Compare commits
No commits in common. "0c6deac2c60067f78ff529f7287f527c8c807e66" and "2e2da1768fe4854d602da2003307d25f16957b02" have entirely different histories.
0c6deac2c6
...
2e2da1768f
438 changed files with 15687 additions and 659 deletions
9
.ansible-lint
Normal file
9
.ansible-lint
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
skip_list:
|
||||||
|
- yaml[line-length]
|
||||||
|
- var-naming
|
||||||
|
warn_list:
|
||||||
|
- command-instead-of-shell
|
||||||
|
- deprecated-command-syntax
|
||||||
|
- experimental
|
||||||
|
- no-changed-when
|
52
.archive/.taskfiles/Ansible/Taskfile.yaml
Normal file
52
.archive/.taskfiles/Ansible/Taskfile.yaml
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://taskfile.dev/schema.json
|
||||||
|
version: "3"
|
||||||
|
|
||||||
|
vars:
|
||||||
|
PYTHON_BIN: python3
|
||||||
|
|
||||||
|
env:
|
||||||
|
PATH: "{{.ROOT_DIR}}/.venv/bin:$PATH"
|
||||||
|
VIRTUAL_ENV: "{{.ROOT_DIR}}/.venv"
|
||||||
|
ANSIBLE_COLLECTIONS_PATH: "{{.ROOT_DIR}}/.venv/galaxy"
|
||||||
|
ANSIBLE_ROLES_PATH: "{{.ROOT_DIR}}/.venv/galaxy/ansible_roles"
|
||||||
|
ANSIBLE_VARS_ENABLED: "host_group_vars,community.sops.sops"
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
|
||||||
|
deps:
|
||||||
|
desc: Set up Ansible dependencies for the environment
|
||||||
|
cmds:
|
||||||
|
- task: .venv
|
||||||
|
|
||||||
|
run:
|
||||||
|
desc: Run an Ansible playbook for configuring a cluster
|
||||||
|
summary: |
|
||||||
|
Args:
|
||||||
|
cluster: Cluster to run command against (required)
|
||||||
|
playbook: Playbook to run (required)
|
||||||
|
prompt: Run Ansible playbook '{{.playbook}}' against the '{{.cluster}}' cluster... continue?
|
||||||
|
deps: ["deps"]
|
||||||
|
cmd: |
|
||||||
|
.venv/bin/ansible-playbook \
|
||||||
|
--inventory {{.ANSIBLE_DIR}}/{{.cluster}}/inventory/hosts.yaml \
|
||||||
|
{{.ANSIBLE_DIR}}/{{.cluster}}/playbooks/{{.playbook}}.yaml {{.CLI_ARGS}}
|
||||||
|
preconditions:
|
||||||
|
- { msg: "Argument (cluster) is required", sh: "test -n {{.cluster}}" }
|
||||||
|
- { msg: "Argument (playbook) is required", sh: "test -n {{.playbook}}" }
|
||||||
|
- { msg: "Venv not found", sh: "test -d {{.ROOT_DIR}}/.venv" }
|
||||||
|
- { msg: "Inventory not found", sh: "test -f {{.ANSIBLE_DIR}}/{{.cluster}}/inventory/hosts.yaml" }
|
||||||
|
- { msg: "Playbook not found", sh: "test -f {{.ANSIBLE_DIR}}/{{.cluster}}/playbooks/{{.playbook}}.yaml" }
|
||||||
|
|
||||||
|
.venv:
|
||||||
|
internal: true
|
||||||
|
cmds:
|
||||||
|
- true && {{.PYTHON_BIN}} -m venv {{.ROOT_DIR}}/.venv
|
||||||
|
- .venv/bin/python3 -m pip install --upgrade pip setuptools wheel
|
||||||
|
- .venv/bin/python3 -m pip install --upgrade --requirement {{.ANSIBLE_DIR}}/requirements.txt
|
||||||
|
- .venv/bin/ansible-galaxy install --role-file "{{.ANSIBLE_DIR}}/requirements.yaml" --force
|
||||||
|
sources:
|
||||||
|
- "{{.ANSIBLE_DIR}}/requirements.txt"
|
||||||
|
- "{{.ANSIBLE_DIR}}/requirements.yaml"
|
||||||
|
generates:
|
||||||
|
- "{{.ROOT_DIR}}/.venv/pyvenv.cfg"
|
104
.archive/.taskfiles/rook/Taskfile.yaml
Normal file
104
.archive/.taskfiles/rook/Taskfile.yaml
Normal file
|
@ -0,0 +1,104 @@
|
||||||
|
---
|
||||||
|
version: "3"
|
||||||
|
|
||||||
|
x-task-vars: &task-vars
|
||||||
|
node: "{{.node}}"
|
||||||
|
ceph_disk: "{{.ceph_disk}}"
|
||||||
|
ts: "{{.ts}}"
|
||||||
|
jobName: "{{.jobName}}"
|
||||||
|
|
||||||
|
vars:
|
||||||
|
waitForJobScript: "../_scripts/wait-for-k8s-job.sh"
|
||||||
|
ts: '{{now | date "150405"}}'
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
wipe-node-aule:
|
||||||
|
desc: Trigger a wipe of Rook-Ceph data on node "aule"
|
||||||
|
cmds:
|
||||||
|
- task: wipe-disk
|
||||||
|
vars:
|
||||||
|
node: "{{.node}}"
|
||||||
|
ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460833"
|
||||||
|
- task: wipe-data
|
||||||
|
vars:
|
||||||
|
node: "{{.node}}"
|
||||||
|
vars:
|
||||||
|
node: aule
|
||||||
|
|
||||||
|
wipe-node-orome:
|
||||||
|
desc: Trigger a wipe of Rook-Ceph data on node "orome"
|
||||||
|
cmds:
|
||||||
|
- task: wipe-disk
|
||||||
|
vars:
|
||||||
|
node: "{{.node}}"
|
||||||
|
ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37645333"
|
||||||
|
- task: wipe-data
|
||||||
|
vars:
|
||||||
|
node: "{{.node}}"
|
||||||
|
vars:
|
||||||
|
node: orome
|
||||||
|
|
||||||
|
wipe-node-eonwe:
|
||||||
|
desc: Trigger a wipe of Rook-Ceph data on node "eonwe"
|
||||||
|
cmds:
|
||||||
|
- task: wipe-disk
|
||||||
|
vars:
|
||||||
|
node: "{{.node}}"
|
||||||
|
ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460887"
|
||||||
|
- task: wipe-data
|
||||||
|
vars:
|
||||||
|
node: "{{.node}}"
|
||||||
|
vars:
|
||||||
|
node: eonwe
|
||||||
|
|
||||||
|
wipe-node-arlen:
|
||||||
|
desc: Trigger a wipe of Rook-Ceph data on node "arlen"
|
||||||
|
cmds:
|
||||||
|
- task: wipe-disk
|
||||||
|
vars:
|
||||||
|
node: "{{.node}}"
|
||||||
|
ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460897"
|
||||||
|
- task: wipe-data
|
||||||
|
vars:
|
||||||
|
node: "{{.node}}"
|
||||||
|
vars:
|
||||||
|
node: arlen
|
||||||
|
|
||||||
|
wipe-disk:
|
||||||
|
desc: Wipe all remnants of rook-ceph from a given disk (ex. task rook:wipe-disk node=aule ceph_disk="/dev/nvme0n1")
|
||||||
|
silent: true
|
||||||
|
internal: true
|
||||||
|
cmds:
|
||||||
|
- envsubst < <(cat {{.wipeRookDiskJobTemplate}}) | kubectl apply -f -
|
||||||
|
- bash {{.waitForJobScript}} {{.wipeCephDiskJobName}} default
|
||||||
|
- kubectl -n default wait job/{{.wipeCephDiskJobName}} --for condition=complete --timeout=1m
|
||||||
|
- kubectl -n default logs job/{{.wipeCephDiskJobName}} --container list
|
||||||
|
- kubectl -n default delete job {{.wipeCephDiskJobName}}
|
||||||
|
vars:
|
||||||
|
node: '{{ or .node (fail "`node` is required") }}'
|
||||||
|
ceph_disk: '{{ or .ceph_disk (fail "`ceph_disk` is required") }}'
|
||||||
|
jobName: 'wipe-disk-{{- .node -}}-{{- .ceph_disk | replace "/" "-" -}}-{{- .ts -}}'
|
||||||
|
wipeRookDiskJobTemplate: "WipeDiskJob.tmpl.yaml"
|
||||||
|
env: *task-vars
|
||||||
|
preconditions:
|
||||||
|
- sh: test -f {{.waitForJobScript}}
|
||||||
|
- sh: test -f {{.wipeRookDiskJobTemplate}}
|
||||||
|
|
||||||
|
wipe-data:
|
||||||
|
desc: Wipe all remnants of rook-ceph from a given disk (ex. task rook:wipe-data node=aule)
|
||||||
|
silent: true
|
||||||
|
internal: true
|
||||||
|
cmds:
|
||||||
|
- envsubst < <(cat {{.wipeRookDataJobTemplate}}) | kubectl apply -f -
|
||||||
|
- bash {{.waitForJobScript}} {{.wipeRookDataJobName}} default
|
||||||
|
- kubectl -n default wait job/{{.wipeRookDataJobName}} --for condition=complete --timeout=1m
|
||||||
|
- kubectl -n default logs job/{{.wipeRookDataJobName}} --container list
|
||||||
|
- kubectl -n default delete job {{.wipeRookDataJobName}}
|
||||||
|
vars:
|
||||||
|
node: '{{ or .node (fail "`node` is required") }}'
|
||||||
|
jobName: "wipe-rook-data-{{- .node -}}-{{- .ts -}}"
|
||||||
|
wipeRookDataJobTemplate: "WipeRookDataJob.tmpl.yaml"
|
||||||
|
env: *task-vars
|
||||||
|
preconditions:
|
||||||
|
- sh: test -f {{.waitForJobScript}}
|
||||||
|
- sh: test -f {{.wipeRookDataJobTemplate}}
|
26
.archive/.taskfiles/rook/WipeDiskJob.tmpl.yaml
Normal file
26
.archive/.taskfiles/rook/WipeDiskJob.tmpl.yaml
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: "${jobName}"
|
||||||
|
namespace: "default"
|
||||||
|
spec:
|
||||||
|
ttlSecondsAfterFinished: 3600
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
automountServiceAccountToken: false
|
||||||
|
restartPolicy: Never
|
||||||
|
nodeName: ${node}
|
||||||
|
containers:
|
||||||
|
- name: disk-wipe
|
||||||
|
image: docker.io/library/alpine:3.20.0
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
resources: {}
|
||||||
|
command: ["/bin/sh", "-c"]
|
||||||
|
args:
|
||||||
|
- apk add --no-cache sgdisk util-linux parted;
|
||||||
|
sgdisk --zap-all ${ceph_disk};
|
||||||
|
blkdiscard ${ceph_disk};
|
||||||
|
dd if=/dev/zero bs=1M count=10000 oflag=direct of=${ceph_disk};
|
||||||
|
partprobe ${ceph_disk};
|
29
.archive/.taskfiles/rook/WipeRookDataJob.tmpl.yaml
Normal file
29
.archive/.taskfiles/rook/WipeRookDataJob.tmpl.yaml
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: "${jobName}"
|
||||||
|
namespace: "default"
|
||||||
|
spec:
|
||||||
|
ttlSecondsAfterFinished: 3600
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
automountServiceAccountToken: false
|
||||||
|
restartPolicy: Never
|
||||||
|
nodeName: ${node}
|
||||||
|
containers:
|
||||||
|
- name: disk-wipe
|
||||||
|
image: docker.io/library/alpine:3.20.0
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
resources: {}
|
||||||
|
command: ["/bin/sh", "-c"]
|
||||||
|
args:
|
||||||
|
- rm -rf /mnt/host_var/lib/rook
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /mnt/host_var
|
||||||
|
name: host-var
|
||||||
|
volumes:
|
||||||
|
- name: host-var
|
||||||
|
hostPath:
|
||||||
|
path: /var
|
19
.archive/.taskfiles/rook/pod.yaml
Normal file
19
.archive/.taskfiles/rook/pod.yaml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: my-pod
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: disk-wipe
|
||||||
|
image: docker.io/library/alpine:3.20.0
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
resources: {}
|
||||||
|
command: ["/bin/sh", "-c"]
|
||||||
|
args:
|
||||||
|
- apk add --no-cache sgdisk util-linux parted e2fsprogs;
|
||||||
|
sgdisk --zap-all /dev/nvme1n1;
|
||||||
|
blkdiscard /dev/nvme1n1;
|
||||||
|
dd if=/dev/zero bs=1M count=10000 oflag=direct of=/dev/nvme1n1;
|
||||||
|
sgdisk /dev/nvme1n1
|
||||||
|
partprobe /dev/nvme1n1;
|
116
.archive/kubernetes/default/jellyfin/app/helmrelease.yaml
Normal file
116
.archive/kubernetes/default/jellyfin/app/helmrelease.yaml
Normal file
|
@ -0,0 +1,116 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: jellyfin
|
||||||
|
namespace: default
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: app-template
|
||||||
|
version: 3.1.0
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: bjw-s
|
||||||
|
namespace: flux-system
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
strategy: rollback
|
||||||
|
values:
|
||||||
|
controllers:
|
||||||
|
jellyfin:
|
||||||
|
type: statefulset
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
containers:
|
||||||
|
app:
|
||||||
|
image:
|
||||||
|
repository: jellyfin/jellyfin
|
||||||
|
tag: 10.8.13
|
||||||
|
env:
|
||||||
|
NVIDIA_VISIBLE_DEVICES: "all"
|
||||||
|
NVIDIA_DRIVER_CAPABILITIES: "compute,video,utility"
|
||||||
|
DOTNET_SYSTEM_IO_DISABLEFILELOCKING: "true"
|
||||||
|
JELLYFIN_FFmpeg__probesize: 50000000
|
||||||
|
JELLYFIN_FFmpeg__analyzeduration: 50000000
|
||||||
|
JELLYFIN_PublishedServerUrl: jelly.hsn.dev
|
||||||
|
TZ: America/Chicago
|
||||||
|
probes:
|
||||||
|
liveness: &probes
|
||||||
|
enabled: true
|
||||||
|
custom: true
|
||||||
|
spec:
|
||||||
|
httpGet:
|
||||||
|
path: /health
|
||||||
|
port: &port 8096
|
||||||
|
initialDelaySeconds: 0
|
||||||
|
periodSeconds: 10
|
||||||
|
timeoutSeconds: 1
|
||||||
|
failureThreshold: 3
|
||||||
|
readiness: *probes
|
||||||
|
startup:
|
||||||
|
enabled: false
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
nvidia.com/gpu: 1 # requesting 1 GPU
|
||||||
|
cpu: 100m
|
||||||
|
memory: 512Mi
|
||||||
|
limits:
|
||||||
|
nvidia.com/gpu: 1
|
||||||
|
memory: 4Gi
|
||||||
|
pod:
|
||||||
|
runtimeClassName: nvidia
|
||||||
|
enableServiceLinks: false
|
||||||
|
nodeSelector:
|
||||||
|
nvidia.com/gpu.present: "true"
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 568
|
||||||
|
runAsGroup: 568
|
||||||
|
fsGroup: 568
|
||||||
|
fsGroupChangePolicy: OnRootMismatch
|
||||||
|
supplementalGroups: [44, 105, 10000]
|
||||||
|
service:
|
||||||
|
app:
|
||||||
|
controller: jellyfin
|
||||||
|
ports:
|
||||||
|
http:
|
||||||
|
port: *port
|
||||||
|
ingress:
|
||||||
|
app:
|
||||||
|
enabled: true
|
||||||
|
className: external-nginx
|
||||||
|
annotations:
|
||||||
|
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
|
||||||
|
external-dns.alpha.kubernetes.io/target: external.hsn.dev
|
||||||
|
hosts:
|
||||||
|
- host: &host "jelly.hsn.dev"
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
service:
|
||||||
|
identifier: app
|
||||||
|
port: http
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- *host
|
||||||
|
persistence:
|
||||||
|
config:
|
||||||
|
existingClaim: jellyfin
|
||||||
|
enabled: true
|
||||||
|
transcode:
|
||||||
|
type: emptyDir
|
||||||
|
globalMounts:
|
||||||
|
- path: /transcode
|
||||||
|
media:
|
||||||
|
enabled: true
|
||||||
|
type: nfs
|
||||||
|
server: 10.1.1.12
|
||||||
|
path: /mnt/users/Media
|
||||||
|
globalMounts:
|
||||||
|
- path: /media
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
namespace: default
|
||||||
|
resources:
|
||||||
|
- ./helmrelease.yaml
|
||||||
|
- ../../../../templates/volsync
|
23
.archive/kubernetes/default/jellyfin/ks.yaml
Normal file
23
.archive/kubernetes/default/jellyfin/ks.yaml
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: &app jellyfin
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
dependsOn:
|
||||||
|
- name: external-secrets-stores
|
||||||
|
path: ./kubernetes/apps/default/jellyfin/app
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: homelab
|
||||||
|
wait: false
|
||||||
|
interval: 30m
|
||||||
|
retryInterval: 1m
|
||||||
|
timeout: 5m
|
||||||
|
postBuild:
|
||||||
|
substitute:
|
||||||
|
APP: *app
|
||||||
|
VOLSYNC_CAPACITY: 10Gi
|
|
@ -0,0 +1,26 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||||
|
apiVersion: external-secrets.io/v1beta1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: home-assistant
|
||||||
|
spec:
|
||||||
|
secretStoreRef:
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
name: onepassword-connect
|
||||||
|
target:
|
||||||
|
name: home-assistant-secret
|
||||||
|
creationPolicy: Owner
|
||||||
|
template:
|
||||||
|
engineVersion: v2
|
||||||
|
data:
|
||||||
|
HASS_ELEVATION: "{{ .hass_elevation }}"
|
||||||
|
HASS_LATITUDE: "{{ .hass_latitude }}"
|
||||||
|
HASS_LONGITUDE: "{{ .hass_longitude }}"
|
||||||
|
dataFrom:
|
||||||
|
- extract:
|
||||||
|
key: home-assistant
|
||||||
|
rewrite:
|
||||||
|
- regexp:
|
||||||
|
source: "(.*)"
|
||||||
|
target: "hass_$1"
|
|
@ -0,0 +1,90 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: home-assistant
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: app-template
|
||||||
|
version: 3.1.0
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: bjw-s
|
||||||
|
namespace: flux-system
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
strategy: rollback
|
||||||
|
retries: 3
|
||||||
|
values:
|
||||||
|
controllers:
|
||||||
|
home-assistant:
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
pod:
|
||||||
|
annotations:
|
||||||
|
k8s.v1.cni.cncf.io/networks: |
|
||||||
|
[{
|
||||||
|
"name":"multus-iot",
|
||||||
|
"namespace": "kube-system",
|
||||||
|
"ips": ["10.1.3.151/24"]
|
||||||
|
}]
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 568
|
||||||
|
runAsGroup: 568
|
||||||
|
runAsNonRoot: true
|
||||||
|
fsGroup: 568
|
||||||
|
fsGroupChangePolicy: OnRootMismatch
|
||||||
|
containers:
|
||||||
|
app:
|
||||||
|
image:
|
||||||
|
repository: ghcr.io/home-assistant/home-assistant
|
||||||
|
tag: 2024.5.5
|
||||||
|
env:
|
||||||
|
TZ: America/Chicago
|
||||||
|
HASS_HTTP_TRUSTED_PROXY_1: 10.244.0.0/16
|
||||||
|
envFrom:
|
||||||
|
- secretRef:
|
||||||
|
name: home-assistant-secret
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
limits:
|
||||||
|
memory: 1Gi
|
||||||
|
service:
|
||||||
|
app:
|
||||||
|
controller: home-assistant
|
||||||
|
ports:
|
||||||
|
http:
|
||||||
|
port: 8123
|
||||||
|
ingress:
|
||||||
|
app:
|
||||||
|
className: internal-nginx
|
||||||
|
hosts:
|
||||||
|
- host: &host hass.jahanson.tech
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
service:
|
||||||
|
identifier: app
|
||||||
|
port: http
|
||||||
|
tls:
|
||||||
|
- hosts: [*host]
|
||||||
|
persistence:
|
||||||
|
config:
|
||||||
|
existingClaim: home-assistant
|
||||||
|
logs:
|
||||||
|
type: emptyDir
|
||||||
|
globalMounts:
|
||||||
|
- path: /config/logs
|
||||||
|
tts:
|
||||||
|
type: emptyDir
|
||||||
|
globalMounts:
|
||||||
|
- path: /config/tts
|
||||||
|
tmp:
|
||||||
|
type: emptyDir
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./externalsecret.yaml
|
||||||
|
- ./helmrelease.yaml
|
||||||
|
- ../../../../templates/volsync
|
29
.archive/kubernetes/home-automation/home-assistant/ks.yaml
Normal file
29
.archive/kubernetes/home-automation/home-assistant/ks.yaml
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: &app home-assistant
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
targetNamespace: home-automation
|
||||||
|
commonMetadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: *app
|
||||||
|
dependsOn:
|
||||||
|
- name: external-secrets-stores
|
||||||
|
- name: openebs-system
|
||||||
|
- name: volsync
|
||||||
|
path: ./kubernetes/apps/home-automation/home-assistant/app
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: homelab
|
||||||
|
wait: false
|
||||||
|
interval: 30m
|
||||||
|
retryInterval: 1m
|
||||||
|
timeout: 5m
|
||||||
|
postBuild:
|
||||||
|
substitute:
|
||||||
|
APP: *app
|
||||||
|
VOLSYNC_CAPACITY: 5Gi
|
9
.archive/kubernetes/home-automation/kustomization.yaml
Normal file
9
.archive/kubernetes/home-automation/kustomization.yaml
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
# Pre Flux-Kustomizations
|
||||||
|
- ./namespace.yaml
|
||||||
|
# Flux-Kustomizations
|
||||||
|
- ./mosquitto/ks.yaml
|
|
@ -0,0 +1,107 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: &app matter-server
