diff --git a/.gitignore b/.gitignore index 485dee6..d32217b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ +*/.terraform +*/.terraform.lock.hcl .idea diff --git a/Untitled b/Untitled new file mode 100644 index 0000000..c59860f --- /dev/null +++ b/Untitled @@ -0,0 +1,4 @@ +VAULT_HELM_SECRET_NAME=$(kubectl get secrets -n vault --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name') +TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode) +KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode) +KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}') diff --git a/argocd/templates/InternalProxy.yaml b/argocd/templates/InternalProxy.yaml deleted file mode 100644 index 0553043..0000000 --- a/argocd/templates/InternalProxy.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: internalproxy - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: internalproxy - directory: - recurse: true - destination: - server: https://kubernetes.default.svc - namespace: internalproxy - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - diff --git a/argocd/templates/external-secrets.yaml b/argocd/templates/external-secrets.yaml deleted file mode 100644 index a6626cc..0000000 --- a/argocd/templates/external-secrets.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: external-secrets - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: external-secrets - destination: - namespace: external-secrets - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/argocd/templates/gitlab-runner.yaml b/argocd/templates/gitlab-runner.yaml deleted file mode 100644 index 15386e6..0000000 --- a/argocd/templates/gitlab-runner.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: gitlab-runner - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: gitlab-runner - destination: - namespace: gitlab-runner - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - diff --git a/argocd/templates/traefik.yaml b/argocd/templates/traefik.yaml deleted file mode 100644 index 037e9ff..0000000 --- a/argocd/templates/traefik.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: traefik - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: traefik - destination: - namespace: traefik - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/argocd/templates/vault.yaml b/argocd/templates/vault.yaml deleted file mode 100644 index ccff355..0000000 --- a/argocd/templates/vault.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: vault - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: vault - destination: - namespace: vault - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ignoreDifferences: - - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration - jqPathExpressions: - - .webhooks[]?.clientConfig.caBundle diff --git a/cert-manager/templates/letsencrypt-prroduction.yaml b/cert-manager/templates/letsencrypt-prroduction.yaml deleted file mode 100644 index 034ed9b..0000000 --- a/cert-manager/templates/letsencrypt-prroduction.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-production -spec: - acme: - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-production - solvers: - - dns01: - cloudflare: - email: developerdurp@durp.info - apiTokenSecretRef: - name: cloudflare-api-token-secret - key: cloudflare-api-token-secret diff --git a/cert-manager/templates/letsencrypt-staging.yaml b/cert-manager/templates/letsencrypt-staging.yaml deleted file mode 100644 index b6ae4f9..0000000 --- a/cert-manager/templates/letsencrypt-staging.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-staging -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-staging - solvers: - - dns01: - cloudflare: - email: developerdurp@durp.info - apiTokenSecretRef: - name: cloudflare-api-token-secret - key: cloudflare-api-token-secret \ No newline at end of file diff --git a/dev/.gitlab/.gitlab-ci.yml b/dev/.gitlab/.gitlab-ci.yml new file mode 100644 index 0000000..16cef81 --- /dev/null +++ b/dev/.gitlab/.gitlab-ci.yml @@ -0,0 +1,95 @@ +stages: + - plan + - apply + - destroy + +variables: + WORKDIR: $CI_PROJECT_DIR/dev/terraform + GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dev + +image: + name: registry.durp.info/opentofu/opentofu:latest + entrypoint: [""] + +.tf-init: + before_script: + - cd $WORKDIR + - tofu init + -reconfigure + -backend-config="address=${GITLAB_TF_ADDRESS}" + -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="username=gitlab-ci-token" + -backend-config="password=${CI_JOB_TOKEN}" + -backend-config="lock_method=POST" + -backend-config="unlock_method=DELETE" + -backend-config="retry_wait_min=5" + +format: + stage: .pre + allow_failure: false + script: + - cd $WORKDIR + - tofu fmt -diff -check -write=false + rules: + - changes: + - "dev/terraform/*.tf" + +validate: + stage: .pre + allow_failure: false + extends: .tf-init + script: + - tofu validate + rules: + - changes: + - "dev/terraform/*.tf" + +plan-dev-infrastructure: + stage: plan + variables: + PLAN: plan.tfplan + JSON_PLAN_FILE: tfplan.json + ENVIRONMENT_NAME: dev + allow_failure: false + extends: .tf-init + script: + - apk add --update curl jq + - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" + - tofu plan -out=$PLAN $ARGUMENTS + - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE + artifacts: + reports: + terraform: $WORKDIR/$JSON_PLAN_FILE + needs: ["validate","format"] + rules: + - changes: + - "dev/terraform/*.tf" + +apply-dev-infrastructure: + stage: apply + variables: + ENVIRONMENT_NAME: dev + allow_failure: false + extends: .tf-init + script: + - tofu apply -auto-approve $ARGUMENTS + rules: + - changes: + - "dev/terraform/*.tf" + when: manual + needs: ["plan-dev-infrastructure"] + +destroy-dev-infrastructure: + stage: destroy + variables: + ENVIRONMENT_NAME: dev + allow_failure: false + extends: .tf-init + script: + - tofu destroy -auto-approve $ARGUMENTS + rules: + - changes: + - "dev/terraform/*.tf" + when: manual + needs: ["plan-dev-infrastructure"] diff --git a/cert-manager/Chart.yaml b/dev/cert-manager/Chart.yaml similarity index 91% rename from cert-manager/Chart.yaml rename to dev/cert-manager/Chart.yaml index 8593f8c..7280af8 100644 --- a/cert-manager/Chart.yaml +++ b/dev/cert-manager/Chart.yaml @@ -8,4 +8,4 @@ appVersion: 0.0.1 dependencies: - name: cert-manager repository: https://charts.jetstack.io - version: 1.*.* + version: v1.17.2 diff --git a/dev/cert-manager/templates/issuer.yaml b/dev/cert-manager/templates/issuer.yaml new file mode 100644 index 0000000..cf61c83 --- /dev/null +++ b/dev/cert-manager/templates/issuer.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: issuer +secrets: + - name: issuer-token-lmzpj + +--- + +apiVersion: v1 +kind: Secret +metadata: + name: issuer-token-lmzpj + annotations: + kubernetes.io/service-account.name: issuer +type: kubernetes.io/service-account-token diff --git a/dev/cert-manager/templates/letsencrypt.yaml b/dev/cert-manager/templates/letsencrypt.yaml new file mode 100644 index 0000000..56b8374 --- /dev/null +++ b/dev/cert-manager/templates/letsencrypt.yaml @@ -0,0 +1,35 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + email: developerdurp@durp.info + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: cloudflare-api-token-secret + +--- + +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: vault-issuer +spec: + vault: + server: https://vault.infra.durp.info + caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzekNDQTV1Z0F3SUJBZ0lVWkV6enhxRXVZaUtIa0wxZGYrQ2IyMk5SUkpNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekl5TXpRME1sb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dJREVlTUJ3R0ExVUVBeE1WZG1GMWJIUXVhVzVtY21FdVpIVnljQzVwYm1adk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWtaTTB1ZTRiTWNtbUFUcytrR1lTcFIyaExVenEKc2NHSXdDdHFtYUtDTWJkMXhobWdqbklSM3p2U1JwdExSMkdWR3ZjMXRpNnFieTBqWFl2Y3FieGtIdmF5MDB6VwoyellOK00ybTRsWHB1V3pnMXQ2TkVvTzZYR0FzR2oydjB2Y1ZrdFBQVTl1ajByR1VWR1dXZnN2am9YcVFGZzVJCmpkeHN4SzlTdk12dzJYdEUzRmdLeHB6Q3l3OTRJbklIbGNQd0ZUTyszWmRLU3RabE1iVURJa21zekxCcldGY3IKWE9zUERmTHhxTXkwQ2svL0xLSXQ4ZGpoMzI1NEZIQjFHRzUra0krSlNXMW8rdFVjTDJOeW12SUlOd20vMmFjUwoxdVRtK2o5VzdpRVhhdjBwSk5tbSsvZHpTc2tjM1kwZnRNMGgySENYZ2l0QklhRVpuVVZuZU5IT0x3SURBUUFCCm80SUI3ekNDQWVzd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME8KQkJZRUZDYVEycTdqN0x5QkdFVEVaNXFhSkFkbElTS0NNQjhHQTFVZEl3UVlNQmFBRk8xakN5R2twRk8rUWlSMgpkZkJNV1ZZZVdyUTJNSUgwQmdnckJnRUZCUWNCQVFTQjV6Q0I1REF6QmdnckJnRUZCUWN3QVlZbmFIUjBjSE02Ckx5OHhPVEl1TVRZNExqSXdMakkxTXpvNE1qQXhMM1l4TDNCcmFTOXZZM053TUQwR0NDc0dBUVVGQnpBQmhqRm8KZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnJhUzl2WTNOdwpNREVHQ0NzR0FRVUZCekFDaGlWb2RIUndjem92THpFNU1pNHhOamd1TWpBdU1qVXpPamd5TURFdmRqRXZjR3RwCkwyTmhNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndjem92TDNKdmIzUXRkbUYxYkhRdWFXNTBaWEp1WVd3dVpIVnkKY0M1cGJtWnZMM1l4TDNCcmFTOWpZVEFnQmdOVkhSRUVHVEFYZ2hWMllYVnNkQzVwYm1aeVlTNWtkWEp3TG1sdQpabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3TGpJMU16bzRNakF4CkwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6T2k4dmNtOXZkQzEyWVhWc2RDNXBiblJsY201aGJDNWsKZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXVKK2xwbFkvK0E1TAo1THprbGpiS0RUeTNVNlBMdjFMdHhxVkNPRkdpSlhCblhNanRWVzA3YkJFVWFkekZSTlc4R0hRM3c1UXpPRzZrCi92RS9UcnJKaG83bDA1Si91YytCVXJQU05qZWZMbVFWNmhuNGpyUDg2UFIwdnpSZmJTcUtLQklJRDlNNyt6aTYKR0Z2SGxWa1NIc1F5TVFwN0pPb2F4OUtWelcyWStPSWd3N0xndzJ0UDEyMldDdDJTSUYwUWVub1pIc29XMGd1agp0elRKUm1KRGpuNlhlSjdMM0ZQa2YzN0g2dWIwSmczekJHcjZlb3JFRmZZWk5ONUNYZXpqcU1GQnBSZHE0VUlvCjFNM0E3bzN1eVpGY0ZzcC92R0RjTUJrd2FDc0JWOWlkdS9Id2t2R2FUVU5JMjg1aWxCT1JQRDBiTVpuQUNxLzkKK1EvY2RzTzVsZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lVUXdDQXM4MnNnU3VpYVZiakFOSFNjTzJEU2ZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TWpFeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBbjlmakdScXFGc3FndXo1Nlg2Y1had0VNdEQ5d0Vsd1NGQ2I0RmM4WVR6bEgKNGZWMTNRd1hLRVNMRS9RKzdidzR5NEZKUThCaUdOYnh4YlFPT2dXaGZHR2xReUZhMWxmaEp0WUxmcVJONUMyLwpTN25yMFl4REI5ZHVjNE9BRXhWTDZQcjQvS29jK3ZEWlkwM2w3Unp3bkYyQU9NOURqRlRBU3cwMVRwaENRalJrClUrdXBpTjJUVWhVUGVqVi9nTVIrelhNNnBuOThVQktHMWROdWJTMEh6QU13QUVYQVBtMTQxTkR5V1VDUFQ5KzMKNlAwM0thOG1VVHgzWDQ5T0N0dkpFR0VRYnRsblRGUWFPU2tQMXlMVytYUk1IdzNzUWFWMlBXWHU1ZkluYkVwWgorU3V6bWdMT1h0bVFObUhMYXY5cTFxZVRWa3BCR1BXdmZoMlZoMUpKaFFJREFRQUJvNElCNHpDQ0FkOHdEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSmFQMTdmMVp3MFYKNTVLczlVZjBVU1ZXbDBCUE1COEdBMVVkSXdRWU1CYUFGTzFqQ3lHa3BGTytRaVIyZGZCTVdWWWVXclEyTUlIMApCZ2dyQmdFRkJRY0JBUVNCNXpDQjVEQXpCZ2dyQmdFRkJRY3dBWVluYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3CkxqSTFNem80TWpBeEwzWXhMM0JyYVM5dlkzTndNRDBHQ0NzR0FRVUZCekFCaGpGb2RIUndjem92TDNKdmIzUXQKZG1GMWJIUXVhVzUwWlhKdVlXd3VaSFZ5Y0M1cGJtWnZMM1l4TDNCcmFTOXZZM053TURFR0NDc0dBUVVGQnpBQwpoaVZvZEhSd2N6b3ZMekU1TWk0eE5qZ3VNakF1TWpVek9qZ3lNREV2ZGpFdmNHdHBMMk5oTURzR0NDc0dBUVVGCkJ6QUNoaTlvZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnIKYVM5allUQVVCZ05WSFJFRURUQUxnZ2xrZFhKd0xtbHVabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMApjSE02THk4eE9USXVNVFk0TGpJd0xqSTFNem80TWpBeEwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6Ck9pOHZjbTl2ZEMxMllYVnNkQzVwYm5SbGNtNWhiQzVrZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFpcUFaNHpOSUVrQ1djdnBEUnEwVnlKdWs1OXNWdEpyNVg0RnNjSFExNzluRQpRYmJ2TWUrRUJERlM2WFFtbDFFbGo4amlQYS9ENU85T2M2SWlzbm01K3dlWkt3QXB6L2xRK1hWa1dMQ29FcGxCClpaOWZjV1ZDYk1MdDB4bHQ4cW41ei9tWUtmYkNUN1pDcURPK3ByUVp0K0FESmNRYmlrbmZyb0FBcUViTkt4d04KWTl1VXlPV05GM1N4SkVjaDR3MmR0WCtJRVZteGVabmhNeThPdVAwU1FLbDhhVzQwdWdpRzBaRDV5VEJCZk9EOQp6c3JHU1UvaVNhdG4wYjdiZXZCaGFMOTZoejEvck5SMWNMKzQvYWxiWDJocnI4UnYzL1NCMkRMdE5RbFFXMGxzCkFmaFhBcVA1ekwrWXRnZjFPZi9wVmRnbmh4cllVWTdSS0NTR1k1SGFndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMekNDQWhlZ0F3SUJBZ0lVTkhkdk96YW0ySFBWZHdYcE1IVXk0d2w4WlJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TVRVeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBOFhEVFZFdFJJMytrNHl1dnFWcWZJaUxSUUpjWGJtaGZWdEFlWWsrNWo5T3gKcDF3OVlIZG5QTHFMRnJEMVB6YWRqcVllQXAvZndsRUZmczZscXdvVFM4Uzl2aGFGcWNnQjU3blZNYjc3ZFRCYgovMDhYSFhPVTZGUFJqZEZLbTVRTXBTN3RuMVhhY1BNeS9vMGJLcVJSRVFlaXVGREdWUnl1RjVQVWd2V2MxZHZKCmwyN0p2dmdZa3RnamZwTlM0RGxDeGc0bEdYVDVhYnZhS2YyaG5yNjVlZ2FJby95UldOOXdudkF6UmlZN29jaTcKR0Exb0t6ODdZYzF0ZkwyZ2N5bnJ3Y2NPT0NGL2VVS2VzSlIxSTZHWE5rTi9hMWZjcitMZDlaOU5oSEJ0Tyt2RQpOOERzWlkra0c3REUzTTRCQ0NURlV6bGxjWUhqYVc0SGFGOXZaVytQWXdJREFRQUJvM2t3ZHpBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdXTUxJYVNrVTc1Q0pIWjEKOEV4WlZoNWF0RFl3SHdZRFZSMGpCQmd3Rm9BVTdXTUxJYVNrVTc1Q0pIWjE4RXhaVmg1YXREWXdGQVlEVlIwUgpCQTB3QzRJSlpIVnljQzVwYm1adk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVMvcVVJLzFZdjA3eFVUSzVrCnI5M2tDN0dTUHBtcGtYSXNmakNoQWw5M3NlYk4xNDNmdTcwTlVQNzRqakNjMFdrYjhoUm9mR2cxMEUrLzI0cjEKQUkwS3NMaHpLemZJQVN4VVZRQW44UlRwdExydWFhUExib1NBNE1VWjhJQjV5OFZ5OEUzL0t0RDBnRDgwajY0WQpybTlYR0hBMEhUSkhiUFVUYi9SdXgyZzBFN1d0aXlXU1dIOG1xemJlZ1U4SXJrTTNlVlQ0K3lsQkU3WWtmV0RECmR3NDRzQjcxdGZtREtweldnNlhRNllNaDBZZm55RzFmWUNqOUxodWVjTlk5VXVvNmNqRGFBdmt6TWV3V3dxRHgKUTJFa2FzOThEaTZpdENQOHZFVCtnQkRqZUNjK1hSNkh4NnZ6V214bFpod0R1eEVLTDFhMi9EYWJVeEp5TU56dgo1NUZuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + path: pki/sign/issue-homelab-certs + auth: + kubernetes: + mountPath: /v1/auth/dmz-cluster + role: issuer + secretRef: + name: issuer-token-lmzpj + key: token diff --git a/cert-manager/templates/sealedsecret.yaml b/dev/cert-manager/templates/secretvault.yaml similarity index 69% rename from cert-manager/templates/sealedsecret.yaml rename to dev/cert-manager/templates/secretvault.yaml index 37a2e92..11c82bc 100644 --- a/cert-manager/templates/sealedsecret.yaml +++ b/dev/cert-manager/templates/secretvault.yaml @@ -1,4 +1,4 @@ -apiVersion: external-secrets.io/v1beta1 +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: cloudflare-api-token-secret @@ -11,6 +11,12 @@ spec: data: - secretKey: cloudflare-api-token-secret remoteRef: - key: secrets/cert-manager + key: kv/cert-manager property: cloudflare-api-token-secret +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/cert-manager/values.yaml b/dev/cert-manager/values.yaml similarity index 92% rename from cert-manager/values.yaml rename to dev/cert-manager/values.yaml index 36f403b..c9cf12f 100644 --- a/cert-manager/values.yaml +++ b/dev/cert-manager/values.yaml @@ -1,9 +1,10 @@ cert-manager: + crds: + enabled: true image: registry: registry.internal.durp.info repository: jetstack/cert-manager-controller pullPolicy: Always - installCRDs: true replicaCount: 3 extraArgs: - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 @@ -22,4 +23,4 @@ cert-manager: image: registry: registry.internal.durp.info repository: jetstack/cert-manager-cainjector - pullPolicy: Always \ No newline at end of file + pullPolicy: Always diff --git a/external-dns/Chart.yaml b/dev/external-dns/Chart.yaml similarity index 92% rename from external-dns/Chart.yaml rename to dev/external-dns/Chart.yaml index 24d735c..937bc49 100644 --- a/external-dns/Chart.yaml +++ b/dev/external-dns/Chart.yaml @@ -9,4 +9,4 @@ appVersion: 0.0.1 dependencies: - name: external-dns repository: https://charts.bitnami.com/bitnami - version: 6.20.3 + version: 8.9.2 diff --git a/external-dns/templates/secrets.yaml b/dev/external-dns/templates/secrets.yaml similarity index 70% rename from external-dns/templates/secrets.yaml rename to dev/external-dns/templates/secrets.yaml index 142c03a..60f7466 100644 --- a/external-dns/templates/secrets.yaml +++ b/dev/external-dns/templates/secrets.yaml @@ -1,4 +1,4 @@ -apiVersion: external-secrets.io/v1beta1 +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: external-dns-secret @@ -11,13 +11,20 @@ spec: data: - secretKey: cloudflare_api_email remoteRef: - key: secrets/external-dns/cloudflare + key: kv/cloudflare property: cloudflare_api_email - secretKey: cloudflare_api_key remoteRef: - key: secrets/external-dns/cloudflare + key: kv/cloudflare property: cloudflare_api_key - secretKey: cloudflare_api_token remoteRef: - key: secrets/external-dns/cloudflare + key: kv/cloudflare property: cloudflare_api_token + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/external-dns/values.yaml b/dev/external-dns/values.yaml similarity index 80% rename from external-dns/values.yaml rename to dev/external-dns/values.yaml index 942b41e..2052942 100644 --- a/external-dns/values.yaml +++ b/dev/external-dns/values.yaml @@ -1,13 +1,15 @@ external-dns: global: - imageRegistry: "registry.internal.durp.info" + imageRegistry: "registry.durp.info" image: pullPolicy: Always + txtPrefix: "dmz-" + sources: - service - + provider: cloudflare cloudflare: secretName : "external-dns" diff --git a/external-secrets/Chart.yaml b/dev/external-secrets/Chart.yaml similarity index 92% rename from external-secrets/Chart.yaml rename to dev/external-secrets/Chart.yaml index 96c39ce..48645c3 100644 --- a/external-secrets/Chart.yaml +++ b/dev/external-secrets/Chart.yaml @@ -8,5 +8,4 @@ appVersion: 0.0.1 dependencies: - name: external-secrets repository: https://charts.external-secrets.io - version: 0.8.1 - + version: 0.17.0 diff --git a/dev/external-secrets/templates/ca.yaml b/dev/external-secrets/templates/ca.yaml new file mode 100644 index 0000000..9b2a135 --- /dev/null +++ b/dev/external-secrets/templates/ca.yaml @@ -0,0 +1,81 @@ +apiVersion: v1 +data: + vault.pem: | + -----BEGIN CERTIFICATE----- + MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy + MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN + BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq + scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW + 2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I + jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr + XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS + 1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB + o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O + BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2 + dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6 + Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo + dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw + MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp + L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy + cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu + Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx + L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k + dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L + 5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k + /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6 + GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj + tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo + 1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9 + +Q/cdsO5lg== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH + 4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/ + S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk + U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3 + 6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ + +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD + VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V + 55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0 + BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw + LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt + dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC + hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF + BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br + aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0 + cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz + Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq + hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE + QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB + ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN + Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9 + zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls + AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox + p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb + /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ + l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7 + GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE + N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B + Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1 + 8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R + BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k + r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1 + AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y + rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD + dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx + Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv + 55Fn + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: ca-pemstore diff --git a/dev/external-secrets/values.yaml b/dev/external-secrets/values.yaml new file mode 100644 index 0000000..304180d --- /dev/null +++ b/dev/external-secrets/values.yaml @@ -0,0 +1,94 @@ +external-secrets: + replicaCount: 3 + revisionHistoryLimit: 1 + leaderElect: true + + installCRDs: true + crds: + createClusterExternalSecret: true + createClusterSecretStore: true + createClusterGenerator: true + createPushSecret: true + conversion: + enabled: false + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + webhook: + create: false + failurePolicy: Ignore + log: + level: debug + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + certController: + create: false + revisionHistoryLimit: 1 + log: + level: debug + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + tag: "" + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true diff --git a/metallb-system/Chart.yaml b/dev/metallb-system/Chart.yaml similarity index 91% rename from metallb-system/Chart.yaml rename to dev/metallb-system/Chart.yaml index c90584f..c92e842 100644 --- a/metallb-system/Chart.yaml +++ b/dev/metallb-system/Chart.yaml @@ -9,5 +9,4 @@ appVersion: "1.16.0" dependencies: - name: metallb repository: https://metallb.github.io/metallb - version: 0.14.5 - + version: 0.15.2 diff --git a/metallb-system/templates/config.yaml b/dev/metallb-system/templates/config.yaml similarity index 86% rename from metallb-system/templates/config.yaml rename to dev/metallb-system/templates/config.yaml index c662007..5fb85fe 100644 --- a/metallb-system/templates/config.yaml +++ b/dev/metallb-system/templates/config.yaml @@ -4,7 +4,7 @@ metadata: name: cheap spec: addresses: - - 192.168.20.34-192.168.20.39 + - 192.168.10.130-192.168.10.140 --- apiVersion: metallb.io/v1beta1 kind: L2Advertisement diff --git a/dev/metallb-system/values.yaml b/dev/metallb-system/values.yaml new file mode 100644 index 0000000..e69de29 diff --git a/traefik/Chart.yaml b/dev/traefik/Chart.yaml similarity index 91% rename from traefik/Chart.yaml rename to dev/traefik/Chart.yaml index 1ebbb2d..1df1d76 100644 --- a/traefik/Chart.yaml +++ b/dev/traefik/Chart.yaml @@ -8,4 +8,4 @@ appVersion: 0.0.1 dependencies: - name: traefik repository: https://traefik.github.io/charts - version: 22.1.0 + version: 34.5.0 diff --git a/dev/traefik/values.yaml b/dev/traefik/values.yaml new file mode 100644 index 0000000..3d1d660 --- /dev/null +++ b/dev/traefik/values.yaml @@ -0,0 +1,58 @@ +traefik: + image: + # registry: registry.durp.info + # repository: traefik + pullPolicy: Always + + providers: + kubernetesCRD: + allowCrossNamespace: true + allowExternalNameServices: true + allowEmptyServices: false + + deployment: + replicas: 3 + revisionHistoryLimit: 1 + + # volumes: + # - name: traefik-configmap + # mountPath: "/config" + # type: configMap + + ingressRoute: + dashboard: + enabled: true + + additionalArguments: + # - "--providers.file.filename=/config/config.yml" + - "--serversTransport.insecureSkipVerify=true" + - "--log.level=DEBUG" + - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin + - --experimental.plugins.jwt.version=v0.7.0 + + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + policies: + - type: Pods + value: 1 + periodSeconds: 60 + + # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. + resources: + requests: + cpu: "100m" + memory: "512Mi" + limits: + memory: "512Mi" diff --git a/vault/Chart.yaml b/dev/vault/Chart.yaml similarity index 91% rename from vault/Chart.yaml rename to dev/vault/Chart.yaml index fc08adf..412c292 100644 --- a/vault/Chart.yaml +++ b/dev/vault/Chart.yaml @@ -8,5 +8,5 @@ appVersion: 0.0.1 dependencies: - name: vault repository: https://helm.releases.hashicorp.com - version: 0.27.0 + version: 0.30.0 diff --git a/dev/vault/templates/secret-store.yaml b/dev/vault/templates/secret-store.yaml new file mode 100644 index 0000000..c48e52f --- /dev/null +++ b/dev/vault/templates/secret-store.yaml @@ -0,0 +1,23 @@ +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: + name: vault +spec: + provider: + vault: + server: "https://vault.infra.durp.info" + path: "kv" + version: "v2" + auth: + kubernetes: + mountPath: "dmz-cluster" + role: "external-secrets" + serviceAccountRef: + name: "vault" + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/dev/vault/values.yaml b/dev/vault/values.yaml new file mode 100644 index 0000000..877d8fe --- /dev/null +++ b/dev/vault/values.yaml @@ -0,0 +1,13 @@ +vault: + global: + enabled: true + tlsDisable: false + externalVaultAddr: "https://vault.infra.durp.info" + resources: + requests: + memory: 256Mi + cpu: 250m + limits: + memory: 256Mi + cpu: 250m + diff --git a/dmz/.gitlab/.gitlab-ci.yml b/dmz/.gitlab/.gitlab-ci.yml new file mode 100644 index 0000000..e0532bc --- /dev/null +++ b/dmz/.gitlab/.gitlab-ci.yml @@ -0,0 +1,95 @@ +stages: + - plan + - apply + - destroy + +variables: + WORKDIR: $CI_PROJECT_DIR/dmz/terraform + GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dmz + +image: + name: registry.durp.info/opentofu/opentofu:latest + entrypoint: [""] + +.tf-init: + before_script: + - cd $WORKDIR + - tofu init + -reconfigure + -backend-config="address=${GITLAB_TF_ADDRESS}" + -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="username=gitlab-ci-token" + -backend-config="password=${CI_JOB_TOKEN}" + -backend-config="lock_method=POST" + -backend-config="unlock_method=DELETE" + -backend-config="retry_wait_min=5" + +format: + stage: .pre + allow_failure: false + script: + - cd $WORKDIR + - tofu fmt -diff -check -write=false + rules: + - changes: + - "dmz/terraform/*.tf" + +validate: + stage: .pre + allow_failure: false + extends: .tf-init + script: + - tofu validate + rules: + - changes: + - "dmz/terraform/*.tf" + +plan-dmz-infrastructure: + stage: plan + variables: + PLAN: plan.tfplan + JSON_PLAN_FILE: tfplan.json + ENVIRONMENT_NAME: dmz + allow_failure: false + extends: .tf-init + script: + - apk add --update curl jq + - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" + - tofu plan -out=$PLAN $ARGUMENTS + - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE + artifacts: + reports: + terraform: $WORKDIR/$JSON_PLAN_FILE + needs: ["validate","format"] + rules: + - changes: + - "dmz/terraform/*.tf" + +apply-dmz-infrastructure: + stage: apply + variables: + ENVIRONMENT_NAME: dmz + allow_failure: false + extends: .tf-init + script: + - tofu apply -auto-approve $ARGUMENTS + rules: + - changes: + - "dmz/terraform/*.tf" + when: manual + needs: ["plan-dmz-infrastructure"] + +destroy-dmz-infrastructure: + stage: destroy + variables: + ENVIRONMENT_NAME: dmz + allow_failure: false + extends: .tf-init + script: + - tofu destroy -auto-approve $ARGUMENTS + rules: + - changes: + - "dmz/terraform/*.tf" + when: manual + needs: ["plan-dmz-infrastructure"] diff --git a/dmz/authentik/Chart.yaml b/dmz/authentik/Chart.yaml new file mode 100644 index 0000000..090214c --- /dev/null +++ b/dmz/authentik/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: authentik +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: + - name: authentik-remote-cluster + repository: https://charts.goauthentik.io + version: 2.1.0 diff --git a/dmz/authentik/templates/ingress.yaml b/dmz/authentik/templates/ingress.yaml new file mode 100644 index 0000000..e69de29 diff --git a/dmz/authentik/values.yaml b/dmz/authentik/values.yaml new file mode 100644 index 0000000..83be2f9 --- /dev/null +++ b/dmz/authentik/values.yaml @@ -0,0 +1,30 @@ +authentik-remote-cluster: + # -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible + nameOverride: "" + # -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible + fullnameOverride: "" + # -- Override the Kubernetes version, which is used to evaluate certain manifests + kubeVersionOverride: "" + + ## Globally shared configuration for authentik components. + global: + # -- Provide a name in place of `authentik` + nameOverride: "" + # -- String to fully override `"authentik.fullname"` + fullnameOverride: "" + # -- A custom namespace to override the default namespace for the deployed resources. + namespaceOverride: "" + # -- Common labels for all resources. + additionalLabels: {} + # app: authentik + + # -- Annotations to apply to all resources + annotations: {} + + serviceAccountSecret: + # -- Create a secret with the service account credentials + enabled: true + + clusterRole: + # -- Create a clusterole in addition to a namespaced role. + enabled: true diff --git a/dmz/cert-manager/Chart.yaml b/dmz/cert-manager/Chart.yaml new file mode 100644 index 0000000..7280af8 --- /dev/null +++ b/dmz/cert-manager/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: cert-manager +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: cert-manager + repository: https://charts.jetstack.io + version: v1.17.2 diff --git a/dmz/cert-manager/templates/issuer.yaml b/dmz/cert-manager/templates/issuer.yaml new file mode 100644 index 0000000..cf61c83 --- /dev/null +++ b/dmz/cert-manager/templates/issuer.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: issuer +secrets: + - name: issuer-token-lmzpj + +--- + +apiVersion: v1 +kind: Secret +metadata: + name: issuer-token-lmzpj + annotations: + kubernetes.io/service-account.name: issuer +type: kubernetes.io/service-account-token diff --git a/dmz/cert-manager/templates/letsencrypt.yaml b/dmz/cert-manager/templates/letsencrypt.yaml new file mode 100644 index 0000000..56b8374 --- /dev/null +++ b/dmz/cert-manager/templates/letsencrypt.yaml @@ -0,0 +1,35 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + email: developerdurp@durp.info + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: cloudflare-api-token-secret + +--- + +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: vault-issuer +spec: + vault: + server: https://vault.infra.durp.info + caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzekNDQTV1Z0F3SUJBZ0lVWkV6enhxRXVZaUtIa0wxZGYrQ2IyMk5SUkpNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekl5TXpRME1sb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dJREVlTUJ3R0ExVUVBeE1WZG1GMWJIUXVhVzVtY21FdVpIVnljQzVwYm1adk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWtaTTB1ZTRiTWNtbUFUcytrR1lTcFIyaExVenEKc2NHSXdDdHFtYUtDTWJkMXhobWdqbklSM3p2U1JwdExSMkdWR3ZjMXRpNnFieTBqWFl2Y3FieGtIdmF5MDB6VwoyellOK00ybTRsWHB1V3pnMXQ2TkVvTzZYR0FzR2oydjB2Y1ZrdFBQVTl1ajByR1VWR1dXZnN2am9YcVFGZzVJCmpkeHN4SzlTdk12dzJYdEUzRmdLeHB6Q3l3OTRJbklIbGNQd0ZUTyszWmRLU3RabE1iVURJa21zekxCcldGY3IKWE9zUERmTHhxTXkwQ2svL0xLSXQ4ZGpoMzI1NEZIQjFHRzUra0krSlNXMW8rdFVjTDJOeW12SUlOd20vMmFjUwoxdVRtK2o5VzdpRVhhdjBwSk5tbSsvZHpTc2tjM1kwZnRNMGgySENYZ2l0QklhRVpuVVZuZU5IT0x3SURBUUFCCm80SUI3ekNDQWVzd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME8KQkJZRUZDYVEycTdqN0x5QkdFVEVaNXFhSkFkbElTS0NNQjhHQTFVZEl3UVlNQmFBRk8xakN5R2twRk8rUWlSMgpkZkJNV1ZZZVdyUTJNSUgwQmdnckJnRUZCUWNCQVFTQjV6Q0I1REF6QmdnckJnRUZCUWN3QVlZbmFIUjBjSE02Ckx5OHhPVEl1TVRZNExqSXdMakkxTXpvNE1qQXhMM1l4TDNCcmFTOXZZM053TUQwR0NDc0dBUVVGQnpBQmhqRm8KZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnJhUzl2WTNOdwpNREVHQ0NzR0FRVUZCekFDaGlWb2RIUndjem92THpFNU1pNHhOamd1TWpBdU1qVXpPamd5TURFdmRqRXZjR3RwCkwyTmhNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndjem92TDNKdmIzUXRkbUYxYkhRdWFXNTBaWEp1WVd3dVpIVnkKY0M1cGJtWnZMM1l4TDNCcmFTOWpZVEFnQmdOVkhSRUVHVEFYZ2hWMllYVnNkQzVwYm1aeVlTNWtkWEp3TG1sdQpabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3TGpJMU16bzRNakF4CkwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6T2k4dmNtOXZkQzEyWVhWc2RDNXBiblJsY201aGJDNWsKZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXVKK2xwbFkvK0E1TAo1THprbGpiS0RUeTNVNlBMdjFMdHhxVkNPRkdpSlhCblhNanRWVzA3YkJFVWFkekZSTlc4R0hRM3c1UXpPRzZrCi92RS9UcnJKaG83bDA1Si91YytCVXJQU05qZWZMbVFWNmhuNGpyUDg2UFIwdnpSZmJTcUtLQklJRDlNNyt6aTYKR0Z2SGxWa1NIc1F5TVFwN0pPb2F4OUtWelcyWStPSWd3N0xndzJ0UDEyMldDdDJTSUYwUWVub1pIc29XMGd1agp0elRKUm1KRGpuNlhlSjdMM0ZQa2YzN0g2dWIwSmczekJHcjZlb3JFRmZZWk5ONUNYZXpqcU1GQnBSZHE0VUlvCjFNM0E3bzN1eVpGY0ZzcC92R0RjTUJrd2FDc0JWOWlkdS9Id2t2R2FUVU5JMjg1aWxCT1JQRDBiTVpuQUNxLzkKK1EvY2RzTzVsZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lVUXdDQXM4MnNnU3VpYVZiakFOSFNjTzJEU2ZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TWpFeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBbjlmakdScXFGc3FndXo1Nlg2Y1had0VNdEQ5d0Vsd1NGQ2I0RmM4WVR6bEgKNGZWMTNRd1hLRVNMRS9RKzdidzR5NEZKUThCaUdOYnh4YlFPT2dXaGZHR2xReUZhMWxmaEp0WUxmcVJONUMyLwpTN25yMFl4REI5ZHVjNE9BRXhWTDZQcjQvS29jK3ZEWlkwM2w3Unp3bkYyQU9NOURqRlRBU3cwMVRwaENRalJrClUrdXBpTjJUVWhVUGVqVi9nTVIrelhNNnBuOThVQktHMWROdWJTMEh6QU13QUVYQVBtMTQxTkR5V1VDUFQ5KzMKNlAwM0thOG1VVHgzWDQ5T0N0dkpFR0VRYnRsblRGUWFPU2tQMXlMVytYUk1IdzNzUWFWMlBXWHU1ZkluYkVwWgorU3V6bWdMT1h0bVFObUhMYXY5cTFxZVRWa3BCR1BXdmZoMlZoMUpKaFFJREFRQUJvNElCNHpDQ0FkOHdEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSmFQMTdmMVp3MFYKNTVLczlVZjBVU1ZXbDBCUE1COEdBMVVkSXdRWU1CYUFGTzFqQ3lHa3BGTytRaVIyZGZCTVdWWWVXclEyTUlIMApCZ2dyQmdFRkJRY0JBUVNCNXpDQjVEQXpCZ2dyQmdFRkJRY3dBWVluYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3CkxqSTFNem80TWpBeEwzWXhMM0JyYVM5dlkzTndNRDBHQ0NzR0FRVUZCekFCaGpGb2RIUndjem92TDNKdmIzUXQKZG1GMWJIUXVhVzUwWlhKdVlXd3VaSFZ5Y0M1cGJtWnZMM1l4TDNCcmFTOXZZM053TURFR0NDc0dBUVVGQnpBQwpoaVZvZEhSd2N6b3ZMekU1TWk0eE5qZ3VNakF1TWpVek9qZ3lNREV2ZGpFdmNHdHBMMk5oTURzR0NDc0dBUVVGCkJ6QUNoaTlvZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnIKYVM5allUQVVCZ05WSFJFRURUQUxnZ2xrZFhKd0xtbHVabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMApjSE02THk4eE9USXVNVFk0TGpJd0xqSTFNem80TWpBeEwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6Ck9pOHZjbTl2ZEMxMllYVnNkQzVwYm5SbGNtNWhiQzVrZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFpcUFaNHpOSUVrQ1djdnBEUnEwVnlKdWs1OXNWdEpyNVg0RnNjSFExNzluRQpRYmJ2TWUrRUJERlM2WFFtbDFFbGo4amlQYS9ENU85T2M2SWlzbm01K3dlWkt3QXB6L2xRK1hWa1dMQ29FcGxCClpaOWZjV1ZDYk1MdDB4bHQ4cW41ei9tWUtmYkNUN1pDcURPK3ByUVp0K0FESmNRYmlrbmZyb0FBcUViTkt4d04KWTl1VXlPV05GM1N4SkVjaDR3MmR0WCtJRVZteGVabmhNeThPdVAwU1FLbDhhVzQwdWdpRzBaRDV5VEJCZk9EOQp6c3JHU1UvaVNhdG4wYjdiZXZCaGFMOTZoejEvck5SMWNMKzQvYWxiWDJocnI4UnYzL1NCMkRMdE5RbFFXMGxzCkFmaFhBcVA1ekwrWXRnZjFPZi9wVmRnbmh4cllVWTdSS0NTR1k1SGFndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMekNDQWhlZ0F3SUJBZ0lVTkhkdk96YW0ySFBWZHdYcE1IVXk0d2w4WlJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TVRVeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBOFhEVFZFdFJJMytrNHl1dnFWcWZJaUxSUUpjWGJtaGZWdEFlWWsrNWo5T3gKcDF3OVlIZG5QTHFMRnJEMVB6YWRqcVllQXAvZndsRUZmczZscXdvVFM4Uzl2aGFGcWNnQjU3blZNYjc3ZFRCYgovMDhYSFhPVTZGUFJqZEZLbTVRTXBTN3RuMVhhY1BNeS9vMGJLcVJSRVFlaXVGREdWUnl1RjVQVWd2V2MxZHZKCmwyN0p2dmdZa3RnamZwTlM0RGxDeGc0bEdYVDVhYnZhS2YyaG5yNjVlZ2FJby95UldOOXdudkF6UmlZN29jaTcKR0Exb0t6ODdZYzF0ZkwyZ2N5bnJ3Y2NPT0NGL2VVS2VzSlIxSTZHWE5rTi9hMWZjcitMZDlaOU5oSEJ0Tyt2RQpOOERzWlkra0c3REUzTTRCQ0NURlV6bGxjWUhqYVc0SGFGOXZaVytQWXdJREFRQUJvM2t3ZHpBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdXTUxJYVNrVTc1Q0pIWjEKOEV4WlZoNWF0RFl3SHdZRFZSMGpCQmd3Rm9BVTdXTUxJYVNrVTc1Q0pIWjE4RXhaVmg1YXREWXdGQVlEVlIwUgpCQTB3QzRJSlpIVnljQzVwYm1adk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVMvcVVJLzFZdjA3eFVUSzVrCnI5M2tDN0dTUHBtcGtYSXNmakNoQWw5M3NlYk4xNDNmdTcwTlVQNzRqakNjMFdrYjhoUm9mR2cxMEUrLzI0cjEKQUkwS3NMaHpLemZJQVN4VVZRQW44UlRwdExydWFhUExib1NBNE1VWjhJQjV5OFZ5OEUzL0t0RDBnRDgwajY0WQpybTlYR0hBMEhUSkhiUFVUYi9SdXgyZzBFN1d0aXlXU1dIOG1xemJlZ1U4SXJrTTNlVlQ0K3lsQkU3WWtmV0RECmR3NDRzQjcxdGZtREtweldnNlhRNllNaDBZZm55RzFmWUNqOUxodWVjTlk5VXVvNmNqRGFBdmt6TWV3V3dxRHgKUTJFa2FzOThEaTZpdENQOHZFVCtnQkRqZUNjK1hSNkh4NnZ6V214bFpod0R1eEVLTDFhMi9EYWJVeEp5TU56dgo1NUZuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + path: pki/sign/issue-homelab-certs + auth: + kubernetes: + mountPath: /v1/auth/dmz-cluster + role: issuer + secretRef: + name: issuer-token-lmzpj + key: token diff --git a/dmz/cert-manager/templates/secretvault.yaml b/dmz/cert-manager/templates/secretvault.yaml new file mode 100644 index 0000000..11c82bc --- /dev/null +++ b/dmz/cert-manager/templates/secretvault.yaml @@ -0,0 +1,22 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: cloudflare-api-token-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: cloudflare-api-token-secret + data: + - secretKey: cloudflare-api-token-secret + remoteRef: + key: kv/cert-manager + property: cloudflare-api-token-secret + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/dmz/cert-manager/values.yaml b/dmz/cert-manager/values.yaml new file mode 100644 index 0000000..cfb41cf --- /dev/null +++ b/dmz/cert-manager/values.yaml @@ -0,0 +1,31 @@ +cert-manager: + crds: + enabled: true + image: + registry: registry.durp.info + repository: jetstack/cert-manager-controller + pullPolicy: Always + replicaCount: 3 + extraArgs: + - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 + - --dns01-recursive-nameservers-only + podDnsPolicy: None + podDnsConfig: + nameservers: + - "1.1.1.1" + - "1.0.0.1" + webhook: + image: + registry: registry.durp.info + repository: jetstack/cert-manager-webhook + pullPolicy: Always + cainjector: + image: + registry: registry.durp.info + repository: jetstack/cert-manager-cainjector + pullPolicy: Always + + hostAliases: + - ip: 192.168.12.130 + hostnames: + - vault.infra.durp.info diff --git a/kubeclarity/Chart.yaml b/dmz/crowdsec/Chart.yaml similarity index 51% rename from kubeclarity/Chart.yaml rename to dmz/crowdsec/Chart.yaml index 6c050c2..a89fad6 100644 --- a/kubeclarity/Chart.yaml +++ b/dmz/crowdsec/Chart.yaml @@ -1,11 +1,11 @@ apiVersion: v2 -name: kubeclarity +name: crowdsec description: A Helm chart for Kubernetes type: application version: 0.0.1 appVersion: 0.0.1 dependencies: -- name: kubeclarity - repository: https://openclarity.github.io/kubeclarity - version: 2.22.0 + - name: crowdsec + repository: https://crowdsecurity.github.io/helm-charts + version: 0.19.4 diff --git a/dmz/crowdsec/templates/secrets.yaml b/dmz/crowdsec/templates/secrets.yaml new file mode 100644 index 0000000..dfef6d6 --- /dev/null +++ b/dmz/crowdsec/templates/secrets.yaml @@ -0,0 +1,29 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: enroll-key +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: enroll-key + data: + - secretKey: ENROLL_INSTANCE_NAME + remoteRef: + key: kv/crowdsec/dmz-enroll + property: ENROLL_INSTANCE_NAME + - secretKey: ENROLL_KEY + remoteRef: + key: kv/crowdsec/dmz-enroll + property: ENROLL_KEY + - secretKey: ENROLL_TAGS + remoteRef: + key: kv/crowdsec/dmz-enroll + property: ENROLL_TAGS + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/dmz/crowdsec/values.yaml b/dmz/crowdsec/values.yaml new file mode 100644 index 0000000..6271eb0 --- /dev/null +++ b/dmz/crowdsec/values.yaml @@ -0,0 +1,24 @@ +crowdsec: + # + image: + repository: registry.durp.info/crowdsecurity/crowdsec + pullPolicy: Always + + # for raw logs format: json or cri (docker|containerd) + container_runtime: containerd + agent: + # Specify each pod whose logs you want to process + acquisition: + # The namespace where the pod is located + - namespace: traefik + # The pod name + podName: traefik-* + # as in crowdsec configuration, we need to specify the program name to find a matching parser + program: traefik + env: + - name: COLLECTIONS + value: "crowdsecurity/traefik" + lapi: + envFrom: + - secretRef: + name: enroll-key diff --git a/dmz/external-dns/Chart.yaml b/dmz/external-dns/Chart.yaml new file mode 100644 index 0000000..937bc49 --- /dev/null +++ b/dmz/external-dns/Chart.yaml @@ -0,0 +1,12 @@ + +apiVersion: v2 +name: external-dns +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: external-dns + repository: https://charts.bitnami.com/bitnami + version: 8.9.2 diff --git a/dmz/external-dns/templates/secrets.yaml b/dmz/external-dns/templates/secrets.yaml new file mode 100644 index 0000000..60f7466 --- /dev/null +++ b/dmz/external-dns/templates/secrets.yaml @@ -0,0 +1,30 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: external-dns-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: external-dns + data: + - secretKey: cloudflare_api_email + remoteRef: + key: kv/cloudflare + property: cloudflare_api_email + - secretKey: cloudflare_api_key + remoteRef: + key: kv/cloudflare + property: cloudflare_api_key + - secretKey: cloudflare_api_token + remoteRef: + key: kv/cloudflare + property: cloudflare_api_token + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/dmz/external-dns/values.yaml b/dmz/external-dns/values.yaml new file mode 100644 index 0000000..21d797e --- /dev/null +++ b/dmz/external-dns/values.yaml @@ -0,0 +1,20 @@ +external-dns: + global: + imageRegistry: "registry.durp.info" + security: + allowInsecureImages: true + + image: + pullPolicy: Always + + txtPrefix: "dmz-" + + sources: + - service + + provider: cloudflare + cloudflare: + secretName: "external-dns" + proxied: false + + policy: sync diff --git a/dmz/external-secrets/Chart.yaml b/dmz/external-secrets/Chart.yaml new file mode 100644 index 0000000..4b30288 --- /dev/null +++ b/dmz/external-secrets/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: external-secrets +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: + - name: external-secrets + repository: https://charts.external-secrets.io + version: 0.17.0 diff --git a/dmz/external-secrets/templates/ca.yaml b/dmz/external-secrets/templates/ca.yaml new file mode 100644 index 0000000..9b2a135 --- /dev/null +++ b/dmz/external-secrets/templates/ca.yaml @@ -0,0 +1,81 @@ +apiVersion: v1 +data: + vault.pem: | + -----BEGIN CERTIFICATE----- + MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy + MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN + BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq + scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW + 2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I + jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr + XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS + 1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB + o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O + BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2 + dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6 + Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo + dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw + MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp + L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy + cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu + Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx + L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k + dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L + 5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k + /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6 + GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj + tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo + 1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9 + +Q/cdsO5lg== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH + 4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/ + S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk + U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3 + 6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ + +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD + VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V + 55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0 + BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw + LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt + dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC + hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF + BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br + aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0 + cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz + Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq + hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE + QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB + ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN + Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9 + zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls + AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox + p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb + /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ + l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7 + GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE + N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B + Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1 + 8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R + BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k + r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1 + AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y + rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD + dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx + Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv + 55Fn + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: ca-pemstore diff --git a/dmz/external-secrets/values.yaml b/dmz/external-secrets/values.yaml new file mode 100644 index 0000000..3ccc294 --- /dev/null +++ b/dmz/external-secrets/values.yaml @@ -0,0 +1,100 @@ +external-secrets: + global: + security: + allowInsecureImages: true + + log: + level: debug + replicaCount: 1 + revisionHistoryLimit: 1 + leaderElect: false + + installCRDs: true + crds: + createClusterExternalSecret: true + createClusterSecretStore: true + createClusterGenerator: true + createPushSecret: true + conversion: + enabled: false + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + # resources: + # requests: + # memory: 32Mi + # cpu: 10m + # limits: + # memory: 32Mi + # cpu: 10m + + webhook: + create: false + failurePolicy: Ignore + log: + level: debug + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + # resources: + # requests: + # memory: 32Mi + # cpu: 10m + # limits: + # memory: 32Mi + # cpu: 10m + + certController: + create: false + revisionHistoryLimit: 1 + log: + level: debug + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + tag: "" + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true diff --git a/gitlab-runner/Chart.yaml b/dmz/gitlab-runner/Chart.yaml similarity index 85% rename from gitlab-runner/Chart.yaml rename to dmz/gitlab-runner/Chart.yaml index c04efe7..17e8efe 100644 --- a/gitlab-runner/Chart.yaml +++ b/dmz/gitlab-runner/Chart.yaml @@ -8,4 +8,5 @@ appVersion: 0.0.1 dependencies: - name: gitlab-runner repository: https://charts.gitlab.io/ - version: 0.43.0 + version: 0.77.2 + alias: personal diff --git a/dmz/gitlab-runner/templates/secrets.yaml b/dmz/gitlab-runner/templates/secrets.yaml new file mode 100644 index 0000000..2098738 --- /dev/null +++ b/dmz/gitlab-runner/templates/secrets.yaml @@ -0,0 +1,48 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gitlab-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: gitlab-secret + data: + - secretKey: runner-registration-token + remoteRef: + key: kv/gitlab/runner + property: runner-registration-token + - secretKey: runner-token + remoteRef: + key: kv/gitlab/runner + property: runner-token + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + +--- + +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gitlab-secret-personal +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: gitlab-secret-personal + data: + - secretKey: runner-token + remoteRef: + key: kv/gitlab/runner + property: personal-runner-token + - secretKey: runner-registration-token + remoteRef: + key: kv/gitlab/runner + property: personal-runner-token diff --git a/gitlab-runner/values.yaml b/dmz/gitlab-runner/values.yaml similarity index 63% rename from gitlab-runner/values.yaml rename to dmz/gitlab-runner/values.yaml index 0cc62b8..7ba1021 100644 --- a/gitlab-runner/values.yaml +++ b/dmz/gitlab-runner/values.yaml @@ -1,12 +1,12 @@ -gitlab-runner: +personal: image: - registry: registry.internal.durp.info + registry: registry.durp.info image: gitlab-org/gitlab-runner imagePullPolicy: Always - gitlabUrl: https://gitlab.com/ - unregisterRunner: true + gitlabUrl: https://gitlab.durp.info/ + unregisterRunner: false terminationGracePeriodSeconds: 3600 concurrent: 10 checkInterval: 30 @@ -18,15 +18,15 @@ gitlab-runner: podSecurityPolicy: enabled: false resourceNames: - - gitlab-runner + - gitlab-runner metrics: enabled: true serviceMonitor: - enabled: true + enabled: true service: enabled: true - annotations: {} + annotations: {} runners: config: | @@ -40,16 +40,16 @@ gitlab-runner: name: "k3s" runUntagged: true privileged: true - secret: gitlab-secret - #builds: - #cpuLimit: 200m - #cpuLimitOverwriteMaxAllowed: 400m - #memoryLimit: 256Mi - #memoryLimitOverwriteMaxAllowed: 512Mi - #cpuRequests: 100m - #cpuRequestsOverwriteMaxAllowed: 200m - #memoryRequests: 128Mi - #memoryRequestsOverwriteMaxAllowed: 256Mi + secret: gitlab-secret-personal + builds: + cpuLimit: 200m + cpuLimitOverwriteMaxAllowed: 400m + memoryLimit: 256Mi + memoryLimitOverwriteMaxAllowed: 512Mi + cpuRequests: 100m + cpuRequestsOverwriteMaxAllowed: 200m + memoryRequests: 128Mi + memoryRequestsOverwriteMaxAllowed: 256Mi securityContext: allowPrivilegeEscalation: false @@ -63,9 +63,9 @@ gitlab-runner: runAsUser: 100 fsGroup: 65533 - resources: + resources: limits: memory: 2Gi requests: memory: 128Mi - cpu: 500m \ No newline at end of file + cpu: 50m diff --git a/internalproxy/Chart.yaml b/dmz/internalproxy/Chart.yaml similarity index 100% rename from internalproxy/Chart.yaml rename to dmz/internalproxy/Chart.yaml diff --git a/dmz/internalproxy/templates/argocd.yaml b/dmz/internalproxy/templates/argocd.yaml new file mode 100644 index 0000000..5adf88e --- /dev/null +++ b/dmz/internalproxy/templates/argocd.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: argocd-infra-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`argocd.infra.durp.info`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: infra-cluster + port: 443 + scheme: https + tls: + secretName: argocd-infra-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: argocd-infra-tls +spec: + secretName: argocd-infra-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "argocd.infra.durp.info" + dnsNames: + - "argocd.infra.durp.info" diff --git a/dmz/internalproxy/templates/authentik.yaml b/dmz/internalproxy/templates/authentik.yaml new file mode 100644 index 0000000..adf9884 --- /dev/null +++ b/dmz/internalproxy/templates/authentik.yaml @@ -0,0 +1,40 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: authentik-tls +spec: + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + secretName: authentik-tls + commonName: "authentik.durp.info" + dnsNames: + - "authentik.durp.info" + +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: authentik-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`authentik.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: infra-cluster + port: 443 + tls: + secretName: authentik-tls + +--- +kind: Service +apiVersion: v1 +metadata: + name: authentik-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: authentik.durp.info +spec: + type: ExternalName + externalName: durp.info \ No newline at end of file diff --git a/dmz/internalproxy/templates/bitwarden.yaml b/dmz/internalproxy/templates/bitwarden.yaml new file mode 100644 index 0000000..0067f8e --- /dev/null +++ b/dmz/internalproxy/templates/bitwarden.yaml @@ -0,0 +1,42 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: bitwarden-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: infra-cluster + port: 443 + tls: + secretName: bitwarden-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: bitwarden-tls +spec: + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + secretName: bitwarden-tls + commonName: "bitwarden.durp.info" + dnsNames: + - "bitwarden.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: bitwarden-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: bitwarden.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/duplicati.yaml b/dmz/internalproxy/templates/duplicati.yaml new file mode 100644 index 0000000..74475df --- /dev/null +++ b/dmz/internalproxy/templates/duplicati.yaml @@ -0,0 +1,35 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: duplicati-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: unraid + port: 8200 + tls: + secretName: duplicati-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: duplicati-tls +spec: + secretName: duplicati-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "duplicati.internal.durp.info" + dnsNames: + - "duplicati.internal.durp.info" diff --git a/dmz/internalproxy/templates/endpoints.yaml b/dmz/internalproxy/templates/endpoints.yaml new file mode 100644 index 0000000..8380a2c --- /dev/null +++ b/dmz/internalproxy/templates/endpoints.yaml @@ -0,0 +1,230 @@ +apiVersion: v1 +kind: Endpoints +metadata: + name: master-cluster +subsets: + - addresses: + - ip: 192.168.20.130 + ports: + - port: 443 + +--- +apiVersion: v1 +kind: Service +metadata: + name: master-cluster +spec: + ports: + - protocol: TCP + port: 443 + targetPort: 443 + +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: infra-cluster +subsets: + - addresses: + - ip: 192.168.12.130 + ports: + - port: 443 + +--- +apiVersion: v1 +kind: Service +metadata: + name: infra-cluster +spec: + ports: + - protocol: TCP + port: 443 + targetPort: 443 + +--- +apiVersion: v1 +kind: Service +metadata: + name: unraid +spec: + ports: + - name: https + protocol: TCP + port: 443 + targetPort: 443 + - name: tdarr + port: 8267 + protocol: TCP + targetPort: 8267 + - name: duplicati + port: 8200 + protocol: TCP + targetPort: 8200 + - name: forgejo + port: 3000 + protocol: TCP + - name: kuma + port: 3001 + protocol: TCP + targetPort: 3000 + - name: freshrss + port: 8085 + protocol: TCP + targetPort: 8085 + - name: gitlab-ssh + port: 9022 + protocol: TCP + targetPort: 9022 + - name: gitlab + port: 9443 + protocol: TCP + targetPort: 9443 + - name: minio + port: 9769 + protocol: TCP + targetPort: 9769 + - name: nextcloud + port: 11000 + protocol: TCP + targetPort: 11000 + - name: nexus + port: 8081 + protocol: TCP + targetPort: 8081 + - name: openweb-ui + port: 8089 + protocol: TCP + targetPort: 8089 + - name: plex + port: 32400 + protocol: TCP + targetPort: 32400 + - name: registry + port: 5000 + protocol: TCP + targetPort: 5000 + - name: gitlab-registry + port: 5002 + protocol: TCP + targetPort: 5002 + - name: root-vault + port: 8201 + protocol: TCP + targetPort: 8201 + - name: s3 + port: 9768 + protocol: TCP + targetPort: 9768 + - name: smokeping + port: 81 + protocol: TCP + targetPort: 81 + - name: gotify + port: 8070 + protocol: TCP + +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: unraid +subsets: + - addresses: + - ip: 192.168.21.200 + ports: + - name: https + port: 443 + protocol: TCP + - name: tdarr + port: 8267 + protocol: TCP + - name: duplicati + port: 8200 + protocol: TCP + - name: forgejo + port: 3000 + protocol: TCP + - name: kuma + port: 3001 + protocol: TCP + - name: freshrss + port: 8085 + protocol: TCP + - name: gitlab-ssh + port: 9022 + protocol: TCP + - name: gitlab + port: 9443 + protocol: TCP + - name: minio + port: 9769 + protocol: TCP + - name: nextcloud + port: 11000 + protocol: TCP + - name: nexus + port: 8081 + protocol: TCP + - name: openweb-ui + port: 8089 + protocol: TCP + - name: plex + port: 32400 + protocol: TCP + - name: registry + port: 5000 + protocol: TCP + - name: gitlab-registry + port: 5002 + protocol: TCP + - name: root-vault + port: 8201 + protocol: TCP + - name: s3 + port: 9768 + protocol: TCP + - name: smokeping + port: 81 + protocol: TCP + - name: gotify + port: 8070 + protocol: TCP + +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: ubuntu +subsets: + - addresses: + - ip: 192.168.20.104 + ports: + - name: https + port: 443 + protocol: TCP + - name: litellm + port: 4000 + protocol: TCP + - name: ollama + port: 11435 + protocol: TCP + +--- +apiVersion: v1 +kind: Service +metadata: + name: ubuntu +spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: 443 + - name: litellm + port: 4000 + protocol: TCP + targetPort: 4000 + - name: ollama + port: 11435 + protocol: TCP + targetPort: 11435 diff --git a/dmz/internalproxy/templates/forgejo.yaml b/dmz/internalproxy/templates/forgejo.yaml new file mode 100644 index 0000000..52eb710 --- /dev/null +++ b/dmz/internalproxy/templates/forgejo.yaml @@ -0,0 +1,43 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: forgejo-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`forgejo.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 3000 + scheme: http + tls: + secretName: forgejo-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: forgejo-tls +spec: + secretName: forgejo-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "forgejo.durp.info" + dnsNames: + - "forgejo.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: forgejo-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: forgejo.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/freshrss.yaml b/dmz/internalproxy/templates/freshrss.yaml new file mode 100644 index 0000000..092854c --- /dev/null +++ b/dmz/internalproxy/templates/freshrss.yaml @@ -0,0 +1,30 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: freshrss-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`freshrss.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 8085 + tls: + secretName: freshrss-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: freshrss-tls +spec: + secretName: freshrss-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "freshrss.durp.info" + dnsNames: + - "freshrss.durp.info" diff --git a/dmz/internalproxy/templates/gitlab.yaml b/dmz/internalproxy/templates/gitlab.yaml new file mode 100644 index 0000000..d64a5aa --- /dev/null +++ b/dmz/internalproxy/templates/gitlab.yaml @@ -0,0 +1,125 @@ +#apiVersion: v1 +#kind: Service +#metadata: +# name: gitlab-ssh +#spec: +# ports: +# - name: app +# port: 9022 +# protocol: TCP +# targetPort: 9022 +# clusterIP: None +# type: ClusterIP +# +#--- +#apiVersion: v1 +#kind: Endpoints +#metadata: +# name: gitlab-ssh +#subsets: +# - addresses: +# - ip: 192.168.21.200 +# ports: +# - name: app +# port: 9022 +# protocol: TCP +# +#--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRouteTCP +metadata: + name: gitlab-ssh +spec: + entryPoints: + - gitlab-ssh + routes: + - match: HostSNI(`*`) + services: + - name: unraid + port: 9022 + +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: gitlab-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`gitlab.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 9443 + scheme: https + tls: + secretName: gitlab-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: gitlab-tls +spec: + secretName: gitlab-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "gitlab.durp.info" + dnsNames: + - "gitlab.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: gitlab-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info +spec: + type: ExternalName + externalName: durp.info + +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: gitlab-registry +spec: + entryPoints: + - websecure + routes: + - match: Host(`images.durp.info`) + kind: Rule + services: + - name: unraid + port: 5002 + scheme: http + tls: + secretName: gitlab-images-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: gitlab-images-tls +spec: + secretName: gitlab-images-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "images.durp.info" + dnsNames: + - "images.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: gitlab-images-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: images.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/gotify.yaml b/dmz/internalproxy/templates/gotify.yaml new file mode 100644 index 0000000..6619aed --- /dev/null +++ b/dmz/internalproxy/templates/gotify.yaml @@ -0,0 +1,41 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: gotify-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`gotify.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 8070 + scheme: http + tls: + secretName: gotify-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: gotify-tls +spec: + secretName: gotify-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "gotify.durp.info" + dnsNames: + - "gotify.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: gotify-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: gotify.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/grafana.yaml b/dmz/internalproxy/templates/grafana.yaml new file mode 100644 index 0000000..0de1a83 --- /dev/null +++ b/dmz/internalproxy/templates/grafana.yaml @@ -0,0 +1,40 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: grafana-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`grafana.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: infra-cluster + port: 443 + tls: + secretName: grafana-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: grafana-tls +spec: + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + secretName: grafana-tls + commonName: "grafana.durp.info" + dnsNames: + - "grafana.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: grafana-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: grafana.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/invidious.yaml b/dmz/internalproxy/templates/invidious.yaml new file mode 100644 index 0000000..752db88 --- /dev/null +++ b/dmz/internalproxy/templates/invidious.yaml @@ -0,0 +1,75 @@ +#apiVersion: v1 +#kind: Service +#metadata: +# name: invidious +#spec: +# ports: +# - name: app +# port: 3000 +# protocol: TCP +# targetPort: 3000 +# clusterIP: None +# type: ClusterIP +# +#--- +# +#apiVersion: v1 +#kind: Endpoints +#metadata: +# name: invidious +#subsets: +#- addresses: +# - ip: 192.168.20.104 +# ports: +# - name: app +# port: 3000 +# protocol: TCP +# +#--- +# +#apiVersion: traefik.io/v1alpha1 +#kind: IngressRoute +#metadata: +# name: invidious-ingress +#spec: +# entryPoints: +# - websecure +# routes: +# - match: Host(`invidious.durp.info`) && PathPrefix(`/`) +# middlewares: +# - name: authentik-proxy-provider +# namespace: traefik +# kind: Rule +# services: +# - name: invidious +# port: 3000 +# tls: +# secretName: invidious-tls +# +#--- +# +#apiVersion: cert-manager.io/v1 +#kind: Certificate +#metadata: +# name: invidious-tls +#spec: +# secretName: invidious-tls +# issuerRef: +# name: letsencrypt-production +# kind: ClusterIssuer +# commonName: "invidious.durp.info" +# dnsNames: +# - "invidious.durp.info" +# +#--- +# +#kind: Service +#apiVersion: v1 +#metadata: +# name: invidious-external-dns +# annotations: +# external-dns.alpha.kubernetes.io/hostname: invidious.durp.info +#spec: +# type: ExternalName +# externalName: durp.info +# \ No newline at end of file diff --git a/dmz/internalproxy/templates/kasm.yaml b/dmz/internalproxy/templates/kasm.yaml new file mode 100644 index 0000000..7db9d75 --- /dev/null +++ b/dmz/internalproxy/templates/kasm.yaml @@ -0,0 +1,43 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: kasm-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`kasm.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: ubuntu + port: 443 + scheme: https + tls: + secretName: kasm-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: kasm-tls +spec: + secretName: kasm-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "kasm.durp.info" + dnsNames: + - "kasm.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: kasm-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: kasm.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/uptimekuma/templates/ingress.yaml b/dmz/internalproxy/templates/kuma.yaml similarity index 63% rename from uptimekuma/templates/ingress.yaml rename to dmz/internalproxy/templates/kuma.yaml index 3df2689..31b040b 100644 --- a/uptimekuma/templates/ingress.yaml +++ b/dmz/internalproxy/templates/kuma.yaml @@ -1,4 +1,4 @@ -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: kuma-ingress @@ -6,19 +6,16 @@ spec: entryPoints: - websecure routes: - - match: Host(`kuma.durp.info`) && PathPrefix(`/`) - middlewares: - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: service - port: 3001 + - match: Host(`kuma.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 3001 + scheme: http tls: secretName: kuma-tls --- - apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -30,14 +27,13 @@ spec: kind: ClusterIssuer commonName: "kuma.durp.info" dnsNames: - - "kuma.durp.info" + - "kuma.durp.info" --- - kind: Service apiVersion: v1 metadata: - name: heimdall-external-dns + name: kuma-external-dns annotations: external-dns.alpha.kubernetes.io/hostname: kuma.durp.info spec: diff --git a/dmz/internalproxy/templates/litellm.yaml b/dmz/internalproxy/templates/litellm.yaml new file mode 100644 index 0000000..11a87ac --- /dev/null +++ b/dmz/internalproxy/templates/litellm.yaml @@ -0,0 +1,42 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: litellm-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`litellm.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: ubuntu + port: 4000 + tls: + secretName: litellm-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: litellm-tls +spec: + secretName: litellm-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "litellm.durp.info" + dnsNames: + - "litellm.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: litellm-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: litellm.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/longhorn.yaml b/dmz/internalproxy/templates/longhorn.yaml new file mode 100644 index 0000000..9eeda9e --- /dev/null +++ b/dmz/internalproxy/templates/longhorn.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: longhorn-infra-ingress + annotations: + cert-manager.io/cluster-issuer: vault-issuer +spec: + entryPoints: + - websecure + routes: + - match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: authentik-proxy-provider + namespace: traefik + services: + - name: infra-cluster + port: 443 + tls: + secretName: longhorn-infra-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: longhorn-infra-tls +spec: + secretName: longhorn-infra-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "longhorn.infra.durp.info" + dnsNames: + - "longhorn.infra.durp.info" diff --git a/dmz/internalproxy/templates/minio.yaml b/dmz/internalproxy/templates/minio.yaml new file mode 100644 index 0000000..8622240 --- /dev/null +++ b/dmz/internalproxy/templates/minio.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: minio-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`minio.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: unraid + port: 9769 + scheme: http + tls: + secretName: minio-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: minio-tls +spec: + secretName: minio-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "minio.internal.durp.info" + dnsNames: + - "minio.internal.durp.info" diff --git a/dmz/internalproxy/templates/n8n.yaml b/dmz/internalproxy/templates/n8n.yaml new file mode 100644 index 0000000..adfebc7 --- /dev/null +++ b/dmz/internalproxy/templates/n8n.yaml @@ -0,0 +1,68 @@ +#apiVersion: v1 +#kind: Service +#metadata: +# name: n8n +#spec: +# ports: +# - name: app +# port: 5678 +# protocol: TCP +# targetPort: 5678 +# clusterIP: None +# type: ClusterIP +# +#--- +#apiVersion: v1 +#kind: Endpoints +#metadata: +# name: n8n +#subsets: +# - addresses: +# - ip: 192.168.21.200 +# ports: +# - name: app +# port: 5678 +# protocol: TCP +# +#--- +#apiVersion: traefik.io/v1alpha1 +#kind: IngressRoute +#metadata: +# name: n8n-ingress +#spec: +# entryPoints: +# - websecure +# routes: +# - match: Host(`n8n.durp.info`) && PathPrefix(`/`) +# kind: Rule +# services: +# - name: n8n +# port: 5678 +# scheme: http +# tls: +# secretName: n8n-tls +# +#--- +#apiVersion: cert-manager.io/v1 +#kind: Certificate +#metadata: +# name: n8n-tls +#spec: +# secretName: n8n-tls +# issuerRef: +# name: letsencrypt-production +# kind: ClusterIssuer +# commonName: "n8n.durp.info" +# dnsNames: +# - "n8n.durp.info" +# +#--- +#kind: Service +#apiVersion: v1 +#metadata: +# name: n8n-dns +# annotations: +# dns.alpha.kubernetes.io/hostname: n8n.durp.info +#spec: +# type: ExternalName +# externalName: durp.info diff --git a/dmz/internalproxy/templates/nextcloud.yaml b/dmz/internalproxy/templates/nextcloud.yaml new file mode 100644 index 0000000..77b04e5 --- /dev/null +++ b/dmz/internalproxy/templates/nextcloud.yaml @@ -0,0 +1,74 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: nextcloud-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`nextcloud.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: nextcloud-chain + services: + - name: unraid + port: 11000 + scheme: http + tls: + secretName: nextcloud-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: nextcloud-tls +spec: + secretName: nextcloud-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "nextcloud.durp.info" + dnsNames: + - "nextcloud.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: nextcloud-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: nextcloud.durp.info +spec: + type: ExternalName + externalName: durp.info + +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: nextcloud-secure-headers +spec: + headers: + hostsProxyHeaders: + - "X-Forwarded-Host" + referrerPolicy: "same-origin" + +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: https-redirect +spec: + redirectScheme: + scheme: https + +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: nextcloud-chain +spec: + chain: + middlewares: + - name: https-redirect + - name: nextcloud-secure-headers \ No newline at end of file diff --git a/internalproxy/templates/nexus.yaml b/dmz/internalproxy/templates/nexus.yaml similarity index 60% rename from internalproxy/templates/nexus.yaml rename to dmz/internalproxy/templates/nexus.yaml index 7074102..8e9ca70 100644 --- a/internalproxy/templates/nexus.yaml +++ b/dmz/internalproxy/templates/nexus.yaml @@ -1,33 +1,4 @@ -apiVersion: v1 -kind: Service -metadata: - name: nexus -spec: - ports: - - name: app - port: 8081 - protocol: TCP - targetPort: 8081 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: nexus -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 8081 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: nexus-ingress @@ -38,7 +9,7 @@ spec: - match: Host(`nexus.durp.info`) && PathPrefix(`/`) kind: Rule services: - - name: nexus + - name: unraid port: 8081 tls: secretName: nexus-tls @@ -68,4 +39,4 @@ metadata: external-dns.alpha.kubernetes.io/hostname: nexus.durp.info spec: type: ExternalName - externalName: durp.info \ No newline at end of file + externalName: durp.info diff --git a/dmz/internalproxy/templates/ollama.yaml b/dmz/internalproxy/templates/ollama.yaml new file mode 100644 index 0000000..f03ca52 --- /dev/null +++ b/dmz/internalproxy/templates/ollama.yaml @@ -0,0 +1,69 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: ollama-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: ollama-secret + data: + - secretKey: users + remoteRef: + key: kv/ollama + property: users + +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: ollama-basic-auth +spec: + basicAuth: + headerField: x-api-key + secret: ollama-secret + +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: ollama-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`ollama.durp.info`) && PathPrefix(`/`) + middlewares: + - name: ollama-basic-auth + kind: Rule + services: + - name: ubuntu + port: 11435 + tls: + secretName: ollama-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ollama-tls +spec: + secretName: ollama-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "ollama.durp.info" + dnsNames: + - "ollama.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: ollama-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: ollama.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/open-webui.yaml b/dmz/internalproxy/templates/open-webui.yaml new file mode 100644 index 0000000..f3e7f89 --- /dev/null +++ b/dmz/internalproxy/templates/open-webui.yaml @@ -0,0 +1,41 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: open-webui-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`open-webui.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 8089 + scheme: http + tls: + secretName: open-webui-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: open-webui-tls +spec: + secretName: open-webui-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "open-webui.durp.info" + dnsNames: + - "open-webui.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: open-webui-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: open-webui.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/plex.yaml b/dmz/internalproxy/templates/plex.yaml new file mode 100644 index 0000000..7fbc5f8 --- /dev/null +++ b/dmz/internalproxy/templates/plex.yaml @@ -0,0 +1,41 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: plex-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`plex.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 32400 + scheme: https + tls: + secretName: plex-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: plex-tls +spec: + secretName: plex-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "plex.durp.info" + dnsNames: + - "plex.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: plex-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: plex.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/portainer.yaml b/dmz/internalproxy/templates/portainer.yaml new file mode 100644 index 0000000..ae89690 --- /dev/null +++ b/dmz/internalproxy/templates/portainer.yaml @@ -0,0 +1,33 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: portainer-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`portainer.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: infra-cluster + port: 443 + tls: + secretName: portainer-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: portainer-tls +spec: + secretName: portainer-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "portainer.internal.durp.info" + dnsNames: + - "portainer.internal.durp.info" diff --git a/dmz/internalproxy/templates/proxmox.yaml b/dmz/internalproxy/templates/proxmox.yaml new file mode 100644 index 0000000..14d301d --- /dev/null +++ b/dmz/internalproxy/templates/proxmox.yaml @@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: proxmox +spec: + ports: + - name: app + port: 8006 + protocol: TCP + targetPort: 8006 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: proxmox +subsets: + - addresses: + - ip: 192.168.21.254 + ports: + - name: app + port: 8006 + protocol: TCP + +--- + +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: proxmox-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`proxmox.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: proxmox + port: 8006 + scheme: https + tls: + secretName: proxmox-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: proxmox-tls +spec: + secretName: proxmox-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "proxmox.internal.durp.info" + dnsNames: + - "proxmox.internal.durp.info" diff --git a/dmz/internalproxy/templates/redlib.yaml b/dmz/internalproxy/templates/redlib.yaml new file mode 100644 index 0000000..43b54fb --- /dev/null +++ b/dmz/internalproxy/templates/redlib.yaml @@ -0,0 +1,74 @@ +#apiVersion: v1 +#kind: Service +#metadata: +# name: redlib +#spec: +# ports: +# - name: app +# port: 8082 +# protocol: TCP +# targetPort: 8082 +# clusterIP: None +# type: ClusterIP +# +#--- +# +#apiVersion: v1 +#kind: Endpoints +#metadata: +# name: redlib +#subsets: +#- addresses: +# - ip: 192.168.21.200 +# ports: +# - name: app +# port: 8082 +# protocol: TCP +# +#--- +# +#apiVersion: traefik.io/v1alpha1 +#kind: IngressRoute +#metadata: +# name: redlib-ingress +#spec: +# entryPoints: +# - websecure +# routes: +# - match: Host(`redlib.durp.info`) && PathPrefix(`/`) +# middlewares: +# - name: authentik-proxy-provider +# namespace: traefik +# kind: Rule +# services: +# - name: redlib +# port: 8082 +# tls: +# secretName: redlib-tls +# +#--- +# +#apiVersion: cert-manager.io/v1 +#kind: Certificate +#metadata: +# name: redlib-tls +#spec: +# secretName: redlib-tls +# issuerRef: +# name: letsencrypt-production +# kind: ClusterIssuer +# commonName: "redlib.durp.info" +# dnsNames: +# - "redlib.durp.info" +# +#--- +# +#kind: Service +#apiVersion: v1 +#metadata: +# name: redlib-external-dns +# annotations: +# external-dns.alpha.kubernetes.io/hostname: redlib.durp.info +#spec: +# type: ExternalName +# externalName: durp.info diff --git a/dmz/internalproxy/templates/registry.yaml b/dmz/internalproxy/templates/registry.yaml new file mode 100644 index 0000000..b9b6ed4 --- /dev/null +++ b/dmz/internalproxy/templates/registry.yaml @@ -0,0 +1,43 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: registry-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`registry.