diff --git a/.gitignore b/.gitignore index 485dee6..d32217b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ +*/.terraform +*/.terraform.lock.hcl .idea diff --git a/Untitled b/Untitled new file mode 100644 index 0000000..c59860f --- /dev/null +++ b/Untitled @@ -0,0 +1,4 @@ +VAULT_HELM_SECRET_NAME=$(kubectl get secrets -n vault --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name') +TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode) +KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode) +KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}') diff --git a/argocd/templates/InternalProxy.yaml b/argocd/templates/InternalProxy.yaml deleted file mode 100644 index 1769a19..0000000 --- a/argocd/templates/InternalProxy.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: internalproxy - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: main - path: internalproxy - directory: - recurse: true - destination: - server: https://kubernetes.default.svc - namespace: internalproxy - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - diff --git a/argocd/templates/external-secrets.yaml b/argocd/templates/external-secrets.yaml deleted file mode 100644 index cf8a595..0000000 --- a/argocd/templates/external-secrets.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: external-secrets - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: main - path: external-secrets - destination: - namespace: external-secrets - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/argocd/templates/gatekeeper.yaml b/argocd/templates/gatekeeper.yaml deleted file mode 100644 index 5c60c12..0000000 --- a/argocd/templates/gatekeeper.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: gatekeeper - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: main - path: gatekeeper - destination: - namespace: gatekeeper - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/argocd/templates/gitlab-runner.yaml b/argocd/templates/gitlab-runner.yaml deleted file mode 100644 index c5539d7..0000000 --- a/argocd/templates/gitlab-runner.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: gitlab-runner - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: main - path: gitlab-runner - destination: - namespace: gitlab-runner - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - diff --git a/argocd/templates/heimdall.yaml b/argocd/templates/heimdall.yaml deleted file mode 100644 index d695e34..0000000 --- a/argocd/templates/heimdall.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: heimdall - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: main - path: heimdall - destination: - namespace: heimdall - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/argocd/templates/krakend.yaml b/argocd/templates/krakend.yaml deleted file mode 100644 index 68a57d1..0000000 --- a/argocd/templates/krakend.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: krakend - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: main - path: krakend - destination: - namespace: krakend - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/argocd/templates/kubeclarity.yaml b/argocd/templates/kubeclarity.yaml deleted file mode 100644 index c812528..0000000 --- a/argocd/templates/kubeclarity.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kubeclarity - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: main - path: kubeclarity - destination: - namespace: kubeclarity - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/argocd/templates/open-webui.yaml b/argocd/templates/open-webui.yaml deleted file mode 100644 index a2b25fa..0000000 --- a/argocd/templates/open-webui.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: open-webui - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: main - path: open-webui - destination: - namespace: open-webui - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/argocd/templates/secrets.yaml b/argocd/templates/secrets.yaml deleted file mode 100644 index baeaaee..0000000 --- a/argocd/templates/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vault-argocd - labels: - app.kubernetes.io/part-of: argocd -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: client-secret - data: - - secretKey: clientSecret - remoteRef: - key: secrets/argocd/authentik - property: clientsecret diff --git a/argocd/templates/traefik.yaml b/argocd/templates/traefik.yaml deleted file mode 100644 index 3995a9f..0000000 --- a/argocd/templates/traefik.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: traefik - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: main - path: traefik - destination: - namespace: traefik - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/argocd/templates/vault.yaml b/argocd/templates/vault.yaml deleted file mode 100644 index 6e243c5..0000000 --- a/argocd/templates/vault.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: vault - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: main - path: vault - destination: - namespace: vault - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ignoreDifferences: - - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration - jqPathExpressions: - - .webhooks[]?.clientConfig.caBundle diff --git a/authentik/templates/authentik-pv.yaml b/authentik/templates/authentik-pv.yaml deleted file mode 100644 index 8fbc2e2..0000000 --- a/authentik/templates/authentik-pv.yaml +++ /dev/null @@ -1,24 +0,0 @@ -#apiVersion: v1 -#kind: PersistentVolume -#metadata: -# annotations: -# pv.kubernetes.io/provisioned-by: durp.info/nfs -# finalizers: -# - kubernetes.io/pv-protection -# name: authentik-pv -#spec: -# accessModes: -# - ReadWriteMany -# capacity: -# storage: 10Gi -# claimRef: -# apiVersion: v1 -# kind: PersistentVolumeClaim -# name: authentik-pvc -# namespace: authentik -# nfs: -# path: /mnt/user/k3s/authentik -# server: 192.168.20.253 -# persistentVolumeReclaimPolicy: Retain -# storageClassName: nfs-storage -# volumeMode: Filesystem diff --git a/authentik/templates/authentik-pvc.yaml b/authentik/templates/authentik-pvc.yaml deleted file mode 100644 index f22640b..0000000 --- a/authentik/templates/authentik-pvc.yaml +++ /dev/null @@ -1,18 +0,0 @@ -#apiVersion: v1 -#kind: PersistentVolumeClaim -#metadata: -# labels: -# app.kubernetes.io/component: app -# app.kubernetes.io/instance: authentik -# app.kubernetes.io/managed-by: Helm -# app.kubernetes.io/name: authentik -# helm.sh/chart: authentik-2.14.4 -# name: authentik-pvc -# namespace: authentik -#spec: -# accessModes: -# - ReadWriteMany -# resources: -# requests: -# storage: 10Gi -# storageClassName: nfs-storage \ No newline at end of file diff --git a/bitwarden/templates/bitwarden-pv.yaml b/bitwarden/templates/bitwarden-pv.yaml deleted file mode 100644 index ff647d1..0000000 --- a/bitwarden/templates/bitwarden-pv.yaml +++ /dev/null @@ -1,25 +0,0 @@ -#apiVersion: v1 -#kind: PersistentVolume -#metadata: -# annotations: -# pv.kubernetes.io/provisioned-by: durp.info/nfs -# finalizers: -# - kubernetes.io/pv-protection -# name: bitwarden-pv -#spec: -# accessModes: -# - ReadWriteMany -# capacity: -# storage: 10Gi -# claimRef: -# apiVersion: v1 -# kind: PersistentVolumeClaim -# name: bitwarden-pvc -# namespace: bitwarden -# nfs: -# path: /mnt/user/k3s/bitwarden -# server: 192.168.20.253 -# persistentVolumeReclaimPolicy: Retain -# storageClassName: nfs-storage -# volumeMode: Filesystem -# \ No newline at end of file diff --git a/bitwarden/templates/deployment.yaml b/bitwarden/templates/deployment.yaml deleted file mode 100644 index d6e1788..0000000 --- a/bitwarden/templates/deployment.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: bitwarden - name: bitwarden - labels: - app: bitwarden -spec: - selector: - matchLabels: - app: bitwarden - replicas: 1 - template: - metadata: - labels: - app: bitwarden - spec: - containers: - - name: bitwarden - image: registry.internal.durp.info/vaultwarden/server:1.30.3 - imagePullPolicy: Always - volumeMounts: - - name: bitwarden-pvc - mountPath: /data - subPath: bitwaren-data - ports: - - name: http - containerPort: 80 - env: - - name: SIGNUPS_ALLOWED - value: "FALSE" - - name: INVITATIONS_ALLOWED - value: "FALSE" - - name: WEBSOCKET_ENABLED - value: "TRUE" - - name: ROCKET_ENV - value: "staging" - - name: ROCKET_PORT - value: "80" - - name: ROCKET_WORKERS - value: "10" - - name: SECRET_USERNAME - valueFrom: - secretKeyRef: - name: bitwarden-secret - key: ADMIN_TOKEN - volumes: - - name: bitwarden-pvc - persistentVolumeClaim: - claimName: bitwarden-pvc diff --git a/cert-manager/templates/letsencrypt-prroduction.yaml b/cert-manager/templates/letsencrypt-prroduction.yaml deleted file mode 100644 index 034ed9b..0000000 --- a/cert-manager/templates/letsencrypt-prroduction.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-production -spec: - acme: - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-production - solvers: - - dns01: - cloudflare: - email: developerdurp@durp.info - apiTokenSecretRef: - name: cloudflare-api-token-secret - key: cloudflare-api-token-secret diff --git a/cert-manager/templates/letsencrypt-staging.yaml b/cert-manager/templates/letsencrypt-staging.yaml deleted file mode 100644 index b6ae4f9..0000000 --- a/cert-manager/templates/letsencrypt-staging.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-staging -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-staging - solvers: - - dns01: - cloudflare: - email: developerdurp@durp.info - apiTokenSecretRef: - name: cloudflare-api-token-secret - key: cloudflare-api-token-secret \ No newline at end of file diff --git a/crossplane/templates/gitlab.yml b/crossplane/templates/gitlab.yml deleted file mode 100644 index 3a20b9c..0000000 --- a/crossplane/templates/gitlab.yml +++ /dev/null @@ -1,55 +0,0 @@ -apiVersion: pkg.crossplane.io/v1 -kind: Provider -metadata: - name: provider-gitlab -spec: - package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.5.0 ---- - -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: gitlab-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: gitlab-secret - data: - - secretKey: accesstoken - remoteRef: - key: secrets/gitlab/token - property: accesstoken - ---- - -#apiVersion: gitlab.crossplane.io/v1beta1 -#kind: ProviderConfig -#metadata: -# name: gitlab-provider -#spec: -# baseURL: https://gitlab.com/ -# credentials: -# source: Secret -# secretRef: -# namespace: crossplane -# name: gitlab-secret -# key: accesstoken -# -#--- -# -#apiVersion: projects.gitlab.crossplane.io/v1alpha1 -#kind: Project -#metadata: -# name: example-project -#spec: -# deletionPolicy: Orphan -# forProvider: -# name: "Example Project" -# description: "example project description" -# providerConfigRef: -# name: gitlab-provider -# policy: -# resolution: Optional -# resolve: Always diff --git a/dashboards/nginx-dashboard.yaml b/dashboards/nginx-dashboard.yaml deleted file mode 100644 index 333a6c5..0000000 --- a/dashboards/nginx-dashboard.yaml +++ /dev/null @@ -1,1506 +0,0 @@ -apiVersion: v1 -data: - nginx-ingress-controller_rev1.json: |- - { - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "datasource", - "uid": "grafana" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "target": { - "limit": 100, - "matchAny": false, - "tags": [], - "type": "dashboard" - }, - "type": "dashboard" - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "enable": true, - "expr": "sum(changes(nginx_ingress_controller_config_last_reload_successful_timestamp_seconds{instance!=\"unknown\",controller_class=~\"$controller_class\",namespace=~\"$namespace\"}[30s])) by (controller_class)", - "hide": false, - "iconColor": "rgba(255, 96, 96, 1)", - "limit": 100, - "name": "Config Reloads", - "showIn": 0, - "step": "30s", - "tagKeys": "controller_class", - "tags": [], - "titleFormat": "Config Reloaded", - "type": "tags" - } - ] - }, - "description": "Ingress-nginx supports a rich collection of prometheus metrics. If you have prometheus and grafana installed on your cluster then prometheus will already be scraping this data due to the scrape annotation on the deployment.", - "editable": true, - "fiscalYearStartMonth": 0, - "gnetId": 9614, - "graphTooltip": 0, - "id": 27, - "links": [], - "liveNow": false, - "panels": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "rgb(31, 120, 193)", - "mode": "fixed" - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "ops" - }, - "overrides": [] - }, - "id": 20, - "links": [], - "maxDataPoints": 100, - "options": { - "colorMode": "none", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "horizontal", - "reduceOptions": { - "calcs": [ - "mean" - ], - "fields": "", - "values": false - }, - "textMode": "auto" - }, - "pluginVersion": "9.1.6", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "round(sum(irate(nginx_ingress_controller_requests{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",namespace=~\"$namespace\"}[2m])), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "title": "Controller Request Volume", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "rgb(31, 120, 193)", - "mode": "fixed" - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [] - }, - "gridPos": { - "h": 3, - "w": 6, - "x": 6, - "y": 0 - }, - "id": 82, - "links": [], - "maxDataPoints": 100, - "options": { - "colorMode": "none", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "horizontal", - "reduceOptions": { - "calcs": [ - "mean" - ], - "fields": "", - "values": false - }, - "textMode": "auto" - }, - "pluginVersion": "9.1.6", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "sum(avg_over_time(nginx_ingress_controller_nginx_process_connections{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\"}[2m]))", - "format": "time_series", - "instant": false, - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "title": "Controller Connections", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "rgb(31, 120, 193)", - "mode": "fixed" - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(245, 54, 54, 0.9)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 95 - }, - { - "color": "rgba(50, 172, 45, 0.97)", - "value": 99 - } - ] - }, - "unit": "percentunit" - }, - "overrides": [] - }, - "gridPos": { - "h": 3, - "w": 6, - "x": 12, - "y": 0 - }, - "id": 21, - "links": [], - "maxDataPoints": 100, - "options": { - "colorMode": "none", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "horizontal", - "reduceOptions": { - "calcs": [ - "mean" - ], - "fields": "", - "values": false - }, - "textMode": "auto" - }, - "pluginVersion": "9.1.6", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "sum(rate(nginx_ingress_controller_requests{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",namespace=~\"$namespace\",status!~\"[4-5].*\"}[2m])) / sum(rate(nginx_ingress_controller_requests{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",namespace=~\"$namespace\"}[2m]))", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "title": "Controller Success Rate (non-4|5xx responses)", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "rgb(31, 120, 193)", - "mode": "fixed" - }, - "decimals": 0, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [] - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 18, - "y": 0 - }, - "id": 81, - "links": [], - "maxDataPoints": 100, - "options": { - "colorMode": "none", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "horizontal", - "reduceOptions": { - "calcs": [ - "mean" - ], - "fields": "", - "values": false - }, - "textMode": "auto" - }, - "pluginVersion": "9.1.6", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "avg(nginx_ingress_controller_success{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\"})", - "format": "time_series", - "instant": true, - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "title": "Config Reloads", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "rgb(31, 120, 193)", - "mode": "fixed" - }, - "decimals": 0, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [] - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 21, - "y": 0 - }, - "id": 83, - "links": [], - "maxDataPoints": 100, - "options": { - "colorMode": "none", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "horizontal", - "reduceOptions": { - "calcs": [ - "mean" - ], - "fields": "", - "values": false - }, - "textMode": "auto" - }, - "pluginVersion": "9.1.6", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "count(nginx_ingress_controller_config_last_reload_successful{controller_pod=~\"$controller\",controller_namespace=~\"$namespace\"} == 0)", - "format": "time_series", - "instant": true, - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "title": "Last Config Failed", - "type": "stat" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "decimals": 2, - "editable": true, - "error": false, - "fill": 1, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 3 - }, - "height": "200px", - "hiddenSeries": false, - "id": 86, - "isNew": true, - "legend": { - "alignAsTable": true, - "avg": true, - "current": false, - "hideEmpty": false, - "hideZero": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "sideWidth": 300, - "sort": "current", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "9.1.6", - "pointradius": 5, - "points": false, - "renderer": "flot", - "repeatDirection": "h", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "round(sum(irate(nginx_ingress_controller_requests{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (ingress), 0.001)", - "format": "time_series", - "hide": false, - "instant": false, - "interval": "", - "intervalFactor": 1, - "legendFormat": "{{ ingress }}", - "metric": "network", - "refId": "A", - "step": 10 - } - ], - "thresholds": [], - "timeRegions": [], - "title": "Ingress Request Volume", - "tooltip": { - "msResolution": false, - "shared": true, - "sort": 2, - "value_type": "cumulative" - }, - "type": "graph", - "xaxis": { - "mode": "time", - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "reqps", - "logBase": 1, - "show": true - }, - { - "format": "Bps", - "logBase": 1, - "show": false - } - ], - "yaxis": { - "align": false - } - }, - { - "aliasColors": { - "max - istio-proxy": "#890f02", - "max - master": "#bf1b00", - "max - prometheus": "#bf1b00" - }, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "decimals": 2, - "editable": false, - "error": false, - "fill": 0, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 3 - }, - "hiddenSeries": false, - "id": 87, - "isNew": true, - "legend": { - "alignAsTable": true, - "avg": true, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "sideWidth": 300, - "sort": "avg", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "9.1.6", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "sum(rate(nginx_ingress_controller_requests{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",namespace=~\"$namespace\",ingress=~\"$ingress\",status!~\"[4-5].*\"}[2m])) by (ingress) / sum(rate(nginx_ingress_controller_requests{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (ingress)", - "format": "time_series", - "instant": false, - "interval": "10s", - "intervalFactor": 1, - "legendFormat": "{{ ingress }}", - "metric": "container_memory_usage:sort_desc", - "refId": "A", - "step": 10 - } - ], - "thresholds": [], - "timeRegions": [], - "title": "Ingress Success Rate (non-4|5xx responses)", - "tooltip": { - "msResolution": false, - "shared": true, - "sort": 1, - "value_type": "cumulative" - }, - "type": "graph", - "xaxis": { - "mode": "time", - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "percentunit", - "logBase": 1, - "show": true - }, - { - "format": "short", - "logBase": 1, - "show": false - } - ], - "yaxis": { - "align": false - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "decimals": 2, - "editable": true, - "error": false, - "fill": 1, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 10 - }, - "height": "200px", - "hiddenSeries": false, - "id": 32, - "isNew": true, - "legend": { - "alignAsTable": false, - "avg": true, - "current": true, - "max": false, - "min": false, - "rightSide": false, - "show": false, - "sideWidth": 200, - "sort": "current", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "9.1.6", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "sum (irate (nginx_ingress_controller_request_size_sum{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\"}[2m]))", - "format": "time_series", - "instant": false, - "interval": "10s", - "intervalFactor": 1, - "legendFormat": "Received", - "metric": "network", - "refId": "A", - "step": 10 - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "- sum (irate (nginx_ingress_controller_response_size_sum{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\"}[2m]))", - "format": "time_series", - "hide": false, - "interval": "10s", - "intervalFactor": 1, - "legendFormat": "Sent", - "metric": "network", - "refId": "B", - "step": 10 - } - ], - "thresholds": [], - "timeRegions": [], - "title": "Network I/O pressure", - "tooltip": { - "msResolution": false, - "shared": true, - "sort": 0, - "value_type": "cumulative" - }, - "type": "graph", - "xaxis": { - "mode": "time", - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "logBase": 1, - "show": true - }, - { - "format": "Bps", - "logBase": 1, - "show": false - } - ], - "yaxis": { - "align": false - } - }, - { - "aliasColors": { - "max - istio-proxy": "#890f02", - "max - master": "#bf1b00", - "max - prometheus": "#bf1b00" - }, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "decimals": 2, - "editable": false, - "error": false, - "fill": 0, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 10 - }, - "hiddenSeries": false, - "id": 77, - "isNew": true, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": false, - "min": false, - "rightSide": false, - "show": false, - "sideWidth": 200, - "sort": "current", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "9.1.6", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "avg(nginx_ingress_controller_nginx_process_resident_memory_bytes{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\"}) ", - "format": "time_series", - "instant": false, - "interval": "10s", - "intervalFactor": 1, - "legendFormat": "nginx", - "metric": "container_memory_usage:sort_desc", - "refId": "A", - "step": 10 - } - ], - "thresholds": [], - "timeRegions": [], - "title": "Average Memory Usage", - "tooltip": { - "msResolution": false, - "shared": true, - "sort": 2, - "value_type": "cumulative" - }, - "type": "graph", - "xaxis": { - "mode": "time", - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "logBase": 1, - "show": true - }, - { - "format": "short", - "logBase": 1, - "show": false - } - ], - "yaxis": { - "align": false - } - }, - { - "aliasColors": { - "max - istio-proxy": "#890f02", - "max - master": "#bf1b00" - }, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "decimals": 3, - "editable": false, - "error": false, - "fill": 0, - "fillGradient": 0, - "grid": {}, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 10 - }, - "height": "", - "hiddenSeries": false, - "id": 79, - "isNew": true, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "max": false, - "min": false, - "rightSide": false, - "show": false, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "9.1.6", - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "sum (rate (nginx_ingress_controller_nginx_process_cpu_seconds_total{controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\"}[2m])) ", - "format": "time_series", - "interval": "10s", - "intervalFactor": 1, - "legendFormat": "nginx", - "metric": "container_cpu", - "refId": "A", - "step": 10 - } - ], - "thresholds": [ - { - "colorMode": "critical", - "fill": true, - "line": true, - "op": "gt" - } - ], - "timeRegions": [], - "title": "Average CPU Usage", - "tooltip": { - "msResolution": true, - "shared": true, - "sort": 2, - "value_type": "cumulative" - }, - "type": "graph", - "xaxis": { - "mode": "time", - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "none", - "label": "cores", - "logBase": 1, - "show": true - }, - { - "format": "short", - "logBase": 1, - "show": true - } - ], - "yaxis": { - "align": false - } - }, - { - "columns": [], - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "fontSize": "100%", - "gridPos": { - "h": 8, - "w": 24, - "x": 0, - "y": 16 - }, - "hideTimeOverride": false, - "id": 75, - "links": [], - "pageSize": 7, - "repeatDirection": "h", - "scroll": true, - "showHeader": true, - "sort": { - "col": 1, - "desc": true - }, - "styles": [ - { - "alias": "Ingress", - "align": "auto", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "ingress", - "preserveFormat": false, - "sanitize": false, - "thresholds": [], - "type": "string", - "unit": "short" - }, - { - "alias": "Requests", - "align": "auto", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #A", - "thresholds": [ - "" - ], - "type": "number", - "unit": "ops" - }, - { - "alias": "Errors", - "align": "auto", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #B", - "thresholds": [], - "type": "number", - "unit": "ops" - }, - { - "alias": "P50 Latency", - "align": "auto", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 0, - "link": false, - "pattern": "Value #C", - "thresholds": [], - "type": "number", - "unit": "dtdurations" - }, - { - "alias": "P90 Latency", - "align": "auto", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 0, - "pattern": "Value #D", - "thresholds": [], - "type": "number", - "unit": "dtdurations" - }, - { - "alias": "P99 Latency", - "align": "auto", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 0, - "pattern": "Value #E", - "thresholds": [], - "type": "number", - "unit": "dtdurations" - }, - { - "alias": "IN", - "align": "auto", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #F", - "thresholds": [ - "" - ], - "type": "number", - "unit": "Bps" - }, - { - "alias": "", - "align": "auto", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Time", - "thresholds": [], - "type": "hidden", - "unit": "short" - }, - { - "alias": "OUT", - "align": "auto", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "mappingType": 1, - "pattern": "Value #G", - "thresholds": [], - "type": "number", - "unit": "Bps" - } - ], - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "histogram_quantile(0.50, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le, ingress))", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ ingress }}", - "refId": "C" - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "histogram_quantile(0.90, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le, ingress))", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ ingress }}", - "refId": "D" - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "histogram_quantile(0.99, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le, ingress))", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }}", - "refId": "E" - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "sum(irate(nginx_ingress_controller_request_size_sum{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (ingress)", - "format": "table", - "hide": false, - "instant": true, - "interval": "", - "intervalFactor": 1, - "legendFormat": "{{ ingress }}", - "refId": "F" - }, - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "sum(irate(nginx_ingress_controller_response_size_sum{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (ingress)", - "format": "table", - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ ingress }}", - "refId": "G" - } - ], - "title": "Ingress Percentile Response Times and Transfer Rates", - "transform": "table", - "type": "table-old" - }, - { - "columns": [ - { - "text": "Current", - "value": "current" - } - ], - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "fontSize": "100%", - "gridPos": { - "h": 8, - "w": 24, - "x": 0, - "y": 24 - }, - "height": "1024", - "id": 85, - "links": [], - "pageSize": 7, - "scroll": true, - "showHeader": true, - "sort": { - "col": 1, - "desc": false - }, - "styles": [ - { - "alias": "Time", - "align": "auto", - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "pattern": "Time", - "type": "date" - }, - { - "alias": "TTL", - "align": "auto", - "colorMode": "cell", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 0, - "pattern": "Current", - "thresholds": [ - "0", - "691200" - ], - "type": "number", - "unit": "s" - }, - { - "alias": "", - "align": "auto", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "decimals": 2, - "pattern": "/.*/", - "thresholds": [], - "type": "number", - "unit": "short" - } - ], - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "expr": "avg(nginx_ingress_controller_ssl_expire_time_seconds{kubernetes_pod_name=~\"$controller\",namespace=~\"$namespace\",ingress=~\"$ingress\"}) by (host) - time()", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ host }}", - "metric": "gke_letsencrypt_cert_expiration", - "refId": "A", - "step": 1 - } - ], - "title": "Ingress Certificate Expiry", - "transform": "timeseries_aggregations", - "type": "table-old" - } - ], - "refresh": "5s", - "schemaVersion": 37, - "style": "dark", - "tags": [ - "nginx" - ], - "templating": { - "list": [ - { - "allValue": ".*", - "current": { - "selected": false, - "text": "All", - "value": "$__all" - }, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "definition": "", - "hide": 0, - "includeAll": true, - "label": "Namespace", - "multi": false, - "name": "namespace", - "options": [], - "query": { - "query": "label_values(nginx_ingress_controller_config_hash, controller_namespace)", - "refId": "Prometheus-namespace-Variable-Query" - }, - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": "", - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": ".*", - "current": { - "selected": false, - "text": "All", - "value": "$__all" - }, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "definition": "", - "hide": 0, - "includeAll": true, - "label": "Controller Class", - "multi": false, - "name": "controller_class", - "options": [], - "query": { - "query": "label_values(nginx_ingress_controller_config_hash{namespace=~\"$namespace\"}, controller_class) ", - "refId": "Prometheus-controller_class-Variable-Query" - }, - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": "", - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": ".*", - "current": { - "selected": false, - "text": "All", - "value": "$__all" - }, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "definition": "", - "hide": 0, - "includeAll": true, - "label": "Controller", - "multi": false, - "name": "controller", - "options": [], - "query": { - "query": "label_values(nginx_ingress_controller_config_hash{namespace=~\"$namespace\",controller_class=~\"$controller_class\"}, controller_pod) ", - "refId": "Prometheus-controller-Variable-Query" - }, - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": "", - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": ".*", - "current": { - "selected": false, - "text": "All", - "value": "$__all" - }, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "definition": "", - "hide": 0, - "includeAll": true, - "label": "Ingress", - "multi": false, - "name": "ingress", - "options": [], - "query": { - "query": "label_values(nginx_ingress_controller_requests{namespace=~\"$namespace\",controller_class=~\"$controller_class\",controller=~\"$controller\"}, ingress) ", - "refId": "Prometheus-ingress-Variable-Query" - }, - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 2, - "tagValuesQuery": "", - "tagsQuery": "", - "type": "query", - "useTags": false - } - ] - }, - "time": { - "from": "now-1h", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "2m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "browser", - "title": "NGINX Ingress controller", - "uid": "nginx", - "version": 1, - "weekStart": "" - } -kind: ConfigMap -metadata: - labels: - grafana_dashboard: "1" - creationTimestamp: null - name: nginx-dashboard - namespace: kube-prometheus-stack \ No newline at end of file diff --git a/dev/.gitlab/.gitlab-ci.yml b/dev/.gitlab/.gitlab-ci.yml new file mode 100644 index 0000000..16cef81 --- /dev/null +++ b/dev/.gitlab/.gitlab-ci.yml @@ -0,0 +1,95 @@ +stages: + - plan + - apply + - destroy + +variables: + WORKDIR: $CI_PROJECT_DIR/dev/terraform + GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dev + +image: + name: registry.durp.info/opentofu/opentofu:latest + entrypoint: [""] + +.tf-init: + before_script: + - cd $WORKDIR + - tofu init + -reconfigure + -backend-config="address=${GITLAB_TF_ADDRESS}" + -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="username=gitlab-ci-token" + -backend-config="password=${CI_JOB_TOKEN}" + -backend-config="lock_method=POST" + -backend-config="unlock_method=DELETE" + -backend-config="retry_wait_min=5" + +format: + stage: .pre + allow_failure: false + script: + - cd $WORKDIR + - tofu fmt -diff -check -write=false + rules: + - changes: + - "dev/terraform/*.tf" + +validate: + stage: .pre + allow_failure: false + extends: .tf-init + script: + - tofu validate + rules: + - changes: + - "dev/terraform/*.tf" + +plan-dev-infrastructure: + stage: plan + variables: + PLAN: plan.tfplan + JSON_PLAN_FILE: tfplan.json + ENVIRONMENT_NAME: dev + allow_failure: false + extends: .tf-init + script: + - apk add --update curl jq + - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" + - tofu plan -out=$PLAN $ARGUMENTS + - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE + artifacts: + reports: + terraform: $WORKDIR/$JSON_PLAN_FILE + needs: ["validate","format"] + rules: + - changes: + - "dev/terraform/*.tf" + +apply-dev-infrastructure: + stage: apply + variables: + ENVIRONMENT_NAME: dev + allow_failure: false + extends: .tf-init + script: + - tofu apply -auto-approve $ARGUMENTS + rules: + - changes: + - "dev/terraform/*.tf" + when: manual + needs: ["plan-dev-infrastructure"] + +destroy-dev-infrastructure: + stage: destroy + variables: + ENVIRONMENT_NAME: dev + allow_failure: false + extends: .tf-init + script: + - tofu destroy -auto-approve $ARGUMENTS + rules: + - changes: + - "dev/terraform/*.tf" + when: manual + needs: ["plan-dev-infrastructure"] diff --git a/cert-manager/Chart.yaml b/dev/cert-manager/Chart.yaml similarity index 91% rename from cert-manager/Chart.yaml rename to dev/cert-manager/Chart.yaml index 8593f8c..7280af8 100644 --- a/cert-manager/Chart.yaml +++ b/dev/cert-manager/Chart.yaml @@ -8,4 +8,4 @@ appVersion: 0.0.1 dependencies: - name: cert-manager repository: https://charts.jetstack.io - version: 1.*.* + version: v1.17.2 diff --git a/dev/cert-manager/templates/issuer.yaml b/dev/cert-manager/templates/issuer.yaml new file mode 100644 index 0000000..cf61c83 --- /dev/null +++ b/dev/cert-manager/templates/issuer.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: issuer +secrets: + - name: issuer-token-lmzpj + +--- + +apiVersion: v1 +kind: Secret +metadata: + name: issuer-token-lmzpj + annotations: + kubernetes.io/service-account.name: issuer +type: kubernetes.io/service-account-token diff --git a/dev/cert-manager/templates/letsencrypt.yaml b/dev/cert-manager/templates/letsencrypt.yaml new file mode 100644 index 0000000..56b8374 --- /dev/null +++ b/dev/cert-manager/templates/letsencrypt.yaml @@ -0,0 +1,35 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + email: developerdurp@durp.info + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: cloudflare-api-token-secret + +--- + +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: vault-issuer +spec: + vault: + server: https://vault.infra.durp.info + caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzekNDQTV1Z0F3SUJBZ0lVWkV6enhxRXVZaUtIa0wxZGYrQ2IyMk5SUkpNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekl5TXpRME1sb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dJREVlTUJ3R0ExVUVBeE1WZG1GMWJIUXVhVzVtY21FdVpIVnljQzVwYm1adk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWtaTTB1ZTRiTWNtbUFUcytrR1lTcFIyaExVenEKc2NHSXdDdHFtYUtDTWJkMXhobWdqbklSM3p2U1JwdExSMkdWR3ZjMXRpNnFieTBqWFl2Y3FieGtIdmF5MDB6VwoyellOK00ybTRsWHB1V3pnMXQ2TkVvTzZYR0FzR2oydjB2Y1ZrdFBQVTl1ajByR1VWR1dXZnN2am9YcVFGZzVJCmpkeHN4SzlTdk12dzJYdEUzRmdLeHB6Q3l3OTRJbklIbGNQd0ZUTyszWmRLU3RabE1iVURJa21zekxCcldGY3IKWE9zUERmTHhxTXkwQ2svL0xLSXQ4ZGpoMzI1NEZIQjFHRzUra0krSlNXMW8rdFVjTDJOeW12SUlOd20vMmFjUwoxdVRtK2o5VzdpRVhhdjBwSk5tbSsvZHpTc2tjM1kwZnRNMGgySENYZ2l0QklhRVpuVVZuZU5IT0x3SURBUUFCCm80SUI3ekNDQWVzd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME8KQkJZRUZDYVEycTdqN0x5QkdFVEVaNXFhSkFkbElTS0NNQjhHQTFVZEl3UVlNQmFBRk8xakN5R2twRk8rUWlSMgpkZkJNV1ZZZVdyUTJNSUgwQmdnckJnRUZCUWNCQVFTQjV6Q0I1REF6QmdnckJnRUZCUWN3QVlZbmFIUjBjSE02Ckx5OHhPVEl1TVRZNExqSXdMakkxTXpvNE1qQXhMM1l4TDNCcmFTOXZZM053TUQwR0NDc0dBUVVGQnpBQmhqRm8KZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnJhUzl2WTNOdwpNREVHQ0NzR0FRVUZCekFDaGlWb2RIUndjem92THpFNU1pNHhOamd1TWpBdU1qVXpPamd5TURFdmRqRXZjR3RwCkwyTmhNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndjem92TDNKdmIzUXRkbUYxYkhRdWFXNTBaWEp1WVd3dVpIVnkKY0M1cGJtWnZMM1l4TDNCcmFTOWpZVEFnQmdOVkhSRUVHVEFYZ2hWMllYVnNkQzVwYm1aeVlTNWtkWEp3TG1sdQpabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3TGpJMU16bzRNakF4CkwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6T2k4dmNtOXZkQzEyWVhWc2RDNXBiblJsY201aGJDNWsKZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXVKK2xwbFkvK0E1TAo1THprbGpiS0RUeTNVNlBMdjFMdHhxVkNPRkdpSlhCblhNanRWVzA3YkJFVWFkekZSTlc4R0hRM3c1UXpPRzZrCi92RS9UcnJKaG83bDA1Si91YytCVXJQU05qZWZMbVFWNmhuNGpyUDg2UFIwdnpSZmJTcUtLQklJRDlNNyt6aTYKR0Z2SGxWa1NIc1F5TVFwN0pPb2F4OUtWelcyWStPSWd3N0xndzJ0UDEyMldDdDJTSUYwUWVub1pIc29XMGd1agp0elRKUm1KRGpuNlhlSjdMM0ZQa2YzN0g2dWIwSmczekJHcjZlb3JFRmZZWk5ONUNYZXpqcU1GQnBSZHE0VUlvCjFNM0E3bzN1eVpGY0ZzcC92R0RjTUJrd2FDc0JWOWlkdS9Id2t2R2FUVU5JMjg1aWxCT1JQRDBiTVpuQUNxLzkKK1EvY2RzTzVsZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lVUXdDQXM4MnNnU3VpYVZiakFOSFNjTzJEU2ZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TWpFeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBbjlmakdScXFGc3FndXo1Nlg2Y1had0VNdEQ5d0Vsd1NGQ2I0RmM4WVR6bEgKNGZWMTNRd1hLRVNMRS9RKzdidzR5NEZKUThCaUdOYnh4YlFPT2dXaGZHR2xReUZhMWxmaEp0WUxmcVJONUMyLwpTN25yMFl4REI5ZHVjNE9BRXhWTDZQcjQvS29jK3ZEWlkwM2w3Unp3bkYyQU9NOURqRlRBU3cwMVRwaENRalJrClUrdXBpTjJUVWhVUGVqVi9nTVIrelhNNnBuOThVQktHMWROdWJTMEh6QU13QUVYQVBtMTQxTkR5V1VDUFQ5KzMKNlAwM0thOG1VVHgzWDQ5T0N0dkpFR0VRYnRsblRGUWFPU2tQMXlMVytYUk1IdzNzUWFWMlBXWHU1ZkluYkVwWgorU3V6bWdMT1h0bVFObUhMYXY5cTFxZVRWa3BCR1BXdmZoMlZoMUpKaFFJREFRQUJvNElCNHpDQ0FkOHdEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSmFQMTdmMVp3MFYKNTVLczlVZjBVU1ZXbDBCUE1COEdBMVVkSXdRWU1CYUFGTzFqQ3lHa3BGTytRaVIyZGZCTVdWWWVXclEyTUlIMApCZ2dyQmdFRkJRY0JBUVNCNXpDQjVEQXpCZ2dyQmdFRkJRY3dBWVluYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3CkxqSTFNem80TWpBeEwzWXhMM0JyYVM5dlkzTndNRDBHQ0NzR0FRVUZCekFCaGpGb2RIUndjem92TDNKdmIzUXQKZG1GMWJIUXVhVzUwWlhKdVlXd3VaSFZ5Y0M1cGJtWnZMM1l4TDNCcmFTOXZZM053TURFR0NDc0dBUVVGQnpBQwpoaVZvZEhSd2N6b3ZMekU1TWk0eE5qZ3VNakF1TWpVek9qZ3lNREV2ZGpFdmNHdHBMMk5oTURzR0NDc0dBUVVGCkJ6QUNoaTlvZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnIKYVM5allUQVVCZ05WSFJFRURUQUxnZ2xrZFhKd0xtbHVabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMApjSE02THk4eE9USXVNVFk0TGpJd0xqSTFNem80TWpBeEwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6Ck9pOHZjbTl2ZEMxMllYVnNkQzVwYm5SbGNtNWhiQzVrZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFpcUFaNHpOSUVrQ1djdnBEUnEwVnlKdWs1OXNWdEpyNVg0RnNjSFExNzluRQpRYmJ2TWUrRUJERlM2WFFtbDFFbGo4amlQYS9ENU85T2M2SWlzbm01K3dlWkt3QXB6L2xRK1hWa1dMQ29FcGxCClpaOWZjV1ZDYk1MdDB4bHQ4cW41ei9tWUtmYkNUN1pDcURPK3ByUVp0K0FESmNRYmlrbmZyb0FBcUViTkt4d04KWTl1VXlPV05GM1N4SkVjaDR3MmR0WCtJRVZteGVabmhNeThPdVAwU1FLbDhhVzQwdWdpRzBaRDV5VEJCZk9EOQp6c3JHU1UvaVNhdG4wYjdiZXZCaGFMOTZoejEvck5SMWNMKzQvYWxiWDJocnI4UnYzL1NCMkRMdE5RbFFXMGxzCkFmaFhBcVA1ekwrWXRnZjFPZi9wVmRnbmh4cllVWTdSS0NTR1k1SGFndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMekNDQWhlZ0F3SUJBZ0lVTkhkdk96YW0ySFBWZHdYcE1IVXk0d2w4WlJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TVRVeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBOFhEVFZFdFJJMytrNHl1dnFWcWZJaUxSUUpjWGJtaGZWdEFlWWsrNWo5T3gKcDF3OVlIZG5QTHFMRnJEMVB6YWRqcVllQXAvZndsRUZmczZscXdvVFM4Uzl2aGFGcWNnQjU3blZNYjc3ZFRCYgovMDhYSFhPVTZGUFJqZEZLbTVRTXBTN3RuMVhhY1BNeS9vMGJLcVJSRVFlaXVGREdWUnl1RjVQVWd2V2MxZHZKCmwyN0p2dmdZa3RnamZwTlM0RGxDeGc0bEdYVDVhYnZhS2YyaG5yNjVlZ2FJby95UldOOXdudkF6UmlZN29jaTcKR0Exb0t6ODdZYzF0ZkwyZ2N5bnJ3Y2NPT0NGL2VVS2VzSlIxSTZHWE5rTi9hMWZjcitMZDlaOU5oSEJ0Tyt2RQpOOERzWlkra0c3REUzTTRCQ0NURlV6bGxjWUhqYVc0SGFGOXZaVytQWXdJREFRQUJvM2t3ZHpBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdXTUxJYVNrVTc1Q0pIWjEKOEV4WlZoNWF0RFl3SHdZRFZSMGpCQmd3Rm9BVTdXTUxJYVNrVTc1Q0pIWjE4RXhaVmg1YXREWXdGQVlEVlIwUgpCQTB3QzRJSlpIVnljQzVwYm1adk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVMvcVVJLzFZdjA3eFVUSzVrCnI5M2tDN0dTUHBtcGtYSXNmakNoQWw5M3NlYk4xNDNmdTcwTlVQNzRqakNjMFdrYjhoUm9mR2cxMEUrLzI0cjEKQUkwS3NMaHpLemZJQVN4VVZRQW44UlRwdExydWFhUExib1NBNE1VWjhJQjV5OFZ5OEUzL0t0RDBnRDgwajY0WQpybTlYR0hBMEhUSkhiUFVUYi9SdXgyZzBFN1d0aXlXU1dIOG1xemJlZ1U4SXJrTTNlVlQ0K3lsQkU3WWtmV0RECmR3NDRzQjcxdGZtREtweldnNlhRNllNaDBZZm55RzFmWUNqOUxodWVjTlk5VXVvNmNqRGFBdmt6TWV3V3dxRHgKUTJFa2FzOThEaTZpdENQOHZFVCtnQkRqZUNjK1hSNkh4NnZ6V214bFpod0R1eEVLTDFhMi9EYWJVeEp5TU56dgo1NUZuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + path: pki/sign/issue-homelab-certs + auth: + kubernetes: + mountPath: /v1/auth/dmz-cluster + role: issuer + secretRef: + name: issuer-token-lmzpj + key: token diff --git a/cert-manager/templates/sealedsecret.yaml b/dev/cert-manager/templates/secretvault.yaml similarity index 69% rename from cert-manager/templates/sealedsecret.yaml rename to dev/cert-manager/templates/secretvault.yaml index 37a2e92..11c82bc 100644 --- a/cert-manager/templates/sealedsecret.yaml +++ b/dev/cert-manager/templates/secretvault.yaml @@ -1,4 +1,4 @@ -apiVersion: external-secrets.io/v1beta1 +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: cloudflare-api-token-secret @@ -11,6 +11,12 @@ spec: data: - secretKey: cloudflare-api-token-secret remoteRef: - key: secrets/cert-manager + key: kv/cert-manager property: cloudflare-api-token-secret +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/cert-manager/values.yaml b/dev/cert-manager/values.yaml similarity index 92% rename from cert-manager/values.yaml rename to dev/cert-manager/values.yaml index 36f403b..c9cf12f 100644 --- a/cert-manager/values.yaml +++ b/dev/cert-manager/values.yaml @@ -1,9 +1,10 @@ cert-manager: + crds: + enabled: true image: registry: registry.internal.durp.info repository: jetstack/cert-manager-controller pullPolicy: Always - installCRDs: true replicaCount: 3 extraArgs: - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 @@ -22,4 +23,4 @@ cert-manager: image: registry: registry.internal.durp.info repository: jetstack/cert-manager-cainjector - pullPolicy: Always \ No newline at end of file + pullPolicy: Always diff --git a/external-dns/Chart.yaml b/dev/external-dns/Chart.yaml similarity index 92% rename from external-dns/Chart.yaml rename to dev/external-dns/Chart.yaml index 24d735c..937bc49 100644 --- a/external-dns/Chart.yaml +++ b/dev/external-dns/Chart.yaml @@ -9,4 +9,4 @@ appVersion: 0.0.1 dependencies: - name: external-dns repository: https://charts.bitnami.com/bitnami - version: 6.20.3 + version: 8.9.2 diff --git a/external-dns/templates/secrets.yaml b/dev/external-dns/templates/secrets.yaml similarity index 70% rename from external-dns/templates/secrets.yaml rename to dev/external-dns/templates/secrets.yaml index 142c03a..60f7466 100644 --- a/external-dns/templates/secrets.yaml +++ b/dev/external-dns/templates/secrets.yaml @@ -1,4 +1,4 @@ -apiVersion: external-secrets.io/v1beta1 +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: external-dns-secret @@ -11,13 +11,20 @@ spec: data: - secretKey: cloudflare_api_email remoteRef: - key: secrets/external-dns/cloudflare + key: kv/cloudflare property: cloudflare_api_email - secretKey: cloudflare_api_key remoteRef: - key: secrets/external-dns/cloudflare + key: kv/cloudflare property: cloudflare_api_key - secretKey: cloudflare_api_token remoteRef: - key: secrets/external-dns/cloudflare + key: kv/cloudflare property: cloudflare_api_token + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/external-dns/values.yaml