diff --git a/.gitignore b/.gitignore index d32217b..485dee6 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1 @@ -*/.terraform -*/.terraform.lock.hcl .idea diff --git a/Untitled b/Untitled deleted file mode 100644 index c59860f..0000000 --- a/Untitled +++ /dev/null @@ -1,4 +0,0 @@ -VAULT_HELM_SECRET_NAME=$(kubectl get secrets -n vault --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name') -TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode) -KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode) -KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}') diff --git a/infra/argocd/Chart.yaml b/argocd/Chart.yaml similarity index 91% rename from infra/argocd/Chart.yaml rename to argocd/Chart.yaml index d9a5074..07e391f 100644 --- a/infra/argocd/Chart.yaml +++ b/argocd/Chart.yaml @@ -9,4 +9,6 @@ appVersion: "1.16.0" dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm - version: 8.6.4 + version: 6.7.11 + + diff --git a/argocd/templates/InternalProxy.yaml b/argocd/templates/InternalProxy.yaml new file mode 100644 index 0000000..0553043 --- /dev/null +++ b/argocd/templates/InternalProxy.yaml @@ -0,0 +1,23 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: internalproxy + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: internalproxy + directory: + recurse: true + destination: + server: https://kubernetes.default.svc + namespace: internalproxy + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + diff --git a/infra/argocd/templates/nebula-sync.yaml b/argocd/templates/argocd.yaml similarity index 62% rename from infra/argocd/templates/nebula-sync.yaml rename to argocd/templates/argocd.yaml index d19b024..9b97473 100644 --- a/infra/argocd/templates/nebula-sync.yaml +++ b/argocd/templates/argocd.yaml @@ -1,16 +1,16 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: nebula-sync + name: argocd namespace: argocd spec: project: default source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/nebula-sync + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: argocd destination: - namespace: nebula-sync + namespace: argocd name: in-cluster syncPolicy: automated: diff --git a/argocd/templates/cert-manager.yaml b/argocd/templates/cert-manager.yaml new file mode 100644 index 0000000..b1c7831 --- /dev/null +++ b/argocd/templates/cert-manager.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-manager + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: cert-manager + destination: + namespace: cert-manager + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/infra/argocd/templates/external-dns.yaml b/argocd/templates/external-dns.yaml similarity index 64% rename from infra/argocd/templates/external-dns.yaml rename to argocd/templates/external-dns.yaml index caa32d9..dc98744 100644 --- a/infra/argocd/templates/external-dns.yaml +++ b/argocd/templates/external-dns.yaml @@ -1,21 +1,20 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: external-dns-dmz + name: external-dns namespace: argocd spec: project: default source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/external-dns + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: external-dns destination: namespace: external-dns - name: dmz + name: in-cluster syncPolicy: automated: prune: true selfHeal: true syncOptions: - CreateNamespace=true - diff --git a/argocd/templates/external-secrets.yaml b/argocd/templates/external-secrets.yaml new file mode 100644 index 0000000..a6626cc --- /dev/null +++ b/argocd/templates/external-secrets.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-secrets + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: external-secrets + destination: + namespace: external-secrets + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/argocd/templates/gatekeeper.yaml b/argocd/templates/gatekeeper.yaml new file mode 100644 index 0000000..712d4a7 --- /dev/null +++ b/argocd/templates/gatekeeper.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: gatekeeper + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: gatekeeper + destination: + namespace: gatekeeper + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/infra/argocd/templates/nfs.yaml b/argocd/templates/gitlab-runner.yaml similarity index 51% rename from infra/argocd/templates/nfs.yaml rename to argocd/templates/gitlab-runner.yaml index c006f32..15386e6 100644 --- a/infra/argocd/templates/nfs.yaml +++ b/argocd/templates/gitlab-runner.yaml @@ -1,18 +1,21 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: nfs + name: gitlab-runner namespace: argocd spec: project: default source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/nfs + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: gitlab-runner destination: - namespace: kube-system + namespace: gitlab-runner name: in-cluster syncPolicy: automated: prune: true selfHeal: true + syncOptions: + - CreateNamespace=true + diff --git a/infra/argocd/templates/kube-prometheus-stack.yaml b/argocd/templates/kube-prometheus-stack.yaml similarity index 61% rename from infra/argocd/templates/kube-prometheus-stack.yaml rename to argocd/templates/kube-prometheus-stack.yaml index bc52501..8830be4 100644 --- a/infra/argocd/templates/kube-prometheus-stack.yaml +++ b/argocd/templates/kube-prometheus-stack.yaml @@ -6,15 +6,16 @@ metadata: spec: project: default source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/kube-prometheus-stack + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: kube-prometheus-stack destination: namespace: kube-prometheus-stack name: in-cluster syncPolicy: automated: prune: true - selfHeal: true + selfHeal: true syncOptions: - - CreateNamespace=true + - CreateNamespace=true + diff --git a/argocd/templates/kubeclarity.yaml b/argocd/templates/kubeclarity.yaml new file mode 100644 index 0000000..c9fd0b4 --- /dev/null +++ b/argocd/templates/kubeclarity.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kubeclarity + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: kubeclarity + destination: + namespace: kubeclarity + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/infra/argocd/templates/internalproxy.yaml b/argocd/templates/longhorn.yaml similarity index 57% rename from infra/argocd/templates/internalproxy.yaml rename to argocd/templates/longhorn.yaml index 9381c2d..60a6026 100644 --- a/infra/argocd/templates/internalproxy.yaml +++ b/argocd/templates/longhorn.yaml @@ -1,17 +1,17 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: internal-proxy + name: longhorn-system namespace: argocd spec: project: default source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/internalproxy + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: longhorn destination: - namespace: internalproxy - name: dmz + namespace: longhorn-system + name: in-cluster syncPolicy: automated: prune: true diff --git a/infra/argocd/templates/gitlab-runner.yaml b/argocd/templates/metallb-system.yaml similarity index 57% rename from infra/argocd/templates/gitlab-runner.yaml rename to argocd/templates/metallb-system.yaml index 25b82bb..d88d70d 100644 --- a/infra/argocd/templates/gitlab-runner.yaml +++ b/argocd/templates/metallb-system.yaml @@ -1,17 +1,17 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: gitlab-runner-dmz + name: metallb-system namespace: argocd spec: project: default source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/gitlab-runner + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: metallb-system destination: - namespace: gitlab-runner - name: dmz + namespace: metallb-system + name: in-cluster syncPolicy: automated: prune: true @@ -19,3 +19,4 @@ spec: syncOptions: - CreateNamespace=true + diff --git a/argocd/templates/traefik.yaml b/argocd/templates/traefik.yaml new file mode 100644 index 0000000..037e9ff --- /dev/null +++ b/argocd/templates/traefik.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: traefik + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: traefik + destination: + namespace: traefik + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/infra/argocd/templates/openspeedtest.yaml b/argocd/templates/uptimekuma.yaml similarity index 52% rename from infra/argocd/templates/openspeedtest.yaml rename to argocd/templates/uptimekuma.yaml index ead0679..80e6808 100644 --- a/infra/argocd/templates/openspeedtest.yaml +++ b/argocd/templates/uptimekuma.yaml @@ -1,22 +1,23 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: openspeedtest + name: uptimekuma namespace: argocd spec: project: default source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/openspeedtest + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: uptimekuma directory: recurse: true destination: - name: dmz - namespace: openspeedtest + server: https://kubernetes.default.svc + namespace: uptimekuma syncPolicy: automated: prune: true selfHeal: true syncOptions: - - CreateNamespace=true + - CreateNamespace=true + diff --git a/argocd/templates/vault.yaml b/argocd/templates/vault.yaml new file mode 100644 index 0000000..ccff355 --- /dev/null +++ b/argocd/templates/vault.yaml @@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault + namespace: argocd +spec: + project: default + source: + repoURL: https://gitlab.com/developerdurp/homelab.git + targetRevision: dmz + path: vault + destination: + namespace: vault + name: in-cluster + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + jqPathExpressions: + - .webhooks[]?.clientConfig.caBundle diff --git a/infra/argocd/values.yaml b/argocd/values.yaml similarity index 53% rename from infra/argocd/values.yaml rename to argocd/values.yaml index 727777e..47a56e3 100644 --- a/infra/argocd/values.yaml +++ b/argocd/values.yaml @@ -1,40 +1,40 @@ argo-cd: + global: revisionHistoryLimit: 1 image: - repository: registry.durp.info/argoproj/argocd + repository: registry.internal.durp.info/argoproj/argocd imagePullPolicy: Always - #server: - #extraArgs: - # - --dex-server-plaintext - # - --dex-server=argocd-dex-server:5556 - # oidc.config: | - # name: AzureAD - # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 - # clientID: CLIENT_ID - # clientSecret: $oidc.azuread.clientSecret - # requestedIDTokenClaims: - # groups: - # essential: true - # requestedScopes: - # - openid - # - profile - # - email + server: + #extraArgs: + # - --dex-server-plaintext + # - --dex-server=argocd-dex-server:5556 + # oidc.config: | + # name: AzureAD + # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 + # clientID: CLIENT_ID + # clientSecret: $oidc.azuread.clientSecret + # requestedIDTokenClaims: + # groups: + # essential: true + # requestedScopes: + # - openid + # - profile + # - email dex: enabled: true image: - repository: registry.durp.info/dexidp/dex + repository: registry.internal.durp.info/dexidp/dex imagePullPolicy: Always configs: cm: create: true annotations: {} - url: https://argocd.infra.durp.info + url: https://argocd.internal.durp.info oidc.tls.insecure.skip.verify: "true" - accounts.provider-argocd: apiKey dex.config: | connectors: - config: @@ -50,15 +50,13 @@ argo-cd: name: authentik type: oidc id: authentik - resource.exclusions: "" rbac: create: true policy.csv: | - g, ArgoCD Admins, role:admin - g, provider-argocd, role:admin + g, ArgoCD Admins, role:admin scopes: "[groups]" server: - route: - enabled: false \ No newline at end of file + route: + enabled: false diff --git a/infra/cert-manager/Chart.yaml b/cert-manager/Chart.yaml similarity index 91% rename from infra/cert-manager/Chart.yaml rename to cert-manager/Chart.yaml index 7280af8..8593f8c 100644 --- a/infra/cert-manager/Chart.yaml +++ b/cert-manager/Chart.yaml @@ -8,4 +8,4 @@ appVersion: 0.0.1 dependencies: - name: cert-manager repository: https://charts.jetstack.io - version: v1.17.2 + version: 1.*.* diff --git a/cert-manager/templates/letsencrypt-prroduction.yaml b/cert-manager/templates/letsencrypt-prroduction.yaml new file mode 100644 index 0000000..034ed9b --- /dev/null +++ b/cert-manager/templates/letsencrypt-prroduction.yaml @@ -0,0 +1,16 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + email: developerdurp@durp.info + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: cloudflare-api-token-secret diff --git a/cert-manager/templates/letsencrypt-staging.yaml b/cert-manager/templates/letsencrypt-staging.yaml new file mode 100644 index 0000000..b6ae4f9 --- /dev/null +++ b/cert-manager/templates/letsencrypt-staging.yaml @@ -0,0 +1,16 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - dns01: + cloudflare: + email: developerdurp@durp.info + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: cloudflare-api-token-secret \ No newline at end of file diff --git a/dev/cert-manager/templates/secretvault.yaml b/cert-manager/templates/sealedsecret.yaml similarity index 69% rename from dev/cert-manager/templates/secretvault.yaml rename to cert-manager/templates/sealedsecret.yaml index 11c82bc..37a2e92 100644 --- a/dev/cert-manager/templates/secretvault.yaml +++ b/cert-manager/templates/sealedsecret.yaml @@ -1,4 +1,4 @@ -apiVersion: external-secrets.io/v1 +apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: cloudflare-api-token-secret @@ -11,12 +11,6 @@ spec: data: - secretKey: cloudflare-api-token-secret remoteRef: - key: kv/cert-manager + key: secrets/cert-manager property: cloudflare-api-token-secret ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault diff --git a/dev/cert-manager/values.yaml b/cert-manager/values.yaml similarity index 92% rename from dev/cert-manager/values.yaml rename to cert-manager/values.yaml index c9cf12f..36f403b 100644 --- a/dev/cert-manager/values.yaml +++ b/cert-manager/values.yaml @@ -1,10 +1,9 @@ cert-manager: - crds: - enabled: true image: registry: registry.internal.durp.info repository: jetstack/cert-manager-controller pullPolicy: Always + installCRDs: true replicaCount: 3 extraArgs: - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 @@ -23,4 +22,4 @@ cert-manager: image: registry: registry.internal.durp.info repository: jetstack/cert-manager-cainjector - pullPolicy: Always + pullPolicy: Always \ No newline at end of file diff --git a/dev/.gitlab/.gitlab-ci.yml b/dev/.gitlab/.gitlab-ci.yml deleted file mode 100644 index 16cef81..0000000 --- a/dev/.gitlab/.gitlab-ci.yml +++ /dev/null @@ -1,95 +0,0 @@ -stages: - - plan - - apply - - destroy - -variables: - WORKDIR: $CI_PROJECT_DIR/dev/terraform - GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dev - -image: - name: registry.durp.info/opentofu/opentofu:latest - entrypoint: [""] - -.tf-init: - before_script: - - cd $WORKDIR - - tofu init - -reconfigure - -backend-config="address=${GITLAB_TF_ADDRESS}" - -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" - -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" - -backend-config="username=gitlab-ci-token" - -backend-config="password=${CI_JOB_TOKEN}" - -backend-config="lock_method=POST" - -backend-config="unlock_method=DELETE" - -backend-config="retry_wait_min=5" - -format: - stage: .pre - allow_failure: false - script: - - cd $WORKDIR - - tofu fmt -diff -check -write=false - rules: - - changes: - - "dev/terraform/*.tf" - -validate: - stage: .pre - allow_failure: false - extends: .tf-init - script: - - tofu validate - rules: - - changes: - - "dev/terraform/*.tf" - -plan-dev-infrastructure: - stage: plan - variables: - PLAN: plan.tfplan - JSON_PLAN_FILE: tfplan.json - ENVIRONMENT_NAME: dev - allow_failure: false - extends: .tf-init - script: - - apk add --update curl jq - - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" - - tofu plan -out=$PLAN $ARGUMENTS - - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE - artifacts: - reports: - terraform: $WORKDIR/$JSON_PLAN_FILE - needs: ["validate","format"] - rules: - - changes: - - "dev/terraform/*.tf" - -apply-dev-infrastructure: - stage: apply - variables: - ENVIRONMENT_NAME: dev - allow_failure: false - extends: .tf-init - script: - - tofu apply -auto-approve $ARGUMENTS - rules: - - changes: - - "dev/terraform/*.tf" - when: manual - needs: ["plan-dev-infrastructure"] - -destroy-dev-infrastructure: - stage: destroy - variables: - ENVIRONMENT_NAME: dev - allow_failure: false - extends: .tf-init - script: - - tofu destroy -auto-approve $ARGUMENTS - rules: - - changes: - - "dev/terraform/*.tf" - when: manual - needs: ["plan-dev-infrastructure"] diff --git a/dev/cert-manager/templates/issuer.yaml b/dev/cert-manager/templates/issuer.yaml deleted file mode 100644 index cf61c83..0000000 --- a/dev/cert-manager/templates/issuer.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: issuer -secrets: - - name: issuer-token-lmzpj - ---- - -apiVersion: v1 -kind: Secret -metadata: - name: issuer-token-lmzpj - annotations: - kubernetes.io/service-account.name: issuer -type: kubernetes.io/service-account-token diff --git a/dev/cert-manager/templates/letsencrypt.yaml b/dev/cert-manager/templates/letsencrypt.yaml deleted file mode 100644 index 56b8374..0000000 --- a/dev/cert-manager/templates/letsencrypt.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-production -spec: - acme: - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-production - solvers: - - dns01: - cloudflare: - email: developerdurp@durp.info - apiTokenSecretRef: - name: cloudflare-api-token-secret - key: cloudflare-api-token-secret - ---- - -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: vault-issuer -spec: - vault: - server: https://vault.infra.durp.info - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzekNDQTV1Z0F3SUJBZ0lVWkV6enhxRXVZaUtIa0wxZGYrQ2IyMk5SUkpNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekl5TXpRME1sb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dJREVlTUJ3R0ExVUVBeE1WZG1GMWJIUXVhVzVtY21FdVpIVnljQzVwYm1adk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWtaTTB1ZTRiTWNtbUFUcytrR1lTcFIyaExVenEKc2NHSXdDdHFtYUtDTWJkMXhobWdqbklSM3p2U1JwdExSMkdWR3ZjMXRpNnFieTBqWFl2Y3FieGtIdmF5MDB6VwoyellOK00ybTRsWHB1V3pnMXQ2TkVvTzZYR0FzR2oydjB2Y1ZrdFBQVTl1ajByR1VWR1dXZnN2am9YcVFGZzVJCmpkeHN4SzlTdk12dzJYdEUzRmdLeHB6Q3l3OTRJbklIbGNQd0ZUTyszWmRLU3RabE1iVURJa21zekxCcldGY3IKWE9zUERmTHhxTXkwQ2svL0xLSXQ4ZGpoMzI1NEZIQjFHRzUra0krSlNXMW8rdFVjTDJOeW12SUlOd20vMmFjUwoxdVRtK2o5VzdpRVhhdjBwSk5tbSsvZHpTc2tjM1kwZnRNMGgySENYZ2l0QklhRVpuVVZuZU5IT0x3SURBUUFCCm80SUI3ekNDQWVzd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME8KQkJZRUZDYVEycTdqN0x5QkdFVEVaNXFhSkFkbElTS0NNQjhHQTFVZEl3UVlNQmFBRk8xakN5R2twRk8rUWlSMgpkZkJNV1ZZZVdyUTJNSUgwQmdnckJnRUZCUWNCQVFTQjV6Q0I1REF6QmdnckJnRUZCUWN3QVlZbmFIUjBjSE02Ckx5OHhPVEl1TVRZNExqSXdMakkxTXpvNE1qQXhMM1l4TDNCcmFTOXZZM053TUQwR0NDc0dBUVVGQnpBQmhqRm8KZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnJhUzl2WTNOdwpNREVHQ0NzR0FRVUZCekFDaGlWb2RIUndjem92THpFNU1pNHhOamd1TWpBdU1qVXpPamd5TURFdmRqRXZjR3RwCkwyTmhNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndjem92TDNKdmIzUXRkbUYxYkhRdWFXNTBaWEp1WVd3dVpIVnkKY0M1cGJtWnZMM1l4TDNCcmFTOWpZVEFnQmdOVkhSRUVHVEFYZ2hWMllYVnNkQzVwYm1aeVlTNWtkWEp3TG1sdQpabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3TGpJMU16bzRNakF4CkwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6T2k4dmNtOXZkQzEyWVhWc2RDNXBiblJsY201aGJDNWsKZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXVKK2xwbFkvK0E1TAo1THprbGpiS0RUeTNVNlBMdjFMdHhxVkNPRkdpSlhCblhNanRWVzA3YkJFVWFkekZSTlc4R0hRM3c1UXpPRzZrCi92RS9UcnJKaG83bDA1Si91YytCVXJQU05qZWZMbVFWNmhuNGpyUDg2UFIwdnpSZmJTcUtLQklJRDlNNyt6aTYKR0Z2SGxWa1NIc1F5TVFwN0pPb2F4OUtWelcyWStPSWd3N0xndzJ0UDEyMldDdDJTSUYwUWVub1pIc29XMGd1agp0elRKUm1KRGpuNlhlSjdMM0ZQa2YzN0g2dWIwSmczekJHcjZlb3JFRmZZWk5ONUNYZXpqcU1GQnBSZHE0VUlvCjFNM0E3bzN1eVpGY0ZzcC92R0RjTUJrd2FDc0JWOWlkdS9Id2t2R2FUVU5JMjg1aWxCT1JQRDBiTVpuQUNxLzkKK1EvY2RzTzVsZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lVUXdDQXM4MnNnU3VpYVZiakFOSFNjTzJEU2ZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TWpFeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBbjlmakdScXFGc3FndXo1Nlg2Y1had0VNdEQ5d0Vsd1NGQ2I0RmM4WVR6bEgKNGZWMTNRd1hLRVNMRS9RKzdidzR5NEZKUThCaUdOYnh4YlFPT2dXaGZHR2xReUZhMWxmaEp0WUxmcVJONUMyLwpTN25yMFl4REI5ZHVjNE9BRXhWTDZQcjQvS29jK3ZEWlkwM2w3Unp3bkYyQU9NOURqRlRBU3cwMVRwaENRalJrClUrdXBpTjJUVWhVUGVqVi9nTVIrelhNNnBuOThVQktHMWROdWJTMEh6QU13QUVYQVBtMTQxTkR5V1VDUFQ5KzMKNlAwM0thOG1VVHgzWDQ5T0N0dkpFR0VRYnRsblRGUWFPU2tQMXlMVytYUk1IdzNzUWFWMlBXWHU1ZkluYkVwWgorU3V6bWdMT1h0bVFObUhMYXY5cTFxZVRWa3BCR1BXdmZoMlZoMUpKaFFJREFRQUJvNElCNHpDQ0FkOHdEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSmFQMTdmMVp3MFYKNTVLczlVZjBVU1ZXbDBCUE1COEdBMVVkSXdRWU1CYUFGTzFqQ3lHa3BGTytRaVIyZGZCTVdWWWVXclEyTUlIMApCZ2dyQmdFRkJRY0JBUVNCNXpDQjVEQXpCZ2dyQmdFRkJRY3dBWVluYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3CkxqSTFNem80TWpBeEwzWXhMM0JyYVM5dlkzTndNRDBHQ0NzR0FRVUZCekFCaGpGb2RIUndjem92TDNKdmIzUXQKZG1GMWJIUXVhVzUwWlhKdVlXd3VaSFZ5Y0M1cGJtWnZMM1l4TDNCcmFTOXZZM053TURFR0NDc0dBUVVGQnpBQwpoaVZvZEhSd2N6b3ZMekU1TWk0eE5qZ3VNakF1TWpVek9qZ3lNREV2ZGpFdmNHdHBMMk5oTURzR0NDc0dBUVVGCkJ6QUNoaTlvZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnIKYVM5allUQVVCZ05WSFJFRURUQUxnZ2xrZFhKd0xtbHVabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMApjSE02THk4eE9USXVNVFk0TGpJd0xqSTFNem80TWpBeEwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6Ck9pOHZjbTl2ZEMxMllYVnNkQzVwYm5SbGNtNWhiQzVrZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFpcUFaNHpOSUVrQ1djdnBEUnEwVnlKdWs1OXNWdEpyNVg0RnNjSFExNzluRQpRYmJ2TWUrRUJERlM2WFFtbDFFbGo4amlQYS9ENU85T2M2SWlzbm01K3dlWkt3QXB6L2xRK1hWa1dMQ29FcGxCClpaOWZjV1ZDYk1MdDB4bHQ4cW41ei9tWUtmYkNUN1pDcURPK3ByUVp0K0FESmNRYmlrbmZyb0FBcUViTkt4d04KWTl1VXlPV05GM1N4SkVjaDR3MmR0WCtJRVZteGVabmhNeThPdVAwU1FLbDhhVzQwdWdpRzBaRDV5VEJCZk9EOQp6c3JHU1UvaVNhdG4wYjdiZXZCaGFMOTZoejEvck5SMWNMKzQvYWxiWDJocnI4UnYzL1NCMkRMdE5RbFFXMGxzCkFmaFhBcVA1ekwrWXRnZjFPZi9wVmRnbmh4cllVWTdSS0NTR1k1SGFndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMekNDQWhlZ0F3SUJBZ0lVTkhkdk96YW0ySFBWZHdYcE1IVXk0d2w4WlJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TVRVeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBOFhEVFZFdFJJMytrNHl1dnFWcWZJaUxSUUpjWGJtaGZWdEFlWWsrNWo5T3gKcDF3OVlIZG5QTHFMRnJEMVB6YWRqcVllQXAvZndsRUZmczZscXdvVFM4Uzl2aGFGcWNnQjU3blZNYjc3ZFRCYgovMDhYSFhPVTZGUFJqZEZLbTVRTXBTN3RuMVhhY1BNeS9vMGJLcVJSRVFlaXVGREdWUnl1RjVQVWd2V2MxZHZKCmwyN0p2dmdZa3RnamZwTlM0RGxDeGc0bEdYVDVhYnZhS2YyaG5yNjVlZ2FJby95UldOOXdudkF6UmlZN29jaTcKR0Exb0t6ODdZYzF0ZkwyZ2N5bnJ3Y2NPT0NGL2VVS2VzSlIxSTZHWE5rTi9hMWZjcitMZDlaOU5oSEJ0Tyt2RQpOOERzWlkra0c3REUzTTRCQ0NURlV6bGxjWUhqYVc0SGFGOXZaVytQWXdJREFRQUJvM2t3ZHpBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdXTUxJYVNrVTc1Q0pIWjEKOEV4WlZoNWF0RFl3SHdZRFZSMGpCQmd3Rm9BVTdXTUxJYVNrVTc1Q0pIWjE4RXhaVmg1YXREWXdGQVlEVlIwUgpCQTB3QzRJSlpIVnljQzVwYm1adk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVMvcVVJLzFZdjA3eFVUSzVrCnI5M2tDN0dTUHBtcGtYSXNmakNoQWw5M3NlYk4xNDNmdTcwTlVQNzRqakNjMFdrYjhoUm9mR2cxMEUrLzI0cjEKQUkwS3NMaHpLemZJQVN4VVZRQW44UlRwdExydWFhUExib1NBNE1VWjhJQjV5OFZ5OEUzL0t0RDBnRDgwajY0WQpybTlYR0hBMEhUSkhiUFVUYi9SdXgyZzBFN1d0aXlXU1dIOG1xemJlZ1U4SXJrTTNlVlQ0K3lsQkU3WWtmV0RECmR3NDRzQjcxdGZtREtweldnNlhRNllNaDBZZm55RzFmWUNqOUxodWVjTlk5VXVvNmNqRGFBdmt6TWV3V3dxRHgKUTJFa2FzOThEaTZpdENQOHZFVCtnQkRqZUNjK1hSNkh4NnZ6V214bFpod0R1eEVLTDFhMi9EYWJVeEp5TU56dgo1NUZuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K - path: pki/sign/issue-homelab-certs - auth: - kubernetes: - mountPath: /v1/auth/dmz-cluster - role: issuer - secretRef: - name: issuer-token-lmzpj - key: token diff --git a/dev/external-dns/templates/secrets.yaml b/dev/external-dns/templates/secrets.yaml deleted file mode 100644 index 60f7466..0000000 --- a/dev/external-dns/templates/secrets.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: external-dns-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: external-dns - data: - - secretKey: cloudflare_api_email - remoteRef: - key: kv/cloudflare - property: cloudflare_api_email - - secretKey: cloudflare_api_key - remoteRef: - key: kv/cloudflare - property: cloudflare_api_key - - secretKey: cloudflare_api_token - remoteRef: - key: kv/cloudflare - property: cloudflare_api_token - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault diff --git a/dev/external-dns/values.yaml b/dev/external-dns/values.yaml deleted file mode 100644 index 2052942..0000000 --- a/dev/external-dns/values.yaml +++ /dev/null @@ -1,18 +0,0 @@ -external-dns: - global: - imageRegistry: "registry.durp.info" - - image: - pullPolicy: Always - - txtPrefix: "dmz-" - - sources: - - service - - provider: cloudflare - cloudflare: - secretName : "external-dns" - proxied: false - - policy: sync diff --git a/dev/external-secrets/Chart.yaml b/dev/external-secrets/Chart.yaml deleted file mode 100644 index 48645c3..0000000 --- a/dev/external-secrets/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: external-secrets -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: external-secrets - repository: https://charts.external-secrets.io - version: 0.17.0 diff --git a/dev/external-secrets/templates/ca.yaml b/dev/external-secrets/templates/ca.yaml deleted file mode 100644 index 9b2a135..0000000 --- a/dev/external-secrets/templates/ca.yaml +++ /dev/null @@ -1,81 +0,0 @@ -apiVersion: v1 -data: - vault.pem: | - -----BEGIN CERTIFICATE----- - MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL - BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy - MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN - BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq - scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW - 2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I - jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr - XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS - 1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB - o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O - BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2 - dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6 - Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo - dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw - MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp - L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy - cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu - Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx - L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k - dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L - 5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k - /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6 - GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj - tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo - 1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9 - +Q/cdsO5lg== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL - BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy - MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF - AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH - 4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/ - S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk - U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3 - 6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ - +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD - VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V - 55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0 - BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw - LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt - dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC - hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF - BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br - aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0 - cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz - Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq - hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE - QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB - ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN - Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9 - zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls - AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL - BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy - MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF - AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox - p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb - /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ - l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7 - GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE - N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B - Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1 - 8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R - BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k - r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1 - AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y - rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD - dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx - Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv - 55Fn - -----END CERTIFICATE----- -kind: ConfigMap -metadata: - name: ca-pemstore diff --git a/dev/external-secrets/values.yaml b/dev/external-secrets/values.yaml deleted file mode 100644 index 304180d..0000000 --- a/dev/external-secrets/values.yaml +++ /dev/null @@ -1,94 +0,0 @@ -external-secrets: - replicaCount: 3 - revisionHistoryLimit: 1 - leaderElect: true - - installCRDs: true - crds: - createClusterExternalSecret: true - createClusterSecretStore: true - createClusterGenerator: true - createPushSecret: true - conversion: - enabled: false - - image: - repository: registry.durp.info/external-secrets/external-secrets - pullPolicy: Always - - extraVolumes: - - name: ca-pemstore - configMap: - name: ca-pemstore - - extraVolumeMounts: - - name: ca-pemstore - mountPath: /etc/ssl/certs/vault.pem - subPath: vault.pem - readOnly: true - - resources: - requests: - memory: 32Mi - cpu: 10m - limits: - memory: 32Mi - cpu: 10m - - webhook: - create: false - failurePolicy: Ignore - log: - level: debug - image: - repository: registry.durp.info/external-secrets/external-secrets - pullPolicy: Always - - extraVolumes: - - name: ca-pemstore - configMap: - name: ca-pemstore - - extraVolumeMounts: - - name: ca-pemstore - mountPath: /etc/ssl/certs/vault.pem - subPath: vault.pem - readOnly: true - - resources: - requests: - memory: 32Mi - cpu: 10m - limits: - memory: 32Mi - cpu: 10m - - certController: - create: false - revisionHistoryLimit: 1 - log: - level: debug - - image: - repository: registry.durp.info/external-secrets/external-secrets - pullPolicy: Always - tag: "" - - resources: - requests: - memory: 32Mi - cpu: 10m - limits: - memory: 32Mi - cpu: 10m - - extraVolumes: - - name: ca-pemstore - configMap: - name: ca-pemstore - - extraVolumeMounts: - - name: ca-pemstore - mountPath: /etc/ssl/certs/vault.pem - subPath: vault.pem - readOnly: true diff --git a/dev/metallb-system/templates/config.yaml b/dev/metallb-system/templates/config.yaml deleted file mode 100644 index 5fb85fe..0000000 --- a/dev/metallb-system/templates/config.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: metallb.io/v1beta1 -kind: IPAddressPool -metadata: - name: cheap -spec: - addresses: - - 192.168.10.130-192.168.10.140 ---- -apiVersion: metallb.io/v1beta1 -kind: L2Advertisement -metadata: - name: pool - namespace: metallb-system -spec: - ipAddressPools: - - cheap - diff --git a/dev/metallb-system/values.yaml b/dev/metallb-system/values.yaml deleted file mode 100644 index e69de29..0000000 diff --git a/dev/traefik/values.yaml b/dev/traefik/values.yaml deleted file mode 100644 index 3d1d660..0000000 --- a/dev/traefik/values.yaml +++ /dev/null @@ -1,58 +0,0 @@ -traefik: - image: - # registry: registry.durp.info - # repository: traefik - pullPolicy: Always - - providers: - kubernetesCRD: - allowCrossNamespace: true - allowExternalNameServices: true - allowEmptyServices: false - - deployment: - replicas: 3 - revisionHistoryLimit: 1 - - # volumes: - # - name: traefik-configmap - # mountPath: "/config" - # type: configMap - - ingressRoute: - dashboard: - enabled: true - - additionalArguments: - # - "--providers.file.filename=/config/config.yml" - - "--serversTransport.insecureSkipVerify=true" - - "--log.level=DEBUG" - - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin - - --experimental.plugins.jwt.version=v0.7.0 - - autoscaling: - enabled: true - minReplicas: 3 - maxReplicas: 10 - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 80 - behavior: - scaleDown: - stabilizationWindowSeconds: 300 - policies: - - type: Pods - value: 1 - periodSeconds: 60 - - # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. - resources: - requests: - cpu: "100m" - memory: "512Mi" - limits: - memory: "512Mi" diff --git a/dev/vault/Chart.yaml b/dev/vault/Chart.yaml deleted file mode 100644 index 412c292..0000000 --- a/dev/vault/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: vault -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: vault - repository: https://helm.releases.hashicorp.com - version: 0.30.0 - diff --git a/dev/vault/templates/secret-store.yaml b/dev/vault/templates/secret-store.yaml deleted file mode 100644 index c48e52f..0000000 --- a/dev/vault/templates/secret-store.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ClusterSecretStore -metadata: - name: vault -spec: - provider: - vault: - server: "https://vault.infra.durp.info" - path: "kv" - version: "v2" - auth: - kubernetes: - mountPath: "dmz-cluster" - role: "external-secrets" - serviceAccountRef: - name: "vault" - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault diff --git a/dev/vault/values.yaml b/dev/vault/values.yaml deleted file mode 100644 index 877d8fe..0000000 --- a/dev/vault/values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -vault: - global: - enabled: true - tlsDisable: false - externalVaultAddr: "https://vault.infra.durp.info" - resources: - requests: - memory: 256Mi - cpu: 250m - limits: - memory: 256Mi - cpu: 250m - diff --git a/dmz/.gitlab/.gitlab-ci.yml b/dmz/.gitlab/.gitlab-ci.yml deleted file mode 100644 index e0532bc..0000000 --- a/dmz/.gitlab/.gitlab-ci.yml +++ /dev/null @@ -1,95 +0,0 @@ -stages: - - plan - - apply - - destroy - -variables: - WORKDIR: $CI_PROJECT_DIR/dmz/terraform - GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dmz - -image: - name: registry.durp.info/opentofu/opentofu:latest - entrypoint: [""] - -.tf-init: - before_script: - - cd $WORKDIR - - tofu init - -reconfigure - -backend-config="address=${GITLAB_TF_ADDRESS}" - -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" - -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" - -backend-config="username=gitlab-ci-token" - -backend-config="password=${CI_JOB_TOKEN}" - -backend-config="lock_method=POST" - -backend-config="unlock_method=DELETE" - -backend-config="retry_wait_min=5" - -format: - stage: .pre - allow_failure: false - script: - - cd $WORKDIR - - tofu fmt -diff -check -write=false - rules: - - changes: - - "dmz/terraform/*.tf" - -validate: - stage: .pre - allow_failure: false - extends: .tf-init - script: - - tofu validate - rules: - - changes: - - "dmz/terraform/*.tf" - -plan-dmz-infrastructure: - stage: plan - variables: - PLAN: plan.tfplan - JSON_PLAN_FILE: tfplan.json - ENVIRONMENT_NAME: dmz - allow_failure: false - extends: .tf-init - script: - - apk add --update curl jq - - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" - - tofu plan -out=$PLAN $ARGUMENTS - - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE - artifacts: - reports: - terraform: $WORKDIR/$JSON_PLAN_FILE - needs: ["validate","format"] - rules: - - changes: - - "dmz/terraform/*.tf" - -apply-dmz-infrastructure: - stage: apply - variables: - ENVIRONMENT_NAME: dmz - allow_failure: false - extends: .tf-init - script: - - tofu apply -auto-approve $ARGUMENTS - rules: - - changes: - - "dmz/terraform/*.tf" - when: manual - needs: ["plan-dmz-infrastructure"] - -destroy-dmz-infrastructure: - stage: destroy - variables: - ENVIRONMENT_NAME: dmz - allow_failure: false - extends: .tf-init - script: - - tofu destroy -auto-approve $ARGUMENTS - rules: - - changes: - - "dmz/terraform/*.tf" - when: manual - needs: ["plan-dmz-infrastructure"] diff --git a/dmz/authentik/Chart.yaml b/dmz/authentik/Chart.yaml deleted file mode 100644 index 090214c..0000000 --- a/dmz/authentik/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: authentik -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" - -dependencies: - - name: authentik-remote-cluster - repository: https://charts.goauthentik.io - version: 2.1.0 diff --git a/dmz/authentik/templates/ingress.yaml b/dmz/authentik/templates/ingress.yaml deleted file mode 100644 index e69de29..0000000 diff --git a/dmz/authentik/values.yaml b/dmz/authentik/values.yaml deleted file mode 100644 index 83be2f9..0000000 --- a/dmz/authentik/values.yaml +++ /dev/null @@ -1,30 +0,0 @@ -authentik-remote-cluster: - # -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible - nameOverride: "" - # -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible - fullnameOverride: "" - # -- Override the Kubernetes version, which is used to evaluate certain manifests - kubeVersionOverride: "" - - ## Globally shared configuration for authentik components. - global: - # -- Provide a name in place of `authentik` - nameOverride: "" - # -- String to fully override `"authentik.fullname"` - fullnameOverride: "" - # -- A custom namespace to override the default namespace for the deployed resources. - namespaceOverride: "" - # -- Common labels for all resources. - additionalLabels: {} - # app: authentik - - # -- Annotations to apply to all resources - annotations: {} - - serviceAccountSecret: - # -- Create a secret with the service account credentials - enabled: true - - clusterRole: - # -- Create a clusterole in addition to a namespaced role. - enabled: true diff --git a/dmz/cert-manager/Chart.yaml b/dmz/cert-manager/Chart.yaml deleted file mode 100644 index 7280af8..0000000 --- a/dmz/cert-manager/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: cert-manager -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: cert-manager - repository: https://charts.jetstack.io - version: v1.17.2 diff --git a/dmz/cert-manager/templates/issuer.yaml b/dmz/cert-manager/templates/issuer.yaml deleted file mode 100644 index cf61c83..0000000 --- a/dmz/cert-manager/templates/issuer.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: issuer -secrets: - - name: issuer-token-lmzpj - ---- - -apiVersion: v1 -kind: Secret -metadata: - name: issuer-token-lmzpj - annotations: - kubernetes.io/service-account.name: issuer -type: kubernetes.io/service-account-token diff --git a/dmz/cert-manager/templates/letsencrypt.yaml b/dmz/cert-manager/templates/letsencrypt.yaml deleted file mode 100644 index 56b8374..0000000 --- a/dmz/cert-manager/templates/letsencrypt.