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: whitelist + namespace: traefik + services: + - name: unraid + port: 5000 + tls: + secretName: registry-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: registry-tls +spec: + secretName: registry-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "registry.durp.info" + dnsNames: + - "registry.durp.info" + +--- +#kind: Service +#apiVersion: v1 +#metadata: +# name: registry-external-dns +# annotations: +# external-dns.alpha.kubernetes.io/hostname: registry.durp.info +#spec: +# type: ExternalName +# externalName: durp.info diff --git a/dmz/internalproxy/templates/root-vault.yaml b/dmz/internalproxy/templates/root-vault.yaml new file mode 100644 index 0000000..76d4b94 --- /dev/null +++ b/dmz/internalproxy/templates/root-vault.yaml @@ -0,0 +1,33 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: root-vault-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`root-vault.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: unraid + port: 8201 + scheme: https + tls: + secretName: root-vault-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: root-vault-tls +spec: + secretName: root-vault-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "root-vault.internal.durp.info" + dnsNames: + - "root-vault.internal.durp.info" diff --git a/dmz/internalproxy/templates/s3.yaml b/dmz/internalproxy/templates/s3.yaml new file mode 100644 index 0000000..5bf203e --- /dev/null +++ b/dmz/internalproxy/templates/s3.yaml @@ -0,0 +1,80 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: s3-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`s3.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: unraid + port: 9768 + scheme: http + tls: + secretName: s3-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: s3-tls +spec: + secretName: s3-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "s3.internal.durp.info" + dnsNames: + - "s3.internal.durp.info" + +--- + +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: s3-ingress-external +spec: + entryPoints: + - websecure + routes: + - match: Host(`s3.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: unraid + port: 9768 + scheme: http + tls: + secretName: s3-external-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: s3-external-tls +spec: + secretName: s3-external-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "s3.durp.info" + dnsNames: + - "s3.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: s3-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: s3.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/semaphore.yaml b/dmz/internalproxy/templates/semaphore.yaml new file mode 100644 index 0000000..145d1ca --- /dev/null +++ b/dmz/internalproxy/templates/semaphore.yaml @@ -0,0 +1,65 @@ +# +#apiVersion: v1 +#kind: Service +#metadata: +# name: semaphore +#spec: +# ports: +# - name: app +# port: 3001 +# protocol: TCP +# targetPort: 3001 +# clusterIP: None +# type: ClusterIP +# +#--- +# +#apiVersion: v1 +#kind: Endpoints +#metadata: +# name: semaphore +#subsets: +# - addresses: +# - ip: 192.168.21.200 +# ports: +# - name: app +# port: 3001 +# protocol: TCP +# +#--- +# +#apiVersion: traefik.io/v1alpha1 +#kind: IngressRoute +#metadata: +# name: semaphore-ingress +#spec: +# entryPoints: +# - websecure +# routes: +# - match: Host(`semaphore.internal.durp.info`) && PathPrefix(`/`) +# middlewares: +# - name: whitelist +# namespace: traefik +# kind: Rule +# services: +# - name: semaphore +# port: 3001 +# scheme: http +# tls: +# secretName: semaphore-tls +# +#--- +# +#apiVersion: cert-manager.io/v1 +#kind: Certificate +#metadata: +# name: semaphore-tls +#spec: +# secretName: semaphore-tls +# issuerRef: +# name: vault-issuer +# kind: ClusterIssuer +# commonName: "semaphore.internal.durp.info" +# dnsNames: +# - "semaphore.internal.durp.info" +# \ No newline at end of file diff --git a/dmz/internalproxy/templates/serviceaccount.yaml b/dmz/internalproxy/templates/serviceaccount.yaml new file mode 100644 index 0000000..ddac6a5 --- /dev/null +++ b/dmz/internalproxy/templates/serviceaccount.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/internalproxy/templates/smokeping.yaml b/dmz/internalproxy/templates/smokeping.yaml similarity index 56% rename from internalproxy/templates/smokeping.yaml rename to dmz/internalproxy/templates/smokeping.yaml index 8a76738..9808876 100644 --- a/internalproxy/templates/smokeping.yaml +++ b/dmz/internalproxy/templates/smokeping.yaml @@ -1,33 +1,4 @@ -apiVersion: v1 -kind: Service -metadata: - name: smokeping -spec: - ports: - - name: app - port: 81 - protocol: TCP - targetPort: 81 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: smokeping -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 81 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: smokeping-ingress @@ -43,19 +14,12 @@ spec: namespace: traefik kind: Rule services: - - name: smokeping + - name: unraid port: 81 - - match: Host(`smokeping.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) - kind: Rule - services: - - name: ak-outpost-authentik-embedded-outpost - namespace: authentik - port: 9000 tls: secretName: smokeping-tls --- - apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -70,7 +34,6 @@ spec: - "smokeping.durp.info" --- - kind: Service apiVersion: v1 metadata: @@ -79,4 +42,4 @@ metadata: external-dns.alpha.kubernetes.io/hostname: smokeping.durp.info spec: type: ExternalName - externalName: durp.info \ No newline at end of file + externalName: durp.info diff --git a/dmz/internalproxy/templates/speedtest.yaml b/dmz/internalproxy/templates/speedtest.yaml new file mode 100644 index 0000000..c75d3a6 --- /dev/null +++ b/dmz/internalproxy/templates/speedtest.yaml @@ -0,0 +1,74 @@ +#apiVersion: v1 +#kind: Service +#metadata: +# name: speedtest +#spec: +# ports: +# - name: app +# port: 6580 +# protocol: TCP +# targetPort: 6580 +# clusterIP: None +# type: ClusterIP +# +#--- +# +#apiVersion: v1 +#kind: Endpoints +#metadata: +# name: speedtest +#subsets: +#- addresses: +# - ip: 192.168.21.200 +# ports: +# - name: app +# port: 6580 +# protocol: TCP +# +#--- +# +#apiVersion: traefik.io/v1alpha1 +#kind: IngressRoute +#metadata: +# name: speedtest-ingress +#spec: +# entryPoints: +# - websecure +# routes: +# - match: Host(`speedtest.durp.info`) && PathPrefix(`/`) +# kind: Rule +# middlewares: +# - name: authentik-proxy-provider +# namespace: traefik +# services: +# - name: speedtest +# port: 6580 +# tls: +# secretName: speedtest-tls +# +#--- +# +#apiVersion: cert-manager.io/v1 +#kind: Certificate +#metadata: +# name: speedtest-tls +#spec: +# secretName: speedtest-tls +# issuerRef: +# name: letsencrypt-production +# kind: ClusterIssuer +# commonName: "speedtest.durp.info" +# dnsNames: +# - "speedtest.durp.info" +# +#--- +# +#kind: Service +#apiVersion: v1 +#metadata: +# name: speedtest-external-dns +# annotations: +# external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info +#spec: +# type: ExternalName +# externalName: durp.info diff --git a/internalproxy/templates/tdarr.yaml b/dmz/internalproxy/templates/tdarr.yaml similarity index 61% rename from internalproxy/templates/tdarr.yaml rename to dmz/internalproxy/templates/tdarr.yaml index c4403b9..35b9485 100644 --- a/internalproxy/templates/tdarr.yaml +++ b/dmz/internalproxy/templates/tdarr.yaml @@ -1,33 +1,4 @@ -apiVersion: v1 -kind: Service -metadata: - name: tdarr -spec: - ports: - - name: app - port: 8267 - protocol: TCP - targetPort: 8267 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: tdarr -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 8267 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: tdarr-ingress @@ -45,7 +16,7 @@ spec: namespace: traefik kind: Rule services: - - name: tdarr + - name: unraid port: 8267 scheme: http tls: @@ -60,7 +31,7 @@ metadata: spec: secretName: tdarr-tls issuerRef: - name: letsencrypt-production + name: vault-issuer kind: ClusterIssuer commonName: "tdarr.internal.durp.info" dnsNames: diff --git a/dmz/internalproxy/templates/unifi.yaml b/dmz/internalproxy/templates/unifi.yaml new file mode 100644 index 0000000..d33a8af --- /dev/null +++ b/dmz/internalproxy/templates/unifi.yaml @@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Service +metadata: + name: unifi +spec: + ports: + - name: app + port: 443 + protocol: TCP + targetPort: 443 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: unifi +subsets: + - addresses: + - ip: 192.168.98.1 + ports: + - name: app + port: 443 + protocol: TCP + +--- + +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: unifi-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`unifi.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: unifi + port: 443 + scheme: https + tls: + secretName: unifi-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: unifi-tls +spec: + secretName: unifi-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "unifi.internal.durp.info" + dnsNames: + - "unifi.internal.durp.info" diff --git a/dmz/internalproxy/templates/unraid.yaml b/dmz/internalproxy/templates/unraid.yaml new file mode 100644 index 0000000..10e1015 --- /dev/null +++ b/dmz/internalproxy/templates/unraid.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: unraid-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`unraid.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: unraid + port: 443 + scheme: https + tls: + secretName: unraid-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: unraid-tls +spec: + secretName: unraid-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "unraid.internal.durp.info" + dnsNames: + - "unraid.internal.durp.info" diff --git a/dmz/istio-system/Chart.yaml b/dmz/istio-system/Chart.yaml new file mode 100644 index 0000000..dfc92b1 --- /dev/null +++ b/dmz/istio-system/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v2 +name: istio-system +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: + - name: base + repository: https://istio-release.storage.googleapis.com/charts + version: 1.29.0 + - name: istiod + repository: https://istio-release.storage.googleapis.com/charts + version: 1.26.2 + - name: gateway + repository: https://istio-release.storage.googleapis.com/charts + version: 1.26.2 \ No newline at end of file diff --git a/dmz/istio-system/templates/annotate.yaml b/dmz/istio-system/templates/annotate.yaml new file mode 100644 index 0000000..620b2af --- /dev/null +++ b/dmz/istio-system/templates/annotate.yaml @@ -0,0 +1,14 @@ +#apiVersion: v1 +#kind: Namespace +#metadata: +# annotations: +# topology.istio.io/controlPlaneClusters: cluster1 +# labels: +# kubernetes.io/metadata.name: istio-system +# name: istio-system +#spec: +# finalizers: +# - kubernetes +#status: +# phase: Active +# \ No newline at end of file diff --git a/dmz/istio-system/templates/expose.yaml b/dmz/istio-system/templates/expose.yaml new file mode 100644 index 0000000..eb693e0 --- /dev/null +++ b/dmz/istio-system/templates/expose.yaml @@ -0,0 +1,16 @@ +apiVersion: networking.istio.io/v1 +kind: Gateway +metadata: + name: cross-network-gateway +spec: + selector: + istio: eastwestgateway + servers: + - port: + number: 15443 + name: tls + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - "*.local" diff --git a/dmz/istio-system/values.yaml b/dmz/istio-system/values.yaml new file mode 100644 index 0000000..5778ed0 --- /dev/null +++ b/dmz/istio-system/values.yaml @@ -0,0 +1,10 @@ +istiod: + global: + network: network2 + meshID: mesh1 + multiCluster: + clusterName: dmz + +gateway: + name: istio-eastwestgateway + networkGateway: network2 \ No newline at end of file diff --git a/dmz/littlelink/Chart.yaml b/dmz/littlelink/Chart.yaml new file mode 100644 index 0000000..e69de29 diff --git a/dmz/littlelink/templates/deployment.yaml b/dmz/littlelink/templates/deployment.yaml new file mode 100644 index 0000000..6d31068 --- /dev/null +++ b/dmz/littlelink/templates/deployment.yaml @@ -0,0 +1,101 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: littlelink + name: littlelink + labels: + app: littlelink +spec: + selector: + matchLabels: + app: littlelink + replicas: 1 + template: + metadata: + labels: + app: littlelink + spec: + containers: + - name: littlelink + image: registry.durp.info/techno-tim/littlelink-server:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthcheck + port: 3000 + readinessProbe: + httpGet: + path: /healthcheck + port: 3000 + env: + - name: META_TITLE + value: DeveloperDurp + - name: META_DESCRIPTION + value: The Durpy Developer + - name: META_AUTHOR + value: DeveloperDurp + - name: LANG + value: en + - name: META_INDEX_STATUS + value: all + - name: OG_TITLE + value: DeveloperDurp + - name: OG_DESCRIPTION + value: DeveloperDurp + - name: OG_URL + value: https://gitlab.com/developerdurp + - name: OG_IMAGE + value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png + - name : OG_IMAGE_WIDTH + value: "400" + - name : OG_IMAGE_HEIGHT + value: "400" + - name : THEME + value: Dark + - name : FAVICON_URL + value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png + - name : AVATAR_URL + value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png + - name : AVATAR_2X_URL + value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png + - name : AVATAR_ALT + value: DeveloperDurp Profile Pic + - name : NAME + value: DeveloperDurp + - name : BIO + value: Sup Nerd, + - name : BUTTON_ORDER + value: GITHUB,GITLAB,YOUTUBE,INSTAGRAM,TWITTER,BLUESKY,COFFEE,EMAIL + - name : TWITTER + value: https://twitter.com/developerdurp + - name : GITHUB + value: https://github.com/DeveloperDurp + - name: INSTAGRAM + value: https://instagram.com/developerdurp + - name : GITLAB + value: https://gitlab.com/developerdurp + - name: YOUTUBE + value: https://www.youtube.com/channel/UC1rGa6s6kER_gLpIQsxeMVQ + - name : EMAIL + value: DeveloperDurp@durp.info + - name : EMAIL_TEXT + value: DeveloperDurp@durp.info + - name : FOOTER + value: DeveloperDurp © 2022 + - name: CUSTOM_BUTTON_TEXT + value: BuyMeACoffee,BlueSky + - name: CUSTOM_BUTTON_URL + value: https://www.buymeacoffee.com/DeveloperDurp,https://bsky.app/profile/durp.info + - name: CUSTOM_BUTTON_COLOR + value: '#ffdd00,#1185fe' + - name: CUSTOM_BUTTON_TEXT_COLOR + value: '#000000,#FFFFFF' + - name: CUSTOM_BUTTON_ALT_TEXT + value: Support,BlueSky + - name: CUSTOM_BUTTON_NAME + value: COFFEE,BLUESKY + - name: CUSTOM_BUTTON_ICON + value: fa-solid fa-cup-togo + ports: + - name: http + containerPort: 3000 diff --git a/dmz/littlelink/templates/ingress.yaml b/dmz/littlelink/templates/ingress.yaml new file mode 100644 index 0000000..9590fc5 --- /dev/null +++ b/dmz/littlelink/templates/ingress.yaml @@ -0,0 +1,42 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: littlelink-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`links.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: littlelink + port: 80 + tls: + secretName: littlelink-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: littlelink-tls +spec: + secretName: littlelink-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "links.durp.info" + dnsNames: + - "links.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: links-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: links.durp.info +spec: + type: ExternalName + externalName: durp.info \ No newline at end of file diff --git a/dmz/littlelink/templates/service.yaml b/dmz/littlelink/templates/service.yaml new file mode 100644 index 0000000..445d527 --- /dev/null +++ b/dmz/littlelink/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: littlelink +spec: + ports: + - name: http + port: 80 + targetPort: 3000 + protocol: TCP + selector: + app: littlelink \ No newline at end of file diff --git a/longhorn/Chart.yaml b/dmz/longhorn/Chart.yaml similarity index 92% rename from longhorn/Chart.yaml rename to dmz/longhorn/Chart.yaml index b7b6417..c699fa5 100644 --- a/longhorn/Chart.yaml +++ b/dmz/longhorn/Chart.yaml @@ -9,4 +9,4 @@ appVersion: "1.16.0" dependencies: - name: longhorn repository: https://charts.longhorn.io - version: 1.3.2 + version: 1.9.0 diff --git a/dmz/longhorn/templates/ingress.yaml b/dmz/longhorn/templates/ingress.yaml new file mode 100644 index 0000000..7067a2d --- /dev/null +++ b/dmz/longhorn/templates/ingress.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: longhorn-ingress + annotations: + cert-manager.io/cluster-issuer: vault-issuer +spec: + entryPoints: + - websecure + routes: + - match: Host(`longhorn.dmz.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: authentik-proxy-provider + namespace: traefik + services: + - name: longhorn-frontend + port: 80 + tls: + secretName: longhorn-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: longhorn-tls +spec: + secretName: longhorn-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "longhorn.dmz.durp.info" + dnsNames: + - "longhorn.dmz.durp.info" diff --git a/longhorn/templates/secrets.yaml b/dmz/longhorn/templates/secrets.yaml similarity index 70% rename from longhorn/templates/secrets.yaml rename to dmz/longhorn/templates/secrets.yaml index c10ab89..e3d18af 100644 --- a/longhorn/templates/secrets.yaml +++ b/dmz/longhorn/templates/secrets.yaml @@ -1,5 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault -apiVersion: external-secrets.io/v1beta1 +--- + +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: external-longhorn-backup-token-secret @@ -12,13 +18,13 @@ spec: data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: - key: secrets/longhorn/backup + key: kv/longhorn/backup property: AWS_ACCESS_KEY_ID - secretKey: AWS_ENDPOINTS remoteRef: - key: secrets/longhorn/backup + key: kv/longhorn/backup property: AWS_ENDPOINTS - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: - key: secrets/longhorn/backup + key: kv/longhorn/backup property: AWS_SECRET_ACCESS_KEY diff --git a/longhorn/values.yaml b/dmz/longhorn/values.yaml similarity index 66% rename from longhorn/values.yaml rename to dmz/longhorn/values.yaml index 5343300..e34a1ee 100644 --- a/longhorn/values.yaml +++ b/dmz/longhorn/values.yaml @@ -1,8 +1,4 @@ longhorn: - - # Default values for longhorn. - # This is a YAML-formatted file. - # Declare variables to be passed into your templates. global: cattle: systemDefaultRegistry: "" @@ -49,7 +45,7 @@ longhorn: defaultFsType: ext4 defaultClassReplicaCount: 3 defaultDataLocality: disabled # best-effort otherwise - reclaimPolicy: Retain + reclaimPolicy: Delete migratable: false recurringJobSelector: enable: true @@ -57,7 +53,7 @@ longhorn: { "name":"backup", "task":"backup", - "cron":"0 */6 * * *", + "cron":"0 0 * * *", "retain":24 } ]' @@ -76,7 +72,7 @@ longhorn: snapshotterReplicaCount: ~ defaultSettings: - backupTarget: S3://longhorn@us-east-1/ + backupTarget: S3://longhorn-master@us-east-1/ backupTargetCredentialSecret: longhorn-backup-token-secret allowRecurringJobWhileVolumeDetached: ~ createDefaultDiskLabeledNodes: ~ @@ -181,65 +177,8 @@ longhorn: # ingress: - ## Set to true to enable ingress record generation enabled: false - ## Add ingressClassName to the Ingress - ## Can replace the kubernetes.io/ingress.class annotation on v1.18+ - ingressClassName: nginx - - host: longhorn.internal.durp.info - - ## Set this to true in order to enable TLS on the ingress record - ## A side effect of this will be that the backend service will be connected at port 443 - tls: - - secretName: longhorn-tls - hosts: - - longhorn.internal.durp.info - - ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS - tlsSecret: longhorn-tls - - ## If ingress is enabled you can set the default ingress path - ## then you can access the UI by using the following full path {{host}}+{{path}} - path: / - - ## Ingress annotations done as key:value pairs - ## If you're using kube-lego, you will want to add: - ## kubernetes.io/tls-acme: true - ## - ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md - ## - ## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set - annotations: - cert-manager.io/cluster-issuer: letsencrypt-production - nginx.ingress.kubernetes.io/auth-url: |- - http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx - nginx.ingress.kubernetes.io/auth-signin: |- - https://longhorn.internal.durp.info/outpost.goauthentik.io/start?rd=$escaped_request_uri - nginx.ingress.kubernetes.io/auth-response-headers: |- - Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Host $http_host; - - secrets: - ## If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using kube-lego, this is unneeded, as it will create the secret for you if it is not set - ## - ## It is also possible to create and manage the certificates outside of this helm chart - ## Please see README.md for more information - # - name: longhorn.local-tls - # key: - # certificate: - - # Configure a pod security policy in the Longhorn namespace to allow privileged pods - enablePSP: true - ## Specify override namespace, specifically this is useful for using longhorn as sub-chart ## and its release namespace is not the `longhorn-system` namespaceOverride: "" diff --git a/dmz/metallb-system/Chart.yaml b/dmz/metallb-system/Chart.yaml new file mode 100644 index 0000000..c92e842 --- /dev/null +++ b/dmz/metallb-system/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: metallb-system +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: +- name: metallb + repository: https://metallb.github.io/metallb + version: 0.15.2 diff --git a/dmz/metallb-system/templates/config.yaml b/dmz/metallb-system/templates/config.yaml new file mode 100644 index 0000000..f08a885 --- /dev/null +++ b/dmz/metallb-system/templates/config.yaml @@ -0,0 +1,17 @@ +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: cheap +spec: + addresses: + - 192.168.98.130-192.168.98.140 +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: pool + namespace: metallb-system +spec: + ipAddressPools: + - cheap + diff --git a/dmz/metallb-system/values.yaml b/dmz/metallb-system/values.yaml new file mode 100644 index 0000000..e69de29 diff --git a/dmz/openspeedtest/Chart.yaml b/dmz/openspeedtest/Chart.yaml new file mode 100644 index 0000000..c8f712e --- /dev/null +++ b/dmz/openspeedtest/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: openspeedtest +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" diff --git a/dmz/openspeedtest/templates/deployment.yaml b/dmz/openspeedtest/templates/deployment.yaml new file mode 100644 index 0000000..062de32 --- /dev/null +++ b/dmz/openspeedtest/templates/deployment.yaml @@ -0,0 +1,33 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: openspeedtest + name: openspeedtest + labels: + app: openspeedtest +spec: + selector: + matchLabels: + app: openspeedtest + replicas: 1 + template: + metadata: + labels: + app: openspeedtest + spec: + containers: + - name: openspeedtest + image: registry.durp.info/openspeedtest/latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: / + port: 3000 + readinessProbe: + httpGet: + path: / + port: 3000 + env: + ports: + - name: http + containerPort: 3000 diff --git a/internalproxy/templates/speedtest.yaml b/dmz/openspeedtest/templates/ingress.yaml similarity index 50% rename from internalproxy/templates/speedtest.yaml rename to dmz/openspeedtest/templates/ingress.yaml index e034917..063a751 100644 --- a/internalproxy/templates/speedtest.yaml +++ b/dmz/openspeedtest/templates/ingress.yaml @@ -1,36 +1,7 @@ -apiVersion: v1 -kind: Service -metadata: - name: speedtest -spec: - ports: - - name: app - port: 6580 - protocol: TCP - targetPort: 6580 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: speedtest -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 6580 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: - name: speedtest-ingress + name: openspeedtest-ingress spec: entryPoints: - websecure @@ -39,21 +10,22 @@ spec: kind: Rule middlewares: - name: authentik-proxy-provider - namespace: traefik + namespace: traefik + - name: limit-buffering services: - - name: speedtest - port: 6580 + - name: openspeedtest + port: 3000 tls: - secretName: speedtest-tls + secretName: openspeedtest-tls --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: speedtest-tls + name: openspeedtest-tls spec: - secretName: speedtest-tls + secretName: openspeedtest-tls issuerRef: name: letsencrypt-production kind: ClusterIssuer @@ -66,9 +38,19 @@ spec: kind: Service apiVersion: v1 metadata: - name: speedtest-external-dns + name: openspeedtest-external-dns annotations: external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info spec: type: ExternalName - externalName: durp.info \ No newline at end of file + externalName: durp.info + +--- + +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: limit-buffering +spec: + buffering: + maxRequestBodyBytes: 10000000000 diff --git a/dmz/openspeedtest/templates/service.yaml b/dmz/openspeedtest/templates/service.yaml new file mode 100644 index 0000000..c31f9b5 --- /dev/null +++ b/dmz/openspeedtest/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: openspeedtest +spec: + ports: + - name: http + port: 3000 + targetPort: 3000 + protocol: TCP + selector: + app: openspeedtest diff --git a/uptimekuma/Chart.yaml b/dmz/redlib/Chart.yaml similarity index 86% rename from uptimekuma/Chart.yaml rename to dmz/redlib/Chart.yaml index 0dcf730..ef0a939 100644 --- a/uptimekuma/Chart.yaml +++ b/dmz/redlib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: uptimekuma +name: redlib description: A Helm chart for Kubernetes type: application diff --git a/dmz/redlib/templates/deployment.yaml b/dmz/redlib/templates/deployment.yaml new file mode 100644 index 0000000..c09a144 --- /dev/null +++ b/dmz/redlib/templates/deployment.yaml @@ -0,0 +1,33 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: redlib + name: redlib + labels: + app: redlib +spec: + selector: + matchLabels: + app: redlib + replicas: 1 + template: + metadata: + labels: + app: redlib + spec: + containers: + - name: redlib + image: registry.durp.info/redlib/redlib:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: / + port: 8080 + readinessProbe: + httpGet: + path: / + port: 8080 + env: + ports: + - name: http + containerPort: 8080 diff --git a/dmz/redlib/templates/ingress.yaml b/dmz/redlib/templates/ingress.yaml new file mode 100644 index 0000000..b2cc4e3 --- /dev/null +++ b/dmz/redlib/templates/ingress.yaml @@ -0,0 +1,43 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: redlib-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`redlib.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: authentik-proxy-provider + namespace: traefik + services: + - name: redlib + port: 8080 + tls: + secretName: redlib-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: redlib-tls +spec: + secretName: redlib-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "redlib.durp.info" + dnsNames: + - "redlib.durp.info" + +--- +kind: Service +apiVersion: v1 +metadata: + name: redlib-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: redlib.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/redlib/templates/service.yaml b/dmz/redlib/templates/service.yaml new file mode 100644 index 0000000..36c50c5 --- /dev/null +++ b/dmz/redlib/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: redlib +spec: + ports: + - name: http + port: 8080 + targetPort: 8080 + protocol: TCP + selector: + app: redlib diff --git a/dmz/redlib/values.yaml b/dmz/redlib/values.yaml new file mode 100644 index 0000000..e69de29 diff --git a/dmz/searxng/Chart.yaml b/dmz/searxng/Chart.yaml new file mode 100644 index 0000000..263432f --- /dev/null +++ b/dmz/searxng/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: latest +description: SearXNG is a free internet metasearch engine which aggregates results from various search services and databases. +name: searxng +version: 1.0.1 +#dependencies: +# - name: common +# repository: https://library-charts.k8s-at-home.com +# version: 4.4.2 +# \ No newline at end of file diff --git a/dmz/searxng/templates/confligmap.yaml b/dmz/searxng/templates/confligmap.yaml new file mode 100644 index 0000000..edc1ca6 --- /dev/null +++ b/dmz/searxng/templates/confligmap.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: searxng-config +data: + settings.yml: |- + use_default_settings: true + search: + formats: + - html + - json diff --git a/dmz/searxng/templates/deployment.yaml b/dmz/searxng/templates/deployment.yaml new file mode 100644 index 0000000..e1677ed --- /dev/null +++ b/dmz/searxng/templates/deployment.yaml @@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: searxng + name: searxng + labels: + app: searxng +spec: + selector: + matchLabels: + app: searxng + replicas: 1 + template: + metadata: + labels: + app: searxng + spec: + containers: + - name: searxng + image: registry.durp.info/searxng/searxng:latest + imagePullPolicy: Always + ports: + - name: http + containerPort: 8080 + env: + - name: SEARXNG_BASE_URL + value: https://searxng.durp.info + - name: SEARXNG_SECRET + valueFrom: + secretKeyRef: + name: searxng-secret + key: SEARXNG_SECRET + volumeMounts: + - name: searxng-config-volume + mountPath: /etc/searxng/settings.yml + subPath: settings.yml + volumes: + - name: searxng-config-volume + configMap: + name: searxng-config diff --git a/dmz/searxng/templates/ingress.yaml b/dmz/searxng/templates/ingress.yaml new file mode 100644 index 0000000..ab8b641 --- /dev/null +++ b/dmz/searxng/templates/ingress.yaml @@ -0,0 +1,76 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: searxng-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`searxng.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + - name: authentik-proxy-provider + namespace: traefik + services: + - name: searxng-service + port: 8080 + tls: + secretName: searxng-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: searxng-tls +spec: + secretName: searxng-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "searxng.durp.info" + dnsNames: + - "searxng.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: searxng-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: searxng.durp.info +spec: + type: ExternalName + externalName: durp.info + +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: searxng-internal-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`searxng.internal.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: searxng-service + port: 8080 + tls: + secretName: searxng-internal-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: searxng-internal-tls +spec: + secretName: searxng-internal-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "searxng.internal.durp.info" + dnsNames: + - "searxng.internal.durp.info" diff --git a/dmz/searxng/templates/secret.yaml b/dmz/searxng/templates/secret.yaml new file mode 100644 index 0000000..6d4781b --- /dev/null +++ b/dmz/searxng/templates/secret.yaml @@ -0,0 +1,23 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: searxng-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: searxng-secret + data: + - secretKey: SEARXNG_SECRET + remoteRef: + key: kv/searxng + property: searxng-secret + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + diff --git a/dmz/searxng/templates/service.yaml b/dmz/searxng/templates/service.yaml new file mode 100644 index 0000000..8498428 --- /dev/null +++ b/dmz/searxng/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: searxng-service +spec: + ports: + - name: http + port: 8080 + targetPort: 8080 + protocol: TCP + selector: + app: searxng diff --git a/dmz/searxng/values.yaml b/dmz/searxng/values.yaml new file mode 100644 index 0000000..0f92a3b --- /dev/null +++ b/dmz/searxng/values.yaml @@ -0,0 +1,83 @@ +# +# IMPORTANT NOTE +# +# This chart inherits from our common library chart. You can check the default values/options here: +# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml +# + +image: + # -- image repository + repository: registry.durp.info/searxng/searxng + # -- image tag + tag: latest + # -- image pull policy + pullPolicy: Always + +# Explanation about each environment variables here: +# https://docs.searxng.org/admin/installation-docker.html#command-line +env: + INSTANCE_NAME: "durp.info" + BASE_URL: "https://searx.durp.info" + AUTOCOMPLETE: "false" + # MORTY_URL: "http://morty:8080" + # MORTY_KEY: "mysecretkey" + # BIND_ADDRESS: "0.0.0.0:8080" + +controller: + strategy: "RollingUpdate" + +# -- Configures service settings for the chart. +# @default -- See values.yaml +service: + main: + ports: + http: + port: 8080 + +# -- Configure persistence settings for the chart under this key. +# @default -- See values.yaml +persistence: + config: + enabled: false + +ingress: + # -- Enable and configure ingress settings for the chart under this key. + # @default -- See values.yaml + main: + enabled: false + +searxng: + config: + use_default_settings: true + #server: + # secret_key: pleasechangeme + # Uncomment when using the builtin rate limiter + # See https://docs.searxng.org/src/searx.plugins.limiter.html#limiter-plugin + # server.limiter: true + # redis.url: redis://@searxng-redis:6379/0 + +probes: + readiness: + custom: true + spec: + httpGet: + path: /healthz + port: 8080 + liveness: + custom: true + spec: + httpGet: + path: /healthz + port: 8080 + startup: + custom: true + spec: + httpGet: + path: /healthz + port: 8080 + +# Enable when using searxng builtin rate limiter +# Values: https://github.com/pascaliske/helm-charts/tree/master/charts/redis +redis: + enabled: false + \ No newline at end of file diff --git a/dmz/traefik/Chart.yaml b/dmz/traefik/Chart.yaml new file mode 100644 index 0000000..1df1d76 --- /dev/null +++ b/dmz/traefik/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: traefik +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: traefik + repository: https://traefik.github.io/charts + version: 34.5.0 diff --git a/dmz/traefik/templates/config.yaml b/dmz/traefik/templates/config.yaml new file mode 100644 index 0000000..06a9d11 --- /dev/null +++ b/dmz/traefik/templates/config.yaml @@ -0,0 +1,16 @@ +#apiVersion: v1 +#kind: ConfigMap +#metadata: +# name: traefik-configmap +#data: +# config.yml: | +# http: +# routers: +# router0: +# service: service0 +# rule: Host(`testing.durp.info`) +# services: +# service0: +# loadBalancer: +# servers: +# - url: https://192.168.20.130 diff --git a/dmz/traefik/templates/middleware.yaml b/dmz/traefik/templates/middleware.yaml new file mode 100644 index 0000000..2dad3ee --- /dev/null +++ b/dmz/traefik/templates/middleware.yaml @@ -0,0 +1,54 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: authentik-proxy-provider + namespace: traefik +spec: + forwardAuth: + address: http://ak-outpost-authentik-dmz-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version + +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: whitelist + namespace: traefik +spec: + ipWhiteList: + sourceRange: + - 192.168.0.0/16 + - 172.16.0.0/12 + - 10.0.0.0/8 + +--- +#apiVersion: traefik.io/v1alpha1 +#kind: Middleware +#metadata: +# name: bouncer +# namespace: traefik +#spec: +# plugin: +# bouncer: +# enabled: true +# crowdsecMode: stream +# crowdsecLapiScheme: https +# crowdsecLapiTLSInsecureVerify: true +# crowdsecLapiHost: crowdsec-service.crowdsec:8080 +# crowdsecLapiKey: +# valueFrom: +# secretKeyRef: +# name: crowdsec-lapi-key +# key: lapi-key diff --git a/dmz/traefik/templates/secrets.yaml b/dmz/traefik/templates/secrets.yaml new file mode 100644 index 0000000..413afbe --- /dev/null +++ b/dmz/traefik/templates/secrets.yaml @@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: crowdsec-lapi-key +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: crowdsec-lapi-key + data: + - secretKey: lapi-key + remoteRef: + key: kv/crowdsec/api + property: key + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/dmz/traefik/templates/traefik-dashboard.yaml b/dmz/traefik/templates/traefik-dashboard.yaml new file mode 100644 index 0000000..539c911 --- /dev/null +++ b/dmz/traefik/templates/traefik-dashboard.yaml @@ -0,0 +1,35 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`traefik.dmz.durp.info`) + kind: Rule + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + services: + - name: api@internal + kind: TraefikService + tls: + secretName: traefik-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: traefik-tls + namespace: traefik +spec: + secretName: traefik-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "traefik.dmz.durp.info" + dnsNames: + - "traefik.dmz.durp.info" diff --git a/dmz/traefik/values.yaml b/dmz/traefik/values.yaml new file mode 100644 index 0000000..c762b94 --- /dev/null +++ b/dmz/traefik/values.yaml @@ -0,0 +1,67 @@ +traefik: + image: + # registry: registry.durp.info + # repository: traefik + pullPolicy: Always + + providers: + kubernetesCRD: + allowCrossNamespace: true + allowExternalNameServices: true + allowEmptyServices: false + + deployment: + replicas: 3 + revisionHistoryLimit: 1 + + # volumes: + # - name: traefik-configmap + # mountPath: "/config" + # type: configMap + + ingressRoute: + dashboard: + enabled: true + + ports: + gitlab-ssh: + port: 9022 + expose: + default: true + exposedPort: 9022 + + additionalArguments: + # - "--providers.file.filename=/config/config.yml" + - "--serversTransport.insecureSkipVerify=true" + - "--log.level=DEBUG" + - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin + - --experimental.plugins.jwt.version=v0.7.0 + - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin + - --experimental.plugins.bouncer.version=v1.4.2 + + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + policies: + - type: Pods + value: 1 + periodSeconds: 60 + + # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. + resources: + requests: + cpu: "100m" + memory: "512Mi" + limits: + memory: "512Mi" diff --git a/dmz/vault/Chart.yaml b/dmz/vault/Chart.yaml new file mode 100644 index 0000000..412c292 --- /dev/null +++ b/dmz/vault/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: vault +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: vault + repository: https://helm.releases.hashicorp.com + version: 0.30.0 + diff --git a/dmz/vault/templates/secret-store.yaml b/dmz/vault/templates/secret-store.yaml new file mode 100644 index 0000000..c48e52f --- /dev/null +++ b/dmz/vault/templates/secret-store.yaml @@ -0,0 +1,23 @@ +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: + name: vault +spec: + provider: + vault: + server: "https://vault.infra.durp.info" + path: "kv" + version: "v2" + auth: + kubernetes: + mountPath: "dmz-cluster" + role: "external-secrets" + serviceAccountRef: + name: "vault" + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/dmz/vault/values.yaml b/dmz/vault/values.yaml new file mode 100644 index 0000000..877d8fe --- /dev/null +++ b/dmz/vault/values.yaml @@ -0,0 +1,13 @@ +vault: + global: + enabled: true + tlsDisable: false + externalVaultAddr: "https://vault.infra.durp.info" + resources: + requests: + memory: 256Mi + cpu: 250m + limits: + memory: 256Mi + cpu: 250m + diff --git a/external-secrets/templates/secret-store.yaml b/external-secrets/templates/secret-store.yaml deleted file mode 100644 index dbde280..0000000 --- a/external-secrets/templates/secret-store.