|
||||||
|
spec:
|
||||||
|
interval: 15m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: app-template
|
||||||
|
version: 3.2.1
|
||||||
|
interval: 15m
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: bjw-s
|
||||||
|
namespace: flux-system
|
||||||
|
maxHistory: 3
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
strategy: rollback
|
||||||
|
retries: 3
|
||||||
|
values:
|
||||||
|
controllers:
|
||||||
|
matter-server:
|
||||||
|
type: statefulset
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
pod:
|
||||||
|
annotations:
|
||||||
|
k8s.v1.cni.cncf.io/networks: |
|
||||||
|
[{
|
||||||
|
"name":"multus-iot",
|
||||||
|
"namespace": "kube-system",
|
||||||
|
"ips": ["10.1.3.152/24"]
|
||||||
|
}]
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 568
|
||||||
|
runAsGroup: 568
|
||||||
|
runAsNonRoot: true
|
||||||
|
fsGroup: 568
|
||||||
|
fsGroupChangePolicy: OnRootMismatch
|
||||||
|
|
||||||
|
containers:
|
||||||
|
app:
|
||||||
|
image:
|
||||||
|
repository: ghcr.io/home-assistant-libs/python-matter-server
|
||||||
|
tag: 6.0.1
|
||||||
|
pullPolicy: IfNotPresent
|
||||||
|
env:
|
||||||
|
TZ: "America/Chicago"
|
||||||
|
MATTER_SERVER__INSTANCE_NAME: Matter-Server
|
||||||
|
MATTER_SERVER__PORT: &port 5580
|
||||||
|
MATTER_SERVER__APPLICATION_URL: &host matter.jahanson.tech
|
||||||
|
MATTER_SERVER__LOG_LEVEL: info
|
||||||
|
probes:
|
||||||
|
liveness:
|
||||||
|
enabled: true
|
||||||
|
readiness:
|
||||||
|
enabled: true
|
||||||
|
startup:
|
||||||
|
enabled: true
|
||||||
|
spec:
|
||||||
|
failureThreshold: 30
|
||||||
|
periodSeconds: 5
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: "100M"
|
||||||
|
limits:
|
||||||
|
memory: "500M"
|
||||||
|
service:
|
||||||
|
app:
|
||||||
|
controller: *app
|
||||||
|
type: LoadBalancer
|
||||||
|
annotations:
|
||||||
|
io.cilium/lb-ipam-ips: "10.1.1.37"
|
||||||
|
ports:
|
||||||
|
api:
|
||||||
|
enabled: true
|
||||||
|
primary: true
|
||||||
|
protocol: TCP
|
||||||
|
port: *port
|
||||||
|
externalTrafficPolicy: Cluster
|
||||||
|
persistence:
|
||||||
|
config:
|
||||||
|
enabled: true
|
||||||
|
existingClaim: matter-server
|
||||||
|
advancedMounts:
|
||||||
|
matter-server:
|
||||||
|
app:
|
||||||
|
- path: "/data"
|
||||||
|
ingress:
|
||||||
|
app:
|
||||||
|
className: internal-nginx
|
||||||
|
hosts:
|
||||||
|
- host: *host
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
service:
|
||||||
|
identifier: app
|
||||||
|
port: http
|
||||||
|
tls:
|
||||||
|
- hosts: [*host]
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./helmrelease.yaml
|
||||||
|
- ../../../../templates/volsync
|
28
.archive/kubernetes/home-automation/matter-server/ks.yaml
Normal file
28
.archive/kubernetes/home-automation/matter-server/ks.yaml
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: &app matter-server
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
targetNamespace: home-automation
|
||||||
|
commonMetadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: *app
|
||||||
|
dependsOn:
|
||||||
|
- name: openebs-system
|
||||||
|
- name: volsync
|
||||||
|
path: ./kubernetes/apps/home-automation/matter-server/app
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: homelab
|
||||||
|
wait: false
|
||||||
|
interval: 30m
|
||||||
|
retryInterval: 1m
|
||||||
|
timeout: 5m
|
||||||
|
postBuild:
|
||||||
|
substitute:
|
||||||
|
APP: *app
|
||||||
|
VOLSYNC_CAPACITY: 1Gi
|
|
@ -0,0 +1,9 @@
|
||||||
|
per_listener_settings false
|
||||||
|
listener 1883
|
||||||
|
allow_anonymous false
|
||||||
|
persistence true
|
||||||
|
persistence_location /data
|
||||||
|
autosave_interval 1800
|
||||||
|
connection_messages false
|
||||||
|
autosave_interval 60
|
||||||
|
password_file /mosquitto/external_config/mosquitto_pwd
|
|
@ -0,0 +1,27 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||||
|
apiVersion: external-secrets.io/v1beta1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: mosquitto
|
||||||
|
spec:
|
||||||
|
secretStoreRef:
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
name: onepassword-connect
|
||||||
|
target:
|
||||||
|
name: mosquitto-secret
|
||||||
|
creationPolicy: Owner
|
||||||
|
template:
|
||||||
|
engineVersion: v2
|
||||||
|
data:
|
||||||
|
mosquitto_pwd: |
|
||||||
|
{{ .mosquitto_username }}:{{ .mosquitto_password }}
|
||||||
|
{{ .mosquitto_zwave_username }}:{{ .mosquitto_zwave_password }}
|
||||||
|
{{ .mosquitto_home_assistant_username }}:{{ .mosquitto_home_assistant_password }}
|
||||||
|
dataFrom:
|
||||||
|
- extract:
|
||||||
|
key: mosquitto
|
||||||
|
rewrite:
|
||||||
|
- regexp:
|
||||||
|
source: "(.*)"
|
||||||
|
target: "mosquitto_$1"
|
|
@ -0,0 +1,105 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: &app mosquitto
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: app-template
|
||||||
|
version: 3.2.1
|
||||||
|
interval: 30m
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: bjw-s
|
||||||
|
namespace: flux-system
|
||||||
|
|
||||||
|
values:
|
||||||
|
controllers:
|
||||||
|
mosquitto:
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
|
||||||
|
pod:
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 568
|
||||||
|
runAsGroup: 568
|
||||||
|
fsGroup: 568
|
||||||
|
fsGroupChangePolicy: OnRootMismatch
|
||||||
|
|
||||||
|
initContainers:
|
||||||
|
init-config:
|
||||||
|
image:
|
||||||
|
repository: public.ecr.aws/docker/library/eclipse-mosquitto
|
||||||
|
tag: 2.0.18
|
||||||
|
command:
|
||||||
|
- "/bin/sh"
|
||||||
|
- "-c"
|
||||||
|
args:
|
||||||
|
- cp /tmp/secret/* /mosquitto/external_config/;
|
||||||
|
mosquitto_passwd -U /mosquitto/external_config/mosquitto_pwd;
|
||||||
|
chmod 0600 /mosquitto/external_config/mosquitto_pwd;
|
||||||
|
|
||||||
|
containers:
|
||||||
|
app:
|
||||||
|
image:
|
||||||
|
repository: public.ecr.aws/docker/library/eclipse-mosquitto
|
||||||
|
tag: 2.0.18
|
||||||
|
probes:
|
||||||
|
liveness:
|
||||||
|
enabled: true
|
||||||
|
readiness:
|
||||||
|
enabled: true
|
||||||
|
startup:
|
||||||
|
enabled: true
|
||||||
|
spec:
|
||||||
|
failureThreshold: 30
|
||||||
|
periodSeconds: 5
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 5m
|
||||||
|
memory: 10M
|
||||||
|
limits:
|
||||||
|
memory: 10M
|
||||||
|
|
||||||
|
service:
|
||||||
|
app:
|
||||||
|
controller: mosquitto
|
||||||
|
type: LoadBalancer
|
||||||
|
annotations:
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: "mqtt.jahanson.tech"
|
||||||
|
io.cilium/lb-ipam-ips: "10.1.1.36"
|
||||||
|
externalTrafficPolicy: Local
|
||||||
|
ports:
|
||||||
|
mqtt:
|
||||||
|
enabled: true
|
||||||
|
port: 1883
|
||||||
|
|
||||||
|
persistence:
|
||||||
|
data:
|
||||||
|
existingClaim: *app
|
||||||
|
advancedMounts:
|
||||||
|
mosquitto:
|
||||||
|
app:
|
||||||
|
- path: /data
|
||||||
|
mosquitto-configfile:
|
||||||
|
type: configMap
|
||||||
|
name: mosquitto-configmap
|
||||||
|
advancedMounts:
|
||||||
|
mosquitto:
|
||||||
|
app:
|
||||||
|
- path: /mosquitto/config/mosquitto.conf
|
||||||
|
subPath: mosquitto.conf
|
||||||
|
mosquitto-secret:
|
||||||
|
type: secret
|
||||||
|
name: mosquitto-secret
|
||||||
|
advancedMounts:
|
||||||
|
mosquitto:
|
||||||
|
init-config:
|
||||||
|
- path: /tmp/secret
|
||||||
|
mosquitto-externalconfig:
|
||||||
|
type: emptyDir
|
||||||
|
globalMounts:
|
||||||
|
- path: /mosquitto/external_config
|
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./helmrelease.yaml
|
||||||
|
- ./externalsecret.yaml
|
||||||
|
- ../../../../templates/volsync
|
||||||
|
configMapGenerator:
|
||||||
|
- name: mosquitto-configmap
|
||||||
|
files:
|
||||||
|
- config/mosquitto.conf
|
||||||
|
generatorOptions:
|
||||||
|
disableNameSuffixHash: true
|
28
.archive/kubernetes/home-automation/mosquitto/ks.yaml
Normal file
28
.archive/kubernetes/home-automation/mosquitto/ks.yaml
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: &appname mosquitto
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
targetNamespace: home-automation
|
||||||
|
commonMetadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: *appname
|
||||||
|
interval: 10m
|
||||||
|
path: "./kubernetes/apps/home-automation/mosquitto/app"
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: homelab
|
||||||
|
wait: true
|
||||||
|
dependsOn:
|
||||||
|
- name: openebs
|
||||||
|
- name: volsync
|
||||||
|
- name: external-secrets-stores
|
||||||
|
postBuild:
|
||||||
|
substitute:
|
||||||
|
APP: *appname
|
||||||
|
VOLSYNC_CLAIM: mosquitto-data
|
||||||
|
VOLSYNC_CAPACITY: 512Mi
|
8
.archive/kubernetes/home-automation/namespace.yaml
Normal file
8
.archive/kubernetes/home-automation/namespace.yaml
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: home-automation
|
||||||
|
labels:
|
||||||
|
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||||
|
volsync.backube/privileged-movers: "true"
|
588
.archive/kubernetes/kube-system/cilium/app/bgpcrd.yaml
Normal file
588
.archive/kubernetes/kube-system/cilium/app/bgpcrd.yaml
Normal file
|
@ -0,0 +1,588 @@
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
controller-gen.kubebuilder.io/version: v0.14.0
|
||||||
|
creationTimestamp: null
|
||||||
|
name: ciliumbgppeeringpolicies.cilium.io
|
||||||
|
spec:
|
||||||
|
group: cilium.io
|
||||||
|
names:
|
||||||
|
categories:
|
||||||
|
- cilium
|
||||||
|
- ciliumbgp
|
||||||
|
kind: CiliumBGPPeeringPolicy
|
||||||
|
listKind: CiliumBGPPeeringPolicyList
|
||||||
|
plural: ciliumbgppeeringpolicies
|
||||||
|
shortNames:
|
||||||
|
- bgpp
|
||||||
|
singular: ciliumbgppeeringpolicy
|
||||||
|
scope: Cluster
|
||||||
|
versions:
|
||||||
|
- additionalPrinterColumns:
|
||||||
|
- jsonPath: .metadata.creationTimestamp
|
||||||
|
name: Age
|
||||||
|
type: date
|
||||||
|
name: v2alpha1
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
description: CiliumBGPPeeringPolicy is a Kubernetes third-party resource for
|
||||||
|
instructing Cilium's BGP control plane to create virtual BGP routers.
|
||||||
|
properties:
|
||||||
|
apiVersion:
|
||||||
|
description: 'APIVersion defines the versioned schema of this representation
|
||||||
|
of an object. Servers should convert recognized schemas to the latest
|
||||||
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||||
|
type: string
|
||||||
|
kind:
|
||||||
|
description: 'Kind is a string value representing the REST resource this
|
||||||
|
object represents. Servers may infer this from the endpoint the client
|
||||||
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||||
|
type: string
|
||||||
|
metadata:
|
||||||
|
type: object
|
||||||
|
spec:
|
||||||
|
description: Spec is a human readable description of a BGP peering policy
|
||||||
|
properties:
|
||||||
|
nodeSelector:
|
||||||
|
description: "NodeSelector selects a group of nodes where this BGP
|
||||||
|
Peering Policy applies. \n If empty / nil this policy applies to
|
||||||
|
all nodes."
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label selector requirements.
|
||||||
|
The requirements are ANDed.
|
||||||
|
items:
|
||||||
|
description: A label selector requirement is a selector that
|
||||||
|
contains values, a key, and an operator that relates the key
|
||||||
|
and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the selector applies
|
||||||
|
to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: operator represents a key's relationship to
|
||||||
|
a set of values. Valid operators are In, NotIn, Exists
|
||||||
|
and DoesNotExist.
|
||||||
|
enum:
|
||||||
|
- In
|
||||||
|
- NotIn
|
||||||
|
- Exists
|
||||||
|
- DoesNotExist
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: values is an array of string values. If the
|
||||||
|
operator is In or NotIn, the values array must be non-empty.
|
||||||
|
If the operator is Exists or DoesNotExist, the values
|
||||||
|
array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
description: MatchLabelsValue represents the value from the
|
||||||
|
MatchLabels {key,value} pair.
|
||||||
|
maxLength: 63
|
||||||
|
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
|
||||||
|
type: string
|
||||||
|
description: matchLabels is a map of {key,value} pairs. A single
|
||||||
|
{key,value} in the matchLabels map is equivalent to an element
|
||||||
|
of matchExpressions, whose key field is "key", the operator
|
||||||
|
is "In", and the values array contains only "value". The requirements
|
||||||
|
are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
virtualRouters:
|
||||||
|
description: A list of CiliumBGPVirtualRouter(s) which instructs the
|
||||||
|
BGP control plane how to instantiate virtual BGP routers.
|
||||||
|
items:
|
||||||
|
description: CiliumBGPVirtualRouter defines a discrete BGP virtual
|
||||||
|
router configuration.
|
||||||
|
properties:
|
||||||
|
exportPodCIDR:
|
||||||
|
default: false
|
||||||
|
description: ExportPodCIDR determines whether to export the
|
||||||
|
Node's private CIDR block to the configured neighbors.
|
||||||
|
type: boolean
|
||||||
|
localASN:
|
||||||
|
description: LocalASN is the ASN of this virtual router. Supports
|
||||||
|
extended 32bit ASNs
|
||||||
|
format: int64
|
||||||
|
maximum: 4294967295
|
||||||
|
minimum: 0
|
||||||
|
type: integer
|
||||||
|
neighbors:
|
||||||
|
description: Neighbors is a list of neighboring BGP peers for
|
||||||
|
this virtual router
|
||||||
|
items:
|
||||||
|
description: CiliumBGPNeighbor is a neighboring peer for use
|
||||||
|
in a CiliumBGPVirtualRouter configuration.
|
||||||
|
properties:
|
||||||
|
advertisedPathAttributes:
|
||||||
|
description: AdvertisedPathAttributes can be used to apply
|
||||||
|
additional path attributes to selected routes when advertising
|
||||||
|
them to the peer. If empty / nil, no additional path
|
||||||
|
attributes are advertised.
|
||||||
|
items:
|
||||||
|
description: CiliumBGPPathAttributes can be used to
|
||||||
|
apply additional path attributes to matched routes
|
||||||
|
when advertising them to a BGP peer.
|
||||||
|
properties:
|
||||||
|
communities:
|
||||||
|
description: Communities defines a set of community
|
||||||
|
values advertised in the supported BGP Communities
|
||||||
|
path attributes. If nil / not set, no BGP Communities
|
||||||
|
path attribute will be advertised.
|
||||||
|
properties:
|
||||||
|
large:
|
||||||
|
description: Large holds a list of the BGP Large
|
||||||
|
Communities Attribute (RFC 8092) values.
|
||||||
|
items:
|
||||||
|
description: BGPLargeCommunity type represents
|
||||||
|
a value of the BGP Large Communities Attribute
|
||||||
|
(RFC 8092), as three 4-byte decimal numbers
|
||||||
|
separated by colons.
|
||||||
|
pattern: ^([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5])$
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
standard:
|
||||||
|
description: Standard holds a list of "standard"
|
||||||
|
32-bit BGP Communities Attribute (RFC 1997)
|
||||||
|
values defined as numeric values.
|
||||||
|
items:
|
||||||
|
description: BGPStandardCommunity type represents
|
||||||
|
a value of the "standard" 32-bit BGP Communities
|
||||||
|
Attribute (RFC 1997) as a 4-byte decimal
|
||||||
|
number or two 2-byte decimal numbers separated
|
||||||
|
by a colon (<0-65535>:<0-65535>). For example,
|
||||||
|
no-export community value is 65553:65281.
|
||||||
|
pattern: ^([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5])$|^([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
wellKnown:
|
||||||
|
description: WellKnown holds a list "standard"
|
||||||
|
32-bit BGP Communities Attribute (RFC 1997)
|
||||||
|
values defined as well-known string aliases
|
||||||
|
to their numeric values.
|
||||||
|
items:
|
||||||
|
description: "BGPWellKnownCommunity type represents
|
||||||
|
a value of the \"standard\" 32-bit BGP Communities
|
||||||
|
Attribute (RFC 1997) as a well-known string
|
||||||
|
alias to its numeric value. Allowed values
|
||||||
|
and their mapping to the numeric values:
|
||||||
|
\n internet = 0x00000000
|
||||||
|
(0:0) planned-shut = 0xffff0000
|
||||||
|
(65535:0) accept-own = 0xffff0001
|
||||||
|
(65535:1) route-filter-translated-v4 = 0xffff0002
|
||||||
|
(65535:2) route-filter-v4 = 0xffff0003
|
||||||
|
(65535:3) route-filter-translated-v6 = 0xffff0004
|
||||||
|
(65535:4) route-filter-v6 = 0xffff0005
|
||||||
|
(65535:5) llgr-stale = 0xffff0006
|
||||||
|
(65535:6) no-llgr = 0xffff0007
|
||||||
|
(65535:7) blackhole = 0xffff029a
|
||||||
|
(65535:666) no-export =
|
||||||
|
0xffffff01\t(65535:65281) no-advertise =
|
||||||
|
0xffffff02 (65535:65282) no-export-subconfed
|
||||||
|
\ = 0xffffff03 (65535:65283) no-peer
|
||||||
|
\ = 0xffffff04 (65535:65284)"
|
||||||
|
enum:
|
||||||
|
- internet
|
||||||
|
- planned-shut
|
||||||
|
- accept-own
|
||||||
|
- route-filter-translated-v4
|
||||||
|
- route-filter-v4
|
||||||
|
- route-filter-translated-v6
|
||||||
|
- route-filter-v6
|
||||||
|
- llgr-stale
|
||||||
|
- no-llgr
|
||||||
|
- blackhole
|
||||||
|
- no-export
|
||||||
|
- no-advertise
|
||||||
|
- no-export-subconfed
|
||||||
|
- no-peer
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
localPreference:
|
||||||
|
description: LocalPreference defines the preference
|
||||||
|
value advertised in the BGP Local Preference path
|
||||||
|
attribute. As Local Preference is only valid for
|
||||||
|
iBGP peers, this value will be ignored for eBGP
|
||||||
|
peers (no Local Preference path attribute will
|
||||||
|
be advertised). If nil / not set, the default
|
||||||
|
Local Preference of 100 will be advertised in
|
||||||
|
the Local Preference path attribute for iBGP peers.