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-production -spec: - acme: - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-production - solvers: - - dns01: - cloudflare: - email: developerdurp@durp.info - apiTokenSecretRef: - name: cloudflare-api-token-secret - key: cloudflare-api-token-secret - ---- - -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: vault-issuer -spec: - vault: - server: https://vault.infra.durp.info - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzekNDQTV1Z0F3SUJBZ0lVWkV6enhxRXVZaUtIa0wxZGYrQ2IyMk5SUkpNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekl5TXpRME1sb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dJREVlTUJ3R0ExVUVBeE1WZG1GMWJIUXVhVzVtY21FdVpIVnljQzVwYm1adk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWtaTTB1ZTRiTWNtbUFUcytrR1lTcFIyaExVenEKc2NHSXdDdHFtYUtDTWJkMXhobWdqbklSM3p2U1JwdExSMkdWR3ZjMXRpNnFieTBqWFl2Y3FieGtIdmF5MDB6VwoyellOK00ybTRsWHB1V3pnMXQ2TkVvTzZYR0FzR2oydjB2Y1ZrdFBQVTl1ajByR1VWR1dXZnN2am9YcVFGZzVJCmpkeHN4SzlTdk12dzJYdEUzRmdLeHB6Q3l3OTRJbklIbGNQd0ZUTyszWmRLU3RabE1iVURJa21zekxCcldGY3IKWE9zUERmTHhxTXkwQ2svL0xLSXQ4ZGpoMzI1NEZIQjFHRzUra0krSlNXMW8rdFVjTDJOeW12SUlOd20vMmFjUwoxdVRtK2o5VzdpRVhhdjBwSk5tbSsvZHpTc2tjM1kwZnRNMGgySENYZ2l0QklhRVpuVVZuZU5IT0x3SURBUUFCCm80SUI3ekNDQWVzd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME8KQkJZRUZDYVEycTdqN0x5QkdFVEVaNXFhSkFkbElTS0NNQjhHQTFVZEl3UVlNQmFBRk8xakN5R2twRk8rUWlSMgpkZkJNV1ZZZVdyUTJNSUgwQmdnckJnRUZCUWNCQVFTQjV6Q0I1REF6QmdnckJnRUZCUWN3QVlZbmFIUjBjSE02Ckx5OHhPVEl1TVRZNExqSXdMakkxTXpvNE1qQXhMM1l4TDNCcmFTOXZZM053TUQwR0NDc0dBUVVGQnpBQmhqRm8KZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnJhUzl2WTNOdwpNREVHQ0NzR0FRVUZCekFDaGlWb2RIUndjem92THpFNU1pNHhOamd1TWpBdU1qVXpPamd5TURFdmRqRXZjR3RwCkwyTmhNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndjem92TDNKdmIzUXRkbUYxYkhRdWFXNTBaWEp1WVd3dVpIVnkKY0M1cGJtWnZMM1l4TDNCcmFTOWpZVEFnQmdOVkhSRUVHVEFYZ2hWMllYVnNkQzVwYm1aeVlTNWtkWEp3TG1sdQpabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3TGpJMU16bzRNakF4CkwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6T2k4dmNtOXZkQzEyWVhWc2RDNXBiblJsY201aGJDNWsKZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXVKK2xwbFkvK0E1TAo1THprbGpiS0RUeTNVNlBMdjFMdHhxVkNPRkdpSlhCblhNanRWVzA3YkJFVWFkekZSTlc4R0hRM3c1UXpPRzZrCi92RS9UcnJKaG83bDA1Si91YytCVXJQU05qZWZMbVFWNmhuNGpyUDg2UFIwdnpSZmJTcUtLQklJRDlNNyt6aTYKR0Z2SGxWa1NIc1F5TVFwN0pPb2F4OUtWelcyWStPSWd3N0xndzJ0UDEyMldDdDJTSUYwUWVub1pIc29XMGd1agp0elRKUm1KRGpuNlhlSjdMM0ZQa2YzN0g2dWIwSmczekJHcjZlb3JFRmZZWk5ONUNYZXpqcU1GQnBSZHE0VUlvCjFNM0E3bzN1eVpGY0ZzcC92R0RjTUJrd2FDc0JWOWlkdS9Id2t2R2FUVU5JMjg1aWxCT1JQRDBiTVpuQUNxLzkKK1EvY2RzTzVsZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lVUXdDQXM4MnNnU3VpYVZiakFOSFNjTzJEU2ZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TWpFeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBbjlmakdScXFGc3FndXo1Nlg2Y1had0VNdEQ5d0Vsd1NGQ2I0RmM4WVR6bEgKNGZWMTNRd1hLRVNMRS9RKzdidzR5NEZKUThCaUdOYnh4YlFPT2dXaGZHR2xReUZhMWxmaEp0WUxmcVJONUMyLwpTN25yMFl4REI5ZHVjNE9BRXhWTDZQcjQvS29jK3ZEWlkwM2w3Unp3bkYyQU9NOURqRlRBU3cwMVRwaENRalJrClUrdXBpTjJUVWhVUGVqVi9nTVIrelhNNnBuOThVQktHMWROdWJTMEh6QU13QUVYQVBtMTQxTkR5V1VDUFQ5KzMKNlAwM0thOG1VVHgzWDQ5T0N0dkpFR0VRYnRsblRGUWFPU2tQMXlMVytYUk1IdzNzUWFWMlBXWHU1ZkluYkVwWgorU3V6bWdMT1h0bVFObUhMYXY5cTFxZVRWa3BCR1BXdmZoMlZoMUpKaFFJREFRQUJvNElCNHpDQ0FkOHdEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSmFQMTdmMVp3MFYKNTVLczlVZjBVU1ZXbDBCUE1COEdBMVVkSXdRWU1CYUFGTzFqQ3lHa3BGTytRaVIyZGZCTVdWWWVXclEyTUlIMApCZ2dyQmdFRkJRY0JBUVNCNXpDQjVEQXpCZ2dyQmdFRkJRY3dBWVluYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3CkxqSTFNem80TWpBeEwzWXhMM0JyYVM5dlkzTndNRDBHQ0NzR0FRVUZCekFCaGpGb2RIUndjem92TDNKdmIzUXQKZG1GMWJIUXVhVzUwWlhKdVlXd3VaSFZ5Y0M1cGJtWnZMM1l4TDNCcmFTOXZZM053TURFR0NDc0dBUVVGQnpBQwpoaVZvZEhSd2N6b3ZMekU1TWk0eE5qZ3VNakF1TWpVek9qZ3lNREV2ZGpFdmNHdHBMMk5oTURzR0NDc0dBUVVGCkJ6QUNoaTlvZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnIKYVM5allUQVVCZ05WSFJFRURUQUxnZ2xrZFhKd0xtbHVabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMApjSE02THk4eE9USXVNVFk0TGpJd0xqSTFNem80TWpBeEwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6Ck9pOHZjbTl2ZEMxMllYVnNkQzVwYm5SbGNtNWhiQzVrZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFpcUFaNHpOSUVrQ1djdnBEUnEwVnlKdWs1OXNWdEpyNVg0RnNjSFExNzluRQpRYmJ2TWUrRUJERlM2WFFtbDFFbGo4amlQYS9ENU85T2M2SWlzbm01K3dlWkt3QXB6L2xRK1hWa1dMQ29FcGxCClpaOWZjV1ZDYk1MdDB4bHQ4cW41ei9tWUtmYkNUN1pDcURPK3ByUVp0K0FESmNRYmlrbmZyb0FBcUViTkt4d04KWTl1VXlPV05GM1N4SkVjaDR3MmR0WCtJRVZteGVabmhNeThPdVAwU1FLbDhhVzQwdWdpRzBaRDV5VEJCZk9EOQp6c3JHU1UvaVNhdG4wYjdiZXZCaGFMOTZoejEvck5SMWNMKzQvYWxiWDJocnI4UnYzL1NCMkRMdE5RbFFXMGxzCkFmaFhBcVA1ekwrWXRnZjFPZi9wVmRnbmh4cllVWTdSS0NTR1k1SGFndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMekNDQWhlZ0F3SUJBZ0lVTkhkdk96YW0ySFBWZHdYcE1IVXk0d2w4WlJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TVRVeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBOFhEVFZFdFJJMytrNHl1dnFWcWZJaUxSUUpjWGJtaGZWdEFlWWsrNWo5T3gKcDF3OVlIZG5QTHFMRnJEMVB6YWRqcVllQXAvZndsRUZmczZscXdvVFM4Uzl2aGFGcWNnQjU3blZNYjc3ZFRCYgovMDhYSFhPVTZGUFJqZEZLbTVRTXBTN3RuMVhhY1BNeS9vMGJLcVJSRVFlaXVGREdWUnl1RjVQVWd2V2MxZHZKCmwyN0p2dmdZa3RnamZwTlM0RGxDeGc0bEdYVDVhYnZhS2YyaG5yNjVlZ2FJby95UldOOXdudkF6UmlZN29jaTcKR0Exb0t6ODdZYzF0ZkwyZ2N5bnJ3Y2NPT0NGL2VVS2VzSlIxSTZHWE5rTi9hMWZjcitMZDlaOU5oSEJ0Tyt2RQpOOERzWlkra0c3REUzTTRCQ0NURlV6bGxjWUhqYVc0SGFGOXZaVytQWXdJREFRQUJvM2t3ZHpBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdXTUxJYVNrVTc1Q0pIWjEKOEV4WlZoNWF0RFl3SHdZRFZSMGpCQmd3Rm9BVTdXTUxJYVNrVTc1Q0pIWjE4RXhaVmg1YXREWXdGQVlEVlIwUgpCQTB3QzRJSlpIVnljQzVwYm1adk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVMvcVVJLzFZdjA3eFVUSzVrCnI5M2tDN0dTUHBtcGtYSXNmakNoQWw5M3NlYk4xNDNmdTcwTlVQNzRqakNjMFdrYjhoUm9mR2cxMEUrLzI0cjEKQUkwS3NMaHpLemZJQVN4VVZRQW44UlRwdExydWFhUExib1NBNE1VWjhJQjV5OFZ5OEUzL0t0RDBnRDgwajY0WQpybTlYR0hBMEhUSkhiUFVUYi9SdXgyZzBFN1d0aXlXU1dIOG1xemJlZ1U4SXJrTTNlVlQ0K3lsQkU3WWtmV0RECmR3NDRzQjcxdGZtREtweldnNlhRNllNaDBZZm55RzFmWUNqOUxodWVjTlk5VXVvNmNqRGFBdmt6TWV3V3dxRHgKUTJFa2FzOThEaTZpdENQOHZFVCtnQkRqZUNjK1hSNkh4NnZ6V214bFpod0R1eEVLTDFhMi9EYWJVeEp5TU56dgo1NUZuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K - path: pki/sign/issue-homelab-certs - auth: - kubernetes: - mountPath: /v1/auth/dmz-cluster - role: issuer - secretRef: - name: issuer-token-lmzpj - key: token diff --git a/dmz/cert-manager/templates/secretvault.yaml b/dmz/cert-manager/templates/secretvault.yaml deleted file mode 100644 index 11c82bc..0000000 --- a/dmz/cert-manager/templates/secretvault.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: cloudflare-api-token-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: cloudflare-api-token-secret - data: - - secretKey: cloudflare-api-token-secret - remoteRef: - key: kv/cert-manager - property: cloudflare-api-token-secret - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault diff --git a/dmz/cert-manager/values.yaml b/dmz/cert-manager/values.yaml deleted file mode 100644 index cfb41cf..0000000 --- a/dmz/cert-manager/values.yaml +++ /dev/null @@ -1,31 +0,0 @@ -cert-manager: - crds: - enabled: true - image: - registry: registry.durp.info - repository: jetstack/cert-manager-controller - pullPolicy: Always - replicaCount: 3 - extraArgs: - - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 - - --dns01-recursive-nameservers-only - podDnsPolicy: None - podDnsConfig: - nameservers: - - "1.1.1.1" - - "1.0.0.1" - webhook: - image: - registry: registry.durp.info - repository: jetstack/cert-manager-webhook - pullPolicy: Always - cainjector: - image: - registry: registry.durp.info - repository: jetstack/cert-manager-cainjector - pullPolicy: Always - - hostAliases: - - ip: 192.168.12.130 - hostnames: - - vault.infra.durp.info diff --git a/dmz/crowdsec/Chart.yaml b/dmz/crowdsec/Chart.yaml deleted file mode 100644 index a89fad6..0000000 --- a/dmz/crowdsec/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: crowdsec -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: - - name: crowdsec - repository: https://crowdsecurity.github.io/helm-charts - version: 0.19.4 diff --git a/dmz/crowdsec/templates/secrets.yaml b/dmz/crowdsec/templates/secrets.yaml deleted file mode 100644 index dfef6d6..0000000 --- a/dmz/crowdsec/templates/secrets.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: enroll-key -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: enroll-key - data: - - secretKey: ENROLL_INSTANCE_NAME - remoteRef: - key: kv/crowdsec/dmz-enroll - property: ENROLL_INSTANCE_NAME - - secretKey: ENROLL_KEY - remoteRef: - key: kv/crowdsec/dmz-enroll - property: ENROLL_KEY - - secretKey: ENROLL_TAGS - remoteRef: - key: kv/crowdsec/dmz-enroll - property: ENROLL_TAGS - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault diff --git a/dmz/crowdsec/values.yaml b/dmz/crowdsec/values.yaml deleted file mode 100644 index 6271eb0..0000000 --- a/dmz/crowdsec/values.yaml +++ /dev/null @@ -1,24 +0,0 @@ -crowdsec: - # - image: - repository: registry.durp.info/crowdsecurity/crowdsec - pullPolicy: Always - - # for raw logs format: json or cri (docker|containerd) - container_runtime: containerd - agent: - # Specify each pod whose logs you want to process - acquisition: - # The namespace where the pod is located - - namespace: traefik - # The pod name - podName: traefik-* - # as in crowdsec configuration, we need to specify the program name to find a matching parser - program: traefik - env: - - name: COLLECTIONS - value: "crowdsecurity/traefik" - lapi: - envFrom: - - secretRef: - name: enroll-key diff --git a/dmz/external-dns/templates/secrets.yaml b/dmz/external-dns/templates/secrets.yaml deleted file mode 100644 index 60f7466..0000000 --- a/dmz/external-dns/templates/secrets.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: external-dns-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: external-dns - data: - - secretKey: cloudflare_api_email - remoteRef: - key: kv/cloudflare - property: cloudflare_api_email - - secretKey: cloudflare_api_key - remoteRef: - key: kv/cloudflare - property: cloudflare_api_key - - secretKey: cloudflare_api_token - remoteRef: - key: kv/cloudflare - property: cloudflare_api_token - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault diff --git a/dmz/external-dns/values.yaml b/dmz/external-dns/values.yaml deleted file mode 100644 index 21d797e..0000000 --- a/dmz/external-dns/values.yaml +++ /dev/null @@ -1,20 +0,0 @@ -external-dns: - global: - imageRegistry: "registry.durp.info" - security: - allowInsecureImages: true - - image: - pullPolicy: Always - - txtPrefix: "dmz-" - - sources: - - service - - provider: cloudflare - cloudflare: - secretName: "external-dns" - proxied: false - - policy: sync diff --git a/dmz/external-secrets/Chart.yaml b/dmz/external-secrets/Chart.yaml deleted file mode 100644 index 4b30288..0000000 --- a/dmz/external-secrets/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: external-secrets -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: - - name: external-secrets - repository: https://charts.external-secrets.io - version: 0.17.0 diff --git a/dmz/external-secrets/templates/ca.yaml b/dmz/external-secrets/templates/ca.yaml deleted file mode 100644 index 9b2a135..0000000 --- a/dmz/external-secrets/templates/ca.yaml +++ /dev/null @@ -1,81 +0,0 @@ -apiVersion: v1 -data: - vault.pem: | - -----BEGIN CERTIFICATE----- - MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL - BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy - MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN - BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq - scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW - 2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I - jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr - XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS - 1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB - o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O - BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2 - dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6 - Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo - dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw - MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp - L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy - cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu - Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx - L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k - dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L - 5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k - /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6 - GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj - tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo - 1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9 - +Q/cdsO5lg== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL - BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy - MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF - AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH - 4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/ - S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk - U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3 - 6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ - +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD - VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V - 55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0 - BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw - LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt - dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC - hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF - BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br - aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0 - cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz - Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq - hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE - QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB - ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN - Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9 - zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls - AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL - BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy - MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF - AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox - p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb - /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ - l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7 - GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE - N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B - Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1 - 8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R - BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k - r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1 - AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y - rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD - dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx - Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv - 55Fn - -----END CERTIFICATE----- -kind: ConfigMap -metadata: - name: ca-pemstore diff --git a/dmz/external-secrets/values.yaml b/dmz/external-secrets/values.yaml deleted file mode 100644 index 3ccc294..0000000 --- a/dmz/external-secrets/values.yaml +++ /dev/null @@ -1,100 +0,0 @@ -external-secrets: - global: - security: - allowInsecureImages: true - - log: - level: debug - replicaCount: 1 - revisionHistoryLimit: 1 - leaderElect: false - - installCRDs: true - crds: - createClusterExternalSecret: true - createClusterSecretStore: true - createClusterGenerator: true - createPushSecret: true - conversion: - enabled: false - - image: - repository: registry.durp.info/external-secrets/external-secrets - pullPolicy: Always - - extraVolumes: - - name: ca-pemstore - configMap: - name: ca-pemstore - - extraVolumeMounts: - - name: ca-pemstore - mountPath: /etc/ssl/certs/vault.pem - subPath: vault.pem - readOnly: true - - # resources: - # requests: - # memory: 32Mi - # cpu: 10m - # limits: - # memory: 32Mi - # cpu: 10m - - webhook: - create: false - failurePolicy: Ignore - log: - level: debug - image: - repository: registry.durp.info/external-secrets/external-secrets - pullPolicy: Always - - extraVolumes: - - name: ca-pemstore - configMap: - name: ca-pemstore - - extraVolumeMounts: - - name: ca-pemstore - mountPath: /etc/ssl/certs/vault.pem - subPath: vault.pem - readOnly: true - - # resources: - # requests: - # memory: 32Mi - # cpu: 10m - # limits: - # memory: 32Mi - # cpu: 10m - - certController: - create: false - revisionHistoryLimit: 1 - log: - level: debug - - image: - repository: registry.durp.info/external-secrets/external-secrets - pullPolicy: Always - tag: "" - - resources: - requests: - memory: 32Mi - cpu: 10m - limits: - memory: 32Mi - cpu: 10m - - extraVolumes: - - name: ca-pemstore - configMap: - name: ca-pemstore - - extraVolumeMounts: - - name: ca-pemstore - mountPath: /etc/ssl/certs/vault.pem - subPath: vault.pem - readOnly: true diff --git a/dmz/gitlab-runner/templates/secrets.yaml b/dmz/gitlab-runner/templates/secrets.yaml deleted file mode 100644 index 2098738..0000000 --- a/dmz/gitlab-runner/templates/secrets.yaml +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitlab-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: gitlab-secret - data: - - secretKey: runner-registration-token - remoteRef: - key: kv/gitlab/runner - property: runner-registration-token - - secretKey: runner-token - remoteRef: - key: kv/gitlab/runner - property: runner-token - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - ---- - -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitlab-secret-personal -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: gitlab-secret-personal - data: - - secretKey: runner-token - remoteRef: - key: kv/gitlab/runner - property: personal-runner-token - - secretKey: runner-registration-token - remoteRef: - key: kv/gitlab/runner - property: personal-runner-token diff --git a/dmz/internalproxy/templates/argocd.yaml b/dmz/internalproxy/templates/argocd.yaml deleted file mode 100644 index 5adf88e..0000000 --- a/dmz/internalproxy/templates/argocd.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: argocd-infra-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`argocd.infra.durp.info`) - middlewares: - - name: whitelist - namespace: traefik - kind: Rule - services: - - name: infra-cluster - port: 443 - scheme: https - tls: - secretName: argocd-infra-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: argocd-infra-tls -spec: - secretName: argocd-infra-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "argocd.infra.durp.info" - dnsNames: - - "argocd.infra.durp.info" diff --git a/dmz/internalproxy/templates/authentik.yaml b/dmz/internalproxy/templates/authentik.yaml deleted file mode 100644 index adf9884..0000000 --- a/dmz/internalproxy/templates/authentik.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: authentik-tls -spec: - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - secretName: authentik-tls - commonName: "authentik.durp.info" - dnsNames: - - "authentik.durp.info" - ---- -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: authentik-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`authentik.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: infra-cluster - port: 443 - tls: - secretName: authentik-tls - ---- -kind: Service -apiVersion: v1 -metadata: - name: authentik-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: authentik.durp.info -spec: - type: ExternalName - externalName: durp.info \ No newline at end of file diff --git a/dmz/internalproxy/templates/bitwarden.yaml b/dmz/internalproxy/templates/bitwarden.yaml deleted file mode 100644 index 0067f8e..0000000 --- a/dmz/internalproxy/templates/bitwarden.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: bitwarden-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: infra-cluster - port: 443 - tls: - secretName: bitwarden-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: bitwarden-tls -spec: - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - secretName: bitwarden-tls - commonName: "bitwarden.durp.info" - dnsNames: - - "bitwarden.durp.info" - ---- - -kind: Service -apiVersion: v1 -metadata: - name: bitwarden-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: bitwarden.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/dmz/internalproxy/templates/duplicati.yaml b/dmz/internalproxy/templates/duplicati.yaml deleted file mode 100644 index 74475df..0000000 --- a/dmz/internalproxy/templates/duplicati.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: duplicati-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: unraid - port: 8200 - tls: - secretName: duplicati-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: duplicati-tls -spec: - secretName: duplicati-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "duplicati.internal.durp.info" - dnsNames: - - "duplicati.internal.durp.info" diff --git a/dmz/internalproxy/templates/endpoints.yaml b/dmz/internalproxy/templates/endpoints.yaml deleted file mode 100644 index 8380a2c..0000000 --- a/dmz/internalproxy/templates/endpoints.yaml +++ /dev/null @@ -1,230 +0,0 @@ -apiVersion: v1 -kind: Endpoints -metadata: - name: master-cluster -subsets: - - addresses: - - ip: 192.168.20.130 - ports: - - port: 443 - ---- -apiVersion: v1 -kind: Service -metadata: - name: master-cluster -spec: - ports: - - protocol: TCP - port: 443 - targetPort: 443 - ---- -apiVersion: v1 -kind: Endpoints -metadata: - name: infra-cluster -subsets: - - addresses: - - ip: 192.168.12.130 - ports: - - port: 443 - ---- -apiVersion: v1 -kind: Service -metadata: - name: infra-cluster -spec: - ports: - - protocol: TCP - port: 443 - targetPort: 443 - ---- -apiVersion: v1 -kind: Service -metadata: - name: unraid -spec: - ports: - - name: https - protocol: TCP - port: 443 - targetPort: 443 - - name: tdarr - port: 8267 - protocol: TCP - targetPort: 8267 - - name: duplicati - port: 8200 - protocol: TCP - targetPort: 8200 - - name: forgejo - port: 3000 - protocol: TCP - - name: kuma - port: 3001 - protocol: TCP - targetPort: 3000 - - name: freshrss - port: 8085 - protocol: TCP - targetPort: 8085 - - name: gitlab-ssh - port: 9022 - protocol: TCP - targetPort: 9022 - - name: gitlab - port: 9443 - protocol: TCP - targetPort: 9443 - - name: minio - port: 9769 - protocol: TCP - targetPort: 9769 - - name: nextcloud - port: 11000 - protocol: TCP - targetPort: 11000 - - name: nexus - port: 8081 - protocol: TCP - targetPort: 8081 - - name: openweb-ui - port: 8089 - protocol: TCP - targetPort: 8089 - - name: plex - port: 32400 - protocol: TCP - targetPort: 32400 - - name: registry - port: 5000 - protocol: TCP - targetPort: 5000 - - name: gitlab-registry - port: 5002 - protocol: TCP - targetPort: 5002 - - name: root-vault - port: 8201 - protocol: TCP - targetPort: 8201 - - name: s3 - port: 9768 - protocol: TCP - targetPort: 9768 - - name: smokeping - port: 81 - protocol: TCP - targetPort: 81 - - name: gotify - port: 8070 - protocol: TCP - ---- -apiVersion: v1 -kind: Endpoints -metadata: - name: unraid -subsets: - - addresses: - - ip: 192.168.21.200 - ports: - - name: https - port: 443 - protocol: TCP - - name: tdarr - port: 8267 - protocol: TCP - - name: duplicati - port: 8200 - protocol: TCP - - name: forgejo - port: 3000 - protocol: TCP - - name: kuma - port: 3001 - protocol: TCP - - name: freshrss - port: 8085 - protocol: TCP - - name: gitlab-ssh - port: 9022 - protocol: TCP - - name: gitlab - port: 9443 - protocol: TCP - - name: minio - port: 9769 - protocol: TCP - - name: nextcloud - port: 11000 - protocol: TCP - - name: nexus - port: 8081 - protocol: TCP - - name: openweb-ui - port: 8089 - protocol: TCP - - name: plex - port: 32400 - protocol: TCP - - name: registry - port: 5000 - protocol: TCP - - name: gitlab-registry - port: 5002 - protocol: TCP - - name: root-vault - port: 8201 - protocol: TCP - - name: s3 - port: 9768 - protocol: TCP - - name: smokeping - port: 81 - protocol: TCP - - name: gotify - port: 8070 - protocol: TCP - ---- -apiVersion: v1 -kind: Endpoints -metadata: - name: ubuntu -subsets: - - addresses: - - ip: 192.168.20.104 - ports: - - name: https - port: 443 - protocol: TCP - - name: litellm - port: 4000 - protocol: TCP - - name: ollama - port: 11435 - protocol: TCP - ---- -apiVersion: v1 -kind: Service -metadata: - name: ubuntu -spec: - ports: - - name: https - port: 443 - protocol: TCP - targetPort: 443 - - name: litellm - port: 4000 - protocol: TCP - targetPort: 4000 - - name: ollama - port: 11435 - protocol: TCP - targetPort: 11435 diff --git a/dmz/internalproxy/templates/forgejo.yaml b/dmz/internalproxy/templates/forgejo.yaml deleted file mode 100644 index 52eb710..0000000 --- a/dmz/internalproxy/templates/forgejo.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: forgejo-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`forgejo.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: unraid - port: 3000 - scheme: http - tls: - secretName: forgejo-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: forgejo-tls -spec: - secretName: forgejo-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "forgejo.durp.info" - dnsNames: - - "forgejo.durp.info" - ---- - -kind: Service -apiVersion: v1 -metadata: - name: forgejo-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: forgejo.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/dmz/internalproxy/templates/freshrss.yaml b/dmz/internalproxy/templates/freshrss.yaml deleted file mode 100644 index 092854c..0000000 --- a/dmz/internalproxy/templates/freshrss.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: freshrss-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`freshrss.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: unraid - port: 8085 - tls: - secretName: freshrss-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: freshrss-tls -spec: - secretName: freshrss-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "freshrss.durp.info" - dnsNames: - - "freshrss.durp.info" diff --git a/dmz/internalproxy/templates/gitlab.yaml b/dmz/internalproxy/templates/gitlab.yaml deleted file mode 100644 index d64a5aa..0000000 --- a/dmz/internalproxy/templates/gitlab.yaml +++ /dev/null @@ -1,125 +0,0 @@ -#apiVersion: v1 -#kind: Service -#metadata: -# name: gitlab-ssh -#spec: -# ports: -# - name: app -# port: 9022 -# protocol: TCP -# targetPort: 9022 -# clusterIP: None -# type: ClusterIP -# -#--- -#apiVersion: v1 -#kind: Endpoints -#metadata: -# name: gitlab-ssh -#subsets: -# - addresses: -# - ip: 192.168.21.200 -# ports: -# - name: app -# port: 9022 -# protocol: TCP -# -#--- -apiVersion: traefik.io/v1alpha1 -kind: IngressRouteTCP -metadata: - name: gitlab-ssh -spec: - entryPoints: - - gitlab-ssh - routes: - - match: HostSNI(`*`) - services: - - name: unraid - port: 9022 - ---- -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: gitlab-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`gitlab.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: unraid - port: 9443 - scheme: https - tls: - secretName: gitlab-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: gitlab-tls -spec: - secretName: gitlab-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "gitlab.durp.info" - dnsNames: - - "gitlab.durp.info" - ---- -kind: Service -apiVersion: v1 -metadata: - name: gitlab-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info -spec: - type: ExternalName - externalName: durp.info - ---- -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: gitlab-registry -spec: - entryPoints: - - websecure - routes: - - match: Host(`images.durp.info`) - kind: Rule - services: - - name: unraid - port: 5002 - scheme: http - tls: - secretName: gitlab-images-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: gitlab-images-tls -spec: - secretName: gitlab-images-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "images.durp.info" - dnsNames: - - "images.durp.info" - ---- -kind: Service -apiVersion: v1 -metadata: - name: gitlab-images-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: images.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/dmz/internalproxy/templates/gotify.yaml b/dmz/internalproxy/templates/gotify.yaml deleted file mode 100644 index 6619aed..0000000 --- a/dmz/internalproxy/templates/gotify.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: gotify-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`gotify.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: unraid - port: 8070 - scheme: http - tls: - secretName: gotify-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: gotify-tls -spec: - secretName: gotify-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "gotify.durp.info" - dnsNames: - - "gotify.durp.info" - ---- -kind: Service -apiVersion: v1 -metadata: - name: gotify-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: gotify.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/dmz/internalproxy/templates/grafana.yaml b/dmz/internalproxy/templates/grafana.yaml deleted file mode 100644 index 0de1a83..0000000 --- a/dmz/internalproxy/templates/grafana.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: grafana-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`grafana.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: infra-cluster - port: 443 - tls: - secretName: grafana-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: grafana-tls -spec: - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - secretName: grafana-tls - commonName: "grafana.durp.info" - dnsNames: - - "grafana.durp.info" - ---- -kind: Service -apiVersion: v1 -metadata: - name: grafana-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: grafana.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/dmz/internalproxy/templates/invidious.yaml b/dmz/internalproxy/templates/invidious.yaml deleted file mode 100644 index 752db88..0000000 --- a/dmz/internalproxy/templates/invidious.yaml +++ /dev/null @@ -1,75 +0,0 @@ -#apiVersion: v1 -#kind: Service -#metadata: -# name: invidious -#spec: -# ports: -# - name: app -# port: 3000 -# protocol: TCP -# targetPort: 3000 -# clusterIP: None -# type: ClusterIP -# -#--- -# -#apiVersion: v1 -#kind: Endpoints -#metadata: -# name: invidious -#subsets: -#- addresses: -# - ip: 192.168.20.104 -# ports: -# - name: app -# port: 3000 -# protocol: TCP -# -#--- -# -#apiVersion: traefik.io/v1alpha1 -#kind: IngressRoute -#metadata: -# name: invidious-ingress -#spec: -# entryPoints: -# - websecure -# routes: -# - match: Host(`invidious.durp.info`) && PathPrefix(`/`) -# middlewares: -# - name: authentik-proxy-provider -# namespace: traefik -# kind: Rule -# services: -# - name: invidious -# port: 3000 -# tls: -# secretName: invidious-tls -# -#--- -# -#apiVersion: cert-manager.io/v1 -#kind: Certificate -#metadata: -# name: invidious-tls -#spec: -# secretName: invidious-tls -# issuerRef: -# name: letsencrypt-production -# kind: ClusterIssuer -# commonName: "invidious.durp.info" -# dnsNames: -# - "invidious.durp.info" -# -#--- -# -#kind: Service -#apiVersion: v1 -#metadata: -# name: invidious-external-dns -# annotations: -# external-dns.alpha.kubernetes.io/hostname: invidious.durp.info -#spec: -# type: ExternalName -# externalName: durp.info -# \ No newline at end of file diff --git a/dmz/internalproxy/templates/kasm.yaml b/dmz/internalproxy/templates/kasm.yaml deleted file mode 100644 index 7db9d75..0000000 --- a/dmz/internalproxy/templates/kasm.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: kasm-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`kasm.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: ubuntu - port: 443 - scheme: https - tls: - secretName: kasm-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: kasm-tls -spec: - secretName: kasm-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "kasm.durp.info" - dnsNames: - - "kasm.durp.info" - ---- - -kind: Service -apiVersion: v1 -metadata: - name: kasm-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: kasm.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/dmz/internalproxy/templates/litellm.yaml b/dmz/internalproxy/templates/litellm.yaml deleted file mode 100644 index 11a87ac..0000000 --- a/dmz/internalproxy/templates/litellm.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: litellm-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`litellm.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: ubuntu - port: 4000 - tls: - secretName: litellm-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: litellm-tls -spec: - secretName: litellm-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "litellm.durp.info" - dnsNames: - - "litellm.durp.info" - ---- - -kind: Service -apiVersion: v1 -metadata: - name: litellm-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: litellm.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/dmz/internalproxy/templates/longhorn.yaml b/dmz/internalproxy/templates/longhorn.yaml deleted file mode 100644 index 9eeda9e..0000000 --- a/dmz/internalproxy/templates/longhorn.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: longhorn-infra-ingress - annotations: - cert-manager.io/cluster-issuer: vault-issuer -spec: - entryPoints: - - websecure - routes: - - match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`) - kind: Rule - middlewares: - - name: authentik-proxy-provider - namespace: traefik - services: - - name: infra-cluster - port: 443 - tls: - secretName: longhorn-infra-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: longhorn-infra-tls -spec: - secretName: longhorn-infra-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "longhorn.infra.durp.info" - dnsNames: - - "longhorn.infra.durp.info" diff --git a/dmz/internalproxy/templates/minio.yaml b/dmz/internalproxy/templates/minio.yaml deleted file mode 100644 index 8622240..0000000 --- a/dmz/internalproxy/templates/minio.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: minio-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`minio.internal.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - kind: Rule - services: - - name: unraid - port: 9769 - scheme: http - tls: - secretName: minio-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: minio-tls -spec: - secretName: minio-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "minio.internal.durp.info" - dnsNames: - - "minio.internal.durp.info" diff --git a/dmz/internalproxy/templates/n8n.yaml b/dmz/internalproxy/templates/n8n.yaml deleted file mode 100644 index adfebc7..0000000 --- a/dmz/internalproxy/templates/n8n.yaml +++ /dev/null @@ -1,68 +0,0 @@ -#apiVersion: v1 -#kind: Service -#metadata: -# name: n8n -#spec: -# ports: -# - name: app -# port: 5678 -# protocol: TCP -# targetPort: 5678 -# clusterIP: None -# type: ClusterIP -# -#--- -#apiVersion: v1 -#kind: Endpoints -#metadata: -# name: n8n -#subsets: -# - addresses: -# - ip: 192.168.21.200 -# ports: -# - name: app -# port: 5678 -# protocol: TCP -# -#--- -#apiVersion: traefik.io/v1alpha1 -#kind: IngressRoute -#metadata: -# name: n8n-ingress -#spec: -# entryPoints: -# - websecure -# routes: -# - match: Host(`n8n.durp.info`) && PathPrefix(`/`) -# kind: Rule -# services: -# - name: n8n -# port: 5678 -# scheme: http -# tls: -# secretName: n8n-tls -# -#--- -#apiVersion: cert-manager.io/v1 -#kind: Certificate -#metadata: -# name: n8n-tls -#spec: -# secretName: n8n-tls -# issuerRef: -# name: letsencrypt-production -# kind: ClusterIssuer -# commonName: "n8n.durp.info" -# dnsNames: -# - "n8n.durp.info" -# -#--- -#kind: Service -#apiVersion: v1 -#metadata: -# name: n8n-dns -# annotations: -# dns.alpha.kubernetes.io/hostname: n8n.durp.info -#spec: -# type: ExternalName -# externalName: durp.info diff --git a/dmz/internalproxy/templates/nextcloud.yaml b/dmz/internalproxy/templates/nextcloud.yaml deleted file mode 100644 index 77b04e5..0000000 --- a/dmz/internalproxy/templates/nextcloud.yaml +++ /dev/null @@ -1,74 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: nextcloud-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`nextcloud.durp.info`) && PathPrefix(`/`) - kind: Rule - middlewares: - - name: nextcloud-chain - services: - - name: unraid - port: 11000 - scheme: http - tls: - secretName: nextcloud-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: nextcloud-tls -spec: - secretName: nextcloud-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "nextcloud.durp.info" - dnsNames: - - "nextcloud.durp.info" - ---- -kind: Service -apiVersion: v1 -metadata: - name: nextcloud-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: nextcloud.durp.info -spec: - type: ExternalName - externalName: durp.info - ---- -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: nextcloud-secure-headers -spec: - headers: - hostsProxyHeaders: - - "X-Forwarded-Host" - referrerPolicy: "same-origin" - ---- -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: https-redirect -spec: - redirectScheme: - scheme: https - ---- -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: nextcloud-chain -spec: - chain: - middlewares: - - name: https-redirect - - name: nextcloud-secure-headers \ No newline at end of file diff --git a/dmz/internalproxy/templates/ollama.yaml b/dmz/internalproxy/templates/ollama.yaml deleted file mode 100644 index f03ca52..0000000 --- a/dmz/internalproxy/templates/ollama.yaml +++ /dev/null @@ -1,69 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: ollama-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: ollama-secret - data: - - secretKey: users - remoteRef: - key: kv/ollama - property: users - ---- -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: ollama-basic-auth -spec: - basicAuth: - headerField: x-api-key - secret: ollama-secret - ---- -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: ollama-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`ollama.durp.info`) && PathPrefix(`/`) - middlewares: - - name: ollama-basic-auth - kind: Rule - services: - - name: ubuntu - port: 11435 - tls: - secretName: ollama-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: ollama-tls -spec: - secretName: ollama-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "ollama.durp.info" - dnsNames: - - "ollama.durp.info" - ---- -kind: Service -apiVersion: v1 -metadata: - name: ollama-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: ollama.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/dmz/internalproxy/templates/open-webui.yaml b/dmz/internalproxy/templates/open-webui.yaml deleted file mode 100644 index f3e7f89..0000000 --- a/dmz/internalproxy/templates/open-webui.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: open-webui-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`open-webui.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: unraid - port: 8089 - scheme: http - tls: - secretName: open-webui-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: open-webui-tls -spec: - secretName: open-webui-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "open-webui.durp.info" - dnsNames: - - "open-webui.durp.info" - ---- -kind: Service -apiVersion: v1 -metadata: - name: open-webui-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: open-webui.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/dmz/internalproxy/templates/plex.yaml b/dmz/internalproxy/templates/plex.yaml deleted file mode 100644 index 7fbc5f8..0000000 --- a/dmz/internalproxy/templates/plex.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: plex-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`plex.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: unraid - port: 32400 - scheme: https - tls: - secretName: plex-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: plex-tls -spec: - secretName: plex-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "plex.durp.info" - dnsNames: - - "plex.durp.info" - ---- -kind: Service -apiVersion: v1 -metadata: - name: plex-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: plex.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/dmz/internalproxy/templates/portainer.yaml b/dmz/internalproxy/templates/portainer.yaml deleted file mode 100644 index ae89690..0000000 --- a/dmz/internalproxy/templates/portainer.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: portainer-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`portainer.internal.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - kind: Rule - services: - - name: infra-cluster - port: 443 - tls: - secretName: portainer-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: portainer-tls -spec: - secretName: portainer-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "portainer.internal.durp.info" - dnsNames: - - "portainer.internal.durp.info" diff --git a/dmz/internalproxy/templates/proxmox.yaml b/dmz/internalproxy/templates/proxmox.yaml deleted file mode 100644 index 14d301d..0000000 --- a/dmz/internalproxy/templates/proxmox.yaml +++ /dev/null @@ -1,63 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: proxmox -spec: - ports: - - name: app - port: 8006 - protocol: TCP - targetPort: 8006 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: proxmox -subsets: - - addresses: - - ip: 192.168.21.254 - ports: - - name: app - port: 8006 - protocol: TCP - ---- - -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: proxmox-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`proxmox.internal.