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault -spec: - provider: - vault: - server: "https://vault.internal.prd.durp.info" - path: "secrets" - version: "v2" - auth: - kubernetes: - mountPath: "kubernetes" - role: "dmz-external-secrets" - ---- - -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: cloudflare-api-token-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: cloudflare-api-token-secret - data: - - secretKey: cloudflare-api-token-secret - remoteRef: - key: secrets/cert-manager - property: cloudflare-api-token-secret - diff --git a/external-secrets/values.yaml b/external-secrets/values.yaml deleted file mode 100644 index a720adb..0000000 --- a/external-secrets/values.yaml +++ /dev/null @@ -1,463 +0,0 @@ -external-secrets: - replicaCount: 3 - - # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) - revisionHistoryLimit: 10 - - image: - repository: ghcr.io/external-secrets/external-secrets - pullPolicy: Always - # -- The image tag to use. The default is the chart appVersion. - # There are different image flavours available, like distroless and ubi. - # Please see GitHub release notes for image tags for these flavors. - # By default the distroless image is used. - tag: "" - - # -- If set, install and upgrade CRDs through helm chart. - installCRDs: true - - crds: - # -- If true, create CRDs for Cluster External Secret. - createClusterExternalSecret: true - # -- If true, create CRDs for Cluster Secret Store. - createClusterSecretStore: true - # -- If true, create CRDs for Push Secret. - createPushSecret: true - annotations: {} - conversion: - enabled: true - - imagePullSecrets: [] - nameOverride: "" - fullnameOverride: "" - - # -- If true, external-secrets will perform leader election between instances to ensure no more - # than one instance of external-secrets operates at a time. - leaderElect: true - - # -- If set external secrets will filter matching - # Secret Stores with the appropriate controller values. - controllerClass: "" - - # -- If true external secrets will use recommended kubernetes - # annotations as prometheus metric labels. - extendedMetricLabels: false - - # -- If set external secrets are only reconciled in the - # provided namespace - scopedNamespace: "" - - # -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace - # and implicitly disable cluster stores and cluster external secrets - scopedRBAC: false - - # -- if true, the operator will process cluster external secret. Else, it will ignore them. - processClusterExternalSecret: true - - # -- if true, the operator will process cluster store. Else, it will ignore them. - processClusterStore: true - - # -- Specifies whether an external secret operator deployment be created. - createOperator: true - - # -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at - # a time. - concurrent: 1 - - serviceAccount: - # -- Specifies whether a service account should be created. - create: true - # -- Automounts the service account token in all containers of the pod - automount: true - # -- Annotations to add to the service account. - annotations: {} - # -- Extra Labels to add to the service account. - extraLabels: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - - rbac: - # -- Specifies whether role and rolebinding resources should be created. - create: true - - ## -- Extra environment variables to add to container. - extraEnv: [] - - ## -- Map of extra arguments to pass to container. - extraArgs: {} - - ## -- Extra volumes to pass to pod. - extraVolumes: [] - - ## -- Extra volumes to mount to the container. - extraVolumeMounts: [] - - ## -- Extra containers to add to the pod. - extraContainers: [] - - # -- Annotations to add to Deployment - deploymentAnnotations: {} - - # -- Annotations to add to Pod - podAnnotations: {} - - podLabels: {} - - podSecurityContext: {} - # fsGroup: 2000 - - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - - resources: {} - # requests: - # cpu: 10m - # memory: 32Mi - - prometheus: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead. - enabled: false - service: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead. - port: 8080 - - serviceMonitor: - # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics - enabled: false - - # -- namespace where you want to install ServiceMonitors - namespace: "" - - # -- Additional labels - additionalLabels: {} - - # -- Interval to scrape metrics - interval: 30s - - # -- Timeout if metrics can't be retrieved in given time interval - scrapeTimeout: 25s - - # -- Let prometheus add an exported_ prefix to conflicting labels - honorLabels: false - - # -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) - metricRelabelings: [] - # - action: replace - # regex: (.*) - # replacement: $1 - # sourceLabels: - # - exported_namespace - # targetLabel: namespace - - # -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) - relabelings: [] - # - sourceLabels: [__meta_kubernetes_pod_node_name] - # separator: ; - # regex: ^(.*)$ - # targetLabel: nodename - # replacement: $1 - # action: replace - - metrics: - service: - # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics - enabled: false - - # -- Metrics service port to scrape - port: 8080 - - # -- Additional service annotations - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # -- Pod priority class name. - priorityClassName: "" - - # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - podDisruptionBudget: - enabled: false - minAvailable: 1 - # maxUnavailable: 1 - - # -- Run the controller on the host network - hostNetwork: false - - webhook: - # -- Specifies whether a webhook deployment be created. - create: true - # -- Specifices the time to check if the cert is valid - certCheckInterval: "5m" - # -- Specifices the lookaheadInterval for certificate validity - lookaheadInterval: "" - replicaCount: 1 - - # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) - revisionHistoryLimit: 10 - - certDir: /tmp/certs - # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore - failurePolicy: Fail - # -- Specifies if webhook pod should use hostNetwork or not. - hostNetwork: false - image: - repository: ghcr.io/external-secrets/external-secrets - pullPolicy: IfNotPresent - # -- The image tag to use. The default is the chart appVersion. - tag: "" - imagePullSecrets: [] - nameOverride: "" - fullnameOverride: "" - # -- The port the webhook will listen to - port: 10250 - rbac: - # -- Specifies whether role and rolebinding resources should be created. - create: true - serviceAccount: - # -- Specifies whether a service account should be created. - create: true - # -- Automounts the service account token in all containers of the pod - automount: true - # -- Annotations to add to the service account. - annotations: {} - # -- Extra Labels to add to the service account. - extraLabels: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # -- Pod priority class name. - priorityClassName: "" - - # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - podDisruptionBudget: - enabled: false - minAvailable: 1 - # maxUnavailable: 1 - prometheus: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead - enabled: false - service: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead - port: 8080 - - serviceMonitor: - # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics - enabled: false - - # -- Additional labels - additionalLabels: {} - - # -- Interval to scrape metrics - interval: 30s - - # -- Timeout if metrics can't be retrieved in given time interval - scrapeTimeout: 25s - - metrics: - service: - # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics - enabled: false - - # -- Metrics service port to scrape - port: 8080 - - # -- Additional service annotations - annotations: {} - - - readinessProbe: - # -- Address for readiness probe - address: "" - # -- ReadinessProbe port for kubelet - port: 8081 - - - ## -- Extra environment variables to add to container. - extraEnv: [] - - ## -- Map of extra arguments to pass to container. - extraArgs: {} - - ## -- Extra volumes to pass to pod. - extraVolumes: [] - - ## -- Extra volumes to mount to the container. - extraVolumeMounts: [] - - # -- Annotations to add to Secret - secretAnnotations: {} - - # -- Annotations to add to Deployment - deploymentAnnotations: {} - - # -- Annotations to add to Pod - podAnnotations: {} - - podLabels: {} - - podSecurityContext: {} - # fsGroup: 2000 - - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - - resources: {} - # requests: - # cpu: 10m - # memory: 32Mi - - certController: - # -- Specifies whether a certificate controller deployment be created. - create: true - requeueInterval: "5m" - replicaCount: 1 - - # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) - revisionHistoryLimit: 10 - - image: - repository: ghcr.io/external-secrets/external-secrets - pullPolicy: Always - tag: "" - imagePullSecrets: [] - nameOverride: "" - fullnameOverride: "" - rbac: - # -- Specifies whether role and rolebinding resources should be created. - create: true - serviceAccount: - # -- Specifies whether a service account should be created. - create: true - # -- Automounts the service account token in all containers of the pod - automount: true - # -- Annotations to add to the service account. - annotations: {} - # -- Extra Labels to add to the service account. - extraLabels: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # -- Run the certController on the host network - hostNetwork: false - - # -- Pod priority class name. - priorityClassName: "" - - # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - podDisruptionBudget: - enabled: false - minAvailable: 1 - # maxUnavailable: 1 - - prometheus: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead - enabled: false - service: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead - port: 8080 - - serviceMonitor: - # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics - enabled: false - - # -- Additional labels - additionalLabels: {} - - # -- Interval to scrape metrics - interval: 30s - - # -- Timeout if metrics can't be retrieved in given time interval - scrapeTimeout: 25s - - metrics: - service: - # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics - enabled: false - - # -- Metrics service port to scrape - port: 8080 - - # -- Additional service annotations - annotations: {} - - ## -- Extra environment variables to add to container. - extraEnv: [] - - ## -- Map of extra arguments to pass to container. - extraArgs: {} - - - ## -- Extra volumes to pass to pod. - extraVolumes: [] - - ## -- Extra volumes to mount to the container. - extraVolumeMounts: [] - - # -- Annotations to add to Deployment - deploymentAnnotations: {} - - # -- Annotations to add to Pod - podAnnotations: {} - - podLabels: {} - - podSecurityContext: {} - # fsGroup: 2000 - - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - - resources: {} - # requests: - # cpu: 10m - # memory: 32Mi - - # -- Specifies `dnsOptions` to deployment - dnsConfig: {} diff --git a/gatekeeper/Chart.yaml b/gatekeeper/Chart.yaml deleted file mode 100644 index ebd28af..0000000 --- a/gatekeeper/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: gatekeeper -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: gatekeeper - repository: https://open-policy-agent.github.io/gatekeeper/charts - version: 3.14.0 diff --git a/gatekeeper/values.yaml b/gatekeeper/values.yaml deleted file mode 100644 index d01ace9..0000000 --- a/gatekeeper/values.yaml +++ /dev/null @@ -1,277 +0,0 @@ -gatekeeper: - replicas: 3 - revisionHistoryLimit: 10 - auditInterval: 60 - metricsBackends: ["prometheus"] - auditMatchKindOnly: false - constraintViolationsLimit: 20 - auditFromCache: false - disableMutation: false - disableValidatingWebhook: false - validatingWebhookName: gatekeeper-validating-webhook-configuration - validatingWebhookTimeoutSeconds: 3 - validatingWebhookFailurePolicy: Ignore - validatingWebhookAnnotations: {} - validatingWebhookExemptNamespacesLabels: {} - validatingWebhookObjectSelector: {} - validatingWebhookCheckIgnoreFailurePolicy: Fail - validatingWebhookCustomRules: {} - validatingWebhookURL: null - enableDeleteOperations: false - enableExternalData: true - enableGeneratorResourceExpansion: true - enableTLSHealthcheck: false - maxServingThreads: -1 - mutatingWebhookName: gatekeeper-mutating-webhook-configuration - mutatingWebhookFailurePolicy: Ignore - mutatingWebhookReinvocationPolicy: Never - mutatingWebhookAnnotations: {} - mutatingWebhookExemptNamespacesLabels: {} - mutatingWebhookObjectSelector: {} - mutatingWebhookTimeoutSeconds: 1 - mutatingWebhookCustomRules: {} - mutatingWebhookURL: null - mutationAnnotations: false - auditChunkSize: 500 - logLevel: INFO - logDenies: false - logMutations: false - emitAdmissionEvents: false - emitAuditEvents: false - admissionEventsInvolvedNamespace: false - auditEventsInvolvedNamespace: false - resourceQuota: true - externaldataProviderResponseCacheTTL: 3m - image: - repository: openpolicyagent/gatekeeper - crdRepository: openpolicyagent/gatekeeper-crds - release: v3.15.0-beta.0 - pullPolicy: Always - pullSecrets: [] - preInstall: - crdRepository: - image: - repository: null - tag: v3.15.0-beta.0 - postUpgrade: - labelNamespace: - enabled: false - image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 - pullPolicy: IfNotPresent - pullSecrets: [] - extraNamespaces: [] - podSecurity: ["pod-security.kubernetes.io/audit=restricted", - "pod-security.kubernetes.io/audit-version=latest", - "pod-security.kubernetes.io/warn=restricted", - "pod-security.kubernetes.io/warn-version=latest", - "pod-security.kubernetes.io/enforce=restricted", - "pod-security.kubernetes.io/enforce-version=v1.24"] - extraAnnotations: {} - priorityClassName: "" - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - postInstall: - labelNamespace: - enabled: true - extraRules: [] - image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 - pullPolicy: IfNotPresent - pullSecrets: [] - extraNamespaces: [] - podSecurity: ["pod-security.kubernetes.io/audit=restricted", - "pod-security.kubernetes.io/audit-version=latest", - "pod-security.kubernetes.io/warn=restricted", - "pod-security.kubernetes.io/warn-version=latest", - "pod-security.kubernetes.io/enforce=restricted", - "pod-security.kubernetes.io/enforce-version=v1.24"] - extraAnnotations: {} - priorityClassName: "" - probeWebhook: - enabled: true - image: - repository: curlimages/curl - tag: 7.83.1 - pullPolicy: IfNotPresent - pullSecrets: [] - waitTimeout: 60 - httpTimeout: 2 - insecureHTTPS: false - priorityClassName: "" - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - preUninstall: - deleteWebhookConfigurations: - extraRules: [] - enabled: false - image: - repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 - pullPolicy: IfNotPresent - pullSecrets: [] - priorityClassName: "" - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - podAnnotations: {} - auditPodAnnotations: {} - podLabels: {} - podCountLimit: "100" - secretAnnotations: {} - enableRuntimeDefaultSeccompProfile: true - controllerManager: - exemptNamespaces: [] - exemptNamespacePrefixes: [] - hostNetwork: false - dnsPolicy: ClusterFirst - port: 8443 - metricsPort: 8888 - healthPort: 9090 - readinessTimeout: 1 - livenessTimeout: 1 - priorityClassName: system-cluster-critical - disableCertRotation: false - tlsMinVersion: 1.3 - clientCertName: "" - strategyType: RollingUpdate - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: gatekeeper.sh/operation - operator: In - values: - - webhook - topologyKey: kubernetes.io/hostname - weight: 100 - topologySpreadConstraints: [] - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: - limits: - memory: 512Mi - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - podSecurityContext: - fsGroup: 999 - supplementalGroups: - - 999 - extraRules: [] - networkPolicy: - enabled: false - ingress: { } - # - from: - # - ipBlock: - # cidr: 0.0.0.0/0 - audit: - enablePubsub: false - connection: audit-connection - channel: audit-channel - hostNetwork: false - dnsPolicy: ClusterFirst - metricsPort: 8888 - healthPort: 9090 - readinessTimeout: 1 - livenessTimeout: 1 - priorityClassName: system-cluster-critical - disableCertRotation: false - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: - limits: - memory: 512Mi - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - podSecurityContext: - fsGroup: 999 - supplementalGroups: - - 999 - writeToRAMDisk: false - extraRules: [] - crds: - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - pdb: - controllerManager: - minAvailable: 1 - service: {} - disabledBuiltins: ["{http.send}"] - psp: - enabled: true - upgradeCRDs: - enabled: true - extraRules: [] - priorityClassName: "" - rbac: - create: true - externalCertInjection: - enabled: false - secretName: gatekeeper-webhook-server-cert diff --git a/gitlab-runner/templates/secrets.yaml b/gitlab-runner/templates/secrets.yaml deleted file mode 100644 index 784ef11..0000000 --- a/gitlab-runner/templates/secrets.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: gitlab-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: gitlab-secret - data: - - secretKey: runner-registration-token - remoteRef: - key: secrets/gitlab/runner - property: runner-registration-token - - secretKey: runner-token - remoteRef: - key: secrets/gitlab/runner - property: runner-token diff --git a/infra/.gitlab/.gitlab-ci.yml b/infra/.gitlab/.gitlab-ci.yml new file mode 100644 index 0000000..78c6ee1 --- /dev/null +++ b/infra/.gitlab/.gitlab-ci.yml @@ -0,0 +1,95 @@ +stages: + - plan + - apply + - destroy + +variables: + WORKDIR: $CI_PROJECT_DIR/infra/terraform + GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/infra + +image: + name: registry.durp.info/opentofu/opentofu:latest + entrypoint: [""] + +.tf-init: + before_script: + - cd $WORKDIR + - tofu init + -reconfigure + -backend-config="address=${GITLAB_TF_ADDRESS}" + -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="username=gitlab-ci-token" + -backend-config="password=${CI_JOB_TOKEN}" + -backend-config="lock_method=POST" + -backend-config="unlock_method=DELETE" + -backend-config="retry_wait_min=5" + +format: + stage: .pre + allow_failure: false + script: + - cd $WORKDIR + - tofu fmt -diff -check -write=false + rules: + - changes: + - "infra/terraform/*.tf" + +validate: + stage: .pre + allow_failure: false + extends: .tf-init + script: + - tofu validate + rules: + - changes: + - "infra/terraform/*.tf" + +plan-infrastructure: + stage: plan + variables: + PLAN: plan.tfplan + JSON_PLAN_FILE: tfplan.json + ENVIRONMENT_NAME: infra + allow_failure: false + extends: .tf-init + script: + - apk add --update curl jq + - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" + - tofu plan -out=$PLAN $ARGUMENTS + - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE + artifacts: + reports: + terraform: $WORKDIR/$JSON_PLAN_FILE + needs: ["validate","format"] + rules: + - changes: + - "infra/terraform/*.tf" + +apply-infrastructure: + stage: apply + variables: + ENVIRONMENT_NAME: infra + allow_failure: false + extends: .tf-init + script: + - tofu apply -auto-approve $ARGUMENTS + rules: + - changes: + - "infra/terraform/*.tf" + when: manual + needs: ["plan-infrastructure"] + +destroy-infrastructure: + stage: destroy + variables: + ENVIRONMENT_NAME: infra + allow_failure: false + extends: .tf-init + script: + - tofu destroy -auto-approve $ARGUMENTS + rules: + - changes: + - "infra/terraform/*.tf" + when: manual + needs: ["plan-infrastructure"] diff --git a/argocd/Chart.yaml b/infra/argocd/Chart.yaml similarity index 91% rename from argocd/Chart.yaml rename to infra/argocd/Chart.yaml index 07e391f..d9a5074 100644 --- a/argocd/Chart.yaml +++ b/infra/argocd/Chart.yaml @@ -9,6 +9,4 @@ appVersion: "1.16.0" dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm - version: 6.7.11 - - + version: 8.6.4 diff --git a/infra/argocd/templates/argocd.yaml b/infra/argocd/templates/argocd.yaml new file mode 100644 index 0000000..14141da --- /dev/null +++ b/infra/argocd/templates/argocd.yaml @@ -0,0 +1,85 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argocd + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/argocd + destination: + namespace: argocd + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: vault-argocd + labels: + app.kubernetes.io/part-of: argocd +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: client-secret + data: + - secretKey: clientSecret + remoteRef: + key: kv/authentik/argocd + property: clientsecret + +--- + +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: argocd-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`argocd.infra.durp.info`) + #middlewares: + # - name: whitelist + # namespace: traefik + kind: Rule + services: + - name: argocd-server + port: 443 + scheme: https + tls: + secretName: argocd-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: argocd-tls +spec: + secretName: argocd-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "argocd.infra.durp.info" + dnsNames: + - "argocd.infra.durp.info" + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + diff --git a/infra/argocd/templates/authentik.yaml b/infra/argocd/templates/authentik.yaml new file mode 100644 index 0000000..ac5f8dc --- /dev/null +++ b/infra/argocd/templates/authentik.yaml @@ -0,0 +1,45 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: authentik + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/authentik + destination: + namespace: authentik + name: in-cluster + syncPolicy: + #managedNamespaceMetadata: + # labels: + # istio-injection: enabled + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: authentik-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/authentik + destination: + namespace: authentik + name: dmz + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/argocd/templates/cert-manager.yaml b/infra/argocd/templates/bitwarden.yaml similarity index 51% rename from argocd/templates/cert-manager.yaml rename to infra/argocd/templates/bitwarden.yaml index b1c7831..a42abbc 100644 --- a/argocd/templates/cert-manager.yaml +++ b/infra/argocd/templates/bitwarden.yaml @@ -1,20 +1,20 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: cert-manager + name: bitwarden namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: cert-manager + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/bitwarden destination: - namespace: cert-manager + namespace: bitwarden name: in-cluster syncPolicy: automated: prune: true - selfHeal: true + selfHeal: true syncOptions: - - CreateNamespace=true + - CreateNamespace=true diff --git a/infra/argocd/templates/cert-manager.yaml b/infra/argocd/templates/cert-manager.yaml new file mode 100644 index 0000000..31ef868 --- /dev/null +++ b/infra/argocd/templates/cert-manager.yaml @@ -0,0 +1,44 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-manager + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/cert-manager + destination: + namespace: cert-manager + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-manager-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/cert-manager + destination: + namespace: cert-manager + name: dmz + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + diff --git a/argocd/templates/external-dns.yaml b/infra/argocd/templates/external-dns.yaml similarity index 64% rename from argocd/templates/external-dns.yaml rename to infra/argocd/templates/external-dns.yaml index dc98744..caa32d9 100644 --- a/argocd/templates/external-dns.yaml +++ b/infra/argocd/templates/external-dns.yaml @@ -1,20 +1,21 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: external-dns + name: external-dns-dmz namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: external-dns + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/external-dns destination: namespace: external-dns - name: in-cluster + name: dmz syncPolicy: automated: prune: true selfHeal: true syncOptions: - CreateNamespace=true + diff --git a/infra/argocd/templates/external-secrets.yaml b/infra/argocd/templates/external-secrets.yaml new file mode 100644 index 0000000..7787a03 --- /dev/null +++ b/infra/argocd/templates/external-secrets.yaml @@ -0,0 +1,44 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-secrets + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/external-secrets + destination: + namespace: external-secrets + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-secrets-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/external-secrets + destination: + namespace: external-secrets + name: dmz + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + diff --git a/argocd/templates/metallb-system.yaml b/infra/argocd/templates/gitlab-runner.yaml similarity index 57% rename from argocd/templates/metallb-system.yaml rename to infra/argocd/templates/gitlab-runner.yaml index d88d70d..25b82bb 100644 --- a/argocd/templates/metallb-system.yaml +++ b/infra/argocd/templates/gitlab-runner.yaml @@ -1,17 +1,17 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: metallb-system + name: gitlab-runner-dmz namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: metallb-system + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/gitlab-runner destination: - namespace: metallb-system - name: in-cluster + namespace: gitlab-runner + name: dmz syncPolicy: automated: prune: true @@ -19,4 +19,3 @@ spec: syncOptions: - CreateNamespace=true - diff --git a/argocd/templates/longhorn.yaml b/infra/argocd/templates/internalproxy.yaml similarity index 57% rename from argocd/templates/longhorn.yaml rename to infra/argocd/templates/internalproxy.yaml index 60a6026..9381c2d 100644 --- a/argocd/templates/longhorn.yaml +++ b/infra/argocd/templates/internalproxy.yaml @@ -1,17 +1,17 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: longhorn-system + name: internal-proxy namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: longhorn + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/internalproxy destination: - namespace: longhorn-system - name: in-cluster + namespace: internalproxy + name: dmz syncPolicy: automated: prune: true diff --git a/infra/argocd/templates/istio.yaml b/infra/argocd/templates/istio.yaml new file mode 100644 index 0000000..615a43f --- /dev/null +++ b/infra/argocd/templates/istio.yaml @@ -0,0 +1,58 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: istio-system + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/istio-system + destination: + namespace: istio-system + name: in-cluster + syncPolicy: + managedNamespaceMetadata: + labels: + topology.istio.io/network: network1 + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + jsonPointers: + - /webhooks/0/failurePolicy + +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: istio-system-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/istio-system + destination: + namespace: istio-system + name: dmz + syncPolicy: + managedNamespaceMetadata: + labels: + topology.istio.io/network: network2 + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + jsonPointers: + - /webhooks/0/failurePolicy diff --git a/argocd/templates/kube-prometheus-stack.yaml b/infra/argocd/templates/kube-prometheus-stack.yaml similarity index 61% rename from argocd/templates/kube-prometheus-stack.yaml rename to infra/argocd/templates/kube-prometheus-stack.yaml index 8830be4..bc52501 100644 --- a/argocd/templates/kube-prometheus-stack.yaml +++ b/infra/argocd/templates/kube-prometheus-stack.yaml @@ -6,16 +6,15 @@ metadata: spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: kube-prometheus-stack + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/kube-prometheus-stack destination: namespace: kube-prometheus-stack name: in-cluster syncPolicy: automated: prune: true - selfHeal: true + selfHeal: true syncOptions: - - CreateNamespace=true - + - CreateNamespace=true diff --git a/infra/argocd/templates/litellm.yaml b/infra/argocd/templates/litellm.yaml new file mode 100644 index 0000000..d8e225a --- /dev/null +++ b/infra/argocd/templates/litellm.yaml @@ -0,0 +1,20 @@ +#apiVersion: argoproj.io/v1alpha1 +#kind: Application +#metadata: +# name: litellm +# namespace: argocd +#spec: +# project: default +# source: +# repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git +# targetRevision: main +# path: infra/litellm +# destination: +# namespace: litellm +# name: in-cluster +# syncPolicy: +# automated: +# prune: true +# selfHeal: true +# syncOptions: +# - CreateNamespace=true diff --git a/argocd/templates/uptimekuma.yaml b/infra/argocd/templates/littlelink.yaml similarity index 52% rename from argocd/templates/uptimekuma.yaml rename to infra/argocd/templates/littlelink.yaml index 80e6808..2d6011f 100644 --- a/argocd/templates/uptimekuma.yaml +++ b/infra/argocd/templates/littlelink.yaml @@ -1,23 +1,22 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: uptimekuma + name: littlelink namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: uptimekuma + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/littlelink directory: recurse: true destination: - server: https://kubernetes.default.svc - namespace: uptimekuma + name: dmz + namespace: littlelink syncPolicy: automated: prune: true selfHeal: true syncOptions: - - CreateNamespace=true - + - CreateNamespace=true diff --git a/infra/argocd/templates/longhorn.yaml b/infra/argocd/templates/longhorn.yaml new file mode 100644 index 0000000..f28a74c --- /dev/null +++ b/infra/argocd/templates/longhorn.yaml @@ -0,0 +1,47 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: longhorn-system + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/longhorn + destination: + namespace: longhorn-system + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ignoreDifferences: + - group: engineimages.longhorn.io + jsonPointers: + - /spec/preserveUnknownFields + kind: CustomResourceDefinition + +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: longhorn-system-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/longhorn + destination: + namespace: longhorn-system + name: dmz + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/infra/argocd/templates/metallb-system.yaml b/infra/argocd/templates/metallb-system.yaml new file mode 100644 index 0000000..a9b33d0 --- /dev/null +++ b/infra/argocd/templates/metallb-system.yaml @@ -0,0 +1,66 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: metallb-system + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/metallb-system + destination: + namespace: metallb-system + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: metallb-system-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/metallb-system + destination: + namespace: metallb-system + name: dmz + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: metallb-system-dev + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dev/metallb-system + destination: + namespace: metallb-system + name: dev + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/argocd/templates/gatekeeper.yaml b/infra/argocd/templates/nebula-sync.yaml similarity index 62% rename from argocd/templates/gatekeeper.yaml rename to infra/argocd/templates/nebula-sync.yaml index 712d4a7..d19b024 100644 --- a/argocd/templates/gatekeeper.yaml +++ b/infra/argocd/templates/nebula-sync.yaml @@ -1,16 +1,16 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: gatekeeper + name: nebula-sync namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: gatekeeper + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/nebula-sync destination: - namespace: gatekeeper + namespace: nebula-sync name: in-cluster syncPolicy: automated: diff --git a/argocd/templates/argocd.yaml b/infra/argocd/templates/nfs.yaml similarity index 54% rename from argocd/templates/argocd.yaml rename to infra/argocd/templates/nfs.yaml index 9b97473..c006f32 100644 --- a/argocd/templates/argocd.yaml +++ b/infra/argocd/templates/nfs.yaml @@ -1,20 +1,18 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: argocd + name: nfs namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: argocd + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/nfs destination: - namespace: argocd + namespace: kube-system name: in-cluster syncPolicy: automated: prune: true selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/infra/argocd/templates/openclarity.yaml b/infra/argocd/templates/openclarity.yaml new file mode 100644 index 0000000..57c1995 --- /dev/null +++ b/infra/argocd/templates/openclarity.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: openclarity + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/openclarity + destination: + namespace: openclarity + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/infra/argocd/templates/openspeedtest.yaml b/infra/argocd/templates/openspeedtest.yaml new file mode 100644 index 0000000..ead0679 --- /dev/null +++ b/infra/argocd/templates/openspeedtest.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: openspeedtest + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/openspeedtest + directory: + recurse: true + destination: + name: dmz + namespace: openspeedtest + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/infra/argocd/templates/portainer.yaml b/infra/argocd/templates/portainer.yaml new file mode 100644 index 0000000..22b2a9b --- /dev/null +++ b/infra/argocd/templates/portainer.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: portainer + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/portainer + destination: + namespace: portainer + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/infra/argocd/templates/redlib.yaml b/infra/argocd/templates/redlib.yaml new file mode 100644 index 0000000..3867fb7 --- /dev/null +++ b/infra/argocd/templates/redlib.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: redlib + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/redlib + directory: + recurse: true + destination: + name: dmz + namespace: redlib + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/argocd/templates/kubeclarity.yaml b/infra/argocd/templates/renovate.yaml similarity index 51% rename from argocd/templates/kubeclarity.yaml rename to infra/argocd/templates/renovate.yaml index c9fd0b4..debce7a 100644 --- a/argocd/templates/kubeclarity.yaml +++ b/infra/argocd/templates/renovate.yaml @@ -1,20 +1,20 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: kubeclarity + name: renovate namespace: argocd spec: project: default source: - repoURL: https://gitlab.com/developerdurp/homelab.git - targetRevision: dmz - path: kubeclarity + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/renovate destination: - namespace: kubeclarity + namespace: renovate name: in-cluster syncPolicy: automated: prune: true - selfHeal: true + selfHeal: true syncOptions: - - CreateNamespace=true + - CreateNamespace=true diff --git a/infra/argocd/templates/searxng.yaml b/infra/argocd/templates/searxng.yaml new file mode 100644 index 0000000..9e05411 --- /dev/null +++ b/infra/argocd/templates/searxng.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: searxng + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/searxng + directory: + recurse: true + destination: + name: dmz + namespace: searxng + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/infra/argocd/templates/traefik.yaml b/infra/argocd/templates/traefik.yaml new file mode 100644 index 0000000..0ea06aa --- /dev/null +++ b/infra/argocd/templates/traefik.yaml @@ -0,0 +1,76 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: traefik + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/traefik + destination: + namespace: traefik + name: in-cluster + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: traefik-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/traefik + destination: + namespace: traefik + name: dmz + syncPolicy: + # managedNamespaceMetadata: + # labels: + # istio-injection: enabled + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: traefik-dev + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dev/traefik + destination: + namespace: traefik + name: dev + syncPolicy: + # managedNamespaceMetadata: + # labels: + # istio-injection: enabled + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + diff --git a/infra/argocd/templates/vault.yaml b/infra/argocd/templates/vault.yaml new file mode 100644 index 0000000..b5f6a0b --- /dev/null +++ b/infra/argocd/templates/vault.yaml @@ -0,0 +1,53 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: infra/vault + destination: + namespace: vault + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + jqPathExpressions: + - .webhooks[]?.clientConfig.caBundle + +--- + +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault-dmz + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git + targetRevision: main + path: dmz/vault + destination: + namespace: vault + name: dmz + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + jqPathExpressions: + - .webhooks[]?.clientConfig.caBundle diff --git a/argocd/values.yaml b/infra/argocd/values.yaml similarity index 53% rename from argocd/values.yaml rename to infra/argocd/values.yaml index 47a56e3..727777e 100644 --- a/argocd/values.yaml +++ b/infra/argocd/values.yaml @@ -1,40 +1,40 @@ argo-cd: - global: revisionHistoryLimit: 1 image: - repository: registry.internal.durp.info/argoproj/argocd + repository: registry.durp.info/argoproj/argocd imagePullPolicy: Always - server: - #extraArgs: - # - --dex-server-plaintext - # - --dex-server=argocd-dex-server:5556 - # oidc.config: | - # name: AzureAD - # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 - # clientID: CLIENT_ID - # clientSecret: $oidc.azuread.clientSecret - # requestedIDTokenClaims: - # groups: - # essential: true - # requestedScopes: - # - openid - # - profile - # - email + #server: + #extraArgs: + # - --dex-server-plaintext + # - --dex-server=argocd-dex-server:5556 + # oidc.config: | + # name: AzureAD + # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 + # clientID: CLIENT_ID + # clientSecret: $oidc.azuread.clientSecret + # requestedIDTokenClaims: + # groups: + # essential: true + # requestedScopes: + # - openid + # - profile + # - email dex: enabled: true image: - repository: registry.internal.durp.info/dexidp/dex + repository: registry.durp.info/dexidp/dex imagePullPolicy: Always configs: cm: create: true annotations: {} - url: https://argocd.internal.durp.info + url: https://argocd.infra.durp.info oidc.tls.insecure.skip.verify: "true" + accounts.provider-argocd: apiKey dex.config: | connectors: - config: @@ -50,13 +50,15 @@ argo-cd: name: authentik type: oidc id: authentik + resource.exclusions: "" rbac: create: true policy.csv: | - g, ArgoCD Admins, role:admin + g, ArgoCD Admins, role:admin + g, provider-argocd, role:admin scopes: "[groups]" server: - route: - enabled: false + route: + enabled: false \ No newline at end of file diff --git a/infra/authentik/Chart.yaml b/infra/authentik/Chart.yaml new file mode 100644 index 0000000..d5927e6 --- /dev/null +++ b/infra/authentik/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v2 +name: authentik +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: + - name: authentik + repository: https://charts.goauthentik.io + version: 2025.4.1 + diff --git a/infra/authentik/templates/ingress.yaml b/infra/authentik/templates/ingress.yaml new file mode 100644 index 0000000..8e0c956 --- /dev/null +++ b/infra/authentik/templates/ingress.