b/dev/external-dns/values.yaml similarity index 75% rename from external-dns/values.yaml rename to dev/external-dns/values.yaml index 68abe91..2052942 100644 --- a/external-dns/values.yaml +++ b/dev/external-dns/values.yaml @@ -1,10 +1,12 @@ external-dns: global: - imageRegistry: "registry.internal.durp.info" + imageRegistry: "registry.durp.info" image: pullPolicy: Always + txtPrefix: "dmz-" + sources: - service diff --git a/external-secrets/Chart.yaml b/dev/external-secrets/Chart.yaml similarity index 92% rename from external-secrets/Chart.yaml rename to dev/external-secrets/Chart.yaml index 96c39ce..48645c3 100644 --- a/external-secrets/Chart.yaml +++ b/dev/external-secrets/Chart.yaml @@ -8,5 +8,4 @@ appVersion: 0.0.1 dependencies: - name: external-secrets repository: https://charts.external-secrets.io - version: 0.8.1 - + version: 0.17.0 diff --git a/dev/external-secrets/templates/ca.yaml b/dev/external-secrets/templates/ca.yaml new file mode 100644 index 0000000..9b2a135 --- /dev/null +++ b/dev/external-secrets/templates/ca.yaml @@ -0,0 +1,81 @@ +apiVersion: v1 +data: + vault.pem: | + -----BEGIN CERTIFICATE----- + MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy + MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN + BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq + scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW + 2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I + jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr + XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS + 1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB + o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O + BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2 + dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6 + Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo + dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw + MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp + L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy + cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu + Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx + L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k + dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L + 5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k + /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6 + GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj + tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo + 1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9 + +Q/cdsO5lg== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH + 4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/ + S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk + U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3 + 6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ + +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD + VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V + 55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0 + BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw + LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt + dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC + hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF + BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br + aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0 + cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz + Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq + hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE + QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB + ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN + Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9 + zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls + AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox + p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb + /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ + l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7 + GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE + N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B + Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1 + 8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R + BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k + r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1 + AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y + rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD + dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx + Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv + 55Fn + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: ca-pemstore diff --git a/dev/external-secrets/values.yaml b/dev/external-secrets/values.yaml new file mode 100644 index 0000000..304180d --- /dev/null +++ b/dev/external-secrets/values.yaml @@ -0,0 +1,94 @@ +external-secrets: + replicaCount: 3 + revisionHistoryLimit: 1 + leaderElect: true + + installCRDs: true + crds: + createClusterExternalSecret: true + createClusterSecretStore: true + createClusterGenerator: true + createPushSecret: true + conversion: + enabled: false + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + webhook: + create: false + failurePolicy: Ignore + log: + level: debug + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + certController: + create: false + revisionHistoryLimit: 1 + log: + level: debug + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + tag: "" + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true diff --git a/metallb-system/Chart.yaml b/dev/metallb-system/Chart.yaml similarity index 91% rename from metallb-system/Chart.yaml rename to dev/metallb-system/Chart.yaml index c90584f..c92e842 100644 --- a/metallb-system/Chart.yaml +++ b/dev/metallb-system/Chart.yaml @@ -9,5 +9,4 @@ appVersion: "1.16.0" dependencies: - name: metallb repository: https://metallb.github.io/metallb - version: 0.14.5 - + version: 0.15.2 diff --git a/metallb-system/templates/config.yaml b/dev/metallb-system/templates/config.yaml similarity index 82% rename from metallb-system/templates/config.yaml rename to dev/metallb-system/templates/config.yaml index e44285d..5fb85fe 100644 --- a/metallb-system/templates/config.yaml +++ b/dev/metallb-system/templates/config.yaml @@ -4,12 +4,12 @@ metadata: name: cheap spec: addresses: - - 192.168.20.130-192.168.20.140 + - 192.168.10.130-192.168.10.140 --- apiVersion: metallb.io/v1beta1 kind: L2Advertisement metadata: - name: poop + name: pool namespace: metallb-system spec: ipAddressPools: diff --git a/littlelink/Chart.yaml b/dev/metallb-system/values.yaml similarity index 100% rename from littlelink/Chart.yaml rename to dev/metallb-system/values.yaml diff --git a/traefik/Chart.yaml b/dev/traefik/Chart.yaml similarity index 91% rename from traefik/Chart.yaml rename to dev/traefik/Chart.yaml index 1ebbb2d..1df1d76 100644 --- a/traefik/Chart.yaml +++ b/dev/traefik/Chart.yaml @@ -8,4 +8,4 @@ appVersion: 0.0.1 dependencies: - name: traefik repository: https://traefik.github.io/charts - version: 22.1.0 + version: 34.5.0 diff --git a/dev/traefik/values.yaml b/dev/traefik/values.yaml new file mode 100644 index 0000000..3d1d660 --- /dev/null +++ b/dev/traefik/values.yaml @@ -0,0 +1,58 @@ +traefik: + image: + # registry: registry.durp.info + # repository: traefik + pullPolicy: Always + + providers: + kubernetesCRD: + allowCrossNamespace: true + allowExternalNameServices: true + allowEmptyServices: false + + deployment: + replicas: 3 + revisionHistoryLimit: 1 + + # volumes: + # - name: traefik-configmap + # mountPath: "/config" + # type: configMap + + ingressRoute: + dashboard: + enabled: true + + additionalArguments: + # - "--providers.file.filename=/config/config.yml" + - "--serversTransport.insecureSkipVerify=true" + - "--log.level=DEBUG" + - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin + - --experimental.plugins.jwt.version=v0.7.0 + + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + policies: + - type: Pods + value: 1 + periodSeconds: 60 + + # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. + resources: + requests: + cpu: "100m" + memory: "512Mi" + limits: + memory: "512Mi" diff --git a/vault/Chart.yaml b/dev/vault/Chart.yaml similarity index 91% rename from vault/Chart.yaml rename to dev/vault/Chart.yaml index fc08adf..412c292 100644 --- a/vault/Chart.yaml +++ b/dev/vault/Chart.yaml @@ -8,5 +8,5 @@ appVersion: 0.0.1 dependencies: - name: vault repository: https://helm.releases.hashicorp.com - version: 0.27.0 + version: 0.30.0 diff --git a/dev/vault/templates/secret-store.yaml b/dev/vault/templates/secret-store.yaml new file mode 100644 index 0000000..c48e52f --- /dev/null +++ b/dev/vault/templates/secret-store.yaml @@ -0,0 +1,23 @@ +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: + name: vault +spec: + provider: + vault: + server: "https://vault.infra.durp.info" + path: "kv" + version: "v2" + auth: + kubernetes: + mountPath: "dmz-cluster" + role: "external-secrets" + serviceAccountRef: + name: "vault" + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/dev/vault/values.yaml b/dev/vault/values.yaml new file mode 100644 index 0000000..877d8fe --- /dev/null +++ b/dev/vault/values.yaml @@ -0,0 +1,13 @@ +vault: + global: + enabled: true + tlsDisable: false + externalVaultAddr: "https://vault.infra.durp.info" + resources: + requests: + memory: 256Mi + cpu: 250m + limits: + memory: 256Mi + cpu: 250m + diff --git a/dmz/.gitlab/.gitlab-ci.yml b/dmz/.gitlab/.gitlab-ci.yml new file mode 100644 index 0000000..e0532bc --- /dev/null +++ b/dmz/.gitlab/.gitlab-ci.yml @@ -0,0 +1,95 @@ +stages: + - plan + - apply + - destroy + +variables: + WORKDIR: $CI_PROJECT_DIR/dmz/terraform + GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dmz + +image: + name: registry.durp.info/opentofu/opentofu:latest + entrypoint: [""] + +.tf-init: + before_script: + - cd $WORKDIR + - tofu init + -reconfigure + -backend-config="address=${GITLAB_TF_ADDRESS}" + -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="username=gitlab-ci-token" + -backend-config="password=${CI_JOB_TOKEN}" + -backend-config="lock_method=POST" + -backend-config="unlock_method=DELETE" + -backend-config="retry_wait_min=5" + +format: + stage: .pre + allow_failure: false + script: + - cd $WORKDIR + - tofu fmt -diff -check -write=false + rules: + - changes: + - "dmz/terraform/*.tf" + +validate: + stage: .pre + allow_failure: false + extends: .tf-init + script: + - tofu validate + rules: + - changes: + - "dmz/terraform/*.tf" + +plan-dmz-infrastructure: + stage: plan + variables: + PLAN: plan.tfplan + JSON_PLAN_FILE: tfplan.json + ENVIRONMENT_NAME: dmz + allow_failure: false + extends: .tf-init + script: + - apk add --update curl jq + - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" + - tofu plan -out=$PLAN $ARGUMENTS + - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE + artifacts: + reports: + terraform: $WORKDIR/$JSON_PLAN_FILE + needs: ["validate","format"] + rules: + - changes: + - "dmz/terraform/*.tf" + +apply-dmz-infrastructure: + stage: apply + variables: + ENVIRONMENT_NAME: dmz + allow_failure: false + extends: .tf-init + script: + - tofu apply -auto-approve $ARGUMENTS + rules: + - changes: + - "dmz/terraform/*.tf" + when: manual + needs: ["plan-dmz-infrastructure"] + +destroy-dmz-infrastructure: + stage: destroy + variables: + ENVIRONMENT_NAME: dmz + allow_failure: false + extends: .tf-init + script: + - tofu destroy -auto-approve $ARGUMENTS + rules: + - changes: + - "dmz/terraform/*.tf" + when: manual + needs: ["plan-dmz-infrastructure"] diff --git a/dmz/authentik/Chart.yaml b/dmz/authentik/Chart.yaml new file mode 100644 index 0000000..090214c --- /dev/null +++ b/dmz/authentik/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: authentik +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: + - name: authentik-remote-cluster + repository: https://charts.goauthentik.io + version: 2.1.0 diff --git a/dmz/authentik/templates/ingress.yaml b/dmz/authentik/templates/ingress.yaml new file mode 100644 index 0000000..e69de29 diff --git a/dmz/authentik/values.yaml b/dmz/authentik/values.yaml new file mode 100644 index 0000000..83be2f9 --- /dev/null +++ b/dmz/authentik/values.yaml @@ -0,0 +1,30 @@ +authentik-remote-cluster: + # -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible + nameOverride: "" + # -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible + fullnameOverride: "" + # -- Override the Kubernetes version, which is used to evaluate certain manifests + kubeVersionOverride: "" + + ## Globally shared configuration for authentik components. + global: + # -- Provide a name in place of `authentik` + nameOverride: "" + # -- String to fully override `"authentik.fullname"` + fullnameOverride: "" + # -- A custom namespace to override the default namespace for the deployed resources. + namespaceOverride: "" + # -- Common labels for all resources. + additionalLabels: {} + # app: authentik + + # -- Annotations to apply to all resources + annotations: {} + + serviceAccountSecret: + # -- Create a secret with the service account credentials + enabled: true + + clusterRole: + # -- Create a clusterole in addition to a namespaced role. + enabled: true diff --git a/dmz/cert-manager/Chart.yaml b/dmz/cert-manager/Chart.yaml new file mode 100644 index 0000000..7280af8 --- /dev/null +++ b/dmz/cert-manager/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: cert-manager +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: cert-manager + repository: https://charts.jetstack.io + version: v1.17.2 diff --git a/dmz/cert-manager/templates/issuer.yaml b/dmz/cert-manager/templates/issuer.yaml new file mode 100644 index 0000000..cf61c83 --- /dev/null +++ b/dmz/cert-manager/templates/issuer.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: issuer +secrets: + - name: issuer-token-lmzpj + +--- + +apiVersion: v1 +kind: Secret +metadata: + name: issuer-token-lmzpj + annotations: + kubernetes.io/service-account.name: issuer +type: kubernetes.io/service-account-token diff --git a/dmz/cert-manager/templates/letsencrypt.yaml b/dmz/cert-manager/templates/letsencrypt.yaml new file mode 100644 index 0000000..56b8374 --- /dev/null +++ b/dmz/cert-manager/templates/letsencrypt.yaml @@ -0,0 +1,35 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + email: developerdurp@durp.info + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: cloudflare-api-token-secret + +--- + +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: vault-issuer +spec: + vault: + server: https://vault.infra.durp.info + caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzekNDQTV1Z0F3SUJBZ0lVWkV6enhxRXVZaUtIa0wxZGYrQ2IyMk5SUkpNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekl5TXpRME1sb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dJREVlTUJ3R0ExVUVBeE1WZG1GMWJIUXVhVzVtY21FdVpIVnljQzVwYm1adk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWtaTTB1ZTRiTWNtbUFUcytrR1lTcFIyaExVenEKc2NHSXdDdHFtYUtDTWJkMXhobWdqbklSM3p2U1JwdExSMkdWR3ZjMXRpNnFieTBqWFl2Y3FieGtIdmF5MDB6VwoyellOK00ybTRsWHB1V3pnMXQ2TkVvTzZYR0FzR2oydjB2Y1ZrdFBQVTl1ajByR1VWR1dXZnN2am9YcVFGZzVJCmpkeHN4SzlTdk12dzJYdEUzRmdLeHB6Q3l3OTRJbklIbGNQd0ZUTyszWmRLU3RabE1iVURJa21zekxCcldGY3IKWE9zUERmTHhxTXkwQ2svL0xLSXQ4ZGpoMzI1NEZIQjFHRzUra0krSlNXMW8rdFVjTDJOeW12SUlOd20vMmFjUwoxdVRtK2o5VzdpRVhhdjBwSk5tbSsvZHpTc2tjM1kwZnRNMGgySENYZ2l0QklhRVpuVVZuZU5IT0x3SURBUUFCCm80SUI3ekNDQWVzd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME8KQkJZRUZDYVEycTdqN0x5QkdFVEVaNXFhSkFkbElTS0NNQjhHQTFVZEl3UVlNQmFBRk8xakN5R2twRk8rUWlSMgpkZkJNV1ZZZVdyUTJNSUgwQmdnckJnRUZCUWNCQVFTQjV6Q0I1REF6QmdnckJnRUZCUWN3QVlZbmFIUjBjSE02Ckx5OHhPVEl1TVRZNExqSXdMakkxTXpvNE1qQXhMM1l4TDNCcmFTOXZZM053TUQwR0NDc0dBUVVGQnpBQmhqRm8KZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnJhUzl2WTNOdwpNREVHQ0NzR0FRVUZCekFDaGlWb2RIUndjem92THpFNU1pNHhOamd1TWpBdU1qVXpPamd5TURFdmRqRXZjR3RwCkwyTmhNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndjem92TDNKdmIzUXRkbUYxYkhRdWFXNTBaWEp1WVd3dVpIVnkKY0M1cGJtWnZMM1l4TDNCcmFTOWpZVEFnQmdOVkhSRUVHVEFYZ2hWMllYVnNkQzVwYm1aeVlTNWtkWEp3TG1sdQpabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3TGpJMU16bzRNakF4CkwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6T2k4dmNtOXZkQzEyWVhWc2RDNXBiblJsY201aGJDNWsKZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXVKK2xwbFkvK0E1TAo1THprbGpiS0RUeTNVNlBMdjFMdHhxVkNPRkdpSlhCblhNanRWVzA3YkJFVWFkekZSTlc4R0hRM3c1UXpPRzZrCi92RS9UcnJKaG83bDA1Si91YytCVXJQU05qZWZMbVFWNmhuNGpyUDg2UFIwdnpSZmJTcUtLQklJRDlNNyt6aTYKR0Z2SGxWa1NIc1F5TVFwN0pPb2F4OUtWelcyWStPSWd3N0xndzJ0UDEyMldDdDJTSUYwUWVub1pIc29XMGd1agp0elRKUm1KRGpuNlhlSjdMM0ZQa2YzN0g2dWIwSmczekJHcjZlb3JFRmZZWk5ONUNYZXpqcU1GQnBSZHE0VUlvCjFNM0E3bzN1eVpGY0ZzcC92R0RjTUJrd2FDc0JWOWlkdS9Id2t2R2FUVU5JMjg1aWxCT1JQRDBiTVpuQUNxLzkKK1EvY2RzTzVsZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lVUXdDQXM4MnNnU3VpYVZiakFOSFNjTzJEU2ZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TWpFeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBbjlmakdScXFGc3FndXo1Nlg2Y1had0VNdEQ5d0Vsd1NGQ2I0RmM4WVR6bEgKNGZWMTNRd1hLRVNMRS9RKzdidzR5NEZKUThCaUdOYnh4YlFPT2dXaGZHR2xReUZhMWxmaEp0WUxmcVJONUMyLwpTN25yMFl4REI5ZHVjNE9BRXhWTDZQcjQvS29jK3ZEWlkwM2w3Unp3bkYyQU9NOURqRlRBU3cwMVRwaENRalJrClUrdXBpTjJUVWhVUGVqVi9nTVIrelhNNnBuOThVQktHMWROdWJTMEh6QU13QUVYQVBtMTQxTkR5V1VDUFQ5KzMKNlAwM0thOG1VVHgzWDQ5T0N0dkpFR0VRYnRsblRGUWFPU2tQMXlMVytYUk1IdzNzUWFWMlBXWHU1ZkluYkVwWgorU3V6bWdMT1h0bVFObUhMYXY5cTFxZVRWa3BCR1BXdmZoMlZoMUpKaFFJREFRQUJvNElCNHpDQ0FkOHdEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSmFQMTdmMVp3MFYKNTVLczlVZjBVU1ZXbDBCUE1COEdBMVVkSXdRWU1CYUFGTzFqQ3lHa3BGTytRaVIyZGZCTVdWWWVXclEyTUlIMApCZ2dyQmdFRkJRY0JBUVNCNXpDQjVEQXpCZ2dyQmdFRkJRY3dBWVluYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3CkxqSTFNem80TWpBeEwzWXhMM0JyYVM5dlkzTndNRDBHQ0NzR0FRVUZCekFCaGpGb2RIUndjem92TDNKdmIzUXQKZG1GMWJIUXVhVzUwWlhKdVlXd3VaSFZ5Y0M1cGJtWnZMM1l4TDNCcmFTOXZZM053TURFR0NDc0dBUVVGQnpBQwpoaVZvZEhSd2N6b3ZMekU1TWk0eE5qZ3VNakF1TWpVek9qZ3lNREV2ZGpFdmNHdHBMMk5oTURzR0NDc0dBUVVGCkJ6QUNoaTlvZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnIKYVM5allUQVVCZ05WSFJFRURUQUxnZ2xrZFhKd0xtbHVabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMApjSE02THk4eE9USXVNVFk0TGpJd0xqSTFNem80TWpBeEwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6Ck9pOHZjbTl2ZEMxMllYVnNkQzVwYm5SbGNtNWhiQzVrZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFpcUFaNHpOSUVrQ1djdnBEUnEwVnlKdWs1OXNWdEpyNVg0RnNjSFExNzluRQpRYmJ2TWUrRUJERlM2WFFtbDFFbGo4amlQYS9ENU85T2M2SWlzbm01K3dlWkt3QXB6L2xRK1hWa1dMQ29FcGxCClpaOWZjV1ZDYk1MdDB4bHQ4cW41ei9tWUtmYkNUN1pDcURPK3ByUVp0K0FESmNRYmlrbmZyb0FBcUViTkt4d04KWTl1VXlPV05GM1N4SkVjaDR3MmR0WCtJRVZteGVabmhNeThPdVAwU1FLbDhhVzQwdWdpRzBaRDV5VEJCZk9EOQp6c3JHU1UvaVNhdG4wYjdiZXZCaGFMOTZoejEvck5SMWNMKzQvYWxiWDJocnI4UnYzL1NCMkRMdE5RbFFXMGxzCkFmaFhBcVA1ekwrWXRnZjFPZi9wVmRnbmh4cllVWTdSS0NTR1k1SGFndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMekNDQWhlZ0F3SUJBZ0lVTkhkdk96YW0ySFBWZHdYcE1IVXk0d2w4WlJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TVRVeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBOFhEVFZFdFJJMytrNHl1dnFWcWZJaUxSUUpjWGJtaGZWdEFlWWsrNWo5T3gKcDF3OVlIZG5QTHFMRnJEMVB6YWRqcVllQXAvZndsRUZmczZscXdvVFM4Uzl2aGFGcWNnQjU3blZNYjc3ZFRCYgovMDhYSFhPVTZGUFJqZEZLbTVRTXBTN3RuMVhhY1BNeS9vMGJLcVJSRVFlaXVGREdWUnl1RjVQVWd2V2MxZHZKCmwyN0p2dmdZa3RnamZwTlM0RGxDeGc0bEdYVDVhYnZhS2YyaG5yNjVlZ2FJby95UldOOXdudkF6UmlZN29jaTcKR0Exb0t6ODdZYzF0ZkwyZ2N5bnJ3Y2NPT0NGL2VVS2VzSlIxSTZHWE5rTi9hMWZjcitMZDlaOU5oSEJ0Tyt2RQpOOERzWlkra0c3REUzTTRCQ0NURlV6bGxjWUhqYVc0SGFGOXZaVytQWXdJREFRQUJvM2t3ZHpBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdXTUxJYVNrVTc1Q0pIWjEKOEV4WlZoNWF0RFl3SHdZRFZSMGpCQmd3Rm9BVTdXTUxJYVNrVTc1Q0pIWjE4RXhaVmg1YXREWXdGQVlEVlIwUgpCQTB3QzRJSlpIVnljQzVwYm1adk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVMvcVVJLzFZdjA3eFVUSzVrCnI5M2tDN0dTUHBtcGtYSXNmakNoQWw5M3NlYk4xNDNmdTcwTlVQNzRqakNjMFdrYjhoUm9mR2cxMEUrLzI0cjEKQUkwS3NMaHpLemZJQVN4VVZRQW44UlRwdExydWFhUExib1NBNE1VWjhJQjV5OFZ5OEUzL0t0RDBnRDgwajY0WQpybTlYR0hBMEhUSkhiUFVUYi9SdXgyZzBFN1d0aXlXU1dIOG1xemJlZ1U4SXJrTTNlVlQ0K3lsQkU3WWtmV0RECmR3NDRzQjcxdGZtREtweldnNlhRNllNaDBZZm55RzFmWUNqOUxodWVjTlk5VXVvNmNqRGFBdmt6TWV3V3dxRHgKUTJFa2FzOThEaTZpdENQOHZFVCtnQkRqZUNjK1hSNkh4NnZ6V214bFpod0R1eEVLTDFhMi9EYWJVeEp5TU56dgo1NUZuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + path: pki/sign/issue-homelab-certs + auth: + kubernetes: + mountPath: /v1/auth/dmz-cluster + role: issuer + secretRef: + name: issuer-token-lmzpj + key: token diff --git a/dmz/cert-manager/templates/secretvault.yaml b/dmz/cert-manager/templates/secretvault.yaml new file mode 100644 index 0000000..11c82bc --- /dev/null +++ b/dmz/cert-manager/templates/secretvault.yaml @@ -0,0 +1,22 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: cloudflare-api-token-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: cloudflare-api-token-secret + data: + - secretKey: cloudflare-api-token-secret + remoteRef: + key: kv/cert-manager + property: cloudflare-api-token-secret + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/dmz/cert-manager/values.yaml b/dmz/cert-manager/values.yaml new file mode 100644 index 0000000..cfb41cf --- /dev/null +++ b/dmz/cert-manager/values.yaml @@ -0,0 +1,31 @@ +cert-manager: + crds: + enabled: true + image: + registry: registry.durp.info + repository: jetstack/cert-manager-controller + pullPolicy: Always + replicaCount: 3 + extraArgs: + - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 + - --dns01-recursive-nameservers-only + podDnsPolicy: None + podDnsConfig: + nameservers: + - "1.1.1.1" + - "1.0.0.1" + webhook: + image: + registry: registry.durp.info + repository: jetstack/cert-manager-webhook + pullPolicy: Always + cainjector: + image: + registry: registry.durp.info + repository: jetstack/cert-manager-cainjector + pullPolicy: Always + + hostAliases: + - ip: 192.168.12.130 + hostnames: + - vault.infra.durp.info diff --git a/dmz/crowdsec/Chart.yaml b/dmz/crowdsec/Chart.yaml new file mode 100644 index 0000000..a89fad6 --- /dev/null +++ b/dmz/crowdsec/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: crowdsec +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: + - name: crowdsec + repository: https://crowdsecurity.github.io/helm-charts + version: 0.19.4 diff --git a/dmz/crowdsec/templates/secrets.yaml b/dmz/crowdsec/templates/secrets.yaml new file mode 100644 index 0000000..dfef6d6 --- /dev/null +++ b/dmz/crowdsec/templates/secrets.yaml @@ -0,0 +1,29 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: enroll-key +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: enroll-key + data: + - secretKey: ENROLL_INSTANCE_NAME + remoteRef: + key: kv/crowdsec/dmz-enroll + property: ENROLL_INSTANCE_NAME + - secretKey: ENROLL_KEY + remoteRef: + key: kv/crowdsec/dmz-enroll + property: ENROLL_KEY + - secretKey: ENROLL_TAGS + remoteRef: + key: kv/crowdsec/dmz-enroll + property: ENROLL_TAGS + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/dmz/crowdsec/values.yaml b/dmz/crowdsec/values.yaml new file mode 100644 index 0000000..6271eb0 --- /dev/null +++ b/dmz/crowdsec/values.yaml @@ -0,0 +1,24 @@ +crowdsec: + # + image: + repository: registry.durp.info/crowdsecurity/crowdsec + pullPolicy: Always + + # for raw logs format: json or cri (docker|containerd) + container_runtime: containerd + agent: + # Specify each pod whose logs you want to process + acquisition: + # The namespace where the pod is located + - namespace: traefik + # The pod name + podName: traefik-* + # as in crowdsec configuration, we need to specify the program name to find a matching parser + program: traefik + env: + - name: COLLECTIONS + value: "crowdsecurity/traefik" + lapi: + envFrom: + - secretRef: + name: enroll-key diff --git a/durpapi/Chart.yaml b/dmz/external-dns/Chart.yaml similarity index 54% rename from durpapi/Chart.yaml rename to dmz/external-dns/Chart.yaml index 23a6be3..937bc49 100644 --- a/durpapi/Chart.yaml +++ b/dmz/external-dns/Chart.yaml @@ -1,11 +1,12 @@ -type: application -appVersion: 0.1.0 -description: A Helm chart for Kubernetes -name: durpapi -dependencies: -- condition: postgresql.enabled - version: 12.5.* - repository: https://charts.bitnami.com/bitnami - name: postgresql + apiVersion: v2 -version: test +name: external-dns +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: external-dns + repository: https://charts.bitnami.com/bitnami + version: 8.9.2 diff --git a/dmz/external-dns/templates/secrets.yaml b/dmz/external-dns/templates/secrets.yaml new file mode 100644 index 0000000..60f7466 --- /dev/null +++ b/dmz/external-dns/templates/secrets.yaml @@ -0,0 +1,30 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: external-dns-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: external-dns + data: + - secretKey: cloudflare_api_email + remoteRef: + key: kv/cloudflare + property: cloudflare_api_email + - secretKey: cloudflare_api_key + remoteRef: + key: kv/cloudflare + property: cloudflare_api_key + - secretKey: cloudflare_api_token + remoteRef: + key: kv/cloudflare + property: cloudflare_api_token + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/dmz/external-dns/values.yaml b/dmz/external-dns/values.yaml new file mode 100644 index 0000000..21d797e --- /dev/null +++ b/dmz/external-dns/values.yaml @@ -0,0 +1,20 @@ +external-dns: + global: + imageRegistry: "registry.durp.info" + security: + allowInsecureImages: true + + image: + pullPolicy: Always + + txtPrefix: "dmz-" + + sources: + - service + + provider: cloudflare + cloudflare: + secretName: "external-dns" + proxied: false + + policy: sync diff --git a/dmz/external-secrets/Chart.yaml b/dmz/external-secrets/Chart.yaml new file mode 100644 index 0000000..4b30288 --- /dev/null +++ b/dmz/external-secrets/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: external-secrets +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: + - name: external-secrets + repository: https://charts.external-secrets.io + version: 0.17.0 diff --git a/dmz/external-secrets/templates/ca.yaml b/dmz/external-secrets/templates/ca.yaml new file mode 100644 index 0000000..9b2a135 --- /dev/null +++ b/dmz/external-secrets/templates/ca.yaml @@ -0,0 +1,81 @@ +apiVersion: v1 +data: + vault.pem: | + -----BEGIN CERTIFICATE----- + MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy + MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN + BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq + scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW + 2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I + jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr + XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS + 1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB + o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O + BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2 + dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6 + Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo + dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw + MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp + L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy + cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu + Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx + L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k + dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L + 5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k + /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6 + GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj + tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo + 1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9 + +Q/cdsO5lg== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH + 4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/ + S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk + U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3 + 6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ + +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD + VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V + 55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0 + BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw + LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt + dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC + hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF + BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br + aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0 + cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz + Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq + hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE + QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB + ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN + Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9 + zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls + AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox + p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb + /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ + l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7 + GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE + N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B + Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1 + 8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R + BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k + r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1 + AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y + rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD + dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx + Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv + 55Fn + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: ca-pemstore diff --git a/dmz/external-secrets/values.yaml b/dmz/external-secrets/values.yaml new file mode 100644 index 0000000..3ccc294 --- /dev/null +++ b/dmz/external-secrets/values.yaml @@ -0,0 +1,100 @@ +external-secrets: + global: + security: + allowInsecureImages: true + + log: + level: debug + replicaCount: 1 + revisionHistoryLimit: 1 + leaderElect: false + + installCRDs: true + crds: + createClusterExternalSecret: true + createClusterSecretStore: true + createClusterGenerator: true + createPushSecret: true + conversion: + enabled: false + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + # resources: + # requests: + # memory: 32Mi + # cpu: 10m + # limits: + # memory: 32Mi + # cpu: 10m + + webhook: + create: false + failurePolicy: Ignore + log: + level: debug + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + # resources: + # requests: + # memory: 32Mi + # cpu: 10m + # limits: + # memory: 32Mi + # cpu: 10m + + certController: + create: false + revisionHistoryLimit: 1 + log: + level: debug + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + tag: "" + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true diff --git a/gitlab-runner/Chart.yaml b/dmz/gitlab-runner/Chart.yaml similarity index 85% rename from gitlab-runner/Chart.yaml rename to dmz/gitlab-runner/Chart.yaml index c04efe7..17e8efe 100644 --- a/gitlab-runner/Chart.yaml +++ b/dmz/gitlab-runner/Chart.yaml @@ -8,4 +8,5 @@ appVersion: 0.0.1 dependencies: - name: gitlab-runner repository: https://charts.gitlab.io/ - version: 0.43.0 + version: 0.77.2 + alias: personal diff --git a/dmz/gitlab-runner/templates/secrets.yaml b/dmz/gitlab-runner/templates/secrets.yaml new file mode 100644 index 0000000..2098738 --- /dev/null +++ b/dmz/gitlab-runner/templates/secrets.yaml @@ -0,0 +1,48 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gitlab-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: gitlab-secret + data: + - secretKey: runner-registration-token + remoteRef: + key: kv/gitlab/runner + property: runner-registration-token + - secretKey: runner-token + remoteRef: + key: kv/gitlab/runner + property: runner-token + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + +--- + +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gitlab-secret-personal +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: gitlab-secret-personal + data: + - secretKey: runner-token + remoteRef: + key: kv/gitlab/runner + property: personal-runner-token + - secretKey: runner-registration-token + remoteRef: + key: kv/gitlab/runner + property: personal-runner-token diff --git a/gitlab-runner/values.yaml b/dmz/gitlab-runner/values.yaml similarity index 63% rename from gitlab-runner/values.yaml rename to dmz/gitlab-runner/values.yaml index 0cc62b8..7ba1021 100644 --- a/gitlab-runner/values.yaml +++ b/dmz/gitlab-runner/values.yaml @@ -1,12 +1,12 @@ -gitlab-runner: +personal: image: - registry: registry.internal.durp.info + registry: registry.durp.info image: gitlab-org/gitlab-runner imagePullPolicy: Always - gitlabUrl: https://gitlab.com/ - unregisterRunner: true + gitlabUrl: https://gitlab.durp.info/ + unregisterRunner: false terminationGracePeriodSeconds: 3600 concurrent: 10 checkInterval: 30 @@ -18,15 +18,15 @@ gitlab-runner: podSecurityPolicy: enabled: false resourceNames: - - gitlab-runner + - gitlab-runner metrics: enabled: true serviceMonitor: - enabled: true + enabled: true service: enabled: true - annotations: {} + annotations: {} runners: config: | @@ -40,16 +40,16 @@ gitlab-runner: name: "k3s" runUntagged: true privileged: true - secret: gitlab-secret - #builds: - #cpuLimit: 200m - #cpuLimitOverwriteMaxAllowed: 400m - #memoryLimit: 256Mi - #memoryLimitOverwriteMaxAllowed: 512Mi - #cpuRequests: 100m - #cpuRequestsOverwriteMaxAllowed: 200m - #memoryRequests: 128Mi - #memoryRequestsOverwriteMaxAllowed: 256Mi + secret: gitlab-secret-personal + builds: + cpuLimit: 200m + cpuLimitOverwriteMaxAllowed: 400m + memoryLimit: 256Mi + memoryLimitOverwriteMaxAllowed: 512Mi + cpuRequests: 100m + cpuRequestsOverwriteMaxAllowed: 200m + memoryRequests: 128Mi + memoryRequestsOverwriteMaxAllowed: 256Mi securityContext: allowPrivilegeEscalation: false @@ -63,9 +63,9 @@ gitlab-runner: runAsUser: 100 fsGroup: 65533 - resources: + resources: limits: memory: 2Gi requests: memory: 128Mi - cpu: 500m \ No newline at end of file + cpu: 50m diff --git a/internalproxy/Chart.yaml b/dmz/internalproxy/Chart.yaml similarity index 100% rename from internalproxy/Chart.yaml rename to dmz/internalproxy/Chart.yaml diff --git a/dmz/internalproxy/templates/argocd.yaml b/dmz/internalproxy/templates/argocd.yaml new file mode 100644 index 0000000..5adf88e --- /dev/null +++ b/dmz/internalproxy/templates/argocd.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: argocd-infra-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`argocd.infra.durp.info`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: infra-cluster + port: 443 + scheme: https + tls: + secretName: argocd-infra-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: argocd-infra-tls +spec: + secretName: argocd-infra-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "argocd.infra.durp.info" + dnsNames: + - "argocd.infra.durp.info" diff --git a/authentik/templates/ingress.yaml b/dmz/internalproxy/templates/authentik.yaml similarity index 71% rename from authentik/templates/ingress.yaml rename to dmz/internalproxy/templates/authentik.yaml index ac10303..adf9884 100644 --- a/authentik/templates/ingress.yaml +++ b/dmz/internalproxy/templates/authentik.yaml @@ -1,4 +1,18 @@ -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: authentik-tls +spec: + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + secretName: authentik-tls + commonName: "authentik.durp.info" + dnsNames: + - "authentik.durp.info" + +--- +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: authentik-ingress @@ -6,31 +20,15 @@ spec: entryPoints: - websecure routes: - - match: Host(`authentik.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: authentik-server - port: 80 + - match: Host(`authentik.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: infra-cluster + port: 443 tls: secretName: authentik-tls --- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: authentik-tls -spec: - secretName: authentik-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "authentik.durp.info" - dnsNames: - - "authentik.durp.info" - ---- - kind: Service apiVersion: v1 metadata: @@ -39,4 +37,4 @@ metadata: external-dns.alpha.kubernetes.io/hostname: authentik.durp.info spec: type: ExternalName - externalName: durp.info + externalName: durp.info \ No newline at end of file diff --git a/bitwarden/templates/ingress.yaml b/dmz/internalproxy/templates/bitwarden.yaml similarity index 75% rename from bitwarden/templates/ingress.yaml rename to dmz/internalproxy/templates/bitwarden.yaml index 8a9a628..0067f8e 100644 --- a/bitwarden/templates/ingress.yaml +++ b/dmz/internalproxy/templates/bitwarden.yaml @@ -1,4 +1,4 @@ -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: bitwarden-ingress @@ -6,11 +6,11 @@ spec: entryPoints: - websecure routes: - - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) + - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) kind: Rule services: - - name: bitwarden - port: 80 + - name: infra-cluster + port: 443 tls: secretName: bitwarden-tls @@ -21,13 +21,13 @@ kind: Certificate metadata: name: bitwarden-tls spec: - secretName: bitwarden-tls issuerRef: name: letsencrypt-production kind: ClusterIssuer + secretName: bitwarden-tls commonName: "bitwarden.durp.info" dnsNames: - - "bitwarden.durp.info" + - "bitwarden.durp.info" --- @@ -39,4 +39,4 @@ metadata: external-dns.alpha.kubernetes.io/hostname: bitwarden.durp.info spec: type: ExternalName - externalName: durp.info \ No newline at end of file + externalName: durp.info diff --git a/dmz/internalproxy/templates/duplicati.yaml b/dmz/internalproxy/templates/duplicati.yaml new file mode 100644 index 0000000..74475df --- /dev/null +++ b/dmz/internalproxy/templates/duplicati.yaml @@ -0,0 +1,35 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: duplicati-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: unraid + port: 8200 + tls: + secretName: duplicati-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: duplicati-tls +spec: + secretName: duplicati-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "duplicati.internal.durp.info" + dnsNames: + - "duplicati.internal.durp.info" diff --git a/dmz/internalproxy/templates/endpoints.yaml b/dmz/internalproxy/templates/endpoints.yaml new file mode 100644 index 0000000..8380a2c --- /dev/null +++ b/dmz/internalproxy/templates/endpoints.yaml @@ -0,0 +1,230 @@ +apiVersion: v1 +kind: Endpoints +metadata: + name: master-cluster +subsets: + - addresses: + - ip: 192.168.20.130 + ports: + - port: 443 + +--- +apiVersion: v1 +kind: Service +metadata: + name: master-cluster +spec: + ports: + - protocol: TCP + port: 443 + targetPort: 443 + +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: infra-cluster +subsets: + - addresses: + - ip: 192.168.12.130 + ports: + - port: 443 + +--- +apiVersion: v1 +kind: Service +metadata: + name: infra-cluster +spec: + ports: + - protocol: TCP + port: 443 + targetPort: 443 + +--- +apiVersion: v1 +kind: Service +metadata: + name: unraid +spec: + ports: + - name: https + protocol: TCP + port: 443 + targetPort: 443 + - name: tdarr + port: 8267 + protocol: TCP + targetPort: 8267 + - name: duplicati + port: 8200 + protocol: TCP + targetPort: 8200 + - name: forgejo + port: 3000 + protocol: TCP + - name: kuma + port: 3001 + protocol: TCP + targetPort: 3000 + - name: freshrss + port: 8085 + protocol: TCP + targetPort: 8085 + - name: gitlab-ssh + port: 9022 + protocol: TCP + targetPort: 9022 + - name: gitlab + port: 9443 + protocol: TCP + targetPort: 9443 + - name: minio + port: 9769 + protocol: TCP + targetPort: 9769 + - name: nextcloud + port: 11000 + protocol: TCP + targetPort: 11000 + - name: nexus + port: 8081 + protocol: TCP + targetPort: 8081 + - name: openweb-ui + port: 8089 + protocol: TCP + targetPort: 8089 + - name: plex + port: 32400 + protocol: TCP + targetPort: 32400 + - name: registry + port: 5000 + protocol: TCP + targetPort: 5000 + - name: gitlab-registry + port: 5002 + protocol: TCP + targetPort: 5002 + - name: root-vault + port: 8201 + protocol: TCP + targetPort: 8201 + - name: s3 + port: 9768 + protocol: TCP + targetPort: 9768 + - name: smokeping + port: 81 + protocol: TCP + targetPort: 81 + - name: gotify + port: 8070 + protocol: TCP + +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: unraid +subsets: + - addresses: + - ip: 192.168.21.200 + ports: + - name: https + port: 443 + protocol: TCP + - name: tdarr + port: 8267 + protocol: TCP + - name: duplicati + port: 8200 + protocol: TCP + - name: forgejo + port: 3000 + protocol: TCP + - name: kuma + port: 3001 + protocol: TCP + - name: freshrss + port: 8085 + protocol: TCP + - name: gitlab-ssh + port: 9022 + protocol: TCP + - name: gitlab + port: 9443 + protocol: TCP + - name: minio + port: 9769 + protocol: TCP + - name: nextcloud + port: 11000 + protocol: TCP + - name: nexus + port: 8081 + protocol: TCP + - name: openweb-ui + port: 8089 + protocol: TCP + - name: plex + port: 32400 + protocol: TCP + - name: registry + port: 5000 + protocol: TCP + - name: gitlab-registry + port: 5002 + protocol: TCP + - name: root-vault + port: 8201 + protocol: TCP + - name: s3 + port: 9768 + protocol: TCP + - name: smokeping + port: 81 + protocol: TCP + - name: gotify + port: 8070 + protocol: TCP + +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: ubuntu +subsets: + - addresses: + - ip: 192.168.20.104 + ports: + - name: https + port: 443 + protocol: TCP + - name: litellm + port: 4000 + protocol: TCP + - name: ollama + port: 11435 + protocol: TCP + +--- +apiVersion: v1 +kind: Service +metadata: + name: ubuntu +spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: 443 + - name: litellm + port: 4000 + protocol: TCP + targetPort: 4000 + - name: ollama + port: 11435 + protocol: TCP + targetPort: 11435 diff --git a/dmz/internalproxy/templates/forgejo.yaml b/dmz/internalproxy/templates/forgejo.yaml new file mode 100644 index 0000000..52eb710 --- /dev/null +++ b/dmz/internalproxy/templates/forgejo.yaml @@ -0,0 +1,43 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: forgejo-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`forgejo.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 3000 + scheme: http + tls: + secretName: forgejo-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: forgejo-tls +spec: + secretName: forgejo-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "forgejo.durp.info" + dnsNames: + - "forgejo.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: forgejo-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: forgejo.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/freshrss.yaml b/dmz/internalproxy/templates/freshrss.yaml new file mode 100644 index 0000000..092854c --- /dev/null +++ b/dmz/internalproxy/templates/freshrss.yaml @@ -0,0 +1,30 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: freshrss-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`freshrss.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 8085 + tls: + secretName: freshrss-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: freshrss-tls +spec: + secretName: freshrss-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "freshrss.durp.info" + dnsNames: + - "freshrss.durp.info" diff --git a/dmz/internalproxy/templates/gitlab.yaml b/dmz/internalproxy/templates/gitlab.yaml new file mode 100644 index 0000000..d64a5aa --- /dev/null +++ b/dmz/internalproxy/templates/gitlab.yaml @@ -0,0 +1,125 @@ +#apiVersion: v1 +#kind: Service +#metadata: +# name: gitlab-ssh +#spec: +# ports: +# - name: app +# port: 9022 +# protocol: TCP +# targetPort: 9022 +# clusterIP: None +# type: ClusterIP +# +#--- +#apiVersion: v1 +#kind: Endpoints +#metadata: +# name: gitlab-ssh +#subsets: +# - addresses: +# - ip: 192.168.21.200 +# ports: +# - name: app +# port: 9022 +# protocol: TCP +# +#--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRouteTCP +metadata: + name: gitlab-ssh +spec: + entryPoints: + - gitlab-ssh + routes: + - match: HostSNI(`*`) + services: + - name: unraid + port: 9022 + +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: gitlab-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`gitlab.