|
||||||
|
format: int64
|
||||||
|
maximum: 4294967295
|
||||||
|
minimum: 0
|
||||||
|
type: integer
|
||||||
|
selector:
|
||||||
|
description: Selector selects a group of objects
|
||||||
|
of the SelectorType resulting into routes that
|
||||||
|
will be announced with the configured Attributes.
|
||||||
|
If nil / not set, all objects of the SelectorType
|
||||||
|
are selected.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: A label selector requirement
|
||||||
|
is a selector that contains values, a key,
|
||||||
|
and an operator that relates the key and
|
||||||
|
values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: operator represents a key's
|
||||||
|
relationship to a set of values. Valid
|
||||||
|
operators are In, NotIn, Exists and
|
||||||
|
DoesNotExist.
|
||||||
|
enum:
|
||||||
|
- In
|
||||||
|
- NotIn
|
||||||
|
- Exists
|
||||||
|
- DoesNotExist
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: values is an array of string
|
||||||
|
values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty.
|
||||||
|
If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This
|
||||||
|
array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
description: MatchLabelsValue represents the
|
||||||
|
value from the MatchLabels {key,value} pair.
|
||||||
|
maxLength: 63
|
||||||
|
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
|
||||||
|
type: string
|
||||||
|
description: matchLabels is a map of {key,value}
|
||||||
|
pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions,
|
||||||
|
whose key field is "key", the operator is
|
||||||
|
"In", and the values array contains only "value".
|
||||||
|
The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
selectorType:
|
||||||
|
description: 'SelectorType defines the object type
|
||||||
|
on which the Selector applies: - For "PodCIDR"
|
||||||
|
the Selector matches k8s CiliumNode resources
|
||||||
|
(path attributes apply to routes announced for
|
||||||
|
PodCIDRs of selected CiliumNodes. Only affects
|
||||||
|
routes of cluster scope / Kubernetes IPAM CIDRs,
|
||||||
|
not Multi-Pool IPAM CIDRs. - For "CiliumLoadBalancerIPPool"
|
||||||
|
the Selector matches CiliumLoadBalancerIPPool
|
||||||
|
custom resources (path attributes apply to routes
|
||||||
|
announced for selected CiliumLoadBalancerIPPools).
|
||||||
|
- For "CiliumPodIPPool" the Selector matches CiliumPodIPPool
|
||||||
|
custom resources (path attributes apply to routes
|
||||||
|
announced for allocated CIDRs of selected CiliumPodIPPools).'
|
||||||
|
enum:
|
||||||
|
- PodCIDR
|
||||||
|
- CiliumLoadBalancerIPPool
|
||||||
|
- CiliumPodIPPool
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- selectorType
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
authSecretRef:
|
||||||
|
description: AuthSecretRef is the name of the secret to
|
||||||
|
use to fetch a TCP authentication password for this
|
||||||
|
peer.
|
||||||
|
type: string
|
||||||
|
connectRetryTimeSeconds:
|
||||||
|
default: 120
|
||||||
|
description: ConnectRetryTimeSeconds defines the initial
|
||||||
|
value for the BGP ConnectRetryTimer (RFC 4271, Section
|
||||||
|
8).
|
||||||
|
format: int32
|
||||||
|
maximum: 2147483647
|
||||||
|
minimum: 1
|
||||||
|
type: integer
|
||||||
|
eBGPMultihopTTL:
|
||||||
|
default: 1
|
||||||
|
description: EBGPMultihopTTL controls the multi-hop feature
|
||||||
|
for eBGP peers. Its value defines the Time To Live (TTL)
|
||||||
|
value used in BGP packets sent to the neighbor. The
|
||||||
|
value 1 implies that eBGP multi-hop feature is disabled
|
||||||
|
(only a single hop is allowed). This field is ignored
|
||||||
|
for iBGP peers.
|
||||||
|
format: int32
|
||||||
|
maximum: 255
|
||||||
|
minimum: 1
|
||||||
|
type: integer
|
||||||
|
families:
|
||||||
|
description: "Families, if provided, defines a set of
|
||||||
|
AFI/SAFIs the speaker will negotiate with it's peer.
|
||||||
|
\n If this slice is not provided the default families
|
||||||
|
of IPv6 and IPv4 will be provided."
|
||||||
|
items:
|
||||||
|
description: CiliumBGPFamily represents a AFI/SAFI address
|
||||||
|
family pair.
|
||||||
|
properties:
|
||||||
|
afi:
|
||||||
|
description: Afi is the Address Family Identifier
|
||||||
|
(AFI) of the family.
|
||||||
|
enum:
|
||||||
|
- ipv4
|
||||||
|
- ipv6
|
||||||
|
- l2vpn
|
||||||
|
- ls
|
||||||
|
- opaque
|
||||||
|
type: string
|
||||||
|
safi:
|
||||||
|
description: Safi is the Subsequent Address Family
|
||||||
|
Identifier (SAFI) of the family.
|
||||||
|
enum:
|
||||||
|
- unicast
|
||||||
|
- multicast
|
||||||
|
- mpls_label
|
||||||
|
- encapsulation
|
||||||
|
- vpls
|
||||||
|
- evpn
|
||||||
|
- ls
|
||||||
|
- sr_policy
|
||||||
|
- mup
|
||||||
|
- mpls_vpn
|
||||||
|
- mpls_vpn_multicast
|
||||||
|
- route_target_constraints
|
||||||
|
- flowspec_unicast
|
||||||
|
- flowspec_vpn
|
||||||
|
- key_value
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- afi
|
||||||
|
- safi
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
gracefulRestart:
|
||||||
|
description: GracefulRestart defines graceful restart
|
||||||
|
parameters which are negotiated with this neighbor.
|
||||||
|
If empty / nil, the graceful restart capability is disabled.
|
||||||
|
properties:
|
||||||
|
enabled:
|
||||||
|
description: Enabled flag, when set enables graceful
|
||||||
|
restart capability.
|
||||||
|
type: boolean
|
||||||
|
restartTimeSeconds:
|
||||||
|
default: 120
|
||||||
|
description: RestartTimeSeconds is the estimated time
|
||||||
|
it will take for the BGP session to be re-established
|
||||||
|
with peer after a restart. After this period, peer
|
||||||
|
will remove stale routes. This is described RFC
|
||||||
|
4724 section 4.2.
|
||||||
|
format: int32
|
||||||
|
maximum: 4095
|
||||||
|
minimum: 1
|
||||||
|
type: integer
|
||||||
|
required:
|
||||||
|
- enabled
|
||||||
|
type: object
|
||||||
|
holdTimeSeconds:
|
||||||
|
default: 90
|
||||||
|
description: HoldTimeSeconds defines the initial value
|
||||||
|
for the BGP HoldTimer (RFC 4271, Section 4.2). Updating
|
||||||
|
this value will cause a session reset.
|
||||||
|
format: int32
|
||||||
|
maximum: 65535
|
||||||
|
minimum: 3
|
||||||
|
type: integer
|
||||||
|
keepAliveTimeSeconds:
|
||||||
|
default: 30
|
||||||
|
description: KeepaliveTimeSeconds defines the initial
|
||||||
|
value for the BGP KeepaliveTimer (RFC 4271, Section
|
||||||
|
8). It can not be larger than HoldTimeSeconds. Updating
|
||||||
|
this value will cause a session reset.
|
||||||
|
format: int32
|
||||||
|
maximum: 65535
|
||||||
|
minimum: 1
|
||||||
|
type: integer
|
||||||
|
peerASN:
|
||||||
|
description: PeerASN is the ASN of the peer BGP router.
|
||||||
|
Supports extended 32bit ASNs
|
||||||
|
format: int64
|
||||||
|
maximum: 4294967295
|
||||||
|
minimum: 0
|
||||||
|
type: integer
|
||||||
|
peerAddress:
|
||||||
|
description: PeerAddress is the IP address of the peer.
|
||||||
|
This must be in CIDR notation and use a /32 to express
|
||||||
|
a single host.
|
||||||
|
format: cidr
|
||||||
|
type: string
|
||||||
|
peerPort:
|
||||||
|
default: 179
|
||||||
|
description: PeerPort is the TCP port of the peer. 1-65535
|
||||||
|
is the range of valid port numbers that can be specified.
|
||||||
|
If unset, defaults to 179.
|
||||||
|
format: int32
|
||||||
|
maximum: 65535
|
||||||
|
minimum: 1
|
||||||
|
type: integer
|
||||||
|
required:
|
||||||
|
- peerASN
|
||||||
|
- peerAddress
|
||||||
|
type: object
|
||||||
|
minItems: 1
|
||||||
|
type: array
|
||||||
|
podIPPoolSelector:
|
||||||
|
description: "PodIPPoolSelector selects CiliumPodIPPools based
|
||||||
|
on labels. The virtual router will announce allocated CIDRs
|
||||||
|
of matching CiliumPodIPPools. \n If empty / nil no CiliumPodIPPools
|
||||||
|
will be announced."
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label selector
|
||||||
|
requirements. The requirements are ANDed.
|
||||||
|
items:
|
||||||
|
description: A label selector requirement is a selector
|
||||||
|
that contains values, a key, and an operator that relates
|
||||||
|
the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the selector
|
||||||
|
applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: operator represents a key's relationship
|
||||||
|
to a set of values. Valid operators are In, NotIn,
|
||||||
|
Exists and DoesNotExist.
|
||||||
|
enum:
|
||||||
|
- In
|
||||||
|
- NotIn
|
||||||
|
- Exists
|
||||||
|
- DoesNotExist
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: values is an array of string values.
|
||||||
|
If the operator is In or NotIn, the values array
|
||||||
|
must be non-empty. If the operator is Exists or
|
||||||
|
DoesNotExist, the values array must be empty. This
|
||||||
|
array is replaced during a strategic merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
description: MatchLabelsValue represents the value from
|
||||||
|
the MatchLabels {key,value} pair.
|
||||||
|
maxLength: 63
|
||||||
|
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
|
||||||
|
type: string
|
||||||
|
description: matchLabels is a map of {key,value} pairs.
|
||||||
|
A single {key,value} in the matchLabels map is equivalent
|
||||||
|
to an element of matchExpressions, whose key field is
|
||||||
|
"key", the operator is "In", and the values array contains
|
||||||
|
only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
serviceSelector:
|
||||||
|
description: "ServiceSelector selects a group of load balancer
|
||||||
|
services which this virtual router will announce. The loadBalancerClass
|
||||||
|
for a service must be nil or specify a class supported by
|
||||||
|
Cilium, e.g. \"io.cilium/bgp-control-plane\". Refer to the
|
||||||
|
following document for additional details regarding load balancer
|
||||||
|
classes: \n https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
|
||||||
|
\n If empty / nil no services will be announced."
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label selector
|
||||||
|
requirements. The requirements are ANDed.
|
||||||
|
items:
|
||||||
|
description: A label selector requirement is a selector
|
||||||
|
that contains values, a key, and an operator that relates
|
||||||
|
the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the selector
|
||||||
|
applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: operator represents a key's relationship
|
||||||
|
to a set of values. Valid operators are In, NotIn,
|
||||||
|
Exists and DoesNotExist.
|
||||||
|
enum:
|
||||||
|
- In
|
||||||
|
- NotIn
|
||||||
|
- Exists
|
||||||
|
- DoesNotExist
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: values is an array of string values.
|
||||||
|
If the operator is In or NotIn, the values array
|
||||||
|
must be non-empty. If the operator is Exists or
|
||||||
|
DoesNotExist, the values array must be empty. This
|
||||||
|
array is replaced during a strategic merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
description: MatchLabelsValue represents the value from
|
||||||
|
the MatchLabels {key,value} pair.
|
||||||
|
maxLength: 63
|
||||||
|
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
|
||||||
|
type: string
|
||||||
|
description: matchLabels is a map of {key,value} pairs.
|
||||||
|
A single {key,value} in the matchLabels map is equivalent
|
||||||
|
to an element of matchExpressions, whose key field is
|
||||||
|
"key", the operator is "In", and the values array contains
|
||||||
|
only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- localASN
|
||||||
|
- neighbors
|
||||||
|
type: object
|
||||||
|
minItems: 1
|
||||||
|
type: array
|
||||||
|
required:
|
||||||
|
- virtualRouters
|
||||||
|
type: object
|
||||||
|
required:
|
||||||
|
- metadata
|
||||||
|
type: object
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
subresources: {}
|
||||||
|
status:
|
||||||
|
acceptedNames:
|
||||||
|
kind: ""
|
||||||
|
plural: ""
|
||||||
|
conditions: []
|
||||||
|
storedVersions: []
|
|
@ -0,0 +1,36 @@
|
||||||
|
---
|
||||||
|
apiVersion: cilium.io/v2alpha1
|
||||||
|
kind: CiliumBGPPeeringPolicy
|
||||||
|
# comments courtesy of JJGadgets
|
||||||
|
# MAKE SURE CRDs ARE INSTALLED IN CLUSTER VIA cilium-config ConfigMap OR Cilium HelmRelease/values.yaml (bgpControlPlane.enabled: true), BEFORE THIS IS APPLIED!
|
||||||
|
# "CiliumBGPPeeringPolicy" Custom Resource will replace the old MetalLB BGP's "bgp-config" ConfigMap
|
||||||
|
# "CiliumBGPPeeringPolicy" is used with `bgpControlPlane.enabled: true` which uses GoBGP, NOT the old `bgp.enabled: true` which uses MetalLB
|
||||||
|
metadata:
|
||||||
|
name: bgp-loadbalancer-ip-main
|
||||||
|
spec:
|
||||||
|
nodeSelector:
|
||||||
|
matchLabels:
|
||||||
|
kubernetes.io/os: "linux" # match all Linux nodes, change this to match more granularly if more than 1 PeeringPolicy is to be used throughout cluster
|
||||||
|
virtualRouters:
|
||||||
|
- localASN: 64512
|
||||||
|
exportPodCIDR: false
|
||||||
|
serviceSelector: # this replaces address-pools, instead of defining the range of IPs that can be assigned to LoadBalancer services, now services have to match below selectors for their LB IPs to be announced
|
||||||
|
matchExpressions:
|
||||||
|
- {
|
||||||
|
key: thisFakeSelector,
|
||||||
|
operator: NotIn,
|
||||||
|
values: ["will-match-and-announce-all-services"],
|
||||||
|
}
|
||||||
|
neighbors:
|
||||||
|
- peerAddress: "10.1.1.1/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
|
||||||
|
peerASN: 64512
|
||||||
|
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumloadbalancerippool_v2alpha1.json
|
||||||
|
apiVersion: "cilium.io/v2alpha1"
|
||||||
|
kind: CiliumLoadBalancerIPPool
|
||||||
|
metadata:
|
||||||
|
name: main-pool
|
||||||
|
spec:
|
||||||
|
cidrs:
|
||||||
|
- cidr: 10.45.0.1/24
|
78
.archive/kubernetes/kube-system/cilium/app/helmrelease.yaml
Normal file
78
.archive/kubernetes/kube-system/cilium/app/helmrelease.yaml
Normal file
|
@ -0,0 +1,78 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: cilium
|
||||||
|
namespace: kube-system
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: cilium
|
||||||
|
version: 1.15.3
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: cilium
|
||||||
|
namespace: flux-system
|
||||||
|
maxHistory: 2
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
uninstall:
|
||||||
|
keepHistory: false
|
||||||
|
values:
|
||||||
|
cluster:
|
||||||
|
name: homelab
|
||||||
|
id: 1
|
||||||
|
hubble:
|
||||||
|
relay:
|
||||||
|
enabled: true
|
||||||
|
ui:
|
||||||
|
enabled: true
|
||||||
|
metrics:
|
||||||
|
enableOpenMetrics: true
|
||||||
|
prometheus:
|
||||||
|
enabled: true
|
||||||
|
operator:
|
||||||
|
prometheus:
|
||||||
|
enabled: true
|
||||||
|
ipam:
|
||||||
|
mode: kubernetes
|
||||||
|
kubeProxyReplacement: true
|
||||||
|
k8sServiceHost: 127.0.0.1
|
||||||
|
k8sServicePort: 7445
|
||||||
|
rollOutCiliumPods: true
|
||||||
|
cgroup:
|
||||||
|
automount:
|
||||||
|
enabled: false
|
||||||
|
hostRoot: /sys/fs/cgroup
|
||||||
|
bgp:
|
||||||
|
enabled: false
|
||||||
|
announce:
|
||||||
|
loadbalancerIP: true
|
||||||
|
podCIDR: false
|
||||||
|
bgpControlPlane:
|
||||||
|
enabled: true
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
ciliumAgent:
|
||||||
|
- CHOWN
|
||||||
|
- KILL
|
||||||
|
- NET_ADMIN
|
||||||
|
- NET_RAW
|
||||||
|
- IPC_LOCK
|
||||||
|
- SYS_ADMIN
|
||||||
|
- SYS_RESOURCE
|
||||||
|
- DAC_OVERRIDE
|
||||||
|
- FOWNER
|
||||||
|
- SETGID
|
||||||
|
- SETUID
|
||||||
|
cleanCiliumState:
|
||||||
|
- NET_ADMIN
|
||||||
|
- SYS_ADMIN
|
||||||
|
- SYS_RESOURCE
|
|
@ -0,0 +1,23 @@
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||||
|
---
|
||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumClusterwideNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: allow-ssh
|
||||||
|
spec:
|
||||||
|
description: ""
|
||||||
|
nodeSelector:
|
||||||
|
matchLabels:
|
||||||
|
# node-access: ssh
|
||||||
|
node-role.kubernetes.io/control-plane: "true"
|
||||||
|
ingress:
|
||||||
|
- fromEntities:
|
||||||
|
- cluster
|
||||||
|
- toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: "22"
|
||||||
|
protocol: TCP
|
||||||
|
- icmps:
|
||||||
|
- fields:
|
||||||
|
- type: 8
|
||||||
|
family: IPv4
|
|
@ -0,0 +1,27 @@
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||||
|
---
|
||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumClusterwideNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: api-server
|
||||||
|
spec:
|
||||||
|
nodeSelector:
|
||||||
|
# apply to master nodes
|
||||||
|
matchLabels:
|
||||||
|
node-role.kubernetes.io/control-plane: 'true'
|
||||||
|
ingress:
|
||||||
|
# load balancer -> api server
|
||||||
|
- fromCIDR:
|
||||||
|
- 167.235.217.82/32
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '6443'
|
||||||
|
protocol: TCP
|
||||||
|
egress:
|
||||||
|
# api server -> kubelet
|
||||||
|
- toEntities:
|
||||||
|
- remote-node
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '10250'
|
||||||
|
protocol: TCP
|
|
@ -0,0 +1,41 @@
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||||
|
---
|
||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumClusterwideNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: cilium-health
|
||||||
|
specs:
|
||||||
|
- endpointSelector:
|
||||||
|
# apply to health endpoints
|
||||||
|
matchLabels:
|
||||||
|
reserved:health: ''
|
||||||
|
ingress:
|
||||||
|
# cilium agent -> cilium agent
|
||||||
|
- fromEntities:
|
||||||
|
- host
|
||||||
|
- remote-node
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '4240'
|
||||||
|
protocol: TCP
|
||||||
|
- nodeSelector:
|
||||||
|
# apply to all nodes
|
||||||
|
matchLabels: {}
|
||||||
|
ingress:
|
||||||
|
# cilium agent -> cilium agent
|
||||||
|
- fromEntities:
|
||||||
|
- health
|
||||||
|
- remote-node
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '4240'
|
||||||
|
protocol: TCP
|
||||||
|
egress:
|
||||||
|
# cilium agent -> cilium agent
|
||||||
|
- toEntities:
|
||||||
|
- health
|
||||||
|
- remote-node
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '4240'
|
||||||
|
protocol: TCP
|
|
@ -0,0 +1,26 @@
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||||
|
---
|
||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumClusterwideNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: cilium-vxlan
|
||||||
|
spec:
|
||||||
|
nodeSelector:
|
||||||
|
# apply to all nodes
|
||||||
|
matchLabels: {}
|
||||||
|
ingress:
|
||||||
|
# node -> vxlan
|
||||||
|
- fromEntities:
|
||||||
|
- remote-node
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '8472'
|
||||||
|
protocol: UDP
|
||||||
|
egress:
|
||||||
|
# node -> vxlan
|
||||||
|
- toEntities:
|
||||||
|
- remote-node
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '8472'
|
||||||
|
protocol: UDP
|
|
@ -0,0 +1,65 @@
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
|
||||||
|
---
|
||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: core-dns
|
||||||
|
namespace: kube-system
|
||||||
|
specs:
|
||||||
|
- nodeSelector:
|
||||||
|
# apply to master nodes
|
||||||
|
matchLabels:
|
||||||
|
node-role.kubernetes.io/control-plane: 'true'
|
||||||
|
ingress:
|
||||||
|
# core dns -> api server
|
||||||
|
- fromEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: coredns
