diff --git a/.taskfiles/Flux/Taskfile.yaml b/.taskfiles/Flux/Taskfile.yaml index 10a1392..0995e78 100644 --- a/.taskfiles/Flux/Taskfile.yaml +++ b/.taskfiles/Flux/Taskfile.yaml @@ -3,20 +3,20 @@ version: "3" vars: - CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/sops-key.sops.yaml" - GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/forgejo-deploy-key.sops.yaml" + CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/sops-key.sops.yaml" + GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/forgejo-deploy-key.sops.yaml" tasks: bootstrap: desc: Bootstrap Flux into a Kubernetes cluster cmds: - - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/bootstrap/flux + - kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/common/bootstrap/flux - sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --server-side --filename - - sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --server-side --filename - - - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/flux/config + - kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/{{.CLUSTER}}/flux/config preconditions: - { msg: "Missing cluster sops key", sh: "gpg -K 687802D4DFD8AA82EA55666CF7DADAC782D7663D" } reconcile: - desc: Force update Flux to pull in changes from your Git repository + desc: Force update Flux to pull in changes from the Git repository cmd: flux reconcile --namespace flux-system kustomization cluster --with-source \ No newline at end of file diff --git a/Taskfile.yaml b/Taskfile.yaml index 32f674e..9002946 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -3,7 +3,7 @@ version: "3" vars: - CLUSTER_DIR: "{{.ROOT_DIR}}/cluster" + CLUSTERS_DIR: "{{.ROOT_DIR}}/kubernetes" includes: flux: .taskfiles/Flux/Taskfile.yaml 
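Review bot: The bootstrap task now builds `{{.CLUSTERS_DIR}}/{{.CLUSTER}}/flux/config`, but `CLUSTER` is defined neither in this Taskfile's `vars` nor in the root Taskfile hunk that follows, so an unset value silently turns the path into `kubernetes//flux/config` and the last `kubectl apply` most likely fails only after the SOPS key and the deploy key have already been applied to the cluster. Guard it the way the GPG key is already guarded, e.g. add `- { msg: "CLUSTER is not set", sh: "test -n '{{.CLUSTER}}'" }` to `preconditions`, which Task evaluates before `cmds`. The variable may well be meant to come from the command line; a precondition makes that contract explicit instead of relying on the caller.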
diff --git a/kubernetes/main/core/cert-manager/helm-release.yaml b/kubernetes/common/apps/cert-manager/app/files/helm-release.yaml similarity index 80% rename from kubernetes/main/core/cert-manager/helm-release.yaml rename to kubernetes/common/apps/cert-manager/app/files/helm-release.yaml index c31b577..6712652 100644 --- a/kubernetes/main/core/cert-manager/helm-release.yaml +++ b/kubernetes/common/apps/cert-manager/app/files/helm-release.yaml @@ -14,7 +14,7 @@ spec: name: jetstack-charts namespace: flux-system values: - installCRDs: false + installCRDs: true webhook: enabled: true extraArgs: @@ -26,8 +26,8 @@ spec: nameservers: - "1.1.1.1" - "9.9.9.9" - prometheus: - servicemonitor: - enabled: true - labels: - release: kube-prometheus-stack \ No newline at end of file +# prometheus: +# servicemonitor: +# enabled: false +# labels: +# release: kube-prometheus-stack \ No newline at end of file diff --git a/kubernetes/main/core/cert-manager/helm-repository.yaml b/kubernetes/common/apps/cert-manager/app/files/helm-repository.yaml similarity index 100% rename from kubernetes/main/core/cert-manager/helm-repository.yaml rename to kubernetes/common/apps/cert-manager/app/files/helm-repository.yaml diff --git a/kubernetes/main/core/storage/kustomization.yaml b/kubernetes/common/apps/cert-manager/app/files/kustomization.yaml similarity index 59% rename from kubernetes/main/core/storage/kustomization.yaml rename to kubernetes/common/apps/cert-manager/app/files/kustomization.yaml index 56090e7..14a2c31 100644 --- a/kubernetes/main/core/storage/kustomization.yaml +++ b/kubernetes/common/apps/cert-manager/app/files/kustomization.yaml @@ -1,6 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./longhorn -- ./openebs -#- ./local-path-provisioner \ No newline at end of file +- ./helm-repository.yaml +- ./helm-release.yaml \ No newline at end of file 
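Review bot: `installCRDs: true` makes the CRDs Helm-managed, and cert-manager documents that uninstalling the chart in that mode removes the CRDs and with them every Certificate, Issuer and ClusterIssuer in the cluster; combined with `prune: true` on the owning Flux Kustomization, an accidental removal of this HelmRelease becomes a cluster-wide certificate wipe. Safer options are Flux's `spec.install.crds: CreateReplace` / `spec.upgrade.crds: CreateReplace` on the HelmRelease with the chart's CRD install left off, or, on chart versions that offer it, `crds.enabled: true` together with `crds.keep: true`; the chart version is outside this hunk, so check which keys the pinned version supports. The same consideration applies to metallb's `crds.enabled: true` later in this diff.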
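Review bot: The ServiceMonitor block is left as commented-out YAML with `enabled: false`, which is dead text rather than configuration and silently drops the cert-manager metrics (including the certificate-expiry gauges) that monitoring would otherwise alert on. If scraping is intentionally off, say so with live config, `prometheus:` / `  servicemonitor:` / `    enabled: false`, plus a one-line comment on why; if it is only off because kube-prometheus-stack is not yet present on this cluster, a `dependsOn` in the ks.yaml is the cleaner way to express that ordering.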
diff --git a/kubernetes/common/apps/cert-manager/app/ks.yaml b/kubernetes/common/apps/cert-manager/app/ks.yaml new file mode 100644 index 0000000..471dbc2 --- /dev/null +++ b/kubernetes/common/apps/cert-manager/app/ks.yaml @@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cert-manager + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/cert-manager/app/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/main/core/cert-manager/cloudflare-cred.sops.yaml b/kubernetes/common/apps/cert-manager/certs/files/cloudflare-cred.sops.yaml similarity index 100% rename from kubernetes/main/core/cert-manager/cloudflare-cred.sops.yaml rename to kubernetes/common/apps/cert-manager/certs/files/cloudflare-cred.sops.yaml diff --git a/kubernetes/main/core/cert-manager/kustomization.yaml b/kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml similarity index 64% rename from kubernetes/main/core/cert-manager/kustomization.yaml rename to kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml index 7589521..d721975 100644 --- a/kubernetes/main/core/cert-manager/kustomization.yaml +++ b/kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml @@ -1,10 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./namespace.yaml - ./cloudflare-cred.sops.yaml -- ./helm-repository.yaml -- ./helm-release.yaml - ./letsencrypt-prod.yaml - ./letsencrypt-stage.yaml - ./wildcard-cert.yaml \ No newline at end of file 
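Review bot: The `cert-manager` Kustomization sets neither `wait: true` nor `healthChecks`, so as I understand kustomize-controller it is reported Ready as soon as the HelmRepository and HelmRelease objects are applied, not once the cert-manager deployment and its webhook are serving; `dependsOn` in `cert-manager-certificates` and `intel-gpu` therefore does not guarantee the CRDs and webhook exist when their ClusterIssuer and Certificate objects are applied, and those reconciles will fail and retry until they do. Add `wait: true` after `prune: true`. The same pattern applies to the `metallb` and `traefik` Kustomizations and their `metallb-pool` / `traefik-default-tls` dependents later in this diff. The `decryption` and `substituteFrom: cluster-secrets` stanzas look copied from a template: per the kustomization in this diff, `app/files` holds only `helm-repository.yaml` and `helm-release.yaml`, so if the HelmRelease uses no `${...}` placeholders both can be dropped to keep `cluster-secrets` out of this Kustomization's render path.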
diff --git a/kubernetes/main/core/cert-manager/letsencrypt-prod.yaml b/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml similarity index 79% rename from kubernetes/main/core/cert-manager/letsencrypt-prod.yaml rename to kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml index cff18c2..7aae355 100644 --- a/kubernetes/main/core/cert-manager/letsencrypt-prod.yaml +++ b/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml @@ -10,9 +10,6 @@ spec: privateKeySecretRef: name: letsencrypt-production solvers: -# - http01: -# ingress: -# class: traefik - dns01: cloudflare: email: "${SECRET_MY_EMAIL}" @@ -21,4 +18,6 @@ spec: key: api-token selector: dnsZones: - - "${SECRET_NEW_DOMAIN}" \ No newline at end of file + - "${SECRET_NEW_DOMAIN}" + - "internal.${SECRET_NEW_DOMAIN}" + - "*.internal.${SECRET_NEW_DOMAIN}" \ No newline at end of file diff --git a/kubernetes/main/core/cert-manager/letsencrypt-stage.yaml b/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-stage.yaml similarity index 83% rename from kubernetes/main/core/cert-manager/letsencrypt-stage.yaml rename to kubernetes/common/apps/cert-manager/certs/files/letsencrypt-stage.yaml index 63b7f44..b5be2b3 100644 --- a/kubernetes/main/core/cert-manager/letsencrypt-stage.yaml +++ b/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-stage.yaml @@ -10,9 +10,6 @@ spec: privateKeySecretRef: name: letsencrypt-staging solvers: -# - http01: -# ingress: -# class: traefik - dns01: cloudflare: email: "${SECRET_MY_EMAIL}" diff --git a/kubernetes/main/core/cert-manager/wildcard-cert.yaml b/kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml similarity index 56% rename from kubernetes/main/core/cert-manager/wildcard-cert.yaml rename to kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml index cc5b30f..1b4d80e 100644 --- a/kubernetes/main/core/cert-manager/wildcard-cert.yaml 
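Review bot: The two added `dnsZones` entries are most likely redundant: cert-manager matches a `dnsZones` selector when the name being validated is the zone itself or any subdomain of it, so `${SECRET_NEW_DOMAIN}` already covers `internal.${SECRET_NEW_DOMAIN}` and everything below it, and a `*.`-prefixed entry is a zone name that no DNS name will ever match. Since `dns01` also appears to be the only solver left after the http01 block was removed, the selector is never consulted at all; I would drop the two new lines (or the whole `selector`) and, if the intent is to document which names the issuer serves, put that in a comment instead. The Issuer's `spec` starts before this hunk.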
+++ b/kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml @@ -2,14 +2,10 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: wildcard-main-cert - namespace: traefik #cert-manager + namespace: nginx spec: secretName: wildcard-main-tls -# secretTemplate: -# annotations: -# replicator.v1.mittwald.de/replicate-to: "traefik" - duration: 2160h # 90d renewBefore: 360h # 15d @@ -20,6 +16,4 @@ spec: dnsNames: - "${SECRET_NEW_DOMAIN}" - "*.${SECRET_NEW_DOMAIN}" -# - "*.k3s.${SECRET_NEW_DOMAIN}" -# - "*.database.${SECRET_NEW_DOMAIN}" -# - "*.s3.${SECRET_NEW_DOMAIN}" \ No newline at end of file + - "*.internal.${SECRET_NEW_DOMAIN}" \ No newline at end of file diff --git a/kubernetes/common/apps/cert-manager/certs/ks.yaml b/kubernetes/common/apps/cert-manager/certs/ks.yaml new file mode 100644 index 0000000..a24d477 --- /dev/null +++ b/kubernetes/common/apps/cert-manager/certs/ks.yaml @@ -0,0 +1,28 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cert-manager-certificates + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/cert-manager/certs/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: cert-manager + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/common/apps/cert-manager/kustomization.yaml b/kubernetes/common/apps/cert-manager/kustomization.yaml new file mode 100644 index 0000000..d70fba6 --- /dev/null +++ b/kubernetes/common/apps/cert-manager/kustomization.yaml 
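Review bot: The Certificate moves from namespace `traefik` to `nginx`, but `default-tls-store.yaml` is renamed unchanged (similarity 100%) and the new `traefik-default-tls` Kustomization still depends on `traefik`; a Traefik TLSStore can only reference a secret in its own namespace, so if that store names `wildcard-main-tls`, Traefik keeps serving the existing copy in `traefik`, which no Certificate renews any more (cert-manager does not remove a secret when its Certificate is deleted by default) and which expires after the `duration: 2160h`. Either keep a Certificate for the traefik namespace, restore the replicator annotation this hunk drops, or retire the Traefik TLSStore together with this move; a comment above `namespace: nginx` naming the consumer (e.g. `# consumed by the nginx ingress controller`) would make the intent checkable. The Certificate `spec` continues outside the hunk.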
@@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./namespace.yaml +- ./app/ks.yaml +- ./certs/ks.yaml \ No newline at end of file diff --git a/kubernetes/main/core/cert-manager/namespace.yaml b/kubernetes/common/apps/cert-manager/namespace.yaml similarity index 100% rename from kubernetes/main/core/cert-manager/namespace.yaml rename to kubernetes/common/apps/cert-manager/namespace.yaml diff --git a/kubernetes/common/apps/database/dbs/ks.yaml b/kubernetes/common/apps/database/dbs/ks.yaml new file mode 100644 index 0000000..02f303e --- /dev/null +++ b/kubernetes/common/apps/database/dbs/ks.yaml @@ -0,0 +1,28 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: postgresql + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/database/dbs/postgresql + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: openebs-sc + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/common/apps/database/dbs/postgresql/helm-release.yaml b/kubernetes/common/apps/database/dbs/postgresql/helm-release.yaml new file mode 100644 index 0000000..df00d37 --- /dev/null +++ b/kubernetes/common/apps/database/dbs/postgresql/helm-release.yaml 
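Review bot: `dependsOn: openebs-sc` names a Flux Kustomization that nothing in this diff creates, while the same commit removes `mainpool-sc.yaml` from the openebs kustomization; if no `openebs-sc` Kustomization exists in `flux-system`, the `postgresql` Kustomization stays in dependency-not-found and never applies, and if it does exist, confirm it still provides the `openebs-dual` StorageClass that the PVC in `pgsql-pv.yaml` requests. Point `dependsOn` at whichever Kustomization actually owns the StorageClass and add a comment next to it naming the StorageClass it is waited on for.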
@@ -0,0 +1,42 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: postgresql + namespace: database +spec: + interval: 5m + chart: + spec: + chart: postgresql + version: 14.3.x + sourceRef: + kind: HelmRepository + name: bitnami-charts + namespace: flux-system + values: + auth: + existingSecret: "pgsql-secrets" + secretKeys: + adminPasswordKey: "adminPassword" + replicationPasswordKey: "replicationPassword" + + serviceMonitor: + enabled: true + labels: + release: kube-prometheus-stack + + volumePermissions: + enabled: true + + primary: + persistence: + existingClaim: "postgresql-pvc" + + containerSecurityContext: + enabled: true + runAsUser: 655 + + readReplicas: + containerSecurityContext: + enabled: true + runAsUser: 655 \ No newline at end of file diff --git a/kubernetes/common/apps/database/dbs/postgresql/kustomization.yaml b/kubernetes/common/apps/database/dbs/postgresql/kustomization.yaml new file mode 100644 index 0000000..b52eb49 --- /dev/null +++ b/kubernetes/common/apps/database/dbs/postgresql/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./pgsql-pv.yaml +- ./pgsql.sops.yaml +- ./helm-release.yaml +#- ./pgadmin4 \ No newline at end of file diff --git a/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-release.yaml b/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-release.yaml new file mode 100644 index 0000000..6e347ba --- /dev/null +++ b/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-release.yaml 
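Review bot: `containerSecurityContext` on both `primary` and `readReplicas` only sets `runAsUser: 655`, leaving `allowPrivilegeEscalation`, `capabilities` and `seccompProfile` at chart defaults; a database pod with its own persistent storage is exactly where a restricted profile (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `seccompProfile.type: RuntimeDefault`) is cheap and where the Pod Security `restricted` standard would otherwise reject the pod. Two follow-ups: `655` is not the Bitnami default (1001), so a comment on why this uid is chosen would help, and `volumePermissions.enabled: true` adds a root init container to chown the PVC, which is fine for first start but deserves a comment that it can be switched off once the volume is initialised. Also `pgsql.sops.yaml` carries a `userPassword` key that `secretKeys` does not map; as long as `auth.username` is unset it is unused, but if a user is added later the chart will look for its own default key name rather than `userPassword`.
```yaml
    # … unchanged: auth, serviceMonitor, volumePermissions …
    primary:
      persistence:
        existingClaim: "postgresql-pvc"

      containerSecurityContext:
        enabled: true
        runAsUser: 655
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault

    readReplicas:
      containerSecurityContext:
        enabled: true
        runAsUser: 655
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
```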
@@ -0,0 +1,47 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: pgadmin4 + namespace: database +spec: + interval: 5m + chart: + spec: + chart: pgadmin4 + version: "1.28.0" + sourceRef: + kind: HelmRepository + name: runix-charts + namespace: flux-system + values: + ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + traefik.ingress.kubernetes.io/router.entrypoints: websecure + hosts: + - host: &host pgadm.${SECRET_NEW_DOMAIN} + paths: + - path: "/" + pathType: Prefix + tls: + - hosts: + - *host + +# securityContext: +# runAsUser: 10000 +# runAsGroup: 10000 +# fsGroup: 10000 +# +# containerSecurityContext: +# enabled: true +# allowPrivilegeEscalation: false + +# envVarsFromConfigMaps: +# - pgadmin4-secret + + persistentVolume: + enabled: false + + volumePermissions: + enabled: true \ No newline at end of file diff --git a/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-repository.yaml b/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-repository.yaml new file mode 100644 index 0000000..8348d74 --- /dev/null +++ b/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-repository.yaml @@ -0,0 +1,8 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: runix-charts + namespace: flux-system +spec: + interval: 1m + url: https://helm.runix.net diff --git a/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/kustomization.yaml b/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/kustomization.yaml new file mode 100644 index 0000000..a83bec5 --- /dev/null +++ b/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./pgadmin4.sops.yaml +- ./helm-repository.yaml +- ./helm-release.yaml \ No newline at end of file 
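Review bot: The pgadmin4 ingress publishes a database administration UI on the `websecure` entrypoint with a production Let's Encrypt certificate and no access restriction visible beyond the application's own login; for a tool that stores database credentials, pair the ingress with a Traefik middleware (`traefik.ingress.kubernetes.io/router.middlewares` pointing at an IP allow-list or forward-auth middleware) or, if the `internal.` subdomain added elsewhere in this diff is meant to be reachable only from inside, host it there. The pod hardening exists only as comments: turn `containerSecurityContext: enabled: true` / `allowPrivilegeEscalation: false` into live values and either delete the commented `securityContext` block or state why it is off. Finally, `volumePermissions.enabled: true` does nothing with `persistentVolume.enabled: false`, and without a volume pgadmin's server definitions and user store are lost on every restart — pick one of the two deliberately and comment it.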
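Review bot: `./pgadmin4.sops.yaml` is listed as a resource, but this diff adds no such file anywhere under the new `pgadmin4/` directory; as long as the parent kustomization keeps `#- ./pgadmin4` commented out this is inert, yet the first attempt to enable it will fail at build time. Either add the encrypted secret in the same change or comment the line out with the same `#- ` marker the parent uses.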
diff --git a/kubernetes/common/apps/database/dbs/postgresql/pgsql-pv.yaml b/kubernetes/common/apps/database/dbs/postgresql/pgsql-pv.yaml new file mode 100644 index 0000000..fa77932 --- /dev/null +++ b/kubernetes/common/apps/database/dbs/postgresql/pgsql-pv.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: postgresql-pvc + namespace: database +spec: + storageClassName: openebs-dual + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi \ No newline at end of file diff --git a/kubernetes/common/apps/database/dbs/postgresql/pgsql.sops.yaml b/kubernetes/common/apps/database/dbs/postgresql/pgsql.sops.yaml new file mode 100644 index 0000000..9c1b403 --- /dev/null +++ b/kubernetes/common/apps/database/dbs/postgresql/pgsql.sops.yaml 
@@ -0,0 +1,62 @@ +apiVersion: v1 +kind: Secret +metadata: + name: pgsql-secrets + namespace: database +stringData: + adminPassword: ENC[AES256_GCM,data:gJ7rl2V/VlbIIRvRHcwMaZKN87t5n8bVWZCj/tRv8Uw=,iv:b/5eEnOrHzJrtnO+E2IGwJLHy2AdJQwv9WfUR5fUHY4=,tag:nTtaDNHVfYpChQX9UWwdKA==,type:str] + userPassword: ENC[AES256_GCM,data:gR7q508lUaRDRJ/z5lH99JLJSS9zWfg0O+TAm2B9uvo=,iv:9DDQxwd/BGtLQDacAH/crfT+qU4Pn5sGkWuEtmMprUI=,tag:tK3WoUd7729LQDVqU7pckQ==,type:str] + replicationPassword: ENC[AES256_GCM,data:BSA5IfYhhvN445yp2i3BI5zlIXgdj+LejCPzvlTMnVo=,iv:Qku2NAQPLxt+NUnk2dSx1+WAoyx3aEuA3+piU2mubYk=,tag:MnI+atK6VLZUc3eGS1OE1w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-10-22T16:25:15Z" + mac: ENC[AES256_GCM,data:uWVPfKwPpR212js7f2RnCzEsMnxk2JpGPcf2L5i4gJCddJCrRJkdhjWGyVVpp/ociP3JLRTI95+WSEUH0KkPZpY1ptQevCVsUemRytOCtBlR0yR4qsBwEisSu8m4B5dbAYsqlXAndrBNL2WGB7uBv+ILgNxkhlN58unseSWJBDM=,iv:e7QyZSlhpyQ+A8OmV4p1848itIUxyam6CJOI9/N7DDY=,tag:N28mfrAjUTTYkly1hu0OhA==,type:str] + pgp: + - created_at: "2023-06-19T18:35:15Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAzKleRwoSoixAQ//aQdUERyq3G7V29F5rpY6LdDgo8+hqrrZvdI3JnON0VUM + Tj3AAYg+xvYh8aPQywF9fJvn6qNw8fqrb2GiuuNTa9ZPCFsD+WXbuYHmQ9z6tAtV + opXe3QLNBuo9zEtUfGPbaCp8EH7f1TxQsTJoe9iE/1B2S69cHNUdgXZtfQyhpmlG + iyAk/G04kPazweIuFNjOYaN/12J/s2Cf5AZUeROkMxg8/GTPO68LeEBz9v4vl/1z + JlxmZyXR/9IeoBlO63asDrR85fcvSDb31K4qE3WVkag20bXClv1lehLVKO4bxA/F + lW1tXDR3odC9Ozme884Znd05L0NWkzYKYRta198IV6JuSCeMdjTscGGlMM9wqqKz + SZgs81FHXT16YCVupfI22CqMiD0EzQXrGEtJ4NqaBvhZu+MDxszNRzIl73b0HANc + 8JQqQqOJh7ltrWnf39Xlv73yVC/pYbaV1LWGnMfqWvOcksa9QjOH9Ysfj/RxdaMw + VQhydU+21+xeuEQBL7OsiJQUzgJjFREnTRPXcorCtWxocCn5zwdct1SFchFzCOTp + H0ubpD+MP4RTWxuYbZRhE5ty6GJU9liRH7dUJtVaQiv8V+G1DungTqq36AbbnHzd + 9cy+4cM3wZx2VYElL7DBom8nqqm7Xhffr0UaaY8VFuV5bBry3BmM5rOr8vDYqf7U + aAEJAhC/4yiBMuhEB+fwXIq/dBjMzW+p8SotK2QK03yaTFQchnBDknwVdqcKQxIZ + di3kupnjB+KllWOZhl121tT9L35ymL53BUu1FKCTFdIS2wXxy6UlIS98n0bvWJYN + c5WTfk81xmbT + 
=UE14 + -----END PGP MESSAGE----- + fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5 + - created_at: "2023-06-19T18:35:15Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAy5t8IMoPu4VAQ/9G2JDsJw6YJMjstWPrv07tnU0ErWZx5WGcNUGhw6T5tOJ + kXCAuaZax8NxoTtZnQ9Cd+WgJr7R0FuVPEPTc4G2RsfntSZq5rBgCpT0fgwyASFX + 64b6YTbLcCL+G6sg/FwIi9SRqqCsaljATjoU685vrjaxYYfAdhyUoM3qSNjMMaMl + zVjn0kbWrQn4GqfuRMqcr+zCIQdHNTTJ12+c6UUo/zJp4zzjA68Yur9aiw1iHtR1 + rYCPHX2/ZmQjADTHXqwpuMdb5j0VDcd5JcZabdcJkhn/6MRJiN+XryZN/Neq9UbF + 5WrMaZz5v0iRnMUCr8HMw29P0ttu5Sma+RyCOZuWlpsXj+C84pJ8CjBbFhzSJzGP + cKI8Syn0CPLN3X6vKs+LJXEHg1jxJ9kuN+RgW+SQRctUX3A0JtFg2tWplkptNtLl + hN5rW+fWxk7BV9dP7wouwVJiKcW3Y/OMCF5H8YHwL/KVHvANBwNM+nmFPrHaqN2s + 0RghznmZMVG+9IYedSM6d8ZJLnO/QsNTE0QTGM/3dmBAn9jcndCLTgcgThAtvcmw + lFJYaMN3W455Cccaif93xnb44yn47actgEuM6GOuP15GGJaHD2iBQ2atHcaQhNQR + mxhIIouu+Kaa6g34MA/VGDNoN0eNYI5RZIUSSBl7bgaOXs9/3j1Uvap9yesCaOTU + aAEJAhDDqjX7RUazeEByAiKjv5TxpQzsi8gR4zyrhf6tTx34jHzQNoVjYEtLMEVl + ZlAJ06RoxOj8O6+8RGYd/ZUE+TQPQ4jx+PgWrZPUQx8TSxevuduw5XZ1lKytUSCZ + GFDjOxp0lMGV + =LHSB + -----END PGP MESSAGE----- + fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D + encrypted_regex: ^(data|stringData)$ + version: 3.8.0 diff --git a/kubernetes/common/apps/database/kustomization.yaml b/kubernetes/common/apps/database/kustomization.yaml new file mode 100644 index 0000000..f5c95bb --- /dev/null +++ b/kubernetes/common/apps/database/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./namespace.yaml +- ./dbs/ks.yaml \ No newline at end of file diff --git a/kubernetes/common/apps/database/namespace.yaml b/kubernetes/common/apps/database/namespace.yaml new file mode 100644 index 0000000..12a2a91 --- /dev/null +++ b/kubernetes/common/apps/database/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: database \ No newline at end of file 
diff --git a/kubernetes/main/core/intel-gpu/files/gpu-plugin.yaml b/kubernetes/common/apps/intel-gpu/files/gpu-plugin.yaml
similarity index 100%
rename from kubernetes/main/core/intel-gpu/files/gpu-plugin.yaml
rename to kubernetes/common/apps/intel-gpu/files/gpu-plugin.yaml
diff --git a/kubernetes/main/core/intel-gpu/files/helm-repos.yaml b/kubernetes/common/apps/intel-gpu/files/helm-repos.yaml
similarity index 100%
rename from kubernetes/main/core/intel-gpu/files/helm-repos.yaml
rename to kubernetes/common/apps/intel-gpu/files/helm-repos.yaml
diff --git a/kubernetes/main/core/intel-gpu/files/intel-device-plugins-operator.yaml b/kubernetes/common/apps/intel-gpu/files/intel-device-plugins-operator.yaml
similarity index 100%
rename from kubernetes/main/core/intel-gpu/files/intel-device-plugins-operator.yaml
rename to kubernetes/common/apps/intel-gpu/files/intel-device-plugins-operator.yaml
diff --git a/kubernetes/main/core/intel-gpu/files/kustomization.yaml b/kubernetes/common/apps/intel-gpu/files/kustomization.yaml
similarity index 100%
rename from kubernetes/main/core/intel-gpu/files/kustomization.yaml
rename to kubernetes/common/apps/intel-gpu/files/kustomization.yaml
diff --git a/kubernetes/main/core/intel-gpu/files/namespace.yaml b/kubernetes/common/apps/intel-gpu/files/namespace.yaml
similarity index 100%
rename from kubernetes/main/core/intel-gpu/files/namespace.yaml
rename to kubernetes/common/apps/intel-gpu/files/namespace.yaml
diff --git a/kubernetes/common/apps/intel-gpu/ks.yaml b/kubernetes/common/apps/intel-gpu/ks.yaml
new file mode 100644
index 0000000..f02ec18
--- /dev/null
+++ b/kubernetes/common/apps/intel-gpu/ks.yaml
@@ -0,0 +1,24 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: intel-gpu + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/intel-gpu/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: nfd + namespace: flux-system + # requires certificates for communications between plugins + - name: cert-manager + namespace: flux-system \ No newline at end of file diff --git a/kubernetes/main/core/networking/metallb/helm-release.yaml b/kubernetes/common/apps/metallb/app/files/helm-release.yaml similarity index 96% rename from kubernetes/main/core/networking/metallb/helm-release.yaml rename to kubernetes/common/apps/metallb/app/files/helm-release.yaml index a36f740..e19d459 100644 --- a/kubernetes/main/core/networking/metallb/helm-release.yaml +++ b/kubernetes/common/apps/metallb/app/files/helm-release.yaml @@ -24,4 +24,4 @@ spec: namespace: flux-system values: crds: - enabled: false + enabled: true diff --git a/kubernetes/main/core/networking/kustomization.yaml b/kubernetes/common/apps/metallb/app/files/kustomization.yaml similarity index 76% rename from kubernetes/main/core/networking/kustomization.yaml rename to kubernetes/common/apps/metallb/app/files/kustomization.yaml index 37a9b9a..ea3145d 100644 --- a/kubernetes/main/core/networking/kustomization.yaml +++ b/kubernetes/common/apps/metallb/app/files/kustomization.yaml @@ -1,5 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./traefik -- ./metallb \ No newline at end of file +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/common/apps/metallb/app/ks.yaml b/kubernetes/common/apps/metallb/app/ks.yaml new file mode 100644 index 0000000..cd1c37f --- /dev/null 
+++ b/kubernetes/common/apps/metallb/app/ks.yaml @@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: metallb + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/metallb/app/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/common/apps/metallb/kustomization.yaml b/kubernetes/common/apps/metallb/kustomization.yaml new file mode 100644 index 0000000..965ecd3 --- /dev/null +++ b/kubernetes/common/apps/metallb/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./namespace.yaml +- ./app/ks.yaml +- ./pool/ks.yaml \ No newline at end of file diff --git a/kubernetes/main/core/networking/metallb/namespace.yaml b/kubernetes/common/apps/metallb/namespace.yaml similarity index 100% rename from kubernetes/main/core/networking/metallb/namespace.yaml rename to kubernetes/common/apps/metallb/namespace.yaml diff --git a/kubernetes/common/apps/metallb/pool/files/kustomization.yaml b/kubernetes/common/apps/metallb/pool/files/kustomization.yaml new file mode 100644 index 0000000..1230a99 --- /dev/null +++ b/kubernetes/common/apps/metallb/pool/files/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./metallb-static-ips.yaml \ No newline at end of file 
diff --git a/kubernetes/main/core/networking/metallb/metallb-static-ips.yaml b/kubernetes/common/apps/metallb/pool/files/metallb-static-ips.yaml similarity index 100% rename from kubernetes/main/core/networking/metallb/metallb-static-ips.yaml rename to kubernetes/common/apps/metallb/pool/files/metallb-static-ips.yaml diff --git a/kubernetes/common/apps/metallb/pool/ks.yaml b/kubernetes/common/apps/metallb/pool/ks.yaml new file mode 100644 index 0000000..d224748 --- /dev/null +++ b/kubernetes/common/apps/metallb/pool/ks.yaml @@ -0,0 +1,28 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: metallb-pool + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/metallb/pool/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: metallb + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/main/core/nfd/files/helm-repos.yaml b/kubernetes/common/apps/nfd/files/helm-repos.yaml similarity index 100% rename from kubernetes/main/core/nfd/files/helm-repos.yaml rename to kubernetes/common/apps/nfd/files/helm-repos.yaml diff --git a/kubernetes/main/core/nfd/files/kustomization.yaml b/kubernetes/common/apps/nfd/files/kustomization.yaml similarity index 100% rename from kubernetes/main/core/nfd/files/kustomization.yaml rename to kubernetes/common/apps/nfd/files/kustomization.yaml diff --git a/kubernetes/main/core/nfd/files/nfd.yaml b/kubernetes/common/apps/nfd/files/nfd.yaml similarity index 100% rename from kubernetes/main/core/nfd/files/nfd.yaml rename to kubernetes/common/apps/nfd/files/nfd.yaml 
diff --git a/kubernetes/main/core/nfd/ks.yaml b/kubernetes/common/apps/nfd/ks.yaml similarity index 86% rename from kubernetes/main/core/nfd/ks.yaml rename to kubernetes/common/apps/nfd/ks.yaml index b5184d0..397d133 100644 --- a/kubernetes/main/core/nfd/ks.yaml +++ b/kubernetes/common/apps/nfd/ks.yaml @@ -7,7 +7,7 @@ metadata: spec: timeout: 5m interval: 10m - path: ./kubernetes/main/core/nfd/files + path: ./kubernetes/common/apps/nfd/files prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/main/core/storage/openebs/helm-release.yaml b/kubernetes/common/apps/openebs/helm-release.yaml similarity index 100% rename from kubernetes/main/core/storage/openebs/helm-release.yaml rename to kubernetes/common/apps/openebs/helm-release.yaml diff --git a/kubernetes/main/core/storage/openebs/helm-repository.yaml b/kubernetes/common/apps/openebs/helm-repository.yaml similarity index 100% rename from kubernetes/main/core/storage/openebs/helm-repository.yaml rename to kubernetes/common/apps/openebs/helm-repository.yaml diff --git a/kubernetes/main/core/storage/openebs/kustomization.yaml b/kubernetes/common/apps/openebs/kustomization.yaml similarity index 72% rename from kubernetes/main/core/storage/openebs/kustomization.yaml rename to kubernetes/common/apps/openebs/kustomization.yaml index 3989888..dec9b5f 100644 --- a/kubernetes/main/core/storage/openebs/kustomization.yaml +++ b/kubernetes/common/apps/openebs/kustomization.yaml @@ -4,5 +4,4 @@ resources: - ./namespace.yaml - ./helm-repository.yaml - ./helm-release.yaml -- ./mainpool-sc.yaml - ./monitoring-helm-release.yaml \ No newline at end of file diff --git a/kubernetes/main/core/storage/openebs/monitoring-helm-release.yaml b/kubernetes/common/apps/openebs/monitoring-helm-release.yaml similarity index 100% rename from kubernetes/main/core/storage/openebs/monitoring-helm-release.yaml rename to kubernetes/common/apps/openebs/monitoring-helm-release.yaml 
diff --git a/kubernetes/main/core/storage/openebs/namespace.yaml b/kubernetes/common/apps/openebs/namespace.yaml similarity index 100% rename from kubernetes/main/core/storage/openebs/namespace.yaml rename to kubernetes/common/apps/openebs/namespace.yaml diff --git a/kubernetes/main/core/networking/traefik/dashboard-ingress.yaml b/kubernetes/common/apps/traefik/app/files/dashboard-ingress.yaml similarity index 100% rename from kubernetes/main/core/networking/traefik/dashboard-ingress.yaml rename to kubernetes/common/apps/traefik/app/files/dashboard-ingress.yaml diff --git a/kubernetes/main/core/networking/traefik/helm-release.yaml b/kubernetes/common/apps/traefik/app/files/helm-release.yaml similarity index 97% rename from kubernetes/main/core/networking/traefik/helm-release.yaml rename to kubernetes/common/apps/traefik/app/files/helm-release.yaml index 17b2b7c..a0f74b7 100644 --- a/kubernetes/main/core/networking/traefik/helm-release.yaml +++ b/kubernetes/common/apps/traefik/app/files/helm-release.yaml @@ -17,7 +17,6 @@ spec: values: additionalArguments: - --api.insecure - - --entryPoints.factorio.address=:34197/udp logs: general: diff --git a/kubernetes/main/core/networking/traefik/helm-repository.yaml b/kubernetes/common/apps/traefik/app/files/helm-repository.yaml similarity index 100% rename from kubernetes/main/core/networking/traefik/helm-repository.yaml rename to kubernetes/common/apps/traefik/app/files/helm-repository.yaml diff --git a/kubernetes/main/core/networking/traefik/kustomization.yaml b/kubernetes/common/apps/traefik/app/files/kustomization.yaml similarity index 72% rename from kubernetes/main/core/networking/traefik/kustomization.yaml rename to kubernetes/common/apps/traefik/app/files/kustomization.yaml index 835cd22..191a565 100644 --- a/kubernetes/main/core/networking/traefik/kustomization.yaml +++ b/kubernetes/common/apps/traefik/app/files/kustomization.yaml 
@@ -4,5 +4,4 @@ resources: - ./namespace.yaml - ./helm-repository.yaml - ./helm-release.yaml -- ./default-tls-store.yaml - ./dashboard-ingress.yaml \ No newline at end of file diff --git a/kubernetes/main/core/networking/traefik/namespace.yaml b/kubernetes/common/apps/traefik/app/files/namespace.yaml similarity index 100% rename from kubernetes/main/core/networking/traefik/namespace.yaml rename to kubernetes/common/apps/traefik/app/files/namespace.yaml diff --git a/kubernetes/common/apps/traefik/app/ks.yaml b/kubernetes/common/apps/traefik/app/ks.yaml new file mode 100644 index 0000000..d514965 --- /dev/null +++ b/kubernetes/common/apps/traefik/app/ks.yaml @@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: traefik + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/traefik/app/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/main/core/networking/traefik/default-tls-store.yaml b/kubernetes/common/apps/traefik/extra/files/default-tls-store.yaml similarity index 100% rename from kubernetes/main/core/networking/traefik/default-tls-store.yaml rename to kubernetes/common/apps/traefik/extra/files/default-tls-store.yaml diff --git a/kubernetes/common/apps/traefik/extra/files/kustomization.yaml b/kubernetes/common/apps/traefik/extra/files/kustomization.yaml new file mode 100644 index 0000000..4dfa729 --- /dev/null +++ b/kubernetes/common/apps/traefik/extra/files/kustomization.yaml 
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./default-tls-store.yaml
\ No newline at end of file
diff --git a/kubernetes/common/apps/traefik/extra/ks.yaml b/kubernetes/common/apps/traefik/extra/ks.yaml
new file mode 100644
index 0000000..53e157d
--- /dev/null
+++ b/kubernetes/common/apps/traefik/extra/ks.yaml
@@ -0,0 +1,30 @@
+
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: traefik-default-tls
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/common/apps/traefik/extra/files
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ dependsOn:
+ - name: traefik
+ namespace: flux-system
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
\ No newline at end of file
diff --git a/kubernetes/common/apps/traefik/kustomization.yaml b/kubernetes/common/apps/traefik/kustomization.yaml
new file mode 100644
index 0000000..c2d4a00
--- /dev/null
+++ b/kubernetes/common/apps/traefik/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./app/ks.yaml
+- ./extra/ks.yaml
\ No newline at end of file
diff --git a/kubernetes/main/bootstrap/flux/forgejo-deploy-key.sops.yaml b/kubernetes/common/bootstrap/flux/forgejo-deploy-key.sops.yaml
similarity index 100%
rename from kubernetes/main/bootstrap/flux/forgejo-deploy-key.sops.yaml
rename to kubernetes/common/bootstrap/flux/forgejo-deploy-key.sops.yaml
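Review bot: extra/ks.yaml begins with an empty line before the `---` document marker, which the other ks.yaml files in this commit do not; yamllint's `document-start` rule and Prettier will both flag it, so drop the blank first line. Nothing else in the file differs from app/ks.yaml apart from `dependsOn` and the path.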
diff --git a/kubernetes/main/bootstrap/flux/kustomization.yaml b/kubernetes/common/bootstrap/flux/kustomization.yaml similarity index 100% rename from kubernetes/main/bootstrap/flux/kustomization.yaml rename to kubernetes/common/bootstrap/flux/kustomization.yaml diff --git a/kubernetes/main/bootstrap/flux/sops-key.sops.yaml b/kubernetes/common/bootstrap/flux/sops-key.sops.yaml similarity index 100% rename from kubernetes/main/bootstrap/flux/sops-key.sops.yaml rename to kubernetes/common/bootstrap/flux/sops-key.sops.yaml diff --git a/kubernetes/main/core/kustomization.yaml b/kubernetes/main/core/kustomization.yaml index c4557a3..d929528 100644 --- a/kubernetes/main/core/kustomization.yaml +++ b/kubernetes/main/core/kustomization.yaml @@ -3,9 +3,14 @@ kind: Kustomization resources: - ./kube-system - ./helm-repositories.yaml -- ./cert-manager -- ./networking -- ./storage +- ../../common/apps/cert-manager +- ../../common/apps/metallb +- ../../common/apps/traefik +# storage +- ./longhorn +- ./openebs + - ./kube-replicator -- ./nfd/ks.yaml -- ./intel-gpu/ks.yaml \ No newline at end of file + +- ../../common/apps/nfd/ks.yaml +- ../../common/apps/intel-gpu/ks.yaml \ No newline at end of file diff --git a/kubernetes/main/core/storage/longhorn/alerts.yaml b/kubernetes/main/core/longhorn/alerts.yaml similarity index 100% rename from kubernetes/main/core/storage/longhorn/alerts.yaml rename to kubernetes/main/core/longhorn/alerts.yaml diff --git a/kubernetes/main/core/storage/longhorn/helm-release.yaml b/kubernetes/main/core/longhorn/helm-release.yaml similarity index 100% rename from kubernetes/main/core/storage/longhorn/helm-release.yaml rename to kubernetes/main/core/longhorn/helm-release.yaml diff --git a/kubernetes/main/core/storage/longhorn/helm-repository.yaml b/kubernetes/main/core/longhorn/helm-repository.yaml similarity index 100% rename from kubernetes/main/core/storage/longhorn/helm-repository.yaml rename to kubernetes/main/core/longhorn/helm-repository.yaml 
diff --git a/kubernetes/main/core/storage/longhorn/kustomization.yaml b/kubernetes/main/core/longhorn/kustomization.yaml similarity index 100% rename from kubernetes/main/core/storage/longhorn/kustomization.yaml rename to kubernetes/main/core/longhorn/kustomization.yaml diff --git a/kubernetes/main/core/storage/longhorn/namespace.yaml b/kubernetes/main/core/longhorn/namespace.yaml similarity index 100% rename from kubernetes/main/core/storage/longhorn/namespace.yaml rename to kubernetes/main/core/longhorn/namespace.yaml diff --git a/kubernetes/main/core/storage/longhorn/service-monitor.yaml b/kubernetes/main/core/longhorn/service-monitor.yaml similarity index 100% rename from kubernetes/main/core/storage/longhorn/service-monitor.yaml rename to kubernetes/main/core/longhorn/service-monitor.yaml diff --git a/kubernetes/main/core/openebs/kustomization.yaml b/kubernetes/main/core/openebs/kustomization.yaml new file mode 100644 index 0000000..334016a --- /dev/null +++ b/kubernetes/main/core/openebs/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../../../common/apps/openebs +- ./mainpool-sc.yaml \ No newline at end of file diff --git a/kubernetes/main/core/storage/openebs/mainpool-sc.yaml b/kubernetes/main/core/openebs/mainpool-sc.yaml similarity index 100% rename from kubernetes/main/core/storage/openebs/mainpool-sc.yaml rename to kubernetes/main/core/openebs/mainpool-sc.yaml diff --git a/kubernetes/main/core/storage/local-path-provisioner/helm.yaml b/kubernetes/main/core/storage/local-path-provisioner/helm.yaml deleted file mode 100644 index a6966ef..0000000 --- a/kubernetes/main/core/storage/local-path-provisioner/helm.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: local-path-provisioner - namespace: flux-system -spec: - interval: 1m - url: https://github.com/rancher/local-path-provisioner.git - ref: - tag: v0.0.29 ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: local-path-provisioner - namespace: kube-system -spec: - interval: 15m - chart: - spec: - chart: ./deploy/chart/local-path-provisioner - sourceRef: - kind: GitRepository - name: local-path-provisioner - namespace: flux-system - maxHistory: 3 - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - helperImage: - repository: public.ecr.aws/docker/library/busybox - tag: latest - storageClass: - defaultClass: false - nodePathMap: - - node: DEFAULT_PATH_FOR_NON_LISTED_NODES - paths: ["/var/lib/rancher/k3s/storage"] - # Note: Do not enable Flux variable substitution on this HelmRelease - configmap: - setup: |- - #!/bin/sh - while getopts "m:s:p:" opt - do - case $opt in - p) - absolutePath=$OPTARG - ;; - s) - sizeInBytes=$OPTARG - ;; - m) - volMode=$OPTARG - ;; - esac - done - mkdir -m 0777 -p ${absolutePath} - chmod 701 ${absolutePath}/.. - teardown: |- - #!/bin/sh - while getopts "m:s:p:" opt - do - case $opt in - p) - absolutePath=$OPTARG - ;; - s) - sizeInBytes=$OPTARG - ;; - m) - volMode=$OPTARG - ;; - esac - done - rm -rf ${absolutePath} \ No newline at end of file diff --git a/kubernetes/main/secrets/kustomization.yaml b/kubernetes/main/secrets/kustomization.yaml index 69c610d..970b3ed 100644 --- a/kubernetes/main/secrets/kustomization.yaml +++ b/kubernetes/main/secrets/kustomization.yaml @@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./cluster-secrets.sops.yaml -- ./orca-registry-puller.sops.yaml - ./cluster-settings.yaml \ No newline at end of file 
diff --git a/kubernetes/main/secrets/orca-registry-puller.sops.yaml b/kubernetes/main/secrets/orca-registry-puller.sops.yaml
deleted file mode 100644
index c1af45f..0000000
--- a/kubernetes/main/secrets/orca-registry-puller.sops.yaml
+++ /dev/null
@@ -1,62 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: orca-puller - namespace: default - annotations: - replicator.v1.mittwald.de/replication-allowed: "true" - replicator.v1.mittwald.de/replication-allowed-namespaces: '*' -data: - .dockerconfigjson: ENC[AES256_GCM,data:g58h5rYAEZu2W3CYnYHgajsp7wvnFdhyRCt1qWPHbVDC+nwD1TVqTGDga1b2/RTR5tdobqZ9FdP41/1dzZeNBe2lfXOsWhQYd87EhpchFYRgsb9u7ZL32sxERhAxSg+0/AaoIYSHbuBLgRwxqnHOojS7Hcg956L+6Kgh/uiaOGsUrKRjlMAI0aN4agx+n/nU,iv:ichMs+o/3ld90VVq/UatXpAtpD6qjrEIdt0ZRwyh0Gg=,tag:lxvZy9U6sGsndz3sAy3DTQ==,type:str] -type: kubernetes.io/dockerconfigjson -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-07-22T02:12:00Z" - mac: ENC[AES256_GCM,data:yFHVGwFdi2n4Ju6SqqxXDxqxZaHKROIsQZtF+AtJY52f0XJif9jP2fi05dnxULnQ+wWOq4FPwVXc/9GiCiYMItecEApS0+6C7sWxKCWzYYAiFyxSajECzNtr4/XN5yoZBJCgsgFAf42jy9Nr5xLHOAVomnNfmDheS/Pe+Uq9v9E=,iv:oFKca0hHR7ERNgJqDp3pOxzQDBlTCF9Fx1yIl3HCj2o=,tag:107vU6pOFE6Na4BO5C5tiA==,type:str] - pgp: - - created_at: "2023-07-22T02:12:00Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAzKleRwoSoixAQ//QEVgmHtcIVC1afYtQMgD3Kwb+n0nZid3d/enKN64D+fJ - bw0xXX9tjO4sy3To49k0EDETLW5paxcNApFYL+zajxNfa+EAZfdYxQqKWraQcxvL - /p8bNDyzYDrecWcIdcq4RqrVEA4Ga0K6MmPM0t5l+J/PgguDJWmAxEzlmTb/CdqI - MpUmO0RoLHb6m0vfAkEI0LT5E/37pTdqjAq4eMT9n7zxeHr3NmJBIetahENxTKDk - Ymw7DhBCLZBPvHyxw/kU7hS/yhJMxmLw9mjHuzWkYVYmZQDB/TwqWsL4cVLFNAVu - LqZBHtl2HmaeGefhDij4SfxCj3qTi1e3z1T5wch97XmFanabNizb2oezHYou4h5k - AVqWuxUd13am9YhmRMQ32TPPxyAWpV4W87C/XnIrMrfePH2xy54S2ISyL5lQ1I3K - 5/a4ZMU8hBdCw7FxX6OSAXUd5cCfelJEaRopvwgXF5ZfQjARjQ7iGCedqBQbOsZM - vsf5WQvYxp8uivj7gKxhn+KkqJoM225OQKlSwCQ2bj20WsZ3SrjBuK41iO88urej - SJLAqG42e+nUjHXn/ql794kCHHG59uRES1wWLvgQ6Siu8TxJK6B+fjOrHBMOeSiD - oMKyqWIvziXN5KczkIpOWFCJzHb+AGTUn/a/jCLAqAxAqkWHwwbLdMiUv1053vHS - XgHkdbFnWqSekHCdLXu6q1lJhY+VAyzI55Ex2HvdxzBxWQKZAD4c1fFN/88j/Fb4 - 6/IVZvSU45coCyUR3O+py0s6XvBjrJL6W4haNXMl6nVcTxHgby1JTX5vickv400= - =cqEc - -----END PGP MESSAGE----- - fp: 
2CC2B3631D5C3393901335DB68F95C5D753EE1E5 - - created_at: "2023-07-22T02:12:00Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAy5t8IMoPu4VAQ//RAyoi7oTNza3klhojjvUXum9iH3pOl1eqNu3qdJc9L4A - rGeo7Q9NTgywAaHQA4N0WPjJfFNkKSFLBxbtRpzlVCNrfontoGoFr5fGFWDh2Kfe - LydY3Zz9yUfcQYuGm8onVM6B6ImYUtM9ZPix808jxfiuz7rvqNmxqTdCa9o5oMHK - TqQ5u26MBR9cFf+W7bxKdDsqm4vEhxxWpEf5wgX+iZboA4O/J8LCVwrp6pb2pJ1q - nMA5ElKk/WZbsB6C20DYNXJRsdHjC1Huye6NDt1Em2XY9qcfWkQskVtohlYCdDCp - TciHgOF32rmN7h1i4j5Ae58AaSQmNRpKZFc192z8+dHdiSlzQEno6XXV11pezz/i - 0ALvy2Q+r7xFA8xXyrOf7xOU/j9T8XCEAeidtQoZzEcINtg93tKItakzqacxRa2C - 4Yj3Wic3LGSX13dZ5cpQNT6P3F6UMVAlVEEu1lHdsAjShbmuFWSFNXVo473O3Nwu - 1imHmfb1xnqbiWS0tKdUX9jMQg+xYPrsAXQESq/9PmPJxl4tsGPzzCu+rMKf9pmF - XqGBASdcf9WaB4Hojm6+4UKb7pPDKAC2vLnOV9ilGv/0z+DwxU0x9swPkAYBm9M9 - KkcaEh8petqyU2J8f91ESU3OafMo2h5OsJvzB2Zte2XIZIZV0h0y8mo6LKOJ1hzS - XgFiMVicO02DFcMkSJXA7ZVnV+1qfJl5vPW6Sa0vDikz/k8jYoRSv2skwZcpFIYf - Kr6LbZskq2QVBDS50HdpbOfyF+N8/mYuSfjKkuVH8oOq0KrZ38eJROiygPgpUYk= - =i9P2 - -----END PGP MESSAGE----- - fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/thin/apps/cilium/bgp.yaml b/kubernetes/thin/apps/cilium/bgp.yaml new file mode 100644 index 0000000..4bc9b5c --- /dev/null +++ b/kubernetes/thin/apps/cilium/bgp.yaml 
@@ -0,0 +1,54 @@ +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPClusterConfig +metadata: + name: cilium-bgp +spec: + nodeSelector: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + bgpInstances: + - name: "bgp-public" + localASN: 65552 + peers: + - name: "router" + peerASN: 65551 + peerAddress: 192.168.1.1 + peerConfigRef: + name: "cilium-peer-router" +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPPeerConfig +metadata: + name: cilium-peer-router +spec: + timers: + holdTimeSeconds: 9 + keepAliveTimeSeconds: 3 + gracefulRestart: + enabled: true + restartTimeSeconds: 15 + families: + - afi: ipv4 + safi: unicast + advertisements: + matchLabels: + advertise: "bgp-public" +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPAdvertisement +metadata: + name: bgp-public-ad + labels: + advertise: "bgp-public" +spec: + advertisements: + - advertisementType: "Service" + service: + addresses: + #- ClusterIP + - ExternalIP + - LoadBalancerIP + selector: + matchLabels: + bgp/service-type: public \ No newline at end of file diff --git a/kubernetes/thin/apps/cilium/kustomization.yaml b/kubernetes/thin/apps/cilium/kustomization.yaml new file mode 100644 index 0000000..b436c3f --- /dev/null +++ b/kubernetes/thin/apps/cilium/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./main-ip-pool.yaml +- ./bgp.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/cilium/main-ip-pool.yaml b/kubernetes/thin/apps/cilium/main-ip-pool.yaml new file mode 100644 index 0000000..2b9ae95 --- /dev/null +++ b/kubernetes/thin/apps/cilium/main-ip-pool.yaml @@ -0,0 +1,8 @@ +apiVersion: "cilium.io/v2alpha1" +kind: CiliumLoadBalancerIPPool +metadata: + name: "main-pool" +spec: + blocks: + - start: "192.168.2.50" + stop: "192.168.2.59" \ No newline at end of file 
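Review bot: The `cilium-peer-router` CiliumBGPPeerConfig has no `authSecretRef`, so the session to 192.168.1.1 is unauthenticated; if the router supports TCP MD5, reference a Secret holding the session password via `authSecretRef` so that another host on the LAN cannot bring up a peering and announce the service prefixes itself. Separately, 65551 and 65552 are not private-use ASNs under RFC 6996 (which reserves 64512–65534 and 4200000000–4294967294); 65551 falls in the documentation range and 65552 is allocatable public space, so renumbering into private space is cheap even if nothing propagates beyond the home router. The advertisement also lists `ExternalIP`, which means any Service that sets `spec.externalIPs` and carries `bgp/service-type: public` is announced as well — confirm that is intended rather than only `LoadBalancerIP`.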
diff --git a/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml b/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml
new file mode 100644
index 0000000..409959c
--- /dev/null
+++ b/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml
@@ -0,0 +1,128 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: home-assistant + namespace: default +spec: + interval: 5m + chart: + spec: + chart: app-template + version: 3.4.0 + sourceRef: + kind: HelmRepository + name: bjws-charts + namespace: flux-system + dependsOn: + - name: openebs + namespace: openebs + values: + controllers: + main: + containers: + app: + image: + repository: ghcr.io/onedr0p/home-assistant + tag: 2024.9.1 + env: + TZ: America/New_York #${SERVER_TIMEZONE} + HASS_HTTP_TRUSTED_PROXY_1: 192.168.0.0/16 + HASS_HTTP_TRUSTED_PROXY_2: 10.0.0.0/8 + HASS_SECRET_URL: &hassHost "hass.thin.seanomik.net" #${SECRET_NEW_DOMAIN} + HOME_ASSISTANT__HACS_INSTALL: "true" + envFrom: + - secretRef: + name: home-assistant + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: ["ALL"] } + resources: + requests: + cpu: 10m + limits: + memory: 2Gi + code-server: + image: + repository: ghcr.io/coder/code-server + tag: 4.92.2 + args: [ + "--auth", "none", + "--user-data-dir", "/config/.vscode", + "--extensions-dir", "/config/.vscode", + "--port", "12321", + "/config" + ] + resources: + requests: + cpu: 10m + limits: + memory: 512Mi + + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: OnRootMismatch + seccompProfile: { type: RuntimeDefault } + + service: + app: + controller: main + + ports: + http: + port: 8123 + code-server: + port: 12321 + + ingress: + app: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + traefik.ingress.kubernetes.io/router.entrypoints: websecure + #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd + + className: external + hosts: + - host: *hassHost + paths: + - path: / + 
service: + identifier: app + port: http + code-server: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + traefik.ingress.kubernetes.io/router.entrypoints: websecure + #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd + + className: internal + hosts: + - host: "hass-code.internal.thin.seanomik.net" + paths: + - path: / + service: + identifier: app + port: code-server + + persistence: + config: + existingClaim: home-assistant-config + globalMounts: + - path: /config + logs: + type: emptyDir + globalMounts: + - path: /config/logs + tts: + type: emptyDir + globalMounts: + - path: /config/tts + tmp: + type: emptyDir + globalMounts: + - path: /tmp diff --git a/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml b/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml new file mode 100644 index 0000000..7d3f7a7 --- /dev/null +++ b/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./pvc.yaml +- ./secret.sops.yaml +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/default/home-assistant/files/pvc.yaml b/kubernetes/thin/apps/default/home-assistant/files/pvc.yaml new file mode 100644 index 0000000..11fc25a --- /dev/null +++ b/kubernetes/thin/apps/default/home-assistant/files/pvc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: home-assistant-config + namespace: default +spec: + accessModes: + - ReadWriteOnce + storageClassName: openebs-dual + resources: + requests: + storage: 6Gi \ No newline at end of file diff --git a/kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml b/kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml new file mode 100644 index 0000000..7c3abe3 --- /dev/null +++ b/kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml 
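Review bot: The `code-server` sidecar runs with `"--auth", "none"` and is published through the `code-server` Ingress on `hass-code.internal.thin.seanomik.net` while the `traefik-authentik@kubernetescrd` middleware annotation is left commented out, so anyone who can reach the `internal` ingress class gets an unauthenticated editor with write access to `/config`, which holds Home Assistant's configuration and secrets. Re-enable the forward-auth middleware on that Ingress, or do not create the Ingress until it is in place. The sidecar also has none of the `securityContext` hardening the `app` container declares (`allowPrivilegeEscalation: false`, `capabilities: { drop: ["ALL"] }`); add at least those two. Finally `HASS_HTTP_TRUSTED_PROXY_1: 192.168.0.0/16` and `HASS_HTTP_TRUSTED_PROXY_2: 10.0.0.0/8` trust `X-Forwarded-For` from every host in those ranges rather than from the ingress controller only, so the client IP used for login throttling and bans can be spoofed from anywhere on the LAN — narrow them to the ingress pods' addresses.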
@@ -0,0 +1,75 @@ +apiVersion: v1 +kind: Secret +metadata: + name: home-assistant + namespace: default +type: Opaque +stringData: + HASS_SECRET_ELEVATION: ENC[AES256_GCM,data:+dg6fw==,iv:8YPS3cD/qnZcQCwjdSVYJ5x/z0rSR8jplZfxr1EPqJk=,tag:2S0JTIYBvxN5tAnLMLMwtQ==,type:str] + HASS_SECRET_LATITUDE: ENC[AES256_GCM,data:Kgq3N7fRG8Dn2g==,iv:7m7RQM1WcIKTLfMr1cjcFxqnYJ+7llKNY6Mdl9MdVmI=,tag:wtgsJsCov1BxN0LW3bn2cg==,type:str] + HASS_SECRET_LONGITUDE: ENC[AES256_GCM,data:fBTv0J7rNN6Tt5I=,iv:lU0J2Qd1rRzrIKhYUDeqcQfRidGvsBzby7a/9UiCKYU=,tag:Lyh1QS3WIpP0tl0g9NEQMg==,type:str] + HASS_SECRET_DB_URL: ENC[AES256_GCM,data:YXk+YKDlqnrn7hxGe4Q5cTaafK2ijRWf2NtAltdeJmQ3sAL3Z8N7yV3VwSUkL9Re181JRXeiIebEoIMx2DDlTaYMcnGPQyqjSWBMSt4/+WgmZ0Q=,iv:5N/dbYht2ts26GAh14BxNA3zq7US+s8WbmNWFJtO+jk=,tag:6sqa0kufUdkyMVdJ9rVCdA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-09-16T00:34:28Z" + mac: ENC[AES256_GCM,data:zoW6fr1LbCpxj+47BS7YSJtT8CF3QLdkYR+JsNmVNv+NZ5229TC+RGWbSwjyHtqb7Xxzhwzuna8kVR9Jg8dnJOZhEJM2uY7rTx0z0tpakdvUggxDiBH3W8nIc//DzxgbGZwtP9/LNpzE0ucvTKrqJsUW6/Idu815bLknNbeaPxo=,iv:KbbWZ17JQNsCuSI26nGKwKjoP4aULua3GBCJbQgNpyI=,tag:PvEhlwCpYMtJB8lx5vmVfQ==,type:str] + pgp: + - created_at: "2024-09-16T00:34:28Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAyqlIeyoxYovAQ//WFv9Y/YWKUUEV7ymMAqVpCdiVp1DiRBbsNVlBCi+x2lF + NO/AHTeTvJL+9uyavQsSQVuuIhCMG9R7uwTAQaLgZat8Q3ToC4ntEjoxQQfKsUTl + 1qfsFTTGW8PJbekkvZmufTMTzmJ+8j0TGnQeCcI9D/XmE/fDP+P551YLCXJm/MtC + xGo1Wz27n0YYseWRjO6hAOU0/z3tQxgEYU40uWt/Wego3XaXVIAOC7E+uxbVIGfW + DsQQQi3E5mKGdWB6VvzozstneZuDNU+GiNCCHsYYCCSMwT4z1FFPTl3T4Qr+yRbQ + Ylh5y7LQsVmHnwzC2eDatxL2v7chSoYWczZMKTmNCcppZ1Lvas14Cd9MdC/yt2yD + jDrXtyw1jPho+A688EvB7E/nCEXnchL0xqCcCqa7IE3+hhZzxLWysfz4QM0Mg2rv + j7QLP2/ssuB9K2dOrudkE0MUzQyf5tu9Av7YD+KR0SEcuQ/Y2yvnScLf4SS/NEgG + erB8e44M/NG/CN38YOxPGtK9FcxjJKyDfk5S//TPteZBgtKwf18H5SDonu3E6WUU + Z61U/Vw31xtIuFVRPAQc5qzfCVQ9N0zJx28F3QJXcgMzmEVHQKyJ+/u9ytfTQpg5 + 
CPfexvgNg9CR++p6MY0tie07iLkmoT23hq1A36Q+pnyqR1bZVu0vVIVtOIANG3qF + AgwDXjg0p2IN1X8BD/4oBsOiwYJYAPdsxtQyMoj92r6NUl+STRdvalSyweJqf9xK + RfQzlNtdN6ADTD7p6PKZxg/Bb9HGJe7eUto78Eqn9Uqu67pGPCUiaVk7JUUayGHd + Fay3OJYuLEgukEo1okq+yBDjj+dGwTJ17Cl8hYgNSyeGCAiXqUkktkRXkjvhI55X + lgOc3wiaRqcuLFG5h00qo3Wy4ESzuQSKFEimpSec8CSxuY/vTg8CFjekkmUerNmd + eKKW6q0IB2WUrxbvG4moF+4pK6F8zOgF1B94cFuFHoDQ1sOFkUI95v0/mEi6qIX4 + gTD6DAbgmZCyFWrfH1ogU7vpa2aDrFDHYLFyjESX6zhMVnQwetQsgdQ3C2Q5HpD5 + uWuzbVSOVpUzwOsgwP1bUn6Layxnk3cVtgLj5ODdUYSBJZ6/ReQ/aQjhUpNVQIUA + inqCuL6dSFDTKKwDpzdVTX105knBNP5pHaDVdFN+iUu9pbFGSqWAZQ/XtfznBSbl + QntMp70zVe5TlMtB7DCpkRcgI/oOLjciM+ITVW3mh7nX0tbBUZ/2T/KKPwFHNI/4 + wU/TH13RW0l92eJRXYarYsOqsDsYzlkOoPupNQFK8UVu44cVe/jPJNNi9yU8EN5r + 2VoKr2F7sYprbSunhFrOXFGngCs0pgk6lKcWKE6mP8b2AmmX0FHBjojTDRu3D9Rm + AQkCEHK/1D/N2aQA8WZBnz87r51MTQ+dqxTu9tAOjCGX2jP1NvQqnS2vL+iqsvlo + CxojBsFhFZXLpd/op2N+4nFMA0HAPl4pKj5hi6tUEzkXr9ltfvnIMdv0ZoZoM61r + B1xdW8jX + =HAf4 + -----END PGP MESSAGE----- + fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD + - created_at: "2024-09-16T00:34:28Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAy5t8IMoPu4VAQ//S4pP46cksxK/sNjHKP8A8uY3KNewuTd9URB605mXlaAA + iTMnujsimRREiYoxkcgCIuxoYgpXoi30XrlrSbdKwSt1flGRjVBtW62uvgFRn/Ya + qmZimGRyhSr0NWMZdsCoOGECCd21lGOwGeTmZzcsvYtzT0fgpYoRtQv0L44eBuFy + uzNIvDw7SvvjM2nGWI6VAlAg6CnAz3Fo9JbccZINqgfRTNhtkHU5R6M0M6EjmN6M + xkcr280dOdV3dWKfAtZld2aPb9QLj2vxYxcSqaqQ3jLpmy5JrCT+E4fxt6THyg4R + x9EGds30zUOUwB5hOJGF+dPPdb3M1imZZymDYZ65WDt6nttRVz9p1Vxu8BiMzMef + CPcrArf5ic+TDp4QydwAb3UjkT+b8/iHGLrFLn7E7s9xaWN8Y8wHxhABjEMKia/8 + hhZozgapC7EIK10Qq4S+mce+pQrLdPrz++/jEL5enuh3vo8s6PSCAbM7sxjoNUV0 + Sjbl3lOlbvRLMRJoxMgeHCYKR8HBKYX3lbPSOl0+D2rwibdrbuk1N4NMq0z9YU3O + PCEDpGxzj469yss1XbpoANG7EpS9uMdTN+ONE1Xx7AvsADMrNvdJeLvku93bknZw + 6rD1aSBau98H/WGM1XGu0nOzQgxtfCoaFRnXf03lMldWlkQnwYuhZPs+3mwg8vfU + ZgEJAhD4mf23O6K9MUJFjoHABoZAQqX2UEc7TRjIc+YHGg8PekuK4yTWIKkHIvUL + WdiWaO8gB+QmoyHt6bg4+di1iqTujnKTPqPF6ehpoDlqWHXWs2mxl2UiC6DGUHlm + oIfC9MKtDA== + 
=uXt0 + -----END PGP MESSAGE----- + fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/kubernetes/thin/apps/default/home-assistant/ks.yaml b/kubernetes/thin/apps/default/home-assistant/ks.yaml new file mode 100644 index 0000000..424c719 --- /dev/null +++ b/kubernetes/thin/apps/default/home-assistant/ks.yaml @@ -0,0 +1,30 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: home-assistant + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/default/home-assistant/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: openebs-sc + namespace: flux-system + - name: postgresql + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/thin/apps/default/kustomization.yaml b/kubernetes/thin/apps/default/kustomization.yaml new file mode 100644 index 0000000..d037f75 --- /dev/null +++ b/kubernetes/thin/apps/default/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./whoami/ks.yaml +- ./home-assistant/ks.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/default/whoami/files/helm-release.yaml b/kubernetes/thin/apps/default/whoami/files/helm-release.yaml new file mode 100644 index 0000000..51c7db6 --- /dev/null +++ b/kubernetes/thin/apps/default/whoami/files/helm-release.yaml 
@@ -0,0 +1,49 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: whoami + namespace: default +spec: + interval: 5m + chart: + spec: + chart: app-template + version: 3.1.0 + sourceRef: + kind: HelmRepository + name: bjws-charts + namespace: flux-system + + values: + controllers: + main: + containers: + main: + image: + repository: containous/whoami + tag: latest + + service: + app: + controller: main + + ports: + http: + port: 80 + + ingress: + main: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + traefik.ingress.kubernetes.io/router.entrypoints: websecure + #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd + + className: internal + hosts: + - host: "whoami.${SECRET_NEW_DOMAIN}" + paths: + - path: / + service: + identifier: app + port: http diff --git a/kubernetes/thin/apps/default/whoami/files/kustomization.yaml b/kubernetes/thin/apps/default/whoami/files/kustomization.yaml new file mode 100644 index 0000000..ea3145d --- /dev/null +++ b/kubernetes/thin/apps/default/whoami/files/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/default/whoami/ks.yaml b/kubernetes/thin/apps/default/whoami/ks.yaml new file mode 100644 index 0000000..a92aa63 --- /dev/null +++ b/kubernetes/thin/apps/default/whoami/ks.yaml 
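Review bot: `tag: latest` on `containous/whoami` is a mutable reference, so the running image changes silently whenever that tag is re-pushed and a Git revert has nothing to revert to; pin a version tag (ideally with a digest), as every other image in this commit does (`2024.9.1`, `4.92.2`). The chart is also pinned to `version: 3.1.0` here while home-assistant uses `3.4.0`; aligning them avoids running two app-template versions side by side.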
@@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: whoami + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/default/whoami/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/thin/apps/helm-repositories.yaml b/kubernetes/thin/apps/helm-repositories.yaml new file mode 100644 index 0000000..fc2b583 --- /dev/null +++ b/kubernetes/thin/apps/helm-repositories.yaml @@ -0,0 +1,26 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: bitnami-charts + namespace: flux-system +spec: + interval: 1m + url: https://charts.bitnami.com/bitnami +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: bjws-charts + namespace: flux-system +spec: + interval: 1m + url: https://bjw-s.github.io/helm-charts +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: ingress-nginx + namespace: flux-system +spec: + interval: 1m + url: https://kubernetes.github.io/ingress-nginx \ No newline at end of file diff --git a/kubernetes/thin/apps/kubevirt-cdi/cr/kustomization.yaml b/kubernetes/thin/apps/kubevirt-cdi/cr/kustomization.yaml new file mode 100644 index 0000000..da2fdfc --- /dev/null +++ b/kubernetes/thin/apps/kubevirt-cdi/cr/kustomization.yaml 
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- https://github.com/kubevirt/containerized-data-importer/releases/download/v1.60.3/cdi-cr.yaml
+# change namespace to kubevirt-cdi
+transformers:
+- ../namespace-transformer.yaml
\ No newline at end of file
diff --git a/kubernetes/thin/apps/kubevirt-cdi/ks.yaml b/kubernetes/thin/apps/kubevirt-cdi/ks.yaml
new file mode 100644
index 0000000..3ef5620
--- /dev/null
+++ b/kubernetes/thin/apps/kubevirt-cdi/ks.yaml
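Review bot: The resource list fetches `cdi-cr.yaml` from a GitHub release URL at every kustomize build with nothing pinning its content: release assets can be replaced under the same tag, and neither kustomize nor Flux verifies a checksum for URL resources, so what gets applied is whatever the server returns at reconcile time. Vendoring the manifest into the repo (with the version kept in the filename or a comment) makes the build reproducible and lets upgrades show up as reviewable diffs. The same applies to `operator/kustomization.yaml` and to `kubevirt/cr/kustomization.yaml` and `kubevirt/operator/kustomization.yaml` in this commit.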
@@ -0,0 +1,62 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kubevirt-cdi-operator + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/kubevirt-cdi/operator + prune: true + targetNamespace: kubevirt-cdi + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: kubevirt-operator + namespace: flux-system + - name: kubevirt-operator-cr + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kubevirt-cdi-cr + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/kubevirt-cdi/cr + prune: true + targetNamespace: kubevirt-cdi + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: kubevirt-cdi-operator + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/thin/apps/kubevirt-cdi/namespace-transformer.yaml b/kubernetes/thin/apps/kubevirt-cdi/namespace-transformer.yaml new file mode 100644 index 0000000..9522f11 --- /dev/null +++ b/kubernetes/thin/apps/kubevirt-cdi/namespace-transformer.yaml 
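Review bot: Both Kustomizations set `targetNamespace: kubevirt-cdi` while the paths they build also apply `../namespace-transformer.yaml`, so the namespace rewrite appears to happen twice. As far as I can tell Flux implements `targetNamespace` through kustomize's own namespace handling, in which case the hand-written transformer is redundant and the two can drift (for example on how RoleBinding subjects are treated); keep one mechanism and add a comment saying why it is the one that is needed.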
@@ -0,0 +1,11 @@
+apiVersion: builtin
+kind: NamespaceTransformer
+metadata:
+ name: change-cdi-namespace
+ namespace: kubevirt-cdi
+setRoleBindingSubjects: none
+unsetOnly: false
+fieldSpecs:
+- path: metadata/name
+ kind: Namespace
+ create: true
\ No newline at end of file
diff --git a/kubernetes/thin/apps/kubevirt-cdi/operator/kustomization.yaml b/kubernetes/thin/apps/kubevirt-cdi/operator/kustomization.yaml
new file mode 100644
index 0000000..1beca53
--- /dev/null
+++ b/kubernetes/thin/apps/kubevirt-cdi/operator/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- https://github.com/kubevirt/containerized-data-importer/releases/download/v1.60.3/cdi-operator.yaml
+# change namespace to kubevirt-cdi
+transformers:
+- ../namespace-transformer.yaml
\ No newline at end of file
diff --git a/kubernetes/thin/apps/kubevirt/cr/kustomization.yaml b/kubernetes/thin/apps/kubevirt/cr/kustomization.yaml
new file mode 100644
index 0000000..460bd3e
--- /dev/null
+++ b/kubernetes/thin/apps/kubevirt/cr/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- https://github.com/kubevirt/kubevirt/releases/download/v1.3.1/kubevirt-cr.yaml
diff --git a/kubernetes/thin/apps/kubevirt/ks.yaml b/kubernetes/thin/apps/kubevirt/ks.yaml
new file mode 100644
index 0000000..41dda7d
--- /dev/null
+++ b/kubernetes/thin/apps/kubevirt/ks.yaml
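Review bot: `setRoleBindingSubjects: none` leaves the namespace of ServiceAccount subjects in RoleBindings and ClusterRoleBindings untouched while the ServiceAccounts themselves are moved to `kubevirt-cdi`; if the upstream CDI manifests pin their subjects to the original namespace, the operator's bindings will point at a ServiceAccount that no longer exists and the operator will run without its RBAC. Check the rendered ClusterRoleBindings, and if they still name the upstream namespace switch to `setRoleBindingSubjects: allServiceAccounts`. A one-line comment on this field explaining the choice would save the next reader the same investigation.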
@@ -0,0 +1,60 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kubevirt-operator + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/kubevirt/operator + prune: true + targetNamespace: kubevirt + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: openebs + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kubevirt-operator-cr + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/kubevirt/cr + prune: true + targetNamespace: kubevirt + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: kubevirt-operator + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/thin/apps/kubevirt/operator/kustomization.yaml b/kubernetes/thin/apps/kubevirt/operator/kustomization.yaml new file mode 100644 index 0000000..e89fad7 --- /dev/null +++ b/kubernetes/thin/apps/kubevirt/operator/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- https://github.com/kubevirt/kubevirt/releases/download/v1.3.1/kubevirt-operator.yaml diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml new file mode 100644 index 0000000..339bda0 
--- /dev/null
+++ b/kubernetes/thin/apps/kustomization.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-repositories.yaml
+# networking
+- ./cilium
+- ./nginx/ks.yaml
+- ../../common/apps/cert-manager
+# storage
+- ./snapshot-system/ks.yaml
+- ./openebs/ks.yaml
+# hardware
+- ../../common/apps/nfd/ks.yaml
+- ../../common/apps/intel-gpu/ks.yaml
+# VMs
+- ./kubevirt/ks.yaml
+- ./kubevirt-cdi/ks.yaml
+
+- ../../common/apps/database
+- ./default
\ No newline at end of file
diff --git a/kubernetes/thin/apps/nginx/external/helm-release.yaml b/kubernetes/thin/apps/nginx/external/helm-release.yaml
new file mode 100644
index 0000000..6271d8b
--- /dev/null
+++ b/kubernetes/thin/apps/nginx/external/helm-release.yaml
@@ -0,0 +1,102 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: nginx-external +spec: + interval: 30m + chart: + spec: + chart: ingress-nginx + version: 4.11.2 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + fullnameOverride: nginx-external + controller: + replicaCount: 2 + service: + annotations: + io.cilium/lb-ipam-ips: 192.168.2.50 + labels: + bgp/service-type: public + + ingressClassResource: + name: external + default: false + controllerValue: k8s.io/external + + admissionWebhooks: + objectSelector: + matchExpressions: + - key: ingress-class + operator: In + values: ["external"] + + allowSnippetAnnotations: true + config: + # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go + block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*" + client-body-buffer-size: 100M + client-body-timeout: 120 + client-header-timeout: 120 + enable-brotli: "true" + enable-ocsp: "true" + enable-real-ip: "true" + force-ssl-redirect: "true" + hide-headers: Server,X-Powered-By + hsts-max-age: 31449600 + keep-alive-requests: 10000 + keep-alive: 120 + log-format-escape-json: "true" + log-format-upstream: > + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", + "request_length": $request_length, "duration": $request_time, "method": 
"$request_method", "http_referrer": "$http_referer", + "http_user_agent": "$http_user_agent"} + proxy-body-size: 0 + proxy-buffer-size: 16k + ssl-protocols: TLSv1.3 TLSv1.2 + use-forwarded-headers: "true" + + metrics: + enabled: false # TODO + serviceMonitor: + enabled: true + namespaceSelector: + any: true + + extraArgs: + default-ssl-certificate: nginx/wildcard-main-tls + + terminationGracePeriodSeconds: 120 + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: nginx-external + app.kubernetes.io/component: controller + + resources: + requests: + cpu: 100m + limits: + memory: 500Mi + + defaultBackend: + enabled: false diff --git a/kubernetes/thin/apps/nginx/external/kustomization.yaml b/kubernetes/thin/apps/nginx/external/kustomization.yaml new file mode 100644 index 0000000..ea3145d --- /dev/null +++ b/kubernetes/thin/apps/nginx/external/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/nginx/internal/helm-release.yaml b/kubernetes/thin/apps/nginx/internal/helm-release.yaml new file mode 100644 index 0000000..3180bfd --- /dev/null +++ b/kubernetes/thin/apps/nginx/internal/helm-release.yaml 
@@ -0,0 +1,102 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: nginx-internal +spec: + interval: 30m + chart: + spec: + chart: ingress-nginx + version: 4.11.2 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + fullnameOverride: nginx-internal + controller: + replicaCount: 2 + service: + annotations: + io.cilium/lb-ipam-ips: 192.168.2.51 + labels: + bgp/service-type: public + + ingressClassResource: + name: internal + default: true + controllerValue: k8s.io/internal + + admissionWebhooks: + objectSelector: + matchExpressions: + - key: ingress-class + operator: In + values: ["internal"] + + allowSnippetAnnotations: true + config: + # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go + block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*" + client-body-buffer-size: 100M + client-body-timeout: 120 + client-header-timeout: 120 + enable-brotli: "true" + enable-ocsp: "true" + enable-real-ip: "true" + force-ssl-redirect: "true" + hide-headers: Server,X-Powered-By + hsts-max-age: 31449600 + keep-alive-requests: 10000 + keep-alive: 120 + log-format-escape-json: "true" + log-format-upstream: > + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", + "request_length": $request_length, "duration": $request_time, "method": 
"$request_method", "http_referrer": "$http_referer", + "http_user_agent": "$http_user_agent"} + proxy-body-size: 0 + proxy-buffer-size: 16k + ssl-protocols: TLSv1.3 TLSv1.2 + use-forwarded-headers: "true" + + metrics: + enabled: false # TODO + serviceMonitor: + enabled: true + namespaceSelector: + any: true + + extraArgs: + default-ssl-certificate: nginx/wildcard-main-tls + + terminationGracePeriodSeconds: 120 + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: nginx-internal + app.kubernetes.io/component: controller + + resources: + requests: + cpu: 100m + limits: + memory: 500Mi + + defaultBackend: + enabled: false diff --git a/kubernetes/thin/apps/nginx/internal/kustomization.yaml b/kubernetes/thin/apps/nginx/internal/kustomization.yaml new file mode 100644 index 0000000..ea3145d --- /dev/null +++ b/kubernetes/thin/apps/nginx/internal/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/nginx/ks.yaml b/kubernetes/thin/apps/nginx/ks.yaml new file mode 100644 index 0000000..889e45e --- /dev/null +++ b/kubernetes/thin/apps/nginx/ks.yaml 
@@ -0,0 +1,53 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: nginx-external
+ namespace: flux-system
+spec:
+ targetNamespace: nginx
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/thin/apps/nginx/external
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: nginx-internal
+ namespace: flux-system
+spec:
+ targetNamespace: nginx
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/thin/apps/nginx/internal
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
\ No newline at end of file
diff --git a/kubernetes/thin/apps/openebs/app/helm-release.yaml b/kubernetes/thin/apps/openebs/app/helm-release.yaml
new file mode 100644
index 0000000..648c9e3
--- /dev/null
+++ b/kubernetes/thin/apps/openebs/app/helm-release.yaml
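Review bot: Both Kustomizations hand `cluster-secrets` to `postBuild.substituteFrom` although the `external/` and `internal/` paths contain only a HelmRelease with no `${SECRET_…}` references, so the ingress controllers get a substitution scope they do not use; any future `${SECRET_*}` reference would land in plaintext in the HelmRelease object in the `nginx` namespace, readable by anyone with get on HelmReleases there. Drop the `- kind: Secret` / `name: cluster-secrets` entry from both (keeping the `cluster-settings` ConfigMap), or add a comment naming the variable that requires it.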
@@ -0,0 +1,69 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: openebs + namespace: openebs +spec: + interval: 5m + chart: + spec: + chart: openebs + version: 4.1.0 + sourceRef: + kind: HelmRepository + name: openebs + namespace: flux-system + values: + openebs-crds: + csi: + volumeSnapshots: + enabled: false + keep: false + + # Refer to https://github.com/openebs/dynamic-localpv-provisioner/blob/HEAD/deploy/helm/charts/values.yaml for complete set of values. + localpv-provisioner: + rbac: + create: true + localpv: + enabled: true + hostpathClass: + enabled: true + + # Refer to https://github.com/openebs/mayastor-extensions/blob/v2.7.0/chart/values.yaml for complete set of values. + mayastor: + enabled: true + nodeSelector: + kubernetes.io/arch: amd64 + openebs.io/engine: mayastor + csi: + node: + initContainers: + enabled: true + etcd: + # -- Kubernetes Cluster Domain + clusterDomain: cluster.local + crds: + enabled: false + monitoring: + enabled: false + loki-stack: + enabled: false + storageClass: + nameSuffix: single + tolerations: + # tolerate control plane + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + + engines: + local: + lvm: + enabled: true + zfs: + enabled: true + replicated: + mayastor: + enabled: true + diff --git a/kubernetes/thin/apps/openebs/app/helm-repository.yaml b/kubernetes/thin/apps/openebs/app/helm-repository.yaml new file mode 100644 index 0000000..2bec563 --- /dev/null +++ b/kubernetes/thin/apps/openebs/app/helm-repository.yaml 
@@ -0,0 +1,17 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: openebs
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://openebs.github.io/openebs
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: openebs-monitoring-charts
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://openebs.github.io/monitoring
\ No newline at end of file
diff --git a/kubernetes/thin/apps/openebs/app/kustomization.yaml b/kubernetes/thin/apps/openebs/app/kustomization.yaml
new file mode 100644
index 0000000..4ee545a
--- /dev/null
+++ b/kubernetes/thin/apps/openebs/app/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./helm-repository.yaml
+- ./helm-release.yaml
+#- ./monitoring-helm-release.yaml
\ No newline at end of file
diff --git a/kubernetes/thin/apps/openebs/app/monitoring-helm-release.yaml b/kubernetes/thin/apps/openebs/app/monitoring-helm-release.yaml
new file mode 100644
index 0000000..d8cb0cd
--- /dev/null
+++ b/kubernetes/thin/apps/openebs/app/monitoring-helm-release.yaml
@@ -0,0 +1,41 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: openebs-monitoring
+ namespace: openebs
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: openebs-monitoring
+ version: 0.4.13
+ sourceRef:
+ kind: HelmRepository
+ name: openebs-monitoring-charts
+ namespace: flux-system
+ dependsOn:
+ - name: openebs
+ values:
+ kube-prometheus-stack:
+ install: false
+
+ openebsMonitoringAddon:
+ # this is the only provisioner enabled
+ localPV:
+ enabled: true
+
+ cStore:
+ enabled: false
+ jiva:
+ enabled: false
+ ndm:
+ enabled: false
+ npd:
+ enabled: false
+ deviceLocalPV:
+ enabled: false
+ lvmLocalPV:
+ enabled: false
+ zfsLocalPV:
+ enabled: false
\ No newline at end of file
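Review bot: In `monitoring-helm-release.yaml` the comment `# this is the only provisioner enabled` above `localPV` contradicts `helm-release.yaml` in the same directory, which enables the `lvm`, `zfs` and `mayastor` engines as well, so a reader would conclude those engines are unmonitored by design rather than by omission. Either flip `lvmLocalPV`/`zfsLocalPV` to match, or rewrite the comment to `# only hostpath localPV is scraped for now; lvm/zfs/mayastor (enabled in helm-release.yaml) are not covered by this addon yet`. The file is still commented out in `kustomization.yaml`, so the mismatch is dormant until it is wired in — worth fixing before then.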
diff --git a/kubernetes/thin/apps/openebs/app/namespace.yaml b/kubernetes/thin/apps/openebs/app/namespace.yaml
new file mode 100644
index 0000000..2175285
--- /dev/null
+++ b/kubernetes/thin/apps/openebs/app/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: openebs
\ No newline at end of file
diff --git a/kubernetes/thin/apps/openebs/ks.yaml b/kubernetes/thin/apps/openebs/ks.yaml
new file mode 100644
index 0000000..b2fd926
--- /dev/null
+++ b/kubernetes/thin/apps/openebs/ks.yaml
@@ -0,0 +1,59 @@
+
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: openebs
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/thin/apps/openebs/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ dependsOn:
+ - name: snapshot-system
+ namespace: flux-system
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: openebs-sc
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/thin/apps/openebs/storage-class
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ dependsOn:
+ - name: openebs
+ namespace: flux-system
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
\ No newline at end of file
diff --git a/kubernetes/thin/apps/openebs/storage-class/dual-replica-sc.yaml b/kubernetes/thin/apps/openebs/storage-class/dual-replica-sc.yaml
new file mode 100644
index 0000000..62dea56
--- /dev/null
+++ b/kubernetes/thin/apps/openebs/storage-class/dual-replica-sc.yaml
@@ -0,0 +1,8 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: openebs-dual
+parameters:
+ protocol: nvmf
+ repl: "2"
+provisioner: io.openebs.csi-mayastor
\ No newline at end of file
diff --git a/kubernetes/thin/apps/openebs/storage-class/kustomization.yaml b/kubernetes/thin/apps/openebs/storage-class/kustomization.yaml
new file mode 100644
index 0000000..20cd2b1
--- /dev/null
+++ b/kubernetes/thin/apps/openebs/storage-class/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./pool.yaml
+- ./dual-replica-sc.yaml
\ No newline at end of file
diff --git a/kubernetes/thin/apps/openebs/storage-class/pool.yaml b/kubernetes/thin/apps/openebs/storage-class/pool.yaml
new file mode 100644
index 0000000..49e25e5
--- /dev/null
+++ b/kubernetes/thin/apps/openebs/storage-class/pool.yaml
@@ -0,0 +1,39 @@ +apiVersion: "openebs.io/v1beta2" +kind: DiskPool +metadata: + name: pool-dorm-controller-d52ycbgv + namespace: openebs +spec: + node: dorm-controller-d52ycbgv + disks: + - /dev/disk/by-id/nvme-SAMSUNG_MZVLB256HAHQ-000H1_S425NX1MA23444 +--- +apiVersion: "openebs.io/v1beta2" +kind: DiskPool +metadata: + name: pool-dorm-worker-3ssgwrlx + namespace: openebs +spec: + node: dorm-worker-3ssgwrlx + disks: + - /dev/disk/by-id/nvme-KXG60ZNV256G_TOSHIBA_69CA70CIK34N +--- +apiVersion: "openebs.io/v1beta2" +kind: DiskPool +metadata: + name: pool-dorm-worker-hklqhcrv + namespace: openebs +spec: + node: dorm-worker-hklqhcrv + disks: + - /dev/disk/by-id/nvme-SAMSUNG_MZVLW256HEHP-000L7_S35ENX0K125956 +--- +apiVersion: "openebs.io/v1beta2" +kind: DiskPool +metadata: + name: pool-dorm-worker-kgoutccb + namespace: openebs +spec: + node: dorm-worker-kgoutccb + disks: + - /dev/disk/by-id/nvme-SAMSUNG_MZVLW256HEHP-000L7_S35ENX0K173346 \ No newline at end of file diff --git a/kubernetes/thin/apps/snapshot-system/app/helm-release.yaml b/kubernetes/thin/apps/snapshot-system/app/helm-release.yaml new file mode 100644 index 0000000..6eb28ff --- /dev/null +++ b/kubernetes/thin/apps/snapshot-system/app/helm-release.yaml @@ -0,0 +1,31 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: snapshot-controller + namespace: snapshot-system +spec: + interval: 30m + timeout: 15m + chart: + spec: + chart: snapshot-controller + version: 3.0.6 + sourceRef: + kind: HelmRepository + name: piraeus + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + controller: + serviceMonitor: + create: false # TODO + webhook: + enabled: false \ No newline at end of file 
diff --git a/kubernetes/thin/apps/snapshot-system/app/helm-repo.yaml b/kubernetes/thin/apps/snapshot-system/app/helm-repo.yaml new file mode 100644 index 0000000..91c9108 --- /dev/null +++ b/kubernetes/thin/apps/snapshot-system/app/helm-repo.yaml @@ -0,0 +1,8 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: piraeus + namespace: flux-system +spec: + interval: 1m + url: https://piraeus.io/helm-charts/ \ No newline at end of file diff --git a/kubernetes/thin/apps/snapshot-system/app/kustomization.yaml b/kubernetes/thin/apps/snapshot-system/app/kustomization.yaml new file mode 100644 index 0000000..524ef3c --- /dev/null +++ b/kubernetes/thin/apps/snapshot-system/app/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./namespace.yaml +- ./helm-repo.yaml +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/snapshot-system/app/namespace.yaml b/kubernetes/thin/apps/snapshot-system/app/namespace.yaml new file mode 100644 index 0000000..1409af9 --- /dev/null +++ b/kubernetes/thin/apps/snapshot-system/app/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: snapshot-system \ No newline at end of file diff --git a/kubernetes/main/core/intel-gpu/ks.yaml b/kubernetes/thin/apps/snapshot-system/ks.yaml similarity index 72% rename from kubernetes/main/core/intel-gpu/ks.yaml rename to kubernetes/thin/apps/snapshot-system/ks.yaml index 96c36a9..e89d772 100644 --- a/kubernetes/main/core/intel-gpu/ks.yaml +++ b/kubernetes/thin/apps/snapshot-system/ks.yaml @@ -2,12 +2,12 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: intel-gpu + name: snapshot-system namespace: flux-system spec: timeout: 5m interval: 10m - path: ./kubernetes/main/core/intel-gpu/files + path: ./kubernetes/thin/apps/snapshot-system/app prune: true sourceRef: kind: GitRepository 
@@ -15,7 +15,4 @@ spec: decryption: provider: sops secretRef: - name: sops-gpg - dependsOn: - - name: nfd - namespace: flux-system \ No newline at end of file + name: sops-gpg \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml new file mode 100644 index 0000000..005ebee --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml @@ -0,0 +1,93 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: traefik-external + namespace: traefik +spec: + interval: 5m + chart: + spec: + chart: traefik + version: '30.1.0' + sourceRef: + kind: HelmRepository + name: traefik-charts + namespace: flux-system + interval: 1m + values: + service: + annotations: + io.cilium/lb-ipam-ips: 192.168.2.50 + labels: + bgp/service-type: public + + additionalArguments: + - --api.insecure + + providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: false + allowExternalNameServices: false + allowEmptyServices: false + namespaces: [] + + kubernetesIngress: + enabled: true + allowExternalNameServices: false + allowEmptyServices: false + namespaces: [] + publishedService: + enabled: false + + ports: + traefik: + port: 9000 + expose: + default: false + exposedPort: 9000 + protocol: TCP + + web: + port: 8000 + nodePort: 30080 + expose: + default: true + redirectTo: + port: websecure + protocol: TCP + + websecure: + port: 8443 + nodePort: 30443 + expose: + default: true + protocol: TCP + tls: + enabled: true + + metrics: + port: 9100 + expose: + default: false + protocol: TCP + + # Disable Dashboard + ingressRoute: + dashboard: + enabled: false + + ingressClass: + enabled: true + isDefaultClass: false + name: external + + metrics: + prometheus: + entryPoint: metrics + + # Set default certificate +# tlsStore: +# default: +# defaultCertificate: +# secretName: wildcard-main-tls 
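Review bot: `additionalArguments: - --api.insecure` turns on the Traefik API (and dashboard) with no authentication on the `traefik` entrypoint, port 9000; `expose.default: false` only keeps it off the Service, so any pod in the cluster can still reach the pod IP and read the full router/service/middleware configuration, which is pointless given `ingressRoute.dashboard.enabled: false`. Remove the argument; if the dashboard is wanted later, publish it through an IngressRoute with an auth middleware rather than the insecure listener. Separately, this release claims `io.cilium/lb-ipam-ips: 192.168.2.50`, the same address `nginx/external/helm-release.yaml` claims, and `thin/apps/kustomization.yaml` does not reference the traefik tree, so it looks like an unfinished alternative — a top-of-file comment saying so (and why both controllers share an address) would stop the next person from enabling both.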
diff --git a/kubernetes/thin/apps/traefik/app/files/helm-repository.yaml b/kubernetes/thin/apps/traefik/app/files/helm-repository.yaml new file mode 100644 index 0000000..cb2e806 --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/files/helm-repository.yaml @@ -0,0 +1,8 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: traefik-charts + namespace: flux-system +spec: + interval: 1m + url: https://traefik.github.io/charts diff --git a/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml new file mode 100644 index 0000000..796e449 --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml 
@@ -0,0 +1,83 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: traefik-internal + namespace: traefik +spec: + interval: 5m + chart: + spec: + chart: traefik + version: '30.1.0' + sourceRef: + kind: HelmRepository + name: traefik-charts + namespace: flux-system + interval: 1m + values: + service: + annotations: + io.cilium/lb-ipam-ips: 192.168.2.51 + labels: + bgp/service-type: public + + providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: false + allowExternalNameServices: false + allowEmptyServices: false + namespaces: [] + + kubernetesIngress: + enabled: true + allowExternalNameServices: false + allowEmptyServices: false + namespaces: [] + publishedService: + enabled: false + + ports: + web: + port: 8000 + nodePort: 30081 + expose: + default: true + redirectTo: + port: websecure + protocol: TCP + + websecure: + port: 8443 + nodePort: 30444 + expose: + default: true + protocol: TCP + tls: + enabled: true + + metrics: + port: 9100 + expose: + default: false + protocol: TCP + + # Disable Dashboard + ingressRoute: + dashboard: + enabled: false + + ingressClass: + enabled: true + isDefaultClass: true + name: internal + + metrics: + prometheus: + entryPoint: metrics + + # Set default certificate + tlsStore: + default: + defaultCertificate: + secretName: wildcard-main-tls \ No newline at end of file diff --git a/kubernetes/main/core/networking/metallb/kustomization.yaml b/kubernetes/thin/apps/traefik/app/files/kustomization.yaml similarity index 72% rename from kubernetes/main/core/networking/metallb/kustomization.yaml rename to kubernetes/thin/apps/traefik/app/files/kustomization.yaml index 046bf58..8f65359 100644 --- a/kubernetes/main/core/networking/metallb/kustomization.yaml +++ b/kubernetes/thin/apps/traefik/app/files/kustomization.yaml 
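Review bot: Nothing in this release tells the CRD provider which IngressRoute objects belong to the internal instance — `providers.kubernetesCRD` has `namespaces: []` and no `ingressClass`, and `traefik-external` in `helm-release.yaml` is configured the same way — so, as far as the values shown here go, every IngressRoute would be picked up by both controllers and an internal-only route would also be published on `192.168.2.50`. Set `providers.kubernetesCRD.ingressClass: internal` and `providers.kubernetesIngress.ingressClass: internal` (and the `external` equivalents in the other release) unless the chart derives these from `ingressClass.name`; check the rendered `--providers.kubernetescrd.ingressclass` flag to confirm. Both services are also labelled `bgp/service-type: public`, which reads oddly for the instance named internal — if that is deliberate, a comment would help.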
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./namespace.yaml +- ./helm-repository.yaml - ./helm-release.yaml -- ./metallb-static-ips.yaml \ No newline at end of file +- ./internal-hr.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/files/namespace.yaml b/kubernetes/thin/apps/traefik/app/files/namespace.yaml new file mode 100644 index 0000000..c30b28b --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/files/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: traefik + labels: + name: traefik \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/ks.yaml b/kubernetes/thin/apps/traefik/app/ks.yaml new file mode 100644 index 0000000..39f2a0d --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/ks.yaml @@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: traefik + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/traefik/app/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/extra/files/default-tls-store.yaml b/kubernetes/thin/apps/traefik/extra/files/default-tls-store.yaml new file mode 100644 index 0000000..9a38626 --- /dev/null +++ b/kubernetes/thin/apps/traefik/extra/files/default-tls-store.yaml @@ -0,0 +1,9 @@ +apiVersion: traefik.io/v1alpha1 +kind: TLSStore +metadata: + name: default + namespace: traefik + +spec: + defaultCertificate: + secretName: wildcard-main-tls \ No newline at end of file 
diff --git a/kubernetes/thin/apps/traefik/extra/files/kustomization.yaml b/kubernetes/thin/apps/traefik/extra/files/kustomization.yaml
new file mode 100644
index 0000000..4dfa729
--- /dev/null
+++ b/kubernetes/thin/apps/traefik/extra/files/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./default-tls-store.yaml
\ No newline at end of file
diff --git a/kubernetes/thin/apps/traefik/extra/ks.yaml b/kubernetes/thin/apps/traefik/extra/ks.yaml
new file mode 100644
index 0000000..53e157d
--- /dev/null
+++ b/kubernetes/thin/apps/traefik/extra/ks.yaml
@@ -0,0 +1,30 @@
+
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: traefik-default-tls
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/common/apps/traefik/extra/files
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ dependsOn:
+ - name: traefik
+ namespace: flux-system
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
\ No newline at end of file
diff --git a/kubernetes/thin/apps/traefik/kustomization.yaml b/kubernetes/thin/apps/traefik/kustomization.yaml
new file mode 100644
index 0000000..3342dd8
--- /dev/null
+++ b/kubernetes/thin/apps/traefik/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./app/ks.yaml
+#- ./extra/ks.yaml
\ No newline at end of file
diff --git a/kubernetes/thin/flux/config/cluster.yaml b/kubernetes/thin/flux/config/cluster.yaml
new file mode 100644
index 0000000..776a5f1
--- /dev/null
+++ b/kubernetes/thin/flux/config/cluster.yaml
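Review bot: `extra/ks.yaml` points at `path: ./kubernetes/common/apps/traefik/extra/files`, but the TLSStore it is meant to apply is added in this same commit under `kubernetes/thin/apps/traefik/extra/files`, so the Kustomization would fail (or, if a `common` tree with that name appears later, silently apply something else) the moment `#- ./extra/ks.yaml` is uncommented. Change it to `path: ./kubernetes/thin/apps/traefik/extra/files`, and since `internal-hr.yaml` already sets `tlsStore.default.defaultCertificate`, add a comment in `traefik/kustomization.yaml` saying whether the `extra` tree is still needed at all.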
@@ -0,0 +1,61 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: home-cluster
+ namespace: flux-system
+spec:
+ interval: 1m0s
+ ref:
+ branch: feat/thin-cluster
+ secretRef:
+ name: forgejo-deploy-key
+ url: ssh://git@git.seanomik.net/seanomik/k3s-cluster
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster-secrets
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/thin/secrets
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: apps
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ dependsOn:
+ - name: cluster-secrets
+ path: ./kubernetes/thin/apps
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
\ No newline at end of file
diff --git a/kubernetes/thin/flux/config/kustomization.yaml b/kubernetes/thin/flux/config/kustomization.yaml
new file mode 100644
index 0000000..00ec3c9
--- /dev/null
+++ b/kubernetes/thin/flux/config/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./cluster.yaml
\ No newline at end of file
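Review bot: The GitRepository tracks `branch: feat/thin-cluster`, so a feature branch — presumably without whatever protections the main branch has — is what the `cluster-secrets` and `apps` Kustomizations decrypt and apply with `prune: true`; anyone who can push to that branch changes cluster state, and a rebase or deletion of it leaves Flux stuck on a missing ref. Switch to the protected branch once merged (`branch: main`, or whatever the repo uses) and leave a `# TODO: point at the protected branch after merge` comment next to it in the meantime so it is not forgotten. Since a GPG key is already part of this workflow (`sops-gpg`), adding `spec.verify` with `mode: HEAD` and a Secret holding the trusted signing public keys is a cheap addition here, so kustomize-controller only applies signed commits.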
diff --git a/kubernetes/thin/secrets/cluster-secrets.sops.yaml b/kubernetes/thin/secrets/cluster-secrets.sops.yaml
new file mode 100644
index 0000000..3e3c2ca
--- /dev/null
+++ b/kubernetes/thin/secrets/cluster-secrets.sops.yaml
@@ -0,0 +1,79 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cluster-secrets + namespace: flux-system +type: Opaque +stringData: + SECRET_MY_EMAIL: ENC[AES256_GCM,data:rNyzxxuVq/1dII5m8OKexQsH,iv:+i/h+iXhBNM7qxDyK7/3pQqp8l7hXDHhnZOwyuwcC3k=,tag:RM3svsBJXpFafRzoLp2NOg==,type:str] + SECRET_LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:uUinHshJ3aUNzJDRQNVNWwNJ,iv:s8kggffO33/E04aUdZvxmgNhoPVKh+HnjX+k0o0DTNc=,tag:qreqEiN28i26OpsagQP5hQ==,type:str] + SECRET_DOMAIN: ENC[AES256_GCM,data:3zCSigeMzhC4H2SDVjqV6Q==,iv:OtUj2mDzmv9afBf4NcDSwZgGdKLJY3WG8qqSbI/NNog=,tag:buWUYjBMtfAVQADN2EREvQ==,type:str] + SECRET_NEW_DOMAIN: ENC[AES256_GCM,data:BDuzEYN7KOlqDUbJyFwHWCQ=,iv:DHrkALxuuEiZhjdLeFArgaORR8ZlsUuW2BT/joEFQGo=,tag:u1zVa2SA4xpgjNcO9iXtiw==,type:str] + SECRET_AUTHENTIK_SECRET_KEY: ENC[AES256_GCM,data:A2S9VBNLw2m6IEEGunHo8T/4v0tp0RvByYc6FIJdx1Q=,iv:Mu+TbsN2Ci2/7LvKhb8XWm6SPJe5ZxS8Z8YWjLwdT1c=,tag:uoatWIMDRLT4XaP0f0kpiQ==,type:str] + SECRET_DATABASE_PGSQL_USER_PASS: ENC[AES256_GCM,data:A++t+kACJthb9w6yml5KJo9Eqc/wp/BFadLzwOQhkhc=,iv:7mA6zCaC360dyJkC5wybh3PnGWjr12q0R/aGKi2D5Rc=,tag:h3BVuMH8VvnSc8LEM85wlQ==,type:str] + SECRET_DATABASE_PGSQL_ADMIN_PASS: ENC[AES256_GCM,data:UyFKnNw20KiJZj/Y5Jba6uFhDU/N+Dijl1mJlCcBgJk=,iv:Il50aBOHREDCDYeXmZks9DVBkq1+z1ZLo2KfibbiWmk=,tag:y/DBhdWLToD30tqVGD3uRg==,type:str] + SECRET_DATABASE_REDIS_PASS: ENC[AES256_GCM,data:ePEMWYYpXF5lv4+RAScXxArlKXq8U21XUYsSWBf8TG0=,iv:Lr9qq1fVuyzleC3oU7izKP/YHoSrtXADl9efz3iWgEw=,tag:73XjcnTWr1wPYFEROznz+A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-09-07T01:46:20Z" + mac: ENC[AES256_GCM,data:vdG/QHWHQge+m6YCBqtAfRsXdWvMLiZQ6DOnaxgaUNpslPvQuHml1kWBsSKrmNmB79jxqB2M6HwEY7ljOMf6ZlTeMs7mW6i0oj368IS6gQGfOHSJ4d34shyXujO9JHEnmL7O0tnOs1bp4ZHxdd/t4Wmq/ii+W/Kbta3/VLtOj/A=,iv:aB8Y4Y0t4ncViBAvH2WAAGgzbrzUSvL3/RRY+VVUKlk=,tag:0BSFABPxUxgRG1fDrDHXug==,type:str] + pgp: + - created_at: "2024-09-07T01:46:20Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMAyqlIeyoxYovAQ//XsBS23tIBniGlJAVG7gBJRclDr4ecXUH3LTkVPSaQ4r6 + gLPL19dZaYcs4hkvOOgm0u7tXXPMFHuIWvLLPKwAbZMOGcvhqgSWmVDIFRKOtAKt + mdNeVEWARwf2/3JsVSyh8pyxbdtC1dlY6BB8Cxd95n70ZQdrAbGewAK6sVWWAiRr + uSLiYO/HUdyoP38q77dwG4p8up1qchND92Ie04zowWbiquMq+V/2pgJ3dd51Z5Gn + oD1oNZZZeZaBJ+G3mea5QSzduE7x8R56YyGyBcDOn6gmMxJF8adDBsQfdH2bQCWQ + I2QstgQwXAvvwqexow8x/wEAkUXksB/dZKWOu3QhlFq7vLJ9RXGTaKCg0FCcu8/U + h7x4njNLA2/aidAVL4ufRohiONss2fjcDhpiJ7uyBM/horq2SmABzwoCtmRS/4du + oE/Ygfh+OPa6+SuQmwB+BH255HPsDNeikC/F3XJ/LXKO6460L7yQAdYnKAR3EqVL + KcfrVNIaFAIxLQ7SQ3DaU2ddc18pzPbBDnLwwFoO+mM2u6wwaKZkyjAK/1NlNs/O + WGXjPzBvpjWTQmSL4PhwGmtaolNpE9j3zpLHUs3TcKUKXyzV1f5p2pxXBBo/IYZy + rVkKm2zPR0rgkVjJMWiZ+uazGy3mVbsDj3y/5c+CRYTuNoHk/AuWz3x8KSEz/JCF + AgwDXjg0p2IN1X8BEADFHtP/WpUDejsej2gXlWYJkT6N9IiZqfMKbejk3yAQr9+L + 9J1c5UkDT6MeQpIFs04cZMAVmQRg+Q5D9ipgp8t4PMBNCT6xuQYIvfkdoESQG4Rt + 6FpQHkeKkooXWJJzCppexkKzXeHjfMFm7KPd0jea46uwh+Qx2MbDaoiGK+YCzb82 + mWCpgPfguOdbLaGI2aSYiWTrmMnNZv4cthv4Z/u1ph6NB2X/SbG3ot5O569epLpq + Al9bVUb2ZCEfrRUmqC9eWTr3p+GFRF77u7PVBwOjYItI4Paz+M7EKUmUqvMoj4EF + X+I9Oaac2t9nlIMLKNtq14LkncvdW+xuy83M2dN708ceo0+HxUeHCFyqbogKG8l9 + vQa9OFGleLyeoWlVlBqKco2cQe4xI8UkJryxsBC+36OaeqrCFAhbYpCn5QL/Ij/4 + 8ZPg1RCh9oeFvfripRpQ9G6UNtmvloK8LA/73uHnkztAYx2AFMaI6zQr75F7S8IH + tSGNEUA3MHOU7pIrCp9KnGjjfsChD6J9d0EoOOQfP1nDxVkXrL1afiuFtieJOiru + pyr1LJonGBdBxDDSrfPj6tc1moqIjgiZiDBcImEPv076Wro9EZdTi53CNj9rtEln + hUpFDcNMdwccumMslDl8qNdAKJgFGEORtRqFs+n7nywjAnxqd7gVGKDO4RrjsdRm + AQkCEFhM1Krfrf1RAJz/fnEeg21yvhg47SCgBiNGizLXgyCgK1kGuxB+SpJVMkAg + rdBo5t2UfXkVyJQ00K77you1N17NtPnyKr8xfItd7JRmDpJn40f9MFR2AOyVFC5B + lVleELeG + =bKFu + -----END PGP MESSAGE----- + fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD + - created_at: "2024-09-07T01:46:20Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAy5t8IMoPu4VARAAo2y6IQJlsEAswykjpfDzvQw3TCyTiZWe6duhmnDoXKjK + 8A66oDpQcfl0ubjIj6/FJICLr2PGPb1bgKUEz+vBsp1bv+txUtLwUXJTqFKnCS1H + CRKfEmDSNaAtNEtpOGnCeMffB0ghLvs42mlTUUi7u240FJ6MgD7AvV4UlM5IYOLx + 
+yZyjzYzgNibyh7rOun2E/df2VhDX0Ns6n9ZPZ3TFSdqsXGJ4bqn8+0MhJYeOMNc + ap3dMMhUuUoH5krvocNymJ6WH8x4LwUJrlQsTdr0edA6BhNYC35a2JcAkOGblaCP + er845gN/iCRhl6i/XFYcz7mhMheYmiVf5TEuMvFsdjBl0yNi65wJz5EX3U01Y63+ + G+UeWCLt9+qDnAG3CN45Hgp46xIXocBvUhqdrg4Srtd+h/12Xlg8vV0jcdezWNm5 + pqWVeLDGjDFZNLvG/p+dWF+EDN/Zv9V3Axb1ChYeRCbue0POqr7X6OS5lWZmuUwa + oaiE2vYFkUCcdZtQANDDluh36Bk2pHAOELcttPa4OO4F0mCopAtg6uDp07WQUUwR + TkELlxQvOQYtTJZkTiiOe7ogr3jXWuz6hp80WN/ZVdh6UtO9cNem3d5+hECUA0LY + NuEPYAAyZxfpvRRIrkV768AS+USqA6VDjistIFc/qTG0L3WeDyP6h0plAJr9OKvU + ZgEJAhCQhjQZwIG7xvkuK2EzSePmMMUl+DEbq1GzgCuzh3Y+X/3pryvEjh+002pe + 55FSHnIZn+nD8Z1jAcRI+6mEZWfNYUXecF98+JBGIe73J/xjNUSWJZpSiYLIMnR6 + 6SKCYH9ORA== + =jqMe + -----END PGP MESSAGE----- + fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/kubernetes/thin/secrets/cluster-settings.yaml b/kubernetes/thin/secrets/cluster-settings.yaml new file mode 100644 index 0000000..f256e0f --- /dev/null +++ b/kubernetes/thin/secrets/cluster-settings.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cluster-settings + namespace: flux-system +data: + # MetalLB + METALLB_LB_RANGE: 192.168.2.50-192.168.2.59 + SERVER_TIMEZONE: America/New_York \ No newline at end of file diff --git a/kubernetes/thin/secrets/kustomization.yaml b/kubernetes/thin/secrets/kustomization.yaml new file mode 100644 index 0000000..970b3ed --- /dev/null +++ b/kubernetes/thin/secrets/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./cluster-secrets.sops.yaml +- ./cluster-settings.yaml \ No newline at end of file
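Review bot: Every credential in this file — including `SECRET_DATABASE_PGSQL_ADMIN_PASS` and `SECRET_AUTHENTIK_SECRET_KEY` — is encrypted only to the two PGP recipients listed under `pgp` (the `fp` entries ending `…99CFEBCD` and `…82D7663D`), with `kms`, `gcp_kms`, `azure_kv`, `hc_vault` and `age` all empty; compromise of either private key decrypts the whole set, and loss of both makes it unrecoverable, so an additional `age` recipient or a documented key-rotation path is worth considering. The `encrypted_regex: ^(data|stringData)$` and the presence of a `mac` are correct, and nothing here is in cleartext. Because this Secret is consumed through Flux `substituteFrom` rather than mounted, any of these values that is referenced from a non-Secret resource (a ConfigMap, a HelmRelease `values` block) will be persisted in plaintext in that object — if that is the case for any of these keys it should be moved to a dedicated Secret consumed via `valuesFrom` or `secretKeyRef` instead; that usage is inferred, not visible in this hunk.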