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 9443 + scheme: https + tls: + secretName: gitlab-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: gitlab-tls +spec: + secretName: gitlab-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "gitlab.durp.info" + dnsNames: + - "gitlab.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: gitlab-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info +spec: + type: ExternalName + externalName: durp.info + +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: gitlab-registry +spec: + entryPoints: + - websecure + routes: + - match: Host(`images.durp.info`) + kind: Rule + services: + - name: unraid + port: 5002 + scheme: http + tls: + secretName: gitlab-images-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: gitlab-images-tls +spec: + secretName: gitlab-images-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "images.durp.info" + dnsNames: + - "images.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: gitlab-images-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: images.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/gotify.yaml b/dmz/internalproxy/templates/gotify.yaml new file mode 100644 index 0000000..6619aed --- /dev/null +++ b/dmz/internalproxy/templates/gotify.yaml @@ -0,0 +1,41 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: gotify-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`gotify.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 8070 + scheme: http + tls: + secretName: gotify-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: gotify-tls +spec: + secretName: gotify-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "gotify.durp.info" + dnsNames: + - "gotify.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: gotify-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: gotify.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/grafana.yaml b/dmz/internalproxy/templates/grafana.yaml new file mode 100644 index 0000000..0de1a83 --- /dev/null +++ b/dmz/internalproxy/templates/grafana.yaml @@ -0,0 +1,40 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: grafana-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`grafana.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: infra-cluster + port: 443 + tls: + secretName: grafana-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: grafana-tls +spec: + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + secretName: grafana-tls + commonName: "grafana.durp.info" + dnsNames: + - "grafana.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: grafana-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: grafana.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/invidious.yaml b/dmz/internalproxy/templates/invidious.yaml new file mode 100644 index 0000000..752db88 --- /dev/null +++ b/dmz/internalproxy/templates/invidious.yaml @@ -0,0 +1,75 @@ +#apiVersion: v1 +#kind: Service +#metadata: +# name: invidious +#spec: +# ports: +# - name: app +# port: 3000 +# protocol: TCP +# targetPort: 3000 +# clusterIP: None +# type: ClusterIP +# +#--- +# +#apiVersion: v1 +#kind: Endpoints +#metadata: +# name: invidious +#subsets: +#- addresses: +# - ip: 192.168.20.104 +# ports: +# - name: app +# port: 3000 +# protocol: TCP +# +#--- +# +#apiVersion: traefik.io/v1alpha1 +#kind: IngressRoute +#metadata: +# name: invidious-ingress +#spec: +# entryPoints: +# - websecure +# routes: +# - match: Host(`invidious.durp.info`) && PathPrefix(`/`) +# middlewares: +# - name: authentik-proxy-provider +# namespace: traefik +# kind: Rule +# services: +# - name: invidious +# port: 3000 +# tls: +# secretName: invidious-tls +# +#--- +# +#apiVersion: cert-manager.io/v1 +#kind: Certificate +#metadata: +# name: invidious-tls +#spec: +# secretName: invidious-tls +# issuerRef: +# name: letsencrypt-production +# kind: ClusterIssuer +# commonName: "invidious.durp.info" +# dnsNames: +# - "invidious.durp.info" +# +#--- +# +#kind: Service +#apiVersion: v1 +#metadata: +# name: invidious-external-dns +# annotations: +# external-dns.alpha.kubernetes.io/hostname: invidious.durp.info +#spec: +# type: ExternalName +# externalName: durp.info +# \ No newline at end of file diff --git a/dmz/internalproxy/templates/kasm.yaml b/dmz/internalproxy/templates/kasm.yaml new file mode 100644 index 0000000..7db9d75 --- /dev/null +++ b/dmz/internalproxy/templates/kasm.yaml @@ -0,0 +1,43 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: kasm-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`kasm.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: ubuntu + port: 443 + scheme: https + tls: + secretName: kasm-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: kasm-tls +spec: + secretName: kasm-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "kasm.durp.info" + dnsNames: + - "kasm.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: kasm-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: kasm.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/uptimekuma/templates/ingress.yaml b/dmz/internalproxy/templates/kuma.yaml similarity index 63% rename from uptimekuma/templates/ingress.yaml rename to dmz/internalproxy/templates/kuma.yaml index 3df2689..31b040b 100644 --- a/uptimekuma/templates/ingress.yaml +++ b/dmz/internalproxy/templates/kuma.yaml @@ -1,4 +1,4 @@ -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: kuma-ingress @@ -6,19 +6,16 @@ spec: entryPoints: - websecure routes: - - match: Host(`kuma.durp.info`) && PathPrefix(`/`) - middlewares: - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: service - port: 3001 + - match: Host(`kuma.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 3001 + scheme: http tls: secretName: kuma-tls --- - apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -30,14 +27,13 @@ spec: kind: ClusterIssuer commonName: "kuma.durp.info" dnsNames: - - "kuma.durp.info" + - "kuma.durp.info" --- - kind: Service apiVersion: v1 metadata: - name: heimdall-external-dns + name: kuma-external-dns annotations: external-dns.alpha.kubernetes.io/hostname: kuma.durp.info spec: diff --git a/dmz/internalproxy/templates/litellm.yaml b/dmz/internalproxy/templates/litellm.yaml new file mode 100644 index 0000000..11a87ac --- /dev/null +++ b/dmz/internalproxy/templates/litellm.yaml @@ -0,0 +1,42 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: litellm-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`litellm.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: ubuntu + port: 4000 + tls: + secretName: litellm-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: litellm-tls +spec: + secretName: litellm-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "litellm.durp.info" + dnsNames: + - "litellm.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: litellm-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: litellm.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/longhorn.yaml b/dmz/internalproxy/templates/longhorn.yaml new file mode 100644 index 0000000..9eeda9e --- /dev/null +++ b/dmz/internalproxy/templates/longhorn.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: longhorn-infra-ingress + annotations: + cert-manager.io/cluster-issuer: vault-issuer +spec: + entryPoints: + - websecure + routes: + - match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: authentik-proxy-provider + namespace: traefik + services: + - name: infra-cluster + port: 443 + tls: + secretName: longhorn-infra-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: longhorn-infra-tls +spec: + secretName: longhorn-infra-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "longhorn.infra.durp.info" + dnsNames: + - "longhorn.infra.durp.info" diff --git a/dmz/internalproxy/templates/minio.yaml b/dmz/internalproxy/templates/minio.yaml new file mode 100644 index 0000000..8622240 --- /dev/null +++ b/dmz/internalproxy/templates/minio.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: minio-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`minio.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: unraid + port: 9769 + scheme: http + tls: + secretName: minio-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: minio-tls +spec: + secretName: minio-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "minio.internal.durp.info" + dnsNames: + - "minio.internal.durp.info" diff --git a/dmz/internalproxy/templates/n8n.yaml b/dmz/internalproxy/templates/n8n.yaml new file mode 100644 index 0000000..adfebc7 --- /dev/null +++ b/dmz/internalproxy/templates/n8n.yaml @@ -0,0 +1,68 @@ +#apiVersion: v1 +#kind: Service +#metadata: +# name: n8n +#spec: +# ports: +# - name: app +# port: 5678 +# protocol: TCP +# targetPort: 5678 +# clusterIP: None +# type: ClusterIP +# +#--- +#apiVersion: v1 +#kind: Endpoints +#metadata: +# name: n8n +#subsets: +# - addresses: +# - ip: 192.168.21.200 +# ports: +# - name: app +# port: 5678 +# protocol: TCP +# +#--- +#apiVersion: traefik.io/v1alpha1 +#kind: IngressRoute +#metadata: +# name: n8n-ingress +#spec: +# entryPoints: +# - websecure +# routes: +# - match: Host(`n8n.durp.info`) && PathPrefix(`/`) +# kind: Rule +# services: +# - name: n8n +# port: 5678 +# scheme: http +# tls: +# secretName: n8n-tls +# +#--- +#apiVersion: cert-manager.io/v1 +#kind: Certificate +#metadata: +# name: n8n-tls +#spec: +# secretName: n8n-tls +# issuerRef: +# name: letsencrypt-production +# kind: ClusterIssuer +# commonName: "n8n.durp.info" +# dnsNames: +# - "n8n.durp.info" +# +#--- +#kind: Service +#apiVersion: v1 +#metadata: +# name: n8n-dns +# annotations: +# dns.alpha.kubernetes.io/hostname: n8n.durp.info +#spec: +# type: ExternalName +# externalName: durp.info diff --git a/dmz/internalproxy/templates/nextcloud.yaml b/dmz/internalproxy/templates/nextcloud.yaml new file mode 100644 index 0000000..77b04e5 --- /dev/null +++ b/dmz/internalproxy/templates/nextcloud.yaml @@ -0,0 +1,74 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: nextcloud-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`nextcloud.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: nextcloud-chain + services: + - name: unraid + port: 11000 + scheme: http + tls: + secretName: nextcloud-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: nextcloud-tls +spec: + secretName: nextcloud-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "nextcloud.durp.info" + dnsNames: + - "nextcloud.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: nextcloud-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: nextcloud.durp.info +spec: + type: ExternalName + externalName: durp.info + +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: nextcloud-secure-headers +spec: + headers: + hostsProxyHeaders: + - "X-Forwarded-Host" + referrerPolicy: "same-origin" + +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: https-redirect +spec: + redirectScheme: + scheme: https + +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: nextcloud-chain +spec: + chain: + middlewares: + - name: https-redirect + - name: nextcloud-secure-headers \ No newline at end of file diff --git a/internalproxy/templates/nexus.yaml b/dmz/internalproxy/templates/nexus.yaml similarity index 60% rename from internalproxy/templates/nexus.yaml rename to dmz/internalproxy/templates/nexus.yaml index 7074102..8e9ca70 100644 --- a/internalproxy/templates/nexus.yaml +++ b/dmz/internalproxy/templates/nexus.yaml @@ -1,33 +1,4 @@ -apiVersion: v1 -kind: Service -metadata: - name: nexus -spec: - ports: - - name: app - port: 8081 - protocol: TCP - targetPort: 8081 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: nexus -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 8081 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: nexus-ingress @@ -38,7 +9,7 @@ spec: - match: Host(`nexus.durp.info`) && PathPrefix(`/`) kind: Rule services: - - name: nexus + - name: unraid port: 8081 tls: secretName: nexus-tls @@ -68,4 +39,4 @@ metadata: external-dns.alpha.kubernetes.io/hostname: nexus.durp.info spec: type: ExternalName - externalName: durp.info \ No newline at end of file + externalName: durp.info diff --git a/dmz/internalproxy/templates/ollama.yaml b/dmz/internalproxy/templates/ollama.yaml new file mode 100644 index 0000000..f03ca52 --- /dev/null +++ b/dmz/internalproxy/templates/ollama.yaml @@ -0,0 +1,69 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: ollama-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: ollama-secret + data: + - secretKey: users + remoteRef: + key: kv/ollama + property: users + +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: ollama-basic-auth +spec: + basicAuth: + headerField: x-api-key + secret: ollama-secret + +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: ollama-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`ollama.durp.info`) && PathPrefix(`/`) + middlewares: + - name: ollama-basic-auth + kind: Rule + services: + - name: ubuntu + port: 11435 + tls: + secretName: ollama-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ollama-tls +spec: + secretName: ollama-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "ollama.durp.info" + dnsNames: + - "ollama.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: ollama-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: ollama.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/open-webui/templates/ingress.yaml b/dmz/internalproxy/templates/open-webui.yaml similarity index 72% rename from open-webui/templates/ingress.yaml rename to dmz/internalproxy/templates/open-webui.yaml index 6331e92..f3e7f89 100644 --- a/open-webui/templates/ingress.yaml +++ b/dmz/internalproxy/templates/open-webui.yaml @@ -1,4 +1,4 @@ -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: open-webui-ingress @@ -6,16 +6,16 @@ spec: entryPoints: - websecure routes: - - match: Host(`open-webui.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: open-webui - port: 8080 + - match: Host(`open-webui.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 8089 + scheme: http tls: secretName: open-webui-tls --- - apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -27,10 +27,9 @@ spec: kind: ClusterIssuer commonName: "open-webui.durp.info" dnsNames: - - "open-webui.durp.info" + - "open-webui.durp.info" --- - kind: Service apiVersion: v1 metadata: diff --git a/dmz/internalproxy/templates/plex.yaml b/dmz/internalproxy/templates/plex.yaml new file mode 100644 index 0000000..7fbc5f8 --- /dev/null +++ b/dmz/internalproxy/templates/plex.yaml @@ -0,0 +1,41 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: plex-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`plex.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 32400 + scheme: https + tls: + secretName: plex-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: plex-tls +spec: + secretName: plex-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "plex.durp.info" + dnsNames: + - "plex.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: plex-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: plex.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/portainer.yaml b/dmz/internalproxy/templates/portainer.yaml new file mode 100644 index 0000000..ae89690 --- /dev/null +++ b/dmz/internalproxy/templates/portainer.yaml @@ -0,0 +1,33 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: portainer-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`portainer.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: infra-cluster + port: 443 + tls: + secretName: portainer-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: portainer-tls +spec: + secretName: portainer-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "portainer.internal.durp.info" + dnsNames: + - "portainer.internal.durp.info" diff --git a/dmz/internalproxy/templates/proxmox.yaml b/dmz/internalproxy/templates/proxmox.yaml new file mode 100644 index 0000000..14d301d --- /dev/null +++ b/dmz/internalproxy/templates/proxmox.yaml @@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: proxmox +spec: + ports: + - name: app + port: 8006 + protocol: TCP + targetPort: 8006 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: proxmox +subsets: + - addresses: + - ip: 192.168.21.254 + ports: + - name: app + port: 8006 + protocol: TCP + +--- + +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: proxmox-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`proxmox.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: proxmox + port: 8006 + scheme: https + tls: + secretName: proxmox-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: proxmox-tls +spec: + secretName: proxmox-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "proxmox.internal.durp.info" + dnsNames: + - "proxmox.internal.durp.info" diff --git a/dmz/internalproxy/templates/redlib.yaml b/dmz/internalproxy/templates/redlib.yaml new file mode 100644 index 0000000..43b54fb --- /dev/null +++ b/dmz/internalproxy/templates/redlib.yaml @@ -0,0 +1,74 @@ +#apiVersion: v1 +#kind: Service +#metadata: +# name: redlib +#spec: +# ports: +# - name: app +# port: 8082 +# protocol: TCP +# targetPort: 8082 +# clusterIP: None +# type: ClusterIP +# +#--- +# +#apiVersion: v1 +#kind: Endpoints +#metadata: +# name: redlib +#subsets: +#- addresses: +# - ip: 192.168.21.200 +# ports: +# - name: app +# port: 8082 +# protocol: TCP +# +#--- +# +#apiVersion: traefik.io/v1alpha1 +#kind: IngressRoute +#metadata: +# name: redlib-ingress +#spec: +# entryPoints: +# - websecure +# routes: +# - match: Host(`redlib.durp.info`) && PathPrefix(`/`) +# middlewares: +# - name: authentik-proxy-provider +# namespace: traefik +# kind: Rule +# services: +# - name: redlib +# port: 8082 +# tls: +# secretName: redlib-tls +# +#--- +# +#apiVersion: cert-manager.io/v1 +#kind: Certificate +#metadata: +# name: redlib-tls +#spec: +# secretName: redlib-tls +# issuerRef: +# name: letsencrypt-production +# kind: ClusterIssuer +# commonName: "redlib.durp.info" +# dnsNames: +# - "redlib.durp.info" +# +#--- +# +#kind: Service +#apiVersion: v1 +#metadata: +# name: redlib-external-dns +# annotations: +# external-dns.alpha.kubernetes.io/hostname: redlib.durp.info +#spec: +# type: ExternalName +# externalName: durp.info diff --git a/dmz/internalproxy/templates/registry.yaml b/dmz/internalproxy/templates/registry.yaml new file mode 100644 index 0000000..b9b6ed4 --- /dev/null +++ b/dmz/internalproxy/templates/registry.yaml @@ -0,0 +1,43 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: registry-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`registry.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: whitelist + namespace: traefik + services: + - name: unraid + port: 5000 + tls: + secretName: registry-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: registry-tls +spec: + secretName: registry-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "registry.durp.info" + dnsNames: + - "registry.durp.info" + +--- +#kind: Service +#apiVersion: v1 +#metadata: +# name: registry-external-dns +# annotations: +# external-dns.alpha.kubernetes.io/hostname: registry.durp.info +#spec: +# type: ExternalName +# externalName: durp.info diff --git a/dmz/internalproxy/templates/root-vault.yaml b/dmz/internalproxy/templates/root-vault.yaml new file mode 100644 index 0000000..76d4b94 --- /dev/null +++ b/dmz/internalproxy/templates/root-vault.yaml @@ -0,0 +1,33 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: root-vault-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`root-vault.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: unraid + port: 8201 + scheme: https + tls: + secretName: root-vault-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: root-vault-tls +spec: + secretName: root-vault-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "root-vault.internal.durp.info" + dnsNames: + - "root-vault.internal.durp.info" diff --git a/dmz/internalproxy/templates/s3.yaml b/dmz/internalproxy/templates/s3.yaml new file mode 100644 index 0000000..5bf203e --- /dev/null +++ b/dmz/internalproxy/templates/s3.yaml @@ -0,0 +1,80 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: s3-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`s3.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: unraid + port: 9768 + scheme: http + tls: + secretName: s3-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: s3-tls +spec: + secretName: s3-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "s3.internal.durp.info" + dnsNames: + - "s3.internal.durp.info" + +--- + +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: s3-ingress-external +spec: + entryPoints: + - websecure + routes: + - match: Host(`s3.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 9768 + scheme: http + tls: + secretName: s3-external-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: s3-external-tls +spec: + secretName: s3-external-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "s3.durp.info" + dnsNames: + - "s3.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: s3-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: s3.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/semaphore.yaml b/dmz/internalproxy/templates/semaphore.yaml new file mode 100644 index 0000000..145d1ca --- /dev/null +++ b/dmz/internalproxy/templates/semaphore.yaml @@ -0,0 +1,65 @@ +# +#apiVersion: v1 +#kind: Service +#metadata: +# name: semaphore +#spec: +# ports: +# - name: app +# port: 3001 +# protocol: TCP +# targetPort: 3001 +# clusterIP: None +# type: ClusterIP +# +#--- +# +#apiVersion: v1 +#kind: Endpoints +#metadata: +# name: semaphore +#subsets: +# - addresses: +# - ip: 192.168.21.200 +# ports: +# - name: app +# port: 3001 +# protocol: TCP +# +#--- +# +#apiVersion: traefik.io/v1alpha1 +#kind: IngressRoute +#metadata: +# name: semaphore-ingress +#spec: +# entryPoints: +# - websecure +# routes: +# - match: Host(`semaphore.internal.durp.info`) && PathPrefix(`/`) +# middlewares: +# - name: whitelist +# namespace: traefik +# kind: Rule +# services: +# - name: semaphore +# port: 3001 +# scheme: http +# tls: +# secretName: semaphore-tls +# +#--- +# +#apiVersion: cert-manager.io/v1 +#kind: Certificate +#metadata: +# name: semaphore-tls +#spec: +# secretName: semaphore-tls +# issuerRef: +# name: vault-issuer +# kind: ClusterIssuer +# commonName: "semaphore.internal.durp.info" +# dnsNames: +# - "semaphore.internal.durp.info" +# \ No newline at end of file diff --git a/dmz/internalproxy/templates/serviceaccount.yaml b/dmz/internalproxy/templates/serviceaccount.yaml new file mode 100644 index 0000000..ddac6a5 --- /dev/null +++ b/dmz/internalproxy/templates/serviceaccount.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/internalproxy/templates/smokeping.yaml b/dmz/internalproxy/templates/smokeping.yaml similarity index 56% rename from internalproxy/templates/smokeping.yaml rename to dmz/internalproxy/templates/smokeping.yaml index 8a76738..9808876 100644 --- a/internalproxy/templates/smokeping.yaml +++ b/dmz/internalproxy/templates/smokeping.yaml @@ -1,33 +1,4 @@ -apiVersion: v1 -kind: Service -metadata: - name: smokeping -spec: - ports: - - name: app - port: 81 - protocol: TCP - targetPort: 81 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: smokeping -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 81 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: smokeping-ingress @@ -43,19 +14,12 @@ spec: namespace: traefik kind: Rule services: - - name: smokeping + - name: unraid port: 81 - - match: Host(`smokeping.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) - kind: Rule - services: - - name: ak-outpost-authentik-embedded-outpost - namespace: authentik - port: 9000 tls: secretName: smokeping-tls --- - apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -70,7 +34,6 @@ spec: - "smokeping.durp.info" --- - kind: Service apiVersion: v1 metadata: @@ -79,4 +42,4 @@ metadata: external-dns.alpha.kubernetes.io/hostname: smokeping.durp.info spec: type: ExternalName - externalName: durp.info \ No newline at end of file + externalName: durp.info diff --git a/dmz/internalproxy/templates/speedtest.yaml b/dmz/internalproxy/templates/speedtest.yaml new file mode 100644 index 0000000..c75d3a6 --- /dev/null +++ b/dmz/internalproxy/templates/speedtest.yaml @@ -0,0 +1,74 @@ +#apiVersion: v1 +#kind: Service +#metadata: +# name: speedtest +#spec: +# ports: +# - name: app +# port: 6580 +# protocol: TCP +# targetPort: 6580 +# clusterIP: None +# type: ClusterIP +# +#--- +# +#apiVersion: v1 +#kind: Endpoints +#metadata: +# name: speedtest +#subsets: +#- addresses: +# - ip: 192.168.21.200 +# ports: +# - name: app +# port: 6580 +# protocol: TCP +# +#--- +# +#apiVersion: traefik.io/v1alpha1 +#kind: IngressRoute +#metadata: +# name: speedtest-ingress +#spec: +# entryPoints: +# - websecure +# routes: +# - match: Host(`speedtest.durp.info`) && PathPrefix(`/`) +# kind: Rule +# middlewares: +# - name: authentik-proxy-provider +# namespace: traefik +# services: +# - name: speedtest +# port: 6580 +# tls: +# secretName: speedtest-tls +# +#--- +# +#apiVersion: cert-manager.io/v1 +#kind: Certificate +#metadata: +# name: speedtest-tls +#spec: +# secretName: speedtest-tls +# issuerRef: +# name: letsencrypt-production +# kind: ClusterIssuer +# commonName: "speedtest.durp.info" +# dnsNames: +# - "speedtest.durp.info" +# +#--- +# +#kind: Service +#apiVersion: v1 +#metadata: +# name: speedtest-external-dns +# annotations: +# external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info +#spec: +# type: ExternalName +# externalName: durp.info diff --git a/internalproxy/templates/tdarr.yaml b/dmz/internalproxy/templates/tdarr.yaml similarity index 61% rename from internalproxy/templates/tdarr.yaml rename to dmz/internalproxy/templates/tdarr.yaml index c4403b9..35b9485 100644 --- a/internalproxy/templates/tdarr.yaml +++ b/dmz/internalproxy/templates/tdarr.yaml @@ -1,33 +1,4 @@ -apiVersion: v1 -kind: Service -metadata: - name: tdarr -spec: - ports: - - name: app - port: 8267 - protocol: TCP - targetPort: 8267 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: tdarr -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 8267 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: tdarr-ingress @@ -45,7 +16,7 @@ spec: namespace: traefik kind: Rule services: - - name: tdarr + - name: unraid port: 8267 scheme: http tls: @@ -60,7 +31,7 @@ metadata: spec: secretName: tdarr-tls issuerRef: - name: letsencrypt-production + name: vault-issuer kind: ClusterIssuer commonName: "tdarr.internal.durp.info" dnsNames: diff --git a/dmz/internalproxy/templates/unifi.yaml b/dmz/internalproxy/templates/unifi.yaml new file mode 100644 index 0000000..d33a8af --- /dev/null +++ b/dmz/internalproxy/templates/unifi.yaml @@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: unifi +spec: + ports: + - name: app + port: 443 + protocol: TCP + targetPort: 443 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: unifi +subsets: + - addresses: + - ip: 192.168.98.1 + ports: + - name: app + port: 443 + protocol: TCP + +--- + +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: unifi-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`unifi.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: unifi + port: 443 + scheme: https + tls: + secretName: unifi-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: unifi-tls +spec: + secretName: unifi-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "unifi.internal.durp.info" + dnsNames: + - "unifi.internal.durp.info" diff --git a/dmz/internalproxy/templates/unraid.yaml b/dmz/internalproxy/templates/unraid.yaml new file mode 100644 index 0000000..10e1015 --- /dev/null +++ b/dmz/internalproxy/templates/unraid.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: unraid-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`unraid.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: unraid + port: 443 + scheme: https + tls: + secretName: unraid-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: unraid-tls +spec: + secretName: unraid-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "unraid.internal.durp.info" + dnsNames: + - "unraid.internal.durp.info" diff --git a/dmz/istio-system/Chart.yaml b/dmz/istio-system/Chart.yaml new file mode 100644 index 0000000..dfc92b1 --- /dev/null +++ b/dmz/istio-system/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v2 +name: istio-system +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: + - name: base + repository: https://istio-release.storage.googleapis.com/charts + version: 1.29.0 + - name: istiod + repository: https://istio-release.storage.googleapis.com/charts + version: 1.26.2 + - name: gateway + repository: https://istio-release.storage.googleapis.com/charts + version: 1.26.2 \ No newline at end of file diff --git a/dmz/istio-system/templates/annotate.yaml b/dmz/istio-system/templates/annotate.yaml new file mode 100644 index 0000000..620b2af --- /dev/null +++ b/dmz/istio-system/templates/annotate.yaml @@ -0,0 +1,14 @@ +#apiVersion: v1 +#kind: Namespace +#metadata: +# annotations: +# topology.istio.io/controlPlaneClusters: cluster1 +# labels: +# kubernetes.io/metadata.name: istio-system +# name: istio-system +#spec: +# finalizers: +# - kubernetes +#status: +# phase: Active +# \ No newline at end of file diff --git a/dmz/istio-system/templates/expose.yaml b/dmz/istio-system/templates/expose.yaml new file mode 100644 index 0000000..eb693e0 --- /dev/null +++ b/dmz/istio-system/templates/expose.yaml @@ -0,0 +1,16 @@ +apiVersion: networking.istio.io/v1 +kind: Gateway +metadata: + name: cross-network-gateway +spec: + selector: + istio: eastwestgateway + servers: + - port: + number: 15443 + name: tls + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - "*.local" diff --git a/dmz/istio-system/values.yaml b/dmz/istio-system/values.yaml new file mode 100644 index 0000000..5778ed0 --- /dev/null +++ b/dmz/istio-system/values.yaml @@ -0,0 +1,10 @@ +istiod: + global: + network: network2 + meshID: mesh1 + multiCluster: + clusterName: dmz + +gateway: + name: istio-eastwestgateway + networkGateway: network2 \ No newline at end of file diff --git a/dmz/littlelink/Chart.yaml b/dmz/littlelink/Chart.yaml new file mode 100644 index 0000000..e69de29 diff --git a/littlelink/templates/deployment.yaml b/dmz/littlelink/templates/deployment.yaml similarity index 84% rename from littlelink/templates/deployment.yaml rename to dmz/littlelink/templates/deployment.yaml index b713b86..6d31068 100644 --- a/littlelink/templates/deployment.yaml +++ b/dmz/littlelink/templates/deployment.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: littlelink - image: registry.internal.durp.info/techno-tim/littlelink-server:latest + image: registry.durp.info/techno-tim/littlelink-server:latest imagePullPolicy: Always livenessProbe: httpGet: @@ -65,11 +65,13 @@ spec: - name : BIO value: Sup Nerd, - name : BUTTON_ORDER - value: GITHUB,GITLAB,YOUTUBE,TWITTER,COFFEE,EMAIL + value: GITHUB,GITLAB,YOUTUBE,INSTAGRAM,TWITTER,BLUESKY,COFFEE,EMAIL - name : TWITTER value: https://twitter.com/developerdurp - name : GITHUB value: https://github.com/DeveloperDurp + - name: INSTAGRAM + value: https://instagram.com/developerdurp - name : GITLAB value: https://gitlab.com/developerdurp - name: YOUTUBE @@ -81,17 +83,17 @@ spec: - name : FOOTER value: DeveloperDurp © 2022 - name: CUSTOM_BUTTON_TEXT - value: BuyMeACoffee + value: BuyMeACoffee,BlueSky - name: CUSTOM_BUTTON_URL - value: https://www.buymeacoffee.com/DeveloperDurp + value: https://www.buymeacoffee.com/DeveloperDurp,https://bsky.app/profile/durp.info - name: CUSTOM_BUTTON_COLOR - value: '#ffdd00' + value: '#ffdd00,#1185fe' - name: CUSTOM_BUTTON_TEXT_COLOR - value: '#000000' + value: '#000000,#FFFFFF' - name: CUSTOM_BUTTON_ALT_TEXT - value: Support + value: Support,BlueSky - name: CUSTOM_BUTTON_NAME - value: COFFEE + value: COFFEE,BLUESKY - name: CUSTOM_BUTTON_ICON value: fa-solid fa-cup-togo ports: diff --git a/littlelink/templates/ingress.yaml b/dmz/littlelink/templates/ingress.yaml similarity index 94% rename from littlelink/templates/ingress.yaml rename to dmz/littlelink/templates/ingress.yaml index 194f31e..9590fc5 100644 --- a/littlelink/templates/ingress.yaml +++ b/dmz/littlelink/templates/ingress.yaml @@ -1,4 +1,4 @@ -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: littlelink-ingress diff --git a/littlelink/templates/service.yaml b/dmz/littlelink/templates/service.yaml similarity index 100% rename from littlelink/templates/service.yaml rename to dmz/littlelink/templates/service.yaml diff --git a/longhorn/Chart.yaml b/dmz/longhorn/Chart.yaml similarity index 92% rename from longhorn/Chart.yaml rename to dmz/longhorn/Chart.yaml index b7b6417..c699fa5 100644 --- a/longhorn/Chart.yaml +++ b/dmz/longhorn/Chart.yaml @@ -9,4 +9,4 @@ appVersion: "1.16.0" dependencies: - name: longhorn repository: https://charts.longhorn.io - version: 1.3.2 + version: 1.9.0 diff --git a/dmz/longhorn/templates/ingress.yaml b/dmz/longhorn/templates/ingress.yaml new file mode 100644 index 0000000..7067a2d --- /dev/null +++ b/dmz/longhorn/templates/ingress.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: longhorn-ingress + annotations: + cert-manager.io/cluster-issuer: vault-issuer +spec: + entryPoints: + - websecure + routes: + - match: Host(`longhorn.dmz.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: authentik-proxy-provider + namespace: traefik + services: + - name: longhorn-frontend + port: 80 + tls: + secretName: longhorn-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: longhorn-tls +spec: + secretName: longhorn-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "longhorn.dmz.durp.info" + dnsNames: + - "longhorn.dmz.durp.info" diff --git a/longhorn/templates/secrets.yaml b/dmz/longhorn/templates/secrets.yaml similarity index 70% rename from longhorn/templates/secrets.yaml rename to dmz/longhorn/templates/secrets.yaml index c10ab89..e3d18af 100644 --- a/longhorn/templates/secrets.yaml +++ b/dmz/longhorn/templates/secrets.yaml @@ -1,5 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault -apiVersion: external-secrets.io/v1beta1 +--- + +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: external-longhorn-backup-token-secret @@ -12,13 +18,13 @@ spec: data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: - key: secrets/longhorn/backup + key: kv/longhorn/backup property: AWS_ACCESS_KEY_ID - secretKey: AWS_ENDPOINTS remoteRef: - key: secrets/longhorn/backup + key: kv/longhorn/backup property: AWS_ENDPOINTS - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: - key: secrets/longhorn/backup + key: kv/longhorn/backup property: AWS_SECRET_ACCESS_KEY diff --git a/longhorn/values.yaml b/dmz/longhorn/values.yaml similarity index 66% rename from longhorn/values.yaml rename to dmz/longhorn/values.yaml index 5343300..e34a1ee 100644 --- a/longhorn/values.yaml +++ b/dmz/longhorn/values.yaml @@ -1,8 +1,4 @@ longhorn: - - # Default values for longhorn. - # This is a YAML-formatted file. - # Declare variables to be passed into your templates. global: cattle: systemDefaultRegistry: "" @@ -49,7 +45,7 @@ longhorn: defaultFsType: ext4 defaultClassReplicaCount: 3 defaultDataLocality: disabled # best-effort otherwise - reclaimPolicy: Retain + reclaimPolicy: Delete migratable: false recurringJobSelector: enable: true @@ -57,7 +53,7 @@ longhorn: { "name":"backup", "task":"backup", - "cron":"0 */6 * * *", + "cron":"0 0 * * *", "retain":24 } ]' @@ -76,7 +72,7 @@ longhorn: snapshotterReplicaCount: ~ defaultSettings: - backupTarget: S3://longhorn@us-east-1/ + backupTarget: S3://longhorn-master@us-east-1/ backupTargetCredentialSecret: longhorn-backup-token-secret allowRecurringJobWhileVolumeDetached: ~ createDefaultDiskLabeledNodes: ~ @@ -181,65 +177,8 @@ longhorn: # ingress: - ## Set to true to enable ingress record generation enabled: false - ## Add ingressClassName to the Ingress - ## Can replace the kubernetes.io/ingress.class annotation on v1.18+ - ingressClassName: nginx - - host: longhorn.internal.durp.info - - ## Set this to true in order to enable TLS on the ingress record - ## A side effect of this will be that the backend service will be connected at port 443 - tls: - - secretName: longhorn-tls - hosts: - - longhorn.internal.durp.info - - ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS - tlsSecret: longhorn-tls - - ## If ingress is enabled you can set the default ingress path - ## then you can access the UI by using the following full path {{host}}+{{path}} - path: / - - ## Ingress annotations done as key:value pairs - ## If you're using kube-lego, you will want to add: - ## kubernetes.io/tls-acme: true - ## - ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md - ## - ## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set - annotations: - cert-manager.io/cluster-issuer: letsencrypt-production - nginx.ingress.kubernetes.io/auth-url: |- - http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx - nginx.ingress.kubernetes.io/auth-signin: |- - https://longhorn.internal.durp.info/outpost.goauthentik.io/start?rd=$escaped_request_uri - nginx.ingress.kubernetes.io/auth-response-headers: |- - Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Host $http_host; - - secrets: - ## If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using kube-lego, this is unneeded, as it will create the secret for you if it is not set - ## - ## It is also possible to create and manage the certificates outside of this helm chart - ## Please see README.md for more information - # - name: longhorn.local-tls - # key: - # certificate: - - # Configure a pod security policy in the Longhorn namespace to allow privileged pods - enablePSP: true - ## Specify override namespace, specifically this is useful for using longhorn as sub-chart ## and its release namespace is not the `longhorn-system` namespaceOverride: "" diff --git a/dmz/metallb-system/Chart.yaml b/dmz/metallb-system/Chart.yaml new file mode 100644 index 0000000..c92e842 --- /dev/null +++ b/dmz/metallb-system/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: metallb-system +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: +- name: metallb + repository: https://metallb.github.io/metallb + version: 0.15.2 diff --git a/dmz/metallb-system/templates/config.yaml b/dmz/metallb-system/templates/config.yaml new file mode 100644 index 0000000..f08a885 --- /dev/null +++ b/dmz/metallb-system/templates/config.yaml @@ -0,0 +1,17 @@ +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: cheap +spec: + addresses: + - 192.168.98.130-192.168.98.140 +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: pool + namespace: metallb-system +spec: + ipAddressPools: + - cheap + diff --git a/dmz/metallb-system/values.yaml b/dmz/metallb-system/values.yaml new file mode 100644 index 0000000..e69de29 diff --git a/nfs-client/Chart.yml b/dmz/openspeedtest/Chart.yaml similarity index 84% rename from nfs-client/Chart.yml rename to dmz/openspeedtest/Chart.yaml index 217f2c1..c8f712e 100644 --- a/nfs-client/Chart.yml +++ b/dmz/openspeedtest/Chart.yaml @@ -1,8 +1,7 @@ apiVersion: v2 -name: nfs-client +name: openspeedtest description: A Helm chart for Kubernetes type: application version: 0.1.0 appVersion: "1.16.0" - diff --git a/dmz/openspeedtest/templates/deployment.yaml b/dmz/openspeedtest/templates/deployment.yaml new file mode 100644 index 0000000..062de32 --- /dev/null +++ b/dmz/openspeedtest/templates/deployment.yaml @@ -0,0 +1,33 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: openspeedtest + name: openspeedtest + labels: + app: openspeedtest +spec: + selector: + matchLabels: + app: openspeedtest + replicas: 1 + template: + metadata: + labels: + app: openspeedtest + spec: + containers: + - name: openspeedtest + image: registry.durp.info/openspeedtest/latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: / + port: 3000 + readinessProbe: + httpGet: + path: / + port: 3000 + env: + ports: + - name: http + containerPort: 3000 diff --git a/internalproxy/templates/speedtest.yaml b/dmz/openspeedtest/templates/ingress.yaml similarity index 50% rename from internalproxy/templates/speedtest.yaml rename to dmz/openspeedtest/templates/ingress.yaml index e034917..063a751 100644 --- a/internalproxy/templates/speedtest.yaml +++ b/dmz/openspeedtest/templates/ingress.yaml @@ -1,36 +1,7 @@ -apiVersion: v1 -kind: Service -metadata: - name: speedtest -spec: - ports: - - name: app - port: 6580 - protocol: TCP - targetPort: 6580 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: speedtest -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 6580 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: - name: speedtest-ingress + name: openspeedtest-ingress spec: entryPoints: - websecure @@ -39,21 +10,22 @@ spec: kind: Rule middlewares: - name: authentik-proxy-provider - namespace: traefik + namespace: traefik + - name: limit-buffering services: - - name: speedtest - port: 6580 + - name: openspeedtest + port: 3000 tls: - secretName: speedtest-tls + secretName: openspeedtest-tls --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: speedtest-tls + name: openspeedtest-tls spec: - secretName: speedtest-tls + secretName: openspeedtest-tls issuerRef: name: letsencrypt-production kind: ClusterIssuer @@ -66,9 +38,19 @@ spec: kind: Service apiVersion: v1 metadata: - name: speedtest-external-dns + name: openspeedtest-external-dns annotations: external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info spec: type: ExternalName - externalName: durp.info \ No newline at end of file + externalName: durp.info + +--- + +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: limit-buffering +spec: + buffering: + maxRequestBodyBytes: 10000000000 diff --git a/dmz/openspeedtest/templates/service.yaml b/dmz/openspeedtest/templates/service.yaml new file mode 100644 index 0000000..c31f9b5 --- /dev/null +++ b/dmz/openspeedtest/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: openspeedtest +spec: + ports: + - name: http + port: 3000 + targetPort: 3000 + protocol: TCP + selector: + app: openspeedtest diff --git a/open-webui/Chart.yaml b/dmz/redlib/Chart.yaml similarity index 86% rename from open-webui/Chart.yaml rename to dmz/redlib/Chart.yaml index 1561d60..ef0a939 100644 --- a/open-webui/Chart.yaml +++ b/dmz/redlib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: open-webui +name: redlib description: A Helm chart for Kubernetes type: application diff --git a/dmz/redlib/templates/deployment.yaml b/dmz/redlib/templates/deployment.yaml new file mode 100644 index 0000000..c09a144 --- /dev/null +++ b/dmz/redlib/templates/deployment.yaml @@ -0,0 +1,33 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: redlib + name: redlib + labels: + app: redlib +spec: + selector: + matchLabels: + app: redlib + replicas: 1 + template: + metadata: + labels: + app: redlib + spec: + containers: + - name: redlib + image: registry.durp.info/redlib/redlib:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: / + port: 8080 + readinessProbe: + httpGet: + path: / + port: 8080 + env: + ports: + - name: http + containerPort: 8080 diff --git a/dmz/redlib/templates/ingress.yaml b/dmz/redlib/templates/ingress.yaml new file mode 100644 index 0000000..b2cc4e3 --- /dev/null +++ b/dmz/redlib/templates/ingress.yaml @@ -0,0 +1,43 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: redlib-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`redlib.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: authentik-proxy-provider + namespace: traefik + services: + - name: redlib + port: 8080 + tls: + secretName: redlib-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: redlib-tls +spec: + secretName: redlib-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "redlib.durp.info" + dnsNames: + - "redlib.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: redlib-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: redlib.