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - kind: Rule - services: - - name: proxmox - port: 8006 - scheme: https - tls: - secretName: proxmox-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: proxmox-tls -spec: - secretName: proxmox-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "proxmox.internal.durp.info" - dnsNames: - - "proxmox.internal.durp.info" diff --git a/dmz/internalproxy/templates/redlib.yaml b/dmz/internalproxy/templates/redlib.yaml deleted file mode 100644 index 43b54fb..0000000 --- a/dmz/internalproxy/templates/redlib.yaml +++ /dev/null @@ -1,74 +0,0 @@ -#apiVersion: v1 -#kind: Service -#metadata: -# name: redlib -#spec: -# ports: -# - name: app -# port: 8082 -# protocol: TCP -# targetPort: 8082 -# clusterIP: None -# type: ClusterIP -# -#--- -# -#apiVersion: v1 -#kind: Endpoints -#metadata: -# name: redlib -#subsets: -#- addresses: -# - ip: 192.168.21.200 -# ports: -# - name: app -# port: 8082 -# protocol: TCP -# -#--- -# -#apiVersion: traefik.io/v1alpha1 -#kind: IngressRoute -#metadata: -# name: redlib-ingress -#spec: -# entryPoints: -# - websecure -# routes: -# - match: Host(`redlib.durp.info`) && PathPrefix(`/`) -# middlewares: -# - name: authentik-proxy-provider -# namespace: traefik -# kind: Rule -# services: -# - name: redlib -# port: 8082 -# tls: -# secretName: redlib-tls -# -#--- -# -#apiVersion: cert-manager.io/v1 -#kind: Certificate -#metadata: -# name: redlib-tls -#spec: -# secretName: redlib-tls -# issuerRef: -# name: letsencrypt-production -# kind: ClusterIssuer -# commonName: "redlib.durp.info" -# dnsNames: -# - "redlib.durp.info" -# -#--- -# -#kind: Service -#apiVersion: v1 -#metadata: -# name: redlib-external-dns -# annotations: -# external-dns.alpha.kubernetes.io/hostname: redlib.durp.info -#spec: -# type: ExternalName -# externalName: durp.info diff --git a/dmz/internalproxy/templates/registry.yaml b/dmz/internalproxy/templates/registry.yaml deleted file mode 100644 index b9b6ed4..0000000 --- a/dmz/internalproxy/templates/registry.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: registry-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`registry.durp.info`) && PathPrefix(`/`) - kind: Rule - middlewares: - - name: whitelist - namespace: traefik - services: - - name: unraid - port: 5000 - tls: - secretName: registry-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: registry-tls -spec: - secretName: registry-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "registry.durp.info" - dnsNames: - - "registry.durp.info" - ---- -#kind: Service -#apiVersion: v1 -#metadata: -# name: registry-external-dns -# annotations: -# external-dns.alpha.kubernetes.io/hostname: registry.durp.info -#spec: -# type: ExternalName -# externalName: durp.info diff --git a/dmz/internalproxy/templates/root-vault.yaml b/dmz/internalproxy/templates/root-vault.yaml deleted file mode 100644 index 76d4b94..0000000 --- a/dmz/internalproxy/templates/root-vault.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: root-vault-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`root-vault.internal.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - kind: Rule - services: - - name: unraid - port: 8201 - scheme: https - tls: - secretName: root-vault-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: root-vault-tls -spec: - secretName: root-vault-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "root-vault.internal.durp.info" - dnsNames: - - "root-vault.internal.durp.info" diff --git a/dmz/internalproxy/templates/s3.yaml b/dmz/internalproxy/templates/s3.yaml deleted file mode 100644 index 5bf203e..0000000 --- a/dmz/internalproxy/templates/s3.yaml +++ /dev/null @@ -1,80 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: s3-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`s3.internal.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - kind: Rule - services: - - name: unraid - port: 9768 - scheme: http - tls: - secretName: s3-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: s3-tls -spec: - secretName: s3-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "s3.internal.durp.info" - dnsNames: - - "s3.internal.durp.info" - ---- - -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: s3-ingress-external -spec: - entryPoints: - - websecure - routes: - - match: Host(`s3.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: unraid - port: 9768 - scheme: http - tls: - secretName: s3-external-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: s3-external-tls -spec: - secretName: s3-external-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "s3.durp.info" - dnsNames: - - "s3.durp.info" - ---- - -kind: Service -apiVersion: v1 -metadata: - name: s3-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: s3.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/dmz/internalproxy/templates/semaphore.yaml b/dmz/internalproxy/templates/semaphore.yaml deleted file mode 100644 index 145d1ca..0000000 --- a/dmz/internalproxy/templates/semaphore.yaml +++ /dev/null @@ -1,65 +0,0 @@ -# -#apiVersion: v1 -#kind: Service -#metadata: -# name: semaphore -#spec: -# ports: -# - name: app -# port: 3001 -# protocol: TCP -# targetPort: 3001 -# clusterIP: None -# type: ClusterIP -# -#--- -# -#apiVersion: v1 -#kind: Endpoints -#metadata: -# name: semaphore -#subsets: -# - addresses: -# - ip: 192.168.21.200 -# ports: -# - name: app -# port: 3001 -# protocol: TCP -# -#--- -# -#apiVersion: traefik.io/v1alpha1 -#kind: IngressRoute -#metadata: -# name: semaphore-ingress -#spec: -# entryPoints: -# - websecure -# routes: -# - match: Host(`semaphore.internal.durp.info`) && PathPrefix(`/`) -# middlewares: -# - name: whitelist -# namespace: traefik -# kind: Rule -# services: -# - name: semaphore -# port: 3001 -# scheme: http -# tls: -# secretName: semaphore-tls -# -#--- -# -#apiVersion: cert-manager.io/v1 -#kind: Certificate -#metadata: -# name: semaphore-tls -#spec: -# secretName: semaphore-tls -# issuerRef: -# name: vault-issuer -# kind: ClusterIssuer -# commonName: "semaphore.internal.durp.info" -# dnsNames: -# - "semaphore.internal.durp.info" -# \ No newline at end of file diff --git a/dmz/internalproxy/templates/serviceaccount.yaml b/dmz/internalproxy/templates/serviceaccount.yaml deleted file mode 100644 index ddac6a5..0000000 --- a/dmz/internalproxy/templates/serviceaccount.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault diff --git a/dmz/internalproxy/templates/speedtest.yaml b/dmz/internalproxy/templates/speedtest.yaml deleted file mode 100644 index c75d3a6..0000000 --- a/dmz/internalproxy/templates/speedtest.yaml +++ /dev/null @@ -1,74 +0,0 @@ -#apiVersion: v1 -#kind: Service -#metadata: -# name: speedtest -#spec: -# ports: -# - name: app -# port: 6580 -# protocol: TCP -# targetPort: 6580 -# clusterIP: None -# type: ClusterIP -# -#--- -# -#apiVersion: v1 -#kind: Endpoints -#metadata: -# name: speedtest -#subsets: -#- addresses: -# - ip: 192.168.21.200 -# ports: -# - name: app -# port: 6580 -# protocol: TCP -# -#--- -# -#apiVersion: traefik.io/v1alpha1 -#kind: IngressRoute -#metadata: -# name: speedtest-ingress -#spec: -# entryPoints: -# - websecure -# routes: -# - match: Host(`speedtest.durp.info`) && PathPrefix(`/`) -# kind: Rule -# middlewares: -# - name: authentik-proxy-provider -# namespace: traefik -# services: -# - name: speedtest -# port: 6580 -# tls: -# secretName: speedtest-tls -# -#--- -# -#apiVersion: cert-manager.io/v1 -#kind: Certificate -#metadata: -# name: speedtest-tls -#spec: -# secretName: speedtest-tls -# issuerRef: -# name: letsencrypt-production -# kind: ClusterIssuer -# commonName: "speedtest.durp.info" -# dnsNames: -# - "speedtest.durp.info" -# -#--- -# -#kind: Service -#apiVersion: v1 -#metadata: -# name: speedtest-external-dns -# annotations: -# external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info -#spec: -# type: ExternalName -# externalName: durp.info diff --git a/dmz/internalproxy/templates/unifi.yaml b/dmz/internalproxy/templates/unifi.yaml deleted file mode 100644 index d33a8af..0000000 --- a/dmz/internalproxy/templates/unifi.yaml +++ /dev/null @@ -1,63 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: unifi -spec: - ports: - - name: app - port: 443 - protocol: TCP - targetPort: 443 - clusterIP: None - type: ClusterIP - ---- - -apiVersion: v1 -kind: Endpoints -metadata: - name: unifi -subsets: - - addresses: - - ip: 192.168.98.1 - ports: - - name: app - port: 443 - protocol: TCP - ---- - -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: unifi-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`unifi.internal.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - kind: Rule - services: - - name: unifi - port: 443 - scheme: https - tls: - secretName: unifi-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: unifi-tls -spec: - secretName: unifi-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "unifi.internal.durp.info" - dnsNames: - - "unifi.internal.durp.info" diff --git a/dmz/internalproxy/templates/unraid.yaml b/dmz/internalproxy/templates/unraid.yaml deleted file mode 100644 index 10e1015..0000000 --- a/dmz/internalproxy/templates/unraid.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: unraid-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`unraid.internal.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - kind: Rule - services: - - name: unraid - port: 443 - scheme: https - tls: - secretName: unraid-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: unraid-tls -spec: - secretName: unraid-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "unraid.internal.durp.info" - dnsNames: - - "unraid.internal.durp.info" diff --git a/dmz/istio-system/Chart.yaml b/dmz/istio-system/Chart.yaml deleted file mode 100644 index dfc92b1..0000000 --- a/dmz/istio-system/Chart.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v2 -name: istio-system -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: - - name: base - repository: https://istio-release.storage.googleapis.com/charts - version: 1.29.0 - - name: istiod - repository: https://istio-release.storage.googleapis.com/charts - version: 1.26.2 - - name: gateway - repository: https://istio-release.storage.googleapis.com/charts - version: 1.26.2 \ No newline at end of file diff --git a/dmz/istio-system/templates/annotate.yaml b/dmz/istio-system/templates/annotate.yaml deleted file mode 100644 index 620b2af..0000000 --- a/dmz/istio-system/templates/annotate.yaml +++ /dev/null @@ -1,14 +0,0 @@ -#apiVersion: v1 -#kind: Namespace -#metadata: -# annotations: -# topology.istio.io/controlPlaneClusters: cluster1 -# labels: -# kubernetes.io/metadata.name: istio-system -# name: istio-system -#spec: -# finalizers: -# - kubernetes -#status: -# phase: Active -# \ No newline at end of file diff --git a/dmz/istio-system/templates/expose.yaml b/dmz/istio-system/templates/expose.yaml deleted file mode 100644 index eb693e0..0000000 --- a/dmz/istio-system/templates/expose.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: networking.istio.io/v1 -kind: Gateway -metadata: - name: cross-network-gateway -spec: - selector: - istio: eastwestgateway - servers: - - port: - number: 15443 - name: tls - protocol: TLS - tls: - mode: AUTO_PASSTHROUGH - hosts: - - "*.local" diff --git a/dmz/istio-system/values.yaml b/dmz/istio-system/values.yaml deleted file mode 100644 index 5778ed0..0000000 --- a/dmz/istio-system/values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -istiod: - global: - network: network2 - meshID: mesh1 - multiCluster: - clusterName: dmz - -gateway: - name: istio-eastwestgateway - networkGateway: network2 \ No newline at end of file diff --git a/dmz/littlelink/Chart.yaml b/dmz/littlelink/Chart.yaml deleted file mode 100644 index e69de29..0000000 diff --git a/dmz/littlelink/templates/deployment.yaml b/dmz/littlelink/templates/deployment.yaml deleted file mode 100644 index 6d31068..0000000 --- a/dmz/littlelink/templates/deployment.yaml +++ /dev/null @@ -1,101 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: littlelink - name: littlelink - labels: - app: littlelink -spec: - selector: - matchLabels: - app: littlelink - replicas: 1 - template: - metadata: - labels: - app: littlelink - spec: - containers: - - name: littlelink - image: registry.durp.info/techno-tim/littlelink-server:latest - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthcheck - port: 3000 - readinessProbe: - httpGet: - path: /healthcheck - port: 3000 - env: - - name: META_TITLE - value: DeveloperDurp - - name: META_DESCRIPTION - value: The Durpy Developer - - name: META_AUTHOR - value: DeveloperDurp - - name: LANG - value: en - - name: META_INDEX_STATUS - value: all - - name: OG_TITLE - value: DeveloperDurp - - name: OG_DESCRIPTION - value: DeveloperDurp - - name: OG_URL - value: https://gitlab.com/developerdurp - - name: OG_IMAGE - value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png - - name : OG_IMAGE_WIDTH - value: "400" - - name : OG_IMAGE_HEIGHT - value: "400" - - name : THEME - value: Dark - - name : FAVICON_URL - value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png - - name : AVATAR_URL - value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png - - name : AVATAR_2X_URL - value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png - - name : AVATAR_ALT - value: DeveloperDurp Profile Pic - - name : NAME - value: DeveloperDurp - - name : BIO - value: Sup Nerd, - - name : BUTTON_ORDER - value: GITHUB,GITLAB,YOUTUBE,INSTAGRAM,TWITTER,BLUESKY,COFFEE,EMAIL - - name : TWITTER - value: https://twitter.com/developerdurp - - name : GITHUB - value: https://github.com/DeveloperDurp - - name: INSTAGRAM - value: https://instagram.com/developerdurp - - name : GITLAB - value: https://gitlab.com/developerdurp - - name: YOUTUBE - value: https://www.youtube.com/channel/UC1rGa6s6kER_gLpIQsxeMVQ - - name : EMAIL - value: DeveloperDurp@durp.info - - name : EMAIL_TEXT - value: DeveloperDurp@durp.info - - name : FOOTER - value: DeveloperDurp © 2022 - - name: CUSTOM_BUTTON_TEXT - value: BuyMeACoffee,BlueSky - - name: CUSTOM_BUTTON_URL - value: https://www.buymeacoffee.com/DeveloperDurp,https://bsky.app/profile/durp.info - - name: CUSTOM_BUTTON_COLOR - value: '#ffdd00,#1185fe' - - name: CUSTOM_BUTTON_TEXT_COLOR - value: '#000000,#FFFFFF' - - name: CUSTOM_BUTTON_ALT_TEXT - value: Support,BlueSky - - name: CUSTOM_BUTTON_NAME - value: COFFEE,BLUESKY - - name: CUSTOM_BUTTON_ICON - value: fa-solid fa-cup-togo - ports: - - name: http - containerPort: 3000 diff --git a/dmz/littlelink/templates/ingress.yaml b/dmz/littlelink/templates/ingress.yaml deleted file mode 100644 index 9590fc5..0000000 --- a/dmz/littlelink/templates/ingress.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: littlelink-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`links.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: littlelink - port: 80 - tls: - secretName: littlelink-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: littlelink-tls -spec: - secretName: littlelink-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "links.durp.info" - dnsNames: - - "links.durp.info" - ---- - -kind: Service -apiVersion: v1 -metadata: - name: links-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: links.durp.info -spec: - type: ExternalName - externalName: durp.info \ No newline at end of file diff --git a/dmz/littlelink/templates/service.yaml b/dmz/littlelink/templates/service.yaml deleted file mode 100644 index 445d527..0000000 --- a/dmz/littlelink/templates/service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: littlelink -spec: - ports: - - name: http - port: 80 - targetPort: 3000 - protocol: TCP - selector: - app: littlelink \ No newline at end of file diff --git a/dmz/longhorn/Chart.yaml b/dmz/longhorn/Chart.yaml deleted file mode 100644 index c699fa5..0000000 --- a/dmz/longhorn/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: longhorn-system -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" - -dependencies: -- name: longhorn - repository: https://charts.longhorn.io - version: 1.9.0 diff --git a/dmz/longhorn/templates/ingress.yaml b/dmz/longhorn/templates/ingress.yaml deleted file mode 100644 index 7067a2d..0000000 --- a/dmz/longhorn/templates/ingress.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: longhorn-ingress - annotations: - cert-manager.io/cluster-issuer: vault-issuer -spec: - entryPoints: - - websecure - routes: - - match: Host(`longhorn.dmz.durp.info`) && PathPrefix(`/`) - kind: Rule - middlewares: - - name: authentik-proxy-provider - namespace: traefik - services: - - name: longhorn-frontend - port: 80 - tls: - secretName: longhorn-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: longhorn-tls -spec: - secretName: longhorn-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "longhorn.dmz.durp.info" - dnsNames: - - "longhorn.dmz.durp.info" diff --git a/dmz/metallb-system/Chart.yaml b/dmz/metallb-system/Chart.yaml deleted file mode 100644 index c92e842..0000000 --- a/dmz/metallb-system/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: metallb-system -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" - -dependencies: -- name: metallb - repository: https://metallb.github.io/metallb - version: 0.15.2 diff --git a/dmz/metallb-system/templates/config.yaml b/dmz/metallb-system/templates/config.yaml deleted file mode 100644 index f08a885..0000000 --- a/dmz/metallb-system/templates/config.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: metallb.io/v1beta1 -kind: IPAddressPool -metadata: - name: cheap -spec: - addresses: - - 192.168.98.130-192.168.98.140 ---- -apiVersion: metallb.io/v1beta1 -kind: L2Advertisement -metadata: - name: pool - namespace: metallb-system -spec: - ipAddressPools: - - cheap - diff --git a/dmz/metallb-system/values.yaml b/dmz/metallb-system/values.yaml deleted file mode 100644 index e69de29..0000000 diff --git a/dmz/openspeedtest/Chart.yaml b/dmz/openspeedtest/Chart.yaml deleted file mode 100644 index c8f712e..0000000 --- a/dmz/openspeedtest/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: openspeedtest -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" diff --git a/dmz/openspeedtest/templates/deployment.yaml b/dmz/openspeedtest/templates/deployment.yaml deleted file mode 100644 index 062de32..0000000 --- a/dmz/openspeedtest/templates/deployment.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: openspeedtest - name: openspeedtest - labels: - app: openspeedtest -spec: - selector: - matchLabels: - app: openspeedtest - replicas: 1 - template: - metadata: - labels: - app: openspeedtest - spec: - containers: - - name: openspeedtest - image: registry.durp.info/openspeedtest/latest - imagePullPolicy: Always - livenessProbe: - httpGet: - path: / - port: 3000 - readinessProbe: - httpGet: - path: / - port: 3000 - env: - ports: - - name: http - containerPort: 3000 diff --git a/dmz/openspeedtest/templates/service.yaml b/dmz/openspeedtest/templates/service.yaml deleted file mode 100644 index c31f9b5..0000000 --- a/dmz/openspeedtest/templates/service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: openspeedtest -spec: - ports: - - name: http - port: 3000 - targetPort: 3000 - protocol: TCP - selector: - app: openspeedtest diff --git a/dmz/redlib/Chart.yaml b/dmz/redlib/Chart.yaml deleted file mode 100644 index ef0a939..0000000 --- a/dmz/redlib/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: redlib -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" diff --git a/dmz/redlib/templates/deployment.yaml b/dmz/redlib/templates/deployment.yaml deleted file mode 100644 index c09a144..0000000 --- a/dmz/redlib/templates/deployment.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: redlib - name: redlib - labels: - app: redlib -spec: - selector: - matchLabels: - app: redlib - replicas: 1 - template: - metadata: - labels: - app: redlib - spec: - containers: - - name: redlib - image: registry.durp.info/redlib/redlib:latest - imagePullPolicy: Always - livenessProbe: - httpGet: - path: / - port: 8080 - readinessProbe: - httpGet: - path: / - port: 8080 - env: - ports: - - name: http - containerPort: 8080 diff --git a/dmz/redlib/templates/ingress.yaml b/dmz/redlib/templates/ingress.yaml deleted file mode 100644 index b2cc4e3..0000000 --- a/dmz/redlib/templates/ingress.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: redlib-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`redlib.durp.info`) && PathPrefix(`/`) - kind: Rule - middlewares: - - name: authentik-proxy-provider - namespace: traefik - services: - - name: redlib - port: 8080 - tls: - secretName: redlib-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: redlib-tls -spec: - secretName: redlib-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "redlib.durp.info" - dnsNames: - - "redlib.durp.info" - ---- -kind: Service -apiVersion: v1 -metadata: - name: redlib-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: redlib.durp.info -spec: - type: ExternalName - externalName: durp.info diff --git a/dmz/redlib/templates/service.yaml b/dmz/redlib/templates/service.yaml deleted file mode 100644 index 36c50c5..0000000 --- a/dmz/redlib/templates/service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: redlib -spec: - ports: - - name: http - port: 8080 - targetPort: 8080 - protocol: TCP - selector: - app: redlib diff --git a/dmz/redlib/values.yaml b/dmz/redlib/values.yaml deleted file mode 100644 index e69de29..0000000 diff --git a/dmz/searxng/Chart.yaml b/dmz/searxng/Chart.yaml deleted file mode 100644 index 263432f..0000000 --- a/dmz/searxng/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: latest -description: SearXNG is a free internet metasearch engine which aggregates results from various search services and databases. -name: searxng -version: 1.0.1 -#dependencies: -# - name: common -# repository: https://library-charts.k8s-at-home.com -# version: 4.4.2 -# \ No newline at end of file diff --git a/dmz/searxng/templates/confligmap.yaml b/dmz/searxng/templates/confligmap.yaml deleted file mode 100644 index edc1ca6..0000000 --- a/dmz/searxng/templates/confligmap.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: searxng-config -data: - settings.yml: |- - use_default_settings: true - search: - formats: - - html - - json diff --git a/dmz/searxng/templates/deployment.yaml b/dmz/searxng/templates/deployment.yaml deleted file mode 100644 index e1677ed..0000000 --- a/dmz/searxng/templates/deployment.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: searxng - name: searxng - labels: - app: searxng -spec: - selector: - matchLabels: - app: searxng - replicas: 1 - template: - metadata: - labels: - app: searxng - spec: - containers: - - name: searxng - image: registry.durp.info/searxng/searxng:latest - imagePullPolicy: Always - ports: - - name: http - containerPort: 8080 - env: - - name: SEARXNG_BASE_URL - value: https://searxng.durp.info - - name: SEARXNG_SECRET - valueFrom: - secretKeyRef: - name: searxng-secret - key: SEARXNG_SECRET - volumeMounts: - - name: searxng-config-volume - mountPath: /etc/searxng/settings.yml - subPath: settings.yml - volumes: - - name: searxng-config-volume - configMap: - name: searxng-config diff --git a/dmz/searxng/templates/ingress.yaml b/dmz/searxng/templates/ingress.yaml deleted file mode 100644 index ab8b641..0000000 --- a/dmz/searxng/templates/ingress.yaml +++ /dev/null @@ -1,76 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: searxng-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`searxng.durp.info`) && PathPrefix(`/`) - kind: Rule - middlewares: - - name: authentik-proxy-provider - namespace: traefik - services: - - name: searxng-service - port: 8080 - tls: - secretName: searxng-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: searxng-tls -spec: - secretName: searxng-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "searxng.durp.info" - dnsNames: - - "searxng.durp.info" - ---- - -kind: Service -apiVersion: v1 -metadata: - name: searxng-external-dns - annotations: - external-dns.alpha.kubernetes.io/hostname: searxng.durp.info -spec: - type: ExternalName - externalName: durp.info - ---- -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: searxng-internal-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`searxng.internal.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: searxng-service - port: 8080 - tls: - secretName: searxng-internal-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: searxng-internal-tls -spec: - secretName: searxng-internal-tls - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "searxng.internal.durp.info" - dnsNames: - - "searxng.internal.durp.info" diff --git a/dmz/searxng/templates/secret.yaml b/dmz/searxng/templates/secret.yaml deleted file mode 100644 index 6d4781b..0000000 --- a/dmz/searxng/templates/secret.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: searxng-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: searxng-secret - data: - - secretKey: SEARXNG_SECRET - remoteRef: - key: kv/searxng - property: searxng-secret - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - diff --git a/dmz/searxng/templates/service.yaml b/dmz/searxng/templates/service.yaml deleted file mode 100644 index 8498428..0000000 --- a/dmz/searxng/templates/service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: searxng-service -spec: - ports: - - name: http - port: 8080 - targetPort: 8080 - protocol: TCP - selector: - app: searxng diff --git a/dmz/searxng/values.yaml b/dmz/searxng/values.yaml deleted file mode 100644 index 0f92a3b..0000000 --- a/dmz/searxng/values.yaml +++ /dev/null @@ -1,83 +0,0 @@ -# -# IMPORTANT NOTE -# -# This chart inherits from our common library chart. You can check the default values/options here: -# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml -# - -image: - # -- image repository - repository: registry.durp.info/searxng/searxng - # -- image tag - tag: latest - # -- image pull policy - pullPolicy: Always - -# Explanation about each environment variables here: -# https://docs.searxng.org/admin/installation-docker.html#command-line -env: - INSTANCE_NAME: "durp.info" - BASE_URL: "https://searx.durp.info" - AUTOCOMPLETE: "false" - # MORTY_URL: "http://morty:8080" - # MORTY_KEY: "mysecretkey" - # BIND_ADDRESS: "0.0.0.0:8080" - -controller: - strategy: "RollingUpdate" - -# -- Configures service settings for the chart. -# @default -- See values.yaml -service: - main: - ports: - http: - port: 8080 - -# -- Configure persistence settings for the chart under this key. -# @default -- See values.yaml -persistence: - config: - enabled: false - -ingress: - # -- Enable and configure ingress settings for the chart under this key. - # @default -- See values.yaml - main: - enabled: false - -searxng: - config: - use_default_settings: true - #server: - # secret_key: pleasechangeme - # Uncomment when using the builtin rate limiter - # See https://docs.searxng.org/src/searx.plugins.limiter.html#limiter-plugin - # server.limiter: true - # redis.url: redis://@searxng-redis:6379/0 - -probes: - readiness: - custom: true - spec: - httpGet: - path: /healthz - port: 8080 - liveness: - custom: true - spec: - httpGet: - path: /healthz - port: 8080 - startup: - custom: true - spec: - httpGet: - path: /healthz - port: 8080 - -# Enable when using searxng builtin rate limiter -# Values: https://github.com/pascaliske/helm-charts/tree/master/charts/redis -redis: - enabled: false - \ No newline at end of file diff --git a/dmz/traefik/Chart.yaml b/dmz/traefik/Chart.yaml deleted file mode 100644 index 1df1d76..0000000 --- a/dmz/traefik/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: traefik -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: traefik - repository: https://traefik.github.io/charts - version: 34.5.0 diff --git a/dmz/traefik/templates/config.yaml b/dmz/traefik/templates/config.yaml deleted file mode 100644 index 06a9d11..0000000 --- a/dmz/traefik/templates/config.yaml +++ /dev/null @@ -1,16 +0,0 @@ -#apiVersion: v1 -#kind: ConfigMap -#metadata: -# name: traefik-configmap -#data: -# config.yml: | -# http: -# routers: -# router0: -# service: service0 -# rule: Host(`testing.durp.info`) -# services: -# service0: -# loadBalancer: -# servers: -# - url: https://192.168.20.130 diff --git a/dmz/traefik/templates/middleware.yaml b/dmz/traefik/templates/middleware.yaml deleted file mode 100644 index 2dad3ee..0000000 --- a/dmz/traefik/templates/middleware.yaml +++ /dev/null @@ -1,54 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: authentik-proxy-provider - namespace: traefik -spec: - forwardAuth: - address: http://ak-outpost-authentik-dmz-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri - trustForwardHeader: true - authResponseHeaders: - - X-authentik-username - - X-authentik-groups - - X-authentik-email - - X-authentik-name - - X-authentik-uid - - X-authentik-jwt - - X-authentik-meta-jwks - - X-authentik-meta-outpost - - X-authentik-meta-provider - - X-authentik-meta-app - - X-authentik-meta-version - ---- -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: whitelist - namespace: traefik -spec: - ipWhiteList: - sourceRange: - - 192.168.0.0/16 - - 172.16.0.0/12 - - 10.0.0.0/8 - ---- -#apiVersion: traefik.io/v1alpha1 -#kind: Middleware -#metadata: -# name: bouncer -# namespace: traefik -#spec: -# plugin: -# bouncer: -# enabled: true -# crowdsecMode: stream -# crowdsecLapiScheme: https -# crowdsecLapiTLSInsecureVerify: true -# crowdsecLapiHost: crowdsec-service.crowdsec:8080 -# crowdsecLapiKey: -# valueFrom: -# secretKeyRef: -# name: crowdsec-lapi-key -# key: lapi-key diff --git a/dmz/traefik/templates/secrets.yaml b/dmz/traefik/templates/secrets.yaml deleted file mode 100644 index 413afbe..0000000 --- a/dmz/traefik/templates/secrets.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: crowdsec-lapi-key -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: crowdsec-lapi-key - data: - - secretKey: lapi-key - remoteRef: - key: kv/crowdsec/api - property: key - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault diff --git a/dmz/traefik/templates/traefik-dashboard.yaml b/dmz/traefik/templates/traefik-dashboard.yaml deleted file mode 100644 index 539c911..0000000 --- a/dmz/traefik/templates/traefik-dashboard.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`traefik.dmz.durp.info`) - kind: Rule - middlewares: - - name: whitelist - namespace: traefik - - name: authentik-proxy-provider - namespace: traefik - services: - - name: api@internal - kind: TraefikService - tls: - secretName: traefik-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: traefik-tls - namespace: traefik -spec: - secretName: traefik-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "traefik.dmz.durp.info" - dnsNames: - - "traefik.dmz.durp.info" diff --git a/dmz/traefik/values.yaml b/dmz/traefik/values.yaml deleted file mode 100644 index c762b94..0000000 --- a/dmz/traefik/values.yaml +++ /dev/null @@ -1,67 +0,0 @@ -traefik: - image: - # registry: registry.durp.info - # repository: traefik - pullPolicy: Always - - providers: - kubernetesCRD: - allowCrossNamespace: true - allowExternalNameServices: true - allowEmptyServices: false - - deployment: - replicas: 3 - revisionHistoryLimit: 1 - - # volumes: - # - name: traefik-configmap - # mountPath: "/config" - # type: configMap - - ingressRoute: - dashboard: - enabled: true - - ports: - gitlab-ssh: - port: 9022 - expose: - default: true - exposedPort: 9022 - - additionalArguments: - # - "--providers.file.filename=/config/config.yml" - - "--serversTransport.insecureSkipVerify=true" - - "--log.level=DEBUG" - - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin - - --experimental.plugins.jwt.version=v0.7.0 - - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin - - --experimental.plugins.bouncer.version=v1.4.2 - - autoscaling: - enabled: true - minReplicas: 3 - maxReplicas: 10 - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 80 - behavior: - scaleDown: - stabilizationWindowSeconds: 300 - policies: - - type: Pods - value: 1 - periodSeconds: 60 - - # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. - resources: - requests: - cpu: "100m" - memory: "512Mi" - limits: - memory: "512Mi" diff --git a/dmz/vault/Chart.yaml b/dmz/vault/Chart.yaml deleted file mode 100644 index 412c292..0000000 --- a/dmz/vault/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: vault -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: vault - repository: https://helm.releases.hashicorp.com - version: 0.30.0 - diff --git a/dmz/vault/templates/secret-store.yaml b/dmz/vault/templates/secret-store.yaml deleted file mode 100644 index c48e52f..0000000 --- a/dmz/vault/templates/secret-store.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ClusterSecretStore -metadata: - name: vault -spec: - provider: - vault: - server: "https://vault.infra.durp.info" - path: "kv" - version: "v2" - auth: - kubernetes: - mountPath: "dmz-cluster" - role: "external-secrets" - serviceAccountRef: - name: "vault" - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault diff --git a/dmz/vault/values.yaml b/dmz/vault/values.yaml deleted file mode 100644 index 877d8fe..0000000 --- a/dmz/vault/values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -vault: - global: - enabled: true - tlsDisable: false - externalVaultAddr: "https://vault.infra.durp.info" - resources: - requests: - memory: 256Mi - cpu: 250m - limits: - memory: 256Mi - cpu: 250m - diff --git a/dmz/external-dns/Chart.yaml b/external-dns/Chart.yaml similarity index 92% rename from dmz/external-dns/Chart.yaml rename to external-dns/Chart.yaml index 937bc49..24d735c 100644 --- a/dmz/external-dns/Chart.yaml +++ b/external-dns/Chart.yaml @@ -9,4 +9,4 @@ appVersion: 0.0.1 dependencies: - name: external-dns repository: https://charts.bitnami.com/bitnami - version: 8.9.2 + version: 6.20.3 diff --git a/prd/external-dns/templates/secrets.yaml b/external-dns/templates/secrets.yaml similarity index 70% rename from prd/external-dns/templates/secrets.yaml rename to external-dns/templates/secrets.yaml index 60f7466..142c03a 100644 --- a/prd/external-dns/templates/secrets.yaml +++ b/external-dns/templates/secrets.yaml @@ -1,4 +1,4 @@ -apiVersion: external-secrets.io/v1 +apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: external-dns-secret @@ -11,20 +11,13 @@ spec: data: - secretKey: cloudflare_api_email remoteRef: - key: kv/cloudflare + key: secrets/external-dns/cloudflare property: cloudflare_api_email - secretKey: cloudflare_api_key remoteRef: - key: kv/cloudflare + key: secrets/external-dns/cloudflare property: cloudflare_api_key - secretKey: cloudflare_api_token remoteRef: - key: kv/cloudflare + key: secrets/external-dns/cloudflare property: cloudflare_api_token - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault diff --git a/prd/external-dns/values.yaml b/external-dns/values.yaml similarity index 80% rename from prd/external-dns/values.yaml rename to external-dns/values.yaml index 2052942..942b41e 100644 --- a/prd/external-dns/values.yaml +++ b/external-dns/values.yaml @@ -1,15 +1,13 @@ external-dns: global: - imageRegistry: "registry.durp.info" + imageRegistry: "registry.internal.durp.info" image: pullPolicy: Always - txtPrefix: "dmz-" - sources: - service - + provider: cloudflare cloudflare: secretName : "external-dns" diff --git a/infra/external-secrets/Chart.yaml b/external-secrets/Chart.yaml similarity index 92% rename from infra/external-secrets/Chart.yaml rename to external-secrets/Chart.yaml index 48645c3..96c39ce 100644 --- a/infra/external-secrets/Chart.yaml +++ b/external-secrets/Chart.yaml @@ -8,4 +8,5 @@ appVersion: 0.0.1 dependencies: - name: external-secrets repository: https://charts.external-secrets.io - version: 0.17.0 + version: 0.8.1 + diff --git a/external-secrets/templates/secret-store.yaml b/external-secrets/templates/secret-store.yaml new file mode 100644 index 0000000..dbde280 --- /dev/null +++ b/external-secrets/templates/secret-store.yaml @@ -0,0 +1,33 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ClusterSecretStore +metadata: + name: vault +spec: + provider: + vault: + server: "https://vault.internal.prd.durp.info" + path: "secrets" + version: "v2" + auth: + kubernetes: + mountPath: "kubernetes" + role: "dmz-external-secrets" + +--- + +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: cloudflare-api-token-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: cloudflare-api-token-secret + data: + - secretKey: cloudflare-api-token-secret + remoteRef: + key: secrets/cert-manager + property: cloudflare-api-token-secret + diff --git a/external-secrets/values.yaml b/external-secrets/values.yaml new file mode 100644 index 0000000..a720adb --- /dev/null +++ b/external-secrets/values.yaml @@ -0,0 +1,463 @@ +external-secrets: + replicaCount: 3 + + # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) + revisionHistoryLimit: 10 + + image: + repository: ghcr.io/external-secrets/external-secrets + pullPolicy: Always + # -- The image tag to use. The default is the chart appVersion. + # There are different image flavours available, like distroless and ubi. + # Please see GitHub release notes for image tags for these flavors. + # By default the distroless image is used. + tag: "" + + # -- If set, install and upgrade CRDs through helm chart. + installCRDs: true + + crds: + # -- If true, create CRDs for Cluster External Secret. + createClusterExternalSecret: true + # -- If true, create CRDs for Cluster Secret Store. + createClusterSecretStore: true + # -- If true, create CRDs for Push Secret. + createPushSecret: true + annotations: {} + conversion: + enabled: true + + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + + # -- If true, external-secrets will perform leader election between instances to ensure no more + # than one instance of external-secrets operates at a time. + leaderElect: true + + # -- If set external secrets will filter matching + # Secret Stores with the appropriate controller values. + controllerClass: "" + + # -- If true external secrets will use recommended kubernetes + # annotations as prometheus metric labels. + extendedMetricLabels: false + + # -- If set external secrets are only reconciled in the + # provided namespace + scopedNamespace: "" + + # -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace + # and implicitly disable cluster stores and cluster external secrets + scopedRBAC: false + + # -- if true, the operator will process cluster external secret. Else, it will ignore them. + processClusterExternalSecret: true + + # -- if true, the operator will process cluster store. Else, it will ignore them. + processClusterStore: true + + # -- Specifies whether an external secret operator deployment be created. + createOperator: true + + # -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at + # a time. + concurrent: 1 + + serviceAccount: + # -- Specifies whether a service account should be created. + create: true + # -- Automounts the service account token in all containers of the pod + automount: true + # -- Annotations to add to the service account. + annotations: {} + # -- Extra Labels to add to the service account. + extraLabels: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" + + rbac: + # -- Specifies whether role and rolebinding resources should be created. + create: true + + ## -- Extra environment variables to add to container. + extraEnv: [] + + ## -- Map of extra arguments to pass to container. + extraArgs: {} + + ## -- Extra volumes to pass to pod. + extraVolumes: [] + + ## -- Extra volumes to mount to the container. + extraVolumeMounts: [] + + ## -- Extra containers to add to the pod. + extraContainers: [] + + # -- Annotations to add to Deployment + deploymentAnnotations: {} + + # -- Annotations to add to Pod + podAnnotations: {} + + podLabels: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + prometheus: + # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead. + enabled: false + service: + # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead. + port: 8080 + + serviceMonitor: + # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics + enabled: false + + # -- namespace where you want to install ServiceMonitors + namespace: "" + + # -- Additional labels + additionalLabels: {} + + # -- Interval to scrape metrics + interval: 30s + + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + + # -- Let prometheus add an exported_ prefix to conflicting labels + honorLabels: false + + # -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) + metricRelabelings: [] + # - action: replace + # regex: (.