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '6443'
|
||||||
|
protocol: TCP
|
||||||
|
- nodeSelector:
|
||||||
|
# apply to all nodes
|
||||||
|
matchLabels: {}
|
||||||
|
egress:
|
||||||
|
# kubelet -> core dns probes
|
||||||
|
- toEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: coredns
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '8080'
|
||||||
|
protocol: TCP
|
||||||
|
- port: '8181'
|
||||||
|
protocol: TCP
|
||||||
|
- endpointSelector:
|
||||||
|
# apply to core dns pods
|
||||||
|
matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: coredns
|
||||||
|
ingress:
|
||||||
|
# kubelet -> core dns probes
|
||||||
|
- fromEntities:
|
||||||
|
- host
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '8080'
|
||||||
|
protocol: TCP
|
||||||
|
- port: '8181'
|
||||||
|
protocol: TCP
|
||||||
|
egress:
|
||||||
|
# core dns -> api server
|
||||||
|
- toEntities:
|
||||||
|
- kube-apiserver
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '6443'
|
||||||
|
protocol: TCP
|
||||||
|
# core dns -> upstream DNS
|
||||||
|
- toCIDR:
|
||||||
|
- 185.12.64.1/32
|
||||||
|
- 185.12.64.2/32
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '53'
|
||||||
|
protocol: UDP
|
27
.archive/kubernetes/kube-system/cilium/app/netpols/etcd.yaml
Normal file
27
.archive/kubernetes/kube-system/cilium/app/netpols/etcd.yaml
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||||
|
---
|
||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumClusterwideNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: etcd
|
||||||
|
spec:
|
||||||
|
nodeSelector:
|
||||||
|
# apply to master nodes
|
||||||
|
matchLabels:
|
||||||
|
node-role.kubernetes.io/control-plane: 'true'
|
||||||
|
ingress:
|
||||||
|
# etcd peer -> etcd peer
|
||||||
|
- fromEntities:
|
||||||
|
- remote-node
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '2380'
|
||||||
|
protocol: TCP
|
||||||
|
egress:
|
||||||
|
# etcd peer -> etcd peer
|
||||||
|
- toEntities:
|
||||||
|
- remote-node
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '2380'
|
||||||
|
protocol: TCP
|
|
@ -0,0 +1,15 @@
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||||
|
---
|
||||||
|
apiVersion: "cilium.io/v2"
|
||||||
|
kind: CiliumClusterwideNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: allow-specific-traffic
|
||||||
|
spec:
|
||||||
|
endpointSelector: {}
|
||||||
|
ingress:
|
||||||
|
- fromEntities:
|
||||||
|
- host
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '6443'
|
||||||
|
protocol: TCP
|
|
@ -0,0 +1,50 @@
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
|
||||||
|
---
|
||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: hubble-relay
|
||||||
|
namespace: kube-system
|
||||||
|
specs:
|
||||||
|
- nodeSelector:
|
||||||
|
# apply to all nodes
|
||||||
|
matchLabels: {}
|
||||||
|
ingress:
|
||||||
|
# hubble relay -> hubble agent
|
||||||
|
- fromEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: hubble-relay
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '4244'
|
||||||
|
protocol: TCP
|
||||||
|
egress:
|
||||||
|
# kubelet -> hubble relay probes
|
||||||
|
- toEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: hubble-relay
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '4245'
|
||||||
|
protocol: TCP
|
||||||
|
- endpointSelector:
|
||||||
|
# apply to hubble relay pods
|
||||||
|
matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: hubble-relay
|
||||||
|
ingress:
|
||||||
|
# kubelet -> hubble relay probes
|
||||||
|
- fromEntities:
|
||||||
|
- host
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '4245'
|
||||||
|
protocol: TCP
|
||||||
|
egress:
|
||||||
|
# hubble relay -> hubble agent
|
||||||
|
- toEntities:
|
||||||
|
- host
|
||||||
|
- remote-node
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '4244'
|
||||||
|
protocol: TCP
|
|
@ -0,0 +1,75 @@
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
|
||||||
|
---
|
||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: hubble-ui
|
||||||
|
namespace: kube-system
|
||||||
|
specs:
|
||||||
|
- nodeSelector:
|
||||||
|
# apply to master nodes
|
||||||
|
matchLabels:
|
||||||
|
node-role.kubernetes.io/control-plane: ''
|
||||||
|
ingress:
|
||||||
|
# hubble ui -> api server
|
||||||
|
- fromEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: hubble-ui
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '6443'
|
||||||
|
protocol: TCP
|
||||||
|
- endpointSelector:
|
||||||
|
# apply to core dns endpoints
|
||||||
|
matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: coredns
|
||||||
|
ingress:
|
||||||
|
# hubble ui -> core dns
|
||||||
|
- fromEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: hubble-ui
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '53'
|
||||||
|
protocol: UDP
|
||||||
|
- endpointSelector:
|
||||||
|
# apply to hubble relay endpoints
|
||||||
|
matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: hubble-relay
|
||||||
|
ingress:
|
||||||
|
# hubble ui -> hubble relay
|
||||||
|
- fromEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: hubble-ui
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '4245'
|
||||||
|
protocol: TCP
|
||||||
|
- endpointSelector:
|
||||||
|
# apply to hubble ui endpoints
|
||||||
|
matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: hubble-ui
|
||||||
|
egress:
|
||||||
|
# hubble ui -> api server
|
||||||
|
- toEntities:
|
||||||
|
- kube-apiserver
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '6443'
|
||||||
|
protocol: TCP
|
||||||
|
# hubble ui -> hubble relay
|
||||||
|
- toEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: hubble-relay
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '4245'
|
||||||
|
protocol: TCP
|
||||||
|
# hubble ui -> core dns
|
||||||
|
- toEndpoints:
|
||||||
|
- matchLabels:
|
||||||
|
io.cilium.k8s.policy.serviceaccount: coredns
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '53'
|
||||||
|
protocol: UDP
|
|
@ -0,0 +1,28 @@
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||||
|
---
|
||||||
|
apiVersion: cilium.io/v2
|
||||||
|
kind: CiliumClusterwideNetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: kubelet
|
||||||
|
spec:
|
||||||
|
nodeSelector:
|
||||||
|
# apply to all nodes
|
||||||
|
matchLabels: {}
|
||||||
|
ingress:
|
||||||
|
# api server -> kubelet
|
||||||
|
- fromEntities:
|
||||||
|
- kube-apiserver
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '10250'
|
||||||
|
protocol: TCP
|
||||||
|
egress:
|
||||||
|
# kubelet -> load balancer
|
||||||
|
- toCIDR:
|
||||||
|
- 167.235.217.82/32
|
||||||
|
toEntities:
|
||||||
|
- host
|
||||||
|
toPorts:
|
||||||
|
- ports:
|
||||||
|
- port: '6443'
|
||||||
|
protocol: TCP
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
namespace: kube-system
|
||||||
|
resources:
|
||||||
|
- ./allow-ssh.yaml
|
||||||
|
- ./apiserver.yaml
|
||||||
|
- ./cilium-health.yaml
|
||||||
|
- ./cilium-vxlan.yaml
|
||||||
|
- ./core-dns.yaml
|
||||||
|
- ./etcd.yaml
|
||||||
|
- ./hubble-relay.yaml
|
||||||
|
- ./hubble-ui.yaml
|
||||||
|
- ./kubelet.yaml
|
||||||
|
|
17
.archive/kubernetes/kube-system/cilium/ks.yaml
Normal file
17
.archive/kubernetes/kube-system/cilium/ks.yaml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: cilium
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
retryInterval: 1m
|
||||||
|
timeout: 5m
|
||||||
|
path: "./kubernetes/apps/kube-system/cilium/app"
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: homelab
|
||||||
|
wait: false
|
|
@ -7,6 +7,6 @@ resources:
|
||||||
configMapGenerator:
|
configMapGenerator:
|
||||||
- name: spegel-helm-values
|
- name: spegel-helm-values
|
||||||
files:
|
files:
|
||||||
- values.yaml=./helm-values.yml
|
- values.yaml=./resources/values.yml
|
||||||
configurations:
|
configurations:
|
||||||
- kustomizeconfig.yaml
|
- kustomizeconfig.yaml
|
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
spegel:
|
||||||
|
containerdSock: /run/containerd/containerd.sock
|
||||||
|
containerdRegistryConfigPath: /etc/cri/conf.d/hosts
|
||||||
|
registries:
|
||||||
|
- https://docker.io
|
||||||
|
- https://ghcr.io
|
||||||
|
- https://quay.io
|
||||||
|
- https://mcr.microsoft.com
|
||||||
|
- https://public.ecr.aws
|
||||||
|
- https://gcr.io
|
||||||
|
- https://registry.k8s.io
|
||||||
|
- https://k8s.gcr.io
|
||||||
|
- https://lscr.io
|
||||||
|
service:
|
||||||
|
registry:
|
||||||
|
hostPort: 29999
|
|
@ -14,7 +14,7 @@ spec:
|
||||||
prune: true
|
prune: true
|
||||||
sourceRef:
|
sourceRef:
|
||||||
kind: GitRepository
|
kind: GitRepository
|
||||||
name: theshire
|
name: homelab
|
||||||
wait: false
|
wait: false
|
||||||
interval: 30m
|
interval: 30m
|
||||||
retryInterval: 1m
|
retryInterval: 1m
|
109
.archive/kubernetes/kube-system/zfs-scrub/app/helmrelease.yaml
Normal file
109
.archive/kubernetes/kube-system/zfs-scrub/app/helmrelease.yaml
Normal file
|
@ -0,0 +1,109 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: &app zfs-scrub
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: app-template
|
||||||
|
version: 3.2.1
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: bjw-s
|
||||||
|
namespace: flux-system
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
strategy: rollback
|
||||||
|
values:
|
||||||
|
controllers:
|
||||||
|
kubanetics:
|
||||||
|
type: cronjob
|
||||||
|
cronjob:
|
||||||
|
schedule: "@weekly"
|
||||||
|
parallelism: 1 # Set to my total number of nodes
|
||||||
|
containers:
|
||||||
|
app:
|
||||||
|
image:
|
||||||
|
repository: ghcr.io/aarnaud/talos-debug-tools
|
||||||
|
tag: latest-6.6.29
|
||||||
|
command: ["/bin/bash", "-c"]
|
||||||
|
args:
|
||||||
|
- |
|
||||||
|
# Trim filesystems
|
||||||
|
chroot /host /usr/local/sbin/zpool scrub nahar
|
||||||
|
probes:
|
||||||
|
liveness:
|
||||||
|
enabled: false
|
||||||
|
readiness:
|
||||||
|
enabled: false
|
||||||
|
startup:
|
||||||
|
enabled: false
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 25m
|
||||||
|
limits:
|
||||||
|
memory: 128Mi
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
pod:
|
||||||
|
hostNetwork: true
|
||||||
|
hostPID: true
|
||||||
|
topologySpreadConstraints:
|
||||||
|
- maxSkew: 1
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
whenUnsatisfiable: DoNotSchedule
|
||||||
|
labelSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: *app
|
||||||
|
persistence:
|
||||||
|
netfs:
|
||||||
|
type: hostPath
|
||||||
|
hostPath: /sys
|
||||||
|
hostPathType: Directory
|
||||||
|
globalMounts:
|
||||||
|
- path: /sys
|
||||||
|
readOnly: true
|
||||||
|
dev:
|
||||||
|
type: hostPath
|
||||||
|
hostPath: /dev
|
||||||
|
hostPathType: Directory
|
||||||
|
globalMounts:
|
||||||
|
- path: /dev
|
||||||
|
modules:
|
||||||
|
type: hostPath
|
||||||
|
hostPath: /lib/modules
|
||||||
|
hostPathType: ""
|
||||||
|
globalMounts:
|
||||||
|
- path: /lib/modules
|
||||||
|
udev:
|
||||||
|
type: hostPath
|
||||||
|
hostPath: /run/udev
|
||||||
|
hostPathType: ""
|
||||||
|
globalMounts:
|
||||||
|
- path: /run/udev
|
||||||
|
localtime:
|
||||||
|
type: hostPath
|
||||||
|
hostPath: /etc/localtime
|
||||||
|
hostPathType: ""
|
||||||
|
globalMounts:
|
||||||
|
- path: /etc/localtime
|
||||||
|
host:
|
||||||
|
type: hostPath
|
||||||
|
hostPath: /
|
||||||
|
hostPathType: Directory
|
||||||
|
globalMounts:
|
||||||
|
- path: /host
|
||||||
|
efivars:
|
||||||
|
type: hostPath
|
||||||
|
hostPath: /sys/firmware/efi/efivars
|
||||||
|
hostPathType: ""
|
||||||
|
globalMounts:
|
||||||
|
- path: /sys/firmware/efi/efivars
|
|
@ -0,0 +1,12 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./helmrelease.yaml
|
||||||
|
configMapGenerator:
|
||||||
|
- name: zfs-scrub-configmap
|
||||||
|
files:
|
||||||
|
- zfs-scrub.sh=./resources/zfs-scrub.sh
|
||||||
|
generatorOptions:
|
||||||
|
disableNameSuffixHash: true
|
|
@ -0,0 +1,20 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
KUBELET_BIN="/usr/local/bin/kubelet"
|
||||||
|
KUBELET_PID="$(pgrep -f $KUBELET_BIN)"
|
||||||
|
ZPOOL="nahar"
|
||||||
|
|
||||||
|
if [ -z "${KUBELET_PID}" ]; then
|
||||||
|
echo "kubelet not found"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Enter namespaces and run commands
|
||||||
|
nsrun() {
|
||||||
|
nsenter \
|
||||||
|
--mount="/host/proc/${KUBELET_PID}/ns/mnt" \
|
||||||
|
--net="/host/proc/${KUBELET_PID}/ns/net" \
|
||||||
|
-- bash -c "$1"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Scrub filesystems
|
||||||
|
nsrun "zpool scrub ${ZPOOL}"
|
21
.archive/kubernetes/kube-system/zfs-scrub/ks.yaml
Normal file
21
.archive/kubernetes/kube-system/zfs-scrub/ks.yaml
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: &app zfs-scrub
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
targetNamespace: kube-system
|
||||||
|
commonMetadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: *app
|
||||||
|
path: ./kubernetes/apps/kube-system/zfs-scrub/app
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: homelab
|
||||||
|
wait: false
|
||||||
|
interval: 30m
|
||||||
|
retryInterval: 1m
|
||||||
|
timeout: 5m
|
16
.archive/kubernetes/media/immich/app/configmap.yaml
Normal file
16
.archive/kubernetes/media/immich/app/configmap.yaml
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: immich-app-config
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: immich
|
||||||
|
data:
|
||||||
|
LOG_LEVEL: verbose
|
||||||
|
DB_VECTOR_EXTENSION: pgvector
|
||||||
|
NODE_ENV: production
|
||||||
|
REDIS_HOSTNAME: dragonfly.database.svc.cluster.local
|
||||||
|
REDIS_PORT: "6379"
|
||||||
|
IMMICH_WEB_URL: http://immich-web.media.svc.cluster.local:3000
|
||||||
|
IMMICH_SERVER_URL: http://immich-server.media.svc.cluster.local:3001
|
||||||
|
IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning.media.svc.cluster.local:3003
|
19
.archive/kubernetes/media/immich/app/externalsecret.yaml
Normal file
19
.archive/kubernetes/media/immich/app/externalsecret.yaml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||||
|
apiVersion: external-secrets.io/v1beta1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: immich
|
||||||
|
spec:
|
||||||
|
secretStoreRef:
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
name: onepassword-connect
|
||||||
|
target:
|
||||||
|
name: immich-secret
|
||||||
|
template:
|
||||||
|
engineVersion: v2
|
||||||
|
data:
|
||||||
|
DATABASE_URI: "postgresql://{{ .DATABASE_USER }}:{{ .DATABASE_PASSWORD }}@immich-primary-real.media.svc:{{ .DATABASE_PORT }}/{{ .DATABASE_NAME }}"
|
||||||
|
dataFrom:
|
||||||
|
- extract:
|
||||||
|
key: immich
|
21
.archive/kubernetes/media/immich/app/gatus.yaml
Normal file
21
.archive/kubernetes/media/immich/app/gatus.yaml
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: immich-postgres-gatus-ep
|
||||||
|
labels:
|
||||||
|
gatus.io/enabled: "true"
|
||||||
|
data:
|
||||||
|
config.yaml: |
|
||||||
|
endpoints:
|
||||||
|
- name: immich-postgres
|
||||||
|
group: infrastructure
|
||||||
|
url: tcp://immich-primary-real.media.svc.cluster.local:5432
|
||||||
|
interval: 1m
|
||||||
|
ui:
|
||||||
|
hide-url: true
|
||||||
|
hide-hostname: true
|
||||||
|
conditions:
|
||||||
|
- "[CONNECTED] == true"
|
||||||
|
alerts:
|
||||||
|
- type: pushover
|
97
.archive/kubernetes/media/immich/app/helmrelease.yaml
Normal file
97
.archive/kubernetes/media/immich/app/helmrelease.yaml
Normal file
|
@ -0,0 +1,97 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: &name immich
|
||||||
|
namespace: default
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: app-template
|
||||||
|
version: 3.1.0
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: bjw-s
|
||||||
|
namespace: flux-system
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
strategy: rollback
|
||||||
|
values:
|
||||||
|
controllers:
|
||||||
|
immich-server:
|
||||||
|
type: statefulset
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
containers:
|
||||||
|
app:
|
||||||
|
image:
|
||||||
|
repository: ghcr.io/immich-app/immich-server
|
||||||
|
tag: v1.105.1
|
||||||
|
command: /bin/sh
|
||||||
|
args:
|
||||||
|
- ./start-server.sh
|
||||||
|
probes:
|
||||||
|
startup:
|
||||||
|
enabled: true
|
||||||
|
spec:
|
||||||
|
failureThreshold: 30
|
||||||
|
periodSeconds: 5
|
||||||
|
liveness:
|
||||||
|
enabled: true
|
||||||
|
readiness:
|
||||||
|
enabled: true
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 512Mi
|
||||||
|
limits:
|
||||||
|
memory: 4Gi
|
||||||
|
env:
|
||||||
|
TZ: America/Chicago
|
||||||
|
DB_URL:
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: immich-secret
|
||||||
|
key: DATABASE_URI
|
||||||
|
envFrom:
|
||||||
|
- configMapRef:
|
||||||
|
name: immich-app-config
|
||||||
|
service:
|
||||||
|
app:
|
||||||
|
controller: immich-server
|
||||||
|
ports:
|
||||||
|
http:
|
||||||
|
port: 3001
|
||||||
|
ingress:
|
||||||
|
app:
|
||||||
|
enabled: true
|
||||||
|
className: external-nginx
|
||||||
|
annotations:
|
||||||
|
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
|
||||||
|
external-dns.alpha.kubernetes.io/target: external.hsn.dev
|
||||||
|
nginx.ingress.kubernetes.io/proxy-body-size: "0"
|
||||||
|
hosts:
|
||||||
|
- host: &host "im.hsn.dev"
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
service:
|
||||||
|
identifier: app
|
||||||
|
port: http
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- *host
|
||||||
|
persistence:
|
||||||
|
media:
|
||||||
|
enabled: true
|
||||||
|
type: nfs
|
||||||
|
server: 10.1.1.13
|
||||||
|
path: /eru/media/immich
|
||||||
|
globalMounts:
|
||||||
|
- path: /usr/src/app/upload
|
27
.archive/kubernetes/media/immich/app/kustomization.yaml
Normal file
27
.archive/kubernetes/media/immich/app/kustomization.yaml
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./configmap.yaml
|
||||||
|
- ./externalsecret.yaml
|
||||||
|
- ./gatus.yaml
|
||||||
|
- ./helmrelease.yaml
|
||||||
|
- ./machine-learning
|
||||||
|
- ./microservices
|
||||||
|
- ./postgresCluster.yaml
|
||||||
|
- ./pushsecret.yaml
|
||||||
|
- ./service.yaml
|
||||||
|
configMapGenerator:
|
||||||
|
- name: immich-databse-init-sql
|
||||||
|
files:
|
||||||
|
- init.sql=./resources/init.sql
|
||||||
|
labels:
|
||||||
|
- pairs:
|
||||||
|
app.kubernetes.io/name: immich
|
||||||
|
app.kubernetes.io/instance: immich
|
||||||
|
app.kubernetes.io/part-of: immich
|
||||||
|
generatorOptions:
|
||||||
|
disableNameSuffixHash: true
|
||||||
|
annotations:
|
||||||
|
kustomize.toolkit.fluxcd.io/substitute: disabled
|
|
@ -0,0 +1,82 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: immich-machine-learning
|
||||||
|
spec:
|
||||||
|
interval: 15m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: app-template
|
||||||
|
version: 3.1.0
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: bjw-s
|
||||||
|
namespace: flux-system
|
||||||
|
interval: 15m
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
strategy: rollback
|
||||||
|
values:
|
||||||
|
controllers:
|
||||||
|
immich-machine-learning:
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
strategy: Recreate
|
||||||
|
pod:
|
||||||
|
nodeSelector:
|
||||||
|
nvidia.com/gpu.present: "true"
|
||||||
|
runtimeClassName: nvidia
|
||||||
|
containers:
|
||||||
|
app:
|
||||||
|
image:
|
||||||
|
repository: ghcr.io/immich-app/immich-machine-learning
|
||||||
|
tag: v1.105.1