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/open-webui/templates/service.yaml b/dmz/redlib/templates/service.yaml similarity index 67% rename from open-webui/templates/service.yaml rename to dmz/redlib/templates/service.yaml index cd93455..36c50c5 100644 --- a/open-webui/templates/service.yaml +++ b/dmz/redlib/templates/service.yaml @@ -1,12 +1,12 @@ apiVersion: v1 kind: Service metadata: - name: open-webui + name: redlib spec: ports: - name: http port: 8080 targetPort: 8080 - protocol: TCP + protocol: TCP selector: - app: open-webui + app: redlib diff --git a/dmz/redlib/values.yaml b/dmz/redlib/values.yaml new file mode 100644 index 0000000..e69de29 diff --git a/dmz/searxng/Chart.yaml b/dmz/searxng/Chart.yaml new file mode 100644 index 0000000..263432f --- /dev/null +++ b/dmz/searxng/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: latest +description: SearXNG is a free internet metasearch engine which aggregates results from various search services and databases. +name: searxng +version: 1.0.1 +#dependencies: +# - name: common +# repository: https://library-charts.k8s-at-home.com +# version: 4.4.2 +# \ No newline at end of file diff --git a/dmz/searxng/templates/confligmap.yaml b/dmz/searxng/templates/confligmap.yaml new file mode 100644 index 0000000..edc1ca6 --- /dev/null +++ b/dmz/searxng/templates/confligmap.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: searxng-config +data: + settings.yml: |- + use_default_settings: true + search: + formats: + - html + - json diff --git a/dmz/searxng/templates/deployment.yaml b/dmz/searxng/templates/deployment.yaml new file mode 100644 index 0000000..e1677ed --- /dev/null +++ b/dmz/searxng/templates/deployment.yaml @@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: searxng + name: searxng + labels: + app: searxng +spec: + selector: + matchLabels: + app: searxng + replicas: 1 + template: + metadata: + labels: + app: searxng + spec: + containers: + - name: searxng + image: registry.durp.info/searxng/searxng:latest + imagePullPolicy: Always + ports: + - name: http + containerPort: 8080 + env: + - name: SEARXNG_BASE_URL + value: https://searxng.durp.info + - name: SEARXNG_SECRET + valueFrom: + secretKeyRef: + name: searxng-secret + key: SEARXNG_SECRET + volumeMounts: + - name: searxng-config-volume + mountPath: /etc/searxng/settings.yml + subPath: settings.yml + volumes: + - name: searxng-config-volume + configMap: + name: searxng-config diff --git a/dmz/searxng/templates/ingress.yaml b/dmz/searxng/templates/ingress.yaml new file mode 100644 index 0000000..ab8b641 --- /dev/null +++ b/dmz/searxng/templates/ingress.yaml @@ -0,0 +1,76 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: searxng-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`searxng.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: authentik-proxy-provider + namespace: traefik + services: + - name: searxng-service + port: 8080 + tls: + secretName: searxng-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: searxng-tls +spec: + secretName: searxng-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "searxng.durp.info" + dnsNames: + - "searxng.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: searxng-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: searxng.durp.info +spec: + type: ExternalName + externalName: durp.info + +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: searxng-internal-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`searxng.internal.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: searxng-service + port: 8080 + tls: + secretName: searxng-internal-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: searxng-internal-tls +spec: + secretName: searxng-internal-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "searxng.internal.durp.info" + dnsNames: + - "searxng.internal.durp.info" diff --git a/dmz/searxng/templates/secret.yaml b/dmz/searxng/templates/secret.yaml new file mode 100644 index 0000000..6d4781b --- /dev/null +++ b/dmz/searxng/templates/secret.yaml @@ -0,0 +1,23 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: searxng-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: searxng-secret + data: + - secretKey: SEARXNG_SECRET + remoteRef: + key: kv/searxng + property: searxng-secret + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + diff --git a/dmz/searxng/templates/service.yaml b/dmz/searxng/templates/service.yaml new file mode 100644 index 0000000..8498428 --- /dev/null +++ b/dmz/searxng/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: searxng-service +spec: + ports: + - name: http + port: 8080 + targetPort: 8080 + protocol: TCP + selector: + app: searxng diff --git a/dmz/searxng/values.yaml b/dmz/searxng/values.yaml new file mode 100644 index 0000000..0f92a3b --- /dev/null +++ b/dmz/searxng/values.yaml @@ -0,0 +1,83 @@ +# +# IMPORTANT NOTE +# +# This chart inherits from our common library chart. You can check the default values/options here: +# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml +# + +image: + # -- image repository + repository: registry.durp.info/searxng/searxng + # -- image tag + tag: latest + # -- image pull policy + pullPolicy: Always + +# Explanation about each environment variables here: +# https://docs.searxng.org/admin/installation-docker.html#command-line +env: + INSTANCE_NAME: "durp.info" + BASE_URL: "https://searx.durp.info" + AUTOCOMPLETE: "false" + # MORTY_URL: "http://morty:8080" + # MORTY_KEY: "mysecretkey" + # BIND_ADDRESS: "0.0.0.0:8080" + +controller: + strategy: "RollingUpdate" + +# -- Configures service settings for the chart. +# @default -- See values.yaml +service: + main: + ports: + http: + port: 8080 + +# -- Configure persistence settings for the chart under this key. +# @default -- See values.yaml +persistence: + config: + enabled: false + +ingress: + # -- Enable and configure ingress settings for the chart under this key. + # @default -- See values.yaml + main: + enabled: false + +searxng: + config: + use_default_settings: true + #server: + # secret_key: pleasechangeme + # Uncomment when using the builtin rate limiter + # See https://docs.searxng.org/src/searx.plugins.limiter.html#limiter-plugin + # server.limiter: true + # redis.url: redis://@searxng-redis:6379/0 + +probes: + readiness: + custom: true + spec: + httpGet: + path: /healthz + port: 8080 + liveness: + custom: true + spec: + httpGet: + path: /healthz + port: 8080 + startup: + custom: true + spec: + httpGet: + path: /healthz + port: 8080 + +# Enable when using searxng builtin rate limiter +# Values: https://github.com/pascaliske/helm-charts/tree/master/charts/redis +redis: + enabled: false + \ No newline at end of file diff --git a/heimdall/Chart.yaml b/dmz/traefik/Chart.yaml similarity index 55% rename from heimdall/Chart.yaml rename to dmz/traefik/Chart.yaml index 8351778..1df1d76 100644 --- a/heimdall/Chart.yaml +++ b/dmz/traefik/Chart.yaml @@ -1,11 +1,11 @@ apiVersion: v2 -name: heimdall +name: traefik description: A Helm chart for Kubernetes type: application version: 0.0.1 appVersion: 0.0.1 dependencies: -- name: heimdall - repository: https://djjudas21.github.io/charts/ - version: 8.5.2 +- name: traefik + repository: https://traefik.github.io/charts + version: 34.5.0 diff --git a/dmz/traefik/templates/config.yaml b/dmz/traefik/templates/config.yaml new file mode 100644 index 0000000..06a9d11 --- /dev/null +++ b/dmz/traefik/templates/config.yaml @@ -0,0 +1,16 @@ +#apiVersion: v1 +#kind: ConfigMap +#metadata: +# name: traefik-configmap +#data: +# config.yml: | +# http: +# routers: +# router0: +# service: service0 +# rule: Host(`testing.durp.info`) +# services: +# service0: +# loadBalancer: +# servers: +# - url: https://192.168.20.130 diff --git a/dmz/traefik/templates/middleware.yaml b/dmz/traefik/templates/middleware.yaml new file mode 100644 index 0000000..2dad3ee --- /dev/null +++ b/dmz/traefik/templates/middleware.yaml @@ -0,0 +1,54 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: authentik-proxy-provider + namespace: traefik +spec: + forwardAuth: + address: http://ak-outpost-authentik-dmz-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version + +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: whitelist + namespace: traefik +spec: + ipWhiteList: + sourceRange: + - 192.168.0.0/16 + - 172.16.0.0/12 + - 10.0.0.0/8 + +--- +#apiVersion: traefik.io/v1alpha1 +#kind: Middleware +#metadata: +# name: bouncer +# namespace: traefik +#spec: +# plugin: +# bouncer: +# enabled: true +# crowdsecMode: stream +# crowdsecLapiScheme: https +# crowdsecLapiTLSInsecureVerify: true +# crowdsecLapiHost: crowdsec-service.crowdsec:8080 +# crowdsecLapiKey: +# valueFrom: +# secretKeyRef: +# name: crowdsec-lapi-key +# key: lapi-key diff --git a/dmz/traefik/templates/secrets.yaml b/dmz/traefik/templates/secrets.yaml new file mode 100644 index 0000000..413afbe --- /dev/null +++ b/dmz/traefik/templates/secrets.yaml @@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: crowdsec-lapi-key +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: crowdsec-lapi-key + data: + - secretKey: lapi-key + remoteRef: + key: kv/crowdsec/api + property: key + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/dmz/traefik/templates/traefik-dashboard.yaml b/dmz/traefik/templates/traefik-dashboard.yaml new file mode 100644 index 0000000..539c911 --- /dev/null +++ b/dmz/traefik/templates/traefik-dashboard.yaml @@ -0,0 +1,35 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`traefik.dmz.durp.info`) + kind: Rule + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + services: + - name: api@internal + kind: TraefikService + tls: + secretName: traefik-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: traefik-tls + namespace: traefik +spec: + secretName: traefik-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "traefik.dmz.durp.info" + dnsNames: + - "traefik.dmz.durp.info" diff --git a/dmz/traefik/values.yaml b/dmz/traefik/values.yaml new file mode 100644 index 0000000..c762b94 --- /dev/null +++ b/dmz/traefik/values.yaml @@ -0,0 +1,67 @@ +traefik: + image: + # registry: registry.durp.info + # repository: traefik + pullPolicy: Always + + providers: + kubernetesCRD: + allowCrossNamespace: true + allowExternalNameServices: true + allowEmptyServices: false + + deployment: + replicas: 3 + revisionHistoryLimit: 1 + + # volumes: + # - name: traefik-configmap + # mountPath: "/config" + # type: configMap + + ingressRoute: + dashboard: + enabled: true + + ports: + gitlab-ssh: + port: 9022 + expose: + default: true + exposedPort: 9022 + + additionalArguments: + # - "--providers.file.filename=/config/config.yml" + - "--serversTransport.insecureSkipVerify=true" + - "--log.level=DEBUG" + - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin + - --experimental.plugins.jwt.version=v0.7.0 + - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin + - --experimental.plugins.bouncer.version=v1.4.2 + + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + policies: + - type: Pods + value: 1 + periodSeconds: 60 + + # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. + resources: + requests: + cpu: "100m" + memory: "512Mi" + limits: + memory: "512Mi" diff --git a/dmz/vault/Chart.yaml b/dmz/vault/Chart.yaml new file mode 100644 index 0000000..412c292 --- /dev/null +++ b/dmz/vault/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: vault +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: vault + repository: https://helm.releases.hashicorp.com + version: 0.30.0 + diff --git a/dmz/vault/templates/secret-store.yaml b/dmz/vault/templates/secret-store.yaml new file mode 100644 index 0000000..c48e52f --- /dev/null +++ b/dmz/vault/templates/secret-store.yaml @@ -0,0 +1,23 @@ +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: + name: vault +spec: + provider: + vault: + server: "https://vault.infra.durp.info" + path: "kv" + version: "v2" + auth: + kubernetes: + mountPath: "dmz-cluster" + role: "external-secrets" + serviceAccountRef: + name: "vault" + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/dmz/vault/values.yaml b/dmz/vault/values.yaml new file mode 100644 index 0000000..877d8fe --- /dev/null +++ b/dmz/vault/values.yaml @@ -0,0 +1,13 @@ +vault: + global: + enabled: true + tlsDisable: false + externalVaultAddr: "https://vault.infra.durp.info" + resources: + requests: + memory: 256Mi + cpu: 250m + limits: + memory: 256Mi + cpu: 250m + diff --git a/durpapi/templates/deployment.yaml b/durpapi/templates/deployment.yaml deleted file mode 100644 index 0f42dfb..0000000 --- a/durpapi/templates/deployment.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }} - labels: - app: {{ .Chart.Name }} -spec: - revisionHistoryLimit: 1 - selector: - matchLabels: - app: {{ .Chart.Name }} - replicas: {{ .Values.deployment.hpa.minReplicas }} - template: - metadata: - labels: - app: {{ .Chart.Name }} - spec: - containers: - - name: api - image: "{{ .Values.deployment.image }}:{{ default .Chart.Version .Values.deployment.tag }}" - imagePullPolicy: {{ .Values.deployment.imagePullPolicy }} - readinessProbe: - {{- toYaml .Values.deployment.probe.readiness | nindent 12 }} - livenessProbe: - {{- toYaml .Values.deployment.probe.liveness | nindent 12 }} - startupProbe: - {{- toYaml .Values.deployment.probe.startup | nindent 12 }} - ports: - - name: http - containerPort: {{ .Values.service.targetport }} - env: - - name: host - value: {{ .Values.swagger.host }} - - name: version - value: {{ default .Chart.Version .Values.deployment.tag }} - envFrom: - - secretRef: - name: {{ .Values.deployment.secretfile }} diff --git a/durpapi/templates/hpa.yaml b/durpapi/templates/hpa.yaml deleted file mode 100644 index 68d484d..0000000 --- a/durpapi/templates/hpa.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: "{{ .Chart.Name }}-hpa" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ .Chart.Name }} - minReplicas: {{ .Values.deployment.hpa.minReplicas }} - maxReplicas: {{ .Values.deployment.hpa.maxReplicas }} - metrics: - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: 80 - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 40 diff --git a/durpapi/templates/ingress.yaml b/durpapi/templates/ingress.yaml deleted file mode 100644 index bd268dd..0000000 --- a/durpapi/templates/ingress.yaml +++ /dev/null @@ -1,44 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: "{{ .Chart.Name }}-ingress" -spec: - entryPoints: - - websecure - routes: - - match: Host("api.durp.info") && PathPrefix(`/api`) - kind: Rule - middlewares: - - name: jwt - services: - - name: "durpapi-service" - port: 80 - ---- - -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: "{{ .Chart.Name }}-swagger" -spec: - entryPoints: - - websecure - routes: - - match: Host("api.durp.info") && PathPrefix(`/swagger`) - kind: Rule - services: - - name: "durpapi-service" - port: 80 - ---- - -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: jwt -spec: - plugin: - jwt: - Required: true - Keys: - - https://authentik.durp.info/application/o/api/jwks diff --git a/durpapi/templates/secrets.yaml b/durpapi/templates/secrets.yaml deleted file mode 100644 index 0157b5b..0000000 --- a/durpapi/templates/secrets.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: durpapi-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: durpapi-secret - data: - - secretKey: db_host - remoteRef: - key: secrets/durpapi/postgres - property: db_host - - secretKey: db_port - remoteRef: - key: secrets/durpapi/postgres - property: db_port - - secretKey: db_pass - remoteRef: - key: secrets/durpapi/postgres - property: db_pass - - secretKey: db_user - remoteRef: - key: secrets/durpapi/postgres - property: db_user - - secretKey: db_sslmode - remoteRef: - key: secrets/durpapi/postgres - property: db_sslmode - - secretKey: db_name - remoteRef: - key: secrets/durpapi/postgres - property: db_name - - secretKey: llamaurl - remoteRef: - key: secrets/durpapi/llamaurl - property: llamaurl \ No newline at end of file diff --git a/durpapi/templates/service.yaml b/durpapi/templates/service.yaml deleted file mode 100644 index 2cab669..0000000 --- a/durpapi/templates/service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ .Chart.Name }}-service" -spec: - ports: - - name: http - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.targetport }} - protocol: TCP - selector: - app: {{ .Chart.Name }} diff --git a/durpapi/values.yaml b/durpapi/values.yaml deleted file mode 100644 index 65f1b4c..0000000 --- a/durpapi/values.yaml +++ /dev/null @@ -1,39 +0,0 @@ -ingress: - enabled: false -deployment: - image: registry.internal.durp.info/developerdurp/durpapi - secretfile: durpapi-secret - imagePullPolicy: Always - hpa: - minReplicas: 3 - maxReplicas: 10 - probe: - readiness: - httpGet: - path: /api/health/gethealth - port: 8080 - liveness: - httpGet: - path: /api/health/gethealth - port: 8080 - startup: - httpGet: - path: /api/health/gethealth - port: 8080 -service: - type: ClusterIP - port: 80 - targetport: 8080 - -swagger: - host: api.durp.info -postgresql: - enabled: true - auth: - existingSecret: durpapi-secret - secretKeys: - adminPasswordKey: db_pass - userPasswordKey: db_pass - replicationPasswordKey: db_pass - database: postgres - username: postgres diff --git a/durpot/Chart.yaml b/durpot/Chart.yaml deleted file mode 100644 index c21a834..0000000 --- a/durpot/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: durpapi -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: durpot - repository: https://gitlab.com/api/v4/projects/45025485/packages/helm/stable - version: 0.1.0-dev0038 diff --git a/durpot/templates/secrets.yaml b/durpot/templates/secrets.yaml deleted file mode 100644 index 792f909..0000000 --- a/durpot/templates/secrets.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: durpot-secert -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: durpot-secret - data: - - secretKey: OPENAI_API_KEY - remoteRef: - key: secrets/durpot/openai - property: OPENAI_API_KEY - - secretKey: BOTPREFIX - remoteRef: - key: secrets/durpot/discord - property: BOTPREFIX - - secretKey: ChannelID - remoteRef: - key: secrets/durpot/discord - property: ChannelID - - secretKey: TOKEN - remoteRef: - key: secrets/durpot/discord - property: TOKEN - - secretKey: ClientID - remoteRef: - key: secrets/durpot/auth - property: ClientID - - secretKey: Password - remoteRef: - key: secrets/durpot/auth - property: Password - - secretKey: TokenURL - remoteRef: - key: secrets/durpot/auth - property: TokenURL - - secretKey: Username - remoteRef: - key: secrets/durpot/auth - property: Username diff --git a/external-secrets/values.yaml b/external-secrets/values.yaml deleted file mode 100644 index a720adb..0000000 --- a/external-secrets/values.yaml +++ /dev/null @@ -1,463 +0,0 @@ -external-secrets: - replicaCount: 3 - - # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) - revisionHistoryLimit: 10 - - image: - repository: ghcr.io/external-secrets/external-secrets - pullPolicy: Always - # -- The image tag to use. The default is the chart appVersion. - # There are different image flavours available, like distroless and ubi. - # Please see GitHub release notes for image tags for these flavors. - # By default the distroless image is used. - tag: "" - - # -- If set, install and upgrade CRDs through helm chart. - installCRDs: true - - crds: - # -- If true, create CRDs for Cluster External Secret. - createClusterExternalSecret: true - # -- If true, create CRDs for Cluster Secret Store. - createClusterSecretStore: true - # -- If true, create CRDs for Push Secret. - createPushSecret: true - annotations: {} - conversion: - enabled: true - - imagePullSecrets: [] - nameOverride: "" - fullnameOverride: "" - - # -- If true, external-secrets will perform leader election between instances to ensure no more - # than one instance of external-secrets operates at a time. - leaderElect: true - - # -- If set external secrets will filter matching - # Secret Stores with the appropriate controller values. - controllerClass: "" - - # -- If true external secrets will use recommended kubernetes - # annotations as prometheus metric labels. - extendedMetricLabels: false - - # -- If set external secrets are only reconciled in the - # provided namespace - scopedNamespace: "" - - # -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace - # and implicitly disable cluster stores and cluster external secrets - scopedRBAC: false - - # -- if true, the operator will process cluster external secret. Else, it will ignore them. - processClusterExternalSecret: true - - # -- if true, the operator will process cluster store. Else, it will ignore them. - processClusterStore: true - - # -- Specifies whether an external secret operator deployment be created. - createOperator: true - - # -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at - # a time. - concurrent: 1 - - serviceAccount: - # -- Specifies whether a service account should be created. - create: true - # -- Automounts the service account token in all containers of the pod - automount: true - # -- Annotations to add to the service account. - annotations: {} - # -- Extra Labels to add to the service account. - extraLabels: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - - rbac: - # -- Specifies whether role and rolebinding resources should be created. - create: true - - ## -- Extra environment variables to add to container. - extraEnv: [] - - ## -- Map of extra arguments to pass to container. - extraArgs: {} - - ## -- Extra volumes to pass to pod. - extraVolumes: [] - - ## -- Extra volumes to mount to the container. - extraVolumeMounts: [] - - ## -- Extra containers to add to the pod. - extraContainers: [] - - # -- Annotations to add to Deployment - deploymentAnnotations: {} - - # -- Annotations to add to Pod - podAnnotations: {} - - podLabels: {} - - podSecurityContext: {} - # fsGroup: 2000 - - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - - resources: {} - # requests: - # cpu: 10m - # memory: 32Mi - - prometheus: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead. - enabled: false - service: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead. - port: 8080 - - serviceMonitor: - # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics - enabled: false - - # -- namespace where you want to install ServiceMonitors - namespace: "" - - # -- Additional labels - additionalLabels: {} - - # -- Interval to scrape metrics - interval: 30s - - # -- Timeout if metrics can't be retrieved in given time interval - scrapeTimeout: 25s - - # -- Let prometheus add an exported_ prefix to conflicting labels - honorLabels: false - - # -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) - metricRelabelings: [] - # - action: replace - # regex: (.*) - # replacement: $1 - # sourceLabels: - # - exported_namespace - # targetLabel: namespace - - # -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) - relabelings: [] - # - sourceLabels: [__meta_kubernetes_pod_node_name] - # separator: ; - # regex: ^(.*)$ - # targetLabel: nodename - # replacement: $1 - # action: replace - - metrics: - service: - # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics - enabled: false - - # -- Metrics service port to scrape - port: 8080 - - # -- Additional service annotations - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # -- Pod priority class name. - priorityClassName: "" - - # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - podDisruptionBudget: - enabled: false - minAvailable: 1 - # maxUnavailable: 1 - - # -- Run the controller on the host network - hostNetwork: false - - webhook: - # -- Specifies whether a webhook deployment be created. - create: true - # -- Specifices the time to check if the cert is valid - certCheckInterval: "5m" - # -- Specifices the lookaheadInterval for certificate validity - lookaheadInterval: "" - replicaCount: 1 - - # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) - revisionHistoryLimit: 10 - - certDir: /tmp/certs - # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore - failurePolicy: Fail - # -- Specifies if webhook pod should use hostNetwork or not. - hostNetwork: false - image: - repository: ghcr.io/external-secrets/external-secrets - pullPolicy: IfNotPresent - # -- The image tag to use. The default is the chart appVersion. - tag: "" - imagePullSecrets: [] - nameOverride: "" - fullnameOverride: "" - # -- The port the webhook will listen to - port: 10250 - rbac: - # -- Specifies whether role and rolebinding resources should be created. - create: true - serviceAccount: - # -- Specifies whether a service account should be created. - create: true - # -- Automounts the service account token in all containers of the pod - automount: true - # -- Annotations to add to the service account. - annotations: {} - # -- Extra Labels to add to the service account. - extraLabels: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # -- Pod priority class name. - priorityClassName: "" - - # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - podDisruptionBudget: - enabled: false - minAvailable: 1 - # maxUnavailable: 1 - prometheus: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead - enabled: false - service: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead - port: 8080 - - serviceMonitor: - # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics - enabled: false - - # -- Additional labels - additionalLabels: {} - - # -- Interval to scrape metrics - interval: 30s - - # -- Timeout if metrics can't be retrieved in given time interval - scrapeTimeout: 25s - - metrics: - service: - # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics - enabled: false - - # -- Metrics service port to scrape - port: 8080 - - # -- Additional service annotations - annotations: {} - - - readinessProbe: - # -- Address for readiness probe - address: "" - # -- ReadinessProbe port for kubelet - port: 8081 - - - ## -- Extra environment variables to add to container. - extraEnv: [] - - ## -- Map of extra arguments to pass to container. - extraArgs: {} - - ## -- Extra volumes to pass to pod. - extraVolumes: [] - - ## -- Extra volumes to mount to the container. - extraVolumeMounts: [] - - # -- Annotations to add to Secret - secretAnnotations: {} - - # -- Annotations to add to Deployment - deploymentAnnotations: {} - - # -- Annotations to add to Pod - podAnnotations: {} - - podLabels: {} - - podSecurityContext: {} - # fsGroup: 2000 - - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - - resources: {} - # requests: - # cpu: 10m - # memory: 32Mi - - certController: - # -- Specifies whether a certificate controller deployment be created. - create: true - requeueInterval: "5m" - replicaCount: 1 - - # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) - revisionHistoryLimit: 10 - - image: - repository: ghcr.io/external-secrets/external-secrets - pullPolicy: Always - tag: "" - imagePullSecrets: [] - nameOverride: "" - fullnameOverride: "" - rbac: - # -- Specifies whether role and rolebinding resources should be created. - create: true - serviceAccount: - # -- Specifies whether a service account should be created. - create: true - # -- Automounts the service account token in all containers of the pod - automount: true - # -- Annotations to add to the service account. - annotations: {} - # -- Extra Labels to add to the service account. - extraLabels: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # -- Run the certController on the host network - hostNetwork: false - - # -- Pod priority class name. - priorityClassName: "" - - # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - podDisruptionBudget: - enabled: false - minAvailable: 1 - # maxUnavailable: 1 - - prometheus: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead - enabled: false - service: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead - port: 8080 - - serviceMonitor: - # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics - enabled: false - - # -- Additional labels - additionalLabels: {} - - # -- Interval to scrape metrics - interval: 30s - - # -- Timeout if metrics can't be retrieved in given time interval - scrapeTimeout: 25s - - metrics: - service: - # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics - enabled: false - - # -- Metrics service port to scrape - port: 8080 - - # -- Additional service annotations - annotations: {} - - ## -- Extra environment variables to add to container. - extraEnv: [] - - ## -- Map of extra arguments to pass to container. - extraArgs: {} - - - ## -- Extra volumes to pass to pod. - extraVolumes: [] - - ## -- Extra volumes to mount to the container. - extraVolumeMounts: [] - - # -- Annotations to add to Deployment - deploymentAnnotations: {} - - # -- Annotations to add to Pod - podAnnotations: {} - - podLabels: {} - - podSecurityContext: {} - # fsGroup: 2000 - - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - - resources: {} - # requests: - # cpu: 10m - # memory: 32Mi - - # -- Specifies `dnsOptions` to deployment - dnsConfig: {} diff --git a/gatekeeper/Chart.yaml b/gatekeeper/Chart.yaml deleted file mode 100644 index ebd28af..0000000 --- a/gatekeeper/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: gatekeeper -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: gatekeeper - repository: https://open-policy-agent.github.io/gatekeeper/charts - version: 3.14.0 diff --git a/gatekeeper/values.yaml b/gatekeeper/values.yaml deleted file mode 100644 index d01ace9..0000000 --- a/gatekeeper/values.yaml +++ /dev/null @@ -1,277 +0,0 @@ -gatekeeper: - replicas: 3 - revisionHistoryLimit: 10 - auditInterval: 60 - metricsBackends: ["prometheus"] - auditMatchKindOnly: false - constraintViolationsLimit: 20 - auditFromCache: false - disableMutation: false - disableValidatingWebhook: false - validatingWebhookName: gatekeeper-validating-webhook-configuration - validatingWebhookTimeoutSeconds: 3 - validatingWebhookFailurePolicy: Ignore - validatingWebhookAnnotations: {} - validatingWebhookExemptNamespacesLabels: {} - validatingWebhookObjectSelector: {} - validatingWebhookCheckIgnoreFailurePolicy: Fail - validatingWebhookCustomRules: {} - validatingWebhookURL: null - enableDeleteOperations: false - enableExternalData: true - enableGeneratorResourceExpansion: true - enableTLSHealthcheck: false - maxServingThreads: -1 - mutatingWebhookName: gatekeeper-mutating-webhook-configuration - mutatingWebhookFailurePolicy: Ignore - mutatingWebhookReinvocationPolicy: Never - mutatingWebhookAnnotations: {} - mutatingWebhookExemptNamespacesLabels: {} - mutatingWebhookObjectSelector: {} - mutatingWebhookTimeoutSeconds: 1 - mutatingWebhookCustomRules: {} - mutatingWebhookURL: null - mutationAnnotations: false - auditChunkSize: 500 - logLevel: INFO - logDenies: false - logMutations: false - emitAdmissionEvents: false - emitAuditEvents: false - admissionEventsInvolvedNamespace: false - auditEventsInvolvedNamespace: false - resourceQuota: true - externaldataProviderResponseCacheTTL: 3m - image: - repository: openpolicyagent/gatekeeper - crdRepository: openpolicyagent/gatekeeper-crds - release: v3.15.0-beta.0 - pullPolicy: Always - pullSecrets: [] - preInstall: - crdRepository: - image: - repository: null - tag: v3.15.0-beta.0 - postUpgrade: - labelNamespace: - enabled: false - image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 - pullPolicy: IfNotPresent - pullSecrets: [] - extraNamespaces: [] - podSecurity: ["pod-security.kubernetes.io/audit=restricted", - "pod-security.kubernetes.io/audit-version=latest", - "pod-security.kubernetes.io/warn=restricted", - "pod-security.kubernetes.io/warn-version=latest", - "pod-security.kubernetes.io/enforce=restricted", - "pod-security.kubernetes.io/enforce-version=v1.24"] - extraAnnotations: {} - priorityClassName: "" - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - postInstall: - labelNamespace: - enabled: true - extraRules: [] - image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 - pullPolicy: IfNotPresent - pullSecrets: [] - extraNamespaces: [] - podSecurity: ["pod-security.kubernetes.io/audit=restricted", - "pod-security.kubernetes.io/audit-version=latest", - "pod-security.kubernetes.io/warn=restricted", - "pod-security.kubernetes.io/warn-version=latest", - "pod-security.kubernetes.io/enforce=restricted", - "pod-security.kubernetes.io/enforce-version=v1.24"] - extraAnnotations: {} - priorityClassName: "" - probeWebhook: - enabled: true - image: - repository: curlimages/curl - tag: 7.83.1 - pullPolicy: IfNotPresent - pullSecrets: [] - waitTimeout: 60 - httpTimeout: 2 - insecureHTTPS: false - priorityClassName: "" - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - preUninstall: - deleteWebhookConfigurations: - extraRules: [] - enabled: false - image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 - pullPolicy: IfNotPresent - pullSecrets: [] - priorityClassName: "" - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - podAnnotations: {} - auditPodAnnotations: {} - podLabels: {} - podCountLimit: "100" - secretAnnotations: {} - enableRuntimeDefaultSeccompProfile: true - controllerManager: - exemptNamespaces: [] - exemptNamespacePrefixes: [] - hostNetwork: false - dnsPolicy: ClusterFirst - port: 8443 - metricsPort: 8888 - healthPort: 9090 - readinessTimeout: 1 - livenessTimeout: 1 - priorityClassName: system-cluster-critical - disableCertRotation: false - tlsMinVersion: 1.3 - clientCertName: "" - strategyType: RollingUpdate - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: gatekeeper.sh/operation - operator: In - values: - - webhook - topologyKey: kubernetes.io/hostname - weight: 100 - topologySpreadConstraints: [] - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: - limits: - memory: 512Mi - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - podSecurityContext: - fsGroup: 999 - supplementalGroups: - - 999 - extraRules: [] - networkPolicy: - enabled: false - ingress: { } - # - from: - # - ipBlock: - # cidr: 0.0.0.0/0 - audit: - enablePubsub: false - connection: audit-connection - channel: audit-channel - hostNetwork: false - dnsPolicy: ClusterFirst - metricsPort: 8888 - healthPort: 9090 - readinessTimeout: 1 - livenessTimeout: 1 - priorityClassName: system-cluster-critical - disableCertRotation: false - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: - limits: - memory: 512Mi - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - podSecurityContext: - fsGroup: 999 - supplementalGroups: - - 999 - writeToRAMDisk: false - extraRules: [] - crds: - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - pdb: - controllerManager: - minAvailable: 1 - service: {} - disabledBuiltins: ["{http.send}"] - psp: - enabled: true - upgradeCRDs: - enabled: true - extraRules: [] - priorityClassName: "" - rbac: - create: true - externalCertInjection: - enabled: false - secretName: gatekeeper-webhook-server-cert diff --git a/gitlab-runner/templates/secrets.yaml b/gitlab-runner/templates/secrets.yaml deleted file mode 100644 index 784ef11..0000000 --- a/gitlab-runner/templates/secrets.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: gitlab-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: gitlab-secret - data: - - secretKey: runner-registration-token - remoteRef: - key: secrets/gitlab/runner - property: runner-registration-token - - secretKey: runner-token - remoteRef: - key: secrets/gitlab/runner - property: runner-token diff --git a/heimdall/templates/ingress.yaml b/heimdall/templates/ingress.yaml deleted file mode 100644 index 98b6144..0000000 --- a/heimdall/templates/ingress.yaml +++ /dev/null @@ -1,52 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - annotations: - name: heimdall-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`heimdall.durp.info`) && PathPrefix(`/`) - middlewares: - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: heimdall - port: 80 - - match: Host(`heimdall.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) - kind: Rule - services: - - name: ak-outpost-authentik-embedded-outpost - namespace: authentik - port: 9000 - tls: - secretName: heimdall-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: heimdall-tls -spec: - secretName: heimdall-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "heimdall.durp.info" - dnsNames: - - "heimdall.durp.info" - ---- - -kind: Service -apiVersion: v1 -metadata: - name: heimdall-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: heimdall.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/heimdall/values.yaml b/heimdall/values.yaml deleted file mode 100644 index e93ca43..0000000 --- a/heimdall/values.yaml +++ /dev/null @@ -1,28 +0,0 @@ -heimdall: - - image: - registry: - repository: registry.internal.durp.info/linuxserver/heimdall - pullPolicy: Always - - env: - TZ: UTC - PUID: "1000" - PGID: "1000" - - service: - main: - annotations: - external-dns.alpha.kubernetes.io/hostname: heimdall.durp.info - external-dns.alpha.kubernetes.io/target: home.durp.info - ports: - http: - port: 80 - - ingress: - main: - enabled: false - - persistence: - config: - enabled: true diff --git a/infra/.gitlab/.gitlab-ci.yml b/infra/.gitlab/.gitlab-ci.yml new file mode 100644 index 0000000..78c6ee1 --- /dev/null +++ b/infra/.gitlab/.gitlab-ci.yml @@ -0,0 +1,95 @@ +stages: + - plan + - apply + - destroy + +variables: + WORKDIR: $CI_PROJECT_DIR/infra/terraform + GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/infra + +image: + name: registry.durp.info/opentofu/opentofu:latest + entrypoint: [""] + +.tf-init: + before_script: + - cd $WORKDIR + - tofu init + -reconfigure + -backend-config="address=${GITLAB_TF_ADDRESS}" + -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="username=gitlab-ci-token" + -backend-config="password=${CI_JOB_TOKEN}" + -backend-config="lock_method=POST" + -backend-config="unlock_method=DELETE" + -backend-config="retry_wait_min=5" + +format: + stage: .pre + allow_failure: false + script: + - cd $WORKDIR + - tofu fmt -diff -check -write=false + rules: + - changes: + - "infra/terraform/*.tf" + +validate: + stage: .pre + allow_failure: false + extends: .tf-init + script: + - tofu validate + rules: + - changes: + - "infra/terraform/*.tf" + +plan-infrastructure: + stage: plan + variables: + PLAN: plan.tfplan + JSON_PLAN_FILE: tfplan.json + ENVIRONMENT_NAME: infra + allow_failure: false + extends: .tf-init + script: + - apk add --update curl jq + - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" + - tofu plan -out=$PLAN $ARGUMENTS + - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE + artifacts: + reports: + terraform: $WORKDIR/$JSON_PLAN_FILE + needs: ["validate","format"] + rules: + - changes: + - "infra/terraform/*.tf" + +apply-infrastructure: + stage: apply + variables: + ENVIRONMENT_NAME: infra + allow_failure: false + extends: .tf-init + script: + - tofu apply -auto-approve $ARGUMENTS + rules: + - changes: + - "infra/terraform/*.tf" + when: manual + needs: ["plan-infrastructure"] + +destroy-infrastructure: + stage: destroy + variables: + ENVIRONMENT_NAME: infra + allow_failure: false + extends: .tf-init + script: + - tofu destroy -auto-approve $ARGUMENTS + rules: + - changes: + - "infra/terraform/*.tf" + when: manual + needs: ["plan-infrastructure"] diff --git a/argocd/Chart.yaml b/infra/argocd/Chart.yaml similarity index 91% rename from argocd/Chart.yaml rename to infra/argocd/Chart.yaml index 07e391f..d9a5074 100644 --- a/argocd/Chart.yaml +++ b/infra/argocd/Chart.yaml @@ -9,6 +9,4 @@ appVersion: "1.16.0" dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm - version: 6.7.11 - - + version: 8.6.4 diff --git a/infra/argocd/templates/argocd.yaml b/infra/argocd/templates/argocd.yaml new file mode 100644 index 0000000..14141da --- /dev/null +++ b/infra/argocd/templates/argocd.yaml @@ -0,0 +1,85 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argocd + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/argocd + destination: + namespace: argocd + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: vault-argocd + labels: + app.kubernetes.io/part-of: argocd +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: client-secret + data: + - secretKey: clientSecret + remoteRef: + key: kv/authentik/argocd + property: clientsecret + +--- + +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: argocd-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`argocd.infra.durp.info`) + #middlewares: + # - name: whitelist + # namespace: traefik + kind: Rule + services: + - name: argocd-server + port: 443 + scheme: https + tls: + secretName: argocd-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: argocd-tls +spec: + secretName: argocd-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "argocd.infra.durp.info" + dnsNames: + - "argocd.infra.durp.info" + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + diff --git a/infra/argocd/templates/authentik.yaml b/infra/argocd/templates/authentik.yaml new file mode 100644 index 0000000..ac5f8dc --- /dev/null +++ b/infra/argocd/templates/authentik.yaml @@ -0,0 +1,45 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: authentik + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/authentik + destination: + namespace: authentik + name: in-cluster + syncPolicy: + #managedNamespaceMetadata: + # labels: + # istio-injection: enabled + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: authentik-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/authentik + destination: + namespace: authentik + name: dmz + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/argocd/templates/durpapi.yaml b/infra/argocd/templates/bitwarden.yaml similarity index 56% rename from argocd/templates/durpapi.yaml rename to infra/argocd/templates/bitwarden.yaml index 53c2db6..a42abbc 100644 --- a/argocd/templates/durpapi.yaml +++ b/infra/argocd/templates/bitwarden.yaml @@ -1,20 +1,20 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: durpapi + name: bitwarden namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: durpapi + path: infra/bitwarden destination: - namespace: durpapi + namespace: bitwarden name: in-cluster syncPolicy: automated: prune: true - selfHeal: true + selfHeal: true syncOptions: - - CreateNamespace=true + - CreateNamespace=true diff --git a/infra/argocd/templates/cert-manager.yaml b/infra/argocd/templates/cert-manager.yaml new file mode 100644 index 0000000..31ef868 --- /dev/null +++ b/infra/argocd/templates/cert-manager.yaml @@ -0,0 +1,44 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-manager + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/cert-manager + destination: + namespace: cert-manager + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-manager-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/cert-manager + destination: + namespace: cert-manager + name: dmz + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + diff --git a/argocd/templates/external-dns.yaml b/infra/argocd/templates/external-dns.yaml similarity index 69% rename from argocd/templates/external-dns.yaml rename to infra/argocd/templates/external-dns.yaml index ba05f2c..caa32d9 100644 --- a/argocd/templates/external-dns.yaml +++ b/infra/argocd/templates/external-dns.yaml @@ -1,20 +1,21 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: external-dns + name: external-dns-dmz namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: external-dns + path: dmz/external-dns destination: namespace: external-dns - name: in-cluster + name: dmz syncPolicy: automated: prune: true selfHeal: true syncOptions: - CreateNamespace=true + diff --git a/infra/argocd/templates/external-secrets.yaml b/infra/argocd/templates/external-secrets.yaml new file mode 100644 index 0000000..7787a03 --- /dev/null +++ b/infra/argocd/templates/external-secrets.yaml @@ -0,0 +1,44 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-secrets + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/external-secrets + destination: + namespace: external-secrets + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-secrets-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/external-secrets + destination: + namespace: external-secrets + name: dmz + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + diff --git a/argocd/templates/metallb-system.yaml b/infra/argocd/templates/gitlab-runner.yaml similarity index 63% rename from argocd/templates/metallb-system.yaml rename to infra/argocd/templates/gitlab-runner.yaml index 051be57..25b82bb 100644 --- a/argocd/templates/metallb-system.yaml +++ b/infra/argocd/templates/gitlab-runner.yaml @@ -1,17 +1,17 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: metallb-system + name: gitlab-runner-dmz namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: metallb-system + path: dmz/gitlab-runner destination: - namespace: metallb-system - name: in-cluster + namespace: gitlab-runner + name: dmz syncPolicy: automated: prune: true @@ -19,4 +19,3 @@ spec: syncOptions: - CreateNamespace=true - diff --git a/argocd/templates/longhorn.yaml b/infra/argocd/templates/internalproxy.yaml similarity index 63% rename from argocd/templates/longhorn.yaml rename to infra/argocd/templates/internalproxy.yaml index 017da6f..9381c2d 100644 --- a/argocd/templates/longhorn.yaml +++ b/infra/argocd/templates/internalproxy.yaml @@ -1,17 +1,17 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: longhorn-system + name: internal-proxy namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: longhorn + path: dmz/internalproxy destination: - namespace: longhorn-system - name: in-cluster + namespace: internalproxy + name: dmz syncPolicy: automated: prune: true diff --git a/infra/argocd/templates/istio.yaml b/infra/argocd/templates/istio.yaml new file mode 100644 index 0000000..615a43f --- /dev/null +++ b/infra/argocd/templates/istio.yaml @@ -0,0 +1,58 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: istio-system + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/istio-system + destination: + namespace: istio-system + name: in-cluster + syncPolicy: + managedNamespaceMetadata: + labels: + topology.istio.io/network: network1 + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + jsonPointers: + - /webhooks/0/failurePolicy + +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: istio-system-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/istio-system + destination: + namespace: istio-system + name: dmz + syncPolicy: + managedNamespaceMetadata: + labels: + topology.istio.io/network: network2 + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + jsonPointers: + - /webhooks/0/failurePolicy diff --git a/argocd/templates/kube-prometheus-stack.yaml b/infra/argocd/templates/kube-prometheus-stack.yaml similarity index 67% rename from argocd/templates/kube-prometheus-stack.yaml rename to infra/argocd/templates/kube-prometheus-stack.yaml index 02f8261..bc52501 100644 --- a/argocd/templates/kube-prometheus-stack.yaml +++ b/infra/argocd/templates/kube-prometheus-stack.yaml @@ -6,16 +6,15 @@ metadata: spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: kube-prometheus-stack + path: infra/kube-prometheus-stack destination: namespace: kube-prometheus-stack name: in-cluster syncPolicy: automated: prune: true - selfHeal: true + selfHeal: true syncOptions: - - CreateNamespace=true - + - CreateNamespace=true diff --git a/infra/argocd/templates/litellm.yaml b/infra/argocd/templates/litellm.yaml new file mode 100644 index 0000000..d8e225a --- /dev/null +++ b/infra/argocd/templates/litellm.yaml @@ -0,0 +1,20 @@ +#apiVersion: argoproj.io/v1alpha1 +#kind: Application +#metadata: +# name: litellm +# namespace: argocd +#spec: +# project: default +# source: +# repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git +# targetRevision: main +# path: infra/litellm +# destination: +# namespace: litellm +# name: in-cluster +# syncPolicy: +# automated: +# prune: true +# selfHeal: true +# syncOptions: +# - CreateNamespace=true diff --git a/argocd/templates/littlelink.yaml b/infra/argocd/templates/littlelink.yaml similarity index 66% rename from argocd/templates/littlelink.yaml rename to infra/argocd/templates/littlelink.yaml index 99b08fe..2d6011f 100644 --- a/argocd/templates/littlelink.yaml +++ b/infra/argocd/templates/littlelink.yaml @@ -6,17 +6,17 @@ metadata: spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: littlelink + path: dmz/littlelink directory: recurse: true destination: - server: https://kubernetes.default.svc + name: dmz namespace: littlelink syncPolicy: automated: prune: true selfHeal: true syncOptions: - - CreateNamespace=true + - CreateNamespace=true diff --git a/infra/argocd/templates/longhorn.yaml b/infra/argocd/templates/longhorn.yaml new file mode 100644 index 0000000..f28a74c --- /dev/null +++ b/infra/argocd/templates/longhorn.yaml @@ -0,0 +1,47 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: longhorn-system + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/longhorn + destination: + namespace: longhorn-system + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ignoreDifferences: + - group: engineimages.longhorn.io + jsonPointers: + - /spec/preserveUnknownFields + kind: CustomResourceDefinition + +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: longhorn-system-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/longhorn + destination: + namespace: longhorn-system + name: dmz + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/infra/argocd/templates/metallb-system.yaml b/infra/argocd/templates/metallb-system.yaml new file mode 100644 index 0000000..a9b33d0 --- /dev/null +++ b/infra/argocd/templates/metallb-system.yaml @@ -0,0 +1,66 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: metallb-system + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/metallb-system + destination: + namespace: metallb-system + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: metallb-system-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/metallb-system + destination: + namespace: metallb-system + name: dmz + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: metallb-system-dev + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dev/metallb-system + destination: + namespace: metallb-system + name: dev + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/argocd/templates/cert-manager.yaml b/infra/argocd/templates/nebula-sync.yaml similarity index 68% rename from argocd/templates/cert-manager.yaml rename to infra/argocd/templates/nebula-sync.yaml index 1eb8fe2..d19b024 100644 --- a/argocd/templates/cert-manager.yaml +++ b/infra/argocd/templates/nebula-sync.yaml @@ -1,16 +1,16 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: cert-manager + name: nebula-sync namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: cert-manager + path: infra/nebula-sync destination: - namespace: cert-manager + namespace: nebula-sync name: in-cluster syncPolicy: automated: diff --git a/argocd/templates/durpot.yaml b/infra/argocd/templates/nfs.yaml similarity index 60% rename from argocd/templates/durpot.yaml rename to infra/argocd/templates/nfs.yaml index 1bfcd37..c006f32 100644 --- a/argocd/templates/durpot.yaml +++ b/infra/argocd/templates/nfs.yaml @@ -1,20 +1,18 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: durpot + name: nfs namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: durpot + path: infra/nfs destination: - namespace: durpot + namespace: kube-system name: in-cluster syncPolicy: automated: prune: true selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/argocd/templates/authentik.yaml b/infra/argocd/templates/openclarity.yaml similarity index 56% rename from argocd/templates/authentik.yaml rename to infra/argocd/templates/openclarity.yaml index 735fa1a..57c1995 100644 --- a/argocd/templates/authentik.yaml +++ b/infra/argocd/templates/openclarity.yaml @@ -1,21 +1,20 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: authentik + name: openclarity namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: authentik + path: infra/openclarity destination: - namespace: authentik + namespace: openclarity name: in-cluster syncPolicy: automated: prune: true - selfHeal: true + selfHeal: true syncOptions: - - CreateNamespace=true - + - CreateNamespace=true diff --git a/argocd/templates/uptimekuma.yaml b/infra/argocd/templates/openspeedtest.yaml similarity index 57% rename from argocd/templates/uptimekuma.yaml rename to infra/argocd/templates/openspeedtest.yaml index ff0e1af..ead0679 100644 --- a/argocd/templates/uptimekuma.yaml +++ b/infra/argocd/templates/openspeedtest.yaml @@ -1,23 +1,22 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: uptimekuma + name: openspeedtest namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: uptimekuma + path: dmz/openspeedtest directory: recurse: true destination: - server: https://kubernetes.default.svc - namespace: uptimekuma + name: dmz + namespace: openspeedtest syncPolicy: automated: prune: true selfHeal: true syncOptions: - - CreateNamespace=true - + - CreateNamespace=true diff --git a/argocd/templates/argocd.yaml b/infra/argocd/templates/portainer.yaml similarity index 56% rename from argocd/templates/argocd.yaml rename to infra/argocd/templates/portainer.yaml index d8f0fd3..22b2a9b 100644 --- a/argocd/templates/argocd.yaml +++ b/infra/argocd/templates/portainer.yaml @@ -1,20 +1,20 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: argocd + name: portainer namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: argocd + path: infra/portainer destination: - namespace: argocd + namespace: portainer name: in-cluster syncPolicy: automated: prune: true - selfHeal: true + selfHeal: true syncOptions: - - CreateNamespace=true + - CreateNamespace=true diff --git a/argocd/templates/nfs-client.yaml b/infra/argocd/templates/redlib.yaml similarity index 56% rename from argocd/templates/nfs-client.yaml rename to infra/argocd/templates/redlib.yaml index e374885..3867fb7 100644 --- a/argocd/templates/nfs-client.yaml +++ b/infra/argocd/templates/redlib.yaml @@ -1,23 +1,22 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: nfs-client + name: redlib namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: nfs-client + path: dmz/redlib directory: recurse: true destination: - namespace: nfs-client - name: in-cluster + name: dmz + namespace: redlib syncPolicy: automated: prune: true - selfHeal: true + selfHeal: true syncOptions: - - CreateNamespace=true - + - CreateNamespace=true diff --git a/argocd/templates/crossplane.yml b/infra/argocd/templates/renovate.yaml similarity index 57% rename from argocd/templates/crossplane.yml rename to infra/argocd/templates/renovate.yaml index e079c78..debce7a 100644 --- a/argocd/templates/crossplane.yml +++ b/infra/argocd/templates/renovate.yaml @@ -1,20 +1,20 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: crossplane + name: renovate namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: crossplane + path: infra/renovate destination: - namespace: crossplane + namespace: renovate name: in-cluster syncPolicy: automated: prune: true - selfHeal: true + selfHeal: true syncOptions: - - CreateNamespace=true + - CreateNamespace=true diff --git a/argocd/templates/bitwarden.yaml b/infra/argocd/templates/searxng.yaml similarity index 53% rename from argocd/templates/bitwarden.yaml rename to infra/argocd/templates/searxng.yaml index 6aad52f..9e05411 100644 --- a/argocd/templates/bitwarden.yaml +++ b/infra/argocd/templates/searxng.yaml @@ -1,23 +1,22 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: bitwarden + name: searxng namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git targetRevision: main - path: bitwarden + path: dmz/searxng directory: recurse: true destination: - server: https://kubernetes.default.svc - namespace: bitwarden + name: dmz + namespace: searxng syncPolicy: automated: prune: true - selfHeal: false + selfHeal: true syncOptions: - - CreateNamespace=true - + - CreateNamespace=true diff --git a/infra/argocd/templates/traefik.yaml b/infra/argocd/templates/traefik.yaml new file mode 100644 index 0000000..0ea06aa --- /dev/null +++ b/infra/argocd/templates/traefik.yaml @@ -0,0 +1,76 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: traefik + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/traefik + destination: + namespace: traefik + name: in-cluster + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: traefik-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/traefik + destination: + namespace: traefik + name: dmz + syncPolicy: + # managedNamespaceMetadata: + # labels: + # istio-injection: enabled + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: traefik-dev + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dev/traefik + destination: + namespace: traefik + name: dev + syncPolicy: + # managedNamespaceMetadata: + # labels: + # istio-injection: enabled + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + diff --git a/infra/argocd/templates/vault.yaml b/infra/argocd/templates/vault.yaml new file mode 100644 index 0000000..b5f6a0b --- /dev/null +++ b/infra/argocd/templates/vault.yaml @@ -0,0 +1,53 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/vault + destination: + namespace: vault + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + jqPathExpressions: + - .webhooks[]?.clientConfig.caBundle + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/vault + destination: + namespace: vault + name: dmz + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + jqPathExpressions: + - .webhooks[]?.clientConfig.caBundle diff --git a/argocd/values.yaml b/infra/argocd/values.yaml similarity index 53% rename from argocd/values.yaml rename to infra/argocd/values.yaml index 47a56e3..727777e 100644 --- a/argocd/values.yaml +++ b/infra/argocd/values.yaml @@ -1,40 +1,40 @@ argo-cd: - global: revisionHistoryLimit: 1 image: - repository: registry.internal.durp.info/argoproj/argocd + repository: registry.durp.info/argoproj/argocd imagePullPolicy: Always - server: - #extraArgs: - # - --dex-server-plaintext - # - --dex-server=argocd-dex-server:5556 - # oidc.config: | - # name: AzureAD - # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 - # clientID: CLIENT_ID - # clientSecret: $oidc.azuread.clientSecret - # requestedIDTokenClaims: - # groups: - # essential: true - # requestedScopes: - # - openid - # - profile - # - email + #server: + #extraArgs: + # - --dex-server-plaintext + # - --dex-server=argocd-dex-server:5556 + # oidc.config: | + # name: AzureAD + # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 + # clientID: CLIENT_ID + # clientSecret: $oidc.azuread.clientSecret + # requestedIDTokenClaims: + # groups: + # essential: true + # requestedScopes: + # - openid + # - profile + # - email dex: enabled: true image: - repository: registry.internal.durp.info/dexidp/dex + repository: registry.durp.info/dexidp/dex imagePullPolicy: Always configs: cm: create: true annotations: {} - url: https://argocd.internal.durp.info + url: https://argocd.infra.durp.info oidc.tls.insecure.skip.verify: "true" + accounts.provider-argocd: apiKey dex.config: | connectors: - config: @@ -50,13 +50,15 @@ argo-cd: name: authentik type: oidc id: authentik + resource.exclusions: "" rbac: create: true policy.csv: | - g, ArgoCD Admins, role:admin + g, ArgoCD Admins, role:admin + g, provider-argocd, role:admin scopes: "[groups]" server: - route: - enabled: false + route: + enabled: false \ No newline at end of file diff --git a/authentik/Chart.yaml b/infra/authentik/Chart.yaml similarity index 61% rename from authentik/Chart.yaml rename to infra/authentik/Chart.yaml index 640dc35..d5927e6 100644 --- a/authentik/Chart.yaml +++ b/infra/authentik/Chart.yaml @@ -7,6 +7,7 @@ version: 0.1.0 appVersion: "1.16.0" dependencies: -- name: authentik - repository: https://charts.goauthentik.io - version: 2024.4.1 + - name: authentik + repository: https://charts.goauthentik.io + version: 2025.4.1 + diff --git a/infra/authentik/templates/ingress.yaml b/infra/authentik/templates/ingress.yaml new file mode 100644 index 0000000..8e0c956 --- /dev/null +++ b/infra/authentik/templates/ingress.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: authentik-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`authentik.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: authentik-server + port: 80 + - match: Host(`authentik.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) + kind: Rule + services: + - name: ak-outpost-authentik-embedded-outpost + port: 9000 + tls: + secretName: authentik-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: authentik-tls +spec: + secretName: authentik-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "authentik.durp.info" + dnsNames: + - "authentik.durp.info" diff --git a/authentik/templates/secrets.yaml b/infra/authentik/templates/secrets.yaml similarity index 65% rename from authentik/templates/secrets.yaml rename to infra/authentik/templates/secrets.yaml index 07b7747..df9f37e 100644 --- a/authentik/templates/secrets.yaml +++ b/infra/authentik/templates/secrets.yaml @@ -1,4 +1,4 @@ -apiVersion: external-secrets.io/v1beta1 +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: authentik-secret @@ -11,18 +11,25 @@ spec: data: - secretKey: dbpass remoteRef: - key: secrets/authentik/database + key: kv/authentik/database property: dbpass - secretKey: secretkey remoteRef: - key: secrets/authentik/database + key: kv/authentik/database property: secretkey - secretKey: postgresql-postgres-password remoteRef: - key: secrets/authentik/database + key: kv/authentik/database property: dbpass - secretKey: postgresql-password remoteRef: - key: secrets/authentik/database + key: kv/authentik/database property: dbpass - + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + diff --git a/authentik/values.yaml b/infra/authentik/values.yaml similarity index 63% rename from authentik/values.yaml rename to infra/authentik/values.yaml index bd03ad1..7b75190 100644 --- a/authentik/values.yaml +++ b/infra/authentik/values.yaml @@ -1,6 +1,8 @@ authentik: global: - env: + security: + allowInsecureImages: true + env: - name: AUTHENTIK_POSTGRESQL__PASSWORD valueFrom: secretKeyRef: @@ -13,38 +15,44 @@ authentik: key: secretkey revisionHistoryLimit: 1 image: - repository: registry.internal.durp.info/goauthentik/server + repository: registry.durp.info/goauthentik/server pullPolicy: Always authentik: outposts: - container_image_base: registry.internal.durp.info/goauthentik/%(type)s:%(version)s + container_image_base: registry.durp.info/goauthentik/%(type)s:%(version)s postgresql: - host: '{{ .Release.Name }}-postgresql-hl' + host: "{{ .Release.Name }}-postgresql-hl" name: "authentik" user: "authentik" port: 5432 server: name: server replicas: 3 + worker: + replicas: 3 postgresql: enabled: true image: - registry: registry.internal.durp.info - repository: bitnami/postgresql + registry: registry.durp.info + repository: bitnamilegacy/postgresql pullPolicy: Always postgresqlUsername: "authentik" postgresqlDatabase: "authentik" - existingSecret: db-pass + existingSecret: db-pass persistence: enabled: true storageClass: longhorn + size: 16Gi accessModes: - ReadWriteMany redis: enabled: true + master: + persistence: + enabled: false image: - registry: registry.internal.durp.info - repository: bitnami/redis + registry: registry.durp.info + repository: bitnamilegacy/redis pullPolicy: Always architecture: standalone auth: diff --git a/bitwarden/Chart.yaml b/infra/bitwarden/Chart.yaml similarity index 100% rename from bitwarden/Chart.yaml rename to infra/bitwarden/Chart.yaml diff --git a/bitwarden/templates/bitwarden-pvc.yaml b/infra/bitwarden/templates/bitwarden-pvc.yaml similarity index 100% rename from bitwarden/templates/bitwarden-pvc.yaml rename to infra/bitwarden/templates/bitwarden-pvc.yaml diff --git a/infra/bitwarden/templates/deployment.yaml b/infra/bitwarden/templates/deployment.yaml new file mode 100644 index 0000000..b915246 --- /dev/null +++ b/infra/bitwarden/templates/deployment.yaml @@ -0,0 +1,50 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: bitwarden + name: bitwarden + labels: + app: bitwarden +spec: + selector: + matchLabels: + app: bitwarden + replicas: 1 + template: + metadata: + labels: + app: bitwarden + spec: + containers: + - name: bitwarden + image: registry.durp.info/vaultwarden/server:1.35.4 + imagePullPolicy: Always + volumeMounts: + - name: bitwarden-pvc + mountPath: /data + subPath: bitwaren-data + ports: + - name: http + containerPort: 80 + env: + - name: SIGNUPS_ALLOWED + value: "FALSE" + - name: INVITATIONS_ALLOWED + value: "FALSE" + - name: WEBSOCKET_ENABLED + value: "TRUE" + - name: ROCKET_ENV + value: "staging" + - name: ROCKET_PORT + value: "80" + - name: ROCKET_WORKERS + value: "10" + - name: SECRET_USERNAME + valueFrom: + secretKeyRef: + name: bitwarden-secret + key: ADMIN_TOKEN + volumes: + - name: bitwarden-pvc + persistentVolumeClaim: + claimName: bitwarden-pvc diff --git a/infra/bitwarden/templates/ingress.yaml b/infra/bitwarden/templates/ingress.yaml new file mode 100644 index 0000000..f69bc78 --- /dev/null +++ b/infra/bitwarden/templates/ingress.yaml @@ -0,0 +1,30 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: bitwarden-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: bitwarden + port: 80 + tls: + secretName: bitwarden-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: bitwarden-tls +spec: + secretName: bitwarden-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "bitwarden.durp.info" + dnsNames: + - "bitwarden.durp.info" \ No newline at end of file diff --git a/bitwarden/templates/secrets.yaml b/infra/bitwarden/templates/secrets.yaml similarity index 58% rename from bitwarden/templates/secrets.yaml rename to infra/bitwarden/templates/secrets.yaml index 7a8d858..45e2d64 100644 --- a/bitwarden/templates/secrets.yaml +++ b/infra/bitwarden/templates/secrets.yaml @@ -1,4 +1,4 @@ -apiVersion: external-secrets.io/v1beta1 +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: bitwarden-secret @@ -11,6 +11,13 @@ spec: data: - secretKey: ADMIN_TOKEN remoteRef: - key: secrets/bitwarden/admin - property: ADMIN_TOKEN + key: kv/bitwarden + property: admin_token + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/bitwarden/templates/service.yaml b/infra/bitwarden/templates/service.yaml similarity index 100% rename from bitwarden/templates/service.yaml rename to infra/bitwarden/templates/service.yaml diff --git a/infra/cert-manager/Chart.yaml b/infra/cert-manager/Chart.yaml new file mode 100644 index 0000000..7280af8 --- /dev/null +++ b/infra/cert-manager/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: cert-manager +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: cert-manager + repository: https://charts.jetstack.io + version: v1.17.2 diff --git a/infra/cert-manager/templates/issuer.yaml b/infra/cert-manager/templates/issuer.yaml new file mode 100644 index 0000000..6b889c7 --- /dev/null +++ b/infra/cert-manager/templates/issuer.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: issuer +secrets: + - name: issuer-token-lmzpj \ No newline at end of file diff --git a/infra/cert-manager/templates/letsencrypt.yaml b/infra/cert-manager/templates/letsencrypt.yaml new file mode 100644 index 0000000..0203412 --- /dev/null +++ b/infra/cert-manager/templates/letsencrypt.yaml @@ -0,0 +1,35 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + email: developerdurp@durp.info + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: cloudflare-api-token-secret + +--- + +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: vault-issuer +spec: + vault: + server: https://vault.infra.durp.info + caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzekNDQTV1Z0F3SUJBZ0lVWkV6enhxRXVZaUtIa0wxZGYrQ2IyMk5SUkpNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekl5TXpRME1sb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dJREVlTUJ3R0ExVUVBeE1WZG1GMWJIUXVhVzVtY21FdVpIVnljQzVwYm1adk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWtaTTB1ZTRiTWNtbUFUcytrR1lTcFIyaExVenEKc2NHSXdDdHFtYUtDTWJkMXhobWdqbklSM3p2U1JwdExSMkdWR3ZjMXRpNnFieTBqWFl2Y3FieGtIdmF5MDB6VwoyellOK00ybTRsWHB1V3pnMXQ2TkVvTzZYR0FzR2oydjB2Y1ZrdFBQVTl1ajByR1VWR1dXZnN2am9YcVFGZzVJCmpkeHN4SzlTdk12dzJYdEUzRmdLeHB6Q3l3OTRJbklIbGNQd0ZUTyszWmRLU3RabE1iVURJa21zekxCcldGY3IKWE9zUERmTHhxTXkwQ2svL0xLSXQ4ZGpoMzI1NEZIQjFHRzUra0krSlNXMW8rdFVjTDJOeW12SUlOd20vMmFjUwoxdVRtK2o5VzdpRVhhdjBwSk5tbSsvZHpTc2tjM1kwZnRNMGgySENYZ2l0QklhRVpuVVZuZU5IT0x3SURBUUFCCm80SUI3ekNDQWVzd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME8KQkJZRUZDYVEycTdqN0x5QkdFVEVaNXFhSkFkbElTS0NNQjhHQTFVZEl3UVlNQmFBRk8xakN5R2twRk8rUWlSMgpkZkJNV1ZZZVdyUTJNSUgwQmdnckJnRUZCUWNCQVFTQjV6Q0I1REF6QmdnckJnRUZCUWN3QVlZbmFIUjBjSE02Ckx5OHhPVEl1TVRZNExqSXdMakkxTXpvNE1qQXhMM1l4TDNCcmFTOXZZM053TUQwR0NDc0dBUVVGQnpBQmhqRm8KZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnJhUzl2WTNOdwpNREVHQ0NzR0FRVUZCekFDaGlWb2RIUndjem92THpFNU1pNHhOamd1TWpBdU1qVXpPamd5TURFdmRqRXZjR3RwCkwyTmhNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndjem92TDNKdmIzUXRkbUYxYkhRdWFXNTBaWEp1WVd3dVpIVnkKY0M1cGJtWnZMM1l4TDNCcmFTOWpZVEFnQmdOVkhSRUVHVEFYZ2hWMllYVnNkQzVwYm1aeVlTNWtkWEp3TG1sdQpabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3TGpJMU16bzRNakF4CkwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6T2k4dmNtOXZkQzEyWVhWc2RDNXBiblJsY201aGJDNWsKZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXVKK2xwbFkvK0E1TAo1THprbGpiS0RUeTNVNlBMdjFMdHhxVkNPRkdpSlhCblhNanRWVzA3YkJFVWFkekZSTlc4R0hRM3c1UXpPRzZrCi92RS9UcnJKaG83bDA1Si91YytCVXJQU05qZWZMbVFWNmhuNGpyUDg2UFIwdnpSZmJTcUtLQklJRDlNNyt6aTYKR0Z2SGxWa1NIc1F5TVFwN0pPb2F4OUtWelcyWStPSWd3N0xndzJ0UDEyMldDdDJTSUYwUWVub1pIc29XMGd1agp0elRKUm1KRGpuNlhlSjdMM0ZQa2YzN0g2dWIwSmczekJHcjZlb3JFRmZZWk5ONUNYZXpqcU1GQnBSZHE0VUlvCjFNM0E3bzN1eVpGY0ZzcC92R0RjTUJrd2FDc0JWOWlkdS9Id2t2R2FUVU5JMjg1aWxCT1JQRDBiTVpuQUNxLzkKK1EvY2RzTzVsZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lVUXdDQXM4MnNnU3VpYVZiakFOSFNjTzJEU2ZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TWpFeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBbjlmakdScXFGc3FndXo1Nlg2Y1had0VNdEQ5d0Vsd1NGQ2I0RmM4WVR6bEgKNGZWMTNRd1hLRVNMRS9RKzdidzR5NEZKUThCaUdOYnh4YlFPT2dXaGZHR2xReUZhMWxmaEp0WUxmcVJONUMyLwpTN25yMFl4REI5ZHVjNE9BRXhWTDZQcjQvS29jK3ZEWlkwM2w3Unp3bkYyQU9NOURqRlRBU3cwMVRwaENRalJrClUrdXBpTjJUVWhVUGVqVi9nTVIrelhNNnBuOThVQktHMWROdWJTMEh6QU13QUVYQVBtMTQxTkR5V1VDUFQ5KzMKNlAwM0thOG1VVHgzWDQ5T0N0dkpFR0VRYnRsblRGUWFPU2tQMXlMVytYUk1IdzNzUWFWMlBXWHU1ZkluYkVwWgorU3V6bWdMT1h0bVFObUhMYXY5cTFxZVRWa3BCR1BXdmZoMlZoMUpKaFFJREFRQUJvNElCNHpDQ0FkOHdEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSmFQMTdmMVp3MFYKNTVLczlVZjBVU1ZXbDBCUE1COEdBMVVkSXdRWU1CYUFGTzFqQ3lHa3BGTytRaVIyZGZCTVdWWWVXclEyTUlIMApCZ2dyQmdFRkJRY0JBUVNCNXpDQjVEQXpCZ2dyQmdFRkJRY3dBWVluYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3CkxqSTFNem80TWpBeEwzWXhMM0JyYVM5dlkzTndNRDBHQ0NzR0FRVUZCekFCaGpGb2RIUndjem92TDNKdmIzUXQKZG1GMWJIUXVhVzUwWlhKdVlXd3VaSFZ5Y0M1cGJtWnZMM1l4TDNCcmFTOXZZM053TURFR0NDc0dBUVVGQnpBQwpoaVZvZEhSd2N6b3ZMekU1TWk0eE5qZ3VNakF1TWpVek9qZ3lNREV2ZGpFdmNHdHBMMk5oTURzR0NDc0dBUVVGCkJ6QUNoaTlvZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnIKYVM5allUQVVCZ05WSFJFRURUQUxnZ2xrZFhKd0xtbHVabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMApjSE02THk4eE9USXVNVFk0TGpJd0xqSTFNem80TWpBeEwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6Ck9pOHZjbTl2ZEMxMllYVnNkQzVwYm5SbGNtNWhiQzVrZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFpcUFaNHpOSUVrQ1djdnBEUnEwVnlKdWs1OXNWdEpyNVg0RnNjSFExNzluRQpRYmJ2TWUrRUJERlM2WFFtbDFFbGo4amlQYS9ENU85T2M2SWlzbm01K3dlWkt3QXB6L2xRK1hWa1dMQ29FcGxCClpaOWZjV1ZDYk1MdDB4bHQ4cW41ei9tWUtmYkNUN1pDcURPK3ByUVp0K0FESmNRYmlrbmZyb0FBcUViTkt4d04KWTl1VXlPV05GM1N4SkVjaDR3MmR0WCtJRVZteGVabmhNeThPdVAwU1FLbDhhVzQwdWdpRzBaRDV5VEJCZk9EOQp6c3JHU1UvaVNhdG4wYjdiZXZCaGFMOTZoejEvck5SMWNMKzQvYWxiWDJocnI4UnYzL1NCMkRMdE5RbFFXMGxzCkFmaFhBcVA1ekwrWXRnZjFPZi9wVmRnbmh4cllVWTdSS0NTR1k1SGFndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMekNDQWhlZ0F3SUJBZ0lVTkhkdk96YW0ySFBWZHdYcE1IVXk0d2w4WlJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TVRVeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBOFhEVFZFdFJJMytrNHl1dnFWcWZJaUxSUUpjWGJtaGZWdEFlWWsrNWo5T3gKcDF3OVlIZG5QTHFMRnJEMVB6YWRqcVllQXAvZndsRUZmczZscXdvVFM4Uzl2aGFGcWNnQjU3blZNYjc3ZFRCYgovMDhYSFhPVTZGUFJqZEZLbTVRTXBTN3RuMVhhY1BNeS9vMGJLcVJSRVFlaXVGREdWUnl1RjVQVWd2V2MxZHZKCmwyN0p2dmdZa3RnamZwTlM0RGxDeGc0bEdYVDVhYnZhS2YyaG5yNjVlZ2FJby95UldOOXdudkF6UmlZN29jaTcKR0Exb0t6ODdZYzF0ZkwyZ2N5bnJ3Y2NPT0NGL2VVS2VzSlIxSTZHWE5rTi9hMWZjcitMZDlaOU5oSEJ0Tyt2RQpOOERzWlkra0c3REUzTTRCQ0NURlV6bGxjWUhqYVc0SGFGOXZaVytQWXdJREFRQUJvM2t3ZHpBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdXTUxJYVNrVTc1Q0pIWjEKOEV4WlZoNWF0RFl3SHdZRFZSMGpCQmd3Rm9BVTdXTUxJYVNrVTc1Q0pIWjE4RXhaVmg1YXREWXdGQVlEVlIwUgpCQTB3QzRJSlpIVnljQzVwYm1adk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVMvcVVJLzFZdjA3eFVUSzVrCnI5M2tDN0dTUHBtcGtYSXNmakNoQWw5M3NlYk4xNDNmdTcwTlVQNzRqakNjMFdrYjhoUm9mR2cxMEUrLzI0cjEKQUkwS3NMaHpLemZJQVN4VVZRQW44UlRwdExydWFhUExib1NBNE1VWjhJQjV5OFZ5OEUzL0t0RDBnRDgwajY0WQpybTlYR0hBMEhUSkhiUFVUYi9SdXgyZzBFN1d0aXlXU1dIOG1xemJlZ1U4SXJrTTNlVlQ0K3lsQkU3WWtmV0RECmR3NDRzQjcxdGZtREtweldnNlhRNllNaDBZZm55RzFmWUNqOUxodWVjTlk5VXVvNmNqRGFBdmt6TWV3V3dxRHgKUTJFa2FzOThEaTZpdENQOHZFVCtnQkRqZUNjK1hSNkh4NnZ6V214bFpod0R1eEVLTDFhMi9EYWJVeEp5TU56dgo1NUZuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + path: pki/sign/issue-homelab-certs + auth: + kubernetes: + mountPath: /v1/auth/kubernetes + role: issuer + secretRef: + name: issuer-token-lmzpj + key: token diff --git a/infra/cert-manager/templates/secretvault.yaml b/infra/cert-manager/templates/secretvault.yaml new file mode 100644 index 0000000..241e9a6 --- /dev/null +++ b/infra/cert-manager/templates/secretvault.yaml @@ -0,0 +1,23 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: cloudflare-api-token-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: cloudflare-api-token-secret + data: + - secretKey: cloudflare-api-token-secret + remoteRef: + key: kv/cert-manager + property: cloudflare-api-token-secret + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + diff --git a/infra/cert-manager/values.yaml b/infra/cert-manager/values.yaml new file mode 100644 index 0000000..295c5e6 --- /dev/null +++ b/infra/cert-manager/values.yaml @@ -0,0 +1,26 @@ +cert-manager: + crds: + enabled: true + image: + registry: registry.durp.info + repository: jetstack/cert-manager-controller + pullPolicy: Always + replicaCount: 3 + #extraArgs: + # - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 + # - --dns01-recursive-nameservers-only + #podDnsPolicy: None + #podDnsConfig: + # nameservers: + # - "1.1.1.1" + # - "1.0.0.1" + webhook: + image: + registry: registry.durp.info + repository: jetstack/cert-manager-webhook + pullPolicy: Always + cainjector: + image: + registry: registry.durp.info + repository: jetstack/cert-manager-cainjector + pullPolicy: Always diff --git a/infra/external-secrets/Chart.yaml b/infra/external-secrets/Chart.yaml new file mode 100644 index 0000000..48645c3 --- /dev/null +++ b/infra/external-secrets/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: external-secrets +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: external-secrets + repository: https://charts.external-secrets.io + version: 0.17.0 diff --git a/infra/external-secrets/templates/ca.yaml b/infra/external-secrets/templates/ca.yaml new file mode 100644 index 0000000..9b2a135 --- /dev/null +++ b/infra/external-secrets/templates/ca.yaml @@ -0,0 +1,81 @@ +apiVersion: v1 +data: + vault.pem: | + -----BEGIN CERTIFICATE----- + MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy + MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN + BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq + scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW + 2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I + jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr + XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS + 1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB + o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O + BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2 + dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6 + Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo + dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw + MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp + L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy + cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu + Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx + L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k + dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L + 5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k + /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6 + GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj + tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo + 1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9 + +Q/cdsO5lg== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH + 4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/ + S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk + U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3 + 6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ + +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD + VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V + 55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0 + BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw + LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt + dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC + hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF + BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br + aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0 + cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz + Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq + hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE + QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB + ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN + Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9 + zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls + AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox + p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb + /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ + l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7 + GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE + N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B + Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1 + 8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R + BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k + r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1 + AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y + rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD + dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx + Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv + 55Fn + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: ca-pemstore diff --git a/infra/external-secrets/values.yaml b/infra/external-secrets/values.yaml new file mode 100644 index 0000000..e61f2f1 --- /dev/null +++ b/infra/external-secrets/values.yaml @@ -0,0 +1,76 @@ +external-secrets: + global: + security: + allowInsecureImages: true + + log: + level: debug + replicaCount: 1 + revisionHistoryLimit: 1 + leaderElect: false + + installCRDs: true + crds: + createClusterExternalSecret: true + createClusterSecretStore: true + createClusterGenerator: true + createPushSecret: true + conversion: + enabled: false + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + # resources: + # requests: + # memory: 32Mi + # cpu: 10m + # limits: + # memory: 32Mi + # cpu: 10m + + webhook: + log: + level: debug + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + # resources: + # requests: + # memory: 32Mi + # cpu: 10m + # limits: + # memory: 32Mi + # cpu: 10m + + certController: + create: false + revisionHistoryLimit: 1 + log: + level: debug + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + tag: "" + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m diff --git a/infra/istio-system/Chart.yaml b/infra/istio-system/Chart.yaml new file mode 100644 index 0000000..7bb5fc3 --- /dev/null +++ b/infra/istio-system/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v2 +name: istio-system +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: base + repository: https://istio-release.storage.googleapis.com/charts + version: 1.29.0 +- name: istiod + repository: https://istio-release.storage.googleapis.com/charts + version: 1.26.2 +- name: gateway + repository: https://istio-release.storage.googleapis.com/charts + version: 1.26.2 diff --git a/infra/istio-system/templates/expose.yaml b/infra/istio-system/templates/expose.yaml new file mode 100644 index 0000000..34c77f7 --- /dev/null +++ b/infra/istio-system/templates/expose.yaml @@ -0,0 +1,70 @@ +#apiVersion: networking.istio.io/v1 +#kind: Gateway +#metadata: +# name: istiod-gateway +#spec: +# selector: +# istio: eastwestgateway +# servers: +# - port: +# name: tls-istiod +# number: 15012 +# protocol: tls +# tls: +# mode: PASSTHROUGH +# hosts: +# - "*" +# - port: +# name: tls-istiodwebhook +# number: 15017 +# protocol: tls +# tls: +# mode: PASSTHROUGH +# hosts: +# - "*" +#--- +#apiVersion: networking.istio.io/v1 +#kind: VirtualService +#metadata: +# name: istiod-vs +#spec: +# hosts: +# - "*" +# gateways: +# - istiod-gateway +# tls: +# - match: +# - port: 15012 +# sniHosts: +# - "*" +# route: +# - destination: +# host: istiod.istio-system.svc.cluster.local +# port: +# number: 15012 +# - match: +# - port: 15017 +# sniHosts: +# - "*" +# route: +# - destination: +# host: istiod.istio-system.svc.cluster.local +# port: +# number: 443 +--- +apiVersion: networking.istio.io/v1 +kind: Gateway +metadata: + name: cross-network-gateway +spec: + selector: + istio: eastwestgateway + servers: + - port: + number: 15443 + name: tls + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - "*.local" diff --git a/infra/istio-system/templates/issuer.yaml b/infra/istio-system/templates/issuer.yaml new file mode 100644 index 0000000..4480773 --- /dev/null +++ b/infra/istio-system/templates/issuer.yaml @@ -0,0 +1,8 @@ +#apiVersion: cert-manager.io/v1 +#kind: Issuer +#metadata: +# name: vault-issuer +# namespace: istio-system +#spec: +# ca: +# secretName: ca-key-pair diff --git a/infra/istio-system/values.yaml b/infra/istio-system/values.yaml new file mode 100644 index 0000000..5cd90bd --- /dev/null +++ b/infra/istio-system/values.yaml @@ -0,0 +1,10 @@ +istiod: + global: + network: network1 + meshID: mesh1 + multiCluster: + clusterName: infra + +gateway: + name: istio-eastwestgateway + networkGateway: network1 \ No newline at end of file diff --git a/kube-prometheus-stack/Chart.yaml b/infra/kube-prometheus-stack/Chart.yaml similarity index 56% rename from kube-prometheus-stack/Chart.yaml rename to infra/kube-prometheus-stack/Chart.yaml index 3cd9e24..d2de063 100644 --- a/kube-prometheus-stack/Chart.yaml +++ b/infra/kube-prometheus-stack/Chart.yaml @@ -7,6 +7,6 @@ version: 0.1.0 appVersion: "1.16.0" dependencies: -- name: kube-prometheus-stack - repository: https://prometheus-community.github.io/helm-charts - version: 40.5.0 + - name: kube-prometheus-stack + repository: https://prometheus-community.github.io/helm-charts + version: 77.10.0 diff --git a/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml b/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml new file mode 100644 index 0000000..3328c18 --- /dev/null +++ b/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml @@ -0,0 +1,46 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: vault-grafana-oauth +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: grafana-oauth + data: + - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID + remoteRef: + key: kv/grafana/oauth + property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID + - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET + remoteRef: + key: kv/grafana/oauth + property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: vault-admin-credentials +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: grafana-admin-credentials + data: + - secretKey: admin-password + remoteRef: + key: kv/grafana/admin + property: password + - secretKey: admin-user + remoteRef: + key: kv/grafana/admin + property: user diff --git a/kube-prometheus-stack/templates/ingress.yaml b/infra/kube-prometheus-stack/templates/ingress.yaml similarity index 61% rename from kube-prometheus-stack/templates/ingress.yaml rename to infra/kube-prometheus-stack/templates/ingress.yaml index caf0ee1..5638d6a 100644 --- a/kube-prometheus-stack/templates/ingress.yaml +++ b/infra/kube-prometheus-stack/templates/ingress.yaml @@ -1,4 +1,4 @@ -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: grafana-ingress @@ -6,16 +6,15 @@ spec: entryPoints: - websecure routes: - - match: Host(`grafana.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: grafana - port: 80 + - match: Host(`grafana.