*) + # replacement: $1 + # sourceLabels: + # - exported_namespace + # targetLabel: namespace + + # -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + + metrics: + service: + # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics + enabled: false + + # -- Metrics service port to scrape + port: 8080 + + # -- Additional service annotations + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # -- Pod priority class name. + priorityClassName: "" + + # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + podDisruptionBudget: + enabled: false + minAvailable: 1 + # maxUnavailable: 1 + + # -- Run the controller on the host network + hostNetwork: false + + webhook: + # -- Specifies whether a webhook deployment be created. + create: true + # -- Specifices the time to check if the cert is valid + certCheckInterval: "5m" + # -- Specifices the lookaheadInterval for certificate validity + lookaheadInterval: "" + replicaCount: 1 + + # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) + revisionHistoryLimit: 10 + + certDir: /tmp/certs + # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore + failurePolicy: Fail + # -- Specifies if webhook pod should use hostNetwork or not. + hostNetwork: false + image: + repository: ghcr.io/external-secrets/external-secrets + pullPolicy: IfNotPresent + # -- The image tag to use. The default is the chart appVersion. + tag: "" + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + # -- The port the webhook will listen to + port: 10250 + rbac: + # -- Specifies whether role and rolebinding resources should be created. + create: true + serviceAccount: + # -- Specifies whether a service account should be created. + create: true + # -- Automounts the service account token in all containers of the pod + automount: true + # -- Annotations to add to the service account. + annotations: {} + # -- Extra Labels to add to the service account. + extraLabels: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # -- Pod priority class name. + priorityClassName: "" + + # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + podDisruptionBudget: + enabled: false + minAvailable: 1 + # maxUnavailable: 1 + prometheus: + # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead + enabled: false + service: + # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead + port: 8080 + + serviceMonitor: + # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics + enabled: false + + # -- Additional labels + additionalLabels: {} + + # -- Interval to scrape metrics + interval: 30s + + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + + metrics: + service: + # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics + enabled: false + + # -- Metrics service port to scrape + port: 8080 + + # -- Additional service annotations + annotations: {} + + + readinessProbe: + # -- Address for readiness probe + address: "" + # -- ReadinessProbe port for kubelet + port: 8081 + + + ## -- Extra environment variables to add to container. + extraEnv: [] + + ## -- Map of extra arguments to pass to container. + extraArgs: {} + + ## -- Extra volumes to pass to pod. + extraVolumes: [] + + ## -- Extra volumes to mount to the container. + extraVolumeMounts: [] + + # -- Annotations to add to Secret + secretAnnotations: {} + + # -- Annotations to add to Deployment + deploymentAnnotations: {} + + # -- Annotations to add to Pod + podAnnotations: {} + + podLabels: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + certController: + # -- Specifies whether a certificate controller deployment be created. + create: true + requeueInterval: "5m" + replicaCount: 1 + + # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) + revisionHistoryLimit: 10 + + image: + repository: ghcr.io/external-secrets/external-secrets + pullPolicy: Always + tag: "" + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + rbac: + # -- Specifies whether role and rolebinding resources should be created. + create: true + serviceAccount: + # -- Specifies whether a service account should be created. + create: true + # -- Automounts the service account token in all containers of the pod + automount: true + # -- Annotations to add to the service account. + annotations: {} + # -- Extra Labels to add to the service account. + extraLabels: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # -- Run the certController on the host network + hostNetwork: false + + # -- Pod priority class name. + priorityClassName: "" + + # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + podDisruptionBudget: + enabled: false + minAvailable: 1 + # maxUnavailable: 1 + + prometheus: + # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead + enabled: false + service: + # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead + port: 8080 + + serviceMonitor: + # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics + enabled: false + + # -- Additional labels + additionalLabels: {} + + # -- Interval to scrape metrics + interval: 30s + + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + + metrics: + service: + # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics + enabled: false + + # -- Metrics service port to scrape + port: 8080 + + # -- Additional service annotations + annotations: {} + + ## -- Extra environment variables to add to container. + extraEnv: [] + + ## -- Map of extra arguments to pass to container. + extraArgs: {} + + + ## -- Extra volumes to pass to pod. + extraVolumes: [] + + ## -- Extra volumes to mount to the container. + extraVolumeMounts: [] + + # -- Annotations to add to Deployment + deploymentAnnotations: {} + + # -- Annotations to add to Pod + podAnnotations: {} + + podLabels: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + # -- Specifies `dnsOptions` to deployment + dnsConfig: {} diff --git a/dev/cert-manager/Chart.yaml b/gatekeeper/Chart.yaml similarity index 50% rename from dev/cert-manager/Chart.yaml rename to gatekeeper/Chart.yaml index 7280af8..ebd28af 100644 --- a/dev/cert-manager/Chart.yaml +++ b/gatekeeper/Chart.yaml @@ -1,11 +1,11 @@ apiVersion: v2 -name: cert-manager +name: gatekeeper description: A Helm chart for Kubernetes type: application version: 0.0.1 appVersion: 0.0.1 dependencies: -- name: cert-manager - repository: https://charts.jetstack.io - version: v1.17.2 +- name: gatekeeper + repository: https://open-policy-agent.github.io/gatekeeper/charts + version: 3.14.0 diff --git a/gatekeeper/values.yaml b/gatekeeper/values.yaml new file mode 100644 index 0000000..d01ace9 --- /dev/null +++ b/gatekeeper/values.yaml @@ -0,0 +1,277 @@ +gatekeeper: + replicas: 3 + revisionHistoryLimit: 10 + auditInterval: 60 + metricsBackends: ["prometheus"] + auditMatchKindOnly: false + constraintViolationsLimit: 20 + auditFromCache: false + disableMutation: false + disableValidatingWebhook: false + validatingWebhookName: gatekeeper-validating-webhook-configuration + validatingWebhookTimeoutSeconds: 3 + validatingWebhookFailurePolicy: Ignore + validatingWebhookAnnotations: {} + validatingWebhookExemptNamespacesLabels: {} + validatingWebhookObjectSelector: {} + validatingWebhookCheckIgnoreFailurePolicy: Fail + validatingWebhookCustomRules: {} + validatingWebhookURL: null + enableDeleteOperations: false + enableExternalData: true + enableGeneratorResourceExpansion: true + enableTLSHealthcheck: false + maxServingThreads: -1 + mutatingWebhookName: gatekeeper-mutating-webhook-configuration + mutatingWebhookFailurePolicy: Ignore + mutatingWebhookReinvocationPolicy: Never + mutatingWebhookAnnotations: {} + mutatingWebhookExemptNamespacesLabels: {} + mutatingWebhookObjectSelector: {} + mutatingWebhookTimeoutSeconds: 1 + mutatingWebhookCustomRules: {} + mutatingWebhookURL: null + mutationAnnotations: false + auditChunkSize: 500 + logLevel: INFO + logDenies: false + logMutations: false + emitAdmissionEvents: false + emitAuditEvents: false + admissionEventsInvolvedNamespace: false + auditEventsInvolvedNamespace: false + resourceQuota: true + externaldataProviderResponseCacheTTL: 3m + image: + repository: openpolicyagent/gatekeeper + crdRepository: openpolicyagent/gatekeeper-crds + release: v3.15.0-beta.0 + pullPolicy: Always + pullSecrets: [] + preInstall: + crdRepository: + image: + repository: null + tag: v3.15.0-beta.0 + postUpgrade: + labelNamespace: + enabled: false + image: + repository: openpolicyagent/gatekeeper-crds + tag: v3.15.0-beta.0 + pullPolicy: IfNotPresent + pullSecrets: [] + extraNamespaces: [] + podSecurity: ["pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24"] + extraAnnotations: {} + priorityClassName: "" + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + postInstall: + labelNamespace: + enabled: true + extraRules: [] + image: + repository: openpolicyagent/gatekeeper-crds + tag: v3.15.0-beta.0 + pullPolicy: IfNotPresent + pullSecrets: [] + extraNamespaces: [] + podSecurity: ["pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24"] + extraAnnotations: {} + priorityClassName: "" + probeWebhook: + enabled: true + image: + repository: curlimages/curl + tag: 7.83.1 + pullPolicy: IfNotPresent + pullSecrets: [] + waitTimeout: 60 + httpTimeout: 2 + insecureHTTPS: false + priorityClassName: "" + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + preUninstall: + deleteWebhookConfigurations: + extraRules: [] + enabled: false + image: + repository: openpolicyagent/gatekeeper-crds + tag: v3.15.0-beta.0 + pullPolicy: IfNotPresent + pullSecrets: [] + priorityClassName: "" + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podAnnotations: {} + auditPodAnnotations: {} + podLabels: {} + podCountLimit: "100" + secretAnnotations: {} + enableRuntimeDefaultSeccompProfile: true + controllerManager: + exemptNamespaces: [] + exemptNamespacePrefixes: [] + hostNetwork: false + dnsPolicy: ClusterFirst + port: 8443 + metricsPort: 8888 + healthPort: 9090 + readinessTimeout: 1 + livenessTimeout: 1 + priorityClassName: system-cluster-critical + disableCertRotation: false + tlsMinVersion: 1.3 + clientCertName: "" + strategyType: RollingUpdate + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: gatekeeper.sh/operation + operator: In + values: + - webhook + topologyKey: kubernetes.io/hostname + weight: 100 + topologySpreadConstraints: [] + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podSecurityContext: + fsGroup: 999 + supplementalGroups: + - 999 + extraRules: [] + networkPolicy: + enabled: false + ingress: { } + # - from: + # - ipBlock: + # cidr: 0.0.0.0/0 + audit: + enablePubsub: false + connection: audit-connection + channel: audit-channel + hostNetwork: false + dnsPolicy: ClusterFirst + metricsPort: 8888 + healthPort: 9090 + readinessTimeout: 1 + livenessTimeout: 1 + priorityClassName: system-cluster-critical + disableCertRotation: false + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podSecurityContext: + fsGroup: 999 + supplementalGroups: + - 999 + writeToRAMDisk: false + extraRules: [] + crds: + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + pdb: + controllerManager: + minAvailable: 1 + service: {} + disabledBuiltins: ["{http.send}"] + psp: + enabled: true + upgradeCRDs: + enabled: true + extraRules: [] + priorityClassName: "" + rbac: + create: true + externalCertInjection: + enabled: false + secretName: gatekeeper-webhook-server-cert diff --git a/dmz/gitlab-runner/Chart.yaml b/gitlab-runner/Chart.yaml similarity index 85% rename from dmz/gitlab-runner/Chart.yaml rename to gitlab-runner/Chart.yaml index 17e8efe..c04efe7 100644 --- a/dmz/gitlab-runner/Chart.yaml +++ b/gitlab-runner/Chart.yaml @@ -8,5 +8,4 @@ appVersion: 0.0.1 dependencies: - name: gitlab-runner repository: https://charts.gitlab.io/ - version: 0.77.2 - alias: personal + version: 0.43.0 diff --git a/gitlab-runner/templates/secrets.yaml b/gitlab-runner/templates/secrets.yaml new file mode 100644 index 0000000..784ef11 --- /dev/null +++ b/gitlab-runner/templates/secrets.yaml @@ -0,0 +1,19 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: gitlab-secret +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: gitlab-secret + data: + - secretKey: runner-registration-token + remoteRef: + key: secrets/gitlab/runner + property: runner-registration-token + - secretKey: runner-token + remoteRef: + key: secrets/gitlab/runner + property: runner-token diff --git a/dmz/gitlab-runner/values.yaml b/gitlab-runner/values.yaml similarity index 63% rename from dmz/gitlab-runner/values.yaml rename to gitlab-runner/values.yaml index 7ba1021..0cc62b8 100644 --- a/dmz/gitlab-runner/values.yaml +++ b/gitlab-runner/values.yaml @@ -1,12 +1,12 @@ -personal: +gitlab-runner: image: - registry: registry.durp.info + registry: registry.internal.durp.info image: gitlab-org/gitlab-runner imagePullPolicy: Always - gitlabUrl: https://gitlab.durp.info/ - unregisterRunner: false + gitlabUrl: https://gitlab.com/ + unregisterRunner: true terminationGracePeriodSeconds: 3600 concurrent: 10 checkInterval: 30 @@ -18,15 +18,15 @@ personal: podSecurityPolicy: enabled: false resourceNames: - - gitlab-runner + - gitlab-runner metrics: enabled: true serviceMonitor: - enabled: true + enabled: true service: enabled: true - annotations: {} + annotations: {} runners: config: | @@ -40,16 +40,16 @@ personal: name: "k3s" runUntagged: true privileged: true - secret: gitlab-secret-personal - builds: - cpuLimit: 200m - cpuLimitOverwriteMaxAllowed: 400m - memoryLimit: 256Mi - memoryLimitOverwriteMaxAllowed: 512Mi - cpuRequests: 100m - cpuRequestsOverwriteMaxAllowed: 200m - memoryRequests: 128Mi - memoryRequestsOverwriteMaxAllowed: 256Mi + secret: gitlab-secret + #builds: + #cpuLimit: 200m + #cpuLimitOverwriteMaxAllowed: 400m + #memoryLimit: 256Mi + #memoryLimitOverwriteMaxAllowed: 512Mi + #cpuRequests: 100m + #cpuRequestsOverwriteMaxAllowed: 200m + #memoryRequests: 128Mi + #memoryRequestsOverwriteMaxAllowed: 256Mi securityContext: allowPrivilegeEscalation: false @@ -63,9 +63,9 @@ personal: runAsUser: 100 fsGroup: 65533 - resources: + resources: limits: memory: 2Gi requests: memory: 128Mi - cpu: 50m + cpu: 500m \ No newline at end of file diff --git a/infra/.gitlab/.gitlab-ci.yml b/infra/.gitlab/.gitlab-ci.yml deleted file mode 100644 index 78c6ee1..0000000 --- a/infra/.gitlab/.gitlab-ci.yml +++ /dev/null @@ -1,95 +0,0 @@ -stages: - - plan - - apply - - destroy - -variables: - WORKDIR: $CI_PROJECT_DIR/infra/terraform - GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/infra - -image: - name: registry.durp.info/opentofu/opentofu:latest - entrypoint: [""] - -.tf-init: - before_script: - - cd $WORKDIR - - tofu init - -reconfigure - -backend-config="address=${GITLAB_TF_ADDRESS}" - -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" - -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" - -backend-config="username=gitlab-ci-token" - -backend-config="password=${CI_JOB_TOKEN}" - -backend-config="lock_method=POST" - -backend-config="unlock_method=DELETE" - -backend-config="retry_wait_min=5" - -format: - stage: .pre - allow_failure: false - script: - - cd $WORKDIR - - tofu fmt -diff -check -write=false - rules: - - changes: - - "infra/terraform/*.tf" - -validate: - stage: .pre - allow_failure: false - extends: .tf-init - script: - - tofu validate - rules: - - changes: - - "infra/terraform/*.tf" - -plan-infrastructure: - stage: plan - variables: - PLAN: plan.tfplan - JSON_PLAN_FILE: tfplan.json - ENVIRONMENT_NAME: infra - allow_failure: false - extends: .tf-init - script: - - apk add --update curl jq - - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" - - tofu plan -out=$PLAN $ARGUMENTS - - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE - artifacts: - reports: - terraform: $WORKDIR/$JSON_PLAN_FILE - needs: ["validate","format"] - rules: - - changes: - - "infra/terraform/*.tf" - -apply-infrastructure: - stage: apply - variables: - ENVIRONMENT_NAME: infra - allow_failure: false - extends: .tf-init - script: - - tofu apply -auto-approve $ARGUMENTS - rules: - - changes: - - "infra/terraform/*.tf" - when: manual - needs: ["plan-infrastructure"] - -destroy-infrastructure: - stage: destroy - variables: - ENVIRONMENT_NAME: infra - allow_failure: false - extends: .tf-init - script: - - tofu destroy -auto-approve $ARGUMENTS - rules: - - changes: - - "infra/terraform/*.tf" - when: manual - needs: ["plan-infrastructure"] diff --git a/infra/argocd/templates/argocd.yaml b/infra/argocd/templates/argocd.yaml deleted file mode 100644 index 14141da..0000000 --- a/infra/argocd/templates/argocd.yaml +++ /dev/null @@ -1,85 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: argocd - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/argocd - destination: - namespace: argocd - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ---- - -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-argocd - labels: - app.kubernetes.io/part-of: argocd -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: client-secret - data: - - secretKey: clientSecret - remoteRef: - key: kv/authentik/argocd - property: clientsecret - ---- - -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: argocd-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`argocd.infra.durp.info`) - #middlewares: - # - name: whitelist - # namespace: traefik - kind: Rule - services: - - name: argocd-server - port: 443 - scheme: https - tls: - secretName: argocd-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: argocd-tls -spec: - secretName: argocd-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "argocd.infra.durp.info" - dnsNames: - - "argocd.infra.durp.info" - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - diff --git a/infra/argocd/templates/authentik.yaml b/infra/argocd/templates/authentik.yaml deleted file mode 100644 index ac5f8dc..0000000 --- a/infra/argocd/templates/authentik.yaml +++ /dev/null @@ -1,45 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: authentik - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/authentik - destination: - namespace: authentik - name: in-cluster - syncPolicy: - #managedNamespaceMetadata: - # labels: - # istio-injection: enabled - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: authentik-dmz - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/authentik - destination: - namespace: authentik - name: dmz - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/infra/argocd/templates/bitwarden.yaml b/infra/argocd/templates/bitwarden.yaml deleted file mode 100644 index a42abbc..0000000 --- a/infra/argocd/templates/bitwarden.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: bitwarden - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/bitwarden - destination: - namespace: bitwarden - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/infra/argocd/templates/cert-manager.yaml b/infra/argocd/templates/cert-manager.yaml deleted file mode 100644 index 31ef868..0000000 --- a/infra/argocd/templates/cert-manager.yaml +++ /dev/null @@ -1,44 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: cert-manager - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/cert-manager - destination: - namespace: cert-manager - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ---- - -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: cert-manager-dmz - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/cert-manager - destination: - namespace: cert-manager - name: dmz - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - diff --git a/infra/argocd/templates/external-secrets.yaml b/infra/argocd/templates/external-secrets.yaml deleted file mode 100644 index 7787a03..0000000 --- a/infra/argocd/templates/external-secrets.yaml +++ /dev/null @@ -1,44 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: external-secrets - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/external-secrets - destination: - namespace: external-secrets - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ---- - -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: external-secrets-dmz - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/external-secrets - destination: - namespace: external-secrets - name: dmz - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - diff --git a/infra/argocd/templates/istio.yaml b/infra/argocd/templates/istio.yaml deleted file mode 100644 index 615a43f..0000000 --- a/infra/argocd/templates/istio.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: istio-system - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/istio-system - destination: - namespace: istio-system - name: in-cluster - syncPolicy: - managedNamespaceMetadata: - labels: - topology.istio.io/network: network1 - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ignoreDifferences: - - group: admissionregistration.k8s.io - kind: ValidatingWebhookConfiguration - jsonPointers: - - /webhooks/0/failurePolicy - ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: istio-system-dmz - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/istio-system - destination: - namespace: istio-system - name: dmz - syncPolicy: - managedNamespaceMetadata: - labels: - topology.istio.io/network: network2 - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ignoreDifferences: - - group: admissionregistration.k8s.io - kind: ValidatingWebhookConfiguration - jsonPointers: - - /webhooks/0/failurePolicy diff --git a/infra/argocd/templates/litellm.yaml b/infra/argocd/templates/litellm.yaml deleted file mode 100644 index d8e225a..0000000 --- a/infra/argocd/templates/litellm.yaml +++ /dev/null @@ -1,20 +0,0 @@ -#apiVersion: argoproj.io/v1alpha1 -#kind: Application -#metadata: -# name: litellm -# namespace: argocd -#spec: -# project: default -# source: -# repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git -# targetRevision: main -# path: infra/litellm -# destination: -# namespace: litellm -# name: in-cluster -# syncPolicy: -# automated: -# prune: true -# selfHeal: true -# syncOptions: -# - CreateNamespace=true diff --git a/infra/argocd/templates/littlelink.yaml b/infra/argocd/templates/littlelink.yaml deleted file mode 100644 index 2d6011f..0000000 --- a/infra/argocd/templates/littlelink.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: littlelink - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/littlelink - directory: - recurse: true - destination: - name: dmz - namespace: littlelink - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/infra/argocd/templates/longhorn.yaml b/infra/argocd/templates/longhorn.yaml deleted file mode 100644 index f28a74c..0000000 --- a/infra/argocd/templates/longhorn.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: longhorn-system - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/longhorn - destination: - namespace: longhorn-system - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ignoreDifferences: - - group: engineimages.longhorn.io - jsonPointers: - - /spec/preserveUnknownFields - kind: CustomResourceDefinition - ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: longhorn-system-dmz - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/longhorn - destination: - namespace: longhorn-system - name: dmz - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/infra/argocd/templates/metallb-system.yaml b/infra/argocd/templates/metallb-system.yaml deleted file mode 100644 index a9b33d0..0000000 --- a/infra/argocd/templates/metallb-system.yaml +++ /dev/null @@ -1,66 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: metallb-system - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/metallb-system - destination: - namespace: metallb-system - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ---- - -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: metallb-system-dmz - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/metallb-system - destination: - namespace: metallb-system - name: dmz - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ---- - -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: metallb-system-dev - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dev/metallb-system - destination: - namespace: metallb-system - name: dev - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/infra/argocd/templates/openclarity.yaml b/infra/argocd/templates/openclarity.yaml deleted file mode 100644 index 57c1995..0000000 --- a/infra/argocd/templates/openclarity.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: openclarity - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/openclarity - destination: - namespace: openclarity - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/infra/argocd/templates/portainer.yaml b/infra/argocd/templates/portainer.yaml deleted file mode 100644 index 22b2a9b..0000000 --- a/infra/argocd/templates/portainer.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: portainer - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/portainer - destination: - namespace: portainer - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/infra/argocd/templates/redlib.yaml b/infra/argocd/templates/redlib.yaml deleted file mode 100644 index 3867fb7..0000000 --- a/infra/argocd/templates/redlib.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: redlib - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/redlib - directory: - recurse: true - destination: - name: dmz - namespace: redlib - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/infra/argocd/templates/renovate.yaml b/infra/argocd/templates/renovate.yaml deleted file mode 100644 index debce7a..0000000 --- a/infra/argocd/templates/renovate.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: renovate - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/renovate - destination: - namespace: renovate - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/infra/argocd/templates/searxng.yaml b/infra/argocd/templates/searxng.yaml deleted file mode 100644 index 9e05411..0000000 --- a/infra/argocd/templates/searxng.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: searxng - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/searxng - directory: - recurse: true - destination: - name: dmz - namespace: searxng - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/infra/argocd/templates/traefik.yaml b/infra/argocd/templates/traefik.yaml deleted file mode 100644 index 0ea06aa..0000000 --- a/infra/argocd/templates/traefik.yaml +++ /dev/null @@ -1,76 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: traefik - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/traefik - destination: - namespace: traefik - name: in-cluster - syncPolicy: - managedNamespaceMetadata: - labels: - istio-injection: enabled - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ---- - -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: traefik-dmz - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/traefik - destination: - namespace: traefik - name: dmz - syncPolicy: - # managedNamespaceMetadata: - # labels: - # istio-injection: enabled - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ---- - -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: traefik-dev - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dev/traefik - destination: - namespace: traefik - name: dev - syncPolicy: - # managedNamespaceMetadata: - # labels: - # istio-injection: enabled - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - diff --git a/infra/argocd/templates/vault.yaml b/infra/argocd/templates/vault.yaml deleted file mode 100644 index b5f6a0b..0000000 --- a/infra/argocd/templates/vault.yaml +++ /dev/null @@ -1,53 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: vault - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: infra/vault - destination: - namespace: vault - name: in-cluster - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ignoreDifferences: - - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration - jqPathExpressions: - - .webhooks[]?.clientConfig.caBundle - ---- - -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: vault-dmz - namespace: argocd -spec: - project: default - source: - repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git - targetRevision: main - path: dmz/vault - destination: - namespace: vault - name: dmz - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - ignoreDifferences: - - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration - jqPathExpressions: - - .webhooks[]?.clientConfig.caBundle diff --git a/infra/authentik/Chart.yaml b/infra/authentik/Chart.yaml deleted file mode 100644 index d5927e6..0000000 --- a/infra/authentik/Chart.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v2 -name: authentik -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" - -dependencies: - - name: authentik - repository: https://charts.goauthentik.io - version: 2025.4.1 - diff --git a/infra/authentik/templates/ingress.yaml b/infra/authentik/templates/ingress.yaml deleted file mode 100644 index 8e0c956..0000000 --- a/infra/authentik/templates/ingress.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: authentik-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`authentik.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: authentik-server - port: 80 - - match: Host(`authentik.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) - kind: Rule - services: - - name: ak-outpost-authentik-embedded-outpost - port: 9000 - tls: - secretName: authentik-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: authentik-tls -spec: - secretName: authentik-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "authentik.durp.info" - dnsNames: - - "authentik.durp.info" diff --git a/infra/authentik/templates/secrets.yaml b/infra/authentik/templates/secrets.yaml deleted file mode 100644 index df9f37e..0000000 --- a/infra/authentik/templates/secrets.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: authentik-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: db-pass - data: - - secretKey: dbpass - remoteRef: - key: kv/authentik/database - property: dbpass - - secretKey: secretkey - remoteRef: - key: kv/authentik/database - property: secretkey - - secretKey: postgresql-postgres-password - remoteRef: - key: kv/authentik/database - property: dbpass - - secretKey: postgresql-password - remoteRef: - key: kv/authentik/database - property: dbpass - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - diff --git a/infra/authentik/values.yaml b/infra/authentik/values.yaml deleted file mode 100644 index 7b75190..0000000 --- a/infra/authentik/values.yaml +++ /dev/null @@ -1,59 +0,0 @@ -authentik: - global: - security: - allowInsecureImages: true - env: - - name: AUTHENTIK_POSTGRESQL__PASSWORD - valueFrom: - secretKeyRef: - name: db-pass - key: dbpass - - name: AUTHENTIK_SECRET_KEY - valueFrom: - secretKeyRef: - name: db-pass - key: secretkey - revisionHistoryLimit: 1 - image: - repository: registry.durp.info/goauthentik/server - pullPolicy: Always - authentik: - outposts: - container_image_base: registry.durp.info/goauthentik/%(type)s:%(version)s - postgresql: - host: "{{ .Release.Name }}-postgresql-hl" - name: "authentik" - user: "authentik" - port: 5432 - server: - name: server - replicas: 3 - worker: - replicas: 3 - postgresql: - enabled: true - image: - registry: registry.durp.info - repository: bitnamilegacy/postgresql - pullPolicy: Always - postgresqlUsername: "authentik" - postgresqlDatabase: "authentik" - existingSecret: db-pass - persistence: - enabled: true - storageClass: longhorn - size: 16Gi - accessModes: - - ReadWriteMany - redis: - enabled: true - master: - persistence: - enabled: false - image: - registry: registry.durp.info - repository: bitnamilegacy/redis - pullPolicy: Always - architecture: standalone - auth: - enabled: false diff --git a/infra/bitwarden/templates/deployment.yaml b/infra/bitwarden/templates/deployment.yaml deleted file mode 100644 index b915246..0000000 --- a/infra/bitwarden/templates/deployment.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: bitwarden - name: bitwarden - labels: - app: bitwarden -spec: - selector: - matchLabels: - app: bitwarden - replicas: 1 - template: - metadata: - labels: - app: bitwarden - spec: - containers: - - name: bitwarden - image: registry.durp.info/vaultwarden/server:1.35.4 - imagePullPolicy: Always - volumeMounts: - - name: bitwarden-pvc - mountPath: /data - subPath: bitwaren-data - ports: - - name: http - containerPort: 80 - env: - - name: SIGNUPS_ALLOWED - value: "FALSE" - - name: INVITATIONS_ALLOWED - value: "FALSE" - - name: WEBSOCKET_ENABLED - value: "TRUE" - - name: ROCKET_ENV - value: "staging" - - name: ROCKET_PORT - value: "80" - - name: ROCKET_WORKERS - value: "10" - - name: SECRET_USERNAME - valueFrom: - secretKeyRef: - name: bitwarden-secret - key: ADMIN_TOKEN - volumes: - - name: bitwarden-pvc - persistentVolumeClaim: - claimName: bitwarden-pvc diff --git a/infra/bitwarden/templates/ingress.yaml b/infra/bitwarden/templates/ingress.yaml deleted file mode 100644 index f69bc78..0000000 --- a/infra/bitwarden/templates/ingress.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: bitwarden-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: bitwarden - port: 80 - tls: - secretName: bitwarden-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: bitwarden-tls -spec: - secretName: bitwarden-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "bitwarden.durp.info" - dnsNames: - - "bitwarden.durp.info" \ No newline at end of file diff --git a/infra/bitwarden/templates/secrets.yaml b/infra/bitwarden/templates/secrets.yaml deleted file mode 100644 index 45e2d64..0000000 --- a/infra/bitwarden/templates/secrets.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: bitwarden-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: bitwarden-secret - data: - - secretKey: ADMIN_TOKEN - remoteRef: - key: kv/bitwarden - property: admin_token - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - diff --git a/infra/bitwarden/templates/service.yaml b/infra/bitwarden/templates/service.yaml deleted file mode 100644 index df30857..0000000 --- a/infra/bitwarden/templates/service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: bitwarden -spec: - ports: - - name: http - port: 80 - targetPort: 80 - protocol: TCP - selector: - app: bitwarden \ No newline at end of file diff --git a/infra/cert-manager/templates/issuer.yaml b/infra/cert-manager/templates/issuer.yaml deleted file mode 100644 index 6b889c7..0000000 --- a/infra/cert-manager/templates/issuer.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: issuer -secrets: - - name: issuer-token-lmzpj \ No newline at end of file diff --git a/infra/cert-manager/templates/letsencrypt.yaml b/infra/cert-manager/templates/letsencrypt.yaml deleted file mode 100644 index 0203412..0000000 --- a/infra/cert-manager/templates/letsencrypt.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-production -spec: - acme: - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-production - solvers: - - dns01: - cloudflare: - email: developerdurp@durp.info - apiTokenSecretRef: - name: cloudflare-api-token-secret - key: cloudflare-api-token-secret - ---- - -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: vault-issuer -spec: - vault: - server: https://vault.infra.durp.info - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzekNDQTV1Z0F3SUJBZ0lVWkV6enhxRXVZaUtIa0wxZGYrQ2IyMk5SUkpNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekl5TXpRME1sb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dJREVlTUJ3R0ExVUVBeE1WZG1GMWJIUXVhVzVtY21FdVpIVnljQzVwYm1adk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWtaTTB1ZTRiTWNtbUFUcytrR1lTcFIyaExVenEKc2NHSXdDdHFtYUtDTWJkMXhobWdqbklSM3p2U1JwdExSMkdWR3ZjMXRpNnFieTBqWFl2Y3FieGtIdmF5MDB6VwoyellOK00ybTRsWHB1V3pnMXQ2TkVvTzZYR0FzR2oydjB2Y1ZrdFBQVTl1ajByR1VWR1dXZnN2am9YcVFGZzVJCmpkeHN4SzlTdk12dzJYdEUzRmdLeHB6Q3l3OTRJbklIbGNQd0ZUTyszWmRLU3RabE1iVURJa21zekxCcldGY3IKWE9zUERmTHhxTXkwQ2svL0xLSXQ4ZGpoMzI1NEZIQjFHRzUra0krSlNXMW8rdFVjTDJOeW12SUlOd20vMmFjUwoxdVRtK2o5VzdpRVhhdjBwSk5tbSsvZHpTc2tjM1kwZnRNMGgySENYZ2l0QklhRVpuVVZuZU5IT0x3SURBUUFCCm80SUI3ekNDQWVzd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME8KQkJZRUZDYVEycTdqN0x5QkdFVEVaNXFhSkFkbElTS0NNQjhHQTFVZEl3UVlNQmFBRk8xakN5R2twRk8rUWlSMgpkZkJNV1ZZZVdyUTJNSUgwQmdnckJnRUZCUWNCQVFTQjV6Q0I1REF6QmdnckJnRUZCUWN3QVlZbmFIUjBjSE02Ckx5OHhPVEl1TVRZNExqSXdMakkxTXpvNE1qQXhMM1l4TDNCcmFTOXZZM053TUQwR0NDc0dBUVVGQnpBQmhqRm8KZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnJhUzl2WTNOdwpNREVHQ0NzR0FRVUZCekFDaGlWb2RIUndjem92THpFNU1pNHhOamd1TWpBdU1qVXpPamd5TURFdmRqRXZjR3RwCkwyTmhNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndjem92TDNKdmIzUXRkbUYxYkhRdWFXNTBaWEp1WVd3dVpIVnkKY0M1cGJtWnZMM1l4TDNCcmFTOWpZVEFnQmdOVkhSRUVHVEFYZ2hWMllYVnNkQzVwYm1aeVlTNWtkWEp3TG1sdQpabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3TGpJMU16bzRNakF4CkwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6T2k4dmNtOXZkQzEyWVhWc2RDNXBiblJsY201aGJDNWsKZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXVKK2xwbFkvK0E1TAo1THprbGpiS0RUeTNVNlBMdjFMdHhxVkNPRkdpSlhCblhNanRWVzA3YkJFVWFkekZSTlc4R0hRM3c1UXpPRzZrCi92RS9UcnJKaG83bDA1Si91YytCVXJQU05qZWZMbVFWNmhuNGpyUDg2UFIwdnpSZmJTcUtLQklJRDlNNyt6aTYKR0Z2SGxWa1NIc1F5TVFwN0pPb2F4OUtWelcyWStPSWd3N0xndzJ0UDEyMldDdDJTSUYwUWVub1pIc29XMGd1agp0elRKUm1KRGpuNlhlSjdMM0ZQa2YzN0g2dWIwSmczekJHcjZlb3JFRmZZWk5ONUNYZXpqcU1GQnBSZHE0VUlvCjFNM0E3bzN1eVpGY0ZzcC92R0RjTUJrd2FDc0JWOWlkdS9Id2t2R2FUVU5JMjg1aWxCT1JQRDBiTVpuQUNxLzkKK1EvY2RzTzVsZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lVUXdDQXM4MnNnU3VpYVZiakFOSFNjTzJEU2ZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TWpFeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBbjlmakdScXFGc3FndXo1Nlg2Y1had0VNdEQ5d0Vsd1NGQ2I0RmM4WVR6bEgKNGZWMTNRd1hLRVNMRS9RKzdidzR5NEZKUThCaUdOYnh4YlFPT2dXaGZHR2xReUZhMWxmaEp0WUxmcVJONUMyLwpTN25yMFl4REI5ZHVjNE9BRXhWTDZQcjQvS29jK3ZEWlkwM2w3Unp3bkYyQU9NOURqRlRBU3cwMVRwaENRalJrClUrdXBpTjJUVWhVUGVqVi9nTVIrelhNNnBuOThVQktHMWROdWJTMEh6QU13QUVYQVBtMTQxTkR5V1VDUFQ5KzMKNlAwM0thOG1VVHgzWDQ5T0N0dkpFR0VRYnRsblRGUWFPU2tQMXlMVytYUk1IdzNzUWFWMlBXWHU1ZkluYkVwWgorU3V6bWdMT1h0bVFObUhMYXY5cTFxZVRWa3BCR1BXdmZoMlZoMUpKaFFJREFRQUJvNElCNHpDQ0FkOHdEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSmFQMTdmMVp3MFYKNTVLczlVZjBVU1ZXbDBCUE1COEdBMVVkSXdRWU1CYUFGTzFqQ3lHa3BGTytRaVIyZGZCTVdWWWVXclEyTUlIMApCZ2dyQmdFRkJRY0JBUVNCNXpDQjVEQXpCZ2dyQmdFRkJRY3dBWVluYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3CkxqSTFNem80TWpBeEwzWXhMM0JyYVM5dlkzTndNRDBHQ0NzR0FRVUZCekFCaGpGb2RIUndjem92TDNKdmIzUXQKZG1GMWJIUXVhVzUwWlhKdVlXd3VaSFZ5Y0M1cGJtWnZMM1l4TDNCcmFTOXZZM053TURFR0NDc0dBUVVGQnpBQwpoaVZvZEhSd2N6b3ZMekU1TWk0eE5qZ3VNakF1TWpVek9qZ3lNREV2ZGpFdmNHdHBMMk5oTURzR0NDc0dBUVVGCkJ6QUNoaTlvZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnIKYVM5allUQVVCZ05WSFJFRURUQUxnZ2xrZFhKd0xtbHVabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMApjSE02THk4eE9USXVNVFk0TGpJd0xqSTFNem80TWpBeEwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6Ck9pOHZjbTl2ZEMxMllYVnNkQzVwYm5SbGNtNWhiQzVrZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFpcUFaNHpOSUVrQ1djdnBEUnEwVnlKdWs1OXNWdEpyNVg0RnNjSFExNzluRQpRYmJ2TWUrRUJERlM2WFFtbDFFbGo4amlQYS9ENU85T2M2SWlzbm01K3dlWkt3QXB6L2xRK1hWa1dMQ29FcGxCClpaOWZjV1ZDYk1MdDB4bHQ4cW41ei9tWUtmYkNUN1pDcURPK3ByUVp0K0FESmNRYmlrbmZyb0FBcUViTkt4d04KWTl1VXlPV05GM1N4SkVjaDR3MmR0WCtJRVZteGVabmhNeThPdVAwU1FLbDhhVzQwdWdpRzBaRDV5VEJCZk9EOQp6c3JHU1UvaVNhdG4wYjdiZXZCaGFMOTZoejEvck5SMWNMKzQvYWxiWDJocnI4UnYzL1NCMkRMdE5RbFFXMGxzCkFmaFhBcVA1ekwrWXRnZjFPZi9wVmRnbmh4cllVWTdSS0NTR1k1SGFndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMekNDQWhlZ0F3SUJBZ0lVTkhkdk96YW0ySFBWZHdYcE1IVXk0d2w4WlJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TVRVeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBOFhEVFZFdFJJMytrNHl1dnFWcWZJaUxSUUpjWGJtaGZWdEFlWWsrNWo5T3gKcDF3OVlIZG5QTHFMRnJEMVB6YWRqcVllQXAvZndsRUZmczZscXdvVFM4Uzl2aGFGcWNnQjU3blZNYjc3ZFRCYgovMDhYSFhPVTZGUFJqZEZLbTVRTXBTN3RuMVhhY1BNeS9vMGJLcVJSRVFlaXVGREdWUnl1RjVQVWd2V2MxZHZKCmwyN0p2dmdZa3RnamZwTlM0RGxDeGc0bEdYVDVhYnZhS2YyaG5yNjVlZ2FJby95UldOOXdudkF6UmlZN29jaTcKR0Exb0t6ODdZYzF0ZkwyZ2N5bnJ3Y2NPT0NGL2VVS2VzSlIxSTZHWE5rTi9hMWZjcitMZDlaOU5oSEJ0Tyt2RQpOOERzWlkra0c3REUzTTRCQ0NURlV6bGxjWUhqYVc0SGFGOXZaVytQWXdJREFRQUJvM2t3ZHpBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdXTUxJYVNrVTc1Q0pIWjEKOEV4WlZoNWF0RFl3SHdZRFZSMGpCQmd3Rm9BVTdXTUxJYVNrVTc1Q0pIWjE4RXhaVmg1YXREWXdGQVlEVlIwUgpCQTB3QzRJSlpIVnljQzVwYm1adk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVMvcVVJLzFZdjA3eFVUSzVrCnI5M2tDN0dTUHBtcGtYSXNmakNoQWw5M3NlYk4xNDNmdTcwTlVQNzRqakNjMFdrYjhoUm9mR2cxMEUrLzI0cjEKQUkwS3NMaHpLemZJQVN4VVZRQW44UlRwdExydWFhUExib1NBNE1VWjhJQjV5OFZ5OEUzL0t0RDBnRDgwajY0WQpybTlYR0hBMEhUSkhiUFVUYi9SdXgyZzBFN1d0aXlXU1dIOG1xemJlZ1U4SXJrTTNlVlQ0K3lsQkU3WWtmV0RECmR3NDRzQjcxdGZtREtweldnNlhRNllNaDBZZm55RzFmWUNqOUxodWVjTlk5VXVvNmNqRGFBdmt6TWV3V3dxRHgKUTJFa2FzOThEaTZpdENQOHZFVCtnQkRqZUNjK1hSNkh4NnZ6V214bFpod0R1eEVLTDFhMi9EYWJVeEp5TU56dgo1NUZuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K - path: pki/sign/issue-homelab-certs - auth: - kubernetes: - mountPath: /v1/auth/kubernetes - role: issuer - secretRef: - name: issuer-token-lmzpj - key: token diff --git a/infra/cert-manager/templates/secretvault.yaml b/infra/cert-manager/templates/secretvault.yaml deleted file mode 100644 index 241e9a6..0000000 --- a/infra/cert-manager/templates/secretvault.