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 15m
|
||||||
|
memory: 250Mi
|
||||||
|
limits:
|
||||||
|
memory: 4000Mi
|
||||||
|
probes:
|
||||||
|
startup:
|
||||||
|
enabled: true
|
||||||
|
spec:
|
||||||
|
failureThreshold: 30
|
||||||
|
periodSeconds: 5
|
||||||
|
liveness:
|
||||||
|
enabled: true
|
||||||
|
readiness:
|
||||||
|
enabled: true
|
||||||
|
envFrom:
|
||||||
|
- configMapRef:
|
||||||
|
name: immich-app-config
|
||||||
|
env:
|
||||||
|
DB_URL:
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: immich-secret
|
||||||
|
key: DATABASE_URI
|
||||||
|
service:
|
||||||
|
app:
|
||||||
|
controller: immich-machine-learning
|
||||||
|
ports:
|
||||||
|
http:
|
||||||
|
port: 3003
|
||||||
|
persistence:
|
||||||
|
media:
|
||||||
|
enabled: true
|
||||||
|
type: nfs
|
||||||
|
server: 10.1.1.13
|
||||||
|
path: /eru/media/immich
|
||||||
|
globalMounts:
|
||||||
|
- path: /usr/src/app/upload
|
||||||
|
cache:
|
||||||
|
enabled: true
|
||||||
|
type: emptyDir
|
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
labels:
|
||||||
|
- pairs:
|
||||||
|
app.kubernetes.io/name: immich-machine-learning
|
||||||
|
app.kubernetes.io/instance: immich-machine-learning
|
||||||
|
app.kubernetes.io/part-of: immich
|
||||||
|
resources:
|
||||||
|
- ./helmrelease.yaml
|
|
@ -0,0 +1,80 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: immich-microservices
|
||||||
|
spec:
|
||||||
|
interval: 15m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: app-template
|
||||||
|
version: 3.1.0
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: bjw-s
|
||||||
|
namespace: flux-system
|
||||||
|
interval: 15m
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
strategy: rollback
|
||||||
|
values:
|
||||||
|
controllers:
|
||||||
|
immich-microservices:
|
||||||
|
strategy: Recreate
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
pod:
|
||||||
|
nodeSelector:
|
||||||
|
nvidia.com/gpu.present: "true"
|
||||||
|
runtimeClassName: nvidia
|
||||||
|
containers:
|
||||||
|
app:
|
||||||
|
image:
|
||||||
|
repository: ghcr.io/immich-app/immich-server
|
||||||
|
tag: v1.105.1
|
||||||
|
command: /bin/sh
|
||||||
|
args:
|
||||||
|
- ./start-microservices.sh
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 250Mi
|
||||||
|
limits:
|
||||||
|
memory: 4000Mi
|
||||||
|
probes:
|
||||||
|
startup:
|
||||||
|
enabled: true
|
||||||
|
spec:
|
||||||
|
failureThreshold: 30
|
||||||
|
periodSeconds: 5
|
||||||
|
liveness:
|
||||||
|
enabled: true
|
||||||
|
readiness:
|
||||||
|
enabled: true
|
||||||
|
envFrom:
|
||||||
|
- configMapRef:
|
||||||
|
name: immich-app-config
|
||||||
|
env:
|
||||||
|
DB_URL:
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: immich-secret
|
||||||
|
key: DATABASE_URI
|
||||||
|
service:
|
||||||
|
app:
|
||||||
|
controller: immich-microservices
|
||||||
|
enabled: false
|
||||||
|
persistence:
|
||||||
|
media:
|
||||||
|
enabled: true
|
||||||
|
type: nfs
|
||||||
|
server: 10.1.1.13
|
||||||
|
path: /eru/media/immich
|
||||||
|
globalMounts:
|
||||||
|
- path: /usr/src/app/upload
|
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
labels:
|
||||||
|
- pairs:
|
||||||
|
app.kubernetes.io/name: immich-microservices
|
||||||
|
app.kubernetes.io/instance: immich-microservices
|
||||||
|
app.kubernetes.io/part-of: immich
|
||||||
|
resources:
|
||||||
|
- ./helmrelease.yaml
|
94
.archive/kubernetes/media/immich/app/postgresCluster.yaml
Normal file
94
.archive/kubernetes/media/immich/app/postgresCluster.yaml
Normal file
|
@ -0,0 +1,94 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json
|
||||||
|
apiVersion: postgres-operator.crunchydata.com/v1beta1
|
||||||
|
kind: PostgresCluster
|
||||||
|
metadata:
|
||||||
|
name: &name "${APP}"
|
||||||
|
spec:
|
||||||
|
postgresVersion: 16
|
||||||
|
dataSource:
|
||||||
|
pgbackrest:
|
||||||
|
stanza: db
|
||||||
|
configuration:
|
||||||
|
- secret:
|
||||||
|
name: pgo-s3-creds
|
||||||
|
global:
|
||||||
|
repo1-path: "/${APP}/repo1"
|
||||||
|
repo1-s3-uri-style: path
|
||||||
|
repo:
|
||||||
|
name: repo1
|
||||||
|
s3:
|
||||||
|
bucket: "crunchy-postgres"
|
||||||
|
endpoint: "s3.hsn.dev"
|
||||||
|
region: "us-east-1"
|
||||||
|
monitoring:
|
||||||
|
pgmonitor:
|
||||||
|
exporter:
|
||||||
|
# https://github.com/CrunchyData/postgres-operator-examples/blob/main/helm/install/values.yaml
|
||||||
|
image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-0.15.0-3
|
||||||
|
patroni:
|
||||||
|
dynamicConfiguration:
|
||||||
|
synchronous_mode: true
|
||||||
|
postgresql:
|
||||||
|
synchronous_commit: "on"
|
||||||
|
pg_hba:
|
||||||
|
- hostnossl all all 10.244.0.0/16 md5
|
||||||
|
- hostssl all all all md5
|
||||||
|
databaseInitSQL:
|
||||||
|
name: immich-databse-init-sql
|
||||||
|
key: init.sql
|
||||||
|
instances:
|
||||||
|
- name: postgres
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: pgo-${APP}
|
||||||
|
replicas: 1
|
||||||
|
dataVolumeClaimSpec:
|
||||||
|
storageClassName: openebs-zfs
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 5Gi
|
||||||
|
topologySpreadConstraints:
|
||||||
|
- maxSkew: 1
|
||||||
|
topologyKey: "kubernetes.io/hostname"
|
||||||
|
whenUnsatisfiable: "DoNotSchedule"
|
||||||
|
labelSelector:
|
||||||
|
matchLabels:
|
||||||
|
postgres-operator.crunchydata.com/cluster: ${APP}
|
||||||
|
postgres-operator.crunchydata.com/data: postgres
|
||||||
|
users:
|
||||||
|
- name: "immich"
|
||||||
|
databases:
|
||||||
|
- "immich"
|
||||||
|
options: "SUPERUSER"
|
||||||
|
password:
|
||||||
|
type: AlphaNumeric
|
||||||
|
backups:
|
||||||
|
pgbackrest:
|
||||||
|
configuration:
|
||||||
|
- secret:
|
||||||
|
name: pgo-s3-creds
|
||||||
|
global:
|
||||||
|
archive-push-queue-max: 4GiB
|
||||||
|
repo1-retention-full: "14"
|
||||||
|
repo1-retention-full-type: time
|
||||||
|
repo1-path: "/${APP}/repo1"
|
||||||
|
repo1-s3-uri-style: path
|
||||||
|
manual:
|
||||||
|
repoName: repo1
|
||||||
|
options:
|
||||||
|
- --type=full
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: pgo-${APP}-backup
|
||||||
|
repos:
|
||||||
|
- name: repo1
|
||||||
|
schedules:
|
||||||
|
full: "0 1 * * 0"
|
||||||
|
differential: "0 1 * * 1-6"
|
||||||
|
s3:
|
||||||
|
bucket: "crunchy-postgres"
|
||||||
|
endpoint: "s3.hsn.dev"
|
||||||
|
region: "us-east-1"
|
40
.archive/kubernetes/media/immich/app/pushsecret.yaml
Normal file
40
.archive/kubernetes/media/immich/app/pushsecret.yaml
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
|
||||||
|
apiVersion: external-secrets.io/v1alpha1
|
||||||
|
kind: PushSecret
|
||||||
|
metadata:
|
||||||
|
name: immich
|
||||||
|
spec:
|
||||||
|
refreshInterval: 1h
|
||||||
|
secretStoreRefs:
|
||||||
|
- name: onepassword-connect
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
selector:
|
||||||
|
secret:
|
||||||
|
name: immich-pguser-immich
|
||||||
|
data:
|
||||||
|
- match:
|
||||||
|
secretKey: dbname
|
||||||
|
remoteRef:
|
||||||
|
remoteKey: immich
|
||||||
|
property: DATABASE_NAME
|
||||||
|
- match:
|
||||||
|
secretKey: host
|
||||||
|
remoteRef:
|
||||||
|
remoteKey: immich
|
||||||
|
property: DATABASE_HOST
|
||||||
|
- match:
|
||||||
|
secretKey: user
|
||||||
|
remoteRef:
|
||||||
|
remoteKey: immich
|
||||||
|
property: DATABASE_USER
|
||||||
|
- match:
|
||||||
|
secretKey: password
|
||||||
|
remoteRef:
|
||||||
|
remoteKey: immich
|
||||||
|
property: DATABASE_PASSWORD
|
||||||
|
- match:
|
||||||
|
secretKey: port
|
||||||
|
remoteRef:
|
||||||
|
remoteKey: immich
|
||||||
|
property: DATABASE_PORT
|
4
.archive/kubernetes/media/immich/app/resources/init.sql
Normal file
4
.archive/kubernetes/media/immich/app/resources/init.sql
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
\c immich\\
|
||||||
|
CREATE EXTENSION vector;
|
||||||
|
CREATE EXTENSION cube;
|
||||||
|
CREATE EXTENSION earthdistance;
|
20
.archive/kubernetes/media/immich/app/service.yaml
Normal file
20
.archive/kubernetes/media/immich/app/service.yaml
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
postgres-operator.crunchydata.com/cluster: immich
|
||||||
|
postgres-operator.crunchydata.com/role: primary
|
||||||
|
name: immich-primary-real
|
||||||
|
namespace: media
|
||||||
|
spec:
|
||||||
|
internalTrafficPolicy: Cluster
|
||||||
|
ports:
|
||||||
|
- name: postgres
|
||||||
|
port: 5432
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: postgres
|
||||||
|
selector:
|
||||||
|
postgres-operator.crunchydata.com/cluster: immich
|
||||||
|
postgres-operator.crunchydata.com/role: master
|
||||||
|
type: ClusterIP
|
30
.archive/kubernetes/media/immich/ks.yaml
Normal file
30
.archive/kubernetes/media/immich/ks.yaml
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: &app immich
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
targetNamespace: media
|
||||||
|
commonMetadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: *app
|
||||||
|
dependsOn:
|
||||||
|
- name: crunchy-postgres-operator
|
||||||
|
- name: external-secrets-stores
|
||||||
|
- name: dragonfly
|
||||||
|
path: ./kubernetes/apps/media/immich/app
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: homelab
|
||||||
|
wait: false
|
||||||
|
interval: 30m
|
||||||
|
retryInterval: 1m
|
||||||
|
timeout: 5m
|
||||||
|
postBuild:
|
||||||
|
substitute:
|
||||||
|
APP: *app
|
||||||
|
DB_NAME: immich
|
||||||
|
DB_USER: immich
|
9
.archive/kubernetes/media/kustomization.yaml
Normal file
9
.archive/kubernetes/media/kustomization.yaml
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
# Pre Flux-Kustomizations
|
||||||
|
- ./namespace.yaml
|
||||||
|
# Flux-Kustomizations
|
||||||
|
- ./immich/ks.yaml
|
9
.archive/kubernetes/media/namespace.yaml
Normal file
9
.archive/kubernetes/media/namespace.yaml
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: media
|
||||||
|
labels:
|
||||||
|
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||||
|
volsync.backube/privileged-movers: "true"
|
||||||
|
pgo-enabled-hsn.dev: "true"
|
|
@ -0,0 +1,58 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: alertmanager-silencer
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: app-template
|
||||||
|
version: 3.3.0
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: bjw-s
|
||||||
|
namespace: flux-system
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
strategy: rollback
|
||||||
|
dependsOn:
|
||||||
|
- name: kube-prometheus-stack
|
||||||
|
namespace: observability
|
||||||
|
values:
|
||||||
|
controllers:
|
||||||
|
alertmanager-silencer:
|
||||||
|
type: cronjob
|
||||||
|
cronjob:
|
||||||
|
schedule: "@daily"
|
||||||
|
containers:
|
||||||
|
app:
|
||||||
|
image:
|
||||||
|
repository: ghcr.io/onedr0p/kubanetics
|
||||||
|
tag: 2024.7.1@sha256:020ec6f00b9cdc0ee247d2fd34d3951ac32718326bb90c38e947eed9d555de6c
|
||||||
|
env:
|
||||||
|
SCRIPT_NAME: alertmanager-silencer.sh
|
||||||
|
ALERTMANAGER_URL: http://alertmanager-operated.observability.svc.cluster.local:9093
|
||||||
|
MATCHERS_0: alertname=NodeCPUHighUsage job=node-exporter
|
||||||
|
MATCHERS_1: alertname=CPUThrottlingHigh container=gc
|
||||||
|
MATCHERS_2: alertname=CPUThrottlingHigh container=worker
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
capabilities: { drop: ["ALL"] }
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 25m
|
||||||
|
limits:
|
||||||
|
memory: 128Mi
|
||||||
|
pod:
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 568
|
||||||
|
runAsGroup: 568
|
||||||
|
runAsNonRoot: true
|
|
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: &app alertmanager-silencer
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
targetNamespace: observability
|
||||||
|
commonMetadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: *app
|
||||||
|
path: ./kubernetes/apps/observability/alertmanager-silencer/app
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: homelab
|
||||||
|
wait: false
|
||||||
|
interval: 30m
|
||||||
|
retryInterval: 1m
|
||||||
|
timeout: 5m
|
|
@ -0,0 +1,61 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||||
|
apiVersion: external-secrets.io/v1beta1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: grafana-secret
|
||||||
|
namespace: observability
|
||||||
|
spec:
|
||||||
|
secretStoreRef:
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
name: onepassword-connect
|
||||||
|
target:
|
||||||
|
name: grafana-secret
|
||||||
|
creationPolicy: Owner
|
||||||
|
template:
|
||||||
|
engineVersion: v2
|
||||||
|
data:
|
||||||
|
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .authentik_grafana_oauth_client_secret }}"
|
||||||
|
GF_DATE_FORMATS_USE_BROWSER_LOCALE: "true"
|
||||||
|
GF_SERVER_ROOT_URL: https://grafana.hsn.dev
|
||||||
|
GF_DATABASE_NAME: "{{ .grafana_GF_DATABASE_NAME }}"
|
||||||
|
GF_DATABASE_HOST: "postgres-primary-real.database.svc"
|
||||||
|
GF_DATABASE_USER: "{{ .grafana_GF_DATABASE_USER }}"
|
||||||
|
GF_DATABASE_PASSWORD: "{{ .grafana_GF_DATABASE_PASSWORD }}"
|
||||||
|
GF_DATABASE_SSL_MODE: "require"
|
||||||
|
GF_DATABASE_TYPE: postgres
|
||||||
|
GF_ANALYTICS_CHECK_FOR_UPDATES: "false"
|
||||||
|
GF_ANALYTICS_CHECK_FOR_PLUGIN_UPDATES: "false"
|
||||||
|
GF_ANALYTICS_REPORTING_ENABLED: "false"
|
||||||
|
GF_AUTH_ANONYMOUS_ENABLED: "false"
|
||||||
|
GF_AUTH_BASIC_ENABLED: "false"
|
||||||
|
GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
|
||||||
|
GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.hsn.dev/application/o/userinfo/
|
||||||
|
GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.hsn.dev/application/o/authorize/
|
||||||
|
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.hsn.dev/application/o/token/
|
||||||
|
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: CoV7ae1HxuNzwCbVPf3U7TfYMX2rVqC5T9RAUo5M
|
||||||
|
GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES: "false"
|
||||||
|
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
|
||||||
|
GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email groups
|
||||||
|
GF_AUTH_OAUTH_AUTO_LOGIN: "true"
|
||||||
|
GF_EXPLORE_ENABLED: "true"
|
||||||
|
GF_FEATURE_TOGGLES_ENABLE: publicDashboards
|
||||||
|
GF_LOG_MODE: console
|
||||||
|
GF_NEWS_NEWS_FEED_ENABLED: "false"
|
||||||
|
GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel
|
||||||
|
GF_SECURITY_COOKIE_SAMESITE: grafana
|
||||||
|
GF_SECURITY_ANGULAR_SUPPORT_ENABLED: "true"
|
||||||
|
|
||||||
|
dataFrom:
|
||||||
|
- extract:
|
||||||
|
key: Authentik
|
||||||
|
rewrite:
|
||||||
|
- regexp:
|
||||||
|
source: "(.*)"
|
||||||
|
target: "authentik_$1"
|
||||||
|
- extract:
|
||||||
|
key: grafana
|
||||||
|
rewrite:
|
||||||
|
- regexp:
|
||||||
|
source: "(.*)"
|
||||||
|
target: "grafana_$1"
|
401
.archive/kubernetes/observability/grafana/app/helmrelease.yaml
Normal file
401
.archive/kubernetes/observability/grafana/app/helmrelease.yaml
Normal file
|
@ -0,0 +1,401 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: grafana
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: grafana
|
||||||
|
version: 8.3.7
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: grafana
|
||||||
|
namespace: flux-system
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
uninstall:
|
||||||
|
keepHistory: false
|
||||||
|
dependsOn:
|
||||||
|
- name: kube-prometheus-stack
|
||||||
|
namespace: observability
|
||||||
|
- name: loki
|
||||||
|
namespace: observability
|
||||||
|
values:
|
||||||
|
replicas: 1
|
||||||
|
envFromSecret: grafana-secret
|
||||||
|
dashboardProviders:
|
||||||
|
dashboardproviders.yaml:
|
||||||
|
apiVersion: 1
|
||||||
|
providers:
|
||||||
|
- name: default
|
||||||
|
orgId: 1
|
||||||
|
folder: ""
|
||||||
|
type: file
|
||||||
|
disableDeletion: false
|
||||||
|
editable: true
|
||||||
|
options:
|
||||||
|
path: /var/lib/grafana/dashboards/default-folder
|
||||||
|
- name: ceph
|
||||||
|
orgId: 1
|
||||||
|
folder: Ceph
|
||||||
|
type: file
|
||||||
|
disableDeletion: false
|
||||||
|
editable: true
|
||||||
|
options:
|
||||||
|
path: /var/lib/grafana/dashboards/ceph-folder
|
||||||
|
- name: crunchy-postgres
|
||||||
|
orgId: 1
|
||||||
|
folder: Crunchy-postgres
|
||||||
|
type: file
|
||||||
|
disableDeletion: false
|
||||||
|
editable: true
|
||||||
|
options:
|
||||||
|
path: /var/lib/grafana/dashboards/crunchy-postgres-folder
|
||||||
|
- name: flux
|
||||||
|
orgId: 1
|
||||||
|
folder: Flux
|
||||||
|
type: file
|
||||||
|
disableDeletion: false
|
||||||
|
editable: true
|
||||||
|
options:
|
||||||
|
path: /var/lib/grafana/dashboards/flux-folder
|
||||||
|
- name: kubernetes
|
||||||
|
orgId: 1
|
||||||
|
folder: Kubernetes
|
||||||
|
type: file
|
||||||
|
disableDeletion: false
|
||||||
|
editable: true
|
||||||
|
options:
|
||||||
|
path: /var/lib/grafana/dashboards/kubernetes-folder
|
||||||
|
- name: nginx
|
||||||
|
orgId: 1
|
||||||
|
folder: Nginx
|
||||||
|
type: file
|
||||||
|
disableDeletion: false
|
||||||
|
editable: true
|
||||||
|
options:
|
||||||
|
path: /var/lib/grafana/dashboards/nginx-folder
|
||||||
|
- name: prometheus
|
||||||
|
orgId: 1
|
||||||
|
folder: Prometheus
|
||||||
|
type: file
|
||||||
|
disableDeletion: false
|
||||||
|
editable: true
|
||||||
|
options:
|
||||||
|
path: /var/lib/grafana/dashboards/prometheus-folder
|
||||||
|
- name: thanos
|
||||||
|
orgId: 1
|
||||||
|
folder: Thanos
|
||||||
|
type: file
|
||||||
|
disableDeletion: false
|
||||||
|
editable: true
|
||||||
|
options:
|
||||||
|
path: /var/lib/grafana/dashboards/thanos-folder
|
||||||
|
- name: unifi
|
||||||
|
orgId: 1
|
||||||
|
folder: Unifi
|
||||||
|
type: file
|
||||||
|
disableDeletion: false
|
||||||
|
editable: true
|
||||||
|
options:
|
||||||
|
path: /var/lib/grafana/dashboards/unifi-folder
|
||||||
|
datasources:
|
||||||
|
datasources.yaml:
|
||||||
|
apiVersion: 1
|
||||||
|
deleteDatasources:
|
||||||
|
- { name: Alertmanager, orgId: 1 }
|
||||||
|
- { name: Loki, orgId: 1 }
|
||||||
|
- { name: Prometheus, orgId: 1 }
|
||||||
|
datasources:
|
||||||
|
- name: Prometheus
|
||||||
|
type: prometheus
|
||||||
|
uid: prometheus
|
||||||
|
access: proxy
|
||||||
|
url: http://thanos-query-frontend.observability.svc.cluster.local:10902
|
||||||
|
jsonData:
|
||||||
|
prometheusType: Thanos
|
||||||
|
timeInterval: 1m
|
||||||
|
isDefault: true
|
||||||
|
- name: Loki
|
||||||
|
type: loki
|
||||||
|
uid: loki
|
||||||
|
access: proxy
|
||||||
|
url: http://loki-gateway.observability.svc.cluster.local
|
||||||
|
jsonData:
|
||||||
|
maxLines: 250
|
||||||
|
- name: Alertmanager
|
||||||
|
type: alertmanager
|
||||||
|
uid: alertmanager
|
||||||
|
access: proxy
|
||||||
|
url: http://alertmanager-operated.observability.svc.cluster.local:9093
|
||||||
|
jsonData:
|
||||||
|
implementation: prometheus
|
||||||
|
dashboards:
|
||||||
|
default:
|
||||||
|
cloudflared:
|
||||||
|
# renovate: depName="Cloudflare Tunnels (cloudflared)"
|
||||||
|
gnetId: 17457
|
||||||
|
revision: 6
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
external-dns:
|
||||||
|
# renovate: depName="External-dns"
|
||||||
|
gnetId: 15038
|
||||||
|
revision: 3
|
||||||
|
datasource: Prometheus
|
||||||
|
minio:
|
||||||
|
# renovate: depName="MinIO Dashboard"
|
||||||
|
gnetId: 13502
|
||||||
|
revision: 25
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
node-exporter-full:
|
||||||
|
# renovate: depName="Node Exporter Full"
|
||||||