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: grafana + port: 80 tls: secretName: grafana-tls --- - apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -27,11 +26,10 @@ spec: kind: ClusterIssuer commonName: "grafana.durp.info" dnsNames: - - "grafana.durp.info" + - "grafana.durp.info" --- - -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: alertmanager-ingress @@ -39,21 +37,20 @@ spec: entryPoints: - websecure routes: - - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: prometheus-alertmanager - port: 9093 + - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: prometheus-alertmanager + port: 9093 tls: secretName: alertmanager-tls --- - apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -65,10 +62,9 @@ spec: kind: ClusterIssuer commonName: "alertmanager.durp.info" dnsNames: - - "alertmanager.durp.info" + - "alertmanager.durp.info" --- - kind: Service apiVersion: v1 metadata: @@ -77,4 +73,5 @@ metadata: external-dns.alpha.kubernetes.io/hostname: grafana.durp.info spec: type: ExternalName - externalName: durp.info \ No newline at end of file + externalName: durp.info + diff --git a/kube-prometheus-stack/values.yaml b/infra/kube-prometheus-stack/values.yaml similarity index 85% rename from kube-prometheus-stack/values.yaml rename to infra/kube-prometheus-stack/values.yaml index 19436ac..df68eba 100644 --- a/kube-prometheus-stack/values.yaml +++ b/infra/kube-prometheus-stack/values.yaml @@ -1,4 +1,4 @@ -kube-prometheus-stack: +kube-prometheus-stack: fullnameOverride: prometheus defaultRules: @@ -51,16 +51,16 @@ kube-prometheus-stack: userKey: admin-user passwordKey: admin-password ingress: - enabled: false + enabled: false grafana.ini: server: root_url: https://grafana.durp.info auth.generic_oauth: - enabled: true - scopes: openid profile email - auth_url: https://authentik.durp.info/application/o/authorize/ - token_url: https://authentik.durp.info/application/o/token/ - api_url: https://authentik.durp.info/application/o/userinfo/ + enabled: true + scopes: openid profile email + auth_url: https://authentik.durp.info/application/o/authorize/ + token_url: https://authentik.durp.info/application/o/token/ + api_url: https://authentik.durp.info/application/o/userinfo/ envFromSecret: "grafana-oauth" kubeApiServer: @@ -77,10 +77,10 @@ kube-prometheus-stack: kubeControllerManager: enabled: true - endpoints: # ips of servers - - 192.168.20.121 - - 192.168.20.122 - - 192.168.20.123 + endpoints: # ips of servers + - 192.168.12.11 + - 192.168.12.12 + - 192.168.12.13 coreDns: enabled: false @@ -91,9 +91,9 @@ kube-prometheus-stack: kubeEtcd: enabled: true endpoints: # ips of servers - - 192.168.20.121 - - 192.168.20.122 - - 192.168.20.123 + - 192.168.12.11 + - 192.168.12.12 + - 192.168.12.13 service: enabled: true port: 2381 @@ -102,16 +102,16 @@ kube-prometheus-stack: kubeScheduler: enabled: true endpoints: # ips of servers - - 192.168.20.121 - - 192.168.20.122 - - 192.168.20.123 + - 192.168.12.11 + - 192.168.12.12 + - 192.168.12.13 kubeProxy: enabled: true endpoints: # ips of servers - - 192.168.20.121 - - 192.168.20.122 - - 192.168.20.123 + - 192.168.12.11 + - 192.168.12.12 + - 192.168.12.13 kubeStateMetrics: enabled: true @@ -190,14 +190,14 @@ kube-prometheus-stack: retention: 6h enableAdminAPI: true walCompression: true - storageSpec: + storageSpec: volumeClaimTemplate: spec: - storageClassName: nfs-storage + storageClassName: longhorn accessModes: ["ReadWriteMany"] resources: requests: - storage: 50Gi + storage: 20Gi thanosRuler: enabled: false diff --git a/infra/litellm/Chart.yaml b/infra/litellm/Chart.yaml new file mode 100644 index 0000000..1444a2c --- /dev/null +++ b/infra/litellm/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: litellm +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: + - name: "litellm-helm" + version: 0.1.643 + repository: oci://ghcr.io/berriai/litellm-helm diff --git a/infra/litellm/values.yaml b/infra/litellm/values.yaml new file mode 100644 index 0000000..b7ce066 --- /dev/null +++ b/infra/litellm/values.yaml @@ -0,0 +1,197 @@ +litellm: + # Default values for litellm. + # This is a YAML-formatted file. + # Declare variables to be passed into your templates. + + replicaCount: 1 + + image: + # Use "ghcr.io/berriai/litellm-database" for optimized image with database + repository: ghcr.io/berriai/litellm-database + pullPolicy: Always + # Overrides the image tag whose default is the chart appVersion. + # tag: "main-latest" + tag: "" + + imagePullSecrets: [] + nameOverride: "litellm" + fullnameOverride: "" + + serviceAccount: + # Specifies whether a service account should be created + create: false + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + podAnnotations: {} + podLabels: {} + + # At the time of writing, the litellm docker image requires write access to the + # filesystem on startup so that prisma can install some dependencies. + podSecurityContext: {} + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: false + # runAsNonRoot: true + # runAsUser: 1000 + + # A list of Kubernetes Secret objects that will be exported to the LiteLLM proxy + # pod as environment variables. These secrets can then be referenced in the + # configuration file (or "litellm" ConfigMap) with `os.environ/` + environmentSecrets: [] + # - litellm-env-secret + + # A list of Kubernetes ConfigMap objects that will be exported to the LiteLLM proxy + # pod as environment variables. The ConfigMap kv-pairs can then be referenced in the + # configuration file (or "litellm" ConfigMap) with `os.environ/` + environmentConfigMaps: [] + # - litellm-env-configmap + + service: + type: ClusterIP + port: 4000 + + ingress: + enabled: false + className: "nginx" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: api.example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + # masterkey: changeit + + # The elements within proxy_config are rendered as config.yaml for the proxy + # Examples: https://github.com/BerriAI/litellm/tree/main/litellm/proxy/example_config_yaml + # Reference: https://docs.litellm.ai/docs/proxy/configs + proxy_config: + model_list: + # At least one model must exist for the proxy to start. + - model_name: gpt-3.5-turbo + litellm_params: + model: gpt-3.5-turbo + api_key: eXaMpLeOnLy + - model_name: fake-openai-endpoint + litellm_params: + model: openai/fake + api_key: fake-key + api_base: https://exampleopenaiendpoint-production.up.railway.app/ + general_settings: + master_key: os.environ/PROXY_MASTER_KEY + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + # Additional volumes on the output Deployment definition. + volumes: [] + # - name: foo + # secret: + # secretName: mysecret + # optional: false + + # Additional volumeMounts on the output Deployment definition. + volumeMounts: [] + # - name: foo + # mountPath: "/etc/foo" + # readOnly: true + + nodeSelector: {} + + tolerations: [] + + affinity: {} + + db: + # Use an existing postgres server/cluster + useExisting: false + + # How to connect to the existing postgres server/cluster + endpoint: localhost + database: litellm + url: postgresql://$(DATABASE_USERNAME):$(DATABASE_PASSWORD)@$(DATABASE_HOST)/$(DATABASE_NAME) + secret: + name: postgres + usernameKey: username + passwordKey: password + + # Use the Stackgres Helm chart to deploy an instance of a Stackgres cluster. + # The Stackgres Operator must already be installed within the target + # Kubernetes cluster. + # TODO: Stackgres deployment currently unsupported + useStackgresOperator: false + + # Use the Postgres Helm chart to create a single node, stand alone postgres + # instance. See the "postgresql" top level key for additional configuration. + deployStandalone: true + + # Settings for Bitnami postgresql chart (if db.deployStandalone is true, ignored + # otherwise) + postgresql: + architecture: standalone + auth: + username: litellm + database: litellm + + # You should override these on the helm command line with + # `--set postgresql.auth.postgres-password=,postgresql.auth.password=` + password: NoTaGrEaTpAsSwOrD + postgres-password: NoTaGrEaTpAsSwOrD + + # A secret is created by this chart (litellm-helm) with the credentials that + # the new Postgres instance should use. + # existingSecret: "" + # secretKeys: + # userPasswordKey: password + + # requires cache: true in config file + # either enable this or pass a secret for REDIS_HOST, REDIS_PORT, REDIS_PASSWORD or REDIS_URL + # with cache: true to use existing redis instance + redis: + enabled: false + architecture: standalone + + # Prisma migration job settings + migrationJob: + enabled: true # Enable or disable the schema migration Job + retries: 3 # Number of retries for the Job in case of failure + backoffLimit: 4 # Backoff limit for Job restarts + disableSchemaUpdate: false # Skip schema migrations for specific environments. When True, the job will exit with code 0. + annotations: {} + ttlSecondsAfterFinished: 120 + + # Additional environment variables to be added to the deployment + envVars: { + # USE_DDTRACE: "true" + } + diff --git a/crossplane/Chart.yaml b/infra/longhorn/Chart.yaml similarity index 54% rename from crossplane/Chart.yaml rename to infra/longhorn/Chart.yaml index c7bf1ab..c699fa5 100644 --- a/crossplane/Chart.yaml +++ b/infra/longhorn/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: crossplane +name: longhorn-system description: A Helm chart for Kubernetes type: application @@ -7,6 +7,6 @@ version: 0.1.0 appVersion: "1.16.0" dependencies: -- name: crossplane - repository: https://charts.crossplane.io/stable - version: 1.12.0 +- name: longhorn + repository: https://charts.longhorn.io + version: 1.9.0 diff --git a/infra/longhorn/templates/ingress.yaml b/infra/longhorn/templates/ingress.yaml new file mode 100644 index 0000000..ad4ebd3 --- /dev/null +++ b/infra/longhorn/templates/ingress.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: longhorn-ingress + annotations: + cert-manager.io/cluster-issuer: vault-issuer +spec: + entryPoints: + - websecure + routes: + - match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + #- name: authentik-proxy-provider + # namespace: traefik + services: + - name: longhorn-frontend + port: 80 + tls: + secretName: longhorn-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: longhorn-tls +spec: + secretName: longhorn-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "longhorn.infra.durp.info" + dnsNames: + - "longhorn.infra.durp.info" diff --git a/infra/longhorn/templates/secrets.yaml b/infra/longhorn/templates/secrets.yaml new file mode 100644 index 0000000..e3d18af --- /dev/null +++ b/infra/longhorn/templates/secrets.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + +--- + +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: external-longhorn-backup-token-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: longhorn-backup-token-secret + data: + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: kv/longhorn/backup + property: AWS_ACCESS_KEY_ID + - secretKey: AWS_ENDPOINTS + remoteRef: + key: kv/longhorn/backup + property: AWS_ENDPOINTS + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: kv/longhorn/backup + property: AWS_SECRET_ACCESS_KEY diff --git a/infra/longhorn/values.yaml b/infra/longhorn/values.yaml new file mode 100644 index 0000000..e34a1ee --- /dev/null +++ b/infra/longhorn/values.yaml @@ -0,0 +1,192 @@ +longhorn: + global: + cattle: + systemDefaultRegistry: "" + + image: + longhorn: + engine: + repository: longhornio/longhorn-engine + manager: + repository: longhornio/longhorn-manager + ui: + repository: longhornio/longhorn-ui + instanceManager: + repository: longhornio/longhorn-instance-manager + shareManager: + repository: longhornio/longhorn-share-manager + backingImageManager: + repository: longhornio/backing-image-manager + csi: + attacher: + repository: longhornio/csi-attacher + provisioner: + repository: longhornio/csi-provisioner + nodeDriverRegistrar: + repository: longhornio/csi-node-driver-registrar + resizer: + repository: longhornio/csi-resizer + snapshotter: + repository: longhornio/csi-snapshotter + pullPolicy: Always + + service: + ui: + type: ClusterIP + nodePort: null + manager: + type: ClusterIP + nodePort: "" + loadBalancerIP: "" + loadBalancerSourceRanges: "" + + persistence: + defaultClass: true + defaultFsType: ext4 + defaultClassReplicaCount: 3 + defaultDataLocality: disabled # best-effort otherwise + reclaimPolicy: Delete + migratable: false + recurringJobSelector: + enable: true + jobList: '[ + { + "name":"backup", + "task":"backup", + "cron":"0 0 * * *", + "retain":24 + } + ]' + backingImage: + enable: false + name: ~ + dataSourceType: ~ + dataSourceParameters: ~ + expectedChecksum: ~ + + csi: + kubeletRootDir: ~ + attacherReplicaCount: ~ + provisionerReplicaCount: ~ + resizerReplicaCount: ~ + snapshotterReplicaCount: ~ + + defaultSettings: + backupTarget: S3://longhorn-master@us-east-1/ + backupTargetCredentialSecret: longhorn-backup-token-secret + allowRecurringJobWhileVolumeDetached: ~ + createDefaultDiskLabeledNodes: ~ + defaultDataPath: ~ + defaultDataLocality: ~ + replicaSoftAntiAffinity: ~ + replicaAutoBalance: ~ + storageOverProvisioningPercentage: ~ + storageMinimalAvailablePercentage: ~ + upgradeChecker: ~ + defaultReplicaCount: ~ + defaultLonghornStaticStorageClass: longhorn + backupstorePollInterval: ~ + taintToleration: ~ + systemManagedComponentsNodeSelector: ~ + priorityClass: ~ + autoSalvage: ~ + autoDeletePodWhenVolumeDetachedUnexpectedly: ~ + disableSchedulingOnCordonedNode: ~ + replicaZoneSoftAntiAffinity: ~ + nodeDownPodDeletionPolicy: ~ + allowNodeDrainWithLastHealthyReplica: ~ + mkfsExt4Parameters: ~ + disableReplicaRebuild: ~ + replicaReplenishmentWaitInterval: ~ + concurrentReplicaRebuildPerNodeLimit: ~ + disableRevisionCounter: ~ + systemManagedPodsImagePullPolicy: ~ + allowVolumeCreationWithDegradedAvailability: ~ + autoCleanupSystemGeneratedSnapshot: ~ + concurrentAutomaticEngineUpgradePerNodeLimit: ~ + backingImageCleanupWaitInterval: ~ + backingImageRecoveryWaitInterval: ~ + guaranteedEngineManagerCPU: ~ + guaranteedReplicaManagerCPU: ~ + kubernetesClusterAutoscalerEnabled: ~ + orphanAutoDeletion: ~ + storageNetwork: ~ + privateRegistry: + createSecret: ~ + registryUrl: ~ + registryUser: ~ + registryPasswd: ~ + registrySecret: ~ + + longhornManager: + priorityClass: ~ + tolerations: [] + ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + nodeSelector: {} + ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + + longhornDriver: + priorityClass: ~ + tolerations: [] + ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + nodeSelector: {} + ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + + longhornUI: + priorityClass: ~ + tolerations: [] + ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + nodeSelector: {} + ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + # + + ingress: + enabled: false + + ## Specify override namespace, specifically this is useful for using longhorn as sub-chart + ## and its release namespace is not the `longhorn-system` + namespaceOverride: "" + + # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional. + annotations: {} + + serviceAccount: + # Annotations to add to the service account + annotations: {} + diff --git a/infra/metallb-system/Chart.yaml b/infra/metallb-system/Chart.yaml new file mode 100644 index 0000000..c92e842 --- /dev/null +++ b/infra/metallb-system/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: metallb-system +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: +- name: metallb + repository: https://metallb.github.io/metallb + version: 0.15.2 diff --git a/infra/metallb-system/templates/config.yaml b/infra/metallb-system/templates/config.yaml new file mode 100644 index 0000000..457130f --- /dev/null +++ b/infra/metallb-system/templates/config.yaml @@ -0,0 +1,17 @@ +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: cheap +spec: + addresses: + - 192.168.12.130-192.168.12.140 +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: pool + namespace: metallb-system +spec: + ipAddressPools: + - cheap + diff --git a/infra/metallb-system/values.yaml b/infra/metallb-system/values.yaml new file mode 100644 index 0000000..e69de29 diff --git a/uptimekuma/Chart.yaml b/infra/nebula-sync/Chart.yaml similarity index 86% rename from uptimekuma/Chart.yaml rename to infra/nebula-sync/Chart.yaml index 0dcf730..114f728 100644 --- a/uptimekuma/Chart.yaml +++ b/infra/nebula-sync/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: uptimekuma +name: nebula-sync description: A Helm chart for Kubernetes type: application diff --git a/infra/nebula-sync/templates/deployment.yaml b/infra/nebula-sync/templates/deployment.yaml new file mode 100644 index 0000000..51e2607 --- /dev/null +++ b/infra/nebula-sync/templates/deployment.yaml @@ -0,0 +1,73 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: nebula-sync + name: nebula-sync + labels: + app: nebula-sync +spec: + selector: + matchLabels: + app: nebula-sync + replicas: 1 + template: + metadata: + labels: + app: nebula-sync + spec: + containers: + - name: nebula-sync + image: registry.durp.info/lovelaze/nebula-sync:latest + imagePullPolicy: Always + env: + - name: PRIMARY + valueFrom: + secretKeyRef: + name: nebula-sync-secret + key: primary + - name: REPLICAS + valueFrom: + secretKeyRef: + name: nebula-sync-secret + key: replicas + - name: FULL_SYNC + value: "false" + - name: RUN_GRAVITY + value: "false" + - name: CRON + value: "*/15 * * * *" + - name: CLIENT_SKIP_TLS_VERIFICATION + value: "true" + - name: TZ + value: America/Chicago + - name: SYNC_CONFIG_DNS + value: "true" + - name: SYNC_CONFIG_DHCP + value: "true" + - name: SYNC_CONFIG_NTP + value: "true" + - name: SYNC_CONFIG_RESOLVER + value: "true" + - name: SYNC_CONFIG_DATABASE + value: "true" + - name: SYNC_CONFIG_MISC + value: "true" + - name: SYNC_CONFIG_DEBUG + value: "true" + - name: SYNC_GRAVITY_DHCP_LEASES + value: "true" + - name: SYNC_GRAVITY_GROUP + value: "true" + - name: SYNC_GRAVITY_AD_LIST + value: "true" + - name: SYNC_GRAVITY_AD_LIST_BY_GROUP + value: "true" + - name: SYNC_GRAVITY_DOMAIN_LIST + value: "true" + - name: SYNC_GRAVITY_DOMAIN_LIST_BY_GROUP + value: "true" + - name: SYNC_GRAVITY_CLIENT + value: "true" + - name: SYNC_GRAVITY_CLIENT_BY_GROUP + value: "true" + diff --git a/infra/nebula-sync/templates/secrets.yaml b/infra/nebula-sync/templates/secrets.yaml new file mode 100644 index 0000000..3ab65df --- /dev/null +++ b/infra/nebula-sync/templates/secrets.yaml @@ -0,0 +1,27 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: nebula-sync-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: nebula-sync-secret + data: + - secretKey: primary + remoteRef: + key: kv/pihole + property: primary + - secretKey: replicas + remoteRef: + key: kv/pihole + property: replicas + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + diff --git a/infra/nfs/Chart.yaml b/infra/nfs/Chart.yaml new file mode 100644 index 0000000..1a9ffb9 --- /dev/null +++ b/infra/nfs/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: nfs-csi +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: +- name: csi-driver-nfs + repository: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts + version: 4.11.0 diff --git a/infra/openclarity/Chart.yaml b/infra/openclarity/Chart.yaml new file mode 100644 index 0000000..e4028f3 --- /dev/null +++ b/infra/openclarity/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: openclarity +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: + - name: openclarity + repository: oci://ghcr.io/openclarity/charts + version: 1.1.3 diff --git a/infra/openclarity/templates/secret.yaml b/infra/openclarity/templates/secret.yaml new file mode 100644 index 0000000..51ba410 --- /dev/null +++ b/infra/openclarity/templates/secret.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + +--- + +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: openclarity-postgres-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: openclarity-postgres-secret + data: + - secretKey: username + remoteRef: + key: kv/openclarity/postgres + property: username + - secretKey: postgres-password + remoteRef: + key: kv/openclarity/postgres + property: password + - secretKey: password + remoteRef: + key: kv/openclarity/postgres + property: password + - secretKey: database + remoteRef: + key: kv/openclarity/postgres + property: database diff --git a/infra/openclarity/values.yaml b/infra/openclarity/values.yaml new file mode 100644 index 0000000..c8f1629 --- /dev/null +++ b/infra/openclarity/values.yaml @@ -0,0 +1,915 @@ +openclarity: + global: + imageRegistry: registry.durp.info + + apiserver: + # -- Number of replicas for the API Server + replicas: 1 + + database: + postgresql: + # -- Enable/disable Postgresql database + enabled: true + externalPostgresql: + # -- Enable/disable external Postgresql database + enabled: false + # -- External Postgreqsl database host + host: "" + # -- External Postgresql database port + port: 5432 + auth: + # -- Name of existing secret to use for PostgreSQL credentials that has the following keys: + # username + # password + # database + existingSecret: "" + + image: + # -- API Server image registry + registry: ghcr.io + # -- API Server image repository + repository: openclarity/openclarity-api-server + # -- API Server image tag (immutable tags are recommended) + tag: latest + # -- API Server image digest. If set will override the tag. + digest: "" + # -- API Server image pull policy + pullPolicy: IfNotPresent + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + # -- API Server log level + logLevel: info + + resources: + # -- The resources limits for the apiserver containers + limits: {} + # -- The requested resources for the apiserver containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + orchestrator: + # -- Number of replicas for the Orchestrator service + # Currently 1 supported. + replicas: 1 + + image: + # -- Orchestrator image registry + registry: ghcr.io + # -- Orchestrator image repository + repository: openclarity/openclarity-orchestrator + # -- Orchestrator image tag (immutable tags are recommended) + tag: latest + # -- Orchestrator image digest. If set will override the tag. + digest: "" + # -- Orchestrator image pull policy + pullPolicy: IfNotPresent + + podSecurityContext: + # -- Whether Orchestrator pod security context is enabled + enabled: true + # -- Orchestrator pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + # -- Orchestrator service log level + logLevel: info + + resources: + # -- The resources limits for the orchestrator containers + limits: {} + # -- The requested resources for the orchestrator containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: true + + # -- Global policy used to determine when to clean up an AssetScan. + # Possible options are: + # Always - All AssetScans are cleaned up + # OnSuccess - Only Successful AssetScans are cleaned up, Failed ones are left for debugging + # Never - No AssetScans are cleaned up + deleteJobPolicy: Always + + scannerImage: + # -- Scanner Container image registry + registry: ghcr.io + # -- Scanner Container image repository + repository: openclarity/openclarity-cli + # -- Scanner Container image tag (immutable tags are recommended) + tag: latest + # -- Scanner Container image digest. If set will override the tag. + digest: "" + + # -- Address that scanners can use to reach back to the API server + scannerApiserverAddress: "" + + # -- Address that scanners can use to reach back to the Exploits server + exploitsDBAddress: "" + + # -- Address that scanners can use to reach trivy server + trivyServerAddress: "" + + # -- Address that scanners can use to reach the grype server + grypeServerAddress: "" + + # -- Address that scanners can use to reach the freshclam mirror + freshclamMirrorAddress: "" + + # -- Address that scanner can use to reach the yara rule server + yaraRuleServerAddress: "" + + # -- Which provider driver to enable. + # If enabling the Kubernetes provider ensure that the orchestrator + # serviceAccount section is configured to allow access to the Kubernetes API. + provider: "kubernetes" + + kubernetes: {} + + # Only for testing purposes + docker: {} + + ui: + # -- Number of replicas for the UI service + replicas: 1 + + image: + # -- UI image registry + registry: ghcr.io + # -- UI image repository + repository: openclarity/openclarity-ui + # -- UI image tag + tag: latest + # -- UI image digest. If set will override the tag + digest: "" + # -- UI Image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the UI containers + limits: {} + # -- The requested resources for the UI containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: true + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 101 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 101 + # -- Group ID which the containers should run as + runAsGroup: 101 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + uibackend: + # -- Number of replicas for the UI Backend service + replicas: 1 + + image: + # -- UI Backend image registry + registry: ghcr.io + # -- UI Backend image repository + repository: openclarity/openclarity-ui-backend + # -- UI Backend image tag + tag: latest + # -- UI Backend image digest. If set will override the tag. + digest: "" + # -- UI Backend image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the UI backend containers + limits: {} + # -- The requested resources for the UI backend containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + # -- Log level for the UI backend service + logLevel: info + + gateway: + # -- Number of replicas for the gateway + replicas: 1 + + image: + # -- Gateway service container registry + registry: docker.io + # -- Gateway service container repository + repository: nginxinc/nginx-unprivileged + # -- Gateway service container tag + tag: 1.29.0 + # -- Gateway image digest. If set will override the tag. + digest: "" + # -- Gateway service container pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the gateway containers + limits: {} + # -- The requested resources for the gateway containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 101 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 101 + # -- Group ID which the containers should run as + runAsGroup: 101 + # -- Whether the containers should run as a non-root user + runAsNonRoot: false + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + service: + # -- Service type: ClusterIP, NodePort, LoadBalancer + type: ClusterIP + # -- Port configurations + ports: + http: 80 + # -- NodePort configurations + nodePorts: + http: "" + # -- Dedicated IP address used for service + clusterIP: "" + # -- Annotations set for service + annotations: {} + # -- External Traffic Policy configuration + # Set the field to Cluster to route external traffic to all ready endpoints and Local to only route to ready node + # local endpoints. + externalTrafficPolicy: Cluster + + ingress: + # -- Be careful when using ingress. As there is no authentication on openclarity, your instance may be accessible. + # Make sure the ingress remains internal if you decide to enable it. + enabled: false + labels: {} + annotations: {} + + # -- Optionally use ingressClassName instead of default ingress class. + ingressClassName: "" + + hosts: + # Hostname you want to use to access the UI + - host: chart-example.local + # paths will default to: + # paths: + # - pathType: Prefix + # path: / + paths: [] + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + postgresql: + image: + # -- Postgresql container registry + registry: docker.io + # -- Postgresql container repository + repository: bitnami/postgresql + # -- Postgresql container tag + tag: 16.6.0-debian-12-r1 + # -- Postgresql image digest. If set will override the tag. + digest: "" + # -- Postgresql container image pull policy + pullPolicy: IfNotPresent + primary: + # -- Postgresql container resource preset + # For more info see: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + resourcesPreset: "small" + + resources: + # -- The resources limits for the postgresql containers + limits: {} + # -- The requested resources for the postgresql containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + auth: + existingSecret: openclarity-postgres-secret + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + service: + ports: + # -- PostgreSQL service port + postgresql: 5432 + + exploitDBServer: + # -- Number of replicas for the exploit-db-server service + replicas: 1 + + image: + # -- Exploit DB Server container registry + registry: ghcr.io + # -- Exploit DB Server container repository + repository: openclarity/exploit-db-server + # -- Exploit DB Server container tag + tag: v0.3.0 + # -- Exploit DB Server image digest. If set will override the tag. + digest: "" + # -- Exploit DB Server image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the exploit-db-server containers + limits: {} + # -- The requested resources for the exploit-db-server containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: false + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + trivyServer: + # -- Number of replicas for the trivy server service + replicas: 1 + + image: + # -- Trivy Server container registry + registry: docker.io + # -- Trivy Server container repository + repository: aquasec/trivy + # -- Trivy Server container tag + tag: 0.69.3 + # -- Trivy Server image digest. If set will override the tag. + digest: "" + # -- Trivy Server image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the trivy server containers + limits: {} + # -- The requested resources for the trivy server containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + grypeServer: + # -- Number of replicas for the grype server service + replicas: 1 + + image: + # -- Grype server container registry + registry: ghcr.io + # -- Grype server container repository + repository: openclarity/grype-server + # -- Grype server container tag + tag: v0.7.5 + # -- Grype server image digest. If set will override the tag. + digest: "" + # -- Grype server image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the grype server containers + limits: {} + # -- The requested resources for the grype server containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + # -- Log level for the grype-server service + logLevel: info + + freshclamMirror: + # -- Number of replicas for the freshclam mirror service + replicas: 1 + + image: + # -- Freshclam Mirror container registry + registry: ghcr.io + # -- Freshclam Mirror container repository + repository: openclarity/freshclam-mirror + # -- Freshclam Mirror container tag + tag: v0.3.1 + # -- Freshclam Mirror image digest. If set will override the tag. + digest: "" + # -- Freshclam Mirror image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the freshclam mirror containers + limits: {} + # -- The requested resources for the freshclam mirror containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: false + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: false + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + swaggerUI: + # -- Number of replicas for the swagger-ui service + replicas: 1 + + image: + # -- Swagger UI container registry + registry: docker.io + # -- Swagger UI container repository + repository: swaggerapi/swagger-ui + # -- Swagger UI container tag + tag: v5.26.2 + # -- Swagger UI image digest. If set will override the tag. + digest: "" + # -- Swagger UI image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the swagger ui containers + limits: {} + # -- The requested resources for the swagger ui containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: false + # -- Pod security context fsGroup + fsGroup: 101 + + containerSecurityContext: + # -- Container security context enabled + enabled: false + # -- User ID which the containers should run as + runAsUser: 0 + # -- Group ID which the containers should run as + runAsGroup: 0 + # -- Whether the containers should run as a non-root user + runAsNonRoot: false + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + yaraRuleServer: + # -- Number of replicas for the Yara Rule Server service + replicas: 1 + + image: + # -- Yara Rule Server container registry + registry: ghcr.io + # -- Yara Rule Server container repository + repository: openclarity/yara-rule-server + # -- Yara Rule Server container tag + tag: v0.3.0 + # -- Yara Rule Server image digest. If set will override the tag. + digest: "" + # -- Yara Rule Server image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the Yara Rule Server containers + limits: {} + # -- The requested resources for the Yara Rule Server containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + #false -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: false + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: false + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + crDiscoveryServer: + nodeSelector: {} + tolerations: [] + affinity: {} + image: + # -- Container Runtime Discovery Server container registry + registry: ghcr.io + # -- Container Runtime Discovery Server container repository + repository: openclarity/openclarity-cr-discovery-server + # -- Container Runtime Discovery Server container tag + tag: latest + # -- Container Runtime Discovery Server image digest. If set will override the tag. + digest: "" + # -- Container Runtime Discovery Server image pull policy + pullPolicy: IfNotPresent + + # -- Environment variables to set in the Container Runtime Discovery Server container + env: [] + # - name: CONTAINERD_SOCK_ADDRESS + # value: /var/run/containerd/containerd.sock + containerRuntimePaths: + - name: containerd + path: /var/run/containerd + readOnly: true + - name: k3s-containerd + path: /run/k3s/containerd + readOnly: true + - name: docker + path: /var/lib/docker + readOnly: true + - name: crio + path: /var/run/crio + readOnly: true + - name: crio-lib + path: /var/lib/containers + - name: crio-run + path: /var/run/containers + - name: crio-containers + path: /etc/containers + readOnly: true + resources: + # -- The resources limits for the container runtime discovery server containers + limits: {} + # -- The requested resources for the container runtime discovery server containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: false + # -- Pod security context fsGroup + fsGroup: 1001 + + # In order to use CRI-O runtime you need to run OpenClarity + # with the following configuration: + # + # containerSecurityContext: + # enabled: true + # privileged: true + # readOnlyRootFilesystem: false + containerSecurityContext: + # -- Container security context enabled + enabled: false + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL \ No newline at end of file diff --git a/infra/portainer/Chart.yaml b/infra/portainer/Chart.yaml new file mode 100644 index 0000000..6bedd0a --- /dev/null +++ b/infra/portainer/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: portainer +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: + - name: portainer + repository: https://portainer.github.io/k8s/ + version: 2.33.6 diff --git a/infra/portainer/templates/ingress.yaml b/infra/portainer/templates/ingress.yaml new file mode 100644 index 0000000..c1e0e38 --- /dev/null +++ b/infra/portainer/templates/ingress.yaml @@ -0,0 +1,30 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: portainer-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`portainer.internal.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: portainer + port: 9000 + tls: + secretName: portainer-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: portainer-tls +spec: + secretName: portainer-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "portainer.internal.durp.info" + dnsNames: + - "portainer.internal.durp.info" diff --git a/infra/portainer/values.yaml b/infra/portainer/values.yaml new file mode 100644 index 0000000..a3779f7 --- /dev/null +++ b/infra/portainer/values.yaml @@ -0,0 +1,78 @@ +portainer: + replicaCount: 1 + image: + repository: registry.durp.info/portainer/portainer-ce + tag: 2.39.1 + pullPolicy: Always + + imagePullSecrets: [] + + nodeSelector: {} + tolerations: [] + + serviceAccount: + annotations: {} + name: portainer-sa-clusteradmin + + # This flag provides the ability to enable or disable RBAC-related resources during the deployment of the Portainer application + # If you are using Portainer to manage the K8s cluster it is deployed to, this flag must be set to true + localMgmt: true + + service: + # Set the httpNodePort and edgeNodePort only if the type is NodePort + # For Ingress, set the type to be ClusterIP and set ingress.enabled to true + # For Cloud Providers, set the type to be LoadBalancer + type: NodePort + httpPort: 9000 + httpsPort: 9443 + httpNodePort: 30777 + httpsNodePort: 30779 + edgePort: 8000 + edgeNodePort: 30776 + annotations: {} + + tls: + # If set, Portainer will be configured to use TLS only + force: false + # If set, will mount the existing secret into the pod + existingSecret: "" + + trusted_origins: + # If set, Portainer will be configured to trust the domains specified in domains + enabled: false + # specify (in a comma-separated list) the domain(s) used to access Portainer when it is behind a reverse proxy + # example: portainer.mydomain.com,portainer.example.com + domains: "" + + mtls: + # If set, Portainer will be configured to use mTLS only + enable: false + # If set, will mount the existing secret into the pod + existingSecret: "" + + feature: + flags: [] + + ingress: + enabled: false + ingressClassName: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # Only use below if tls.force=true + # nginx.ingress.kubernetes.io/backend-protocol: HTTPS + # Note: Hosts and paths are of type array + hosts: + - host: + paths: [] + # - path: "/" + tls: [] + + resources: {} + + persistence: + enabled: true + size: "10Gi" + annotations: {} + storageClass: longhorn + existingClaim: + diff --git a/infra/renovate/Chart.yaml b/infra/renovate/Chart.yaml new file mode 100644 index 0000000..b20d1e8 --- /dev/null +++ b/infra/renovate/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v2 +name: renovate +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: + - name: renovate + repository: https://docs.renovatebot.com/helm-charts + version: 39.264.0 + alias: "renovate-personal" diff --git a/infra/renovate/templates/secrets.yaml b/infra/renovate/templates/secrets.yaml new file mode 100644 index 0000000..d42ab7e --- /dev/null +++ b/infra/renovate/templates/secrets.yaml @@ -0,0 +1,62 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: renovate-config-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: renovate-config-secret + data: + - secretKey: renovate.json + remoteRef: + key: kv/renovate + property: config + - secretKey: RENOVATE_AUTODISCOVER + remoteRef: + key: kv/renovate + property: RENOVATE_AUTODISCOVER + - secretKey: RENOVATE_ENDPOINT + remoteRef: + key: kv/renovate + property: RENOVATE_ENDPOINT + - secretKey: RENOVATE_GIT_AUTHOR + remoteRef: + key: kv/renovate + property: RENOVATE_GIT_AUTHOR + - secretKey: RENOVATE_PLATFORM + remoteRef: + key: kv/renovate + property: RENOVATE_PLATFORM + - secretKey: RENOVATE_TOKEN + remoteRef: + key: kv/renovate + property: RENOVATE_TOKEN + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: renovate-personal-config-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: renovate-personal-config-secret + data: + - secretKey: RENOVATE_TOKEN + remoteRef: + key: kv/renoatePersonal + property: RENOVATE_TOKEN + - secretKey: RENOVATE_GITHUB_COM_TOKEN + remoteRef: + key: kv/renoatePersonal + property: RENOVATE_GITHUB_COM_TOKEN diff --git a/infra/renovate/values.yaml b/infra/renovate/values.yaml new file mode 100644 index 0000000..4754bc7 --- /dev/null +++ b/infra/renovate/values.yaml @@ -0,0 +1,330 @@ +renovate-personal: + global: + # -- Additional labels to be set on all renovate resources + commonLabels: {} + compatibility: + openshift: + # -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: `auto` (apply if the detected running cluster is Openshift), `force` (perform the adaptation always), `disabled` (do not perform adaptation) + adaptSecurityContext: "auto" + + # -- Override the name of the chart + nameOverride: "" + # -- Override the fully qualified app name + fullnameOverride: "" + # -- Annotations to add to secret + secretAnnotations: {} + + cronjob: + # -- Schedules the job to run using cron notation + schedule: "0 1 * * *" # At 01:00 every day + # -- You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) + timeZone: "" # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for valid names + # -- If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions. + suspend: false + # -- Annotations to set on the cronjob + annotations: {} + # -- Labels to set on the cronjob + labels: {} + # -- "Allow" to allow concurrent runs, "Forbid" to skip new runs if a previous run is still running or "Replace" to replace the previous run + concurrencyPolicy: "" + # -- "Number of successful completions is reached to mark the job as complete" + completions: "" + # -- "Where the jobs should be NonIndexed or Indexed" + completionMode: "" + # -- Amount of failed jobs to keep in history + failedJobsHistoryLimit: "" + # -- Amount of completed jobs to keep in history + successfulJobsHistoryLimit: "" + # -- Set to Never to restart the job when the pod fails or to OnFailure to restart when a container fails + jobRestartPolicy: Never + # -- Time to keep the job after it finished before automatically deleting it + ttlSecondsAfterFinished: "" + # -- Deadline for the job to finish + activeDeadlineSeconds: "" + # -- Number of times to retry running the pod before considering the job as being failed + jobBackoffLimit: "" + # -- Maximal number of failures per index + backoffLimitPerIndex: "" + # -- Maximal number of failed indexes before terminating the Job execution + maxFailedIndexes: "" + # -- Deadline to start the job, skips execution if job misses it's configured deadline + startingDeadlineSeconds: "" + # -- Additional initContainers that can be executed before renovate + initContainers: [] + # initContainers: + # - name: INIT_CONTAINER_NAME + # image: INIT_CONTAINER_IMAGE + # -- Number of pods to run in parallel + parallelism: "" + # -- Custom command to run in the container + commandOverride: [] + # -- Custom arguments to run in the container + argsOverride: [] + # -- Prepend shell commands before renovate runs + #preCommand: '' + #preCommand: | + # ls /config + # cat /config/renovate.json + + postCommand: "" + # postCommand: | + # echo hello + # echo world + + pod: + # -- Annotations to set on the pod + annotations: {} + # -- Labels to set on the pod + labels: {} + + image: + # -- Registry to pull image from + registry: registry.durp.info + # -- Image name to pull + repository: renovatebot/renovate + # -- Renovate image tag to pull + #tag: 39.264.0 + # -- "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images + pullPolicy: Always + # -- Set `true` to use the full image. See https://docs.renovatebot.com/getting-started/running/#the-full-image + useFull: false + + # -- Secret to use to pull the image from the repository + imagePullSecrets: {} + + renovate: + # -- Custom exiting global renovate config + #existingConfigFile: "/config/renovate.json" + # -- Inline global renovate config.json + config: | + { + "platform": "gitlab", + "endpoint": "https://gitlab.durp.info/api/v4", + "autodiscover": true, + "dryRun": null, + "printConfig": false, + "autodiscoverFilter": ["durfy/**"], + "assignees": ["durp"] + } + # See https://docs.renovatebot.com/self-hosted-configuration + # config: | + # { + # "": "gitlab", + # "endpoint": "https://gitlab.example.com/api/v4", + # "token": "your-gitlab-renovate-user-token", + # "autodiscover": "false", + # "dryRun": true, + # "printConfig": true, + # "repositories": ["username/repo", "orgname/repo"] + # } + + # -- Use the Helm tpl function on your configuration. See README for how to use this value + configEnableHelmTpl: false + + # -- Use this to create the renovate-config as a secret instead of a configmap + configIsSecret: true + + # -- Use this to create a config.js instead of a config.json + configIsJavaScript: false + + # -- Renovate Container-level security-context + securityContext: {} + + # Instead of a file system cache, it is highly recommended to use the redis subchart. + # Alternatively, SQLite is also a good choice. + # Take a look at https://github.com/renovatebot/renovate/discussions/30525 for more information. + # -- Options related to persistence + persistence: + cache: + # -- Allow the cache to persist between runs + enabled: false + # -- Storage class of the cache PVC + storageClass: "" + # -- Storage size of the cache PVC + storageSize: "512Mi" + # -- Existing volume, enables binding the pvc to an existing volume + volumeName: "" + # -- Labels to set on the cache PVC + labels: {} + + ssh_config: + # -- Whether to enable the use and creation of a secret containing .ssh files + enabled: false + + # Provide .ssh config file contents + # -- Contents of the id_rsa file + id_rsa: "" + # -- Contents of the id_rsa_pub file + id_rsa_pub: "" + # -- Contents of the config file + config: "" + + # or provide the name of an existing secret to be read instead. + # -- Name of the existing secret containing a valid .ssh configuration + existingSecret: "" + + # -- Environment variables that should be referenced from a k8s secret, cannot be used when existingSecret is set + secrets: {} + # -- k8s secret to reference environment variables from. Overrides secrets if set + existingSecret: "renovate-personal-config-secret" + + # -- Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config + extraConfigmaps: [] + # extraConfigmaps: + # - name: netrc-config + # data: + # .netrc: |- + # machine gitlab.example.com + # login gitlab-ci-token + # password some-pass + # - name: yet-another-config + # data: + # ya-config.yaml: |- + # "key"="value" + # "key1"="value1" + + #extraVolumes: + # - name: renovate-config-secret + # secretName: + # name: renovate-config-secret + # items: + # - key: renovate.json + # path: renovate.json + + #extraVolumeMounts: + # - name: renovate-config-secret + # mountPath: /config + # subPath: renovate.json + + # -- Additional containers to the pod + extraContainers: [] + # extraContainers: + # - name: vault-agent + # image: vault:1.6.2 + # args: + # - agent + # - -config + # - /vault/config/config.hcl + # env: + # - name: VAULT_ADDR + # value: https://vault:8200 + # - name: VAULT_SKIP_VERIFY + # value: "false" + # - name: VAULT_CACERT + # value: /vault/tls/ca.crt + + serviceAccount: + # -- Specifies whether a service account should be created + create: false + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use + # If not set and create is true, a name is generated using the fullname template + name: "" + + # -- Specify resource limits and requests for the renovate container + resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # -- Environment variables to add from existing secrets/configmaps. Uses the keys as variable name + envFrom: [] + # envFrom: + # - secretRef: + # name: env-secrets + # - configMapRef: + # name: env-configmap + + # -- Environment variables to set on the renovate container + env: + RENOVATE_AUTODISCOVER: true + #LOG_LEVEL: debug + # env: + # VARIABLE_NAME: "value" + + # -- Additional env. Helpful too if you want to use anything other than a `value` source. + envList: [] + # envList: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + + redis: + # Configuration for a Redis subchart. Additional documentation at + # https://github.com/bitnami/charts/tree/master/bitnami/redis + + # -- Enable the Redis subchart? + enabled: false + + # -- Override the prefix of the redisHost + nameOverride: "" + + # -- Disable replication by default + architecture: standalone + + auth: + # -- Don't require a password by default + enabled: false + + # -- Override Kubernetes version for redis chart + kubeVersion: "" + + # -- Override hostname resolution + hostAliases: [] + # See: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ + # hostAliases: + # - ip: "your-ip" + # hostnames: + # - "your-hostname" + + # -- Pod-level security-context + securityContext: {} + + # -- Select the node using labels to specify where the cronjob pod should run on + nodeSelector: {} + # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # renovate: true + + # -- Configure the pod(Anti)Affinity and/or node(Anti)Affinity + affinity: {} + # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + + # -- Configure which node taints the pod should tolerate + tolerations: [] + # See: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + + # -- Create extra manifests via values. Would be passed through `tpl` for templating + extraObjects: [] + # extraObjects: + # - apiVersion: external-secrets.io/v1 + # kind: ExternalSecret + # metadata: + # name: '{{ include "renovate.fullname" . }}-token' + # spec: + # secretStoreRef: + # name: default + # data: + # - secretKey: token + # remoteRef: + # key: github-token + # - | + # apiVersion: v1 + # kind: ConfigMap + # metadata: + # name: {{ include "renovate.fullname" . }}-config + # data: + # config.json: | + # { + # "platform": "github", + # "repositories": ["username/repo", "orgname/repo"] + # } diff --git a/infra/traefik/Chart.yaml b/infra/traefik/Chart.yaml new file mode 100644 index 0000000..1df1d76 --- /dev/null +++ b/infra/traefik/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: traefik +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: traefik + repository: https://traefik.github.io/charts + version: 34.5.0 diff --git a/traefik/templates/middlewares.yaml b/infra/traefik/templates/middleware.yaml similarity index 69% rename from traefik/templates/middlewares.yaml rename to infra/traefik/templates/middleware.yaml index aaf45ab..e888129 100644 --- a/traefik/templates/middlewares.yaml +++ b/infra/traefik/templates/middleware.yaml @@ -1,11 +1,11 @@ -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: - name: authentik-proxy-provider - namespace: traefik + name: authentik-proxy-provider + namespace: traefik spec: forwardAuth: - address: http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + address: http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri trustForwardHeader: true authResponseHeaders: - X-authentik-username @@ -19,10 +19,8 @@ spec: - X-authentik-meta-provider - X-authentik-meta-app - X-authentik-meta-version - --- - -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: name: whitelist @@ -30,5 +28,6 @@ metadata: spec: ipWhiteList: sourceRange: - - 192.168.20.1/32 + - 192.168.0.0/16 + - 172.16.0.0/12 - 10.0.0.0/8 diff --git a/infra/traefik/values.yaml b/infra/traefik/values.yaml new file mode 100644 index 0000000..3c75dd1 --- /dev/null +++ b/infra/traefik/values.yaml @@ -0,0 +1,53 @@ +traefik: + image: + registry: registry.durp.info + repository: traefik + pullPolicy: Always + + providers: + kubernetesCRD: + allowCrossNamespace: true + allowExternalNameServices: true + allowEmptyServices: false + + deployment: + replicas: 3 + revisionHistoryLimit: 1 + + ingressRoute: + dashboard: + enabled: true + + additionalArguments: + - "--serversTransport.insecureSkipVerify=true" + - "--log.level=DEBUG" + - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin + - --experimental.plugins.jwt.version=v0.7.0 + + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + policies: + - type: Pods + value: 1 + periodSeconds: 60 + + + # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. + resources: + requests: + cpu: "100m" + memory: "512Mi" + limits: + memory: "512Mi" diff --git a/infra/vault/Chart.yaml b/infra/vault/Chart.yaml new file mode 100644 index 0000000..412c292 --- /dev/null +++ b/infra/vault/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: vault +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: vault + repository: https://helm.releases.hashicorp.com + version: 0.30.0 + diff --git a/vault/templates/ingress.yaml b/infra/vault/templates/ingress.yaml similarity index 60% rename from vault/templates/ingress.yaml rename to infra/vault/templates/ingress.yaml index 8998087..547cde8 100644 --- a/vault/templates/ingress.yaml +++ b/infra/vault/templates/ingress.yaml @@ -1,4 +1,4 @@ -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: vault-ingress @@ -8,15 +8,12 @@ spec: entryPoints: - websecure routes: - - match: Host(`vault.internal.durp.info`) - middlewares: - - name: whitelist - namespace: traefik + - match: Host(`vault.infra.durp.info`) kind: Rule services: - name: vault port: 8200 - scheme: http + scheme: https tls: secretName: vault-tls @@ -29,9 +26,8 @@ metadata: spec: secretName: vault-tls issuerRef: - name: letsencrypt-production + name: vault-issuer kind: ClusterIssuer - commonName: "vault.internal.durp.info" + commonName: "vault.infra.durp.info" dnsNames: - - "vault.internal.durp.info" - + - "vault.infra.durp.info" diff --git a/infra/vault/templates/sa.yaml b/infra/vault/templates/sa.yaml new file mode 100644 index 0000000..e298701 --- /dev/null +++ b/infra/vault/templates/sa.