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: authentik-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`authentik.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: authentik-server + port: 80 + - match: Host(`authentik.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) + kind: Rule + services: + - name: ak-outpost-authentik-embedded-outpost + port: 9000 + tls: + secretName: authentik-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: authentik-tls +spec: + secretName: authentik-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "authentik.durp.info" + dnsNames: + - "authentik.durp.info" diff --git a/infra/authentik/templates/secrets.yaml b/infra/authentik/templates/secrets.yaml new file mode 100644 index 0000000..df9f37e --- /dev/null +++ b/infra/authentik/templates/secrets.yaml @@ -0,0 +1,35 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: authentik-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: db-pass + data: + - secretKey: dbpass + remoteRef: + key: kv/authentik/database + property: dbpass + - secretKey: secretkey + remoteRef: + key: kv/authentik/database + property: secretkey + - secretKey: postgresql-postgres-password + remoteRef: + key: kv/authentik/database + property: dbpass + - secretKey: postgresql-password + remoteRef: + key: kv/authentik/database + property: dbpass + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + diff --git a/infra/authentik/values.yaml b/infra/authentik/values.yaml new file mode 100644 index 0000000..7b75190 --- /dev/null +++ b/infra/authentik/values.yaml @@ -0,0 +1,59 @@ +authentik: + global: + security: + allowInsecureImages: true + env: + - name: AUTHENTIK_POSTGRESQL__PASSWORD + valueFrom: + secretKeyRef: + name: db-pass + key: dbpass + - name: AUTHENTIK_SECRET_KEY + valueFrom: + secretKeyRef: + name: db-pass + key: secretkey + revisionHistoryLimit: 1 + image: + repository: registry.durp.info/goauthentik/server + pullPolicy: Always + authentik: + outposts: + container_image_base: registry.durp.info/goauthentik/%(type)s:%(version)s + postgresql: + host: "{{ .Release.Name }}-postgresql-hl" + name: "authentik" + user: "authentik" + port: 5432 + server: + name: server + replicas: 3 + worker: + replicas: 3 + postgresql: + enabled: true + image: + registry: registry.durp.info + repository: bitnamilegacy/postgresql + pullPolicy: Always + postgresqlUsername: "authentik" + postgresqlDatabase: "authentik" + existingSecret: db-pass + persistence: + enabled: true + storageClass: longhorn + size: 16Gi + accessModes: + - ReadWriteMany + redis: + enabled: true + master: + persistence: + enabled: false + image: + registry: registry.durp.info + repository: bitnamilegacy/redis + pullPolicy: Always + architecture: standalone + auth: + enabled: false diff --git a/infra/bitwarden/Chart.yaml b/infra/bitwarden/Chart.yaml new file mode 100644 index 0000000..cfdd821 --- /dev/null +++ b/infra/bitwarden/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: bitwarden +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" diff --git a/uptimekuma/templates/kuma-pvc.yaml b/infra/bitwarden/templates/bitwarden-pvc.yaml similarity index 65% rename from uptimekuma/templates/kuma-pvc.yaml rename to infra/bitwarden/templates/bitwarden-pvc.yaml index ab76bf0..333af4d 100644 --- a/uptimekuma/templates/kuma-pvc.yaml +++ b/infra/bitwarden/templates/bitwarden-pvc.yaml @@ -1,12 +1,11 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: uptimekuma-pvc - namespace: uptimekuma + name: bitwarden-pvc spec: + storageClassName: longhorn accessModes: - ReadWriteMany resources: requests: storage: 10Gi - storageClassName: longhorn \ No newline at end of file diff --git a/infra/bitwarden/templates/deployment.yaml b/infra/bitwarden/templates/deployment.yaml new file mode 100644 index 0000000..b915246 --- /dev/null +++ b/infra/bitwarden/templates/deployment.yaml @@ -0,0 +1,50 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: bitwarden + name: bitwarden + labels: + app: bitwarden +spec: + selector: + matchLabels: + app: bitwarden + replicas: 1 + template: + metadata: + labels: + app: bitwarden + spec: + containers: + - name: bitwarden + image: registry.durp.info/vaultwarden/server:1.35.4 + imagePullPolicy: Always + volumeMounts: + - name: bitwarden-pvc + mountPath: /data + subPath: bitwaren-data + ports: + - name: http + containerPort: 80 + env: + - name: SIGNUPS_ALLOWED + value: "FALSE" + - name: INVITATIONS_ALLOWED + value: "FALSE" + - name: WEBSOCKET_ENABLED + value: "TRUE" + - name: ROCKET_ENV + value: "staging" + - name: ROCKET_PORT + value: "80" + - name: ROCKET_WORKERS + value: "10" + - name: SECRET_USERNAME + valueFrom: + secretKeyRef: + name: bitwarden-secret + key: ADMIN_TOKEN + volumes: + - name: bitwarden-pvc + persistentVolumeClaim: + claimName: bitwarden-pvc diff --git a/infra/bitwarden/templates/ingress.yaml b/infra/bitwarden/templates/ingress.yaml new file mode 100644 index 0000000..f69bc78 --- /dev/null +++ b/infra/bitwarden/templates/ingress.yaml @@ -0,0 +1,30 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: bitwarden-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: bitwarden + port: 80 + tls: + secretName: bitwarden-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: bitwarden-tls +spec: + secretName: bitwarden-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "bitwarden.durp.info" + dnsNames: + - "bitwarden.durp.info" \ No newline at end of file diff --git a/infra/bitwarden/templates/secrets.yaml b/infra/bitwarden/templates/secrets.yaml new file mode 100644 index 0000000..45e2d64 --- /dev/null +++ b/infra/bitwarden/templates/secrets.yaml @@ -0,0 +1,23 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: bitwarden-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: bitwarden-secret + data: + - secretKey: ADMIN_TOKEN + remoteRef: + key: kv/bitwarden + property: admin_token + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + diff --git a/infra/bitwarden/templates/service.yaml b/infra/bitwarden/templates/service.yaml new file mode 100644 index 0000000..df30857 --- /dev/null +++ b/infra/bitwarden/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: bitwarden +spec: + ports: + - name: http + port: 80 + targetPort: 80 + protocol: TCP + selector: + app: bitwarden \ No newline at end of file diff --git a/infra/cert-manager/Chart.yaml b/infra/cert-manager/Chart.yaml new file mode 100644 index 0000000..7280af8 --- /dev/null +++ b/infra/cert-manager/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: cert-manager +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: cert-manager + repository: https://charts.jetstack.io + version: v1.17.2 diff --git a/infra/cert-manager/templates/issuer.yaml b/infra/cert-manager/templates/issuer.yaml new file mode 100644 index 0000000..6b889c7 --- /dev/null +++ b/infra/cert-manager/templates/issuer.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: issuer +secrets: + - name: issuer-token-lmzpj \ No newline at end of file diff --git a/infra/cert-manager/templates/letsencrypt.yaml b/infra/cert-manager/templates/letsencrypt.yaml new file mode 100644 index 0000000..0203412 --- /dev/null +++ b/infra/cert-manager/templates/letsencrypt.yaml @@ -0,0 +1,35 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + email: developerdurp@durp.info + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: cloudflare-api-token-secret + +--- + +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: vault-issuer +spec: + vault: + server: https://vault.infra.durp.info + caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzekNDQTV1Z0F3SUJBZ0lVWkV6enhxRXVZaUtIa0wxZGYrQ2IyMk5SUkpNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekl5TXpRME1sb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dJREVlTUJ3R0ExVUVBeE1WZG1GMWJIUXVhVzVtY21FdVpIVnljQzVwYm1adk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWtaTTB1ZTRiTWNtbUFUcytrR1lTcFIyaExVenEKc2NHSXdDdHFtYUtDTWJkMXhobWdqbklSM3p2U1JwdExSMkdWR3ZjMXRpNnFieTBqWFl2Y3FieGtIdmF5MDB6VwoyellOK00ybTRsWHB1V3pnMXQ2TkVvTzZYR0FzR2oydjB2Y1ZrdFBQVTl1ajByR1VWR1dXZnN2am9YcVFGZzVJCmpkeHN4SzlTdk12dzJYdEUzRmdLeHB6Q3l3OTRJbklIbGNQd0ZUTyszWmRLU3RabE1iVURJa21zekxCcldGY3IKWE9zUERmTHhxTXkwQ2svL0xLSXQ4ZGpoMzI1NEZIQjFHRzUra0krSlNXMW8rdFVjTDJOeW12SUlOd20vMmFjUwoxdVRtK2o5VzdpRVhhdjBwSk5tbSsvZHpTc2tjM1kwZnRNMGgySENYZ2l0QklhRVpuVVZuZU5IT0x3SURBUUFCCm80SUI3ekNDQWVzd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME8KQkJZRUZDYVEycTdqN0x5QkdFVEVaNXFhSkFkbElTS0NNQjhHQTFVZEl3UVlNQmFBRk8xakN5R2twRk8rUWlSMgpkZkJNV1ZZZVdyUTJNSUgwQmdnckJnRUZCUWNCQVFTQjV6Q0I1REF6QmdnckJnRUZCUWN3QVlZbmFIUjBjSE02Ckx5OHhPVEl1TVRZNExqSXdMakkxTXpvNE1qQXhMM1l4TDNCcmFTOXZZM053TUQwR0NDc0dBUVVGQnpBQmhqRm8KZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnJhUzl2WTNOdwpNREVHQ0NzR0FRVUZCekFDaGlWb2RIUndjem92THpFNU1pNHhOamd1TWpBdU1qVXpPamd5TURFdmRqRXZjR3RwCkwyTmhNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndjem92TDNKdmIzUXRkbUYxYkhRdWFXNTBaWEp1WVd3dVpIVnkKY0M1cGJtWnZMM1l4TDNCcmFTOWpZVEFnQmdOVkhSRUVHVEFYZ2hWMllYVnNkQzVwYm1aeVlTNWtkWEp3TG1sdQpabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3TGpJMU16bzRNakF4CkwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6T2k4dmNtOXZkQzEyWVhWc2RDNXBiblJsY201aGJDNWsKZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXVKK2xwbFkvK0E1TAo1THprbGpiS0RUeTNVNlBMdjFMdHhxVkNPRkdpSlhCblhNanRWVzA3YkJFVWFkekZSTlc4R0hRM3c1UXpPRzZrCi92RS9UcnJKaG83bDA1Si91YytCVXJQU05qZWZMbVFWNmhuNGpyUDg2UFIwdnpSZmJTcUtLQklJRDlNNyt6aTYKR0Z2SGxWa1NIc1F5TVFwN0pPb2F4OUtWelcyWStPSWd3N0xndzJ0UDEyMldDdDJTSUYwUWVub1pIc29XMGd1agp0elRKUm1KRGpuNlhlSjdMM0ZQa2YzN0g2dWIwSmczekJHcjZlb3JFRmZZWk5ONUNYZXpqcU1GQnBSZHE0VUlvCjFNM0E3bzN1eVpGY0ZzcC92R0RjTUJrd2FDc0JWOWlkdS9Id2t2R2FUVU5JMjg1aWxCT1JQRDBiTVpuQUNxLzkKK1EvY2RzTzVsZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lVUXdDQXM4MnNnU3VpYVZiakFOSFNjTzJEU2ZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TWpFeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBbjlmakdScXFGc3FndXo1Nlg2Y1had0VNdEQ5d0Vsd1NGQ2I0RmM4WVR6bEgKNGZWMTNRd1hLRVNMRS9RKzdidzR5NEZKUThCaUdOYnh4YlFPT2dXaGZHR2xReUZhMWxmaEp0WUxmcVJONUMyLwpTN25yMFl4REI5ZHVjNE9BRXhWTDZQcjQvS29jK3ZEWlkwM2w3Unp3bkYyQU9NOURqRlRBU3cwMVRwaENRalJrClUrdXBpTjJUVWhVUGVqVi9nTVIrelhNNnBuOThVQktHMWROdWJTMEh6QU13QUVYQVBtMTQxTkR5V1VDUFQ5KzMKNlAwM0thOG1VVHgzWDQ5T0N0dkpFR0VRYnRsblRGUWFPU2tQMXlMVytYUk1IdzNzUWFWMlBXWHU1ZkluYkVwWgorU3V6bWdMT1h0bVFObUhMYXY5cTFxZVRWa3BCR1BXdmZoMlZoMUpKaFFJREFRQUJvNElCNHpDQ0FkOHdEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSmFQMTdmMVp3MFYKNTVLczlVZjBVU1ZXbDBCUE1COEdBMVVkSXdRWU1CYUFGTzFqQ3lHa3BGTytRaVIyZGZCTVdWWWVXclEyTUlIMApCZ2dyQmdFRkJRY0JBUVNCNXpDQjVEQXpCZ2dyQmdFRkJRY3dBWVluYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3CkxqSTFNem80TWpBeEwzWXhMM0JyYVM5dlkzTndNRDBHQ0NzR0FRVUZCekFCaGpGb2RIUndjem92TDNKdmIzUXQKZG1GMWJIUXVhVzUwWlhKdVlXd3VaSFZ5Y0M1cGJtWnZMM1l4TDNCcmFTOXZZM053TURFR0NDc0dBUVVGQnpBQwpoaVZvZEhSd2N6b3ZMekU1TWk0eE5qZ3VNakF1TWpVek9qZ3lNREV2ZGpFdmNHdHBMMk5oTURzR0NDc0dBUVVGCkJ6QUNoaTlvZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnIKYVM5allUQVVCZ05WSFJFRURUQUxnZ2xrZFhKd0xtbHVabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMApjSE02THk4eE9USXVNVFk0TGpJd0xqSTFNem80TWpBeEwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6Ck9pOHZjbTl2ZEMxMllYVnNkQzVwYm5SbGNtNWhiQzVrZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFpcUFaNHpOSUVrQ1djdnBEUnEwVnlKdWs1OXNWdEpyNVg0RnNjSFExNzluRQpRYmJ2TWUrRUJERlM2WFFtbDFFbGo4amlQYS9ENU85T2M2SWlzbm01K3dlWkt3QXB6L2xRK1hWa1dMQ29FcGxCClpaOWZjV1ZDYk1MdDB4bHQ4cW41ei9tWUtmYkNUN1pDcURPK3ByUVp0K0FESmNRYmlrbmZyb0FBcUViTkt4d04KWTl1VXlPV05GM1N4SkVjaDR3MmR0WCtJRVZteGVabmhNeThPdVAwU1FLbDhhVzQwdWdpRzBaRDV5VEJCZk9EOQp6c3JHU1UvaVNhdG4wYjdiZXZCaGFMOTZoejEvck5SMWNMKzQvYWxiWDJocnI4UnYzL1NCMkRMdE5RbFFXMGxzCkFmaFhBcVA1ekwrWXRnZjFPZi9wVmRnbmh4cllVWTdSS0NTR1k1SGFndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMekNDQWhlZ0F3SUJBZ0lVTkhkdk96YW0ySFBWZHdYcE1IVXk0d2w4WlJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TVRVeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBOFhEVFZFdFJJMytrNHl1dnFWcWZJaUxSUUpjWGJtaGZWdEFlWWsrNWo5T3gKcDF3OVlIZG5QTHFMRnJEMVB6YWRqcVllQXAvZndsRUZmczZscXdvVFM4Uzl2aGFGcWNnQjU3blZNYjc3ZFRCYgovMDhYSFhPVTZGUFJqZEZLbTVRTXBTN3RuMVhhY1BNeS9vMGJLcVJSRVFlaXVGREdWUnl1RjVQVWd2V2MxZHZKCmwyN0p2dmdZa3RnamZwTlM0RGxDeGc0bEdYVDVhYnZhS2YyaG5yNjVlZ2FJby95UldOOXdudkF6UmlZN29jaTcKR0Exb0t6ODdZYzF0ZkwyZ2N5bnJ3Y2NPT0NGL2VVS2VzSlIxSTZHWE5rTi9hMWZjcitMZDlaOU5oSEJ0Tyt2RQpOOERzWlkra0c3REUzTTRCQ0NURlV6bGxjWUhqYVc0SGFGOXZaVytQWXdJREFRQUJvM2t3ZHpBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdXTUxJYVNrVTc1Q0pIWjEKOEV4WlZoNWF0RFl3SHdZRFZSMGpCQmd3Rm9BVTdXTUxJYVNrVTc1Q0pIWjE4RXhaVmg1YXREWXdGQVlEVlIwUgpCQTB3QzRJSlpIVnljQzVwYm1adk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVMvcVVJLzFZdjA3eFVUSzVrCnI5M2tDN0dTUHBtcGtYSXNmakNoQWw5M3NlYk4xNDNmdTcwTlVQNzRqakNjMFdrYjhoUm9mR2cxMEUrLzI0cjEKQUkwS3NMaHpLemZJQVN4VVZRQW44UlRwdExydWFhUExib1NBNE1VWjhJQjV5OFZ5OEUzL0t0RDBnRDgwajY0WQpybTlYR0hBMEhUSkhiUFVUYi9SdXgyZzBFN1d0aXlXU1dIOG1xemJlZ1U4SXJrTTNlVlQ0K3lsQkU3WWtmV0RECmR3NDRzQjcxdGZtREtweldnNlhRNllNaDBZZm55RzFmWUNqOUxodWVjTlk5VXVvNmNqRGFBdmt6TWV3V3dxRHgKUTJFa2FzOThEaTZpdENQOHZFVCtnQkRqZUNjK1hSNkh4NnZ6V214bFpod0R1eEVLTDFhMi9EYWJVeEp5TU56dgo1NUZuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + path: pki/sign/issue-homelab-certs + auth: + kubernetes: + mountPath: /v1/auth/kubernetes + role: issuer + secretRef: + name: issuer-token-lmzpj + key: token diff --git a/infra/cert-manager/templates/secretvault.yaml b/infra/cert-manager/templates/secretvault.yaml new file mode 100644 index 0000000..241e9a6 --- /dev/null +++ b/infra/cert-manager/templates/secretvault.yaml @@ -0,0 +1,23 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: cloudflare-api-token-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: cloudflare-api-token-secret + data: + - secretKey: cloudflare-api-token-secret + remoteRef: + key: kv/cert-manager + property: cloudflare-api-token-secret + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + diff --git a/infra/cert-manager/values.yaml b/infra/cert-manager/values.yaml new file mode 100644 index 0000000..295c5e6 --- /dev/null +++ b/infra/cert-manager/values.yaml @@ -0,0 +1,26 @@ +cert-manager: + crds: + enabled: true + image: + registry: registry.durp.info + repository: jetstack/cert-manager-controller + pullPolicy: Always + replicaCount: 3 + #extraArgs: + # - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 + # - --dns01-recursive-nameservers-only + #podDnsPolicy: None + #podDnsConfig: + # nameservers: + # - "1.1.1.1" + # - "1.0.0.1" + webhook: + image: + registry: registry.durp.info + repository: jetstack/cert-manager-webhook + pullPolicy: Always + cainjector: + image: + registry: registry.durp.info + repository: jetstack/cert-manager-cainjector + pullPolicy: Always diff --git a/infra/external-secrets/Chart.yaml b/infra/external-secrets/Chart.yaml new file mode 100644 index 0000000..48645c3 --- /dev/null +++ b/infra/external-secrets/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: external-secrets +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: external-secrets + repository: https://charts.external-secrets.io + version: 0.17.0 diff --git a/infra/external-secrets/templates/ca.yaml b/infra/external-secrets/templates/ca.yaml new file mode 100644 index 0000000..9b2a135 --- /dev/null +++ b/infra/external-secrets/templates/ca.yaml @@ -0,0 +1,81 @@ +apiVersion: v1 +data: + vault.pem: | + -----BEGIN CERTIFICATE----- + MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy + MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN + BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq + scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW + 2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I + jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr + XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS + 1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB + o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O + BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2 + dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6 + Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo + dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw + MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp + L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy + cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu + Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx + L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k + dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L + 5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k + /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6 + GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj + tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo + 1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9 + +Q/cdsO5lg== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH + 4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/ + S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk + U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3 + 6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ + +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD + VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V + 55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0 + BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw + LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt + dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC + hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF + BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br + aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0 + cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz + Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq + hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE + QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB + ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN + Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9 + zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls + AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox + p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb + /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ + l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7 + GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE + N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B + Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1 + 8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R + BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k + r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1 + AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y + rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD + dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx + Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv + 55Fn + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: ca-pemstore diff --git a/infra/external-secrets/values.yaml b/infra/external-secrets/values.yaml new file mode 100644 index 0000000..e61f2f1 --- /dev/null +++ b/infra/external-secrets/values.yaml @@ -0,0 +1,76 @@ +external-secrets: + global: + security: + allowInsecureImages: true + + log: + level: debug + replicaCount: 1 + revisionHistoryLimit: 1 + leaderElect: false + + installCRDs: true + crds: + createClusterExternalSecret: true + createClusterSecretStore: true + createClusterGenerator: true + createPushSecret: true + conversion: + enabled: false + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + # resources: + # requests: + # memory: 32Mi + # cpu: 10m + # limits: + # memory: 32Mi + # cpu: 10m + + webhook: + log: + level: debug + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + # resources: + # requests: + # memory: 32Mi + # cpu: 10m + # limits: + # memory: 32Mi + # cpu: 10m + + certController: + create: false + revisionHistoryLimit: 1 + log: + level: debug + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + tag: "" + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m diff --git a/infra/istio-system/Chart.yaml b/infra/istio-system/Chart.yaml new file mode 100644 index 0000000..7bb5fc3 --- /dev/null +++ b/infra/istio-system/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v2 +name: istio-system +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: base + repository: https://istio-release.storage.googleapis.com/charts + version: 1.29.0 +- name: istiod + repository: https://istio-release.storage.googleapis.com/charts + version: 1.26.2 +- name: gateway + repository: https://istio-release.storage.googleapis.com/charts + version: 1.26.2 diff --git a/infra/istio-system/templates/expose.yaml b/infra/istio-system/templates/expose.yaml new file mode 100644 index 0000000..34c77f7 --- /dev/null +++ b/infra/istio-system/templates/expose.yaml @@ -0,0 +1,70 @@ +#apiVersion: networking.istio.io/v1 +#kind: Gateway +#metadata: +# name: istiod-gateway +#spec: +# selector: +# istio: eastwestgateway +# servers: +# - port: +# name: tls-istiod +# number: 15012 +# protocol: tls +# tls: +# mode: PASSTHROUGH +# hosts: +# - "*" +# - port: +# name: tls-istiodwebhook +# number: 15017 +# protocol: tls +# tls: +# mode: PASSTHROUGH +# hosts: +# - "*" +#--- +#apiVersion: networking.istio.io/v1 +#kind: VirtualService +#metadata: +# name: istiod-vs +#spec: +# hosts: +# - "*" +# gateways: +# - istiod-gateway +# tls: +# - match: +# - port: 15012 +# sniHosts: +# - "*" +# route: +# - destination: +# host: istiod.istio-system.svc.cluster.local +# port: +# number: 15012 +# - match: +# - port: 15017 +# sniHosts: +# - "*" +# route: +# - destination: +# host: istiod.istio-system.svc.cluster.local +# port: +# number: 443 +--- +apiVersion: networking.istio.io/v1 +kind: Gateway +metadata: + name: cross-network-gateway +spec: + selector: + istio: eastwestgateway + servers: + - port: + number: 15443 + name: tls + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - "*.local" diff --git a/infra/istio-system/templates/issuer.yaml b/infra/istio-system/templates/issuer.yaml new file mode 100644 index 0000000..4480773 --- /dev/null +++ b/infra/istio-system/templates/issuer.yaml @@ -0,0 +1,8 @@ +#apiVersion: cert-manager.io/v1 +#kind: Issuer +#metadata: +# name: vault-issuer +# namespace: istio-system +#spec: +# ca: +# secretName: ca-key-pair diff --git a/infra/istio-system/values.yaml b/infra/istio-system/values.yaml new file mode 100644 index 0000000..5cd90bd --- /dev/null +++ b/infra/istio-system/values.yaml @@ -0,0 +1,10 @@ +istiod: + global: + network: network1 + meshID: mesh1 + multiCluster: + clusterName: infra + +gateway: + name: istio-eastwestgateway + networkGateway: network1 \ No newline at end of file diff --git a/kube-prometheus-stack/Chart.yaml b/infra/kube-prometheus-stack/Chart.yaml similarity index 56% rename from kube-prometheus-stack/Chart.yaml rename to infra/kube-prometheus-stack/Chart.yaml index 3cd9e24..d2de063 100644 --- a/kube-prometheus-stack/Chart.yaml +++ b/infra/kube-prometheus-stack/Chart.yaml @@ -7,6 +7,6 @@ version: 0.1.0 appVersion: "1.16.0" dependencies: -- name: kube-prometheus-stack - repository: https://prometheus-community.github.io/helm-charts - version: 40.5.0 + - name: kube-prometheus-stack + repository: https://prometheus-community.github.io/helm-charts + version: 77.10.0 diff --git a/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml b/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml new file mode 100644 index 0000000..3328c18 --- /dev/null +++ b/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml @@ -0,0 +1,46 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: vault-grafana-oauth +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: grafana-oauth + data: + - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID + remoteRef: + key: kv/grafana/oauth + property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID + - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET + remoteRef: + key: kv/grafana/oauth + property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: vault-admin-credentials +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: grafana-admin-credentials + data: + - secretKey: admin-password + remoteRef: + key: kv/grafana/admin + property: password + - secretKey: admin-user + remoteRef: + key: kv/grafana/admin + property: user diff --git a/kube-prometheus-stack/templates/ingress.yaml b/infra/kube-prometheus-stack/templates/ingress.yaml similarity index 61% rename from kube-prometheus-stack/templates/ingress.yaml rename to infra/kube-prometheus-stack/templates/ingress.yaml index caf0ee1..5638d6a 100644 --- a/kube-prometheus-stack/templates/ingress.yaml +++ b/infra/kube-prometheus-stack/templates/ingress.yaml @@ -1,4 +1,4 @@ -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: grafana-ingress @@ -6,16 +6,15 @@ spec: entryPoints: - websecure routes: - - match: Host(`grafana.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: grafana - port: 80 + - match: Host(`grafana.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: grafana + port: 80 tls: secretName: grafana-tls --- - apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -27,11 +26,10 @@ spec: kind: ClusterIssuer commonName: "grafana.durp.info" dnsNames: - - "grafana.durp.info" + - "grafana.durp.info" --- - -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: alertmanager-ingress @@ -39,21 +37,20 @@ spec: entryPoints: - websecure routes: - - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: prometheus-alertmanager - port: 9093 + - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: prometheus-alertmanager + port: 9093 tls: secretName: alertmanager-tls --- - apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -65,10 +62,9 @@ spec: kind: ClusterIssuer commonName: "alertmanager.durp.info" dnsNames: - - "alertmanager.durp.info" + - "alertmanager.durp.info" --- - kind: Service apiVersion: v1 metadata: @@ -77,4 +73,5 @@ metadata: external-dns.alpha.kubernetes.io/hostname: grafana.durp.info spec: type: ExternalName - externalName: durp.info \ No newline at end of file + externalName: durp.info + diff --git a/kube-prometheus-stack/values.yaml b/infra/kube-prometheus-stack/values.yaml similarity index 85% rename from kube-prometheus-stack/values.yaml rename to infra/kube-prometheus-stack/values.yaml index 19436ac..df68eba 100644 --- a/kube-prometheus-stack/values.yaml +++ b/infra/kube-prometheus-stack/values.yaml @@ -1,4 +1,4 @@ -kube-prometheus-stack: +kube-prometheus-stack: fullnameOverride: prometheus defaultRules: @@ -51,16 +51,16 @@ kube-prometheus-stack: userKey: admin-user passwordKey: admin-password ingress: - enabled: false + enabled: false grafana.ini: server: root_url: https://grafana.durp.info auth.generic_oauth: - enabled: true - scopes: openid profile email - auth_url: https://authentik.durp.info/application/o/authorize/ - token_url: https://authentik.durp.info/application/o/token/ - api_url: https://authentik.durp.info/application/o/userinfo/ + enabled: true + scopes: openid profile email + auth_url: https://authentik.durp.info/application/o/authorize/ + token_url: https://authentik.durp.info/application/o/token/ + api_url: https://authentik.durp.info/application/o/userinfo/ envFromSecret: "grafana-oauth" kubeApiServer: @@ -77,10 +77,10 @@ kube-prometheus-stack: kubeControllerManager: enabled: true - endpoints: # ips of servers - - 192.168.20.121 - - 192.168.20.122 - - 192.168.20.123 + endpoints: # ips of servers + - 192.168.12.11 + - 192.168.12.12 + - 192.168.12.13 coreDns: enabled: false @@ -91,9 +91,9 @@ kube-prometheus-stack: kubeEtcd: enabled: true endpoints: # ips of servers - - 192.168.20.121 - - 192.168.20.122 - - 192.168.20.123 + - 192.168.12.11 + - 192.168.12.12 + - 192.168.12.13 service: enabled: true port: 2381 @@ -102,16 +102,16 @@ kube-prometheus-stack: kubeScheduler: enabled: true endpoints: # ips of servers - - 192.168.20.121 - - 192.168.20.122 - - 192.168.20.123 + - 192.168.12.11 + - 192.168.12.12 + - 192.168.12.13 kubeProxy: enabled: true endpoints: # ips of servers - - 192.168.20.121 - - 192.168.20.122 - - 192.168.20.123 + - 192.168.12.11 + - 192.168.12.12 + - 192.168.12.13 kubeStateMetrics: enabled: true @@ -190,14 +190,14 @@ kube-prometheus-stack: retention: 6h enableAdminAPI: true walCompression: true - storageSpec: + storageSpec: volumeClaimTemplate: spec: - storageClassName: nfs-storage + storageClassName: longhorn accessModes: ["ReadWriteMany"] resources: requests: - storage: 50Gi + storage: 20Gi thanosRuler: enabled: false diff --git a/infra/litellm/Chart.yaml b/infra/litellm/Chart.yaml new file mode 100644 index 0000000..1444a2c --- /dev/null +++ b/infra/litellm/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: litellm +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: + - name: "litellm-helm" + version: 0.1.643 + repository: oci://ghcr.io/berriai/litellm-helm diff --git a/infra/litellm/values.yaml b/infra/litellm/values.yaml new file mode 100644 index 0000000..b7ce066 --- /dev/null +++ b/infra/litellm/values.yaml @@ -0,0 +1,197 @@ +litellm: + # Default values for litellm. + # This is a YAML-formatted file. + # Declare variables to be passed into your templates. + + replicaCount: 1 + + image: + # Use "ghcr.io/berriai/litellm-database" for optimized image with database + repository: ghcr.io/berriai/litellm-database + pullPolicy: Always + # Overrides the image tag whose default is the chart appVersion. + # tag: "main-latest" + tag: "" + + imagePullSecrets: [] + nameOverride: "litellm" + fullnameOverride: "" + + serviceAccount: + # Specifies whether a service account should be created + create: false + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + podAnnotations: {} + podLabels: {} + + # At the time of writing, the litellm docker image requires write access to the + # filesystem on startup so that prisma can install some dependencies. + podSecurityContext: {} + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: false + # runAsNonRoot: true + # runAsUser: 1000 + + # A list of Kubernetes Secret objects that will be exported to the LiteLLM proxy + # pod as environment variables. These secrets can then be referenced in the + # configuration file (or "litellm" ConfigMap) with `os.environ/` + environmentSecrets: [] + # - litellm-env-secret + + # A list of Kubernetes ConfigMap objects that will be exported to the LiteLLM proxy + # pod as environment variables. The ConfigMap kv-pairs can then be referenced in the + # configuration file (or "litellm" ConfigMap) with `os.environ/` + environmentConfigMaps: [] + # - litellm-env-configmap + + service: + type: ClusterIP + port: 4000 + + ingress: + enabled: false + className: "nginx" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: api.example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + # masterkey: changeit + + # The elements within proxy_config are rendered as config.yaml for the proxy + # Examples: https://github.com/BerriAI/litellm/tree/main/litellm/proxy/example_config_yaml + # Reference: https://docs.litellm.ai/docs/proxy/configs + proxy_config: + model_list: + # At least one model must exist for the proxy to start. + - model_name: gpt-3.5-turbo + litellm_params: + model: gpt-3.5-turbo + api_key: eXaMpLeOnLy + - model_name: fake-openai-endpoint + litellm_params: + model: openai/fake + api_key: fake-key + api_base: https://exampleopenaiendpoint-production.up.railway.app/ + general_settings: + master_key: os.environ/PROXY_MASTER_KEY + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + # Additional volumes on the output Deployment definition. + volumes: [] + # - name: foo + # secret: + # secretName: mysecret + # optional: false + + # Additional volumeMounts on the output Deployment definition. + volumeMounts: [] + # - name: foo + # mountPath: "/etc/foo" + # readOnly: true + + nodeSelector: {} + + tolerations: [] + + affinity: {} + + db: + # Use an existing postgres server/cluster + useExisting: false + + # How to connect to the existing postgres server/cluster + endpoint: localhost + database: litellm + url: postgresql://$(DATABASE_USERNAME):$(DATABASE_PASSWORD)@$(DATABASE_HOST)/$(DATABASE_NAME) + secret: + name: postgres + usernameKey: username + passwordKey: password + + # Use the Stackgres Helm chart to deploy an instance of a Stackgres cluster. + # The Stackgres Operator must already be installed within the target + # Kubernetes cluster. + # TODO: Stackgres deployment currently unsupported + useStackgresOperator: false + + # Use the Postgres Helm chart to create a single node, stand alone postgres + # instance. See the "postgresql" top level key for additional configuration. + deployStandalone: true + + # Settings for Bitnami postgresql chart (if db.deployStandalone is true, ignored + # otherwise) + postgresql: + architecture: standalone + auth: + username: litellm + database: litellm + + # You should override these on the helm command line with + # `--set postgresql.auth.postgres-password=,postgresql.auth.password=` + password: NoTaGrEaTpAsSwOrD + postgres-password: NoTaGrEaTpAsSwOrD + + # A secret is created by this chart (litellm-helm) with the credentials that + # the new Postgres instance should use. + # existingSecret: "" + # secretKeys: + # userPasswordKey: password + + # requires cache: true in config file + # either enable this or pass a secret for REDIS_HOST, REDIS_PORT, REDIS_PASSWORD or REDIS_URL + # with cache: true to use existing redis instance + redis: + enabled: false + architecture: standalone + + # Prisma migration job settings + migrationJob: + enabled: true # Enable or disable the schema migration Job + retries: 3 # Number of retries for the Job in case of failure + backoffLimit: 4 # Backoff limit for Job restarts + disableSchemaUpdate: false # Skip schema migrations for specific environments. When True, the job will exit with code 0. + annotations: {} + ttlSecondsAfterFinished: 120 + + # Additional environment variables to be added to the deployment + envVars: { + # USE_DDTRACE: "true" + } + diff --git a/infra/longhorn/Chart.yaml b/infra/longhorn/Chart.yaml new file mode 100644 index 0000000..c699fa5 --- /dev/null +++ b/infra/longhorn/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: longhorn-system +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: +- name: longhorn + repository: https://charts.longhorn.io + version: 1.9.0 diff --git a/infra/longhorn/templates/ingress.yaml b/infra/longhorn/templates/ingress.yaml new file mode 100644 index 0000000..ad4ebd3 --- /dev/null +++ b/infra/longhorn/templates/ingress.yaml @@ -0,0 +1,34 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: longhorn-ingress + annotations: + cert-manager.io/cluster-issuer: vault-issuer +spec: + entryPoints: + - websecure + routes: + - match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`) + kind: Rule + middlewares: + #- name: authentik-proxy-provider + # namespace: traefik + services: + - name: longhorn-frontend + port: 80 + tls: + secretName: longhorn-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: longhorn-tls +spec: + secretName: longhorn-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "longhorn.infra.durp.info" + dnsNames: + - "longhorn.infra.durp.info" diff --git a/infra/longhorn/templates/secrets.yaml b/infra/longhorn/templates/secrets.yaml new file mode 100644 index 0000000..e3d18af --- /dev/null +++ b/infra/longhorn/templates/secrets.