|
gnetId: 1860
|
||||||
|
revision: 33
|
||||||
|
datasource: Prometheus
|
||||||
|
postgres:
|
||||||
|
# renovate: depName="PostgreSQL Database"
|
||||||
|
gnetId: 9628
|
||||||
|
revision: 7
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
smartctl-exporter:
|
||||||
|
# renovate: depName="smartctl_exporter"
|
||||||
|
gnetId: 20204
|
||||||
|
revision: 1
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
spegel:
|
||||||
|
# renovate: depName="Spegel"
|
||||||
|
gnetId: 18089
|
||||||
|
revision: 1
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
unpackerr:
|
||||||
|
# renovate: depName="Unpackerr"
|
||||||
|
gnetId: 18817
|
||||||
|
revision: 1
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
zfs:
|
||||||
|
# renovate: depName="ZFS"
|
||||||
|
gnetId: 7845
|
||||||
|
revision: 4
|
||||||
|
datasource: Prometheus
|
||||||
|
dragonflydb:
|
||||||
|
url: https://raw.githubusercontent.com/dragonflydb/dragonfly/main/tools/local/monitoring/grafana/provisioning/dashboards/dashboard.json
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
cert-manager:
|
||||||
|
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json
|
||||||
|
datasource: Prometheus
|
||||||
|
external-secrets:
|
||||||
|
url: https://raw.githubusercontent.com/external-secrets/external-secrets/main/docs/snippets/dashboard.json
|
||||||
|
datasource: Prometheus
|
||||||
|
node-feature-discovery:
|
||||||
|
url: https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/examples/grafana-dashboard.json
|
||||||
|
datasource: Prometheus
|
||||||
|
crunchy-postgres:
|
||||||
|
pgbackrest:
|
||||||
|
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/pgbackrest.json
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
pods:
|
||||||
|
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/pod_details.json
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
postgresql:
|
||||||
|
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/postgresql_details.json
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
postgresql-overview:
|
||||||
|
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/postgresql_overview.json
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
postgresql-health:
|
||||||
|
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/postgresql_service_health.json
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
postgresql-alerts:
|
||||||
|
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/prometheus_alerts.json
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
query-stats:
|
||||||
|
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/query_statistics.json
|
||||||
|
datasource:
|
||||||
|
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||||
|
ceph:
|
||||||
|
ceph-cluster:
|
||||||
|
# renovate: depName="Ceph Cluster"
|
||||||
|
gnetId: 2842
|
||||||
|
revision: 17
|
||||||
|
datasource: Prometheus
|
||||||
|
ceph-osd:
|
||||||
|
# renovate: depName="Ceph - OSD (Single)"
|
||||||
|
gnetId: 5336
|
||||||
|
revision: 9
|
||||||
|
datasource: Prometheus
|
||||||
|
ceph-pools:
|
||||||
|
# renovate: depName="Ceph - Pools"
|
||||||
|
gnetId: 5342
|
||||||
|
revision: 9
|
||||||
|
datasource: Prometheus
|
||||||
|
flux:
|
||||||
|
flux-cluster:
|
||||||
|
url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/cluster.json
|
||||||
|
datasource: Prometheus
|
||||||
|
flux-control-plane:
|
||||||
|
url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/control-plane.json
|
||||||
|
datasource: Prometheus
|
||||||
|
kubernetes:
|
||||||
|
kubernetes-api-server:
|
||||||
|
# renovate: depName="Kubernetes / System / API Server"
|
||||||
|
gnetId: 15761
|
||||||
|
revision: 16
|
||||||
|
datasource: Prometheus
|
||||||
|
kubernetes-coredns:
|
||||||
|
# renovate: depName="Kubernetes / System / CoreDNS"
|
||||||
|
gnetId: 15762
|
||||||
|
revision: 17
|
||||||
|
datasource: Prometheus
|
||||||
|
kubernetes-global:
|
||||||
|
# renovate: depName="Kubernetes / Views / Global"
|
||||||
|
gnetId: 15757
|
||||||
|
revision: 37
|
||||||
|
datasource: Prometheus
|
||||||
|
kubernetes-namespaces:
|
||||||
|
# renovate: depName="Kubernetes / Views / Namespaces"
|
||||||
|
gnetId: 15758
|
||||||
|
revision: 34
|
||||||
|
datasource: Prometheus
|
||||||
|
kubernetes-nodes:
|
||||||
|
# renovate: depName="Kubernetes / Views / Nodes"
|
||||||
|
gnetId: 15759
|
||||||
|
revision: 29
|
||||||
|
datasource: Prometheus
|
||||||
|
kubernetes-pods:
|
||||||
|
# renovate: depName="Kubernetes / Views / Pods"
|
||||||
|
gNetId: 15760
|
||||||
|
revision: 21
|
||||||
|
datasource: Prometheus
|
||||||
|
kubernetes-volumes:
|
||||||
|
# renovate: depName="K8s / Storage / Volumes / Cluster"
|
||||||
|
gnetId: 11454
|
||||||
|
revision: 14
|
||||||
|
datasource: Prometheus
|
||||||
|
nginx:
|
||||||
|
nginx:
|
||||||
|
url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json
|
||||||
|
datasource: Prometheus
|
||||||
|
nginx-request-handling-performance:
|
||||||
|
url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json
|
||||||
|
datasource: Prometheus
|
||||||
|
prometheus:
|
||||||
|
prometheus:
|
||||||
|
# renovate: depName="Prometheus"
|
||||||
|
gnetId: 19105
|
||||||
|
revision: 3
|
||||||
|
datasource: Prometheus
|
||||||
|
thanos:
|
||||||
|
thanos-bucket-replicate:
|
||||||
|
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/bucket-replicate.json
|
||||||
|
datasource: Prometheus
|
||||||
|
thanos-compact:
|
||||||
|
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/compact.json
|
||||||
|
datasource: Prometheus
|
||||||
|
thanos-overview:
|
||||||
|
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/overview.json
|
||||||
|
datasource: Prometheus
|
||||||
|
thanos-query:
|
||||||
|
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query.json
|
||||||
|
datasource: Prometheus
|
||||||
|
thanos-query-frontend:
|
||||||
|
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query-frontend.json
|
||||||
|
datasource: Prometheus
|
||||||
|
thanos-receieve:
|
||||||
|
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/receive.json
|
||||||
|
datasource: Prometheus
|
||||||
|
thanos-rule:
|
||||||
|
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/rule.json
|
||||||
|
datasource: Prometheus
|
||||||
|
thanos-sidecar:
|
||||||
|
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/sidecar.json
|
||||||
|
datasource: Prometheus
|
||||||
|
thanos-store:
|
||||||
|
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/store.json
|
||||||
|
datasource: Prometheus
|
||||||
|
unifi:
|
||||||
|
unifi-insights:
|
||||||
|
# renovate: depName="UniFi-Poller: Client Insights - Prometheus"
|
||||||
|
gnetId: 11315
|
||||||
|
revision: 9
|
||||||
|
datasource: Prometheus
|
||||||
|
unifi-network-sites:
|
||||||
|
# renovate: depName="UniFi-Poller: Network Sites - Prometheus"
|
||||||
|
gnetId: 11311
|
||||||
|
revision: 5
|
||||||
|
datasource: Prometheus
|
||||||
|
unifi-uap:
|
||||||
|
# renovate: depName="UniFi-Poller: UAP Insights - Prometheus"
|
||||||
|
gnetId: 11314
|
||||||
|
revision: 10
|
||||||
|
datasource: Prometheus
|
||||||
|
unifi-usw:
|
||||||
|
# renovate: depName="UniFi-Poller: USW Insights - Prometheus"
|
||||||
|
gnetId: 11312
|
||||||
|
revision: 9
|
||||||
|
datasource: Prometheus
|
||||||
|
sidecar:
|
||||||
|
dashboards:
|
||||||
|
enabled: true
|
||||||
|
searchNamespace: ALL
|
||||||
|
labelValue: ""
|
||||||
|
label: grafana_dashboard
|
||||||
|
folderAnnotation: grafana_folder
|
||||||
|
provider:
|
||||||
|
disableDelete: true
|
||||||
|
foldersFromFilesStructure: true
|
||||||
|
datasources:
|
||||||
|
enabled: true
|
||||||
|
searchNamespace: ALL
|
||||||
|
labelValue: ""
|
||||||
|
plugins:
|
||||||
|
- grafana-clock-panel
|
||||||
|
- grafana-piechart-panel
|
||||||
|
- grafana-worldmap-panel
|
||||||
|
- natel-discrete-panel
|
||||||
|
- pr0ps-trackmap-panel
|
||||||
|
- vonage-status-panel
|
||||||
|
serviceMonitor:
|
||||||
|
enabled: true
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
ingressClassName: external-nginx
|
||||||
|
annotations:
|
||||||
|
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
|
||||||
|
external-dns.alpha.kubernetes.io/target: external.hsn.dev
|
||||||
|
hosts:
|
||||||
|
- &host grafana.hsn.dev
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- *host
|
||||||
|
persistence:
|
||||||
|
enabled: false
|
||||||
|
testFramework:
|
||||||
|
enabled: false
|
||||||
|
topologySpreadConstraints:
|
||||||
|
- maxSkew: 1
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
whenUnsatisfiable: DoNotSchedule
|
||||||
|
labelSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: grafana
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./externalsecret.yaml
|
||||||
|
- ./helmrelease.yaml
|
29
.archive/kubernetes/observability/grafana/ks.yaml
Normal file
29
.archive/kubernetes/observability/grafana/ks.yaml
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: &app grafana
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
targetNamespace: observability
|
||||||
|
commonMetadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: *app
|
||||||
|
dependsOn:
|
||||||
|
- name: crunchy-postgres-operator
|
||||||
|
- name: external-secrets-stores
|
||||||
|
path: ./kubernetes/apps/observability/grafana/app
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: homelab
|
||||||
|
wait: false
|
||||||
|
interval: 30m
|
||||||
|
retryInterval: 1m
|
||||||
|
timeout: 5m
|
||||||
|
postBuild:
|
||||||
|
substitute:
|
||||||
|
APP: *app
|
||||||
|
DB_NAME: grafana
|
||||||
|
DB_USER: grafana
|
|
@ -0,0 +1,22 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||||
|
apiVersion: external-secrets.io/v1beta1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: alertmanager
|
||||||
|
spec:
|
||||||
|
refreshInterval: 5m
|
||||||
|
secretStoreRef:
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
name: onepassword-connect
|
||||||
|
target:
|
||||||
|
name: alertmanager-secret
|
||||||
|
template:
|
||||||
|
templateFrom:
|
||||||
|
- configMap:
|
||||||
|
name: alertmanager-config-tpl
|
||||||
|
items:
|
||||||
|
- key: alertmanager.yaml
|
||||||
|
dataFrom:
|
||||||
|
- extract:
|
||||||
|
key: pushover
|
|
@ -0,0 +1,190 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: kube-prometheus-stack
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
timeout: 15m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: kube-prometheus-stack
|
||||||
|
version: 61.6.0
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: prometheus-community
|
||||||
|
namespace: flux-system
|
||||||
|
install:
|
||||||
|
crds: CreateReplace
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
crds: CreateReplace
|
||||||
|
remediation:
|
||||||
|
strategy: rollback
|
||||||
|
retries: 3
|
||||||
|
values:
|
||||||
|
crds:
|
||||||
|
enabled: true
|
||||||
|
cleanPrometheusOperatorObjectNames: true
|
||||||
|
alertmanager:
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
pathType: Prefix
|
||||||
|
ingressClassName: internal-nginx
|
||||||
|
hosts:
|
||||||
|
- &host alertmanager.jahanson.tech
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- *host
|
||||||
|
alertmanagerSpec:
|
||||||
|
replicas: 1
|
||||||
|
useExistingSecret: true
|
||||||
|
configSecret: alertmanager-secret
|
||||||
|
storage:
|
||||||
|
volumeClaimTemplate:
|
||||||
|
spec:
|
||||||
|
storageClassName: openebs-hostpath
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 1Gi
|
||||||
|
kubelet:
|
||||||
|
enabled: true
|
||||||
|
serviceMonitor:
|
||||||
|
metricRelabelings:
|
||||||
|
# Drop high cardinality labels
|
||||||
|
- action: labeldrop
|
||||||
|
regex: (uid)
|
||||||
|
- action: labeldrop
|
||||||
|
regex: (id|name)
|
||||||
|
- action: drop
|
||||||
|
sourceLabels: ["__name__"]
|
||||||
|
regex: (rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count)
|
||||||
|
kubeApiServer:
|
||||||
|
enabled: true
|
||||||
|
serviceMonitor:
|
||||||
|
metricRelabelings:
|
||||||
|
# Drop high cardinality labels
|
||||||
|
- action: drop
|
||||||
|
sourceLabels: ["__name__"]
|
||||||
|
regex: (apiserver|etcd|rest_client)_request(|_sli|_slo)_duration_seconds_bucket
|
||||||
|
- action: drop
|
||||||
|
sourceLabels: ["__name__"]
|
||||||
|
regex: (apiserver_response_sizes_bucket|apiserver_watch_events_sizes_bucket)
|
||||||
|
kubeControllerManager:
|
||||||
|
enabled: true
|
||||||
|
endpoints: &cp
|
||||||
|
- 10.1.1.61
|
||||||
|
kubeEtcd:
|
||||||
|
enabled: true
|
||||||
|
endpoints: *cp
|
||||||
|
kubeScheduler:
|
||||||
|
enabled: true
|
||||||
|
endpoints: *cp
|
||||||
|
kubeProxy:
|
||||||
|
enabled: false
|
||||||
|
prometheus:
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
ingressClassName: internal-nginx
|
||||||
|
pathType: Prefix
|
||||||
|
hosts:
|
||||||
|
- &host prometheus.jahanson.tech
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- *host
|
||||||
|
thanosService:
|
||||||
|
enabled: true
|
||||||
|
thanosServiceMonitor:
|
||||||
|
enabled: true
|
||||||
|
# thanosServiceExternal:
|
||||||
|
# enabled: true
|
||||||
|
# type: LoadBalancer
|
||||||
|
# annotations:
|
||||||
|
# external-dns.alpha.kubernetes.io/hostname: thanos.jahanson.tech
|
||||||
|
# io.cilium/lb-ipam-ips: 10.45.0.6
|
||||||
|
# externalTrafficPolicy: Cluster
|
||||||
|
prometheusSpec:
|
||||||
|
podMetadata:
|
||||||
|
annotations:
|
||||||
|
secret.reloader.stakater.com/reload: &secret thanos-objstore-config
|
||||||
|
replicas: 1
|
||||||
|
replicaExternalLabelName: __replica__
|
||||||
|
scrapeInterval: 1m # Must match interval in Grafana Helm chart
|
||||||
|
ruleSelectorNilUsesHelmValues: false
|
||||||
|
serviceMonitorSelectorNilUsesHelmValues: false
|
||||||
|
podMonitorSelectorNilUsesHelmValues: false
|
||||||
|
probeSelectorNilUsesHelmValues: false
|
||||||
|
scrapeConfigSelectorNilUsesHelmValues: false
|
||||||
|
enableAdminAPI: true
|
||||||
|
walCompression: true
|
||||||
|
enableFeatures:
|
||||||
|
- auto-gomemlimit
|
||||||
|
- memory-snapshot-on-shutdown
|
||||||
|
- new-service-discovery-manager
|
||||||
|
image:
|
||||||
|
registry: quay.io
|
||||||
|
repository: prometheus/prometheus
|
||||||
|
tag: v2.51.0-dedupelabels
|
||||||
|
thanos:
|
||||||
|
image: quay.io/thanos/thanos:${THANOS_VERSION}
|
||||||
|
version: "${THANOS_VERSION#v}"
|
||||||
|
objectStorageConfig:
|
||||||
|
existingSecret:
|
||||||
|
name: *secret
|
||||||
|
key: config
|
||||||
|
retention: 2d
|
||||||
|
retentionSize: 15GB
|
||||||
|
externalLabels:
|
||||||
|
cluster: main
|
||||||
|
storageSpec:
|
||||||
|
volumeClaimTemplate:
|
||||||
|
spec:
|
||||||
|
storageClassName: openebs-hostpath
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 20Gi
|
||||||
|
nodeExporter:
|
||||||
|
enabled: true
|
||||||
|
prometheus-node-exporter:
|
||||||
|
fullnameOverride: node-exporter
|
||||||
|
prometheus:
|
||||||
|
monitor:
|
||||||
|
enabled: true
|
||||||
|
relabelings:
|
||||||
|
- action: replace
|
||||||
|
regex: (.*)
|
||||||
|
replacement: $1
|
||||||
|
sourceLabels:
|
||||||
|
- __meta_kubernetes_pod_node_name
|
||||||
|
targetLabel: kubernetes_node
|
||||||
|
kubeStateMetrics:
|
||||||
|
enabled: true
|
||||||
|
kube-state-metrics:
|
||||||
|
fullnameOverride: kube-state-metrics
|
||||||
|
metricLabelsAllowlist:
|
||||||
|
- pods=[*]
|
||||||
|
- deployments=[*]
|
||||||
|
- persistentvolumeclaims=[*]
|
||||||
|
prometheus:
|
||||||
|
monitor:
|
||||||
|
enabled: true
|
||||||
|
relabelings:
|
||||||
|
- action: replace
|
||||||
|
regex: (.*)
|
||||||
|
replacement: $1
|
||||||
|
sourceLabels:
|
||||||
|
- __meta_kubernetes_pod_node_name
|
||||||
|
targetLabel: kubernetes_node
|
||||||
|
grafana:
|
||||||
|
enabled: false
|
||||||
|
forceDeployDashboards: true
|
||||||
|
sidecar:
|
||||||
|
dashboards:
|
||||||
|
annotations:
|
||||||
|
grafana_folder: Kubernetes
|
||||||
|
multicluster:
|
||||||
|
etcd:
|
||||||
|
enabled: true
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./externalsecret.yaml
|
||||||
|
- ./helmrelease.yaml
|
||||||
|
- ./prometheusrules
|
||||||
|
# - ./scrapeconfigs
|
||||||
|
- ./podmonitors
|
||||||
|
configMapGenerator:
|
||||||
|
- name: alertmanager-config-tpl
|
||||||
|
files:
|
||||||
|
- alertmanager.yaml=./resources/alertmanager.yaml
|
||||||
|
generatorOptions:
|
||||||
|
disableNameSuffixHash: true
|
|
@ -0,0 +1,34 @@
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/podmonitor_v1.json
|
||||||
|
---
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
kind: PodMonitor
|
||||||
|
metadata:
|
||||||
|
name: crunchy-postgres-exporter
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
postgres-operator.crunchydata.com/crunchy-postgres-exporter: 'true'
|
||||||
|
namespaceSelector:
|
||||||
|
matchNames:
|
||||||
|
- database
|
||||||
|
- media
|
||||||
|
podMetricsEndpoints:
|
||||||
|
- port: "exporter"
|
||||||
|
relabelings:
|
||||||
|
- sourceLabels: [__meta_kubernetes_pod_container_port_number]
|
||||||
|
action: keep
|
||||||
|
regex: "9187"
|
||||||
|
- sourceLabels: [__meta_kubernetes_namespace]
|
||||||
|
targetLabel: kubernetes_namespace
|
||||||
|
- sourceLabels: [__meta_kubernetes_pod_name]
|
||||||
|
targetLabel: pod
|
||||||
|
- sourceLabels: [__meta_kubernetes_namespace, __meta_kubernetes_pod_label_postgres_operator_crunchydata_com_cluster]
|
||||||
|
separator: ":"
|
||||||
|
targetLabel: pg_cluster
|
||||||
|
replacement: "$1$2"
|
||||||
|
- sourceLabels: [__meta_kubernetes_pod_ip]
|
||||||
|
targetLabel: ip
|
||||||
|
- sourceLabels: [__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_instance]
|
||||||
|
targetLabel: deployment
|
||||||
|
- sourceLabels: [__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_role]
|
||||||
|
targetLabel: role
|
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/podmonitor_v1.json
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
kind: PodMonitor
|
||||||
|
metadata:
|
||||||
|
name: dragonflydb-metrics
|
||||||
|
namespace: database
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: dragonfly
|
||||||
|
app: dragonfly
|
||||||
|
podTargetLabels:
|
||||||
|
- app
|
||||||
|
namespaceSelector:
|
||||||
|
matchNames:
|
||||||
|
- database
|
||||||
|
podMetricsEndpoints:
|
||||||
|
- port: admin
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./crunchy-postgres.yaml
|
||||||
|
- ./dragonflydb.yaml
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./prometheusrule.yaml
|
|
@ -0,0 +1,37 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/prometheusrule_v1.json
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
kind: PrometheusRule
|
||||||
|
metadata:
|
||||||
|
name: miscellaneous-rules
|
||||||
|
labels:
|
||||||
|
prometheus: k8s
|
||||||
|
role: alert-rules
|
||||||
|
spec:
|
||||||
|
groups:
|
||||||
|
- name: dockerhub
|
||||||
|
rules:
|
||||||
|
- alert: BootstrapRateLimitRisk
|
||||||
|
annotations:
|
||||||
|
summary: Kubernetes cluster at risk of being rate limited by dockerhub on bootstrap
|
||||||
|
expr: count(time() - container_last_seen{image=~"(docker.io).*",container!=""} < 30) > 100
|
||||||
|
for: 15m
|
||||||
|
labels:
|
||||||
|
severity: critical
|
||||||
|
- name: oom
|
||||||
|
rules:
|
||||||
|
- alert: OOMKilled
|
||||||
|
annotations:
|
||||||
|
summary: Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has been OOMKilled {{ $value }} times in the last 10 minutes.