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: issuer diff --git a/vault/templates/secret-store.yaml b/infra/vault/templates/secret-store.yaml similarity index 56% rename from vault/templates/secret-store.yaml rename to infra/vault/templates/secret-store.yaml index e7cca3a..f17884e 100644 --- a/vault/templates/secret-store.yaml +++ b/infra/vault/templates/secret-store.yaml @@ -1,14 +1,17 @@ -apiVersion: external-secrets.io/v1beta1 +apiVersion: external-secrets.io/v1 kind: ClusterSecretStore metadata: name: vault spec: provider: vault: - server: "http://vault.vault.svc.cluster.local:8200" - path: "secrets" + server: "https://vault.infra.durp.info" + path: "kv" version: "v2" auth: kubernetes: mountPath: "kubernetes" role: "external-secrets" + serviceAccountRef: + name: "vault" + diff --git a/infra/vault/values.yaml b/infra/vault/values.yaml new file mode 100644 index 0000000..913df48 --- /dev/null +++ b/infra/vault/values.yaml @@ -0,0 +1,140 @@ +vault: + global: + enabled: true + tlsDisable: false + resources: + requests: + memory: 256Mi + cpu: 250m + limits: + memory: 256Mi + cpu: 250m + + server: + image: + repository: "hashicorp/vault" + # These Resource Limits are in line with node requirements in the + # Vault Reference Architecture for a Small Cluster + #resources: + # requests: + # memory: 8Gi + # cpu: 2000m + # limits: + # memory: 16Gi + # cpu: 2000m + + # For HA configuration and because we need to manually init the vault, + # we need to define custom readiness/liveness Probe settings + readinessProbe: + enabled: true + path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204" + livenessProbe: + enabled: true + path: "/v1/sys/health?standbyok=true" + initialDelaySeconds: 60 + + # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be + # used to include variables required for auto-unseal. + extraEnvironmentVars: + VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca + + extraSecretEnvironmentVars: + - envName: VAULT_TOKEN + secretName: autounseal + secretKey: VAULT_TOKEN + + volumes: + - name: userconfig-vault-server-tls + secret: + defaultMode: 420 + secretName: vault-server-tls + + volumeMounts: + - mountPath: /vault/userconfig/vault-server-tls + name: userconfig-vault-server-tls + readOnly: true + + # This configures the Vault Statefulset to create a PVC for audit logs. + # See https://www.vaultproject.io/docs/audit/index.html to know more + auditStorage: + enabled: true + + standalone: + enabled: false + + config: | + disable_mlock = true + ui = true + listener "tcp" { + address = "[::]:8200" + cluster_address = "[::]:8201" + tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" + tls_key_file = "/vault/userconfig/vault-server-tls/vault.key" + } + + seal "transit" { + address = "https://root-vault.internal.durp.info" + disable_renewal = "false" + key_name = "autounseal" + mount_path = "transit/" + tls_skip_verify = "true" + } + + storage "raft" { + path = "/vault/data" + } + + # Run Vault in "HA" mode. + ha: + enabled: true + replicas: 3 + raft: + enabled: true + setNodeId: true + + config: | + ui = true + cluster_name = "vault-integrated-storage" + listener "tcp" { + address = "[::]:8200" + cluster_address = "[::]:8201" + tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" + tls_key_file = "/vault/userconfig/vault-server-tls/vault.key" + } + + seal "transit" { + address = "https://root-vault.internal.durp.info" + disable_renewal = "false" + key_name = "autounseal" + mount_path = "transit/" + tls_skip_verify = "true" + } + + storage "raft" { + path = "/vault/data" + retry_join { + leader_api_addr = "https://vault-0.vault-internal:8200" + leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca" + leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" + leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key" + } + retry_join { + leader_api_addr = "https://vault-1.vault-internal:8200" + leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca" + leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" + leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key" + } + retry_join { + leader_api_addr = "https://vault-2.vault-internal:8200" + leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca" + leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" + leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key" + } + } + + # Vault UI + ui: + enabled: false + serviceType: "LoadBalancer" + serviceNodePort: null + externalPort: 8200 diff --git a/internalproxy/templates/argocd.yaml b/internalproxy/templates/argocd.yaml deleted file mode 100644 index 15dfaf9..0000000 --- a/internalproxy/templates/argocd.yaml +++ /dev/null @@ -1,46 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: argocd-ingress - annotations: - cert-manager.io/cluster-issuer: letsencrypt-production -spec: - entryPoints: - - websecure - routes: - - match: Host(`argocd.internal.durp.info`) - middlewares: - - name: whitelist - namespace: traefik - kind: Rule - services: - - name: argocd-server - port: 443 - scheme: https - tls: - secretName: argocd-tls - ---- - -kind: Service -apiVersion: v1 -metadata: - name: argocd-server -spec: - type: ExternalName - externalName: argocd-server.argocd.svc.cluster.local - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: argocd-tls -spec: - secretName: argocd-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "argocd.internal.durp.info" - dnsNames: - - "argocd.internal.durp.info" \ No newline at end of file diff --git a/internalproxy/templates/duplicati-ingress.yaml b/internalproxy/templates/duplicati-ingress.yaml deleted file mode 100644 index d51c391..0000000 --- a/internalproxy/templates/duplicati-ingress.yaml +++ /dev/null @@ -1,70 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: duplicati -spec: - ports: - - name: app - port: 8200 - protocol: TCP - targetPort: 8200 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: duplicati -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 8200 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: duplicati-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: duplicati - port: 8200 - - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) - kind: Rule - services: - - name: ak-outpost-authentik-embedded-outpost - namespace: authentik - port: 9000 - tls: - secretName: duplicati-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: duplicati-tls -spec: - secretName: duplicati-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "duplicati.internal.durp.info" - dnsNames: - - "duplicati.internal.durp.info" \ No newline at end of file diff --git a/internalproxy/templates/gitea.yaml b/internalproxy/templates/gitea.yaml deleted file mode 100644 index 8443aaf..0000000 --- a/internalproxy/templates/gitea.yaml +++ /dev/null @@ -1,9 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: gitea-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: gitea.durp.info -spec: - type: ExternalName - externalName: durp.info \ No newline at end of file diff --git a/internalproxy/templates/guac.yaml b/internalproxy/templates/guac.yaml deleted file mode 100644 index a69b685..0000000 --- a/internalproxy/templates/guac.yaml +++ /dev/null @@ -1,71 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: guac-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: guac.durp.info -spec: - type: ExternalName - externalName: durp.info - ---- - -apiVersion: v1 -kind: Service -metadata: - name: guac -spec: - ports: - - name: app - port: 8082 - protocol: TCP - targetPort: 8082 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: guac -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 8082 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: guac-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`guac.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: guac - port: 8082 - tls: - secretName: guac-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: guac-tls -spec: - secretName: guac-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "guac.durp.info" - dnsNames: - - "guac.durp.info" \ No newline at end of file diff --git a/internalproxy/templates/jellyfin.yaml b/internalproxy/templates/jellyfin.yaml deleted file mode 100644 index 61d86a5..0000000 --- a/internalproxy/templates/jellyfin.yaml +++ /dev/null @@ -1,9 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: jellyfin-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: jellyfin.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/internalproxy/templates/kasm.yaml b/internalproxy/templates/kasm.yaml deleted file mode 100644 index 28b25ae..0000000 --- a/internalproxy/templates/kasm.yaml +++ /dev/null @@ -1,9 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: kasm-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: kasm.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/internalproxy/templates/plex.yaml b/internalproxy/templates/plex.yaml deleted file mode 100644 index 2e70286..0000000 --- a/internalproxy/templates/plex.yaml +++ /dev/null @@ -1,9 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: plex-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: plex.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/internalproxy/templates/registry-internal.yaml b/internalproxy/templates/registry-internal.yaml deleted file mode 100644 index a1c584f..0000000 --- a/internalproxy/templates/registry-internal.yaml +++ /dev/null @@ -1,59 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: registry-internal -spec: - ports: - - name: app - port: 5001 - protocol: TCP - targetPort: 5001 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: registry-internal -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 5001 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: registry-internal-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`registry.internal.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: registry-internal - port: 5001 - tls: - secretName: registry-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: registry-internal-tls -spec: - secretName: registry-internal-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "registry.durp.info" - dnsNames: - - "registry.durp.info" diff --git a/internalproxy/templates/registry.yaml b/internalproxy/templates/registry.yaml deleted file mode 100644 index b4ac19a..0000000 --- a/internalproxy/templates/registry.yaml +++ /dev/null @@ -1,71 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: registry -spec: - ports: - - name: app - port: 5000 - protocol: TCP - targetPort: 5000 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: registry -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 5000 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: registry-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`registry.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: registry - port: 5000 - tls: - secretName: registry-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: registry-tls -spec: - secretName: registry-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "registry.durp.info" - dnsNames: - - "registry.durp.info" - ---- - -kind: Service -apiVersion: v1 -metadata: - name: registry-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: registry.durp.info -spec: - type: ExternalName - externalName: durp.info \ No newline at end of file diff --git a/krakend/Chart.yaml b/krakend/Chart.yaml deleted file mode 100644 index d998c9f..0000000 --- a/krakend/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: krakend -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" \ No newline at end of file diff --git a/krakend/templates/deployments.yaml b/krakend/templates/deployments.yaml deleted file mode 100644 index ce50302..0000000 --- a/krakend/templates/deployments.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: krakend - name: krakend - labels: - app: krakend -spec: - selector: - matchLabels: - app: krakend - replicas: 1 - template: - metadata: - labels: - app: krakend - spec: - volumes: - - name: krakend-secret - secret: - secretName: krakend-secret - containers: - - name: krakend - image: registry.internal.durp.info/devopsfaith/krakend:2.4.3 - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /__health - port: 8080 - readinessProbe: - httpGet: - path: /__health - port: 8080 - ports: - - name: http - containerPort: 8080 - volumeMounts: - - name: krakend-secret - mountPath: /etc/krakend \ No newline at end of file diff --git a/krakend/templates/ingress.yaml b/krakend/templates/ingress.yaml deleted file mode 100644 index a8c08eb..0000000 --- a/krakend/templates/ingress.yaml +++ /dev/null @@ -1,56 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-tls -spec: - secretName: api-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "api.durp.info" - dnsNames: - - "api.durp.info" - ---- - -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: krakend-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`api.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: krakend-service - port: 8080 - scheme: http - tls: - secretName: api-tls - ---- - -kind: Service -apiVersion: v1 -metadata: - name: api-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: api.durp.info -spec: - type: ExternalName - externalName: durp.info - ---- - -kind: Service -apiVersion: v1 -metadata: - name: api-developer-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: developer.durp.info - external-dns.alpha.kubernetes.io/cloudflare-proxied: "false" -spec: - type: ExternalName - externalName: developerdurp.github.io diff --git a/krakend/templates/secrets.yaml b/krakend/templates/secrets.yaml deleted file mode 100644 index 2eb1a9d..0000000 --- a/krakend/templates/secrets.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: krakend-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: krakend-secret - data: - - secretKey: krakend.json - remoteRef: - key: secrets/krakend/config - property: config \ No newline at end of file diff --git a/krakend/templates/service.yaml b/krakend/templates/service.yaml deleted file mode 100644 index d5393f3..0000000 --- a/krakend/templates/service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: krakend-service -spec: - ports: - - name: http - port: 8080 - targetPort: 8080 - protocol: TCP - selector: - app: krakend \ No newline at end of file diff --git a/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml b/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml deleted file mode 100644 index 716d4e5..0000000 --- a/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vault-grafana-oauth -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: grafana-oauth - data: - - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID - remoteRef: - key: secrets/kube-prometheus/grafana/oauth - property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID - - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET - remoteRef: - key: secrets/kube-prometheus/grafana/oauth - property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET - ---- - -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vault-admin-credentials -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: grafana-admin-credentials - data: - - secretKey: admin-password - remoteRef: - key: secrets/kube-prometheus/grafana/admin - property: admin-password - - secretKey: admin-user - remoteRef: - key: secrets/kube-prometheus/grafana/admin - property: admin-user diff --git a/kubeclarity/Chart.yaml b/kubeclarity/Chart.yaml deleted file mode 100644 index 6c050c2..0000000 --- a/kubeclarity/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: kubeclarity -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: kubeclarity - repository: https://openclarity.github.io/kubeclarity - version: 2.22.0 diff --git a/kubeclarity/templates/ingress.yaml b/kubeclarity/templates/ingress.yaml deleted file mode 100644 index 77b67a7..0000000 --- a/kubeclarity/templates/ingress.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: kubeclarity-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`kubeclarity.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: kubeclarity-kubeclarity - port: 8080 - tls: - secretName: kubeclarity-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: kubeclarity-tls -spec: - secretName: kubeclarity-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "kubeclarity.durp.info" - dnsNames: - - "kubeclarity.durp.info" - ---- - -kind: Service -apiVersion: v1 -metadata: - name: kubeclarity-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: kubeclarity.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/kubeclarity/values.yaml b/kubeclarity/values.yaml deleted file mode 100644 index 0bb5078..0000000 --- a/kubeclarity/values.yaml +++ /dev/null @@ -1,235 +0,0 @@ -kubeclarity: - global: - databasePassword: kubeclarity - docker: - registry: "registry.internal.durp.info/openclarity" - tag: "latest" - imagePullPolicy: Always - - curl: - image: - registry: "registry.internal.durp.info" - repository: curlimages/curl - tag: 7.87.0 - - kubeclarity: - docker: - imageName: "" - - logLevel: warning - - enableDBInfoLog: false - - prometheus: - enabled: false - - podAnnotations: {} - - service: - type: ClusterIP - port: 8080 - annotations: {} - - ingress: - enabled: false - - resources: - requests: - memory: "200Mi" - cpu: "100m" - limits: - memory: "1000Mi" - cpu: "1000m" - - initContainers: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "200Mi" - cpu: "200m" - - kubeclarity-runtime-scan: - httpsProxy: "" - httpProxy: "" - resultServicePort: 8888 - - labels: - app: kubeclarity-scanner - sidecar.istio.io/inject: "false" - - namespace: "" - - registry: - skipVerifyTlS: "false" - useHTTP: "false" - - cis-docker-benchmark-scanner: - resources: - requests: - memory: "50Mi" - cpu: "50m" - limits: - memory: "1000Mi" - cpu: "1000m" - - vulnerability-scanner: - resources: - requests: - memory: "50Mi" - cpu: "50m" - limits: - memory: "1000Mi" - cpu: "1000m" - - analyzer: - analyzerList: "syft gomod trivy" - analyzerScope: "squashed" - - trivy: - enabled: true - timeout: "300" - - scanner: - scannerList: "grype trivy" - - grype: - enabled: true - mode: "REMOTE" - - remote-grype: - timeout: "2m" - - dependency-track: - enabled: false - insecureSkipVerify: "true" - disableTls: "true" - apiserverAddress: "dependency-track-apiserver.dependency-track" - apiKey: "" - - trivy: - enabled: true - timeout: "300" - - kubeclarity-grype-server: - enabled: true - - docker: - imageRepo: "registry.internal.durp.info/openclarity" - imageTag: "v0.6.0" - imagePullPolicy: Always - - logLevel: warning - - servicePort: 9991 - - resources: - requests: - cpu: "200m" - memory: "200Mi" - limits: - cpu: "1000m" - memory: "1G" - - kubeclarity-trivy-server: - enabled: true - - ## Docker Image values. - image: - registry: registry.internal.durp.info - repository: aquasec/trivy - tag: 0.44.1 - pullPolicy: Always - - persistence: - enabled: false - - podSecurityContext: - runAsUser: 1001 - runAsNonRoot: true - fsGroup: 1001 - - securityContext: - privileged: false - readOnlyRootFilesystem: true - - trivy: - debugMode: false - - service: - port: 9992 - - resources: - requests: - cpu: "200m" - memory: "200Mi" - limits: - cpu: "1000m" - memory: "1G" - - - kubeclarity-sbom-db: - docker: - imageName: "" - logLevel: warning - - servicePort: 8080 - - resources: - requests: - memory: "20Mi" - cpu: "10m" - limits: - memory: "1Gi" - cpu: "200m" - - kubeclarity-postgresql: - enabled: true - - image: - registry: registry.internal.durp.info - repository: bitnami/postgresql - tag: 14.6.0-debian-11-r31 - - auth: - existingSecret: kubeclarity-postgresql-secret - username: postgres - database: kubeclarity - sslMode: disable - - service: - ports: - postgresql: 5432 - - serviceAccount: - enabled: true - securityContext: - enabled: true - fsGroup: 1001 - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsNonRoot: true - volumePermissions: - enabled: false - securityContext: - runAsUser: 1001 - shmVolume: - chmod: - enabled: true - - resources: - requests: - memory: "256Mi" - cpu: "250m" - limits: - memory: "1000Mi" - cpu: "1000m" - - kubeclarity-postgresql-external: - enabled: false - - kubeclarity-postgresql-secret: - create: true - secretKey: "postgres-password" diff --git a/longhorn/templates/ingress.yaml b/longhorn/templates/ingress.yaml deleted file mode 100644 index df2e071..0000000 --- a/longhorn/templates/ingress.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: longhorn-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`longhorn.internal.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: longhorn-frontend - port: 80 - - match: Host(`longhorn.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) - kind: Rule - services: - - name: ak-outpost-authentik-embedded-outpost - namespace: authentik - port: 9000 - tls: - secretName: longhorn-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: longhorn-tls -spec: - secretName: longhorn-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "longhorn.internal.durp.info" - dnsNames: - - "longhorn.internal.durp.info" diff --git a/metallb-system/values.yaml b/metallb-system/values.yaml deleted file mode 100644 index 260551d..0000000 --- a/metallb-system/values.yaml +++ /dev/null @@ -1,197 +0,0 @@ -metallb: - imagePullSecrets: [] - nameOverride: "" - fullnameOverride: "" - loadBalancerClass: "" - - rbac: - create: true - - prometheus: - scrapeAnnotations: false - metricsPort: 7472 - speakerMetricsTLSSecret: "" - controllerMetricsTLSSecret: "" - rbacPrometheus: true - serviceAccount: "" - namespace: "" - rbacProxy: - repository: gcr.io/kubebuilder/kube-rbac-proxy - tag: v0.12.0 - pullPolicy: - podMonitor: - enabled: false - additionalLabels: {} - annotations: {} - jobLabel: "app.kubernetes.io/name" - interval: - metricRelabelings: [] - relabelings: [] - serviceMonitor: - enabled: false - speaker: - additionalLabels: {} - annotations: {} - tlsConfig: - insecureSkipVerify: true - controller: - additionalLabels: {} - annotations: {} - tlsConfig: - insecureSkipVerify: true - jobLabel: "app.kubernetes.io/name" - interval: - metricRelabelings: [] - relabelings: [] - prometheusRule: - enabled: false - additionalLabels: {} - annotations: {} - staleConfig: - enabled: true - labels: - severity: warning - configNotLoaded: - enabled: true - labels: - severity: warning - addressPoolExhausted: - enabled: true - labels: - severity: alert - addressPoolUsage: - enabled: true - thresholds: - - percent: 75 - labels: - severity: warning - - percent: 85 - labels: - severity: warning - - percent: 95 - labels: - severity: alert - bgpSessionDown: - enabled: true - labels: - severity: alert - - extraAlerts: [] - - controller: - enabled: true - # -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` - logLevel: info - image: - repository: quay.io/metallb/controller - tag: - pullPolicy: - strategy: - type: RollingUpdate - serviceAccount: - create: true - name: "" - annotations: {} - securityContext: - runAsNonRoot: true - runAsUser: 65534 - fsGroup: 65534 - resources: {} - nodeSelector: {} - tolerations: [] - priorityClassName: "" - runtimeClassName: "" - affinity: {} - podAnnotations: {} - labels: {} - livenessProbe: - enabled: true - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - enabled: true - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - tlsMinVersion: "VersionTLS12" - tlsCipherSuites: "" - - extraContainers: [] - - speaker: - enabled: true - logLevel: debug - tolerateMaster: true - memberlist: - enabled: true - mlBindPort: 7946 - mlBindAddrOverride: "" - mlSecretKeyPath: "/etc/ml_secret_key" - excludeInterfaces: - enabled: true - ignoreExcludeLB: false - - image: - repository: quay.io/metallb/speaker - tag: - pullPolicy: - updateStrategy: - type: RollingUpdate - serviceAccount: - create: true - name: "" - annotations: {} - securityContext: {} - resources: {} - nodeSelector: {} - tolerations: [] - priorityClassName: "" - affinity: {} - runtimeClassName: "" - podAnnotations: {} - labels: - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/warn: privileged - livenessProbe: - enabled: true - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - enabled: true - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - startupProbe: - enabled: true - failureThreshold: 30 - periodSeconds: 5 - frr: - enabled: true - image: - repository: quay.io/frrouting/frr - tag: 9.0.2 - pullPolicy: - metricsPort: 7473 - resources: {} - reloader: - resources: {} - frrMetrics: - resources: {} - extraContainers: [] - crds: - enabled: true - validationFailurePolicy: Fail - frrk8s: - enabled: false - diff --git a/nfs-client/templates/cluster-role-binding.yml b/nfs-client/templates/cluster-role-binding.yml deleted file mode 100644 index 427d8c6..0000000 --- a/nfs-client/templates/cluster-role-binding.yml +++ /dev/null @@ -1,12 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: run-nfs-client-provisioner -subjects: - - kind: ServiceAccount - name: nfs-client-provisioner - namespace: nfs-client -roleRef: - kind: ClusterRole - name: nfs-client-provisioner-runner - apiGroup: rbac.authorization.k8s.io diff --git a/nfs-client/templates/cluster-role.yml b/nfs-client/templates/cluster-role.yml deleted file mode 100644 index fa6ed20..0000000 --- a/nfs-client/templates/cluster-role.yml +++ /dev/null @@ -1,20 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: nfs-client-provisioner-runner -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] diff --git a/nfs-client/templates/provisioner.yml b/nfs-client/templates/provisioner.yml deleted file mode 100644 index c76fe8c..0000000 --- a/nfs-client/templates/provisioner.yml +++ /dev/null @@ -1,42 +0,0 @@ -kind: Deployment -apiVersion: apps/v1 -metadata: - name: nfs-client-provisioner - namespace: nfs-client -spec: - selector: - matchLabels: - app: nfs-client-provisioner - replicas: 1 - strategy: - type: Recreate - template: - metadata: - labels: - app: nfs-client-provisioner - spec: - serviceAccountName: nfs-client-provisioner - containers: - - name: nfs-client-provisioner - image: gcr.io/k8s-staging-sig-storage/nfs-subdir-external-provisioner:v4.0.0 - resources: - requests: - cpu: 500m - memory: 512Mi - limits: - memory: 1Gi - volumeMounts: - - name: nfs-client-ssd - mountPath: /persistentvolumes - env: - - name: PROVISIONER_NAME - value: durp.info/nfs - - name: NFS_SERVER - value: 192.168.20.253 - - name: NFS_PATH - value: /mnt/user/k3s - volumes: - - name: nfs-client-ssd - nfs: - server: 192.168.20.253 - path: /mnt/user/k3s diff --git a/nfs-client/templates/role-binding.yml b/nfs-client/templates/role-binding.yml deleted file mode 100644 index fb0f085..0000000 --- a/nfs-client/templates/role-binding.yml +++ /dev/null @@ -1,13 +0,0 @@ -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: leader-locking-nfs-client-provisioner - namespace: nfs-client -subjects: - - kind: ServiceAccount - name: nfs-client-provisioner - namespace: nfs-client -roleRef: - kind: Role - name: leader-locking-nfs-client-provisioner - apiGroup: rbac.authorization.k8s.io diff --git a/nfs-client/templates/role.yml b/nfs-client/templates/role.yml deleted file mode 100644 index 910346d..0000000 --- a/nfs-client/templates/role.yml +++ /dev/null @@ -1,9 +0,0 @@ -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: leader-locking-nfs-client-provisioner - namespace: nfs-client -rules: - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "list", "watch", "create", "update", "patch"] diff --git a/nfs-client/templates/service-account.yml b/nfs-client/templates/service-account.yml deleted file mode 100644 index ef9b4d7..0000000 --- a/nfs-client/templates/service-account.yml +++ /dev/null @@ -1,5 +0,0 @@ -kind: ServiceAccount -apiVersion: v1 -metadata: - name: nfs-client-provisioner - namespace: nfs-client diff --git a/nfs-client/templates/storage-class.yml b/nfs-client/templates/storage-class.yml deleted file mode 100644 index b615fe1..0000000 --- a/nfs-client/templates/storage-class.yml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: nfs-storage - annotations: - storageclass.kubernetes.io/is-default-class: "false" -provisioner: durp.info/nfs -parameters: - archiveOnDelete: "false" -reclaimPolicy: Retain diff --git a/open-webui/templates/deployment.yaml b/open-webui/templates/deployment.yaml deleted file mode 100644 index 7a51d0f..0000000 --- a/open-webui/templates/deployment.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: open-webui - name: open-webui - labels: - app: open-webui -spec: - selector: - matchLabels: - app: open-webui - replicas: 1 - template: - metadata: - labels: - app: open-webui - spec: - containers: - - name: open-webui - image: registry.internal.durp.info/open-webui/open-webui:main - imagePullPolicy: Always - volumeMounts: - - name: open-webui-pvc - mountPath: /app/backend/data - ports: - - name: http - containerPort: 8080 - env: - - name: OLLAMA_BASE_URL - valueFrom: - secretKeyRef: - name: open-webui-secret - key: OLLAMA_BASE_URL - volumes: - - name: open-webui-pvc - persistentVolumeClaim: - claimName: open-webui-pvc diff --git a/open-webui/templates/pvc.yaml b/open-webui/templates/pvc.yaml deleted file mode 100644 index 63a3280..0000000 --- a/open-webui/templates/pvc.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: open-webui-pvc -spec: - storageClassName: longhorn - accessModes: - - ReadWriteMany - resources: - requests: - storage: 10Gi diff --git a/open-webui/templates/secrets.yaml b/open-webui/templates/secrets.yaml deleted file mode 100644 index 1fe6fec..0000000 --- a/open-webui/templates/secrets.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: open-webui-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: open-webui-secret - data: - - secretKey: OLLAMA_BASE_URL - remoteRef: - key: secrets/open-webui - property: OLLAMA_BASE_URL - diff --git a/prd/.gitlab/.gitlab-ci.yml b/prd/.gitlab/.gitlab-ci.yml new file mode 100644 index 0000000..99ddf7b --- /dev/null +++ b/prd/.gitlab/.gitlab-ci.yml @@ -0,0 +1,95 @@ +stages: + - plan + - apply + - destroy + +variables: + WORKDIR: $CI_PROJECT_DIR/prd/terraform + GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/prd + +image: + name: registry.durp.info/opentofu/opentofu:latest + entrypoint: [""] + +.tf-init: + before_script: + - cd $WORKDIR + - tofu init + -reconfigure + -backend-config="address=${GITLAB_TF_ADDRESS}" + -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="username=gitlab-ci-token" + -backend-config="password=${CI_JOB_TOKEN}" + -backend-config="lock_method=POST" + -backend-config="unlock_method=DELETE" + -backend-config="retry_wait_min=5" + +format: + stage: .pre + allow_failure: false + script: + - cd $WORKDIR + - tofu fmt -diff -check -write=false + rules: + - changes: + - "prd/terraform/*.tf" + +validate: + stage: .pre + allow_failure: false + extends: .tf-init + script: + - tofu validate + rules: + - changes: + - "prd/terraform/*.tf" + +plan-prd-infrastructure: + stage: plan + variables: + PLAN: plan.tfplan + JSON_PLAN_FILE: tfplan.json + ENVIRONMENT_NAME: prd + allow_failure: false + extends: .tf-init + script: + - apk add --update curl jq + - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" + - tofu plan -out=$PLAN $ARGUMENTS + - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE + artifacts: + reports: + terraform: $WORKDIR/$JSON_PLAN_FILE + needs: ["validate","format"] + rules: + - changes: + - "prd/terraform/*.tf" + +apply-prd-infrastructure: + stage: apply + variables: + ENVIRONMENT_NAME: prd + allow_failure: false + extends: .tf-init + script: + - tofu apply -auto-approve $ARGUMENTS + rules: + - changes: + - "prd/terraform/*.tf" + when: manual + needs: ["plan-prd-infrastructure"] + +destroy-prd-infrastructure: + stage: destroy + variables: + ENVIRONMENT_NAME: prd + allow_failure: false + extends: .tf-init + script: + - tofu destroy -auto-approve $ARGUMENTS + rules: + - changes: + - "prd/terraform/*.tf" + when: manual + needs: ["plan-prd-infrastructure"] diff --git a/prd/cert-manager/Chart.yaml b/prd/cert-manager/Chart.yaml new file mode 100644 index 0000000..7280af8 --- /dev/null +++ b/prd/cert-manager/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: cert-manager +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: cert-manager + repository: https://charts.jetstack.io + version: v1.17.2 diff --git a/prd/cert-manager/templates/issuer.yaml b/prd/cert-manager/templates/issuer.yaml new file mode 100644 index 0000000..cf61c83 --- /dev/null +++ b/prd/cert-manager/templates/issuer.