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: cloudflare-api-token-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: cloudflare-api-token-secret - data: - - secretKey: cloudflare-api-token-secret - remoteRef: - key: kv/cert-manager - property: cloudflare-api-token-secret - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - diff --git a/infra/cert-manager/values.yaml b/infra/cert-manager/values.yaml deleted file mode 100644 index 295c5e6..0000000 --- a/infra/cert-manager/values.yaml +++ /dev/null @@ -1,26 +0,0 @@ -cert-manager: - crds: - enabled: true - image: - registry: registry.durp.info - repository: jetstack/cert-manager-controller - pullPolicy: Always - replicaCount: 3 - #extraArgs: - # - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 - # - --dns01-recursive-nameservers-only - #podDnsPolicy: None - #podDnsConfig: - # nameservers: - # - "1.1.1.1" - # - "1.0.0.1" - webhook: - image: - registry: registry.durp.info - repository: jetstack/cert-manager-webhook - pullPolicy: Always - cainjector: - image: - registry: registry.durp.info - repository: jetstack/cert-manager-cainjector - pullPolicy: Always diff --git a/infra/external-secrets/templates/ca.yaml b/infra/external-secrets/templates/ca.yaml deleted file mode 100644 index 9b2a135..0000000 --- a/infra/external-secrets/templates/ca.yaml +++ /dev/null @@ -1,81 +0,0 @@ -apiVersion: v1 -data: - vault.pem: | - -----BEGIN CERTIFICATE----- - MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL - BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy - MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN - BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq - scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW - 2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I - jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr - XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS - 1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB - o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O - BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2 - dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6 - Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo - dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw - MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp - L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy - cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu - Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx - L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k - dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L - 5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k - /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6 - GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj - tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo - 1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9 - +Q/cdsO5lg== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL - BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy - MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF - AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH - 4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/ - S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk - U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3 - 6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ - +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD - VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V - 55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0 - BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw - LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt - dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC - hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF - BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br - aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0 - cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz - Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq - hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE - QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB - ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN - Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9 - zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls - AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL - BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy - MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF - AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox - p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb - /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ - l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7 - GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE - N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B - Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1 - 8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R - BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k - r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1 - AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y - rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD - dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx - Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv - 55Fn - -----END CERTIFICATE----- -kind: ConfigMap -metadata: - name: ca-pemstore diff --git a/infra/external-secrets/values.yaml b/infra/external-secrets/values.yaml deleted file mode 100644 index e61f2f1..0000000 --- a/infra/external-secrets/values.yaml +++ /dev/null @@ -1,76 +0,0 @@ -external-secrets: - global: - security: - allowInsecureImages: true - - log: - level: debug - replicaCount: 1 - revisionHistoryLimit: 1 - leaderElect: false - - installCRDs: true - crds: - createClusterExternalSecret: true - createClusterSecretStore: true - createClusterGenerator: true - createPushSecret: true - conversion: - enabled: false - - image: - repository: registry.durp.info/external-secrets/external-secrets - pullPolicy: Always - - extraVolumes: - - name: ca-pemstore - configMap: - name: ca-pemstore - - extraVolumeMounts: - - name: ca-pemstore - mountPath: /etc/ssl/certs/vault.pem - subPath: vault.pem - readOnly: true - - # resources: - # requests: - # memory: 32Mi - # cpu: 10m - # limits: - # memory: 32Mi - # cpu: 10m - - webhook: - log: - level: debug - image: - repository: registry.durp.info/external-secrets/external-secrets - pullPolicy: Always - - # resources: - # requests: - # memory: 32Mi - # cpu: 10m - # limits: - # memory: 32Mi - # cpu: 10m - - certController: - create: false - revisionHistoryLimit: 1 - log: - level: debug - - image: - repository: registry.durp.info/external-secrets/external-secrets - pullPolicy: Always - tag: "" - - resources: - requests: - memory: 32Mi - cpu: 10m - limits: - memory: 32Mi - cpu: 10m diff --git a/infra/istio-system/Chart.yaml b/infra/istio-system/Chart.yaml deleted file mode 100644 index 7bb5fc3..0000000 --- a/infra/istio-system/Chart.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v2 -name: istio-system -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: base - repository: https://istio-release.storage.googleapis.com/charts - version: 1.29.0 -- name: istiod - repository: https://istio-release.storage.googleapis.com/charts - version: 1.26.2 -- name: gateway - repository: https://istio-release.storage.googleapis.com/charts - version: 1.26.2 diff --git a/infra/istio-system/templates/expose.yaml b/infra/istio-system/templates/expose.yaml deleted file mode 100644 index 34c77f7..0000000 --- a/infra/istio-system/templates/expose.yaml +++ /dev/null @@ -1,70 +0,0 @@ -#apiVersion: networking.istio.io/v1 -#kind: Gateway -#metadata: -# name: istiod-gateway -#spec: -# selector: -# istio: eastwestgateway -# servers: -# - port: -# name: tls-istiod -# number: 15012 -# protocol: tls -# tls: -# mode: PASSTHROUGH -# hosts: -# - "*" -# - port: -# name: tls-istiodwebhook -# number: 15017 -# protocol: tls -# tls: -# mode: PASSTHROUGH -# hosts: -# - "*" -#--- -#apiVersion: networking.istio.io/v1 -#kind: VirtualService -#metadata: -# name: istiod-vs -#spec: -# hosts: -# - "*" -# gateways: -# - istiod-gateway -# tls: -# - match: -# - port: 15012 -# sniHosts: -# - "*" -# route: -# - destination: -# host: istiod.istio-system.svc.cluster.local -# port: -# number: 15012 -# - match: -# - port: 15017 -# sniHosts: -# - "*" -# route: -# - destination: -# host: istiod.istio-system.svc.cluster.local -# port: -# number: 443 ---- -apiVersion: networking.istio.io/v1 -kind: Gateway -metadata: - name: cross-network-gateway -spec: - selector: - istio: eastwestgateway - servers: - - port: - number: 15443 - name: tls - protocol: TLS - tls: - mode: AUTO_PASSTHROUGH - hosts: - - "*.local" diff --git a/infra/istio-system/templates/issuer.yaml b/infra/istio-system/templates/issuer.yaml deleted file mode 100644 index 4480773..0000000 --- a/infra/istio-system/templates/issuer.yaml +++ /dev/null @@ -1,8 +0,0 @@ -#apiVersion: cert-manager.io/v1 -#kind: Issuer -#metadata: -# name: vault-issuer -# namespace: istio-system -#spec: -# ca: -# secretName: ca-key-pair diff --git a/infra/istio-system/values.yaml b/infra/istio-system/values.yaml deleted file mode 100644 index 5cd90bd..0000000 --- a/infra/istio-system/values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -istiod: - global: - network: network1 - meshID: mesh1 - multiCluster: - clusterName: infra - -gateway: - name: istio-eastwestgateway - networkGateway: network1 \ No newline at end of file diff --git a/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml b/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml deleted file mode 100644 index 3328c18..0000000 --- a/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml +++ /dev/null @@ -1,46 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-grafana-oauth -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: grafana-oauth - data: - - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID - remoteRef: - key: kv/grafana/oauth - property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID - - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET - remoteRef: - key: kv/grafana/oauth - property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-admin-credentials -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: grafana-admin-credentials - data: - - secretKey: admin-password - remoteRef: - key: kv/grafana/admin - property: password - - secretKey: admin-user - remoteRef: - key: kv/grafana/admin - property: user diff --git a/infra/litellm/Chart.yaml b/infra/litellm/Chart.yaml deleted file mode 100644 index 1444a2c..0000000 --- a/infra/litellm/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: litellm -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" - -dependencies: - - name: "litellm-helm" - version: 0.1.643 - repository: oci://ghcr.io/berriai/litellm-helm diff --git a/infra/litellm/values.yaml b/infra/litellm/values.yaml deleted file mode 100644 index b7ce066..0000000 --- a/infra/litellm/values.yaml +++ /dev/null @@ -1,197 +0,0 @@ -litellm: - # Default values for litellm. - # This is a YAML-formatted file. - # Declare variables to be passed into your templates. - - replicaCount: 1 - - image: - # Use "ghcr.io/berriai/litellm-database" for optimized image with database - repository: ghcr.io/berriai/litellm-database - pullPolicy: Always - # Overrides the image tag whose default is the chart appVersion. - # tag: "main-latest" - tag: "" - - imagePullSecrets: [] - nameOverride: "litellm" - fullnameOverride: "" - - serviceAccount: - # Specifies whether a service account should be created - create: false - # Automatically mount a ServiceAccount's API credentials? - automount: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - - podAnnotations: {} - podLabels: {} - - # At the time of writing, the litellm docker image requires write access to the - # filesystem on startup so that prisma can install some dependencies. - podSecurityContext: {} - securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: false - # runAsNonRoot: true - # runAsUser: 1000 - - # A list of Kubernetes Secret objects that will be exported to the LiteLLM proxy - # pod as environment variables. These secrets can then be referenced in the - # configuration file (or "litellm" ConfigMap) with `os.environ/` - environmentSecrets: [] - # - litellm-env-secret - - # A list of Kubernetes ConfigMap objects that will be exported to the LiteLLM proxy - # pod as environment variables. The ConfigMap kv-pairs can then be referenced in the - # configuration file (or "litellm" ConfigMap) with `os.environ/` - environmentConfigMaps: [] - # - litellm-env-configmap - - service: - type: ClusterIP - port: 4000 - - ingress: - enabled: false - className: "nginx" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: api.example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - - # masterkey: changeit - - # The elements within proxy_config are rendered as config.yaml for the proxy - # Examples: https://github.com/BerriAI/litellm/tree/main/litellm/proxy/example_config_yaml - # Reference: https://docs.litellm.ai/docs/proxy/configs - proxy_config: - model_list: - # At least one model must exist for the proxy to start. - - model_name: gpt-3.5-turbo - litellm_params: - model: gpt-3.5-turbo - api_key: eXaMpLeOnLy - - model_name: fake-openai-endpoint - litellm_params: - model: openai/fake - api_key: fake-key - api_base: https://exampleopenaiendpoint-production.up.railway.app/ - general_settings: - master_key: os.environ/PROXY_MASTER_KEY - - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - - # Additional volumes on the output Deployment definition. - volumes: [] - # - name: foo - # secret: - # secretName: mysecret - # optional: false - - # Additional volumeMounts on the output Deployment definition. - volumeMounts: [] - # - name: foo - # mountPath: "/etc/foo" - # readOnly: true - - nodeSelector: {} - - tolerations: [] - - affinity: {} - - db: - # Use an existing postgres server/cluster - useExisting: false - - # How to connect to the existing postgres server/cluster - endpoint: localhost - database: litellm - url: postgresql://$(DATABASE_USERNAME):$(DATABASE_PASSWORD)@$(DATABASE_HOST)/$(DATABASE_NAME) - secret: - name: postgres - usernameKey: username - passwordKey: password - - # Use the Stackgres Helm chart to deploy an instance of a Stackgres cluster. - # The Stackgres Operator must already be installed within the target - # Kubernetes cluster. - # TODO: Stackgres deployment currently unsupported - useStackgresOperator: false - - # Use the Postgres Helm chart to create a single node, stand alone postgres - # instance. See the "postgresql" top level key for additional configuration. - deployStandalone: true - - # Settings for Bitnami postgresql chart (if db.deployStandalone is true, ignored - # otherwise) - postgresql: - architecture: standalone - auth: - username: litellm - database: litellm - - # You should override these on the helm command line with - # `--set postgresql.auth.postgres-password=,postgresql.auth.password=` - password: NoTaGrEaTpAsSwOrD - postgres-password: NoTaGrEaTpAsSwOrD - - # A secret is created by this chart (litellm-helm) with the credentials that - # the new Postgres instance should use. - # existingSecret: "" - # secretKeys: - # userPasswordKey: password - - # requires cache: true in config file - # either enable this or pass a secret for REDIS_HOST, REDIS_PORT, REDIS_PASSWORD or REDIS_URL - # with cache: true to use existing redis instance - redis: - enabled: false - architecture: standalone - - # Prisma migration job settings - migrationJob: - enabled: true # Enable or disable the schema migration Job - retries: 3 # Number of retries for the Job in case of failure - backoffLimit: 4 # Backoff limit for Job restarts - disableSchemaUpdate: false # Skip schema migrations for specific environments. When True, the job will exit with code 0. - annotations: {} - ttlSecondsAfterFinished: 120 - - # Additional environment variables to be added to the deployment - envVars: { - # USE_DDTRACE: "true" - } - diff --git a/infra/longhorn/templates/ingress.yaml b/infra/longhorn/templates/ingress.yaml deleted file mode 100644 index ad4ebd3..0000000 --- a/infra/longhorn/templates/ingress.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: longhorn-ingress - annotations: - cert-manager.io/cluster-issuer: vault-issuer -spec: - entryPoints: - - websecure - routes: - - match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`) - kind: Rule - middlewares: - #- name: authentik-proxy-provider - # namespace: traefik - services: - - name: longhorn-frontend - port: 80 - tls: - secretName: longhorn-tls - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: longhorn-tls -spec: - secretName: longhorn-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "longhorn.infra.durp.info" - dnsNames: - - "longhorn.infra.durp.info" diff --git a/infra/longhorn/templates/secrets.yaml b/infra/longhorn/templates/secrets.yaml deleted file mode 100644 index e3d18af..0000000 --- a/infra/longhorn/templates/secrets.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - ---- - -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: external-longhorn-backup-token-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: longhorn-backup-token-secret - data: - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - key: kv/longhorn/backup - property: AWS_ACCESS_KEY_ID - - secretKey: AWS_ENDPOINTS - remoteRef: - key: kv/longhorn/backup - property: AWS_ENDPOINTS - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - key: kv/longhorn/backup - property: AWS_SECRET_ACCESS_KEY diff --git a/infra/longhorn/values.yaml b/infra/longhorn/values.yaml deleted file mode 100644 index e34a1ee..0000000 --- a/infra/longhorn/values.yaml +++ /dev/null @@ -1,192 +0,0 @@ -longhorn: - global: - cattle: - systemDefaultRegistry: "" - - image: - longhorn: - engine: - repository: longhornio/longhorn-engine - manager: - repository: longhornio/longhorn-manager - ui: - repository: longhornio/longhorn-ui - instanceManager: - repository: longhornio/longhorn-instance-manager - shareManager: - repository: longhornio/longhorn-share-manager - backingImageManager: - repository: longhornio/backing-image-manager - csi: - attacher: - repository: longhornio/csi-attacher - provisioner: - repository: longhornio/csi-provisioner - nodeDriverRegistrar: - repository: longhornio/csi-node-driver-registrar - resizer: - repository: longhornio/csi-resizer - snapshotter: - repository: longhornio/csi-snapshotter - pullPolicy: Always - - service: - ui: - type: ClusterIP - nodePort: null - manager: - type: ClusterIP - nodePort: "" - loadBalancerIP: "" - loadBalancerSourceRanges: "" - - persistence: - defaultClass: true - defaultFsType: ext4 - defaultClassReplicaCount: 3 - defaultDataLocality: disabled # best-effort otherwise - reclaimPolicy: Delete - migratable: false - recurringJobSelector: - enable: true - jobList: '[ - { - "name":"backup", - "task":"backup", - "cron":"0 0 * * *", - "retain":24 - } - ]' - backingImage: - enable: false - name: ~ - dataSourceType: ~ - dataSourceParameters: ~ - expectedChecksum: ~ - - csi: - kubeletRootDir: ~ - attacherReplicaCount: ~ - provisionerReplicaCount: ~ - resizerReplicaCount: ~ - snapshotterReplicaCount: ~ - - defaultSettings: - backupTarget: S3://longhorn-master@us-east-1/ - backupTargetCredentialSecret: longhorn-backup-token-secret - allowRecurringJobWhileVolumeDetached: ~ - createDefaultDiskLabeledNodes: ~ - defaultDataPath: ~ - defaultDataLocality: ~ - replicaSoftAntiAffinity: ~ - replicaAutoBalance: ~ - storageOverProvisioningPercentage: ~ - storageMinimalAvailablePercentage: ~ - upgradeChecker: ~ - defaultReplicaCount: ~ - defaultLonghornStaticStorageClass: longhorn - backupstorePollInterval: ~ - taintToleration: ~ - systemManagedComponentsNodeSelector: ~ - priorityClass: ~ - autoSalvage: ~ - autoDeletePodWhenVolumeDetachedUnexpectedly: ~ - disableSchedulingOnCordonedNode: ~ - replicaZoneSoftAntiAffinity: ~ - nodeDownPodDeletionPolicy: ~ - allowNodeDrainWithLastHealthyReplica: ~ - mkfsExt4Parameters: ~ - disableReplicaRebuild: ~ - replicaReplenishmentWaitInterval: ~ - concurrentReplicaRebuildPerNodeLimit: ~ - disableRevisionCounter: ~ - systemManagedPodsImagePullPolicy: ~ - allowVolumeCreationWithDegradedAvailability: ~ - autoCleanupSystemGeneratedSnapshot: ~ - concurrentAutomaticEngineUpgradePerNodeLimit: ~ - backingImageCleanupWaitInterval: ~ - backingImageRecoveryWaitInterval: ~ - guaranteedEngineManagerCPU: ~ - guaranteedReplicaManagerCPU: ~ - kubernetesClusterAutoscalerEnabled: ~ - orphanAutoDeletion: ~ - storageNetwork: ~ - privateRegistry: - createSecret: ~ - registryUrl: ~ - registryUser: ~ - registryPasswd: ~ - registrySecret: ~ - - longhornManager: - priorityClass: ~ - tolerations: [] - ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above - ## and uncomment this example block - # - key: "key" - # operator: "Equal" - # value: "value" - # effect: "NoSchedule" - nodeSelector: {} - ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above - ## and uncomment this example block - # label-key1: "label-value1" - # label-key2: "label-value2" - - longhornDriver: - priorityClass: ~ - tolerations: [] - ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above - ## and uncomment this example block - # - key: "key" - # operator: "Equal" - # value: "value" - # effect: "NoSchedule" - nodeSelector: {} - ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above - ## and uncomment this example block - # label-key1: "label-value1" - # label-key2: "label-value2" - - longhornUI: - priorityClass: ~ - tolerations: [] - ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above - ## and uncomment this example block - # - key: "key" - # operator: "Equal" - # value: "value" - # effect: "NoSchedule" - nodeSelector: {} - ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above - ## and uncomment this example block - # label-key1: "label-value1" - # label-key2: "label-value2" - - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - # - - ingress: - enabled: false - - ## Specify override namespace, specifically this is useful for using longhorn as sub-chart - ## and its release namespace is not the `longhorn-system` - namespaceOverride: "" - - # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional. - annotations: {} - - serviceAccount: - # Annotations to add to the service account - annotations: {} - diff --git a/infra/metallb-system/Chart.yaml b/infra/metallb-system/Chart.yaml deleted file mode 100644 index c92e842..0000000 --- a/infra/metallb-system/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: metallb-system -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" - -dependencies: -- name: metallb - repository: https://metallb.github.io/metallb - version: 0.15.2 diff --git a/infra/metallb-system/values.yaml b/infra/metallb-system/values.yaml deleted file mode 100644 index e69de29..0000000 diff --git a/infra/nebula-sync/Chart.yaml b/infra/nebula-sync/Chart.yaml deleted file mode 100644 index 114f728..0000000 --- a/infra/nebula-sync/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: nebula-sync -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" diff --git a/infra/nebula-sync/templates/deployment.yaml b/infra/nebula-sync/templates/deployment.yaml deleted file mode 100644 index 51e2607..0000000 --- a/infra/nebula-sync/templates/deployment.yaml +++ /dev/null @@ -1,73 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: nebula-sync - name: nebula-sync - labels: - app: nebula-sync -spec: - selector: - matchLabels: - app: nebula-sync - replicas: 1 - template: - metadata: - labels: - app: nebula-sync - spec: - containers: - - name: nebula-sync - image: registry.durp.info/lovelaze/nebula-sync:latest - imagePullPolicy: Always - env: - - name: PRIMARY - valueFrom: - secretKeyRef: - name: nebula-sync-secret - key: primary - - name: REPLICAS - valueFrom: - secretKeyRef: - name: nebula-sync-secret - key: replicas - - name: FULL_SYNC - value: "false" - - name: RUN_GRAVITY - value: "false" - - name: CRON - value: "*/15 * * * *" - - name: CLIENT_SKIP_TLS_VERIFICATION - value: "true" - - name: TZ - value: America/Chicago - - name: SYNC_CONFIG_DNS - value: "true" - - name: SYNC_CONFIG_DHCP - value: "true" - - name: SYNC_CONFIG_NTP - value: "true" - - name: SYNC_CONFIG_RESOLVER - value: "true" - - name: SYNC_CONFIG_DATABASE - value: "true" - - name: SYNC_CONFIG_MISC - value: "true" - - name: SYNC_CONFIG_DEBUG - value: "true" - - name: SYNC_GRAVITY_DHCP_LEASES - value: "true" - - name: SYNC_GRAVITY_GROUP - value: "true" - - name: SYNC_GRAVITY_AD_LIST - value: "true" - - name: SYNC_GRAVITY_AD_LIST_BY_GROUP - value: "true" - - name: SYNC_GRAVITY_DOMAIN_LIST - value: "true" - - name: SYNC_GRAVITY_DOMAIN_LIST_BY_GROUP - value: "true" - - name: SYNC_GRAVITY_CLIENT - value: "true" - - name: SYNC_GRAVITY_CLIENT_BY_GROUP - value: "true" - diff --git a/infra/nebula-sync/templates/secrets.yaml b/infra/nebula-sync/templates/secrets.yaml deleted file mode 100644 index 3ab65df..0000000 --- a/infra/nebula-sync/templates/secrets.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: nebula-sync-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: nebula-sync-secret - data: - - secretKey: primary - remoteRef: - key: kv/pihole - property: primary - - secretKey: replicas - remoteRef: - key: kv/pihole - property: replicas - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - diff --git a/infra/nfs/Chart.yaml b/infra/nfs/Chart.yaml deleted file mode 100644 index 1a9ffb9..0000000 --- a/infra/nfs/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: nfs-csi -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" - -dependencies: -- name: csi-driver-nfs - repository: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts - version: 4.11.0 diff --git a/infra/openclarity/Chart.yaml b/infra/openclarity/Chart.yaml deleted file mode 100644 index e4028f3..0000000 --- a/infra/openclarity/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: openclarity -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" - -dependencies: - - name: openclarity - repository: oci://ghcr.io/openclarity/charts - version: 1.1.3 diff --git a/infra/openclarity/templates/secret.yaml b/infra/openclarity/templates/secret.yaml deleted file mode 100644 index 51ba410..0000000 --- a/infra/openclarity/templates/secret.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - ---- - -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: openclarity-postgres-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: openclarity-postgres-secret - data: - - secretKey: username - remoteRef: - key: kv/openclarity/postgres - property: username - - secretKey: postgres-password - remoteRef: - key: kv/openclarity/postgres - property: password - - secretKey: password - remoteRef: - key: kv/openclarity/postgres - property: password - - secretKey: database - remoteRef: - key: kv/openclarity/postgres - property: database diff --git a/infra/openclarity/values.yaml b/infra/openclarity/values.yaml deleted file mode 100644 index c8f1629..0000000 --- a/infra/openclarity/values.yaml +++ /dev/null @@ -1,915 +0,0 @@ -openclarity: - global: - imageRegistry: registry.durp.info - - apiserver: - # -- Number of replicas for the API Server - replicas: 1 - - database: - postgresql: - # -- Enable/disable Postgresql database - enabled: true - externalPostgresql: - # -- Enable/disable external Postgresql database - enabled: false - # -- External Postgreqsl database host - host: "" - # -- External Postgresql database port - port: 5432 - auth: - # -- Name of existing secret to use for PostgreSQL credentials that has the following keys: - # username - # password - # database - existingSecret: "" - - image: - # -- API Server image registry - registry: ghcr.io - # -- API Server image repository - repository: openclarity/openclarity-api-server - # -- API Server image tag (immutable tags are recommended) - tag: latest - # -- API Server image digest. If set will override the tag. - digest: "" - # -- API Server image pull policy - pullPolicy: IfNotPresent - - podSecurityContext: - # -- Pod security context enabled - enabled: true - # -- Pod security context fsGroup - fsGroup: 1001 - - containerSecurityContext: - # -- Container security context enabled - enabled: true - # -- User ID which the containers should run as - runAsUser: 1001 - # -- Group ID which the containers should run as - runAsGroup: 1001 - # -- Whether the containers should run as a non-root user - runAsNonRoot: true - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL - - # -- API Server log level - logLevel: info - - resources: - # -- The resources limits for the apiserver containers - limits: {} - # -- The requested resources for the apiserver containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - # -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: false - - orchestrator: - # -- Number of replicas for the Orchestrator service - # Currently 1 supported. - replicas: 1 - - image: - # -- Orchestrator image registry - registry: ghcr.io - # -- Orchestrator image repository - repository: openclarity/openclarity-orchestrator - # -- Orchestrator image tag (immutable tags are recommended) - tag: latest - # -- Orchestrator image digest. If set will override the tag. - digest: "" - # -- Orchestrator image pull policy - pullPolicy: IfNotPresent - - podSecurityContext: - # -- Whether Orchestrator pod security context is enabled - enabled: true - # -- Orchestrator pod security context fsGroup - fsGroup: 1001 - - containerSecurityContext: - # -- Container security context enabled - enabled: true - # -- User ID which the containers should run as - runAsUser: 1001 - # -- Group ID which the containers should run as - runAsGroup: 1001 - # -- Whether the containers should run as a non-root user - runAsNonRoot: true - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL - - # -- Orchestrator service log level - logLevel: info - - resources: - # -- The resources limits for the orchestrator containers - limits: {} - # -- The requested resources for the orchestrator containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - # -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: true - - # -- Global policy used to determine when to clean up an AssetScan. - # Possible options are: - # Always - All AssetScans are cleaned up - # OnSuccess - Only Successful AssetScans are cleaned up, Failed ones are left for debugging - # Never - No AssetScans are cleaned up - deleteJobPolicy: Always - - scannerImage: - # -- Scanner Container image registry - registry: ghcr.io - # -- Scanner Container image repository - repository: openclarity/openclarity-cli - # -- Scanner Container image tag (immutable tags are recommended) - tag: latest - # -- Scanner Container image digest. If set will override the tag. - digest: "" - - # -- Address that scanners can use to reach back to the API server - scannerApiserverAddress: "" - - # -- Address that scanners can use to reach back to the Exploits server - exploitsDBAddress: "" - - # -- Address that scanners can use to reach trivy server - trivyServerAddress: "" - - # -- Address that scanners can use to reach the grype server - grypeServerAddress: "" - - # -- Address that scanners can use to reach the freshclam mirror - freshclamMirrorAddress: "" - - # -- Address that scanner can use to reach the yara rule server - yaraRuleServerAddress: "" - - # -- Which provider driver to enable. - # If enabling the Kubernetes provider ensure that the orchestrator - # serviceAccount section is configured to allow access to the Kubernetes API. - provider: "kubernetes" - - kubernetes: {} - - # Only for testing purposes - docker: {} - - ui: - # -- Number of replicas for the UI service - replicas: 1 - - image: - # -- UI image registry - registry: ghcr.io - # -- UI image repository - repository: openclarity/openclarity-ui - # -- UI image tag - tag: latest - # -- UI image digest. If set will override the tag - digest: "" - # -- UI Image pull policy - pullPolicy: IfNotPresent - - resources: - # -- The resources limits for the UI containers - limits: {} - # -- The requested resources for the UI containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - # -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: true - - podSecurityContext: - # -- Pod security context enabled - enabled: true - # -- Pod security context fsGroup - fsGroup: 101 - - containerSecurityContext: - # -- Container security context enabled - enabled: true - # -- User ID which the containers should run as - runAsUser: 101 - # -- Group ID which the containers should run as - runAsGroup: 101 - # -- Whether the containers should run as a non-root user - runAsNonRoot: true - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL - - uibackend: - # -- Number of replicas for the UI Backend service - replicas: 1 - - image: - # -- UI Backend image registry - registry: ghcr.io - # -- UI Backend image repository - repository: openclarity/openclarity-ui-backend - # -- UI Backend image tag - tag: latest - # -- UI Backend image digest. If set will override the tag. - digest: "" - # -- UI Backend image pull policy - pullPolicy: IfNotPresent - - resources: - # -- The resources limits for the UI backend containers - limits: {} - # -- The requested resources for the UI backend containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - # -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: false - - podSecurityContext: - # -- Pod security context enabled - enabled: true - # -- Pod security context fsGroup - fsGroup: 1001 - - containerSecurityContext: - # -- Container security context enabled - enabled: true - # -- User ID which the containers should run as - runAsUser: 1001 - # -- Group ID which the containers should run as - runAsGroup: 1001 - # -- Whether the containers should run as a non-root user - runAsNonRoot: true - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL - - # -- Log level for the UI backend service - logLevel: info - - gateway: - # -- Number of replicas for the gateway - replicas: 1 - - image: - # -- Gateway service container registry - registry: docker.io - # -- Gateway service container repository - repository: nginxinc/nginx-unprivileged - # -- Gateway service container tag - tag: 1.29.0 - # -- Gateway image digest. If set will override the tag. - digest: "" - # -- Gateway service container pull policy - pullPolicy: IfNotPresent - - resources: - # -- The resources limits for the gateway containers - limits: {} - # -- The requested resources for the gateway containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - # -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: false - - podSecurityContext: - # -- Pod security context enabled - enabled: true - # -- Pod security context fsGroup - fsGroup: 101 - - containerSecurityContext: - # -- Container security context enabled - enabled: true - # -- User ID which the containers should run as - runAsUser: 101 - # -- Group ID which the containers should run as - runAsGroup: 101 - # -- Whether the containers should run as a non-root user - runAsNonRoot: false - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL - - service: - # -- Service type: ClusterIP, NodePort, LoadBalancer - type: ClusterIP - # -- Port configurations - ports: - http: 80 - # -- NodePort configurations - nodePorts: - http: "" - # -- Dedicated IP address used for service - clusterIP: "" - # -- Annotations set for service - annotations: {} - # -- External Traffic Policy configuration - # Set the field to Cluster to route external traffic to all ready endpoints and Local to only route to ready node - # local endpoints. - externalTrafficPolicy: Cluster - - ingress: - # -- Be careful when using ingress. As there is no authentication on openclarity, your instance may be accessible. - # Make sure the ingress remains internal if you decide to enable it. - enabled: false - labels: {} - annotations: {} - - # -- Optionally use ingressClassName instead of default ingress class. - ingressClassName: "" - - hosts: - # Hostname you want to use to access the UI - - host: chart-example.local - # paths will default to: - # paths: - # - pathType: Prefix - # path: / - paths: [] - - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - - postgresql: - image: - # -- Postgresql container registry - registry: docker.io - # -- Postgresql container repository - repository: bitnami/postgresql - # -- Postgresql container tag - tag: 16.6.0-debian-12-r1 - # -- Postgresql image digest. If set will override the tag. - digest: "" - # -- Postgresql container image pull policy - pullPolicy: IfNotPresent - primary: - # -- Postgresql container resource preset - # For more info see: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - resourcesPreset: "small" - - resources: - # -- The resources limits for the postgresql containers - limits: {} - # -- The requested resources for the postgresql containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - # -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: false - - auth: - existingSecret: openclarity-postgres-secret - - podSecurityContext: - # -- Pod security context enabled - enabled: true - # -- Pod security context fsGroup - fsGroup: 1001 - - containerSecurityContext: - # -- Container security context enabled - enabled: true - # -- User ID which the containers should run as - runAsUser: 1001 - # -- Group ID which the containers should run as - runAsGroup: 1001 - # -- Whether the containers should run as a non-root user - runAsNonRoot: true - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL - - service: - ports: - # -- PostgreSQL service port - postgresql: 5432 - - exploitDBServer: - # -- Number of replicas