|
||||||
|
expr: (kube_pod_container_status_restarts_total - kube_pod_container_status_restarts_total offset 10m >= 1) and ignoring (reason) min_over_time(kube_pod_container_status_last_terminated_reason{reason="OOMKilled"}[10m]) == 1
|
||||||
|
labels:
|
||||||
|
severity: critical
|
||||||
|
- name: zfs
|
||||||
|
rules:
|
||||||
|
- alert: ZfsUnexpectedPoolState
|
||||||
|
annotations:
|
||||||
|
summary: ZFS pool {{$labels.zpool}} on {{$labels.instance}} is in a unexpected state {{$labels.state}}
|
||||||
|
expr: node_zfs_zpool_state{state!="online"} > 0
|
||||||
|
for: 15m
|
||||||
|
labels:
|
||||||
|
severity: critical
|
|
@ -0,0 +1,68 @@
|
||||||
|
---
|
||||||
|
global:
|
||||||
|
resolve_timeout: 5m
|
||||||
|
route:
|
||||||
|
group_by: ["alertname", "job"]
|
||||||
|
group_interval: 10m
|
||||||
|
group_wait: 1m
|
||||||
|
receiver: pushover
|
||||||
|
repeat_interval: 12h
|
||||||
|
routes:
|
||||||
|
- receiver: heartbeat
|
||||||
|
group_interval: 5m
|
||||||
|
group_wait: 0s
|
||||||
|
matchers:
|
||||||
|
- alertname =~ "Watchdog"
|
||||||
|
repeat_interval: 5m
|
||||||
|
- receiver: "null"
|
||||||
|
matchers:
|
||||||
|
- alertname =~ "InfoInhibitor"
|
||||||
|
- receiver: pushover
|
||||||
|
continue: true
|
||||||
|
matchers:
|
||||||
|
- severity = "critical"
|
||||||
|
inhibit_rules:
|
||||||
|
- equal: ["alertname", "namespace"]
|
||||||
|
source_matchers:
|
||||||
|
- severity = "critical"
|
||||||
|
target_matchers:
|
||||||
|
- severity = "warning"
|
||||||
|
receivers:
|
||||||
|
- name: heartbeat
|
||||||
|
webhook_configs:
|
||||||
|
- send_resolved: true
|
||||||
|
url: "{{ .alertmanager_heartbeat_url }}"
|
||||||
|
- name: "null"
|
||||||
|
- name: pushover
|
||||||
|
pushover_configs:
|
||||||
|
- html: true
|
||||||
|
# Compooters are hard
|
||||||
|
message: |-
|
||||||
|
{{ "{{-" }} range .Alerts {{ "}}" }}
|
||||||
|
{{ "{{-" }} if ne .Annotations.description "" {{ "}}" }}
|
||||||
|
{{ "{{" }} .Annotations.description {{ "}}" }}
|
||||||
|
{{ "{{-" }} else if ne .Annotations.summary "" {{ "}}" }}
|
||||||
|
{{ "{{" }} .Annotations.summary {{ "}}" }}
|
||||||
|
{{ "{{-" }} else if ne .Annotations.message "" {{ "}}" }}
|
||||||
|
{{ "{{" }} .Annotations.message {{ "}}" }}
|
||||||
|
{{ "{{-" }} else {{ "}}" }}
|
||||||
|
Alert description not available
|
||||||
|
{{ "{{-" }} end {{ "}}" }}
|
||||||
|
{{ "{{-" }} if gt (len .Labels.SortedPairs) 0 {{ "}}" }}
|
||||||
|
<small>
|
||||||
|
{{ "{{-" }} range .Labels.SortedPairs {{ "}}" }}
|
||||||
|
<b>{{ "{{" }} .Name {{ "}}" }}:</b> {{ "{{" }} .Value {{ "}}" }}
|
||||||
|
{{ "{{-" }} end {{ "}}" }}
|
||||||
|
</small>
|
||||||
|
{{ "{{-" }} end {{ "}}" }}
|
||||||
|
{{ "{{-" }} end {{ "}}" }}
|
||||||
|
priority: |-
|
||||||
|
{{ "{{" }} if eq .Status "firing" {{ "}}" }}1{{ "{{" }} else {{ "}}" }}0{{ "{{" }} end {{ "}}" }}
|
||||||
|
send_resolved: true
|
||||||
|
sound: gamelan
|
||||||
|
title: >-
|
||||||
|
{{ "{{" }} .CommonLabels.alertname {{ "}}" }}
|
||||||
|
[{{ "{{" }} .Status | toUpper {{ "}}" }}{{ "{{" }} if eq .Status "firing" {{ "}}" }}:{{ "{{" }} .Alerts.Firing | len {{ "}}" }}{{ "{{" }} end {{ "}}" }}]
|
||||||
|
token: "{{ .alertmanager_token }}"
|
||||||
|
url_title: View in Alertmanager
|
||||||
|
user_key: "{{ .userkey_jahanson }}"
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./node-exporter.yaml
|
||||||
|
- ./zfs-exporter.yaml
|
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/scrapeconfig_v1alpha1.json
|
||||||
|
apiVersion: monitoring.coreos.com/v1alpha1
|
||||||
|
kind: ScrapeConfig
|
||||||
|
metadata:
|
||||||
|
name: node-exporter
|
||||||
|
spec:
|
||||||
|
staticConfigs:
|
||||||
|
- targets:
|
||||||
|
- 10.1.1.1:9100
|
||||||
|
metricsPath: /metrics
|
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/scrapeconfig_v1alpha1.json
|
||||||
|
apiVersion: monitoring.coreos.com/v1alpha1
|
||||||
|
kind: ScrapeConfig
|
||||||
|
metadata:
|
||||||
|
name: zfs-exporter
|
||||||
|
spec:
|
||||||
|
staticConfigs:
|
||||||
|
- targets:
|
||||||
|
- 10.1.1.13:9134
|
||||||
|
metricsPath: /metrics
|
|
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: &app kube-prometheus-stack
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
targetNamespace: observability
|
||||||
|
commonMetadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: *app
|
||||||
|
dependsOn:
|
||||||
|
- name: external-secrets-stores
|
||||||
|
- name: openebs
|
||||||
|
- name: volsync
|
||||||
|
path: ./kubernetes/apps/observability/kube-prometheus-stack/app
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: homelab
|
||||||
|
wait: false
|
||||||
|
interval: 30m
|
||||||
|
retryInterval: 1m
|
||||||
|
timeout: 15m
|
||||||
|
postBuild:
|
||||||
|
substitute:
|
||||||
|
# renovate: datasource=docker depName=quay.io/thanos/thanos
|
||||||
|
THANOS_VERSION: v0.34.1
|
|
@ -0,0 +1,28 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||||
|
apiVersion: external-secrets.io/v1beta1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: loki
|
||||||
|
spec:
|
||||||
|
secretStoreRef:
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
name: onepassword-connect
|
||||||
|
target:
|
||||||
|
name: loki-secret
|
||||||
|
creationPolicy: Owner
|
||||||
|
template:
|
||||||
|
engineVersion: v2
|
||||||
|
data:
|
||||||
|
S3_HOST: s3.hsn.dev
|
||||||
|
S3_BUCKET: "{{ .minio_thanos_bucket_name }}"
|
||||||
|
S3_ACCESS_KEY: "{{ .minio_loki_access_key }}"
|
||||||
|
S3_SECRET_KEY: "{{ .minio_loki_secret_key }}"
|
||||||
|
S3_REGION: us-east-1
|
||||||
|
dataFrom:
|
||||||
|
- extract:
|
||||||
|
key: minio
|
||||||
|
rewrite:
|
||||||
|
- regexp:
|
||||||
|
source: "(.*)"
|
||||||
|
target: "minio_$1"
|
138
.archive/kubernetes/observability/loki/app/helmrelease.yaml
Normal file
138
.archive/kubernetes/observability/loki/app/helmrelease.yaml
Normal file
|
@ -0,0 +1,138 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: loki
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
timeout: 15m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: loki
|
||||||
|
version: 6.7.3
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: grafana
|
||||||
|
namespace: flux-system
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
strategy: uninstall
|
||||||
|
retries: 3
|
||||||
|
valuesFrom:
|
||||||
|
- targetPath: loki.storage.bucketNames.chunks
|
||||||
|
kind: Secret
|
||||||
|
name: loki-secret
|
||||||
|
valuesKey: S3_BUCKET
|
||||||
|
- targetPath: loki.storage.s3.endpoint
|
||||||
|
kind: Secret
|
||||||
|
name: loki-secret
|
||||||
|
valuesKey: S3_HOST
|
||||||
|
- targetPath: loki.storage.s3.region
|
||||||
|
kind: Secret
|
||||||
|
name: loki-secret
|
||||||
|
valuesKey: S3_REGION
|
||||||
|
- targetPath: loki.storage.s3.accessKeyId
|
||||||
|
kind: Secret
|
||||||
|
name: loki-secret
|
||||||
|
valuesKey: S3_ACCESS_KEY
|
||||||
|
- targetPath: loki.storage.s3.secretAccessKey
|
||||||
|
kind: Secret
|
||||||
|
name: loki-secret
|
||||||
|
valuesKey: S3_SECRET_KEY
|
||||||
|
values:
|
||||||
|
deploymentMode: SimpleScalable
|
||||||
|
loki:
|
||||||
|
podAnnotations:
|
||||||
|
secret.reloader.stakater.com/reload: loki-secret
|
||||||
|
ingester:
|
||||||
|
chunk_encoding: snappy
|
||||||
|
storage:
|
||||||
|
type: s3
|
||||||
|
s3:
|
||||||
|
s3ForcePathStyle: true
|
||||||
|
insecure: true
|
||||||
|
schemaConfig:
|
||||||
|
configs:
|
||||||
|
- from: "2024-04-01"
|
||||||
|
store: tsdb
|
||||||
|
object_store: s3
|
||||||
|
schema: v13
|
||||||
|
index:
|
||||||
|
prefix: loki_index_
|
||||||
|
period: 24h
|
||||||
|
structuredConfig:
|
||||||
|
auth_enabled: false
|
||||||
|
server:
|
||||||
|
log_level: info
|
||||||
|
http_listen_port: 3100
|
||||||
|
grpc_listen_port: 9095
|
||||||
|
grpc_server_max_recv_msg_size: 8388608
|
||||||
|
grpc_server_max_send_msg_size: 8388608
|
||||||
|
limits_config:
|
||||||
|
ingestion_burst_size_mb: 128
|
||||||
|
ingestion_rate_mb: 64
|
||||||
|
max_query_parallelism: 100
|
||||||
|
per_stream_rate_limit: 64M
|
||||||
|
per_stream_rate_limit_burst: 128M
|
||||||
|
reject_old_samples: true
|
||||||
|
reject_old_samples_max_age: 168h
|
||||||
|
retention_period: 30d
|
||||||
|
shard_streams:
|
||||||
|
enabled: true
|
||||||
|
split_queries_by_interval: 1h
|
||||||
|
query_scheduler:
|
||||||
|
max_outstanding_requests_per_tenant: 4096
|
||||||
|
frontend:
|
||||||
|
max_outstanding_per_tenant: 4096
|
||||||
|
ruler:
|
||||||
|
enable_api: true
|
||||||
|
enable_alertmanager_v2: true
|
||||||
|
alertmanager_url: http://alertmanager-operated.observability.svc.cluster.local:9093
|
||||||
|
storage:
|
||||||
|
type: local
|
||||||
|
local:
|
||||||
|
directory: /rules
|
||||||
|
rule_path: /rules/fake
|
||||||
|
analytics:
|
||||||
|
reporting_enabled: false
|
||||||
|
backend:
|
||||||
|
replicas: 1
|
||||||
|
persistence:
|
||||||
|
size: 20Gi
|
||||||
|
storageClass: openebs-hostpath
|
||||||
|
gateway:
|
||||||
|
replicas: 1
|
||||||
|
image:
|
||||||
|
registry: ghcr.io
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
ingressClassName: internal-nginx
|
||||||
|
hosts:
|
||||||
|
- host: &host loki.jahanson.tech
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
pathType: Prefix
|
||||||
|
tls:
|
||||||
|
- hosts: [*host]
|
||||||
|
read:
|
||||||
|
replicas: 1
|
||||||
|
write:
|
||||||
|
replicas: 1
|
||||||
|
persistence:
|
||||||
|
size: 20Gi
|
||||||
|
storageClass: openebs-hostpath
|
||||||
|
sidecar:
|
||||||
|
image:
|
||||||
|
repository: ghcr.io/kiwigrid/k8s-sidecar
|
||||||
|
rules:
|
||||||
|
searchNamespace: ALL
|
||||||
|
folder: /rules/fake
|
||||||
|
lokiCanary:
|
||||||
|
enabled: false
|
||||||
|
test:
|
||||||
|
enabled: false
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./externalsecret.yaml
|
||||||
|
- ./helmrelease.yaml
|
25
.archive/kubernetes/observability/loki/ks.yaml
Normal file
25
.archive/kubernetes/observability/loki/ks.yaml
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: &app loki
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
targetNamespace: observability
|
||||||
|
commonMetadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: *app
|
||||||
|
dependsOn:
|
||||||
|
- name: external-secrets-stores
|
||||||
|
- name: openebs
|
||||||
|
- name: vector
|
||||||
|
path: ./kubernetes/apps/observability/loki/app
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: homelab
|
||||||
|
wait: false
|
||||||
|
interval: 30m
|
||||||
|
retryInterval: 1m
|
||||||
|
timeout: 15m
|
|
@ -0,0 +1,28 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||||
|
apiVersion: external-secrets.io/v1beta1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: thanos
|
||||||
|
spec:
|
||||||
|
secretStoreRef:
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
name: onepassword-connect
|
||||||
|
target:
|
||||||
|
name: thanos-secret
|
||||||
|
creationPolicy: Owner
|
||||||
|
template:
|
||||||
|
engineVersion: v2
|
||||||
|
data:
|
||||||
|
S3_HOST: s3.hsn.dev
|
||||||
|
S3_BUCKET: "{{ .minio_thanos_bucket_name }}"
|
||||||
|
S3_ACCESS_KEY: "{{ .minio_thanos_access_key }}"
|
||||||
|
S3_SECRET_KEY: "{{ .minio_thanos_secret_key }}"
|
||||||
|
S3_REGION: us-east-1
|
||||||
|
dataFrom:
|
||||||
|
- extract:
|
||||||
|
key: Minio
|
||||||
|
rewrite:
|
||||||
|
- regexp:
|
||||||
|
source: "(.*)"
|
||||||
|
target: "minio_$1"
|
120
.archive/kubernetes/observability/thanos/app/helmrelease.yaml
Normal file
120
.archive/kubernetes/observability/thanos/app/helmrelease.yaml
Normal file
|
@ -0,0 +1,120 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: thanos
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
timeout: 15m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: thanos
|
||||||
|
version: 1.17.2
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: stevehipwell
|
||||||
|
namespace: flux-system
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
strategy: rollback
|
||||||
|
retries: 3
|
||||||
|
valuesFrom:
|
||||||
|
- targetPath: objstoreConfig.value.config.bucket
|
||||||
|
kind: Secret
|
||||||
|
name: thanos-secret
|
||||||
|
valuesKey: S3_BUCKET
|
||||||
|
- targetPath: objstoreConfig.value.config.endpoint
|
||||||
|
kind: Secret
|
||||||
|
name: thanos-secret
|
||||||
|
valuesKey: S3_HOST
|
||||||
|
- targetPath: objstoreConfig.value.config.region
|
||||||
|
kind: Secret
|
||||||
|
name: thanos-secret
|
||||||
|
valuesKey: S3_REGION
|
||||||
|
- targetPath: objstoreConfig.value.config.access_key
|
||||||
|
kind: Secret
|
||||||
|
name: thanos-secret
|
||||||
|
valuesKey: S3_ACCESS_KEY
|
||||||
|
- targetPath: objstoreConfig.value.config.secret_key
|
||||||
|
kind: Secret
|
||||||
|
name: thanos-secret
|
||||||
|
valuesKey: S3_SECRET_KEY
|
||||||
|
values:
|
||||||
|
objstoreConfig:
|
||||||
|
value:
|
||||||
|
type: s3
|
||||||
|
config:
|
||||||
|
insecure: false
|
||||||
|
additionalEndpoints:
|
||||||
|
- dnssrv+_grpc._tcp.kube-prometheus-stack-thanos-discovery.observability.svc.cluster.local
|
||||||
|
additionalReplicaLabels: ["__replica__"]
|
||||||
|
serviceMonitor:
|
||||||
|
enabled: true
|
||||||
|
compact:
|
||||||
|
enabled: true
|
||||||
|
extraArgs:
|
||||||
|
- --compact.concurrency=4
|
||||||
|
- --delete-delay=30m
|
||||||
|
- --retention.resolution-raw=14d
|
||||||
|
- --retention.resolution-5m=30d
|
||||||
|
- --retention.resolution-1h=60d
|
||||||
|
persistence: &persistence
|
||||||
|
enabled: true
|
||||||
|
storageClass: openebs-hostpath
|
||||||
|
size: 10Gi
|
||||||
|
query:
|
||||||
|
replicas: 1
|
||||||
|
extraArgs: ["--alert.query-url=https://thanos.jahanson.tech"]
|
||||||
|
queryFrontend:
|
||||||
|
enabled: true
|
||||||
|
replicas: 1
|
||||||
|
extraEnv: &extraEnv
|
||||||
|
- name: THANOS_CACHE_CONFIG
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: &configMap thanos-cache-configmap
|
||||||
|
key: cache.yaml
|
||||||
|
extraArgs: ["--query-range.response-cache-config=$(THANOS_CACHE_CONFIG)"]
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
ingressClassName: internal-nginx
|
||||||
|
hosts:
|
||||||
|
- &host thanos.jahanson.tech
|
||||||
|
tls:
|
||||||
|
- hosts: [*host]
|
||||||
|
podAnnotations: &podAnnotations
|
||||||
|
configmap.reloader.stakater.com/reload: *configMap
|
||||||
|
rule:
|
||||||
|
enabled: true
|
||||||
|
replicas: 1
|
||||||
|
extraArgs: ["--web.prefix-header=X-Forwarded-Prefix"]
|
||||||
|
alertmanagersConfig:
|
||||||
|
value: |-
|
||||||
|
alertmanagers:
|
||||||
|
- api_version: v2
|
||||||
|
static_configs:
|
||||||
|
- dnssrv+_http-web._tcp.alertmanager-operated.observability.svc.cluster.local
|
||||||
|
rules:
|
||||||
|
value: |-
|
||||||
|
groups:
|
||||||
|
- name: PrometheusWatcher
|
||||||
|
rules:
|
||||||
|
- alert: PrometheusDown
|
||||||
|
annotations:
|
||||||
|
summary: A Prometheus has disappeared from Prometheus target discovery
|
||||||
|
expr: absent(up{job="kube-prometheus-stack-prometheus"})
|
||||||
|
for: 5m
|
||||||
|
labels:
|
||||||
|
severity: critical
|
||||||
|
persistence: *persistence
|
||||||
|
storeGateway:
|
||||||
|
replicas: 1
|
||||||
|
extraEnv: *extraEnv
|
||||||
|
extraArgs: ["--index-cache.config=$(THANOS_CACHE_CONFIG)"]
|
||||||
|
persistence: *persistence
|
||||||
|
podAnnotations: *podAnnotations
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./helmrelease.yaml
|
||||||
|
- ./externalsecret.yaml
|
||||||
|
configMapGenerator:
|
||||||
|
- name: thanos-cache-configmap
|
||||||
|
files:
|
||||||
|
- cache.yaml=./resources/cache.yml
|
||||||
|
generatorOptions:
|
||||||
|
disableNameSuffixHash: true
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
type: REDIS
|
||||||
|
config:
|
||||||
|
addr: dragonfly.database.svc.cluster.local:6379
|
||||||
|
db: 1
|
25
.archive/kubernetes/observability/thanos/ks.yaml
Normal file
25
.archive/kubernetes/observability/thanos/ks.yaml
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||||
|
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||||
|
kind: Kustomization
|
||||||
|
metadata:
|
||||||
|
name: &app thanos
|
||||||
|
namespace: flux-system
|
||||||
|
spec:
|
||||||
|
targetNamespace: observability
|
||||||
|
commonMetadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: *app
|
||||||
|
dependsOn:
|
||||||
|
- name: external-secrets-stores
|
||||||
|
- name: openebs
|
||||||
|
- name: dragonfly-operator
|
||||||
|
path: ./kubernetes/apps/observability/thanos/app
|
||||||
|
prune: true
|
||||||
|
sourceRef:
|
||||||
|
kind: GitRepository
|
||||||
|
name: homelab
|
||||||
|
wait: false
|
||||||
|
interval: 30m
|
||||||
|
retryInterval: 1m
|
||||||
|
timeout: 15m
|
|
@ -0,0 +1,103 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: vector-agent
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
timeout: 15m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: app-template
|
||||||
|
version: 3.3.0
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: bjw-s
|
||||||
|
namespace: flux-system
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
strategy: rollback
|
||||||
|
dependsOn:
|
||||||
|
- name: vector-aggregator
|
||||||
|
namespace: observability
|
||||||
|
values:
|
||||||
|
controllers:
|
||||||
|
vector:
|
||||||
|
type: daemonset
|
||||||
|
strategy: RollingUpdate
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
containers:
|
||||||
|
app:
|
||||||
|
image:
|
||||||
|
repository: docker.io/timberio/vector
|
||||||
|
tag: 0.40.0-alpine@sha256:7a81fdd62e056321055a9e4bdec4073d752ecf68f4c192e676b85001721523c2
|
||||||
|
env:
|
||||||
|
PROCFS_ROOT: /host/proc
|
||||||
|
SYSFS_ROOT: /host/sys
|
||||||
|
VECTOR_SELF_NODE_NAME:
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: spec.nodeName
|
||||||
|
VECTOR_SELF_POD_NAME:
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.name
|
||||||
|
VECTOR_SELF_POD_NAMESPACE:
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
args: ["--config", "/etc/vector/vector.yaml"]
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
serviceAccount:
|
||||||
|
create: true
|
||||||
|
name: vector-agent
|
||||||
|
persistence:
|
||||||
|
config:
|
||||||
|
enabled: true
|
||||||
|
type: configMap
|
||||||
|
name: vector-agent-configmap
|
||||||
|
globalMounts:
|
||||||
|
- path: /etc/vector/vector.yaml
|
||||||
|
subPath: vector.yaml
|
||||||
|
readOnly: true
|
||||||
|
data:
|
||||||
|
type: emptyDir
|
||||||
|
globalMounts:
|
||||||
|
- path: /vector-data-dir
|
||||||
|
procfs:
|
||||||
|
type: hostPath
|
||||||
|
hostPath: /proc
|
||||||
|
hostPathType: Directory
|
||||||
|
globalMounts:
|
||||||
|
- path: /host/proc
|
||||||
|
readOnly: true
|
||||||
|
sysfs:
|
||||||
|
type: hostPath
|
||||||
|
hostPath: /sys
|
||||||
|
hostPathType: Directory
|
||||||
|
globalMounts:
|
||||||
|
- path: /host/sys
|
||||||
|
readOnly: true
|
||||||
|
var-lib:
|
||||||
|
type: hostPath
|
||||||
|
hostPath: /var/lib
|
||||||
|
hostPathType: Directory
|
||||||
|
globalMounts:
|
||||||
|
- readOnly: true
|
||||||
|
var-log:
|
||||||
|
type: hostPath
|
||||||
|
hostPath: /var/log
|
||||||
|
hostPathType: Directory
|
||||||
|
globalMounts:
|
||||||
|
- readOnly: true
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./helmrelease.yaml
|
||||||
|
- ./rbac.yaml
|
||||||
|
configMapGenerator:
|
||||||
|
- name: vector-agent-configmap
|
||||||
|
files:
|
||||||
|
- vector.yaml=./resources/vector.yaml
|
||||||
|
generatorOptions:
|
||||||
|
disableNameSuffixHash: true
|
22
.archive/kubernetes/observability/vector/app/agent/rbac.yaml
Normal file
22
.archive/kubernetes/observability/vector/app/agent/rbac.yaml
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: vector-agent
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["namespaces", "nodes", "pods"]
|
||||||
|
verbs: ["list", "watch"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: vector-agent
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: vector-agent
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: vector-agent
|
||||||
|
namespace: observability
|
|
@ -0,0 +1,25 @@
|
||||||
|
---
|
||||||
|
data_dir: /vector-data-dir
|
||||||
|
|
||||||
|
sources:
|
||||||
|
kubernetes_source:
|
||||||
|
type: kubernetes_logs
|
||||||
|
use_apiserver_cache: true
|
||||||
|
pod_annotation_fields:
|
||||||
|
container_image: container_image
|
||||||
|
container_name: container_name
|
||||||
|
pod_labels: pod_labels
|
||||||
|
pod_name: pod_name
|
||||||
|
pod_annotations: ""
|
||||||
|
namespace_annotation_fields:
|
||||||
|
namespace_labels: ""
|
||||||
|
node_annotation_fields:
|
||||||
|
node_labels: ""
|
||||||
|
|
||||||
|
sinks:
|
||||||
|
kubernetes:
|
||||||
|
type: vector
|
||||||
|
compression: true
|
||||||
|
version: "2"
|
||||||
|
address: vector-aggregator.observability.svc.cluster.local:6010
|
||||||
|
inputs: ["kubernetes_source"]
|
|
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||||
|
apiVersion: external-secrets.io/v1beta1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: vector-aggregator
|
||||||
|
spec:
|
||||||
|
secretStoreRef:
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
name: onepassword-connect
|
||||||
|
target:
|
||||||
|
name: vector-aggregator-secret
|
||||||
|
template:
|
||||||
|
engineVersion: v2
|
||||||
|
data:
|
||||||
|
GEOIPUPDATE_ACCOUNT_ID: "{{ .account_id }}"
|
||||||
|
GEOIPUPDATE_LICENSE_KEY: "{{ .vector_license_key }}"
|
||||||
|
dataFrom:
|
||||||
|
- extract:
|
||||||
|
key: maxmind
|
|
@ -0,0 +1,91 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||||
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||||
|
kind: HelmRelease
|
||||||
|
metadata:
|
||||||
|
name: &app vector-aggregator
|
||||||
|
spec:
|
||||||
|
interval: 30m
|
||||||
|
timeout: 15m
|
||||||
|
chart:
|
||||||
|
spec:
|
||||||
|
chart: app-template
|
||||||
|
version: 3.3.0
|
||||||
|
sourceRef:
|
||||||
|
kind: HelmRepository
|
||||||
|
name: bjw-s
|
||||||
|
namespace: flux-system
|
||||||
|
install:
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
upgrade:
|
||||||
|
cleanupOnFail: true
|
||||||
|
remediation:
|
||||||
|
retries: 3
|
||||||
|
strategy: rollback
|
||||||
|
values:
|
||||||
|
controllers:
|
||||||
|
vector-aggregator:
|
||||||
|
replicas: 1
|
||||||
|
strategy: RollingUpdate
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
initContainers:
|
||||||
|
init-geoip:
|
||||||
|
image:
|
||||||
|
repository: ghcr.io/maxmind/geoipupdate
|
||||||
|
tag: v7.0.1@sha256:80c57598a9ff552953e499cefc589cfe7b563d64262742ea42f2014251b557b0
|
||||||
|
env:
|
||||||
|
GEOIPUPDATE_EDITION_IDS: GeoLite2-City
|
||||||
|
GEOIPUPDATE_FREQUENCY: "0"
|
||||||
|
GEOIPUPDATE_VERBOSE: "1"
|
||||||
|
envFrom:
|
||||||
|
- secretRef:
|
||||||
|
name: vector-aggregator-secret
|
||||||
|
containers:
|
||||||
|
app:
|
||||||
|
image:
|
||||||
|
repository: docker.io/timberio/vector
|
||||||
|
tag: 0.40.0-alpine@sha256:7a81fdd62e056321055a9e4bdec4073d752ecf68f4c192e676b85001721523c2
|
||||||
|
args: ["--config", "/etc/vector/vector.yaml"]
|
||||||
|
pod:
|
||||||
|
topologySpreadConstraints:
|
||||||
|
- maxSkew: 1
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
whenUnsatisfiable: DoNotSchedule
|
||||||
|
labelSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: *app
|
||||||
|
service:
|
||||||
|
app:
|
||||||
|
controller: vector-aggregator
|
||||||
|
type: LoadBalancer
|
||||||
|
annotations:
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: vector.jahanson.tech
|
||||||
|
io.cilium/lb-ipam-ips: 10.1.1.33
|
||||||
|
ports:
|
||||||
|
http:
|
||||||
|
port: 8686
|
||||||
|
journald:
|
||||||
|
port: 6000
|
||||||
|
kubernetes:
|
||||||
|
port: 6010
|
||||||
|
vyos:
|
||||||
|
port: 6020
|
||||||
|
persistence:
|
||||||
|
config:
|
||||||
|
enabled: true
|
||||||
|
type: configMap
|
||||||
|
name: vector-aggregator-configmap
|
||||||
|
globalMounts:
|
||||||
|
- path: /etc/vector/vector.yaml
|
||||||
|
subPath: vector.yaml
|
||||||
|
readOnly: true
|
||||||
|
data:
|
||||||
|
type: emptyDir
|
||||||
|
globalMounts:
|
||||||
|
- path: /vector-data-dir
|
||||||
|
geoip:
|
||||||
|
type: emptyDir
|
||||||
|
globalMounts:
|
||||||
|
- path: /usr/share/GeoIP
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- ./externalsecret.yaml
|
||||||
|
- ./helmrelease.yaml
|
||||||
|
configMapGenerator:
|
||||||
|
- name: vector-aggregator-configmap
|
||||||
|
files:
|
||||||
|
- vector.yaml=./resources/vector.yaml
|
||||||
|
generatorOptions:
|
||||||
|
disableNameSuffixHash: true
|
|
@ -0,0 +1,132 @@
|
||||||
|
---
|
||||||
|
data_dir: /vector-data-dir
|
||||||
|
api:
|
||||||
|
enabled: true
|
||||||
|
address: 0.0.0.0:8686
|
||||||
|
|
||||||
|
enrichment_tables:
|
||||||
|
geoip_table:
|
||||||
|
type: geoip
|
||||||
|
path: /usr/share/GeoIP/GeoLite2-City.mmdb
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sources
|
||||||
|
#
|
||||||
|
|
||||||
|
sources:
|
||||||
|
journald_source:
|
||||||
|
type: vector
|
||||||
|
version: "2"
|
||||||
|
address: 0.0.0.0:6000
|
||||||
|
|
||||||
|
kubernetes_source:
|
||||||
|
type: vector
|
||||||
|
version: "2"
|
||||||
|
address: 0.0.0.0:6010
|
||||||
|
|
||||||
|
vyos_source:
|
||||||
|
type: syslog
|
||||||
|
address: 0.0.0.0:6020
|
||||||
|
mode: tcp
|
||||||
|
|
||||||
|
#
|
||||||
|
# Transforms
|
||||||
|
#
|
||||||
|
|
||||||
|
transforms:
|
||||||
|
kubernetes_remap:
|
||||||
|
type: remap
|
||||||
|
inputs: ["kubernetes_source"]
|
||||||
|
source: |
|
||||||
|
# Standardize 'app' index
|
||||||
|
.custom_app_name = .pod_labels."app.kubernetes.io/name" || .pod_labels.app || .pod_labels."k8s-app" || "unknown"
|
||||||
|
# Drop pod_labels
|
||||||
|
del(.pod_labels)
|
||||||
|
|
||||||
|
# [63950.153039] [wan-local-default-D]IN=eth4 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=60610 PROTO=TCP SPT=53451 DPT=2002 WINDOW=1024 RES=0x00 SYN URGP=0
|
||||||
|
vyos_firewall_route:
|
||||||
|
type: route
|
||||||
|
inputs: ["vyos_source"]
|
||||||
|
route:
|
||||||
|
firewall: |
|
||||||
|
.facility == "kern" && match!(.message, r'^\[(.*?)\].(.*)')
|
||||||
|
|
||||||
|
vyos_firewall_remap:
|
||||||
|
type: remap
|
||||||
|
inputs: ["vyos_firewall_route.firewall"]
|
||||||
|
source: |
|
||||||
|
# Parse firewall rule message
|
||||||
|
split_message, split_err = parse_regex(.message, r'^\[.*\].\[(?P<rule>.*?)\](?P<fields>.*)')
|
||||||
|
if split_err != null {
|
||||||
|
abort
|
||||||
|
}
|
||||||
|
# Extract separate fields from message
|
||||||
|
split_message.fields, split_err = strip_whitespace(split_message.fields)
|
||||||
|
if split_err != null {
|
||||||
|
abort
|
||||||
|
}
|
||||||
|
.message, parse_err = parse_key_value(split_message.fields, whitespace: "strict")
|
||||||
|
if parse_err != null {
|
||||||
|
abort
|
||||||
|
}
|
||||||
|
# Add more information about the triggered rule
|
||||||
|
.message.RULE, parse_err = parse_regex(split_message.rule, r'^ipv4-(?P<from_zone>\w+)-(?P<to_zone>\w+)-(?P<id>\w+)-(?P<action>\w+)$')
|
||||||
|
if parse_err != null {
|
||||||
|
abort
|
||||||
|
}
|
||||||
|
|
||||||
|
vyos_firewall_wan_route:
|
||||||
|
type: route
|
||||||
|
inputs: ["vyos_firewall_remap"]
|
||||||
|
route:
|
||||||
|
from_wan: .message.RULE.from_zone == "wan"
|
||||||
|
|
||||||
|
vyos_firewall_geoip_remap:
|
||||||
|
type: remap
|
||||||
|
inputs: ["vyos_firewall_wan_route.from_wan"]
|
||||||
|
source: |
|
||||||
|
.geoip = get_enrichment_table_record!(
|
||||||
|
"geoip_table", {
|
||||||
|
"ip": .message.SRC
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sinks
|
||||||
|
#
|
||||||
|
|
||||||
|
sinks:
|
||||||
|
journald:
|
||||||
|
inputs: ["journald_source"]
|
||||||
|
type: loki
|
||||||
|
endpoint: http://loki-gateway.observability.svc.cluster.local
|
||||||
|
encoding: { codec: json }
|
||||||
|
out_of_order_action: accept
|
||||||
|
remove_label_fields: true
|
||||||
|
remove_timestamp: true
|
||||||
|
labels:
|
||||||
|
hostname: '{{ host }}'
|
||||||
|
|
||||||
|
kubernetes:
|
||||||
|
inputs: ["kubernetes_remap"]
|
||||||
|
type: loki
|
||||||
|
endpoint: http://loki-gateway.observability.svc.cluster.local
|
||||||
|
encoding: { codec: json }
|
||||||
|
out_of_order_action: accept
|
||||||
|
remove_label_fields: true
|
||||||
|
remove_timestamp: true
|
||||||
|
labels:
|
||||||
|
app: '{{ custom_app_name }}'
|
||||||
|
namespace: '{{ kubernetes.pod_namespace }}'
|
||||||
|
node: '{{ kubernetes.pod_node_name }}'
|
||||||
|
|
||||||
|
vyos:
|
||||||
|
inputs: ["vyos_source", "vyos_firewall_geoip_remap"]
|
||||||
|
type: loki
|
||||||
|
endpoint: http://loki-gateway.observability.svc.cluster.local
|
||||||
|
encoding: { codec: json }
|
||||||
|
out_of_order_action: accept
|
||||||
|
remove_label_fields: true
|
||||||
|
remove_timestamp: true
|
||||||
|
labels:
|
||||||
|
hostname: '{{ host }}'
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue