diff --git a/.ansible-lint b/.ansible-lint
deleted file mode 100644
index 8f92c9a9..00000000
--- a/.ansible-lint
+++ /dev/null
@@ -1,9 +0,0 @@
---- -skip_list: - yaml[line-length] - var-naming -warn_list: - command-instead-of-shell - deprecated-command-syntax - experimental - no-changed-when
diff --git a/.archive/.taskfiles/Ansible/Taskfile.yaml b/.archive/.taskfiles/Ansible/Taskfile.yaml
deleted file mode 100644
index ecacebf1..00000000
--- a/.archive/.taskfiles/Ansible/Taskfile.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
---- -# yaml-language-server: $schema=https://taskfile.dev/schema.json -version: "3" - -vars: - PYTHON_BIN: python3 - -env: - PATH: "{{.ROOT_DIR}}/.venv/bin:$PATH" - VIRTUAL_ENV: "{{.ROOT_DIR}}/.venv" - ANSIBLE_COLLECTIONS_PATH: "{{.ROOT_DIR}}/.venv/galaxy" - ANSIBLE_ROLES_PATH: "{{.ROOT_DIR}}/.venv/galaxy/ansible_roles" - ANSIBLE_VARS_ENABLED: "host_group_vars,community.sops.sops" - -tasks: - - deps: - desc: Set up Ansible dependencies for the environment - cmds: - - task: .venv - - run: - desc: Run an Ansible playbook for configuring a cluster - summary: | - Args: - cluster: Cluster to run command against (required) - playbook: Playbook to run (required) - prompt: Run Ansible playbook '{{.playbook}}' against the '{{.cluster}}' cluster... continue? - deps: ["deps"] - cmd: | - .venv/bin/ansible-playbook \ - --inventory {{.ANSIBLE_DIR}}/{{.cluster}}/inventory/hosts.yaml \ - {{.ANSIBLE_DIR}}/{{.cluster}}/playbooks/{{.playbook}}.yaml {{.CLI_ARGS}} - preconditions: - - { msg: "Argument (cluster) is required", sh: "test -n {{.cluster}}" } - - { msg: "Argument (playbook) is required", sh: "test -n {{.playbook}}" } - - { msg: "Venv not found", sh: "test -d {{.ROOT_DIR}}/.venv" } - - { msg: "Inventory not found", sh: "test -f {{.ANSIBLE_DIR}}/{{.cluster}}/inventory/hosts.yaml" } - - { msg: "Playbook not found", sh: "test -f {{.ANSIBLE_DIR}}/{{.cluster}}/playbooks/{{.playbook}}.yaml" } - - .venv: - internal: true - cmds: - - true && {{.PYTHON_BIN}} -m venv {{.ROOT_DIR}}/.venv - - .venv/bin/python3 -m pip install --upgrade pip setuptools wheel - - .venv/bin/python3 -m pip install --upgrade --requirement {{.ANSIBLE_DIR}}/requirements.txt - - .venv/bin/ansible-galaxy install --role-file "{{.ANSIBLE_DIR}}/requirements.yaml" --force - sources: - - "{{.ANSIBLE_DIR}}/requirements.txt" - - "{{.ANSIBLE_DIR}}/requirements.yaml" - generates: - - "{{.ROOT_DIR}}/.venv/pyvenv.cfg"
diff --git a/.archive/.taskfiles/rook/Taskfile.yaml b/.archive/.taskfiles/rook/Taskfile.yaml
deleted file mode 100644
index df004a10..00000000
--- a/.archive/.taskfiles/rook/Taskfile.yaml
+++ /dev/null
@@ -1,104 +0,0 @@
---- -version: "3" - -x-task-vars: &task-vars - node: "{{.node}}" - ceph_disk: "{{.ceph_disk}}" - ts: "{{.ts}}" - jobName: "{{.jobName}}" - -vars: - waitForJobScript: "../_scripts/wait-for-k8s-job.sh" - ts: '{{now | date "150405"}}' - -tasks: - wipe-node-aule: - desc: Trigger a wipe of Rook-Ceph data on node "aule" - cmds: - - task: wipe-disk - vars: - node: "{{.node}}" - ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460833" - - task: wipe-data - vars: - node: "{{.node}}" - vars: - node: aule - - wipe-node-orome: - desc: Trigger a wipe of Rook-Ceph data on node "orome" - cmds: - - task: wipe-disk - vars: - node: "{{.node}}" - ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37645333" - - task: wipe-data - vars: - node: "{{.node}}" - vars: - node: orome - - wipe-node-eonwe: - desc: Trigger a wipe of Rook-Ceph data on node "eonwe" - cmds: - - task: wipe-disk - vars: - node: "{{.node}}" - ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460887" - - task: wipe-data - vars: - node: "{{.node}}" - vars: - node: eonwe - - wipe-node-arlen: - desc: Trigger a wipe of Rook-Ceph data on node "arlen" - cmds: - - task: wipe-disk - vars: - node: "{{.node}}" - ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460897" - - task: wipe-data - vars: - node: "{{.node}}" - vars: - node: arlen - - wipe-disk: - desc: Wipe all remnants of rook-ceph from a given disk (ex. 
task rook:wipe-disk node=aule ceph_disk="/dev/nvme0n1") - silent: true - internal: true - cmds: - - envsubst < <(cat {{.wipeRookDiskJobTemplate}}) | kubectl apply -f - - - bash {{.waitForJobScript}} {{.wipeCephDiskJobName}} default - - kubectl -n default wait job/{{.wipeCephDiskJobName}} --for condition=complete --timeout=1m - - kubectl -n default logs job/{{.wipeCephDiskJobName}} --container list - - kubectl -n default delete job {{.wipeCephDiskJobName}} - vars: - node: '{{ or .node (fail "`node` is required") }}' - ceph_disk: '{{ or .ceph_disk (fail "`ceph_disk` is required") }}' - jobName: 'wipe-disk-{{- .node -}}-{{- .ceph_disk | replace "/" "-" -}}-{{- .ts -}}' - wipeRookDiskJobTemplate: "WipeDiskJob.tmpl.yaml" - env: *task-vars - preconditions: - - sh: test -f {{.waitForJobScript}} - - sh: test -f {{.wipeRookDiskJobTemplate}} - - wipe-data: - desc: Wipe all remnants of rook-ceph from a given disk (ex. task rook:wipe-data node=aule) - silent: true - internal: true - cmds: - - envsubst < <(cat {{.wipeRookDataJobTemplate}}) | kubectl apply -f - - - bash {{.waitForJobScript}} {{.wipeRookDataJobName}} default - - kubectl -n default wait job/{{.wipeRookDataJobName}} --for condition=complete --timeout=1m - - kubectl -n default logs job/{{.wipeRookDataJobName}} --container list - - kubectl -n default delete job {{.wipeRookDataJobName}} - vars: - node: '{{ or .node (fail "`node` is required") }}' - jobName: "wipe-rook-data-{{- .node -}}-{{- .ts -}}" - wipeRookDataJobTemplate: "WipeRookDataJob.tmpl.yaml" - env: *task-vars - preconditions: - - sh: test -f {{.waitForJobScript}} - - sh: test -f {{.wipeRookDataJobTemplate}}
diff --git a/.archive/.taskfiles/rook/WipeDiskJob.tmpl.yaml b/.archive/.taskfiles/rook/WipeDiskJob.tmpl.yaml
deleted file mode 100644
index 2c5bf35f..00000000
--- a/.archive/.taskfiles/rook/WipeDiskJob.tmpl.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
---- -apiVersion: batch/v1 -kind: Job -metadata: - name: "${jobName}" - namespace: "default" -spec: - ttlSecondsAfterFinished: 3600 - template: - spec: - automountServiceAccountToken: false - restartPolicy: Never - nodeName: ${node} - containers: - - name: disk-wipe - image: docker.io/library/alpine:3.20.0 - securityContext: - privileged: true - resources: {} - command: ["/bin/sh", "-c"] - args: - - apk add --no-cache sgdisk util-linux parted; - sgdisk --zap-all ${ceph_disk}; - blkdiscard ${ceph_disk}; - dd if=/dev/zero bs=1M count=10000 oflag=direct of=${ceph_disk}; - partprobe ${ceph_disk};
diff --git a/.archive/.taskfiles/rook/WipeRookDataJob.tmpl.yaml b/.archive/.taskfiles/rook/WipeRookDataJob.tmpl.yaml
deleted file mode 100644
index 70b1be55..00000000
--- a/.archive/.taskfiles/rook/WipeRookDataJob.tmpl.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
---- -apiVersion: batch/v1 -kind: Job -metadata: - name: "${jobName}" - namespace: "default" -spec: - ttlSecondsAfterFinished: 3600 - template: - spec: - automountServiceAccountToken: false - restartPolicy: Never - nodeName: ${node} - containers: - - name: disk-wipe - image: docker.io/library/alpine:3.20.0 - securityContext: - privileged: true - resources: {} - command: ["/bin/sh", "-c"] - args: - - rm -rf /mnt/host_var/lib/rook - volumeMounts: - - mountPath: /mnt/host_var - name: host-var - volumes: - - name: host-var - hostPath: - path: /var
diff --git a/.archive/.taskfiles/rook/pod.yaml b/.archive/.taskfiles/rook/pod.yaml
deleted file mode 100644
index bd32784b..00000000
--- a/.archive/.taskfiles/rook/pod.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1 -kind: Pod -metadata: - name: my-pod -spec: - containers: - - name: disk-wipe - image: docker.io/library/alpine:3.20.0 - securityContext: - privileged: true - resources: {} - command: ["/bin/sh", "-c"] - args: - - apk add --no-cache sgdisk util-linux parted e2fsprogs; - sgdisk --zap-all /dev/nvme1n1; - blkdiscard /dev/nvme1n1; - dd if=/dev/zero bs=1M count=10000 oflag=direct of=/dev/nvme1n1; - sgdisk /dev/nvme1n1 - partprobe /dev/nvme1n1;
diff --git a/.archive/kubernetes/default/jellyfin/app/helmrelease.yaml b/.archive/kubernetes/default/jellyfin/app/helmrelease.yaml
deleted file mode 100644
index 8acbb53c..00000000
--- a/.archive/kubernetes/default/jellyfin/app/helmrelease.yaml
+++ /dev/null
@@ -1,116 +0,0 @@
---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: jellyfin - namespace: default -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.1.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - jellyfin: - type: statefulset - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: jellyfin/jellyfin - tag: 10.8.13 - env: - NVIDIA_VISIBLE_DEVICES: "all" - NVIDIA_DRIVER_CAPABILITIES: "compute,video,utility" - DOTNET_SYSTEM_IO_DISABLEFILELOCKING: "true" - JELLYFIN_FFmpeg__probesize: 50000000 - JELLYFIN_FFmpeg__analyzeduration: 50000000 - JELLYFIN_PublishedServerUrl: jelly.hsn.dev - TZ: America/Chicago - probes: - liveness: &probes - enabled: true - custom: true - spec: - httpGet: - path: /health - port: &port 8096 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: *probes - startup: - enabled: false - resources: - requests: - nvidia.com/gpu: 1 # requesting 1 GPU - cpu: 100m - memory: 512Mi - limits: - nvidia.com/gpu: 1 - memory: 4Gi - pod: - runtimeClassName: nvidia - enableServiceLinks: false - nodeSelector: - nvidia.com/gpu.present: "true" - securityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - supplementalGroups: [44, 105, 10000] - service: - app: - controller: jellyfin - ports: - http: - port: *port - ingress: - app: - enabled: true - className: external-nginx - annotations: - external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" - external-dns.alpha.kubernetes.io/target: external.hsn.dev - hosts: - - host: &host 
"jelly.hsn.dev" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host - persistence: - config: - existingClaim: jellyfin - enabled: true - transcode: - type: emptyDir - globalMounts: - - path: /transcode - media: - enabled: true - type: nfs - server: 10.1.1.12 - path: /mnt/users/Media - globalMounts: - - path: /media
diff --git a/.archive/kubernetes/default/jellyfin/app/kustomization.yaml b/.archive/kubernetes/default/jellyfin/app/kustomization.yaml
deleted file mode 100644
index 2eb7698f..00000000
--- a/.archive/kubernetes/default/jellyfin/app/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: default -resources: - - ./helmrelease.yaml - - ../../../../templates/volsync
diff --git a/.archive/kubernetes/default/jellyfin/ks.yaml b/.archive/kubernetes/default/jellyfin/ks.yaml
deleted file mode 100644
index f0daf558..00000000
--- a/.archive/kubernetes/default/jellyfin/ks.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app jellyfin - namespace: flux-system -spec: - dependsOn: - - name: external-secrets-stores - path: ./kubernetes/apps/default/jellyfin/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app - VOLSYNC_CAPACITY: 10Gi
diff --git a/.archive/kubernetes/home-automation/home-assistant/app/externalsecret.yaml b/.archive/kubernetes/home-automation/home-assistant/app/externalsecret.yaml
deleted file mode 100644
index 112299d0..00000000
--- a/.archive/kubernetes/home-automation/home-assistant/app/externalsecret.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: home-assistant -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: home-assistant-secret - creationPolicy: Owner - template: - engineVersion: v2 - data: - HASS_ELEVATION: "{{ .hass_elevation }}" - HASS_LATITUDE: "{{ .hass_latitude }}" - HASS_LONGITUDE: "{{ .hass_longitude }}" - dataFrom: - - extract: - key: home-assistant - rewrite: - - regexp: - source: "(.*)" - target: "hass_$1"
diff --git a/.archive/kubernetes/home-automation/home-assistant/app/helmrelease.yaml b/.archive/kubernetes/home-automation/home-assistant/app/helmrelease.yaml
deleted file mode 100644
index d451a21e..00000000
--- a/.archive/kubernetes/home-automation/home-assistant/app/helmrelease.yaml
+++ /dev/null
@@ -1,90 +0,0 @@
---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: home-assistant -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.1.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - home-assistant: - annotations: - reloader.stakater.com/auto: "true" - pod: - annotations: - k8s.v1.cni.cncf.io/networks: | - [{ - "name":"multus-iot", - "namespace": "kube-system", - "ips": ["10.1.3.151/24"] - }] - securityContext: - runAsUser: 568 - runAsGroup: 568 - runAsNonRoot: true - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - containers: - app: - image: - repository: ghcr.io/home-assistant/home-assistant - tag: 2024.5.5 - env: - TZ: America/Chicago - HASS_HTTP_TRUSTED_PROXY_1: 10.244.0.0/16 - envFrom: - - secretRef: - name: home-assistant-secret - resources: - requests: - cpu: 10m - limits: - memory: 1Gi - service: - app: - controller: home-assistant - ports: - http: - port: 8123 - ingress: - app: - className: internal-nginx - hosts: - - host: &host hass.jahanson.tech - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: [*host] - persistence: - config: - existingClaim: home-assistant - logs: - type: emptyDir - globalMounts: - - path: /config/logs - tts: - type: emptyDir - globalMounts: - - path: /config/tts - tmp: - type: emptyDir
diff --git a/.archive/kubernetes/home-automation/home-assistant/app/kustomization.yaml b/.archive/kubernetes/home-automation/home-assistant/app/kustomization.yaml
deleted file mode 100644
index be13d2db..00000000
--- a/.archive/kubernetes/home-automation/home-assistant/app/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml - - ../../../../templates/volsync
diff --git a/.archive/kubernetes/home-automation/home-assistant/ks.yaml b/.archive/kubernetes/home-automation/home-assistant/ks.yaml
deleted file mode 100644
index 9aacacf9..00000000
--- a/.archive/kubernetes/home-automation/home-assistant/ks.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app home-assistant - namespace: flux-system -spec: - targetNamespace: home-automation - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: external-secrets-stores - - name: openebs-system - - name: volsync - path: ./kubernetes/apps/home-automation/home-assistant/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app - VOLSYNC_CAPACITY: 5Gi
diff --git a/.archive/kubernetes/home-automation/kustomization.yaml b/.archive/kubernetes/home-automation/kustomization.yaml
deleted file mode 100644
index 33992969..00000000
--- a/.archive/kubernetes/home-automation/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Pre Flux-Kustomizations - - ./namespace.yaml - # Flux-Kustomizations - - ./mosquitto/ks.yaml
diff --git a/.archive/kubernetes/home-automation/matter-server/app/helmrelease.yaml b/.archive/kubernetes/home-automation/matter-server/app/helmrelease.yaml
deleted file mode 100644
index c7d21f76..00000000
--- a/.archive/kubernetes/home-automation/matter-server/app/helmrelease.yaml
+++ /dev/null
@@ -1,107 +0,0 @@
---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: &app matter-server -spec: - interval: 15m - chart: - spec: - chart: app-template - version: 3.2.1 - interval: 15m - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - maxHistory: 3 - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - matter-server: - type: statefulset - annotations: - reloader.stakater.com/auto: "true" - pod: - annotations: - k8s.v1.cni.cncf.io/networks: | - [{ - "name":"multus-iot", - "namespace": "kube-system", - "ips": ["10.1.3.152/24"] - }] - securityContext: - runAsUser: 568 - runAsGroup: 568 - runAsNonRoot: true - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - - containers: - app: - image: - repository: ghcr.io/home-assistant-libs/python-matter-server - tag: 6.0.1 - pullPolicy: IfNotPresent - env: - TZ: "America/Chicago" - MATTER_SERVER__INSTANCE_NAME: Matter-Server - MATTER_SERVER__PORT: &port 5580 - MATTER_SERVER__APPLICATION_URL: &host matter.jahanson.tech - MATTER_SERVER__LOG_LEVEL: info - probes: - liveness: - enabled: true - readiness: - enabled: true - startup: - enabled: true - spec: - failureThreshold: 30 - periodSeconds: 5 - resources: - requests: - memory: "100M" - limits: - memory: "500M" - service: - app: - controller: *app - type: LoadBalancer - annotations: - io.cilium/lb-ipam-ips: "10.1.1.37" - ports: - api: - enabled: true - primary: true - protocol: TCP - port: *port - externalTrafficPolicy: Cluster - persistence: - config: - enabled: true - existingClaim: matter-server - advancedMounts: - matter-server: - app: - - path: "/data" - ingress: - app: - className: internal-nginx - hosts: - - host: *host - paths: - - path: / - service: - 
identifier: app - port: http - tls: - - hosts: [*host]
diff --git a/.archive/kubernetes/home-automation/matter-server/app/kustomization.yaml b/.archive/kubernetes/home-automation/matter-server/app/kustomization.yaml
deleted file mode 100644
index a928a563..00000000
--- a/.archive/kubernetes/home-automation/matter-server/app/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ../../../../templates/volsync
diff --git a/.archive/kubernetes/home-automation/matter-server/ks.yaml b/.archive/kubernetes/home-automation/matter-server/ks.yaml
deleted file mode 100644
index 177b9056..00000000
--- a/.archive/kubernetes/home-automation/matter-server/ks.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app matter-server - namespace: flux-system -spec: - targetNamespace: home-automation - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: openebs-system - - name: volsync - path: ./kubernetes/apps/home-automation/matter-server/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app - VOLSYNC_CAPACITY: 1Gi
diff --git a/.archive/kubernetes/home-automation/mosquitto/app/config/mosquitto.conf b/.archive/kubernetes/home-automation/mosquitto/app/config/mosquitto.conf
deleted file mode 100644
index a2b210d5..00000000
--- a/.archive/kubernetes/home-automation/mosquitto/app/config/mosquitto.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-per_listener_settings false -listener 1883 -allow_anonymous false -persistence true -persistence_location /data -autosave_interval 1800 -connection_messages false -autosave_interval 60 -password_file /mosquitto/external_config/mosquitto_pwd
diff --git a/.archive/kubernetes/home-automation/mosquitto/app/externalsecret.yaml b/.archive/kubernetes/home-automation/mosquitto/app/externalsecret.yaml
deleted file mode 100644
index c48a93a8..00000000
--- a/.archive/kubernetes/home-automation/mosquitto/app/externalsecret.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: mosquitto -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: mosquitto-secret - creationPolicy: Owner - template: - engineVersion: v2 - data: - mosquitto_pwd: | - {{ .mosquitto_username }}:{{ .mosquitto_password }} - {{ .mosquitto_zwave_username }}:{{ .mosquitto_zwave_password }} - {{ .mosquitto_home_assistant_username }}:{{ .mosquitto_home_assistant_password }} - dataFrom: - - extract: - key: mosquitto - rewrite: - - regexp: - source: "(.*)" - target: "mosquitto_$1"
diff --git a/.archive/kubernetes/home-automation/mosquitto/app/helmrelease.yaml b/.archive/kubernetes/home-automation/mosquitto/app/helmrelease.yaml
deleted file mode 100644
index 96b56592..00000000
--- a/.archive/kubernetes/home-automation/mosquitto/app/helmrelease.yaml
+++ /dev/null
@@ -1,105 +0,0 @@
---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app mosquitto -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.2.1 - interval: 30m - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - - values: - controllers: - mosquitto: - annotations: - reloader.stakater.com/auto: "true" - - pod: - securityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - - initContainers: - init-config: - image: - repository: public.ecr.aws/docker/library/eclipse-mosquitto - tag: 2.0.18 - command: - - "/bin/sh" - - "-c" - args: - - cp /tmp/secret/* /mosquitto/external_config/; - mosquitto_passwd -U /mosquitto/external_config/mosquitto_pwd; - chmod 0600 /mosquitto/external_config/mosquitto_pwd; - - containers: - app: - image: - repository: public.ecr.aws/docker/library/eclipse-mosquitto - tag: 2.0.18 - probes: - liveness: - enabled: true - readiness: - enabled: true - startup: - enabled: true - spec: - failureThreshold: 30 - periodSeconds: 5 - resources: - requests: - cpu: 5m - memory: 10M - limits: - memory: 10M - - service: - app: - controller: mosquitto - type: LoadBalancer - annotations: - external-dns.alpha.kubernetes.io/hostname: "mqtt.jahanson.tech" - io.cilium/lb-ipam-ips: "10.1.1.36" - externalTrafficPolicy: Local - ports: - mqtt: - enabled: true - port: 1883 - - persistence: - data: - existingClaim: *app - advancedMounts: - mosquitto: - app: - - path: /data - mosquitto-configfile: - type: configMap - name: mosquitto-configmap - advancedMounts: - mosquitto: - app: - - path: /mosquitto/config/mosquitto.conf - subPath: mosquitto.conf - mosquitto-secret: - type: secret - name: mosquitto-secret - advancedMounts: - mosquitto: - init-config: - - path: /tmp/secret - 
mosquitto-externalconfig: - type: emptyDir - globalMounts: - - path: /mosquitto/external_config
diff --git a/.archive/kubernetes/home-automation/mosquitto/app/kustomization.yaml b/.archive/kubernetes/home-automation/mosquitto/app/kustomization.yaml
deleted file mode 100644
index 9172dadf..00000000
--- a/.archive/kubernetes/home-automation/mosquitto/app/kustomization.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./externalsecret.yaml - - ../../../../templates/volsync -configMapGenerator: - - name: mosquitto-configmap - files: - - config/mosquitto.conf -generatorOptions: - disableNameSuffixHash: true
diff --git a/.archive/kubernetes/home-automation/mosquitto/ks.yaml b/.archive/kubernetes/home-automation/mosquitto/ks.yaml
deleted file mode 100644
index 9dbb6728..00000000
--- a/.archive/kubernetes/home-automation/mosquitto/ks.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &appname mosquitto - namespace: flux-system -spec: - targetNamespace: home-automation - commonMetadata: - labels: - app.kubernetes.io/name: *appname - interval: 10m - path: "./kubernetes/apps/home-automation/mosquitto/app" - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: true - dependsOn: - - name: openebs - - name: volsync - - name: external-secrets-stores - postBuild: - substitute: - APP: *appname - VOLSYNC_CLAIM: mosquitto-data - VOLSYNC_CAPACITY: 512Mi
diff --git a/.archive/kubernetes/home-automation/namespace.yaml b/.archive/kubernetes/home-automation/namespace.yaml
deleted file mode 100644
index 2472a39b..00000000
--- a/.archive/kubernetes/home-automation/namespace.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
---- -apiVersion: v1 -kind: Namespace -metadata: - name: home-automation - labels: - kustomize.toolkit.fluxcd.io/prune: disabled - volsync.backube/privileged-movers: "true"
diff --git a/.archive/kubernetes/kube-system/cilium/app/bgpcrd.yaml b/.archive/kubernetes/kube-system/cilium/app/bgpcrd.yaml
deleted file mode 100644
index 30caa215..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/bgpcrd.yaml
+++ /dev/null
@@ -1,588 +0,0 @@
---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - creationTimestamp: null - name: ciliumbgppeeringpolicies.cilium.io -spec: - group: cilium.io - names: - categories: - - cilium - - ciliumbgp - kind: CiliumBGPPeeringPolicy - listKind: CiliumBGPPeeringPolicyList - plural: ciliumbgppeeringpolicies - shortNames: - - bgpp - singular: ciliumbgppeeringpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2alpha1 - schema: - openAPIV3Schema: - description: CiliumBGPPeeringPolicy is a Kubernetes third-party resource for - instructing Cilium's BGP control plane to create virtual BGP routers. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is a human readable description of a BGP peering policy - properties: - nodeSelector: - description: "NodeSelector selects a group of nodes where this BGP - Peering Policy applies. \n If empty / nil this policy applies to - all nodes." - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. 
- items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - description: MatchLabelsValue represents the value from the - MatchLabels {key,value} pair. - maxLength: 63 - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - virtualRouters: - description: A list of CiliumBGPVirtualRouter(s) which instructs the - BGP control plane how to instantiate virtual BGP routers. - items: - description: CiliumBGPVirtualRouter defines a discrete BGP virtual - router configuration. - properties: - exportPodCIDR: - default: false - description: ExportPodCIDR determines whether to export the - Node's private CIDR block to the configured neighbors. - type: boolean - localASN: - description: LocalASN is the ASN of this virtual router. 
Supports - extended 32bit ASNs - format: int64 - maximum: 4294967295 - minimum: 0 - type: integer - neighbors: - description: Neighbors is a list of neighboring BGP peers for - this virtual router - items: - description: CiliumBGPNeighbor is a neighboring peer for use - in a CiliumBGPVirtualRouter configuration. - properties: - advertisedPathAttributes: - description: AdvertisedPathAttributes can be used to apply - additional path attributes to selected routes when advertising - them to the peer. If empty / nil, no additional path - attributes are advertised. - items: - description: CiliumBGPPathAttributes can be used to - apply additional path attributes to matched routes - when advertising them to a BGP peer. - properties: - communities: - description: Communities defines a set of community - values advertised in the supported BGP Communities - path attributes. If nil / not set, no BGP Communities - path attribute will be advertised. - properties: - large: - description: Large holds a list of the BGP Large - Communities Attribute (RFC 8092) values. - items: - description: BGPLargeCommunity type represents - a value of the BGP Large Communities Attribute - (RFC 8092), as three 4-byte decimal numbers - separated by colons. 
- pattern: ^([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5])$ - type: string - type: array - standard: - description: Standard holds a list of "standard" - 32-bit BGP Communities Attribute (RFC 1997) - values defined as numeric values. - items: - description: BGPStandardCommunity type represents - a value of the "standard" 32-bit BGP Communities - Attribute (RFC 1997) as a 4-byte decimal - number or two 2-byte decimal numbers separated - by a colon (<0-65535>:<0-65535>). For example, - no-export community value is 65553:65281. - pattern: ^([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5])$|^([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: array - wellKnown: - description: WellKnown holds a list "standard" - 32-bit BGP Communities Attribute (RFC 1997) - values defined as well-known string aliases - to their numeric values. - items: - description: "BGPWellKnownCommunity type represents - a value of the \"standard\" 32-bit BGP Communities - Attribute (RFC 1997) as a well-known string - alias to its numeric value. 
Allowed values - and their mapping to the numeric values: - \n internet = 0x00000000 - (0:0) planned-shut = 0xffff0000 - (65535:0) accept-own = 0xffff0001 - (65535:1) route-filter-translated-v4 = 0xffff0002 - (65535:2) route-filter-v4 = 0xffff0003 - (65535:3) route-filter-translated-v6 = 0xffff0004 - (65535:4) route-filter-v6 = 0xffff0005 - (65535:5) llgr-stale = 0xffff0006 - (65535:6) no-llgr = 0xffff0007 - (65535:7) blackhole = 0xffff029a - (65535:666) no-export = - 0xffffff01\t(65535:65281) no-advertise = - 0xffffff02 (65535:65282) no-export-subconfed - \ = 0xffffff03 (65535:65283) no-peer - \ = 0xffffff04 (65535:65284)" - enum: - - internet - - planned-shut - - accept-own - - route-filter-translated-v4 - - route-filter-v4 - - route-filter-translated-v6 - - route-filter-v6 - - llgr-stale - - no-llgr - - blackhole - - no-export - - no-advertise - - no-export-subconfed - - no-peer - type: string - type: array - type: object - localPreference: - description: LocalPreference defines the preference - value advertised in the BGP Local Preference path - attribute. As Local Preference is only valid for - iBGP peers, this value will be ignored for eBGP - peers (no Local Preference path attribute will - be advertised). If nil / not set, the default - Local Preference of 100 will be advertised in - the Local Preference path attribute for iBGP peers. - format: int64 - maximum: 4294967295 - minimum: 0 - type: integer - selector: - description: Selector selects a group of objects - of the SelectorType resulting into routes that - will be announced with the configured Attributes. - If nil / not set, all objects of the SelectorType - are selected. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - description: MatchLabelsValue represents the - value from the MatchLabels {key,value} pair. - maxLength: 63 - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - selectorType: - description: 'SelectorType defines the object type - on which the Selector applies: - For "PodCIDR" - the Selector matches k8s CiliumNode resources - (path attributes apply to routes announced for - PodCIDRs of selected CiliumNodes. Only affects - routes of cluster scope / Kubernetes IPAM CIDRs, - not Multi-Pool IPAM CIDRs. - For "CiliumLoadBalancerIPPool" - the Selector matches CiliumLoadBalancerIPPool - custom resources (path attributes apply to routes - announced for selected CiliumLoadBalancerIPPools). - - For "CiliumPodIPPool" the Selector matches CiliumPodIPPool - custom resources (path attributes apply to routes - announced for allocated CIDRs of selected CiliumPodIPPools).' 
- enum: - - PodCIDR - - CiliumLoadBalancerIPPool - - CiliumPodIPPool - type: string - required: - - selectorType - type: object - type: array - authSecretRef: - description: AuthSecretRef is the name of the secret to - use to fetch a TCP authentication password for this - peer. - type: string - connectRetryTimeSeconds: - default: 120 - description: ConnectRetryTimeSeconds defines the initial - value for the BGP ConnectRetryTimer (RFC 4271, Section - 8). - format: int32 - maximum: 2147483647 - minimum: 1 - type: integer - eBGPMultihopTTL: - default: 1 - description: EBGPMultihopTTL controls the multi-hop feature - for eBGP peers. Its value defines the Time To Live (TTL) - value used in BGP packets sent to the neighbor. The - value 1 implies that eBGP multi-hop feature is disabled - (only a single hop is allowed). This field is ignored - for iBGP peers. - format: int32 - maximum: 255 - minimum: 1 - type: integer - families: - description: "Families, if provided, defines a set of - AFI/SAFIs the speaker will negotiate with it's peer. - \n If this slice is not provided the default families - of IPv6 and IPv4 will be provided." - items: - description: CiliumBGPFamily represents a AFI/SAFI address - family pair. - properties: - afi: - description: Afi is the Address Family Identifier - (AFI) of the family. - enum: - - ipv4 - - ipv6 - - l2vpn - - ls - - opaque - type: string - safi: - description: Safi is the Subsequent Address Family - Identifier (SAFI) of the family. - enum: - - unicast - - multicast - - mpls_label - - encapsulation - - vpls - - evpn - - ls - - sr_policy - - mup - - mpls_vpn - - mpls_vpn_multicast - - route_target_constraints - - flowspec_unicast - - flowspec_vpn - - key_value - type: string - required: - - afi - - safi - type: object - type: array - gracefulRestart: - description: GracefulRestart defines graceful restart - parameters which are negotiated with this neighbor. - If empty / nil, the graceful restart capability is disabled. 
- properties: - enabled: - description: Enabled flag, when set enables graceful - restart capability. - type: boolean - restartTimeSeconds: - default: 120 - description: RestartTimeSeconds is the estimated time - it will take for the BGP session to be re-established - with peer after a restart. After this period, peer - will remove stale routes. This is described RFC - 4724 section 4.2. - format: int32 - maximum: 4095 - minimum: 1 - type: integer - required: - - enabled - type: object - holdTimeSeconds: - default: 90 - description: HoldTimeSeconds defines the initial value - for the BGP HoldTimer (RFC 4271, Section 4.2). Updating - this value will cause a session reset. - format: int32 - maximum: 65535 - minimum: 3 - type: integer - keepAliveTimeSeconds: - default: 30 - description: KeepaliveTimeSeconds defines the initial - value for the BGP KeepaliveTimer (RFC 4271, Section - 8). It can not be larger than HoldTimeSeconds. Updating - this value will cause a session reset. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - peerASN: - description: PeerASN is the ASN of the peer BGP router. - Supports extended 32bit ASNs - format: int64 - maximum: 4294967295 - minimum: 0 - type: integer - peerAddress: - description: PeerAddress is the IP address of the peer. - This must be in CIDR notation and use a /32 to express - a single host. - format: cidr - type: string - peerPort: - default: 179 - description: PeerPort is the TCP port of the peer. 1-65535 - is the range of valid port numbers that can be specified. - If unset, defaults to 179. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - peerASN - - peerAddress - type: object - minItems: 1 - type: array - podIPPoolSelector: - description: "PodIPPoolSelector selects CiliumPodIPPools based - on labels. The virtual router will announce allocated CIDRs - of matching CiliumPodIPPools. \n If empty / nil no CiliumPodIPPools - will be announced." 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - description: MatchLabelsValue represents the value from - the MatchLabels {key,value} pair. - maxLength: 63 - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - serviceSelector: - description: "ServiceSelector selects a group of load balancer - services which this virtual router will announce. The loadBalancerClass - for a service must be nil or specify a class supported by - Cilium, e.g. \"io.cilium/bgp-control-plane\". 
Refer to the - following document for additional details regarding load balancer - classes: \n https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class - \n If empty / nil no services will be announced." - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - description: MatchLabelsValue represents the value from - the MatchLabels {key,value} pair. - maxLength: 63 - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - required: - - localASN - - neighbors - type: object - minItems: 1 - type: array - required: - - virtualRouters - type: object - required: - - metadata - type: object - served: true - storage: true - subresources: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] \ No newline at end of file diff --git a/.archive/kubernetes/kube-system/cilium/app/bgppeeringpolicy.yaml b/.archive/kubernetes/kube-system/cilium/app/bgppeeringpolicy.yaml deleted file mode 100644 index aef9be36..00000000 --- a/.archive/kubernetes/kube-system/cilium/app/bgppeeringpolicy.yaml +++ /dev/null 
@@ -1,36 +0,0 @@
----
-apiVersion: cilium.io/v2alpha1
-kind: CiliumBGPPeeringPolicy
-# comments courtesy of JJGadgets
-# MAKE SURE CRDs ARE INSTALLED IN CLUSTER VIA cilium-config ConfigMap OR Cilium HelmRelease/values.yaml (bgpControlPlane.enabled: true), BEFORE THIS IS APPLIED!
-# "CiliumBGPPeeringPolicy" Custom Resource will replace the old MetalLB BGP's "bgp-config" ConfigMap
-# "CiliumBGPPeeringPolicy" is used with `bgpControlPlane.enabled: true` which uses GoBGP, NOT the old `bgp.enabled: true` which uses MetalLB
-metadata:
- name: bgp-loadbalancer-ip-main
-spec:
- nodeSelector:
- matchLabels:
- kubernetes.io/os: "linux" # match all Linux nodes, change this to match more granularly if more than 1 PeeringPolicy is to be used throughout cluster
- virtualRouters:
- - localASN: 64512
- exportPodCIDR: false
- serviceSelector: # this replaces address-pools, instead of defining the range of IPs that can be assigned to LoadBalancer services, now services have to match below selectors for their LB IPs to be announced
- matchExpressions:
- - {
- key: thisFakeSelector,
- operator: NotIn,
- values: ["will-match-and-announce-all-services"],
- }
- neighbors:
- - peerAddress: "10.1.1.1/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
- peerASN: 64512
-
----
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumloadbalancerippool_v2alpha1.json
-apiVersion: "cilium.io/v2alpha1"
-kind: CiliumLoadBalancerIPPool
-metadata:
- name: main-pool
-spec:
- cidrs:
- - cidr: 10.45.0.1/24
diff --git a/.archive/kubernetes/kube-system/cilium/app/helmrelease.yaml b/.archive/kubernetes/kube-system/cilium/app/helmrelease.yaml
deleted file mode 100644
index 7cc936c4..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/helmrelease.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
- name: cilium
- namespace: kube-system
-spec:
- interval: 30m
- chart:
- spec:
- chart: cilium
- version: 1.15.3
- sourceRef:
- kind: HelmRepository
- name: cilium
- namespace: flux-system
- maxHistory: 2
- install:
- remediation:
- retries: 3
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- uninstall:
- keepHistory: false
- values:
- cluster:
- name: homelab
- id: 1
- hubble:
- relay:
- enabled: true
- ui:
- enabled: true
- metrics:
- enableOpenMetrics: true
- prometheus:
- enabled: true
- operator:
- prometheus:
- enabled: true
- ipam:
- mode: kubernetes
- kubeProxyReplacement: true
- k8sServiceHost: 127.0.0.1
- k8sServicePort: 7445
- rollOutCiliumPods: true
- cgroup:
- automount:
- enabled: false
- hostRoot: /sys/fs/cgroup
- bgp:
- enabled: false
- announce:
- loadbalancerIP: true
- podCIDR: false
- bgpControlPlane:
- enabled: true
- securityContext:
- capabilities:
- ciliumAgent:
- - CHOWN
- - KILL
- - NET_ADMIN
- - NET_RAW
- - IPC_LOCK
- - SYS_ADMIN
- - SYS_RESOURCE
- - DAC_OVERRIDE
- - FOWNER
- - SETGID
- - SETUID
- cleanCiliumState:
- - NET_ADMIN
- - SYS_ADMIN
- - SYS_RESOURCE
diff --git a/.archive/kubernetes/kube-system/cilium/app/netpols/allow-ssh.yaml b/.archive/kubernetes/kube-system/cilium/app/netpols/allow-ssh.yaml
deleted file mode 100644
index 0a295edd..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/netpols/allow-ssh.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: allow-ssh
-spec:
- description: ""
- nodeSelector:
- matchLabels:
- # node-access: ssh
- node-role.kubernetes.io/control-plane: "true"
- ingress:
- - fromEntities:
- - cluster
- - toPorts:
- - ports:
- - port: "22"
- protocol: TCP
- - icmps:
- - fields:
- - type: 8
- family: IPv4
diff --git a/.archive/kubernetes/kube-system/cilium/app/netpols/apiserver.yaml b/.archive/kubernetes/kube-system/cilium/app/netpols/apiserver.yaml
deleted file mode 100644
index 7956dc92..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/netpols/apiserver.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: api-server
-spec:
- nodeSelector:
- # apply to master nodes
- matchLabels:
- node-role.kubernetes.io/control-plane: 'true'
- ingress:
- # load balancer -> api server
- - fromCIDR:
- - 167.235.217.82/32
- toPorts:
- - ports:
- - port: '6443'
- protocol: TCP
- egress:
- # api server -> kubelet
- - toEntities:
- - remote-node
- toPorts:
- - ports:
- - port: '10250'
- protocol: TCP
diff --git a/.archive/kubernetes/kube-system/cilium/app/netpols/cilium-health.yaml b/.archive/kubernetes/kube-system/cilium/app/netpols/cilium-health.yaml
deleted file mode 100644
index e4c56f86..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/netpols/cilium-health.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: cilium-health
-specs:
- - endpointSelector:
- # apply to health endpoints
- matchLabels:
- reserved:health: ''
- ingress:
- # cilium agent -> cilium agent
- - fromEntities:
- - host
- - remote-node
- toPorts:
- - ports:
- - port: '4240'
- protocol: TCP
- - nodeSelector:
- # apply to all nodes
- matchLabels: {}
- ingress:
- # cilium agent -> cilium agent
- - fromEntities:
- - health
- - remote-node
- toPorts:
- - ports:
- - port: '4240'
- protocol: TCP
- egress:
- # cilium agent -> cilium agent
- - toEntities:
- - health
- - remote-node
- toPorts:
- - ports:
- - port: '4240'
- protocol: TCP
diff --git a/.archive/kubernetes/kube-system/cilium/app/netpols/cilium-vxlan.yaml b/.archive/kubernetes/kube-system/cilium/app/netpols/cilium-vxlan.yaml
deleted file mode 100644
index 98f0929e..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/netpols/cilium-vxlan.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: cilium-vxlan
-spec:
- nodeSelector:
- # apply to all nodes
- matchLabels: {}
- ingress:
- # node -> vxlan
- - fromEntities:
- - remote-node
- toPorts:
- - ports:
- - port: '8472'
- protocol: UDP
- egress:
- # node -> vxlan
- - toEntities:
- - remote-node
- toPorts:
- - ports:
- - port: '8472'
- protocol: UDP
diff --git a/.archive/kubernetes/kube-system/cilium/app/netpols/core-dns.yaml b/.archive/kubernetes/kube-system/cilium/app/netpols/core-dns.yaml
deleted file mode 100644
index f31c8b70..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/netpols/core-dns.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: core-dns
- namespace: kube-system
-specs:
- - nodeSelector:
- # apply to master nodes
- matchLabels:
- node-role.kubernetes.io/control-plane: 'true'
- ingress:
- # core dns -> api server
- - fromEndpoints:
- - matchLabels:
- io.cilium.k8s.policy.serviceaccount: coredns
- toPorts:
- - ports:
- - port: '6443'
- protocol: TCP
- - nodeSelector:
- # apply to all nodes
- matchLabels: {}
- egress:
- # kubelet -> core dns probes
- - toEndpoints:
- - matchLabels:
- io.cilium.k8s.policy.serviceaccount: coredns
- toPorts:
- - ports:
- - port: '8080'
- protocol: TCP
- - port: '8181'
- protocol: TCP
- - endpointSelector:
- # apply to core dns pods
- matchLabels:
- io.cilium.k8s.policy.serviceaccount: coredns
- ingress:
- # kubelet -> core dns probes
- - fromEntities:
- - host
- toPorts:
- - ports:
- - port: '8080'
- protocol: TCP
- - port: '8181'
- protocol: TCP
- egress:
- # core dns -> api server
- - toEntities:
- - kube-apiserver
- toPorts:
- - ports:
- - port: '6443'
- protocol: TCP
- # core dns -> upstream DNS
- - toCIDR:
- - 185.12.64.1/32
- - 185.12.64.2/32
- toPorts:
- - ports:
- - port: '53'
- protocol: UDP
diff --git a/.archive/kubernetes/kube-system/cilium/app/netpols/etcd.yaml b/.archive/kubernetes/kube-system/cilium/app/netpols/etcd.yaml
deleted file mode 100644
index e239332d..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/netpols/etcd.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: etcd
-spec:
- nodeSelector:
- # apply to master nodes
- matchLabels:
- node-role.kubernetes.io/control-plane: 'true'
- ingress:
- # etcd peer -> etcd peer
- - fromEntities:
- - remote-node
- toPorts:
- - ports:
- - port: '2380'
- protocol: TCP
- egress:
- # etcd peer -> etcd peer
- - toEntities:
- - remote-node
- toPorts:
- - ports:
- - port: '2380'
- protocol: TCP
diff --git a/.archive/kubernetes/kube-system/cilium/app/netpols/fix-apiserver.yml b/.archive/kubernetes/kube-system/cilium/app/netpols/fix-apiserver.yml
deleted file mode 100644
index 798ae743..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/netpols/fix-apiserver.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: allow-specific-traffic
-spec:
- endpointSelector: {}
- ingress:
- - fromEntities:
- - host
- toPorts:
- - ports:
- - port: '6443'
- protocol: TCP
\ No newline at end of file
diff --git a/.archive/kubernetes/kube-system/cilium/app/netpols/hubble-relay.yaml b/.archive/kubernetes/kube-system/cilium/app/netpols/hubble-relay.yaml
deleted file mode 100644
index 0473f984..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/netpols/hubble-relay.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: hubble-relay
- namespace: kube-system
-specs:
- - nodeSelector:
- # apply to all nodes
- matchLabels: {}
- ingress:
- # hubble relay -> hubble agent
- - fromEndpoints:
- - matchLabels:
- io.cilium.k8s.policy.serviceaccount: hubble-relay
- toPorts:
- - ports:
- - port: '4244'
- protocol: TCP
- egress:
- # kubelet -> hubble relay probes
- - toEndpoints:
- - matchLabels:
- io.cilium.k8s.policy.serviceaccount: hubble-relay
- toPorts:
- - ports:
- - port: '4245'
- protocol: TCP
- - endpointSelector:
- # apply to hubble relay pods
- matchLabels:
- io.cilium.k8s.policy.serviceaccount: hubble-relay
- ingress:
- # kubelet -> hubble relay probes
- - fromEntities:
- - host
- toPorts:
- - ports:
- - port: '4245'
- protocol: TCP
- egress:
- # hubble relay -> hubble agent
- - toEntities:
- - host
- - remote-node
- toPorts:
- - ports:
- - port: '4244'
- protocol: TCP
diff --git a/.archive/kubernetes/kube-system/cilium/app/netpols/hubble-ui.yaml b/.archive/kubernetes/kube-system/cilium/app/netpols/hubble-ui.yaml
deleted file mode 100644
index c4914d02..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/netpols/hubble-ui.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: hubble-ui
- namespace: kube-system
-specs:
- - nodeSelector:
- # apply to master nodes
- matchLabels:
- node-role.kubernetes.io/control-plane: ''
- ingress:
- # hubble ui -> api server
- - fromEndpoints:
- - matchLabels:
- io.cilium.k8s.policy.serviceaccount: hubble-ui
- toPorts:
- - ports:
- - port: '6443'
- protocol: TCP
- - endpointSelector:
- # apply to core dns endpoints
- matchLabels:
- io.cilium.k8s.policy.serviceaccount: coredns
- ingress:
- # hubble ui -> core dns
- - fromEndpoints:
- - matchLabels:
- io.cilium.k8s.policy.serviceaccount: hubble-ui
- toPorts:
- - ports:
- - port: '53'
- protocol: UDP
- - endpointSelector:
- # apply to hubble relay endpoints
- matchLabels:
- io.cilium.k8s.policy.serviceaccount: hubble-relay
- ingress:
- # hubble ui -> hubble relay
- - fromEndpoints:
- - matchLabels:
- io.cilium.k8s.policy.serviceaccount: hubble-ui
- toPorts:
- - ports:
- - port: '4245'
- protocol: TCP
- - endpointSelector:
- # apply to hubble ui endpoints
- matchLabels:
- io.cilium.k8s.policy.serviceaccount: hubble-ui
- egress:
- # hubble ui -> api server
- - toEntities:
- - kube-apiserver
- toPorts:
- - ports:
- - port: '6443'
- protocol: TCP
- # hubble ui -> hubble relay
- - toEndpoints:
- - matchLabels:
- io.cilium.k8s.policy.serviceaccount: hubble-relay
- toPorts:
- - ports:
- - port: '4245'
- protocol: TCP
- # hubble ui -> core dns
- - toEndpoints:
- - matchLabels:
- io.cilium.k8s.policy.serviceaccount: coredns
- toPorts:
- - ports:
- - port: '53'
- protocol: UDP
diff --git a/.archive/kubernetes/kube-system/cilium/app/netpols/kubelet.yaml b/.archive/kubernetes/kube-system/cilium/app/netpols/kubelet.yaml
deleted file mode 100644
index 23d50607..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/netpols/kubelet.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: kubelet
-spec:
- nodeSelector:
- # apply to all nodes
- matchLabels: {}
- ingress:
- # api server -> kubelet
- - fromEntities:
- - kube-apiserver
- toPorts:
- - ports:
- - port: '10250'
- protocol: TCP
- egress:
- # kubelet -> load balancer
- - toCIDR:
- - 167.235.217.82/32
- toEntities:
- - host
- toPorts:
- - ports:
- - port: '6443'
- protocol: TCP
diff --git a/.archive/kubernetes/kube-system/cilium/app/netpols/kustomization.yaml b/.archive/kubernetes/kube-system/cilium/app/netpols/kustomization.yaml
deleted file mode 100644
index ceec6c3d..00000000
--- a/.archive/kubernetes/kube-system/cilium/app/netpols/kustomization.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kube-system
-resources:
- - ./allow-ssh.yaml
- - ./apiserver.yaml
- - ./cilium-health.yaml
- - ./cilium-vxlan.yaml
- - ./core-dns.yaml
- - ./etcd.yaml
- - ./hubble-relay.yaml
- - ./hubble-ui.yaml
- - ./kubelet.yaml
-
diff --git a/.archive/kubernetes/kube-system/cilium/ks.yaml b/.archive/kubernetes/kube-system/cilium/ks.yaml
deleted file mode 100644
index b9adeed7..00000000
--- a/.archive/kubernetes/kube-system/cilium/ks.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: cilium
- namespace: flux-system
-spec:
- interval: 30m
- retryInterval: 1m
- timeout: 5m
- path: "./kubernetes/apps/kube-system/cilium/app"
- prune: true
- sourceRef:
- kind: GitRepository
- name: homelab
- wait: false
diff --git a/.archive/kubernetes/kube-system/spegel/app/resources/values.yml b/.archive/kubernetes/kube-system/spegel/app/resources/values.yml
deleted file mode 100644
index 10b68bc8..00000000
--- a/.archive/kubernetes/kube-system/spegel/app/resources/values.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-spegel:
- containerdSock: /run/containerd/containerd.sock
- containerdRegistryConfigPath: /etc/cri/conf.d/hosts
- registries:
- - https://docker.io
- - https://ghcr.io
- - https://quay.io
- - https://mcr.microsoft.com
- - https://public.ecr.aws
- - https://gcr.io
- - https://registry.k8s.io
- - https://k8s.gcr.io
- - https://lscr.io
-service:
- registry:
- hostPort: 29999
diff --git a/.archive/kubernetes/kube-system/zfs-scrub/app/helmrelease.yaml b/.archive/kubernetes/kube-system/zfs-scrub/app/helmrelease.yaml
deleted file mode 100644
index 4d7b31b2..00000000
--- a/.archive/kubernetes/kube-system/zfs-scrub/app/helmrelease.yaml
+++ /dev/null
@@ -1,109 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: &app zfs-scrub
-spec:
- interval: 30m
- chart:
- spec:
- chart: app-template
- version: 3.2.1
- sourceRef:
- kind: HelmRepository
- name: bjw-s
- namespace: flux-system
- install:
- remediation:
- retries: 3
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controllers:
- kubanetics:
- type: cronjob
- cronjob:
- schedule: "@weekly"
- parallelism: 1 # Set to my total number of nodes
- containers:
- app:
- image:
- repository: ghcr.io/aarnaud/talos-debug-tools
- tag: latest-6.6.29
- command: ["/bin/bash", "-c"]
- args:
- - |
- # Trim filesystems
- chroot /host /usr/local/sbin/zpool scrub nahar
- probes:
- liveness:
- enabled: false
- readiness:
- enabled: false
- startup:
- enabled: false
- resources:
- requests:
- cpu: 25m
- limits:
- memory: 128Mi
- securityContext:
- privileged: true
- pod:
- hostNetwork: true
- hostPID: true
- topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- labelSelector:
- matchLabels:
- app.kubernetes.io/name: *app
- persistence:
- netfs:
- type: hostPath
- hostPath: /sys
- hostPathType: Directory
- globalMounts:
- - path: /sys
- readOnly: true
- dev:
- type: hostPath
- hostPath: /dev
- hostPathType: Directory
- globalMounts:
- - path: /dev
- modules:
- type: hostPath
- hostPath: /lib/modules
- hostPathType: ""
- globalMounts:
- - path: /lib/modules
- udev:
- type: hostPath
- hostPath: /run/udev
- hostPathType: ""
- globalMounts:
- - path: /run/udev
- localtime:
- type: hostPath
- hostPath: /etc/localtime
- hostPathType: ""
- globalMounts:
- - path: /etc/localtime
- host:
- type: hostPath
- hostPath: /
- hostPathType: Directory
- globalMounts:
- - path: /host
- efivars:
- type: hostPath
- hostPath: /sys/firmware/efi/efivars
- hostPathType: ""
- globalMounts:
- - path: /sys/firmware/efi/efivars
diff --git a/.archive/kubernetes/kube-system/zfs-scrub/app/kustomization.yaml b/.archive/kubernetes/kube-system/zfs-scrub/app/kustomization.yaml
deleted file mode 100644
index 28e28a0e..00000000
--- a/.archive/kubernetes/kube-system/zfs-scrub/app/kustomization.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./helmrelease.yaml
-configMapGenerator:
- - name: zfs-scrub-configmap
- files:
- - zfs-scrub.sh=./resources/zfs-scrub.sh
-generatorOptions:
- disableNameSuffixHash: true
diff --git a/.archive/kubernetes/kube-system/zfs-scrub/app/resources/zfs-scrub.sh b/.archive/kubernetes/kube-system/zfs-scrub/app/resources/zfs-scrub.sh
deleted file mode 100644
index d90d0d9f..00000000
--- a/.archive/kubernetes/kube-system/zfs-scrub/app/resources/zfs-scrub.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-KUBELET_BIN="/usr/local/bin/kubelet"
-KUBELET_PID="$(pgrep -f $KUBELET_BIN)"
-ZPOOL="nahar"
-
-if [ -z "${KUBELET_PID}" ]; then
- echo "kubelet not found"
- exit 1
-fi
-
-# Enter namespaces and run commands
-nsrun() {
- nsenter \
- --mount="/host/proc/${KUBELET_PID}/ns/mnt" \
- --net="/host/proc/${KUBELET_PID}/ns/net" \
- -- bash -c "$1"
-}
-
-# Scrub filesystems
-nsrun "zpool scrub ${ZPOOL}"
diff --git a/.archive/kubernetes/kube-system/zfs-scrub/ks.yaml b/.archive/kubernetes/kube-system/zfs-scrub/ks.yaml
deleted file mode 100644
index 0354a483..00000000
--- a/.archive/kubernetes/kube-system/zfs-scrub/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app zfs-scrub
- namespace: flux-system
-spec:
- targetNamespace: kube-system
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/apps/kube-system/zfs-scrub/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: homelab
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/.archive/kubernetes/media/immich/app/configmap.yaml b/.archive/kubernetes/media/immich/app/configmap.yaml
deleted file mode 100644
index a7555bc7..00000000
--- a/.archive/kubernetes/media/immich/app/configmap.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: immich-app-config
- labels:
- app.kubernetes.io/name: immich
-data:
- LOG_LEVEL: verbose
- DB_VECTOR_EXTENSION: pgvector
- NODE_ENV: production
- REDIS_HOSTNAME: dragonfly.database.svc.cluster.local
- REDIS_PORT: "6379"
- IMMICH_WEB_URL: http://immich-web.media.svc.cluster.local:3000
- IMMICH_SERVER_URL: http://immich-server.media.svc.cluster.local:3001
- IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning.media.svc.cluster.local:3003
diff --git a/.archive/kubernetes/media/immich/app/externalsecret.yaml b/.archive/kubernetes/media/immich/app/externalsecret.yaml
deleted file mode 100644
index d093fd4c..00000000
--- a/.archive/kubernetes/media/immich/app/externalsecret.yaml
+++ /dev/null
@@ -1,19 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: immich -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: immich-secret - template: - engineVersion: v2 - data: - DATABASE_URI: "postgresql://{{ .DATABASE_USER }}:{{ .DATABASE_PASSWORD }}@immich-primary-real.media.svc:{{ .DATABASE_PORT }}/{{ .DATABASE_NAME }}" - dataFrom: - - extract: - key: immich diff --git a/.archive/kubernetes/media/immich/app/gatus.yaml b/.archive/kubernetes/media/immich/app/gatus.yaml deleted file mode 100644 index aa976954..00000000 --- a/.archive/kubernetes/media/immich/app/gatus.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: immich-postgres-gatus-ep - labels: - gatus.io/enabled: "true" -data: - config.yaml: | - endpoints: - - name: immich-postgres - group: infrastructure - url: tcp://immich-primary-real.media.svc.cluster.local:5432 - interval: 1m - ui: - hide-url: true - hide-hostname: true - conditions: - - "[CONNECTED] == true" - alerts: - - type: pushover diff --git a/.archive/kubernetes/media/immich/app/helmrelease.yaml b/.archive/kubernetes/media/immich/app/helmrelease.yaml deleted file mode 100644 index 392018e5..00000000 --- a/.archive/kubernetes/media/immich/app/helmrelease.yaml +++ /dev/null 
@@ -1,97 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: &name immich - namespace: default -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.1.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - immich-server: - type: statefulset - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: ghcr.io/immich-app/immich-server - tag: v1.105.1 - command: /bin/sh - args: - - ./start-server.sh - probes: - startup: - enabled: true - spec: - failureThreshold: 30 - periodSeconds: 5 - liveness: - enabled: true - readiness: - enabled: true - resources: - requests: - cpu: 100m - memory: 512Mi - limits: - memory: 4Gi - env: - TZ: America/Chicago - DB_URL: - valueFrom: - secretKeyRef: - name: immich-secret - key: DATABASE_URI - envFrom: - - configMapRef: - name: immich-app-config - service: - app: - controller: immich-server - ports: - http: - port: 3001 - ingress: - app: - enabled: true - className: external-nginx - annotations: - external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" - external-dns.alpha.kubernetes.io/target: external.hsn.dev - nginx.ingress.kubernetes.io/proxy-body-size: "0" - hosts: - - host: &host "im.hsn.dev" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host - persistence: - media: - enabled: true - type: nfs - server: 10.1.1.13 - path: /eru/media/immich - globalMounts: - - path: /usr/src/app/upload diff --git a/.archive/kubernetes/media/immich/app/kustomization.yaml b/.archive/kubernetes/media/immich/app/kustomization.yaml deleted file mode 100644 index e2d93ed7..00000000 
--- a/.archive/kubernetes/media/immich/app/kustomization.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./configmap.yaml - - ./externalsecret.yaml - - ./gatus.yaml - - ./helmrelease.yaml - - ./machine-learning - - ./microservices - - ./postgresCluster.yaml - - ./pushsecret.yaml - - ./service.yaml -configMapGenerator: - - name: immich-databse-init-sql - files: - - init.sql=./resources/init.sql -labels: - - pairs: - app.kubernetes.io/name: immich - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich -generatorOptions: - disableNameSuffixHash: true - annotations: - kustomize.toolkit.fluxcd.io/substitute: disabled diff --git a/.archive/kubernetes/media/immich/app/machine-learning/helmrelease.yaml b/.archive/kubernetes/media/immich/app/machine-learning/helmrelease.yaml deleted file mode 100644 index a481b4c4..00000000 --- a/.archive/kubernetes/media/immich/app/machine-learning/helmrelease.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: immich-machine-learning -spec: - interval: 15m - chart: - spec: - chart: app-template - version: 3.1.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - interval: 15m - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - immich-machine-learning: - annotations: - reloader.stakater.com/auto: "true" - strategy: Recreate - pod: - nodeSelector: - nvidia.com/gpu.present: "true" - runtimeClassName: nvidia - containers: - app: - image: - repository: ghcr.io/immich-app/immich-machine-learning - tag: v1.105.1 - resources: - requests: - cpu: 15m - memory: 250Mi - limits: - memory: 4000Mi - probes: - startup: - enabled: true - spec: - failureThreshold: 30 - periodSeconds: 5 - liveness: - enabled: true - readiness: - enabled: true - envFrom: - - configMapRef: - name: immich-app-config - env: - DB_URL: - valueFrom: - secretKeyRef: - name: immich-secret - key: DATABASE_URI - service: - app: - controller: immich-machine-learning - ports: - http: - port: 3003 - persistence: - media: - enabled: true - type: nfs - server: 10.1.1.13 - path: /eru/media/immich - globalMounts: - - path: /usr/src/app/upload - cache: - enabled: true - type: emptyDir diff --git a/.archive/kubernetes/media/immich/app/machine-learning/kustomization.yaml b/.archive/kubernetes/media/immich/app/machine-learning/kustomization.yaml deleted file mode 100644 index 11efb15f..00000000 --- a/.archive/kubernetes/media/immich/app/machine-learning/kustomization.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -labels: - - pairs: - app.kubernetes.io/name: immich-machine-learning - app.kubernetes.io/instance: immich-machine-learning - app.kubernetes.io/part-of: immich -resources: - - ./helmrelease.yaml diff --git a/.archive/kubernetes/media/immich/app/microservices/helmrelease.yaml b/.archive/kubernetes/media/immich/app/microservices/helmrelease.yaml deleted file mode 100644 index 420f7183..00000000 --- a/.archive/kubernetes/media/immich/app/microservices/helmrelease.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: immich-microservices -spec: - interval: 15m - chart: - spec: - chart: app-template - version: 3.1.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - interval: 15m - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - immich-microservices: - strategy: Recreate - annotations: - reloader.stakater.com/auto: "true" - pod: - nodeSelector: - nvidia.com/gpu.present: "true" - runtimeClassName: nvidia - containers: - app: - image: - repository: ghcr.io/immich-app/immich-server - tag: v1.105.1 - command: /bin/sh - args: - - ./start-microservices.sh - resources: - requests: - cpu: 100m - memory: 250Mi - limits: - memory: 4000Mi - probes: - startup: - enabled: true - spec: - failureThreshold: 30 - periodSeconds: 5 - liveness: - enabled: true - readiness: - enabled: true - envFrom: - - configMapRef: - name: immich-app-config - env: - DB_URL: - valueFrom: - secretKeyRef: - name: immich-secret - key: DATABASE_URI - service: - app: - controller: immich-microservices - enabled: false - persistence: - media: - enabled: true - type: nfs - server: 10.1.1.13 - path: /eru/media/immich - globalMounts: - - path: /usr/src/app/upload diff --git a/.archive/kubernetes/media/immich/app/microservices/kustomization.yaml b/.archive/kubernetes/media/immich/app/microservices/kustomization.yaml deleted file mode 100644 index 3184c846..00000000 --- a/.archive/kubernetes/media/immich/app/microservices/kustomization.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -labels: - - pairs: - app.kubernetes.io/name: immich-microservices - app.kubernetes.io/instance: immich-microservices - app.kubernetes.io/part-of: immich -resources: - - ./helmrelease.yaml diff --git a/.archive/kubernetes/media/immich/app/postgresCluster.yaml b/.archive/kubernetes/media/immich/app/postgresCluster.yaml deleted file mode 100644 index 0cd139c6..00000000 --- a/.archive/kubernetes/media/immich/app/postgresCluster.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json -apiVersion: postgres-operator.crunchydata.com/v1beta1 -kind: PostgresCluster -metadata: - name: &name "${APP}" -spec: - postgresVersion: 16 - dataSource: - pgbackrest: - stanza: db - configuration: - - secret: - name: pgo-s3-creds - global: - repo1-path: "/${APP}/repo1" - repo1-s3-uri-style: path - repo: - name: repo1 - s3: - bucket: "crunchy-postgres" - endpoint: "s3.hsn.dev" - region: "us-east-1" - monitoring: - pgmonitor: - exporter: - # https://github.com/CrunchyData/postgres-operator-examples/blob/main/helm/install/values.yaml - image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-0.15.0-3 - patroni: - dynamicConfiguration: - synchronous_mode: true - postgresql: - synchronous_commit: "on" - pg_hba: - - hostnossl all all 10.244.0.0/16 md5 - - hostssl all all all md5 - databaseInitSQL: - name: immich-databse-init-sql - key: init.sql - instances: - - name: postgres - metadata: - labels: - app.kubernetes.io/name: pgo-${APP} - replicas: 1 - dataVolumeClaimSpec: - storageClassName: openebs-zfs - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: "kubernetes.io/hostname" - whenUnsatisfiable: "DoNotSchedule" - labelSelector: - matchLabels: - postgres-operator.crunchydata.com/cluster: ${APP} - postgres-operator.crunchydata.com/data: postgres - users: - - name: "immich" - databases: - - "immich" - options: "SUPERUSER" - password: - type: AlphaNumeric - backups: - pgbackrest: - configuration: - - secret: - name: pgo-s3-creds - global: - archive-push-queue-max: 4GiB - repo1-retention-full: "14" - repo1-retention-full-type: time - repo1-path: "/${APP}/repo1" - repo1-s3-uri-style: path - manual: - repoName: repo1 - options: - - --type=full - metadata: - labels: - app.kubernetes.io/name: pgo-${APP}-backup - repos: - - name: repo1 
- schedules: - full: "0 1 * * 0" - differential: "0 1 * * 1-6" - s3: - bucket: "crunchy-postgres" - endpoint: "s3.hsn.dev" - region: "us-east-1" diff --git a/.archive/kubernetes/media/immich/app/pushsecret.yaml b/.archive/kubernetes/media/immich/app/pushsecret.yaml deleted file mode 100644 index 6a84b359..00000000 --- a/.archive/kubernetes/media/immich/app/pushsecret.yaml +++ /dev/null @@ -1,40 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json -apiVersion: external-secrets.io/v1alpha1 -kind: PushSecret -metadata: - name: immich -spec: - refreshInterval: 1h - secretStoreRefs: - - name: onepassword-connect - kind: ClusterSecretStore - selector: - secret: - name: immich-pguser-immich - data: - - match: - secretKey: dbname - remoteRef: - remoteKey: immich - property: DATABASE_NAME - - match: - secretKey: host - remoteRef: - remoteKey: immich - property: DATABASE_HOST - - match: - secretKey: user - remoteRef: - remoteKey: immich - property: DATABASE_USER - - match: - secretKey: password - remoteRef: - remoteKey: immich - property: DATABASE_PASSWORD - - match: - secretKey: port - remoteRef: - remoteKey: immich - property: DATABASE_PORT diff --git a/.archive/kubernetes/media/immich/app/resources/init.sql b/.archive/kubernetes/media/immich/app/resources/init.sql deleted file mode 100644 index af7e500b..00000000 --- a/.archive/kubernetes/media/immich/app/resources/init.sql +++ /dev/null @@ -1,4 +0,0 @@ -\c immich\\ -CREATE EXTENSION vector; -CREATE EXTENSION cube; -CREATE EXTENSION earthdistance; diff --git a/.archive/kubernetes/media/immich/app/service.yaml b/.archive/kubernetes/media/immich/app/service.yaml deleted file mode 100644 index 863dc525..00000000 --- a/.archive/kubernetes/media/immich/app/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - labels: - postgres-operator.crunchydata.com/cluster: immich - postgres-operator.crunchydata.com/role: primary - name: immich-primary-real - namespace: media -spec: - internalTrafficPolicy: Cluster - ports: - - name: postgres - port: 5432 - protocol: TCP - targetPort: postgres - selector: - postgres-operator.crunchydata.com/cluster: immich - postgres-operator.crunchydata.com/role: master - type: ClusterIP diff --git a/.archive/kubernetes/media/immich/ks.yaml b/.archive/kubernetes/media/immich/ks.yaml deleted file mode 100644 index 61788fa7..00000000 --- a/.archive/kubernetes/media/immich/ks.yaml +++ /dev/null @@ -1,30 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app immich - namespace: flux-system -spec: - targetNamespace: media - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: crunchy-postgres-operator - - name: external-secrets-stores - - name: dragonfly - path: ./kubernetes/apps/media/immich/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app - DB_NAME: immich - DB_USER: immich diff --git a/.archive/kubernetes/media/kustomization.yaml b/.archive/kubernetes/media/kustomization.yaml deleted file mode 100644 index 6df031b5..00000000 --- a/.archive/kubernetes/media/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Pre Flux-Kustomizations - - ./namespace.yaml - # Flux-Kustomizations - - ./immich/ks.yaml 
diff --git a/.archive/kubernetes/media/namespace.yaml b/.archive/kubernetes/media/namespace.yaml deleted file mode 100644 index 8ff6d8c3..00000000 --- a/.archive/kubernetes/media/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: media - labels: - kustomize.toolkit.fluxcd.io/prune: disabled - volsync.backube/privileged-movers: "true" - pgo-enabled-hsn.dev: "true" diff --git a/.archive/kubernetes/observability/alertmanager-silencer/app/helmrelease.yaml b/.archive/kubernetes/observability/alertmanager-silencer/app/helmrelease.yaml deleted file mode 100644 index 367734b1..00000000 --- a/.archive/kubernetes/observability/alertmanager-silencer/app/helmrelease.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: alertmanager-silencer -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.3.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - dependsOn: - - name: kube-prometheus-stack - namespace: observability - values: - controllers: - alertmanager-silencer: - type: cronjob - cronjob: - schedule: "@daily" - containers: - app: - image: - repository: ghcr.io/onedr0p/kubanetics - tag: 2024.7.1@sha256:020ec6f00b9cdc0ee247d2fd34d3951ac32718326bb90c38e947eed9d555de6c - env: - SCRIPT_NAME: alertmanager-silencer.sh - ALERTMANAGER_URL: http://alertmanager-operated.observability.svc.cluster.local:9093 - MATCHERS_0: alertname=NodeCPUHighUsage job=node-exporter - MATCHERS_1: alertname=CPUThrottlingHigh container=gc - MATCHERS_2: alertname=CPUThrottlingHigh container=worker - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - resources: - requests: - cpu: 25m - limits: - memory: 128Mi - pod: - securityContext: - runAsUser: 568 - runAsGroup: 568 - runAsNonRoot: true diff --git a/.archive/kubernetes/observability/alertmanager-silencer/ks.yaml b/.archive/kubernetes/observability/alertmanager-silencer/ks.yaml deleted file mode 100644 index e0ef6cdd..00000000 --- a/.archive/kubernetes/observability/alertmanager-silencer/ks.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app alertmanager-silencer - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/observability/alertmanager-silencer/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/.archive/kubernetes/observability/grafana/app/externalsecret.yaml b/.archive/kubernetes/observability/grafana/app/externalsecret.yaml deleted file mode 100644 index 1838d318..00000000 --- a/.archive/kubernetes/observability/grafana/app/externalsecret.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: grafana-secret - namespace: observability -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: grafana-secret - creationPolicy: Owner - template: - engineVersion: v2 - data: - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .authentik_grafana_oauth_client_secret }}" - GF_DATE_FORMATS_USE_BROWSER_LOCALE: "true" - GF_SERVER_ROOT_URL: https://grafana.hsn.dev - GF_DATABASE_NAME: "{{ .grafana_GF_DATABASE_NAME }}" - GF_DATABASE_HOST: "postgres-primary-real.database.svc" - GF_DATABASE_USER: "{{ .grafana_GF_DATABASE_USER }}" - GF_DATABASE_PASSWORD: "{{ .grafana_GF_DATABASE_PASSWORD }}" - GF_DATABASE_SSL_MODE: "require" - GF_DATABASE_TYPE: postgres - GF_ANALYTICS_CHECK_FOR_UPDATES: "false" - GF_ANALYTICS_CHECK_FOR_PLUGIN_UPDATES: "false" - GF_ANALYTICS_REPORTING_ENABLED: "false" - GF_AUTH_ANONYMOUS_ENABLED: "false" - GF_AUTH_BASIC_ENABLED: "false" - GF_AUTH_GENERIC_OAUTH_ENABLED: "true" - GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.hsn.dev/application/o/userinfo/ - GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.hsn.dev/application/o/authorize/ - GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.hsn.dev/application/o/token/ - GF_AUTH_GENERIC_OAUTH_CLIENT_ID: CoV7ae1HxuNzwCbVPf3U7TfYMX2rVqC5T9RAUo5M - GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES: "false" - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'" - GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email groups - GF_AUTH_OAUTH_AUTO_LOGIN: "true" - GF_EXPLORE_ENABLED: "true" - GF_FEATURE_TOGGLES_ENABLE: publicDashboards - GF_LOG_MODE: console - GF_NEWS_NEWS_FEED_ENABLED: "false" - GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel - 
GF_SECURITY_COOKIE_SAMESITE: grafana - GF_SECURITY_ANGULAR_SUPPORT_ENABLED: "true" - - dataFrom: - - extract: - key: Authentik - rewrite: - - regexp: - source: "(.*)" - target: "authentik_$1" - - extract: - key: grafana - rewrite: - - regexp: - source: "(.*)" - target: "grafana_$1" diff --git a/.archive/kubernetes/observability/grafana/app/helmrelease.yaml b/.archive/kubernetes/observability/grafana/app/helmrelease.yaml deleted file mode 100644 index ad716cf9..00000000 --- a/.archive/kubernetes/observability/grafana/app/helmrelease.yaml +++ /dev/null 
@@ -1,401 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: grafana -spec: - interval: 30m - chart: - spec: - chart: grafana - version: 8.3.7 - sourceRef: - kind: HelmRepository - name: grafana - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - dependsOn: - - name: kube-prometheus-stack - namespace: observability - - name: loki - namespace: observability - values: - replicas: 1 - envFromSecret: grafana-secret - dashboardProviders: - dashboardproviders.yaml: - apiVersion: 1 - providers: - - name: default - orgId: 1 - folder: "" - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/default-folder - - name: ceph - orgId: 1 - folder: Ceph - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/ceph-folder - - name: crunchy-postgres - orgId: 1 - folder: Crunchy-postgres - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/crunchy-postgres-folder - - name: flux - orgId: 1 - folder: Flux - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/flux-folder - - name: kubernetes - orgId: 1 - folder: Kubernetes - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/kubernetes-folder - - name: nginx - orgId: 1 - folder: Nginx - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/nginx-folder - - name: prometheus - orgId: 1 - folder: Prometheus - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/prometheus-folder - - name: thanos - orgId: 1 - folder: Thanos - type: file - disableDeletion: false - editable: 
true - options: - path: /var/lib/grafana/dashboards/thanos-folder - - name: unifi - orgId: 1 - folder: Unifi - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/unifi-folder - datasources: - datasources.yaml: - apiVersion: 1 - deleteDatasources: - - { name: Alertmanager, orgId: 1 } - - { name: Loki, orgId: 1 } - - { name: Prometheus, orgId: 1 } - datasources: - - name: Prometheus - type: prometheus - uid: prometheus - access: proxy - url: http://thanos-query-frontend.observability.svc.cluster.local:10902 - jsonData: - prometheusType: Thanos - timeInterval: 1m - isDefault: true - - name: Loki - type: loki - uid: loki - access: proxy - url: http://loki-gateway.observability.svc.cluster.local - jsonData: - maxLines: 250 - - name: Alertmanager - type: alertmanager - uid: alertmanager - access: proxy - url: http://alertmanager-operated.observability.svc.cluster.local:9093 - jsonData: - implementation: prometheus - dashboards: - default: - cloudflared: - # renovate: depName="Cloudflare Tunnels (cloudflared)" - gnetId: 17457 - revision: 6 - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - external-dns: - # renovate: depName="External-dns" - gnetId: 15038 - revision: 3 - datasource: Prometheus - minio: - # renovate: depName="MinIO Dashboard" - gnetId: 13502 - revision: 25 - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - node-exporter-full: - # renovate: depName="Node Exporter Full" - gnetId: 1860 - revision: 33 - datasource: Prometheus - postgres: - # renovate: depName="PostgreSQL Database" - gnetId: 9628 - revision: 7 - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - smartctl-exporter: - # renovate: depName="smartctl_exporter" - gnetId: 20204 - revision: 1 - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - spegel: - # renovate: depName="Spegel" - gnetId: 18089 - revision: 1 - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - unpackerr: - # renovate: 
depName="Unpackerr" - gnetId: 18817 - revision: 1 - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - zfs: - # renovate: depName="ZFS" - gnetId: 7845 - revision: 4 - datasource: Prometheus - dragonflydb: - url: https://raw.githubusercontent.com/dragonflydb/dragonfly/main/tools/local/monitoring/grafana/provisioning/dashboards/dashboard.json - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - cert-manager: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json - datasource: Prometheus - external-secrets: - url: https://raw.githubusercontent.com/external-secrets/external-secrets/main/docs/snippets/dashboard.json - datasource: Prometheus - node-feature-discovery: - url: https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/examples/grafana-dashboard.json - datasource: Prometheus - crunchy-postgres: - pgbackrest: - url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/pgbackrest.json - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - pods: - url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/pod_details.json - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - postgresql: - url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/postgresql_details.json - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - postgresql-overview: - url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/postgresql_overview.json - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - postgresql-health: - url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/postgresql_service_health.json - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - postgresql-alerts: - url: 
https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/prometheus_alerts.json - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - query-stats: - url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/query_statistics.json - datasource: - - { name: DS_PROMETHEUS, value: Prometheus } - ceph: - ceph-cluster: - # renovate: depName="Ceph Cluster" - gnetId: 2842 - revision: 17 - datasource: Prometheus - ceph-osd: - # renovate: depName="Ceph - OSD (Single)" - gnetId: 5336 - revision: 9 - datasource: Prometheus - ceph-pools: - # renovate: depName="Ceph - Pools" - gnetId: 5342 - revision: 9 - datasource: Prometheus - flux: - flux-cluster: - url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/cluster.json - datasource: Prometheus - flux-control-plane: - url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/control-plane.json - datasource: Prometheus - kubernetes: - kubernetes-api-server: - # renovate: depName="Kubernetes / System / API Server" - gnetId: 15761 - revision: 16 - datasource: Prometheus - kubernetes-coredns: - # renovate: depName="Kubernetes / System / CoreDNS" - gnetId: 15762 - revision: 17 - datasource: Prometheus - kubernetes-global: - # renovate: depName="Kubernetes / Views / Global" - gnetId: 15757 - revision: 37 - datasource: Prometheus - kubernetes-namespaces: - # renovate: depName="Kubernetes / Views / Namespaces" - gnetId: 15758 - revision: 34 - datasource: Prometheus - kubernetes-nodes: - # renovate: depName="Kubernetes / Views / Nodes" - gnetId: 15759 - revision: 29 - datasource: Prometheus - kubernetes-pods: - # renovate: depName="Kubernetes / Views / Pods" - gNetId: 15760 - revision: 21 - datasource: Prometheus - kubernetes-volumes: - # renovate: depName="K8s / Storage / Volumes / Cluster" - gnetId: 11454 - revision: 14 - datasource: Prometheus - nginx: - nginx: - 
url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json - datasource: Prometheus - nginx-request-handling-performance: - url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json - datasource: Prometheus - prometheus: - prometheus: - # renovate: depName="Prometheus" - gnetId: 19105 - revision: 3 - datasource: Prometheus - thanos: - thanos-bucket-replicate: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/bucket-replicate.json - datasource: Prometheus - thanos-compact: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/compact.json - datasource: Prometheus - thanos-overview: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/overview.json - datasource: Prometheus - thanos-query: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query.json - datasource: Prometheus - thanos-query-frontend: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query-frontend.json - datasource: Prometheus - thanos-receieve: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/receive.json - datasource: Prometheus - thanos-rule: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/rule.json - datasource: Prometheus - thanos-sidecar: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/sidecar.json - datasource: Prometheus - thanos-store: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/store.json - datasource: Prometheus - unifi: - unifi-insights: - # renovate: depName="UniFi-Poller: Client Insights - Prometheus" - gnetId: 11315 - revision: 9 - 
datasource: Prometheus - unifi-network-sites: - # renovate: depName="UniFi-Poller: Network Sites - Prometheus" - gnetId: 11311 - revision: 5 - datasource: Prometheus - unifi-uap: - # renovate: depName="UniFi-Poller: UAP Insights - Prometheus" - gnetId: 11314 - revision: 10 - datasource: Prometheus - unifi-usw: - # renovate: depName="UniFi-Poller: USW Insights - Prometheus" - gnetId: 11312 - revision: 9 - datasource: Prometheus - sidecar: - dashboards: - enabled: true - searchNamespace: ALL - labelValue: "" - label: grafana_dashboard - folderAnnotation: grafana_folder - provider: - disableDelete: true - foldersFromFilesStructure: true - datasources: - enabled: true - searchNamespace: ALL - labelValue: "" - plugins: - - grafana-clock-panel - - grafana-piechart-panel - - grafana-worldmap-panel - - natel-discrete-panel - - pr0ps-trackmap-panel - - vonage-status-panel - serviceMonitor: - enabled: true - ingress: - enabled: true - ingressClassName: external-nginx - annotations: - external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" - external-dns.alpha.kubernetes.io/target: external.hsn.dev - hosts: - - &host grafana.hsn.dev - tls: - - hosts: - - *host - persistence: - enabled: false - testFramework: - enabled: false - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/name: grafana diff --git a/.archive/kubernetes/observability/grafana/app/kustomization.yaml b/.archive/kubernetes/observability/grafana/app/kustomization.yaml deleted file mode 100644 index 4eed917b..00000000 --- a/.archive/kubernetes/observability/grafana/app/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml 
diff --git a/.archive/kubernetes/observability/grafana/ks.yaml b/.archive/kubernetes/observability/grafana/ks.yaml deleted file mode 100644 index 13a7fe74..00000000 --- a/.archive/kubernetes/observability/grafana/ks.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app grafana - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: crunchy-postgres-operator - - name: external-secrets-stores - path: ./kubernetes/apps/observability/grafana/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app - DB_NAME: grafana - DB_USER: grafana diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/app/externalsecret.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/app/externalsecret.yaml deleted file mode 100644 index 082069fc..00000000 --- a/.archive/kubernetes/observability/kube-prometheus-stack/app/externalsecret.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: alertmanager -spec: - refreshInterval: 5m - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: alertmanager-secret - template: - templateFrom: - - configMap: - name: alertmanager-config-tpl - items: - - key: alertmanager.yaml - dataFrom: - - extract: - key: pushover diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/app/helmrelease.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/app/helmrelease.yaml deleted file mode 100644 index 5b0ec0a2..00000000 
--- a/.archive/kubernetes/observability/kube-prometheus-stack/app/helmrelease.yaml +++ /dev/null 
@@ -1,190 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: kube-prometheus-stack -spec: - interval: 30m - timeout: 15m - chart: - spec: - chart: kube-prometheus-stack - version: 61.6.0 - sourceRef: - kind: HelmRepository - name: prometheus-community - namespace: flux-system - install: - crds: CreateReplace - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - crds: CreateReplace - remediation: - strategy: rollback - retries: 3 - values: - crds: - enabled: true - cleanPrometheusOperatorObjectNames: true - alertmanager: - ingress: - enabled: true - pathType: Prefix - ingressClassName: internal-nginx - hosts: - - &host alertmanager.jahanson.tech - tls: - - hosts: - - *host - alertmanagerSpec: - replicas: 1 - useExistingSecret: true - configSecret: alertmanager-secret - storage: - volumeClaimTemplate: - spec: - storageClassName: openebs-hostpath - resources: - requests: - storage: 1Gi - kubelet: - enabled: true - serviceMonitor: - metricRelabelings: - # Drop high cardinality labels - - action: labeldrop - regex: (uid) - - action: labeldrop - regex: (id|name) - - action: drop - sourceLabels: ["__name__"] - regex: (rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count) - kubeApiServer: - enabled: true - serviceMonitor: - metricRelabelings: - # Drop high cardinality labels - - action: drop - sourceLabels: ["__name__"] - regex: (apiserver|etcd|rest_client)_request(|_sli|_slo)_duration_seconds_bucket - - action: drop - sourceLabels: ["__name__"] - regex: (apiserver_response_sizes_bucket|apiserver_watch_events_sizes_bucket) - kubeControllerManager: - enabled: true - endpoints: &cp - - 10.1.1.61 - kubeEtcd: - enabled: true - endpoints: *cp - kubeScheduler: - enabled: true - endpoints: *cp - kubeProxy: - enabled: false - prometheus: - ingress: - enabled: 
true - ingressClassName: internal-nginx - pathType: Prefix - hosts: - - &host prometheus.jahanson.tech - tls: - - hosts: - - *host - thanosService: - enabled: true - thanosServiceMonitor: - enabled: true - # thanosServiceExternal: - # enabled: true - # type: LoadBalancer - # annotations: - # external-dns.alpha.kubernetes.io/hostname: thanos.jahanson.tech - # io.cilium/lb-ipam-ips: 10.45.0.6 - # externalTrafficPolicy: Cluster - prometheusSpec: - podMetadata: - annotations: - secret.reloader.stakater.com/reload: &secret thanos-objstore-config - replicas: 1 - replicaExternalLabelName: __replica__ - scrapeInterval: 1m # Must match interval in Grafana Helm chart - ruleSelectorNilUsesHelmValues: false - serviceMonitorSelectorNilUsesHelmValues: false - podMonitorSelectorNilUsesHelmValues: false - probeSelectorNilUsesHelmValues: false - scrapeConfigSelectorNilUsesHelmValues: false - enableAdminAPI: true - walCompression: true - enableFeatures: - - auto-gomemlimit - - memory-snapshot-on-shutdown - - new-service-discovery-manager - image: - registry: quay.io - repository: prometheus/prometheus - tag: v2.51.0-dedupelabels - thanos: - image: quay.io/thanos/thanos:${THANOS_VERSION} - version: "${THANOS_VERSION#v}" - objectStorageConfig: - existingSecret: - name: *secret - key: config - retention: 2d - retentionSize: 15GB - externalLabels: - cluster: main - storageSpec: - volumeClaimTemplate: - spec: - storageClassName: openebs-hostpath - resources: - requests: - storage: 20Gi - nodeExporter: - enabled: true - prometheus-node-exporter: - fullnameOverride: node-exporter - prometheus: - monitor: - enabled: true - relabelings: - - action: replace - regex: (.*) - replacement: $1 - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: kubernetes_node - kubeStateMetrics: - enabled: true - kube-state-metrics: - fullnameOverride: kube-state-metrics - metricLabelsAllowlist: - - pods=[*] - - deployments=[*] - - persistentvolumeclaims=[*] - prometheus: - monitor: - enabled: true 
- relabelings: - - action: replace - regex: (.*) - replacement: $1 - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: kubernetes_node - grafana: - enabled: false - forceDeployDashboards: true - sidecar: - dashboards: - annotations: - grafana_folder: Kubernetes - multicluster: - etcd: - enabled: true diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/app/kustomization.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/app/kustomization.yaml deleted file mode 100644 index 086bb927..00000000 --- a/.archive/kubernetes/observability/kube-prometheus-stack/app/kustomization.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml - - ./prometheusrules - # - ./scrapeconfigs - - ./podmonitors -configMapGenerator: - - name: alertmanager-config-tpl - files: - - alertmanager.yaml=./resources/alertmanager.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/app/podmonitors/crunchy-postgres.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/app/podmonitors/crunchy-postgres.yaml deleted file mode 100644 index a868a3a0..00000000 --- a/.archive/kubernetes/observability/kube-prometheus-stack/app/podmonitors/crunchy-postgres.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/podmonitor_v1.json ---- -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: crunchy-postgres-exporter -spec: - selector: - matchLabels: - postgres-operator.crunchydata.com/crunchy-postgres-exporter: 'true' - namespaceSelector: - matchNames: - - database - - media - podMetricsEndpoints: - - port: "exporter" - relabelings: - - sourceLabels: [__meta_kubernetes_pod_container_port_number] - action: keep - regex: "9187" - - sourceLabels: [__meta_kubernetes_namespace] - targetLabel: kubernetes_namespace - - sourceLabels: [__meta_kubernetes_pod_name] - targetLabel: pod - - sourceLabels: [__meta_kubernetes_namespace, __meta_kubernetes_pod_label_postgres_operator_crunchydata_com_cluster] - separator: ":" - targetLabel: pg_cluster - replacement: "$1$2" - - sourceLabels: [__meta_kubernetes_pod_ip] - targetLabel: ip - - sourceLabels: [__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_instance] - targetLabel: deployment - - sourceLabels: [__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_role] - targetLabel: role diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/app/podmonitors/dragonflydb.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/app/podmonitors/dragonflydb.yaml deleted file mode 100644 index 8c8ad96d..00000000 --- a/.archive/kubernetes/observability/kube-prometheus-stack/app/podmonitors/dragonflydb.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/podmonitor_v1.json -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: dragonflydb-metrics - namespace: database -spec: - selector: - matchLabels: - app.kubernetes.io/name: dragonfly - app: dragonfly - podTargetLabels: - - app - namespaceSelector: - matchNames: - - database - podMetricsEndpoints: - - port: admin 
diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/app/podmonitors/kustomization.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/app/podmonitors/kustomization.yaml deleted file mode 100644 index fa86e4a9..00000000 --- a/.archive/kubernetes/observability/kube-prometheus-stack/app/podmonitors/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./crunchy-postgres.yaml - - ./dragonflydb.yaml diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/app/prometheusrules/kustomization.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/app/prometheusrules/kustomization.yaml deleted file mode 100644 index ce216b11..00000000 --- a/.archive/kubernetes/observability/kube-prometheus-stack/app/prometheusrules/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./prometheusrule.yaml diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/app/prometheusrules/prometheusrule.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/app/prometheusrules/prometheusrule.yaml deleted file mode 100644 index f74d565f..00000000 --- a/.archive/kubernetes/observability/kube-prometheus-stack/app/prometheusrules/prometheusrule.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/prometheusrule_v1.json -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: miscellaneous-rules - labels: - prometheus: k8s - role: alert-rules -spec: - groups: - - name: dockerhub - rules: - - alert: BootstrapRateLimitRisk - annotations: - summary: Kubernetes cluster at risk of being rate limited by dockerhub on bootstrap - expr: count(time() - container_last_seen{image=~"(docker.io).*",container!=""} < 30) > 100 - for: 15m - labels: - severity: critical - - name: oom - rules: - - alert: OOMKilled - annotations: - summary: Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has been OOMKilled {{ $value }} times in the last 10 minutes. - expr: (kube_pod_container_status_restarts_total - kube_pod_container_status_restarts_total offset 10m >= 1) and ignoring (reason) min_over_time(kube_pod_container_status_last_terminated_reason{reason="OOMKilled"}[10m]) == 1 - labels: - severity: critical - - name: zfs - rules: - - alert: ZfsUnexpectedPoolState - annotations: - summary: ZFS pool {{$labels.zpool}} on {{$labels.instance}} is in a unexpected state {{$labels.state}} - expr: node_zfs_zpool_state{state!="online"} > 0 - for: 15m - labels: - severity: critical diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/app/resources/alertmanager.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/app/resources/alertmanager.yaml deleted file mode 100644 index e8be4810..00000000 --- a/.archive/kubernetes/observability/kube-prometheus-stack/app/resources/alertmanager.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -global: - resolve_timeout: 5m -route: - group_by: ["alertname", "job"] - group_interval: 10m - group_wait: 1m - receiver: pushover - repeat_interval: 12h - routes: - - receiver: heartbeat - group_interval: 5m - group_wait: 0s - matchers: - - alertname =~ "Watchdog" - repeat_interval: 5m - - receiver: "null" - matchers: - - alertname =~ "InfoInhibitor" - - receiver: pushover - continue: true - matchers: - - severity = "critical" -inhibit_rules: - - equal: ["alertname", "namespace"] - source_matchers: - - severity = "critical" - target_matchers: - - severity = "warning" -receivers: - - name: heartbeat - webhook_configs: - - send_resolved: true - url: "{{ .alertmanager_heartbeat_url }}" - - name: "null" - - name: pushover - pushover_configs: - - html: true - # Compooters are hard - message: |- - {{ "{{-" }} range .Alerts {{ "}}" }} - {{ "{{-" }} if ne .Annotations.description "" {{ "}}" }} - {{ "{{" }} .Annotations.description {{ "}}" }} - {{ "{{-" }} else if ne .Annotations.summary "" {{ "}}" }} - {{ "{{" }} .Annotations.summary {{ "}}" }} - {{ "{{-" }} else if ne .Annotations.message "" {{ "}}" }} - {{ "{{" }} .Annotations.message {{ "}}" }} - {{ "{{-" }} else {{ "}}" }} - Alert description not available - {{ "{{-" }} end {{ "}}" }} - {{ "{{-" }} if gt (len .Labels.SortedPairs) 0 {{ "}}" }} - - {{ "{{-" }} range .Labels.SortedPairs {{ "}}" }} - {{ "{{" }} .Name {{ "}}" }}: {{ "{{" }} .Value {{ "}}" }} - {{ "{{-" }} end {{ "}}" }} - - {{ "{{-" }} end {{ "}}" }} - {{ "{{-" }} end {{ "}}" }} - priority: |- - {{ "{{" }} if eq .Status "firing" {{ "}}" }}1{{ "{{" }} else {{ "}}" }}0{{ "{{" }} end {{ "}}" }} - send_resolved: true - sound: gamelan - title: >- - {{ "{{" }} .CommonLabels.alertname {{ "}}" }} - [{{ "{{" }} .Status | toUpper {{ "}}" }}{{ "{{" }} if eq .Status "firing" {{ "}}" }}:{{ "{{" }} .Alerts.Firing | len {{ "}}" }}{{ "{{" }} end {{ "}}" }}] - token: "{{ .alertmanager_token }}" - url_title: View in Alertmanager - user_key: "{{ 
.userkey_jahanson }}" diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/app/scrapeconfigs/kustomization.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/app/scrapeconfigs/kustomization.yaml deleted file mode 100644 index e599bb73..00000000 --- a/.archive/kubernetes/observability/kube-prometheus-stack/app/scrapeconfigs/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./node-exporter.yaml - - ./zfs-exporter.yaml diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/app/scrapeconfigs/node-exporter.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/app/scrapeconfigs/node-exporter.yaml deleted file mode 100644 index 68e8bed2..00000000 --- a/.archive/kubernetes/observability/kube-prometheus-stack/app/scrapeconfigs/node-exporter.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/scrapeconfig_v1alpha1.json -apiVersion: monitoring.coreos.com/v1alpha1 -kind: ScrapeConfig -metadata: - name: node-exporter -spec: - staticConfigs: - - targets: - - 10.1.1.1:9100 - metricsPath: /metrics diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/app/scrapeconfigs/zfs-exporter.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/app/scrapeconfigs/zfs-exporter.yaml deleted file mode 100644 index a368d6cd..00000000 --- a/.archive/kubernetes/observability/kube-prometheus-stack/app/scrapeconfigs/zfs-exporter.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/scrapeconfig_v1alpha1.json -apiVersion: monitoring.coreos.com/v1alpha1 -kind: ScrapeConfig -metadata: - name: zfs-exporter -spec: - staticConfigs: - - targets: - - 10.1.1.13:9134 - metricsPath: /metrics 
diff --git a/.archive/kubernetes/observability/kube-prometheus-stack/ks.yaml b/.archive/kubernetes/observability/kube-prometheus-stack/ks.yaml deleted file mode 100644 index 7108794c..00000000 --- a/.archive/kubernetes/observability/kube-prometheus-stack/ks.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app kube-prometheus-stack - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: external-secrets-stores - - name: openebs - - name: volsync - path: ./kubernetes/apps/observability/kube-prometheus-stack/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 15m - postBuild: - substitute: - # renovate: datasource=docker depName=quay.io/thanos/thanos - THANOS_VERSION: v0.34.1 diff --git a/.archive/kubernetes/observability/loki/app/externalsecret.yaml b/.archive/kubernetes/observability/loki/app/externalsecret.yaml deleted file mode 100644 index bb537a3a..00000000 --- a/.archive/kubernetes/observability/loki/app/externalsecret.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: loki -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: loki-secret - creationPolicy: Owner - template: - engineVersion: v2 - data: - S3_HOST: s3.hsn.dev - S3_BUCKET: "{{ .minio_thanos_bucket_name }}" - S3_ACCESS_KEY: "{{ .minio_loki_access_key }}" - S3_SECRET_KEY: "{{ .minio_loki_secret_key }}" - S3_REGION: us-east-1 - dataFrom: - - extract: - key: minio - rewrite: - - regexp: - source: "(.*)" - target: "minio_$1" 
diff --git a/.archive/kubernetes/observability/loki/app/helmrelease.yaml b/.archive/kubernetes/observability/loki/app/helmrelease.yaml deleted file mode 100644 index 5d2673eb..00000000 --- a/.archive/kubernetes/observability/loki/app/helmrelease.yaml +++ /dev/null 
@@ -1,138 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: loki -spec: - interval: 30m - timeout: 15m - chart: - spec: - chart: loki - version: 6.7.3 - sourceRef: - kind: HelmRepository - name: grafana - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: uninstall - retries: 3 - valuesFrom: - - targetPath: loki.storage.bucketNames.chunks - kind: Secret - name: loki-secret - valuesKey: S3_BUCKET - - targetPath: loki.storage.s3.endpoint - kind: Secret - name: loki-secret - valuesKey: S3_HOST - - targetPath: loki.storage.s3.region - kind: Secret - name: loki-secret - valuesKey: S3_REGION - - targetPath: loki.storage.s3.accessKeyId - kind: Secret - name: loki-secret - valuesKey: S3_ACCESS_KEY - - targetPath: loki.storage.s3.secretAccessKey - kind: Secret - name: loki-secret - valuesKey: S3_SECRET_KEY - values: - deploymentMode: SimpleScalable - loki: - podAnnotations: - secret.reloader.stakater.com/reload: loki-secret - ingester: - chunk_encoding: snappy - storage: - type: s3 - s3: - s3ForcePathStyle: true - insecure: true - schemaConfig: - configs: - - from: "2024-04-01" - store: tsdb - object_store: s3 - schema: v13 - index: - prefix: loki_index_ - period: 24h - structuredConfig: - auth_enabled: false - server: - log_level: info - http_listen_port: 3100 - grpc_listen_port: 9095 - grpc_server_max_recv_msg_size: 8388608 - grpc_server_max_send_msg_size: 8388608 - limits_config: - ingestion_burst_size_mb: 128 - ingestion_rate_mb: 64 - max_query_parallelism: 100 - per_stream_rate_limit: 64M - per_stream_rate_limit_burst: 128M - reject_old_samples: true - reject_old_samples_max_age: 168h - retention_period: 30d - shard_streams: - enabled: true - split_queries_by_interval: 1h - query_scheduler: - max_outstanding_requests_per_tenant: 4096 - frontend: - 
max_outstanding_per_tenant: 4096 - ruler: - enable_api: true - enable_alertmanager_v2: true - alertmanager_url: http://alertmanager-operated.observability.svc.cluster.local:9093 - storage: - type: local - local: - directory: /rules - rule_path: /rules/fake - analytics: - reporting_enabled: false - backend: - replicas: 1 - persistence: - size: 20Gi - storageClass: openebs-hostpath - gateway: - replicas: 1 - image: - registry: ghcr.io - ingress: - enabled: true - ingressClassName: internal-nginx - hosts: - - host: &host loki.jahanson.tech - paths: - - path: / - pathType: Prefix - tls: - - hosts: [*host] - read: - replicas: 1 - write: - replicas: 1 - persistence: - size: 20Gi - storageClass: openebs-hostpath - sidecar: - image: - repository: ghcr.io/kiwigrid/k8s-sidecar - rules: - searchNamespace: ALL - folder: /rules/fake - lokiCanary: - enabled: false - test: - enabled: false diff --git a/.archive/kubernetes/observability/loki/app/kustomization.yaml b/.archive/kubernetes/observability/loki/app/kustomization.yaml deleted file mode 100644 index 4eed917b..00000000 --- a/.archive/kubernetes/observability/loki/app/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml diff --git a/.archive/kubernetes/observability/loki/ks.yaml b/.archive/kubernetes/observability/loki/ks.yaml deleted file mode 100644 index 173dc11c..00000000 --- a/.archive/kubernetes/observability/loki/ks.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app loki - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: external-secrets-stores - - name: openebs - - name: vector - path: ./kubernetes/apps/observability/loki/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 15m diff --git a/.archive/kubernetes/observability/thanos/app/externalsecret.yaml b/.archive/kubernetes/observability/thanos/app/externalsecret.yaml deleted file mode 100644 index 207b5ce6..00000000 --- a/.archive/kubernetes/observability/thanos/app/externalsecret.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: thanos -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: thanos-secret - creationPolicy: Owner - template: - engineVersion: v2 - data: - S3_HOST: s3.hsn.dev - S3_BUCKET: "{{ .minio_thanos_bucket_name }}" - S3_ACCESS_KEY: "{{ .minio_thanos_access_key }}" - S3_SECRET_KEY: "{{ .minio_thanos_secret_key }}" - S3_REGION: us-east-1 - dataFrom: - - extract: - key: Minio - rewrite: - - regexp: - source: "(.*)" - target: "minio_$1" diff --git a/.archive/kubernetes/observability/thanos/app/helmrelease.yaml b/.archive/kubernetes/observability/thanos/app/helmrelease.yaml deleted file mode 100644 index 6ff06b08..00000000 --- a/.archive/kubernetes/observability/thanos/app/helmrelease.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: thanos -spec: - interval: 30m - timeout: 15m - chart: - spec: - chart: thanos - version: 1.17.2 - sourceRef: - kind: HelmRepository - name: stevehipwell - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - valuesFrom: - - targetPath: objstoreConfig.value.config.bucket - kind: Secret - name: thanos-secret - valuesKey: S3_BUCKET - - targetPath: objstoreConfig.value.config.endpoint - kind: Secret - name: thanos-secret - valuesKey: S3_HOST - - targetPath: objstoreConfig.value.config.region - kind: Secret - name: thanos-secret - valuesKey: S3_REGION - - targetPath: objstoreConfig.value.config.access_key - kind: Secret - name: thanos-secret - valuesKey: S3_ACCESS_KEY - - targetPath: objstoreConfig.value.config.secret_key - kind: Secret - name: thanos-secret - valuesKey: S3_SECRET_KEY - values: - objstoreConfig: - value: - type: s3 - config: - insecure: false - additionalEndpoints: - - dnssrv+_grpc._tcp.kube-prometheus-stack-thanos-discovery.observability.svc.cluster.local - additionalReplicaLabels: ["__replica__"] - serviceMonitor: - enabled: true - compact: - enabled: true - extraArgs: - - --compact.concurrency=4 - - --delete-delay=30m - - --retention.resolution-raw=14d - - --retention.resolution-5m=30d - - --retention.resolution-1h=60d - persistence: &persistence - enabled: true - storageClass: openebs-hostpath - size: 10Gi - query: - replicas: 1 - extraArgs: ["--alert.query-url=https://thanos.jahanson.tech"] - queryFrontend: - enabled: true - replicas: 1 - extraEnv: &extraEnv - - name: THANOS_CACHE_CONFIG - valueFrom: - configMapKeyRef: - name: &configMap thanos-cache-configmap - key: cache.yaml - extraArgs: ["--query-range.response-cache-config=$(THANOS_CACHE_CONFIG)"] - 
ingress: - enabled: true - ingressClassName: internal-nginx - hosts: - - &host thanos.jahanson.tech - tls: - - hosts: [*host] - podAnnotations: &podAnnotations - configmap.reloader.stakater.com/reload: *configMap - rule: - enabled: true - replicas: 1 - extraArgs: ["--web.prefix-header=X-Forwarded-Prefix"] - alertmanagersConfig: - value: |- - alertmanagers: - - api_version: v2 - static_configs: - - dnssrv+_http-web._tcp.alertmanager-operated.observability.svc.cluster.local - rules: - value: |- - groups: - - name: PrometheusWatcher - rules: - - alert: PrometheusDown - annotations: - summary: A Prometheus has disappeared from Prometheus target discovery - expr: absent(up{job="kube-prometheus-stack-prometheus"}) - for: 5m - labels: - severity: critical - persistence: *persistence - storeGateway: - replicas: 1 - extraEnv: *extraEnv - extraArgs: ["--index-cache.config=$(THANOS_CACHE_CONFIG)"] - persistence: *persistence - podAnnotations: *podAnnotations diff --git a/.archive/kubernetes/observability/thanos/app/kustomization.yaml b/.archive/kubernetes/observability/thanos/app/kustomization.yaml deleted file mode 100644 index 9a4c8f20..00000000 --- a/.archive/kubernetes/observability/thanos/app/kustomization.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./externalsecret.yaml -configMapGenerator: - - name: thanos-cache-configmap - files: - - cache.yaml=./resources/cache.yml -generatorOptions: - disableNameSuffixHash: true diff --git a/.archive/kubernetes/observability/thanos/app/resources/cache.yml b/.archive/kubernetes/observability/thanos/app/resources/cache.yml deleted file mode 100644 index df31f345..00000000 --- a/.archive/kubernetes/observability/thanos/app/resources/cache.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -type: REDIS -config: - addr: dragonfly.database.svc.cluster.local:6379 - db: 1 
diff --git a/.archive/kubernetes/observability/thanos/ks.yaml b/.archive/kubernetes/observability/thanos/ks.yaml deleted file mode 100644 index 645f8fea..00000000 --- a/.archive/kubernetes/observability/thanos/ks.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app thanos - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: external-secrets-stores - - name: openebs - - name: dragonfly-operator - path: ./kubernetes/apps/observability/thanos/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 15m diff --git a/.archive/kubernetes/observability/vector/app/agent/helmrelease.yaml b/.archive/kubernetes/observability/vector/app/agent/helmrelease.yaml deleted file mode 100644 index ef6de121..00000000 --- a/.archive/kubernetes/observability/vector/app/agent/helmrelease.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: vector-agent -spec: - interval: 30m - timeout: 15m - chart: - spec: - chart: app-template - version: 3.3.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - dependsOn: - - name: vector-aggregator - namespace: observability - values: - controllers: - vector: - type: daemonset - strategy: RollingUpdate - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: docker.io/timberio/vector - tag: 0.40.0-alpine@sha256:7a81fdd62e056321055a9e4bdec4073d752ecf68f4c192e676b85001721523c2 - env: - PROCFS_ROOT: /host/proc - SYSFS_ROOT: /host/sys - VECTOR_SELF_NODE_NAME: - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - VECTOR_SELF_POD_NAME: - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - VECTOR_SELF_POD_NAMESPACE: - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - args: ["--config", "/etc/vector/vector.yaml"] - securityContext: - privileged: true - serviceAccount: - create: true - name: vector-agent - persistence: - config: - enabled: true - type: configMap - name: vector-agent-configmap - globalMounts: - - path: /etc/vector/vector.yaml - subPath: vector.yaml - readOnly: true - data: - type: emptyDir - globalMounts: - - path: /vector-data-dir - procfs: - type: hostPath - hostPath: /proc - hostPathType: Directory - globalMounts: - - path: /host/proc - readOnly: true - sysfs: - type: hostPath - hostPath: /sys - hostPathType: Directory - globalMounts: - - path: /host/sys - readOnly: true - var-lib: - type: hostPath - hostPath: /var/lib - hostPathType: Directory - globalMounts: 
- - readOnly: true - var-log: - type: hostPath - hostPath: /var/log - hostPathType: Directory - globalMounts: - - readOnly: true diff --git a/.archive/kubernetes/observability/vector/app/agent/kustomization.yaml b/.archive/kubernetes/observability/vector/app/agent/kustomization.yaml deleted file mode 100644 index cad3d529..00000000 --- a/.archive/kubernetes/observability/vector/app/agent/kustomization.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./rbac.yaml -configMapGenerator: - - name: vector-agent-configmap - files: - - vector.yaml=./resources/vector.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/.archive/kubernetes/observability/vector/app/agent/rbac.yaml b/.archive/kubernetes/observability/vector/app/agent/rbac.yaml deleted file mode 100644 index a088f8d1..00000000 --- a/.archive/kubernetes/observability/vector/app/agent/rbac.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vector-agent -rules: - - apiGroups: [""] - resources: ["namespaces", "nodes", "pods"] - verbs: ["list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vector-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: vector-agent -subjects: - - kind: ServiceAccount - name: vector-agent - namespace: observability diff --git a/.archive/kubernetes/observability/vector/app/agent/resources/vector.yaml b/.archive/kubernetes/observability/vector/app/agent/resources/vector.yaml deleted file mode 100644 index f3a7565c..00000000 --- a/.archive/kubernetes/observability/vector/app/agent/resources/vector.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -data_dir: /vector-data-dir - -sources: - kubernetes_source: - type: kubernetes_logs - use_apiserver_cache: true - pod_annotation_fields: - container_image: container_image - container_name: container_name - pod_labels: pod_labels - pod_name: pod_name - pod_annotations: "" - namespace_annotation_fields: - namespace_labels: "" - node_annotation_fields: - node_labels: "" - -sinks: - kubernetes: - type: vector - compression: true - version: "2" - address: vector-aggregator.observability.svc.cluster.local:6010 - inputs: ["kubernetes_source"] diff --git a/.archive/kubernetes/observability/vector/app/aggregator/externalsecret.yaml b/.archive/kubernetes/observability/vector/app/aggregator/externalsecret.yaml deleted file mode 100644 index d9fc9f52..00000000 --- a/.archive/kubernetes/observability/vector/app/aggregator/externalsecret.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: vector-aggregator -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: vector-aggregator-secret - template: - engineVersion: v2 - data: - GEOIPUPDATE_ACCOUNT_ID: "{{ .account_id }}" - GEOIPUPDATE_LICENSE_KEY: "{{ .vector_license_key }}" - dataFrom: - - extract: - key: maxmind diff --git a/.archive/kubernetes/observability/vector/app/aggregator/helmrelease.yaml b/.archive/kubernetes/observability/vector/app/aggregator/helmrelease.yaml deleted file mode 100644 index 2de27930..00000000 --- a/.archive/kubernetes/observability/vector/app/aggregator/helmrelease.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app vector-aggregator -spec: - interval: 30m - timeout: 15m - chart: - spec: - chart: app-template - version: 3.3.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - vector-aggregator: - replicas: 1 - strategy: RollingUpdate - annotations: - reloader.stakater.com/auto: "true" - initContainers: - init-geoip: - image: - repository: ghcr.io/maxmind/geoipupdate - tag: v7.0.1@sha256:80c57598a9ff552953e499cefc589cfe7b563d64262742ea42f2014251b557b0 - env: - GEOIPUPDATE_EDITION_IDS: GeoLite2-City - GEOIPUPDATE_FREQUENCY: "0" - GEOIPUPDATE_VERBOSE: "1" - envFrom: - - secretRef: - name: vector-aggregator-secret - containers: - app: - image: - repository: docker.io/timberio/vector - tag: 0.40.0-alpine@sha256:7a81fdd62e056321055a9e4bdec4073d752ecf68f4c192e676b85001721523c2 - args: ["--config", "/etc/vector/vector.yaml"] - pod: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/name: *app - service: - app: - controller: vector-aggregator - type: LoadBalancer - annotations: - external-dns.alpha.kubernetes.io/hostname: vector.jahanson.tech - io.cilium/lb-ipam-ips: 10.1.1.33 - ports: - http: - port: 8686 - journald: - port: 6000 - kubernetes: - port: 6010 - vyos: - port: 6020 - persistence: - config: - enabled: true - type: configMap - name: vector-aggregator-configmap - globalMounts: - - path: /etc/vector/vector.yaml - subPath: vector.yaml - readOnly: true - data: - type: emptyDir - globalMounts: - - path: /vector-data-dir - geoip: - 
type: emptyDir - globalMounts: - - path: /usr/share/GeoIP diff --git a/.archive/kubernetes/observability/vector/app/aggregator/kustomization.yaml b/.archive/kubernetes/observability/vector/app/aggregator/kustomization.yaml deleted file mode 100644 index e3264144..00000000 --- a/.archive/kubernetes/observability/vector/app/aggregator/kustomization.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml -configMapGenerator: - - name: vector-aggregator-configmap - files: - - vector.yaml=./resources/vector.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/.archive/kubernetes/observability/vector/app/aggregator/resources/vector.yaml b/.archive/kubernetes/observability/vector/app/aggregator/resources/vector.yaml deleted file mode 100644 index 3bfa3e44..00000000 --- a/.archive/kubernetes/observability/vector/app/aggregator/resources/vector.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ ---- -data_dir: /vector-data-dir -api: - enabled: true - address: 0.0.0.0:8686 - -enrichment_tables: - geoip_table: - type: geoip - path: /usr/share/GeoIP/GeoLite2-City.mmdb - -# -# Sources -# - -sources: - journald_source: - type: vector - version: "2" - address: 0.0.0.0:6000 - - kubernetes_source: - type: vector - version: "2" - address: 0.0.0.0:6010 - - vyos_source: - type: syslog - address: 0.0.0.0:6020 - mode: tcp - -# -# Transforms -# - -transforms: - kubernetes_remap: - type: remap - inputs: ["kubernetes_source"] - source: | - # Standardize 'app' index - .custom_app_name = .pod_labels."app.kubernetes.io/name" || .pod_labels.app || .pod_labels."k8s-app" || "unknown" - # Drop pod_labels - del(.pod_labels) - - # [63950.153039] [wan-local-default-D]IN=eth4 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=60610 PROTO=TCP SPT=53451 DPT=2002 WINDOW=1024 RES=0x00 SYN URGP=0 - vyos_firewall_route: - type: route - inputs: ["vyos_source"] - route: - firewall: | - .facility == "kern" && match!(.message, r'^\[(.*?)\].(.*)') - - vyos_firewall_remap: - type: remap - inputs: ["vyos_firewall_route.firewall"] - source: | - # Parse firewall rule message - split_message, split_err = parse_regex(.message, r'^\[.*\].\[(?P.*?)\](?P.*)') - if split_err != null { - abort - } - # Extract separate fields from message - split_message.fields, split_err = strip_whitespace(split_message.fields) - if split_err != null { - abort - } - .message, parse_err = parse_key_value(split_message.fields, whitespace: "strict") - if parse_err != null { - abort - } - # Add more information about the triggered rule - .message.RULE, parse_err = parse_regex(split_message.rule, r'^ipv4-(?P\w+)-(?P\w+)-(?P\w+)-(?P\w+)$') - if parse_err != null { - abort - } - - vyos_firewall_wan_route: - type: route - inputs: ["vyos_firewall_remap"] - route: - from_wan: .message.RULE.from_zone == "wan" - - 
vyos_firewall_geoip_remap: - type: remap - inputs: ["vyos_firewall_wan_route.from_wan"] - source: | - .geoip = get_enrichment_table_record!( - "geoip_table", { - "ip": .message.SRC - } - ) - -# -# Sinks -# - -sinks: - journald: - inputs: ["journald_source"] - type: loki - endpoint: http://loki-gateway.observability.svc.cluster.local - encoding: { codec: json } - out_of_order_action: accept - remove_label_fields: true - remove_timestamp: true - labels: - hostname: '{{ host }}' - - kubernetes: - inputs: ["kubernetes_remap"] - type: loki - endpoint: http://loki-gateway.observability.svc.cluster.local - encoding: { codec: json } - out_of_order_action: accept - remove_label_fields: true - remove_timestamp: true - labels: - app: '{{ custom_app_name }}' - namespace: '{{ kubernetes.pod_namespace }}' - node: '{{ kubernetes.pod_node_name }}' - - vyos: - inputs: ["vyos_source", "vyos_firewall_geoip_remap"] - type: loki - endpoint: http://loki-gateway.observability.svc.cluster.local - encoding: { codec: json } - out_of_order_action: accept - remove_label_fields: true - remove_timestamp: true - labels: - hostname: '{{ host }}' diff --git a/.archive/kubernetes/observability/vector/app/kustomization.yaml b/.archive/kubernetes/observability/vector/app/kustomization.yaml deleted file mode 100644 index 54568aa0..00000000 --- a/.archive/kubernetes/observability/vector/app/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./agent - - ./aggregator diff --git a/.archive/kubernetes/observability/vector/ks.yaml b/.archive/kubernetes/observability/vector/ks.yaml deleted file mode 100644 index 86d2bbdb..00000000 --- a/.archive/kubernetes/observability/vector/ks.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app vector - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: external-secrets-stores - path: ./kubernetes/apps/observability/vector/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 15m diff --git a/.archive/kubernetes/openebs-system/kustomization.yaml b/.archive/kubernetes/openebs-system/kustomization.yaml deleted file mode 100644 index 011b5101..00000000 --- a/.archive/kubernetes/openebs-system/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Pre Flux-Kustomizations - - ./namespace.yaml - # Flux-Kustomizations - - ./openebs/ks.yaml diff --git a/.archive/kubernetes/openebs-system/namespace.yaml b/.archive/kubernetes/openebs-system/namespace.yaml deleted file mode 100644 index 18921b50..00000000 --- a/.archive/kubernetes/openebs-system/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: openebs-system - annotations: - kustomize.toolkit.fluxcd.io/prune: disabled - volsync.backube/privileged-movers: "true" diff --git a/.archive/kubernetes/openebs-system/openebs/app/helmrelease.yaml b/.archive/kubernetes/openebs-system/openebs/app/helmrelease.yaml deleted file mode 100644 index 4ec773bf..00000000 --- a/.archive/kubernetes/openebs-system/openebs/app/helmrelease.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: openebs-zfs -spec: - interval: 30m - chart: - spec: - chart: zfs-localpv - version: 2.6.0 - sourceRef: - kind: HelmRepository - name: openebs-zfs - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - zfsNode: - encrKeysDir: /var/openebs/keys - crds: - csi: - volumeSnapshots: - enabled: false diff --git a/.archive/kubernetes/openebs-system/openebs/app/kustomization.yaml b/.archive/kubernetes/openebs-system/openebs/app/kustomization.yaml deleted file mode 100644 index 17cbc72b..00000000 --- a/.archive/kubernetes/openebs-system/openebs/app/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml diff --git a/.archive/kubernetes/openebs-system/openebs/cluster/kustomization.yaml b/.archive/kubernetes/openebs-system/openebs/cluster/kustomization.yaml deleted file mode 100644 index 176bb55e..00000000 --- a/.archive/kubernetes/openebs-system/openebs/cluster/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./storageclass.yaml - - ./volumesnapshotclass.yaml diff --git a/.archive/kubernetes/openebs-system/openebs/cluster/storageclass.yaml b/.archive/kubernetes/openebs-system/openebs/cluster/storageclass.yaml deleted file mode 100644 index 7f911e5f..00000000 --- a/.archive/kubernetes/openebs-system/openebs/cluster/storageclass.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: openebs-zfs - annotations: - storageclass.kubevirt.io/is-default-virt-class: "true" - storageclass.kubernetes.io/is-default-class: "true" -provisioner: zfs.csi.openebs.io -parameters: - recordsize: "128k" - compression: "off" - dedup: "off" - fstype: "zfs" - poolname: "nahar" -allowVolumeExpansion: true diff --git a/.archive/kubernetes/openebs-system/openebs/cluster/volumesnapshotclass.yaml b/.archive/kubernetes/openebs-system/openebs/cluster/volumesnapshotclass.yaml deleted file mode 100644 index 352e7d32..00000000 --- a/.archive/kubernetes/openebs-system/openebs/cluster/volumesnapshotclass.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/snapshot.storage.k8s.io/volumesnapshotclass_v1.json -kind: VolumeSnapshotClass -apiVersion: snapshot.storage.k8s.io/v1 -metadata: - name: openebs-zfs - annotations: - snapshot.storage.kubernetes.io/is-default-class: "true" -driver: zfs.csi.openebs.io -deletionPolicy: Delete diff --git a/.archive/kubernetes/openebs-system/openebs/ks.yaml b/.archive/kubernetes/openebs-system/openebs/ks.yaml deleted file mode 100644 index 690b4cc0..00000000 --- a/.archive/kubernetes/openebs-system/openebs/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app openebs - namespace: flux-system -spec: - targetNamespace: openebs-system - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/openebs-system/openebs/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m 
diff --git a/.archive/kubernetes/qbittorrent/app/externalsecret.yaml b/.archive/kubernetes/qbittorrent/app/externalsecret.yaml deleted file mode 100644 index 51ccfff3..00000000 --- a/.archive/kubernetes/qbittorrent/app/externalsecret.yaml +++ /dev/null @@ -1,31 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: qbittorrent - namespace: qbittorrent -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: qbittorrent-secret - creationPolicy: Owner - data: - - secretKey: WIREGUARD_ENDPOINT_IP - remoteRef: - key: ProtonVPN - property: qbittorrent_vpn_endpoint_ip - - secretKey: WIREGUARD_PUBLIC_KEY - remoteRef: - key: ProtonVPN - property: qbittorrent_wireguard_public_key - - secretKey: WIREGUARD_PRIVATE_KEY - remoteRef: - key: ProtonVPN - property: qbittorrent_wireguard_private_key - - secretKey: WIREGUARD_ADDRESSES - remoteRef: - key: ProtonVPN - property: qbittorrent_wireguard_addresses diff --git a/.archive/kubernetes/qbittorrent/app/helmrelease.yaml b/.archive/kubernetes/qbittorrent/app/helmrelease.yaml deleted file mode 100644 index ca3bc979..00000000 --- a/.archive/kubernetes/qbittorrent/app/helmrelease.yaml +++ /dev/null 
@@ -1,163 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app qbittorrent-protonvpn -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.3.2 - interval: 30m - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - qbittorrent: - annotations: - configmap.reloader.stakater.com/reload: qbittorrent-scripts - secret.reloader.stakater.com/reload: qbittorrent-secret - pod: - securityContext: - fsGroup: 568 - fsGroupChangePolicy: "OnRootMismatch" - containers: - app: - nameOverride: qbittorrent - image: - repository: ghcr.io/onedr0p/qbittorrent - tag: 4.6.6@sha256:e21c95568c9175f40390bacd7f778d8d2af5331d1e663e1a6860140891c65742 - env: - UMASK: "022" - QBITTORRENT__PORT: &port 80 - QBT_Preferences__WebUI__AlternativeUIEnabled: false - QBT_Preferences__WebUI__AuthSubnetWhitelistEnabled: true - QBT_Preferences__WebUI__AuthSubnetWhitelist: |- - 10.244.0.0/16, 10.1.2.0/24 - QBT_Preferences__WebUI__LocalHostAuth: false - QBT_BitTorrent__Session__Interface: wg0 - QBT_BitTorrent__Session__InterfaceName: wg0 - resources: - requests: - cpu: 49m - memory: 1024Mi - limits: - memory: 24Gi - securityContext: - runAsUser: 568 - runAsGroup: 568 - runAsNonRoot: true - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - - gluetun: - image: - repository: ghcr.io/qdm12/gluetun - tag: latest@sha256:fb448a2eb8755b68106a386d1e5a78c781bf28a0eea0fb712824cd2dc0ec19a7 - env: - VPN_SERVICE_PROVIDER: custom - VPN_TYPE: wireguard - VPN_INTERFACE: wg0 - WIREGUARD_ENDPOINT_PORT: 51820 - VPN_PORT_FORWARDING: on - VPN_PORT_FORWARDING_PROVIDER: protonvpn - FIREWALL_INPUT_PORTS: 
*port - FIREWALL_OUTBOUND_SUBNETS: 10.32.0.0/16 # Allow access to k8s subnets - envFrom: - - secretRef: - name: qbittorrent-secret - securityContext: - # until I can debug the issues on talos 1.8. - privileged: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - - port-forward: - image: - repository: ghcr.io/bjw-s/gluetun-qb-port-sync - tag: v0.0.2 - env: - GLUETUN_CONTROL_SERVER_HOST: localhost - GLUETUN_CONTROL_SERVER_PORT: 8000 - QBITTORRENT_HOST: localhost - QBITTORRENT_WEBUI_PORT: *port - CRON_ENABLED: true - CRON_SCHEDULE: "*/5 * * * *" - LOG_TIMESTAMP: false - securityContext: - runAsUser: 568 - runAsGroup: 568 - runAsNonRoot: true - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - capabilities: - drop: - - ALL - - service: - app: - controller: qbittorrent - type: LoadBalancer - annotations: - io.cilium/lb-ipam-ips: 10.1.1.34 - nameOverride: qbittorrent - ports: - http: - port: *port - # bittorrent port is set by gluetun-qb-port-sync - # So we don't need to set it for forwarding-to from firewall here. - # bittorrent: - # enabled: true - # port: *bittorrentPort - # protocol: TCP - - ingress: - app: - className: "internal-nginx" - hosts: - - host: "qb.jahanson.tech" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - "qb.jahanson.tech" - - persistence: - config: - existingClaim: qbittorrent - media: - type: nfs - server: 10.1.1.11 - path: /volume1/Media - advancedMounts: - qbittorrent: - app: - - path: /data/nas-media - qbtun: - type: hostPath - hostPath: /dev/net - advancedMounts: - qbittorrent: - gluetun: - - path: /dev/net diff --git a/.archive/kubernetes/qbittorrent/app/kustomization.yaml b/.archive/kubernetes/qbittorrent/app/kustomization.yaml deleted file mode 100644 index 8ad2376c..00000000 --- a/.archive/kubernetes/qbittorrent/app/kustomization.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml - - ../../../../templates/volsync -generatorOptions: - disableNameSuffixHash: true diff --git a/.archive/kubernetes/qbittorrent/ks.yaml b/.archive/kubernetes/qbittorrent/ks.yaml deleted file mode 100644 index 25ac12ef..00000000 --- a/.archive/kubernetes/qbittorrent/ks.yaml +++ /dev/null @@ -1,50 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app qbittorrent - namespace: flux-system -spec: - targetNamespace: qbittorrent - commonMetadata: - labels: - app.kubernetes.io/name: *app - interval: 10m - path: "./kubernetes/apps/qbittorrent/qbittorrent/app" - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: true - dependsOn: - - name: openebs - - name: volsync - - name: external-secrets-stores - postBuild: - substitute: - APP: *app - VOLSYNC_CAPACITY: 2Gi - VOLSYNC_STORAGECLASS: zfs-generic-nfs-csi - VOLSYNC_SNAPSHOTCLASS: zfs-generic-nfs-csi ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app qbittorrent-tools - namespace: flux-system -spec: - targetNamespace: qbittorrent - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/qbittorrent/qbittorrent/tools - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/.archive/kubernetes/qbittorrent/tools/helmrelease.yaml b/.archive/kubernetes/qbittorrent/tools/helmrelease.yaml deleted file mode 100644 index a833568d..00000000 
--- a/.archive/kubernetes/qbittorrent/tools/helmrelease.yaml +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: qbtools -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.3.2 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - dependsOn: - - name: qbittorrent - namespace: qbittorrent - values: - controllers: - tagging: - type: cronjob - cronjob: &cronJobSpec - schedule: "@hourly" - timeZone: &timeZone America/Chicago - concurrencyPolicy: Forbid - successfulJobsHistory: 1 - failedJobsHistory: 1 - initContainers: - tagging: &container - image: - repository: ghcr.io/buroa/qbtools - tag: v0.16.3@sha256:1eb3be84d7d63bfd0aaffd1e85f1cfd9a5064fd8ce5ed94522672eca0d201e56 - env: - TZ: *timeZone - POD_NAMESPACE: - valueFrom: - fieldRef: - fieldPath: metadata.namespace - args: [ - "tagging", - "--added-on", - "--expired", - "--last-activity", - "--sites", - "--unregistered", - "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local", - "--port", "80", - "--config", "/config/config.yaml" - ] - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - resources: - requests: - cpu: 25m - limits: - memory: 256M - containers: - unregistered: - <<: *container - args: [ - "prune", - "--exclude-category", "manual", - "--exclude-category", "music", - "--exclude-tag", "added:24h", - "--include-tag", "unregistered", - # "--dry-run", - "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local", - "--port", "80" - ] - expired: - <<: *container - args: [ - "prune", - "--exclude-category", "manual", - "--exclude-category", "music", - "--include-tag", "expired", # defined in config.yaml - "--include-tag", "added:7d", - 
# "--dry-run", - "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local", - "--port", "80" - ] - pod: - restartPolicy: OnFailure - orphaned: - type: cronjob - cronjob: - <<: *cronJobSpec - schedule: "@daily" - containers: - app: - <<: *container - args: [ - "orphaned", - "--exclude-pattern", "*_unpackerred*", - "--exclude-pattern", "*/manual/*", - # "--dry-run", - "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local", - "--port", "80" - ] - pod: - restartPolicy: OnFailure - reannounce: - containers: - app: - <<: *container - args: [ - "reannounce", - "--process-seeding", - "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local", - "--port", "80" - ] - defaultPodOptions: - securityContext: - runAsNonRoot: true - runAsUser: 568 - runAsGroup: 568 - seccompProfile: { type: RuntimeDefault } - persistence: - secret-file: - type: secret - name: qbtools-secret - globalMounts: - - path: /config/config.yaml - subPath: config.yaml - readOnly: true - media: - type: nfs - server: 10.1.1.13 - path: /eru/media - advancedMounts: - orphaned: - app: - - path: /data/nas-media - subPath: qb/downloads diff --git a/.archive/kubernetes/qbittorrent/tools/kustomization.yaml b/.archive/kubernetes/qbittorrent/tools/kustomization.yaml deleted file mode 100644 index 6b4d0b3a..00000000 --- a/.archive/kubernetes/qbittorrent/tools/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./qbtools.secret.sops.yaml - - ./helmrelease.yaml diff --git a/.archive/kubernetes/qbittorrent/tools/qbtools.secret.sops.yaml b/.archive/kubernetes/qbittorrent/tools/qbtools.secret.sops.yaml deleted file mode 100644 index ea848a7d..00000000 --- a/.archive/kubernetes/qbittorrent/tools/qbtools.secret.sops.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: qbtools-secret -stringData: - config.yaml: ENC[AES256_GCM,data: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,iv:FszW51oSi/iKN1cquyhF+HwStHgpgmioyopdJriuiOw=,tag:GYaRuyCgXuGVWyxShyH39Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UzFWbHB0bVlGQXV4dEVt - ZUxrcnZ1MlFOY2o2eTl0cDV3T3BKdmNMUXg0CmcyejMzV1loSUNIMEw0K09yc3Ax - NGZOTE1tamV2a05kZm9lNkpoeG9OWm8KLS0tIEVVM01nSjhQYzBOZ0MrY2JpODRz - MGNWSGJmaXdkbUJDOHpCRk9YWUZVSm8KGGHivrtQfHayo6BGbH+Tch3fzVlFNU3s - lLec6VZauGjIXifXBLC5e65SrSO/nZS4xsurrZovOLn3DpeDQu/4+Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-15T17:21:52Z" - mac: ENC[AES256_GCM,data:V+K/2CEFommRZ7kkJlUSjOIMQL8c3OtnJnPT7heHpkGUm/XJ8JFAhqHc5G6D6bjN6vsXcr7X7b9Tm6OBNPHBCJIekBahySUThHc6IxhQrNVTMu2lNOS9B7+VwZN2oezmEwbpY+5dT+3angWiBy2k5XW/7hmVlz1mQX8tJBTUHOM=,iv:LorlvJFs067H6FI/UPvIgRi9xTReOTfv13IdInFhcAU=,tag:72TTcNC6Fh3SiWlJa2xgzg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.8.1 diff --git a/.archive/kubernetes/rook-ceph/rook-ceph/app/rook-ceph-dashboard-password.secret.sops.yaml b/.archive/kubernetes/rook-ceph/rook-ceph/app/rook-ceph-dashboard-password.secret.sops.yaml deleted file mode 100644 index 78c545de..00000000 --- a/.archive/kubernetes/rook-ceph/rook-ceph/app/rook-ceph-dashboard-password.secret.sops.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: rook-ceph-dashboard-password -stringData: - password: ENC[AES256_GCM,data:WWTt7SN6ssndLahsOA1gujEeGAM=,iv:YbHGNN+11wA/MLq9vFVM6v4mhPO58JmwXBDj0Qs7+Wk=,tag:5Xn0tqpiIiEt8ZWZHRTM3w==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzb2ZpaDd0azNHNTJoUTB6 - VVpKbm94ZEprSHplb2UrQnkzTzdGUEFjcGxBCnhxR1BwNmFIOExtMW5GRkVJWTl5 - blQzSmZ0Tm5CWTk3N25nUUM0dFpKUTQKLS0tIEgwSHNlVXNRdHZvcE10VzExU0hE - L0dGK1lFd0ZSQ0lTcEdMNTBkSDJ6WWsKQuiJmRSLbvmgenlu4F2/CQYCCbZTtS/K - nz7NsY2om+mWMvPSvLAp1pOHDAdFW79ggQAiCyslDi9iOkaD8MOnxQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-16T23:22:39Z" - mac: ENC[AES256_GCM,data:djsWoz/MuUhEKsM03+iaGV/dZUjRAGkiBEz4hROi+rfNWeHLJG2/xXPSKYYgT3h7JOZGh2Gnz7NXiB7TuixlWrAfT2BUBzd+2o9/hzg3xQzLAjApSfZdyap6oafatKxZAR/JHBSw7s0saVNnop9d/DZK4c1Fb1qNKoTrnWqqrF8=,iv:oitjHdZl07CaoBtNtX/sOPLHu7AS/R4YE4TKBJKrUBw=,tag:Br8mBH+mATEwsLzSZmoVYg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.8.1 diff --git a/.archive/kubernetes/rook-ceph/rook-ceph/cluster/kustomization.yaml b/.archive/kubernetes/rook-ceph/rook-ceph/cluster/kustomization.yaml deleted file mode 100644 index 17cbc72b..00000000 --- a/.archive/kubernetes/rook-ceph/rook-ceph/cluster/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml diff --git a/.forgejo/workflows/schemas.yaml b/.forgejo/workflows/schemas.yaml deleted file mode 100644 index c36e9a0d..00000000 --- a/.forgejo/workflows/schemas.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json -name: "Schemas" - -on: - workflow_dispatch: - schedule: - - cron: "0 0 * * *" # Every day at midnight - push: - branches: ["main"] - paths: [".forgejo/workflows/schemas.yaml"] - -jobs: - publish: - name: Schemas - runs-on: ["ubuntu-x86_64"] - permissions: - contents: read - packages: write - steps: - - name: Checkout - uses: https://github.com/actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Setup Workflow Tools - shell: bash - run: | - curl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl" - chmod +x kubectl - mv kubectl /usr/local/bin/ - - curl -LO "https://dl.min.io/client/mc/release/linux-amd64/mc" - chmod +x mc - mv mc /usr/local/bin/ - - - name: Setup Python - run: | - apt-get update - apt-get install -y python3 python3-pip python3-yaml - pip3 install --upgrade pip - - - name: Write kubeconfig - id: kubeconfig - uses: https://github.com/timheuer/base64-to-file@v1 - with: - encodedString: "${{ secrets.KUBECONFIG }}" - fileName: kubeconfig - fileDir: ${{ env.GITHUB_WORKSPACE }} - - name: Write mc - id: mcconfig - uses: https://github.com/timheuer/base64-to-file@v1 - with: - encodedString: "${{ secrets.MCCONFIG }}" - fileName: config.json - fileDir: $HOME/.mc - - - name: Extracting CRDs to yaml and converting to JSON schema - env: - KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}" - run: | - # kubeconfig - echo "kubeconfig location: $KUBECONFIG" - # Create temp folder for CRDs - TMP_CRD_DIR=$(mktemp -d) - echo "Temp directory: $TMP_CRD_DIR" - - # Create final schemas directory - SCHEMAS_DIR=$GITHUB_WORKSPACE/crdSchemas - mkdir -p $SCHEMAS_DIR - echo "Schemas directory: $SCHEMAS_DIR" - - # Create array to store CRD kinds and groups - ORGANIZE_BY_GROUP=true - declare -A CRD_GROUPS 2>/dev/null - if [ $? 
-ne 0 ]; then - # Array creation failed, signal to skip organization by group - ORGANIZE_BY_GROUP=false - fi - - # Extract CRDs from cluster - NUM_OF_CRDS=0 - while read -r crd - do - filename=${crd%% *} - kubectl get crds "$filename" -o yaml > "$TMP_CRD_DIR/$filename.yaml" 2>&1 - echo "Extracted CRD: $filename" - - resourceKind=$(grep "kind:" "$TMP_CRD_DIR/$filename.yaml" | awk 'NR==2{print $2}' | tr '[:upper:]' '[:lower:]') - resourceGroup=$(grep "group:" "$TMP_CRD_DIR/$filename.yaml" | awk 'NR==1{print $2}') - - # Save name and group for later directory organization - CRD_GROUPS["$resourceKind"]="$resourceGroup" - - let ++NUM_OF_CRDS - done < <(kubectl get crds 2>&1 | sed -n '/NAME/,$p' | tail -n +2) - echo numCRDs: $NUM_OF_CRDS - - # Download converter script - curl https://raw.githubusercontent.com/yannh/kubeconform/master/scripts/openapi2jsonschema.py --output $TMP_CRD_DIR/openapi2jsonschema.py 2>/dev/null - - # Convert crds to jsonSchema - cd $SCHEMAS_DIR - python3 $TMP_CRD_DIR/openapi2jsonschema.py $TMP_CRD_DIR/*.yaml - conversionResult=$? - - # Copy and rename files to support kubeval - rm -rf $SCHEMAS_DIR/master-standalone - mkdir -p $SCHEMAS_DIR/master-standalone - cp $SCHEMAS_DIR/*.json $SCHEMAS_DIR/master-standalone - find $SCHEMAS_DIR/master-standalone -name '*json' -exec bash -c ' mv -f $0 ${0/\_/-stable-}' {} \; - - # Organize schemas by group - if [ $ORGANIZE_BY_GROUP == true ]; then - for schema in $SCHEMAS_DIR/*.json - do - crdFileName=$(basename $schema .json) - crdKind=${crdFileName%%_*} - crdGroup=${CRD_GROUPS[$crdKind]} - if [ -z $crdGroup ]; then - crdGroup="uncategorized" - echo "CRD kind $crdKind has no group, moving to $crdGroup" - fi - echo making directory $crdGroup - mkdir -p $crdGroup - mv $schema ./$crdGroup - done - fi - - rm -rf $TMP_CRD_DIR - - - name: Deploy to Cloudflare R2 - shell: bash - run: | - mc cp --recursive $GITHUB_WORKSPACE/crdSchemas/ r2-ks/kubernetes-schema 
diff --git a/.gitignore b/.gitignore index 04f00eae..d47b9fcd 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,3 @@ kubeconfig* omniconfig.yaml config.xml .idea/ -.env -.secrets -.github diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 28d5065e..e94be5e0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -9,7 +9,7 @@ exclude: | repos: - repo: https://github.com/adrienverge/yamllint - rev: v1.35.1 + rev: v1.33.0 hooks: - id: yamllint args: @@ -17,7 +17,7 @@ repos: - ".yamllint.yaml" - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v4.5.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer @@ -29,7 +29,7 @@ repos: - id: check-executables-have-shebangs - repo: https://github.com/Lucas-C/pre-commit-hooks - rev: v1.5.5 + rev: v1.5.4 hooks: - id: forbid-crlf - id: forbid-tabs diff --git a/.renovate/autoMerge.json5 b/.renovate/autoMerge.json5 index 155a148b..6afcfd08 100644 --- a/.renovate/autoMerge.json5 +++ b/.renovate/autoMerge.json5 @@ -19,4 +19,4 @@ "ignoreTests": false } ] -} \ No newline at end of file +} diff --git a/.sops.yaml b/.sops.yaml index cf1f0f9c..09afbeb2 100644 --- a/.sops.yaml +++ b/.sops.yaml 
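Review bot: Dropping `.env` and `.secrets` from `.gitignore` removes the only safeguard this file provided against committing local credential files under those names, and nothing else in the diff shows a replacement such as a pre-commit hook that blocks them. If the intent was only to stop ignoring `.github`, the other two lines should stay; if those files are genuinely no longer used, a one-line comment next to the remaining entries, e.g. `# local .env/.secrets files are no longer used; secrets are managed via SOPS`, would record the decision for the next reader. The rest of `.gitignore` is outside the hunk.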
@@ -5,20 +5,20 @@ creation_rules: input_type: yaml encrypted_regex: ^(token|crt|key|id|secret|secretboxencryptionsecret|ca|bootstraptoken)$ age: >- - age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 + age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn - path_regex: kubernetes/.*/talos/.*\.sops\.ya?ml$ age: >- - age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 + age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn - path_regex: kubernetes/.*\.sops\.ya?ml encrypted_regex: "^(data|stringData)$" # Homelab age: >- - age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 + age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn - path_regex: .*\.sops\.(env|ini|json|toml) # Homelab age: >- - age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 + age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn - path_regex: (ansible|terraform|talos)/.*\.sops\.ya?ml # Homelab age: >- - age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 + age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn diff --git a/.taskfiles/act/Taskfile.yaml b/.taskfiles/act/Taskfile.yaml deleted file mode 100644 index c48e22f1..00000000 --- a/.taskfiles/act/Taskfile.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -version: "3" - -tasks: - run: - desc: Run ACT with custom image - cmds: - - act -P ubuntu-x86_64=catthehacker/ubuntu:act-latest diff --git a/.taskfiles/talos/Taskfile.yaml b/.taskfiles/talos/Taskfile.yaml index ff2577bf..77bb10a2 100644 --- a/.taskfiles/talos/Taskfile.yaml +++ b/.taskfiles/talos/Taskfile.yaml 
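Review bot: Swapping the `age` recipient in every creation rule only affects files encrypted from now on; every existing `*.sops.*` file under the matched paths stays encrypted to the old recipient `age1eqlaq205…` until it is re-encrypted, and nothing in this chunk shows those files being updated. Run `sops updatekeys` over the matched files in the same change (the old private key must still be available to do that) and keep it until the re-encryption is verified; if the old key is being retired because it may have been exposed, re-encryption alone is not enough and the underlying secret values should be rotated too. A one-line comment above the first rule recording which key is current and why it changed would help the next reader.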
@@ -7,13 +7,13 @@ tasks: desc: Bootstrap Talos summary: | Args: - cluster: Cluster to run command against (default: homelab) + cluster: Cluster to run command against (default: theshire) controller: Controller node to run command against (required) (IP/DNS) prompt: Bootstrap Talos on the cluster... continue? cmds: - task: bootstrap-etcd vars: &vars - cluster: '{{.cluster | default "homelab"}}' + cluster: '{{.cluster | default "theshire"}}' controller: "{{.controller}}" - task: fetch-kubeconfig vars: *vars @@ -93,7 +93,7 @@ tasks: --env-file {{.KUBERNETES_DIR}}/bootstrap/talos/talenv.sops.yaml \ --config-file {{.KUBERNETES_DIR}}/bootstrap/talos/talconfig.yaml cmds: - - talosctl --context {{.cluster}} upgrade -n {{.node}} --image {{.TALOS_IMAGE }} --preserve # single node talos cluster needs to be preserved + - talosctl --context {{.cluster}} upgrade -n {{.node}} --image {{.TALOS_IMAGE }} requires: vars: - cluster @@ -114,7 +114,7 @@ tasks: yq -r ".kubernetesVersion" {{.KUBERNETES_DIR}}/bootstrap/talos/talconfig.yaml CONTROLPLANE_NODE: sh: | - talosctl --context homelab config info \ + talosctl --context theshire config info \ | grep Endpoints: \ | awk '{split($0,u," "); print u[2]}' \ | sed -E 's/,//' @@ -163,6 +163,7 @@ tasks: --nodes "{{.hostname}}" --file "{{.KUBERNETES_DIR}}/bootstrap/talos/clusterconfig/{{.filename}}" {{ if eq "true" .dry_run }}--dry-run{{ end }} + #--insecure requires: vars: - cluster diff --git a/.taskfiles/volsync/Taskfile.yaml b/.taskfiles/volsync/Taskfile.yaml index 776d5f23..aff33358 100644 --- a/.taskfiles/volsync/Taskfile.yaml +++ b/.taskfiles/volsync/Taskfile.yaml 
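Review bot: The `@@ -93` hunk removes `--preserve` from the `talosctl upgrade` command together with the comment that explained why it was there, but nothing records that the cluster is no longer single-node, so a later reader cannot tell whether the flag was dropped deliberately. On Talos versions where an upgrade wipes the node's EPHEMERAL partition unless `--preserve` is passed, this is only safe when etcd and workload data are replicated on other nodes, and the same task serves any `{{.node}}`; a comment such as `# --preserve intentionally omitted: multi-node cluster, ephemeral data is replicated elsewhere` (or a `preserve` var defaulting to false) would make the intent explicit. The enclosing task starts outside the hunk.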
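Review bot: The `@@ -163` hunk adds a commented-out `#--insecure` line inside the `cmd` block; as a shell comment it is inert today, but it documents a quick edit that would turn the talosctl invocation into an unauthenticated, TLS-unverified connection for every node the task is run against. If maintenance-mode access is genuinely needed, gate it the same way `dry_run` already is, e.g. `{{ if eq "true" .insecure }}--insecure{{ end }}`, so the unsafe mode is an explicit per-invocation opt-in rather than an uncommented line; otherwise delete it. The enclosing task starts outside the hunk.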
@@ -22,38 +22,35 @@ vars: VOLSYNC_RESOURCES_DIR: "{{.ROOT_DIR}}/.taskfiles/volsync/resources" tasks: - state-*: desc: Suspend or Resume Volsync summary: | - cluster: Cluster to run command against (required) state: resume or suspend (required) + dotenv: ['{{.VOLSYNC_RESOURCES_DIR}}/.env'] cmds: - - flux --context {{.cluster}} {{.state}} kustomization volsync - - flux --context {{.cluster}} -n {{.ns}} {{.state}} helmrelease volsync - - kubectl --context {{.cluster}} -n {{.ns}} scale deployment volsync --replicas {{if eq "suspend" .state}}0{{else}}1{{end}} + - flux --context $CLUSTER {{.state}} kustomization volsync + - flux --context $CLUSTER -n {{.ns}} {{.state}} helmrelease volsync + - kubectl --context $CLUSTER -n {{.ns}} scale deployment volsync --replicas {{if eq "suspend" .state}}0{{else}}1{{end}} env: *env-vars vars: ns: '{{.ns | default "volsync-system"}}' state: '{{index .MATCH 0}}' - requires: - vars: ["cluster"] list: desc: List snapshots for an application summary: | - cluster: Cluster to run command against (required) ns: Namespace the PVC is in (default: default) app: Application to list snapshots for (required) + dotenv: ['{{.VOLSYNC_RESOURCES_DIR}}/.env'] cmds: - - /etc/profiles/per-user/jahanson/bin/envsubst < <(cat {{.VOLSYNC_RESOURCES_DIR}}/list.tmpl.yaml) | kubectl --context {{.cluster}} apply -f - - - bash {{.VOLSYNC_RESOURCES_DIR}}/wait-for-job.sh {{.job}} {{.ns}} {{.cluster}} - - kubectl --context {{.cluster}} -n {{.ns}} wait job/{{.job}} --for condition=complete --timeout=1m - - kubectl --context {{.cluster}} -n {{.ns}} logs job/{{.job}} --container main - - kubectl --context {{.cluster}} -n {{.ns}} delete job {{.job}} + - /etc/profiles/per-user/jahanson/bin/envsubst < <(cat {{.VOLSYNC_RESOURCES_DIR}}/list.tmpl.yaml) | kubectl --context $CLUSTER apply -f - + - bash {{.VOLSYNC_RESOURCES_DIR}}/wait-for-job.sh {{.job}} {{.ns}} $CLUSTER + - kubectl --context $CLUSTER -n {{.ns}} wait job/{{.job}} --for condition=complete --timeout=1m + - kubectl 
--context $CLUSTER -n {{.ns}} logs job/{{.job}} --container main + - kubectl --context $CLUSTER -n {{.ns}} delete job {{.job}} env: *env-vars requires: - vars: ["cluster", "app"] + vars: ["app"] vars: ns: '{{.ns | default "default"}}' job: volsync-list-{{.app}} @@ -66,19 +63,19 @@ tasks: unlock: desc: Unlock a Restic repository for an application summary: | - cluster: Cluster to run command against (required) ns: Namespace the PVC is in (default: default) app: Application to unlock (required) + dotenv: ['{{.VOLSYNC_RESOURCES_DIR}}/.env'] cmds: - - /etc/profiles/per-user/jahanson/bin/envsubst < <(cat {{.VOLSYNC_RESOURCES_DIR}}/unlock.tmpl.yaml) | kubectl --context {{.cluster}} apply -f - - - bash {{.VOLSYNC_RESOURCES_DIR}}/wait-for-job.sh {{.job}} {{.ns}} {{.cluster}} - - kubectl --context {{.cluster}} -n {{.ns}} wait job/{{.job}} --for condition=complete --timeout=1m - - kubectl --context {{.cluster}} -n {{.ns}} logs job/{{.job}} --container minio - - kubectl --context {{.cluster}} -n {{.ns}} logs job/{{.job}} --container r2 - - kubectl --context {{.cluster}} -n {{.ns}} delete job {{.job}} + - /etc/profiles/per-user/jahanson/bin/envsubst < <(cat {{.VOLSYNC_RESOURCES_DIR}}/unlock.tmpl.yaml) | kubectl --context $CLUSTER apply -f - + - bash {{.VOLSYNC_RESOURCES_DIR}}/wait-for-job.sh {{.job}} {{.ns}} $CLUSTER + - kubectl --context $CLUSTER -n {{.ns}} wait job/{{.job}} --for condition=complete --timeout=1m + - kubectl --context $CLUSTER -n {{.ns}} logs job/{{.job}} --container minio + - kubectl --context $CLUSTER -n {{.ns}} logs job/{{.job}} --container r2 + - kubectl --context $CLUSTER -n {{.ns}} delete job {{.job}} env: *env-vars requires: - vars: ["cluster", "app"] + vars: ["app"] vars: ns: '{{.ns | default "default"}}' job: volsync-unlock-{{.app}} diff --git a/.taskfiles/volsync/resources/.env b/.taskfiles/volsync/resources/.env new file mode 100644 index 00000000..21bfcc52 --- /dev/null +++ b/.taskfiles/volsync/resources/.env @@ -0,0 +1 @@ +CLUSTER=theshire 
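Review bot: The `requires: vars: ["cluster"]` guard is dropped in favour of `$CLUSTER` from the dotenv file, but nothing verifies that the variable is actually set: with `CLUSTER` empty or the `.env` missing, the unquoted `$CLUSTER` disappears from the argument list, so `--context` swallows the next word (`-n`, `suspend`, `apply`) and the `flux`/`kubectl` calls fail with a misleading unknown-context error, while `wait-for-job.sh` is simply invoked without its third argument and silently uses its own built-in default. The `@@ -66` hunk (`unlock`) has the same shape. A precondition in each of the three tasks should restore the earlier fail-fast behaviour, e.g. `preconditions: - { msg: "CLUSTER is not set (see resources/.env)", sh: 'test -n "$CLUSTER"' }`, assuming dotenv values are visible to the precondition shell; quoting the expansion as `--context "$CLUSTER"` is also worth doing so an empty value fails on the context lookup rather than on argument parsing.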
diff --git a/.taskfiles/volsync/resources/list.tmpl.yaml b/.taskfiles/volsync/resources/list.tmpl.yaml index a5b08eba..e1bbc1a3 100644 --- a/.taskfiles/volsync/resources/list.tmpl.yaml +++ b/.taskfiles/volsync/resources/list.tmpl.yaml @@ -16,5 +16,5 @@ spec: args: ["snapshots"] envFrom: - secretRef: - name: ${app}-volsync-secret + name: ${app}-volsync-r2-secret resources: {} diff --git a/.taskfiles/volsync/resources/replicationdestination.tmpl.yaml b/.taskfiles/volsync/resources/replicationdestination.tmpl.yaml index 082ac9e6..b560e7e3 100644 --- a/.taskfiles/volsync/resources/replicationdestination.tmpl.yaml +++ b/.taskfiles/volsync/resources/replicationdestination.tmpl.yaml @@ -8,10 +8,10 @@ spec: trigger: manual: restore-once restic: - repository: ${app}-volsync-secret + repository: ${app}-volsync-r2-secret destinationPVC: ${claim} copyMethod: Direct - storageClassName: openebs-hostpath + storageClassName: ceph-block # storageClassName: ceph-filesystem # accessModes: ["ReadWriteMany"] # IMPORTANT NOTE: diff --git a/.taskfiles/volsync/resources/wait-for-job.sh b/.taskfiles/volsync/resources/wait-for-job.sh index aaf6d17c..ab6bafc1 100755 --- a/.taskfiles/volsync/resources/wait-for-job.sh +++ b/.taskfiles/volsync/resources/wait-for-job.sh @@ -2,7 +2,7 @@ JOB=$1 NAMESPACE="${2:-default}" -CLUSTER="${3:-homelab}" +CLUSTER="${3:-main}" [[ -z "${JOB}" ]] && echo "Job name not specified" && exit 1 while true; do diff --git a/.vscode/settings.json b/.vscode/settings.json index fc139670..67d6e322 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,6 +1,10 @@ { + "ansible.validation.lint.arguments": "-c .ansible-lint", "files.associations": { "*.json5": "jsonc", + "**/ansible/**/*.yaml": "ansible", + "**/ansible/**/*.sops.yaml": "yaml", + "**/ansible/**/inventory/**/*.yaml": "yaml", "**/kubernetes/**/*.sops.toml": "plaintext" }, "material-icon-theme.folders.associations": { 
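Review bot: The new fallback `CLUSTER="${3:-main}"` names a context that appears nowhere else in this chunk, which otherwise renames everything from `homelab` to `theshire`, so the default either matches nothing (a harmless failure) or a context called `main` in some other kubeconfig (the wrong cluster). Since every caller now passes `$CLUSTER` explicitly, the safer change is to make the argument mandatory the way `JOB` already is: `CLUSTER="${3}"` followed by `[[ -z "${CLUSTER}" ]] && echo "Cluster context not specified" && exit 1`. If a default is really wanted, `theshire` would at least be consistent with the rest of the change.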
@@ -20,6 +24,7 @@ }, "yaml.schemaStore.enable": true, "yaml.schemas": { + "ansible": "ansible/**/*.yaml", "kubernetes": "kubernetes/**/*.yaml" }, "editor.fontFamily": "FiraCode Nerd Font", @@ -35,5 +40,7 @@ ], "explorer.autoReveal": false, "files.trimTrailingWhitespace": true, + "ansible.python.interpreterPath": "/usr/bin/python3", "sops.defaults.ageKeyFile": "age.key", + "ansible.validation.lint.path": "~/projects/valinor/.venv/bin/ansible-lint" } diff --git a/README.md b/README.md index 3639bcbb..628b44f5 100644 --- a/README.md +++ b/README.md @@ -1 +1,4 @@ -Kubernetes with talos @ Home +Talos & 6x Dell USFF nodes with 2 Beefy VM works with GPUs. + + +Fancier README to come! :) diff --git a/Taskfile.yaml b/Taskfile.yaml index 3ad3e1e2..3bb0a73c 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -18,7 +18,6 @@ includes: k8s: .taskfiles/k8s flux: .taskfiles/flux talos: .taskfiles/talos - act: .taskfiles/act tasks: default: diff --git a/kubernetes/apps/ai/kustomization.yaml b/kubernetes/apps/ai/kustomization.yaml deleted file mode 100644 index 02c7ad91..00000000 --- a/kubernetes/apps/ai/kustomization.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Pre Flux-Kustomizations - - ./namespace.yaml - # Flux-Kustomizations - - ./ollama/ks.yaml - - ./open-webui/ks.yaml - - ./stable-diffusion/ks.yaml diff --git a/kubernetes/apps/ai/namespace.yaml b/kubernetes/apps/ai/namespace.yaml deleted file mode 100644 index 08e0c552..00000000 --- a/kubernetes/apps/ai/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: ai - labels: - kustomize.toolkit.fluxcd.io/prune: disabled - volsync.backube/privileged-movers: "true" diff --git a/kubernetes/apps/ai/ollama/app/helmrelease.yaml b/kubernetes/apps/ai/ollama/app/helmrelease.yaml deleted file mode 100644 index b1121935..00000000 
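Review bot: `ansible.validation.lint.path` is set to `~/projects/valinor/.venv/bin/ansible-lint`, a path specific to one user's checkout, in a workspace settings file shared by everyone who opens the repository; the `valinor` directory name also matches nothing else in this change. If the extension expands VS Code variables, `"${workspaceFolder}/.venv/bin/ansible-lint"` keeps the same behaviour here and works for other clones; otherwise the setting belongs in user settings rather than `.vscode/settings.json`. Pointing `ansible.python.interpreterPath` at `/usr/bin/python3` while lint runs from a venv may also make module resolution differ between the linter and the language server, so both are better aimed at the same interpreter.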
--- a/kubernetes/apps/ai/ollama/app/helmrelease.yaml +++ /dev/null @@ -1,88 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app ollama -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - ollama: - annotations: - reloader.stakater.com/auto: "true" - pod: - nodeSelector: - nvidia.com/gpu.present: "true" - runtimeClassName: nvidia - containers: - app: - image: - repository: docker.io/ollama/ollama - tag: 0.3.8 - env: - - name: OLLAMA_HOST - value: 0.0.0.0 - - name: OLLAMA_ORIGINS - value: "*" - - name: OLLAMA_MODELS - value: &modelPath "/models" - - name: OLLAMA_KEEP_ALIVE - value: "24h" - resources: - requests: - nvidia.com/gpu: 1 # requesting 1 GPU - cpu: 500m - memory: 2Gi - limits: - memory: 16Gi - nvidia.com/gpu: 1 # requesting 1 GPU - service: - app: - controller: ollama - ports: - http: - port: 11434 - ingress: - app: - enabled: true - className: internal-nginx - hosts: - - host: &host "{{ .Release.Name }}.jahanson.tech" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host - persistence: - models: - enabled: true - existingClaim: ollama-models - advancedMounts: - ollama: - app: - - path: *modelPath - config: - enabled: true - existingClaim: ollama - globalMounts: - - path: /root/.ollama diff --git a/kubernetes/apps/ai/ollama/app/kustomization.yaml b/kubernetes/apps/ai/ollama/app/kustomization.yaml deleted file mode 100644 index 5ca502cf..00000000 --- a/kubernetes/apps/ai/ollama/app/kustomization.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./pvc.yaml - - ../../../../templates/volsync diff --git a/kubernetes/apps/ai/ollama/app/pvc.yaml b/kubernetes/apps/ai/ollama/app/pvc.yaml deleted file mode 100644 index 6b2734e2..00000000 --- a/kubernetes/apps/ai/ollama/app/pvc.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: ollama-models -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 500Gi - storageClassName: openebs-hostpath diff --git a/kubernetes/apps/ai/ollama/ks.yaml b/kubernetes/apps/ai/ollama/ks.yaml deleted file mode 100644 index b9050e9c..00000000 --- a/kubernetes/apps/ai/ollama/ks.yaml +++ /dev/null @@ -1,32 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app ollama - namespace: flux-system -spec: - targetNamespace: ai - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: nvidia-device-plugin - - name: node-feature-discovery - - name: volsync - - name: openebs - path: ./kubernetes/apps/ai/ollama/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app - VOLSYNC_CAPACITY: 1Gi - VOLSYNC_STORAGECLASS: openebs-zfs - VOLSYNC_SNAPSHOTCLASS: openebs-zfs diff --git a/kubernetes/apps/ai/open-webui/app/helmrelease.yaml b/kubernetes/apps/ai/open-webui/app/helmrelease.yaml deleted file mode 100644 index ab961cd5..00000000 --- a/kubernetes/apps/ai/open-webui/app/helmrelease.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app open-webui -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - dependsOn: - - name: ollama - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - open-webui: - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: ghcr.io/open-webui/open-webui - tag: v0.3.16 - env: - - name: OLLAMA_BASE_URL - value: http://ollama.ai.svc.cluster.local:11434 - - name: ENABLE_RAG_WEB_SEARCH - value: true - - name: RAG_WEB_SEARCH_ENGINE - value: searxng - - name: SEARXNG_QUERY_URL - value: http://searxng.default.svc.cluster.local:8080/search?q= - resources: - requests: - cpu: 500m - memory: 2Gi - limits: - memory: 2Gi - service: - app: - controller: open-webui - ports: - http: - port: 8080 - ingress: - app: - enabled: true - className: internal-nginx - hosts: - - host: &host "chat.jahanson.tech" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host - persistence: - config: - enabled: true - existingClaim: *app - globalMounts: - - path: /app/backend/data diff --git a/kubernetes/apps/ai/open-webui/app/kustomization.yaml b/kubernetes/apps/ai/open-webui/app/kustomization.yaml deleted file mode 100644 index 82c34407..00000000 --- a/kubernetes/apps/ai/open-webui/app/kustomization.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ../../../../templates/volsync - - ../../../../templates/gatus/internal diff --git a/kubernetes/apps/ai/open-webui/ks.yaml b/kubernetes/apps/ai/open-webui/ks.yaml deleted file mode 100644 index bb4633d2..00000000 --- a/kubernetes/apps/ai/open-webui/ks.yaml +++ /dev/null @@ -1,31 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app open-webui - namespace: flux-system -spec: - targetNamespace: ai - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: volsync - - name: ollama - path: ./kubernetes/apps/ai/open-webui/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app - VOLSYNC_CAPACITY: 5Gi - VOLSYNC_STORAGECLASS: openebs-zfs - VOLSYNC_SNAPSHOTCLASS: openebs-zfs - GATUS_SUBDOMAIN: chat diff --git a/kubernetes/apps/ai/stable-diffusion/comfyui/helmrelease.yaml b/kubernetes/apps/ai/stable-diffusion/comfyui/helmrelease.yaml deleted file mode 100644 index edb02c33..00000000 --- a/kubernetes/apps/ai/stable-diffusion/comfyui/helmrelease.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app comfyui -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - comfyui: - annotations: - reloader.stakater.com/auto: "true" - pod: - nodeSelector: - nvidia.com/gpu.present: "true" - runtimeClassName: nvidia - containers: - app: - image: - repository: docker.io/jahanson/comfyui - tag: v0.0.1 - resources: - requests: - nvidia.com/gpu: 1 # requesting 1 GPU - cpu: 500m - memory: 2Gi - limits: - memory: 60Gi - nvidia.com/gpu: 1 # requesting 1 GPU - service: - app: - controller: comfyui - ports: - http: - port: 7860 - ingress: - app: - enabled: true - className: internal-nginx - hosts: - - host: &host "{{ .Release.Name }}.jahanson.tech" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host - persistence: - models: - enabled: true - existingClaim: stablediffusion-checkpoints - globalMounts: - - path: /data/models - config: - enabled: true - existingClaim: comfyui - globalMounts: - - path: /data/config - output: - enabled: true - type: emptyDir - globalMounts: - - path: /output diff --git a/kubernetes/apps/ai/stable-diffusion/comfyui/kustomization.yaml b/kubernetes/apps/ai/stable-diffusion/comfyui/kustomization.yaml deleted file mode 100644 index 3783d728..00000000 --- a/kubernetes/apps/ai/stable-diffusion/comfyui/kustomization.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./pvc.yaml - - ../../../../templates/volsync - - ../../../../templates/gatus/internal diff --git a/kubernetes/apps/ai/stable-diffusion/comfyui/pvc.yaml b/kubernetes/apps/ai/stable-diffusion/comfyui/pvc.yaml deleted file mode 100644 index 7634d1cc..00000000 --- a/kubernetes/apps/ai/stable-diffusion/comfyui/pvc.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: stablediffusion-checkpoints -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 300Gi - storageClassName: openebs-hostpath diff --git a/kubernetes/apps/ai/stable-diffusion/ks.yaml b/kubernetes/apps/ai/stable-diffusion/ks.yaml deleted file mode 100644 index 02ebbf8d..00000000 --- a/kubernetes/apps/ai/stable-diffusion/ks.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app comfyui - namespace: flux-system -spec: - targetNamespace: ai - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: nvidia-device-plugin - - name: node-feature-discovery - - name: volsync - - name: openebs - path: ./kubernetes/apps/ai/stable-diffusion/comfyui - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app - VOLSYNC_CAPACITY: 5Gi - VOLSYNC_STORAGECLASS: openebs-zfs - VOLSYNC_SNAPSHOTCLASS: openebs-zfs - GATUS_SUBDOMAIN: comfyui diff --git a/kubernetes/apps/cdi/cdi/app/ingress.yaml b/kubernetes/apps/cdi/cdi/app/ingress.yaml deleted file mode 100644 index 1d16c9dd..00000000 --- a/kubernetes/apps/cdi/cdi/app/ingress.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cdi-uploadproxy - namespace: cdi -spec: - ingressClassName: internal-nginx - rules: - - host: &host "cdi.jahanson.tech" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: cdi-uploadproxy - port: - number: 443 - tls: - - hosts: - - *host diff --git a/kubernetes/apps/cdi/cdi/app/kustomization.yaml b/kubernetes/apps/cdi/cdi/app/kustomization.yaml deleted file mode 100644 index 796cff94..00000000 --- a/kubernetes/apps/cdi/cdi/app/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Flux-Kustomizations - - ./ingress.yaml - - ./sp-nfs-zfs-csi.yaml - - ./sp-openebs-hostpath.yaml - - ./sp-openebs-zfs.yaml diff --git a/kubernetes/apps/cdi/cdi/app/sp-nfs-zfs-csi.yaml b/kubernetes/apps/cdi/cdi/app/sp-nfs-zfs-csi.yaml deleted file mode 100644 index e0bc6a8b..00000000 --- a/kubernetes/apps/cdi/cdi/app/sp-nfs-zfs-csi.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/cdi.kubevirt.io/storageprofile_v1beta1.json -apiVersion: cdi.kubevirt.io/v1beta1 -kind: StorageProfile -metadata: - labels: - app: containerized-data-importer - app.kubernetes.io/component: storage - app.kubernetes.io/managed-by: cdi-controller - cdi.kubevirt.io: "" - name: zfs-generic-nfs-csi -spec: - claimPropertySets: - - accessModes: - - ReadWriteMany - - ReadWriteOnce - volumeMode: Filesystem -status: - cloneStrategy: snapshot - dataImportCronSourceFormat: pvc - provisioner: org.democratic-csi.nfs - snapshotClass: zfs-generic-nfs-csi - storageClass: zfs-generic-nfs-csi diff --git a/kubernetes/apps/cdi/cdi/app/sp-openebs-hostpath.yaml b/kubernetes/apps/cdi/cdi/app/sp-openebs-hostpath.yaml deleted file mode 100644 index 7dab98e3..00000000 
--- a/kubernetes/apps/cdi/cdi/app/sp-openebs-hostpath.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/cdi.kubevirt.io/storageprofile_v1beta1.json -apiVersion: cdi.kubevirt.io/v1beta1 -kind: StorageProfile -metadata: - labels: - app: containerized-data-importer - app.kubernetes.io/component: storage - app.kubernetes.io/managed-by: cdi-controller - cdi.kubevirt.io: "" - name: openebs-hostpath -spec: - claimPropertySets: - - accessModes: - - ReadWriteOnce - volumeMode: Filesystem -status: - claimPropertySets: - - accessModes: - - ReadWriteOnce - volumeMode: Block - cloneStrategy: copy - dataImportCronSourceFormat: pvc - provisioner: openebs.io/local - snapshotClass: openebs-hostpath - storageClass: openebs-hostpath diff --git a/kubernetes/apps/cdi/cdi/app/sp-openebs-zfs.yaml b/kubernetes/apps/cdi/cdi/app/sp-openebs-zfs.yaml deleted file mode 100644 index 5142093d..00000000 --- a/kubernetes/apps/cdi/cdi/app/sp-openebs-zfs.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/cdi.kubevirt.io/storageprofile_v1beta1.json -apiVersion: cdi.kubevirt.io/v1beta1 -kind: StorageProfile -metadata: - labels: - app: containerized-data-importer - app.kubernetes.io/component: storage - app.kubernetes.io/managed-by: cdi-controller - cdi.kubevirt.io: "" - name: openebs-zfs -spec: - claimPropertySets: - - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - snapshotClass: openebs-zfs -status: - claimPropertySets: - - accessModes: - - ReadWriteOnce - volumeMode: Block - cloneStrategy: clone - dataImportCronSourceFormat: pvc - provisioner: openebs.io/local - snapshotClass: openebs-zfs - storageClass: openebs-zfs diff --git a/kubernetes/apps/cdi/cdi/ks.yaml b/kubernetes/apps/cdi/cdi/ks.yaml deleted file mode 100644 index d4965fb3..00000000 --- a/kubernetes/apps/cdi/cdi/ks.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app kubevirt-cdi - namespace: flux-system -spec: - targetNamespace: cdi - dependsOn: - - name: kubevirt - - name: openebs - path: ./deploy - prune: true - sourceRef: - kind: GitRepository - name: kubevirt-cdi - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m - patches: - - patch: | - $patch: delete - apiVersion: v1 - kind: Namespace - metadata: - name: cdi - target: - kind: Namespace - name: cdi - - patch: | - apiVersion: cdi.kubevirt.io/v1beta1 - kind: CDI - metadata: - name: not-used - spec: - cloneStrategyOverride: copy - config: - featureGates: - - HonorWaitForFirstConsumer - customizeComponents: {} - imagePullPolicy: IfNotPresent - infra: - nodeSelector: - kubernetes.io/os: linux - tolerations: - - key: CriticalAddonsOnly - operator: Exists - workload: - nodeSelector: - kubernetes.io/os: linux - target: - group: cdi.kubevirt.io - kind: CDI ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app kubevirt-cdi-addl - namespace: flux-system -spec: - targetNamespace: cdi - dependsOn: - - name: kubevirt-cdi - interval: 10m - path: "./kubernetes/apps/cdi/cdi/app/" - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false diff --git a/kubernetes/apps/cdi/kustomization.yaml b/kubernetes/apps/cdi/kustomization.yaml deleted file mode 100644 index 7bc6941d..00000000 --- a/kubernetes/apps/cdi/kustomization.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Pre Flux-Kustomizations - - ./namespace.yaml - # Flux-Kustomizations - - ./cdi/ks.yaml diff --git a/kubernetes/apps/cdi/namespace.yaml b/kubernetes/apps/cdi/namespace.yaml deleted file mode 100644 index 867f2410..00000000 --- a/kubernetes/apps/cdi/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: cdi - labels: - kustomize.toolkit.fluxcd.io/prune: disabled - volsync.backube/privileged-movers: "true" - cdi.kubevirt.io: "" diff --git a/kubernetes/apps/cert-manager/cert-manager/ks.yaml b/kubernetes/apps/cert-manager/cert-manager/ks.yaml index d12c873a..f624b919 100644 --- a/kubernetes/apps/cert-manager/cert-manager/ks.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/ks.yaml @@ -11,7 +11,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true --- # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json @@ -26,7 +26,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: false dependsOn: - name: cert-manager diff --git a/kubernetes/apps/cert-manager/namespace.yaml b/kubernetes/apps/cert-manager/namespace.yaml index 0093891c..ed788350 100644 --- a/kubernetes/apps/cert-manager/namespace.yaml +++ b/kubernetes/apps/cert-manager/namespace.yaml @@ -5,4 +5,3 @@ metadata: name: cert-manager labels: kustomize.toolkit.fluxcd.io/prune: disabled - volsync.backube/privileged-movers: "true" diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/apiservice.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/apiservice.yaml index 58ee2727..14459f3c 100644 --- a/kubernetes/apps/cert-manager/webhook-dnsimple/app/apiservice.yaml 
+++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/apiservice.yaml @@ -1,3 +1,4 @@ +--- apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: @@ -13,4 +14,4 @@ spec: service: name: webhook-dnsimple namespace: cert-manager - version: v1alpha1 \ No newline at end of file + version: v1alpha1 diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/helmrelease.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/helmrelease.yaml index fcb704f6..5616cbb0 100644 --- a/kubernetes/apps/cert-manager/webhook-dnsimple/app/helmrelease.yaml +++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/helmrelease.yaml @@ -67,4 +67,4 @@ spec: readOnly: true serviceAccount: create: true - name: webhook-dnsimple \ No newline at end of file + name: webhook-dnsimple diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/pki.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/pki.yaml index aef8fbe1..3b027361 100644 --- a/kubernetes/apps/cert-manager/webhook-dnsimple/app/pki.yaml +++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/pki.yaml @@ -57,6 +57,6 @@ spec: issuerRef: name: webhook-dnsimple-ca dnsNames: - - webhook-dnsimple - - webhook-dnsimple.cert-manager - - webhook-dnsimple.cert-manager.svc \ No newline at end of file + - webhook-dnsimple + - webhook-dnsimple.cert-manager + - webhook-dnsimple.cert-manager.svc diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml index a578ad34..3b00dc99 100644 --- a/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml +++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml @@ -10,9 +10,9 @@ rules: - apiGroups: - acme.hsn.dev resources: - - '*' + - "*" verbs: - - 'create' + - "create" --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -77,23 +77,23 @@ subjects: kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - namespace: "cert-manager" - name: webhook-dnsimple:access-secret + namespace: "cert-manager" + name: webhook-dnsimple:access-secret rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: webhook-dnsimple:access-secret - namespace: "cert-manager" -subjects: -- kind: ServiceAccount - name: webhook-dnsimple + name: webhook-dnsimple:access-secret namespace: "cert-manager" +subjects: + - kind: ServiceAccount + name: webhook-dnsimple + namespace: "cert-manager" roleRef: - kind: Role - name: webhook-dnsimple:access-secret - apiGroup: rbac.authorization.k8s.io + kind: Role + name: webhook-dnsimple:access-secret + apiGroup: rbac.authorization.k8s.io diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/ks.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/ks.yaml index ae4caf79..76249172 100644 --- a/kubernetes/apps/cert-manager/webhook-dnsimple/ks.yaml +++ b/kubernetes/apps/cert-manager/webhook-dnsimple/ks.yaml @@ -12,5 +12,5 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab - wait: true \ No newline at end of file + name: theshire + wait: true diff --git a/kubernetes/apps/ci-runners/forgejo/app/externalsecret.yaml b/kubernetes/apps/ci-runners/forgejo/app/externalsecret.yaml deleted file mode 100644 index dec40ab5..00000000 --- a/kubernetes/apps/ci-runners/forgejo/app/externalsecret.yaml +++ /dev/null 
@@ -1,22 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: forgejo-runner-secret
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: forgejo-runner-secret
- template:
- engineVersion: v2
- data:
- FORGEJO_INSTANCE_URL: "{{ .forgejo_instance_url }}"
- RUNNER_NAME: "{{ .runner_name }}"
- RUNNER_TOKEN: "{{ .runner_token }}"
-
- dataFrom:
- - extract:
- key: forgejo-runner
diff --git a/kubernetes/apps/ci-runners/forgejo/app/helmrelease.yaml b/kubernetes/apps/ci-runners/forgejo/app/helmrelease.yaml
deleted file mode 100644
index dabd8353..00000000
--- a/kubernetes/apps/ci-runners/forgejo/app/helmrelease.yaml
+++ /dev/null
@@ -1,103 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app forgejo-runner -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - forgejo-runner: - replicas: 2 - initContainers: - runner-register: - image: - repository: code.forgejo.org/forgejo/runner - tag: 3.5.1 - command: - - "forgejo-runner" - - "register" - - "--no-interactive" - - "--token" - - $(RUNNER_TOKEN) - - "--name" - - $(RUNNER_NAME) - - "--instance" - - $(FORGEJO_INSTANCE_URL) - - "--labels" - - "docker:docker://node:20-bullseye,x86_64:docker://node:20-bullseye,linux:docker://node:20-bullseye,pc:docker://node:20-bullseye,ubuntu-x86_64:docker://node:20-bullseye" - env: - - name: RUNNER_NAME - valueFrom: - secretKeyRef: - name: forgejo-runner-secret - key: RUNNER_NAME - - name: RUNNER_TOKEN - valueFrom: - secretKeyRef: - name: forgejo-runner-secret - key: RUNNER_TOKEN - - name: FORGEJO_INSTANCE_URL - valueFrom: - secretKeyRef: - name: forgejo-runner-secret - key: FORGEJO_INSTANCE_URL - containers: - daemon: - image: - repository: docker - tag: 27.2.0-dind - securityContext: - privileged: true - env: - - name: DOCKER_TLS_CERTDIR - value: /certs - app: - image: - repository: code.forgejo.org/forgejo/runner - tag: 3.5.1 - command: - - "sh" - - "-c" - - "while ! 
nc -z localhost 2376 - - sabnzbd, - sabnzbd.default, - sabnzbd.default.svc, - sabnzbd.default.svc.cluster, - sabnzbd.default.svc.cluster.local, - sabz.jahanson.tech, - sabnzbd.jahanson.tech - envFrom: - - secretRef: - name: sabnzbd-secret - probes: - liveness: &probes - enabled: true - custom: true - spec: - httpGet: - path: /api?mode=version - port: *port - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: *probes - startup: - enabled: false - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - resources: - requests: - cpu: 100m - limits: - memory: 16Gi - pod: - securityContext: - runAsUser: 568 - runAsGroup: 568 - runAsNonRoot: true - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - supplementalGroups: [10000] - service: - app: - controller: sabnzbd - ports: - http: - port: *port - ingress: - app: - enabled: true - className: internal-nginx - hosts: - - host: &host sabz.jahanson.tech - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host - persistence: - config: - enabled: true - existingClaim: sabnzbd - tmp: - type: emptyDir - media: - type: nfs - server: 10.1.1.13 - path: /eru/media - globalMounts: - - path: /data/nas-media diff --git a/kubernetes/apps/default/sabnzbd/app/kustomization.yaml b/kubernetes/apps/default/sabnzbd/app/kustomization.yaml deleted file mode 100644 index be13d2db..00000000 --- a/kubernetes/apps/default/sabnzbd/app/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml - - ../../../../templates/volsync diff --git a/kubernetes/apps/default/sabnzbd/ks.yaml b/kubernetes/apps/default/sabnzbd/ks.yaml deleted file mode 100644 index be0964dc..00000000 
--- a/kubernetes/apps/default/sabnzbd/ks.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app sabnzbd
- namespace: flux-system
-spec:
- targetNamespace: default
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- dependsOn:
- - name: external-secrets-stores
- - name: openebs
- - name: volsync
- path: ./kubernetes/apps/default/sabnzbd/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: homelab
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
- postBuild:
- substitute:
- APP: *app
- VOLSYNC_CAPACITY: 1Gi
- VOLSYNC_STORAGECLASS: openebs-zfs
- VOLSYNC_SNAPSHOTCLASS: openebs-zfs
diff --git a/kubernetes/apps/default/searxng/app/externalsecret.yaml b/kubernetes/apps/default/searxng/app/externalsecret.yaml
deleted file mode 100644
index 982251f8..00000000
--- a/kubernetes/apps/default/searxng/app/externalsecret.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: searxng
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: searxng-secret
- template:
- engineVersion: v2
- data:
- SEARXNG_SECRET: "{{ .SEARXNG_SECRET }}"
- dataFrom:
- - extract:
- key: searxng
diff --git a/kubernetes/apps/default/searxng/app/helmrelease.yaml b/kubernetes/apps/default/searxng/app/helmrelease.yaml
deleted file mode 100644
index bd2e5994..00000000
--- a/kubernetes/apps/default/searxng/app/helmrelease.yaml
+++ /dev/null
@@ -1,112 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: searxng -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - searxng: - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: docker.io/searxng/searxng - tag: 2024.7.7-ef103ba80 - envFrom: - - secretRef: - name: searxng-secret - env: - TZ: America/Chicago - SEARXNG_BASE_URL: https://search.jahanson.tech - SEARXNG_URL: https://search.jahanson.tech - SEARXNG_PORT: &port 8080 - probes: - liveness: &probes - enabled: true - custom: true - spec: - httpGet: - path: /stats - port: *port - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: *probes - startup: - enabled: false - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - add: - - CHOWN - - SETGID - - SETUID - - DAC_OVERRIDE - resources: - requests: - cpu: 10m - limits: - memory: 3Gi - service: - app: - controller: searxng - ports: - http: - port: *port - ingress: - app: - enabled: true - className: internal-nginx - hosts: - - host: &host "search.jahanson.tech" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host - persistence: - config: - type: configMap - name: searxng-configmap - advancedMounts: - searxng: - app: - - path: /etc/searxng/settings.yml - subPath: settings.yml - readOnly: true - - path: /etc/searxng/limiter.toml - subPath: limiter.toml - readOnly: true - tmp: - type: emptyDir - advancedMounts: - searxng: - app: - - 
path: /etc/searxng
diff --git a/kubernetes/apps/default/searxng/app/kustomization.yaml b/kubernetes/apps/default/searxng/app/kustomization.yaml
deleted file mode 100644
index cc085e4e..00000000
--- a/kubernetes/apps/default/searxng/app/kustomization.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./externalsecret.yaml
- - ./helmrelease.yaml
- - ../../../../templates/gatus/internal
-configMapGenerator:
- - name: searxng-configmap
- files:
- - settings.yml=./resources/settings.yml
- - limiter.toml=./resources/limiter.toml
-generatorOptions:
- disableNameSuffixHash: true
diff --git a/kubernetes/apps/default/searxng/app/resources/limiter.toml b/kubernetes/apps/default/searxng/app/resources/limiter.toml
deleted file mode 100644
index 190f8df5..00000000
--- a/kubernetes/apps/default/searxng/app/resources/limiter.toml
+++ /dev/null
@@ -1,6 +0,0 @@
-# This configuration file updates the default configuration file
-# See https://github.com/searxng/searxng/blob/master/searx/limiter.toml
-
-[botdetection.ip_limit]
-# activate link_token method in the ip_limit method
-link_token = true
diff --git a/kubernetes/apps/default/searxng/app/resources/settings.yml b/kubernetes/apps/default/searxng/app/resources/settings.yml
deleted file mode 100644
index 553e14e6..00000000
--- a/kubernetes/apps/default/searxng/app/resources/settings.yml
+++ /dev/null
@@ -1,51 +0,0 @@
----
-use_default_settings: true
-
-server:
- limiter: false
- image_proxy: true
-
-redis:
- url: redis://dragonfly.database.svc.cluster.local:6379?db=10
-
-search:
- safe_search: 0
- autocomplete: brave
- formats:
- - html
- - json
-
-general:
- instance_name: HansonSearch
-
-ui:
- static_use_hash: true
- default_theme: simple
- theme_args:
- simple_style: dark
- infinite_scroll: true
- results_on_new_tab: true
-
-enabled_plugins:
- - Basic Calculator
- - Hash plugin
- - Hostnames plugin
- - Open Access DOI rewrite
- - Self Informations
- - Tracker URL remover
- - Unit converter plugin
-
-hostnames:
- high_priority:
- - (.*)\/blog\/(.*)
- - (.*\.)?wikipedia.org$
- - (.*\.)?github.com$
- - (.*\.)?reddit.com$
- - (.*\.)?linuxserver.io$
- - (.*\.)?docker.com$
- - (.*\.)?archlinux.org$
- - (.*\.)?stackoverflow.com$
- - (.*\.)?askubuntu.com$
- - (.*\.)?superuser.com$
- replace:
- (www\.)?reddit\.com$: red.hsn.dev
diff --git a/kubernetes/apps/default/searxng/ks.yaml b/kubernetes/apps/default/searxng/ks.yaml
deleted file mode 100644
index 4a4df6a8..00000000
--- a/kubernetes/apps/default/searxng/ks.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app searxng
- namespace: flux-system
-spec:
- targetNamespace: default
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- dependsOn:
- - name: dragonfly
- - name: external-secrets-stores
- path: ./kubernetes/apps/default/searxng/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: homelab
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
- postBuild:
- substitute:
- APP: *app
- GATUS_SUBDOMAIN: search
diff --git a/kubernetes/apps/default/sonarr/app/externalsecret.yaml b/kubernetes/apps/default/sonarr/app/externalsecret.yaml
deleted file mode 100644
index 8db1a12a..00000000
--- a/kubernetes/apps/default/sonarr/app/externalsecret.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: sonarr
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: sonarr-secret
- template:
- engineVersion: v2
- data:
- PUSHOVER_TOKEN: "{{ .sonarr_token }}"
- PUSHOVER_USER_KEY: "{{ .userkey_jahanson }}"
- SONARR__AUTH__APIKEY: "{{ .api_key }}"
- SONARR__POSTGRES__HOST: "postgres-primary-real.database.svc"
- SONARR__POSTGRES__USER: "{{ .SONARR_POSTGRES_USER }}"
- SONARR__POSTGRES__PASSWORD: "{{ .SONARR_POSTGRES_PASSWORD }}"
- SONARR__POSTGRES__PORT: "5432"
- SONARR__POSTGRES__MAINDB: sonarr_main
- dataFrom:
- - extract:
- key: pushover
- - extract:
- key: sonarr
diff --git a/kubernetes/apps/default/sonarr/app/helmrelease.yaml b/kubernetes/apps/default/sonarr/app/helmrelease.yaml
deleted file mode 100644
index 7e93811d..00000000
--- a/kubernetes/apps/default/sonarr/app/helmrelease.yaml
+++ /dev/null
@@ -1,117 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: sonarr -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - sonarr: - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: ghcr.io/onedr0p/sonarr-develop - tag: 4.0.9.2278 - env: - SONARR__APP__INSTANCENAME: Sonarr - SONARR__APP__THEME: dark - SONARR__AUTH__METHOD: External - SONARR__AUTH__REQUIRED: DisabledForLocalAddresses - SONARR__LOG__DBENABLED: "False" - SONARR__LOG__LEVEL: info - SONARR__SERVER__PORT: &port 80 - SONARR__UPDATE__BRANCH: develop - TZ: America/Chicago - envFrom: - - secretRef: - name: sonarr-secret - probes: - liveness: &probes - enabled: true - custom: true - spec: - httpGet: - path: /ping - port: *port - initialDelaySeconds: 0 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 3 - readiness: *probes - startup: - enabled: false - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - resources: - requests: - cpu: 10m - limits: - memory: 16Gi - pod: - securityContext: - runAsUser: 568 - runAsGroup: 568 - runAsNonRoot: true - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - supplementalGroups: [10000] - service: - app: - controller: sonarr - ports: - http: - port: *port - ingress: - main: - enabled: true - className: internal-nginx - hosts: - - host: &host "{{ .Release.Name }}.jahanson.tech" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host - persistence: - config: - enabled: true - 
existingClaim: sonarr
- tmp:
- type: emptyDir
- media:
- type: nfs
- server: 10.1.1.13
- path: /eru/media
- globalMounts:
- - path: /data/nas-media
- sting-media:
- type: nfs
- server: 10.1.1.12
- path: /mnt/user/Media/
- globalMounts:
- - path: /data/sting-media
diff --git a/kubernetes/apps/default/sonarr/app/kustomization.yaml b/kubernetes/apps/default/sonarr/app/kustomization.yaml
deleted file mode 100644
index be13d2db..00000000
--- a/kubernetes/apps/default/sonarr/app/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./externalsecret.yaml
- - ./helmrelease.yaml
- - ../../../../templates/volsync
diff --git a/kubernetes/apps/default/sonarr/ks.yaml b/kubernetes/apps/default/sonarr/ks.yaml
deleted file mode 100644
index 3590b66f..00000000
--- a/kubernetes/apps/default/sonarr/ks.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app sonarr
- namespace: flux-system
-spec:
- targetNamespace: default
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- dependsOn:
- - name: crunchy-postgres-operator
- - name: external-secrets-stores
- - name: volsync
- - name: openebs
- path: ./kubernetes/apps/default/sonarr/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: homelab
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
- postBuild:
- substitute:
- APP: *app
- DB_NAME: sonarr
- DB_USER: sonarr
- VOLSYNC_CAPACITY: 15Gi
- VOLSYNC_STORAGECLASS: openebs-zfs
- VOLSYNC_SNAPSHOTCLASS: openebs-zfs
diff --git a/kubernetes/apps/default/tautulli/app/helmrelease.yaml b/kubernetes/apps/default/tautulli/app/helmrelease.yaml
deleted file mode 100644
index fa990829..00000000
--- a/kubernetes/apps/default/tautulli/app/helmrelease.yaml
+++ /dev/null
@@ -1,118 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: tautulli -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - tautulli: - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: ghcr.io/tautulli/tautulli - tag: v2.14.4@sha256:4316ed82bd1334852c56460d0dc2c3ff4fc84ac55e71944bcb0f27838ed7a53e - env: - TZ: America/Chicago - command: ["/usr/local/bin/python", "Tautulli.py"] - args: [ - "--config", "/config/config.ini", - "--datadir", "/config", - "--port", "80" - ] - probes: - liveness: &probes - enabled: true - custom: true - spec: - httpGet: - path: /status - port: &port 80 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: *probes - startup: - enabled: false - securityContext: &securityContext - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - resources: - requests: - cpu: 10m - limits: - memory: 1Gi - jbops: - image: - repository: registry.k8s.io/git-sync/git-sync - tag: v4.2.4@sha256:8bfbf28623690fba06c65ec392e42023d28ecfc7e0fbfd4443388d020dc112ea - env: - GITSYNC_REPO: https://github.com/blacktwin/JBOPS - GITSYNC_REF: master - GITSYNC_PERIOD: 24h - GITSYNC_ROOT: /add-ons - securityContext: *securityContext - resources: - requests: - cpu: 10m - limits: - memory: 128Mi - pod: - securityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - service: - app: - controller: tautulli - ports: - http: - port: *port - ingress: - app: - 
enabled: true
- className: external-nginx
- annotations:
- external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
- external-dns.alpha.kubernetes.io/target: external.hsn.dev
- hosts:
- - host: &host "t.hsn.dev"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
- persistence:
- config:
- enabled: true
- existingClaim: tautulli
- tmp:
- type: emptyDir
- add-ons:
- type: emptyDir
diff --git a/kubernetes/apps/default/tautulli/app/kustomization.yaml b/kubernetes/apps/default/tautulli/app/kustomization.yaml
deleted file mode 100644
index a928a563..00000000
--- a/kubernetes/apps/default/tautulli/app/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./helmrelease.yaml
- - ../../../../templates/volsync
diff --git a/kubernetes/apps/default/tautulli/ks.yaml b/kubernetes/apps/default/tautulli/ks.yaml
deleted file mode 100644
index 78c5506e..00000000
--- a/kubernetes/apps/default/tautulli/ks.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app tautulli
- namespace: flux-system
-spec:
- targetNamespace: default
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/apps/default/tautulli/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: homelab
- dependsOn:
- - name: openebs
- - name: volsync
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
- postBuild:
- substitute:
- APP: *app
- VOLSYNC_CAPACITY: 5Gi
- VOLSYNC_STORAGECLASS: openebs-zfs
- VOLSYNC_SNAPSHOTCLASS: openebs-zfs
diff --git a/kubernetes/apps/default/thelounge/app/helmrelease.yaml b/kubernetes/apps/default/thelounge/app/helmrelease.yaml
deleted file mode 100644
index ceb4362d..00000000
--- a/kubernetes/apps/default/thelounge/app/helmrelease.yaml +++ /dev/null @@ -1,79 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: thelounge -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - interval: 30m - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - - values: - controllers: - thelounge: - type: statefulset - - annotations: - reloader.stakater.com/auto: "true" - - statefulset: - volumeClaimTemplates: - - name: config - accessMode: ReadWriteOnce - size: 1Gi - storageClass: openebs-zfs - globalMounts: - - path: /config - - containers: - app: - image: - repository: ghcr.io/thelounge/thelounge - tag: 4.4.3 - env: - THELOUNGE_HOME: /config - probes: - liveness: - enabled: true - readiness: - enabled: true - startup: - enabled: true - spec: - failureThreshold: 30 - periodSeconds: 5 - resources: - requests: - cpu: 12m - memory: 256M - limits: - memory: 512M - - service: - app: - controller: thelounge - ports: - http: - port: 9000 - - ingress: - app: - className: internal-nginx - hosts: - - host: &host "{{ .Release.Name }}.jahanson.tech" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host diff --git a/kubernetes/apps/default/thelounge/app/kustomization.yaml b/kubernetes/apps/default/thelounge/app/kustomization.yaml deleted file mode 100644 index 17cbc72b..00000000 --- a/kubernetes/apps/default/thelounge/app/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml 
diff --git a/kubernetes/apps/default/unpackerr/app/externalsecret.yaml b/kubernetes/apps/default/unpackerr/app/externalsecret.yaml
deleted file mode 100644
index ef51d833..00000000
--- a/kubernetes/apps/default/unpackerr/app/externalsecret.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: unpackerr
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: unpackerr-secret
- template:
- engineVersion: v2
- data:
- UN_RADARR_0_API_KEY: "{{ .radarr_api_key }}"
- UN_SONARR_0_API_KEY: "{{ .sonarr_api_key }}"
- dataFrom:
- - extract:
- key: radarr
- rewrite:
- - regexp:
- source: "(.*)"
- target: "radarr_$1"
- - extract:
- key: sonarr
- rewrite:
- - regexp:
- source: "(.*)"
- target: "sonarr_$1"
diff --git a/kubernetes/apps/default/unpackerr/app/helmrelease.yaml b/kubernetes/apps/default/unpackerr/app/helmrelease.yaml
deleted file mode 100644
index 116dc2b5..00000000
--- a/kubernetes/apps/default/unpackerr/app/helmrelease.yaml
+++ /dev/null
@@ -1,84 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: unpackerr -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - unpackerr: - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: ghcr.io/unpackerr/unpackerr - tag: 0.14.5@sha256:dc72256942ce50d1c8a1aeb5aa85b6ae2680a36eefd2182129d8d210fce78044 - env: - TZ: America/Chicago - UN_WEBSERVER_METRICS: "true" - UN_SONARR_0_URL: http://sonarr.default.svc.cluster.local - UN_SONARR_0_PATHS_0: /data/nas-media/qb/downloads/complete/sonarr/ - UN_RADARR_0_URL: http://radarr.default.svc.cluster.local - UN_RADARR_0_PATHS_0: /data/nas-media/qb/downloads/complete/radarr/ - envFrom: - - secretRef: - name: unpackerr-secret - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - resources: - requests: - cpu: 10m - limits: - memory: 4Gi - pod: - securityContext: - runAsUser: 568 - runAsGroup: 568 - runAsNonRoot: true - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - service: - app: - controller: unpackerr - ports: - http: - port: 5656 - serviceMonitor: - app: - serviceName: unpackerr - endpoints: - - port: http - scheme: http - path: /metrics - interval: 1m - scrapeTimeout: 10s - persistence: - media: - type: nfs - server: 10.1.1.13 - path: /eru/media - advancedMounts: - unpackerr: - app: - - path: /data/nas-media 
diff --git a/kubernetes/apps/default/unpackerr/app/kustomization.yaml b/kubernetes/apps/default/unpackerr/app/kustomization.yaml
deleted file mode 100644
index 4eed917b..00000000
--- a/kubernetes/apps/default/unpackerr/app/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./externalsecret.yaml
- - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/unpackerr/ks.yaml b/kubernetes/apps/default/unpackerr/ks.yaml
deleted file mode 100644
index ce3a15bd..00000000
--- a/kubernetes/apps/default/unpackerr/ks.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app unpackerr
- namespace: flux-system
-spec:
- targetNamespace: default
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- dependsOn:
- - name: external-secrets-stores
- path: ./kubernetes/apps/default/unpackerr/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: homelab
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/apps/democratic-csi/democratic-csi/app/externalsecret.yaml b/kubernetes/apps/democratic-csi/democratic-csi/app/externalsecret.yaml
deleted file mode 100644
index ef0668b8..00000000
--- a/kubernetes/apps/democratic-csi/democratic-csi/app/externalsecret.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: democratic-csi
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: democratic-csi-secret
- creationPolicy: Owner
- template:
- engineVersion: v2
- data:
- CSI_USERNAME: "{{ .dcsi_username }}"
- CSI_PRIVATEKEY: "{{ .dcsi_privatekey }}"
- dataFrom:
- - extract:
- key: democratic-csi
- rewrite:
- - regexp:
- source: "(.*)"
- target: "dcsi_$1"
diff --git a/kubernetes/apps/democratic-csi/democratic-csi/app/helmrelease.yaml b/kubernetes/apps/democratic-csi/democratic-csi/app/helmrelease.yaml
deleted file mode 100644
index d292bfd5..00000000
--- a/kubernetes/apps/democratic-csi/democratic-csi/app/helmrelease.yaml
+++ /dev/null
@@ -1,119 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: nfs-zfs-dataset - namespace: democratic-csi -spec: - interval: 30m - chart: - spec: - chart: democratic-csi - version: 0.14.6 - sourceRef: - name: democratic-csi - kind: HelmRepository - namespace: flux-system - valuesFrom: - - targetPath: driver.config.sshConnection.username - kind: Secret - name: democratic-csi-secret - valuesKey: CSI_USERNAME - - targetPath: driver.config.sshConnection.privateKey - kind: Secret - name: democratic-csi-secret - valuesKey: CSI_PRIVATEKEY - values: - csiDriver: - # should be globally unique for a given cluster - name: "org.democratic-csi.nfs" - fsGroupPolicy: File - storageClasses: - - name: zfs-generic-nfs-csi - defaultClass: false - reclaimPolicy: Delete - volumeBindingMode: Immediate - allowVolumeExpansion: true - parameters: - # for block-based storage can be ext3, ext4, xfs - # for nfs should be nfs - fsType: nfs - - # if true, volumes created from other snapshots will be - # zfs send/received instead of zfs cloned - # detachedVolumesFromSnapshots: "false" - - # if true, volumes created from other volumes will be - # zfs send/received instead of zfs cloned - # detachedVolumesFromVolumes: "false" - - mountOptions: - - noatime - - nfsvers=4.2 - secrets: - provisioner-secret: - controller-publish-secret: - node-stage-secret: - node-publish-secret: - controller-expand-secret: - volumeSnapshotClasses: - - name: zfs-generic-nfs-csi - parameters: - # if true, snapshots will be created with zfs send/receive - detachedSnapshots: "true" - secrets: - snapshotter-secret: - driver: - config: - # please see the most up-to-date example of the corresponding config here: - # https://github.com/democratic-csi/democratic-csi/tree/master/examples - # YOU MUST COPY THE DATA HERE INLINE! 
- driver: zfs-generic-nfs - sshConnection: - host: 10.1.1.13 - port: 22 - - zfs: - # can be used to override defaults if necessary - # the example below is useful for NixOS - cli: - sudoEnabled: true - paths: - zfs: /run/current-system/sw/bin/zfs - zpool: /run/current-system/sw/bin/zpool - sudo: /run/wrappers/bin/sudo - chroot: /run/current-system/sw/bin/chroot - - # can be used to set arbitrary values on the dataset/zvol - # can use handlebars templates with the parameters from the storage class/CO - #datasetProperties: - # "org.freenas:description": "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}" - # "org.freenas:test": "{{ parameters.foo }}" - # "org.freenas:test2": "some value" - - datasetParentName: eru/k8s/homelab - # do NOT make datasetParentName and detachedSnapshotsDatasetParentName overlap - # they may be siblings, but neither should be nested in the other - # do NOT comment this option out even if you don't plan to use snapshots, just leave it with dummy value - detachedSnapshotsDatasetParentName: tanks/k8s/homelab-snapshots - - datasetEnableQuotas: true - datasetEnableReservation: false - datasetPermissionsMode: "0777" - datasetPermissionsUser: 0 - datasetPermissionsGroup: 0 - #datasetPermissionsAcls: - #- "-m everyone@:full_set:allow" - #- "-m u:kube:full_set:allow" - - nfs: - # # https://docs.oracle.com/cd/E23824_01/html/821-1448/gayne.html - # # https://www.hiroom2.com/2016/05/18/ubuntu-16-04-share-zfs-storage-via-nfs-smb/ - shareStrategy: "setDatasetProperties" - shareStrategySetDatasetProperties: - properties: - # sharenfs: "rw,no_subtree_check,no_root_squash" - sharenfs: "on" - # share: "" - shareHost: "10.1.1.13" diff --git a/kubernetes/apps/democratic-csi/democratic-csi/app/kustomization.yaml b/kubernetes/apps/democratic-csi/democratic-csi/app/kustomization.yaml deleted file mode 100644 index 4eed917b..00000000 
--- a/kubernetes/apps/democratic-csi/democratic-csi/app/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./externalsecret.yaml
- - ./helmrelease.yaml
diff --git a/kubernetes/apps/democratic-csi/democratic-csi/ks.yaml b/kubernetes/apps/democratic-csi/democratic-csi/ks.yaml
deleted file mode 100644
index 42764f2d..00000000
--- a/kubernetes/apps/democratic-csi/democratic-csi/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app democratic-csi
- namespace: flux-system
-spec:
- targetNamespace: democratic-csi
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/apps/democratic-csi/democratic-csi/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: homelab
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/apps/democratic-csi/kustomization.yaml b/kubernetes/apps/democratic-csi/kustomization.yaml
deleted file mode 100644
index 5c873ed5..00000000
--- a/kubernetes/apps/democratic-csi/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- # Pre Flux-Kustomizations
- - ./namespace.yaml
- # Flux-Kustomizations
- - ./democratic-csi/ks.yaml
diff --git a/kubernetes/apps/democratic-csi/namespace.yaml b/kubernetes/apps/democratic-csi/namespace.yaml
deleted file mode 100644
index 17db4dd0..00000000
--- a/kubernetes/apps/democratic-csi/namespace.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: democratic-csi
- annotations:
- kustomize.toolkit.fluxcd.io/prune: disabled
- volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app/dragonfly-operator-crd.yaml b/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app/dragonfly-operator-crd.yaml
deleted file mode 100644
index cc183bf7..00000000
--- a/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app/dragonfly-operator-crd.yaml
+++ /dev/null
@@ -1,1702 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: dragonflies.dragonflydb.io -spec: - group: dragonflydb.io - names: - kind: Dragonfly - listKind: DragonflyList - plural: dragonflies - singular: dragonfly - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Dragonfly is the Schema for the dragonflies API - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: DragonflySpec defines the desired state of Dragonfly - properties: - aclFromSecret: - description: (Optional) Acl file Secret to pass to the container - properties: - key: - description: - The key of the secret to select from. Must be a - valid secret key. - type: string - name: - description: - "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?" 
- type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - affinity: - description: (Optional) Dragonfly pod affinity - properties: - nodeAffinity: - description: - Describes node affinity scheduling rules for the - pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: - The scheduler will prefer to schedule pods to - nodes that satisfy the affinity expressions specified by - this field, but it may choose a node that violates one or - more of the expressions. The node that is most preferred - is the one with the greatest sum of weights, i.e. for each - node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, - etc.), compute a sum by iterating through the elements of - this field and adding "weight" to the sum if the node matches - the corresponding matchExpressions; the node(s) with the - highest sum are the most preferred. - items: - description: - An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects (i.e. - is also a no-op). - properties: - preference: - description: - A node selector term, associated with the - corresponding weight. - properties: - matchExpressions: - description: - A list of node selector requirements - by node's labels. - items: - description: - A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - The label key that the selector - applies to. - type: string - operator: - description: - Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: - An array of string values. 
If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of node selector requirements - by node's fields. - items: - description: - A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - The label key that the selector - applies to. - type: string - operator: - description: - Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: - An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - weight: - description: - Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: - If the affinity requirements specified by this - field are not met at scheduling time, the pod will not be - scheduled onto the node. If the affinity requirements specified - by this field cease to be met at some point during pod execution - (e.g. 
due to an update), the system may or may not try to - eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: - Required. A list of node selector terms. - The terms are ORed. - items: - description: - A null or empty node selector term matches - no objects. The requirements of them are ANDed. The - TopologySelectorTerm type implements a subset of the - NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of node selector requirements - by node's labels. - items: - description: - A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - The label key that the selector - applies to. - type: string - operator: - description: - Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: - An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of node selector requirements - by node's fields. - items: - description: - A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - The label key that the selector - applies to. - type: string - operator: - description: - Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. - type: string - values: - description: - An array of string values. 
If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - x-kubernetes-map-type: atomic - type: array - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: - Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: - The scheduler will prefer to schedule pods to - nodes that satisfy the affinity expressions specified by - this field, but it may choose a node that violates one or - more of the expressions. The node that is most preferred - is the one with the greatest sum of weights, i.e. for each - node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, - etc.), compute a sum by iterating through the elements of - this field and adding "weight" to the sum if the node has - pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: - The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are - ANDed. 
- items: - description: - A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: - key is the label key that - the selector applies to. - type: string - operator: - description: - operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: - A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. - properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: - A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: - key is the label key that - the selector applies to. 
- type: string - operator: - description: - operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: - namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: - This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated with matching the corresponding - podAffinityTerm, in the range 1-100. 
- format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: - If the affinity requirements specified by this - field are not met at scheduling time, the pod will not be - scheduled onto the node. If the affinity requirements specified - by this field cease to be met at some point during pod execution - (e.g. due to a pod label update), the system may or may - not try to eventually evict the pod from its node. When - there are multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. all terms - must be satisfied. - items: - description: - Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not co-located - (anti-affinity) with, where co-located is defined as running - on a node whose value of the label with key - matches that of any node on which a pod of the set of - pods is running - properties: - labelSelector: - description: - A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: - A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - key is the label key that the - selector applies to. - type: string - operator: - description: - operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: - A label query over the set of namespaces - that the term applies to. The term is applied to the - union of the namespaces selected by this field and - the ones listed in the namespaces field. null selector - and null or empty namespaces list means "this pod's - namespace". An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: - A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - key is the label key that the - selector applies to. - type: string - operator: - description: - operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: - namespaces specifies a static list of namespace - names that the term applies to. The term is applied - to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. null or - empty namespaces list and null namespaceSelector means - "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: - This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where - co-located is defined as running on a node whose value - of the label with key topologyKey matches that of - any node on which any of the selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: - The scheduler will prefer to schedule pods to - nodes that satisfy the anti-affinity expressions specified - by this field, but it may choose a node that violates one - or more of the expressions. The node that is most preferred - is the one with the greatest sum of weights, i.e. 
for each - node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, - etc.), compute a sum by iterating through the elements of - this field and adding "weight" to the sum if the node has - pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: - The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: - A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: - key is the label key that - the selector applies to. - type: string - operator: - description: - operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". 
- The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: - A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. - properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: - A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: - key is the label key that - the selector applies to. - type: string - operator: - description: - operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: - namespaces specifies a static list - of namespace names that the term applies to. 
The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: - This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated with matching the corresponding - podAffinityTerm, in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: - If the anti-affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the anti-affinity requirements - specified by this field cease to be met at some point during - pod execution (e.g. due to a pod label update), the system - may or may not try to eventually evict the pod from its - node. When there are multiple elements, the lists of nodes - corresponding to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. - items: - description: - Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not co-located - (anti-affinity) with, where co-located is defined as running - on a node whose value of the label with key - matches that of any node on which a pod of the set of - pods is running - properties: - labelSelector: - description: - A label query over a set of resources, - in this case pods. 
- properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: - A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - key is the label key that the - selector applies to. - type: string - operator: - description: - operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: - A label query over the set of namespaces - that the term applies to. The term is applied to the - union of the namespaces selected by this field and - the ones listed in the namespaces field. null selector - and null or empty namespaces list means "this pod's - namespace". An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: - A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
- properties: - key: - description: - key is the label key that the - selector applies to. - type: string - operator: - description: - operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: - namespaces specifies a static list of namespace - names that the term applies to. The term is applied - to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. null or - empty namespaces list and null namespaceSelector means - "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: - This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where - co-located is defined as running on a node whose value - of the label with key topologyKey matches that of - any node on which any of the selected pods is running. - Empty topologyKey is not allowed. 
- type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - annotations: - additionalProperties: - type: string - description: (Optional) Annotations to add to the Dragonfly pods. - type: object - args: - description: - (Optional) Dragonfly container args to pass to the container - Refer to the Dragonfly documentation for the list of supported args - items: - type: string - type: array - authentication: - description: (Optional) Dragonfly Authentication mechanism - properties: - clientCaCertSecret: - description: - (Optional) If specified, the Dragonfly instance will - check if the client certificate is signed by this CA. Server - TLS must be enabled for this. - properties: - key: - description: - The key of the secret to select from. Must be - a valid secret key. - type: string - name: - description: - "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?" - type: string - optional: - description: - Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - passwordFromSecret: - description: - (Optional) Dragonfly Password from Secret as a reference - to a specific key - properties: - key: - description: - The key of the secret to select from. Must be - a valid secret key. - type: string - name: - description: - "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?" - type: string - optional: - description: - Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - env: - description: (Optional) Env variables to add to the Dragonfly pods. 
- items: - description: - EnvVar represents an environment variable present in - a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: - 'Variable references $(VAR_NAME) are expanded using - the previously defined environment variables in the container - and any service environment variables. If a variable cannot - be resolved, the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the - string literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists or - not. Defaults to "".' - type: string - valueFrom: - description: - Source for the environment variable's value. Cannot - be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: - "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?" - type: string - optional: - description: - Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: - "Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, - status.podIP, status.podIPs." - properties: - apiVersion: - description: - Version of the schema the FieldPath is - written in terms of, defaults to "v1". - type: string - fieldPath: - description: - Path of the field to select in the specified - API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: - "Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported." - properties: - containerName: - description: - "Container name: required for volumes, - optional for env vars" - type: string - divisor: - anyOf: - - type: integer - - type: string - description: - Specifies the output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: "Required: resource to select" - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: - The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: - "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?" - type: string - optional: - description: - Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - description: Image is the Dragonfly image to use - type: string - labels: - additionalProperties: - type: string - description: (Optional) Labels to add to the Dragonfly pods. 
- type: object - nodeSelector: - additionalProperties: - type: string - description: (Optional) Dragonfly pod node selector - type: object - priorityClassName: - description: (Optional) Dragonfly pod priority class name - type: string - replicas: - description: - Replicas is the total number of Dragonfly instances including - the master - format: int32 - type: integer - resources: - description: - (Optional) Dragonfly container resource limits. Any container - limits can be specified. - properties: - claims: - description: - "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be set - for containers." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: - Name must match the name of one entry in pod.spec.resourceClaims - of the Pod where this field is used. It makes that resource - available inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: - "Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: - "Requests describes the minimum amount of compute - resources required. 
If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - type: object - type: object - serviceAccountName: - description: (Optional) Dragonfly pod service account name - type: string - serviceSpec: - description: (Optional) Dragonfly Service configuration - properties: - annotations: - additionalProperties: - type: string - description: (Optional) Dragonfly Service Annotations - type: object - type: - description: (Optional) Dragonfly Service type - type: string - type: object - snapshot: - description: (Optional) Dragonfly Snapshot configuration - properties: - cron: - description: (Optional) Dragonfly snapshot schedule - type: string - dir: - description: - (Optional) The path to the snapshot directory This - can also be an S3 URI with the prefix `s3://` when using S3 - as the snapshot backend - type: string - persistentVolumeClaimSpec: - description: (Optional) Dragonfly PVC spec - properties: - accessModes: - description: - "accessModes contains the desired access modes - the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1" - items: - type: string - type: array - dataSource: - description: - "dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) If the provisioner - or an external controller can support the specified data - source, it will create a new volume based on the contents - of the specified data source. When the AnyVolumeDataSource - feature gate is enabled, dataSource contents will be copied - to dataSourceRef, and dataSourceRef contents will be copied - to dataSource when dataSourceRef.namespace is not specified. 
- If the namespace is specified, then dataSourceRef will not - be copied to dataSource." - properties: - apiGroup: - description: - APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: - "dataSourceRef specifies the object from which - to populate the volume with data, if a non-empty volume - is desired. This may be any object from a non-empty API - group (non core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed - if the type of the specified object matches some installed - volume populator or dynamic provisioner. This field will - replace the functionality of the dataSource field and as - such if both fields are non-empty, they must have the same - value. For backwards compatibility, when namespace isn't - specified in dataSourceRef, both fields (dataSource and - dataSourceRef) will be set to the same value automatically - if one of them is empty and the other is non-empty. When - namespace is specified in dataSourceRef, dataSource isn't - set to the same value and must be empty. There are three - important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, - dataSourceRef allows any non-core object, as well as PersistentVolumeClaim - objects. * While dataSource ignores disallowed values (dropping - them), dataSourceRef preserves all values, and generates - an error if a disallowed value is specified. * While dataSource - only allows local objects, dataSourceRef allows objects - in any namespaces. 
(Beta) Using this field requires the - AnyVolumeDataSource feature gate to be enabled. (Alpha) - Using the namespace field of dataSourceRef requires the - CrossNamespaceVolumeDataSource feature gate to be enabled." - properties: - apiGroup: - description: - APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: - Namespace is the namespace of resource being - referenced Note that when a namespace is specified, - a gateway.networking.k8s.io/ReferenceGrant object is - required in the referent namespace to allow that namespace's - owner to accept the reference. See the ReferenceGrant - documentation for details. (Alpha) This field requires - the CrossNamespaceVolumeDataSource feature gate to be - enabled. - type: string - required: - - kind - - name - type: object - resources: - description: - "resources represents the minimum resources the - volume should have. If RecoverVolumeExpansionFailure feature - is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher - than capacity recorded in the status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources" - properties: - claims: - description: - "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
- properties: - name: - description: - Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where this - field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: - "Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: - "Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - type: object - type: object - selector: - description: - selector is a label query over volumes to consider - for binding. - properties: - matchExpressions: - description: - matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: - A label selector requirement is a selector - that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: - key is the label key that the selector - applies to. - type: string - operator: - description: - operator represents a key's relationship - to a set of values. 
Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: - values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: - "storageClassName is the name of the StorageClass - required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1" - type: string - volumeMode: - description: - volumeMode defines what type of volume is required - by the claim. Value of Filesystem is implied when not included - in claim spec. - type: string - volumeName: - description: - volumeName is the binding reference to the PersistentVolume - backing this claim. - type: string - type: object - type: object - tlsSecretRef: - description: - (Optional) Dragonfly TLS secret to used for TLS Connections - to Dragonfly. Dragonfly instance must have access to this secret - and be in the same namespace - properties: - name: - description: - name is unique within a namespace to reference a - secret resource. - type: string - namespace: - description: - namespace defines the space within which the secret - name must be unique. 
- type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: (Optional) Dragonfly pod tolerations - items: - description: - The pod this Toleration is attached to tolerates any - taint that matches the triple using the matching - operator . - properties: - effect: - description: - Effect indicates the taint effect to match. Empty - means match all taint effects. When specified, allowed values - are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: - Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match all - values and all keys. - type: string - operator: - description: - Operator represents a key's relationship to the - value. Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod - can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents the period of time - the toleration (which must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. By default, it - is not set, which means tolerate the taint forever (do not - evict). Zero and negative values will be treated as 0 (evict - immediately) by the system. - format: int64 - type: integer - value: - description: - Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: (Optional) Dragonfly pod topologySpreadConstraints - items: - description: The pod this TopologySpreadConstraints is attached - properties: - maxSkew: - description: - the degree to which Pods may be unevenly distributed. - You must specify this field and the number must be greater than zero. 
- Its semantics differ according to the value of whenUnsatisfiable - format: int32 - type: integer - minDomains: - description: - (Optional) indicates a minimum number of eligible domains. - This field is optional. A domain is a particular instance of a topology. - An eligible domain is a domain whose nodes match the node selector - format: int32 - type: integer - topologyKey: - description: - the key of node labels. Nodes that have a label with this key and - identical values are considered to be in the same topology. We call each - instance of a topology (in other words, a pair) a domain. - The scheduler will try to put a balanced number of pods into each domain. - Also, we define an eligible domain as a domain whose nodes meet the - requirements of nodeAffinityPolicy and nodeTaintsPolicy. - type: string - whenUnsatisfiable: - description: - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to still schedule it while prioritizing - nodes that minimize the skew. - type: string - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: - field is a beta-level field and enabled by default in 1.27. - You can disable it by disabling the MatchLabelKeysInPodTopologySpread - items: - type: string - type: array - nodeAffinityPolicy: - description: - indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are Honor or Ignore - type: string - nodeTaintsPolicy: - description: indicates how we will treat node taints when calculating pod topology spread skew. Honor or Ignore - type: string - type: object - type: array - type: object - status: - description: DragonflyStatus defines the observed state of Dragonfly - properties: - isRollingUpdate: - description: - IsRollingUpdate is true if the Dragonfly instance is - being updated - type: boolean - phase: - description: - 'Status of the Dragonfly Instance It can be one of the - following: - "ready": The Dragonfly instance is ready to serve requests - - "configuring-replication": The controller is updating the master - of the Dragonfly instance - "resources-created": The Dragonfly instance - resources were created but not yet configured' - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app/helmrelease.yaml b/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app/helmrelease.yaml deleted file mode 100644 index c6d21028..00000000 
--- a/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app/helmrelease.yaml
+++ /dev/null
@@ -1,129 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app dragonfly-operator -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - serviceAccount: - create: false - name: dragonfly-operator-controller-manager - controllers: - dragonfly-operator: - containers: - rbac-proxy: - image: - repository: gcr.io/kubebuilder/kube-rbac-proxy - tag: v0.16.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - resources: - requests: - cpu: 5m - memory: 64Mi - limits: - cpu: 500m - memory: 128Mi - app: - image: - repository: docker.dragonflydb.io/dragonflydb/operator - tag: v1.1.7 - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" - command: - - "/manager" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - probes: - liveness: - enabled: true - custom: true - spec: - httpGet: - path: /healthz - port: &port 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: - enabled: true - custom: true - spec: - httpGet: - path: /readyz - port: *port - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - startup: - enabled: false - resources: - requests: - cpu: 10m - memory: 64Mi - limits: - cpu: 500m - memory: 128Mi - annotations: - 
reloader.stakater.com/auto: "true" - pod: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - amd64 - - arm64 - - ppc64le - - s390x - - key: kubernetes.io/os - operator: In - values: - - linux - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/name: *app - service: - app: - controller: dragonfly-operator - ports: - http: - port: *port diff --git a/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app/kustomization.yaml b/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app/kustomization.yaml deleted file mode 100644 index b925202a..00000000 --- a/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: dragonfly-operator-system -resources: - - ./dragonfly-operator-crd.yaml - - ./rbac.yaml - - ./helmrelease.yaml diff --git a/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app/rbac.yaml b/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app/rbac.yaml deleted file mode 100644 index 397e1e31..00000000 --- a/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app/rbac.yaml +++ /dev/null 
@@ -1,230 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: dragonfly-operator - app.kubernetes.io/instance: controller-manager-sa - app.kubernetes.io/name: serviceaccount - app.kubernetes.io/part-of: dragonfly-operator - name: dragonfly-operator-controller-manager - namespace: dragonfly-operator-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: dragonfly-operator - app.kubernetes.io/instance: leader-election-role - app.kubernetes.io/name: role - app.kubernetes.io/part-of: dragonfly-operator - name: dragonfly-operator-leader-election-role - namespace: dragonfly-operator-system -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: dragonfly-operator-manager-role -rules: - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - services - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - dragonflydb.io - resources: - - dragonflies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - dragonflydb.io - resources: - - dragonflies/finalizers - verbs: - - update - - apiGroups: - - 
dragonflydb.io - resources: - - dragonflies/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: dragonfly-operator - app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/name: clusterrole - app.kubernetes.io/part-of: dragonfly-operator - name: dragonfly-operator-metrics-reader -rules: - - nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: dragonfly-operator - app.kubernetes.io/instance: proxy-role - app.kubernetes.io/name: clusterrole - app.kubernetes.io/part-of: dragonfly-operator - name: dragonfly-operator-proxy-role -rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: dragonfly-operator - app.kubernetes.io/instance: leader-election-rolebinding - app.kubernetes.io/name: rolebinding - app.kubernetes.io/part-of: dragonfly-operator - name: dragonfly-operator-leader-election-rolebinding - namespace: dragonfly-operator-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: dragonfly-operator-leader-election-role -subjects: - - kind: ServiceAccount - name: dragonfly-operator-controller-manager - namespace: dragonfly-operator-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: dragonfly-operator - app.kubernetes.io/instance: manager-rolebinding - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/part-of: 
dragonfly-operator - name: dragonfly-operator-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: dragonfly-operator-manager-role -subjects: - - kind: ServiceAccount - name: dragonfly-operator-controller-manager - namespace: dragonfly-operator-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: dragonfly-operator - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/part-of: dragonfly-operator - name: dragonfly-operator-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: dragonfly-operator-proxy-role -subjects: - - kind: ServiceAccount - name: dragonfly-operator-controller-manager - namespace: dragonfly-operator-system diff --git a/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/ks.yaml b/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/ks.yaml deleted file mode 100644 index dda3b80e..00000000 --- a/kubernetes/apps/dragonfly-operator-system/dragonfly-operator/ks.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app dragonfly-operator - namespace: flux-system -spec: - targetNamespace: dragonfly-operator-system - commonMetadata: - labels: - app.kubernetes.io/name: *app - interval: 10m - path: "./kubernetes/apps/dragonfly-operator-system/dragonfly-operator/app" - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: true diff --git a/kubernetes/apps/dragonfly-operator-system/kustomization.yaml b/kubernetes/apps/dragonfly-operator-system/kustomization.yaml deleted file mode 100644 index ed1a27ca..00000000 
--- a/kubernetes/apps/dragonfly-operator-system/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- # Pre Flux-Kustomizations
- - ./namespace.yaml
- # Flux-Kustomizations
- - ./dragonfly-operator/ks.yaml
diff --git a/kubernetes/apps/dragonfly-operator-system/namespace.yaml b/kubernetes/apps/dragonfly-operator-system/namespace.yaml
deleted file mode 100644
index ec6c2812..00000000
--- a/kubernetes/apps/dragonfly-operator-system/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- app.kubernetes.io/instance: system
- app.kubernetes.io/name: namespace
- app.kubernetes.io/part-of: dragonfly-operator
- control-plane: controller-manager
- name: dragonfly-operator-system
diff --git a/kubernetes/apps/flux-system/add-ons/ks.yaml b/kubernetes/apps/flux-system/add-ons/ks.yaml
index ef8ec66e..48860edd 100644
--- a/kubernetes/apps/flux-system/add-ons/ks.yaml
+++ b/kubernetes/apps/flux-system/add-ons/ks.yaml
@@ -13,7 +13,7 @@ spec:
 prune: true
 sourceRef:
 kind: GitRepository
- name: homelab
+ name: theshire
 wait: true
 ---
 # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
@@ -30,5 +30,5 @@ spec:
 prune: true
 sourceRef:
 kind: GitRepository
- name: homelab
+ name: theshire
 wait: true
diff --git a/kubernetes/apps/kube-system/cilium/app/resources/values.yml b/kubernetes/apps/kube-system/cilium/app/helm-values.yml
similarity index 73%
rename from kubernetes/apps/kube-system/cilium/app/resources/values.yml
rename to kubernetes/apps/kube-system/cilium/app/helm-values.yml
index 774d110e..906f64a6 100644
--- a/kubernetes/apps/kube-system/cilium/app/resources/values.yml
+++ b/kubernetes/apps/kube-system/cilium/app/helm-values.yml
@@ -1,31 +1,32 @@ --- autoDirectNodeRoutes: true bandwidthManager: - bbr: true enabled: true + bbr: true bpf: masquerade: true tproxy: true cgroup: - autoMount: + automount: enabled: false hostRoot: /sys/fs/cgroup cluster: id: 1 - name: homelab + name: theshire cni: exclusive: false -devices: bond+ -# socketLB: - # enabled: false # supposed to be default off, but it's enabled anyway, and looks fun lol # TODO: 2024-06-02: temporarily turned off to attempt fixing endpoint creation timeout - # hostNamespaceOnly: true # KubeVirt compatibility +containerRuntime: + integration: containerd +# devices: eno+|enp+ enableRuntimeDeviceDetection: true endpointRoutes: enabled: true +hubble: + enable: false envoy: - enabled: false + enable: false ipam: - mode: "kubernetes" + mode: kubernetes ipv4NativeRoutingCIDR: 10.244.0.0/16 k8sServiceHost: 127.0.0.1 k8sServicePort: 7445 @@ -38,7 +39,7 @@ loadBalancer: mode: dsr localRedirectPolicy: true operator: - replicas: 1 + rollOutPods: true rollOutCiliumPods: true routingMode: native securityContext: diff --git a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml index 1d9e11c6..579cb37b 100644 --- a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml @@ -7,7 +7,7 @@ resources: configMapGenerator: - name: cilium-helm-values files: - - values.yaml=./resources/values.yml + - values.yaml=./helm-values.yml configurations: - kustomizeconfig.yaml generatorOptions: diff --git a/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml index 1fcad09f..58f92ba1 100644 --- a/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml +++ b/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml @@ -4,4 +4,4 @@ nameReference: version: v1 fieldSpecs: - path: spec/valuesFrom/name - kind: HelmRelease \ No newline at end of file + kind: HelmRelease 
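Review bot: The renamed keys `cgroup.automount`, `hubble.enable` and `envoy.enable` in the first hunk do not match the Cilium chart's value names (`cgroup.autoMount.enabled`, `hubble.enabled`, `envoy.enabled`), so Helm will ignore them and the chart defaults apply — cgroup auto-mount on and Hubble on instead of the intended `false` — and a HelmRelease does not reject unknown keys, so this fails silently. Change `automount:` back to `autoMount:` and `enable:` to `enabled:` under both `hubble:` and `envoy:`. The added `containerRuntime: integration: containerd` is a key that, as far as I recall, newer chart versions no longer read, so it is worth checking against the chart version pinned in the HelmRelease before relying on it. The second hunk (`replicas: 1` → `rollOutPods: true`) reads fine.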
diff --git a/kubernetes/apps/kube-system/cilium/config/l2.yaml b/kubernetes/apps/kube-system/cilium/config/l2.yaml index 05c09ec4..a756c7f8 100644 --- a/kubernetes/apps/kube-system/cilium/config/l2.yaml +++ b/kubernetes/apps/kube-system/cilium/config/l2.yaml @@ -6,7 +6,8 @@ metadata: name: l2-policy spec: loadBalancerIPs: true - interfaces: ["^bond+"] + # interfaces: ["^enp.*|^eth.*|^ens.*|^eno.*"] + interfaces: ["^eno+|^enp+"] nodeSelector: matchLabels: kubernetes.io/os: linux diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml index b4985e68..0ad4ac7e 100644 --- a/kubernetes/apps/kube-system/cilium/ks.yaml +++ b/kubernetes/apps/kube-system/cilium/ks.yaml @@ -14,7 +14,7 @@ spec: prune: false sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true interval: 30m retryInterval: 1m @@ -37,7 +37,7 @@ spec: prune: false # never should be deleted sourceRef: kind: GitRepository - name: homelab + name: theshire wait: false interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/kube-system/coredns/ks.yaml b/kubernetes/apps/kube-system/coredns/ks.yaml index 1878af1d..613a5336 100644 --- a/kubernetes/apps/kube-system/coredns/ks.yaml +++ b/kubernetes/apps/kube-system/coredns/ks.yaml @@ -10,11 +10,11 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/apps/kube-system/coredns/app + path: ./kubernetes/kube-system/coredns/app prune: false # never should be deleted sourceRef: kind: GitRepository - name: homelab + name: theshire wait: false interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/kube-system/descheduler/app/helmrelease.yaml b/kubernetes/apps/kube-system/descheduler/app/helmrelease.yaml deleted file mode 100644 index 5d2e66cd..00000000 --- a/kubernetes/apps/kube-system/descheduler/app/helmrelease.yaml +++ /dev/null 
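Review bot: In `interfaces: ["^eno+|^enp+"]` the `+` applies only to the final letter, so the pattern means `en` followed by one or more `o` (or `p`); it presumably still selects `eno1`/`enp3s0` only because the match is unanchored at the end. `interfaces: ["^(eno|enp)"]` or `["^eno.*|^enp.*"]` states the prefix intent directly and is consistent with the commented-out form on the line above, which should then either be dropped or turned into a short comment on why the narrower pattern was chosen.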
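Review bot: The new `path: ./kubernetes/kube-system/coredns/app` drops the `apps/` segment that every other Flux Kustomization path in this commit keeps, and the diff contains no move of the coredns directory, so unless it was relocated separately this reconcile will fail with a path-not-found error. Since `./coredns/ks.yaml` is also removed from `kube-system/kustomization.yaml` in this commit, the file is now orphaned; either delete it along with the other removed apps or restore `path: ./kubernetes/apps/kube-system/coredns/app`. `prune: false` means the existing CoreDNS objects stay in the cluster either way, which the existing comment suggests is intentional.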
@@ -1,77 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: descheduler -spec: - interval: 30m - chart: - spec: - chart: descheduler - version: 0.30.1 - sourceRef: - kind: HelmRepository - name: descheduler - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - replicas: 1 - kind: Deployment - deschedulerPolicyAPIVersion: descheduler/v1alpha2 - deschedulerPolicy: - profiles: - - name: Default - pluginConfig: - - name: DefaultEvictor - args: - evictFailedBarePods: true - evictLocalStoragePods: true - evictSystemCriticalPods: true - nodeFit: true - - name: RemovePodsViolatingInterPodAntiAffinity - - name: RemovePodsViolatingNodeAffinity - args: - nodeAffinityType: - - requiredDuringSchedulingIgnoredDuringExecution - - name: RemovePodsViolatingNodeTaints - - name: RemovePodsViolatingTopologySpreadConstraint - args: - constraints: - - DoNotSchedule - - ScheduleAnyway - - name: LowNodeUtilization - args: - targetThresholds: - cpu: 50 - memory: 50 - pods: 50 - thresholds: - cpu: 20 - memory: 20 - pods: 20 - useDeviationThresholds: true - plugins: - balance: - enabled: - - RemovePodsViolatingTopologySpreadConstraint - - LowNodeUtilization - deschedule: - enabled: - - RemovePodsViolatingInterPodAntiAffinity - - RemovePodsViolatingNodeAffinity - - RemovePodsViolatingNodeTaints - service: - enabled: true - serviceMonitor: - enabled: true - leaderElection: - enabled: true diff --git a/kubernetes/apps/kube-system/descheduler/app/kustomization.yaml b/kubernetes/apps/kube-system/descheduler/app/kustomization.yaml deleted file mode 100644 index 2d7deaca..00000000 --- a/kubernetes/apps/kube-system/descheduler/app/kustomization.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml \ No newline at end of file diff --git a/kubernetes/apps/kube-system/descheduler/ks.yaml b/kubernetes/apps/kube-system/descheduler/ks.yaml deleted file mode 100644 index 4d91e2af..00000000 --- a/kubernetes/apps/kube-system/descheduler/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app descheduler - namespace: flux-system -spec: - targetNamespace: kube-system - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/kube-system/descheduler/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m \ No newline at end of file diff --git a/kubernetes/apps/kube-system/fstrim.yaml b/kubernetes/apps/kube-system/fstrim.yaml index 1f279c1e..ccc2d42e 100644 --- a/kubernetes/apps/kube-system/fstrim.yaml +++ b/kubernetes/apps/kube-system/fstrim.yaml @@ -32,4 +32,4 @@ spec: path: /proc - name: netfs hostPath: - path: /sys \ No newline at end of file + path: /sys diff --git a/kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml b/kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml index e47b5fe7..ba2af77c 100644 --- a/kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: app-template - version: 3.4.0 + version: 3.3.2 sourceRef: kind: HelmRepository name: bjw-s diff --git a/kubernetes/apps/kube-system/fstrim/app/kustomization.yaml b/kubernetes/apps/kube-system/fstrim/app/kustomization.yaml index 2d7deaca..17cbc72b 100644 --- a/kubernetes/apps/kube-system/fstrim/app/kustomization.yaml 
+++ b/kubernetes/apps/kube-system/fstrim/app/kustomization.yaml @@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./helmrelease.yaml \ No newline at end of file + - ./helmrelease.yaml diff --git a/kubernetes/apps/kube-system/fstrim/ks.yaml b/kubernetes/apps/kube-system/fstrim/ks.yaml index c1a99929..6d007822 100644 --- a/kubernetes/apps/kube-system/fstrim/ks.yaml +++ b/kubernetes/apps/kube-system/fstrim/ks.yaml @@ -14,8 +14,8 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: false interval: 30m retryInterval: 1m - timeout: 5m \ No newline at end of file + timeout: 5m diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml deleted file mode 100644 index 92451d35..00000000 --- a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml +++ /dev/null @@ -1,3 +0,0 @@ ---- -providerRegex: ^shadowfax$ -bypassDnsResolution: true diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yml new file mode 100644 index 00000000..b88c2a1f --- /dev/null +++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yml @@ -0,0 +1,2 @@ +--- +providerRegex: ^bilbo|^frodo|^sam$ diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml index 9f1c424a..5052c750 100644 --- a/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml @@ -7,6 +7,6 @@ resources: configMapGenerator: - name: kubelet-csr-approver-helm-values files: - - values.yaml=./helm-values.yaml + - values.yaml=./helm-values.yml configurations: - kustomizeconfig.yaml 
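Review bot: `providerRegex: ^bilbo|^frodo|^sam$` binds the `$` to the last alternative only, so the approver accepts any node name that merely starts with `bilbo` or `frodo`; because this regex is what gates approval of kubelet serving-certificate CSRs, a CSR for a name like `frodo-other` would be approved. Anchor the whole group: `providerRegex: ^(bilbo|frodo|sam)$`. The deleted values file also carried `bypassDnsResolution: true`; with it gone the approver will, by default, resolve each node name and check the CSR's SANs against it, which is stricter but only works if those names resolve — worth confirming this was deliberate rather than lost in the rename. This matters more here because the metrics-server hunk in this commit removes `--kubelet-insecure-tls`, so approved serving certificates become the only path to working kubelet TLS.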
diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml index 8e7c1dae..d8579357 100644 --- a/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml +++ b/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml @@ -14,7 +14,7 @@ spec: prune: false # never should be deleted sourceRef: kind: GitRepository - name: homelab + name: theshire wait: false interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml index d5bf8c94..dc37a56c 100644 --- a/kubernetes/apps/kube-system/kustomization.yaml +++ b/kubernetes/apps/kube-system/kustomization.yaml @@ -7,12 +7,10 @@ resources: - ./namespace.yaml # Flux-Kustomizations - ./cilium/ks.yaml - - ./coredns/ks.yaml - - ./descheduler/ks.yaml - ./dnsimple-webhook-rbac.yaml - ./fstrim/ks.yaml - ./kubelet-csr-approver/ks.yaml - ./metrics-server/ks.yaml - ./node-feature-discovery/ks.yaml - - ./nvidia-device-plugin/ks.yaml - ./reloader/ks.yaml + - ./spegel/ks.yaml diff --git a/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml index b3d7dcb2..2ad2803f 100644 --- a/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml @@ -20,7 +20,6 @@ spec: metrics: enabled: true args: - - --kubelet-insecure-tls - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - --kubelet-use-node-status-port - --metric-resolution=15s diff --git a/kubernetes/apps/kube-system/metrics-server/ks.yaml b/kubernetes/apps/kube-system/metrics-server/ks.yaml index 6c0925a3..7adca6ae 100644 --- a/kubernetes/apps/kube-system/metrics-server/ks.yaml +++ b/kubernetes/apps/kube-system/metrics-server/ks.yaml @@ -13,5 +13,5 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true 
diff --git a/kubernetes/apps/kube-system/multus/app/crd.yaml b/kubernetes/apps/kube-system/multus/app/crd.yaml deleted file mode 100644 index 24b2c58f..00000000 --- a/kubernetes/apps/kube-system/multus/app/crd.yaml +++ /dev/null @@ -1,45 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: network-attachment-definitions.k8s.cni.cncf.io -spec: - group: k8s.cni.cncf.io - scope: Namespaced - names: - plural: network-attachment-definitions - singular: network-attachment-definition - kind: NetworkAttachmentDefinition - shortNames: - - net-attach-def - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - description: 'NetworkAttachmentDefinition is a CRD schema specified by the Network Plumbing - Working Group to express the intent for attaching pods to one or more logical or physical - networks. More information available at: https://github.com/k8snetworkplumbingwg/multi-net-spec' - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this represen - tation of an object. Servers should convert recognized schemas to the - latest internal value, and may reject unrecognized values. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'NetworkAttachmentDefinition spec defines the desired state of a network attachment' - type: object - properties: - config: - description: 'NetworkAttachmentDefinition config is a JSON-formatted CNI configuration' - type: string 
diff --git a/kubernetes/apps/kube-system/multus/app/helmrelease.yaml b/kubernetes/apps/kube-system/multus/app/helmrelease.yaml deleted file mode 100644 index 5b9e9948..00000000 --- a/kubernetes/apps/kube-system/multus/app/helmrelease.yaml +++ /dev/null 
@@ -1,214 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: multus -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - interval: 30m - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - - values: - configMaps: - daemon-config: - data: - daemon-config.json: | - { - "cniVersion": "0.3.1", - "logToStderr": true, - "logLevel": "error", - "binDir": "/opt/cni/bin", - "chrootDir": "/hostroot", - "cniConfigDir": "/host/etc/cni/net.d", - "confDir": "/host/etc/cni/net.d", - "multusAutoconfigDir": "/host/etc/cni/net.d", - "multusConfigFile": "auto", - "socketDir": "/host/run/multus/" - } - - controllers: - uninstall: - type: job - - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. 
- helm.sh/hook: pre-delete, pre-upgrade - helm.sh/hook-weight: "-5" - helm.sh/hook-delete-policy: hook-succeeded - - pod: - hostNetwork: true - - containers: - uninstall: - image: - repository: alpine - tag: 3.20.2 - - command: - - /bin/sh - - -c - - args: - - | - rm -rf /host/etc/cni/net.d/*multus* - rm -rf /host/opt/cni/bin/*multus* - - multus: - type: daemonset - - annotations: - reloader.stakater.com/auto: "true" - - pod: - hostNetwork: true - hostPID: true - - containers: - multus-daemon: - image: &image - repository: ghcr.io/k8snetworkplumbingwg/multus-cni - tag: v4.1.0-thick - env: - MULTUS_NODE_NAME: - valueFrom: - fieldRef: - fieldPath: spec.nodeName - resources: - requests: - cpu: "5m" - memory: "96Mi" - limits: - memory: "500Mi" - securityContext: - privileged: true - - initContainers: - cni-plugins-installer: - image: - repository: ghcr.io/angelnu/cni-plugins - tag: 1.5.1 - resources: - requests: - cpu: "10m" - memory: "15Mi" - securityContext: - capabilities: - drop: - - ALL - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: FallbackToLogsOnError - - multus-shim-installer: - image: *image - command: - - /bin/sh - - -c - args: | - set -x - cp -f /usr/src/multus-cni/bin/multus-shim /host/opt/cni/bin/multus-shim - resources: - requests: - cpu: "10m" - memory: "15Mi" - securityContext: - capabilities: - drop: - - ALL - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: FallbackToLogsOnError - - persistence: - cni: - type: hostPath - hostPath: /etc/cni/net.d - advancedMounts: - uninstall: - uninstall: - - path: /host/etc/cni/net.d - multus: - multus-daemon: - - path: /host/etc/cni/net.d - - cnibin: - type: hostPath - hostPath: /opt/cni/bin - advancedMounts: - uninstall: - uninstall: - - path: /host/opt/cni/bin - multus: - cni-plugins-installer: - - path: /host/opt/cni/bin - multus-shim-installer: - - path: /host/opt/cni/bin - multus-daemon: - # multus-daemon expects that cnibin path must be identical between pod 
and container host. - # e.g. if the cni bin is in '/opt/cni/bin' on the container host side, then it should be - # mount to '/opt/cni/bin' in multus-daemon, not to any other directory, like '/opt/bin' or - # '/usr/bin'. - - path: /opt/cni/bin - - config: - type: configMap - name: multus-daemon-config - advancedMounts: - multus: - multus-daemon: - - path: /etc/cni/net.d/multus.d - hostroot: - type: hostPath - hostPath: / - advancedMounts: - multus: - multus-daemon: - - path: /hostroot - mountPropagation: HostToContainer - host-run: - type: hostPath - hostPath: /run - advancedMounts: - multus: - multus-daemon: - - path: /host/run - host-var-lib-cni-multus: - type: hostPath - hostPath: /var/lib/cni/multus - advancedMounts: - multus: - multus-daemon: - - path: /var/lib/cni/multus - host-var-lib-kubelet: - type: hostPath - hostPath: /var/lib/kubelet - advancedMounts: - multus: - multus-daemon: - - path: /var/lib/kubelet - host-run-k8s-cni-cncf-io: - type: hostPath - hostPath: /run/k8s.cni.cncf.io - advancedMounts: - multus: - multus-daemon: - - path: /run/k8s.cni.cncf.io - host-run-netns: - type: hostPath - hostPath: /var/run/netns/ - advancedMounts: - multus: - multus-daemon: - - path: /run/netns/ - mountPropagation: HostToContainer - - serviceAccount: - create: true diff --git a/kubernetes/apps/kube-system/multus/app/kustomization.yaml b/kubernetes/apps/kube-system/multus/app/kustomization.yaml deleted file mode 100644 index f6a66c9f..00000000 --- a/kubernetes/apps/kube-system/multus/app/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./rbac.yaml - - ./crd.yaml diff --git a/kubernetes/apps/kube-system/multus/app/rbac.yaml b/kubernetes/apps/kube-system/multus/app/rbac.yaml deleted file mode 100644 index 4a54cf48..00000000 
--- a/kubernetes/apps/kube-system/multus/app/rbac.yaml +++ /dev/null @@ -1,43 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: multus -rules: - - apiGroups: ["k8s.cni.cncf.io"] - resources: - - '*' - verbs: - - '*' - - apiGroups: - - "" - resources: - - pods - - pods/status - verbs: - - get - - list - - update - - watch - - apiGroups: - - "" - - events.k8s.io - resources: - - events - verbs: - - create - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: multus -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: multus -subjects: - - kind: ServiceAccount - name: multus - namespace: kube-system diff --git a/kubernetes/apps/kube-system/multus/config/kustomization.yaml b/kubernetes/apps/kube-system/multus/config/kustomization.yaml deleted file mode 100644 index 2c6f4b18..00000000 --- a/kubernetes/apps/kube-system/multus/config/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./net-attach-iot.yaml \ No newline at end of file diff --git a/kubernetes/apps/kube-system/multus/config/net-attach-iot.yaml b/kubernetes/apps/kube-system/multus/config/net-attach-iot.yaml deleted file mode 100644 index 7a9e2001..00000000 --- a/kubernetes/apps/kube-system/multus/config/net-attach-iot.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/k8s.cni.cncf.io%2Fnetworkattachmentdefinition_v1.json -apiVersion: "k8s.cni.cncf.io/v1" -kind: NetworkAttachmentDefinition -metadata: - name: multus-iot -spec: - config: |- - { - "cniVersion": "0.3.1", - "name": "multus-iot", - "plugins": [ - { - "type": "macvlan", - "master": "bond0.30", - "mode": "bridge", - "capabilities": { - "ips": true - }, - "ipam": { - "type": "static", - "routes": [ - { "dst": "10.1.2.0/24", "gw": "10.1.3.1" } - ] - } - }, - { - "capabilities": { "mac": true }, - "type": "tuning" - } - ] - } diff --git a/kubernetes/apps/kube-system/multus/ks.yaml b/kubernetes/apps/kube-system/multus/ks.yaml deleted file mode 100644 index 520ee794..00000000 --- a/kubernetes/apps/kube-system/multus/ks.yaml +++ /dev/null @@ -1,40 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &appname multus - namespace: flux-system -spec: - targetNamespace: kube-system - commonMetadata: - labels: - app.kubernetes.io/name: *appname - interval: 10m - path: "./kubernetes/apps/kube-system/multus/app" - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: true ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &appname multus-config - namespace: flux-system -spec: - targetNamespace: kube-system - commonMetadata: - labels: - app.kubernetes.io/name: *appname - interval: 10m - path: "./kubernetes/apps/kube-system/multus/config" - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: true - dependsOn: - - name: multus \ No newline at end of file 
diff --git a/kubernetes/apps/kube-system/node-feature-discovery/ks.yaml b/kubernetes/apps/kube-system/node-feature-discovery/ks.yaml index 80a1ac9f..2783add6 100644 --- a/kubernetes/apps/kube-system/node-feature-discovery/ks.yaml +++ b/kubernetes/apps/kube-system/node-feature-discovery/ks.yaml @@ -15,24 +15,5 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: node-feature-discovery-rules - namespace: flux-system - labels: - substitution.flux.home.arpa/enabled: "true" -spec: - interval: 10m - path: "./kubernetes/apps/kube-system/node-feature-discovery/rules" - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: true - dependsOn: - - name: node-feature-discovery diff --git a/kubernetes/apps/kube-system/node-feature-discovery/rules/nvidia.yaml b/kubernetes/apps/kube-system/node-feature-discovery/rules/nvidia.yaml deleted file mode 100644 index 354e5f5d..00000000 --- a/kubernetes/apps/kube-system/node-feature-discovery/rules/nvidia.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# yaml-language-server: $schema=https://ks.hsn.dev/nfd.k8s-sigs.io/nodefeaturerule_v1alpha1.json ---- -apiVersion: nfd.k8s-sigs.io/v1alpha1 -kind: NodeFeatureRule -metadata: - name: nvidia-device -spec: - rules: - - # NVIDIA GPU - name: nvidia.com/gpu - labels: - nvidia.com/gpu.present: "true" - matchFeatures: - - feature: pci.device - matchExpressions: - vendor: { op: In, value: ["10de"] } diff --git a/kubernetes/apps/kube-system/nvidia-device-plugin/app/helmrelease.yaml b/kubernetes/apps/kube-system/nvidia-device-plugin/app/helmrelease.yaml deleted file mode 100644 index 6f01dccc..00000000 --- a/kubernetes/apps/kube-system/nvidia-device-plugin/app/helmrelease.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: nvidia-device-plugin -spec: - interval: 30m - chart: - spec: - chart: nvidia-device-plugin - version: 0.16.2 - sourceRef: - kind: HelmRepository - name: nvdp - namespace: flux-system - metadata: - annotations: - reloader.stakater.com/auto: "true" - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - podAnnotations: - configmap.reloader.stakater.com/reload: nvidia-helm-values - config: - name: nvidia-helm-values - runtimeClassName: "nvidia" - gfd: - enabled: true - nfd: - enabled: false - resources: - requests: - cpu: 100m - limits: - memory: 512Mi diff --git a/kubernetes/apps/kube-system/nvidia-device-plugin/app/kustomization.yaml b/kubernetes/apps/kube-system/nvidia-device-plugin/app/kustomization.yaml deleted file mode 100644 index c325a94c..00000000 --- a/kubernetes/apps/kube-system/nvidia-device-plugin/app/kustomization.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./runtimeclass.yaml -configMapGenerator: - - name: nvidia-helm-values - files: - - values.yaml=./resources/values.yml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/kube-system/nvidia-device-plugin/app/resources/values.yml b/kubernetes/apps/kube-system/nvidia-device-plugin/app/resources/values.yml deleted file mode 100644 index cdf9eca8..00000000 --- a/kubernetes/apps/kube-system/nvidia-device-plugin/app/resources/values.yml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -version: v1 -flags: - migStrategy: "single" - plugin: - deviceListStrategy: "envvar" - deviceIDStrategy: "uuid" -sharing: - timeSlicing: - resources: - - name: nvidia.com/gpu - replicas: 3 diff --git a/kubernetes/apps/kube-system/nvidia-device-plugin/app/runtimeclass.yaml b/kubernetes/apps/kube-system/nvidia-device-plugin/app/runtimeclass.yaml deleted file mode 100644 index 7ba6add1..00000000 --- a/kubernetes/apps/kube-system/nvidia-device-plugin/app/runtimeclass.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: node.k8s.io/v1 -kind: RuntimeClass -metadata: - name: nvidia -handler: nvidia diff --git a/kubernetes/apps/kube-system/nvidia-device-plugin/ks.yaml b/kubernetes/apps/kube-system/nvidia-device-plugin/ks.yaml deleted file mode 100644 index d3de8b24..00000000 --- a/kubernetes/apps/kube-system/nvidia-device-plugin/ks.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: nvidia-device-plugin - namespace: flux-system - labels: - substitution.flux.home.arpa/enabled: "true" -spec: - targetNamespace: kube-system - interval: 10m - path: "./kubernetes/apps/kube-system/nvidia-device-plugin/app" - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: true diff --git a/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml b/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml index 6dbbf0eb..abb6778a 100644 --- a/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: reloader - version: 1.0.121 + version: 1.0.116 sourceRef: kind: HelmRepository name: stakater @@ -19,6 +19,7 @@ spec: values: reloader: reloadStrategy: annotations + deployment: resources: requests: 
@@ -26,4 +27,4 @@ spec: memory: 63Mi limits: cpu: 45m - memory: 200Mi + memory: 100Mi diff --git a/kubernetes/apps/kube-system/reloader/ks.yaml b/kubernetes/apps/kube-system/reloader/ks.yaml index 20fcb2c7..b0b41d76 100644 --- a/kubernetes/apps/kube-system/reloader/ks.yaml +++ b/kubernetes/apps/kube-system/reloader/ks.yaml @@ -13,5 +13,5 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true diff --git a/kubernetes/apps/kube-system/rocky-nenya.yaml b/kubernetes/apps/kube-system/rocky-nenya.yaml index 9e53cd7c..1ec0df24 100644 --- a/kubernetes/apps/kube-system/rocky-nenya.yaml +++ b/kubernetes/apps/kube-system/rocky-nenya.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Pod metadata: name: rocky-nenya - namespace: kube-system + namespace: kube-system spec: # nodeName: nenya containers: diff --git a/kubernetes/apps/kube-system/spegel/app/helm-values.yml b/kubernetes/apps/kube-system/spegel/app/helm-values.yml new file mode 100644 index 00000000..7b137f39 --- /dev/null +++ b/kubernetes/apps/kube-system/spegel/app/helm-values.yml @@ -0,0 +1,8 @@ +--- +spegel: + appendMirrors: true + containerdSock: /run/containerd/containerd.sock + containerdRegistryConfigPath: /etc/cri/conf.d/hosts +service: + registry: + hostPort: 29999 diff --git a/.archive/kubernetes/kube-system/spegel/app/helmrelease.yaml b/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml similarity index 100% rename from .archive/kubernetes/kube-system/spegel/app/helmrelease.yaml rename to kubernetes/apps/kube-system/spegel/app/helmrelease.yaml diff --git a/.archive/kubernetes/kube-system/spegel/app/kustomization.yaml b/kubernetes/apps/kube-system/spegel/app/kustomization.yaml similarity index 86% rename from .archive/kubernetes/kube-system/spegel/app/kustomization.yaml rename to kubernetes/apps/kube-system/spegel/app/kustomization.yaml index 84c4d605..3d2a9fbe 100644 --- a/.archive/kubernetes/kube-system/spegel/app/kustomization.yaml 
+++ b/kubernetes/apps/kube-system/spegel/app/kustomization.yaml @@ -7,6 +7,6 @@ resources: configMapGenerator: - name: spegel-helm-values files: - - values.yaml=./resources/values.yml + - values.yaml=./helm-values.yml configurations: - kustomizeconfig.yaml diff --git a/.archive/kubernetes/kube-system/spegel/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml similarity index 100% rename from .archive/kubernetes/kube-system/spegel/app/kustomizeconfig.yaml rename to kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml diff --git a/.archive/kubernetes/kube-system/spegel/ks.yaml b/kubernetes/apps/kube-system/spegel/ks.yaml similarity index 96% rename from .archive/kubernetes/kube-system/spegel/ks.yaml rename to kubernetes/apps/kube-system/spegel/ks.yaml index bbfbdb31..7902bf8f 100644 --- a/.archive/kubernetes/kube-system/spegel/ks.yaml +++ b/kubernetes/apps/kube-system/spegel/ks.yaml @@ -14,7 +14,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: false interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/kubevirt/app/ks.yaml b/kubernetes/apps/kubevirt/app/ks.yaml deleted file mode 100644 index 4d837e16..00000000 --- a/kubernetes/apps/kubevirt/app/ks.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app kubevirt - namespace: flux-system -spec: - targetNamespace: kubevirt - dependsOn: - - name: openebs - path: ./deploy - prune: true - sourceRef: - kind: GitRepository - name: kubevirt - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m - patches: - # namespace is managed separately by main ks, no need for this ks to also manage it, KubeVirt bundles namespace into kubevirt-operator.yaml - - patch: | - $patch: delete - apiVersion: v1 - kind: Namespace - metadata: - name: kubevirt - target: - kind: Namespace - name: kubevirt - - patch: | - apiVersion: kubevirt.io/v1 - kind: KubeVirt - metadata: - name: not-used - spec: - configuration: - developerConfiguration: - featureGates: - - CPUNodeDiscovery - - ExpandDisks - vmStateStorageClass: openebs-hostpath - target: - group: kubevirt.io - kind: KubeVirt diff --git a/kubernetes/apps/kubevirt/kustomization.yaml b/kubernetes/apps/kubevirt/kustomization.yaml deleted file mode 100644 index 861aec98..00000000 --- a/kubernetes/apps/kubevirt/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Pre Flux-Kustomizations - - ./namespace.yaml - # Flux-Kustomizations - - ./manager/ks.yaml - - ./app/ks.yaml diff --git a/kubernetes/apps/kubevirt/manager/app/helmrelease.yaml b/kubernetes/apps/kubevirt/manager/app/helmrelease.yaml deleted file mode 100644 index f9393ea9..00000000 --- a/kubernetes/apps/kubevirt/manager/app/helmrelease.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app kubevirt-manager -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - maxHistory: 2 - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - kubevirt-manager: - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: docker.io/kubevirtmanager/kubevirt-manager - tag: 1.4.1 - env: - TZ: America/Chicago - resources: - requests: - cpu: 5m - memory: 50Mi - limits: - memory: 150Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - pod: - securityContext: - runAsUser: 10000 - runAsGroup: 30000 - serviceAccount: - create: true - name: kubevirt-manager - service: - app: - controller: kubevirt-manager - ports: - http: - port: 8001 - ingress: - app: - className: internal-nginx - hosts: - - host: &host "kubevirt.jahanson.tech" - paths: - - path: / - pathType: Prefix - service: - identifier: app - port: http - tls: - - hosts: - - *host - persistence: - cache: - type: emptyDir - globalMounts: - - path: /var/cache/nginx - run: - type: emptyDir - globalMounts: - - path: /var/run diff --git a/kubernetes/apps/kubevirt/manager/app/kustomization.yaml b/kubernetes/apps/kubevirt/manager/app/kustomization.yaml deleted file mode 100644 index cc3d9442..00000000 --- a/kubernetes/apps/kubevirt/manager/app/kustomization.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./rbac.yaml - - ../../../../templates/gatus/internal diff --git a/kubernetes/apps/kubevirt/manager/app/rbac.yaml b/kubernetes/apps/kubevirt/manager/app/rbac.yaml deleted file mode 100644 index 8b8f22c9..00000000 --- a/kubernetes/apps/kubevirt/manager/app/rbac.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kubevirt-manager -rules: - - apiGroups: [""] - resources: ["nodes", "namespaces"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["customresourcedefinitions"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumeclaims", "persistentvolumes", "services", "secrets", "serviceaccounts", "configmaps", "deployments"] - verbs: ["*"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["rolebindings"] - verbs: ["*"] - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["*"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list"] - - apiGroups: ["k8s.cni.cncf.io"] - resources: ["network-attachment-definitions"] - verbs: ["get", "list"] - - apiGroups: ["kubevirt.io"] - resources: ["virtualmachines", "virtualmachineinstances"] - verbs: ["*"] - - apiGroups: ["subresources.kubevirt.io"] - resources: ["*"] - verbs: ["get", "list", "update", "patch"] - - apiGroups: ["instancetype.kubevirt.io"] - resources: ["*"] - verbs: ["*"] - - apiGroups: ["cdi.kubevirt.io"] - resources: ["*"] - verbs: ["*"] - - apiGroups: ["pool.kubevirt.io"] - resources: ["*"] - verbs: ["*"] - - apiGroups: ["scheduling.k8s.io"] - resources: ["priorityclasses"] - verbs: ["get", "list"] - - apiGroups: ["autoscaling"] - resources: ["horizontalpodautoscalers"] - verbs: ["*"] - - apiGroups: ["cluster.x-k8s.io"] - resources: ["clusters", "machinedeployments"] - verbs: ["*"] - - apiGroups: ["controlplane.cluster.x-k8s.io"] - resources: ["kubeadmcontrolplanes"] - verbs: ["*"] - - apiGroups: ["infrastructure.cluster.x-k8s.io"] - resources: ["kubevirtmachinetemplates", "kubevirtclusters"] - verbs: ["*"] - - apiGroups: ["bootstrap.cluster.x-k8s.io"] - resources: ["kubeadmconfigtemplates"] - verbs: ["*"] - - apiGroups: 
["addons.cluster.x-k8s.io"] - resources: ["clusterresourcesets"] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kubevirt-manager -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubevirt-manager -subjects: - - kind: ServiceAccount - name: kubevirt-manager - namespace: kubevirt ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kubevirt-manager-kccm -rules: - - apiGroups: ["kubevirt.io"] - resources: ["virtualmachines"] - verbs: ["get", "list", "watch"] - - apiGroups: ["kubevirt.io"] - resources: ["virtualmachineinstances"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["services"] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kubevirt-manager-kccm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubevirt-manager-kccm -subjects: - - kind: ServiceAccount - name: kubevirt-manager - namespace: kubevirt diff --git a/kubernetes/apps/kubevirt/manager/ks.yaml b/kubernetes/apps/kubevirt/manager/ks.yaml deleted file mode 100644 index 1c8736d3..00000000 --- a/kubernetes/apps/kubevirt/manager/ks.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app kubevirt-manager - namespace: flux-system -spec: - targetNamespace: kubevirt - path: ./kubernetes/apps/kubevirt/manager/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app - GATUS_SUBDOMAIN: kubevirt 
diff --git a/kubernetes/apps/kubevirt/namespace.yaml b/kubernetes/apps/kubevirt/namespace.yaml deleted file mode 100644 index cbde5f58..00000000 --- a/kubernetes/apps/kubevirt/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: kubevirt - labels: - kustomize.toolkit.fluxcd.io/prune: disabled - volsync.backube/privileged-movers: "true" - pod-security.kubernetes.io/enforce: "privileged" - kubevirt.io: "" diff --git a/kubernetes/apps/kubevirt/vms/fj-runner-01-disk1.yaml b/kubernetes/apps/kubevirt/vms/fj-runner-01-disk1.yaml deleted file mode 100644 index f5d29807..00000000 --- a/kubernetes/apps/kubevirt/vms/fj-runner-01-disk1.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: fj-runner-01-disk1 -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 160Gi - storageClassName: "openebs-hostpath" diff --git a/kubernetes/apps/kubevirt/vms/fj-runner-01.yaml b/kubernetes/apps/kubevirt/vms/fj-runner-01.yaml deleted file mode 100644 index a7e756cd..00000000 --- a/kubernetes/apps/kubevirt/vms/fj-runner-01.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kubevirt.io/virtualmachine_v1.json -apiVersion: kubevirt.io/v1 -kind: VirtualMachine -metadata: - name: fj-runner-01 - namespace: default -spec: - running: false - template: - spec: - architecture: amd64 - domain: - clock: - timezone: "America/Chicago" - cpu: - cores: 4 - sockets: 1 - threads: 2 - devices: - disks: - - disk: - bus: sata - name: disk1 - - cdrom: - bus: sata - name: nixosiso - interfaces: - - bridge: {} - name: net1 - networkInterfaceMultiqueue: true - firmware: - # this sets the bootloader type - bootloader: - efi: - secureBoot: false - machine: - type: q35 - resources: - requests: - memory: 8Gi - networks: - - name: net1 - pod: {} - nodeSelector: - kubernetes.io/hostname: shadowfax - # priorityClassName: vm-standard - volumes: - - name: disk1 - persistentVolumeClaim: - claimName: fj-runner-01-disk1 - - name: nixosiso - dataVolume: - name: "nixos-minimal" diff --git a/kubernetes/apps/kubevirt/vms/fj-runner-02-disk1.yaml b/kubernetes/apps/kubevirt/vms/fj-runner-02-disk1.yaml deleted file mode 100644 index 4d2f56f4..00000000 --- a/kubernetes/apps/kubevirt/vms/fj-runner-02-disk1.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: fj-runner-02-disk1 -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 160Gi - storageClassName: local-hostpath-nvme1 diff --git a/kubernetes/apps/kubevirt/vms/fj-runner-02.yaml b/kubernetes/apps/kubevirt/vms/fj-runner-02.yaml deleted file mode 100644 index d4409eaa..00000000 --- a/kubernetes/apps/kubevirt/vms/fj-runner-02.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kubevirt.io/virtualmachine_v1.json -apiVersion: kubevirt.io/v1 -kind: VirtualMachine -metadata: - name: fj-runner-02 - namespace: default -spec: - running: false - template: - spec: - architecture: amd64 - domain: - clock: - timezone: "America/Chicago" - cpu: - cores: 4 - sockets: 1 - threads: 2 - devices: - disks: - - disk: - bus: sata - name: disk1 - - cdrom: - bus: sata - name: nixosiso - interfaces: - - bridge: {} - name: net1 - networkInterfaceMultiqueue: true - firmware: - # this sets the bootloader type - bootloader: - efi: - secureBoot: false - machine: - type: q35 - resources: - requests: - memory: 8Gi - networks: - - name: net1 - pod: {} - nodeSelector: - kubernetes.io/hostname: shadowfax - priorityClassName: vm-standard - volumes: - - name: disk1 - persistentVolumeClaim: - claimName: fj-runner-02-disk1 - - dataVolume: - name: "nixos-minimal" - name: nixosiso diff --git a/kubernetes/apps/kubevirt/vms/nixosdv.yaml b/kubernetes/apps/kubevirt/vms/nixosdv.yaml deleted file mode 100644 index 820f20dc..00000000 --- a/kubernetes/apps/kubevirt/vms/nixosdv.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/cdi.kubevirt.io/datavolume_v1beta1.json -apiVersion: cdi.kubevirt.io/v1beta1 -kind: DataVolume -metadata: - name: "nixos-minimal" -spec: - storage: - resources: - requests: - storage: 2Gi - storageClassName: "openebs-hostpath" - accessModes: - - "ReadWriteOnce" - source: - http: - url: "https://channels.nixos.org/nixos-24.05/latest-nixos-minimal-x86_64-linux.iso" diff --git a/kubernetes/apps/kyverno/kyverno/ks.yaml b/kubernetes/apps/kyverno/kyverno/ks.yaml index 115f8878..1f549bcf 100644 --- a/kubernetes/apps/kyverno/kyverno/ks.yaml +++ b/kubernetes/apps/kyverno/kyverno/ks.yaml @@ -10,7 +10,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true interval: 30m retryInterval: 1m 
@@ -29,7 +29,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: false interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/network/cloudflared/app/config/config.yaml b/kubernetes/apps/network/cloudflared/app/config/config.yml similarity index 60% rename from kubernetes/apps/network/cloudflared/app/config/config.yaml rename to kubernetes/apps/network/cloudflared/app/config/config.yml index 85dbeea8..3e549757 100644 --- a/kubernetes/apps/network/cloudflared/app/config/config.yaml +++ b/kubernetes/apps/network/cloudflared/app/config/config.yml @@ -3,10 +3,6 @@ originRequest: http2Origin: true ingress: - - hostname: hsn.dev - service: https://ingress-nginx-controller.network.svc.cluster.local:443 - originRequest: - originServerName: external.hsn.dev - hostname: "*.hsn.dev" service: https://ingress-nginx-controller.network.svc.cluster.local:443 originRequest: diff --git a/kubernetes/apps/network/cloudflared/app/helmrelease.yaml b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml index a8c427a0..eb568a9b 100644 --- a/kubernetes/apps/network/cloudflared/app/helmrelease.yaml +++ b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml @@ -28,7 +28,7 @@ spec: values: controllers: cloudflared: - replicas: 1 + replicas: 2 strategy: RollingUpdate annotations: reloader.stakater.com/auto: "true" diff --git a/kubernetes/apps/network/cloudflared/app/kustomization.yaml b/kubernetes/apps/network/cloudflared/app/kustomization.yaml index 4dbb6acf..f80372b4 100644 --- a/kubernetes/apps/network/cloudflared/app/kustomization.yaml +++ b/kubernetes/apps/network/cloudflared/app/kustomization.yaml @@ -9,6 +9,6 @@ resources: configMapGenerator: - name: cloudflared-configmap files: - - config.yaml=./config/config.yaml + - config.yaml=./config/config.yml generatorOptions: disableNameSuffixHash: true diff --git a/kubernetes/apps/network/cloudflared/ks.yaml b/kubernetes/apps/network/cloudflared/ks.yaml index 851ab89b..46bcdf0d 100644 
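Review bot: Removing the `hostname: hsn.dev` rule leaves only the `*.hsn.dev` wildcard, and a cloudflared wildcard hostname does not match the apex domain, so requests for bare `hsn.dev` now fall through to whatever rule follows (the catch-all at the end of the file, which is outside this hunk). If the apex is still meant to be served through the tunnel, keep an explicit entry, e.g. `- hostname: hsn.dev` with the same `service:` and `originRequest:` block as the wildcard; if dropping it is intentional, the apex DNS record pointing at the tunnel should go too, otherwise the bare domain resolves to a tunnel that only answers with the fallback.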
--- a/kubernetes/apps/network/cloudflared/ks.yaml +++ b/kubernetes/apps/network/cloudflared/ks.yaml @@ -19,7 +19,7 @@ spec: prune: false sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/network/echo-server/ks.yaml b/kubernetes/apps/network/echo-server/ks.yaml index a3022b62..db8b7fc8 100644 --- a/kubernetes/apps/network/echo-server/ks.yaml +++ b/kubernetes/apps/network/echo-server/ks.yaml @@ -13,5 +13,5 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true diff --git a/kubernetes/apps/network/external-dns/ks.yaml b/kubernetes/apps/network/external-dns/ks.yaml index 95e680b9..9c21433f 100644 --- a/kubernetes/apps/network/external-dns/ks.yaml +++ b/kubernetes/apps/network/external-dns/ks.yaml @@ -14,7 +14,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true dependsOn: - name: external-secrets-stores @@ -34,7 +34,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true dependsOn: - - name: external-secrets-stores \ No newline at end of file + - name: external-secrets-stores diff --git a/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml index c0a8904e..c88a0069 100644 --- a/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml +++ b/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml @@ -22,7 +22,7 @@ spec: valuesKey: MAXMIND_LICENSE_KEY values: controller: - replicaCount: 1 + replicaCount: 2 updateStrategy: type: RollingUpdate allowSnippetAnnotations: true diff --git a/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml index 20d3e40e..ef658ea6 100644 --- a/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml 
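Review bot: `allowSnippetAnnotations: true` is still set on the externally exposed controller in the context lines of this hunk; snippet annotations let anyone who can create an Ingress object in any namespace inject raw nginx configuration into this controller (the class of issue behind CVE-2021-25742), and scaling to two replicas doubles that surface rather than changing it. Unless a workload demonstrably needs `nginx.ingress.kubernetes.io/*-snippet` annotations, set `allowSnippetAnnotations: false` here. Separately, `replicaCount: 2` only provides node-level redundancy if the pods are spread across nodes; the chart's `topologySpreadConstraints`/`affinity` values are not visible in this hunk, so confirm they are set.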
+++ b/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml @@ -20,7 +20,7 @@ spec: fullnameOverride: nginx-internal controller: - replicaCount: 1 + replicaCount: 2 updateStrategy: type: RollingUpdate diff --git a/kubernetes/apps/network/ingress-nginx/ks.yaml b/kubernetes/apps/network/ingress-nginx/ks.yaml index 6468d641..d4604502 100644 --- a/kubernetes/apps/network/ingress-nginx/ks.yaml +++ b/kubernetes/apps/network/ingress-nginx/ks.yaml @@ -13,7 +13,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true dependsOn: - name: cert-manager-issuers @@ -32,7 +32,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true dependsOn: - name: cert-manager-issuers diff --git a/kubernetes/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml index 3b223444..d97b83ed 100644 --- a/kubernetes/apps/network/kustomization.yaml +++ b/kubernetes/apps/network/kustomization.yaml @@ -9,4 +9,4 @@ resources: - ./cloudflared/ks.yaml - ./echo-server/ks.yaml - ./external-dns/ks.yaml - - ./ingress-nginx/ks.yaml \ No newline at end of file + - ./ingress-nginx/ks.yaml diff --git a/kubernetes/apps/network/namespace.yaml b/kubernetes/apps/network/namespace.yaml index ea1e9e60..4d78d7b1 100644 --- a/kubernetes/apps/network/namespace.yaml +++ b/kubernetes/apps/network/namespace.yaml @@ -5,4 +5,3 @@ metadata: name: network labels: kustomize.toolkit.fluxcd.io/prune: disabled - volsync.backube/privileged-movers: "true" diff --git a/kubernetes/apps/observability/gatus/app/externalsecret.yaml b/kubernetes/apps/observability/gatus/app/externalsecret.yaml deleted file mode 100644 index 8683a2a5..00000000 --- a/kubernetes/apps/observability/gatus/app/externalsecret.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: gatus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: gatus-secret - template: - engineVersion: v2 - data: - CUSTOM_PUSHOVER_TOKEN: "{{ .gatus_token }}" - CUSTOM_PUSHOVER_USER_KEY: "{{ .userkey_jahanson }}" - DATABASE_URI: "postgresql://{{ .pg_username }}:{{ .pg_password }}@postgres-primary-real.database.svc:{{ .pg_port }}/{{ .pg_database }}" - dataFrom: - - extract: - key: pushover - - extract: - key: gatus \ No newline at end of file diff --git a/kubernetes/apps/observability/gatus/app/helmrelease.yaml b/kubernetes/apps/observability/gatus/app/helmrelease.yaml deleted file mode 100644 index 5cf380d3..00000000 --- a/kubernetes/apps/observability/gatus/app/helmrelease.yaml +++ /dev/null 
@@ -1,131 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: gatus -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - gatus: - annotations: - reloader.stakater.com/auto: "true" - initContainers: - init-config: - image: - repository: ghcr.io/kiwigrid/k8s-sidecar - tag: 1.27.6@sha256:db85bd5532530d288736b35e63baceacbf570bf863d85a0404b33c1e1631f63b - env: - FOLDER: /config - LABEL: gatus.io/enabled - NAMESPACE: ALL - RESOURCE: both - UNIQUE_FILENAMES: true - METHOD: WATCH - restartPolicy: Always - resources: &resources - requests: - cpu: 10m - limits: - memory: 256Mi - containers: - app: - image: - repository: ghcr.io/twin/gatus - tag: v5.12.1@sha256:3cc4e90534c05599f07fbdf15580401aa7771fac15f51d1dc8f7de265d70d12f - env: - TZ: America/Chicago - GATUS_CONFIG_PATH: /config - GATUS_DELAY_START_SECONDS: 5 - CUSTOM_WEB_PORT: &port 80 - envFrom: - - secretRef: - name: gatus-secret - probes: - liveness: &probes - enabled: true - custom: true - spec: - httpGet: - path: /health - port: *port - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: *probes - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - resources: *resources - pod: - dnsConfig: - options: - - { name: ndots, value: "1" } - securityContext: - runAsUser: 568 - runAsGroup: 568 - runAsNonRoot: true - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - service: - app: - controller: gatus - ports: - http: - port: *port - serviceMonitor: - app: - serviceName: 
gatus - endpoints: - - port: http - scheme: http - path: /metrics - interval: 1m - scrapeTimeout: 10s - ingress: - app: - className: external-nginx - annotations: - external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" - external-dns.alpha.kubernetes.io/target: external.hsn.dev - hosts: - - host: &host status.hsn.dev - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: [*host] - serviceAccount: - create: true - name: gatus - persistence: - config: - type: emptyDir - config-file: - type: configMap - name: gatus-configmap - globalMounts: - - path: /config/config.yaml - subPath: config.yaml - readOnly: true \ No newline at end of file diff --git a/kubernetes/apps/observability/gatus/app/kustomization.yaml b/kubernetes/apps/observability/gatus/app/kustomization.yaml deleted file mode 100644 index 9dfa1881..00000000 --- a/kubernetes/apps/observability/gatus/app/kustomization.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml - - ./rbac.yaml -configMapGenerator: - - name: gatus-configmap - files: - - config.yaml=./resources/config.yml -generatorOptions: - disableNameSuffixHash: true \ No newline at end of file diff --git a/kubernetes/apps/observability/gatus/app/rbac.yaml b/kubernetes/apps/observability/gatus/app/rbac.yaml deleted file mode 100644 index 6ac3c80e..00000000 --- a/kubernetes/apps/observability/gatus/app/rbac.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: gatus -rules: - - apiGroups: [""] - resources: ["configmaps", "secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: gatus -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: gatus -subjects: - - kind: ServiceAccount - name: gatus - namespace: observability \ No newline at end of file diff --git a/kubernetes/apps/observability/gatus/app/resources/config.yml b/kubernetes/apps/observability/gatus/app/resources/config.yml deleted file mode 100644 index 60917cb4..00000000 --- a/kubernetes/apps/observability/gatus/app/resources/config.yml +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -# Note: Gatus vars should be escaped with $${VAR_NAME} to avoid interpolation by Flux -web: - port: $${CUSTOM_WEB_PORT} -storage: - type: postgres - path: $${DATABASE_URI} - caching: true -metrics: true -debug: false -ui: - title: Status | Gatus - header: Status -alerting: - pushover: - application-token: $${CUSTOM_PUSHOVER_TOKEN} - user-key: $${CUSTOM_PUSHOVER_USER_KEY} - default-alert: - description: health-check failed - send-on-resolved: true - failure-threshold: 5 - success-threshold: 2 -connectivity: - checker: - target: 1.1.1.1:53 - interval: 1m -endpoints: - - name: status - group: external - url: https://status.hsn.dev - interval: 1m - client: - dns-resolver: tcp://1.1.1.1:53 - conditions: - - "[STATUS] == 200" - alerts: - - type: pushover - # - name: Umami - # group: external - # url: https://umi.hsn.dev/script.js - # interval: 1m - # client: - # dns-resolver: tcp://1.1.1.1:53 - # conditions: - # - "[STATUS] == 200" - # alerts: - # - type: pushover - - name: Nextcloud External - group: external - url: https://nc.hsn.dev - interval: 1m - ui: - hide-url: true - hide-hostname: true - client: - dns-resolver: tcp://1.1.1.1:53 - conditions: - - "[STATUS] == 200" - alerts: - - type: pushover - - name: flux-webhook - group: external - url: https://flux-receiver.hsn.dev - interval: 1m - client: - dns-resolver: tcp://1.1.1.1:53 - conditions: - - "[STATUS] == 404" - alerts: - - type: pushover - - name: Elessar - group: internal - url: https://elessar.jahanson.tech - interval: 1m - client: - dns-resolver: tcp://10.1.1.1:53 - conditions: - - "[STATUS] == 200" - alerts: - - type: pushover - - name: Sting - group: internal - url: http://sting.jahanson.tech - interval: 1m - client: - dns-resolver: tcp://10.1.1.1:53 - conditions: - - "[STATUS] == 200" - alerts: - - type: pushover - - name: Gandalf - group: internal - url: https://gandalf.jahanson.tech:8443 - interval: 1m - client: - dns-resolver: tcp://10.1.1.1:53 - conditions: - - "[STATUS] == 
200" - alerts: - - type: pushover - - name: Gollum - group: internal - url: http://gollum.jahanson.tech - interval: 1m - client: - dns-resolver: tcp://10.1.1.1:53 - conditions: - - "[STATUS] == 200" - alerts: - - type: pushover - - name: Nextcloud Internal - group: internal - url: https://nc.hsn.dev - interval: 1m - ui: - hide-url: true - hide-hostname: true - client: - dns-resolver: tcp://10.1.1.1:53 - conditions: - - "[STATUS] == 200" - alerts: - - type: pushover - - name: Home Assistant - group: internal - url: https://hass.jahanson.tech - interval: 1m - client: - dns-resolver: tcp://10.1.1.1:53 - conditions: - - "[STATUS] == 200" - alerts: - - type: pushover diff --git a/kubernetes/apps/observability/gatus/ks.yaml b/kubernetes/apps/observability/gatus/ks.yaml deleted file mode 100644 index b0e1058e..00000000 --- a/kubernetes/apps/observability/gatus/ks.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app gatus - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: crunchy-postgres-operator - - name: external-secrets-stores - path: ./kubernetes/apps/observability/gatus/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app - DB_NAME: gatus - DB_USER: gatus diff --git a/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml new file mode 100644 index 00000000..3ac2d304 --- /dev/null +++ b/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml 
@@ -0,0 +1,146 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: kube-prometheus-stack +spec: + interval: 30m + timeout: 15m + chart: + spec: + chart: kube-prometheus-stack + version: 62.3.1 + sourceRef: + kind: HelmRepository + name: prometheus-community + namespace: flux-system + interval: 30m + install: + crds: Skip + upgrade: + crds: Skip + values: + crds: + enabled: false + cleanPrometheusOperatorObjectNames: true + + ### + ### Component values + ### + alertmanager: + enabled: false + + kubeApiServer: + enabled: true + serviceMonitor: + metricRelabelings: + # Drop high cardinality labels + - action: drop + sourceLabels: ["__name__"] + regex: (apiserver|etcd|rest_client)_request(|_sli|_slo)_duration_seconds_bucket + - action: drop + sourceLabels: ["__name__"] + regex: (apiserver_response_sizes_bucket|apiserver_watch_events_sizes_bucket) + + kubeControllerManager: + enabled: false + + kubeEtcd: + enabled: false + + kubelet: + enabled: true + serviceMonitor: + metricRelabelings: + # Drop high cardinality labels + - action: labeldrop + regex: (uid) + - action: labeldrop + regex: (id|name) + - action: drop + sourceLabels: ["__name__"] + regex: (rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count) + + kubeProxy: + enabled: false + + kubeScheduler: + enabled: false + + kubeStateMetrics: + enabled: false + + nodeExporter: + enabled: false + + grafana: + enabled: false + forceDeployDashboards: true + sidecar: + dashboards: + annotations: + grafana_folder: Kubernetes + + ### + ### Prometheus operator values + ### + prometheusOperator: + resources: + requests: + cpu: 35m + memory: 273M + limits: + memory: 326M + + prometheusConfigReloader: + # resource config for prometheusConfigReloader + resources: + requests: + cpu: 5m + memory: 32M + limits: + 
memory: 32M + + ### + ### Prometheus instance values + ### + prometheus: + ingress: + enabled: true + ingressClassName: internal-nginx + annotations: + external-dns.alpha.kubernetes.io/target: internal.jahanson.tech + hosts: + - prometheus.jahanson.tech + pathType: Prefix + + prometheusSpec: + enableAdminAPI: true + enableFeatures: + - auto-gomaxprocs + - memory-snapshot-on-shutdown + - new-service-discovery-manager + podMonitorSelectorNilUsesHelmValues: false + probeSelectorNilUsesHelmValues: false + replicas: 1 + replicaExternalLabelName: "__replica__" # must match with thanos value `.query.replicaLabel[0]` + resources: + requests: + cpu: 100m + limits: + memory: 1500M + retention: 14d + retentionSize: 50GB + ruleSelectorNilUsesHelmValues: false + scrapeConfigSelectorNilUsesHelmValues: false + scrapeInterval: 1m # Must match interval in Grafana Helm chart + serviceMonitorSelectorNilUsesHelmValues: false + storageSpec: + volumeClaimTemplate: + spec: + storageClassName: ceph-block + resources: + requests: + storage: 55Gi + walCompression: true diff --git a/kubernetes/apps/default/thelounge/ks.yaml b/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml similarity index 60% rename from kubernetes/apps/default/thelounge/ks.yaml rename to kubernetes/apps/observability/kube-prometheus-stack/ks.yaml index 07273d63..93d157fc 100644 --- a/kubernetes/apps/default/thelounge/ks.yaml +++ b/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml 
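Review bot: `enableAdminAPI: true` under `prometheusSpec` turns on the TSDB admin endpoints (series deletion, snapshots, tombstone cleanup) on the same listener that the `prometheus.jahanson.tech` ingress publishes, and no authentication annotation is visible on that ingress, so anyone who can reach the `internal-nginx` class can erase metrics with an unauthenticated POST to `/api/v1/admin/tsdb/delete_series`. Unless something relies on it, drop the line or set `enableAdminAPI: false`; if it is needed, put an auth annotation (e.g. `nginx.ingress.kubernetes.io/auth-url`) on the ingress so the admin API is not open to the whole internal network. A one-line comment above the setting stating who consumes the admin API would also help the next reader.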
@@ -3,17 +3,20 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &appname thelounge + name: &appname kube-prometheus-stack namespace: flux-system spec: - targetNamespace: default + targetNamespace: observability commonMetadata: labels: app.kubernetes.io/name: *appname interval: 10m - path: "./kubernetes/apps/default/thelounge/app" + path: "./kubernetes/apps/observability/kube-prometheus-stack/app" prune: true sourceRef: kind: GitRepository - name: homelab - wait: false + name: theshire + wait: true + dependsOn: + # - name: alertmanager + - name: rook-ceph-cluster diff --git a/kubernetes/apps/observability/kustomization.yaml b/kubernetes/apps/observability/kustomization.yaml index 29e54382..62b598c9 100644 --- a/kubernetes/apps/observability/kustomization.yaml +++ b/kubernetes/apps/observability/kustomization.yaml @@ -1,13 +1,9 @@ --- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization +# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: # Pre Flux-Kustomizations - ./namespace.yaml # Flux-Kustomizations - - ./gatus/ks.yaml - - ./node-exporter/ks.yaml - - ./prometheus-operator-crds/ks.yaml - # - ./smartctl-exporter/ks.yaml - # - ./victoria-metrics/ks.yaml + - ./kube-prometheus-stack/ks.yaml diff --git a/kubernetes/apps/observability/namespace.yaml b/kubernetes/apps/observability/namespace.yaml index f062e931..ce3a5bd2 100644 --- a/kubernetes/apps/observability/namespace.yaml +++ b/kubernetes/apps/observability/namespace.yaml @@ -5,4 +5,3 @@ metadata: name: observability labels: kustomize.toolkit.fluxcd.io/prune: disabled - pgo-enabled-hsn.dev: "true" \ No newline at end of file diff --git a/kubernetes/apps/observability/node-exporter/app/helmrelease.yaml b/kubernetes/apps/observability/node-exporter/app/helmrelease.yaml deleted file mode 100644 index b4c6c543..00000000 
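Review bot: `dependsOn` lists only `rook-ceph-cluster`, but this same commit deletes the `prometheus-operator-crds` Kustomization that previously installed the operator CRDs, and the HelmRelease under this path is configured with `install.crds: Skip` and `crds.enabled: false`; if no other source owns those CRDs, the Prometheus and ServiceMonitor objects the chart renders will be rejected by the API server and this Kustomization, with `wait: true`, will sit in a failing state. Either keep the CRD Kustomization and add `- name: prometheus-operator-crds` to `dependsOn`, or add a comment naming the source that installs them. The commented `# - name: alertmanager` entry should carry a short note on why it is disabled, or be removed, since the chart values already set `alertmanager.enabled: false`.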
--- a/kubernetes/apps/observability/node-exporter/app/helmrelease.yaml +++ /dev/null @@ -1,51 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: node-exporter -spec: - interval: 30m - chart: - spec: - chart: prometheus-node-exporter - version: 4.39.0 - sourceRef: - kind: HelmRepository - name: prometheus-community - namespace: flux-system - interval: 30m - values: - fullnameOverride: node-exporter - - image: - registry: quay.io - repository: prometheus/node-exporter - - prometheus: - monitor: - enabled: true - jobLabel: app.kubernetes.io/instance - - relabelings: - - action: replace - regex: (.*) - replacement: $1 - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: kubernetes_node - - action: replace - regex: (.*) - replacement: $1 - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: nodename - - resources: - requests: - cpu: 23m - memory: 64M - limits: - memory: 64M - - hostNetwork: false diff --git a/kubernetes/apps/observability/node-exporter/app/kustomization.yaml b/kubernetes/apps/observability/node-exporter/app/kustomization.yaml deleted file mode 100644 index 17cbc72b..00000000 --- a/kubernetes/apps/observability/node-exporter/app/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml diff --git a/kubernetes/apps/observability/node-exporter/ks.yaml b/kubernetes/apps/observability/node-exporter/ks.yaml deleted file mode 100644 index 8d3acfa3..00000000 --- a/kubernetes/apps/observability/node-exporter/ks.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app node-exporter - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - interval: 10m - path: "./kubernetes/apps/observability/node-exporter/app" - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false diff --git a/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml b/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml deleted file mode 100644 index 90286100..00000000 --- a/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: prometheus-operator-crds -spec: - interval: 30m - chart: - spec: - chart: prometheus-operator-crds - version: 14.0.0 - sourceRef: - kind: HelmRepository - name: prometheus-community - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 diff --git a/kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml b/kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml deleted file mode 100644 index 17cbc72b..00000000 --- a/kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml 
diff --git a/kubernetes/apps/observability/prometheus-operator-crds/ks.yaml b/kubernetes/apps/observability/prometheus-operator-crds/ks.yaml deleted file mode 100644 index 8d439060..00000000 --- a/kubernetes/apps/observability/prometheus-operator-crds/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app prometheus-operator-crds - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/observability/prometheus-operator-crds/app - prune: false # never should be deleted - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/apps/observability/smartctl-exporter/app/helmrelease.yaml b/kubernetes/apps/observability/smartctl-exporter/app/helmrelease.yaml deleted file mode 100644 index e670beca..00000000 --- a/kubernetes/apps/observability/smartctl-exporter/app/helmrelease.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app smartctl-exporter -spec: - interval: 30m - chart: - spec: - chart: prometheus-smartctl-exporter - version: 0.10.0 - sourceRef: - kind: HelmRepository - name: prometheus-community - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - dependsOn: - - name: kube-prometheus-stack - namespace: observability - values: - fullnameOverride: *app - config: - devices: - - /dev/sda - serviceMonitor: - enabled: true - prometheusRules: - enabled: false - tolerations: - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - operator: Exists - nodeSelector: - # only control plane nodes - node-role.kubernetes.io/control-plane: "" \ No newline at end of file diff --git a/kubernetes/apps/observability/smartctl-exporter/app/kustomization.yaml b/kubernetes/apps/observability/smartctl-exporter/app/kustomization.yaml deleted file mode 100644 index f12e0812..00000000 --- a/kubernetes/apps/observability/smartctl-exporter/app/kustomization.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./prometheusrule.yaml -configMapGenerator: - - name: smartctl-exporter-loki-rules - files: - - smartctl-exporter.yaml=./resources/lokirule.yml - options: - labels: - loki_rule: "true" -generatorOptions: - disableNameSuffixHash: true \ No newline at end of file diff --git a/kubernetes/apps/observability/smartctl-exporter/app/prometheusrule.yaml b/kubernetes/apps/observability/smartctl-exporter/app/prometheusrule.yaml deleted file mode 100644 index 771b7991..00000000 
--- a/kubernetes/apps/observability/smartctl-exporter/app/prometheusrule.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/prometheusrule_v1.json -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: smartctl-exporter-rules -spec: - groups: - - name: smartctl-exporter.rules - rules: - - alert: SmartDeviceHighTemperature - annotations: - summary: Mounted drive {{ $labels.device }} on device {{ $labels.instance }} - has a temperature higher than 65°C. - expr: smartctl_device_temperature > 65 - for: 15m - labels: - severity: critical - - alert: SmartDeviceTestFailed - annotations: - summary: Mounted drive {{ $labels.device }} on device {{ $labels.instance }} - did not pass its SMART test. - expr: | - ( - smartctl_device_smart_status != 1 - or - smartctl_device_status != 1 - ) - for: 15m - labels: - severity: critical - - alert: SmartDeviceCriticalWarning - annotations: - summary: Mounted drive {{ $labels.device }} on device {{ $labels.instance }} - is in a critical state. - expr: smartctl_device_critical_warning != 0 - for: 15m - labels: - severity: critical - # - # Ref: https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus-smartctl-exporter/rules/rules.txt - # - - alert: SmartDeviceMediaErrors - annotations: - summary: Mounted drive {{ $labels.device }} on device {{ $labels.instance }} - has media errors. - expr: smartctl_device_media_errors != 0 - for: 15m - labels: - severity: critical - - alert: SmartDeviceAvailableSpareUnderThreadhold - annotations: - summary: Device {{ $labels.device }} on instance {{ $labels.instance }} - is under available spare threashold. - expr: smartctl_device_available_spare_threshold > smartctl_device_available_spare - for: 15m - labels: - severity: critical - - alert: SmartDeviceInterfaceSlow - annotations: - summary: Device {{ $labels.device }} on instance {{ $labels.instance }} - interface is slower then it should be. 
- expr: | - smartctl_device_interface_speed{speed_type="current"} != on(device, instance, namespace, pod) smartctl_device_interface_speed{speed_type="max"} - for: 15m - labels: - severity: critical \ No newline at end of file diff --git a/kubernetes/apps/observability/smartctl-exporter/app/resources/lokirule.yml b/kubernetes/apps/observability/smartctl-exporter/app/resources/lokirule.yml deleted file mode 100644 index 6ee7be2e..00000000 --- a/kubernetes/apps/observability/smartctl-exporter/app/resources/lokirule.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -groups: - - name: smart - rules: - - alert: SMARTFailure - expr: | - sum by (hostname) (count_over_time({hostname=~".+"} | json | _SYSTEMD_UNIT = "smartmontools.service" !~ "(?i)previous self-test completed without error" !~ "(?i)Prefailure" |~ "(?i)(error|fail)"[2m])) > 0 - for: 2m - labels: - severity: critical - category: logs - annotations: - hostname: "{{ $labels.hostname }}" - summary: "{{ $labels.hostname }} has reported SMART failures" diff --git a/kubernetes/apps/observability/smartctl-exporter/ks.yaml b/kubernetes/apps/observability/smartctl-exporter/ks.yaml deleted file mode 100644 index f9d9da83..00000000 --- a/kubernetes/apps/observability/smartctl-exporter/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app smartctl-exporter - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/observability/smartctl-exporter/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m \ No newline at end of file 
diff --git a/kubernetes/apps/observability/victoria-metrics/app/helmrelease.yaml b/kubernetes/apps/observability/victoria-metrics/app/helmrelease.yaml deleted file mode 100644 index 6b57d54f..00000000 --- a/kubernetes/apps/observability/victoria-metrics/app/helmrelease.yaml +++ /dev/null 
@@ -1,202 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: victoria-metrics -spec: - interval: 30m - chart: - spec: - chart: victoria-metrics-k8s-stack - version: 0.25.8 - sourceRef: - kind: HelmRepository - name: victoria-metrics - namespace: flux-system - values: - fullnameOverride: victoria-metrics - - # VM Operator deployment - victoria-metrics-operator: - enabled: true - operator: - # disable_prometheus_converter: false # Ensure we keep enabled the converter to sync prom rules to VM rules - enable_converter_ownership: true # Required to allow VM to remove VM rules it imports if a prometheus rule is deleted - - # Single-binary vm cluster - vmsingle: - enabled: true - spec: - extraArgs: - dedup.minScrapeInterval: 30s - maxLabelsPerTimeseries: "90" - search.minStalenessInterval: 5m - vmalert.proxyURL: http://vmalert-victoria-metrics.observability.svc.cluster.local:8080 - retentionPeriod: 1y - storage: - storageClassName: "openebs-zfs" - resources: - requests: - storage: "50Gi" - accessModes: - - ReadWriteOnce - ingress: - enabled: true - ingressClassName: internal-nginx - hosts: - - vm.jahanson.tech - - # VM Alerting (however, this just watches & passes alerts to alertmanager) - vmalert: - enabled: true - spec: - replicaCount: 1 - resources: - requests: - cpu: 50m - memory: 128Mi - limits: - cpu: 150m - memory: 256Mi - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/name: vmalert - extraArgs: - external.url: https://vmalert.jahanson.tech - notifiers: - - url: http://alertmanager.observability.svc.cluster.local:9093 - ingress: - enabled: true - ingressClassName: internal-nginx - hosts: - - vmalert.jahanson.tech - - # VM Data scraping - vmagent: - 
enabled: true - spec: - replicaCount: 1 - shardCount: 2 - scrapeInterval: 30s - externalLabels: - cluster: main - resources: - requests: - cpu: 50m - memory: 256Mi - limits: - cpu: 400m - memory: 512Mi - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/name: vmagent - additionalScrapeConfigs: - name: vm-additional-scrape-configs - key: prometheus-additional.yaml - ingress: - enabled: true - ingressClassName: internal-nginx - hosts: - - vmagent.jahanson.tech - - # Extra slack templates - monzoTemplate: - enabled: false - - # Scrape configs - kubelet: - enabled: true - spec: - interval: 30s - # drop high cardinality label and useless metrics for cadvisor and kubelet - metricRelabelConfigs: - - action: labeldrop - regex: (uid|pod_uid|id) - - action: labeldrop - regex: (name) - - action: drop - source_labels: [__name__] - regex: (rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count) - - action: drop - source_labels: [__name__] - regex: (container_tasks_state|container_memory_failures_total) - - action: drop - source_labels: [__name__] - regex: (container_blkio_device_usage_total) - - action: drop - source_labels: [__name__] - regex: (prober_probe_duration_seconds_bucket) - relabelConfigs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - sourceLabels: [__metrics_path__] - targetLabel: metrics_path - - targetLabel: "job" - replacement: "kubelet" - # kubeApiServer: - # enabled: false - # kubeControllerManager: - # enabled: false - # kubeProxy: - # enabled: false - # kubeScheduler: - # enabled: false - # kubeEtcd: - # enabled: false - - # Enable deployment of kube-state-metrics - # kube-state-metrics: - # enabled: false - - # Enable deployment of prometheus-node-exporter - # prometheus-node-exporter: - # enabled: false - - # Enable deployment of grafana - # 
defaultDashboardsEnabled: false - # grafana: - # enabled: false - - # Enable deployment of alertmanager - # alertmanager: - # enabled: false - - # Prepared sets of default rules - # Adjust to what scraping functions you have enabled - # i.e. if you dont have kubeapisever setup & enabled, disable - # the kubeApiserver rules below - defaultRules: - create: true - rules: - etcd: false - general: true - k8s: true - kubeApiserver: true - kubeApiserverAvailability: true - kubeApiserverBurnrate: true - kubeApiserverHistogram: true - kubeApiserverSlos: true - kubelet: true - kubePrometheusGeneral: true - kubePrometheusNodeRecording: true - kubernetesApps: true - kubernetesResources: true - kubernetesStorage: true - kubernetesSystem: true - kubeScheduler: false - kubeStateMetrics: true - network: true - node: true - vmagent: true - vmsingle: false - vmhealth: true - alertmanager: false diff --git a/kubernetes/apps/observability/victoria-metrics/app/kustomization.yaml b/kubernetes/apps/observability/victoria-metrics/app/kustomization.yaml deleted file mode 100644 index 17cbc72b..00000000 --- a/kubernetes/apps/observability/victoria-metrics/app/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml diff --git a/kubernetes/apps/observability/victoria-metrics/ks.yaml b/kubernetes/apps/observability/victoria-metrics/ks.yaml deleted file mode 100644 index 85590ef0..00000000 --- a/kubernetes/apps/observability/victoria-metrics/ks.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app victoria-metrics-stack - namespace: flux-system -spec: - targetNamespace: observability - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: external-secrets-stores - path: ./kubernetes/apps/observability/victoria-metrics/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app diff --git a/kubernetes/apps/openebs-system/kustomization.yaml b/kubernetes/apps/openebs-system/kustomization.yaml deleted file mode 100644 index 334dd681..00000000 --- a/kubernetes/apps/openebs-system/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Pre Flux-Kustomizations - - ./namespace.yaml - # Flux-Kustomizations - - ./openebs/ks.yaml \ No newline at end of file diff --git a/kubernetes/apps/openebs-system/namespace.yaml b/kubernetes/apps/openebs-system/namespace.yaml deleted file mode 100644 index f79a5197..00000000 --- a/kubernetes/apps/openebs-system/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: openebs-system - annotations: - kustomize.toolkit.fluxcd.io/prune: disabled - volsync.backube/privileged-movers: "true" \ No newline at end of file diff --git a/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml b/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml deleted file mode 100644 index 9372ccd0..00000000 --- a/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: openebs -spec: - interval: 30m - chart: - spec: - chart: openebs - version: 4.1.0 - sourceRef: - kind: HelmRepository - name: openebs - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - localpv-provisioner: - localpv: - image: - registry: quay.io/ - repository: openebs/provisioner-localpv - hostpathClass: - enabled: true - name: openebs-hostpath - isDefaultClass: true - basePath: /var/mnt/nvme1 - openebs-crds: - csi: - volumeSnapshots: - enabled: false - keep: false - zfs-localpv: - enabled: true - zfsNode: - encrKeysDir: /var/openebs/keys - zfsPlugin: - image: - registry: quay.io/ - repository: openebs/zfs-driver - lvm-localpv: - enabled: false - mayastor: - enabled: false - engines: - local: - lvm: - enabled: false - zfs: - enabled: true - replicated: - mayastor: - enabled: false diff --git a/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml b/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml deleted file mode 100644 index 0a884217..00000000 --- a/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./storageclass.yaml - - ./volumesnapshotclass.yaml diff --git a/kubernetes/apps/openebs-system/openebs/app/storageclass.yaml b/kubernetes/apps/openebs-system/openebs/app/storageclass.yaml deleted file mode 100644 index f2bfe7ea..00000000 --- a/kubernetes/apps/openebs-system/openebs/app/storageclass.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: openebs-zfs - annotations: - storageclass.kubernetes.io/is-default-class: "true" -provisioner: zfs.csi.openebs.io -parameters: - recordsize: "128k" - compression: "off" - dedup: "off" - fstype: "zfs" - poolname: "nahar" -allowVolumeExpansion: true diff --git a/kubernetes/apps/openebs-system/openebs/app/volumesnapshotclass.yaml b/kubernetes/apps/openebs-system/openebs/app/volumesnapshotclass.yaml deleted file mode 100644 index 352e7d32..00000000 --- a/kubernetes/apps/openebs-system/openebs/app/volumesnapshotclass.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/snapshot.storage.k8s.io/volumesnapshotclass_v1.json -kind: VolumeSnapshotClass -apiVersion: snapshot.storage.k8s.io/v1 -metadata: - name: openebs-zfs - annotations: - snapshot.storage.kubernetes.io/is-default-class: "true" -driver: zfs.csi.openebs.io -deletionPolicy: Delete diff --git a/kubernetes/apps/openebs-system/openebs/ks.yaml b/kubernetes/apps/openebs-system/openebs/ks.yaml deleted file mode 100644 index 690b4cc0..00000000 --- a/kubernetes/apps/openebs-system/openebs/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app openebs - namespace: flux-system -spec: - targetNamespace: openebs-system - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/openebs-system/openebs/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/apps/qbittorrent/cross-seed/app/externalsecret.yaml b/kubernetes/apps/qbittorrent/cross-seed/app/externalsecret.yaml deleted file mode 100644 index 249d7ee5..00000000 
--- a/kubernetes/apps/qbittorrent/cross-seed/app/externalsecret.yaml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: cross-seed -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: cross-seed-secret - template: - engineVersion: v2 - data: - config.js: | - module.exports = { - action: "inject", - apiKey: "{{.CROSS_SEED_API_KEY}}", - dataCategory: "cross-seed", - delay: 30, - duplicateCategories: true, - includeEpisodes: true, - includeNonVideos: true, - includeSingleEpisodes: true, - linkDir: "/data/nas-media/qb/downloads/complete/cross-seed", - linkType: "hardlink", - matchMode: "safe", - outputDir: "/config", - port: 80, - qbittorrentUrl: "http://qbittorrent.qbittorrent.svc.cluster.local", - skipRecheck: true, - torrentDir: "/qbittorrent/qBittorrent/BT_backup", - torznab: [] - }; - dataFrom: - - extract: - key: cross-seed diff --git a/kubernetes/apps/qbittorrent/cross-seed/app/helmrelease.yaml b/kubernetes/apps/qbittorrent/cross-seed/app/helmrelease.yaml deleted file mode 100644 index 0f363257..00000000 --- a/kubernetes/apps/qbittorrent/cross-seed/app/helmrelease.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: cross-seed -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - dependsOn: - - name: qbittorrent - namespace: qbittorrent - values: - controllers: - cross-seed: - nameOverride: cross-seed - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: ghcr.io/cross-seed/cross-seed - tag: 6.0.0-32@sha256:df3e63c3564d3f61a62ca966acc043d438fecbbc80bf8b4de0dec5170bce9cd7 - env: - TZ: America/Chicago - args: ["daemon"] - probes: - liveness: - enabled: true - readiness: - enabled: true - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - resources: - requests: - cpu: 10m - limits: - memory: 512Mi - defaultPodOptions: - securityContext: - runAsNonRoot: true - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - supplementalGroups: [10000] - seccompProfile: { type: RuntimeDefault } - service: - app: - controller: cross-seed - ports: - http: - port: 80 - persistence: - config: - type: emptyDir - secret-file: - type: secret - name: cross-seed-secret - globalMounts: - - path: /config/config.js - subPath: config.js - readOnly: true - qbittorrent: - existingClaim: qbittorrent - globalMounts: - - path: /qbittorrent/qBittorrent/BT_backup - subPath: qBittorrent/BT_backup - readOnly: true - media: - type: nfs - server: 10.1.1.13 - path: /eru/media - globalMounts: - - path: /data/nas-media 
diff --git a/kubernetes/apps/qbittorrent/cross-seed/app/kustomization.yaml b/kubernetes/apps/qbittorrent/cross-seed/app/kustomization.yaml deleted file mode 100644 index 3351d8da..00000000 --- a/kubernetes/apps/qbittorrent/cross-seed/app/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/qbittorrent/cross-seed/ks.yaml b/kubernetes/apps/qbittorrent/cross-seed/ks.yaml deleted file mode 100644 index 4c355f17..00000000 --- a/kubernetes/apps/qbittorrent/cross-seed/ks.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app cross-seed - namespace: flux-system -spec: - targetNamespace: qbittorrent - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: external-secrets-stores - path: ./kubernetes/apps/qbittorrent/cross-seed/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app diff --git a/kubernetes/apps/qbittorrent/flood/app/externalsecret.yaml b/kubernetes/apps/qbittorrent/flood/app/externalsecret.yaml deleted file mode 100644 index 4fa2a6c8..00000000 --- a/kubernetes/apps/qbittorrent/flood/app/externalsecret.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: flood - namespace: qbittorrent -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: flood-secret - data: - - secretKey: FLOOD_OPTION_QBUSER - remoteRef: - key: flood - property: username - - secretKey: FLOOD_OPTION_QBPASS - remoteRef: - key: flood - property: password diff --git a/kubernetes/apps/qbittorrent/flood/app/helmrelease.yaml b/kubernetes/apps/qbittorrent/flood/app/helmrelease.yaml deleted file mode 100644 index 2ea4e276..00000000 --- a/kubernetes/apps/qbittorrent/flood/app/helmrelease.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app flood - namespace: default -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - dependsOn: - - name: qbittorrent - namespace: qbittorrent - values: - defaultPodOptions: - securityContext: - fsGroup: 568 - runAsGroup: 568 - runAsNonRoot: true - runAsUser: 568 - seccompProfile: - type: RuntimeDefault - controllers: - flood: - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: jesec/flood - tag: master@sha256:3d20df051209bff2905dec4e8328c1c464d5375e730ef7d81ca21422e2ccf06a - envFrom: - - secretRef: - name: flood-secret - env: - FLOOD_OPTION_RUNDIR: /data - FLOOD_OPTION_AUTH: none - FLOOD_OPTION_QBURL: http://qbittorrent.qbittorrent.svc.cluster.local - # FLOOD_OPTION_QBUSER is required but not used. - # FLOOD_OPTION_QBPASS is required but not used. - resources: - requests: - memory: 250Mi - cpu: 15m - limits: - memory: 512Mi - probes: - liveness: - enabled: true - readiness: - enabled: true - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - service: - app: - controller: *app - ports: - http: - port: 3000 - ingress: - app: - enabled: true - className: "internal-nginx" - hosts: - - host: &host "flood.jahanson.tech" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host - persistence: - config: - enabled: true - existingClaim: *app - globalMounts: - - path: /data 
diff --git a/kubernetes/apps/qbittorrent/flood/app/kustomization.yaml b/kubernetes/apps/qbittorrent/flood/app/kustomization.yaml deleted file mode 100644 index 47667ae1..00000000 --- a/kubernetes/apps/qbittorrent/flood/app/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: default -resources: - - ./helmrelease.yaml - - ./externalsecret.yaml - - ../../../../templates/gatus/internal - - ../../../../templates/volsync diff --git a/kubernetes/apps/qbittorrent/flood/ks.yaml b/kubernetes/apps/qbittorrent/flood/ks.yaml deleted file mode 100644 index 4d80a308..00000000 --- a/kubernetes/apps/qbittorrent/flood/ks.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app flood - namespace: flux-system -spec: - targetNamespace: qbittorrent - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: external-secrets-stores - - name: qbittorrent - - name: volsync - path: ./kubernetes/apps/qbittorrent/flood/app - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app - VOLSYNC_CAPACITY: 2Gi diff --git a/kubernetes/apps/qbittorrent/kustomization.yaml b/kubernetes/apps/qbittorrent/kustomization.yaml deleted file mode 100644 index 5106afe2..00000000 --- a/kubernetes/apps/qbittorrent/kustomization.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Pre Flux-Kustomizations - - ./namespace.yaml - # Flux-Kustomizations - - ./cross-seed/ks.yaml - - ./flood/ks.yaml - - ./qbittorrent/ks.yaml diff --git a/kubernetes/apps/qbittorrent/namespace.yaml b/kubernetes/apps/qbittorrent/namespace.yaml deleted file mode 100644 index f771b45d..00000000 --- a/kubernetes/apps/qbittorrent/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: qbittorrent - labels: - kustomize.toolkit.fluxcd.io/prune: disabled - volsync.backube/privileged-movers: "true" diff --git a/kubernetes/apps/qbittorrent/qbittorrent/app/externalsecret.yaml b/kubernetes/apps/qbittorrent/qbittorrent/app/externalsecret.yaml deleted file mode 100644 index 288892c7..00000000 --- a/kubernetes/apps/qbittorrent/qbittorrent/app/externalsecret.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: qbittorrent - namespace: qbittorrent -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: qbittorrent-secret - template: - engineVersion: v2 - data: - CROSS_SEED_API_KEY: "{{ .CROSS_SEED_API_KEY }}" - dataFrom: - - extract: - key: cross-seed diff --git a/kubernetes/apps/qbittorrent/qbittorrent/app/helmrelease.yaml b/kubernetes/apps/qbittorrent/qbittorrent/app/helmrelease.yaml deleted file mode 100644 index 056ec6f4..00000000 --- a/kubernetes/apps/qbittorrent/qbittorrent/app/helmrelease.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app qbittorrent -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - interval: 30m - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback - values: - controllers: - qbittorrent: - annotations: - configmap.reloader.stakater.com/reload: qbittorrent-scripts - secret.reloader.stakater.com/reload: qbittorrent-secret - pod: - securityContext: - fsGroup: 568 - fsGroupChangePolicy: "OnRootMismatch" - containers: - app: - nameOverride: qbittorrent - image: - repository: ghcr.io/onedr0p/qbittorrent - tag: 4.6.6@sha256:2fd0eba46205055c3f758411a79d5fa175df324f707dab9ad9a3a5be2ab92071 - env: - UMASK: "022" - QBITTORRENT__PORT: &port 80 - QBITTORRENT__BT_PORT: &bittorrentPort 50413 - QBT_Preferences__WebUI__AlternativeUIEnabled: false - QBT_Preferences__WebUI__AuthSubnetWhitelistEnabled: true - QBT_Preferences__WebUI__AuthSubnetWhitelist: |- - 10.244.0.0/16, 10.1.2.0/24 - QBT_Preferences__WebUI__LocalHostAuth: false - CROSS_SEED_HOST: cross-seed.qbittorrent.svc.cluster.local - CROSS_SEED_PORT: 80 - CROSS_SEED_SLEEP_INTERVAL: 0 - envFrom: - - secretRef: - name: qbittorrent-secret - resources: - requests: - cpu: 49m - memory: 1024Mi - limits: - memory: 24Gi - securityContext: - runAsUser: 568 - runAsGroup: 568 - runAsNonRoot: true - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - - service: - app: - controller: *app - type: LoadBalancer - annotations: - io.cilium/lb-ipam-ips: 10.1.1.34 - nameOverride: *app - ports: - http: - port: *port - bittorrent: - enabled: true - port: *bittorrentPort - protocol: TCP - - 
ingress: - app: - className: "internal-nginx" - hosts: - - host: "qb.jahanson.tech" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - "qb.jahanson.tech" - - persistence: - config: - existingClaim: qbittorrent - scripts: - type: configMap - name: qbittorrent-scripts - defaultMode: 0775 - globalMounts: - - path: /scripts/cross-seed.sh - subPath: cross-seed.sh - readOnly: true - media: - type: nfs - server: 10.1.1.13 - path: /eru/media - advancedMounts: - qbittorrent: - app: - - path: /data/nas-media - qbtun: - type: hostPath - hostPath: /dev/net - advancedMounts: - qbittorrent: - gluetun: - - path: /dev/net diff --git a/kubernetes/apps/qbittorrent/qbittorrent/app/kustomization.yaml b/kubernetes/apps/qbittorrent/qbittorrent/app/kustomization.yaml deleted file mode 100644 index 0f2d15ca..00000000 --- a/kubernetes/apps/qbittorrent/qbittorrent/app/kustomization.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml - - ../../../../templates/volsync -configMapGenerator: - - name: qbittorrent-scripts - files: - - cross-seed.sh=./resources/cross-seed.sh -generatorOptions: - disableNameSuffixHash: true - annotations: - kustomize.toolkit.fluxcd.io/substitute: disabled diff --git a/kubernetes/apps/qbittorrent/qbittorrent/app/resources/cross-seed.sh b/kubernetes/apps/qbittorrent/qbittorrent/app/resources/cross-seed.sh deleted file mode 100644 index 34fc5bb2..00000000 --- a/kubernetes/apps/qbittorrent/qbittorrent/app/resources/cross-seed.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/usr/bin/env bash - -export CROSS_SEED_HOST=${CROSS_SEED_HOST:-cross-seed.default.svc.cluster.local} -export CROSS_SEED_PORT=${CROSS_SEED_PORT:-80} -export CROSS_SEED_API_KEY=${CROSS_SEED_API_KEY:-unset} -export CROSS_SEED_SLEEP_INTERVAL=${CROSS_SEED_SLEEP_INTERVAL:-30} - -SEARCH_PATH=$1 - -# Update permissions on the search path -chmod -R 750 "${SEARCH_PATH}" - -# Search for cross-seed -response=$( - curl \ - --silent \ - --output /dev/null \ - --write-out "%{http_code}" \ - --request POST \ - --data-urlencode "path=${SEARCH_PATH}" \ - --header "X-Api-Key: ${CROSS_SEED_API_KEY}" \ - "http://${CROSS_SEED_HOST}:${CROSS_SEED_PORT}/api/webhook" -) - -if [[ "${response}" != "204" ]]; then - printf "Failed to search cross-seed for '%s'\n" "${SEARCH_PATH}" - exit 1 -fi - -printf "Successfully searched cross-seed for '%s'\n" "${SEARCH_PATH}" - -sleep "${CROSS_SEED_SLEEP_INTERVAL}" diff --git a/kubernetes/apps/qbittorrent/qbittorrent/ks.yaml b/kubernetes/apps/qbittorrent/qbittorrent/ks.yaml deleted file mode 100644 index 25ac12ef..00000000 --- a/kubernetes/apps/qbittorrent/qbittorrent/ks.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app qbittorrent - namespace: flux-system -spec: - targetNamespace: qbittorrent - commonMetadata: - labels: - app.kubernetes.io/name: *app - interval: 10m - path: "./kubernetes/apps/qbittorrent/qbittorrent/app" - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: true - dependsOn: - - name: openebs - - name: volsync - - name: external-secrets-stores - postBuild: - substitute: - APP: *app - VOLSYNC_CAPACITY: 2Gi - VOLSYNC_STORAGECLASS: zfs-generic-nfs-csi - VOLSYNC_SNAPSHOTCLASS: zfs-generic-nfs-csi ---- -# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app qbittorrent-tools - namespace: flux-system -spec: - targetNamespace: qbittorrent - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/qbittorrent/qbittorrent/tools - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/apps/qbittorrent/qbittorrent/tools/helmrelease.yaml b/kubernetes/apps/qbittorrent/qbittorrent/tools/helmrelease.yaml deleted file mode 100644 index 23694f0d..00000000 --- a/kubernetes/apps/qbittorrent/qbittorrent/tools/helmrelease.yaml +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: qbtools -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.4.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - dependsOn: - - name: qbittorrent - namespace: qbittorrent - values: - controllers: - tagging: - type: cronjob - cronjob: &cronJobSpec - schedule: "@hourly" - timeZone: &timeZone America/Chicago - concurrencyPolicy: Forbid - successfulJobsHistory: 1 - failedJobsHistory: 1 - initContainers: - tagging: &container - image: - repository: ghcr.io/buroa/qbtools - tag: v0.16.10@sha256:fec06dd13ec90694110ca912eb9003d3a46d29be83944538599b35fc78dcbf18 - env: - TZ: *timeZone - POD_NAMESPACE: - valueFrom: - fieldRef: - fieldPath: metadata.namespace - args: [ - "tagging", - "--added-on", - "--expired", - "--last-activity", - "--sites", - "--unregistered", - "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local", - "--port", "80", - "--config", "/config/config.yaml" - ] - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - resources: - requests: - cpu: 25m - limits: - memory: 256M - containers: - unregistered: - <<: *container - args: [ - "prune", - "--exclude-category", "manual", - "--exclude-category", "music", - "--exclude-tag", "added:24h", - "--include-tag", "unregistered", - "--dry-run", - "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local", - "--port", "80" - ] - expired: - <<: *container - args: [ - "prune", - "--exclude-category", "manual", - "--exclude-category", "music", - "--include-tag", "expired", # defined in config.yaml - "--include-tag", "added:7d", - 
"--dry-run", - "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local", - "--port", "80" - ] - pod: - restartPolicy: OnFailure - orphaned: - type: cronjob - cronjob: - <<: *cronJobSpec - schedule: "@daily" - containers: - app: - <<: *container - args: [ - "orphaned", - "--exclude-pattern", "*_unpackerred*", - "--exclude-pattern", "*/manual/*", - # "--dry-run", - "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local", - "--port", "80" - ] - pod: - restartPolicy: OnFailure - reannounce: - containers: - app: - <<: *container - args: [ - "reannounce", - "--process-seeding", - "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local", - "--port", "80" - ] - defaultPodOptions: - securityContext: - runAsNonRoot: true - runAsUser: 568 - runAsGroup: 568 - seccompProfile: { type: RuntimeDefault } - persistence: - secret-file: - type: secret - name: qbtools-secret - globalMounts: - - path: /config/config.yaml - subPath: config.yaml - readOnly: true - media: - type: nfs - server: 10.1.1.13 - path: /eru/media - advancedMounts: - orphaned: - app: - - path: /data/nas-media - subPath: qb/downloads diff --git a/kubernetes/apps/qbittorrent/qbittorrent/tools/kustomization.yaml b/kubernetes/apps/qbittorrent/qbittorrent/tools/kustomization.yaml deleted file mode 100644 index 6b4d0b3a..00000000 --- a/kubernetes/apps/qbittorrent/qbittorrent/tools/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./qbtools.secret.sops.yaml - - ./helmrelease.yaml diff --git a/kubernetes/apps/qbittorrent/qbittorrent/tools/qbtools.secret.sops.yaml b/kubernetes/apps/qbittorrent/qbittorrent/tools/qbtools.secret.sops.yaml deleted file mode 100644 index ea848a7d..00000000 --- a/kubernetes/apps/qbittorrent/qbittorrent/tools/qbtools.secret.sops.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: qbtools-secret -stringData: - config.yaml: ENC[AES256_GCM,data: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,iv:FszW51oSi/iKN1cquyhF+HwStHgpgmioyopdJriuiOw=,tag:GYaRuyCgXuGVWyxShyH39Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UzFWbHB0bVlGQXV4dEVt - ZUxrcnZ1MlFOY2o2eTl0cDV3T3BKdmNMUXg0CmcyejMzV1loSUNIMEw0K09yc3Ax - NGZOTE1tamV2a05kZm9lNkpoeG9OWm8KLS0tIEVVM01nSjhQYzBOZ0MrY2JpODRz - MGNWSGJmaXdkbUJDOHpCRk9YWUZVSm8KGGHivrtQfHayo6BGbH+Tch3fzVlFNU3s - lLec6VZauGjIXifXBLC5e65SrSO/nZS4xsurrZovOLn3DpeDQu/4+Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-15T17:21:52Z" - mac: ENC[AES256_GCM,data:V+K/2CEFommRZ7kkJlUSjOIMQL8c3OtnJnPT7heHpkGUm/XJ8JFAhqHc5G6D6bjN6vsXcr7X7b9Tm6OBNPHBCJIekBahySUThHc6IxhQrNVTMu2lNOS9B7+VwZN2oezmEwbpY+5dT+3angWiBy2k5XW/7hmVlz1mQX8tJBTUHOM=,iv:LorlvJFs067H6FI/UPvIgRi9xTReOTfv13IdInFhcAU=,tag:72TTcNC6Fh3SiWlJa2xgzg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.8.1 diff --git a/.archive/kubernetes/rook-ceph/kustomization.yaml b/kubernetes/apps/rook-ceph/kustomization.yaml similarity index 100% rename from .archive/kubernetes/rook-ceph/kustomization.yaml rename to kubernetes/apps/rook-ceph/kustomization.yaml diff --git a/.archive/kubernetes/rook-ceph/namespace.yaml b/kubernetes/apps/rook-ceph/namespace.yaml similarity index 100% rename from .archive/kubernetes/rook-ceph/namespace.yaml rename to kubernetes/apps/rook-ceph/namespace.yaml 
diff --git a/.archive/kubernetes/rook-ceph/rook-ceph/app/helmrelease.yaml b/kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml similarity index 87% rename from .archive/kubernetes/rook-ceph/rook-ceph/app/helmrelease.yaml rename to kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml index 916efb8f..bbb37b3a 100644 --- a/.archive/kubernetes/rook-ceph/rook-ceph/app/helmrelease.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml @@ -1,6 +1,6 @@ --- # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2beta2 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: rook-ceph-operator @@ -10,7 +10,7 @@ spec: chart: spec: chart: rook-ceph - version: v1.14.2 + version: v1.15.0 sourceRef: kind: HelmRepository name: rook-ceph @@ -30,7 +30,7 @@ spec: values: csi: provisioner: - image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.1 + image: registry.k8s.io/sig-storage/csi-provisioner:v5.0.2 cephFSKernelMountOptions: ms_mode=prefer-crc enableLiveness: true serviceMonitor: diff --git a/.archive/kubernetes/rook-ceph/rook-ceph/app/kustomization.yaml b/kubernetes/apps/rook-ceph/rook-ceph/app/kustomization.yaml similarity index 100% rename from .archive/kubernetes/rook-ceph/rook-ceph/app/kustomization.yaml rename to kubernetes/apps/rook-ceph/rook-ceph/app/kustomization.yaml diff --git a/kubernetes/apps/rook-ceph/rook-ceph/app/rook-ceph-dashboard-password.secret.sops.yaml b/kubernetes/apps/rook-ceph/rook-ceph/app/rook-ceph-dashboard-password.secret.sops.yaml new file mode 100644 index 00000000..b8c53f9d --- /dev/null +++ b/kubernetes/apps/rook-ceph/rook-ceph/app/rook-ceph-dashboard-password.secret.sops.yaml 
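Review bot: The first hunk bumps `apiVersion` to `helm.toolkit.fluxcd.io/v2` but leaves the editor schema comment pointing at `helmrelease-helm-v2beta2.json`, so the language server will validate the resource against the wrong API version. The same mismatch appears in the cluster HelmRelease hunk that follows (`helmrelease_v2beta2.json` on ks.hsn.dev). I would update the comment to the v2 schema, e.g. `# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json`, and the equivalent v2 file for the ks.hsn.dev one. The `csi-provisioner` image override is pinned by tag only, whereas the other images on this page are pinned with `@sha256:` digests; consider pinning the digest here too so the override stays reproducible.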
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Secret +metadata: + name: rook-ceph-dashboard-password +stringData: + password: ENC[AES256_GCM,data:5AzZOH8yd3PqieJ3AWMys4xOGu8=,iv:VPikjUWKO3RNSE+UZzUPDQcTYJi9EidxUucT5+xogdQ=,tag:cA2E3aOhtqus3u4X2CQ/Cw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2WVNxRkFxTm9lWmZqYXcw + SlFVNjhveWU2OVZIM0VnMU9qcm9RcjlZeGhFCmsyTGtubWFsdU4xTG9DREhOdkRU + Z0MrVFdzZEw0T0h4RGpvTm9uYUsybmcKLS0tIGVmWmwrV2FieDF3OXc2Rm9FVTRB + RHFiSFptTjlHTDd4QU9mVFBXVkw0SmcKpJnJHKbnqKeDqJ9huXKF4ZV+/fhQgyXO + zq3TcV4e/5ZQ2ygxOh+E9CkV9fk0gmHcIMCg86OZtH2aUIiJDPF0uw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-15T16:01:56Z" + mac: ENC[AES256_GCM,data:8fHRQCoV96iiJQJNbiXnaTujH4GEaRK3Tiqh/BTyuw9FJWm54XPpIoBzHIJ7mIgkMtGcSZ/LrLde/0CUFlhNp5X15cVi2VA5VZEgt4ZJ0s8nSsb38Io8RQj6v3d25XqtbITlLIH7yJWHhAnYE5wdEX9anNKVGkT0PXg+xtXe5ro=,iv:YyD3AQeooIOhC6c7Z1nm4s1Un1sIgnrovu6Uf2bjv4g=,tag:H/FHhEdWH3tad1PSZBZYYg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/.archive/kubernetes/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml similarity index 87% rename from .archive/kubernetes/rook-ceph/rook-ceph/cluster/helmrelease.yaml rename to kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml index a02aed2d..1a0c6850 100644 --- a/.archive/kubernetes/rook-ceph/rook-ceph/cluster/helmrelease.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml @@ -1,6 +1,6 @@ --- # yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2beta2 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: rook-ceph-cluster 
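Review bot: The new `rook-ceph-dashboard-password` Secret is added next to an `app/kustomization.yaml` that is a 100%-similarity rename, so unless the archived kustomization already listed `rook-ceph-dashboard-password.secret.sops.yaml` under `resources`, this file will never be applied; please confirm. The Secret also carries no `metadata.namespace`, so its placement depends on a `namespace:` in that kustomization or the Flux Kustomization's `targetNamespace`, neither of which is visible here. It is encrypted to the single recipient `age1gr4js…`, which matches the rotated recipient in the other sops files on this page.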
@@ -10,7 +10,7 @@ spec: chart: spec: chart: rook-ceph-cluster - version: v1.14.2 + version: v1.15.0 sourceRef: kind: HelmRepository name: rook-ceph @@ -49,8 +49,11 @@ spec: bdev_enable_discard = true bdev_async_discard = true osd_class_update_on_start = false - osd_pool_default_size = 1 cephClusterSpec: + mgr: + modules: + - name: pg_autoscaler + enabled: true network: provider: host connections: @@ -64,33 +67,35 @@ spec: storage: useAllNodes: true useAllDevices: false - deviceFilter: "nvme2n1" + deviceFilter: "nvme0n1" resources: mgr: requests: - cpu: 500m + cpu: 10m memory: 512Mi limits: cpu: 2000m memory: 2Gi mon: requests: - cpu: 500m + cpu: 10m memory: 1Gi limits: cpu: 4000m memory: 4Gi osd: requests: - cpu: 500m - memory: 4Gi + cpu: 10m + memory: 1Gi limits: cpu: 4000m - memory: 8Gi + memory: 3Gi cephBlockPools: - name: ceph-blockpool spec: failureDomain: host + replicated: + size: 3 storageClass: enabled: true name: ceph-block @@ -116,16 +121,20 @@ spec: - name: ceph-filesystem spec: metadataPool: + replicated: + size: 3 dataPools: - failureDomain: host + replicated: + size: 3 name: data0 metadataServer: activeCount: 1 activeStandby: true resources: requests: - cpu: 1000m - memory: 4Gi + cpu: 10m + memory: 1Gi limits: memory: 4Gi storageClass: @@ -153,14 +162,19 @@ spec: spec: metadataPool: failureDomain: host + replicated: + size: 3 dataPool: failureDomain: host + erasureCoded: + dataChunks: 2 + codingChunks: 1 preservePoolsOnDelete: true gateway: port: 80 resources: requests: - cpu: 1000m + cpu: 10m memory: 1Gi limits: memory: 2Gi diff --git a/.archive/kubernetes/observability/alertmanager-silencer/app/kustomization.yaml b/kubernetes/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml similarity index 100% rename from .archive/kubernetes/observability/alertmanager-silencer/app/kustomization.yaml rename to kubernetes/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml 
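Review bot: In the `@@ -64,33 +67,35 @@` hunk, `deviceFilter` changes to `"nvme0n1"` while `useAllNodes: true` is kept, so the assumption that `nvme0n1` is the spare OSD drive (and never the Talos install disk) on every node is now load-bearing but recorded nowhere; a comment would help, e.g. `deviceFilter: "nvme0n1"  # dedicated OSD disk on every node; must never match the install disk`. Dropping `osd_pool_default_size = 1` in favour of explicit `replicated: size: 3` on each pool is the right direction, but the erasure-coded object data pool (`dataChunks: 2`, `codingChunks: 1`) with `failureDomain: host` needs at least three hosts, so that node-count assumption is worth stating next to it as well. The enclosing `values:` block begins and ends outside these hunks.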
diff --git a/.archive/kubernetes/rook-ceph/rook-ceph/ks.yaml b/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml similarity index 96% rename from .archive/kubernetes/rook-ceph/rook-ceph/ks.yaml rename to kubernetes/apps/rook-ceph/rook-ceph/ks.yaml index c8342f26..ce6fcefc 100644 --- a/.archive/kubernetes/rook-ceph/rook-ceph/ks.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml @@ -14,7 +14,7 @@ spec: prune: false # never should be deleted sourceRef: kind: GitRepository - name: homelab + name: theshire wait: false interval: 30m retryInterval: 1m @@ -35,7 +35,7 @@ spec: prune: false # never should be deleted sourceRef: kind: GitRepository - name: homelab + name: theshire wait: false interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/security/external-secrets/app/helmrelease.yaml b/kubernetes/apps/security/external-secrets/app/helmrelease.yaml index 11c47cc2..6a141b96 100644 --- a/kubernetes/apps/security/external-secrets/app/helmrelease.yaml +++ b/kubernetes/apps/security/external-secrets/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: external-secrets - version: 0.10.2 + version: 0.10.0 interval: 30m sourceRef: kind: HelmRepository diff --git a/kubernetes/apps/security/external-secrets/cluster-secrets/kustomization.yaml b/kubernetes/apps/security/external-secrets/cluster-secrets/kustomization.yaml deleted file mode 100644 index 1f608ccb..00000000 --- a/kubernetes/apps/security/external-secrets/cluster-secrets/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./pgo-s3-creds.yaml diff --git a/kubernetes/apps/security/external-secrets/cluster-secrets/pgo-s3-creds.yaml b/kubernetes/apps/security/external-secrets/cluster-secrets/pgo-s3-creds.yaml deleted file mode 100644 index daba91e3..00000000 
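Review bot: The external-secrets HelmRelease hunk moves `version` backwards from `0.10.2` to `0.10.0` with no stated reason, which reads like a rebase or copy-from-branch artifact rather than a deliberate downgrade. If it is intentional, record why next to it, e.g. `version: 0.10.0  # pinned below 0.10.2 because <reason>`; otherwise restore `0.10.2`. A Helm downgrade does not necessarily revert CRD changes introduced by the newer chart, so that is worth checking before this is applied.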
--- a/kubernetes/apps/security/external-secrets/cluster-secrets/pgo-s3-creds.yaml +++ /dev/null @@ -1,41 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/clusterexternalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ClusterExternalSecret -metadata: - name: pgo-s3-creds -spec: - externalSecretName: pgo-s3-creds - - namespaceSelector: - matchLabels: - pgo-enabled-hsn.dev: "true" - - refreshTime: "1m" - - externalSecretSpec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - - target: - name: pgo-s3-creds - creationPolicy: Owner - template: - engineVersion: v2 - data: - s3.conf: | - [global] - repo1-s3-key={{ .pgo_crunchy_postgres_access_key }} - repo1-s3-key-secret={{ .pgo_crunchy_postgres_secret_key }} - - dataFrom: - - extract: - key: pgo-s3-creds - rewrite: - - regexp: - source: "[-]" - target: "_" - - regexp: - source: "(.*)" - target: "pgo_$1" diff --git a/kubernetes/apps/security/external-secrets/ks.yaml b/kubernetes/apps/security/external-secrets/ks.yaml index 12583cbf..f3cf7c8d 100644 --- a/kubernetes/apps/security/external-secrets/ks.yaml +++ b/kubernetes/apps/security/external-secrets/ks.yaml @@ -11,7 +11,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true --- # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 
@@ -26,25 +26,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: true dependsOn: - name: external-secrets ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: external-secrets-cluster-secrets - namespace: flux-system -spec: - interval: 10m - path: "./kubernetes/apps/security/external-secrets/cluster-secrets" - prune: true - sourceRef: - kind: GitRepository - name: homelab - wait: true - dependsOn: - - name: external-secrets - - name: external-secrets-stores diff --git a/kubernetes/apps/security/external-secrets/stores/onepassword/secret.sops.yaml b/kubernetes/apps/security/external-secrets/stores/onepassword/secret.sops.yaml index e3f99d72..b5f59d11 100644 --- a/kubernetes/apps/security/external-secrets/stores/onepassword/secret.sops.yaml +++ b/kubernetes/apps/security/external-secrets/stores/onepassword/secret.sops.yaml 
@@ -4,24 +4,24 @@ metadata: name: onepassword-connect-token namespace: security stringData: - token: ENC[AES256_GCM,data:QxB/aN8td7/dqGV1RCnTam7+Q9cKiZUBaj9D2hcpZxVDqA0MSPCelxTdKyerZUKNTd26vx1XGms2NEVaDsM9Vw115/JB8X7RVEFIIJHoy/9ikhFL3gUAEkC1fPBq75kDdbDqygBcxTvx5W6WMfSQcyRnEzyaVxLpxDMAYtLRq2EEoaWSMl5y2UGeLDexv/L7FVP5COIwUedJdxc5c6L9oHpU2tumFXigGFVlDpcYUMOOPirvx+R1RNQWS14eGEvKTzrCDicS4Strvgscb9n+sJrqHZaq9Ym0YYNTtrqODPsozR97whT+UQwprHoSJhOtuKglFsszOfRGQoz3pAbLGOX08cZWSLOPw+rxFcJeRTlnVvgG+zDP3XdjWvQ9eSRKe5tfA17lHjoZLWSgA39lIwhVB5wjKsHMyWdwBBnGi/rb2IPdo/hf12ww/dGZbU9fqML6vvZ/p4or37S8BJI/OVxqN+1zOdY5841hjswvj/Ors3Vuhnz6EGPXOFs8kOXtrOD5VXygRaUBeRph8agqIg/ulJGGO56Fojz6lsnixUafb5WeWYIV1GRCq3WP646ko2FLx0KvJsT4YxhWFW8bZrRpS3xnEWiXdKwjQgXnccuni7ywW/xU53rDUfWwvTQ1j/p3jJeiKwqZ7w9kZk6o0Bz3tTIHRPOjnyhcLXHnhWxAxjMOHBHrOaSSvjoCo4AiG3rBSfWwYP7pv0mTsWtJDF3s0R0hY+skYsUa5C1NcaLeUKS/fxxjnGS0XmAOrFZ3eJiw2iuFhJzTB6griFlyCFIvaUdnJZEP2eCXzP5irngfDkdG3retxeqGbAqQJ9oXUmR/YBnvrUBqiDWQPLWWZkni3w==,iv:5nlZDxvy5MB4+lDLvAl1TYThf6DS8I9i/skcDgAk7Gs=,tag:na0sMJLIKYggiALNtLMYzQ==,type:str] + token: ENC[AES256_GCM,data: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,iv:POTdDElcc73BdePxMH8Hh25FrLlRvxQRUJxNidKvOI8=,tag:zm9QUdRtbHsvB760nEUPRQ==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 + - recipient: age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZHo5aWdxVndCUkdCSEc4 - dkFkeGQ5ZkY2Rk4wM0RuaGxvU2g3K1JGTEJNCnJpYm1DbXBQOTdGSjVITU8xaE5D - RGRoYjVHWVh5Rno4THIvMmlZWWJVWncKLS0tIEVQNmQ1TTA2V0VjdWw2SU9WbUNt - VkJYWGZnMEJOdlkweS82RjFQdGtHekkK1LCJ2Ww1Ar1fXcepNTldf/hiBVbYdGRf - NwCgEa18sMHVVx1XdhBT67bhQewIr6yYHk4jX8y22ScS9GTx9syD4g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcjhjK0VGeW5IcEtERUZ1 + c1Z3cDFZSk9DSStGQTZYOVJ4ZzNXZU53d3dNCndpZ3lXc1Jjb1RRUUI5Y3JjZzh0 + 
WGJvRHU5SStIOTBoVmEwN3BwdWpLRzgKLS0tIDJZNFJtUis2b0c3QnROUitKWi9R + Y1EvNC9UaGpvVmJIMHpTY1NiNWhHVUkKcK1eZc8u7nzSptujFovG2wk9L4RAEJrZ + Hridg1dfyzB07MHFSEJjJ7++sQXfb7ejWolF6CUkUfkoBRABBbNHfg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-04T15:57:16Z" - mac: ENC[AES256_GCM,data:ts36iBxIjPOZX0/ok9ReTpbVWYCheUcc4gi/euWVbju+b1DPighNCNCTC00ML+XvIz8UxkF6+xFl51pe+Ly8ckNb7PlMg7tsv3WmWAn6jRXSR2phrioD9pKGiIhUvi3mmESE9Vh86vz6Iqu0HjvE5IF5MCkVIL4WRbjWChBjeDs=,iv:9vLtxB3w8gg91o4wzvNuhd3v4ORtqvtT7n42ijVadSo=,tag:c7Julm3rUYMBrGymaXhVFA==,type:str] + lastmodified: "2024-07-14T17:20:14Z" + mac: ENC[AES256_GCM,data:ZW7BoxV719vb/tOS9sPTIh8WXT873Gj05A+jZbEA1KlMDR8uM2ntOM1snE4J9NrJedkXNZdsopuBj1+DXDUJWhxtq2WrCKCw00jseP6t//cOZiD+J+hdNdSY/mdCRWrkq6698Z81hU7mdeNXGGOMobEGy6lSqx4hvaL/PvTXWto=,iv:+OGR+hsJrH1h+snFsVSBnI6lAbxIUPJ8asTWxzq0sfQ=,tag:zgmKXoziT/YMnl1S72mvsA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.8.1 diff --git a/kubernetes/apps/security/namespace.yaml b/kubernetes/apps/security/namespace.yaml index f27af201..2a072aea 100644 --- a/kubernetes/apps/security/namespace.yaml +++ b/kubernetes/apps/security/namespace.yaml @@ -6,4 +6,3 @@ metadata: labels: kustomize.toolkit.fluxcd.io/prune: disabled volsync.backube/privileged-movers: "true" - pgo-enabled-hsn.dev: "true" diff --git a/kubernetes/apps/volsync-system/snapshot-controller/ks.yaml b/kubernetes/apps/volsync-system/snapshot-controller/ks.yaml index c4a0ce3e..9144d973 100644 --- a/kubernetes/apps/volsync-system/snapshot-controller/ks.yaml +++ b/kubernetes/apps/volsync-system/snapshot-controller/ks.yaml @@ -14,7 +14,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire wait: false interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/volsync-system/volsync/ks.yaml b/kubernetes/apps/volsync-system/volsync/ks.yaml index 9ad9450e..7079decb 100644 --- a/kubernetes/apps/volsync-system/volsync/ks.yaml +++ b/kubernetes/apps/volsync-system/volsync/ks.yaml 
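Review bot: This hunk re-encrypts the `onepassword-connect-token` Secret to the new recipient `age1gr4js…`, but re-encryption alone does not revoke access for holders of the previous key `age1eqlaq…`: the old ciphertext stays in git history and, unless the 1Password Connect token value itself was rotated at the same time (the `data:` payload is not visible here), it remains recoverable with the old age key. The same consideration applies to `age-key.sops.yaml` in the `@@ -5,24 +5,24 @@` hunk below and to the deleted `git-deploy-key.sops.yaml`. If the old age key is considered compromised, rotate the underlying credentials as well and say so in the commit message; if it is merely being retired, a one-line note in the description would make that clear.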
@@ -15,7 +15,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire dependsOn: - name: snapshot-controller wait: false diff --git a/kubernetes/bootstrap/flux/age-key.sops.yaml b/kubernetes/bootstrap/flux/age-key.sops.yaml index 34349822..80a2d5e1 100644 --- a/kubernetes/bootstrap/flux/age-key.sops.yaml +++ b/kubernetes/bootstrap/flux/age-key.sops.yaml 
@@ -5,24 +5,24 @@ metadata: name: sops-age namespace: flux-system stringData: - age.agekey: ENC[AES256_GCM,data:f+9hVYtS9xNgh3KSpC7HtIzSWnFEEtKNijhT4NWi9Yx3dlRuX50vhc8exLYcjcIbytCwMtTCI4xAjUk4TkxlGaj5DzhU/rdvE+c=,iv:uzhwlqMG1F2rb4XM00EXCI8mpCcKMTn1a2KPH/NGYqo=,tag:Ao+cLYINlL1AfJGFR9EG/A==,type:str] + age.agekey: ENC[AES256_GCM,data:8L4sA+w2MgvnU0NtOV9BYknpSldy0a44pWZMBx2ApbuEpR3wdrS+BSERkBdsMplpbGP3brnsroT+g+O61288In4KIi7KN7NGM8A=,iv:h0FObEI4kdVtZmmsDGPv6ObWYt5A234ko5yxuDKrC0E=,tag:9n3M8bS+UXxK84xVyg/NPA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 + - recipient: age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cVRSZUZjR1Y2Q0U2RUJC - M05wdVdhWU1oTjZBeTliNDR1V29KN3hKMFN3ClJJQkx2RTRSL2V4ZjR2QmJQUGph - ZUo3UlpPaVc4YjdJbGRkaVhTQmpHVGsKLS0tIFlYMHY2a1FjZ2xobUpKNnRwSDhV - eE1VUmwxNjU0SVAvaWF1dVNKMlV6ZzAKrxZ1g+mkSBNECmd+sf5Z4L7xVDaFw1g/ - hUoFCpjo7fiGS0ru7lhkLzBAwRflWDkpjn75W/18ULaF69bsF9swPQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArWDdNdVBzZHpaMUZ3K25G + NlJob25tL0hQRy9sUFhycUt2Y3hjNG5mSlZRCjdvL3dJMHhCdU5VWXFGSXpibzhr + Y2IrdFdiMEo2V2NtR2k3NmxJUVBZQ0UKLS0tIEFNYlJ1S1hLeWUrYytXUVR1aHpI + T2tRMEtZMTN2N0Q3QzFjSEJPSVEzUEkKDi1Qs4BoV4p5W4/V0ZnzHKq9LC7Facow + 1RBbZInKHgeEZRLxvpFNSNnlwXIm2kA7U+uVojSn9ogoRitWvKWXYA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-11T22:06:47Z" - mac: ENC[AES256_GCM,data:Sg8eZvpifFdLezfcQ8FFwCUzQpCzx+iOrje2E2fVM4AcIcVR/i3zrdCOzJ252W7Fe6mreVpZA0rKKePCEH1A6ZSvjnPKpMvAdhei7BMyIkDs/8VDJMjZOJOWmtLNIwCYIbkwA+cOnFfufnRdSp7/NsqVo+8STOcr4qWAyfDenVQ=,iv:FHFTiD1NtBHslxuTwdmxw3Xb31F9xK6hhKdw0szXfkk=,tag:MbNsGc1ZW1biUOEDFRTSMQ==,type:str] + lastmodified: "2024-07-14T17:22:04Z" + mac: 
ENC[AES256_GCM,data:kJvNLW5Bi1fcEPQt0jibZ/T82PHdTDU3UatLDjM2uIq7EFWriG25w/WFlCCOeJHKQl7lbUccp71najmsGxUC6Jp0vVpbwfzVSqS9M04eKQNyTTjId9/3jxw0Z3OmIm8WaXf3gN/5DD2vDESMRJqr7ngNyEtxK1I1vwQVTKYSrJY=,iv:7OEaCmL/DY9d+GA/nM7a+Hl4zNrmTdtQSVNstOnOUt8=,tag:LOYiR2ZTB9tUn/mO5wu8MA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.8.1 diff --git a/kubernetes/bootstrap/flux/git-deploy-key.sops.yaml b/kubernetes/bootstrap/flux/git-deploy-key.sops.yaml deleted file mode 100644 index 779a1627..00000000 --- a/kubernetes/bootstrap/flux/git-deploy-key.sops.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: git-deploy-key - namespace: flux-system -stringData: - #ENC[AES256_GCM,data:+GbB2yDDUQ4804/B/XphECCkAErDIe+JwXkhuXWDJw==,iv:EFYG8fEaGJt6ZVftO9px4cykuopjQcqNRTLPcT0vK+M=,tag:mPuA+9y+AZDA39/k1a4jmw==,type:comment] - identity: ENC[AES256_GCM,data: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,iv:NDF02vwyHT92i/twKnjrGihcEiz7FftXbXg9oIItvXE=,tag:ci/aPzQhaeeyPvolPNmFvA==,type:str] - #ENC[AES256_GCM,data:x6ZbaxSmg8cybQLBN60EMMz3b7wcB6zAgcRcPQVr/Y7boCjbVlfdNumSu1/+f2OPJLZLpK+URTqAIhtwDlEwPRabe3MMpQfE3ifKobKPmvws4pvbdPeHG1UEPpGeqh3VJLN8,iv:65mO126WzjKiEJYhjpZnaWftQ2YMnRhak8E2J7X2CfE=,tag:Zof3hhjPzrmOPNWSWkGaEg==,type:comment] - known_hosts: ENC[AES256_GCM,data:l/ARsf+jcjqEm9Jv9AgtrNqyKn6tonkNTjkUrGtol0a3leJoCnO8SXrJrwlOWvaD5IjZIqPO0tJlKfUYRwP4DGW/HRZ6H9leWWKR9eLu8X6ANlm7jr/MRn5D4Fmx,iv:uY0CTgfuVMzpevI2FVhWPU1MK4yWlD2MbJ+qBDW9hO0=,tag:aXXcO+Rx/kWgRgDgDr+4fQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTeS83SmdkZ2daM05UVkpO - RG1jM1lNVDREUGdQZmFuREdOaVIzQkd6MzN3CmdaQnRDbUJwTG9tZ2treFJ2RFFU - NkVWUlVVNlVJd2xSRkU0bUUzZDY0ZGMKLS0tIG8wRzZCZ29Pc0tNb3dVcnVyYWl6 - MmVnNzdNWU83MGl6TzFwNFYydHQ0WFkKMy8Ew8clnoYcNR9qicauSBlLDp8N8qvg - jAMftEoS6bUhSozWW4zCpcRK6hCTi8X+IsHe0niTotGRUZgPgdXUWg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-14T13:32:24Z" - mac: ENC[AES256_GCM,data:/QVk4SvDFbN2D3zqt+dlQBzPvnq1R+bbzLC9o5b28a9F3z2wtz8lwGh8OwSLJBcllPyqJNaouo5xYHESol/64Hw3D5MTHVbFDbP19t2IUGAzUUAgVjB31ytYXGGZeNcDCCUmIK669zwXSHuNsupXIvAcR5t3/LdvCk4HycnZumY=,iv:LdzNdMAQvq6bX/vT/IkFe7U7cMKpYdyCfNMdTJs4Qdw=,tag:ehlCqNXROdk8wKrP9kB0Rw==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.8.1 
diff --git a/kubernetes/bootstrap/helmfile.yaml b/kubernetes/bootstrap/helmfile.yaml index b3778dee..59dbb6bd 100644 --- a/kubernetes/bootstrap/helmfile.yaml +++ b/kubernetes/bootstrap/helmfile.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/helmfile.json +# yaml-language-server: $schema=https://json.schemastore.org/helmfile helmDefaults: wait: true waitForJobs: true @@ -10,6 +10,8 @@ helmDefaults: repositories: - name: cilium url: https://helm.cilium.io + - name: coredns + url: https://coredns.github.io/helm - name: postfinance url: https://postfinance.github.io/kubelet-csr-approver 
@@ -22,17 +24,37 @@ releases: namespace: kube-system chart: cilium/cilium version: 1.16.1 - values: ["../apps/kube-system/cilium/app/resources/values.yml"] - wait: true + values: + - ../apps/kube-system/cilium/app/helm-values.yml + needs: + - observability/prometheus-operator-crds + - name: coredns + namespace: kube-system + chart: coredns/coredns + version: 1.32.0 + values: + - ../apps/kube-system/coredns/app/helm-values.yml + needs: + - observability/prometheus-operator-crds + - kube-system/cilium - name: kubelet-csr-approver namespace: kube-system chart: postfinance/kubelet-csr-approver version: 1.2.2 - values: ["../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml"] - needs: ["cilium"] - # - name: spegel - # namespace: kube-system - # chart: oci://ghcr.io/spegel-org/helm-charts/spegel - # version: v0.0.23 - # values: ["../apps/kube-system/spegel/app/resources/values.yml"] - # wait: true + values: + - ../apps/kube-system/kubelet-csr-approver/app/helm-values.yml + needs: + - observability/prometheus-operator-crds + - kube-system/cilium + - kube-system/coredns + - name: spegel + namespace: kube-system + chart: oci://ghcr.io/spegel-org/helm-charts/spegel + version: v0.0.23 + values: + - ../apps/kube-system/spegel/app/helm-values.yml + needs: + - observability/prometheus-operator-crds + - kube-system/cilium + - kube-system/coredns + - kube-system/kubelet-csr-approver diff --git a/kubernetes/bootstrap/readme.md b/kubernetes/bootstrap/readme.md index 992f4486..3d8b73f0 100644 --- a/kubernetes/bootstrap/readme.md +++ b/kubernetes/bootstrap/readme.md @@ -18,7 +18,7 @@ talosctl bootstrap --nodes=10.1.1.61 ### Install Cilium & Spegel ```sh -helmfile apply -f kubernetes/bootstrap/helmfile.yaml +helmfile apply -f kubernetes/bootstrap/talos/apps/helmfile.yaml ``` ## Flux Prep diff --git a/kubernetes/bootstrap/talos/clusterconfig/.gitignore b/kubernetes/bootstrap/talos/clusterconfig/.gitignore index 9659ab10..5eca7771 100644 
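Review bot: The readme hunk in this same commit changes the bootstrap command to `helmfile apply -f kubernetes/bootstrap/talos/apps/helmfile.yaml`, but the releases here are added to `kubernetes/bootstrap/helmfile.yaml`; one of the two paths is wrong and the documented bootstrap will either fail or apply a different file. Every release also gains `needs: - observability/prometheus-operator-crds`, yet no release by that name is visible — the hunk starts inside the cilium entry, so if it is defined above, fine, otherwise helmfile will refuse to apply; a comment such as `# prometheus-operator-crds must be declared above; coredns here replaces the Talos-managed CoreDNS disabled in talconfig.yaml` would document the coupling for the next bootstrap. The dependency chain cilium → coredns → kubelet-csr-approver → spegel is reasonable since the CNI must be up before DNS pods can schedule, but note that until this helmfile runs the cluster has no DNS at all because talconfig disables the built-in CoreDNS.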
--- a/kubernetes/bootstrap/talos/clusterconfig/.gitignore
+++ b/kubernetes/bootstrap/talos/clusterconfig/.gitignore
@@ -1,2 +1,8 @@
+theshire-bilbo.yaml
+theshire-frodo.yaml
+theshire-sam.yaml
+theshire-pippin.yaml
+theshire-merry.yaml
+theshire-rosie.yaml
talosconfig
-homelab-shadowfax.yaml
+theshire-gandalf-01.yaml
diff --git a/kubernetes/bootstrap/talos/talconfig.yaml b/kubernetes/bootstrap/talos/talconfig.yaml
index 451226ac..a73d8e43 100644
--- a/kubernetes/bootstrap/talos/talconfig.yaml
+++ b/kubernetes/bootstrap/talos/talconfig.yaml
@@ -1,91 +1,139 @@ --- -# yaml-language-server: $schema=https://ks.hsn.dev/talhelper-schema.json -clusterName: homelab +# yaml-language-server: $schema=https://ks.hsn.dev/talconfig.json +clusterName: theshire -talosVersion: v1.8.0-alpha.1 +talosVersion: v1.7.6 kubernetesVersion: 1.30.2 -endpoint: "https://${clusterEndpointIP}:6443" +endpoint: "https://10.1.1.57:6444" -additionalApiServerCertSans: &san - - ${clusterEndpointIP} - - "127.0.0.1" # KubePrism +additionalApiServerCertSans: + - 10.1.1.57 -additionalMachineCertSans: *san +additionalMachineCertSans: + - 10.1.1.57 nodes: - - hostname: shadowfax + - hostname: bilbo disableSearchDomain: true - ipAddress: 10.1.1.61 + ipAddress: 10.1.1.62 controlPlane: true installDiskSelector: - busPath: /pci0000:20/0000:20:01.2/0000:2c:00.0/nvme/nvme4/nvme4n1 - machineDisks: - - device: /dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH3142017H2P0C - partitions: - - mountpoint: /var/mnt/nvme1 + busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/ networkInterfaces: - - interface: bond0 - dhcp: false - addresses: - - 10.1.1.61 - bond: - mode: active-backup - lacpRate: fast - miimon: 100 - deviceSelectors: - - hardwareAddr: 04:42:1a:ef:35:74 - driver: ixgbe - - hardwareAddr: 04:42:1a:ef:35:75 - driver: ixgbe - vlans: - - &vlan-iot - vlanId: 30 - mtu: 1500 - dhcp: true - dhcpOptions: - routeMetric: 4096 - kernelModules: - - name: nvidia - - name: nvidia_uvm - - name: nvidia_drm - - name: nvidia_modeset - schematic: - customization: - systemExtensions: - officialExtensions: - - siderolabs/amd-ucode - - siderolabs/nonfree-kmod-nvidia - - siderolabs/nvidia-container-toolkit - # Need talos 1.8 for nvidia and zfs to coexist - # https://github.com/siderolabs/extensions/issues/380 - - siderolabs/zfs - + - interface: eno1 + dhcp: true patches: - |- machine: sysctls: - net.core.bpf_jit_harden: 1 vm.nr_hugepages: "1024" - - &kubelet_extra_mounts |- - machine: - kubelet: - extraMounts: - - destination: /var/mnt/nvme1 - type: bind 
- source: /var/mnt/nvme1 - options: - - rbind - - rshared - - rw - # disables new feature that forwards kube-dns to host-dns 10.96.0.10 --> 10.96.0.9 + + - hostname: frodo + disableSearchDomain: true + ipAddress: 10.1.1.63 + controlPlane: true + installDiskSelector: + busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/ + networkInterfaces: + - interface: eno1 + dhcp: true + patches: - |- machine: - features: - hostDNS: - enabled: true - forwardKubeDNSToHost: false + sysctls: + vm.nr_hugepages: "1024" + - hostname: sam + disableSearchDomain: true + ipAddress: 10.1.1.64 + controlPlane: true + installDiskSelector: + busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/ + networkInterfaces: + - interface: eno1 + dhcp: true + patches: + - |- + machine: + sysctls: + vm.nr_hugepages: "1024" + + - hostname: pippin + disableSearchDomain: true + ipAddress: 10.1.1.65 + controlPlane: false + installDiskSelector: + busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/ + networkInterfaces: + - interface: eno1 + dhcp: true + patches: + - |- + machine: + sysctls: + vm.nr_hugepages: "1024" + + - hostname: merry + disableSearchDomain: true + ipAddress: 10.1.1.66 + controlPlane: false + installDiskSelector: + busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/ + networkInterfaces: + - interface: eno1 + dhcp: true + patches: + - |- + machine: + sysctls: + vm.nr_hugepages: "1024" + + - hostname: rosie + disableSearchDomain: true + ipAddress: 10.1.1.67 + controlPlane: false + installDiskSelector: + busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/ + networkInterfaces: + - interface: eno1 + dhcp: true + patches: + - |- + machine: + sysctls: + vm.nr_hugepages: "1024" + - hostname: gandalf-01 + disableSearchDomain: true + ipAddress: 10.1.1.68 + controlPlane: false + installDiskSelector: + busPath: /pci0000:00/0000:00:01.1/0000:02:00.0/virtio6/host6/target6:0:0/6:0:0:1/ + networkInterfaces: + - interface: enp5s0 + dhcp: 
true + patches: + - |- + machine: + sysctls: + vm.nr_hugepages: "1024" +worker: + schematic: + customization: + extraKernelArgs: + - net.ifnames=1 + systemExtensions: + officialExtensions: + - siderolabs/intel-ucode + - siderolabs/i915-ucode controlPlane: + schematic: + customization: + extraKernelArgs: + - net.ifnames=1 + systemExtensions: + officialExtensions: + - siderolabs/intel-ucode + - siderolabs/i915-ucode patches: # Disable search domain everywhere - |- @@ -116,6 +164,21 @@ controlPlane: enabled: true port: 7445 + # hostDNS configuration + - |- + machine: + features: + hostDNS: + enabled: true + resolveMemberNames: true + forwardKubeDNSToHost: false + + # coreDNS configuration + - |- + cluster: + coreDNS: + disabled: true + # Cluster configuration - |- cluster: @@ -142,6 +205,22 @@ controlPlane: advertisedSubnets: - 10.1.1.0/24 + # Configure containerd + - |- + machine: + files: + - op: create + path: /etc/cri/conf.d/20-customization.part + content: | + [plugins] + [plugins."io.containerd.grpc.v1.cri"] + enable_unprivileged_ports = true + enable_unprivileged_icmp = true + [plugins."io.containerd.grpc.v1.cri".containerd] + discard_unpacked_layers = false + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + discard_unpacked_layers = false + # Disable default API server admission plugins. - |- - op: remove @@ -170,21 +249,6 @@ controlPlane: nodeIP: validSubnets: - 10.1.1.0/24 - extraMounts: - - destination: /var/openebs/keys - type: bind - source: /var/openebs/keys - options: - - bind - - rshared - - rw - - destination: /var/openebs/local - type: bind - source: /var/openebs/local - options: - - bind - - rshared - - rw # Custom sysctls - |- @@ -197,7 +261,7 @@ controlPlane: net.core.wmem_max: "2500000" # Configure nfs mount options - - | + - |- machine: files: - op: overwrite diff --git a/kubernetes/bootstrap/talos/talenv.sops.yaml b/kubernetes/bootstrap/talos/talenv.sops.yaml index e531a59c..74ec21eb 100644 
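Review bot: The new worker nodes (pippin, merry, rosie and gandalf-01, all `controlPlane: false`) only receive the added `worker.schematic` block, while every machine-level patch — hostDNS, the containerd customization, kubelet `nodeIP.validSubnets`, the sysctls and the NFS mount options — still sits under `controlPlane.patches`, which as far as I can tell talhelper applies to control-plane nodes only (the previous single-node cluster never exercised this; please confirm against the talhelper schema). Unless worker-only behaviour is intended, move the shared patches to the top-level `patches:` key or mirror them under `worker.patches`. Separately, `net.core.bpf_jit_harden: 1` is dropped from bilbo's sysctl patch and set on no other node; if that was deliberate (for example for Cilium datapath performance) a comment `# bpf_jit_harden intentionally unset: <reason>` would stop it reading as an accidental hardening regression. The endpoint is now the literal `https://10.1.1.57:6444` instead of the sops-sourced `${clusterEndpointIP}`; for an RFC 1918 address that is acceptable, but the talenv hunk removes the variable, so anything else still referencing it will no longer render.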
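Review bot: `enable_unprivileged_ports = true` and `enable_unprivileged_icmp = true` in the new `/etc/cri/conf.d/20-customization.part` relax containerd's defaults for every pod on the node: non-root containers may bind ports below 1024 without CAP_NET_BIND_SERVICE and open ICMP sockets without NET_RAW. That is a policy decision rather than a tuning knob, so it deserves a comment naming the workload that needs it, e.g. `# unprivileged ports/ICMP: needed by <app>; widens what non-root pods may bind node-wide` — and if only one application needs a low port, a per-pod `securityContext.sysctls` entry for `net.ipv4.ip_unprivileged_port_start` would be the narrower fix. The two `discard_unpacked_layers = false` settings are presumably for Spegel's peer-to-peer image serving (added to the bootstrap helmfile in this commit); a one-line comment tying them to Spegel would keep a future cleanup from re-enabling layer discard and silently breaking it.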
--- a/kubernetes/bootstrap/talos/talenv.sops.yaml
+++ b/kubernetes/bootstrap/talos/talenv.sops.yaml
@@ -1,22 +1,21 @@ -CLUSTER: ENC[AES256_GCM,data:2U1tPNOF/w==,iv:BE6ZEuh9SJirZ48ICFuf7RqnJhfOOu6PjEXwLDPG6vU=,tag:zk5eyFqcOmui6d70LQ7WtA==,type:str] -clusterEndpointIP: ENC[AES256_GCM,data:1gDw0FqQQZ9/,iv:OQ64In7KPn0nqWran1U2/oEHkHSyQsZNM8/beAN1C1M=,tag:diqiZHPcGZ7DVgZGFKJyJw==,type:str] +CLUSTER: ENC[AES256_GCM,data:umawZ1n1Sdc=,iv:NUC2lO+edizITkQYC2YtVYQkesPWDj7drFyyaHoyiKI=,tag:bmWfCArxFM9BCdZZgoFzMA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 + - recipient: age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzanFETE1WblA4cE1xTHVi - R2p3UkZPMmNDRmdjRTRxeWFWUzUxdkRlRkdnCldJTUZRNndOQkp4TlNtUDNjdVg5 - ZVY4UkJKNCtjTlpKaFkxMXI1b2RiNDgKLS0tIG5Hc2tJMCtWUm85emNwS2xwS0hn - WUlNeVV1T2YxbjJCRU9ubVJheHNBTnMKzgZCLTz1Qo/91EFcHXxdKGosdRKKN/tB - VsfaNH/b5S2N8FN1wQ03Dn2nqwCqwiPAoNo8La/7ZHjzvNiXTCOFmQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZm9HeXI2dVN3cERya0lo + dnc0bXAxMEtITkxvM1Rka25vM3NiLzdaVmxNCkFFNW9CbnUxV0dhR2h0REVzbVBr + aGJhMlROWVV6aUFDWmU3MmtTejhLUjAKLS0tIHMvWmNkNVQ0OVJIdzV3Zkw1U1Nv + ekxtU1hrYmJuUkN6aVFnYkdDZ3ZtWk0K86+0Wqzsp9x3I/ZYvq11xMaHS0CR9+yD + Bwp1XZnn4taDz1H93+erJ+dgnjX/STg5KvGqPJQSi7COEZ7EJEJcyA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-08T13:48:53Z" - mac: ENC[AES256_GCM,data:SA9jJSCbgApT4qJfFNU/RVHhOX7ZdipQ6OmvBa4YqKEriUPD00ddp0musyQobdM3jrTK6P231FzwxYuAOQ+Y+xgWf+ylLyy/zcsVvdJbIzNPTsKwtC5J5zfhyvQK8fnRNP/3sP16X+jJ41iWF3yrPQ7nG7fGidsUPmpGDnGXKZg=,iv:dpHPBXm0OBeDGxbyMAu0qufoCahJb6u7d5KuHoP2d58=,tag:Mrnb8kGacrRvac5HF/BSvg==,type:str] + lastmodified: "2024-08-18T03:36:22Z" + mac: 
ENC[AES256_GCM,data:fiMzhJfGfmQaJgfDh5+jagPPc51vAe9cfpi4oCIouNDjWrCCjn5ZvaXgIqc19i9ZZhfRINaVag5fZXAm/9D2IIdzyB1jmrA3noCJiJ8ex4noHmmFTrTWdM41/Gth7LCcnrFdhnVKhr50/Zv8hMhFIYwW/iMZx0s7OW2QhHuM+y4=,iv:yofGL0biVVt4kXEA2ZY6O03Rh/CLxd++kVIMFDufjpA=,tag:9Jn8u2D+72dU6XvvkzjVIw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/kubernetes/bootstrap/talos/talsecret.sops.yaml b/kubernetes/bootstrap/talos/talsecret.sops.yaml index b95bdc1a..c3b7f153 100644 --- a/kubernetes/bootstrap/talos/talsecret.sops.yaml +++ b/kubernetes/bootstrap/talos/talsecret.sops.yaml 
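Review bot: The age recipient changes from `age1eqlaq…` to `age1gr4js…` here and in the other `.sops.yaml` files in this commit, but nothing in the diff updates the repository's `.sops.yaml` creation rules or the in-cluster `sops-age` Secret that the Flux Kustomizations reference through `decryption.secretRef` — if the cluster still holds the old private key, Flux will fail to decrypt every re-encrypted file. Please confirm both were rotated out of band and that the new private key is backed up, since it now guards the Talos PKI material in talsecret.sops.yaml. The old recipient also encrypted the `git-deploy-key` Secret deleted in this commit; if that key is being retired, revoke the SSH identity on the git server rather than only removing the file.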
@@ -1,43 +1,43 @@ cluster: - id: ENC[AES256_GCM,data:UHPqS+IVqzbdmn1pE5bQhXOhGx6gR4/2oVB8Lk0a0ymWNExcDcF7g3yk5zQ=,iv:1jK+boXIDiQP+ly0CDdrIs21rhB8B/ew48/wGYfWlFY=,tag:GxnhoCpYRliDSfojWrPw2Q==,type:str] - secret: ENC[AES256_GCM,data:u8RwNAXrXVszAwVQL4N6o4nKWzjYeZwWkVS9mWFerj8lNHkXnONLb0O0irA=,iv:eKk1GRYbyQ1bzAgEBvbflhhI5WbUbcmtrj+JeEnXCTo=,tag:IgfY/AxtVYBCRkIE0To04A==,type:str] + id: ENC[AES256_GCM,data:V2YtYIv8A9WWvTuoF2/CR1NO8+1q2Equ8ZOUaucPfF6U9qhvUP+uv4S4jtA=,iv:EEKxybmjxwgQUQQmMjJjILqXF9dQIEd12IVNRPFZrWQ=,tag:Ptbux1JgNVoK7Pz1nrKKCw==,type:str] + secret: ENC[AES256_GCM,data:oNHFs9rSfa4eE1sWH5Ic+LhJy/LhlZKsrFUUAKLD01rc4eMIBxQJ2nr57HQ=,iv:/525So7ZKc5wnLcipQTZRQfe9sR94geO/g31vPZWHdU=,tag:he6ZefVTkKtcAfCZVKK/kw==,type:str] secrets: - bootstraptoken: ENC[AES256_GCM,data:NMKM2mMaufiLmTPVszoDQqKBvO4d7v4=,iv:KZCuFzUorMTa1EzxWuXtrcGFaEkg2farNEEKWXbP+n8=,tag:eEtHLLyx9X9IjPk8O+yPDw==,type:str] - secretboxencryptionsecret: ENC[AES256_GCM,data:HPj0tqieFtIiGJlR0pxh9jCAZmcOA/5w1qLqQp+IVmByBzBsCBbjhhaUSzU=,iv:LVjdw4wmbdibdNzHDx/BXgHuUkFxDsaJbb+cG8xkNiA=,tag:ioRDsL49FaGbMDsYn6UWug==,type:str] + bootstraptoken: ENC[AES256_GCM,data:eWRUQ6SjtVuOq9LWh5MrSno7vde4utY=,iv:n/5EtJsGSLBlVIApWyX//xt+XVEF982JxHq3yEX6OS4=,tag:OUkRcbJ4dnyWLbnMq/bnMw==,type:str] + secretboxencryptionsecret: ENC[AES256_GCM,data:NjluwnnjBMy59BIkwPLgxotehJ0IQcRf/GJZcTpZ92GHHUyFjB3Wf44oyi4=,iv:OLeP/Vb1g/csSMo+49KGYCIO+7+Ipe/KOMWWOnMc9QI=,tag:qV6xtBCd3xX4TcHj4qgsZQ==,type:str] trustdinfo: - token: ENC[AES256_GCM,data:A4HR27GCWE0KFgsWAx3ajY31sIv/RKY=,iv:ujNjMMxPgfGiP5NxfLfGSS2z6bUfZ/UMKR+lTFfsu3g=,tag:/ZR+1ZzWfkiyV/uxph/zgg==,type:str] + token: ENC[AES256_GCM,data:Ip2PW71VTN/dkxC+/RQicvUlGISgMAI=,iv:fZZUn2Ftd5FzALuWteGKOyIpGIUEG6FdW1zuqAj8jd8=,tag:zdpbA6xxSDrqG727WZY6hg==,type:str] certs: etcd: - crt: ENC[AES256_GCM,data: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,iv:X6cLCa7hfvT/BweU/ayRLUgyld2EMwCh/2NDqOIS+lo=,tag:97eVcBdCwQikwomD5WTQ2A==,type:str] - key: 
ENC[AES256_GCM,data:wdioeg95TLAG6gI3UdbPVtsuoRtLOTgR9PIDL+CSsWqXc4lsvSLP5aCIy1xRS5llukLRVup+UPE4P4JAUktfeZ+B1CRQgYX0kCbjyzXNRe7uT6YXQmrlP+YiSokHF2DFeFq8Kk75Ga56EphNy9wRTbKTSFXZI2/Ms/fTwistaOUjw3J+pweSHZehJY5x712RnYutYkR/b1qbMOt/lsKHcpZY8kXCZ9fyC4YG89eq6JdQBxmY10XFRDrQ7JY4gO9UpQj4rMFK5QARD1l7ugc8rn+G8RRdprufx+pJG4VBXRwb/I+Cs8jn7e6ycy9mWx/WJOMkr0C8nU2pc9l36fAD/BV+QG69XWfaiQngdAl3j5t9Dc0Qd1i87XhiIvdKRkHQh2fUR5xHLDJTDb62JcwvBg==,iv:J1l2/Dbul3xXE/oheb7Nno2Uq9XeioNd/Qm9GWRsRWA=,tag:WsdFmB4Qjp4AuweYzfJMAA==,type:str] + crt: ENC[AES256_GCM,data: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,iv:lERKTgwy/JwPPr3lpIi+XGCzAIyJm7vp56h3YAznrvg=,tag:rNwN25vdVwtN3gwJpOwe1w==,type:str] + key: ENC[AES256_GCM,data:eOpuui6FWL+DXaWG+tu2XohYdLz/DvaZVffvu6McFwlnmAB/vnRYdnkko/4OdOhzFg63JdnGeNuPz5k4R+pIGo3xwdXhOEjs+niCrCWKjs4xbvw3rd5hhqEZEMB0cNzA0AdnysDZLcyS1J4FrORVKO5cfbnmKUPnO9RP3Wcul7dmU8p1+z7i4huViPrapr6yrp6mima49G8CHS7EtvhsxRTcVr19RzNAY5z3284SyO3oxao245aOqhINwGhfxLQethrrtII/A8wlOHp1tbd94CNo2ulfT6tbI9/8YGZIwvudrqWUTm5pHJp/ujX51yaD6UcxLcdlqSbEavYJLzTsEP9VjCosD9oLmMmiM5AOYUJkLn7sQNyF6sunYqA6GHgTTEmwuaRo0F9flfCXYHztfg==,iv:1jy+OyiN/OkhLj9B/sLnIqpgehDPHVp6yNvFSoRgNwU=,tag:3femQl3Sd1N3UnGCw7tWFw==,type:str] k8s: - crt: ENC[AES256_GCM,data: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,iv:2BEqN19Z9PCIP4qGjfd1V2yjCO+btrMmoFXPhfRwQE8=,tag:1reTIU0ZcKSQWgNPuaxgcQ==,type:str] - key: ENC[AES256_GCM,data:KPaWyLWQ3rh4Yi6VafZ21RPoJIILbSR34sKKNWzZEhnG2qXkRrwOErT1tEc+8cBTp3AjWLeR5XeogEn/DpITRp5d/qwp+SmaSN52D5WZfIm1hlCMQJWNG1ajFE5OEffCHABBhUlcE4ektyiJp47sSYJ6UlNtaid6Xdj32kCUco2xa+isG7QNHO22bM2TuFAznMWk+7eBgKQ7wOtx3CpUyH/nR9k+zZBANreIo0BBH6E6yTUCKGqeoFwWFubMO3a3/UcS/9AmC79V809isMoFMn4uIRWfnNCTUaihadPdVUGt1R5N8O4DKqrFB3vNAbZVIhSEHIRuFSjLixssyu7tf28iyH7WG/vMRSvkC3qMS7+afDwMb+Z4e6tWvyE5+Rz5rlXlPVJ9l8NI2TjUzYeNcQ==,iv:a5FKNc3uG8HJ4Zk2cJUQO4q+ccOaV9nXq/23cCc97oM=,tag:WNpVMiC1rVJcZ7RQY+T+Dg==,type:str] + crt: 
ENC[AES256_GCM,data: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,iv:UQJB27AG9MZjstMtnZ+LOQ4gh7Ys+VWrzeKCdks487s=,tag:Ipa4LZsRzGK4gMaMstaQdw==,type:str] + key: ENC[AES256_GCM,data:hsOXE5F5/wHOmWoeAiy8pjB8A18D7Dkj+UiffZznMIqpEjje0zKsBJkxgTWECD+vX5Ad93pWj24JCukdmvmV0tfnWwjrwZeB3DUDau4xT6O4OgunQl+L6muzGI4b7Rin8z2PhKVGAh3lf2phtk866l5j6wf8fvbJqSi7OT7pNbabkbOgK208bR+c3VCG+0JyIF7ZeUG4tbeY3/zAMHW32tjJlwSqOSTjZ+hNnLZIpBcgTMKvS0eMX7DadAFAFxAhQLYTN/8VEgLKnIMYR5qJ6dSIrkonvmaPpZn1cGlvLMnRE5N+6X5kUVbySZiL+hgLt5QANlGepomxwuuwtZww6rSDMsWQVn2SVmdt1EuOwkQGv1LnlU2t3aElbpr4+jE2W7yWy5MpqckUkssOam1d9g==,iv:cgfKu/sKlDSjej7M2JnUBbESsxknsfw+Azt7BwOx2uE=,tag:kxRckRzggMCZuvhdaeEI8A==,type:str] k8saggregator: - crt: ENC[AES256_GCM,data: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,iv:3YbtSgYsUgSAIyLv+7wVmyaSlRU7ETRxEXGO48L5mxI=,tag:5gqlu3kPg3NLUi5N8CFohg==,type:str] - key: ENC[AES256_GCM,data:0jEpBv6TfRA9JL0wuKNK+kaZmnfWA4dDC8M7JHWUI2+CzHI8/CnSs4LmuaHEg69IyhxMz8QmUK0JR55GxGZaXoaaPNg75RH6vWZzbYanAYCQ/jmNutme01q4l5gPC3ncnuUgSkgZqy6U8lSIbQzd6Z+g9pEp2sqcv1wE/pZEBmP/oZxvlAPI/TmrTnihdoloSq9ovEmuhlkb2lQDUu5vadAhOwILyB8sY/3srJ326GQXKJCIFLQSVtZL22FoF5EEN4zj6Eo4JB6+qyeHbVYCzrTGKBEIuIh2jnJiuHXr7pU9ks39eJ+RjAtztoSGzrrMNEKhsApDWKVoHPmaQHexJNnoYUc8+OitNpfWFZt6myRrXHBOLmE8yglWjZ5LYiA5mgVLteVTm2apaXGQLV57xg==,iv:H397yF63NsSKbflL7UzP/M2j9xI8BO11T9vZ9LkVsZA=,tag:55qD004ldZiOheDLtUEPpg==,type:str] + crt: 
ENC[AES256_GCM,data:I0ElOehHI7OoFh8K4vGUP9INWUOJdqu8dP2u7PP48TtkBA3jc20xJKYA9B9cdVg1VoKzJCo4v7ixTSShJzSrVbf4DQFDVv8I70UsWOhjfBKqdx86A68oa9XKo6E7wPY4P4hFxeXilQM9mwDDRexuAKpPyHo0qLthjbn8P2jI7p9sBtYqpmo5+7i0BAnKVYT1H8oIg34Ltv8t8XSIXgexjMZXlZDPFLAZl7RY/53dLX1gjNorT0BzSNNttlfHHyUXnewGzpjYS+UgJtpfxeIlwuCMHE1iq/k4IY+jO9VrfXgyjxTSVR58btT6QgxDDtnGyvyDMkZF1UhQqiZHd5CAg5UK+TgBdtgAgEJJNuJMxFN7TB2S4mAEewvssobt5tj+HY3eOsnMtx34crdoJ7Q3/LwBvpnPy4q+P2NMBqYvJiCirMX9ShnXIKqpbCj6xgEqbXB+1dWdiAFq/jkiyax4OOAvEM+KndMvv57GNZLtKEwY+DtHGTooJ2G8ekkqBkQPyLRfMcd4UshqeOSytfaVBJeEZ0fuc1K2A9agPjdp3BCRUdsgFPWpYliSDk0npjKeHb7heRNMkCKnL8L2RopcCi1WmDMirXG+MFT2hXtAe4e72ZSWr6vYgU1iqZtBObWw2ckhcnQN+6Ewm0oeXp2HMu03elDi4SeIabwx5tHoRSFuvDe3SL5d87O0exHdbk/f7OI2CG5LSSmSjC/9fPOrxtr2aDyUr8LuSjCHEIZYnBce7Q/xPMomdyxr+r+TEdgzjeh5acPWjytwjGcNItiaL5e1ZiSnToLvFMD6fZD8kb5oldinhSjqhKenDVzouPFhr4NGgsApdaBLxZGzVQHAaoweWOkxBdrN+1r8rGxp4R+P8E6s1KrObFboQzXuZn45yzR/Tj4ciEtodbOn+e8H+Hfxkoor5ICm1BoArQVCC8HqEV4A513V0g==,iv:Wdo8SnHcLE5qiQOahTLK2umueiawMUzjrqz22VzLX50=,tag:ky8NpuHcbQpnahe5m/CapA==,type:str] + key: ENC[AES256_GCM,data:JdMk0NseBEpd4B19ZBOQASn/D09WX04872LkR0hpjlTxRyQmKghHOO3iuY4O5vo179Of3w04dCLypHJRSh9Najoc2G4QlRkVtuDz8Y2ibAyvROcVP9tZIpiiffm076eUGgW4/tMEy5ik3qoHlZmqE29zjxuVqAeXTZykE5li3loE2F0HZezjEha8A4QEzj/w3qWztAoFJq1VlAWMD3z8/NED1ZO8V0dM1GnkQZgcx7LSC4+WP7H4INSZjQktD19Ra6b5XuOSKj3A4cBfmWYW18XvOXiktKtDruz/oBZdLXccLFD4HOrYvac932RKRqL2nHtgdxmDjiN97ZpPrd4dTpSESepqErUrj087N1uspm8g/tNFxr0DUY22h5ovdUNClxv+3Hwmla2Kj0sOXwzCdw==,iv:+sCWWDrfxHaHPwyk486BnG4b252LKtqq4HoxMiI7RhI=,tag:gJKJ5FbaL41XhG2FeaK3uQ==,type:str] k8sserviceaccount: - key: ENC[AES256_GCM,data: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,iv:j1JW4EqVsIyWC4b7mIDpaWBPh2h1RtJVCi+7Q+ft+AU=,tag:9fE+XH5MihSAR9K44noKeg==,type:str] + key: ENC[AES256_GCM,data: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,iv:9BsyZZeMelL8Y8wyewZtuaYCN8Iln0zaVkexG+5CzHA=,tag:qMveJy0juiErucQF2vXYkg==,type:str] os: - crt: 
ENC[AES256_GCM,data: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,iv:/Z1siSkwGd1dywxVjvr74VQAGfUWLLasFNbeBGH7CSU=,tag:TfBrPURAY24OqoQ3c7ZgpQ==,type:str] - key: ENC[AES256_GCM,data:y1jJNx8l9w6B20SsnY2t0F0J3VhxTVMxZND/1awq6f6/vz7gQq0f5CGktIlaJpouuGM3yBd2yngJsnAd3sTuhpIDdkh/D8dghzeolpZmVuLcC6VmDav+WltR5YBm7YZTa2WiyxQzs6S00mndA+RNzjKCMUE+gbH54tCCj99Rd+dmsR5SME0rnilHpO5y+xhZxAzeN5rb9dEB3vXfllm5fMX2VIXO4tIEegYz7wahByLvodB3,iv:NkXwb993RFCjnSaFH/4IFwpkCaQa+pSCLYMaz7wX8Ko=,tag:Ii5Ss0+TgNFjqkTHqBUpOA==,type:str] + crt: ENC[AES256_GCM,data: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,iv:jh3Yxzmnd6hSO5K7kjEn0ikfDoXBld/SrgdOmKFi5Xo=,tag:aVusAZdhz0vmUY1hk95N1w==,type:str] + key: ENC[AES256_GCM,data:vE+0+lGFdDbXlxQf4NnVL5qAAWUU+lLPV0lTQi36ZiccFzqKnsN+oikzuwrKbxf4WLcrQGZ9HtPcXZoBFFfxoYB6T5V8Cp8kN/9/3TuDqzOSF1jSMh0b3/qAPfeX/0gtZ5qcdjpWVHcwKJmk0ikV6n8ik6nIfph6SU4UZRXym/42N3uB0nolfpA+dbtodWsSENwPmf42RJWnhWYNZtsqUAPmI2kZYkImo9+VZZG1Qevb2pFt,iv:gbSfL5GUn5njObBG/5SFHgs/ZpQ0QWoiO+NmLckEjDY=,tag:lLcdNuhiO0ROvKHCXeK4yg==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 + - recipient: age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVUVrVzM2K3FxZW1vZWU2 - eGphc0hyVDVFK1YzQXJuWGpwM05pcm9hekc4Ci9Xc05GNHhUNHFpL2hNUmh1dFdu - bmt6Ti9SL1hMa1RrbVQxdUxKWVhMWXcKLS0tIHpIS1BoRzdQSWV0SG11KzBqbUxI - Z2IrdTdhdjlkbmpnZWFJTjRYS0daZ1UKYun8zBETwkX7bTGDq0lmT971fxk4rjBh - r7vEIHAXJXSN+l2j49epmQgDbJsLnxU0WYg2ujjvHGSPe7ZE+C5W/g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMnhIeWtZUERTOFdOeXMy + ZE9SKzM0aXQyc1UrTi90TXZlUzdZdU1pYW5nCmpQMkJVZllBazVwUnQ5VmJFSE1u + TXVDYnJOUEQ5SDVLSk0ydW8reDU4YVEKLS0tIGdyUXYyMFBCZDhmVGJrNVdvclAz + cnJBaXVXQ1FJL3Y3R3NuU09JTHkxTjAKKfHOeVtTgDWmIfZoZ7fd38s1Vll6YgIr + YbCPwy4iy08ZRee9T/vUaCEi+6Lw40SYU8x2qxWlDYPouh+STVljqg== -----END AGE ENCRYPTED FILE----- - lastmodified: 
"2024-07-08T17:37:37Z" - mac: ENC[AES256_GCM,data:o0D4a6UdOY3WeG9CIMH00AW4kNMbhNWKteOCZu8p0c+GuVgan8PaUkxi6NhB2H1BqYd3WB3LgGfAsTjcK4qd/hOwz/WwT2hf3Tf3zuZHaNKOH9M03TRTImLuWYdjpr2uEDBaUG0hWIufr4SmppDmdos12EDWMlPTgT3zvFpJd3o=,iv:IbWzjHzDAkjeryjlnSVDj+Kjpx3iVPOAFvrKRKjm6s4=,tag:DW/pajHvNz2fYIOuXYyImg==,type:str] + lastmodified: "2024-07-15T13:07:52Z" + mac: ENC[AES256_GCM,data:wChyg1ZPV/0YD4TIqGEMHKCGDbQMelKNn/3TagM9P9DRMYGpVkIrXuc1G1nRAJ+Z4CG/grfm4FiRG8JrhuBvKuHDVEJWw1+cK2qrUidC147a3OsTGUtMNq4hntuBdHhiIR8xFa9Gbok45C0v7t33YzjT0MWRb+gwEPbrc130oBo=,iv:tJmQsOrUvSom7eMOkb3ApIncXA3+pgf3Q6DVkbeBL9g=,tag:ZZzFXUQOoiDaNpCqDsnoPw==,type:str] pgp: [] encrypted_regex: ^(token|crt|key|id|secret|secretboxencryptionsecret|ca|bootstraptoken)$ version: 3.8.1 diff --git a/kubernetes/flux/cluster-apps.yaml b/kubernetes/flux/cluster-apps.yaml index 2bfa9a16..7298435c 100644 --- a/kubernetes/flux/cluster-apps.yaml +++ b/kubernetes/flux/cluster-apps.yaml @@ -11,7 +11,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: homelab + name: theshire decryption: provider: sops secretRef: diff --git a/kubernetes/flux/config/cluster.yaml b/kubernetes/flux/config/cluster.yaml index 79ddd5c8..c631b73a 100644 --- a/kubernetes/flux/config/cluster.yaml +++ b/kubernetes/flux/config/cluster.yaml @@ -3,13 +3,13 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: - name: homelab + name: theshire namespace: flux-system spec: interval: 30m ref: branch: main - url: https://git.hsn.dev/jahanson/homelab.git + url: https://git.hsn.dev/jahanson/theshire.git ignore: | # exclude all /* @@ -29,7 +29,7 @@ spec: wait: false sourceRef: kind: GitRepository - name: homelab + name: theshire decryption: provider: sops secretRef: diff --git a/kubernetes/flux/repositories/git/kubevirt-cdi.yaml b/kubernetes/flux/repositories/git/kubevirt-cdi.yaml deleted file mode 100644 index 18de624a..00000000 --- a/kubernetes/flux/repositories/git/kubevirt-cdi.yaml +++ /dev/null 
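Review bot: The GitRepository now points at `https://git.hsn.dev/jahanson/theshire.git` and the same commit deletes the `git-deploy-key` Secret in flux-system; if the new repository is private, the GitRepository needs a `secretRef` (none is visible in this hunk) carrying credentials for the HTTPS remote, otherwise source-controller will fail to fetch. If the repository is public, a short comment `# public repo over HTTPS; no secretRef needed` would make that intentional. Also consider that the Kustomizations apply `branch: main` with `prune: true` (visible in the cluster-apps.yaml hunk), so anything merged to main is applied and pruned immediately; pinning `ref` to a tag or commit for the bootstrap path is one way to keep that from being a single-commit blast radius.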
@@ -1,17 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/source.toolkit.fluxcd.io/gitrepository_v1.json -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: kubevirt-cdi - namespace: flux-system -spec: - interval: 30m - url: https://git.hsn.dev/jahanson/kubevirt-flux.git - ref: - branch: cdi-v1.59.0 - ignore: | - # exclude all - /* - # include files - !/deploy diff --git a/kubernetes/flux/repositories/git/kubevirt.yaml b/kubernetes/flux/repositories/git/kubevirt.yaml deleted file mode 100644 index b5bde714..00000000 --- a/kubernetes/flux/repositories/git/kubevirt.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/source.toolkit.fluxcd.io/gitrepository_v1.json -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: kubevirt - namespace: flux-system -spec: - interval: 30m - url: https://git.hsn.dev/jahanson/kubevirt-flux.git - ref: - branch: v1.2.2 - ignore: | - # exclude all - /* - # include files - !/deploy diff --git a/kubernetes/flux/repositories/git/kustomization.yaml b/kubernetes/flux/repositories/git/kustomization.yaml deleted file mode 100644 index 160bbf70..00000000 --- a/kubernetes/flux/repositories/git/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - kubevirt.yaml - - kubevirt-cdi.yaml diff --git a/kubernetes/flux/repositories/helm/angelnu.yaml b/kubernetes/flux/repositories/helm/angelnu.yaml index 694897ae..e9a4ac44 100644 --- a/kubernetes/flux/repositories/helm/angelnu.yaml +++ b/kubernetes/flux/repositories/helm/angelnu.yaml @@ -8,4 +8,4 @@ metadata: spec: interval: 30m url: https://angelnu.github.io/helm-charts - timeout: 3m \ No newline at end of file + timeout: 3m 
diff --git a/kubernetes/flux/repositories/helm/emqx.yaml b/kubernetes/flux/repositories/helm/coredns.yaml similarity index 80% rename from kubernetes/flux/repositories/helm/emqx.yaml rename to kubernetes/flux/repositories/helm/coredns.yaml index 1ca9ebfc..27537d73 100644 --- a/kubernetes/flux/repositories/helm/emqx.yaml +++ b/kubernetes/flux/repositories/helm/coredns.yaml @@ -3,8 +3,8 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: - name: emqx + name: coredns namespace: flux-system spec: interval: 2h - url: https://repos.emqx.io/charts + url: https://coredns.github.io/helm diff --git a/kubernetes/flux/repositories/helm/descheduler.yaml b/kubernetes/flux/repositories/helm/descheduler.yaml index 76de28c6..9c83ebb8 100644 --- a/kubernetes/flux/repositories/helm/descheduler.yaml +++ b/kubernetes/flux/repositories/helm/descheduler.yaml @@ -7,4 +7,4 @@ metadata: namespace: flux-system spec: interval: 2h - url: https://kubernetes-sigs.github.io/descheduler \ No newline at end of file + url: https://kubernetes-sigs.github.io/descheduler diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml index f4795c0f..0a9cf767 100644 --- a/kubernetes/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/flux/repositories/helm/kustomization.yaml @@ -8,13 +8,13 @@ resources: - backube.yaml - bjw-s.yaml - cilium.yaml + - coredns.yaml - crowdsec.yaml - crunchydata.yaml - democratic-csi.yaml - descheduler.yaml - dragonflydb.yaml - elastic.yaml - - emqx.yaml - external-secrets.yaml - fairwinds.yaml - grafana.yaml @@ -35,4 +35,3 @@ resources: - spegel-org.yaml - stakater.yaml - stevehipwell.yaml - - victoria-metrics.yaml diff --git a/kubernetes/flux/repositories/helm/spegel-org.yaml b/kubernetes/flux/repositories/helm/spegel-org.yaml index 9cb852f5..25db6d48 100644 --- a/kubernetes/flux/repositories/helm/spegel-org.yaml +++ b/kubernetes/flux/repositories/helm/spegel-org.yaml 
@@ -8,4 +8,4 @@ metadata: spec: type: oci interval: 5m - url: oci://ghcr.io/spegel-org/helm-charts \ No newline at end of file + url: oci://ghcr.io/spegel-org/helm-charts diff --git a/kubernetes/flux/repositories/helm/stevehipwell.yaml b/kubernetes/flux/repositories/helm/stevehipwell.yaml index c2dceb76..bd0d0864 100644 --- a/kubernetes/flux/repositories/helm/stevehipwell.yaml +++ b/kubernetes/flux/repositories/helm/stevehipwell.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://ks.hsn.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: diff --git a/kubernetes/flux/repositories/helm/victoria-metrics.yaml b/kubernetes/flux/repositories/helm/victoria-metrics.yaml deleted file mode 100644 index 37ee6b00..00000000 --- a/kubernetes/flux/repositories/helm/victoria-metrics.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: victoria-metrics - namespace: flux-system -spec: - interval: 30m - url: https://victoriametrics.github.io/helm-charts/ - timeout: 3m diff --git a/kubernetes/flux/repositories/kustomization.yaml b/kubernetes/flux/repositories/kustomization.yaml index 196ac069..219c6e2e 100644 --- a/kubernetes/flux/repositories/kustomization.yaml +++ b/kubernetes/flux/repositories/kustomization.yaml @@ -5,4 +5,3 @@ kind: Kustomization namespace: flux-system resources: - ./helm - - ./git diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml index e806805e..9fa006ee 100644 --- a/kubernetes/flux/vars/cluster-secrets.sops.yaml +++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml 
@@ -4,25 +4,25 @@ metadata: name: cluster-secrets namespace: flux-system stringData: - CLUSTER_SECRET_CLOUDFLARE_ACCOUNT_ID: ENC[AES256_GCM,data:bQvXy9wHJcVKCa9xb89Ji2VSBmsxPKuEXIG/+KiclmM=,iv:63JdSorOBh2uz98ajzdtydSbJH3wKEaX5fRP3LX8g9Q=,tag:NH7Y6EoWaEGVal7E0XHg0w==,type:str] - CLUSTER_SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:7UFpD5GCCwg+N5y1LKvhtLNRdTugwMQrR9tBSJ1ogt9qZNCJ,iv:ZjOh5Lr9vDxsbDeUx0/EuBLDSwlh71jn9wM6Cpl2FdE=,tag:GJTGF4LtPWWsv4lIDRg51g==,type:str] + CLUSTER_SECRET_CLOUDFLARE_ACCOUNT_ID: ENC[AES256_GCM,data:9YWkXR/bWSbo020UOD81Y9FT9TOmOcPUudD/JEj0Src=,iv:FqWULXadlng/odR93Sv8HXy+3NLfMh1jj5BoA3+er90=,tag:PETCCxtVvJU2/Kw/Uupujg==,type:str] + CLUSTER_SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:JBVLvSlU3nXRI/ZZfrd6ahGjQPHn3AQYqAMa4HcRKX4dQyu7,iv:EtzKsH1UWB4zyXimSngqOnV+gwf8BrfF9TKM1ADgBr4=,tag:V+Ip8AtReDyvnmbH1hSDYA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 + - recipient: age1gr4js8ln65khjzjkf9gs5c32a2vrrv6jlv5asuz6hccqq8pddc4sjflprn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUdHVVdXUyMUlYc01Va25F - aXg2YWVDdnQwQnRGMWE4SEJtUnNka216YkVRCks5SUJBMzIxY25PWXQzSlBybkdL - Smwxc1hscTlNdzkzUWVPaXBYNkg5RWsKLS0tIGg0UHU3NGlpR1I5RjAvK1NvS3hl - K3J3NTZHQlhIOEt6YnZ6QU5QZ0JLT3MKYyy736Q4oXmaryf+JLlgEoK64iGDlUDg - JbdxbEfCPh3xbuTAff5oU0LxX9XVsoKBO/8+ew6+P/8bcjeb9sNCEg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOeUIrTloyWXFRYTlSeWp3 + eDZpVkNHbUhhQzJ4MEFUbEptUmFvQWlDdkZFCnJPY1FwaEx3RVpidnNPZUlZRjZz + Nnp0Wkx1WTc5MXJnVUV5bmpSSW5OM0kKLS0tIDE2NDEzKzZXZENicXdQaUNuUllB + MzA0aXAwbjUrV0ZMbmVHRUtRanUweE0K/I2EoGJKvfpC9sMNxYBbp41qQnRPYbGB + ApDo7SVBhXR+jnCmBrNdKbmpFdcGkHTYZ35LtuTuuBeq+bPyBazAQA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-27T18:35:50Z" - mac: 
ENC[AES256_GCM,data:23mZCtZNAoOBnZGF7nweq9PXhk27VOUgY3C6xa5DhQsJjFAGv6J9e8om4WsVaYKyo0PJ24Qi1JVQOsEHc3eCNq9W/W5Kh7cNM6FEjQPWwfL3Bz2pC97J+nGedbgsdl6bQzazfHQ+n5tMWbc9Po5qOP+7Wna5BIlZ5KVZk8WuFMY=,iv:C7QUH4kJo53kGokm4S8Hgr1nbP4Zc5efRS4ociQYyI8=,tag:+ceCQSXufLMOn07ENG5WCA==,type:str] + lastmodified: "2024-07-14T17:47:42Z" + mac: ENC[AES256_GCM,data:pdlFLlQTGZ9Wuom0N38C043+6D05WSlE7UIt7BfhYNajwCqucCFhzphTKfGyx73WEJ9ctAmkAv1vQRjyFUDULgwSILH5dVV99a85dAguwaQJn/kqmf/jiznF/wRXek8CE/gQlu23bjM82vTEg5GdrDrFeenWBe9xYCt/UdmVp4A=,iv:fp6e3UCEEeWf3MT34f7Ae+ap4ss3KXD7boTrrBy6kpM=,tag:jtw9PlalhoGcbDhrQzNPXA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.8.1 diff --git a/kubernetes/flux/vars/cluster-settings.yaml b/kubernetes/flux/vars/cluster-settings.yaml index f9d9366c..7215c738 100644 --- a/kubernetes/flux/vars/cluster-settings.yaml +++ b/kubernetes/flux/vars/cluster-settings.yaml @@ -5,4 +5,4 @@ metadata: name: cluster-settings namespace: flux-system data: - CLUSTER_NAME: homelab + CLUSTER_NAME: theshire diff --git a/kubernetes/templates/gatus/external/configmap.yaml b/kubernetes/templates/gatus/external/configmap.yaml index fe9bbdac..04086b79 100644 --- a/kubernetes/templates/gatus/external/configmap.yaml +++ b/kubernetes/templates/gatus/external/configmap.yaml @@ -17,4 +17,4 @@ data: conditions: - "[STATUS] == ${GATUS_STATUS:-200}" alerts: - - type: pushover \ No newline at end of file + - type: pushover diff --git a/kubernetes/templates/gatus/external/kustomization.yaml b/kubernetes/templates/gatus/external/kustomization.yaml index d4e4af42..e09060b9 100644 --- a/kubernetes/templates/gatus/external/kustomization.yaml +++ b/kubernetes/templates/gatus/external/kustomization.yaml @@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./configmap.yaml \ No newline at end of file + - ./configmap.yaml 
diff --git a/kubernetes/templates/volsync/claim.yaml b/kubernetes/templates/volsync/claim.yaml index 34346faf..1f2d9e16 100644 --- a/kubernetes/templates/volsync/claim.yaml +++ b/kubernetes/templates/volsync/claim.yaml @@ -12,4 +12,4 @@ spec: resources: requests: storage: "${VOLSYNC_CAPACITY}" - storageClassName: "${VOLSYNC_STORAGECLASS:-openebs-zfs}" + storageClassName: "${VOLSYNC_STORAGECLASS:-ceph-block}" diff --git a/kubernetes/templates/volsync/minio.yaml b/kubernetes/templates/volsync/minio.yaml index c42ef35b..eb2a9982 100644 --- a/kubernetes/templates/volsync/minio.yaml +++ b/kubernetes/templates/volsync/minio.yaml @@ -36,11 +36,11 @@ spec: copyMethod: "${VOLSYNC_COPYMETHOD:-Snapshot}" pruneIntervalDays: 7 repository: "${APP}-volsync-secret" - volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:-openebs-zfs}" + volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:-csi-ceph-blockpool}" cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-4Gi}" - cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-openebs-hostpath}" + cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-ceph-block}" cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:-ReadWriteOnce}"] - storageClassName: "${VOLSYNC_STORAGECLASS:-openebs-zfs}" + storageClassName: "${VOLSYNC_STORAGECLASS:-ceph-block}" accessModes: ["${VOLSYNC_ACCESSMODES:-ReadWriteOnce}"] moverSecurityContext: runAsUser: ${APP_UID:-568} 
@@ -62,11 +62,11 @@ spec:
 restic:
 repository: "${APP}-volsync-secret"
 copyMethod: Snapshot # must be Snapshot
- volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:-openebs-zfs}"
- cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-openebs-hostpath}"
+ volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:-csi-ceph-blockpool}"
+ cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-ceph-block}"
 cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:-ReadWriteOnce}"]
 cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-4Gi}"
- storageClassName: "${VOLSYNC_STORAGECLASS:-openebs-zfs}"
+ storageClassName: "${VOLSYNC_STORAGECLASS:-ceph-block}"
 accessModes: ["${VOLSYNC_ACCESSMODES:-ReadWriteOnce}"]
 capacity: "${VOLSYNC_CAPACITY}"
 moverSecurityContext:
diff --git a/kubernetes/templates/volsync/r2.yaml b/kubernetes/templates/volsync/r2.yaml
index d7ae84c0..e5ba28ef 100644
--- a/kubernetes/templates/volsync/r2.yaml
+++ b/kubernetes/templates/volsync/r2.yaml
@@ -36,11 +36,11 @@ spec:
 copyMethod: "${VOLSYNC_COPYMETHOD:-Snapshot}"
 pruneIntervalDays: 7
 repository: "${APP}-volsync-r2-secret"
- volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:-openebs-zfs}"
+ volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:-csi-ceph-blockpool}"
 cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-4Gi}"
- cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-openebs-hostpath}"
+ cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-ceph-block}"
 cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:-ReadWriteOnce}"]
- storageClassName: "${VOLSYNC_STORAGECLASS:-openebs-zfs}"
+ storageClassName: "${VOLSYNC_STORAGECLASS:-ceph-block}"
 accessModes: ["${VOLSYNC_ACCESSMODES:-ReadWriteOnce}"]
 moverSecurityContext:
 runAsUser: ${APP_UID:-568}
diff --git a/kubernetes/tools/kbench.yaml b/kubernetes/tools/kbench.yaml
index b0e71e63..1894da42 100644
--- a/kubernetes/tools/kbench.yaml
+++ b/kubernetes/tools/kbench.yaml
@@ -5,8 +5,8 @@ metadata:
 name: kbench-pvc
 spec:
 # storageClassName: zfs-generic-nfs-csi
- storageClassName: openebs-hostpath
- # storageClassName: openebs-zfs
+ # storageClassName: openebs-hostpath
+ storageClassName: ceph-block
 accessModes:
 - ReadWriteOnce
 resources:
diff --git a/kubernetes/tools/wipeone.yaml b/kubernetes/tools/wipeone.yaml
index 6e11d0f1..3c9b6e84 100644
--- a/kubernetes/tools/wipeone.yaml
+++ b/kubernetes/tools/wipeone.yaml
@@ -6,16 +6,16 @@ metadata:
 namespace: kube-system
 spec:
 restartPolicy: Never
- nodeName: shadowfax
+ nodeName: gandalf-01
 containers:
 - name: disk-wipe
- image: docker.io/library/alpine:3.20.2
+ image: docker.io/library/alpine:latest
 securityContext:
 privileged: true
 resources: {}
 env:
 - name: CEPH_DISK
- value: "/dev/nvme2n1"
+ value: "/dev/nvme0n1"
 command: [
 "/bin/sh",
diff --git a/kubernetes/tools/wiperook.yaml b/kubernetes/tools/wiperook.yaml
index fda079e9..6c7367e8 100644
--- a/kubernetes/tools/wiperook.yaml
+++ b/kubernetes/tools/wiperook.yaml
@@ -2,20 +2,20 @@
 apiVersion: v1
 kind: Pod
 metadata:
- name: disk-wipe-s01
+ name: disk-wipe-sam
 namespace: kube-system
 spec:
 restartPolicy: Never
- nodeName: talos-fki-fmf
+ nodeName: sam
 containers:
 - name: disk-wipe
- image: docker.io/library/alpine:3.20.2
+ image: docker.io/library/alpine:latest
 securityContext:
 privileged: true
 resources: {}
 env:
 - name: CEPH_DISK
- value: "/dev/xvdb"
+ value: "/dev/nvme0n1"
 command: [
 "/bin/sh",
@@ -39,20 +39,20 @@ spec:
 apiVersion: v1
 kind: Pod
 metadata:
- name: disk-wipe-anduril
+ name: disk-wipe-frodo
 namespace: kube-system
 spec:
 restartPolicy: Never
- nodeName: talos-xuc-f2e
+ nodeName: frodo
 containers:
 - name: disk-wipe
- image: docker.io/library/alpine:3.20.2
+ image: docker.io/library/alpine:latest
 securityContext:
 privileged: true
 resources: {}
 env:
 - name: CEPH_DISK
- value: "/dev/nvme1n1"
+ value: "/dev/nvme0n1"
 command: [
 "/bin/sh",
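Review bot: `image: docker.io/library/alpine:latest` drops the pinned tag on a pod that runs with `privileged: true` and wipes the device named in `CEPH_DISK`, so what actually executes there is no longer reproducible, and Renovate, which this repo configures, cannot track or pin a floating tag. Keep the image pinned, e.g. `image: docker.io/library/alpine:3.20.2` or, stronger, `image: docker.io/library/alpine:3.20.2@sha256:<digest>` (the digest is a placeholder to be taken from the registry). The same `alpine:latest` change appears in all three pods of wiperook.yaml (its `@@ -2`, `@@ -39` and `@@ -76` hunks). The new `value: "/dev/nvme0n1"` is also the same on every node here and in wiperook.yaml; the diff cannot show whether that is the OSD disk rather than the boot disk on each of gandalf-01, sam, frodo and bilbo, so it is worth confirming per node before any of these pods is applied, and the pods' `command:` bodies continue outside the hunk.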
@@ -76,14 +76,14 @@ spec:
 apiVersion: v1
 kind: Pod
 metadata:
- name: disk-wipe-g01
+ name: disk-wipe-bilbo
 namespace: kube-system
 spec:
 restartPolicy: Never
- nodeName: talos-opy-6ij
+ nodeName: bilbo
 containers:
 - name: disk-wipe
- image: docker.io/library/alpine:3.20.2
+ image: docker.io/library/alpine:latest
 securityContext:
 privileged: true
 resources: {}
diff --git a/renovate.json5 b/renovate.json5
index ac8695db..603ecc76 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -2,13 +2,11 @@
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": [
 "config:recommended",
- "local>jahanson/homelab//.renovate/customManagers.json5",
- "local>jahanson/homelab//.renovate/autoMerge.json5",
- "local>jahanson/homelab//.renovate/packageRules.json5"
- ],
- "ignorePaths": [
- ".archive/**"
+ "local>jahanson/theshire//.renovate/customManagers.json5",
+ "local>jahanson/theshire//.renovate/autoMerge.json5",
+ "local>jahanson/theshire//.renovate/packageRules.json5"
 ],
+ "ignorePaths": [".archive/**"],
 "flux": {
 "fileMatch": [
 "kubernetes/.+\\.ya?ml$"
@@ -67,11 +65,6 @@
 }
 ],
 "packageRules": [
- {
- "description": "Update Gluetun only daily",
- "matchDepNames": ["ghcr.io/qdm12/gluetun"],
- "extends": ["schedule:daily"]
- },
 {
 "description": "Use custom versioning for Vector",
 "matchDatasources": [
@@ -225,27 +218,8 @@
 ],
 "group": {
 "commitMessageTopic": "{{{groupName}}} group"
- }
+ },
 },
- {
- "description": "Ollama combine datasources.",
- "groupName": "Ollama",
- "matchPackagePatterns": [
- "docker.io/ollama/ollama",
- "ollama"
- ],
- "matchDatasources": [
- "docker",
- "github-releases"
- ],
- "matchUpdateTypes": [
- "minor",
- "patch"
- ],
- "group": {
- "commitMessageTopic": "{{{groupName}}} group"
- }
- }
- // Version strategies
- ]
- }
+ // Version strategies
+ ]
+}
diff --git a/shell.nix b/shell.nix
index 402b1591..cd3e2bf6 100644
--- a/shell.nix
+++ b/shell.nix
@@ -17,6 +17,6 @@ pkgs.mkShell {
 kubernetes-helm
 pre-commit
 sops
- cachix
+ age
 ];
 }