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + +--- + +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: external-longhorn-backup-token-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: longhorn-backup-token-secret + data: + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: kv/longhorn/backup + property: AWS_ACCESS_KEY_ID + - secretKey: AWS_ENDPOINTS + remoteRef: + key: kv/longhorn/backup + property: AWS_ENDPOINTS + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: kv/longhorn/backup + property: AWS_SECRET_ACCESS_KEY diff --git a/infra/longhorn/values.yaml b/infra/longhorn/values.yaml new file mode 100644 index 0000000..e34a1ee --- /dev/null +++ b/infra/longhorn/values.yaml @@ -0,0 +1,192 @@ +longhorn: + global: + cattle: + systemDefaultRegistry: "" + + image: + longhorn: + engine: + repository: longhornio/longhorn-engine + manager: + repository: longhornio/longhorn-manager + ui: + repository: longhornio/longhorn-ui + instanceManager: + repository: longhornio/longhorn-instance-manager + shareManager: + repository: longhornio/longhorn-share-manager + backingImageManager: + repository: longhornio/backing-image-manager + csi: + attacher: + repository: longhornio/csi-attacher + provisioner: + repository: longhornio/csi-provisioner + nodeDriverRegistrar: + repository: longhornio/csi-node-driver-registrar + resizer: + repository: longhornio/csi-resizer + snapshotter: + repository: longhornio/csi-snapshotter + pullPolicy: Always + + service: + ui: + type: ClusterIP + nodePort: null + manager: + type: ClusterIP + nodePort: "" + loadBalancerIP: "" + loadBalancerSourceRanges: "" + + persistence: + defaultClass: true + defaultFsType: ext4 + defaultClassReplicaCount: 3 + defaultDataLocality: disabled # best-effort otherwise + reclaimPolicy: Delete + migratable: false + recurringJobSelector: + enable: true + jobList: '[ + { + "name":"backup", + "task":"backup", + "cron":"0 0 * * *", + "retain":24 + } + ]' + backingImage: + enable: false + name: ~ + dataSourceType: ~ + dataSourceParameters: ~ + expectedChecksum: ~ + + csi: + kubeletRootDir: ~ + attacherReplicaCount: ~ + provisionerReplicaCount: ~ + resizerReplicaCount: ~ + snapshotterReplicaCount: ~ + + defaultSettings: + backupTarget: S3://longhorn-master@us-east-1/ + backupTargetCredentialSecret: longhorn-backup-token-secret + allowRecurringJobWhileVolumeDetached: ~ + createDefaultDiskLabeledNodes: ~ + defaultDataPath: ~ + defaultDataLocality: ~ + replicaSoftAntiAffinity: ~ + replicaAutoBalance: ~ + storageOverProvisioningPercentage: ~ + storageMinimalAvailablePercentage: ~ + upgradeChecker: ~ + defaultReplicaCount: ~ + defaultLonghornStaticStorageClass: longhorn + backupstorePollInterval: ~ + taintToleration: ~ + systemManagedComponentsNodeSelector: ~ + priorityClass: ~ + autoSalvage: ~ + autoDeletePodWhenVolumeDetachedUnexpectedly: ~ + disableSchedulingOnCordonedNode: ~ + replicaZoneSoftAntiAffinity: ~ + nodeDownPodDeletionPolicy: ~ + allowNodeDrainWithLastHealthyReplica: ~ + mkfsExt4Parameters: ~ + disableReplicaRebuild: ~ + replicaReplenishmentWaitInterval: ~ + concurrentReplicaRebuildPerNodeLimit: ~ + disableRevisionCounter: ~ + systemManagedPodsImagePullPolicy: ~ + allowVolumeCreationWithDegradedAvailability: ~ + autoCleanupSystemGeneratedSnapshot: ~ + concurrentAutomaticEngineUpgradePerNodeLimit: ~ + backingImageCleanupWaitInterval: ~ + backingImageRecoveryWaitInterval: ~ + guaranteedEngineManagerCPU: ~ + guaranteedReplicaManagerCPU: ~ + kubernetesClusterAutoscalerEnabled: ~ + orphanAutoDeletion: ~ + storageNetwork: ~ + privateRegistry: + createSecret: ~ + registryUrl: ~ + registryUser: ~ + registryPasswd: ~ + registrySecret: ~ + + longhornManager: + priorityClass: ~ + tolerations: [] + ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + nodeSelector: {} + ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + + longhornDriver: + priorityClass: ~ + tolerations: [] + ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + nodeSelector: {} + ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + + longhornUI: + priorityClass: ~ + tolerations: [] + ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + nodeSelector: {} + ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + # + + ingress: + enabled: false + + ## Specify override namespace, specifically this is useful for using longhorn as sub-chart + ## and its release namespace is not the `longhorn-system` + namespaceOverride: "" + + # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional. + annotations: {} + + serviceAccount: + # Annotations to add to the service account + annotations: {} + diff --git a/infra/metallb-system/Chart.yaml b/infra/metallb-system/Chart.yaml new file mode 100644 index 0000000..c92e842 --- /dev/null +++ b/infra/metallb-system/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: metallb-system +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: +- name: metallb + repository: https://metallb.github.io/metallb + version: 0.15.2 diff --git a/infra/metallb-system/templates/config.yaml b/infra/metallb-system/templates/config.yaml new file mode 100644 index 0000000..457130f --- /dev/null +++ b/infra/metallb-system/templates/config.yaml @@ -0,0 +1,17 @@ +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: cheap +spec: + addresses: + - 192.168.12.130-192.168.12.140 +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: pool + namespace: metallb-system +spec: + ipAddressPools: + - cheap + diff --git a/infra/metallb-system/values.yaml b/infra/metallb-system/values.yaml new file mode 100644 index 0000000..e69de29 diff --git a/infra/nebula-sync/Chart.yaml b/infra/nebula-sync/Chart.yaml new file mode 100644 index 0000000..114f728 --- /dev/null +++ b/infra/nebula-sync/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: nebula-sync +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" diff --git a/infra/nebula-sync/templates/deployment.yaml b/infra/nebula-sync/templates/deployment.yaml new file mode 100644 index 0000000..51e2607 --- /dev/null +++ b/infra/nebula-sync/templates/deployment.yaml @@ -0,0 +1,73 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: nebula-sync + name: nebula-sync + labels: + app: nebula-sync +spec: + selector: + matchLabels: + app: nebula-sync + replicas: 1 + template: + metadata: + labels: + app: nebula-sync + spec: + containers: + - name: nebula-sync + image: registry.durp.info/lovelaze/nebula-sync:latest + imagePullPolicy: Always + env: + - name: PRIMARY + valueFrom: + secretKeyRef: + name: nebula-sync-secret + key: primary + - name: REPLICAS + valueFrom: + secretKeyRef: + name: nebula-sync-secret + key: replicas + - name: FULL_SYNC + value: "false" + - name: RUN_GRAVITY + value: "false" + - name: CRON + value: "*/15 * * * *" + - name: CLIENT_SKIP_TLS_VERIFICATION + value: "true" + - name: TZ + value: America/Chicago + - name: SYNC_CONFIG_DNS + value: "true" + - name: SYNC_CONFIG_DHCP + value: "true" + - name: SYNC_CONFIG_NTP + value: "true" + - name: SYNC_CONFIG_RESOLVER + value: "true" + - name: SYNC_CONFIG_DATABASE + value: "true" + - name: SYNC_CONFIG_MISC + value: "true" + - name: SYNC_CONFIG_DEBUG + value: "true" + - name: SYNC_GRAVITY_DHCP_LEASES + value: "true" + - name: SYNC_GRAVITY_GROUP + value: "true" + - name: SYNC_GRAVITY_AD_LIST + value: "true" + - name: SYNC_GRAVITY_AD_LIST_BY_GROUP + value: "true" + - name: SYNC_GRAVITY_DOMAIN_LIST + value: "true" + - name: SYNC_GRAVITY_DOMAIN_LIST_BY_GROUP + value: "true" + - name: SYNC_GRAVITY_CLIENT + value: "true" + - name: SYNC_GRAVITY_CLIENT_BY_GROUP + value: "true" + diff --git a/infra/nebula-sync/templates/secrets.yaml b/infra/nebula-sync/templates/secrets.yaml new file mode 100644 index 0000000..3ab65df --- /dev/null +++ b/infra/nebula-sync/templates/secrets.yaml @@ -0,0 +1,27 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: nebula-sync-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: nebula-sync-secret + data: + - secretKey: primary + remoteRef: + key: kv/pihole + property: primary + - secretKey: replicas + remoteRef: + key: kv/pihole + property: replicas + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + diff --git a/infra/nfs/Chart.yaml b/infra/nfs/Chart.yaml new file mode 100644 index 0000000..1a9ffb9 --- /dev/null +++ b/infra/nfs/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: nfs-csi +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: +- name: csi-driver-nfs + repository: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts + version: 4.11.0 diff --git a/infra/openclarity/Chart.yaml b/infra/openclarity/Chart.yaml new file mode 100644 index 0000000..e4028f3 --- /dev/null +++ b/infra/openclarity/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: openclarity +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: + - name: openclarity + repository: oci://ghcr.io/openclarity/charts + version: 1.1.3 diff --git a/infra/openclarity/templates/secret.yaml b/infra/openclarity/templates/secret.yaml new file mode 100644 index 0000000..51ba410 --- /dev/null +++ b/infra/openclarity/templates/secret.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + +--- + +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: openclarity-postgres-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: openclarity-postgres-secret + data: + - secretKey: username + remoteRef: + key: kv/openclarity/postgres + property: username + - secretKey: postgres-password + remoteRef: + key: kv/openclarity/postgres + property: password + - secretKey: password + remoteRef: + key: kv/openclarity/postgres + property: password + - secretKey: database + remoteRef: + key: kv/openclarity/postgres + property: database diff --git a/infra/openclarity/values.yaml b/infra/openclarity/values.yaml new file mode 100644 index 0000000..c8f1629 --- /dev/null +++ b/infra/openclarity/values.yaml @@ -0,0 +1,915 @@ +openclarity: + global: + imageRegistry: registry.durp.info + + apiserver: + # -- Number of replicas for the API Server + replicas: 1 + + database: + postgresql: + # -- Enable/disable Postgresql database + enabled: true + externalPostgresql: + # -- Enable/disable external Postgresql database + enabled: false + # -- External Postgreqsl database host + host: "" + # -- External Postgresql database port + port: 5432 + auth: + # -- Name of existing secret to use for PostgreSQL credentials that has the following keys: + # username + # password + # database + existingSecret: "" + + image: + # -- API Server image registry + registry: ghcr.io + # -- API Server image repository + repository: openclarity/openclarity-api-server + # -- API Server image tag (immutable tags are recommended) + tag: latest + # -- API Server image digest. If set will override the tag. + digest: "" + # -- API Server image pull policy + pullPolicy: IfNotPresent + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + # -- API Server log level + logLevel: info + + resources: + # -- The resources limits for the apiserver containers + limits: {} + # -- The requested resources for the apiserver containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + orchestrator: + # -- Number of replicas for the Orchestrator service + # Currently 1 supported. + replicas: 1 + + image: + # -- Orchestrator image registry + registry: ghcr.io + # -- Orchestrator image repository + repository: openclarity/openclarity-orchestrator + # -- Orchestrator image tag (immutable tags are recommended) + tag: latest + # -- Orchestrator image digest. If set will override the tag. + digest: "" + # -- Orchestrator image pull policy + pullPolicy: IfNotPresent + + podSecurityContext: + # -- Whether Orchestrator pod security context is enabled + enabled: true + # -- Orchestrator pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + # -- Orchestrator service log level + logLevel: info + + resources: + # -- The resources limits for the orchestrator containers + limits: {} + # -- The requested resources for the orchestrator containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: true + + # -- Global policy used to determine when to clean up an AssetScan. + # Possible options are: + # Always - All AssetScans are cleaned up + # OnSuccess - Only Successful AssetScans are cleaned up, Failed ones are left for debugging + # Never - No AssetScans are cleaned up + deleteJobPolicy: Always + + scannerImage: + # -- Scanner Container image registry + registry: ghcr.io + # -- Scanner Container image repository + repository: openclarity/openclarity-cli + # -- Scanner Container image tag (immutable tags are recommended) + tag: latest + # -- Scanner Container image digest. If set will override the tag. + digest: "" + + # -- Address that scanners can use to reach back to the API server + scannerApiserverAddress: "" + + # -- Address that scanners can use to reach back to the Exploits server + exploitsDBAddress: "" + + # -- Address that scanners can use to reach trivy server + trivyServerAddress: "" + + # -- Address that scanners can use to reach the grype server + grypeServerAddress: "" + + # -- Address that scanners can use to reach the freshclam mirror + freshclamMirrorAddress: "" + + # -- Address that scanner can use to reach the yara rule server + yaraRuleServerAddress: "" + + # -- Which provider driver to enable. + # If enabling the Kubernetes provider ensure that the orchestrator + # serviceAccount section is configured to allow access to the Kubernetes API. + provider: "kubernetes" + + kubernetes: {} + + # Only for testing purposes + docker: {} + + ui: + # -- Number of replicas for the UI service + replicas: 1 + + image: + # -- UI image registry + registry: ghcr.io + # -- UI image repository + repository: openclarity/openclarity-ui + # -- UI image tag + tag: latest + # -- UI image digest. If set will override the tag + digest: "" + # -- UI Image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the UI containers + limits: {} + # -- The requested resources for the UI containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: true + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 101 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 101 + # -- Group ID which the containers should run as + runAsGroup: 101 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + uibackend: + # -- Number of replicas for the UI Backend service + replicas: 1 + + image: + # -- UI Backend image registry + registry: ghcr.io + # -- UI Backend image repository + repository: openclarity/openclarity-ui-backend + # -- UI Backend image tag + tag: latest + # -- UI Backend image digest. If set will override the tag. + digest: "" + # -- UI Backend image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the UI backend containers + limits: {} + # -- The requested resources for the UI backend containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + # -- Log level for the UI backend service + logLevel: info + + gateway: + # -- Number of replicas for the gateway + replicas: 1 + + image: + # -- Gateway service container registry + registry: docker.io + # -- Gateway service container repository + repository: nginxinc/nginx-unprivileged + # -- Gateway service container tag + tag: 1.29.0 + # -- Gateway image digest. If set will override the tag. + digest: "" + # -- Gateway service container pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the gateway containers + limits: {} + # -- The requested resources for the gateway containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 101 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 101 + # -- Group ID which the containers should run as + runAsGroup: 101 + # -- Whether the containers should run as a non-root user + runAsNonRoot: false + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + service: + # -- Service type: ClusterIP, NodePort, LoadBalancer + type: ClusterIP + # -- Port configurations + ports: + http: 80 + # -- NodePort configurations + nodePorts: + http: "" + # -- Dedicated IP address used for service + clusterIP: "" + # -- Annotations set for service + annotations: {} + # -- External Traffic Policy configuration + # Set the field to Cluster to route external traffic to all ready endpoints and Local to only route to ready node + # local endpoints. + externalTrafficPolicy: Cluster + + ingress: + # -- Be careful when using ingress. As there is no authentication on openclarity, your instance may be accessible. + # Make sure the ingress remains internal if you decide to enable it. + enabled: false + labels: {} + annotations: {} + + # -- Optionally use ingressClassName instead of default ingress class. + ingressClassName: "" + + hosts: + # Hostname you want to use to access the UI + - host: chart-example.local + # paths will default to: + # paths: + # - pathType: Prefix + # path: / + paths: [] + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + postgresql: + image: + # -- Postgresql container registry + registry: docker.io + # -- Postgresql container repository + repository: bitnami/postgresql + # -- Postgresql container tag + tag: 16.6.0-debian-12-r1 + # -- Postgresql image digest. If set will override the tag. + digest: "" + # -- Postgresql container image pull policy + pullPolicy: IfNotPresent + primary: + # -- Postgresql container resource preset + # For more info see: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + resourcesPreset: "small" + + resources: + # -- The resources limits for the postgresql containers + limits: {} + # -- The requested resources for the postgresql containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + auth: + existingSecret: openclarity-postgres-secret + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + service: + ports: + # -- PostgreSQL service port + postgresql: 5432 + + exploitDBServer: + # -- Number of replicas for the exploit-db-server service + replicas: 1 + + image: + # -- Exploit DB Server container registry + registry: ghcr.io + # -- Exploit DB Server container repository + repository: openclarity/exploit-db-server + # -- Exploit DB Server container tag + tag: v0.3.0 + # -- Exploit DB Server image digest. If set will override the tag. + digest: "" + # -- Exploit DB Server image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the exploit-db-server containers + limits: {} + # -- The requested resources for the exploit-db-server containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: false + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + trivyServer: + # -- Number of replicas for the trivy server service + replicas: 1 + + image: + # -- Trivy Server container registry + registry: docker.io + # -- Trivy Server container repository + repository: aquasec/trivy + # -- Trivy Server container tag + tag: 0.69.3 + # -- Trivy Server image digest. If set will override the tag. + digest: "" + # -- Trivy Server image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the trivy server containers + limits: {} + # -- The requested resources for the trivy server containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + grypeServer: + # -- Number of replicas for the grype server service + replicas: 1 + + image: + # -- Grype server container registry + registry: ghcr.io + # -- Grype server container repository + repository: openclarity/grype-server + # -- Grype server container tag + tag: v0.7.5 + # -- Grype server image digest. If set will override the tag. + digest: "" + # -- Grype server image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the grype server containers + limits: {} + # -- The requested resources for the grype server containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: true + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: true + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + # -- Log level for the grype-server service + logLevel: info + + freshclamMirror: + # -- Number of replicas for the freshclam mirror service + replicas: 1 + + image: + # -- Freshclam Mirror container registry + registry: ghcr.io + # -- Freshclam Mirror container repository + repository: openclarity/freshclam-mirror + # -- Freshclam Mirror container tag + tag: v0.3.1 + # -- Freshclam Mirror image digest. If set will override the tag. + digest: "" + # -- Freshclam Mirror image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the freshclam mirror containers + limits: {} + # -- The requested resources for the freshclam mirror containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: false + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: false + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + swaggerUI: + # -- Number of replicas for the swagger-ui service + replicas: 1 + + image: + # -- Swagger UI container registry + registry: docker.io + # -- Swagger UI container repository + repository: swaggerapi/swagger-ui + # -- Swagger UI container tag + tag: v5.26.2 + # -- Swagger UI image digest. If set will override the tag. + digest: "" + # -- Swagger UI image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the swagger ui containers + limits: {} + # -- The requested resources for the swagger ui containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: false + # -- Pod security context fsGroup + fsGroup: 101 + + containerSecurityContext: + # -- Container security context enabled + enabled: false + # -- User ID which the containers should run as + runAsUser: 0 + # -- Group ID which the containers should run as + runAsGroup: 0 + # -- Whether the containers should run as a non-root user + runAsNonRoot: false + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + yaraRuleServer: + # -- Number of replicas for the Yara Rule Server service + replicas: 1 + + image: + # -- Yara Rule Server container registry + registry: ghcr.io + # -- Yara Rule Server container repository + repository: openclarity/yara-rule-server + # -- Yara Rule Server container tag + tag: v0.3.0 + # -- Yara Rule Server image digest. If set will override the tag. + digest: "" + # -- Yara Rule Server image pull policy + pullPolicy: IfNotPresent + + resources: + # -- The resources limits for the Yara Rule Server containers + limits: {} + # -- The requested resources for the Yara Rule Server containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + #false -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: false + # -- Pod security context fsGroup + fsGroup: 1001 + + containerSecurityContext: + # -- Container security context enabled + enabled: false + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL + + crDiscoveryServer: + nodeSelector: {} + tolerations: [] + affinity: {} + image: + # -- Container Runtime Discovery Server container registry + registry: ghcr.io + # -- Container Runtime Discovery Server container repository + repository: openclarity/openclarity-cr-discovery-server + # -- Container Runtime Discovery Server container tag + tag: latest + # -- Container Runtime Discovery Server image digest. If set will override the tag. + digest: "" + # -- Container Runtime Discovery Server image pull policy + pullPolicy: IfNotPresent + + # -- Environment variables to set in the Container Runtime Discovery Server container + env: [] + # - name: CONTAINERD_SOCK_ADDRESS + # value: /var/run/containerd/containerd.sock + containerRuntimePaths: + - name: containerd + path: /var/run/containerd + readOnly: true + - name: k3s-containerd + path: /run/k3s/containerd + readOnly: true + - name: docker + path: /var/lib/docker + readOnly: true + - name: crio + path: /var/run/crio + readOnly: true + - name: crio-lib + path: /var/lib/containers + - name: crio-run + path: /var/run/containers + - name: crio-containers + path: /etc/containers + readOnly: true + resources: + # -- The resources limits for the container runtime discovery server containers + limits: {} + # -- The requested resources for the container runtime discovery server containers + requests: {} + + serviceAccount: + # -- Enable creation of ServiceAccount + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, it will use the component's calculated name. + name: "" + # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. + # Can be set to false if pods using this serviceAccount do not need to use K8s API. + automountServiceAccountToken: false + + podSecurityContext: + # -- Pod security context enabled + enabled: false + # -- Pod security context fsGroup + fsGroup: 1001 + + # In order to use CRI-O runtime you need to run OpenClarity + # with the following configuration: + # + # containerSecurityContext: + # enabled: true + # privileged: true + # readOnlyRootFilesystem: false + containerSecurityContext: + # -- Container security context enabled + enabled: false + # -- User ID which the containers should run as + runAsUser: 1001 + # -- Group ID which the containers should run as + runAsGroup: 1001 + # -- Whether the containers should run as a non-root user + runAsNonRoot: true + # -- Whether the container should run in privileged mode + privileged: false + # -- Force the child process to run as non-privileged + allowPrivilegeEscalation: false + # -- Mounts the container file system as ReadOnly + readOnlyRootFilesystem: true + capabilities: + # -- List of capabilities to be dropped + drop: + - ALL \ No newline at end of file diff --git a/infra/portainer/Chart.yaml b/infra/portainer/Chart.yaml new file mode 100644 index 0000000..6bedd0a --- /dev/null +++ b/infra/portainer/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: portainer +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: + - name: portainer + repository: https://portainer.github.io/k8s/ + version: 2.33.6 diff --git a/infra/portainer/templates/ingress.yaml b/infra/portainer/templates/ingress.yaml new file mode 100644 index 0000000..c1e0e38 --- /dev/null +++ b/infra/portainer/templates/ingress.yaml @@ -0,0 +1,30 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: portainer-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`portainer.internal.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: portainer + port: 9000 + tls: + secretName: portainer-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: portainer-tls +spec: + secretName: portainer-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "portainer.internal.durp.info" + dnsNames: + - "portainer.internal.durp.info" diff --git a/infra/portainer/values.yaml b/infra/portainer/values.yaml new file mode 100644 index 0000000..a3779f7 --- /dev/null +++ b/infra/portainer/values.yaml @@ -0,0 +1,78 @@ +portainer: + replicaCount: 1 + image: + repository: registry.durp.info/portainer/portainer-ce + tag: 2.39.1 + pullPolicy: Always + + imagePullSecrets: [] + + nodeSelector: {} + tolerations: [] + + serviceAccount: + annotations: {} + name: portainer-sa-clusteradmin + + # This flag provides the ability to enable or disable RBAC-related resources during the deployment of the Portainer application + # If you are using Portainer to manage the K8s cluster it is deployed to, this flag must be set to true + localMgmt: true + + service: + # Set the httpNodePort and edgeNodePort only if the type is NodePort + # For Ingress, set the type to be ClusterIP and set ingress.enabled to true + # For Cloud Providers, set the type to be LoadBalancer + type: NodePort + httpPort: 9000 + httpsPort: 9443 + httpNodePort: 30777 + httpsNodePort: 30779 + edgePort: 8000 + edgeNodePort: 30776 + annotations: {} + + tls: + # If set, Portainer will be configured to use TLS only + force: false + # If set, will mount the existing secret into the pod + existingSecret: "" + + trusted_origins: + # If set, Portainer will be configured to trust the domains specified in domains + enabled: false + # specify (in a comma-separated list) the domain(s) used to access Portainer when it is behind a reverse proxy + # example: portainer.mydomain.com,portainer.example.com + domains: "" + + mtls: + # If set, Portainer will be configured to use mTLS only + enable: false + # If set, will mount the existing secret into the pod + existingSecret: "" + + feature: + flags: [] + + ingress: + enabled: false + ingressClassName: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # Only use below if tls.force=true + # nginx.ingress.kubernetes.io/backend-protocol: HTTPS + # Note: Hosts and paths are of type array + hosts: + - host: + paths: [] + # - path: "/" + tls: [] + + resources: {} + + persistence: + enabled: true + size: "10Gi" + annotations: {} + storageClass: longhorn + existingClaim: + diff --git a/infra/renovate/Chart.yaml b/infra/renovate/Chart.yaml new file mode 100644 index 0000000..b20d1e8 --- /dev/null +++ b/infra/renovate/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v2 +name: renovate +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: + - name: renovate + repository: https://docs.renovatebot.com/helm-charts + version: 39.264.0 + alias: "renovate-personal" diff --git a/infra/renovate/templates/secrets.yaml b/infra/renovate/templates/secrets.yaml new file mode 100644 index 0000000..d42ab7e --- /dev/null +++ b/infra/renovate/templates/secrets.yaml @@ -0,0 +1,62 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: renovate-config-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: renovate-config-secret + data: + - secretKey: renovate.json + remoteRef: + key: kv/renovate + property: config + - secretKey: RENOVATE_AUTODISCOVER + remoteRef: + key: kv/renovate + property: RENOVATE_AUTODISCOVER + - secretKey: RENOVATE_ENDPOINT + remoteRef: + key: kv/renovate + property: RENOVATE_ENDPOINT + - secretKey: RENOVATE_GIT_AUTHOR + remoteRef: + key: kv/renovate + property: RENOVATE_GIT_AUTHOR + - secretKey: RENOVATE_PLATFORM + remoteRef: + key: kv/renovate + property: RENOVATE_PLATFORM + - secretKey: RENOVATE_TOKEN + remoteRef: + key: kv/renovate + property: RENOVATE_TOKEN + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: renovate-personal-config-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: renovate-personal-config-secret + data: + - secretKey: RENOVATE_TOKEN + remoteRef: + key: kv/renoatePersonal + property: RENOVATE_TOKEN + - secretKey: RENOVATE_GITHUB_COM_TOKEN + remoteRef: + key: kv/renoatePersonal + property: RENOVATE_GITHUB_COM_TOKEN diff --git a/infra/renovate/values.yaml b/infra/renovate/values.yaml new file mode 100644 index 0000000..4754bc7 --- /dev/null +++ b/infra/renovate/values.yaml @@ -0,0 +1,330 @@ +renovate-personal: + global: + # -- Additional labels to be set on all renovate resources + commonLabels: {} + compatibility: + openshift: + # -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: `auto` (apply if the detected running cluster is Openshift), `force` (perform the adaptation always), `disabled` (do not perform adaptation) + adaptSecurityContext: "auto" + + # -- Override the name of the chart + nameOverride: "" + # -- Override the fully qualified app name + fullnameOverride: "" + # -- Annotations to add to secret + secretAnnotations: {} + + cronjob: + # -- Schedules the job to run using cron notation + schedule: "0 1 * * *" # At 01:00 every day + # -- You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) + timeZone: "" # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for valid names + # -- If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions. + suspend: false + # -- Annotations to set on the cronjob + annotations: {} + # -- Labels to set on the cronjob + labels: {} + # -- "Allow" to allow concurrent runs, "Forbid" to skip new runs if a previous run is still running or "Replace" to replace the previous run + concurrencyPolicy: "" + # -- "Number of successful completions is reached to mark the job as complete" + completions: "" + # -- "Where the jobs should be NonIndexed or Indexed" + completionMode: "" + # -- Amount of failed jobs to keep in history + failedJobsHistoryLimit: "" + # -- Amount of completed jobs to keep in history + successfulJobsHistoryLimit: "" + # -- Set to Never to restart the job when the pod fails or to OnFailure to restart when a container fails + jobRestartPolicy: Never + # -- Time to keep the job after it finished before automatically deleting it + ttlSecondsAfterFinished: "" + # -- Deadline for the job to finish + activeDeadlineSeconds: "" + # -- Number of times to retry running the pod before considering the job as being failed + jobBackoffLimit: "" + # -- Maximal number of failures per index + backoffLimitPerIndex: "" + # -- Maximal number of failed indexes before terminating the Job execution + maxFailedIndexes: "" + # -- Deadline to start the job, skips execution if job misses it's configured deadline + startingDeadlineSeconds: "" + # -- Additional initContainers that can be executed before renovate + initContainers: [] + # initContainers: + # - name: INIT_CONTAINER_NAME + # image: INIT_CONTAINER_IMAGE + # -- Number of pods to run in parallel + parallelism: "" + # -- Custom command to run in the container + commandOverride: [] + # -- Custom arguments to run in the container + argsOverride: [] + # -- Prepend shell commands before renovate runs + #preCommand: '' + #preCommand: | + # ls /config + # cat /config/renovate.json + + postCommand: "" + # postCommand: | + # echo hello + # echo world + + pod: + # -- Annotations to set on the pod + annotations: {} + # -- Labels to set on the pod + labels: {} + + image: + # -- Registry to pull image from + registry: registry.durp.info + # -- Image name to pull + repository: renovatebot/renovate + # -- Renovate image tag to pull + #tag: 39.264.0 + # -- "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images + pullPolicy: Always + # -- Set `true` to use the full image. See https://docs.renovatebot.com/getting-started/running/#the-full-image + useFull: false + + # -- Secret to use to pull the image from the repository + imagePullSecrets: {} + + renovate: + # -- Custom exiting global renovate config + #existingConfigFile: "/config/renovate.json" + # -- Inline global renovate config.json + config: | + { + "platform": "gitlab", + "endpoint": "https://gitlab.durp.info/api/v4", + "autodiscover": true, + "dryRun": null, + "printConfig": false, + "autodiscoverFilter": ["durfy/**"], + "assignees": ["durp"] + } + # See https://docs.renovatebot.com/self-hosted-configuration + # config: | + # { + # "": "gitlab", + # "endpoint": "https://gitlab.example.com/api/v4", + # "token": "your-gitlab-renovate-user-token", + # "autodiscover": "false", + # "dryRun": true, + # "printConfig": true, + # "repositories": ["username/repo", "orgname/repo"] + # } + + # -- Use the Helm tpl function on your configuration. See README for how to use this value + configEnableHelmTpl: false + + # -- Use this to create the renovate-config as a secret instead of a configmap + configIsSecret: true + + # -- Use this to create a config.js instead of a config.json + configIsJavaScript: false + + # -- Renovate Container-level security-context + securityContext: {} + + # Instead of a file system cache, it is highly recommended to use the redis subchart. + # Alternatively, SQLite is also a good choice. + # Take a look at https://github.com/renovatebot/renovate/discussions/30525 for more information. + # -- Options related to persistence + persistence: + cache: + # -- Allow the cache to persist between runs + enabled: false + # -- Storage class of the cache PVC + storageClass: "" + # -- Storage size of the cache PVC + storageSize: "512Mi" + # -- Existing volume, enables binding the pvc to an existing volume + volumeName: "" + # -- Labels to set on the cache PVC + labels: {} + + ssh_config: + # -- Whether to enable the use and creation of a secret containing .ssh files + enabled: false + + # Provide .ssh config file contents + # -- Contents of the id_rsa file + id_rsa: "" + # -- Contents of the id_rsa_pub file + id_rsa_pub: "" + # -- Contents of the config file + config: "" + + # or provide the name of an existing secret to be read instead. + # -- Name of the existing secret containing a valid .ssh configuration + existingSecret: "" + + # -- Environment variables that should be referenced from a k8s secret, cannot be used when existingSecret is set + secrets: {} + # -- k8s secret to reference environment variables from. Overrides secrets if set + existingSecret: "renovate-personal-config-secret" + + # -- Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config + extraConfigmaps: [] + # extraConfigmaps: + # - name: netrc-config + # data: + # .netrc: |- + # machine gitlab.example.com + # login gitlab-ci-token + # password some-pass + # - name: yet-another-config + # data: + # ya-config.yaml: |- + # "key"="value" + # "key1"="value1" + + #extraVolumes: + # - name: renovate-config-secret + # secretName: + # name: renovate-config-secret + # items: + # - key: renovate.json + # path: renovate.json + + #extraVolumeMounts: + # - name: renovate-config-secret + # mountPath: /config + # subPath: renovate.json + + # -- Additional containers to the pod + extraContainers: [] + # extraContainers: + # - name: vault-agent + # image: vault:1.6.2 + # args: + # - agent + # - -config + # - /vault/config/config.hcl + # env: + # - name: VAULT_ADDR + # value: https://vault:8200 + # - name: VAULT_SKIP_VERIFY + # value: "false" + # - name: VAULT_CACERT + # value: /vault/tls/ca.crt + + serviceAccount: + # -- Specifies whether a service account should be created + create: false + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use + # If not set and create is true, a name is generated using the fullname template + name: "" + + # -- Specify resource limits and requests for the renovate container + resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # -- Environment variables to add from existing secrets/configmaps. Uses the keys as variable name + envFrom: [] + # envFrom: + # - secretRef: + # name: env-secrets + # - configMapRef: + # name: env-configmap + + # -- Environment variables to set on the renovate container + env: + RENOVATE_AUTODISCOVER: true + #LOG_LEVEL: debug + # env: + # VARIABLE_NAME: "value" + + # -- Additional env. Helpful too if you want to use anything other than a `value` source. + envList: [] + # envList: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + + redis: + # Configuration for a Redis subchart. Additional documentation at + # https://github.com/bitnami/charts/tree/master/bitnami/redis + + # -- Enable the Redis subchart? + enabled: false + + # -- Override the prefix of the redisHost + nameOverride: "" + + # -- Disable replication by default + architecture: standalone + + auth: + # -- Don't require a password by default + enabled: false + + # -- Override Kubernetes version for redis chart + kubeVersion: "" + + # -- Override hostname resolution + hostAliases: [] + # See: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ + # hostAliases: + # - ip: "your-ip" + # hostnames: + # - "your-hostname" + + # -- Pod-level security-context + securityContext: {} + + # -- Select the node using labels to specify where the cronjob pod should run on + nodeSelector: {} + # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # renovate: true + + # -- Configure the pod(Anti)Affinity and/or node(Anti)Affinity + affinity: {} + # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + + # -- Configure which node taints the pod should tolerate + tolerations: [] + # See: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + + # -- Create extra manifests via values. Would be passed through `tpl` for templating + extraObjects: [] + # extraObjects: + # - apiVersion: external-secrets.io/v1 + # kind: ExternalSecret + # metadata: + # name: '{{ include "renovate.fullname" . }}-token' + # spec: + # secretStoreRef: + # name: default + # data: + # - secretKey: token + # remoteRef: + # key: github-token + # - | + # apiVersion: v1 + # kind: ConfigMap + # metadata: + # name: {{ include "renovate.fullname" . }}-config + # data: + # config.json: | + # { + # "platform": "github", + # "repositories": ["username/repo", "orgname/repo"] + # } diff --git a/infra/traefik/Chart.yaml b/infra/traefik/Chart.yaml new file mode 100644 index 0000000..1df1d76 --- /dev/null +++ b/infra/traefik/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: traefik +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: traefik + repository: https://traefik.github.io/charts + version: 34.5.0 diff --git a/traefik/templates/middlewares.yaml b/infra/traefik/templates/middleware.yaml similarity index 69% rename from traefik/templates/middlewares.yaml rename to infra/traefik/templates/middleware.yaml index aaf45ab..e888129 100644 --- a/traefik/templates/middlewares.yaml +++ b/infra/traefik/templates/middleware.yaml @@ -1,11 +1,11 @@ -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: - name: authentik-proxy-provider - namespace: traefik + name: authentik-proxy-provider + namespace: traefik spec: forwardAuth: - address: http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + address: http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri trustForwardHeader: true authResponseHeaders: - X-authentik-username @@ -19,10 +19,8 @@ spec: - X-authentik-meta-provider - X-authentik-meta-app - X-authentik-meta-version - --- - -apiVersion: traefik.containo.us/v1alpha1 +apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: name: whitelist @@ -30,5 +28,6 @@ metadata: spec: ipWhiteList: sourceRange: - - 192.168.20.1/32 + - 192.168.0.0/16 + - 172.16.0.0/12 - 10.0.0.0/8 diff --git a/infra/traefik/values.yaml b/infra/traefik/values.yaml new file mode 100644 index 0000000..3c75dd1 --- /dev/null +++ b/infra/traefik/values.yaml @@ -0,0 +1,53 @@ +traefik: + image: + registry: registry.durp.info + repository: traefik + pullPolicy: Always + + providers: + kubernetesCRD: + allowCrossNamespace: true + allowExternalNameServices: true + allowEmptyServices: false + + deployment: + replicas: 3 + revisionHistoryLimit: 1 + + ingressRoute: + dashboard: + enabled: true + + additionalArguments: + - "--serversTransport.insecureSkipVerify=true" + - "--log.level=DEBUG" + - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin + - --experimental.plugins.jwt.version=v0.7.0 + + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + policies: + - type: Pods + value: 1 + periodSeconds: 60 + + + # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. + resources: + requests: + cpu: "100m" + memory: "512Mi" + limits: + memory: "512Mi" diff --git a/infra/vault/Chart.yaml b/infra/vault/Chart.yaml new file mode 100644 index 0000000..412c292 --- /dev/null +++ b/infra/vault/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: vault +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: vault + repository: https://helm.releases.hashicorp.com + version: 0.30.0 + diff --git a/infra/vault/templates/ingress.yaml b/infra/vault/templates/ingress.yaml new file mode 100644 index 0000000..547cde8 --- /dev/null +++ b/infra/vault/templates/ingress.yaml @@ -0,0 +1,33 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: vault-ingress + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production +spec: + entryPoints: + - websecure + routes: + - match: Host(`vault.infra.durp.info`) + kind: Rule + services: + - name: vault + port: 8200 + scheme: https + tls: + secretName: vault-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: vault-tls +spec: + secretName: vault-tls + issuerRef: + name: vault-issuer + kind: ClusterIssuer + commonName: "vault.infra.durp.info" + dnsNames: + - "vault.infra.durp.info" diff --git a/infra/vault/templates/sa.yaml b/infra/vault/templates/sa.yaml new file mode 100644 index 0000000..e298701 --- /dev/null +++ b/infra/vault/templates/sa.