for the exploit-db-server service - replicas: 1 - - image: - # -- Exploit DB Server container registry - registry: ghcr.io - # -- Exploit DB Server container repository - repository: openclarity/exploit-db-server - # -- Exploit DB Server container tag - tag: v0.3.0 - # -- Exploit DB Server image digest. If set will override the tag. - digest: "" - # -- Exploit DB Server image pull policy - pullPolicy: IfNotPresent - - resources: - # -- The resources limits for the exploit-db-server containers - limits: {} - # -- The requested resources for the exploit-db-server containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - # -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: false - - podSecurityContext: - # -- Pod security context enabled - enabled: true - # -- Pod security context fsGroup - fsGroup: 1001 - - containerSecurityContext: - # -- Container security context enabled - enabled: false - # -- User ID which the containers should run as - runAsUser: 1001 - # -- Group ID which the containers should run as - runAsGroup: 1001 - # -- Whether the containers should run as a non-root user - runAsNonRoot: true - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL - - trivyServer: - # -- Number of replicas for the trivy server service - replicas: 1 - - image: - # -- Trivy Server container registry - registry: docker.io - # -- Trivy Server container repository - repository: aquasec/trivy - # -- Trivy Server container tag - tag: 0.69.3 - # -- Trivy Server image digest. If set will override the tag. - digest: "" - # -- Trivy Server image pull policy - pullPolicy: IfNotPresent - - resources: - # -- The resources limits for the trivy server containers - limits: {} - # -- The requested resources for the trivy server containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - # -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: false - - podSecurityContext: - # -- Pod security context enabled - enabled: true - # -- Pod security context fsGroup - fsGroup: 1001 - - containerSecurityContext: - # -- Container security context enabled - enabled: true - # -- User ID which the containers should run as - runAsUser: 1001 - # -- Group ID which the containers should run as - runAsGroup: 1001 - # -- Whether the containers should run as a non-root user - runAsNonRoot: true - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL - - grypeServer: - # -- Number of replicas for the grype server service - replicas: 1 - - image: - # -- Grype server container registry - registry: ghcr.io - # -- Grype server container repository - repository: openclarity/grype-server - # -- Grype server container tag - tag: v0.7.5 - # -- Grype server image digest. If set will override the tag. - digest: "" - # -- Grype server image pull policy - pullPolicy: IfNotPresent - - resources: - # -- The resources limits for the grype server containers - limits: {} - # -- The requested resources for the grype server containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - # -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: false - - podSecurityContext: - # -- Pod security context enabled - enabled: true - # -- Pod security context fsGroup - fsGroup: 1001 - - containerSecurityContext: - # -- Container security context enabled - enabled: true - # -- User ID which the containers should run as - runAsUser: 1001 - # -- Group ID which the containers should run as - runAsGroup: 1001 - # -- Whether the containers should run as a non-root user - runAsNonRoot: true - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL - - # -- Log level for the grype-server service - logLevel: info - - freshclamMirror: - # -- Number of replicas for the freshclam mirror service - replicas: 1 - - image: - # -- Freshclam Mirror container registry - registry: ghcr.io - # -- Freshclam Mirror container repository - repository: openclarity/freshclam-mirror - # -- Freshclam Mirror container tag - tag: v0.3.1 - # -- Freshclam Mirror image digest. If set will override the tag. - digest: "" - # -- Freshclam Mirror image pull policy - pullPolicy: IfNotPresent - - resources: - # -- The resources limits for the freshclam mirror containers - limits: {} - # -- The requested resources for the freshclam mirror containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - # -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: false - - podSecurityContext: - # -- Pod security context enabled - enabled: false - # -- Pod security context fsGroup - fsGroup: 1001 - - containerSecurityContext: - # -- Container security context enabled - enabled: false - # -- User ID which the containers should run as - runAsUser: 1001 - # -- Group ID which the containers should run as - runAsGroup: 1001 - # -- Whether the containers should run as a non-root user - runAsNonRoot: true - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL - - swaggerUI: - # -- Number of replicas for the swagger-ui service - replicas: 1 - - image: - # -- Swagger UI container registry - registry: docker.io - # -- Swagger UI container repository - repository: swaggerapi/swagger-ui - # -- Swagger UI container tag - tag: v5.26.2 - # -- Swagger UI image digest. If set will override the tag. - digest: "" - # -- Swagger UI image pull policy - pullPolicy: IfNotPresent - - resources: - # -- The resources limits for the swagger ui containers - limits: {} - # -- The requested resources for the swagger ui containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - # -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: false - - podSecurityContext: - # -- Pod security context enabled - enabled: false - # -- Pod security context fsGroup - fsGroup: 101 - - containerSecurityContext: - # -- Container security context enabled - enabled: false - # -- User ID which the containers should run as - runAsUser: 0 - # -- Group ID which the containers should run as - runAsGroup: 0 - # -- Whether the containers should run as a non-root user - runAsNonRoot: false - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL - - yaraRuleServer: - # -- Number of replicas for the Yara Rule Server service - replicas: 1 - - image: - # -- Yara Rule Server container registry - registry: ghcr.io - # -- Yara Rule Server container repository - repository: openclarity/yara-rule-server - # -- Yara Rule Server container tag - tag: v0.3.0 - # -- Yara Rule Server image digest. If set will override the tag. - digest: "" - # -- Yara Rule Server image pull policy - pullPolicy: IfNotPresent - - resources: - # -- The resources limits for the Yara Rule Server containers - limits: {} - # -- The requested resources for the Yara Rule Server containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - #false -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: false - - podSecurityContext: - # -- Pod security context enabled - enabled: false - # -- Pod security context fsGroup - fsGroup: 1001 - - containerSecurityContext: - # -- Container security context enabled - enabled: false - # -- User ID which the containers should run as - runAsUser: 1001 - # -- Group ID which the containers should run as - runAsGroup: 1001 - # -- Whether the containers should run as a non-root user - runAsNonRoot: true - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL - - crDiscoveryServer: - nodeSelector: {} - tolerations: [] - affinity: {} - image: - # -- Container Runtime Discovery Server container registry - registry: ghcr.io - # -- Container Runtime Discovery Server container repository - repository: openclarity/openclarity-cr-discovery-server - # -- Container Runtime Discovery Server container tag - tag: latest - # -- Container Runtime Discovery Server image digest. If set will override the tag. - digest: "" - # -- Container Runtime Discovery Server image pull policy - pullPolicy: IfNotPresent - - # -- Environment variables to set in the Container Runtime Discovery Server container - env: [] - # - name: CONTAINERD_SOCK_ADDRESS - # value: /var/run/containerd/containerd.sock - containerRuntimePaths: - - name: containerd - path: /var/run/containerd - readOnly: true - - name: k3s-containerd - path: /run/k3s/containerd - readOnly: true - - name: docker - path: /var/lib/docker - readOnly: true - - name: crio - path: /var/run/crio - readOnly: true - - name: crio-lib - path: /var/lib/containers - - name: crio-run - path: /var/run/containers - - name: crio-containers - path: /etc/containers - readOnly: true - resources: - # -- The resources limits for the container runtime discovery server containers - limits: {} - # -- The requested resources for the container runtime discovery server containers - requests: {} - - serviceAccount: - # -- Enable creation of ServiceAccount - create: true - # -- The name of the ServiceAccount to use. - # If not set and create is true, it will use the component's calculated name. - name: "" - # -- Allows auto mount of ServiceAccountToken on the serviceAccount created. - # Can be set to false if pods using this serviceAccount do not need to use K8s API. - automountServiceAccountToken: false - - podSecurityContext: - # -- Pod security context enabled - enabled: false - # -- Pod security context fsGroup - fsGroup: 1001 - - # In order to use CRI-O runtime you need to run OpenClarity - # with the following configuration: - # - # containerSecurityContext: - # enabled: true - # privileged: true - # readOnlyRootFilesystem: false - containerSecurityContext: - # -- Container security context enabled - enabled: false - # -- User ID which the containers should run as - runAsUser: 1001 - # -- Group ID which the containers should run as - runAsGroup: 1001 - # -- Whether the containers should run as a non-root user - runAsNonRoot: true - # -- Whether the container should run in privileged mode - privileged: false - # -- Force the child process to run as non-privileged - allowPrivilegeEscalation: false - # -- Mounts the container file system as ReadOnly - readOnlyRootFilesystem: true - capabilities: - # -- List of capabilities to be dropped - drop: - - ALL \ No newline at end of file diff --git a/infra/portainer/Chart.yaml b/infra/portainer/Chart.yaml deleted file mode 100644 index 6bedd0a..0000000 --- a/infra/portainer/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: portainer -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" - -dependencies: - - name: portainer - repository: https://portainer.github.io/k8s/ - version: 2.33.6 diff --git a/infra/portainer/templates/ingress.yaml b/infra/portainer/templates/ingress.yaml deleted file mode 100644 index c1e0e38..0000000 --- a/infra/portainer/templates/ingress.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: portainer-ingress -spec: - entryPoints: - - websecure - routes: - - match: Host(`portainer.internal.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: portainer - port: 9000 - tls: - secretName: portainer-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: portainer-tls -spec: - secretName: portainer-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "portainer.internal.durp.info" - dnsNames: - - "portainer.internal.durp.info" diff --git a/infra/portainer/values.yaml b/infra/portainer/values.yaml deleted file mode 100644 index a3779f7..0000000 --- a/infra/portainer/values.yaml +++ /dev/null @@ -1,78 +0,0 @@ -portainer: - replicaCount: 1 - image: - repository: registry.durp.info/portainer/portainer-ce - tag: 2.39.1 - pullPolicy: Always - - imagePullSecrets: [] - - nodeSelector: {} - tolerations: [] - - serviceAccount: - annotations: {} - name: portainer-sa-clusteradmin - - # This flag provides the ability to enable or disable RBAC-related resources during the deployment of the Portainer application - # If you are using Portainer to manage the K8s cluster it is deployed to, this flag must be set to true - localMgmt: true - - service: - # Set the httpNodePort and edgeNodePort only if the type is NodePort - # For Ingress, set the type to be ClusterIP and set ingress.enabled to true - # For Cloud Providers, set the type to be LoadBalancer - type: NodePort - httpPort: 9000 - httpsPort: 9443 - httpNodePort: 30777 - httpsNodePort: 30779 - edgePort: 8000 - edgeNodePort: 30776 - annotations: {} - - tls: - # If set, Portainer will be configured to use TLS only - force: false - # If set, will mount the existing secret into the pod - existingSecret: "" - - trusted_origins: - # If set, Portainer will be configured to trust the domains specified in domains - enabled: false - # specify (in a comma-separated list) the domain(s) used to access Portainer when it is behind a reverse proxy - # example: portainer.mydomain.com,portainer.example.com - domains: "" - - mtls: - # If set, Portainer will be configured to use mTLS only - enable: false - # If set, will mount the existing secret into the pod - existingSecret: "" - - feature: - flags: [] - - ingress: - enabled: false - ingressClassName: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # Only use below if tls.force=true - # nginx.ingress.kubernetes.io/backend-protocol: HTTPS - # Note: Hosts and paths are of type array - hosts: - - host: - paths: [] - # - path: "/" - tls: [] - - resources: {} - - persistence: - enabled: true - size: "10Gi" - annotations: {} - storageClass: longhorn - existingClaim: - diff --git a/infra/renovate/Chart.yaml b/infra/renovate/Chart.yaml deleted file mode 100644 index b20d1e8..0000000 --- a/infra/renovate/Chart.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v2 -name: renovate -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" - -dependencies: - - name: renovate - repository: https://docs.renovatebot.com/helm-charts - version: 39.264.0 - alias: "renovate-personal" diff --git a/infra/renovate/templates/secrets.yaml b/infra/renovate/templates/secrets.yaml deleted file mode 100644 index d42ab7e..0000000 --- a/infra/renovate/templates/secrets.yaml +++ /dev/null @@ -1,62 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: renovate-config-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: renovate-config-secret - data: - - secretKey: renovate.json - remoteRef: - key: kv/renovate - property: config - - secretKey: RENOVATE_AUTODISCOVER - remoteRef: - key: kv/renovate - property: RENOVATE_AUTODISCOVER - - secretKey: RENOVATE_ENDPOINT - remoteRef: - key: kv/renovate - property: RENOVATE_ENDPOINT - - secretKey: RENOVATE_GIT_AUTHOR - remoteRef: - key: kv/renovate - property: RENOVATE_GIT_AUTHOR - - secretKey: RENOVATE_PLATFORM - remoteRef: - key: kv/renovate - property: RENOVATE_PLATFORM - - secretKey: RENOVATE_TOKEN - remoteRef: - key: kv/renovate - property: RENOVATE_TOKEN - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: renovate-personal-config-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: renovate-personal-config-secret - data: - - secretKey: RENOVATE_TOKEN - remoteRef: - key: kv/renoatePersonal - property: RENOVATE_TOKEN - - secretKey: RENOVATE_GITHUB_COM_TOKEN - remoteRef: - key: kv/renoatePersonal - property: RENOVATE_GITHUB_COM_TOKEN diff --git a/infra/renovate/values.yaml b/infra/renovate/values.yaml deleted file mode 100644 index 4754bc7..0000000 --- a/infra/renovate/values.yaml +++ /dev/null @@ -1,330 +0,0 @@ -renovate-personal: - global: - # -- Additional labels to be set on all renovate resources - commonLabels: {} - compatibility: - openshift: - # -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: `auto` (apply if the detected running cluster is Openshift), `force` (perform the adaptation always), `disabled` (do not perform adaptation) - adaptSecurityContext: "auto" - - # -- Override the name of the chart - nameOverride: "" - # -- Override the fully qualified app name - fullnameOverride: "" - # -- Annotations to add to secret - secretAnnotations: {} - - cronjob: - # -- Schedules the job to run using cron notation - schedule: "0 1 * * *" # At 01:00 every day - # -- You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) - timeZone: "" # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for valid names - # -- If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions. - suspend: false - # -- Annotations to set on the cronjob - annotations: {} - # -- Labels to set on the cronjob - labels: {} - # -- "Allow" to allow concurrent runs, "Forbid" to skip new runs if a previous run is still running or "Replace" to replace the previous run - concurrencyPolicy: "" - # -- "Number of successful completions is reached to mark the job as complete" - completions: "" - # -- "Where the jobs should be NonIndexed or Indexed" - completionMode: "" - # -- Amount of failed jobs to keep in history - failedJobsHistoryLimit: "" - # -- Amount of completed jobs to keep in history - successfulJobsHistoryLimit: "" - # -- Set to Never to restart the job when the pod fails or to OnFailure to restart when a container fails - jobRestartPolicy: Never - # -- Time to keep the job after it finished before automatically deleting it - ttlSecondsAfterFinished: "" - # -- Deadline for the job to finish - activeDeadlineSeconds: "" - # -- Number of times to retry running the pod before considering the job as being failed - jobBackoffLimit: "" - # -- Maximal number of failures per index - backoffLimitPerIndex: "" - # -- Maximal number of failed indexes before terminating the Job execution - maxFailedIndexes: "" - # -- Deadline to start the job, skips execution if job misses it's configured deadline - startingDeadlineSeconds: "" - # -- Additional initContainers that can be executed before renovate - initContainers: [] - # initContainers: - # - name: INIT_CONTAINER_NAME - # image: INIT_CONTAINER_IMAGE - # -- Number of pods to run in parallel - parallelism: "" - # -- Custom command to run in the container - commandOverride: [] - # -- Custom arguments to run in the container - argsOverride: [] - # -- Prepend shell commands before renovate runs - #preCommand: '' - #preCommand: | - # ls /config - # cat /config/renovate.json - - postCommand: "" - # postCommand: | - # echo hello - # echo world - - pod: - # -- Annotations to set on the pod - annotations: {} - # -- Labels to set on the pod - labels: {} - - image: - # -- Registry to pull image from - registry: registry.durp.info - # -- Image name to pull - repository: renovatebot/renovate - # -- Renovate image tag to pull - #tag: 39.264.0 - # -- "IfNotPresent" to pull the image if no image with the specified tag exists on the node, "Always" to always pull the image or "Never" to try and use pre-pulled images - pullPolicy: Always - # -- Set `true` to use the full image. See https://docs.renovatebot.com/getting-started/running/#the-full-image - useFull: false - - # -- Secret to use to pull the image from the repository - imagePullSecrets: {} - - renovate: - # -- Custom exiting global renovate config - #existingConfigFile: "/config/renovate.json" - # -- Inline global renovate config.json - config: | - { - "platform": "gitlab", - "endpoint": "https://gitlab.durp.info/api/v4", - "autodiscover": true, - "dryRun": null, - "printConfig": false, - "autodiscoverFilter": ["durfy/**"], - "assignees": ["durp"] - } - # See https://docs.renovatebot.com/self-hosted-configuration - # config: | - # { - # "": "gitlab", - # "endpoint": "https://gitlab.example.com/api/v4", - # "token": "your-gitlab-renovate-user-token", - # "autodiscover": "false", - # "dryRun": true, - # "printConfig": true, - # "repositories": ["username/repo", "orgname/repo"] - # } - - # -- Use the Helm tpl function on your configuration. See README for how to use this value - configEnableHelmTpl: false - - # -- Use this to create the renovate-config as a secret instead of a configmap - configIsSecret: true - - # -- Use this to create a config.js instead of a config.json - configIsJavaScript: false - - # -- Renovate Container-level security-context - securityContext: {} - - # Instead of a file system cache, it is highly recommended to use the redis subchart. - # Alternatively, SQLite is also a good choice. - # Take a look at https://github.com/renovatebot/renovate/discussions/30525 for more information. - # -- Options related to persistence - persistence: - cache: - # -- Allow the cache to persist between runs - enabled: false - # -- Storage class of the cache PVC - storageClass: "" - # -- Storage size of the cache PVC - storageSize: "512Mi" - # -- Existing volume, enables binding the pvc to an existing volume - volumeName: "" - # -- Labels to set on the cache PVC - labels: {} - - ssh_config: - # -- Whether to enable the use and creation of a secret containing .ssh files - enabled: false - - # Provide .ssh config file contents - # -- Contents of the id_rsa file - id_rsa: "" - # -- Contents of the id_rsa_pub file - id_rsa_pub: "" - # -- Contents of the config file - config: "" - - # or provide the name of an existing secret to be read instead. - # -- Name of the existing secret containing a valid .ssh configuration - existingSecret: "" - - # -- Environment variables that should be referenced from a k8s secret, cannot be used when existingSecret is set - secrets: {} - # -- k8s secret to reference environment variables from. Overrides secrets if set - existingSecret: "renovate-personal-config-secret" - - # -- Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config - extraConfigmaps: [] - # extraConfigmaps: - # - name: netrc-config - # data: - # .netrc: |- - # machine gitlab.example.com - # login gitlab-ci-token - # password some-pass - # - name: yet-another-config - # data: - # ya-config.yaml: |- - # "key"="value" - # "key1"="value1" - - #extraVolumes: - # - name: renovate-config-secret - # secretName: - # name: renovate-config-secret - # items: - # - key: renovate.json - # path: renovate.json - - #extraVolumeMounts: - # - name: renovate-config-secret - # mountPath: /config - # subPath: renovate.json - - # -- Additional containers to the pod - extraContainers: [] - # extraContainers: - # - name: vault-agent - # image: vault:1.6.2 - # args: - # - agent - # - -config - # - /vault/config/config.hcl - # env: - # - name: VAULT_ADDR - # value: https://vault:8200 - # - name: VAULT_SKIP_VERIFY - # value: "false" - # - name: VAULT_CACERT - # value: /vault/tls/ca.crt - - serviceAccount: - # -- Specifies whether a service account should be created - create: false - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use - # If not set and create is true, a name is generated using the fullname template - name: "" - - # -- Specify resource limits and requests for the renovate container - resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - # -- Environment variables to add from existing secrets/configmaps. Uses the keys as variable name - envFrom: [] - # envFrom: - # - secretRef: - # name: env-secrets - # - configMapRef: - # name: env-configmap - - # -- Environment variables to set on the renovate container - env: - RENOVATE_AUTODISCOVER: true - #LOG_LEVEL: debug - # env: - # VARIABLE_NAME: "value" - - # -- Additional env. Helpful too if you want to use anything other than a `value` source. - envList: [] - # envList: - # - name: POD_NAME - # valueFrom: - # fieldRef: - # fieldPath: metadata.name - - redis: - # Configuration for a Redis subchart. Additional documentation at - # https://github.com/bitnami/charts/tree/master/bitnami/redis - - # -- Enable the Redis subchart? - enabled: false - - # -- Override the prefix of the redisHost - nameOverride: "" - - # -- Disable replication by default - architecture: standalone - - auth: - # -- Don't require a password by default - enabled: false - - # -- Override Kubernetes version for redis chart - kubeVersion: "" - - # -- Override hostname resolution - hostAliases: [] - # See: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ - # hostAliases: - # - ip: "your-ip" - # hostnames: - # - "your-hostname" - - # -- Pod-level security-context - securityContext: {} - - # -- Select the node using labels to specify where the cronjob pod should run on - nodeSelector: {} - # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - # renovate: true - - # -- Configure the pod(Anti)Affinity and/or node(Anti)Affinity - affinity: {} - # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - - # -- Configure which node taints the pod should tolerate - tolerations: [] - # See: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - - # -- Create extra manifests via values. Would be passed through `tpl` for templating - extraObjects: [] - # extraObjects: - # - apiVersion: external-secrets.io/v1 - # kind: ExternalSecret - # metadata: - # name: '{{ include "renovate.fullname" . }}-token' - # spec: - # secretStoreRef: - # name: default - # data: - # - secretKey: token - # remoteRef: - # key: github-token - # - | - # apiVersion: v1 - # kind: ConfigMap - # metadata: - # name: {{ include "renovate.fullname" . }}-config - # data: - # config.json: | - # { - # "platform": "github", - # "repositories": ["username/repo", "orgname/repo"] - # } diff --git a/infra/traefik/Chart.yaml b/infra/traefik/Chart.yaml deleted file mode 100644 index 1df1d76..0000000 --- a/infra/traefik/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: traefik -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: traefik - repository: https://traefik.github.io/charts - version: 34.5.0 diff --git a/infra/traefik/values.yaml b/infra/traefik/values.yaml deleted file mode 100644 index 3c75dd1..0000000 --- a/infra/traefik/values.yaml +++ /dev/null @@ -1,53 +0,0 @@ -traefik: - image: - registry: registry.durp.info - repository: traefik - pullPolicy: Always - - providers: - kubernetesCRD: - allowCrossNamespace: true - allowExternalNameServices: true - allowEmptyServices: false - - deployment: - replicas: 3 - revisionHistoryLimit: 1 - - ingressRoute: - dashboard: - enabled: true - - additionalArguments: - - "--serversTransport.insecureSkipVerify=true" - - "--log.level=DEBUG" - - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin - - --experimental.plugins.jwt.version=v0.7.0 - - autoscaling: - enabled: true - minReplicas: 3 - maxReplicas: 10 - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 80 - behavior: - scaleDown: - stabilizationWindowSeconds: 300 - policies: - - type: Pods - value: 1 - periodSeconds: 60 - - - # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. - resources: - requests: - cpu: "100m" - memory: "512Mi" - limits: - memory: "512Mi" diff --git a/infra/vault/templates/ingress.yaml b/infra/vault/templates/ingress.yaml deleted file mode 100644 index 547cde8..0000000 --- a/infra/vault/templates/ingress.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: vault-ingress - annotations: - cert-manager.io/cluster-issuer: letsencrypt-production -spec: - entryPoints: - - websecure - routes: - - match: Host(`vault.infra.durp.info`) - kind: Rule - services: - - name: vault - port: 8200 - scheme: https - tls: - secretName: vault-tls - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: vault-tls -spec: - secretName: vault-tls - issuerRef: - name: vault-issuer - kind: ClusterIssuer - commonName: "vault.infra.durp.info" - dnsNames: - - "vault.infra.durp.info" diff --git a/infra/vault/templates/sa.yaml b/infra/vault/templates/sa.yaml deleted file mode 100644 index e298701..0000000 --- a/infra/vault/templates/sa.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: issuer diff --git a/infra/vault/templates/secret-store.yaml b/infra/vault/templates/secret-store.yaml deleted file mode 100644 index f17884e..0000000 --- a/infra/vault/templates/secret-store.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ClusterSecretStore -metadata: - name: vault -spec: - provider: - vault: - server: "https://vault.infra.durp.info" - path: "kv" - version: "v2" - auth: - kubernetes: - mountPath: "kubernetes" - role: "external-secrets" - serviceAccountRef: - name: "vault" - diff --git a/infra/vault/values.yaml b/infra/vault/values.yaml deleted file mode 100644 index 913df48..0000000 --- a/infra/vault/values.yaml +++ /dev/null @@ -1,140 +0,0 @@ -vault: - global: - enabled: true - tlsDisable: false - resources: - requests: - memory: 256Mi - cpu: 250m - limits: - memory: 256Mi - cpu: 250m - - server: - image: - repository: "hashicorp/vault" - # These Resource Limits are in line with node requirements in the - # Vault Reference Architecture for a Small Cluster - #resources: - # requests: - # memory: 8Gi - # cpu: 2000m - # limits: - # memory: 16Gi - # cpu: 2000m - - # For HA configuration and because we need to manually init the vault, - # we need to define custom readiness/liveness Probe settings - readinessProbe: - enabled: true - path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204" - livenessProbe: - enabled: true - path: "/v1/sys/health?standbyok=true" - initialDelaySeconds: 60 - - # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be - # used to include variables required for auto-unseal. - extraEnvironmentVars: - VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca - - extraSecretEnvironmentVars: - - envName: VAULT_TOKEN - secretName: autounseal - secretKey: VAULT_TOKEN - - volumes: - - name: userconfig-vault-server-tls - secret: - defaultMode: 420 - secretName: vault-server-tls - - volumeMounts: - - mountPath: /vault/userconfig/vault-server-tls - name: userconfig-vault-server-tls - readOnly: true - - # This configures the Vault Statefulset to create a PVC for audit logs. - # See https://www.vaultproject.io/docs/audit/index.html to know more - auditStorage: - enabled: true - - standalone: - enabled: false - - config: | - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" - tls_key_file = "/vault/userconfig/vault-server-tls/vault.key" - } - - seal "transit" { - address = "https://root-vault.internal.durp.info" - disable_renewal = "false" - key_name = "autounseal" - mount_path = "transit/" - tls_skip_verify = "true" - } - - storage "raft" { - path = "/vault/data" - } - - # Run Vault in "HA" mode. - ha: - enabled: true - replicas: 3 - raft: - enabled: true - setNodeId: true - - config: | - ui = true - cluster_name = "vault-integrated-storage" - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" - tls_key_file = "/vault/userconfig/vault-server-tls/vault.key" - } - - seal "transit" { - address = "https://root-vault.internal.durp.info" - disable_renewal = "false" - key_name = "autounseal" - mount_path = "transit/" - tls_skip_verify = "true" - } - - storage "raft" { - path = "/vault/data" - retry_join { - leader_api_addr = "https://vault-0.vault-internal:8200" - leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca" - leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" - leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key" - } - retry_join { - leader_api_addr = "https://vault-1.vault-internal:8200" - leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca" - leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" - leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key" - } - retry_join { - leader_api_addr = "https://vault-2.vault-internal:8200" - leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca" - leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt" - leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key" - } - } - - # Vault UI - ui: - enabled: false - serviceType: "LoadBalancer" - serviceNodePort: null - externalPort: 8200 diff --git a/dmz/internalproxy/Chart.yaml b/internalproxy/Chart.yaml similarity index 100% rename from dmz/internalproxy/Chart.yaml rename to internalproxy/Chart.yaml diff --git a/internalproxy/templates/argocd.yaml b/internalproxy/templates/argocd.yaml new file mode 100644 index 0000000..15dfaf9 --- /dev/null +++ b/internalproxy/templates/argocd.yaml @@ -0,0 +1,46 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: argocd-ingress + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production +spec: + entryPoints: + - websecure + routes: + - match: Host(`argocd.internal.durp.info`) + middlewares: + - name: whitelist + namespace: traefik + kind: Rule + services: + - name: argocd-server + port: 443 + scheme: https + tls: + secretName: argocd-tls + +--- + +kind: Service +apiVersion: v1 +metadata: + name: argocd-server +spec: + type: ExternalName + externalName: argocd-server.argocd.svc.cluster.local + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: argocd-tls +spec: + secretName: argocd-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "argocd.internal.durp.info" + dnsNames: + - "argocd.internal.durp.info" \ No newline at end of file diff --git a/internalproxy/templates/duplicati-ingress.yaml b/internalproxy/templates/duplicati-ingress.yaml new file mode 100644 index 0000000..d51c391 --- /dev/null +++ b/internalproxy/templates/duplicati-ingress.yaml @@ -0,0 +1,70 @@ +apiVersion: v1 +kind: Service +metadata: + name: duplicati +spec: + ports: + - name: app + port: 8200 + protocol: TCP + targetPort: 8200 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: duplicati +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 8200 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: duplicati-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: duplicati + port: 8200 + - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) + kind: Rule + services: + - name: ak-outpost-authentik-embedded-outpost + namespace: authentik + port: 9000 + tls: + secretName: duplicati-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: duplicati-tls +spec: + secretName: duplicati-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "duplicati.internal.durp.info" + dnsNames: + - "duplicati.internal.durp.info" \ No newline at end of file diff --git a/internalproxy/templates/gitea.yaml b/internalproxy/templates/gitea.yaml new file mode 100644 index 0000000..8443aaf --- /dev/null +++ b/internalproxy/templates/gitea.yaml @@ -0,0 +1,9 @@ +kind: Service +apiVersion: v1 +metadata: + name: gitea-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: gitea.durp.info +spec: + type: ExternalName + externalName: durp.info \ No newline at end of file diff --git a/internalproxy/templates/guac.yaml b/internalproxy/templates/guac.yaml new file mode 100644 index 0000000..a69b685 --- /dev/null +++ b/internalproxy/templates/guac.yaml @@ -0,0 +1,71 @@ +kind: Service +apiVersion: v1 +metadata: + name: guac-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: guac.durp.info +spec: + type: ExternalName + externalName: durp.info + +--- + +apiVersion: v1 +kind: Service +metadata: + name: guac +spec: + ports: + - name: app + port: 8082 + protocol: TCP + targetPort: 8082 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: guac +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 8082 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: guac-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`guac.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: guac + port: 8082 + tls: + secretName: guac-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: guac-tls +spec: + secretName: guac-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "guac.durp.info" + dnsNames: + - "guac.durp.info" \ No newline at end of file diff --git a/internalproxy/templates/jellyfin.yaml b/internalproxy/templates/jellyfin.yaml new file mode 100644 index 0000000..61d86a5 --- /dev/null +++ b/internalproxy/templates/jellyfin.yaml @@ -0,0 +1,9 @@ +kind: Service +apiVersion: v1 +metadata: + name: jellyfin-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: jellyfin.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/internalproxy/templates/kasm.yaml b/internalproxy/templates/kasm.yaml new file mode 100644 index 0000000..28b25ae --- /dev/null +++ b/internalproxy/templates/kasm.yaml @@ -0,0 +1,9 @@ +kind: Service +apiVersion: v1 +metadata: + name: kasm-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: kasm.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/dmz/internalproxy/templates/nexus.yaml b/internalproxy/templates/nexus.yaml similarity index 60% rename from dmz/internalproxy/templates/nexus.yaml rename to internalproxy/templates/nexus.yaml index 8e9ca70..7074102 100644 --- a/dmz/internalproxy/templates/nexus.yaml +++ b/internalproxy/templates/nexus.yaml @@ -1,4 +1,33 @@ -apiVersion: traefik.io/v1alpha1 +apiVersion: v1 +kind: Service +metadata: + name: nexus +spec: + ports: + - name: app + port: 8081 + protocol: TCP + targetPort: 8081 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: nexus +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 8081 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: nexus-ingress @@ -9,7 +38,7 @@ spec: - match: Host(`nexus.durp.info`) && PathPrefix(`/`) kind: Rule services: - - name: unraid + - name: nexus port: 8081 tls: secretName: nexus-tls @@ -39,4 +68,4 @@ metadata: external-dns.alpha.kubernetes.io/hostname: nexus.durp.info spec: type: ExternalName - externalName: durp.info + externalName: durp.info \ No newline at end of file diff --git a/internalproxy/templates/plex.yaml b/internalproxy/templates/plex.yaml new file mode 100644 index 0000000..2e70286 --- /dev/null +++ b/internalproxy/templates/plex.yaml @@ -0,0 +1,9 @@ +kind: Service +apiVersion: v1 +metadata: + name: plex-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: plex.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/internalproxy/templates/registry-internal.yaml b/internalproxy/templates/registry-internal.yaml new file mode 100644 index 0000000..a1c584f --- /dev/null +++ b/internalproxy/templates/registry-internal.yaml @@ -0,0 +1,59 @@ +apiVersion: v1 +kind: Service +metadata: + name: registry-internal +spec: + ports: + - name: app + port: 5001 + protocol: TCP + targetPort: 5001 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: registry-internal +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 5001 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: registry-internal-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`registry.internal.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: registry-internal + port: 5001 + tls: + secretName: registry-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: registry-internal-tls +spec: + secretName: registry-internal-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "registry.durp.info" + dnsNames: + - "registry.durp.info" diff --git a/internalproxy/templates/registry.yaml b/internalproxy/templates/registry.yaml new file mode 100644 index 0000000..b4ac19a --- /dev/null +++ b/internalproxy/templates/registry.yaml @@ -0,0 +1,71 @@ +apiVersion: v1 +kind: Service +metadata: + name: registry +spec: + ports: + - name: app + port: 5000 + protocol: TCP + targetPort: 5000 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: registry +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 5000 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: registry-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`registry.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: registry + port: 5000 + tls: + secretName: registry-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: registry-tls +spec: + secretName: registry-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "registry.durp.info" + dnsNames: + - "registry.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: registry-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: registry.durp.info +spec: + type: ExternalName + externalName: durp.info \ No newline at end of file diff --git a/dmz/internalproxy/templates/smokeping.yaml b/internalproxy/templates/smokeping.yaml similarity index 56% rename from dmz/internalproxy/templates/smokeping.yaml rename to internalproxy/templates/smokeping.yaml index 9808876..8a76738 100644 --- a/dmz/internalproxy/templates/smokeping.yaml +++ b/internalproxy/templates/smokeping.yaml @@ -1,4 +1,33 @@ -apiVersion: traefik.io/v1alpha1 +apiVersion: v1 +kind: Service +metadata: + name: smokeping +spec: + ports: + - name: app + port: 81 + protocol: TCP + targetPort: 81 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: smokeping +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 81 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: smokeping-ingress @@ -14,12 +43,19 @@ spec: namespace: traefik kind: Rule services: - - name: unraid + - name: smokeping port: 81 + - match: Host(`smokeping.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) + kind: Rule + services: + - name: ak-outpost-authentik-embedded-outpost + namespace: authentik + port: 9000 tls: secretName: smokeping-tls --- + apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -34,6 +70,7 @@ spec: - "smokeping.durp.info" --- + kind: Service apiVersion: v1 metadata: @@ -42,4 +79,4 @@ metadata: external-dns.alpha.kubernetes.io/hostname: smokeping.durp.info spec: type: ExternalName - externalName: durp.info + externalName: durp.info \ No newline at end of file diff --git a/dmz/openspeedtest/templates/ingress.yaml b/internalproxy/templates/speedtest.yaml similarity index 50% rename from dmz/openspeedtest/templates/ingress.yaml rename to internalproxy/templates/speedtest.yaml index 063a751..e034917 100644 --- a/dmz/openspeedtest/templates/ingress.yaml +++ b/internalproxy/templates/speedtest.yaml @@ -1,7 +1,36 @@ -apiVersion: traefik.io/v1alpha1 +apiVersion: v1 +kind: Service +metadata: + name: speedtest +spec: + ports: + - name: app + port: 6580 + protocol: TCP + targetPort: 6580 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: speedtest +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 6580 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: - name: openspeedtest-ingress + name: speedtest-ingress spec: entryPoints: - websecure @@ -10,22 +39,21 @@ spec: kind: Rule middlewares: - name: authentik-proxy-provider - namespace: traefik - - name: limit-buffering + namespace: traefik services: - - name: openspeedtest - port: 3000 + - name: speedtest + port: 6580 tls: - secretName: openspeedtest-tls + secretName: speedtest-tls --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: openspeedtest-tls + name: speedtest-tls spec: - secretName: openspeedtest-tls + secretName: speedtest-tls issuerRef: name: letsencrypt-production kind: ClusterIssuer @@ -38,19 +66,9 @@ spec: kind: Service apiVersion: v1 metadata: - name: openspeedtest-external-dns + name: speedtest-external-dns annotations: external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info spec: type: ExternalName - externalName: durp.info - ---- - -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: limit-buffering -spec: - buffering: - maxRequestBodyBytes: 10000000000 + externalName: durp.info \ No newline at end of file diff --git a/dmz/internalproxy/templates/tdarr.yaml b/internalproxy/templates/tdarr.yaml similarity index 61% rename from dmz/internalproxy/templates/tdarr.yaml rename to internalproxy/templates/tdarr.yaml index 35b9485..c4403b9 100644 --- a/dmz/internalproxy/templates/tdarr.yaml +++ b/internalproxy/templates/tdarr.yaml @@ -1,4 +1,33 @@ -apiVersion: traefik.io/v1alpha1 +apiVersion: v1 +kind: Service +metadata: + name: tdarr +spec: + ports: + - name: app + port: 8267 + protocol: TCP + targetPort: 8267 + clusterIP: None + type: ClusterIP + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + name: tdarr +subsets: +- addresses: + - ip: 192.168.20.253 + ports: + - name: app + port: 8267 + protocol: TCP + +--- + +apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: tdarr-ingress @@ -16,7 +45,7 @@ spec: namespace: traefik kind: Rule services: - - name: unraid + - name: tdarr port: 8267 scheme: http tls: @@ -31,7 +60,7 @@ metadata: spec: secretName: tdarr-tls issuerRef: - name: vault-issuer + name: letsencrypt-production kind: ClusterIssuer commonName: "tdarr.internal.durp.info" dnsNames: diff --git a/infra/kube-prometheus-stack/Chart.yaml b/kube-prometheus-stack/Chart.yaml similarity index 56% rename from infra/kube-prometheus-stack/Chart.yaml rename to kube-prometheus-stack/Chart.yaml index d2de063..3cd9e24 100644 --- a/infra/kube-prometheus-stack/Chart.yaml +++ b/kube-prometheus-stack/Chart.yaml @@ -7,6 +7,6 @@ version: 0.1.0 appVersion: "1.16.0" dependencies: - - name: kube-prometheus-stack - repository: https://prometheus-community.github.io/helm-charts - version: 77.10.0 +- name: kube-prometheus-stack + repository: https://prometheus-community.github.io/helm-charts + version: 40.5.0 diff --git a/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml b/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml new file mode 100644 index 0000000..716d4e5 --- /dev/null +++ b/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml @@ -0,0 +1,41 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-grafana-oauth +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: grafana-oauth + data: + - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID + remoteRef: + key: secrets/kube-prometheus/grafana/oauth + property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID + - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET + remoteRef: + key: secrets/kube-prometheus/grafana/oauth + property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET + +--- + +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-admin-credentials +spec: + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: grafana-admin-credentials + data: + - secretKey: admin-password + remoteRef: + key: secrets/kube-prometheus/grafana/admin + property: admin-password + - secretKey: admin-user + remoteRef: + key: secrets/kube-prometheus/grafana/admin + property: admin-user diff --git a/infra/kube-prometheus-stack/templates/ingress.yaml b/kube-prometheus-stack/templates/ingress.yaml similarity index 61% rename from infra/kube-prometheus-stack/templates/ingress.yaml rename to kube-prometheus-stack/templates/ingress.yaml index 5638d6a..caf0ee1 100644 --- a/infra/kube-prometheus-stack/templates/ingress.yaml +++ b/kube-prometheus-stack/templates/ingress.yaml @@ -1,4 +1,4 @@ -apiVersion: traefik.io/v1alpha1 +apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: grafana-ingress @@ -6,15 +6,16 @@ spec: entryPoints: - websecure routes: - - match: Host(`grafana.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: grafana - port: 80 + - match: Host(`grafana.durp.info`) && PathPrefix(`/`) + kind: Rule + services: + - name: grafana + port: 80 tls: secretName: grafana-tls --- + apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -26,10 +27,11 @@ spec: kind: ClusterIssuer commonName: "grafana.durp.info" dnsNames: - - "grafana.durp.info" + - "grafana.durp.info" --- -apiVersion: traefik.io/v1alpha1 + +apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: alertmanager-ingress @@ -37,20 +39,21 @@ spec: entryPoints: - websecure routes: - - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`) - middlewares: - - name: whitelist - namespace: traefik - - name: authentik-proxy-provider - namespace: traefik - kind: Rule - services: - - name: prometheus-alertmanager - port: 9093 + - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: prometheus-alertmanager + port: 9093 tls: secretName: alertmanager-tls --- + apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -62,9 +65,10 @@ spec: kind: ClusterIssuer commonName: "alertmanager.durp.info" dnsNames: - - "alertmanager.durp.info" + - "alertmanager.durp.info" --- + kind: Service apiVersion: v1 metadata: @@ -73,5 +77,4 @@ metadata: external-dns.alpha.kubernetes.io/hostname: grafana.durp.info spec: type: ExternalName - externalName: durp.info - + externalName: durp.info \ No newline at end of file diff --git a/infra/kube-prometheus-stack/values.yaml b/kube-prometheus-stack/values.yaml similarity index 85% rename from infra/kube-prometheus-stack/values.yaml rename to kube-prometheus-stack/values.yaml index df68eba..19436ac 100644 --- a/infra/kube-prometheus-stack/values.yaml +++ b/kube-prometheus-stack/values.yaml @@ -1,4 +1,4 @@ -kube-prometheus-stack: +kube-prometheus-stack: fullnameOverride: prometheus defaultRules: @@ -51,16 +51,16 @@ kube-prometheus-stack: userKey: admin-user passwordKey: admin-password ingress: - enabled: false + enabled: false grafana.ini: server: root_url: https://grafana.durp.info auth.generic_oauth: - enabled: true - scopes: openid profile email - auth_url: https://authentik.durp.info/application/o/authorize/ - token_url: https://authentik.durp.info/application/o/token/ - api_url: https://authentik.durp.info/application/o/userinfo/ + enabled: true + scopes: openid profile email + auth_url: https://authentik.durp.info/application/o/authorize/ + token_url: https://authentik.durp.info/application/o/token/ + api_url: https://authentik.durp.info/application/o/userinfo/ envFromSecret: "grafana-oauth" kubeApiServer: @@ -77,10 +77,10 @@ kube-prometheus-stack: kubeControllerManager: enabled: true - endpoints: # ips of servers - - 192.168.12.11 - - 192.168.12.12 - - 192.168.12.13 + endpoints: # ips of servers + - 192.168.20.121 + - 192.168.20.122 + - 192.168.20.123 coreDns: enabled: false @@ -91,9 +91,9 @@ kube-prometheus-stack: kubeEtcd: enabled: true endpoints: # ips of servers - - 192.168.12.11 - - 192.168.12.12 - - 192.168.12.13 + - 192.168.20.121 + - 192.168.20.122 + - 192.168.20.123 service: enabled: true port: 2381 @@ -102,16 +102,16 @@ kube-prometheus-stack: kubeScheduler: enabled: true endpoints: # ips of servers - - 192.168.12.11 - - 192.168.12.12 - - 192.168.12.13 + - 192.168.20.121 + - 192.168.20.122 + - 192.168.20.123 kubeProxy: enabled: true endpoints: # ips of servers - - 192.168.12.11 - - 192.168.12.12 - - 192.168.12.13 + - 192.168.20.121 + - 192.168.20.122 + - 192.168.20.123 kubeStateMetrics: enabled: true @@ -190,14 +190,14 @@ kube-prometheus-stack: retention: 6h enableAdminAPI: true walCompression: true - storageSpec: + storageSpec: volumeClaimTemplate: spec: - storageClassName: longhorn + storageClassName: nfs-storage accessModes: ["ReadWriteMany"] resources: requests: - storage: 20Gi + storage: 50Gi thanosRuler: enabled: false diff --git a/dev/external-dns/Chart.yaml b/kubeclarity/Chart.yaml similarity index 52% rename from dev/external-dns/Chart.yaml rename to kubeclarity/Chart.yaml index 937bc49..6c050c2 100644 --- a/dev/external-dns/Chart.yaml +++ b/kubeclarity/Chart.yaml @@ -1,12 +1,11 @@ - apiVersion: v2 -name: external-dns +name: kubeclarity description: A Helm chart for Kubernetes type: application version: 0.0.1 appVersion: 0.0.1 dependencies: -- name: external-dns - repository: https://charts.bitnami.com/bitnami - version: 8.9.2 +- name: kubeclarity + repository: https://openclarity.github.io/kubeclarity + version: 2.22.0 diff --git a/kubeclarity/templates/ingress.yaml b/kubeclarity/templates/ingress.yaml new file mode 100644 index 0000000..77b67a7 --- /dev/null +++ b/kubeclarity/templates/ingress.yaml @@ -0,0 +1,47 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: kubeclarity-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`kubeclarity.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: kubeclarity-kubeclarity + port: 8080 + tls: + secretName: kubeclarity-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: kubeclarity-tls +spec: + secretName: kubeclarity-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "kubeclarity.durp.info" + dnsNames: + - "kubeclarity.durp.info" + +--- + +kind: Service +apiVersion: v1 +metadata: + name: kubeclarity-external-dns + annotations: + external-dns.alpha.kubernetes.io/hostname: kubeclarity.durp.info +spec: + type: ExternalName + externalName: durp.info diff --git a/kubeclarity/values.yaml b/kubeclarity/values.yaml new file mode 100644 index 0000000..0bb5078 --- /dev/null +++ b/kubeclarity/values.yaml @@ -0,0 +1,235 @@ +kubeclarity: + global: + databasePassword: kubeclarity + docker: + registry: "registry.internal.durp.info/openclarity" + tag: "latest" + imagePullPolicy: Always + + curl: + image: + registry: "registry.internal.durp.info" + repository: curlimages/curl + tag: 7.87.0 + + kubeclarity: + docker: + imageName: "" + + logLevel: warning + + enableDBInfoLog: false + + prometheus: + enabled: false + + podAnnotations: {} + + service: + type: ClusterIP + port: 8080 + annotations: {} + + ingress: + enabled: false + + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "1000Mi" + cpu: "1000m" + + initContainers: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "200m" + + kubeclarity-runtime-scan: + httpsProxy: "" + httpProxy: "" + resultServicePort: 8888 + + labels: + app: kubeclarity-scanner + sidecar.istio.io/inject: "false" + + namespace: "" + + registry: + skipVerifyTlS: "false" + useHTTP: "false" + + cis-docker-benchmark-scanner: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "1000Mi" + cpu: "1000m" + + vulnerability-scanner: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "1000Mi" + cpu: "1000m" + + analyzer: + analyzerList: "syft gomod trivy" + analyzerScope: "squashed" + + trivy: + enabled: true + timeout: "300" + + scanner: + scannerList: "grype trivy" + + grype: + enabled: true + mode: "REMOTE" + + remote-grype: + timeout: "2m" + + dependency-track: + enabled: false + insecureSkipVerify: "true" + disableTls: "true" + apiserverAddress: "dependency-track-apiserver.dependency-track" + apiKey: "" + + trivy: + enabled: true + timeout: "300" + + kubeclarity-grype-server: + enabled: true + + docker: + imageRepo: "registry.internal.durp.info/openclarity" + imageTag: "v0.6.0" + imagePullPolicy: Always + + logLevel: warning + + servicePort: 9991 + + resources: + requests: + cpu: "200m" + memory: "200Mi" + limits: + cpu: "1000m" + memory: "1G" + + kubeclarity-trivy-server: + enabled: true + + ## Docker Image values. + image: + registry: registry.internal.durp.info + repository: aquasec/trivy + tag: 0.44.1 + pullPolicy: Always + + persistence: + enabled: false + + podSecurityContext: + runAsUser: 1001 + runAsNonRoot: true + fsGroup: 1001 + + securityContext: + privileged: false + readOnlyRootFilesystem: true + + trivy: + debugMode: false + + service: + port: 9992 + + resources: + requests: + cpu: "200m" + memory: "200Mi" + limits: + cpu: "1000m" + memory: "1G" + + + kubeclarity-sbom-db: + docker: + imageName: "" + logLevel: warning + + servicePort: 8080 + + resources: + requests: + memory: "20Mi" + cpu: "10m" + limits: + memory: "1Gi" + cpu: "200m" + + kubeclarity-postgresql: + enabled: true + + image: + registry: registry.internal.durp.info + repository: bitnami/postgresql + tag: 14.6.0-debian-11-r31 + + auth: + existingSecret: kubeclarity-postgresql-secret + username: postgres + database: kubeclarity + sslMode: disable + + service: + ports: + postgresql: 5432 + + serviceAccount: + enabled: true + securityContext: + enabled: true + fsGroup: 1001 + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + volumePermissions: + enabled: false + securityContext: + runAsUser: 1001 + shmVolume: + chmod: + enabled: true + + resources: + requests: + memory: "256Mi" + cpu: "250m" + limits: + memory: "1000Mi" + cpu: "1000m" + + kubeclarity-postgresql-external: + enabled: false + + kubeclarity-postgresql-secret: + create: true + secretKey: "postgres-password" diff --git a/infra/longhorn/Chart.yaml b/longhorn/Chart.yaml similarity index 92% rename from infra/longhorn/Chart.yaml rename to longhorn/Chart.yaml index c699fa5..b7b6417 100644 --- a/infra/longhorn/Chart.yaml +++ b/longhorn/Chart.yaml @@ -9,4 +9,4 @@ appVersion: "1.16.0" dependencies: - name: longhorn repository: https://charts.longhorn.io - version: 1.9.0 + version: 1.3.2 diff --git a/longhorn/templates/ingress.yaml b/longhorn/templates/ingress.yaml new file mode 100644 index 0000000..df2e071 --- /dev/null +++ b/longhorn/templates/ingress.yaml @@ -0,0 +1,41 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: longhorn-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`longhorn.internal.durp.info`) && PathPrefix(`/`) + middlewares: + - name: whitelist + namespace: traefik + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: longhorn-frontend + port: 80 + - match: Host(`longhorn.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) + kind: Rule + services: + - name: ak-outpost-authentik-embedded-outpost + namespace: authentik + port: 9000 + tls: + secretName: longhorn-tls + +--- + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: longhorn-tls +spec: + secretName: longhorn-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "longhorn.internal.durp.info" + dnsNames: + - "longhorn.internal.durp.info" diff --git a/dmz/longhorn/templates/secrets.yaml b/longhorn/templates/secrets.yaml similarity index 70% rename from dmz/longhorn/templates/secrets.yaml rename to longhorn/templates/secrets.yaml index e3d18af..c10ab89 100644 --- a/dmz/longhorn/templates/secrets.yaml +++ b/longhorn/templates/secrets.yaml @@ -1,11 +1,5 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault ---- - -apiVersion: external-secrets.io/v1 +apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: external-longhorn-backup-token-secret @@ -18,13 +12,13 @@ spec: data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: - key: kv/longhorn/backup + key: secrets/longhorn/backup property: AWS_ACCESS_KEY_ID - secretKey: AWS_ENDPOINTS remoteRef: - key: kv/longhorn/backup + key: secrets/longhorn/backup property: AWS_ENDPOINTS - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: - key: kv/longhorn/backup + key: secrets/longhorn/backup property: AWS_SECRET_ACCESS_KEY diff --git a/dmz/longhorn/values.yaml b/longhorn/values.yaml similarity index 66% rename from dmz/longhorn/values.yaml rename to longhorn/values.yaml index e34a1ee..5343300 100644 --- a/dmz/longhorn/values.yaml +++ b/longhorn/values.yaml @@ -1,4 +1,8 @@ longhorn: + + # Default values for longhorn. + # This is a YAML-formatted file. + # Declare variables to be passed into your templates. global: cattle: systemDefaultRegistry: "" @@ -45,7 +49,7 @@ longhorn: defaultFsType: ext4 defaultClassReplicaCount: 3 defaultDataLocality: disabled # best-effort otherwise - reclaimPolicy: Delete + reclaimPolicy: Retain migratable: false recurringJobSelector: enable: true @@ -53,7 +57,7 @@ longhorn: { "name":"backup", "task":"backup", - "cron":"0 0 * * *", + "cron":"0 */6 * * *", "retain":24 } ]' @@ -72,7 +76,7 @@ longhorn: snapshotterReplicaCount: ~ defaultSettings: - backupTarget: S3://longhorn-master@us-east-1/ + backupTarget: S3://longhorn@us-east-1/ backupTargetCredentialSecret: longhorn-backup-token-secret allowRecurringJobWhileVolumeDetached: ~ createDefaultDiskLabeledNodes: ~ @@ -177,8 +181,65 @@ longhorn: # ingress: + ## Set to true to enable ingress record generation enabled: false + ## Add ingressClassName to the Ingress + ## Can replace the kubernetes.io/ingress.class annotation on v1.18+ + ingressClassName: nginx + + host: longhorn.internal.durp.info + + ## Set this to true in order to enable TLS on the ingress record + ## A side effect of this will be that the backend service will be connected at port 443 + tls: + - secretName: longhorn-tls + hosts: + - longhorn.internal.durp.info + + ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS + tlsSecret: longhorn-tls + + ## If ingress is enabled you can set the default ingress path + ## then you can access the UI by using the following full path {{host}}+{{path}} + path: / + + ## Ingress annotations done as key:value pairs + ## If you're using kube-lego, you will want to add: + ## kubernetes.io/tls-acme: true + ## + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md + ## + ## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + nginx.ingress.kubernetes.io/auth-url: |- + http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx + nginx.ingress.kubernetes.io/auth-signin: |- + https://longhorn.internal.durp.info/outpost.goauthentik.io/start?rd=$escaped_request_uri + nginx.ingress.kubernetes.io/auth-response-headers: |- + Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Host $http_host; + + secrets: + ## If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using kube-lego, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + # - name: longhorn.local-tls + # key: + # certificate: + + # Configure a pod security policy in the Longhorn namespace to allow privileged pods + enablePSP: true + ## Specify override namespace, specifically this is useful for using longhorn as sub-chart ## and its release namespace is not the `longhorn-system` namespaceOverride: "" diff --git a/dev/metallb-system/Chart.yaml b/metallb-system/Chart.yaml similarity index 91% rename from dev/metallb-system/Chart.yaml rename to metallb-system/Chart.yaml index c92e842..c90584f 100644 --- a/dev/metallb-system/Chart.yaml +++ b/metallb-system/Chart.yaml @@ -9,4 +9,5 @@ appVersion: "1.16.0" dependencies: - name: metallb repository: https://metallb.github.io/metallb - version: 0.15.2 + version: 0.14.5 + diff --git a/infra/metallb-system/templates/config.yaml b/metallb-system/templates/config.yaml similarity index 86% rename from infra/metallb-system/templates/config.yaml rename to metallb-system/templates/config.yaml index 457130f..c662007 100644 --- a/infra/metallb-system/templates/config.yaml +++ b/metallb-system/templates/config.yaml @@ -4,7 +4,7 @@ metadata: name: cheap spec: addresses: - - 192.168.12.130-192.168.12.140 + - 192.168.20.34-192.168.20.39 --- apiVersion: metallb.io/v1beta1 kind: L2Advertisement diff --git a/metallb-system/values.yaml b/metallb-system/values.yaml new file mode 100644 index 0000000..260551d --- /dev/null +++ b/metallb-system/values.yaml @@ -0,0 +1,197 @@ +metallb: + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + loadBalancerClass: "" + + rbac: + create: true + + prometheus: + scrapeAnnotations: false + metricsPort: 7472 + speakerMetricsTLSSecret: "" + controllerMetricsTLSSecret: "" + rbacPrometheus: true + serviceAccount: "" + namespace: "" + rbacProxy: + repository: gcr.io/kubebuilder/kube-rbac-proxy + tag: v0.12.0 + pullPolicy: + podMonitor: + enabled: false + additionalLabels: {} + annotations: {} + jobLabel: "app.kubernetes.io/name" + interval: + metricRelabelings: [] + relabelings: [] + serviceMonitor: + enabled: false + speaker: + additionalLabels: {} + annotations: {} + tlsConfig: + insecureSkipVerify: true + controller: + additionalLabels: {} + annotations: {} + tlsConfig: + insecureSkipVerify: true + jobLabel: "app.kubernetes.io/name" + interval: + metricRelabelings: [] + relabelings: [] + prometheusRule: + enabled: false + additionalLabels: {} + annotations: {} + staleConfig: + enabled: true + labels: + severity: warning + configNotLoaded: + enabled: true + labels: + severity: warning + addressPoolExhausted: + enabled: true + labels: + severity: alert + addressPoolUsage: + enabled: true + thresholds: + - percent: 75 + labels: + severity: warning + - percent: 85 + labels: + severity: warning + - percent: 95 + labels: + severity: alert + bgpSessionDown: + enabled: true + labels: + severity: alert + + extraAlerts: [] + + controller: + enabled: true + # -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` + logLevel: info + image: + repository: quay.io/metallb/controller + tag: + pullPolicy: + strategy: + type: RollingUpdate + serviceAccount: + create: true + name: "" + annotations: {} + securityContext: + runAsNonRoot: true + runAsUser: 65534 + fsGroup: 65534 + resources: {} + nodeSelector: {} + tolerations: [] + priorityClassName: "" + runtimeClassName: "" + affinity: {} + podAnnotations: {} + labels: {} + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + tlsMinVersion: "VersionTLS12" + tlsCipherSuites: "" + + extraContainers: [] + + speaker: + enabled: true + logLevel: debug + tolerateMaster: true + memberlist: + enabled: true + mlBindPort: 7946 + mlBindAddrOverride: "" + mlSecretKeyPath: "/etc/ml_secret_key" + excludeInterfaces: + enabled: true + ignoreExcludeLB: false + + image: + repository: quay.io/metallb/speaker + tag: + pullPolicy: + updateStrategy: + type: RollingUpdate + serviceAccount: + create: true + name: "" + annotations: {} + securityContext: {} + resources: {} + nodeSelector: {} + tolerations: [] + priorityClassName: "" + affinity: {} + runtimeClassName: "" + podAnnotations: {} + labels: + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/warn: privileged + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + startupProbe: + enabled: true + failureThreshold: 30 + periodSeconds: 5 + frr: + enabled: true + image: + repository: quay.io/frrouting/frr + tag: 9.0.2 + pullPolicy: + metricsPort: 7473 + resources: {} + reloader: + resources: {} + frrMetrics: + resources: {} + extraContainers: [] + crds: + enabled: true + validationFailurePolicy: Fail + frrk8s: + enabled: false + diff --git a/prd/.gitlab/.gitlab-ci.yml b/prd/.gitlab/.gitlab-ci.yml deleted file mode 100644 index 99ddf7b..0000000 --- a/prd/.gitlab/.gitlab-ci.yml +++ /dev/null @@ -1,95 +0,0 @@ -stages: - - plan - - apply - - destroy - -variables: - WORKDIR: $CI_PROJECT_DIR/prd/terraform - GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/prd - -image: - name: registry.durp.info/opentofu/opentofu:latest - entrypoint: [""] - -.tf-init: - before_script: - - cd $WORKDIR - - tofu init - -reconfigure - -backend-config="address=${GITLAB_TF_ADDRESS}" - -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" - -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" - -backend-config="username=gitlab-ci-token" - -backend-config="password=${CI_JOB_TOKEN}" - -backend-config="lock_method=POST" - -backend-config="unlock_method=DELETE" - -backend-config="retry_wait_min=5" - -format: - stage: .pre - allow_failure: false - script: - - cd $WORKDIR - - tofu fmt -diff -check -write=false - rules: - - changes: - - "prd/terraform/*.tf" - -validate: - stage: .pre - allow_failure: false - extends: .tf-init - script: - - tofu validate - rules: - - changes: - - "prd/terraform/*.tf" - -plan-prd-infrastructure: - stage: plan - variables: - PLAN: plan.tfplan - JSON_PLAN_FILE: tfplan.json - ENVIRONMENT_NAME: prd - allow_failure: false - extends: .tf-init - script: - - apk add --update curl jq - - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" - - tofu plan -out=$PLAN $ARGUMENTS - - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE - artifacts: - reports: - terraform: $WORKDIR/$JSON_PLAN_FILE - needs: ["validate","format"] - rules: - - changes: - - "prd/terraform/*.tf" - -apply-prd-infrastructure: - stage: apply - variables: - ENVIRONMENT_NAME: prd - allow_failure: false - extends: .tf-init - script: - - tofu apply -auto-approve $ARGUMENTS - rules: - - changes: - - "prd/terraform/*.tf" - when: manual - needs: ["plan-prd-infrastructure"] - -destroy-prd-infrastructure: - stage: destroy - variables: - ENVIRONMENT_NAME: prd - allow_failure: false - extends: .tf-init - script: - - tofu destroy -auto-approve $ARGUMENTS - rules: - - changes: - - "prd/terraform/*.tf" - when: manual - needs: ["plan-prd-infrastructure"] diff --git a/prd/cert-manager/Chart.yaml b/prd/cert-manager/Chart.yaml deleted file mode 100644 index 7280af8..0000000 --- a/prd/cert-manager/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: cert-manager -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: cert-manager - repository: https://charts.jetstack.io - version: v1.17.2 diff --git a/prd/cert-manager/templates/issuer.yaml b/prd/cert-manager/templates/issuer.yaml deleted file mode 100644 index cf61c83..0000000 --- a/prd/cert-manager/templates/issuer.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: issuer -secrets: - - name: issuer-token-lmzpj - ---- - -apiVersion: v1 -kind: Secret -metadata: - name: issuer-token-lmzpj - annotations: - kubernetes.io/service-account.name: issuer -type: kubernetes.io/service-account-token diff --git a/prd/cert-manager/templates/letsencrypt.yaml b/prd/cert-manager/templates/letsencrypt.yaml deleted file mode 100644 index 56b8374..0000000 --- a/prd/cert-manager/templates/letsencrypt.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-production -spec: - acme: - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-production - solvers: - - dns01: - cloudflare: - email: developerdurp@durp.info - apiTokenSecretRef: - name: cloudflare-api-token-secret - key: cloudflare-api-token-secret - ---- - -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: vault-issuer -spec: - vault: - server: https://vault.infra.durp.info - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVzekNDQTV1Z0F3SUJBZ0lVWkV6enhxRXVZaUtIa0wxZGYrQ2IyMk5SUkpNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekl5TXpRME1sb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dJREVlTUJ3R0ExVUVBeE1WZG1GMWJIUXVhVzVtY21FdVpIVnljQzVwYm1adk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWtaTTB1ZTRiTWNtbUFUcytrR1lTcFIyaExVenEKc2NHSXdDdHFtYUtDTWJkMXhobWdqbklSM3p2U1JwdExSMkdWR3ZjMXRpNnFieTBqWFl2Y3FieGtIdmF5MDB6VwoyellOK00ybTRsWHB1V3pnMXQ2TkVvTzZYR0FzR2oydjB2Y1ZrdFBQVTl1ajByR1VWR1dXZnN2am9YcVFGZzVJCmpkeHN4SzlTdk12dzJYdEUzRmdLeHB6Q3l3OTRJbklIbGNQd0ZUTyszWmRLU3RabE1iVURJa21zekxCcldGY3IKWE9zUERmTHhxTXkwQ2svL0xLSXQ4ZGpoMzI1NEZIQjFHRzUra0krSlNXMW8rdFVjTDJOeW12SUlOd20vMmFjUwoxdVRtK2o5VzdpRVhhdjBwSk5tbSsvZHpTc2tjM1kwZnRNMGgySENYZ2l0QklhRVpuVVZuZU5IT0x3SURBUUFCCm80SUI3ekNDQWVzd0RnWURWUjBQQVFIL0JBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME8KQkJZRUZDYVEycTdqN0x5QkdFVEVaNXFhSkFkbElTS0NNQjhHQTFVZEl3UVlNQmFBRk8xakN5R2twRk8rUWlSMgpkZkJNV1ZZZVdyUTJNSUgwQmdnckJnRUZCUWNCQVFTQjV6Q0I1REF6QmdnckJnRUZCUWN3QVlZbmFIUjBjSE02Ckx5OHhPVEl1TVRZNExqSXdMakkxTXpvNE1qQXhMM1l4TDNCcmFTOXZZM053TUQwR0NDc0dBUVVGQnpBQmhqRm8KZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnJhUzl2WTNOdwpNREVHQ0NzR0FRVUZCekFDaGlWb2RIUndjem92THpFNU1pNHhOamd1TWpBdU1qVXpPamd5TURFdmRqRXZjR3RwCkwyTmhNRHNHQ0NzR0FRVUZCekFDaGk5b2RIUndjem92TDNKdmIzUXRkbUYxYkhRdWFXNTBaWEp1WVd3dVpIVnkKY0M1cGJtWnZMM1l4TDNCcmFTOWpZVEFnQmdOVkhSRUVHVEFYZ2hWMllYVnNkQzVwYm1aeVlTNWtkWEp3TG1sdQpabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3TGpJMU16bzRNakF4CkwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6T2k4dmNtOXZkQzEyWVhWc2RDNXBiblJsY201aGJDNWsKZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQXVKK2xwbFkvK0E1TAo1THprbGpiS0RUeTNVNlBMdjFMdHhxVkNPRkdpSlhCblhNanRWVzA3YkJFVWFkekZSTlc4R0hRM3c1UXpPRzZrCi92RS9UcnJKaG83bDA1Si91YytCVXJQU05qZWZMbVFWNmhuNGpyUDg2UFIwdnpSZmJTcUtLQklJRDlNNyt6aTYKR0Z2SGxWa1NIc1F5TVFwN0pPb2F4OUtWelcyWStPSWd3N0xndzJ0UDEyMldDdDJTSUYwUWVub1pIc29XMGd1agp0elRKUm1KRGpuNlhlSjdMM0ZQa2YzN0g2dWIwSmczekJHcjZlb3JFRmZZWk5ONUNYZXpqcU1GQnBSZHE0VUlvCjFNM0E3bzN1eVpGY0ZzcC92R0RjTUJrd2FDc0JWOWlkdS9Id2t2R2FUVU5JMjg1aWxCT1JQRDBiTVpuQUNxLzkKK1EvY2RzTzVsZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVtekNDQTRPZ0F3SUJBZ0lVUXdDQXM4MnNnU3VpYVZiakFOSFNjTzJEU2ZBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TWpFeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBbjlmakdScXFGc3FndXo1Nlg2Y1had0VNdEQ5d0Vsd1NGQ2I0RmM4WVR6bEgKNGZWMTNRd1hLRVNMRS9RKzdidzR5NEZKUThCaUdOYnh4YlFPT2dXaGZHR2xReUZhMWxmaEp0WUxmcVJONUMyLwpTN25yMFl4REI5ZHVjNE9BRXhWTDZQcjQvS29jK3ZEWlkwM2w3Unp3bkYyQU9NOURqRlRBU3cwMVRwaENRalJrClUrdXBpTjJUVWhVUGVqVi9nTVIrelhNNnBuOThVQktHMWROdWJTMEh6QU13QUVYQVBtMTQxTkR5V1VDUFQ5KzMKNlAwM0thOG1VVHgzWDQ5T0N0dkpFR0VRYnRsblRGUWFPU2tQMXlMVytYUk1IdzNzUWFWMlBXWHU1ZkluYkVwWgorU3V6bWdMT1h0bVFObUhMYXY5cTFxZVRWa3BCR1BXdmZoMlZoMUpKaFFJREFRQUJvNElCNHpDQ0FkOHdEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSmFQMTdmMVp3MFYKNTVLczlVZjBVU1ZXbDBCUE1COEdBMVVkSXdRWU1CYUFGTzFqQ3lHa3BGTytRaVIyZGZCTVdWWWVXclEyTUlIMApCZ2dyQmdFRkJRY0JBUVNCNXpDQjVEQXpCZ2dyQmdFRkJRY3dBWVluYUhSMGNITTZMeTh4T1RJdU1UWTRMakl3CkxqSTFNem80TWpBeEwzWXhMM0JyYVM5dlkzTndNRDBHQ0NzR0FRVUZCekFCaGpGb2RIUndjem92TDNKdmIzUXQKZG1GMWJIUXVhVzUwWlhKdVlXd3VaSFZ5Y0M1cGJtWnZMM1l4TDNCcmFTOXZZM053TURFR0NDc0dBUVVGQnpBQwpoaVZvZEhSd2N6b3ZMekU1TWk0eE5qZ3VNakF1TWpVek9qZ3lNREV2ZGpFdmNHdHBMMk5oTURzR0NDc0dBUVVGCkJ6QUNoaTlvZEhSd2N6b3ZMM0p2YjNRdGRtRjFiSFF1YVc1MFpYSnVZV3d1WkhWeWNDNXBibVp2TDNZeEwzQnIKYVM5allUQVVCZ05WSFJFRURUQUxnZ2xrZFhKd0xtbHVabTh3YndZRFZSMGZCR2d3WmpBc29DcWdLSVltYUhSMApjSE02THk4eE9USXVNVFk0TGpJd0xqSTFNem80TWpBeEwzWXhMM0JyYVM5amNtd3dOcUEwb0RLR01HaDBkSEJ6Ck9pOHZjbTl2ZEMxMllYVnNkQzVwYm5SbGNtNWhiQzVrZFhKd0xtbHVabTh2ZGpFdmNHdHBMMk55YkRBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFpcUFaNHpOSUVrQ1djdnBEUnEwVnlKdWs1OXNWdEpyNVg0RnNjSFExNzluRQpRYmJ2TWUrRUJERlM2WFFtbDFFbGo4amlQYS9ENU85T2M2SWlzbm01K3dlWkt3QXB6L2xRK1hWa1dMQ29FcGxCClpaOWZjV1ZDYk1MdDB4bHQ4cW41ei9tWUtmYkNUN1pDcURPK3ByUVp0K0FESmNRYmlrbmZyb0FBcUViTkt4d04KWTl1VXlPV05GM1N4SkVjaDR3MmR0WCtJRVZteGVabmhNeThPdVAwU1FLbDhhVzQwdWdpRzBaRDV5VEJCZk9EOQp6c3JHU1UvaVNhdG4wYjdiZXZCaGFMOTZoejEvck5SMWNMKzQvYWxiWDJocnI4UnYzL1NCMkRMdE5RbFFXMGxzCkFmaFhBcVA1ekwrWXRnZjFPZi9wVmRnbmh4cllVWTdSS0NTR1k1SGFndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMekNDQWhlZ0F3SUJBZ0lVTkhkdk96YW0ySFBWZHdYcE1IVXk0d2w4WlJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF4TUpaSFZ5Y0M1cGJtWnZNQjRYRFRJMU1ERXlNekV4TVRVeU5Wb1hEVE0xTURFeQpNVEV4TVRVMU5Wb3dGREVTTUJBR0ExVUVBeE1KWkhWeWNDNXBibVp2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBOFhEVFZFdFJJMytrNHl1dnFWcWZJaUxSUUpjWGJtaGZWdEFlWWsrNWo5T3gKcDF3OVlIZG5QTHFMRnJEMVB6YWRqcVllQXAvZndsRUZmczZscXdvVFM4Uzl2aGFGcWNnQjU3blZNYjc3ZFRCYgovMDhYSFhPVTZGUFJqZEZLbTVRTXBTN3RuMVhhY1BNeS9vMGJLcVJSRVFlaXVGREdWUnl1RjVQVWd2V2MxZHZKCmwyN0p2dmdZa3RnamZwTlM0RGxDeGc0bEdYVDVhYnZhS2YyaG5yNjVlZ2FJby95UldOOXdudkF6UmlZN29jaTcKR0Exb0t6ODdZYzF0ZkwyZ2N5bnJ3Y2NPT0NGL2VVS2VzSlIxSTZHWE5rTi9hMWZjcitMZDlaOU5oSEJ0Tyt2RQpOOERzWlkra0c3REUzTTRCQ0NURlV6bGxjWUhqYVc0SGFGOXZaVytQWXdJREFRQUJvM2t3ZHpBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdXTUxJYVNrVTc1Q0pIWjEKOEV4WlZoNWF0RFl3SHdZRFZSMGpCQmd3Rm9BVTdXTUxJYVNrVTc1Q0pIWjE4RXhaVmg1YXREWXdGQVlEVlIwUgpCQTB3QzRJSlpIVnljQzVwYm1adk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVMvcVVJLzFZdjA3eFVUSzVrCnI5M2tDN0dTUHBtcGtYSXNmakNoQWw5M3NlYk4xNDNmdTcwTlVQNzRqakNjMFdrYjhoUm9mR2cxMEUrLzI0cjEKQUkwS3NMaHpLemZJQVN4VVZRQW44UlRwdExydWFhUExib1NBNE1VWjhJQjV5OFZ5OEUzL0t0RDBnRDgwajY0WQpybTlYR0hBMEhUSkhiUFVUYi9SdXgyZzBFN1d0aXlXU1dIOG1xemJlZ1U4SXJrTTNlVlQ0K3lsQkU3WWtmV0RECmR3NDRzQjcxdGZtREtweldnNlhRNllNaDBZZm55RzFmWUNqOUxodWVjTlk5VXVvNmNqRGFBdmt6TWV3V3dxRHgKUTJFa2FzOThEaTZpdENQOHZFVCtnQkRqZUNjK1hSNkh4NnZ6V214bFpod0R1eEVLTDFhMi9EYWJVeEp5TU56dgo1NUZuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K - path: pki/sign/issue-homelab-certs - auth: - kubernetes: - mountPath: /v1/auth/dmz-cluster - role: issuer - secretRef: - name: issuer-token-lmzpj - key: token diff --git a/prd/cert-manager/templates/secretvault.yaml b/prd/cert-manager/templates/secretvault.yaml deleted file mode 100644 index 11c82bc..0000000 --- a/prd/cert-manager/templates/secretvault.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: cloudflare-api-token-secret -spec: - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: cloudflare-api-token-secret - data: - - secretKey: cloudflare-api-token-secret - remoteRef: - key: kv/cert-manager - property: cloudflare-api-token-secret - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault diff --git a/prd/cert-manager/values.yaml b/prd/cert-manager/values.yaml deleted file mode 100644 index c9cf12f..0000000 --- a/prd/cert-manager/values.yaml +++ /dev/null @@ -1,26 +0,0 @@ -cert-manager: - crds: - enabled: true - image: - registry: registry.internal.durp.info - repository: jetstack/cert-manager-controller - pullPolicy: Always - replicaCount: 3 - extraArgs: - - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 - - --dns01-recursive-nameservers-only - podDnsPolicy: None - podDnsConfig: - nameservers: - - "1.1.1.1" - - "1.0.0.1" - webhook: - image: - registry: registry.internal.durp.info - repository: jetstack/cert-manager-webhook - pullPolicy: Always - cainjector: - image: - registry: registry.internal.durp.info - repository: jetstack/cert-manager-cainjector - pullPolicy: Always diff --git a/prd/external-dns/Chart.yaml b/prd/external-dns/Chart.yaml deleted file mode 100644 index 937bc49..0000000 --- a/prd/external-dns/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ - -apiVersion: v2 -name: external-dns -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: external-dns - repository: https://charts.bitnami.com/bitnami - version: 8.9.2 diff --git a/prd/external-secrets/Chart.yaml b/prd/external-secrets/Chart.yaml deleted file mode 100644 index 48645c3..0000000 --- a/prd/external-secrets/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: external-secrets -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: external-secrets - repository: https://charts.external-secrets.io - version: 0.17.0 diff --git a/prd/external-secrets/templates/ca.yaml b/prd/external-secrets/templates/ca.yaml deleted file mode 100644 index 9b2a135..0000000 --- a/prd/external-secrets/templates/ca.yaml +++ /dev/null @@ -1,81 +0,0 @@ -apiVersion: v1 -data: - vault.pem: | - -----BEGIN CERTIFICATE----- - MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL - BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy - MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN - BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq - scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW - 2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I - jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr - XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS - 1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB - o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O - BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2 - dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6 - Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo - dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw - MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp - L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy - cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu - Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx - L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k - dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L - 5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k - /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6 - GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj - tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo - 1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9 - +Q/cdsO5lg== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL - BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy - MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF - AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH - 4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/ - S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk - U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3 - 6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ - +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD - VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V - 55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0 - BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw - LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt - dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC - hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF - BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br - aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0 - cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz - Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq - hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE - QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB - ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN - Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9 - zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls - AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL - BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy - MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF - AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox - p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb - /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ - l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7 - GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE - N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B - Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1 - 8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R - BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k - r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1 - AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y - rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD - dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx - Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv - 55Fn - -----END CERTIFICATE----- -kind: ConfigMap -metadata: - name: ca-pemstore diff --git a/prd/external-secrets/values.yaml b/prd/external-secrets/values.yaml deleted file mode 100644 index 304180d..0000000 --- a/prd/external-secrets/values.yaml +++ /dev/null @@ -1,94 +0,0 @@ -external-secrets: - replicaCount: 3 - revisionHistoryLimit: 1 - leaderElect: true - - installCRDs: true - crds: - createClusterExternalSecret: true - createClusterSecretStore: true - createClusterGenerator: true - createPushSecret: true - conversion: - enabled: false - - image: - repository: registry.durp.info/external-secrets/external-secrets - pullPolicy: Always - - extraVolumes: - - name: ca-pemstore - configMap: - name: ca-pemstore - - extraVolumeMounts: - - name: ca-pemstore - mountPath: /etc/ssl/certs/vault.pem - subPath: vault.pem - readOnly: true - - resources: - requests: - memory: 32Mi - cpu: 10m - limits: - memory: 32Mi - cpu: 10m - - webhook: - create: false - failurePolicy: Ignore - log: - level: debug - image: - repository: registry.durp.info/external-secrets/external-secrets - pullPolicy: Always - - extraVolumes: - - name: ca-pemstore - configMap: - name: ca-pemstore - - extraVolumeMounts: - - name: ca-pemstore - mountPath: /etc/ssl/certs/vault.pem - subPath: vault.pem - readOnly: true - - resources: - requests: - memory: 32Mi - cpu: 10m - limits: - memory: 32Mi - cpu: 10m - - certController: - create: false - revisionHistoryLimit: 1 - log: - level: debug - - image: - repository: registry.durp.info/external-secrets/external-secrets - pullPolicy: Always - tag: "" - - resources: - requests: - memory: 32Mi - cpu: 10m - limits: - memory: 32Mi - cpu: 10m - - extraVolumes: - - name: ca-pemstore - configMap: - name: ca-pemstore - - extraVolumeMounts: - - name: ca-pemstore - mountPath: /etc/ssl/certs/vault.pem - subPath: vault.pem - readOnly: true diff --git a/prd/metallb-system/Chart.yaml b/prd/metallb-system/Chart.yaml deleted file mode 100644 index c92e842..0000000 --- a/prd/metallb-system/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: metallb-system -description: A Helm chart for Kubernetes -type: application - -version: 0.1.0 -appVersion: "1.16.0" - -dependencies: -- name: metallb - repository: https://metallb.github.io/metallb - version: 0.15.2 diff --git a/prd/metallb-system/templates/config.yaml b/prd/metallb-system/templates/config.yaml deleted file mode 100644 index 03314b3..0000000 --- a/prd/metallb-system/templates/config.