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: issuer +secrets: + - name: issuer-token-lmzpj + +--- + +apiVersion: v1 +kind: Secret +metadata: + name: issuer-token-lmzpj + annotations: + kubernetes.io/service-account.name: issuer +type: kubernetes.io/service-account-token diff --git a/prd/cert-manager/templates/letsencrypt.yaml b/prd/cert-manager/templates/letsencrypt.yaml new file mode 100644 index 0000000..56b8374 --- /dev/null +++ b/prd/cert-manager/templates/letsencrypt.yaml @@ -0,0 +1,35 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + email: developerdurp@durp.info + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: cloudflare-api-token-secret + +--- + +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: vault-issuer +spec: + vault: + server: https://vault.infra.durp.info + caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzekNDQTV1Z0F3SUJBZ0lVWkV6enhxRXVZaUtIa0wxZGYrQ2IyMk5SUkpNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekl5TXpRME1sb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dJREVlTUJ3R0ExVUVBeE1WZG1GMWJIUXVhVzVtY21FdVpIVnljQzVwYm1adk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWtaTTB1ZTRiTWNtbUFUcytrR1lTcFIyaExVenEKc2NHSXdDdHFtYUtDTWJkMXhobWdqbklSM3p2U1JwdExSMkdWR3ZjMXRpNnFieTBqWFl2Y3FieGtIdmF5MDB6VwoyellOK00ybTRsWHB1V3pnMXQ2TkVvTzZYR0FzR2oydjB2Y1ZrdFBQVTl1ajByR1VWR1dXZnN2am9YcVFGZzVJCmpkeHN4SzlTdk12dzJYdEUzRmdLeHB6Q3l3OTRJbklIbGNQd0ZUTyszWmRLU3RabE1iVURJa21zekxCcldGY3IKWE9zUERmTHhxTXkwQ2svL0xLSXQ4ZGpoMzI1NEZIQjFHRzUra0krSlNXMW8rdFVjTDJOeW12SUlOd20vMmFjUwoxdVRtK2o5VzdpRVhhdjBwSk5tbSsvZHpTc2tjM1kwZnRNMGgySENYZ2l0QklhRVpuVVZuZU5IT0x3SURBUUFCCm80SUI3ekNDQWVzd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME8KQkJZRUZDYVEycTdqN0x5QkdFVEVaNXFhSkFkbElTS0NNQjhHQTFVZEl3UVlNQmFBRk8xakN5R2twRk8rUWlSMgpkZkJNV1ZZZVdyUTJNSUgwQmdnckJnRUZCUWNCQVFTQjV6Q0I1REF6QmdnckJnRUZCUWN3QVlZbmFIUjBjSE02Ckx5OHhPVEl1TVRZNExqSXdMakkxTXpvNE1qQXhMM1l4TDNCcmFTOXZZM053TUQwR0NDc0dBUVVGQnpBQmhqRm8KZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnJhUzl2WTNOdwpNREVHQ0NzR0FRVUZCekFDaGlWb2RIUndjem92THpFNU1pNHhOamd1TWpBdU1qVXpPamd5TURFdmRqRXZjR3RwCkwyTmhNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndjem92TDNKdmIzUXRkbUYxYkhRdWFXNTBaWEp1WVd3dVpIVnkKY0M1cGJtWnZMM1l4TDNCcmFTOWpZVEFnQmdOVkhSRUVHVEFYZ2hWMllYVnNkQzVwYm1aeVlTNWtkWEp3TG1sdQpabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3TGpJMU16bzRNakF4CkwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6T2k4dmNtOXZkQzEyWVhWc2RDNXBiblJsY201aGJDNWsKZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXVKK2xwbFkvK0E1TAo1THprbGpiS0RUeTNVNlBMdjFMdHhxVkNPRkdpSlhCblhNanRWVzA3YkJFVWFkekZSTlc4R0hRM3c1UXpPRzZrCi92RS9UcnJKaG83bDA1Si91YytCVXJQU05qZWZMbVFWNmhuNGpyUDg2UFIwdnpSZmJTcUtLQklJRDlNNyt6aTYKR0Z2SGxWa1NIc1F5TVFwN0pPb2F4OUtWelcyWStPSWd3N0xndzJ0UDEyMldDdDJTSUYwUWVub1pIc29XMGd1agp0elRKUm1KRGpuNlhlSjdMM0ZQa2YzN0g2dWIwSmczekJHcjZlb3JFRmZZWk5ONUNYZXpqcU1GQnBSZHE0VUlvCjFNM0E3bzN1eVpGY0ZzcC92R0RjTUJrd2FDc0JWOWlkdS9Id2t2R2FUVU5JMjg1aWxCT1JQRDBiTVpuQUNxLzkKK1EvY2RzTzVsZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lVUXdDQXM4MnNnU3VpYVZiakFOSFNjTzJEU2ZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TWpFeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBbjlmakdScXFGc3FndXo1Nlg2Y1had0VNdEQ5d0Vsd1NGQ2I0RmM4WVR6bEgKNGZWMTNRd1hLRVNMRS9RKzdidzR5NEZKUThCaUdOYnh4YlFPT2dXaGZHR2xReUZhMWxmaEp0WUxmcVJONUMyLwpTN25yMFl4REI5ZHVjNE9BRXhWTDZQcjQvS29jK3ZEWlkwM2w3Unp3bkYyQU9NOURqRlRBU3cwMVRwaENRalJrClUrdXBpTjJUVWhVUGVqVi9nTVIrelhNNnBuOThVQktHMWROdWJTMEh6QU13QUVYQVBtMTQxTkR5V1VDUFQ5KzMKNlAwM0thOG1VVHgzWDQ5T0N0dkpFR0VRYnRsblRGUWFPU2tQMXlMVytYUk1IdzNzUWFWMlBXWHU1ZkluYkVwWgorU3V6bWdMT1h0bVFObUhMYXY5cTFxZVRWa3BCR1BXdmZoMlZoMUpKaFFJREFRQUJvNElCNHpDQ0FkOHdEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSmFQMTdmMVp3MFYKNTVLczlVZjBVU1ZXbDBCUE1COEdBMVVkSXdRWU1CYUFGTzFqQ3lHa3BGTytRaVIyZGZCTVdWWWVXclEyTUlIMApCZ2dyQmdFRkJRY0JBUVNCNXpDQjVEQXpCZ2dyQmdFRkJRY3dBWVluYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3CkxqSTFNem80TWpBeEwzWXhMM0JyYVM5dlkzTndNRDBHQ0NzR0FRVUZCekFCaGpGb2RIUndjem92TDNKdmIzUXQKZG1GMWJIUXVhVzUwWlhKdVlXd3VaSFZ5Y0M1cGJtWnZMM1l4TDNCcmFTOXZZM053TURFR0NDc0dBUVVGQnpBQwpoaVZvZEhSd2N6b3ZMekU1TWk0eE5qZ3VNakF1TWpVek9qZ3lNREV2ZGpFdmNHdHBMMk5oTURzR0NDc0dBUVVGCkJ6QUNoaTlvZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnIKYVM5allUQVVCZ05WSFJFRURUQUxnZ2xrZFhKd0xtbHVabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMApjSE02THk4eE9USXVNVFk0TGpJd0xqSTFNem80TWpBeEwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6Ck9pOHZjbTl2ZEMxMllYVnNkQzVwYm5SbGNtNWhiQzVrZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFpcUFaNHpOSUVrQ1djdnBEUnEwVnlKdWs1OXNWdEpyNVg0RnNjSFExNzluRQpRYmJ2TWUrRUJERlM2WFFtbDFFbGo4amlQYS9ENU85T2M2SWlzbm01K3dlWkt3QXB6L2xRK1hWa1dMQ29FcGxCClpaOWZjV1ZDYk1MdDB4bHQ4cW41ei9tWUtmYkNUN1pDcURPK3ByUVp0K0FESmNRYmlrbmZyb0FBcUViTkt4d04KWTl1VXlPV05GM1N4SkVjaDR3MmR0WCtJRVZteGVabmhNeThPdVAwU1FLbDhhVzQwdWdpRzBaRDV5VEJCZk9EOQp6c3JHU1UvaVNhdG4wYjdiZXZCaGFMOTZoejEvck5SMWNMKzQvYWxiWDJocnI4UnYzL1NCMkRMdE5RbFFXMGxzCkFmaFhBcVA1ekwrWXRnZjFPZi9wVmRnbmh4cllVWTdSS0NTR1k1SGFndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMekNDQWhlZ0F3SUJBZ0lVTkhkdk96YW0ySFBWZHdYcE1IVXk0d2w4WlJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TVRVeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBOFhEVFZFdFJJMytrNHl1dnFWcWZJaUxSUUpjWGJtaGZWdEFlWWsrNWo5T3gKcDF3OVlIZG5QTHFMRnJEMVB6YWRqcVllQXAvZndsRUZmczZscXdvVFM4Uzl2aGFGcWNnQjU3blZNYjc3ZFRCYgovMDhYSFhPVTZGUFJqZEZLbTVRTXBTN3RuMVhhY1BNeS9vMGJLcVJSRVFlaXVGREdWUnl1RjVQVWd2V2MxZHZKCmwyN0p2dmdZa3RnamZwTlM0RGxDeGc0bEdYVDVhYnZhS2YyaG5yNjVlZ2FJby95UldOOXdudkF6UmlZN29jaTcKR0Exb0t6ODdZYzF0ZkwyZ2N5bnJ3Y2NPT0NGL2VVS2VzSlIxSTZHWE5rTi9hMWZjcitMZDlaOU5oSEJ0Tyt2RQpOOERzWlkra0c3REUzTTRCQ0NURlV6bGxjWUhqYVc0SGFGOXZaVytQWXdJREFRQUJvM2t3ZHpBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdXTUxJYVNrVTc1Q0pIWjEKOEV4WlZoNWF0RFl3SHdZRFZSMGpCQmd3Rm9BVTdXTUxJYVNrVTc1Q0pIWjE4RXhaVmg1YXREWXdGQVlEVlIwUgpCQTB3QzRJSlpIVnljQzVwYm1adk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVMvcVVJLzFZdjA3eFVUSzVrCnI5M2tDN0dTUHBtcGtYSXNmakNoQWw5M3NlYk4xNDNmdTcwTlVQNzRqakNjMFdrYjhoUm9mR2cxMEUrLzI0cjEKQUkwS3NMaHpLemZJQVN4VVZRQW44UlRwdExydWFhUExib1NBNE1VWjhJQjV5OFZ5OEUzL0t0RDBnRDgwajY0WQpybTlYR0hBMEhUSkhiUFVUYi9SdXgyZzBFN1d0aXlXU1dIOG1xemJlZ1U4SXJrTTNlVlQ0K3lsQkU3WWtmV0RECmR3NDRzQjcxdGZtREtweldnNlhRNllNaDBZZm55RzFmWUNqOUxodWVjTlk5VXVvNmNqRGFBdmt6TWV3V3dxRHgKUTJFa2FzOThEaTZpdENQOHZFVCtnQkRqZUNjK1hSNkh4NnZ6V214bFpod0R1eEVLTDFhMi9EYWJVeEp5TU56dgo1NUZuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + path: pki/sign/issue-homelab-certs + auth: + kubernetes: + mountPath: /v1/auth/dmz-cluster + role: issuer + secretRef: + name: issuer-token-lmzpj + key: token diff --git a/prd/cert-manager/templates/secretvault.yaml b/prd/cert-manager/templates/secretvault.yaml new file mode 100644 index 0000000..11c82bc --- /dev/null +++ b/prd/cert-manager/templates/secretvault.yaml @@ -0,0 +1,22 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: cloudflare-api-token-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: cloudflare-api-token-secret + data: + - secretKey: cloudflare-api-token-secret + remoteRef: + key: kv/cert-manager + property: cloudflare-api-token-secret + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/prd/cert-manager/values.yaml b/prd/cert-manager/values.yaml new file mode 100644 index 0000000..c9cf12f --- /dev/null +++ b/prd/cert-manager/values.yaml @@ -0,0 +1,26 @@ +cert-manager: + crds: + enabled: true + image: + registry: registry.internal.durp.info + repository: jetstack/cert-manager-controller + pullPolicy: Always + replicaCount: 3 + extraArgs: + - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 + - --dns01-recursive-nameservers-only + podDnsPolicy: None + podDnsConfig: + nameservers: + - "1.1.1.1" + - "1.0.0.1" + webhook: + image: + registry: registry.internal.durp.info + repository: jetstack/cert-manager-webhook + pullPolicy: Always + cainjector: + image: + registry: registry.internal.durp.info + repository: jetstack/cert-manager-cainjector + pullPolicy: Always diff --git a/prd/external-dns/Chart.yaml b/prd/external-dns/Chart.yaml new file mode 100644 index 0000000..937bc49 --- /dev/null +++ b/prd/external-dns/Chart.yaml @@ -0,0 +1,12 @@ + +apiVersion: v2 +name: external-dns +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: external-dns + repository: https://charts.bitnami.com/bitnami + version: 8.9.2 diff --git a/prd/external-dns/templates/secrets.yaml b/prd/external-dns/templates/secrets.yaml new file mode 100644 index 0000000..60f7466 --- /dev/null +++ b/prd/external-dns/templates/secrets.yaml @@ -0,0 +1,30 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: external-dns-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: external-dns + data: + - secretKey: cloudflare_api_email + remoteRef: + key: kv/cloudflare + property: cloudflare_api_email + - secretKey: cloudflare_api_key + remoteRef: + key: kv/cloudflare + property: cloudflare_api_key + - secretKey: cloudflare_api_token + remoteRef: + key: kv/cloudflare + property: cloudflare_api_token + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/prd/external-dns/values.yaml b/prd/external-dns/values.yaml new file mode 100644 index 0000000..2052942 --- /dev/null +++ b/prd/external-dns/values.yaml @@ -0,0 +1,18 @@ +external-dns: + global: + imageRegistry: "registry.durp.info" + + image: + pullPolicy: Always + + txtPrefix: "dmz-" + + sources: + - service + + provider: cloudflare + cloudflare: + secretName : "external-dns" + proxied: false + + policy: sync diff --git a/prd/external-secrets/Chart.yaml b/prd/external-secrets/Chart.yaml new file mode 100644 index 0000000..48645c3 --- /dev/null +++ b/prd/external-secrets/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: external-secrets +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: external-secrets + repository: https://charts.external-secrets.io + version: 0.17.0 diff --git a/prd/external-secrets/templates/ca.yaml b/prd/external-secrets/templates/ca.yaml new file mode 100644 index 0000000..9b2a135 --- /dev/null +++ b/prd/external-secrets/templates/ca.yaml @@ -0,0 +1,81 @@ +apiVersion: v1 +data: + vault.pem: | + -----BEGIN CERTIFICATE----- + MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy + MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN + BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq + scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW + 2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I + jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr + XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS + 1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB + o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O + BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2 + dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6 + Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo + dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw + MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp + L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy + cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu + Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx + L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k + dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L + 5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k + /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6 + GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj + tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo + 1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9 + +Q/cdsO5lg== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH + 4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/ + S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk + U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3 + 6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ + +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD + VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V + 55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0 + BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw + LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt + dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC + hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF + BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br + aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0 + cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz + Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq + hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE + QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB + ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN + Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9 + zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls + AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox + p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb + /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ + l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7 + GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE + N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B + Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1 + 8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R + BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k + r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1 + AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y + rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD + dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx + Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv + 55Fn + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: ca-pemstore diff --git a/prd/external-secrets/values.yaml b/prd/external-secrets/values.yaml new file mode 100644 index 0000000..304180d --- /dev/null +++ b/prd/external-secrets/values.yaml @@ -0,0 +1,94 @@ +external-secrets: + replicaCount: 3 + revisionHistoryLimit: 1 + leaderElect: true + + installCRDs: true + crds: + createClusterExternalSecret: true + createClusterSecretStore: true + createClusterGenerator: true + createPushSecret: true + conversion: + enabled: false + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + webhook: + create: false + failurePolicy: Ignore + log: + level: debug + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + certController: + create: false + revisionHistoryLimit: 1 + log: + level: debug + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + tag: "" + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true diff --git a/prd/metallb-system/Chart.yaml b/prd/metallb-system/Chart.yaml new file mode 100644 index 0000000..c92e842 --- /dev/null +++ b/prd/metallb-system/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: metallb-system +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: +- name: metallb + repository: https://metallb.github.io/metallb + version: 0.15.2 diff --git a/prd/metallb-system/templates/config.yaml b/prd/metallb-system/templates/config.yaml new file mode 100644 index 0000000..03314b3 --- /dev/null +++ b/prd/metallb-system/templates/config.yaml @@ -0,0 +1,17 @@ +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: cheap +spec: + addresses: + - 192.168.11.130-192.168.11.140 +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: pool + namespace: metallb-system +spec: + ipAddressPools: + - cheap + diff --git a/prd/metallb-system/values.yaml b/prd/metallb-system/values.yaml new file mode 100644 index 0000000..e69de29 diff --git a/prd/traefik/Chart.yaml b/prd/traefik/Chart.yaml new file mode 100644 index 0000000..1df1d76 --- /dev/null +++ b/prd/traefik/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: traefik +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: traefik + repository: https://traefik.github.io/charts + version: 34.5.0 diff --git a/prd/traefik/values.yaml b/prd/traefik/values.yaml new file mode 100644 index 0000000..3d1d660 --- /dev/null +++ b/prd/traefik/values.yaml @@ -0,0 +1,58 @@ +traefik: + image: + # registry: registry.durp.info + # repository: traefik + pullPolicy: Always + + providers: + kubernetesCRD: + allowCrossNamespace: true + allowExternalNameServices: true + allowEmptyServices: false + + deployment: + replicas: 3 + revisionHistoryLimit: 1 + + # volumes: + # - name: traefik-configmap + # mountPath: "/config" + # type: configMap + + ingressRoute: + dashboard: + enabled: true + + additionalArguments: + # - "--providers.file.filename=/config/config.yml" + - "--serversTransport.insecureSkipVerify=true" + - "--log.level=DEBUG" + - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin + - --experimental.plugins.jwt.version=v0.7.0 + + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + policies: + - type: Pods + value: 1 + periodSeconds: 60 + + # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. + resources: + requests: + cpu: "100m" + memory: "512Mi" + limits: + memory: "512Mi" diff --git a/prd/vault/Chart.yaml b/prd/vault/Chart.yaml new file mode 100644 index 0000000..412c292 --- /dev/null +++ b/prd/vault/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: vault +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: vault + repository: https://helm.releases.hashicorp.com + version: 0.30.0 + diff --git a/prd/vault/templates/secret-store.yaml b/prd/vault/templates/secret-store.yaml new file mode 100644 index 0000000..c48e52f --- /dev/null +++ b/prd/vault/templates/secret-store.yaml @@ -0,0 +1,23 @@ +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: + name: vault +spec: + provider: + vault: + server: "https://vault.infra.durp.info" + path: "kv" + version: "v2" + auth: + kubernetes: + mountPath: "dmz-cluster" + role: "external-secrets" + serviceAccountRef: + name: "vault" + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/prd/vault/values.yaml b/prd/vault/values.yaml new file mode 100644 index 0000000..877d8fe --- /dev/null +++ b/prd/vault/values.yaml @@ -0,0 +1,13 @@ +vault: + global: + enabled: true + tlsDisable: false + externalVaultAddr: "https://vault.infra.durp.info" + resources: + requests: + memory: 256Mi + cpu: 250m + limits: + memory: 256Mi + cpu: 250m + diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..7190a60 --- /dev/null +++ b/renovate.json @@ -0,0 +1,3 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json" +} diff --git a/traefik/templates/ingress.yaml b/traefik/templates/ingress.yaml deleted file mode 100644 index a165566..0000000 --- a/traefik/templates/ingress.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`traefik.internal.durp.info`) - middlewares: - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: api@internal - kind: TraefikService - - match: Host(`traefik.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) - kind: Rule - services: - - name: ak-outpost-authentik-embedded-outpost - namespace: authentik - port: 9000 - tls: - secretName: traefik-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: traefik-tls - namespace: traefik -spec: - secretName: traefik-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "traefik.internal.durp.info" - dnsNames: - - "traefik.internal.durp.info" \ No newline at end of file diff --git a/traefik/values.yaml b/traefik/values.yaml deleted file mode 100644 index 362a574..0000000 --- a/traefik/values.yaml +++ /dev/null @@ -1,887 +0,0 @@ -traefik: - # Default values for Traefik - image: - registry: docker.io - repository: traefik - # defaults to appVersion - tag: "" - pullPolicy: Always - - # - # Configure integration with Traefik Hub - # - hub: - ## Enabling Hub will: - # * enable Traefik Hub integration on Traefik - # * add `traefikhub-tunl` endpoint - # * enable Prometheus metrics with addRoutersLabels - # * enable allowExternalNameServices on KubernetesIngress provider - # * enable allowCrossNamespace on KubernetesCRD provider - # * add an internal (ClusterIP) Service, dedicated for Traefik Hub - enabled: true - ## Default port can be changed - # tunnelPort: 9901 - ## TLS is optional. Insecure is mutually exclusive with any other options - # tls: - # insecure: false - # ca: "/path/to/ca.pem" - # cert: "/path/to/cert.pem" - # key: "/path/to/key.pem" - - # - # Configure the deployment - # - deployment: - enabled: true - # Can be either Deployment or DaemonSet - kind: Deployment - # Number of pods of the deployment (only applies when kind == Deployment) - replicas: 3 - # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) - revisionHistoryLimit: 1 - # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down - terminationGracePeriodSeconds: 60 - # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available - minReadySeconds: 0 - # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) - annotations: {} - # Additional deployment labels (e.g. for filtering deployment by custom labels) - labels: {} - # Additional pod annotations (e.g. for mesh injection or prometheus scraping) - podAnnotations: {} - # Additional Pod labels (e.g. for filtering Pod by custom labels) - podLabels: {} - # Additional containers (e.g. for metric offloading sidecars) - additionalContainers: [] - # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host - # - name: socat-proxy - # image: alpine/socat:1.0.5 - # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] - # volumeMounts: - # - name: dsdsocket - # mountPath: /socket - # Additional volumes available for use with initContainers and additionalContainers - additionalVolumes: [] - # - name: dsdsocket - # hostPath: - # path: /var/run/statsd-exporter - # Additional initContainers (e.g. for setting file permission as shown below) - initContainers: [] - # The "volume-permissions" init container is required if you run into permission issues. - # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 - # - name: volume-permissions - # image: busybox:latest - # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] - # securityContext: - # runAsNonRoot: true - # runAsGroup: 65532 - # runAsUser: 65532 - # volumeMounts: - # - name: data - # mountPath: /data - # Use process namespace sharing - shareProcessNamespace: false - # Custom pod DNS policy. Apply if `hostNetwork: true` - # dnsPolicy: ClusterFirstWithHostNet - # Additional imagePullSecrets - imagePullSecrets: [] - # - name: myRegistryKeySecretName - # Pod lifecycle actions - lifecycle: {} - # preStop: - # exec: - # command: ["/bin/sh", "-c", "sleep 40"] - # postStart: - # httpGet: - # path: /ping - # port: 9000 - # host: localhost - # scheme: HTTP - - # Pod disruption budget - podDisruptionBudget: - enabled: false - # maxUnavailable: 1 - # maxUnavailable: 33% - # minAvailable: 0 - # minAvailable: 25% - - # Create a default IngressClass for Traefik - ingressClass: - enabled: true - isDefaultClass: false - - # Enable experimental features - experimental: - v3: - enabled: false - plugins: - enabled: true - kubernetesGateway: - enabled: false - gateway: - enabled: true - # certificate: - # group: "core" - # kind: "Secret" - # name: "mysecret" - # By default, Gateway would be created to the Namespace you are deploying Traefik to. - # You may create that Gateway in another namespace, setting its name below: - # namespace: default - # Additional gateway annotations (e.g. for cert-manager.io/issuer) - # annotations: - # cert-manager.io/issuer: letsencrypt - - # Create an IngressRoute for the dashboard - ingressRoute: - dashboard: - enabled: true - # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) - annotations: {} - # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) - labels: {} - # The router match rule used for the dashboard ingressRoute - matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). - # By default, it's using traefik entrypoint, which is not exposed. - # /!\ Do not expose your dashboard without any protection over the internet /!\ - entryPoints: ["traefik"] - # Additional ingressRoute middlewares (e.g. for authentication) - middlewares: [] - # TLS options (e.g. secret containing certificate) - tls: {} - - # Customize updateStrategy of traefik pods - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 0 - maxSurge: 1 - - # Customize liveness and readiness probe values. - readinessProbe: - failureThreshold: 1 - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - - # - # Configure providers - # - providers: - kubernetesCRD: - enabled: true - allowCrossNamespace: true - allowExternalNameServices: false - allowEmptyServices: false - # ingressClass: traefik-internal - # labelSelector: environment=production,method=traefik - namespaces: [] - # - "default" - - kubernetesIngress: - enabled: true - allowExternalNameServices: false - allowEmptyServices: false - # ingressClass: traefik-internal - # labelSelector: environment=production,method=traefik - namespaces: [] - # - "default" - # IP used for Kubernetes Ingress endpoints - publishedService: - enabled: false - # Published Kubernetes Service to copy status from. Format: namespace/servicename - # By default this Traefik service - # pathOverride: "" - - # - # Add volumes to the traefik pod. The volume name will be passed to tpl. - # This can be used to mount a cert pair or a configmap that holds a config.toml file. - # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: - # additionalArguments: - # - "--providers.file.filename=/config/dynamic.toml" - # - "--ping" - # - "--ping.entrypoint=web" - volumes: [] - # - name: public-cert - # mountPath: "/certs" - # type: secret - # - name: '{{ printf "%s-configs" .Release.Name }}' - # mountPath: "/config" - # type: configMap - - # Additional volumeMounts to add to the Traefik container - additionalVolumeMounts: [] - # For instance when using a logshipper for access logs - # - name: traefik-logs - # mountPath: /var/log/traefik - - ## Logs - ## https://docs.traefik.io/observability/logs/ - logs: - ## Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). - general: - # By default, the logs use a text format (common), but you can - # also ask for the json format in the format option - # format: json - # By default, the level is set to ERROR. - # Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. - level: ERROR - access: - # To enable access logs - enabled: false - ## By default, logs are written using the Common Log Format (CLF) on stdout. - ## To write logs in JSON, use json in the format option. - ## If the given format is unsupported, the default (CLF) is used instead. - # format: json - # filePath: "/var/log/traefik/access.log - ## To write the logs in an asynchronous fashion, specify a bufferingSize option. - ## This option represents the number of log lines Traefik will keep in memory before writing - ## them to the selected output. In some cases, this option can greatly help performances. - # bufferingSize: 100 - ## Filtering https://docs.traefik.io/observability/access-logs/#filtering - filters: {} - # statuscodes: "200,300-302" - # retryattempts: true - # minduration: 10ms - ## Fields - ## https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers - fields: - general: - defaultmode: keep - names: {} - ## Examples: - # ClientUsername: drop - headers: - defaultmode: drop - names: {} - ## Examples: - # User-Agent: redact - # Authorization: drop - # Content-Type: keep - - metrics: - ## Prometheus is enabled by default. - ## It can be disabled by setting "prometheus: null" - prometheus: - ## Entry point used to expose metrics. - entryPoint: metrics - ## Enable metrics on entry points. Default=true - # addEntryPointsLabels: false - ## Enable metrics on routers. Default=false - # addRoutersLabels: true - ## Enable metrics on services. Default=true - # addServicesLabels: false - ## Buckets for latency metrics. Default="0.1,0.3,1.2,5.0" - # buckets: "0.5,1.0,2.5" - ## When manualRouting is true, it disables the default internal router in - ## order to allow creating a custom router for prometheus@internal service. - # manualRouting: true - # datadog: - # ## Address instructs exporter to send metrics to datadog-agent at this address. - # address: "127.0.0.1:8125" - # ## The interval used by the exporter to push metrics to datadog-agent. Default=10s - # # pushInterval: 30s - # ## The prefix to use for metrics collection. Default="traefik" - # # prefix: traefik - # ## Enable metrics on entry points. Default=true - # # addEntryPointsLabels: false - # ## Enable metrics on routers. Default=false - # # addRoutersLabels: true - # ## Enable metrics on services. Default=true - # # addServicesLabels: false - # influxdb: - # ## Address instructs exporter to send metrics to influxdb at this address. - # address: localhost:8089 - # ## InfluxDB's address protocol (udp or http). Default="udp" - # protocol: udp - # ## InfluxDB database used when protocol is http. Default="" - # # database: "" - # ## InfluxDB retention policy used when protocol is http. Default="" - # # retentionPolicy: "" - # ## InfluxDB username (only with http). Default="" - # # username: "" - # ## InfluxDB password (only with http). Default="" - # # password: "" - # ## The interval used by the exporter to push metrics to influxdb. Default=10s - # # pushInterval: 30s - # ## Additional labels (influxdb tags) on all metrics. - # # additionalLabels: - # # env: production - # # foo: bar - # ## Enable metrics on entry points. Default=true - # # addEntryPointsLabels: false - # ## Enable metrics on routers. Default=false - # # addRoutersLabels: true - # ## Enable metrics on services. Default=true - # # addServicesLabels: false - # influxdb2: - # ## Address instructs exporter to send metrics to influxdb v2 at this address. - # address: localhost:8086 - # ## Token with which to connect to InfluxDB v2. - # token: xxx - # ## Organisation where metrics will be stored. - # org: "" - # ## Bucket where metrics will be stored. - # bucket: "" - # ## The interval used by the exporter to push metrics to influxdb. Default=10s - # # pushInterval: 30s - # ## Additional labels (influxdb tags) on all metrics. - # # additionalLabels: - # # env: production - # # foo: bar - # ## Enable metrics on entry points. Default=true - # # addEntryPointsLabels: false - # ## Enable metrics on routers. Default=false - # # addRoutersLabels: true - # ## Enable metrics on services. Default=true - # # addServicesLabels: false - # statsd: - # ## Address instructs exporter to send metrics to statsd at this address. - # address: localhost:8125 - # ## The interval used by the exporter to push metrics to influxdb. Default=10s - # # pushInterval: 30s - # ## The prefix to use for metrics collection. Default="traefik" - # # prefix: traefik - # ## Enable metrics on entry points. Default=true - # # addEntryPointsLabels: false - # ## Enable metrics on routers. Default=false - # # addRoutersLabels: true - # ## Enable metrics on services. Default=true - # # addServicesLabels: false - # openTelemetry: - # ## Address of the OpenTelemetry Collector to send metrics to. - # address: "localhost:4318" - # ## Enable metrics on entry points. - # addEntryPointsLabels: true - # ## Enable metrics on routers. - # addRoutersLabels: true - # ## Enable metrics on services. - # addServicesLabels: true - # ## Explicit boundaries for Histogram data points. - # explicitBoundaries: - # - "0.1" - # - "0.3" - # - "1.2" - # - "5.0" - # ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. - # headers: - # foo: bar - # test: test - # ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. - # insecure: true - # ## Interval at which metrics are sent to the OpenTelemetry Collector. - # pushInterval: 10s - # ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. - # path: /foo/v1/traces - # ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. - # tls: - # ## The path to the certificate authority, it defaults to the system bundle. - # ca: path/to/ca.crt - # ## The path to the public certificate. When using this option, setting the key option is required. - # cert: path/to/foo.cert - # ## The path to the private key. When using this option, setting the cert option is required. - # key: path/to/key.key - # ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. - # insecureSkipVerify: true - # ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. - # grpc: true - - ## - ## enable optional CRDs for Prometheus Operator - ## - ## Create a dedicated metrics service for use with ServiceMonitor - ## When hub.enabled is set to true, it's not needed: it will use hub service. - # service: - # enabled: false - # labels: {} - # annotations: {} - ## When set to true, it won't check if Prometheus Operator CRDs are deployed - # disableAPICheck: false - # serviceMonitor: - # metricRelabelings: [] - # - sourceLabels: [__name__] - # separator: ; - # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ - # replacement: $1 - # action: drop - # relabelings: [] - # - sourceLabels: [__meta_kubernetes_pod_node_name] - # separator: ; - # regex: ^(.*)$ - # targetLabel: nodename - # replacement: $1 - # action: replace - # jobLabel: traefik - # interval: 30s - # honorLabels: true - # # (Optional) - # # scrapeTimeout: 5s - # # honorTimestamps: true - # # enableHttp2: true - # # followRedirects: true - # # additionalLabels: - # # foo: bar - # # namespace: "another-namespace" - # # namespaceSelector: {} - # prometheusRule: - # additionalLabels: {} - # namespace: "another-namespace" - # rules: - # - alert: TraefikDown - # expr: up{job="traefik"} == 0 - # for: 5m - # labels: - # context: traefik - # severity: warning - # annotations: - # summary: "Traefik Down" - # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" - - tracing: {} - # instana: - # localAgentHost: 127.0.0.1 - # localAgentPort: 42699 - # logLevel: info - # enableAutoProfile: true - # datadog: - # localAgentHostPort: 127.0.0.1:8126 - # debug: false - # globalTag: "" - # prioritySampling: false - # jaeger: - # samplingServerURL: http://localhost:5778/sampling - # samplingType: const - # samplingParam: 1.0 - # localAgentHostPort: 127.0.0.1:6831 - # gen128Bit: false - # propagation: jaeger - # traceContextHeaderName: uber-trace-id - # disableAttemptReconnecting: true - # collector: - # endpoint: "" - # user: "" - # password: "" - # zipkin: - # httpEndpoint: http://localhost:9411/api/v2/spans - # sameSpan: false - # id128Bit: true - # sampleRate: 1.0 - # haystack: - # localAgentHost: 127.0.0.1 - # localAgentPort: 35000 - # globalTag: "" - # traceIDHeaderName: "" - # parentIDHeaderName: "" - # spanIDHeaderName: "" - # baggagePrefixHeaderName: "" - # elastic: - # serverURL: http://localhost:8200 - # secretToken: "" - # serviceEnvironment: "" - - globalArguments: - - "--global.checknewversion=false" - - "--global.sendanonymoususage=false" - - # - # Configure Traefik static configuration - # Additional arguments to be passed at Traefik's binary - # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ - ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` - additionalArguments: - - "--serversTransport.insecureSkipVerify=true" - - "--log.level=DEBUG" - - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin - - --experimental.plugins.jwt.version=v0.7.0 - - - # Environment variables to be passed to Traefik's binary - env: [] - # - name: SOME_VAR - # value: some-var-value - # - name: SOME_VAR_FROM_CONFIG_MAP - # valueFrom: - # configMapRef: - # name: configmap-name - # key: config-key - # - name: SOME_SECRET - # valueFrom: - # secretKeyRef: - # name: secret-name - # key: secret-key - - envFrom: [] - # - configMapRef: - # name: config-map-name - # - secretRef: - # name: secret-name - - # Configure ports - ports: - # The name of this one can't be changed as it is used for the readiness and - # liveness probes, but you can adjust its config to your liking - traefik: - port: 9000 - # Use hostPort if set. - # hostPort: 9000 - # - # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which - # means it's listening on all your interfaces and all your IPs. You may want - # to set this value if you need traefik to listen on specific interface - # only. - # hostIP: 192.168.100.10 - - # Override the liveness/readiness port. This is useful to integrate traefik - # with an external Load Balancer that performs healthchecks. - # Default: ports.traefik.port - # healthchecksPort: 9000 - - # Override the liveness/readiness scheme. Useful for getting ping to - # respond on websecure entryPoint. - # healthchecksScheme: HTTPS - - # Defines whether the port is exposed if service.type is LoadBalancer or - # NodePort. - # - # You SHOULD NOT expose the traefik port on production deployments. - # If you want to access it from outside of your cluster, - # use `kubectl port-forward` or create a secure ingress - expose: false - # The exposed port for this service - exposedPort: 9000 - # The port protocol (TCP/UDP) - protocol: TCP - web: - ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. - # asDefault: true - port: 8000 - # hostPort: 8000 - expose: true - exposedPort: 80 - # The port protocol (TCP/UDP) - protocol: TCP - # Use nodeport if set. This is useful if you have configured Traefik in a - # LoadBalancer. - # nodePort: 32080 - # Port Redirections - # Added in 2.2, you can make permanent redirects via entrypoints. - # https://docs.traefik.io/routing/entrypoints/#redirection - redirectTo: websecure - # - # Trust forwarded headers information (X-Forwarded-*). - # forwardedHeaders: - # trustedIPs: [] - # insecure: false - # - # Enable the Proxy Protocol header parsing for the entry point - # proxyProtocol: - # trustedIPs: [] - # insecure: false - websecure: - ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. - # asDefault: true - port: 8443 - # hostPort: 8443 - expose: true - exposedPort: 443 - ## The port protocol (TCP/UDP) - protocol: TCP - # nodePort: 32443 - # - ## Enable HTTP/3 on the entrypoint - ## Enabling it will also enable http3 experimental feature - ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 - ## There are known limitations when trying to listen on same ports for - ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. - ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 - http3: - enabled: false - # advertisedPort: 4443 - # - ## Trust forwarded headers information (X-Forwarded-*). - #forwardedHeaders: - # trustedIPs: [] - # insecure: false - # - ## Enable the Proxy Protocol header parsing for the entry point - #proxyProtocol: - # trustedIPs: [] - # insecure: false - # - ## Set TLS at the entrypoint - ## https://doc.traefik.io/traefik/routing/entrypoints/#tls - tls: - enabled: true - # this is the name of a TLSOption definition - options: "" - certResolver: "" - domains: [] - # - main: example.com - # sans: - # - foo.example.com - # - bar.example.com - # - # One can apply Middlewares on an entrypoint - # https://doc.traefik.io/traefik/middlewares/overview/ - # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares - # /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ - # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace - # middlewares: - # - namespace-name1@kubernetescrd - # - namespace-name2@kubernetescrd - middlewares: [] - metrics: - # When using hostNetwork, use another port to avoid conflict with node exporter: - # https://github.com/prometheus/prometheus/wiki/Default-port-allocations - port: 9100 - # hostPort: 9100 - # Defines whether the port is exposed if service.type is LoadBalancer or - # NodePort. - # - # You may not want to expose the metrics port on production deployments. - # If you want to access it from outside of your cluster, - # use `kubectl port-forward` or create a secure ingress - expose: false - # The exposed port for this service - exposedPort: 9100 - # The port protocol (TCP/UDP) - protocol: TCP - - # TLS Options are created as TLSOption CRDs - # https://doc.traefik.io/traefik/https/tls/#tls-options - # When using `labelSelector`, you'll need to set labels on tlsOption accordingly. - # Example: - # tlsOptions: - # default: - # labels: {} - # sniStrict: true - # preferServerCipherSuites: true - # customOptions: - # labels: {} - # curvePreferences: - # - CurveP521 - # - CurveP384 - tlsOptions: {} - - # TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate - # https://doc.traefik.io/traefik/https/tls/#default-certificate - # Example: - # tlsStore: - # default: - # defaultCertificate: - # secretName: tls-cert - tlsStore: {} - - # Options for the main traefik service, where the entrypoints traffic comes - # from. - service: - enabled: true - ## Single service is using `MixedProtocolLBService` feature gate. - ## When set to false, it will create two Service, one for TCP and one for UDP. - single: true - type: LoadBalancer - # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) - annotations: {} - # Additional annotations for TCP service only - annotationsTCP: {} - # Additional annotations for UDP service only - annotationsUDP: {} - # Additional service labels (e.g. for filtering Service by custom labels) - labels: {} - # Additional entries here will be added to the service spec. - # Cannot contain type, selector or ports entries. - spec: - externalTrafficPolicy: Local - # loadBalancerIP: "1.2.3.4" - # clusterIP: "2.3.4.5" - loadBalancerSourceRanges: [] - # - 192.168.0.1/32 - # - 172.16.0.0/16 - externalIPs: [] - # - 1.2.3.4 - ## One of SingleStack, PreferDualStack, or RequireDualStack. - # ipFamilyPolicy: SingleStack - ## List of IP families (e.g. IPv4 and/or IPv6). - ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - # ipFamilies: - # - IPv4 - # - IPv6 - ## - ## An additionnal and optional internal Service. - ## Same parameters as external Service - # internal: - # type: ClusterIP - # # labels: {} - # # annotations: {} - # # spec: {} - # # loadBalancerSourceRanges: [] - # # externalIPs: [] - # # ipFamilies: [ "IPv4","IPv6" ] - - ## Create HorizontalPodAutoscaler object. - ## - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 10 - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 60 - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: 60 - behavior: - scaleDown: - stabilizationWindowSeconds: 300 - policies: - - type: Pods - value: 1 - periodSeconds: 60 - - # Enable persistence using Persistent Volume Claims - # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ - # It can be used to store TLS certificates, see `storage` in certResolvers - persistence: - enabled: false - name: data - # existingClaim: "" - accessMode: ReadWriteOnce - size: 128Mi - # storageClass: "" - # volumeName: "" - path: /data - annotations: {} - # subPath: "" # only mount a subpath of the Volume into the pod - - certResolvers: {} - # letsencrypt: - # # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ - # email: email@example.com - # dnsChallenge: - # # also add the provider's required configuration under env - # # or expand then from secrets/configmaps with envfrom - # # cf. https://doc.traefik.io/traefik/https/acme/#providers - # provider: digitalocean - # # add futher options for the dns challenge as needed - # # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge - # delayBeforeCheck: 30 - # resolvers: - # - 1.1.1.1 - # - 8.8.8.8 - # tlsChallenge: true - # httpChallenge: - # entryPoint: "web" - # # It has to match the path with a persistent volume - # storage: /data/acme.json - - # If hostNetwork is true, runs traefik in the host network namespace - # To prevent unschedulabel pods due to port collisions, if hostNetwork=true - # and replicas>1, a pod anti-affinity is recommended and will be set if the - # affinity is left as default. - hostNetwork: false - - # Whether Role Based Access Control objects like roles and rolebindings should be created - rbac: - enabled: true - # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. - # If set to true, installs Role and RoleBinding. Providers will only watch target namespace. - namespaced: false - # Enable user-facing roles - # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles - # aggregateTo: [ "admin" ] - - # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding - podSecurityPolicy: - enabled: false - - # The service account the pods will use to interact with the Kubernetes API - serviceAccount: - # If set, an existing service account is used - # If not set, a service account is created automatically using the fullname template - name: "" - - # Additional serviceAccount annotations (e.g. for oidc authentication) - serviceAccountAnnotations: {} - - resources: {} - # requests: - # cpu: "100m" - # memory: "50Mi" - # limits: - # cpu: "300m" - # memory: "150Mi" - - # This example pod anti-affinity forces the scheduler to put traefik pods - # on nodes where no other traefik pods are scheduled. - # It should be used when hostNetwork: true to prevent port conflicts - affinity: {} - # podAntiAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # - labelSelector: - # matchLabels: - # app.kubernetes.io/name: '{{ template "traefik.name" . }}' - # app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' - # topologyKey: kubernetes.io/hostname - - nodeSelector: {} - tolerations: [] - topologySpreadConstraints: [] - # # This example topologySpreadConstraints forces the scheduler to put traefik pods - # # on nodes where no other traefik pods are scheduled. - # - labelSelector: - # matchLabels: - # app: '{{ template "traefik.name" . }}' - # maxSkew: 1 - # topologyKey: kubernetes.io/hostname - # whenUnsatisfiable: DoNotSchedule - - # Pods can have priority. - # Priority indicates the importance of a Pod relative to other Pods. - priorityClassName: "" - - # Set the container security context - # To run the container with ports below 1024 this will need to be adjust to run as root - securityContext: - capabilities: - drop: [ALL] - readOnlyRootFilesystem: true - - podSecurityContext: - # # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and - # # permissions for the contents of each volume to match the fsGroup. This can - # # be an issue when storing sensitive content like TLS Certificates /!\ - # fsGroup: 65532 - fsGroupChangePolicy: "OnRootMismatch" - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - - # - # Extra objects to deploy (value evaluated as a template) - # - # In some cases, it can avoid the need for additional, extended or adhoc deployments. - # See #595 for more details and traefik/tests/values/extra.yaml for example. - extraObjects: [] - - # This will override the default Release Namespace for Helm. - # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` - # namespaceOverride: traefik - # - ## This will override the default app.kubernetes.io/instance label for all Objects. - # instanceLabelOverride: traefik diff --git a/uptimekuma/templates/deployment.yaml b/uptimekuma/templates/deployment.yaml deleted file mode 100644 index 21ce3c0..0000000 --- a/uptimekuma/templates/deployment.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - component: uptime-kuma - name: deployment -spec: - selector: - matchLabels: - component: uptime-kuma - replicas: 1 - strategy: - type: Recreate - - template: - metadata: - labels: - component: uptime-kuma - spec: - containers: - - name: app - image: registry.internal.durp.info/louislam/uptime-kuma:1 - ports: - - containerPort: 3001 - volumeMounts: - - mountPath: /app/data - name: storage - #livenessProbe: - #exec: - #command: - #- node - #- extra/healthcheck.js - readinessProbe: - httpGet: - path: / - port: 3001 - scheme: HTTP - - volumes: - - name: storage - persistentVolumeClaim: - claimName: uptimekuma-pvc diff --git a/uptimekuma/templates/kuma-pv.yaml b/uptimekuma/templates/kuma-pv.yaml deleted file mode 100644 index e17e5a7..0000000 --- a/uptimekuma/templates/kuma-pv.yaml +++ /dev/null @@ -1,25 +0,0 @@ -#apiVersion: v1 -#kind: PersistentVolume -#metadata: -# annotations: -# pv.kubernetes.io/provisioned-by: durp.info/nfs -# finalizers: -# - kubernetes.io/pv-protection -# name: uptimekuma-pv -#spec: -# accessModes: -# - ReadWriteMany -# capacity: -# storage: 10Gi -# claimRef: -# apiVersion: v1 -# kind: PersistentVolumeClaim -# name: uptimekuma-pvc -# namespace: uptimekuma -# nfs: -# path: /mnt/user/k3s/uptimekuma -# server: 192.168.20.253 -# persistentVolumeReclaimPolicy: Retain -# storageClassName: nfs-storage -# volumeMode: Filesystem -# \ No newline at end of file diff --git a/uptimekuma/templates/kuma-pvc.yaml b/uptimekuma/templates/kuma-pvc.yaml deleted file mode 100644 index ab76bf0..0000000 --- a/uptimekuma/templates/kuma-pvc.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: uptimekuma-pvc - namespace: uptimekuma -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 10Gi - storageClassName: longhorn \ No newline at end of file diff --git a/uptimekuma/templates/service.yaml b/uptimekuma/templates/service.yaml deleted file mode 100644 index cad08e7..0000000 --- a/uptimekuma/templates/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: service -spec: - selector: - component: uptime-kuma - type: ClusterIP - ports: - - name: http - port: 3001 - targetPort: 3001 - protocol: TCP \ No newline at end of file diff --git a/vault/values.yaml b/vault/values.yaml deleted file mode 100644 index d77a898..0000000 --- a/vault/values.yaml +++ /dev/null @@ -1,66 +0,0 @@ -vault: - - global: - - image: - repository: "registry.internal.durp.info/hashicorp/vault-k8s" - tag: "1.3.1" - pullPolicy: Always - - agentImage: - repository: "registry.internal.durp.info/hashicorp/vault" - tag: "1.15.2" - - injector: - enabled: "-" - - replicas: 3 - leaderElector: - enabled: true - - metrics: - enabled: true - - image: - repository: "registry.internal.durp.info/hashicorp/vault-k8s" - tag: "1.3.1" - pullPolicy: Always - - agentImage: - repository: "registry.internal.durp.info/hashicorp/vault" - tag: "1.15.2" - - server: - enabled: "-" - image: - repository: "registry.internal.durp.info/hashicorp/vault" - tag: "1.15.2" - pullPolicy: Always - ha: - enabled: false - replicas: 3 - resources: {} - # resources: - # requests: - # memory: 256Mi - # cpu: 250m - # limits: - # memory: 256Mi - # cpu: 250m - - dataStorage: - enabled: true - size: 10Gi - storageClass: longhorn - accessMode: ReadWriteOnce - auditStorage: - enabled: false - size: 10Gi - mountPath: "/vault/audit" - storageClass: longhorn - accessMode: ReadWriteOnce - ui: - enabled: false - externalPort: 8200 - targetPort: 8200 -