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: issuer diff --git a/infra/vault/templates/secret-store.yaml b/infra/vault/templates/secret-store.yaml new file mode 100644 index 0000000..f17884e --- /dev/null +++ b/infra/vault/templates/secret-store.yaml @@ -0,0 +1,17 @@ +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: + name: vault +spec: + provider: + vault: + server: "https://vault.infra.durp.info" + path: "kv" + version: "v2" + auth: + kubernetes: + mountPath: "kubernetes" + role: "external-secrets" + serviceAccountRef: + name: "vault" + diff --git a/infra/vault/values.yaml b/infra/vault/values.yaml new file mode 100644 index 0000000..913df48 --- /dev/null +++ b/infra/vault/values.yaml @@ -0,0 +1,140 @@ +vault: + global: + enabled: true + tlsDisable: false + resources: + requests: + memory: 256Mi + cpu: 250m + limits: + memory: 256Mi + cpu: 250m + + server: + image: + repository: "hashicorp/vault" + # These Resource Limits are in line with node requirements in the + # Vault Reference Architecture for a Small Cluster + #resources: + # requests: + # memory: 8Gi + # cpu: 2000m + # limits: + # memory: 16Gi + # cpu: 2000m + + # For HA configuration and because we need to manually init the vault, + # we need to define custom readiness/liveness Probe settings + readinessProbe: + enabled: true + path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204" + livenessProbe: + enabled: true + path: "/v1/sys/health?standbyok=true" + initialDelaySeconds: 60 + + # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be + # used to include variables required for auto-unseal. + extraEnvironmentVars: + VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca + + extraSecretEnvironmentVars: + - envName: VAULT_TOKEN + secretName: autounseal + secretKey: VAULT_TOKEN + + volumes: + - name: userconfig-vault-server-tls + secret: + defaultMode: 420 + secretName: vault-server-tls + + volumeMounts: + - mountPath: /vault/userconfig/vault-server-tls + name: userconfig-vault-server-tls + readOnly: true + + # This configures the Vault Statefulset to create a PVC for audit logs. + # See https://www.vaultproject.io/docs/audit/index.html to know more + auditStorage: + enabled: true + + standalone: + enabled: false + + config: | + disable_mlock = true + ui = true + listener "tcp" { + address = "[::]:8200" + cluster_address = "[::]:8201" + tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" + tls_key_file = "/vault/userconfig/vault-server-tls/vault.key" + } + + seal "transit" { + address = "https://root-vault.internal.durp.info" + disable_renewal = "false" + key_name = "autounseal" + mount_path = "transit/" + tls_skip_verify = "true" + } + + storage "raft" { + path = "/vault/data" + } + + # Run Vault in "HA" mode. + ha: + enabled: true + replicas: 3 + raft: + enabled: true + setNodeId: true + + config: | + ui = true + cluster_name = "vault-integrated-storage" + listener "tcp" { + address = "[::]:8200" + cluster_address = "[::]:8201" + tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" + tls_key_file = "/vault/userconfig/vault-server-tls/vault.key" + } + + seal "transit" { + address = "https://root-vault.internal.durp.info" + disable_renewal = "false" + key_name = "autounseal" + mount_path = "transit/" + tls_skip_verify = "true" + } + + storage "raft" { + path = "/vault/data" + retry_join { + leader_api_addr = "https://vault-0.vault-internal:8200" + leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca" + leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" + leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key" + } + retry_join { + leader_api_addr = "https://vault-1.vault-internal:8200" + leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca" + leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" + leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key" + } + retry_join { + leader_api_addr = "https://vault-2.vault-internal:8200" + leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca" + leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" + leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key" + } + } + + # Vault UI + ui: + enabled: false + serviceType: "LoadBalancer" + serviceNodePort: null + externalPort: 8200 diff --git a/internalproxy/templates/argocd.yaml b/internalproxy/templates/argocd.yaml deleted file mode 100644 index 15dfaf9..0000000 --- a/internalproxy/templates/argocd.yaml +++ /dev/null @@ -1,46 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: argocd-ingress - annotations: - cert-manager.io/cluster-issuer: letsencrypt-production -spec: - entryPoints: - - websecure - routes: - - match: Host(`argocd.internal.durp.info`) - middlewares: - - name: whitelist - namespace: traefik - kind: Rule - services: - - name: argocd-server - port: 443 - scheme: https - tls: - secretName: argocd-tls - ---- - -kind: Service -apiVersion: v1 -metadata: - name: argocd-server -spec: - type: ExternalName - externalName: argocd-server.argocd.svc.cluster.local - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: argocd-tls -spec: - secretName: argocd-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "argocd.internal.durp.info" - dnsNames: - - "argocd.internal.durp.info" \ No newline at end of file diff --git a/internalproxy/templates/duplicati-ingress.yaml b/internalproxy/templates/duplicati-ingress.yaml deleted file mode 100644 index d51c391..0000000 --- a/internalproxy/templates/duplicati-ingress.yaml +++ /dev/null @@ -1,70 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: duplicati -spec: - ports: - - name: app - port: 8200 - protocol: TCP - targetPort: 8200 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: duplicati -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 8200 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: duplicati-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: duplicati - port: 8200 - - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) - kind: Rule - services: - - name: ak-outpost-authentik-embedded-outpost - namespace: authentik - port: 9000 - tls: - secretName: duplicati-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: duplicati-tls -spec: - secretName: duplicati-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "duplicati.internal.durp.info" - dnsNames: - - "duplicati.internal.durp.info" \ No newline at end of file diff --git a/internalproxy/templates/gitea.yaml b/internalproxy/templates/gitea.yaml deleted file mode 100644 index 8443aaf..0000000 --- a/internalproxy/templates/gitea.yaml +++ /dev/null @@ -1,9 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: gitea-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: gitea.durp.info -spec: - type: ExternalName - externalName: durp.info \ No newline at end of file diff --git a/internalproxy/templates/guac.yaml b/internalproxy/templates/guac.yaml deleted file mode 100644 index a69b685..0000000 --- a/internalproxy/templates/guac.yaml +++ /dev/null @@ -1,71 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: guac-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: guac.durp.info -spec: - type: ExternalName - externalName: durp.info - ---- - -apiVersion: v1 -kind: Service -metadata: - name: guac -spec: - ports: - - name: app - port: 8082 - protocol: TCP - targetPort: 8082 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: guac -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 8082 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: guac-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`guac.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: guac - port: 8082 - tls: - secretName: guac-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: guac-tls -spec: - secretName: guac-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "guac.durp.info" - dnsNames: - - "guac.durp.info" \ No newline at end of file diff --git a/internalproxy/templates/jellyfin.yaml b/internalproxy/templates/jellyfin.yaml deleted file mode 100644 index 61d86a5..0000000 --- a/internalproxy/templates/jellyfin.yaml +++ /dev/null @@ -1,9 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: jellyfin-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: jellyfin.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/internalproxy/templates/kasm.yaml b/internalproxy/templates/kasm.yaml deleted file mode 100644 index 28b25ae..0000000 --- a/internalproxy/templates/kasm.yaml +++ /dev/null @@ -1,9 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: kasm-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: kasm.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/internalproxy/templates/plex.yaml b/internalproxy/templates/plex.yaml deleted file mode 100644 index 2e70286..0000000 --- a/internalproxy/templates/plex.yaml +++ /dev/null @@ -1,9 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: plex-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: plex.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/internalproxy/templates/registry-internal.yaml b/internalproxy/templates/registry-internal.yaml deleted file mode 100644 index a1c584f..0000000 --- a/internalproxy/templates/registry-internal.yaml +++ /dev/null @@ -1,59 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: registry-internal -spec: - ports: - - name: app - port: 5001 - protocol: TCP - targetPort: 5001 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: registry-internal -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 5001 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: registry-internal-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`registry.internal.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: registry-internal - port: 5001 - tls: - secretName: registry-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: registry-internal-tls -spec: - secretName: registry-internal-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "registry.durp.info" - dnsNames: - - "registry.durp.info" diff --git a/internalproxy/templates/registry.yaml b/internalproxy/templates/registry.yaml deleted file mode 100644 index b4ac19a..0000000 --- a/internalproxy/templates/registry.yaml +++ /dev/null @@ -1,71 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: registry -spec: - ports: - - name: app - port: 5000 - protocol: TCP - targetPort: 5000 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: registry -subsets: -- addresses: - - ip: 192.168.20.253 - ports: - - name: app - port: 5000 - protocol: TCP - ---- - -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: registry-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`registry.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: registry - port: 5000 - tls: - secretName: registry-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: registry-tls -spec: - secretName: registry-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "registry.durp.info" - dnsNames: - - "registry.durp.info" - ---- - -kind: Service -apiVersion: v1 -metadata: - name: registry-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: registry.durp.info -spec: - type: ExternalName - externalName: durp.info \ No newline at end of file diff --git a/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml b/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml deleted file mode 100644 index 716d4e5..0000000 --- a/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vault-grafana-oauth -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: grafana-oauth - data: - - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID - remoteRef: - key: secrets/kube-prometheus/grafana/oauth - property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID - - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET - remoteRef: - key: secrets/kube-prometheus/grafana/oauth - property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET - ---- - -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vault-admin-credentials -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: grafana-admin-credentials - data: - - secretKey: admin-password - remoteRef: - key: secrets/kube-prometheus/grafana/admin - property: admin-password - - secretKey: admin-user - remoteRef: - key: secrets/kube-prometheus/grafana/admin - property: admin-user diff --git a/kubeclarity/templates/ingress.yaml b/kubeclarity/templates/ingress.yaml deleted file mode 100644 index 77b67a7..0000000 --- a/kubeclarity/templates/ingress.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: kubeclarity-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`kubeclarity.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: kubeclarity-kubeclarity - port: 8080 - tls: - secretName: kubeclarity-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: kubeclarity-tls -spec: - secretName: kubeclarity-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "kubeclarity.durp.info" - dnsNames: - - "kubeclarity.durp.info" - ---- - -kind: Service -apiVersion: v1 -metadata: - name: kubeclarity-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: kubeclarity.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/kubeclarity/values.yaml b/kubeclarity/values.yaml deleted file mode 100644 index 0bb5078..0000000 --- a/kubeclarity/values.yaml +++ /dev/null @@ -1,235 +0,0 @@ -kubeclarity: - global: - databasePassword: kubeclarity - docker: - registry: "registry.internal.durp.info/openclarity" - tag: "latest" - imagePullPolicy: Always - - curl: - image: - registry: "registry.internal.durp.info" - repository: curlimages/curl - tag: 7.87.0 - - kubeclarity: - docker: - imageName: "" - - logLevel: warning - - enableDBInfoLog: false - - prometheus: - enabled: false - - podAnnotations: {} - - service: - type: ClusterIP - port: 8080 - annotations: {} - - ingress: - enabled: false - - resources: - requests: - memory: "200Mi" - cpu: "100m" - limits: - memory: "1000Mi" - cpu: "1000m" - - initContainers: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "200Mi" - cpu: "200m" - - kubeclarity-runtime-scan: - httpsProxy: "" - httpProxy: "" - resultServicePort: 8888 - - labels: - app: kubeclarity-scanner - sidecar.istio.io/inject: "false" - - namespace: "" - - registry: - skipVerifyTlS: "false" - useHTTP: "false" - - cis-docker-benchmark-scanner: - resources: - requests: - memory: "50Mi" - cpu: "50m" - limits: - memory: "1000Mi" - cpu: "1000m" - - vulnerability-scanner: - resources: - requests: - memory: "50Mi" - cpu: "50m" - limits: - memory: "1000Mi" - cpu: "1000m" - - analyzer: - analyzerList: "syft gomod trivy" - analyzerScope: "squashed" - - trivy: - enabled: true - timeout: "300" - - scanner: - scannerList: "grype trivy" - - grype: - enabled: true - mode: "REMOTE" - - remote-grype: - timeout: "2m" - - dependency-track: - enabled: false - insecureSkipVerify: "true" - disableTls: "true" - apiserverAddress: "dependency-track-apiserver.dependency-track" - apiKey: "" - - trivy: - enabled: true - timeout: "300" - - kubeclarity-grype-server: - enabled: true - - docker: - imageRepo: "registry.internal.durp.info/openclarity" - imageTag: "v0.6.0" - imagePullPolicy: Always - - logLevel: warning - - servicePort: 9991 - - resources: - requests: - cpu: "200m" - memory: "200Mi" - limits: - cpu: "1000m" - memory: "1G" - - kubeclarity-trivy-server: - enabled: true - - ## Docker Image values. - image: - registry: registry.internal.durp.info - repository: aquasec/trivy - tag: 0.44.1 - pullPolicy: Always - - persistence: - enabled: false - - podSecurityContext: - runAsUser: 1001 - runAsNonRoot: true - fsGroup: 1001 - - securityContext: - privileged: false - readOnlyRootFilesystem: true - - trivy: - debugMode: false - - service: - port: 9992 - - resources: - requests: - cpu: "200m" - memory: "200Mi" - limits: - cpu: "1000m" - memory: "1G" - - - kubeclarity-sbom-db: - docker: - imageName: "" - logLevel: warning - - servicePort: 8080 - - resources: - requests: - memory: "20Mi" - cpu: "10m" - limits: - memory: "1Gi" - cpu: "200m" - - kubeclarity-postgresql: - enabled: true - - image: - registry: registry.internal.durp.info - repository: bitnami/postgresql - tag: 14.6.0-debian-11-r31 - - auth: - existingSecret: kubeclarity-postgresql-secret - username: postgres - database: kubeclarity - sslMode: disable - - service: - ports: - postgresql: 5432 - - serviceAccount: - enabled: true - securityContext: - enabled: true - fsGroup: 1001 - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsNonRoot: true - volumePermissions: - enabled: false - securityContext: - runAsUser: 1001 - shmVolume: - chmod: - enabled: true - - resources: - requests: - memory: "256Mi" - cpu: "250m" - limits: - memory: "1000Mi" - cpu: "1000m" - - kubeclarity-postgresql-external: - enabled: false - - kubeclarity-postgresql-secret: - create: true - secretKey: "postgres-password" diff --git a/longhorn/templates/ingress.yaml b/longhorn/templates/ingress.yaml deleted file mode 100644 index df2e071..0000000 --- a/longhorn/templates/ingress.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: longhorn-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`longhorn.internal.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: longhorn-frontend - port: 80 - - match: Host(`longhorn.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) - kind: Rule - services: - - name: ak-outpost-authentik-embedded-outpost - namespace: authentik - port: 9000 - tls: - secretName: longhorn-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: longhorn-tls -spec: - secretName: longhorn-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "longhorn.internal.durp.info" - dnsNames: - - "longhorn.internal.durp.info" diff --git a/metallb-system/values.yaml b/metallb-system/values.yaml deleted file mode 100644 index 260551d..0000000 --- a/metallb-system/values.yaml +++ /dev/null @@ -1,197 +0,0 @@ -metallb: - imagePullSecrets: [] - nameOverride: "" - fullnameOverride: "" - loadBalancerClass: "" - - rbac: - create: true - - prometheus: - scrapeAnnotations: false - metricsPort: 7472 - speakerMetricsTLSSecret: "" - controllerMetricsTLSSecret: "" - rbacPrometheus: true - serviceAccount: "" - namespace: "" - rbacProxy: - repository: gcr.io/kubebuilder/kube-rbac-proxy - tag: v0.12.0 - pullPolicy: - podMonitor: - enabled: false - additionalLabels: {} - annotations: {} - jobLabel: "app.kubernetes.io/name" - interval: - metricRelabelings: [] - relabelings: [] - serviceMonitor: - enabled: false - speaker: - additionalLabels: {} - annotations: {} - tlsConfig: - insecureSkipVerify: true - controller: - additionalLabels: {} - annotations: {} - tlsConfig: - insecureSkipVerify: true - jobLabel: "app.kubernetes.io/name" - interval: - metricRelabelings: [] - relabelings: [] - prometheusRule: - enabled: false - additionalLabels: {} - annotations: {} - staleConfig: - enabled: true - labels: - severity: warning - configNotLoaded: - enabled: true - labels: - severity: warning - addressPoolExhausted: - enabled: true - labels: - severity: alert - addressPoolUsage: - enabled: true - thresholds: - - percent: 75 - labels: - severity: warning - - percent: 85 - labels: - severity: warning - - percent: 95 - labels: - severity: alert - bgpSessionDown: - enabled: true - labels: - severity: alert - - extraAlerts: [] - - controller: - enabled: true - # -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` - logLevel: info - image: - repository: quay.io/metallb/controller - tag: - pullPolicy: - strategy: - type: RollingUpdate - serviceAccount: - create: true - name: "" - annotations: {} - securityContext: - runAsNonRoot: true - runAsUser: 65534 - fsGroup: 65534 - resources: {} - nodeSelector: {} - tolerations: [] - priorityClassName: "" - runtimeClassName: "" - affinity: {} - podAnnotations: {} - labels: {} - livenessProbe: - enabled: true - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - enabled: true - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - tlsMinVersion: "VersionTLS12" - tlsCipherSuites: "" - - extraContainers: [] - - speaker: - enabled: true - logLevel: debug - tolerateMaster: true - memberlist: - enabled: true - mlBindPort: 7946 - mlBindAddrOverride: "" - mlSecretKeyPath: "/etc/ml_secret_key" - excludeInterfaces: - enabled: true - ignoreExcludeLB: false - - image: - repository: quay.io/metallb/speaker - tag: - pullPolicy: - updateStrategy: - type: RollingUpdate - serviceAccount: - create: true - name: "" - annotations: {} - securityContext: {} - resources: {} - nodeSelector: {} - tolerations: [] - priorityClassName: "" - affinity: {} - runtimeClassName: "" - podAnnotations: {} - labels: - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/warn: privileged - livenessProbe: - enabled: true - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - enabled: true - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - startupProbe: - enabled: true - failureThreshold: 30 - periodSeconds: 5 - frr: - enabled: true - image: - repository: quay.io/frrouting/frr - tag: 9.0.2 - pullPolicy: - metricsPort: 7473 - resources: {} - reloader: - resources: {} - frrMetrics: - resources: {} - extraContainers: [] - crds: - enabled: true - validationFailurePolicy: Fail - frrk8s: - enabled: false - diff --git a/prd/.gitlab/.gitlab-ci.yml b/prd/.gitlab/.gitlab-ci.yml new file mode 100644 index 0000000..99ddf7b --- /dev/null +++ b/prd/.gitlab/.gitlab-ci.yml @@ -0,0 +1,95 @@ +stages: + - plan + - apply + - destroy + +variables: + WORKDIR: $CI_PROJECT_DIR/prd/terraform + GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/prd + +image: + name: registry.durp.info/opentofu/opentofu:latest + entrypoint: [""] + +.tf-init: + before_script: + - cd $WORKDIR + - tofu init + -reconfigure + -backend-config="address=${GITLAB_TF_ADDRESS}" + -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" + -backend-config="username=gitlab-ci-token" + -backend-config="password=${CI_JOB_TOKEN}" + -backend-config="lock_method=POST" + -backend-config="unlock_method=DELETE" + -backend-config="retry_wait_min=5" + +format: + stage: .pre + allow_failure: false + script: + - cd $WORKDIR + - tofu fmt -diff -check -write=false + rules: + - changes: + - "prd/terraform/*.tf" + +validate: + stage: .pre + allow_failure: false + extends: .tf-init + script: + - tofu validate + rules: + - changes: + - "prd/terraform/*.tf" + +plan-prd-infrastructure: + stage: plan + variables: + PLAN: plan.tfplan + JSON_PLAN_FILE: tfplan.json + ENVIRONMENT_NAME: prd + allow_failure: false + extends: .tf-init + script: + - apk add --update curl jq + - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" + - tofu plan -out=$PLAN $ARGUMENTS + - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE + artifacts: + reports: + terraform: $WORKDIR/$JSON_PLAN_FILE + needs: ["validate","format"] + rules: + - changes: + - "prd/terraform/*.tf" + +apply-prd-infrastructure: + stage: apply + variables: + ENVIRONMENT_NAME: prd + allow_failure: false + extends: .tf-init + script: + - tofu apply -auto-approve $ARGUMENTS + rules: + - changes: + - "prd/terraform/*.tf" + when: manual + needs: ["plan-prd-infrastructure"] + +destroy-prd-infrastructure: + stage: destroy + variables: + ENVIRONMENT_NAME: prd + allow_failure: false + extends: .tf-init + script: + - tofu destroy -auto-approve $ARGUMENTS + rules: + - changes: + - "prd/terraform/*.tf" + when: manual + needs: ["plan-prd-infrastructure"] diff --git a/prd/cert-manager/Chart.yaml b/prd/cert-manager/Chart.yaml new file mode 100644 index 0000000..7280af8 --- /dev/null +++ b/prd/cert-manager/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: cert-manager +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: cert-manager + repository: https://charts.jetstack.io + version: v1.17.2 diff --git a/prd/cert-manager/templates/issuer.yaml b/prd/cert-manager/templates/issuer.yaml new file mode 100644 index 0000000..cf61c83 --- /dev/null +++ b/prd/cert-manager/templates/issuer.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: issuer +secrets: + - name: issuer-token-lmzpj + +--- + +apiVersion: v1 +kind: Secret +metadata: + name: issuer-token-lmzpj + annotations: + kubernetes.io/service-account.name: issuer +type: kubernetes.io/service-account-token diff --git a/prd/cert-manager/templates/letsencrypt.yaml b/prd/cert-manager/templates/letsencrypt.yaml new file mode 100644 index 0000000..56b8374 --- /dev/null +++ b/prd/cert-manager/templates/letsencrypt.yaml @@ -0,0 +1,35 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + email: developerdurp@durp.info + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: cloudflare-api-token-secret + +--- + +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: vault-issuer +spec: + vault: + server: https://vault.infra.durp.info + caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzekNDQTV1Z0F3SUJBZ0lVWkV6enhxRXVZaUtIa0wxZGYrQ2IyMk5SUkpNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekl5TXpRME1sb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dJREVlTUJ3R0ExVUVBeE1WZG1GMWJIUXVhVzVtY21FdVpIVnljQzVwYm1adk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWtaTTB1ZTRiTWNtbUFUcytrR1lTcFIyaExVenEKc2NHSXdDdHFtYUtDTWJkMXhobWdqbklSM3p2U1JwdExSMkdWR3ZjMXRpNnFieTBqWFl2Y3FieGtIdmF5MDB6VwoyellOK00ybTRsWHB1V3pnMXQ2TkVvTzZYR0FzR2oydjB2Y1ZrdFBQVTl1ajByR1VWR1dXZnN2am9YcVFGZzVJCmpkeHN4SzlTdk12dzJYdEUzRmdLeHB6Q3l3OTRJbklIbGNQd0ZUTyszWmRLU3RabE1iVURJa21zekxCcldGY3IKWE9zUERmTHhxTXkwQ2svL0xLSXQ4ZGpoMzI1NEZIQjFHRzUra0krSlNXMW8rdFVjTDJOeW12SUlOd20vMmFjUwoxdVRtK2o5VzdpRVhhdjBwSk5tbSsvZHpTc2tjM1kwZnRNMGgySENYZ2l0QklhRVpuVVZuZU5IT0x3SURBUUFCCm80SUI3ekNDQWVzd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME8KQkJZRUZDYVEycTdqN0x5QkdFVEVaNXFhSkFkbElTS0NNQjhHQTFVZEl3UVlNQmFBRk8xakN5R2twRk8rUWlSMgpkZkJNV1ZZZVdyUTJNSUgwQmdnckJnRUZCUWNCQVFTQjV6Q0I1REF6QmdnckJnRUZCUWN3QVlZbmFIUjBjSE02Ckx5OHhPVEl1TVRZNExqSXdMakkxTXpvNE1qQXhMM1l4TDNCcmFTOXZZM053TUQwR0NDc0dBUVVGQnpBQmhqRm8KZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnJhUzl2WTNOdwpNREVHQ0NzR0FRVUZCekFDaGlWb2RIUndjem92THpFNU1pNHhOamd1TWpBdU1qVXpPamd5TURFdmRqRXZjR3RwCkwyTmhNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndjem92TDNKdmIzUXRkbUYxYkhRdWFXNTBaWEp1WVd3dVpIVnkKY0M1cGJtWnZMM1l4TDNCcmFTOWpZVEFnQmdOVkhSRUVHVEFYZ2hWMllYVnNkQzVwYm1aeVlTNWtkWEp3TG1sdQpabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3TGpJMU16bzRNakF4CkwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6T2k4dmNtOXZkQzEyWVhWc2RDNXBiblJsY201aGJDNWsKZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXVKK2xwbFkvK0E1TAo1THprbGpiS0RUeTNVNlBMdjFMdHhxVkNPRkdpSlhCblhNanRWVzA3YkJFVWFkekZSTlc4R0hRM3c1UXpPRzZrCi92RS9UcnJKaG83bDA1Si91YytCVXJQU05qZWZMbVFWNmhuNGpyUDg2UFIwdnpSZmJTcUtLQklJRDlNNyt6aTYKR0Z2SGxWa1NIc1F5TVFwN0pPb2F4OUtWelcyWStPSWd3N0xndzJ0UDEyMldDdDJTSUYwUWVub1pIc29XMGd1agp0elRKUm1KRGpuNlhlSjdMM0ZQa2YzN0g2dWIwSmczekJHcjZlb3JFRmZZWk5ONUNYZXpqcU1GQnBSZHE0VUlvCjFNM0E3bzN1eVpGY0ZzcC92R0RjTUJrd2FDc0JWOWlkdS9Id2t2R2FUVU5JMjg1aWxCT1JQRDBiTVpuQUNxLzkKK1EvY2RzTzVsZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lVUXdDQXM4MnNnU3VpYVZiakFOSFNjTzJEU2ZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TWpFeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBbjlmakdScXFGc3FndXo1Nlg2Y1had0VNdEQ5d0Vsd1NGQ2I0RmM4WVR6bEgKNGZWMTNRd1hLRVNMRS9RKzdidzR5NEZKUThCaUdOYnh4YlFPT2dXaGZHR2xReUZhMWxmaEp0WUxmcVJONUMyLwpTN25yMFl4REI5ZHVjNE9BRXhWTDZQcjQvS29jK3ZEWlkwM2w3Unp3bkYyQU9NOURqRlRBU3cwMVRwaENRalJrClUrdXBpTjJUVWhVUGVqVi9nTVIrelhNNnBuOThVQktHMWROdWJTMEh6QU13QUVYQVBtMTQxTkR5V1VDUFQ5KzMKNlAwM0thOG1VVHgzWDQ5T0N0dkpFR0VRYnRsblRGUWFPU2tQMXlMVytYUk1IdzNzUWFWMlBXWHU1ZkluYkVwWgorU3V6bWdMT1h0bVFObUhMYXY5cTFxZVRWa3BCR1BXdmZoMlZoMUpKaFFJREFRQUJvNElCNHpDQ0FkOHdEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSmFQMTdmMVp3MFYKNTVLczlVZjBVU1ZXbDBCUE1COEdBMVVkSXdRWU1CYUFGTzFqQ3lHa3BGTytRaVIyZGZCTVdWWWVXclEyTUlIMApCZ2dyQmdFRkJRY0JBUVNCNXpDQjVEQXpCZ2dyQmdFRkJRY3dBWVluYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3CkxqSTFNem80TWpBeEwzWXhMM0JyYVM5dlkzTndNRDBHQ0NzR0FRVUZCekFCaGpGb2RIUndjem92TDNKdmIzUXQKZG1GMWJIUXVhVzUwWlhKdVlXd3VaSFZ5Y0M1cGJtWnZMM1l4TDNCcmFTOXZZM053TURFR0NDc0dBUVVGQnpBQwpoaVZvZEhSd2N6b3ZMekU1TWk0eE5qZ3VNakF1TWpVek9qZ3lNREV2ZGpFdmNHdHBMMk5oTURzR0NDc0dBUVVGCkJ6QUNoaTlvZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnIKYVM5allUQVVCZ05WSFJFRURUQUxnZ2xrZFhKd0xtbHVabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMApjSE02THk4eE9USXVNVFk0TGpJd0xqSTFNem80TWpBeEwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6Ck9pOHZjbTl2ZEMxMllYVnNkQzVwYm5SbGNtNWhiQzVrZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFpcUFaNHpOSUVrQ1djdnBEUnEwVnlKdWs1OXNWdEpyNVg0RnNjSFExNzluRQpRYmJ2TWUrRUJERlM2WFFtbDFFbGo4amlQYS9ENU85T2M2SWlzbm01K3dlWkt3QXB6L2xRK1hWa1dMQ29FcGxCClpaOWZjV1ZDYk1MdDB4bHQ4cW41ei9tWUtmYkNUN1pDcURPK3ByUVp0K0FESmNRYmlrbmZyb0FBcUViTkt4d04KWTl1VXlPV05GM1N4SkVjaDR3MmR0WCtJRVZteGVabmhNeThPdVAwU1FLbDhhVzQwdWdpRzBaRDV5VEJCZk9EOQp6c3JHU1UvaVNhdG4wYjdiZXZCaGFMOTZoejEvck5SMWNMKzQvYWxiWDJocnI4UnYzL1NCMkRMdE5RbFFXMGxzCkFmaFhBcVA1ekwrWXRnZjFPZi9wVmRnbmh4cllVWTdSS0NTR1k1SGFndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMekNDQWhlZ0F3SUJBZ0lVTkhkdk96YW0ySFBWZHdYcE1IVXk0d2w4WlJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TVRVeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBOFhEVFZFdFJJMytrNHl1dnFWcWZJaUxSUUpjWGJtaGZWdEFlWWsrNWo5T3gKcDF3OVlIZG5QTHFMRnJEMVB6YWRqcVllQXAvZndsRUZmczZscXdvVFM4Uzl2aGFGcWNnQjU3blZNYjc3ZFRCYgovMDhYSFhPVTZGUFJqZEZLbTVRTXBTN3RuMVhhY1BNeS9vMGJLcVJSRVFlaXVGREdWUnl1RjVQVWd2V2MxZHZKCmwyN0p2dmdZa3RnamZwTlM0RGxDeGc0bEdYVDVhYnZhS2YyaG5yNjVlZ2FJby95UldOOXdudkF6UmlZN29jaTcKR0Exb0t6ODdZYzF0ZkwyZ2N5bnJ3Y2NPT0NGL2VVS2VzSlIxSTZHWE5rTi9hMWZjcitMZDlaOU5oSEJ0Tyt2RQpOOERzWlkra0c3REUzTTRCQ0NURlV6bGxjWUhqYVc0SGFGOXZaVytQWXdJREFRQUJvM2t3ZHpBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdXTUxJYVNrVTc1Q0pIWjEKOEV4WlZoNWF0RFl3SHdZRFZSMGpCQmd3Rm9BVTdXTUxJYVNrVTc1Q0pIWjE4RXhaVmg1YXREWXdGQVlEVlIwUgpCQTB3QzRJSlpIVnljQzVwYm1adk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVMvcVVJLzFZdjA3eFVUSzVrCnI5M2tDN0dTUHBtcGtYSXNmakNoQWw5M3NlYk4xNDNmdTcwTlVQNzRqakNjMFdrYjhoUm9mR2cxMEUrLzI0cjEKQUkwS3NMaHpLemZJQVN4VVZRQW44UlRwdExydWFhUExib1NBNE1VWjhJQjV5OFZ5OEUzL0t0RDBnRDgwajY0WQpybTlYR0hBMEhUSkhiUFVUYi9SdXgyZzBFN1d0aXlXU1dIOG1xemJlZ1U4SXJrTTNlVlQ0K3lsQkU3WWtmV0RECmR3NDRzQjcxdGZtREtweldnNlhRNllNaDBZZm55RzFmWUNqOUxodWVjTlk5VXVvNmNqRGFBdmt6TWV3V3dxRHgKUTJFa2FzOThEaTZpdENQOHZFVCtnQkRqZUNjK1hSNkh4NnZ6V214bFpod0R1eEVLTDFhMi9EYWJVeEp5TU56dgo1NUZuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + path: pki/sign/issue-homelab-certs + auth: + kubernetes: + mountPath: /v1/auth/dmz-cluster + role: issuer + secretRef: + name: issuer-token-lmzpj + key: token diff --git a/prd/cert-manager/templates/secretvault.yaml b/prd/cert-manager/templates/secretvault.yaml new file mode 100644 index 0000000..11c82bc --- /dev/null +++ b/prd/cert-manager/templates/secretvault.yaml @@ -0,0 +1,22 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: cloudflare-api-token-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: cloudflare-api-token-secret + data: + - secretKey: cloudflare-api-token-secret + remoteRef: + key: kv/cert-manager + property: cloudflare-api-token-secret + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/prd/cert-manager/values.yaml b/prd/cert-manager/values.yaml new file mode 100644 index 0000000..c9cf12f --- /dev/null +++ b/prd/cert-manager/values.yaml @@ -0,0 +1,26 @@ +cert-manager: + crds: + enabled: true + image: + registry: registry.internal.durp.info + repository: jetstack/cert-manager-controller + pullPolicy: Always + replicaCount: 3 + extraArgs: + - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 + - --dns01-recursive-nameservers-only + podDnsPolicy: None + podDnsConfig: + nameservers: + - "1.1.1.1" + - "1.0.0.1" + webhook: + image: + registry: registry.internal.durp.info + repository: jetstack/cert-manager-webhook + pullPolicy: Always + cainjector: + image: + registry: registry.internal.durp.info + repository: jetstack/cert-manager-cainjector + pullPolicy: Always diff --git a/prd/external-dns/Chart.yaml b/prd/external-dns/Chart.yaml new file mode 100644 index 0000000..937bc49 --- /dev/null +++ b/prd/external-dns/Chart.yaml @@ -0,0 +1,12 @@ + +apiVersion: v2 +name: external-dns +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: external-dns + repository: https://charts.bitnami.com/bitnami + version: 8.9.2 diff --git a/prd/external-dns/templates/secrets.yaml b/prd/external-dns/templates/secrets.yaml new file mode 100644 index 0000000..60f7466 --- /dev/null +++ b/prd/external-dns/templates/secrets.yaml @@ -0,0 +1,30 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: external-dns-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: external-dns + data: + - secretKey: cloudflare_api_email + remoteRef: + key: kv/cloudflare + property: cloudflare_api_email + - secretKey: cloudflare_api_key + remoteRef: + key: kv/cloudflare + property: cloudflare_api_key + - secretKey: cloudflare_api_token + remoteRef: + key: kv/cloudflare + property: cloudflare_api_token + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/prd/external-dns/values.yaml b/prd/external-dns/values.yaml new file mode 100644 index 0000000..2052942 --- /dev/null +++ b/prd/external-dns/values.yaml @@ -0,0 +1,18 @@ +external-dns: + global: + imageRegistry: "registry.durp.info" + + image: + pullPolicy: Always + + txtPrefix: "dmz-" + + sources: + - service + + provider: cloudflare + cloudflare: + secretName : "external-dns" + proxied: false + + policy: sync diff --git a/prd/external-secrets/Chart.yaml b/prd/external-secrets/Chart.yaml new file mode 100644 index 0000000..48645c3 --- /dev/null +++ b/prd/external-secrets/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: external-secrets +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: external-secrets + repository: https://charts.external-secrets.io + version: 0.17.0 diff --git a/prd/external-secrets/templates/ca.yaml b/prd/external-secrets/templates/ca.yaml new file mode 100644 index 0000000..9b2a135 --- /dev/null +++ b/prd/external-secrets/templates/ca.yaml @@ -0,0 +1,81 @@ +apiVersion: v1 +data: + vault.pem: | + -----BEGIN CERTIFICATE----- + MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy + MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN + BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq + scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW + 2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I + jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr + XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS + 1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB + o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O + BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2 + dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6 + Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo + dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw + MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp + L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy + cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu + Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx + L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k + dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L + 5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k + /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6 + GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj + tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo + 1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9 + +Q/cdsO5lg== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH + 4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/ + S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk + U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3 + 6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ + +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD + VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V + 55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0 + BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw + LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt + dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC + hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF + BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br + aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0 + cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz + Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq + hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE + QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB + ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN + Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9 + zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls + AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL + BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy + MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox + p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb + /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ + l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7 + GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE + N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B + Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1 + 8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R + BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k + r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1 + AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y + rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD + dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx + Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv + 55Fn + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: ca-pemstore diff --git a/prd/external-secrets/values.yaml b/prd/external-secrets/values.yaml new file mode 100644 index 0000000..304180d --- /dev/null +++ b/prd/external-secrets/values.yaml @@ -0,0 +1,94 @@ +external-secrets: + replicaCount: 3 + revisionHistoryLimit: 1 + leaderElect: true + + installCRDs: true + crds: + createClusterExternalSecret: true + createClusterSecretStore: true + createClusterGenerator: true + createPushSecret: true + conversion: + enabled: false + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + webhook: + create: false + failurePolicy: Ignore + log: + level: debug + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + certController: + create: false + revisionHistoryLimit: 1 + log: + level: debug + + image: + repository: registry.durp.info/external-secrets/external-secrets + pullPolicy: Always + tag: "" + + resources: + requests: + memory: 32Mi + cpu: 10m + limits: + memory: 32Mi + cpu: 10m + + extraVolumes: + - name: ca-pemstore + configMap: + name: ca-pemstore + + extraVolumeMounts: + - name: ca-pemstore + mountPath: /etc/ssl/certs/vault.pem + subPath: vault.pem + readOnly: true diff --git a/prd/metallb-system/Chart.yaml b/prd/metallb-system/Chart.yaml new file mode 100644 index 0000000..c92e842 --- /dev/null +++ b/prd/metallb-system/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: metallb-system +description: A Helm chart for Kubernetes +type: application + +version: 0.1.0 +appVersion: "1.16.0" + +dependencies: +- name: metallb + repository: https://metallb.github.io/metallb + version: 0.15.2 diff --git a/prd/metallb-system/templates/config.yaml b/prd/metallb-system/templates/config.yaml new file mode 100644 index 0000000..03314b3 --- /dev/null +++ b/prd/metallb-system/templates/config.yaml @@ -0,0 +1,17 @@ +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: cheap +spec: + addresses: + - 192.168.11.130-192.168.11.140 +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: pool + namespace: metallb-system +spec: + ipAddressPools: + - cheap + diff --git a/prd/metallb-system/values.yaml b/prd/metallb-system/values.yaml new file mode 100644 index 0000000..e69de29 diff --git a/prd/traefik/Chart.yaml b/prd/traefik/Chart.yaml new file mode 100644 index 0000000..1df1d76 --- /dev/null +++ b/prd/traefik/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: traefik +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: traefik + repository: https://traefik.github.io/charts + version: 34.5.0 diff --git a/prd/traefik/values.yaml b/prd/traefik/values.yaml new file mode 100644 index 0000000..3d1d660 --- /dev/null +++ b/prd/traefik/values.yaml @@ -0,0 +1,58 @@ +traefik: + image: + # registry: registry.durp.info + # repository: traefik + pullPolicy: Always + + providers: + kubernetesCRD: + allowCrossNamespace: true + allowExternalNameServices: true + allowEmptyServices: false + + deployment: + replicas: 3 + revisionHistoryLimit: 1 + + # volumes: + # - name: traefik-configmap + # mountPath: "/config" + # type: configMap + + ingressRoute: + dashboard: + enabled: true + + additionalArguments: + # - "--providers.file.filename=/config/config.yml" + - "--serversTransport.insecureSkipVerify=true" + - "--log.level=DEBUG" + - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin + - --experimental.plugins.jwt.version=v0.7.0 + + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + policies: + - type: Pods + value: 1 + periodSeconds: 60 + + # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. + resources: + requests: + cpu: "100m" + memory: "512Mi" + limits: + memory: "512Mi" diff --git a/prd/vault/Chart.yaml b/prd/vault/Chart.yaml new file mode 100644 index 0000000..412c292 --- /dev/null +++ b/prd/vault/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: vault +description: A Helm chart for Kubernetes +type: application +version: 0.0.1 +appVersion: 0.0.1 + +dependencies: +- name: vault + repository: https://helm.releases.hashicorp.com + version: 0.30.0 + diff --git a/prd/vault/templates/secret-store.yaml b/prd/vault/templates/secret-store.yaml new file mode 100644 index 0000000..c48e52f --- /dev/null +++ b/prd/vault/templates/secret-store.yaml @@ -0,0 +1,23 @@ +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: + name: vault +spec: + provider: + vault: + server: "https://vault.infra.durp.info" + path: "kv" + version: "v2" + auth: + kubernetes: + mountPath: "dmz-cluster" + role: "external-secrets" + serviceAccountRef: + name: "vault" + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault diff --git a/prd/vault/values.yaml b/prd/vault/values.yaml new file mode 100644 index 0000000..877d8fe --- /dev/null +++ b/prd/vault/values.yaml @@ -0,0 +1,13 @@ +vault: + global: + enabled: true + tlsDisable: false + externalVaultAddr: "https://vault.infra.durp.info" + resources: + requests: + memory: 256Mi + cpu: 250m + limits: + memory: 256Mi + cpu: 250m + diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..7190a60 --- /dev/null +++ b/renovate.json @@ -0,0 +1,3 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json" +} diff --git a/traefik/templates/ingress.yaml b/traefik/templates/ingress.yaml deleted file mode 100644 index a165566..0000000 --- a/traefik/templates/ingress.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`traefik.internal.durp.info`) - middlewares: - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: api@internal - kind: TraefikService - - match: Host(`traefik.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) - kind: Rule - services: - - name: ak-outpost-authentik-embedded-outpost - namespace: authentik - port: 9000 - tls: - secretName: traefik-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: traefik-tls - namespace: traefik -spec: - secretName: traefik-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "traefik.internal.durp.info" - dnsNames: - - "traefik.internal.durp.info" \ No newline at end of file diff --git a/traefik/values.yaml b/traefik/values.yaml deleted file mode 100644 index 362a574..0000000 --- a/traefik/values.yaml +++ /dev/null @@ -1,887 +0,0 @@ -traefik: - # Default values for Traefik - image: - registry: docker.io - repository: traefik - # defaults to appVersion - tag: "" - pullPolicy: Always - - # - # Configure integration with Traefik Hub - # - hub: - ## Enabling Hub will: - # * enable Traefik Hub integration on Traefik - # * add `traefikhub-tunl` endpoint - # * enable Prometheus metrics with addRoutersLabels - # * enable allowExternalNameServices on KubernetesIngress provider - # * enable allowCrossNamespace on KubernetesCRD provider - # * add an internal (ClusterIP) Service, dedicated for Traefik Hub - enabled: true - ## Default port can be changed - # tunnelPort: 9901 - ## TLS is optional. Insecure is mutually exclusive with any other options - # tls: - # insecure: false - # ca: "/path/to/ca.pem" - # cert: "/path/to/cert.pem" - # key: "/path/to/key.pem" - - # - # Configure the deployment - # - deployment: - enabled: true - # Can be either Deployment or DaemonSet - kind: Deployment - # Number of pods of the deployment (only applies when kind == Deployment) - replicas: 3 - # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) - revisionHistoryLimit: 1 - # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down - terminationGracePeriodSeconds: 60 - # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available - minReadySeconds: 0 - # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) - annotations: {} - # Additional deployment labels (e.g. for filtering deployment by custom labels) - labels: {} - # Additional pod annotations (e.g. for mesh injection or prometheus scraping) - podAnnotations: {} - # Additional Pod labels (e.g. for filtering Pod by custom labels) - podLabels: {} - # Additional containers (e.g. for metric offloading sidecars) - additionalContainers: [] - # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host - # - name: socat-proxy - # image: alpine/socat:1.0.5 - # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] - # volumeMounts: - # - name: dsdsocket - # mountPath: /socket - # Additional volumes available for use with initContainers and additionalContainers - additionalVolumes: [] - # - name: dsdsocket - # hostPath: - # path: /var/run/statsd-exporter - # Additional initContainers (e.g. for setting file permission as shown below) - initContainers: [] - # The "volume-permissions" init container is required if you run into permission issues. - # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 - # - name: volume-permissions - # image: busybox:latest - # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] - # securityContext: - # runAsNonRoot: true - # runAsGroup: 65532 - # runAsUser: 65532 - # volumeMounts: - # - name: data - # mountPath: /data - # Use process namespace sharing - shareProcessNamespace: false - # Custom pod DNS policy. Apply if `hostNetwork: true` - # dnsPolicy: ClusterFirstWithHostNet - # Additional imagePullSecrets - imagePullSecrets: [] - # - name: myRegistryKeySecretName - # Pod lifecycle actions - lifecycle: {} - # preStop: - # exec: - # command: ["/bin/sh", "-c", "sleep 40"] - # postStart: - # httpGet: - # path: /ping - # port: 9000 - # host: localhost - # scheme: HTTP - - # Pod disruption budget - podDisruptionBudget: - enabled: false - # maxUnavailable: 1 - # maxUnavailable: 33% - # minAvailable: 0 - # minAvailable: 25% - - # Create a default IngressClass for Traefik - ingressClass: - enabled: true - isDefaultClass: false - - # Enable experimental features - experimental: - v3: - enabled: false - plugins: - enabled: true - kubernetesGateway: - enabled: false - gateway: - enabled: true - # certificate: - # group: "core" - # kind: "Secret" - # name: "mysecret" - # By default, Gateway would be created to the Namespace you are deploying Traefik to. - # You may create that Gateway in another namespace, setting its name below: - # namespace: default - # Additional gateway annotations (e.g. for cert-manager.io/issuer) - # annotations: - # cert-manager.io/issuer: letsencrypt - - # Create an IngressRoute for the dashboard - ingressRoute: - dashboard: - enabled: true - # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) - annotations: {} - # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) - labels: {} - # The router match rule used for the dashboard ingressRoute - matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) - # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). - # By default, it's using traefik entrypoint, which is not exposed. - # /!\ Do not expose your dashboard without any protection over the internet /!\ - entryPoints: ["traefik"] - # Additional ingressRoute middlewares (e.g. for authentication) - middlewares: [] - # TLS options (e.g. secret containing certificate) - tls: {} - - # Customize updateStrategy of traefik pods - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 0 - maxSurge: 1 - - # Customize liveness and readiness probe values. - readinessProbe: - failureThreshold: 1 - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 2 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 2 - - # - # Configure providers - # - providers: - kubernetesCRD: - enabled: true - allowCrossNamespace: true - allowExternalNameServices: false - allowEmptyServices: false - # ingressClass: traefik-internal - # labelSelector: environment=production,method=traefik - namespaces: [] - # - "default" - - kubernetesIngress: - enabled: true - allowExternalNameServices: false - allowEmptyServices: false - # ingressClass: traefik-internal - # labelSelector: environment=production,method=traefik - namespaces: [] - # - "default" - # IP used for Kubernetes Ingress endpoints - publishedService: - enabled: false - # Published Kubernetes Service to copy status from. Format: namespace/servicename - # By default this Traefik service - # pathOverride: "" - - # - # Add volumes to the traefik pod. The volume name will be passed to tpl. - # This can be used to mount a cert pair or a configmap that holds a config.toml file. - # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: - # additionalArguments: - # - "--providers.file.filename=/config/dynamic.toml" - # - "--ping" - # - "--ping.entrypoint=web" - volumes: [] - # - name: public-cert - # mountPath: "/certs" - # type: secret - # - name: '{{ printf "%s-configs" .Release.Name }}' - # mountPath: "/config" - # type: configMap - - # Additional volumeMounts to add to the Traefik container - additionalVolumeMounts: [] - # For instance when using a logshipper for access logs - # - name: traefik-logs - # mountPath: /var/log/traefik - - ## Logs - ## https://docs.traefik.io/observability/logs/ - logs: - ## Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). - general: - # By default, the logs use a text format (common), but you can - # also ask for the json format in the format option - # format: json - # By default, the level is set to ERROR. - # Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. - level: ERROR - access: - # To enable access logs - enabled: false - ## By default, logs are written using the Common Log Format (CLF) on stdout. - ## To write logs in JSON, use json in the format option. - ## If the given format is unsupported, the default (CLF) is used instead. - # format: json - # filePath: "/var/log/traefik/access.log - ## To write the logs in an asynchronous fashion, specify a bufferingSize option. - ## This option represents the number of log lines Traefik will keep in memory before writing - ## them to the selected output. In some cases, this option can greatly help performances. - # bufferingSize: 100 - ## Filtering https://docs.traefik.io/observability/access-logs/#filtering - filters: {} - # statuscodes: "200,300-302" - # retryattempts: true - # minduration: 10ms - ## Fields - ## https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers - fields: - general: - defaultmode: keep - names: {} - ## Examples: - # ClientUsername: drop - headers: - defaultmode: drop - names: {} - ## Examples: - # User-Agent: redact - # Authorization: drop - # Content-Type: keep - - metrics: - ## Prometheus is enabled by default. - ## It can be disabled by setting "prometheus: null" - prometheus: - ## Entry point used to expose metrics. - entryPoint: metrics - ## Enable metrics on entry points. Default=true - # addEntryPointsLabels: false - ## Enable metrics on routers. Default=false - # addRoutersLabels: true - ## Enable metrics on services. Default=true - # addServicesLabels: false - ## Buckets for latency metrics. Default="0.1,0.3,1.2,5.0" - # buckets: "0.5,1.0,2.5" - ## When manualRouting is true, it disables the default internal router in - ## order to allow creating a custom router for prometheus@internal service. - # manualRouting: true - # datadog: - # ## Address instructs exporter to send metrics to datadog-agent at this address. - # address: "127.0.0.1:8125" - # ## The interval used by the exporter to push metrics to datadog-agent. Default=10s - # # pushInterval: 30s - # ## The prefix to use for metrics collection. Default="traefik" - # # prefix: traefik - # ## Enable metrics on entry points. Default=true - # # addEntryPointsLabels: false - # ## Enable metrics on routers. Default=false - # # addRoutersLabels: true - # ## Enable metrics on services. Default=true - # # addServicesLabels: false - # influxdb: - # ## Address instructs exporter to send metrics to influxdb at this address. - # address: localhost:8089 - # ## InfluxDB's address protocol (udp or http). Default="udp" - # protocol: udp - # ## InfluxDB database used when protocol is http. Default="" - # # database: "" - # ## InfluxDB retention policy used when protocol is http. Default="" - # # retentionPolicy: "" - # ## InfluxDB username (only with http). Default="" - # # username: "" - # ## InfluxDB password (only with http). Default="" - # # password: "" - # ## The interval used by the exporter to push metrics to influxdb. Default=10s - # # pushInterval: 30s - # ## Additional labels (influxdb tags) on all metrics. - # # additionalLabels: - # # env: production - # # foo: bar - # ## Enable metrics on entry points. Default=true - # # addEntryPointsLabels: false - # ## Enable metrics on routers. Default=false - # # addRoutersLabels: true - # ## Enable metrics on services. Default=true - # # addServicesLabels: false - # influxdb2: - # ## Address instructs exporter to send metrics to influxdb v2 at this address. - # address: localhost:8086 - # ## Token with which to connect to InfluxDB v2. - # token: xxx - # ## Organisation where metrics will be stored. - # org: "" - # ## Bucket where metrics will be stored. - # bucket: "" - # ## The interval used by the exporter to push metrics to influxdb. Default=10s - # # pushInterval: 30s - # ## Additional labels (influxdb tags) on all metrics. - # # additionalLabels: - # # env: production - # # foo: bar - # ## Enable metrics on entry points. Default=true - # # addEntryPointsLabels: false - # ## Enable metrics on routers. Default=false - # # addRoutersLabels: true - # ## Enable metrics on services. Default=true - # # addServicesLabels: false - # statsd: - # ## Address instructs exporter to send metrics to statsd at this address. - # address: localhost:8125 - # ## The interval used by the exporter to push metrics to influxdb. Default=10s - # # pushInterval: 30s - # ## The prefix to use for metrics collection. Default="traefik" - # # prefix: traefik - # ## Enable metrics on entry points. Default=true - # # addEntryPointsLabels: false - # ## Enable metrics on routers. Default=false - # # addRoutersLabels: true - # ## Enable metrics on services. Default=true - # # addServicesLabels: false - # openTelemetry: - # ## Address of the OpenTelemetry Collector to send metrics to. - # address: "localhost:4318" - # ## Enable metrics on entry points. - # addEntryPointsLabels: true - # ## Enable metrics on routers. - # addRoutersLabels: true - # ## Enable metrics on services. - # addServicesLabels: true - # ## Explicit boundaries for Histogram data points. - # explicitBoundaries: - # - "0.1" - # - "0.3" - # - "1.2" - # - "5.0" - # ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. - # headers: - # foo: bar - # test: test - # ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. - # insecure: true - # ## Interval at which metrics are sent to the OpenTelemetry Collector. - # pushInterval: 10s - # ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. - # path: /foo/v1/traces - # ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. - # tls: - # ## The path to the certificate authority, it defaults to the system bundle. - # ca: path/to/ca.crt - # ## The path to the public certificate. When using this option, setting the key option is required. - # cert: path/to/foo.cert - # ## The path to the private key. When using this option, setting the cert option is required. - # key: path/to/key.key - # ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. - # insecureSkipVerify: true - # ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. - # grpc: true - - ## - ## enable optional CRDs for Prometheus Operator - ## - ## Create a dedicated metrics service for use with ServiceMonitor - ## When hub.enabled is set to true, it's not needed: it will use hub service. - # service: - # enabled: false - # labels: {} - # annotations: {} - ## When set to true, it won't check if Prometheus Operator CRDs are deployed - # disableAPICheck: false - # serviceMonitor: - # metricRelabelings: [] - # - sourceLabels: [__name__] - # separator: ; - # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ - # replacement: $1 - # action: drop - # relabelings: [] - # - sourceLabels: [__meta_kubernetes_pod_node_name] - # separator: ; - # regex: ^(.*)$ - # targetLabel: nodename - # replacement: $1 - # action: replace - # jobLabel: traefik - # interval: 30s - # honorLabels: true - # # (Optional) - # # scrapeTimeout: 5s - # # honorTimestamps: true - # # enableHttp2: true - # # followRedirects: true - # # additionalLabels: - # # foo: bar - # # namespace: "another-namespace" - # # namespaceSelector: {} - # prometheusRule: - # additionalLabels: {} - # namespace: "another-namespace" - # rules: - # - alert: TraefikDown - # expr: up{job="traefik"} == 0 - # for: 5m - # labels: - # context: traefik - # severity: warning - # annotations: - # summary: "Traefik Down" - # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" - - tracing: {} - # instana: - # localAgentHost: 127.0.0.1 - # localAgentPort: 42699 - # logLevel: info - # enableAutoProfile: true - # datadog: - # localAgentHostPort: 127.0.0.1:8126 - # debug: false - # globalTag: "" - # prioritySampling: false - # jaeger: - # samplingServerURL: http://localhost:5778/sampling - # samplingType: const - # samplingParam: 1.0 - # localAgentHostPort: 127.0.0.1:6831 - # gen128Bit: false - # propagation: jaeger - # traceContextHeaderName: uber-trace-id - # disableAttemptReconnecting: true - # collector: - # endpoint: "" - # user: "" - # password: "" - # zipkin: - # httpEndpoint: http://localhost:9411/api/v2/spans - # sameSpan: false - # id128Bit: true - # sampleRate: 1.0 - # haystack: - # localAgentHost: 127.0.0.1 - # localAgentPort: 35000 - # globalTag: "" - # traceIDHeaderName: "" - # parentIDHeaderName: "" - # spanIDHeaderName: "" - # baggagePrefixHeaderName: "" - # elastic: - # serverURL: http://localhost:8200 - # secretToken: "" - # serviceEnvironment: "" - - globalArguments: - - "--global.checknewversion=false" - - "--global.sendanonymoususage=false" - - # - # Configure Traefik static configuration - # Additional arguments to be passed at Traefik's binary - # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ - ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` - additionalArguments: - - "--serversTransport.insecureSkipVerify=true" - - "--log.level=DEBUG" - - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin - - --experimental.plugins.jwt.version=v0.7.0 - - - # Environment variables to be passed to Traefik's binary - env: [] - # - name: SOME_VAR - # value: some-var-value - # - name: SOME_VAR_FROM_CONFIG_MAP - # valueFrom: - # configMapRef: - # name: configmap-name - # key: config-key - # - name: SOME_SECRET - # valueFrom: - # secretKeyRef: - # name: secret-name - # key: secret-key - - envFrom: [] - # - configMapRef: - # name: config-map-name - # - secretRef: - # name: secret-name - - # Configure ports - ports: - # The name of this one can't be changed as it is used for the readiness and - # liveness probes, but you can adjust its config to your liking - traefik: - port: 9000 - # Use hostPort if set. - # hostPort: 9000 - # - # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which - # means it's listening on all your interfaces and all your IPs. You may want - # to set this value if you need traefik to listen on specific interface - # only. - # hostIP: 192.168.100.10 - - # Override the liveness/readiness port. This is useful to integrate traefik - # with an external Load Balancer that performs healthchecks. - # Default: ports.traefik.port - # healthchecksPort: 9000 - - # Override the liveness/readiness scheme. Useful for getting ping to - # respond on websecure entryPoint. - # healthchecksScheme: HTTPS - - # Defines whether the port is exposed if service.type is LoadBalancer or - # NodePort. - # - # You SHOULD NOT expose the traefik port on production deployments. - # If you want to access it from outside of your cluster, - # use `kubectl port-forward` or create a secure ingress - expose: false - # The exposed port for this service - exposedPort: 9000 - # The port protocol (TCP/UDP) - protocol: TCP - web: - ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. - # asDefault: true - port: 8000 - # hostPort: 8000 - expose: true - exposedPort: 80 - # The port protocol (TCP/UDP) - protocol: TCP - # Use nodeport if set. This is useful if you have configured Traefik in a - # LoadBalancer. - # nodePort: 32080 - # Port Redirections - # Added in 2.2, you can make permanent redirects via entrypoints. - # https://docs.traefik.io/routing/entrypoints/#redirection - redirectTo: websecure - # - # Trust forwarded headers information (X-Forwarded-*). - # forwardedHeaders: - # trustedIPs: [] - # insecure: false - # - # Enable the Proxy Protocol header parsing for the entry point - # proxyProtocol: - # trustedIPs: [] - # insecure: false - websecure: - ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. - # asDefault: true - port: 8443 - # hostPort: 8443 - expose: true - exposedPort: 443 - ## The port protocol (TCP/UDP) - protocol: TCP - # nodePort: 32443 - # - ## Enable HTTP/3 on the entrypoint - ## Enabling it will also enable http3 experimental feature - ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 - ## There are known limitations when trying to listen on same ports for - ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. - ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 - http3: - enabled: false - # advertisedPort: 4443 - # - ## Trust forwarded headers information (X-Forwarded-*). - #forwardedHeaders: - # trustedIPs: [] - # insecure: false - # - ## Enable the Proxy Protocol header parsing for the entry point - #proxyProtocol: - # trustedIPs: [] - # insecure: false - # - ## Set TLS at the entrypoint - ## https://doc.traefik.io/traefik/routing/entrypoints/#tls - tls: - enabled: true - # this is the name of a TLSOption definition - options: "" - certResolver: "" - domains: [] - # - main: example.com - # sans: - # - foo.example.com - # - bar.example.com - # - # One can apply Middlewares on an entrypoint - # https://doc.traefik.io/traefik/middlewares/overview/ - # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares - # /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ - # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace - # middlewares: - # - namespace-name1@kubernetescrd - # - namespace-name2@kubernetescrd - middlewares: [] - metrics: - # When using hostNetwork, use another port to avoid conflict with node exporter: - # https://github.com/prometheus/prometheus/wiki/Default-port-allocations - port: 9100 - # hostPort: 9100 - # Defines whether the port is exposed if service.type is LoadBalancer or - # NodePort. - # - # You may not want to expose the metrics port on production deployments. - # If you want to access it from outside of your cluster, - # use `kubectl port-forward` or create a secure ingress - expose: false - # The exposed port for this service - exposedPort: 9100 - # The port protocol (TCP/UDP) - protocol: TCP - - # TLS Options are created as TLSOption CRDs - # https://doc.traefik.io/traefik/https/tls/#tls-options - # When using `labelSelector`, you'll need to set labels on tlsOption accordingly. - # Example: - # tlsOptions: - # default: - # labels: {} - # sniStrict: true - # preferServerCipherSuites: true - # customOptions: - # labels: {} - # curvePreferences: - # - CurveP521 - # - CurveP384 - tlsOptions: {} - - # TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate - # https://doc.traefik.io/traefik/https/tls/#default-certificate - # Example: - # tlsStore: - # default: - # defaultCertificate: - # secretName: tls-cert - tlsStore: {} - - # Options for the main traefik service, where the entrypoints traffic comes - # from. - service: - enabled: true - ## Single service is using `MixedProtocolLBService` feature gate. - ## When set to false, it will create two Service, one for TCP and one for UDP. - single: true - type: LoadBalancer - # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) - annotations: {} - # Additional annotations for TCP service only - annotationsTCP: {} - # Additional annotations for UDP service only - annotationsUDP: {} - # Additional service labels (e.g. for filtering Service by custom labels) - labels: {} - # Additional entries here will be added to the service spec. - # Cannot contain type, selector or ports entries. - spec: - externalTrafficPolicy: Local - # loadBalancerIP: "1.2.3.4" - # clusterIP: "2.3.4.5" - loadBalancerSourceRanges: [] - # - 192.168.0.1/32 - # - 172.16.0.0/16 - externalIPs: [] - # - 1.2.3.4 - ## One of SingleStack, PreferDualStack, or RequireDualStack. - # ipFamilyPolicy: SingleStack - ## List of IP families (e.g. IPv4 and/or IPv6). - ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - # ipFamilies: - # - IPv4 - # - IPv6 - ## - ## An additionnal and optional internal Service. - ## Same parameters as external Service - # internal: - # type: ClusterIP - # # labels: {} - # # annotations: {} - # # spec: {} - # # loadBalancerSourceRanges: [] - # # externalIPs: [] - # # ipFamilies: [ "IPv4","IPv6" ] - - ## Create HorizontalPodAutoscaler object. - ## - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 10 - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 60 - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: 60 - behavior: - scaleDown: - stabilizationWindowSeconds: 300 - policies: - - type: Pods - value: 1 - periodSeconds: 60 - - # Enable persistence using Persistent Volume Claims - # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ - # It can be used to store TLS certificates, see `storage` in certResolvers - persistence: - enabled: false - name: data - # existingClaim: "" - accessMode: ReadWriteOnce - size: 128Mi - # storageClass: "" - # volumeName: "" - path: /data - annotations: {} - # subPath: "" # only mount a subpath of the Volume into the pod - - certResolvers: {} - # letsencrypt: - # # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ - # email: email@example.com - # dnsChallenge: - # # also add the provider's required configuration under env - # # or expand then from secrets/configmaps with envfrom - # # cf. https://doc.traefik.io/traefik/https/acme/#providers - # provider: digitalocean - # # add futher options for the dns challenge as needed - # # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge - # delayBeforeCheck: 30 - # resolvers: - # - 1.1.1.1 - # - 8.8.8.8 - # tlsChallenge: true - # httpChallenge: - # entryPoint: "web" - # # It has to match the path with a persistent volume - # storage: /data/acme.json - - # If hostNetwork is true, runs traefik in the host network namespace - # To prevent unschedulabel pods due to port collisions, if hostNetwork=true - # and replicas>1, a pod anti-affinity is recommended and will be set if the - # affinity is left as default. - hostNetwork: false - - # Whether Role Based Access Control objects like roles and rolebindings should be created - rbac: - enabled: true - # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. - # If set to true, installs Role and RoleBinding. Providers will only watch target namespace. - namespaced: false - # Enable user-facing roles - # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles - # aggregateTo: [ "admin" ] - - # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding - podSecurityPolicy: - enabled: false - - # The service account the pods will use to interact with the Kubernetes API - serviceAccount: - # If set, an existing service account is used - # If not set, a service account is created automatically using the fullname template - name: "" - - # Additional serviceAccount annotations (e.g. for oidc authentication) - serviceAccountAnnotations: {} - - resources: {} - # requests: - # cpu: "100m" - # memory: "50Mi" - # limits: - # cpu: "300m" - # memory: "150Mi" - - # This example pod anti-affinity forces the scheduler to put traefik pods - # on nodes where no other traefik pods are scheduled. - # It should be used when hostNetwork: true to prevent port conflicts - affinity: {} - # podAntiAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # - labelSelector: - # matchLabels: - # app.kubernetes.io/name: '{{ template "traefik.name" . }}' - # app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' - # topologyKey: kubernetes.io/hostname - - nodeSelector: {} - tolerations: [] - topologySpreadConstraints: [] - # # This example topologySpreadConstraints forces the scheduler to put traefik pods - # # on nodes where no other traefik pods are scheduled. - # - labelSelector: - # matchLabels: - # app: '{{ template "traefik.name" . }}' - # maxSkew: 1 - # topologyKey: kubernetes.io/hostname - # whenUnsatisfiable: DoNotSchedule - - # Pods can have priority. - # Priority indicates the importance of a Pod relative to other Pods. - priorityClassName: "" - - # Set the container security context - # To run the container with ports below 1024 this will need to be adjust to run as root - securityContext: - capabilities: - drop: [ALL] - readOnlyRootFilesystem: true - - podSecurityContext: - # # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and - # # permissions for the contents of each volume to match the fsGroup. This can - # # be an issue when storing sensitive content like TLS Certificates /!\ - # fsGroup: 65532 - fsGroupChangePolicy: "OnRootMismatch" - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - - # - # Extra objects to deploy (value evaluated as a template) - # - # In some cases, it can avoid the need for additional, extended or adhoc deployments. - # See #595 for more details and traefik/tests/values/extra.yaml for example. - extraObjects: [] - - # This will override the default Release Namespace for Helm. - # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` - # namespaceOverride: traefik - # - ## This will override the default app.kubernetes.io/instance label for all Objects. - # instanceLabelOverride: traefik diff --git a/uptimekuma/templates/deployment.yaml b/uptimekuma/templates/deployment.yaml deleted file mode 100644 index 21ce3c0..0000000 --- a/uptimekuma/templates/deployment.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - component: uptime-kuma - name: deployment -spec: - selector: - matchLabels: - component: uptime-kuma - replicas: 1 - strategy: - type: Recreate - - template: - metadata: - labels: - component: uptime-kuma - spec: - containers: - - name: app - image: registry.internal.durp.info/louislam/uptime-kuma:1 - ports: - - containerPort: 3001 - volumeMounts: - - mountPath: /app/data - name: storage - #livenessProbe: - #exec: - #command: - #- node - #- extra/healthcheck.js - readinessProbe: - httpGet: - path: / - port: 3001 - scheme: HTTP - - volumes: - - name: storage - persistentVolumeClaim: - claimName: uptimekuma-pvc diff --git a/uptimekuma/templates/kuma-pv.yaml b/uptimekuma/templates/kuma-pv.yaml deleted file mode 100644 index e17e5a7..0000000 --- a/uptimekuma/templates/kuma-pv.yaml +++ /dev/null @@ -1,25 +0,0 @@ -#apiVersion: v1 -#kind: PersistentVolume -#metadata: -# annotations: -# pv.kubernetes.io/provisioned-by: durp.info/nfs -# finalizers: -# - kubernetes.io/pv-protection -# name: uptimekuma-pv -#spec: -# accessModes: -# - ReadWriteMany -# capacity: -# storage: 10Gi -# claimRef: -# apiVersion: v1 -# kind: PersistentVolumeClaim -# name: uptimekuma-pvc -# namespace: uptimekuma -# nfs: -# path: /mnt/user/k3s/uptimekuma -# server: 192.168.20.253 -# persistentVolumeReclaimPolicy: Retain -# storageClassName: nfs-storage -# volumeMode: Filesystem -# \ No newline at end of file diff --git a/uptimekuma/templates/service.yaml b/uptimekuma/templates/service.yaml deleted file mode 100644 index cad08e7..0000000 --- a/uptimekuma/templates/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: service -spec: - selector: - component: uptime-kuma - type: ClusterIP - ports: - - name: http - port: 3001 - targetPort: 3001 - protocol: TCP \ No newline at end of file diff --git a/vault/templates/secret-store.yaml b/vault/templates/secret-store.yaml deleted file mode 100644 index c2da892..0000000 --- a/vault/templates/secret-store.yaml +++ /dev/null @@ -1,30 +0,0 @@ -#apiVersion: external-secrets.io/v1beta1 -#kind: ClusterSecretStore -#metadata: -# name: vault -#spec: -# provider: -# vault: -# server: "http://vault.vault.svc.cluster.local:8200" -# path: "secrets" -# version: "v2" -# auth: -# kubernetes: -# mountPath: "kubernetes" -# role: "dmz-external-secrets" -#--- -#apiVersion: external-secrets.io/v1beta1 -#kind: ClusterSecretStore -#metadata: -# name: vault -#spec: -# provider: -# vault: -# server: "https://vault.internal.prd.durp.info" -# path: "secrets" -# version: "v2" -# auth: -# tokenSecretRef: -# name: vault-token -# key: token -# namespace: external-secrets diff --git a/vault/values.yaml b/vault/values.yaml deleted file mode 100644 index 61048a7..0000000 --- a/vault/values.yaml +++ /dev/null @@ -1,34 +0,0 @@ -vault: - - global: - externalVaultAddr: "https://vault.internal.prd.durp.info" - - image: - repository: "registry.internal.durp.info/hashicorp/vault-k8s" - tag: "1.3.1" - pullPolicy: Always - - agentImage: - repository: "registry.internal.durp.info/hashicorp/vault" - tag: "1.15.2" - - - injector: - enabled: "-" - - replicas: 2 - leaderElector: - enabled: true - - metrics: - enabled: true - - image: - repository: "registry.internal.durp.info/hashicorp/vault-k8s" - tag: "1.3.1" - pullPolicy: Always - - agentImage: - repository: "registry.internal.durp.info/hashicorp/vault" - tag: "1.15.2" -