # ## Additional labels (influxdb tags) on all metrics. + # # additionalLabels: + # # env: production + # # foo: bar + # ## Enable metrics on entry points. Default=true + # # addEntryPointsLabels: false + # ## Enable metrics on routers. Default=false + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false + # statsd: + # ## Address instructs exporter to send metrics to statsd at this address. + # address: localhost:8125 + # ## The interval used by the exporter to push metrics to influxdb. Default=10s + # # pushInterval: 30s + # ## The prefix to use for metrics collection. Default="traefik" + # # prefix: traefik + # ## Enable metrics on entry points. 
Default=true + # # addEntryPointsLabels: false + # ## Enable metrics on routers. Default=false + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false + # openTelemetry: + # ## Address of the OpenTelemetry Collector to send metrics to. + # address: "localhost:4318" + # ## Enable metrics on entry points. + # addEntryPointsLabels: true + # ## Enable metrics on routers. + # addRoutersLabels: true + # ## Enable metrics on services. + # addServicesLabels: true + # ## Explicit boundaries for Histogram data points. + # explicitBoundaries: + # - "0.1" + # - "0.3" + # - "1.2" + # - "5.0" + # ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. + # headers: + # foo: bar + # test: test + # ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. + # insecure: true + # ## Interval at which metrics are sent to the OpenTelemetry Collector. + # pushInterval: 10s + # ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. + # path: /foo/v1/traces + # ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + # tls: + # ## The path to the certificate authority, it defaults to the system bundle. + # ca: path/to/ca.crt + # ## The path to the public certificate. When using this option, setting the key option is required. + # cert: path/to/foo.cert + # ## The path to the private key. When using this option, setting the cert option is required. + # key: path/to/key.key + # ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. + # insecureSkipVerify: true + # ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. 
+ # grpc: true + + ## + ## enable optional CRDs for Prometheus Operator + ## + ## Create a dedicated metrics service for use with ServiceMonitor + ## When hub.enabled is set to true, it's not needed: it will use hub service. + # service: + # enabled: false + # labels: {} + # annotations: {} + ## When set to true, it won't check if Prometheus Operator CRDs are deployed + # disableAPICheck: false + # serviceMonitor: + # metricRelabelings: [] + # - sourceLabels: [__name__] + # separator: ; + # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ + # replacement: $1 + # action: drop + # relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + # jobLabel: traefik + # interval: 30s + # honorLabels: true + # # (Optional) + # # scrapeTimeout: 5s + # # honorTimestamps: true + # # enableHttp2: true + # # followRedirects: true + # # additionalLabels: + # # foo: bar + # # namespace: "another-namespace" + # # namespaceSelector: {} + # prometheusRule: + # additionalLabels: {} + # namespace: "another-namespace" + # rules: + # - alert: TraefikDown + # expr: up{job="traefik"} == 0 + # for: 5m + # labels: + # context: traefik + # severity: warning + # annotations: + # summary: "Traefik Down" + # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" + + tracing: {} + # instana: + # localAgentHost: 127.0.0.1 + # localAgentPort: 42699 + # logLevel: info + # enableAutoProfile: true + # datadog: + # localAgentHostPort: 127.0.0.1:8126 + # debug: false + # globalTag: "" + # prioritySampling: false + # jaeger: + # samplingServerURL: http://localhost:5778/sampling + # samplingType: const + # samplingParam: 1.0 + # localAgentHostPort: 127.0.0.1:6831 + # gen128Bit: false + # propagation: jaeger + # traceContextHeaderName: uber-trace-id + # disableAttemptReconnecting: true + # collector: + # endpoint: "" + # user: "" + # password: "" + # zipkin: + # httpEndpoint: 
http://localhost:9411/api/v2/spans + # sameSpan: false + # id128Bit: true + # sampleRate: 1.0 + # haystack: + # localAgentHost: 127.0.0.1 + # localAgentPort: 35000 + # globalTag: "" + # traceIDHeaderName: "" + # parentIDHeaderName: "" + # spanIDHeaderName: "" + # baggagePrefixHeaderName: "" + # elastic: + # serverURL: http://localhost:8200 + # secretToken: "" + # serviceEnvironment: "" + + globalArguments: + - "--global.checknewversion=false" + - "--global.sendanonymoususage=false" + + # + # Configure Traefik static configuration + # Additional arguments to be passed at Traefik's binary + # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ + ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` + additionalArguments: + - "--serversTransport.insecureSkipVerify=true" + - "--log.level=DEBUG" + - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin + - --experimental.plugins.jwt.version=v0.7.0 + + + # Environment variables to be passed to Traefik's binary + env: [] + # - name: SOME_VAR + # value: some-var-value + # - name: SOME_VAR_FROM_CONFIG_MAP + # valueFrom: + # configMapRef: + # name: configmap-name + # key: config-key + # - name: SOME_SECRET + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # Configure ports + ports: + # The name of this one can't be changed as it is used for the readiness and + # liveness probes, but you can adjust its config to your liking + traefik: + port: 9000 + # Use hostPort if set. + # hostPort: 9000 + # + # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which + # means it's listening on all your interfaces and all your IPs. 
You may want + # to set this value if you need traefik to listen on specific interface + # only. + # hostIP: 192.168.100.10 + + # Override the liveness/readiness port. This is useful to integrate traefik + # with an external Load Balancer that performs healthchecks. + # Default: ports.traefik.port + # healthchecksPort: 9000 + + # Override the liveness/readiness scheme. Useful for getting ping to + # respond on websecure entryPoint. + # healthchecksScheme: HTTPS + + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9000 + # The port protocol (TCP/UDP) + protocol: TCP + web: + ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8000 + # hostPort: 8000 + expose: true + exposedPort: 80 + # The port protocol (TCP/UDP) + protocol: TCP + # Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer. + # nodePort: 32080 + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection + redirectTo: websecure + # + # Trust forwarded headers information (X-Forwarded-*). + # forwardedHeaders: + # trustedIPs: [] + # insecure: false + # + # Enable the Proxy Protocol header parsing for the entry point + # proxyProtocol: + # trustedIPs: [] + # insecure: false + websecure: + ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. 
+ # asDefault: true + port: 8443 + # hostPort: 8443 + expose: true + exposedPort: 443 + ## The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 + # + ## Enable HTTP/3 on the entrypoint + ## Enabling it will also enable http3 experimental feature + ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 + ## There are known limitations when trying to listen on same ports for + ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. + ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 + http3: + enabled: false + # advertisedPort: 4443 + # + ## Trust forwarded headers information (X-Forwarded-*). + #forwardedHeaders: + # trustedIPs: [] + # insecure: false + # + ## Enable the Proxy Protocol header parsing for the entry point + #proxyProtocol: + # trustedIPs: [] + # insecure: false + # + ## Set TLS at the entrypoint + ## https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: + enabled: true + # this is the name of a TLSOption definition + options: "" + certResolver: "" + domains: [] + # - main: example.com + # sans: + # - foo.example.com + # - bar.example.com + # + # One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares + # /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ + # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace + # middlewares: + # - namespace-name1@kubernetescrd + # - namespace-name2@kubernetescrd + middlewares: [] + metrics: + # When using hostNetwork, use another port to avoid conflict with node exporter: + # https://github.com/prometheus/prometheus/wiki/Default-port-allocations + port: 9100 + # hostPort: 9100 + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. 
+ # + # You may not want to expose the metrics port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9100 + # The port protocol (TCP/UDP) + protocol: TCP + + # TLS Options are created as TLSOption CRDs + # https://doc.traefik.io/traefik/https/tls/#tls-options + # When using `labelSelector`, you'll need to set labels on tlsOption accordingly. + # Example: + # tlsOptions: + # default: + # labels: {} + # sniStrict: true + # preferServerCipherSuites: true + # customOptions: + # labels: {} + # curvePreferences: + # - CurveP521 + # - CurveP384 + tlsOptions: {} + + # TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate + # https://doc.traefik.io/traefik/https/tls/#default-certificate + # Example: + # tlsStore: + # default: + # defaultCertificate: + # secretName: tls-cert + tlsStore: {} + + # Options for the main traefik service, where the entrypoints traffic comes + # from. + service: + enabled: true + ## Single service is using `MixedProtocolLBService` feature gate. + ## When set to false, it will create two Service, one for TCP and one for UDP. + single: true + type: LoadBalancer + # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} + # Additional annotations for TCP service only + annotationsTCP: {} + # Additional annotations for UDP service only + annotationsUDP: {} + # Additional service labels (e.g. for filtering Service by custom labels) + labels: {} + # Additional entries here will be added to the service spec. + # Cannot contain type, selector or ports entries. 
+ spec: + externalTrafficPolicy: Local + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" + loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 + externalIPs: [] + # - 1.2.3.4 + ## One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack + ## List of IP families (e.g. IPv4 and/or IPv6). + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + # ipFamilies: + # - IPv4 + # - IPv6 + ## + ## An additionnal and optional internal Service. + ## Same parameters as external Service + # internal: + # type: ClusterIP + # # labels: {} + # # annotations: {} + # # spec: {} + # # loadBalancerSourceRanges: [] + # # externalIPs: [] + # # ipFamilies: [ "IPv4","IPv6" ] + + ## Create HorizontalPodAutoscaler object. + ## + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: 80 + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + policies: + - type: Pods + value: 1 + periodSeconds: 60 + + # Enable persistence using Persistent Volume Claims + # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + # It can be used to store TLS certificates, see `storage` in certResolvers + persistence: + enabled: false + name: data + # existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi + # storageClass: "" + # volumeName: "" + path: /data + annotations: {} + # subPath: "" # only mount a subpath of the Volume into the pod + + certResolvers: {} + # letsencrypt: + # # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ + # email: email@example.com + # dnsChallenge: + # # also add the provider's required configuration under env + # # or expand then from secrets/configmaps with envfrom + # # cf. 
https://doc.traefik.io/traefik/https/acme/#providers + # provider: digitalocean + # # add futher options for the dns challenge as needed + # # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge + # delayBeforeCheck: 30 + # resolvers: + # - 1.1.1.1 + # - 8.8.8.8 + # tlsChallenge: true + # httpChallenge: + # entryPoint: "web" + # # It has to match the path with a persistent volume + # storage: /data/acme.json + + # If hostNetwork is true, runs traefik in the host network namespace + # To prevent unschedulabel pods due to port collisions, if hostNetwork=true + # and replicas>1, a pod anti-affinity is recommended and will be set if the + # affinity is left as default. + hostNetwork: false + + # Whether Role Based Access Control objects like roles and rolebindings should be created + rbac: + enabled: true + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. + # If set to true, installs Role and RoleBinding. Providers will only watch target namespace. + namespaced: false + # Enable user-facing roles + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + # aggregateTo: [ "admin" ] + + # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding + podSecurityPolicy: + enabled: false + + # The service account the pods will use to interact with the Kubernetes API + serviceAccount: + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template + name: "" + + # Additional serviceAccount annotations (e.g. for oidc authentication) + serviceAccountAnnotations: {} + + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "300m" + memory: "256Mi" + + # This example pod anti-affinity forces the scheduler to put traefik pods + # on nodes where no other traefik pods are scheduled. 
+ # It should be used when hostNetwork: true to prevent port conflicts + affinity: {} + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: '{{ template "traefik.name" . }}' + # app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' + # topologyKey: kubernetes.io/hostname + + nodeSelector: {} + tolerations: [] + topologySpreadConstraints: [] + # # This example topologySpreadConstraints forces the scheduler to put traefik pods + # # on nodes where no other traefik pods are scheduled. + # - labelSelector: + # matchLabels: + # app: '{{ template "traefik.name" . }}' + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + + # Pods can have priority. + # Priority indicates the importance of a Pod relative to other Pods. + priorityClassName: "" + + # Set the container security context + # To run the container with ports below 1024 this will need to be adjust to run as root + securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true + + podSecurityContext: + # # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and + # # permissions for the contents of each volume to match the fsGroup. This can + # # be an issue when storing sensitive content like TLS Certificates /!\ + # fsGroup: 65532 + fsGroupChangePolicy: "OnRootMismatch" + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + + # + # Extra objects to deploy (value evaluated as a template) + # + # In some cases, it can avoid the need for additional, extended or adhoc deployments. + # See #595 for more details and traefik/tests/values/extra.yaml for example. + extraObjects: [] + + # This will override the default Release Namespace for Helm. 
+ # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`
+ # namespaceOverride: traefik
+ #
+ ## This will override the default app.kubernetes.io/instance label for all Objects.
+ # instanceLabelOverride: traefik
diff --git a/master/uptimekuma/Chart.yaml b/master/uptimekuma/Chart.yaml
new file mode 100644
index 0000000..0dcf730
--- /dev/null
+++ b/master/uptimekuma/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: uptimekuma
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
diff --git a/master/uptimekuma/templates/deployment.yaml b/master/uptimekuma/templates/deployment.yaml
new file mode 100644
index 0000000..21ce3c0
--- /dev/null
+++ b/master/uptimekuma/templates/deployment.yaml
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ component: uptime-kuma
+ name: deployment
+spec:
+ selector:
+ matchLabels:
+ component: uptime-kuma
+ replicas: 1
+ strategy:
+ type: Recreate
+
+ template:
+ metadata:
+ labels:
+ component: uptime-kuma
+ spec:
+ containers:
+ - name: app
+ image: registry.internal.durp.info/louislam/uptime-kuma:1
+ ports:
+ - containerPort: 3001
+ volumeMounts:
+ - mountPath: /app/data
+ name: storage
+ #livenessProbe:
+ #exec:
+ #command:
+ #- node
+ #- extra/healthcheck.js
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 3001
+ scheme: HTTP
+
+ volumes:
+ - name: storage
+ persistentVolumeClaim:
+ claimName: uptimekuma-pvc
diff --git a/master/uptimekuma/templates/ingress.yaml b/master/uptimekuma/templates/ingress.yaml
new file mode 100644
index 0000000..3df2689
--- /dev/null
+++ b/master/uptimekuma/templates/ingress.yaml
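Review bot: The uptime-kuma container in deployment.yaml has no securityContext and no resource limits, while the Traefik values in this same diff drop all capabilities and enforce runAsNonRoot; the pod should get the same hardening rather than running with default privileges. The image is also referenced by the floating tag `uptime-kuma:1`, so every restart may pull a different build from the internal registry — pin an exact tag or, better, an `@sha256:` digest. runAsNonRoot only works if the image's entrypoint does not need root; if it does, set runAsUser/fsGroup to the image's unprivileged uid instead (confirm against the image). The `livenessProbe` is left commented out, so a wedged process is never restarted; the resource sizes below are placeholders to be tuned.
```yaml
      containers:
      - name: app
        image: registry.internal.durp.info/louislam/uptime-kuma:1  # TODO: pin to an exact tag or @sha256 digest
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            memory: 512Mi
        # … unchanged: ports, volumeMounts, readinessProbe …
```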
@@ -0,0 +1,45 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: kuma-ingress
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`kuma.durp.info`) && PathPrefix(`/`)
+ middlewares:
+ - name: authentik-proxy-provider
+ namespace: traefik
+ kind: Rule
+ services:
+ - name: service
+ port: 3001
+ tls:
+ secretName: kuma-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: kuma-tls
+spec:
+ secretName: kuma-tls
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: "kuma.durp.info"
+ dnsNames:
+ - "kuma.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+ name: heimdall-external-dns
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: kuma.durp.info
+spec:
+ type: ExternalName
+ externalName: durp.info
diff --git a/master/uptimekuma/templates/kuma-pv.yaml b/master/uptimekuma/templates/kuma-pv.yaml
new file mode 100644
index 0000000..e17e5a7
--- /dev/null
+++ b/master/uptimekuma/templates/kuma-pv.yaml
@@ -0,0 +1,25 @@
+#apiVersion: v1
+#kind: PersistentVolume
+#metadata:
+# annotations:
+# pv.kubernetes.io/provisioned-by: durp.info/nfs
+# finalizers:
+# - kubernetes.io/pv-protection
+# name: uptimekuma-pv
+#spec:
+# accessModes:
+# - ReadWriteMany
+# capacity:
+# storage: 10Gi
+# claimRef:
+# apiVersion: v1
+# kind: PersistentVolumeClaim
+# name: uptimekuma-pvc
+# namespace: uptimekuma
+# nfs:
+# path: /mnt/user/k3s/uptimekuma
+# server: 192.168.20.253
+# persistentVolumeReclaimPolicy: Retain
+# storageClassName: nfs-storage
+# volumeMode: Filesystem
+#
\ No newline at end of file
diff --git a/master/uptimekuma/templates/kuma-pvc.yaml b/master/uptimekuma/templates/kuma-pvc.yaml
new file mode 100644
index 0000000..ab76bf0
--- /dev/null
+++ b/master/uptimekuma/templates/kuma-pvc.yaml
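Review bot: The ExternalName Service in ingress.yaml is named `heimdall-external-dns` although it publishes `kuma.durp.info`, which reads as a copy-paste from another chart; rename it `kuma-external-dns` so the owner of that DNS record is obvious when external-dns output is audited. That Service makes Uptime Kuma reachable from the public Internet with only the `authentik-proxy-provider` forward-auth middleware in front of it, whereas the vault route in this diff also applies the `whitelist` middleware — confirm that public exposure is intended, and note that the Kuma websocket/API paths are covered only if the proxy provider enforces auth on every request. The PathPrefix('/') term in the match is redundant with the Host rule. The `traefik.containo.us/v1alpha1` group is the legacy API; if the cluster runs Traefik v3 the resource is not served and the route silently disappears, so prefer `traefik.io/v1alpha1` where the installed version supports it.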
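Review bot: kuma-pv.yaml is entirely commented out, so it renders to an empty manifest and is dead configuration, yet it still records an NFS server address and export path — internal topology that is better not committed to a public repository at all. Either delete the file or keep the PersistentVolume live and parameterised; an all-comment template under `templates/` is easy to mistake for an active resource during a later review.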
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: uptimekuma-pvc
+ namespace: uptimekuma
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: longhorn
\ No newline at end of file
diff --git a/master/uptimekuma/templates/service.yaml b/master/uptimekuma/templates/service.yaml
new file mode 100644
index 0000000..cad08e7
--- /dev/null
+++ b/master/uptimekuma/templates/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: service
+spec:
+ selector:
+ component: uptime-kuma
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 3001
+ targetPort: 3001
+ protocol: TCP
\ No newline at end of file
diff --git a/master/vault/Chart.yaml b/master/vault/Chart.yaml
new file mode 100644
index 0000000..1ad2d4a
--- /dev/null
+++ b/master/vault/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+name: vault
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: vault
+ repository: https://helm.releases.hashicorp.com
+ version: 0.28.1
+
diff --git a/master/vault/templates/ingress.yaml b/master/vault/templates/ingress.yaml
new file mode 100644
index 0000000..8998087
--- /dev/null
+++ b/master/vault/templates/ingress.yaml
@@ -0,0 +1,37 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: vault-ingress
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`vault.internal.durp.info`)
+ middlewares:
+ - name: whitelist
+ namespace: traefik
+ kind: Rule
+ services:
+ - name: vault
+ port: 8200
+ scheme: http
+ tls:
+ secretName: vault-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: vault-tls
+spec:
+ secretName: vault-tls
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: "vault.internal.durp.info"
+ dnsNames:
+ - "vault.internal.durp.info"
+
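Review bot: kuma-pvc.yaml hard-codes `namespace: uptimekuma` while the Deployment and Service in the same chart carry no namespace, so if the Argo CD application is ever pointed at a different destination namespace the claim lands elsewhere and the pod sits Pending on a missing volume — drop the field or use `namespace: {{ .Release.Namespace }}`. `ReadWriteMany` is also more than a single-replica `Recreate` deployment needs; on Longhorn an RWX volume is served through an extra share-manager (NFS) pod, so `ReadWriteOnce` is both the smaller attack surface and the simpler choice. The file also lacks a trailing newline.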
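Review bot: The `cert-manager.io/cluster-issuer` annotation on the vault IngressRoute is a no-op: cert-manager's ingress-shim only reacts to `Ingress` objects, and the certificate here is really issued by the explicit `Certificate` resource below it, so remove the annotation to avoid implying it does something. The route forwards to Vault with `scheme: http`, so TLS terminates at Traefik and Vault tokens cross the cluster network in cleartext; that is consistent with the plaintext `server` URL in secret-store.yaml (and, as far as I recall, the chart's `global.tlsDisable` default that these values do not override), but it means anyone able to sniff pod traffic in the vault namespace reads every token — fine for a homelab only as an explicit decision, worth a comment on the `scheme: http` line. A public Let's Encrypt certificate for `vault.internal.durp.info` also lands that hostname in CT logs, so the `whitelist` middleware is the only thing keeping Vault off the Internet; make sure it evaluates the real client address (the Traefik Service in this diff uses `externalTrafficPolicy: Local`, which preserves it).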
diff --git a/master/vault/templates/secret-store.yaml b/master/vault/templates/secret-store.yaml
new file mode 100644
index 0000000..e7cca3a
--- /dev/null
+++ b/master/vault/templates/secret-store.yaml
@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault
+spec:
+ provider:
+ vault:
+ server: "http://vault.vault.svc.cluster.local:8200"
+ path: "secrets"
+ version: "v2"
+ auth:
+ kubernetes:
+ mountPath: "kubernetes"
+ role: "external-secrets"
diff --git a/master/vault/values.yaml b/master/vault/values.yaml
new file mode 100644
index 0000000..b7c6d88
--- /dev/null
+++ b/master/vault/values.yaml
@@ -0,0 +1,65 @@
+vault:
+
+ global:
+
+ image:
+ repository: "registry.internal.durp.info/hashicorp/vault-k8s"
+ tag: "1.4.2"
+ pullPolicy: Always
+
+ agentImage:
+ repository: "registry.internal.durp.info/hashicorp/vault"
+ tag: "1.17.6"
+
+ injector:
+ enabled: "-"
+
+ replicas: 3
+ leaderElector:
+ enabled: true
+
+ metrics:
+ enabled: true
+
+ image:
+ repository: "registry.internal.durp.info/hashicorp/vault-k8s"
+ tag: "1.4.2"
+ pullPolicy: Always
+
+ agentImage:
+ repository: "registry.internal.durp.info/hashicorp/vault"
+ tag: "1.17.6"
+
+ server:
+ enabled: "-"
+ image:
+ repository: "registry.internal.durp.info/hashicorp/vault"
+ tag: "1.17.6"
+ pullPolicy: Always
+ ha:
+ enabled: false
+ replicas: 3
+ resources:
+ requests:
+ memory: 256Mi
+ cpu: 250m
+ limits:
+ memory: 256Mi
+ cpu: 250m
+
+ dataStorage:
+ enabled: true
+ size: 10Gi
+ storageClass: longhorn
+ accessMode: ReadWriteOnce
+ auditStorage:
+ enabled: false
+ size: 10Gi
+ mountPath: "/vault/audit"
+ storageClass: longhorn
+ accessMode: ReadWriteOnce
+ ui:
+ enabled: false
+ externalPort: 8200
+ targetPort: 8200
+
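Review bot: A `ClusterSecretStore` with no `spec.conditions` can be referenced by an ExternalSecret from any namespace, so every workload that can create ExternalSecrets gets read access to everything the Vault role `external-secrets` is allowed to read. Restrict it, e.g. `conditions: [{namespaceSelector: {matchLabels: {vault-access: "true"}}}]` (or an explicit `namespaces:` list), and keep the Vault policy bound to that role as narrow as the consuming namespaces need. The `server` URL is plain `http://`, consistent with the vault ingress in this diff, but deserves a one-line comment so nobody later assumes ESO is verifying a certificate on this path.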
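Review bot: `auditStorage.enabled: false` leaves Vault with no persistent audit volume, and nothing in this diff enables an audit device, so secret reads made through the ClusterSecretStore leave no trail — enable the volume and run `vault audit enable file file_path=/vault/audit/vault.log` as part of initialisation. With `server.ha.enabled: false` the `ha.replicas: 3` line is dead config (standalone mode runs one pod against the single `dataStorage` PVC); either remove it or actually turn on HA with the Raft backend. Every image uses a mutable tag together with `pullPolicy: Always`, so whatever the internal registry serves under that tag is what runs after each pod restart — pin by digest for Vault in particular. The `image`/`agentImage` maps under `global` do not look like keys the vault chart reads (it reads them under `injector` and `server`, where they are already set); verify against chart 0.28.1's values.yaml and delete the unused copy.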