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: metallb.io/v1beta1 -kind: IPAddressPool -metadata: - name: cheap -spec: - addresses: - - 192.168.11.130-192.168.11.140 ---- -apiVersion: metallb.io/v1beta1 -kind: L2Advertisement -metadata: - name: pool - namespace: metallb-system -spec: - ipAddressPools: - - cheap - diff --git a/prd/metallb-system/values.yaml b/prd/metallb-system/values.yaml deleted file mode 100644 index e69de29..0000000 diff --git a/prd/traefik/Chart.yaml b/prd/traefik/Chart.yaml deleted file mode 100644 index 1df1d76..0000000 --- a/prd/traefik/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -name: traefik -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: traefik - repository: https://traefik.github.io/charts - version: 34.5.0 diff --git a/prd/traefik/values.yaml b/prd/traefik/values.yaml deleted file mode 100644 index 3d1d660..0000000 --- a/prd/traefik/values.yaml +++ /dev/null @@ -1,58 +0,0 @@ -traefik: - image: - # registry: registry.durp.info - # repository: traefik - pullPolicy: Always - - providers: - kubernetesCRD: - allowCrossNamespace: true - allowExternalNameServices: true - allowEmptyServices: false - - deployment: - replicas: 3 - revisionHistoryLimit: 1 - - # volumes: - # - name: traefik-configmap - # mountPath: "/config" - # type: configMap - - ingressRoute: - dashboard: - enabled: true - - additionalArguments: - # - "--providers.file.filename=/config/config.yml" - - "--serversTransport.insecureSkipVerify=true" - - "--log.level=DEBUG" - - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin - - --experimental.plugins.jwt.version=v0.7.0 - - autoscaling: - enabled: true - minReplicas: 3 - maxReplicas: 10 - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 80 - behavior: - scaleDown: - stabilizationWindowSeconds: 300 - policies: - - type: Pods - value: 1 - periodSeconds: 60 - - # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. - resources: - requests: - cpu: "100m" - memory: "512Mi" - limits: - memory: "512Mi" diff --git a/prd/vault/Chart.yaml b/prd/vault/Chart.yaml deleted file mode 100644 index 412c292..0000000 --- a/prd/vault/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: vault -description: A Helm chart for Kubernetes -type: application -version: 0.0.1 -appVersion: 0.0.1 - -dependencies: -- name: vault - repository: https://helm.releases.hashicorp.com - version: 0.30.0 - diff --git a/prd/vault/templates/secret-store.yaml b/prd/vault/templates/secret-store.yaml deleted file mode 100644 index c48e52f..0000000 --- a/prd/vault/templates/secret-store.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ClusterSecretStore -metadata: - name: vault -spec: - provider: - vault: - server: "https://vault.infra.durp.info" - path: "kv" - version: "v2" - auth: - kubernetes: - mountPath: "dmz-cluster" - role: "external-secrets" - serviceAccountRef: - name: "vault" - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault diff --git a/prd/vault/values.yaml b/prd/vault/values.yaml deleted file mode 100644 index 877d8fe..0000000 --- a/prd/vault/values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -vault: - global: - enabled: true - tlsDisable: false - externalVaultAddr: "https://vault.infra.durp.info" - resources: - requests: - memory: 256Mi - cpu: 250m - limits: - memory: 256Mi - cpu: 250m - diff --git a/renovate.json b/renovate.json deleted file mode 100644 index 7190a60..0000000 --- a/renovate.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "$schema": "https://docs.renovatebot.com/renovate-schema.json" -} diff --git a/dev/traefik/Chart.yaml b/traefik/Chart.yaml similarity index 91% rename from dev/traefik/Chart.yaml rename to traefik/Chart.yaml index 1df1d76..1ebbb2d 100644 --- a/dev/traefik/Chart.yaml +++ b/traefik/Chart.yaml @@ -8,4 +8,4 @@ appVersion: 0.0.1 dependencies: - name: traefik repository: https://traefik.github.io/charts - version: 34.5.0 + version: 22.1.0 diff --git a/traefik/templates/ingress.yaml b/traefik/templates/ingress.yaml new file mode 100644 index 0000000..a165566 --- /dev/null +++ b/traefik/templates/ingress.yaml @@ -0,0 +1,39 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-ingress +spec: + entryPoints: + - websecure + routes: + - match: Host(`traefik.internal.durp.info`) + middlewares: + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: api@internal + kind: TraefikService + - match: Host(`traefik.internal.durp.info`) && PathPrefix(`/outpost.goauthentik.io`) + kind: Rule + services: + - name: ak-outpost-authentik-embedded-outpost + namespace: authentik + port: 9000 + tls: + secretName: traefik-tls + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: traefik-tls + namespace: traefik +spec: + secretName: traefik-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "traefik.internal.durp.info" + dnsNames: + - "traefik.internal.durp.info" \ No newline at end of file diff --git a/infra/traefik/templates/middleware.yaml b/traefik/templates/middlewares.yaml similarity index 69% rename from infra/traefik/templates/middleware.yaml rename to traefik/templates/middlewares.yaml index e888129..aaf45ab 100644 --- a/infra/traefik/templates/middleware.yaml +++ b/traefik/templates/middlewares.yaml @@ -1,11 +1,11 @@ -apiVersion: traefik.io/v1alpha1 +apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: - name: authentik-proxy-provider - namespace: traefik + name: authentik-proxy-provider + namespace: traefik spec: forwardAuth: - address: http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri + address: http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik trustForwardHeader: true authResponseHeaders: - X-authentik-username @@ -19,8 +19,10 @@ spec: - X-authentik-meta-provider - X-authentik-meta-app - X-authentik-meta-version + --- -apiVersion: traefik.io/v1alpha1 + +apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: whitelist @@ -28,6 +30,5 @@ metadata: spec: ipWhiteList: sourceRange: - - 192.168.0.0/16 - - 172.16.0.0/12 + - 192.168.20.1/32 - 10.0.0.0/8 diff --git a/traefik/values.yaml b/traefik/values.yaml new file mode 100644 index 0000000..362a574 --- /dev/null +++ b/traefik/values.yaml @@ -0,0 +1,887 @@ +traefik: + # Default values for Traefik + image: + registry: docker.io + repository: traefik + # defaults to appVersion + tag: "" + pullPolicy: Always + + # + # Configure integration with Traefik Hub + # + hub: + ## Enabling Hub will: + # * enable Traefik Hub integration on Traefik + # * add `traefikhub-tunl` endpoint + # * enable Prometheus metrics with addRoutersLabels + # * enable allowExternalNameServices on KubernetesIngress provider + # * enable allowCrossNamespace on KubernetesCRD provider + # * add an internal (ClusterIP) Service, dedicated for Traefik Hub + enabled: true + ## Default port can be changed + # tunnelPort: 9901 + ## TLS is optional. Insecure is mutually exclusive with any other options + # tls: + # insecure: false + # ca: "/path/to/ca.pem" + # cert: "/path/to/cert.pem" + # key: "/path/to/key.pem" + + # + # Configure the deployment + # + deployment: + enabled: true + # Can be either Deployment or DaemonSet + kind: Deployment + # Number of pods of the deployment (only applies when kind == Deployment) + replicas: 3 + # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) + revisionHistoryLimit: 1 + # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 + # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available + minReadySeconds: 0 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # Additional deployment labels (e.g. for filtering deployment by custom labels) + labels: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + # Additional Pod labels (e.g. for filtering Pod by custom labels) + podLabels: {} + # Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] + # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host + # - name: socat-proxy + # image: alpine/socat:1.0.5 + # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] + # volumeMounts: + # - name: dsdsocket + # mountPath: /socket + # Additional volumes available for use with initContainers and additionalContainers + additionalVolumes: [] + # - name: dsdsocket + # hostPath: + # path: /var/run/statsd-exporter + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. + # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 + # - name: volume-permissions + # image: busybox:latest + # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] + # securityContext: + # runAsNonRoot: true + # runAsGroup: 65532 + # runAsUser: 65532 + # volumeMounts: + # - name: data + # mountPath: /data + # Use process namespace sharing + shareProcessNamespace: false + # Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet + # Additional imagePullSecrets + imagePullSecrets: [] + # - name: myRegistryKeySecretName + # Pod lifecycle actions + lifecycle: {} + # preStop: + # exec: + # command: ["/bin/sh", "-c", "sleep 40"] + # postStart: + # httpGet: + # path: /ping + # port: 9000 + # host: localhost + # scheme: HTTP + + # Pod disruption budget + podDisruptionBudget: + enabled: false + # maxUnavailable: 1 + # maxUnavailable: 33% + # minAvailable: 0 + # minAvailable: 25% + + # Create a default IngressClass for Traefik + ingressClass: + enabled: true + isDefaultClass: false + + # Enable experimental features + experimental: + v3: + enabled: false + plugins: + enabled: true + kubernetesGateway: + enabled: false + gateway: + enabled: true + # certificate: + # group: "core" + # kind: "Secret" + # name: "mysecret" + # By default, Gateway would be created to the Namespace you are deploying Traefik to. + # You may create that Gateway in another namespace, setting its name below: + # namespace: default + # Additional gateway annotations (e.g. for cert-manager.io/issuer) + # annotations: + # cert-manager.io/issuer: letsencrypt + + # Create an IngressRoute for the dashboard + ingressRoute: + dashboard: + enabled: true + # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} + # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} + # The router match rule used for the dashboard ingressRoute + matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). + # By default, it's using traefik entrypoint, which is not exposed. + # /!\ Do not expose your dashboard without any protection over the internet /!\ + entryPoints: ["traefik"] + # Additional ingressRoute middlewares (e.g. for authentication) + middlewares: [] + # TLS options (e.g. secret containing certificate) + tls: {} + + # Customize updateStrategy of traefik pods + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 + + # Customize liveness and readiness probe values. + readinessProbe: + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + + # + # Configure providers + # + providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: true + allowExternalNameServices: false + allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" + + kubernetesIngress: + enabled: true + allowExternalNameServices: false + allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false + # Published Kubernetes Service to copy status from. Format: namespace/servicename + # By default this Traefik service + # pathOverride: "" + + # + # Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. + # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: + # additionalArguments: + # - "--providers.file.filename=/config/dynamic.toml" + # - "--ping" + # - "--ping.entrypoint=web" + volumes: [] + # - name: public-cert + # mountPath: "/certs" + # type: secret + # - name: '{{ printf "%s-configs" .Release.Name }}' + # mountPath: "/config" + # type: configMap + + # Additional volumeMounts to add to the Traefik container + additionalVolumeMounts: [] + # For instance when using a logshipper for access logs + # - name: traefik-logs + # mountPath: /var/log/traefik + + ## Logs + ## https://docs.traefik.io/observability/logs/ + logs: + ## Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). + general: + # By default, the logs use a text format (common), but you can + # also ask for the json format in the format option + # format: json + # By default, the level is set to ERROR. + # Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: ERROR + access: + # To enable access logs + enabled: false + ## By default, logs are written using the Common Log Format (CLF) on stdout. + ## To write logs in JSON, use json in the format option. + ## If the given format is unsupported, the default (CLF) is used instead. + # format: json + # filePath: "/var/log/traefik/access.log + ## To write the logs in an asynchronous fashion, specify a bufferingSize option. + ## This option represents the number of log lines Traefik will keep in memory before writing + ## them to the selected output. In some cases, this option can greatly help performances. + # bufferingSize: 100 + ## Filtering https://docs.traefik.io/observability/access-logs/#filtering + filters: {} + # statuscodes: "200,300-302" + # retryattempts: true + # minduration: 10ms + ## Fields + ## https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers + fields: + general: + defaultmode: keep + names: {} + ## Examples: + # ClientUsername: drop + headers: + defaultmode: drop + names: {} + ## Examples: + # User-Agent: redact + # Authorization: drop + # Content-Type: keep + + metrics: + ## Prometheus is enabled by default. + ## It can be disabled by setting "prometheus: null" + prometheus: + ## Entry point used to expose metrics. + entryPoint: metrics + ## Enable metrics on entry points. Default=true + # addEntryPointsLabels: false + ## Enable metrics on routers. Default=false + # addRoutersLabels: true + ## Enable metrics on services. Default=true + # addServicesLabels: false + ## Buckets for latency metrics. Default="0.1,0.3,1.2,5.0" + # buckets: "0.5,1.0,2.5" + ## When manualRouting is true, it disables the default internal router in + ## order to allow creating a custom router for prometheus@internal service. + # manualRouting: true + # datadog: + # ## Address instructs exporter to send metrics to datadog-agent at this address. + # address: "127.0.0.1:8125" + # ## The interval used by the exporter to push metrics to datadog-agent. Default=10s + # # pushInterval: 30s + # ## The prefix to use for metrics collection. Default="traefik" + # # prefix: traefik + # ## Enable metrics on entry points. Default=true + # # addEntryPointsLabels: false + # ## Enable metrics on routers. Default=false + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false + # influxdb: + # ## Address instructs exporter to send metrics to influxdb at this address. + # address: localhost:8089 + # ## InfluxDB's address protocol (udp or http). Default="udp" + # protocol: udp + # ## InfluxDB database used when protocol is http. Default="" + # # database: "" + # ## InfluxDB retention policy used when protocol is http. Default="" + # # retentionPolicy: "" + # ## InfluxDB username (only with http). Default="" + # # username: "" + # ## InfluxDB password (only with http). Default="" + # # password: "" + # ## The interval used by the exporter to push metrics to influxdb. Default=10s + # # pushInterval: 30s + # ## Additional labels (influxdb tags) on all metrics. + # # additionalLabels: + # # env: production + # # foo: bar + # ## Enable metrics on entry points. Default=true + # # addEntryPointsLabels: false + # ## Enable metrics on routers. Default=false + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false + # influxdb2: + # ## Address instructs exporter to send metrics to influxdb v2 at this address. + # address: localhost:8086 + # ## Token with which to connect to InfluxDB v2. + # token: xxx + # ## Organisation where metrics will be stored. + # org: "" + # ## Bucket where metrics will be stored. + # bucket: "" + # ## The interval used by the exporter to push metrics to influxdb. Default=10s + # # pushInterval: 30s + # ## Additional labels (influxdb tags) on all metrics. + # # additionalLabels: + # # env: production + # # foo: bar + # ## Enable metrics on entry points. Default=true + # # addEntryPointsLabels: false + # ## Enable metrics on routers. Default=false + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false + # statsd: + # ## Address instructs exporter to send metrics to statsd at this address. + # address: localhost:8125 + # ## The interval used by the exporter to push metrics to influxdb. Default=10s + # # pushInterval: 30s + # ## The prefix to use for metrics collection. Default="traefik" + # # prefix: traefik + # ## Enable metrics on entry points. Default=true + # # addEntryPointsLabels: false + # ## Enable metrics on routers. Default=false + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false + # openTelemetry: + # ## Address of the OpenTelemetry Collector to send metrics to. + # address: "localhost:4318" + # ## Enable metrics on entry points. + # addEntryPointsLabels: true + # ## Enable metrics on routers. + # addRoutersLabels: true + # ## Enable metrics on services. + # addServicesLabels: true + # ## Explicit boundaries for Histogram data points. + # explicitBoundaries: + # - "0.1" + # - "0.3" + # - "1.2" + # - "5.0" + # ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. + # headers: + # foo: bar + # test: test + # ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. + # insecure: true + # ## Interval at which metrics are sent to the OpenTelemetry Collector. + # pushInterval: 10s + # ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. + # path: /foo/v1/traces + # ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + # tls: + # ## The path to the certificate authority, it defaults to the system bundle. + # ca: path/to/ca.crt + # ## The path to the public certificate. When using this option, setting the key option is required. + # cert: path/to/foo.cert + # ## The path to the private key. When using this option, setting the cert option is required. + # key: path/to/key.key + # ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. + # insecureSkipVerify: true + # ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. + # grpc: true + + ## + ## enable optional CRDs for Prometheus Operator + ## + ## Create a dedicated metrics service for use with ServiceMonitor + ## When hub.enabled is set to true, it's not needed: it will use hub service. + # service: + # enabled: false + # labels: {} + # annotations: {} + ## When set to true, it won't check if Prometheus Operator CRDs are deployed + # disableAPICheck: false + # serviceMonitor: + # metricRelabelings: [] + # - sourceLabels: [__name__] + # separator: ; + # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ + # replacement: $1 + # action: drop + # relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + # jobLabel: traefik + # interval: 30s + # honorLabels: true + # # (Optional) + # # scrapeTimeout: 5s + # # honorTimestamps: true + # # enableHttp2: true + # # followRedirects: true + # # additionalLabels: + # # foo: bar + # # namespace: "another-namespace" + # # namespaceSelector: {} + # prometheusRule: + # additionalLabels: {} + # namespace: "another-namespace" + # rules: + # - alert: TraefikDown + # expr: up{job="traefik"} == 0 + # for: 5m + # labels: + # context: traefik + # severity: warning + # annotations: + # summary: "Traefik Down" + # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" + + tracing: {} + # instana: + # localAgentHost: 127.0.0.1 + # localAgentPort: 42699 + # logLevel: info + # enableAutoProfile: true + # datadog: + # localAgentHostPort: 127.0.0.1:8126 + # debug: false + # globalTag: "" + # prioritySampling: false + # jaeger: + # samplingServerURL: http://localhost:5778/sampling + # samplingType: const + # samplingParam: 1.0 + # localAgentHostPort: 127.0.0.1:6831 + # gen128Bit: false + # propagation: jaeger + # traceContextHeaderName: uber-trace-id + # disableAttemptReconnecting: true + # collector: + # endpoint: "" + # user: "" + # password: "" + # zipkin: + # httpEndpoint: http://localhost:9411/api/v2/spans + # sameSpan: false + # id128Bit: true + # sampleRate: 1.0 + # haystack: + # localAgentHost: 127.0.0.1 + # localAgentPort: 35000 + # globalTag: "" + # traceIDHeaderName: "" + # parentIDHeaderName: "" + # spanIDHeaderName: "" + # baggagePrefixHeaderName: "" + # elastic: + # serverURL: http://localhost:8200 + # secretToken: "" + # serviceEnvironment: "" + + globalArguments: + - "--global.checknewversion=false" + - "--global.sendanonymoususage=false" + + # + # Configure Traefik static configuration + # Additional arguments to be passed at Traefik's binary + # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ + ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` + additionalArguments: + - "--serversTransport.insecureSkipVerify=true" + - "--log.level=DEBUG" + - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin + - --experimental.plugins.jwt.version=v0.7.0 + + + # Environment variables to be passed to Traefik's binary + env: [] + # - name: SOME_VAR + # value: some-var-value + # - name: SOME_VAR_FROM_CONFIG_MAP + # valueFrom: + # configMapRef: + # name: configmap-name + # key: config-key + # - name: SOME_SECRET + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # Configure ports + ports: + # The name of this one can't be changed as it is used for the readiness and + # liveness probes, but you can adjust its config to your liking + traefik: + port: 9000 + # Use hostPort if set. + # hostPort: 9000 + # + # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which + # means it's listening on all your interfaces and all your IPs. You may want + # to set this value if you need traefik to listen on specific interface + # only. + # hostIP: 192.168.100.10 + + # Override the liveness/readiness port. This is useful to integrate traefik + # with an external Load Balancer that performs healthchecks. + # Default: ports.traefik.port + # healthchecksPort: 9000 + + # Override the liveness/readiness scheme. Useful for getting ping to + # respond on websecure entryPoint. + # healthchecksScheme: HTTPS + + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9000 + # The port protocol (TCP/UDP) + protocol: TCP + web: + ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8000 + # hostPort: 8000 + expose: true + exposedPort: 80 + # The port protocol (TCP/UDP) + protocol: TCP + # Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer. + # nodePort: 32080 + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection + redirectTo: websecure + # + # Trust forwarded headers information (X-Forwarded-*). + # forwardedHeaders: + # trustedIPs: [] + # insecure: false + # + # Enable the Proxy Protocol header parsing for the entry point + # proxyProtocol: + # trustedIPs: [] + # insecure: false + websecure: + ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8443 + # hostPort: 8443 + expose: true + exposedPort: 443 + ## The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 + # + ## Enable HTTP/3 on the entrypoint + ## Enabling it will also enable http3 experimental feature + ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 + ## There are known limitations when trying to listen on same ports for + ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. + ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 + http3: + enabled: false + # advertisedPort: 4443 + # + ## Trust forwarded headers information (X-Forwarded-*). + #forwardedHeaders: + # trustedIPs: [] + # insecure: false + # + ## Enable the Proxy Protocol header parsing for the entry point + #proxyProtocol: + # trustedIPs: [] + # insecure: false + # + ## Set TLS at the entrypoint + ## https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: + enabled: true + # this is the name of a TLSOption definition + options: "" + certResolver: "" + domains: [] + # - main: example.com + # sans: + # - foo.example.com + # - bar.example.com + # + # One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares + # /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ + # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace + # middlewares: + # - namespace-name1@kubernetescrd + # - namespace-name2@kubernetescrd + middlewares: [] + metrics: + # When using hostNetwork, use another port to avoid conflict with node exporter: + # https://github.com/prometheus/prometheus/wiki/Default-port-allocations + port: 9100 + # hostPort: 9100 + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # You may not want to expose the metrics port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9100 + # The port protocol (TCP/UDP) + protocol: TCP + + # TLS Options are created as TLSOption CRDs + # https://doc.traefik.io/traefik/https/tls/#tls-options + # When using `labelSelector`, you'll need to set labels on tlsOption accordingly. + # Example: + # tlsOptions: + # default: + # labels: {} + # sniStrict: true + # preferServerCipherSuites: true + # customOptions: + # labels: {} + # curvePreferences: + # - CurveP521 + # - CurveP384 + tlsOptions: {} + + # TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate + # https://doc.traefik.io/traefik/https/tls/#default-certificate + # Example: + # tlsStore: + # default: + # defaultCertificate: + # secretName: tls-cert + tlsStore: {} + + # Options for the main traefik service, where the entrypoints traffic comes + # from. + service: + enabled: true + ## Single service is using `MixedProtocolLBService` feature gate. + ## When set to false, it will create two Service, one for TCP and one for UDP. + single: true + type: LoadBalancer + # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} + # Additional annotations for TCP service only + annotationsTCP: {} + # Additional annotations for UDP service only + annotationsUDP: {} + # Additional service labels (e.g. for filtering Service by custom labels) + labels: {} + # Additional entries here will be added to the service spec. + # Cannot contain type, selector or ports entries. + spec: + externalTrafficPolicy: Local + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" + loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 + externalIPs: [] + # - 1.2.3.4 + ## One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack + ## List of IP families (e.g. IPv4 and/or IPv6). + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + # ipFamilies: + # - IPv4 + # - IPv6 + ## + ## An additionnal and optional internal Service. + ## Same parameters as external Service + # internal: + # type: ClusterIP + # # labels: {} + # # annotations: {} + # # spec: {} + # # loadBalancerSourceRanges: [] + # # externalIPs: [] + # # ipFamilies: [ "IPv4","IPv6" ] + + ## Create HorizontalPodAutoscaler object. + ## + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 60 + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: 60 + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + policies: + - type: Pods + value: 1 + periodSeconds: 60 + + # Enable persistence using Persistent Volume Claims + # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + # It can be used to store TLS certificates, see `storage` in certResolvers + persistence: + enabled: false + name: data + # existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi + # storageClass: "" + # volumeName: "" + path: /data + annotations: {} + # subPath: "" # only mount a subpath of the Volume into the pod + + certResolvers: {} + # letsencrypt: + # # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ + # email: email@example.com + # dnsChallenge: + # # also add the provider's required configuration under env + # # or expand then from secrets/configmaps with envfrom + # # cf. https://doc.traefik.io/traefik/https/acme/#providers + # provider: digitalocean + # # add futher options for the dns challenge as needed + # # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge + # delayBeforeCheck: 30 + # resolvers: + # - 1.1.1.1 + # - 8.8.8.8 + # tlsChallenge: true + # httpChallenge: + # entryPoint: "web" + # # It has to match the path with a persistent volume + # storage: /data/acme.json + + # If hostNetwork is true, runs traefik in the host network namespace + # To prevent unschedulabel pods due to port collisions, if hostNetwork=true + # and replicas>1, a pod anti-affinity is recommended and will be set if the + # affinity is left as default. + hostNetwork: false + + # Whether Role Based Access Control objects like roles and rolebindings should be created + rbac: + enabled: true + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. + # If set to true, installs Role and RoleBinding. Providers will only watch target namespace. + namespaced: false + # Enable user-facing roles + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + # aggregateTo: [ "admin" ] + + # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding + podSecurityPolicy: + enabled: false + + # The service account the pods will use to interact with the Kubernetes API + serviceAccount: + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template + name: "" + + # Additional serviceAccount annotations (e.g. for oidc authentication) + serviceAccountAnnotations: {} + + resources: {} + # requests: + # cpu: "100m" + # memory: "50Mi" + # limits: + # cpu: "300m" + # memory: "150Mi" + + # This example pod anti-affinity forces the scheduler to put traefik pods + # on nodes where no other traefik pods are scheduled. + # It should be used when hostNetwork: true to prevent port conflicts + affinity: {} + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: '{{ template "traefik.name" . }}' + # app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' + # topologyKey: kubernetes.io/hostname + + nodeSelector: {} + tolerations: [] + topologySpreadConstraints: [] + # # This example topologySpreadConstraints forces the scheduler to put traefik pods + # # on nodes where no other traefik pods are scheduled. + # - labelSelector: + # matchLabels: + # app: '{{ template "traefik.name" . }}' + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + + # Pods can have priority. + # Priority indicates the importance of a Pod relative to other Pods. + priorityClassName: "" + + # Set the container security context + # To run the container with ports below 1024 this will need to be adjust to run as root + securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true + + podSecurityContext: + # # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and + # # permissions for the contents of each volume to match the fsGroup. This can + # # be an issue when storing sensitive content like TLS Certificates /!\ + # fsGroup: 65532 + fsGroupChangePolicy: "OnRootMismatch" + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + + # + # Extra objects to deploy (value evaluated as a template) + # + # In some cases, it can avoid the need for additional, extended or adhoc deployments. + # See #595 for more details and traefik/tests/values/extra.yaml for example. + extraObjects: [] + + # This will override the default Release Namespace for Helm. + # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` + # namespaceOverride: traefik + # + ## This will override the default app.kubernetes.io/instance label for all Objects. + # instanceLabelOverride: traefik diff --git a/infra/bitwarden/Chart.yaml b/uptimekuma/Chart.yaml similarity index 86% rename from infra/bitwarden/Chart.yaml rename to uptimekuma/Chart.yaml index cfdd821..0dcf730 100644 --- a/infra/bitwarden/Chart.yaml +++ b/uptimekuma/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: bitwarden +name: uptimekuma description: A Helm chart for Kubernetes type: application diff --git a/uptimekuma/templates/deployment.yaml b/uptimekuma/templates/deployment.yaml new file mode 100644 index 0000000..21ce3c0 --- /dev/null +++ b/uptimekuma/templates/deployment.yaml @@ -0,0 +1,42 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: uptime-kuma + name: deployment +spec: + selector: + matchLabels: + component: uptime-kuma + replicas: 1 + strategy: + type: Recreate + + template: + metadata: + labels: + component: uptime-kuma + spec: + containers: + - name: app + image: registry.internal.durp.info/louislam/uptime-kuma:1 + ports: + - containerPort: 3001 + volumeMounts: + - mountPath: /app/data + name: storage + #livenessProbe: + #exec: + #command: + #- node + #- extra/healthcheck.js + readinessProbe: + httpGet: + path: / + port: 3001 + scheme: HTTP + + volumes: + - name: storage + persistentVolumeClaim: + claimName: uptimekuma-pvc diff --git a/dmz/internalproxy/templates/kuma.yaml b/uptimekuma/templates/ingress.yaml similarity index 63% rename from dmz/internalproxy/templates/kuma.yaml rename to uptimekuma/templates/ingress.yaml index 31b040b..3df2689 100644 --- a/dmz/internalproxy/templates/kuma.yaml +++ b/uptimekuma/templates/ingress.yaml @@ -1,4 +1,4 @@ -apiVersion: traefik.io/v1alpha1 +apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: kuma-ingress @@ -6,16 +6,19 @@ spec: entryPoints: - websecure routes: - - match: Host(`kuma.durp.info`) && PathPrefix(`/`) - kind: Rule - services: - - name: unraid - port: 3001 - scheme: http + - match: Host(`kuma.durp.info`) && PathPrefix(`/`) + middlewares: + - name: authentik-proxy-provider + namespace: traefik + kind: Rule + services: + - name: service + port: 3001 tls: secretName: kuma-tls --- + apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -27,13 +30,14 @@ spec: kind: ClusterIssuer commonName: "kuma.durp.info" dnsNames: - - "kuma.durp.info" + - "kuma.durp.info" --- + kind: Service apiVersion: v1 metadata: - name: kuma-external-dns + name: heimdall-external-dns annotations: external-dns.alpha.kubernetes.io/hostname: kuma.durp.info spec: diff --git a/uptimekuma/templates/kuma-pv.yaml b/uptimekuma/templates/kuma-pv.yaml new file mode 100644 index 0000000..e17e5a7 --- /dev/null +++ b/uptimekuma/templates/kuma-pv.yaml @@ -0,0 +1,25 @@ +#apiVersion: v1 +#kind: PersistentVolume +#metadata: +# annotations: +# pv.kubernetes.io/provisioned-by: durp.info/nfs +# finalizers: +# - kubernetes.io/pv-protection +# name: uptimekuma-pv +#spec: +# accessModes: +# - ReadWriteMany +# capacity: +# storage: 10Gi +# claimRef: +# apiVersion: v1 +# kind: PersistentVolumeClaim +# name: uptimekuma-pvc +# namespace: uptimekuma +# nfs: +# path: /mnt/user/k3s/uptimekuma +# server: 192.168.20.253 +# persistentVolumeReclaimPolicy: Retain +# storageClassName: nfs-storage +# volumeMode: Filesystem +# \ No newline at end of file diff --git a/infra/bitwarden/templates/bitwarden-pvc.yaml b/uptimekuma/templates/kuma-pvc.yaml similarity index 65% rename from infra/bitwarden/templates/bitwarden-pvc.yaml rename to uptimekuma/templates/kuma-pvc.yaml index 333af4d..ab76bf0 100644 --- a/infra/bitwarden/templates/bitwarden-pvc.yaml +++ b/uptimekuma/templates/kuma-pvc.yaml @@ -1,11 +1,12 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: bitwarden-pvc + name: uptimekuma-pvc + namespace: uptimekuma spec: - storageClassName: longhorn accessModes: - ReadWriteMany resources: requests: storage: 10Gi + storageClassName: longhorn \ No newline at end of file diff --git a/uptimekuma/templates/service.yaml b/uptimekuma/templates/service.yaml new file mode 100644 index 0000000..cad08e7 --- /dev/null +++ b/uptimekuma/templates/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: service +spec: + selector: + component: uptime-kuma + type: ClusterIP + ports: + - name: http + port: 3001 + targetPort: 3001 + protocol: TCP \ No newline at end of file diff --git a/infra/vault/Chart.yaml b/vault/Chart.yaml similarity index 91% rename from infra/vault/Chart.yaml rename to vault/Chart.yaml index 412c292..fc08adf 100644 --- a/infra/vault/Chart.yaml +++ b/vault/Chart.yaml @@ -8,5 +8,5 @@ appVersion: 0.0.1 dependencies: - name: vault repository: https://helm.releases.hashicorp.com - version: 0.30.0 + version: 0.27.0 diff --git a/vault/templates/secret-store.yaml b/vault/templates/secret-store.yaml new file mode 100644 index 0000000..c2da892 --- /dev/null +++ b/vault/templates/secret-store.yaml @@ -0,0 +1,30 @@ +#apiVersion: external-secrets.io/v1beta1 +#kind: ClusterSecretStore +#metadata: +# name: vault +#spec: +# provider: +# vault: +# server: "http://vault.vault.svc.cluster.local:8200" +# path: "secrets" +# version: "v2" +# auth: +# kubernetes: +# mountPath: "kubernetes" +# role: "dmz-external-secrets" +#--- +#apiVersion: external-secrets.io/v1beta1 +#kind: ClusterSecretStore +#metadata: +# name: vault +#spec: +# provider: +# vault: +# server: "https://vault.internal.prd.durp.info" +# path: "secrets" +# version: "v2" +# auth: +# tokenSecretRef: +# name: vault-token +# key: token +# namespace: external-secrets diff --git a/vault/values.yaml b/vault/values.yaml new file mode 100644 index 0000000..61048a7 --- /dev/null +++ b/vault/values.yaml @@ -0,0 +1,34 @@ +vault: + + global: + externalVaultAddr: "https://vault.internal.prd.durp.info" + + image: + repository: "registry.internal.durp.info/hashicorp/vault-k8s" + tag: "1.3.1" + pullPolicy: Always + + agentImage: + repository: "registry.internal.durp.info/hashicorp/vault" + tag: "1.15.2" + + + injector: + enabled: "-" + + replicas: 2 + leaderElector: + enabled: true + + metrics: + enabled: true + + image: + repository: "registry.internal.durp.info/hashicorp/vault-k8s" + tag: "1.3.1" + pullPolicy: Always + + agentImage: + repository: "registry.internal.durp.info/hashicorp/vault" + tag: "1.15.2" +