Compare commits
979 commits
Author | SHA1 | Date | |
---|---|---|---|
761690ba5e | |||
cb2e0d24c8 | |||
bc687b28fd | |||
6c6ea27957 | |||
1166d4d687 | |||
ec4f619367 | |||
d870c79589 | |||
96179f13a2 | |||
2c348267c5 | |||
8222c32fe0 | |||
01f3eaa9fa | |||
c51bd020bd | |||
1f87e3c3db | |||
20a2e63b30 | |||
8ed33b3671 | |||
2de07ac885 | |||
f1c79adc59 | |||
97829c6809 | |||
14287e4cad | |||
7a72a530a7 | |||
c282512a8b | |||
0d547458d3 | |||
ca43a3f4b3 | |||
851884bd94 | |||
2a06b673fb | |||
dbb411bc42 | |||
53fc1d997f | |||
270896cbd6 | |||
b64647cdc2 | |||
7f096e8b16 | |||
fd95d435df | |||
191678bc36 | |||
8a369a96f0 | |||
4332d24615 | |||
6a3b358f26 | |||
139260eec1 | |||
af097c7dd3 | |||
3668207a96 | |||
50833f2dde | |||
fddcb0198d | |||
b49ed58d67 | |||
366747cfd1 | |||
5ae9e7a310 | |||
e6c290d9b2 | |||
51ba803722 | |||
941f4bd7fd | |||
dab5efcc2b | |||
64e7a0d471 | |||
3f8a65127c | |||
5a36c15280 | |||
24028be57f | |||
edeb043fef | |||
9b10358b66 | |||
bc4191a835 | |||
548785063f | |||
d68bfd6ce6 | |||
8a5144e5d9 | |||
27614465e0 | |||
a0e3680594 | |||
1c75bdcc6f | |||
ec200d725e | |||
c1007fd8e0 | |||
ced70c45d5 | |||
5be233a430 | |||
1fdc8d8bd5 | |||
eb5ac75328 | |||
86b22da9c9 | |||
cc7446166a | |||
e4c3d78f5e | |||
99fdc1c195 | |||
a91d468b22 | |||
8545b80220 | |||
d2ecff3909 | |||
08c2552e84 | |||
6249ac37e3 | |||
2dabf67c66 | |||
f5c8d9dc78 | |||
44f5a889f7 | |||
14522fa2ab | |||
abef2f4e6c | |||
886a5ae298 | |||
6438d94752 | |||
20b48673c8 | |||
449e85b001 | |||
2adb483750 | |||
a7fa7af1a2 | |||
a17783fa36 | |||
51e14a2c54 | |||
e6145233c6 | |||
5ca8cc02bb | |||
17afffbc84 | |||
2169fb950a | |||
0f73bcde4a | |||
060a0a82cc | |||
eaecc8bc8d | |||
a9ca0d19dc | |||
c9d187c722 | |||
e79d23c022 | |||
956f9a2afe | |||
e66972f743 | |||
59a6194eac | |||
8da9a09dc3 | |||
44c9b13e53 | |||
b6c9cd104a | |||
a1bb054694 | |||
dec439d9df | |||
d338c6e289 | |||
07af06f006 | |||
01176b870d | |||
2c017fac5b | |||
084ee574e5 | |||
dce990bc63 | |||
162067b974 | |||
a91f18ad95 | |||
d19bd2b6ce | |||
5d036b18fc | |||
10e6d57129 | |||
ace3f991f6 | |||
c70eb09a12 | |||
d9c14ff8ac | |||
a56785f067 | |||
7283590a5c | |||
8d327dcf0c | |||
dcc57fbcd4 | |||
55268dfc2c | |||
2abb192555 | |||
7e76b6300e | |||
587997b824 | |||
610f5ac9dc | |||
5ff8063ea7 | |||
108e4f43ac | |||
755a3f5ac6 | |||
1eb3a02ab5 | |||
822f88f58f | |||
44e8200961 | |||
57a058635f | |||
2deca013b2 | |||
1da4f8c090 | |||
5c16d00df6 | |||
30dc45178e | |||
c77719cba2 | |||
547bafa982 | |||
b1bfb7ca1e | |||
a2dc6bfdea | |||
326ed31f5c | |||
112a226093 | |||
468d52bdf0 | |||
389dfad2e2 | |||
797e44f8bd | |||
8faeb9b538 | |||
fd2d678340 | |||
c1ee6e2c46 | |||
7ecf25cf44 | |||
b3a861518f | |||
688a0fa475 | |||
e17d366995 | |||
13b84d28bb | |||
e735d57853 | |||
9b6ef5550e | |||
1946c17749 | |||
95cc6d3a49 | |||
e9c6f24f45 | |||
414d60504f | |||
d969759831 | |||
341bda003a | |||
05f1ed7a20 | |||
27d14444ab | |||
36537c15a3 | |||
c09a925e4e | |||
3713d7dc3f | |||
f13618c54c | |||
04597c4675 | |||
8a1c2d24aa | |||
195b948b33 | |||
6fb7e23d98 | |||
9ea9da65cc | |||
d30de1e0c4 | |||
a0bc016b2e | |||
b83ed22333 | |||
52a0f03e32 | |||
723bc729fc | |||
e3622cd081 | |||
5eac8a8fa9 | |||
895d342cfc | |||
e325f84255 | |||
9604f7d9b9 | |||
c10bdeafe9 | |||
6b95759b3b | |||
e788755a49 | |||
17243198ac | |||
967dfc3556 | |||
6f29438222 | |||
9a9be03cc9 | |||
44587fc33a | |||
5d98fd8019 | |||
f4725be8ff | |||
1793b64ecb | |||
cea6da84ee | |||
eabf64f582 | |||
ff70dcb76a | |||
adde7e018b | |||
cd6b92cd9d | |||
7ece80ef26 | |||
dd721302ee | |||
400bcc9fc0 | |||
278752fa4f | |||
357550f5a6 | |||
31b79e6911 | |||
9c5f0126c8 | |||
6d5293a709 | |||
68344219da | |||
392f6a0e6f | |||
fcf0382cab | |||
7d033b47f3 | |||
72600c6d75 | |||
afa66a4873 | |||
0e1c6aea9d | |||
cb64446a51 | |||
211520c981 | |||
efe5417b10 | |||
477ec3312f | |||
097153db29 | |||
96724f8d41 | |||
f0b9c7d560 | |||
dceda4e6e4 | |||
79716177f6 | |||
ab782d6386 | |||
6089bb7993 | |||
60fd4d085c | |||
7503bb63fe | |||
7e0210b2e5 | |||
f930ce0e81 | |||
9b28284233 | |||
6b21d9beb9 | |||
4d9a8e32d7 | |||
2f275ed5b9 | |||
f532b5416f | |||
58a3d4919b | |||
b4ecf685c3 | |||
c8b07d60c7 | |||
1bc4e9fdf3 | |||
f821f153d7 | |||
a63223df51 | |||
455218cf64 | |||
6b0cb19bfd | |||
65de770fcc | |||
c223f3e889 | |||
2436ff4166 | |||
1e512d354c | |||
c3443e87be | |||
a070f8381b | |||
f4ec9777a5 | |||
3f2c831c66 | |||
f87492fb84 | |||
1f6a00c005 | |||
f022ec5ee7 | |||
347aa68119 | |||
7b8ed73b92 | |||
e6878640ee | |||
a696c83d44 | |||
67c92a6f2d | |||
f5c5ab732d | |||
eb43276149 | |||
cfcb7ebe19 | |||
e0fd822691 | |||
7e91167a4c | |||
3849281f09 | |||
c4c03d75fb | |||
632d260a2e | |||
7b86253515 | |||
2c8cc873a7 | |||
36ec208d8d | |||
70fd6f6d3d | |||
a786069bcc | |||
c2a8a165e0 | |||
be0f0bc52e | |||
09baa7cf09 | |||
d9c56177da | |||
7f9e4a2504 | |||
ac4282a6c5 | |||
93d34a811b | |||
fe1088b239 | |||
646583d2aa | |||
ef47408716 | |||
aadd06696e | |||
19ca047ca1 | |||
7a94a4f790 | |||
b1820e8aea | |||
62b671125f | |||
c6de327c75 | |||
a2414374df | |||
4d18b83b81 | |||
6966e74fa6 | |||
d3692d298a | |||
22fbadfade | |||
91694926a7 | |||
e8892fa22a | |||
e3167d2370 | |||
1594910dd2 | |||
9a8e6b6291 | |||
84ed40827f | |||
b6dc54e192 | |||
9384099003 | |||
3dd13b051c | |||
aada4fd258 | |||
86a9bfd1cd | |||
612714efd6 | |||
845443720d | |||
e5a944afb8 | |||
ebbbbbc33c | |||
b096523f33 | |||
848f1a545a | |||
9e567aac0d | |||
767b4624d8 | |||
be4818bbb7 | |||
4a4089be7d | |||
fba72f86ef | |||
cddce8ed5b | |||
f5597e33c7 | |||
b54324d594 | |||
43d9ce9593 | |||
82cf626562 | |||
23f4d92e50 | |||
7861e27b6b | |||
2a3e7139fc | |||
c5b36d8ce2 | |||
b48e4a02c2 | |||
0cf1087754 | |||
4214515c6a | |||
acc8c0b920 | |||
5cde98f529 | |||
dde7c66b70 | |||
acf7bc72f0 | |||
302bdd77b2 | |||
cf3cd03a04 | |||
368dfad63f | |||
82eb531702 | |||
867f6a97ea | |||
db791c40c3 | |||
f65c3bb2b6 | |||
0582ccd81d | |||
16b79d9447 | |||
bc7e3294df | |||
68cdf5531e | |||
dbb62d28eb | |||
0bf3a2e727 | |||
362ffcdccc | |||
83e86b4b23 | |||
75a288c381 | |||
5e23e0fddd | |||
857d5f9f25 | |||
be59ac6eb6 | |||
491639f911 | |||
5e8a66dbf9 | |||
af1d0827c1 | |||
11470b3ddd | |||
f0d3933cd0 | |||
21394584fe | |||
eb0eacf99f | |||
94bee873e7 | |||
a567eda576 | |||
d6199e8db2 | |||
4154700932 | |||
279096ea11 | |||
9fed1b350f | |||
e45976ebf1 | |||
19c1d0d618 | |||
5e51ebcb9c | |||
3c8e5baa7b | |||
7cfc65d647 | |||
b0063fe8c4 | |||
9e94135f55 | |||
6abe2b9c4b | |||
fd8eb9cf19 | |||
fbe5c55308 | |||
9a0afa2aa4 | |||
877380899e | |||
93afdb3fe7 | |||
d85993b354 | |||
750b19f1e5 | |||
5f034598a9 | |||
6aea997c48 | |||
c05674b76b | |||
28d581634d | |||
5e8add9c86 | |||
338004fa0a | |||
a7b8662796 | |||
76e7901a2f | |||
4f604ba608 | |||
de94de0b2a | |||
4bc53661ad | |||
f1fdda6bdd | |||
6aaf58e8be | |||
ae41bd8a6e | |||
a894c9932b | |||
134cc34515 | |||
52a4fc077b | |||
5051f5b6f4 | |||
587565c0ed | |||
ba526c130b | |||
c7037694fa | |||
45d91c392d | |||
acba2f290f | |||
aa7119a6e4 | |||
b56314020a | |||
d67ed006ca | |||
d0d86351c1 | |||
1ee483d322 | |||
efb553e50b | |||
487976e388 | |||
7c8802e3bf | |||
7a67c2ddbf | |||
af2c995b76 | |||
1d32d2de95 | |||
17c3e2f311 | |||
be091afd25 | |||
1cb15bfbfe | |||
0eaa4c65d0 | |||
623737f4e2 | |||
0da719e372 | |||
a54a7a3807 | |||
b6636664d1 | |||
88179415ae | |||
4f2756bcd4 | |||
2ca0b5805f | |||
e906b8239d | |||
e6b1302167 | |||
3cfe1b6b51 | |||
26779c2d5c | |||
da23c6879b | |||
e3e3cbb0d3 | |||
a85c7b58b8 | |||
4ec7a417e7 | |||
ff154f7f58 | |||
f524d7c93c | |||
fdc61be74e | |||
988a983b8c | |||
ee886ae609 | |||
aaf63bb716 | |||
291aa1c4ec | |||
bdee54786f | |||
6004f08a5b | |||
0d937b46d9 | |||
054e3cc5cd | |||
d64ae18cdf | |||
bed7027b16 | |||
26bed655f3 | |||
11d9c918b8 | |||
bc7cdaae0a | |||
a4b7937be0 | |||
30c61a5131 | |||
a7a036ab0b | |||
91757ade12 | |||
2321112e59 | |||
2739362eaf | |||
5bb49b9b2b | |||
a2b84a5914 | |||
c48568327d | |||
24633e04c0 | |||
de8e418cb6 | |||
6f7374f445 | |||
211db49107 | |||
f7afa7927a | |||
811c28d44f | |||
8f1cee1106 | |||
d0f6ccd3bb | |||
e5710204df | |||
abfc90ee71 | |||
77f10a60c9 | |||
263b7c47ba | |||
0e56036c85 | |||
880986fa21 | |||
03b4824734 | |||
bd4040eb35 | |||
3cbdac6b6a | |||
d2924fc4a9 | |||
af4d3c34ef | |||
2c1431666e | |||
49510fb419 | |||
f4deff7e1e | |||
ab28afe658 | |||
d7b14ed2b0 | |||
669e188ce7 | |||
af7992cd09 | |||
b4d0507218 | |||
7138f54725 | |||
7dfa3bdf0b | |||
e8e99fd7d5 | |||
8207c5de1e | |||
4a0d8bf875 | |||
c2052b8feb | |||
e463573be6 | |||
8631b6c2fc | |||
81d728bb6c | |||
60aceeac62 | |||
34e5ef12a4 | |||
b8d4f143b9 | |||
cee1285f3d | |||
95cfc672e2 | |||
513cf1bbb1 | |||
9c93ad8976 | |||
63e711c2c3 | |||
8ac457f72b | |||
57bb6768ab | |||
599842790d | |||
da98956cdc | |||
5499875af7 | |||
f63fdf7a28 | |||
3f08f41958 | |||
9591062eed | |||
90426b40e8 | |||
9c30f066ca | |||
db2a61a6cf | |||
56b6c68bca | |||
f1daf0275b | |||
5af7fc6d99 | |||
0321ae9eeb | |||
1401cecaa5 | |||
86267fc773 | |||
7acfcd1b34 | |||
ff4634a861 | |||
1a0b44a9e5 | |||
e088c27d21 | |||
f4b5770ed4 | |||
cdf06378a8 | |||
c00a0789fb | |||
c4dd8c5e50 | |||
ec13ec0232 | |||
8e789d16fd | |||
ee3cca95df | |||
b92e3dd5fa | |||
9df1e73b6e | |||
02defccfef | |||
78ef057041 | |||
26fa673190 | |||
901865ab37 | |||
e1c79b090b | |||
bbe5741983 | |||
7ffe311fe5 | |||
91306f87d8 | |||
3d8596f950 | |||
ad0869cd40 | |||
a937e41e30 | |||
527894159f | |||
0cba34d6d6 | |||
b09dd52dcb | |||
7881f03754 | |||
dba7b0fc2e | |||
81386b8191 | |||
0859865755 | |||
838fb164ac | |||
7c251e675c | |||
5f3c6cd9c8 | |||
94a2f790c6 | |||
99acbbc5d3 | |||
cd5bc66550 | |||
e41726ee5b | |||
a1f51f1e77 | |||
72c8030da5 | |||
c529dd6cf6 | |||
db8eb8433d | |||
066cb4bd43 | |||
387177dfa2 | |||
ea811901eb | |||
fd9410268e | |||
27078dc58a | |||
a8e13105a6 | |||
0dc9e9d995 | |||
d6f3c9f906 | |||
d767469276 | |||
82ac44f14a | |||
7716de730c | |||
dd15364e56 | |||
6ca98137c9 | |||
ae1f77ed91 | |||
cc8b820d40 | |||
e18157c781 | |||
22b01e4dec | |||
01106d50c1 | |||
0d7ce8a6dc | |||
c493518734 | |||
462665a0ff | |||
5e0cdd9827 | |||
6aa9f4f1f3 | |||
2fce4e6a83 | |||
be4c9e7f5d | |||
57dea66be1 | |||
a531791fe0 | |||
99c2322b79 | |||
e4ea809eec | |||
eca6f4629c | |||
9dead41017 | |||
5153127e94 | |||
4a95832ce0 | |||
86c0e61980 | |||
e832ce628e | |||
1809a345e0 | |||
5ab13693b7 | |||
f1ee1c772b | |||
2fd503eaee | |||
a2c7b41aa1 | |||
dd08d112a2 | |||
32aa1bcd2c | |||
16c021cdff | |||
2c03e31091 | |||
6e60039bab | |||
4368928006 | |||
bad8694e7f | |||
24ced22e2b | |||
6792a074c8 | |||
1f7dc0a7f8 | |||
ee57a0a797 | |||
fce7576805 | |||
e44d722c5c | |||
d88f13a4d4 | |||
bffdab85d8 | |||
a475cafc88 | |||
c4c989631f | |||
81208da565 | |||
2edfe58948 | |||
9f717b7e0f | |||
6098464afd | |||
e52b35c6c2 | |||
9759aadfeb | |||
79c3af00bd | |||
cf3d710e2c | |||
7043d0b6cd | |||
e2e3f74bd8 | |||
5f02f1c21e | |||
5e61751680 | |||
fc30f7b350 | |||
adf4a50e55 | |||
34c0f6743f | |||
0f71bf9abd | |||
ed91d2668d | |||
04d2ba4df1 | |||
097501d8e4 | |||
41fb0100d7 | |||
d55ed1aeb2 | |||
a3385c6419 | |||
4c2c77f9bf | |||
7193cadc47 | |||
1c60618d7b | |||
37b1b4db6d | |||
c4da3a4360 | |||
ebf66d900a | |||
88ed3f7e7b | |||
60d80ffa79 | |||
828a596da3 | |||
d887bbf7d1 | |||
3594a73baf | |||
e4a027e21d | |||
fdb61f492a | |||
73596fbb49 | |||
691d2f9c2b | |||
aa44034ce9 | |||
d5f22691f1 | |||
31fe2100ac | |||
eff524a525 | |||
8dcb645d6a | |||
06600d8db3 | |||
4d17ba2460 | |||
78e19f8108 | |||
f812ec56b6 | |||
40fe789509 | |||
94f9b7fb96 | |||
43c2e6a55c | |||
a1edec07ed | |||
2a8c569ce9 | |||
7788ef96d5 | |||
63904c0b90 | |||
12ae9b0780 | |||
33eefa1fdc | |||
4837708c6b | |||
a55a9d5329 | |||
1d2b3b3572 | |||
ea7d0df02f | |||
84d0d70c1f | |||
b5e63b869b | |||
5aa37d3bdf | |||
b482321b54 | |||
30f124dea8 | |||
7468f2b7e0 | |||
f1d8aeb798 | |||
05d9a06e29 | |||
c60a65c465 | |||
39d5378973 | |||
9691bf327d | |||
c404ea7a55 | |||
a69ec7233b | |||
fb84fc14b2 | |||
cef13e14a4 | |||
eb0b46c2ca | |||
782d76e824 | |||
35d9e1a1d7 | |||
28718bb815 | |||
1075581494 | |||
e286e7e88f | |||
7d18bad55f | |||
7a6fec344f | |||
8c361dc14d | |||
ff70542f7a | |||
db67f1cfb5 | |||
dd0a492f55 | |||
66f10678fc | |||
544df1814f | |||
5e1cfde4e0 | |||
416ee6ec5d | |||
09f6d14e13 | |||
bb04ed4812 | |||
96553547d7 | |||
611371a6dd | |||
3341360a4d | |||
f9bdb3ea45 | |||
ef0ef790a1 | |||
cbffaf9183 | |||
3d0baf5c57 | |||
ce0d6be9aa | |||
9e10841dbc | |||
8e41655158 | |||
3ff5ac97c2 | |||
8319925a7e | |||
7399c39c04 | |||
b01e64f404 | |||
44a7d70864 | |||
59ab555ad3 | |||
826161535e | |||
106ef8ff12 | |||
a7ab50f161 | |||
d1fcc8f1a2 | |||
4ab042f9f1 | |||
b46dfdd73c | |||
3c73df68b3 | |||
b23d2c25f6 | |||
0c2443d064 | |||
53ec245e74 | |||
1ac81bfc7f | |||
25bfad64cb | |||
cee7c438e0 | |||
c0ec508f86 | |||
fc1fa644aa | |||
08d7d50ed9 | |||
66c444717f | |||
d903517e2a | |||
d6859bf689 | |||
d93afbcd92 | |||
ffada4bcab | |||
6826e5d5d7 | |||
168094c027 | |||
fa502b33db | |||
55cf6ed705 | |||
d3e601701a | |||
34ab7c09de | |||
e5346e2ec6 | |||
3472f9689a | |||
ce1f7c5b08 | |||
db2f65711c | |||
4a48893d7a | |||
450ac27a67 | |||
159d198407 | |||
15b67972c4 | |||
6995f60582 | |||
723435aa15 | |||
ca2a5db255 | |||
f110b83a23 | |||
806b86b233 | |||
738f039155 | |||
beb97dafee | |||
24c1c9462d | |||
c26261865e | |||
0253ac813d | |||
357f836592 | |||
a8de7ab7b0 | |||
1872415ea0 | |||
4e224c70af | |||
dff47edb2f | |||
04cbd1d372 | |||
7c6a2a4202 | |||
91032819a6 | |||
b006d61320 | |||
4ad48507be | |||
d1e634dc0b | |||
51ea447c3b | |||
e3407ffcad | |||
b9ff13b949 | |||
495b2c34e7 | |||
3c67c1a8c3 | |||
abddb24f66 | |||
143aeac199 | |||
d3310b7f38 | |||
15a9eae30f | |||
d3490f9ddc | |||
165ff2a9b0 | |||
e1e6f693d9 | |||
bc69e26911 | |||
e8743cd04c | |||
7fc0a26923 | |||
7fa4cb2fd5 | |||
b91b5cef47 | |||
11417e8c0f | |||
32bbd58eb4 | |||
1ae8b2083a | |||
dad46cae84 | |||
045d2f3095 | |||
126bd94cc3 | |||
4dbcc5517c | |||
6644ff9954 | |||
254fe8aa5f | |||
454274fbc8 | |||
f5775487f4 | |||
fdf918517d | |||
6bb70e4cfd | |||
e75727896d | |||
c8141ae442 | |||
e22c48b8fb | |||
7aadf8d0a5 | |||
dec0f4c86c | |||
6cbf60a728 | |||
19e17535be | |||
af75461454 | |||
733f05eccf | |||
aae1f28c84 | |||
5775937c46 | |||
71cc11f56c | |||
e2d20689a9 | |||
4eb6f072d5 | |||
a18143fdfc | |||
21e25b4134 | |||
9e43fe3fdd | |||
cc3643a323 | |||
ebbc7a1e83 | |||
ea3baef4a9 | |||
740e725f4e | |||
939b78eb1d | |||
581e72d35b | |||
ee559917f8 | |||
f9617c0df3 | |||
ac5e7485e8 | |||
d9382c2373 | |||
e4bfce1c60 | |||
7d879d7a5b | |||
092669cef9 | |||
eb74e0d027 | |||
d766c6ae21 | |||
443b9d99bd | |||
e6021cba90 | |||
f1085d5f39 | |||
f98c4196d4 | |||
a99c18b3ae | |||
d691bb8de7 | |||
9dd9bbf1de | |||
eb05484b71 | |||
57a707684d | |||
f799abc2a8 | |||
5ac8a712ba | |||
84b5f5f139 | |||
9e126bd52e | |||
aa35771649 | |||
49928191b8 | |||
9ee9ad6a4e | |||
ff038bcf37 | |||
19ca96b78e | |||
9c77dc55cd | |||
74d8d5b6d9 | |||
e21aa0faa9 | |||
acaf0c47d3 | |||
f0d975a1ac | |||
8346a566bd | |||
b81d0113ad | |||
749fd68860 | |||
ae0be25860 | |||
db03b996a9 | |||
02a039b199 | |||
f846672628 | |||
c0d67a970c | |||
3453328f87 | |||
83d2db71b3 | |||
2871b96407 | |||
431640d7fe | |||
0d825891da | |||
e3c635fdc5 | |||
3251d8240b | |||
d439c2084c | |||
2651c3efff | |||
2f17e3f3bd | |||
fb9ca1f9b0 | |||
ad7fc04320 | |||
0c6deac2c6 | |||
d9ff973a55 | |||
a8edf29bcb | |||
cfa37e2abd | |||
60cbc8a66c | |||
2e2da1768f | |||
bce0eb418b | |||
d192d02fbb | |||
ff56d9dc0d | |||
20671fc186 | |||
898483ce18 | |||
09f310115f | |||
d04e641038 | |||
4805fffc38 | |||
2115c02c35 | |||
07aac639bd | |||
c71fefa958 | |||
534cb0b7f3 | |||
608e4242f3 | |||
904f677095 | |||
1a4b97d104 | |||
2bc82c3376 | |||
0639fe6f7a | |||
1d7a19573c | |||
b6f54c5b9a | |||
6c29889443 | |||
a4c2af9903 | |||
6878fd39ac | |||
f4b6dc2a8e | |||
959bb7cee7 | |||
193fbec4e2 | |||
e6705d15a7 | |||
78029ea910 | |||
88e98fb833 | |||
69a47db688 | |||
64b8ce71d8 | |||
eb02ba4634 | |||
53569920bb | |||
0e727d7b1b | |||
b7dc417177 | |||
6ef4308e32 | |||
602c11dfa7 | |||
ac137f34e7 | |||
22057aae93 | |||
51bb105937 | |||
62ad3fbc4b | |||
997233bec6 | |||
5d64fcc03c | |||
053a3fbff0 | |||
92d5d2976e | |||
68119b054c | |||
eb5d4f104c | |||
cdc5581d70 | |||
eeea43e3a2 | |||
e2c786ee10 | |||
4d55562e4d | |||
519169e5a5 | |||
d1f5525420 | |||
7e9be2cfc7 | |||
40204291bd | |||
fb3d5c55f4 | |||
50ec476372 | |||
b905ed5d0b | |||
f6581a53e5 | |||
a89f1de395 | |||
4f3e5da071 | |||
6d6659a6fb | |||
1cbbe84cd0 | |||
21210cab43 | |||
2d3c9f4652 | |||
a151d3d658 | |||
ee4ceb505d | |||
29c6ebf86f | |||
251ce90154 | |||
afa49ce87d | |||
0c6f9c2136 | |||
072163eaa7 | |||
926583acc4 | |||
9bfbc9ceab | |||
aa0af4aade | |||
ea08873634 | |||
0ef05b912c | |||
4b92888e41 | |||
37499fa72b | |||
16e61a4fb4 | |||
4f8c537458 | |||
2bb8531dbd | |||
6d17eef027 | |||
853a0762a4 | |||
ed7eae27a7 | |||
4d5399bf47 | |||
33b3aaef29 |
530 changed files with 16000 additions and 9791 deletions
|
@ -1,9 +0,0 @@
|
|||
---
|
||||
skip_list:
|
||||
- yaml[line-length]
|
||||
- var-naming
|
||||
warn_list:
|
||||
- command-instead-of-shell
|
||||
- deprecated-command-syntax
|
||||
- experimental
|
||||
- no-changed-when
|
|
@ -1,52 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://taskfile.dev/schema.json
|
||||
version: "3"
|
||||
|
||||
vars:
|
||||
PYTHON_BIN: python3
|
||||
|
||||
env:
|
||||
PATH: "{{.ROOT_DIR}}/.venv/bin:$PATH"
|
||||
VIRTUAL_ENV: "{{.ROOT_DIR}}/.venv"
|
||||
ANSIBLE_COLLECTIONS_PATH: "{{.ROOT_DIR}}/.venv/galaxy"
|
||||
ANSIBLE_ROLES_PATH: "{{.ROOT_DIR}}/.venv/galaxy/ansible_roles"
|
||||
ANSIBLE_VARS_ENABLED: "host_group_vars,community.sops.sops"
|
||||
|
||||
tasks:
|
||||
|
||||
deps:
|
||||
desc: Set up Ansible dependencies for the environment
|
||||
cmds:
|
||||
- task: .venv
|
||||
|
||||
run:
|
||||
desc: Run an Ansible playbook for configuring a cluster
|
||||
summary: |
|
||||
Args:
|
||||
cluster: Cluster to run command against (required)
|
||||
playbook: Playbook to run (required)
|
||||
prompt: Run Ansible playbook '{{.playbook}}' against the '{{.cluster}}' cluster... continue?
|
||||
deps: ["deps"]
|
||||
cmd: |
|
||||
.venv/bin/ansible-playbook \
|
||||
--inventory {{.ANSIBLE_DIR}}/{{.cluster}}/inventory/hosts.yaml \
|
||||
{{.ANSIBLE_DIR}}/{{.cluster}}/playbooks/{{.playbook}}.yaml {{.CLI_ARGS}}
|
||||
preconditions:
|
||||
- { msg: "Argument (cluster) is required", sh: "test -n {{.cluster}}" }
|
||||
- { msg: "Argument (playbook) is required", sh: "test -n {{.playbook}}" }
|
||||
- { msg: "Venv not found", sh: "test -d {{.ROOT_DIR}}/.venv" }
|
||||
- { msg: "Inventory not found", sh: "test -f {{.ANSIBLE_DIR}}/{{.cluster}}/inventory/hosts.yaml" }
|
||||
- { msg: "Playbook not found", sh: "test -f {{.ANSIBLE_DIR}}/{{.cluster}}/playbooks/{{.playbook}}.yaml" }
|
||||
|
||||
.venv:
|
||||
internal: true
|
||||
cmds:
|
||||
- true && {{.PYTHON_BIN}} -m venv {{.ROOT_DIR}}/.venv
|
||||
- .venv/bin/python3 -m pip install --upgrade pip setuptools wheel
|
||||
- .venv/bin/python3 -m pip install --upgrade --requirement {{.ANSIBLE_DIR}}/requirements.txt
|
||||
- .venv/bin/ansible-galaxy install --role-file "{{.ANSIBLE_DIR}}/requirements.yaml" --force
|
||||
sources:
|
||||
- "{{.ANSIBLE_DIR}}/requirements.txt"
|
||||
- "{{.ANSIBLE_DIR}}/requirements.yaml"
|
||||
generates:
|
||||
- "{{.ROOT_DIR}}/.venv/pyvenv.cfg"
|
|
@ -1,104 +0,0 @@
|
|||
---
|
||||
version: "3"
|
||||
|
||||
x-task-vars: &task-vars
|
||||
node: "{{.node}}"
|
||||
ceph_disk: "{{.ceph_disk}}"
|
||||
ts: "{{.ts}}"
|
||||
jobName: "{{.jobName}}"
|
||||
|
||||
vars:
|
||||
waitForJobScript: "../_scripts/wait-for-k8s-job.sh"
|
||||
ts: '{{now | date "150405"}}'
|
||||
|
||||
tasks:
|
||||
wipe-node-aule:
|
||||
desc: Trigger a wipe of Rook-Ceph data on node "aule"
|
||||
cmds:
|
||||
- task: wipe-disk
|
||||
vars:
|
||||
node: "{{.node}}"
|
||||
ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460833"
|
||||
- task: wipe-data
|
||||
vars:
|
||||
node: "{{.node}}"
|
||||
vars:
|
||||
node: aule
|
||||
|
||||
wipe-node-orome:
|
||||
desc: Trigger a wipe of Rook-Ceph data on node "orome"
|
||||
cmds:
|
||||
- task: wipe-disk
|
||||
vars:
|
||||
node: "{{.node}}"
|
||||
ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37645333"
|
||||
- task: wipe-data
|
||||
vars:
|
||||
node: "{{.node}}"
|
||||
vars:
|
||||
node: orome
|
||||
|
||||
wipe-node-eonwe:
|
||||
desc: Trigger a wipe of Rook-Ceph data on node "eonwe"
|
||||
cmds:
|
||||
- task: wipe-disk
|
||||
vars:
|
||||
node: "{{.node}}"
|
||||
ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460887"
|
||||
- task: wipe-data
|
||||
vars:
|
||||
node: "{{.node}}"
|
||||
vars:
|
||||
node: eonwe
|
||||
|
||||
wipe-node-arlen:
|
||||
desc: Trigger a wipe of Rook-Ceph data on node "arlen"
|
||||
cmds:
|
||||
- task: wipe-disk
|
||||
vars:
|
||||
node: "{{.node}}"
|
||||
ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460897"
|
||||
- task: wipe-data
|
||||
vars:
|
||||
node: "{{.node}}"
|
||||
vars:
|
||||
node: arlen
|
||||
|
||||
wipe-disk:
|
||||
desc: Wipe all remnants of rook-ceph from a given disk (ex. task rook:wipe-disk node=aule ceph_disk="/dev/nvme0n1")
|
||||
silent: true
|
||||
internal: true
|
||||
cmds:
|
||||
- envsubst < <(cat {{.wipeRookDiskJobTemplate}}) | kubectl apply -f -
|
||||
- bash {{.waitForJobScript}} {{.wipeCephDiskJobName}} default
|
||||
- kubectl -n default wait job/{{.wipeCephDiskJobName}} --for condition=complete --timeout=1m
|
||||
- kubectl -n default logs job/{{.wipeCephDiskJobName}} --container list
|
||||
- kubectl -n default delete job {{.wipeCephDiskJobName}}
|
||||
vars:
|
||||
node: '{{ or .node (fail "`node` is required") }}'
|
||||
ceph_disk: '{{ or .ceph_disk (fail "`ceph_disk` is required") }}'
|
||||
jobName: 'wipe-disk-{{- .node -}}-{{- .ceph_disk | replace "/" "-" -}}-{{- .ts -}}'
|
||||
wipeRookDiskJobTemplate: "WipeDiskJob.tmpl.yaml"
|
||||
env: *task-vars
|
||||
preconditions:
|
||||
- sh: test -f {{.waitForJobScript}}
|
||||
- sh: test -f {{.wipeRookDiskJobTemplate}}
|
||||
|
||||
wipe-data:
|
||||
desc: Wipe all remnants of rook-ceph from a given disk (ex. task rook:wipe-data node=aule)
|
||||
silent: true
|
||||
internal: true
|
||||
cmds:
|
||||
- envsubst < <(cat {{.wipeRookDataJobTemplate}}) | kubectl apply -f -
|
||||
- bash {{.waitForJobScript}} {{.wipeRookDataJobName}} default
|
||||
- kubectl -n default wait job/{{.wipeRookDataJobName}} --for condition=complete --timeout=1m
|
||||
- kubectl -n default logs job/{{.wipeRookDataJobName}} --container list
|
||||
- kubectl -n default delete job {{.wipeRookDataJobName}}
|
||||
vars:
|
||||
node: '{{ or .node (fail "`node` is required") }}'
|
||||
jobName: "wipe-rook-data-{{- .node -}}-{{- .ts -}}"
|
||||
wipeRookDataJobTemplate: "WipeRookDataJob.tmpl.yaml"
|
||||
env: *task-vars
|
||||
preconditions:
|
||||
- sh: test -f {{.waitForJobScript}}
|
||||
- sh: test -f {{.wipeRookDataJobTemplate}}
|
|
@ -1,26 +0,0 @@
|
|||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: "${jobName}"
|
||||
namespace: "default"
|
||||
spec:
|
||||
ttlSecondsAfterFinished: 3600
|
||||
template:
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
restartPolicy: Never
|
||||
nodeName: ${node}
|
||||
containers:
|
||||
- name: disk-wipe
|
||||
image: docker.io/library/alpine:3.20.0
|
||||
securityContext:
|
||||
privileged: true
|
||||
resources: {}
|
||||
command: ["/bin/sh", "-c"]
|
||||
args:
|
||||
- apk add --no-cache sgdisk util-linux parted;
|
||||
sgdisk --zap-all ${ceph_disk};
|
||||
blkdiscard ${ceph_disk};
|
||||
dd if=/dev/zero bs=1M count=10000 oflag=direct of=${ceph_disk};
|
||||
partprobe ${ceph_disk};
|
|
@ -1,29 +0,0 @@
|
|||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: "${jobName}"
|
||||
namespace: "default"
|
||||
spec:
|
||||
ttlSecondsAfterFinished: 3600
|
||||
template:
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
restartPolicy: Never
|
||||
nodeName: ${node}
|
||||
containers:
|
||||
- name: disk-wipe
|
||||
image: docker.io/library/alpine:3.20.0
|
||||
securityContext:
|
||||
privileged: true
|
||||
resources: {}
|
||||
command: ["/bin/sh", "-c"]
|
||||
args:
|
||||
- rm -rf /mnt/host_var/lib/rook
|
||||
volumeMounts:
|
||||
- mountPath: /mnt/host_var
|
||||
name: host-var
|
||||
volumes:
|
||||
- name: host-var
|
||||
hostPath:
|
||||
path: /var
|
|
@ -1,19 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: my-pod
|
||||
spec:
|
||||
containers:
|
||||
- name: disk-wipe
|
||||
image: docker.io/library/alpine:3.20.0
|
||||
securityContext:
|
||||
privileged: true
|
||||
resources: {}
|
||||
command: ["/bin/sh", "-c"]
|
||||
args:
|
||||
- apk add --no-cache sgdisk util-linux parted e2fsprogs;
|
||||
sgdisk --zap-all /dev/nvme1n1;
|
||||
blkdiscard /dev/nvme1n1;
|
||||
dd if=/dev/zero bs=1M count=10000 oflag=direct of=/dev/nvme1n1;
|
||||
sgdisk /dev/nvme1n1
|
||||
partprobe /dev/nvme1n1;
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
|
@ -9,7 +9,7 @@ spec:
|
|||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.3.2
|
||||
version: 3.5.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
|
@ -38,7 +38,6 @@ spec:
|
|||
tag: v0.0.1
|
||||
resources:
|
||||
requests:
|
||||
nvidia.com/gpu: 1 # requesting 1 GPU
|
||||
cpu: 500m
|
||||
memory: 2Gi
|
||||
limits:
|
|
@ -14,12 +14,12 @@ spec:
|
|||
- name: nvidia-device-plugin
|
||||
- name: node-feature-discovery
|
||||
- name: volsync
|
||||
- name: openebs
|
||||
- name: rook-ceph-cluster
|
||||
path: ./kubernetes/apps/ai/stable-diffusion/comfyui
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: homelab
|
||||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
|
@ -28,6 +28,4 @@ spec:
|
|||
substitute:
|
||||
APP: *app
|
||||
VOLSYNC_CAPACITY: 5Gi
|
||||
VOLSYNC_STORAGECLASS: openebs-zfs
|
||||
VOLSYNC_SNAPSHOTCLASS: openebs-zfs
|
||||
GATUS_SUBDOMAIN: comfyui
|
20
.archive/default/nicehash/app/externalsecret.yaml
Normal file
|
@ -0,0 +1,20 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: nicehash
|
||||
spec:
|
||||
refreshInterval: 1m
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: onepassword-connect
|
||||
target:
|
||||
name: nicehash-secret
|
||||
template:
|
||||
type: Opaque
|
||||
data:
|
||||
MINING_ADDRESS: "{{ .MINING_ADDRESS }}"
|
||||
dataFrom:
|
||||
- extract:
|
||||
key: nicehash
|
72
.archive/default/nicehash/app/helmrelease.yaml
Normal file
|
@ -0,0 +1,72 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: nicehash
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.5.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
strategy: rollback
|
||||
retries: 3
|
||||
values:
|
||||
controllers:
|
||||
nicehash:
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: docker.io/dockerhubnh/nicehash
|
||||
tag: latest
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: nicehash-secret
|
||||
env:
|
||||
TZ: America/Chicago
|
||||
MINING_WORKER_NAME: shadowfax
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities: { drop: ["ALL"] }
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
limits:
|
||||
nvidia.com/gpu: 1 # requesting 1 GPU
|
||||
memory: 10Gi
|
||||
defaultPodOptions:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
fsGroup: 568
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
seccompProfile: { type: RuntimeDefault }
|
||||
nodeSelector:
|
||||
nvidia.com/gpu.present: "true"
|
||||
runtimeClassName: nvidia
|
||||
persistence:
|
||||
logs:
|
||||
type: emptyDir
|
||||
globalMounts:
|
||||
- path: /var/log/
|
||||
tmp:
|
||||
type: emptyDir
|
||||
cache:
|
||||
existingClaim: nicehash
|
||||
globalMounts:
|
||||
- path: /var/cache/nhm4/
|
|
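Review bot: The app container in this HelmRelease is deployed from an unpinned mutable tag (`repository: docker.io/dockerhubnh/nicehash` / `tag: latest`), so the code that actually runs can change without any change in git, and the `reloader.stakater.com/auto` annotation only reacts to secret/configmap edits, not to image drift. The piped HelmRelease added in the same commit pins `latest@sha256:…`; do the same here, `tag: latest@sha256:<DIGEST_PLACEHOLDER>`, so Flux deploys a known artifact and the digest is reviewable in the diff. This matters more than usual because the pod runs with `runtimeClassName: nvidia` and a GPU attached, so an upstream image change would execute on that hardware unreviewed. No `imagePullPolicy` is set here; with a `latest` tag Kubernetes defaults it to Always, so every rollout pulls whatever the tag currently points at.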
@ -3,24 +3,23 @@
|
|||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &app matter-server
|
||||
name: &app nicehash
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: home-automation
|
||||
targetNamespace: default
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *app
|
||||
dependsOn:
|
||||
- name: openebs-system
|
||||
- name: volsync
|
||||
path: ./kubernetes/apps/home-automation/matter-server/app
|
||||
- name: external-secrets-stores
|
||||
- name: rook-ceph-cluster
|
||||
path: ./kubernetes/apps/default/nicehash/app
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: homelab
|
||||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
34
.archive/default/piped/app/externalsecret.yaml
Normal file
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: piped
|
||||
spec:
|
||||
refreshInterval: 1m
|
||||
secretStoreRef:
|
||||
name: crunchy-pgo-secrets
|
||||
kind: ClusterSecretStore
|
||||
target:
|
||||
name: piped-secret
|
||||
template:
|
||||
type: Opaque
|
||||
data:
|
||||
config.properties: |
|
||||
API_URL: https://piped-api.hsn.dev
|
||||
COMPROMISED_PASSWORD_CHECK: true
|
||||
DISABLE_REGISTRATION: true
|
||||
FEED_RETENTION: 30
|
||||
FRONTEND_URL: https://piped.hsn.dev
|
||||
HTTP_WORKERS: 4
|
||||
MATRIX_SERVER: https://element.infosec.exchange
|
||||
PORT: 8080
|
||||
PROXY_PART: https://piped-proxy.jahanson.tech
|
||||
SENTRY_DSN:
|
||||
hibernate.connection.driver_class: org.postgresql.Driver
|
||||
hibernate.connection.url: jdbc:postgresql://{{ index . "host" }}:5432/{{ index . "dbname" }}
|
||||
hibernate.connection.username: {{ index . "user" }}
|
||||
hibernate.connection.password: {{ index . "password" }}
|
||||
dataFrom:
|
||||
- extract:
|
||||
key: postgres-pguser-piped
|
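Review bot: The rendered `hibernate.connection.url: jdbc:postgresql://{{ index . "host" }}:5432/{{ index . "dbname" }}` carries no `sslmode`, so whether the backend-to-Postgres connection is encrypted depends on the JDBC driver default and on what the Crunchy PGO cluster's pg_hba enforces, not on this config. If TLS is intended, make it explicit, `hibernate.connection.url: jdbc:postgresql://{{ index . "host" }}:5432/{{ index . "dbname" }}?sslmode=require` (or `verify-full` with the cluster CA mounted into the pod). Separately, `config.properties` is a Java properties file, so a generated `{{ index . "password" }}` containing `\`, `=`, `:` or leading whitespace would be mis-parsed; either constrain the PGO password alphabet or escape the value in the template. `SENTRY_DSN:` is left empty, presumably on purpose, but a trailing `# intentionally unset` comment (or dropping the key) would make that explicit.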
182
.archive/default/piped/app/helmrelease.yaml
Normal file
|
@ -0,0 +1,182 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: piped
|
||||
spec:
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.5.1
|
||||
interval: 30m
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
interval: 30m
|
||||
values:
|
||||
defaultPodOptions:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "OnRootMismatch"
|
||||
|
||||
controllers:
|
||||
backend:
|
||||
strategy: RollingUpdate
|
||||
annotations:
|
||||
secret.reloader.stakater.com/reload: piped-secret
|
||||
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: 1337kavin/piped
|
||||
tag: latest@sha256:18e77857414236edc7245bebb3fb8ab3ac49c44bd76701bfce24f6ba0170d4b8
|
||||
probes:
|
||||
liveness:
|
||||
enabled: true
|
||||
readiness:
|
||||
enabled: true
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 500Mi
|
||||
limits:
|
||||
memory: 2000Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
frontend:
|
||||
strategy: RollingUpdate
|
||||
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: ghcr.io/bjw-s-labs/piped-frontend
|
||||
tag: 2024.11.4@sha256:0e413986606f39cdc6afa0379feca912d4a4abbdcbe67b408c9fbe19fbabd10f
|
||||
env:
|
||||
BACKEND_HOSTNAME: piped-api.hsn.dev
|
||||
probes:
|
||||
liveness:
|
||||
enabled: true
|
||||
readiness:
|
||||
enabled: true
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 32Mi
|
||||
limits:
|
||||
memory: 256Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
|
||||
ytproxy:
|
||||
strategy: RollingUpdate
|
||||
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: 1337kavin/piped-proxy
|
||||
tag: latest@sha256:ab9e472107337886d71b0151b6e777fc4cba0dd8251a21d4788a7a7f165f545a
|
||||
command:
|
||||
- /app/piped-proxy
|
||||
probes:
|
||||
liveness:
|
||||
enabled: true
|
||||
readiness:
|
||||
enabled: true
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 500Mi
|
||||
limits:
|
||||
memory: 2000Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
service:
|
||||
backend:
|
||||
controller: backend
|
||||
ports:
|
||||
http:
|
||||
port: 8080
|
||||
frontend:
|
||||
controller: frontend
|
||||
ports:
|
||||
http:
|
||||
port: 8080
|
||||
ytproxy:
|
||||
controller: ytproxy
|
||||
ports:
|
||||
http:
|
||||
port: 8080
|
||||
|
||||
ingress:
|
||||
backend:
|
||||
className: "external-nginx"
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/target: external.hsn.dev
|
||||
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
|
||||
nginx.ingress.kubernetes.io/enable-cors: "true"
|
||||
nginx.ingress.kubernetes.io/cors-allow-origin: "https://piped.hsn.dev, https://piped-api.hsn.dev, https://piped-proxy.jahanson.tech"
|
||||
hosts:
|
||||
- host: piped-api.hsn.dev
|
||||
paths:
|
||||
- path: /
|
||||
service:
|
||||
identifier: backend
|
||||
port: http
|
||||
frontend:
|
||||
className: "external-nginx"
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/target: external.hsn.dev
|
||||
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
|
||||
nginx.ingress.kubernetes.io/enable-cors: "true"
|
||||
nginx.ingress.kubernetes.io/cors-allow-origin: "https://piped.hsn.dev, https://piped-api.hsn.dev, https://piped-proxy.jahanson.tech"
|
||||
hosts:
|
||||
- host: piped.hsn.dev
|
||||
paths:
|
||||
- path: /
|
||||
service:
|
||||
identifier: frontend
|
||||
port: http
|
||||
ytproxy:
|
||||
className: "internal-nginx"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/enable-cors: "true"
|
||||
nginx.ingress.kubernetes.io/cors-allow-origin: "https://piped.hsn.dev, https://piped-api.hsn.dev, https://piped-proxy.jahanson.tech"
|
||||
hosts:
|
||||
- host: piped-proxy.jahanson.tech
|
||||
paths:
|
||||
- path: /
|
||||
service:
|
||||
identifier: ytproxy
|
||||
port: http
|
||||
|
||||
persistence:
|
||||
config:
|
||||
type: secret
|
||||
name: piped-secret
|
||||
advancedMounts:
|
||||
backend:
|
||||
app:
|
||||
- path: /app/config.properties
|
||||
subPath: config.properties
|
||||
readOnly: true
|
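Review bot: The `backend` and `ytproxy` container `securityContext` blocks (the two ending in `seccompProfile: type: RuntimeDefault`) do not set `readOnlyRootFilesystem: true`, although the `frontend` container does, and the pod-level `defaultPodOptions.securityContext` sets `runAsUser: 1000` without `runAsNonRoot: true`, so the kubelet never enforces the non-root requirement if an image later changes its default user. Both are one-line additions: `readOnlyRootFilesystem: true` under each of those two container `securityContext` blocks (plus an `emptyDir` mount for any path the binaries write, which cannot be told from the manifest alone), and `runAsNonRoot: true` beside `runAsUser: 1000`. The frontend container is in turn the only one without a `seccompProfile`; adding `type: RuntimeDefault` there makes the three consistent. The `latest@sha256:…` tags on the backend and proxy are digest-pinned and therefore reproducible, but a comment such as `# pinned by digest; the latest label carries no version information` would stop a later reader from reading them as floating tags.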
@ -3,26 +3,21 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &app jellyseerr
|
||||
name: &appname piped
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: default
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *app
|
||||
app.kubernetes.io/name: *appname
|
||||
interval: 10m
|
||||
path: "./kubernetes/apps/default/jellyseerr/app"
|
||||
path: "./kubernetes/apps/default/piped/app"
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: homelab
|
||||
name: theshire
|
||||
wait: false
|
||||
dependsOn:
|
||||
- name: openebs
|
||||
- name: crunchy-postgres-operator
|
||||
- name: external-secrets-stores
|
||||
- name: volsync
|
||||
postBuild:
|
||||
substitute:
|
||||
APP: *app
|
||||
VOLSYNC_CAPACITY: 1Gi
|
||||
- name: crunchy-postgres-operator-cluster
|
||||
- name: crunchy-postgres-operator-secretstore
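Review bot: The anchor is renamed from `&app` to `&appname` on `name: &appname piped` and `app.kubernetes.io/name: *appname`, yet `APP: *app` under `postBuild.substitute` still references the old anchor; the rendered view does not show which side that line is on, and if it survives on the new side the document no longer parses because `*app` is an undefined alias. Either drop the `postBuild` block along with the other removed lines or change it to `APP: *appname`. The hunk begins at file line 3, so the document header and the schema comment are outside it.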
@ -1,23 +0,0 @@
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &app jellyfin
|
||||
namespace: flux-system
|
||||
spec:
|
||||
dependsOn:
|
||||
- name: external-secrets-stores
|
||||
path: ./kubernetes/apps/default/jellyfin/app
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: homelab
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
APP: *app
|
||||
VOLSYNC_CAPACITY: 10Gi
@ -1,26 +0,0 @@
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: home-assistant
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: onepassword-connect
|
||||
target:
|
||||
name: home-assistant-secret
|
||||
creationPolicy: Owner
|
||||
template:
|
||||
engineVersion: v2
|
||||
data:
|
||||
HASS_ELEVATION: "{{ .hass_elevation }}"
|
||||
HASS_LATITUDE: "{{ .hass_latitude }}"
|
||||
HASS_LONGITUDE: "{{ .hass_longitude }}"
|
||||
dataFrom:
|
||||
- extract:
|
||||
key: home-assistant
|
||||
rewrite:
|
||||
- regexp:
|
||||
source: "(.*)"
|
||||
target: "hass_$1"
@ -1,90 +0,0 @@
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: home-assistant
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.1.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
strategy: rollback
|
||||
retries: 3
|
||||
values:
|
||||
controllers:
|
||||
home-assistant:
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
pod:
|
||||
annotations:
|
||||
k8s.v1.cni.cncf.io/networks: |
|
||||
[{
|
||||
"name":"multus-iot",
|
||||
"namespace": "kube-system",
|
||||
"ips": ["10.1.3.151/24"]
|
||||
}]
|
||||
securityContext:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
runAsNonRoot: true
|
||||
fsGroup: 568
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: ghcr.io/home-assistant/home-assistant
|
||||
tag: 2024.5.5
|
||||
env:
|
||||
TZ: America/Chicago
|
||||
HASS_HTTP_TRUSTED_PROXY_1: 10.244.0.0/16
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: home-assistant-secret
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
limits:
|
||||
memory: 1Gi
|
||||
service:
|
||||
app:
|
||||
controller: home-assistant
|
||||
ports:
|
||||
http:
|
||||
port: 8123
|
||||
ingress:
|
||||
app:
|
||||
className: internal-nginx
|
||||
hosts:
|
||||
- host: &host hass.jahanson.tech
|
||||
paths:
|
||||
- path: /
|
||||
service:
|
||||
identifier: app
|
||||
port: http
|
||||
tls:
|
||||
- hosts: [*host]
|
||||
persistence:
|
||||
config:
|
||||
existingClaim: home-assistant
|
||||
logs:
|
||||
type: emptyDir
|
||||
globalMounts:
|
||||
- path: /config/logs
|
||||
tts:
|
||||
type: emptyDir
|
||||
globalMounts:
|
||||
- path: /config/tts
|
||||
tmp:
|
||||
type: emptyDir
@ -1,9 +0,0 @@
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
# Pre Flux-Kustomizations
|
||||
- ./namespace.yaml
|
||||
# Flux-Kustomizations
|
||||
- ./mosquitto/ks.yaml
@ -1,107 +0,0 @@
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &app matter-server
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.2.1
|
||||
interval: 15m
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
maxHistory: 3
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
strategy: rollback
|
||||
retries: 3
|
||||
values:
|
||||
controllers:
|
||||
matter-server:
|
||||
type: statefulset
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
pod:
|
||||
annotations:
|
||||
k8s.v1.cni.cncf.io/networks: |
|
||||
[{
|
||||
"name":"multus-iot",
|
||||
"namespace": "kube-system",
|
||||
"ips": ["10.1.3.152/24"]
|
||||
}]
|
||||
securityContext:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
runAsNonRoot: true
|
||||
fsGroup: 568
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: ghcr.io/home-assistant-libs/python-matter-server
|
||||
tag: 6.0.1
|
||||
pullPolicy: IfNotPresent
|
||||
env:
|
||||
TZ: "America/Chicago"
|
||||
MATTER_SERVER__INSTANCE_NAME: Matter-Server
|
||||
MATTER_SERVER__PORT: &port 5580
|
||||
MATTER_SERVER__APPLICATION_URL: &host matter.jahanson.tech
|
||||
MATTER_SERVER__LOG_LEVEL: info
|
||||
probes:
|
||||
liveness:
|
||||
enabled: true
|
||||
readiness:
|
||||
enabled: true
|
||||
startup:
|
||||
enabled: true
|
||||
spec:
|
||||
failureThreshold: 30
|
||||
periodSeconds: 5
|
||||
resources:
|
||||
requests:
|
||||
memory: "100M"
|
||||
limits:
|
||||
memory: "500M"
|
||||
service:
|
||||
app:
|
||||
controller: *app
|
||||
type: LoadBalancer
|
||||
annotations:
|
||||
io.cilium/lb-ipam-ips: "10.1.1.37"
|
||||
ports:
|
||||
api:
|
||||
enabled: true
|
||||
primary: true
|
||||
protocol: TCP
|
||||
port: *port
|
||||
externalTrafficPolicy: Cluster
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
existingClaim: matter-server
|
||||
advancedMounts:
|
||||
matter-server:
|
||||
app:
|
||||
- path: "/data"
|
||||
ingress:
|
||||
app:
|
||||
className: internal-nginx
|
||||
hosts:
|
||||
- host: *host
|
||||
paths:
|
||||
- path: /
|
||||
service:
|
||||
identifier: app
|
||||
port: http
|
||||
tls:
|
||||
- hosts: [*host]
@ -1,9 +0,0 @@
per_listener_settings false
|
||||
listener 1883
|
||||
allow_anonymous false
|
||||
persistence true
|
||||
persistence_location /data
|
||||
autosave_interval 1800
|
||||
connection_messages false
|
||||
autosave_interval 60
|
||||
password_file /mosquitto/external_config/mosquitto_pwd
@ -1,27 +0,0 @@
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: mosquitto
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: onepassword-connect
|
||||
target:
|
||||
name: mosquitto-secret
|
||||
creationPolicy: Owner
|
||||
template:
|
||||
engineVersion: v2
|
||||
data:
|
||||
mosquitto_pwd: |
|
||||
{{ .mosquitto_username }}:{{ .mosquitto_password }}
|
||||
{{ .mosquitto_zwave_username }}:{{ .mosquitto_zwave_password }}
|
||||
{{ .mosquitto_home_assistant_username }}:{{ .mosquitto_home_assistant_password }}
|
||||
dataFrom:
|
||||
- extract:
|
||||
key: mosquitto
|
||||
rewrite:
|
||||
- regexp:
|
||||
source: "(.*)"
|
||||
target: "mosquitto_$1"
@ -1,105 +0,0 @@
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &app mosquitto
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.2.1
|
||||
interval: 30m
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
|
||||
values:
|
||||
controllers:
|
||||
mosquitto:
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
|
||||
pod:
|
||||
securityContext:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
fsGroup: 568
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
|
||||
initContainers:
|
||||
init-config:
|
||||
image:
|
||||
repository: public.ecr.aws/docker/library/eclipse-mosquitto
|
||||
tag: 2.0.18
|
||||
command:
|
||||
- "/bin/sh"
|
||||
- "-c"
|
||||
args:
|
||||
- cp /tmp/secret/* /mosquitto/external_config/;
|
||||
mosquitto_passwd -U /mosquitto/external_config/mosquitto_pwd;
|
||||
chmod 0600 /mosquitto/external_config/mosquitto_pwd;
|
||||
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: public.ecr.aws/docker/library/eclipse-mosquitto
|
||||
tag: 2.0.18
|
||||
probes:
|
||||
liveness:
|
||||
enabled: true
|
||||
readiness:
|
||||
enabled: true
|
||||
startup:
|
||||
enabled: true
|
||||
spec:
|
||||
failureThreshold: 30
|
||||
periodSeconds: 5
|
||||
resources:
|
||||
requests:
|
||||
cpu: 5m
|
||||
memory: 10M
|
||||
limits:
|
||||
memory: 10M
|
||||
|
||||
service:
|
||||
app:
|
||||
controller: mosquitto
|
||||
type: LoadBalancer
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/hostname: "mqtt.jahanson.tech"
|
||||
io.cilium/lb-ipam-ips: "10.1.1.36"
|
||||
externalTrafficPolicy: Local
|
||||
ports:
|
||||
mqtt:
|
||||
enabled: true
|
||||
port: 1883
|
||||
|
||||
persistence:
|
||||
data:
|
||||
existingClaim: *app
|
||||
advancedMounts:
|
||||
mosquitto:
|
||||
app:
|
||||
- path: /data
|
||||
mosquitto-configfile:
|
||||
type: configMap
|
||||
name: mosquitto-configmap
|
||||
advancedMounts:
|
||||
mosquitto:
|
||||
app:
|
||||
- path: /mosquitto/config/mosquitto.conf
|
||||
subPath: mosquitto.conf
|
||||
mosquitto-secret:
|
||||
type: secret
|
||||
name: mosquitto-secret
|
||||
advancedMounts:
|
||||
mosquitto:
|
||||
init-config:
|
||||
- path: /tmp/secret
|
||||
mosquitto-externalconfig:
|
||||
type: emptyDir
|
||||
globalMounts:
|
||||
- path: /mosquitto/external_config
@ -1,28 +0,0 @@
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &appname mosquitto
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: home-automation
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *appname
|
||||
interval: 10m
|
||||
path: "./kubernetes/apps/home-automation/mosquitto/app"
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: homelab
|
||||
wait: true
|
||||
dependsOn:
|
||||
- name: openebs
|
||||
- name: volsync
|
||||
- name: external-secrets-stores
|
||||
postBuild:
|
||||
substitute:
|
||||
APP: *appname
|
||||
VOLSYNC_CLAIM: mosquitto-data
|
||||
VOLSYNC_CAPACITY: 512Mi
@ -1,8 +0,0 @@
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: home-automation
|
||||
labels:
|
||||
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||
volsync.backube/privileged-movers: "true"
@ -1,588 +0,0 @@
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.14.0
|
||||
creationTimestamp: null
|
||||
name: ciliumbgppeeringpolicies.cilium.io
|
||||
spec:
|
||||
group: cilium.io
|
||||
names:
|
||||
categories:
|
||||
- cilium
|
||||
- ciliumbgp
|
||||
kind: CiliumBGPPeeringPolicy
|
||||
listKind: CiliumBGPPeeringPolicyList
|
||||
plural: ciliumbgppeeringpolicies
|
||||
shortNames:
|
||||
- bgpp
|
||||
singular: ciliumbgppeeringpolicy
|
||||
scope: Cluster
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
name: v2alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: CiliumBGPPeeringPolicy is a Kubernetes third-party resource for
|
||||
instructing Cilium's BGP control plane to create virtual BGP routers.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: Spec is a human readable description of a BGP peering policy
|
||||
properties:
|
||||
nodeSelector:
|
||||
description: "NodeSelector selects a group of nodes where this BGP
|
||||
Peering Policy applies. \n If empty / nil this policy applies to
|
||||
all nodes."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector requirements.
|
||||
The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector that
|
||||
contains values, a key, and an operator that relates the key
|
||||
and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector applies
|
||||
to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship to
|
||||
a set of values. Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
enum:
|
||||
- In
|
||||
- NotIn
|
||||
- Exists
|
||||
- DoesNotExist
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values. If the
|
||||
operator is In or NotIn, the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist, the values
|
||||
array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
description: MatchLabelsValue represents the value from the
|
||||
MatchLabels {key,value} pair.
|
||||
maxLength: 63
|
||||
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs. A single
|
||||
{key,value} in the matchLabels map is equivalent to an element
|
||||
of matchExpressions, whose key field is "key", the operator
|
||||
is "In", and the values array contains only "value". The requirements
|
||||
are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
virtualRouters:
|
||||
description: A list of CiliumBGPVirtualRouter(s) which instructs the
|
||||
BGP control plane how to instantiate virtual BGP routers.
|
||||
items:
|
||||
description: CiliumBGPVirtualRouter defines a discrete BGP virtual
|
||||
router configuration.
|
||||
properties:
|
||||
exportPodCIDR:
|
||||
default: false
|
||||
description: ExportPodCIDR determines whether to export the
|
||||
Node's private CIDR block to the configured neighbors.
|
||||
type: boolean
|
||||
localASN:
|
||||
description: LocalASN is the ASN of this virtual router. Supports
|
||||
extended 32bit ASNs
|
||||
format: int64
|
||||
maximum: 4294967295
|
||||
minimum: 0
|
||||
type: integer
|
||||
neighbors:
|
||||
description: Neighbors is a list of neighboring BGP peers for
|
||||
this virtual router
|
||||
items:
|
||||
description: CiliumBGPNeighbor is a neighboring peer for use
|
||||
in a CiliumBGPVirtualRouter configuration.
|
||||
properties:
|
||||
advertisedPathAttributes:
|
||||
description: AdvertisedPathAttributes can be used to apply
|
||||
additional path attributes to selected routes when advertising
|
||||
them to the peer. If empty / nil, no additional path
|
||||
attributes are advertised.
|
||||
items:
|
||||
description: CiliumBGPPathAttributes can be used to
|
||||
apply additional path attributes to matched routes
|
||||
when advertising them to a BGP peer.
|
||||
properties:
|
||||
communities:
|
||||
description: Communities defines a set of community
|
||||
values advertised in the supported BGP Communities
|
||||
path attributes. If nil / not set, no BGP Communities
|
||||
path attribute will be advertised.
|
||||
properties:
|
||||
large:
|
||||
description: Large holds a list of the BGP Large
|
||||
Communities Attribute (RFC 8092) values.
|
||||
items:
|
||||
description: BGPLargeCommunity type represents
|
||||
a value of the BGP Large Communities Attribute
|
||||
(RFC 8092), as three 4-byte decimal numbers
|
||||
separated by colons.
|
||||
pattern: ^([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5])$
|
||||
type: string
|
||||
type: array
|
||||
standard:
|
||||
description: Standard holds a list of "standard"
|
||||
32-bit BGP Communities Attribute (RFC 1997)
|
||||
values defined as numeric values.
|
||||
items:
|
||||
description: BGPStandardCommunity type represents
|
||||
a value of the "standard" 32-bit BGP Communities
|
||||
Attribute (RFC 1997) as a 4-byte decimal
|
||||
number or two 2-byte decimal numbers separated
|
||||
by a colon (<0-65535>:<0-65535>). For example,
|
||||
no-export community value is 65553:65281.
|
||||
pattern: ^([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5])$|^([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$
|
||||
type: string
|
||||
type: array
|
||||
wellKnown:
|
||||
description: WellKnown holds a list "standard"
|
||||
32-bit BGP Communities Attribute (RFC 1997)
|
||||
values defined as well-known string aliases
|
||||
to their numeric values.
|
||||
items:
|
||||
description: "BGPWellKnownCommunity type represents
|
||||
a value of the \"standard\" 32-bit BGP Communities
|
||||
Attribute (RFC 1997) as a well-known string
|
||||
alias to its numeric value. Allowed values
|
||||
and their mapping to the numeric values:
|
||||
\n internet = 0x00000000
|
||||
(0:0) planned-shut = 0xffff0000
|
||||
(65535:0) accept-own = 0xffff0001
|
||||
(65535:1) route-filter-translated-v4 = 0xffff0002
|
||||
(65535:2) route-filter-v4 = 0xffff0003
|
||||
(65535:3) route-filter-translated-v6 = 0xffff0004
|
||||
(65535:4) route-filter-v6 = 0xffff0005
|
||||
(65535:5) llgr-stale = 0xffff0006
|
||||
(65535:6) no-llgr = 0xffff0007
|
||||
(65535:7) blackhole = 0xffff029a
|
||||
(65535:666) no-export =
|
||||
0xffffff01\t(65535:65281) no-advertise =
|
||||
0xffffff02 (65535:65282) no-export-subconfed
|
||||
\ = 0xffffff03 (65535:65283) no-peer
|
||||
\ = 0xffffff04 (65535:65284)"
|
||||
enum:
|
||||
- internet
|
||||
- planned-shut
|
||||
- accept-own
|
||||
- route-filter-translated-v4
|
||||
- route-filter-v4
|
||||
- route-filter-translated-v6
|
||||
- route-filter-v6
|
||||
- llgr-stale
|
||||
- no-llgr
|
||||
- blackhole
|
||||
- no-export
|
||||
- no-advertise
|
||||
- no-export-subconfed
|
||||
- no-peer
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
localPreference:
|
||||
description: LocalPreference defines the preference
|
||||
value advertised in the BGP Local Preference path
|
||||
attribute. As Local Preference is only valid for
|
||||
iBGP peers, this value will be ignored for eBGP
|
||||
peers (no Local Preference path attribute will
|
||||
be advertised). If nil / not set, the default
|
||||
Local Preference of 100 will be advertised in
|
||||
the Local Preference path attribute for iBGP peers.
|
||||
format: int64
|
||||
maximum: 4294967295
|
||||
minimum: 0
|
||||
type: integer
|
||||
selector:
|
||||
description: Selector selects a group of objects
|
||||
of the SelectorType resulting into routes that
|
||||
will be announced with the configured Attributes.
|
||||
If nil / not set, all objects of the SelectorType
|
||||
are selected.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
enum:
|
||||
- In
|
||||
- NotIn
|
||||
- Exists
|
||||
- DoesNotExist
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
description: MatchLabelsValue represents the
|
||||
value from the MatchLabels {key,value} pair.
|
||||
maxLength: 63
|
||||
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
selectorType:
|
||||
description: 'SelectorType defines the object type
|
||||
on which the Selector applies: - For "PodCIDR"
|
||||
the Selector matches k8s CiliumNode resources
|
||||
(path attributes apply to routes announced for
|
||||
PodCIDRs of selected CiliumNodes. Only affects
|
||||
routes of cluster scope / Kubernetes IPAM CIDRs,
|
||||
not Multi-Pool IPAM CIDRs. - For "CiliumLoadBalancerIPPool"
|
||||
the Selector matches CiliumLoadBalancerIPPool
|
||||
custom resources (path attributes apply to routes
|
||||
announced for selected CiliumLoadBalancerIPPools).
|
||||
- For "CiliumPodIPPool" the Selector matches CiliumPodIPPool
|
||||
custom resources (path attributes apply to routes
|
||||
announced for allocated CIDRs of selected CiliumPodIPPools).'
|
||||
enum:
|
||||
- PodCIDR
|
||||
- CiliumLoadBalancerIPPool
|
||||
- CiliumPodIPPool
|
||||
type: string
|
||||
required:
|
||||
- selectorType
|
||||
type: object
|
||||
type: array
|
||||
authSecretRef:
|
||||
description: AuthSecretRef is the name of the secret to
|
||||
use to fetch a TCP authentication password for this
|
||||
peer.
|
||||
type: string
|
||||
connectRetryTimeSeconds:
|
||||
default: 120
|
||||
description: ConnectRetryTimeSeconds defines the initial
|
||||
value for the BGP ConnectRetryTimer (RFC 4271, Section
|
||||
8).
|
||||
format: int32
|
||||
maximum: 2147483647
|
||||
minimum: 1
|
||||
type: integer
|
||||
eBGPMultihopTTL:
|
||||
default: 1
|
||||
description: EBGPMultihopTTL controls the multi-hop feature
|
||||
for eBGP peers. Its value defines the Time To Live (TTL)
|
||||
value used in BGP packets sent to the neighbor. The
|
||||
value 1 implies that eBGP multi-hop feature is disabled
|
||||
(only a single hop is allowed). This field is ignored
|
||||
for iBGP peers.
|
||||
format: int32
|
||||
maximum: 255
|
||||
minimum: 1
|
||||
type: integer
|
||||
families:
|
||||
description: "Families, if provided, defines a set of
|
||||
AFI/SAFIs the speaker will negotiate with it's peer.
|
||||
\n If this slice is not provided the default families
|
||||
of IPv6 and IPv4 will be provided."
|
||||
items:
|
||||
description: CiliumBGPFamily represents a AFI/SAFI address
|
||||
family pair.
|
||||
properties:
|
||||
afi:
|
||||
description: Afi is the Address Family Identifier
|
||||
(AFI) of the family.
|
||||
enum:
|
||||
- ipv4
|
||||
- ipv6
|
||||
- l2vpn
|
||||
- ls
|
||||
- opaque
|
||||
type: string
|
||||
safi:
|
||||
description: Safi is the Subsequent Address Family
|
||||
Identifier (SAFI) of the family.
|
||||
enum:
|
||||
- unicast
|
||||
- multicast
|
||||
- mpls_label
|
||||
- encapsulation
|
||||
- vpls
|
||||
- evpn
|
||||
- ls
|
||||
- sr_policy
|
||||
- mup
|
||||
- mpls_vpn
|
||||
- mpls_vpn_multicast
|
||||
- route_target_constraints
|
||||
- flowspec_unicast
|
||||
- flowspec_vpn
|
||||
- key_value
|
||||
type: string
|
||||
required:
|
||||
- afi
|
||||
- safi
|
||||
type: object
|
||||
type: array
|
||||
gracefulRestart:
|
||||
description: GracefulRestart defines graceful restart
|
||||
parameters which are negotiated with this neighbor.
|
||||
If empty / nil, the graceful restart capability is disabled.
|
||||
properties:
|
||||
enabled:
|
||||
description: Enabled flag, when set enables graceful
|
||||
restart capability.
|
||||
type: boolean
|
||||
restartTimeSeconds:
|
||||
default: 120
|
||||
description: RestartTimeSeconds is the estimated time
|
||||
it will take for the BGP session to be re-established
|
||||
with peer after a restart. After this period, peer
|
||||
will remove stale routes. This is described RFC
|
||||
4724 section 4.2.
|
||||
format: int32
|
||||
maximum: 4095
|
||||
minimum: 1
|
||||
type: integer
|
||||
required:
|
||||
- enabled
|
||||
type: object
|
||||
holdTimeSeconds:
|
||||
default: 90
|
||||
description: HoldTimeSeconds defines the initial value
|
||||
for the BGP HoldTimer (RFC 4271, Section 4.2). Updating
|
||||
this value will cause a session reset.
|
||||
format: int32
|
||||
maximum: 65535
|
||||
minimum: 3
|
||||
type: integer
|
||||
keepAliveTimeSeconds:
|
||||
default: 30
|
||||
description: KeepaliveTimeSeconds defines the initial
|
||||
value for the BGP KeepaliveTimer (RFC 4271, Section
|
||||
8). It can not be larger than HoldTimeSeconds. Updating
|
||||
this value will cause a session reset.
|
||||
format: int32
|
||||
maximum: 65535
|
||||
minimum: 1
|
||||
type: integer
|
||||
peerASN:
|
||||
description: PeerASN is the ASN of the peer BGP router.
|
||||
Supports extended 32bit ASNs
|
||||
format: int64
|
||||
maximum: 4294967295
|
||||
minimum: 0
|
||||
type: integer
|
||||
peerAddress:
|
||||
description: PeerAddress is the IP address of the peer.
|
||||
This must be in CIDR notation and use a /32 to express
|
||||
a single host.
|
||||
format: cidr
|
||||
type: string
|
||||
peerPort:
|
||||
default: 179
|
||||
description: PeerPort is the TCP port of the peer. 1-65535
|
||||
is the range of valid port numbers that can be specified.
|
||||
If unset, defaults to 179.
|
||||
format: int32
|
||||
maximum: 65535
|
||||
minimum: 1
|
||||
type: integer
|
||||
required:
|
||||
- peerASN
|
||||
- peerAddress
|
||||
type: object
|
||||
minItems: 1
|
||||
type: array
|
||||
podIPPoolSelector:
|
||||
description: "PodIPPoolSelector selects CiliumPodIPPools based
|
||||
on labels. The virtual router will announce allocated CIDRs
|
||||
of matching CiliumPodIPPools. \n If empty / nil no CiliumPodIPPools
|
||||
will be announced."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
enum:
|
||||
- In
|
||||
- NotIn
|
||||
- Exists
|
||||
- DoesNotExist
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty. This
|
||||
array is replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
description: MatchLabelsValue represents the value from
|
||||
the MatchLabels {key,value} pair.
|
||||
maxLength: 63
|
||||
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
serviceSelector:
|
||||
description: "ServiceSelector selects a group of load balancer
|
||||
services which this virtual router will announce. The loadBalancerClass
|
||||
for a service must be nil or specify a class supported by
|
||||
Cilium, e.g. \"io.cilium/bgp-control-plane\". Refer to the
|
||||
following document for additional details regarding load balancer
|
||||
classes: \n https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
|
||||
\n If empty / nil no services will be announced."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector
|
||||
requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a selector
|
||||
that contains values, a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector
|
||||
applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are In, NotIn,
|
||||
Exists and DoesNotExist.
|
||||
enum:
|
||||
- In
|
||||
- NotIn
|
||||
- Exists
|
||||
- DoesNotExist
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string values.
|
||||
If the operator is In or NotIn, the values array
|
||||
must be non-empty. If the operator is Exists or
|
||||
DoesNotExist, the values array must be empty. This
|
||||
array is replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
description: MatchLabelsValue represents the value from
|
||||
the MatchLabels {key,value} pair.
|
||||
maxLength: 63
|
||||
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value} pairs.
|
||||
A single {key,value} in the matchLabels map is equivalent
|
||||
to an element of matchExpressions, whose key field is
|
||||
"key", the operator is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
required:
|
||||
- localASN
|
||||
- neighbors
|
||||
type: object
|
||||
minItems: 1
|
||||
type: array
|
||||
required:
|
||||
- virtualRouters
|
||||
type: object
|
||||
required:
|
||||
- metadata
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources: {}
|
||||
status:
|
||||
acceptedNames:
|
||||
kind: ""
|
||||
plural: ""
|
||||
conditions: []
|
||||
storedVersions: []
|
|
@ -1,36 +0,0 @@
|
|||
---
|
||||
apiVersion: cilium.io/v2alpha1
|
||||
kind: CiliumBGPPeeringPolicy
|
||||
# comments courtesy of JJGadgets
|
||||
# MAKE SURE CRDs ARE INSTALLED IN CLUSTER VIA cilium-config ConfigMap OR Cilium HelmRelease/values.yaml (bgpControlPlane.enabled: true), BEFORE THIS IS APPLIED!
|
||||
# "CiliumBGPPeeringPolicy" Custom Resource will replace the old MetalLB BGP's "bgp-config" ConfigMap
|
||||
# "CiliumBGPPeeringPolicy" is used with `bgpControlPlane.enabled: true` which uses GoBGP, NOT the old `bgp.enabled: true` which uses MetalLB
|
||||
metadata:
|
||||
name: bgp-loadbalancer-ip-main
|
||||
spec:
|
||||
nodeSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/os: "linux" # match all Linux nodes, change this to match more granularly if more than 1 PeeringPolicy is to be used throughout cluster
|
||||
virtualRouters:
|
||||
- localASN: 64512
|
||||
exportPodCIDR: false
|
||||
serviceSelector: # this replaces address-pools, instead of defining the range of IPs that can be assigned to LoadBalancer services, now services have to match below selectors for their LB IPs to be announced
|
||||
matchExpressions:
|
||||
- {
|
||||
key: thisFakeSelector,
|
||||
operator: NotIn,
|
||||
values: ["will-match-and-announce-all-services"],
|
||||
}
|
||||
neighbors:
|
||||
- peerAddress: "10.1.1.1/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
|
||||
peerASN: 64512
|
||||
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumloadbalancerippool_v2alpha1.json
|
||||
apiVersion: "cilium.io/v2alpha1"
|
||||
kind: CiliumLoadBalancerIPPool
|
||||
metadata:
|
||||
name: main-pool
|
||||
spec:
|
||||
cidrs:
|
||||
- cidr: 10.45.0.1/24
|
|
@ -1,78 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: cilium
|
||||
namespace: kube-system
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: cilium
|
||||
version: 1.15.3
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: cilium
|
||||
namespace: flux-system
|
||||
maxHistory: 2
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
uninstall:
|
||||
keepHistory: false
|
||||
values:
|
||||
cluster:
|
||||
name: homelab
|
||||
id: 1
|
||||
hubble:
|
||||
relay:
|
||||
enabled: true
|
||||
ui:
|
||||
enabled: true
|
||||
metrics:
|
||||
enableOpenMetrics: true
|
||||
prometheus:
|
||||
enabled: true
|
||||
operator:
|
||||
prometheus:
|
||||
enabled: true
|
||||
ipam:
|
||||
mode: kubernetes
|
||||
kubeProxyReplacement: true
|
||||
k8sServiceHost: 127.0.0.1
|
||||
k8sServicePort: 7445
|
||||
rollOutCiliumPods: true
|
||||
cgroup:
|
||||
automount:
|
||||
enabled: false
|
||||
hostRoot: /sys/fs/cgroup
|
||||
bgp:
|
||||
enabled: false
|
||||
announce:
|
||||
loadbalancerIP: true
|
||||
podCIDR: false
|
||||
bgpControlPlane:
|
||||
enabled: true
|
||||
securityContext:
|
||||
capabilities:
|
||||
ciliumAgent:
|
||||
- CHOWN
|
||||
- KILL
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
- IPC_LOCK
|
||||
- SYS_ADMIN
|
||||
- SYS_RESOURCE
|
||||
- DAC_OVERRIDE
|
||||
- FOWNER
|
||||
- SETGID
|
||||
- SETUID
|
||||
cleanCiliumState:
|
||||
- NET_ADMIN
|
||||
- SYS_ADMIN
|
||||
- SYS_RESOURCE
|
|
@ -1,23 +0,0 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||
---
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: allow-ssh
|
||||
spec:
|
||||
description: ""
|
||||
nodeSelector:
|
||||
matchLabels:
|
||||
# node-access: ssh
|
||||
node-role.kubernetes.io/control-plane: "true"
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- cluster
|
||||
- toPorts:
|
||||
- ports:
|
||||
- port: "22"
|
||||
protocol: TCP
|
||||
- icmps:
|
||||
- fields:
|
||||
- type: 8
|
||||
family: IPv4
|
|
@ -1,27 +0,0 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||
---
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: api-server
|
||||
spec:
|
||||
nodeSelector:
|
||||
# apply to master nodes
|
||||
matchLabels:
|
||||
node-role.kubernetes.io/control-plane: 'true'
|
||||
ingress:
|
||||
# load balancer -> api server
|
||||
- fromCIDR:
|
||||
- 167.235.217.82/32
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '6443'
|
||||
protocol: TCP
|
||||
egress:
|
||||
# api server -> kubelet
|
||||
- toEntities:
|
||||
- remote-node
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '10250'
|
||||
protocol: TCP
|
|
@ -1,41 +0,0 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||
---
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: cilium-health
|
||||
specs:
|
||||
- endpointSelector:
|
||||
# apply to health endpoints
|
||||
matchLabels:
|
||||
reserved:health: ''
|
||||
ingress:
|
||||
# cilium agent -> cilium agent
|
||||
- fromEntities:
|
||||
- host
|
||||
- remote-node
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '4240'
|
||||
protocol: TCP
|
||||
- nodeSelector:
|
||||
# apply to all nodes
|
||||
matchLabels: {}
|
||||
ingress:
|
||||
# cilium agent -> cilium agent
|
||||
- fromEntities:
|
||||
- health
|
||||
- remote-node
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '4240'
|
||||
protocol: TCP
|
||||
egress:
|
||||
# cilium agent -> cilium agent
|
||||
- toEntities:
|
||||
- health
|
||||
- remote-node
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '4240'
|
||||
protocol: TCP
|
|
@ -1,26 +0,0 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||
---
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: cilium-vxlan
|
||||
spec:
|
||||
nodeSelector:
|
||||
# apply to all nodes
|
||||
matchLabels: {}
|
||||
ingress:
|
||||
# node -> vxlan
|
||||
- fromEntities:
|
||||
- remote-node
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '8472'
|
||||
protocol: UDP
|
||||
egress:
|
||||
# node -> vxlan
|
||||
- toEntities:
|
||||
- remote-node
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '8472'
|
||||
protocol: UDP
|
|
@ -1,65 +0,0 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
|
||||
---
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: core-dns
|
||||
namespace: kube-system
|
||||
specs:
|
||||
- nodeSelector:
|
||||
# apply to master nodes
|
||||
matchLabels:
|
||||
node-role.kubernetes.io/control-plane: 'true'
|
||||
ingress:
|
||||
# core dns -> api server
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: coredns
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '6443'
|
||||
protocol: TCP
|
||||
- nodeSelector:
|
||||
# apply to all nodes
|
||||
matchLabels: {}
|
||||
egress:
|
||||
# kubelet -> core dns probes
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: coredns
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '8080'
|
||||
protocol: TCP
|
||||
- port: '8181'
|
||||
protocol: TCP
|
||||
- endpointSelector:
|
||||
# apply to core dns pods
|
||||
matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: coredns
|
||||
ingress:
|
||||
# kubelet -> core dns probes
|
||||
- fromEntities:
|
||||
- host
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '8080'
|
||||
protocol: TCP
|
||||
- port: '8181'
|
||||
protocol: TCP
|
||||
egress:
|
||||
# core dns -> api server
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '6443'
|
||||
protocol: TCP
|
||||
# core dns -> upstream DNS
|
||||
- toCIDR:
|
||||
- 185.12.64.1/32
|
||||
- 185.12.64.2/32
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '53'
|
||||
protocol: UDP
|
|
@ -1,27 +0,0 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||
---
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: etcd
|
||||
spec:
|
||||
nodeSelector:
|
||||
# apply to master nodes
|
||||
matchLabels:
|
||||
node-role.kubernetes.io/control-plane: 'true'
|
||||
ingress:
|
||||
# etcd peer -> etcd peer
|
||||
- fromEntities:
|
||||
- remote-node
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '2380'
|
||||
protocol: TCP
|
||||
egress:
|
||||
# etcd peer -> etcd peer
|
||||
- toEntities:
|
||||
- remote-node
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '2380'
|
||||
protocol: TCP
|
|
@ -1,15 +0,0 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||
---
|
||||
apiVersion: "cilium.io/v2"
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: allow-specific-traffic
|
||||
spec:
|
||||
endpointSelector: {}
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- host
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '6443'
|
||||
protocol: TCP
|
|
@ -1,50 +0,0 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
|
||||
---
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: hubble-relay
|
||||
namespace: kube-system
|
||||
specs:
|
||||
- nodeSelector:
|
||||
# apply to all nodes
|
||||
matchLabels: {}
|
||||
ingress:
|
||||
# hubble relay -> hubble agent
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: hubble-relay
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '4244'
|
||||
protocol: TCP
|
||||
egress:
|
||||
# kubelet -> hubble relay probes
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: hubble-relay
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '4245'
|
||||
protocol: TCP
|
||||
- endpointSelector:
|
||||
# apply to hubble relay pods
|
||||
matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: hubble-relay
|
||||
ingress:
|
||||
# kubelet -> hubble relay probes
|
||||
- fromEntities:
|
||||
- host
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '4245'
|
||||
protocol: TCP
|
||||
egress:
|
||||
# hubble relay -> hubble agent
|
||||
- toEntities:
|
||||
- host
|
||||
- remote-node
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '4244'
|
||||
protocol: TCP
|
|
@ -1,75 +0,0 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
|
||||
---
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: hubble-ui
|
||||
namespace: kube-system
|
||||
specs:
|
||||
- nodeSelector:
|
||||
# apply to master nodes
|
||||
matchLabels:
|
||||
node-role.kubernetes.io/control-plane: ''
|
||||
ingress:
|
||||
# hubble ui -> api server
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: hubble-ui
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '6443'
|
||||
protocol: TCP
|
||||
- endpointSelector:
|
||||
# apply to core dns endpoints
|
||||
matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: coredns
|
||||
ingress:
|
||||
# hubble ui -> core dns
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: hubble-ui
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '53'
|
||||
protocol: UDP
|
||||
- endpointSelector:
|
||||
# apply to hubble relay endpoints
|
||||
matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: hubble-relay
|
||||
ingress:
|
||||
# hubble ui -> hubble relay
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: hubble-ui
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '4245'
|
||||
protocol: TCP
|
||||
- endpointSelector:
|
||||
# apply to hubble ui endpoints
|
||||
matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: hubble-ui
|
||||
egress:
|
||||
# hubble ui -> api server
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '6443'
|
||||
protocol: TCP
|
||||
# hubble ui -> hubble relay
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: hubble-relay
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '4245'
|
||||
protocol: TCP
|
||||
# hubble ui -> core dns
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
io.cilium.k8s.policy.serviceaccount: coredns
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '53'
|
||||
protocol: UDP
|
|
@ -1,28 +0,0 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||
---
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: kubelet
|
||||
spec:
|
||||
nodeSelector:
|
||||
# apply to all nodes
|
||||
matchLabels: {}
|
||||
ingress:
|
||||
# api server -> kubelet
|
||||
- fromEntities:
|
||||
- kube-apiserver
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '10250'
|
||||
protocol: TCP
|
||||
egress:
|
||||
# kubelet -> load balancer
|
||||
- toCIDR:
|
||||
- 167.235.217.82/32
|
||||
toEntities:
|
||||
- host
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: '6443'
|
||||
protocol: TCP
|
|
@ -1,16 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namespace: kube-system
|
||||
resources:
|
||||
- ./allow-ssh.yaml
|
||||
- ./apiserver.yaml
|
||||
- ./cilium-health.yaml
|
||||
- ./cilium-vxlan.yaml
|
||||
- ./core-dns.yaml
|
||||
- ./etcd.yaml
|
||||
- ./hubble-relay.yaml
|
||||
- ./hubble-ui.yaml
|
||||
- ./kubelet.yaml
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: cilium
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
path: "./kubernetes/apps/kube-system/cilium/app"
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: homelab
|
||||
wait: false
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
spegel:
|
||||
containerdSock: /run/containerd/containerd.sock
|
||||
containerdRegistryConfigPath: /etc/cri/conf.d/hosts
|
||||
registries:
|
||||
- https://docker.io
|
||||
- https://ghcr.io
|
||||
- https://quay.io
|
||||
- https://mcr.microsoft.com
|
||||
- https://public.ecr.aws
|
||||
- https://gcr.io
|
||||
- https://registry.k8s.io
|
||||
- https://k8s.gcr.io
|
||||
- https://lscr.io
|
||||
service:
|
||||
registry:
|
||||
hostPort: 29999
|
|
@ -1,109 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &app zfs-scrub
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.2.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
strategy: rollback
|
||||
values:
|
||||
controllers:
|
||||
kubanetics:
|
||||
type: cronjob
|
||||
cronjob:
|
||||
schedule: "@weekly"
|
||||
parallelism: 1 # Set to my total number of nodes
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: ghcr.io/aarnaud/talos-debug-tools
|
||||
tag: latest-6.6.29
|
||||
command: ["/bin/bash", "-c"]
|
||||
args:
|
||||
- |
|
||||
# Trim filesystems
|
||||
chroot /host /usr/local/sbin/zpool scrub nahar
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
readiness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
resources:
|
||||
requests:
|
||||
cpu: 25m
|
||||
limits:
|
||||
memory: 128Mi
|
||||
securityContext:
|
||||
privileged: true
|
||||
pod:
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
topologySpreadConstraints:
|
||||
- maxSkew: 1
|
||||
topologyKey: kubernetes.io/hostname
|
||||
whenUnsatisfiable: DoNotSchedule
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: *app
|
||||
persistence:
|
||||
netfs:
|
||||
type: hostPath
|
||||
hostPath: /sys
|
||||
hostPathType: Directory
|
||||
globalMounts:
|
||||
- path: /sys
|
||||
readOnly: true
|
||||
dev:
|
||||
type: hostPath
|
||||
hostPath: /dev
|
||||
hostPathType: Directory
|
||||
globalMounts:
|
||||
- path: /dev
|
||||
modules:
|
||||
type: hostPath
|
||||
hostPath: /lib/modules
|
||||
hostPathType: ""
|
||||
globalMounts:
|
||||
- path: /lib/modules
|
||||
udev:
|
||||
type: hostPath
|
||||
hostPath: /run/udev
|
||||
hostPathType: ""
|
||||
globalMounts:
|
||||
- path: /run/udev
|
||||
localtime:
|
||||
type: hostPath
|
||||
hostPath: /etc/localtime
|
||||
hostPathType: ""
|
||||
globalMounts:
|
||||
- path: /etc/localtime
|
||||
host:
|
||||
type: hostPath
|
||||
hostPath: /
|
||||
hostPathType: Directory
|
||||
globalMounts:
|
||||
- path: /host
|
||||
efivars:
|
||||
type: hostPath
|
||||
hostPath: /sys/firmware/efi/efivars
|
||||
hostPathType: ""
|
||||
globalMounts:
|
||||
- path: /sys/firmware/efi/efivars
|
|
@ -1,20 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
KUBELET_BIN="/usr/local/bin/kubelet"
|
||||
KUBELET_PID="$(pgrep -f $KUBELET_BIN)"
|
||||
ZPOOL="nahar"
|
||||
|
||||
if [ -z "${KUBELET_PID}" ]; then
|
||||
echo "kubelet not found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Enter namespaces and run commands
|
||||
nsrun() {
|
||||
nsenter \
|
||||
--mount="/host/proc/${KUBELET_PID}/ns/mnt" \
|
||||
--net="/host/proc/${KUBELET_PID}/ns/net" \
|
||||
-- bash -c "$1"
|
||||
}
|
||||
|
||||
# Scrub filesystems
|
||||
nsrun "zpool scrub ${ZPOOL}"
|
|
@ -1,16 +0,0 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: immich-app-config
|
||||
labels:
|
||||
app.kubernetes.io/name: immich
|
||||
data:
|
||||
LOG_LEVEL: verbose
|
||||
DB_VECTOR_EXTENSION: pgvector
|
||||
NODE_ENV: production
|
||||
REDIS_HOSTNAME: dragonfly.database.svc.cluster.local
|
||||
REDIS_PORT: "6379"
|
||||
IMMICH_WEB_URL: http://immich-web.media.svc.cluster.local:3000
|
||||
IMMICH_SERVER_URL: http://immich-server.media.svc.cluster.local:3001
|
||||
IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning.media.svc.cluster.local:3003
|
|
@ -1,97 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &name immich
|
||||
namespace: default
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.1.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
strategy: rollback
|
||||
values:
|
||||
controllers:
|
||||
immich-server:
|
||||
type: statefulset
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: ghcr.io/immich-app/immich-server
|
||||
tag: v1.105.1
|
||||
command: /bin/sh
|
||||
args:
|
||||
- ./start-server.sh
|
||||
probes:
|
||||
startup:
|
||||
enabled: true
|
||||
spec:
|
||||
failureThreshold: 30
|
||||
periodSeconds: 5
|
||||
liveness:
|
||||
enabled: true
|
||||
readiness:
|
||||
enabled: true
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 512Mi
|
||||
limits:
|
||||
memory: 4Gi
|
||||
env:
|
||||
TZ: America/Chicago
|
||||
DB_URL:
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-secret
|
||||
key: DATABASE_URI
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: immich-app-config
|
||||
service:
|
||||
app:
|
||||
controller: immich-server
|
||||
ports:
|
||||
http:
|
||||
port: 3001
|
||||
ingress:
|
||||
app:
|
||||
enabled: true
|
||||
className: external-nginx
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
|
||||
external-dns.alpha.kubernetes.io/target: external.hsn.dev
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "0"
|
||||
hosts:
|
||||
- host: &host "im.hsn.dev"
|
||||
paths:
|
||||
- path: /
|
||||
service:
|
||||
identifier: app
|
||||
port: http
|
||||
tls:
|
||||
- hosts:
|
||||
- *host
|
||||
persistence:
|
||||
media:
|
||||
enabled: true
|
||||
type: nfs
|
||||
server: 10.1.1.13
|
||||
path: /eru/media/immich
|
||||
globalMounts:
|
||||
- path: /usr/src/app/upload
|
|
@ -1,27 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./configmap.yaml
|
||||
- ./externalsecret.yaml
|
||||
- ./gatus.yaml
|
||||
- ./helmrelease.yaml
|
||||
- ./machine-learning
|
||||
- ./microservices
|
||||
- ./postgresCluster.yaml
|
||||
- ./pushsecret.yaml
|
||||
- ./service.yaml
|
||||
configMapGenerator:
|
||||
- name: immich-databse-init-sql
|
||||
files:
|
||||
- init.sql=./resources/init.sql
|
||||
labels:
|
||||
- pairs:
|
||||
app.kubernetes.io/name: immich
|
||||
app.kubernetes.io/instance: immich
|
||||
app.kubernetes.io/part-of: immich
|
||||
generatorOptions:
|
||||
disableNameSuffixHash: true
|
||||
annotations:
|
||||
kustomize.toolkit.fluxcd.io/substitute: disabled
|
|
@ -1,82 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: immich-machine-learning
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.1.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
interval: 15m
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
strategy: rollback
|
||||
values:
|
||||
controllers:
|
||||
immich-machine-learning:
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
strategy: Recreate
|
||||
pod:
|
||||
nodeSelector:
|
||||
nvidia.com/gpu.present: "true"
|
||||
runtimeClassName: nvidia
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: ghcr.io/immich-app/immich-machine-learning
|
||||
tag: v1.105.1
|
||||
resources:
|
||||
requests:
|
||||
cpu: 15m
|
||||
memory: 250Mi
|
||||
limits:
|
||||
memory: 4000Mi
|
||||
probes:
|
||||
startup:
|
||||
enabled: true
|
||||
spec:
|
||||
failureThreshold: 30
|
||||
periodSeconds: 5
|
||||
liveness:
|
||||
enabled: true
|
||||
readiness:
|
||||
enabled: true
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: immich-app-config
|
||||
env:
|
||||
DB_URL:
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-secret
|
||||
key: DATABASE_URI
|
||||
service:
|
||||
app:
|
||||
controller: immich-machine-learning
|
||||
ports:
|
||||
http:
|
||||
port: 3003
|
||||
persistence:
|
||||
media:
|
||||
enabled: true
|
||||
type: nfs
|
||||
server: 10.1.1.13
|
||||
path: /eru/media/immich
|
||||
globalMounts:
|
||||
- path: /usr/src/app/upload
|
||||
cache:
|
||||
enabled: true
|
||||
type: emptyDir
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
labels:
|
||||
- pairs:
|
||||
app.kubernetes.io/name: immich-machine-learning
|
||||
app.kubernetes.io/instance: immich-machine-learning
|
||||
app.kubernetes.io/part-of: immich
|
||||
resources:
|
||||
- ./helmrelease.yaml
|
|
@ -1,80 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: immich-microservices
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.1.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
interval: 15m
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
strategy: rollback
|
||||
values:
|
||||
controllers:
|
||||
immich-microservices:
|
||||
strategy: Recreate
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
pod:
|
||||
nodeSelector:
|
||||
nvidia.com/gpu.present: "true"
|
||||
runtimeClassName: nvidia
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: ghcr.io/immich-app/immich-server
|
||||
tag: v1.105.1
|
||||
command: /bin/sh
|
||||
args:
|
||||
- ./start-microservices.sh
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 250Mi
|
||||
limits:
|
||||
memory: 4000Mi
|
||||
probes:
|
||||
startup:
|
||||
enabled: true
|
||||
spec:
|
||||
failureThreshold: 30
|
||||
periodSeconds: 5
|
||||
liveness:
|
||||
enabled: true
|
||||
readiness:
|
||||
enabled: true
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: immich-app-config
|
||||
env:
|
||||
DB_URL:
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-secret
|
||||
key: DATABASE_URI
|
||||
service:
|
||||
app:
|
||||
controller: immich-microservices
|
||||
enabled: false
|
||||
persistence:
|
||||
media:
|
||||
enabled: true
|
||||
type: nfs
|
||||
server: 10.1.1.13
|
||||
path: /eru/media/immich
|
||||
globalMounts:
|
||||
- path: /usr/src/app/upload
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
labels:
|
||||
- pairs:
|
||||
app.kubernetes.io/name: immich-microservices
|
||||
app.kubernetes.io/instance: immich-microservices
|
||||
app.kubernetes.io/part-of: immich
|
||||
resources:
|
||||
- ./helmrelease.yaml
|
|
@ -1,94 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json
|
||||
apiVersion: postgres-operator.crunchydata.com/v1beta1
|
||||
kind: PostgresCluster
|
||||
metadata:
|
||||
name: &name "${APP}"
|
||||
spec:
|
||||
postgresVersion: 16
|
||||
dataSource:
|
||||
pgbackrest:
|
||||
stanza: db
|
||||
configuration:
|
||||
- secret:
|
||||
name: pgo-s3-creds
|
||||
global:
|
||||
repo1-path: "/${APP}/repo1"
|
||||
repo1-s3-uri-style: path
|
||||
repo:
|
||||
name: repo1
|
||||
s3:
|
||||
bucket: "crunchy-postgres"
|
||||
endpoint: "s3.hsn.dev"
|
||||
region: "us-east-1"
|
||||
monitoring:
|
||||
pgmonitor:
|
||||
exporter:
|
||||
# https://github.com/CrunchyData/postgres-operator-examples/blob/main/helm/install/values.yaml
|
||||
image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-0.15.0-3
|
||||
patroni:
|
||||
dynamicConfiguration:
|
||||
synchronous_mode: true
|
||||
postgresql:
|
||||
synchronous_commit: "on"
|
||||
pg_hba:
|
||||
- hostnossl all all 10.244.0.0/16 md5
|
||||
- hostssl all all all md5
|
||||
databaseInitSQL:
|
||||
name: immich-databse-init-sql
|
||||
key: init.sql
|
||||
instances:
|
||||
- name: postgres
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: pgo-${APP}
|
||||
replicas: 1
|
||||
dataVolumeClaimSpec:
|
||||
storageClassName: openebs-zfs
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 5Gi
|
||||
topologySpreadConstraints:
|
||||
- maxSkew: 1
|
||||
topologyKey: "kubernetes.io/hostname"
|
||||
whenUnsatisfiable: "DoNotSchedule"
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
postgres-operator.crunchydata.com/cluster: ${APP}
|
||||
postgres-operator.crunchydata.com/data: postgres
|
||||
users:
|
||||
- name: "immich"
|
||||
databases:
|
||||
- "immich"
|
||||
options: "SUPERUSER"
|
||||
password:
|
||||
type: AlphaNumeric
|
||||
backups:
|
||||
pgbackrest:
|
||||
configuration:
|
||||
- secret:
|
||||
name: pgo-s3-creds
|
||||
global:
|
||||
archive-push-queue-max: 4GiB
|
||||
repo1-retention-full: "14"
|
||||
repo1-retention-full-type: time
|
||||
repo1-path: "/${APP}/repo1"
|
||||
repo1-s3-uri-style: path
|
||||
manual:
|
||||
repoName: repo1
|
||||
options:
|
||||
- --type=full
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: pgo-${APP}-backup
|
||||
repos:
|
||||
- name: repo1
|
||||
schedules:
|
||||
full: "0 1 * * 0"
|
||||
differential: "0 1 * * 1-6"
|
||||
s3:
|
||||
bucket: "crunchy-postgres"
|
||||
endpoint: "s3.hsn.dev"
|
||||
region: "us-east-1"
|
|
@ -1,40 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
|
||||
apiVersion: external-secrets.io/v1alpha1
|
||||
kind: PushSecret
|
||||
metadata:
|
||||
name: immich
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRefs:
|
||||
- name: onepassword-connect
|
||||
kind: ClusterSecretStore
|
||||
selector:
|
||||
secret:
|
||||
name: immich-pguser-immich
|
||||
data:
|
||||
- match:
|
||||
secretKey: dbname
|
||||
remoteRef:
|
||||
remoteKey: immich
|
||||
property: DATABASE_NAME
|
||||
- match:
|
||||
secretKey: host
|
||||
remoteRef:
|
||||
remoteKey: immich
|
||||
property: DATABASE_HOST
|
||||
- match:
|
||||
secretKey: user
|
||||
remoteRef:
|
||||
remoteKey: immich
|
||||
property: DATABASE_USER
|
||||
- match:
|
||||
secretKey: password
|
||||
remoteRef:
|
||||
remoteKey: immich
|
||||
property: DATABASE_PASSWORD
|
||||
- match:
|
||||
secretKey: port
|
||||
remoteRef:
|
||||
remoteKey: immich
|
||||
property: DATABASE_PORT
|
|
@ -1,4 +0,0 @@
|
|||
\c immich\\
|
||||
CREATE EXTENSION vector;
|
||||
CREATE EXTENSION cube;
|
||||
CREATE EXTENSION earthdistance;
|
|
@ -1,20 +0,0 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
postgres-operator.crunchydata.com/cluster: immich
|
||||
postgres-operator.crunchydata.com/role: primary
|
||||
name: immich-primary-real
|
||||
namespace: media
|
||||
spec:
|
||||
internalTrafficPolicy: Cluster
|
||||
ports:
|
||||
- name: postgres
|
||||
port: 5432
|
||||
protocol: TCP
|
||||
targetPort: postgres
|
||||
selector:
|
||||
postgres-operator.crunchydata.com/cluster: immich
|
||||
postgres-operator.crunchydata.com/role: master
|
||||
type: ClusterIP
|
|
@ -1,9 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
# Pre Flux-Kustomizations
|
||||
- ./namespace.yaml
|
||||
# Flux-Kustomizations
|
||||
- ./immich/ks.yaml
|
|
@ -1,61 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: grafana-secret
|
||||
namespace: observability
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: onepassword-connect
|
||||
target:
|
||||
name: grafana-secret
|
||||
creationPolicy: Owner
|
||||
template:
|
||||
engineVersion: v2
|
||||
data:
|
||||
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .authentik_grafana_oauth_client_secret }}"
|
||||
GF_DATE_FORMATS_USE_BROWSER_LOCALE: "true"
|
||||
GF_SERVER_ROOT_URL: https://grafana.hsn.dev
|
||||
GF_DATABASE_NAME: "{{ .grafana_GF_DATABASE_NAME }}"
|
||||
GF_DATABASE_HOST: "postgres-primary-real.database.svc"
|
||||
GF_DATABASE_USER: "{{ .grafana_GF_DATABASE_USER }}"
|
||||
GF_DATABASE_PASSWORD: "{{ .grafana_GF_DATABASE_PASSWORD }}"
|
||||
GF_DATABASE_SSL_MODE: "require"
|
||||
GF_DATABASE_TYPE: postgres
|
||||
GF_ANALYTICS_CHECK_FOR_UPDATES: "false"
|
||||
GF_ANALYTICS_CHECK_FOR_PLUGIN_UPDATES: "false"
|
||||
GF_ANALYTICS_REPORTING_ENABLED: "false"
|
||||
GF_AUTH_ANONYMOUS_ENABLED: "false"
|
||||
GF_AUTH_BASIC_ENABLED: "false"
|
||||
GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
|
||||
GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.hsn.dev/application/o/userinfo/
|
||||
GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.hsn.dev/application/o/authorize/
|
||||
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.hsn.dev/application/o/token/
|
||||
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: CoV7ae1HxuNzwCbVPf3U7TfYMX2rVqC5T9RAUo5M
|
||||
GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES: "false"
|
||||
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
|
||||
GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email groups
|
||||
GF_AUTH_OAUTH_AUTO_LOGIN: "true"
|
||||
GF_EXPLORE_ENABLED: "true"
|
||||
GF_FEATURE_TOGGLES_ENABLE: publicDashboards
|
||||
GF_LOG_MODE: console
|
||||
GF_NEWS_NEWS_FEED_ENABLED: "false"
|
||||
GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel
|
||||
GF_SECURITY_COOKIE_SAMESITE: grafana
|
||||
GF_SECURITY_ANGULAR_SUPPORT_ENABLED: "true"
|
||||
|
||||
dataFrom:
|
||||
- extract:
|
||||
key: Authentik
|
||||
rewrite:
|
||||
- regexp:
|
||||
source: "(.*)"
|
||||
target: "authentik_$1"
|
||||
- extract:
|
||||
key: grafana
|
||||
rewrite:
|
||||
- regexp:
|
||||
source: "(.*)"
|
||||
target: "grafana_$1"
|
|
@ -1,401 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: grafana
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: grafana
|
||||
version: 8.3.7
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: grafana
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
uninstall:
|
||||
keepHistory: false
|
||||
dependsOn:
|
||||
- name: kube-prometheus-stack
|
||||
namespace: observability
|
||||
- name: loki
|
||||
namespace: observability
|
||||
values:
|
||||
replicas: 1
|
||||
envFromSecret: grafana-secret
|
||||
dashboardProviders:
|
||||
dashboardproviders.yaml:
|
||||
apiVersion: 1
|
||||
providers:
|
||||
- name: default
|
||||
orgId: 1
|
||||
folder: ""
|
||||
type: file
|
||||
disableDeletion: false
|
||||
editable: true
|
||||
options:
|
||||
path: /var/lib/grafana/dashboards/default-folder
|
||||
- name: ceph
|
||||
orgId: 1
|
||||
folder: Ceph
|
||||
type: file
|
||||
disableDeletion: false
|
||||
editable: true
|
||||
options:
|
||||
path: /var/lib/grafana/dashboards/ceph-folder
|
||||
- name: crunchy-postgres
|
||||
orgId: 1
|
||||
folder: Crunchy-postgres
|
||||
type: file
|
||||
disableDeletion: false
|
||||
editable: true
|
||||
options:
|
||||
path: /var/lib/grafana/dashboards/crunchy-postgres-folder
|
||||
- name: flux
|
||||
orgId: 1
|
||||
folder: Flux
|
||||
type: file
|
||||
disableDeletion: false
|
||||
editable: true
|
||||
options:
|
||||
path: /var/lib/grafana/dashboards/flux-folder
|
||||
- name: kubernetes
|
||||
orgId: 1
|
||||
folder: Kubernetes
|
||||
type: file
|
||||
disableDeletion: false
|
||||
editable: true
|
||||
options:
|
||||
path: /var/lib/grafana/dashboards/kubernetes-folder
|
||||
- name: nginx
|
||||
orgId: 1
|
||||
folder: Nginx
|
||||
type: file
|
||||
disableDeletion: false
|
||||
editable: true
|
||||
options:
|
||||
path: /var/lib/grafana/dashboards/nginx-folder
|
||||
- name: prometheus
|
||||
orgId: 1
|
||||
folder: Prometheus
|
||||
type: file
|
||||
disableDeletion: false
|
||||
editable: true
|
||||
options:
|
||||
path: /var/lib/grafana/dashboards/prometheus-folder
|
||||
- name: thanos
|
||||
orgId: 1
|
||||
folder: Thanos
|
||||
type: file
|
||||
disableDeletion: false
|
||||
editable: true
|
||||
options:
|
||||
path: /var/lib/grafana/dashboards/thanos-folder
|
||||
- name: unifi
|
||||
orgId: 1
|
||||
folder: Unifi
|
||||
type: file
|
||||
disableDeletion: false
|
||||
editable: true
|
||||
options:
|
||||
path: /var/lib/grafana/dashboards/unifi-folder
|
||||
datasources:
|
||||
datasources.yaml:
|
||||
apiVersion: 1
|
||||
deleteDatasources:
|
||||
- { name: Alertmanager, orgId: 1 }
|
||||
- { name: Loki, orgId: 1 }
|
||||
- { name: Prometheus, orgId: 1 }
|
||||
datasources:
|
||||
- name: Prometheus
|
||||
type: prometheus
|
||||
uid: prometheus
|
||||
access: proxy
|
||||
url: http://thanos-query-frontend.observability.svc.cluster.local:10902
|
||||
jsonData:
|
||||
prometheusType: Thanos
|
||||
timeInterval: 1m
|
||||
isDefault: true
|
||||
- name: Loki
|
||||
type: loki
|
||||
uid: loki
|
||||
access: proxy
|
||||
url: http://loki-gateway.observability.svc.cluster.local
|
||||
jsonData:
|
||||
maxLines: 250
|
||||
- name: Alertmanager
|
||||
type: alertmanager
|
||||
uid: alertmanager
|
||||
access: proxy
|
||||
url: http://alertmanager-operated.observability.svc.cluster.local:9093
|
||||
jsonData:
|
||||
implementation: prometheus
|
||||
dashboards:
|
||||
default:
|
||||
cloudflared:
|
||||
# renovate: depName="Cloudflare Tunnels (cloudflared)"
|
||||
gnetId: 17457
|
||||
revision: 6
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
external-dns:
|
||||
# renovate: depName="External-dns"
|
||||
gnetId: 15038
|
||||
revision: 3
|
||||
datasource: Prometheus
|
||||
minio:
|
||||
# renovate: depName="MinIO Dashboard"
|
||||
gnetId: 13502
|
||||
revision: 25
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
node-exporter-full:
|
||||
# renovate: depName="Node Exporter Full"
|
||||
gnetId: 1860
|
||||
revision: 33
|
||||
datasource: Prometheus
|
||||
postgres:
|
||||
# renovate: depName="PostgreSQL Database"
|
||||
gnetId: 9628
|
||||
revision: 7
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
smartctl-exporter:
|
||||
# renovate: depName="smartctl_exporter"
|
||||
gnetId: 20204
|
||||
revision: 1
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
spegel:
|
||||
# renovate: depName="Spegel"
|
||||
gnetId: 18089
|
||||
revision: 1
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
unpackerr:
|
||||
# renovate: depName="Unpackerr"
|
||||
gnetId: 18817
|
||||
revision: 1
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
zfs:
|
||||
# renovate: depName="ZFS"
|
||||
gnetId: 7845
|
||||
revision: 4
|
||||
datasource: Prometheus
|
||||
dragonflydb:
|
||||
url: https://raw.githubusercontent.com/dragonflydb/dragonfly/main/tools/local/monitoring/grafana/provisioning/dashboards/dashboard.json
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
cert-manager:
|
||||
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json
|
||||
datasource: Prometheus
|
||||
external-secrets:
|
||||
url: https://raw.githubusercontent.com/external-secrets/external-secrets/main/docs/snippets/dashboard.json
|
||||
datasource: Prometheus
|
||||
node-feature-discovery:
|
||||
url: https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/examples/grafana-dashboard.json
|
||||
datasource: Prometheus
|
||||
crunchy-postgres:
|
||||
pgbackrest:
|
||||
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/pgbackrest.json
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
pods:
|
||||
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/pod_details.json
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
postgresql:
|
||||
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/postgresql_details.json
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
postgresql-overview:
|
||||
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/postgresql_overview.json
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
postgresql-health:
|
||||
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/postgresql_service_health.json
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
postgresql-alerts:
|
||||
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/prometheus_alerts.json
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
query-stats:
|
||||
url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/query_statistics.json
|
||||
datasource:
|
||||
- { name: DS_PROMETHEUS, value: Prometheus }
|
||||
ceph:
|
||||
ceph-cluster:
|
||||
# renovate: depName="Ceph Cluster"
|
||||
gnetId: 2842
|
||||
revision: 17
|
||||
datasource: Prometheus
|
||||
ceph-osd:
|
||||
# renovate: depName="Ceph - OSD (Single)"
|
||||
gnetId: 5336
|
||||
revision: 9
|
||||
datasource: Prometheus
|
||||
ceph-pools:
|
||||
# renovate: depName="Ceph - Pools"
|
||||
gnetId: 5342
|
||||
revision: 9
|
||||
datasource: Prometheus
|
||||
flux:
|
||||
flux-cluster:
|
||||
url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/cluster.json
|
||||
datasource: Prometheus
|
||||
flux-control-plane:
|
||||
url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/control-plane.json
|
||||
datasource: Prometheus
|
||||
kubernetes:
|
||||
kubernetes-api-server:
|
||||
# renovate: depName="Kubernetes / System / API Server"
|
||||
gnetId: 15761
|
||||
revision: 16
|
||||
datasource: Prometheus
|
||||
kubernetes-coredns:
|
||||
# renovate: depName="Kubernetes / System / CoreDNS"
|
||||
gnetId: 15762
|
||||
revision: 17
|
||||
datasource: Prometheus
|
||||
kubernetes-global:
|
||||
# renovate: depName="Kubernetes / Views / Global"
|
||||
gnetId: 15757
|
||||
revision: 37
|
||||
datasource: Prometheus
|
||||
kubernetes-namespaces:
|
||||
# renovate: depName="Kubernetes / Views / Namespaces"
|
||||
gnetId: 15758
|
||||
revision: 34
|
||||
datasource: Prometheus
|
||||
kubernetes-nodes:
|
||||
# renovate: depName="Kubernetes / Views / Nodes"
|
||||
gnetId: 15759
|
||||
revision: 29
|
||||
datasource: Prometheus
|
||||
kubernetes-pods:
|
||||
# renovate: depName="Kubernetes / Views / Pods"
|
||||
gNetId: 15760
|
||||
revision: 21
|
||||
datasource: Prometheus
|
||||
kubernetes-volumes:
|
||||
# renovate: depName="K8s / Storage / Volumes / Cluster"
|
||||
gnetId: 11454
|
||||
revision: 14
|
||||
datasource: Prometheus
|
||||
nginx:
|
||||
nginx:
|
||||
url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json
|
||||
datasource: Prometheus
|
||||
nginx-request-handling-performance:
|
||||
url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json
|
||||
datasource: Prometheus
|
||||
prometheus:
|
||||
prometheus:
|
||||
# renovate: depName="Prometheus"
|
||||
gnetId: 19105
|
||||
revision: 3
|
||||
datasource: Prometheus
|
||||
thanos:
|
||||
thanos-bucket-replicate:
|
||||
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/bucket-replicate.json
|
||||
datasource: Prometheus
|
||||
thanos-compact:
|
||||
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/compact.json
|
||||
datasource: Prometheus
|
||||
thanos-overview:
|
||||
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/overview.json
|
||||
datasource: Prometheus
|
||||
thanos-query:
|
||||
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query.json
|
||||
datasource: Prometheus
|
||||
thanos-query-frontend:
|
||||
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query-frontend.json
|
||||
datasource: Prometheus
|
||||
thanos-receieve:
|
||||
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/receive.json
|
||||
datasource: Prometheus
|
||||
thanos-rule:
|
||||
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/rule.json
|
||||
datasource: Prometheus
|
||||
thanos-sidecar:
|
||||
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/sidecar.json
|
||||
datasource: Prometheus
|
||||
thanos-store:
|
||||
url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/store.json
|
||||
datasource: Prometheus
|
||||
unifi:
|
||||
unifi-insights:
|
||||
# renovate: depName="UniFi-Poller: Client Insights - Prometheus"
|
||||
gnetId: 11315
|
||||
revision: 9
|
||||
datasource: Prometheus
|
||||
unifi-network-sites:
|
||||
# renovate: depName="UniFi-Poller: Network Sites - Prometheus"
|
||||
gnetId: 11311
|
||||
revision: 5
|
||||
datasource: Prometheus
|
||||
unifi-uap:
|
||||
# renovate: depName="UniFi-Poller: UAP Insights - Prometheus"
|
||||
gnetId: 11314
|
||||
revision: 10
|
||||
datasource: Prometheus
|
||||
unifi-usw:
|
||||
# renovate: depName="UniFi-Poller: USW Insights - Prometheus"
|
||||
gnetId: 11312
|
||||
revision: 9
|
||||
datasource: Prometheus
|
||||
sidecar:
|
||||
dashboards:
|
||||
enabled: true
|
||||
searchNamespace: ALL
|
||||
labelValue: ""
|
||||
label: grafana_dashboard
|
||||
folderAnnotation: grafana_folder
|
||||
provider:
|
||||
disableDelete: true
|
||||
foldersFromFilesStructure: true
|
||||
datasources:
|
||||
enabled: true
|
||||
searchNamespace: ALL
|
||||
labelValue: ""
|
||||
plugins:
|
||||
- grafana-clock-panel
|
||||
- grafana-piechart-panel
|
||||
- grafana-worldmap-panel
|
||||
- natel-discrete-panel
|
||||
- pr0ps-trackmap-panel
|
||||
- vonage-status-panel
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: external-nginx
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
|
||||
external-dns.alpha.kubernetes.io/target: external.hsn.dev
|
||||
hosts:
|
||||
- &host grafana.hsn.dev
|
||||
tls:
|
||||
- hosts:
|
||||
- *host
|
||||
persistence:
|
||||
enabled: false
|
||||
testFramework:
|
||||
enabled: false
|
||||
topologySpreadConstraints:
|
||||
- maxSkew: 1
|
||||
topologyKey: kubernetes.io/hostname
|
||||
whenUnsatisfiable: DoNotSchedule
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: grafana
|
|
@ -1,190 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: kube-prometheus-stack
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: kube-prometheus-stack
|
||||
version: 61.6.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: prometheus-community
|
||||
namespace: flux-system
|
||||
install:
|
||||
crds: CreateReplace
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
crds: CreateReplace
|
||||
remediation:
|
||||
strategy: rollback
|
||||
retries: 3
|
||||
values:
|
||||
crds:
|
||||
enabled: true
|
||||
cleanPrometheusOperatorObjectNames: true
|
||||
alertmanager:
|
||||
ingress:
|
||||
enabled: true
|
||||
pathType: Prefix
|
||||
ingressClassName: internal-nginx
|
||||
hosts:
|
||||
- &host alertmanager.jahanson.tech
|
||||
tls:
|
||||
- hosts:
|
||||
- *host
|
||||
alertmanagerSpec:
|
||||
replicas: 1
|
||||
useExistingSecret: true
|
||||
configSecret: alertmanager-secret
|
||||
storage:
|
||||
volumeClaimTemplate:
|
||||
spec:
|
||||
storageClassName: openebs-hostpath
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
kubelet:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
metricRelabelings:
|
||||
# Drop high cardinality labels
|
||||
- action: labeldrop
|
||||
regex: (uid)
|
||||
- action: labeldrop
|
||||
regex: (id|name)
|
||||
- action: drop
|
||||
sourceLabels: ["__name__"]
|
||||
regex: (rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count)
|
||||
kubeApiServer:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
metricRelabelings:
|
||||
# Drop high cardinality labels
|
||||
- action: drop
|
||||
sourceLabels: ["__name__"]
|
||||
regex: (apiserver|etcd|rest_client)_request(|_sli|_slo)_duration_seconds_bucket
|
||||
- action: drop
|
||||
sourceLabels: ["__name__"]
|
||||
regex: (apiserver_response_sizes_bucket|apiserver_watch_events_sizes_bucket)
|
||||
kubeControllerManager:
|
||||
enabled: true
|
||||
endpoints: &cp
|
||||
- 10.1.1.61
|
||||
kubeEtcd:
|
||||
enabled: true
|
||||
endpoints: *cp
|
||||
kubeScheduler:
|
||||
enabled: true
|
||||
endpoints: *cp
|
||||
kubeProxy:
|
||||
enabled: false
|
||||
prometheus:
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: internal-nginx
|
||||
pathType: Prefix
|
||||
hosts:
|
||||
- &host prometheus.jahanson.tech
|
||||
tls:
|
||||
- hosts:
|
||||
- *host
|
||||
thanosService:
|
||||
enabled: true
|
||||
thanosServiceMonitor:
|
||||
enabled: true
|
||||
# thanosServiceExternal:
|
||||
# enabled: true
|
||||
# type: LoadBalancer
|
||||
# annotations:
|
||||
# external-dns.alpha.kubernetes.io/hostname: thanos.jahanson.tech
|
||||
# io.cilium/lb-ipam-ips: 10.45.0.6
|
||||
# externalTrafficPolicy: Cluster
|
||||
prometheusSpec:
|
||||
podMetadata:
|
||||
annotations:
|
||||
secret.reloader.stakater.com/reload: &secret thanos-objstore-config
|
||||
replicas: 1
|
||||
replicaExternalLabelName: __replica__
|
||||
scrapeInterval: 1m # Must match interval in Grafana Helm chart
|
||||
ruleSelectorNilUsesHelmValues: false
|
||||
serviceMonitorSelectorNilUsesHelmValues: false
|
||||
podMonitorSelectorNilUsesHelmValues: false
|
||||
probeSelectorNilUsesHelmValues: false
|
||||
scrapeConfigSelectorNilUsesHelmValues: false
|
||||
enableAdminAPI: true
|
||||
walCompression: true
|
||||
enableFeatures:
|
||||
- auto-gomemlimit
|
||||
- memory-snapshot-on-shutdown
|
||||
- new-service-discovery-manager
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: prometheus/prometheus
|
||||
tag: v2.51.0-dedupelabels
|
||||
thanos:
|
||||
image: quay.io/thanos/thanos:${THANOS_VERSION}
|
||||
version: "${THANOS_VERSION#v}"
|
||||
objectStorageConfig:
|
||||
existingSecret:
|
||||
name: *secret
|
||||
key: config
|
||||
retention: 2d
|
||||
retentionSize: 15GB
|
||||
externalLabels:
|
||||
cluster: main
|
||||
storageSpec:
|
||||
volumeClaimTemplate:
|
||||
spec:
|
||||
storageClassName: openebs-hostpath
|
||||
resources:
|
||||
requests:
|
||||
storage: 20Gi
|
||||
nodeExporter:
|
||||
enabled: true
|
||||
prometheus-node-exporter:
|
||||
fullnameOverride: node-exporter
|
||||
prometheus:
|
||||
monitor:
|
||||
enabled: true
|
||||
relabelings:
|
||||
- action: replace
|
||||
regex: (.*)
|
||||
replacement: $1
|
||||
sourceLabels:
|
||||
- __meta_kubernetes_pod_node_name
|
||||
targetLabel: kubernetes_node
|
||||
kubeStateMetrics:
|
||||
enabled: true
|
||||
kube-state-metrics:
|
||||
fullnameOverride: kube-state-metrics
|
||||
metricLabelsAllowlist:
|
||||
- pods=[*]
|
||||
- deployments=[*]
|
||||
- persistentvolumeclaims=[*]
|
||||
prometheus:
|
||||
monitor:
|
||||
enabled: true
|
||||
relabelings:
|
||||
- action: replace
|
||||
regex: (.*)
|
||||
replacement: $1
|
||||
sourceLabels:
|
||||
- __meta_kubernetes_pod_node_name
|
||||
targetLabel: kubernetes_node
|
||||
grafana:
|
||||
enabled: false
|
||||
forceDeployDashboards: true
|
||||
sidecar:
|
||||
dashboards:
|
||||
annotations:
|
||||
grafana_folder: Kubernetes
|
||||
multicluster:
|
||||
etcd:
|
||||
enabled: true
|
|
@ -1,34 +0,0 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/podmonitor_v1.json
|
||||
---
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PodMonitor
|
||||
metadata:
|
||||
name: crunchy-postgres-exporter
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
postgres-operator.crunchydata.com/crunchy-postgres-exporter: 'true'
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- database
|
||||
- media
|
||||
podMetricsEndpoints:
|
||||
- port: "exporter"
|
||||
relabelings:
|
||||
- sourceLabels: [__meta_kubernetes_pod_container_port_number]
|
||||
action: keep
|
||||
regex: "9187"
|
||||
- sourceLabels: [__meta_kubernetes_namespace]
|
||||
targetLabel: kubernetes_namespace
|
||||
- sourceLabels: [__meta_kubernetes_pod_name]
|
||||
targetLabel: pod
|
||||
- sourceLabels: [__meta_kubernetes_namespace, __meta_kubernetes_pod_label_postgres_operator_crunchydata_com_cluster]
|
||||
separator: ":"
|
||||
targetLabel: pg_cluster
|
||||
replacement: "$1$2"
|
||||
- sourceLabels: [__meta_kubernetes_pod_ip]
|
||||
targetLabel: ip
|
||||
- sourceLabels: [__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_instance]
|
||||
targetLabel: deployment
|
||||
- sourceLabels: [__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_role]
|
||||
targetLabel: role
|
|
@ -1,37 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/prometheusrule_v1.json
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PrometheusRule
|
||||
metadata:
|
||||
name: miscellaneous-rules
|
||||
labels:
|
||||
prometheus: k8s
|
||||
role: alert-rules
|
||||
spec:
|
||||
groups:
|
||||
- name: dockerhub
|
||||
rules:
|
||||
- alert: BootstrapRateLimitRisk
|
||||
annotations:
|
||||
summary: Kubernetes cluster at risk of being rate limited by dockerhub on bootstrap
|
||||
expr: count(time() - container_last_seen{image=~"(docker.io).*",container!=""} < 30) > 100
|
||||
for: 15m
|
||||
labels:
|
||||
severity: critical
|
||||
- name: oom
|
||||
rules:
|
||||
- alert: OOMKilled
|
||||
annotations:
|
||||
summary: Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has been OOMKilled {{ $value }} times in the last 10 minutes.
|
||||
expr: (kube_pod_container_status_restarts_total - kube_pod_container_status_restarts_total offset 10m >= 1) and ignoring (reason) min_over_time(kube_pod_container_status_last_terminated_reason{reason="OOMKilled"}[10m]) == 1
|
||||
labels:
|
||||
severity: critical
|
||||
- name: zfs
|
||||
rules:
|
||||
- alert: ZfsUnexpectedPoolState
|
||||
annotations:
|
||||
summary: ZFS pool {{$labels.zpool}} on {{$labels.instance}} is in a unexpected state {{$labels.state}}
|
||||
expr: node_zfs_zpool_state{state!="online"} > 0
|
||||
for: 15m
|
||||
labels:
|
||||
severity: critical
|
|
@ -1,68 +0,0 @@
|
|||
---
|
||||
global:
|
||||
resolve_timeout: 5m
|
||||
route:
|
||||
group_by: ["alertname", "job"]
|
||||
group_interval: 10m
|
||||
group_wait: 1m
|
||||
receiver: pushover
|
||||
repeat_interval: 12h
|
||||
routes:
|
||||
- receiver: heartbeat
|
||||
group_interval: 5m
|
||||
group_wait: 0s
|
||||
matchers:
|
||||
- alertname =~ "Watchdog"
|
||||
repeat_interval: 5m
|
||||
- receiver: "null"
|
||||
matchers:
|
||||
- alertname =~ "InfoInhibitor"
|
||||
- receiver: pushover
|
||||
continue: true
|
||||
matchers:
|
||||
- severity = "critical"
|
||||
inhibit_rules:
|
||||
- equal: ["alertname", "namespace"]
|
||||
source_matchers:
|
||||
- severity = "critical"
|
||||
target_matchers:
|
||||
- severity = "warning"
|
||||
receivers:
|
||||
- name: heartbeat
|
||||
webhook_configs:
|
||||
- send_resolved: true
|
||||
url: "{{ .alertmanager_heartbeat_url }}"
|
||||
- name: "null"
|
||||
- name: pushover
|
||||
pushover_configs:
|
||||
- html: true
|
||||
# Compooters are hard
|
||||
message: |-
|
||||
{{ "{{-" }} range .Alerts {{ "}}" }}
|
||||
{{ "{{-" }} if ne .Annotations.description "" {{ "}}" }}
|
||||
{{ "{{" }} .Annotations.description {{ "}}" }}
|
||||
{{ "{{-" }} else if ne .Annotations.summary "" {{ "}}" }}
|
||||
{{ "{{" }} .Annotations.summary {{ "}}" }}
|
||||
{{ "{{-" }} else if ne .Annotations.message "" {{ "}}" }}
|
||||
{{ "{{" }} .Annotations.message {{ "}}" }}
|
||||
{{ "{{-" }} else {{ "}}" }}
|
||||
Alert description not available
|
||||
{{ "{{-" }} end {{ "}}" }}
|
||||
{{ "{{-" }} if gt (len .Labels.SortedPairs) 0 {{ "}}" }}
|
||||
<small>
|
||||
{{ "{{-" }} range .Labels.SortedPairs {{ "}}" }}
|
||||
<b>{{ "{{" }} .Name {{ "}}" }}:</b> {{ "{{" }} .Value {{ "}}" }}
|
||||
{{ "{{-" }} end {{ "}}" }}
|
||||
</small>
|
||||
{{ "{{-" }} end {{ "}}" }}
|
||||
{{ "{{-" }} end {{ "}}" }}
|
||||
priority: |-
|
||||
{{ "{{" }} if eq .Status "firing" {{ "}}" }}1{{ "{{" }} else {{ "}}" }}0{{ "{{" }} end {{ "}}" }}
|
||||
send_resolved: true
|
||||
sound: gamelan
|
||||
title: >-
|
||||
{{ "{{" }} .CommonLabels.alertname {{ "}}" }}
|
||||
[{{ "{{" }} .Status | toUpper {{ "}}" }}{{ "{{" }} if eq .Status "firing" {{ "}}" }}:{{ "{{" }} .Alerts.Firing | len {{ "}}" }}{{ "{{" }} end {{ "}}" }}]
|
||||
token: "{{ .alertmanager_token }}"
|
||||
url_title: View in Alertmanager
|
||||
user_key: "{{ .userkey_jahanson }}"
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./node-exporter.yaml
|
||||
- ./zfs-exporter.yaml
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/scrapeconfig_v1alpha1.json
|
||||
apiVersion: monitoring.coreos.com/v1alpha1
|
||||
kind: ScrapeConfig
|
||||
metadata:
|
||||
name: node-exporter
|
||||
spec:
|
||||
staticConfigs:
|
||||
- targets:
|
||||
- 10.1.1.1:9100
|
||||
metricsPath: /metrics
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/scrapeconfig_v1alpha1.json
|
||||
apiVersion: monitoring.coreos.com/v1alpha1
|
||||
kind: ScrapeConfig
|
||||
metadata:
|
||||
name: zfs-exporter
|
||||
spec:
|
||||
staticConfigs:
|
||||
- targets:
|
||||
- 10.1.1.13:9134
|
||||
metricsPath: /metrics
|
|
@ -1,29 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &app kube-prometheus-stack
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: observability
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *app
|
||||
dependsOn:
|
||||
- name: external-secrets-stores
|
||||
- name: openebs
|
||||
- name: volsync
|
||||
path: ./kubernetes/apps/observability/kube-prometheus-stack/app
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: homelab
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 15m
|
||||
postBuild:
|
||||
substitute:
|
||||
# renovate: datasource=docker depName=quay.io/thanos/thanos
|
||||
THANOS_VERSION: v0.34.1
|
|
@ -1,28 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: loki
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: onepassword-connect
|
||||
target:
|
||||
name: loki-secret
|
||||
creationPolicy: Owner
|
||||
template:
|
||||
engineVersion: v2
|
||||
data:
|
||||
S3_HOST: s3.hsn.dev
|
||||
S3_BUCKET: "{{ .minio_thanos_bucket_name }}"
|
||||
S3_ACCESS_KEY: "{{ .minio_loki_access_key }}"
|
||||
S3_SECRET_KEY: "{{ .minio_loki_secret_key }}"
|
||||
S3_REGION: us-east-1
|
||||
dataFrom:
|
||||
- extract:
|
||||
key: minio
|
||||
rewrite:
|
||||
- regexp:
|
||||
source: "(.*)"
|
||||
target: "minio_$1"
|
|
@ -1,138 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: loki
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: loki
|
||||
version: 6.7.3
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: grafana
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
strategy: uninstall
|
||||
retries: 3
|
||||
valuesFrom:
|
||||
- targetPath: loki.storage.bucketNames.chunks
|
||||
kind: Secret
|
||||
name: loki-secret
|
||||
valuesKey: S3_BUCKET
|
||||
- targetPath: loki.storage.s3.endpoint
|
||||
kind: Secret
|
||||
name: loki-secret
|
||||
valuesKey: S3_HOST
|
||||
- targetPath: loki.storage.s3.region
|
||||
kind: Secret
|
||||
name: loki-secret
|
||||
valuesKey: S3_REGION
|
||||
- targetPath: loki.storage.s3.accessKeyId
|
||||
kind: Secret
|
||||
name: loki-secret
|
||||
valuesKey: S3_ACCESS_KEY
|
||||
- targetPath: loki.storage.s3.secretAccessKey
|
||||
kind: Secret
|
||||
name: loki-secret
|
||||
valuesKey: S3_SECRET_KEY
|
||||
values:
|
||||
deploymentMode: SimpleScalable
|
||||
loki:
|
||||
podAnnotations:
|
||||
secret.reloader.stakater.com/reload: loki-secret
|
||||
ingester:
|
||||
chunk_encoding: snappy
|
||||
storage:
|
||||
type: s3
|
||||
s3:
|
||||
s3ForcePathStyle: true
|
||||
insecure: true
|
||||
schemaConfig:
|
||||
configs:
|
||||
- from: "2024-04-01"
|
||||
store: tsdb
|
||||
object_store: s3
|
||||
schema: v13
|
||||
index:
|
||||
prefix: loki_index_
|
||||
period: 24h
|
||||
structuredConfig:
|
||||
auth_enabled: false
|
||||
server:
|
||||
log_level: info
|
||||
http_listen_port: 3100
|
||||
grpc_listen_port: 9095
|
||||
grpc_server_max_recv_msg_size: 8388608
|
||||
grpc_server_max_send_msg_size: 8388608
|
||||
limits_config:
|
||||
ingestion_burst_size_mb: 128
|
||||
ingestion_rate_mb: 64
|
||||
max_query_parallelism: 100
|
||||
per_stream_rate_limit: 64M
|
||||
per_stream_rate_limit_burst: 128M
|
||||
reject_old_samples: true
|
||||
reject_old_samples_max_age: 168h
|
||||
retention_period: 30d
|
||||
shard_streams:
|
||||
enabled: true
|
||||
split_queries_by_interval: 1h
|
||||
query_scheduler:
|
||||
max_outstanding_requests_per_tenant: 4096
|
||||
frontend:
|
||||
max_outstanding_per_tenant: 4096
|
||||
ruler:
|
||||
enable_api: true
|
||||
enable_alertmanager_v2: true
|
||||
alertmanager_url: http://alertmanager-operated.observability.svc.cluster.local:9093
|
||||
storage:
|
||||
type: local
|
||||
local:
|
||||
directory: /rules
|
||||
rule_path: /rules/fake
|
||||
analytics:
|
||||
reporting_enabled: false
|
||||
backend:
|
||||
replicas: 1
|
||||
persistence:
|
||||
size: 20Gi
|
||||
storageClass: openebs-hostpath
|
||||
gateway:
|
||||
replicas: 1
|
||||
image:
|
||||
registry: ghcr.io
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: internal-nginx
|
||||
hosts:
|
||||
- host: &host loki.jahanson.tech
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts: [*host]
|
||||
read:
|
||||
replicas: 1
|
||||
write:
|
||||
replicas: 1
|
||||
persistence:
|
||||
size: 20Gi
|
||||
storageClass: openebs-hostpath
|
||||
sidecar:
|
||||
image:
|
||||
repository: ghcr.io/kiwigrid/k8s-sidecar
|
||||
rules:
|
||||
searchNamespace: ALL
|
||||
folder: /rules/fake
|
||||
lokiCanary:
|
||||
enabled: false
|
||||
test:
|
||||
enabled: false
|
|
@ -1,28 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: thanos
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: onepassword-connect
|
||||
target:
|
||||
name: thanos-secret
|
||||
creationPolicy: Owner
|
||||
template:
|
||||
engineVersion: v2
|
||||
data:
|
||||
S3_HOST: s3.hsn.dev
|
||||
S3_BUCKET: "{{ .minio_thanos_bucket_name }}"
|
||||
S3_ACCESS_KEY: "{{ .minio_thanos_access_key }}"
|
||||
S3_SECRET_KEY: "{{ .minio_thanos_secret_key }}"
|
||||
S3_REGION: us-east-1
|
||||
dataFrom:
|
||||
- extract:
|
||||
key: Minio
|
||||
rewrite:
|
||||
- regexp:
|
||||
source: "(.*)"
|
||||
target: "minio_$1"
|
|
@ -1,120 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: thanos
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: thanos
|
||||
version: 1.17.2
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: stevehipwell
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
strategy: rollback
|
||||
retries: 3
|
||||
valuesFrom:
|
||||
- targetPath: objstoreConfig.value.config.bucket
|
||||
kind: Secret
|
||||
name: thanos-secret
|
||||
valuesKey: S3_BUCKET
|
||||
- targetPath: objstoreConfig.value.config.endpoint
|
||||
kind: Secret
|
||||
name: thanos-secret
|
||||
valuesKey: S3_HOST
|
||||
- targetPath: objstoreConfig.value.config.region
|
||||
kind: Secret
|
||||
name: thanos-secret
|
||||
valuesKey: S3_REGION
|
||||
- targetPath: objstoreConfig.value.config.access_key
|
||||
kind: Secret
|
||||
name: thanos-secret
|
||||
valuesKey: S3_ACCESS_KEY
|
||||
- targetPath: objstoreConfig.value.config.secret_key
|
||||
kind: Secret
|
||||
name: thanos-secret
|
||||
valuesKey: S3_SECRET_KEY
|
||||
values:
|
||||
objstoreConfig:
|
||||
value:
|
||||
type: s3
|
||||
config:
|
||||
insecure: false
|
||||
additionalEndpoints:
|
||||
- dnssrv+_grpc._tcp.kube-prometheus-stack-thanos-discovery.observability.svc.cluster.local
|
||||
additionalReplicaLabels: ["__replica__"]
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
compact:
|
||||
enabled: true
|
||||
extraArgs:
|
||||
- --compact.concurrency=4
|
||||
- --delete-delay=30m
|
||||
- --retention.resolution-raw=14d
|
||||
- --retention.resolution-5m=30d
|
||||
- --retention.resolution-1h=60d
|
||||
persistence: &persistence
|
||||
enabled: true
|
||||
storageClass: openebs-hostpath
|
||||
size: 10Gi
|
||||
query:
|
||||
replicas: 1
|
||||
extraArgs: ["--alert.query-url=https://thanos.jahanson.tech"]
|
||||
queryFrontend:
|
||||
enabled: true
|
||||
replicas: 1
|
||||
extraEnv: &extraEnv
|
||||
- name: THANOS_CACHE_CONFIG
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: &configMap thanos-cache-configmap
|
||||
key: cache.yaml
|
||||
extraArgs: ["--query-range.response-cache-config=$(THANOS_CACHE_CONFIG)"]
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: internal-nginx
|
||||
hosts:
|
||||
- &host thanos.jahanson.tech
|
||||
tls:
|
||||
- hosts: [*host]
|
||||
podAnnotations: &podAnnotations
|
||||
configmap.reloader.stakater.com/reload: *configMap
|
||||
rule:
|
||||
enabled: true
|
||||
replicas: 1
|
||||
extraArgs: ["--web.prefix-header=X-Forwarded-Prefix"]
|
||||
alertmanagersConfig:
|
||||
value: |-
|
||||
alertmanagers:
|
||||
- api_version: v2
|
||||
static_configs:
|
||||
- dnssrv+_http-web._tcp.alertmanager-operated.observability.svc.cluster.local
|
||||
rules:
|
||||
value: |-
|
||||
groups:
|
||||
- name: PrometheusWatcher
|
||||
rules:
|
||||
- alert: PrometheusDown
|
||||
annotations:
|
||||
summary: A Prometheus has disappeared from Prometheus target discovery
|
||||
expr: absent(up{job="kube-prometheus-stack-prometheus"})
|
||||
for: 5m
|
||||
labels:
|
||||
severity: critical
|
||||
persistence: *persistence
|
||||
storeGateway:
|
||||
replicas: 1
|
||||
extraEnv: *extraEnv
|
||||
extraArgs: ["--index-cache.config=$(THANOS_CACHE_CONFIG)"]
|
||||
persistence: *persistence
|
||||
podAnnotations: *podAnnotations
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
type: REDIS
|
||||
config:
|
||||
addr: dragonfly.database.svc.cluster.local:6379
|
||||
db: 1
|
|
@ -1,103 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: vector-agent
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.3.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
strategy: rollback
|
||||
dependsOn:
|
||||
- name: vector-aggregator
|
||||
namespace: observability
|
||||
values:
|
||||
controllers:
|
||||
vector:
|
||||
type: daemonset
|
||||
strategy: RollingUpdate
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: docker.io/timberio/vector
|
||||
tag: 0.40.0-alpine@sha256:7a81fdd62e056321055a9e4bdec4073d752ecf68f4c192e676b85001721523c2
|
||||
env:
|
||||
PROCFS_ROOT: /host/proc
|
||||
SYSFS_ROOT: /host/sys
|
||||
VECTOR_SELF_NODE_NAME:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: spec.nodeName
|
||||
VECTOR_SELF_POD_NAME:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.name
|
||||
VECTOR_SELF_POD_NAMESPACE:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
args: ["--config", "/etc/vector/vector.yaml"]
|
||||
securityContext:
|
||||
privileged: true
|
||||
serviceAccount:
|
||||
create: true
|
||||
name: vector-agent
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
type: configMap
|
||||
name: vector-agent-configmap
|
||||
globalMounts:
|
||||
- path: /etc/vector/vector.yaml
|
||||
subPath: vector.yaml
|
||||
readOnly: true
|
||||
data:
|
||||
type: emptyDir
|
||||
globalMounts:
|
||||
- path: /vector-data-dir
|
||||
procfs:
|
||||
type: hostPath
|
||||
hostPath: /proc
|
||||
hostPathType: Directory
|
||||
globalMounts:
|
||||
- path: /host/proc
|
||||
readOnly: true
|
||||
sysfs:
|
||||
type: hostPath
|
||||
hostPath: /sys
|
||||
hostPathType: Directory
|
||||
globalMounts:
|
||||
- path: /host/sys
|
||||
readOnly: true
|
||||
var-lib:
|
||||
type: hostPath
|
||||
hostPath: /var/lib
|
||||
hostPathType: Directory
|
||||
globalMounts:
|
||||
- readOnly: true
|
||||
var-log:
|
||||
type: hostPath
|
||||
hostPath: /var/log
|
||||
hostPathType: Directory
|
||||
globalMounts:
|
||||
- readOnly: true
|
|
@ -1,22 +0,0 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: vector-agent
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["namespaces", "nodes", "pods"]
|
||||
verbs: ["list", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: vector-agent
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: vector-agent
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: vector-agent
|
||||
namespace: observability
|
|
@ -1,91 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &app vector-aggregator
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.3.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
strategy: rollback
|
||||
values:
|
||||
controllers:
|
||||
vector-aggregator:
|
||||
replicas: 1
|
||||
strategy: RollingUpdate
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
initContainers:
|
||||
init-geoip:
|
||||
image:
|
||||
repository: ghcr.io/maxmind/geoipupdate
|
||||
tag: v7.0.1@sha256:80c57598a9ff552953e499cefc589cfe7b563d64262742ea42f2014251b557b0
|
||||
env:
|
||||
GEOIPUPDATE_EDITION_IDS: GeoLite2-City
|
||||
GEOIPUPDATE_FREQUENCY: "0"
|
||||
GEOIPUPDATE_VERBOSE: "1"
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: vector-aggregator-secret
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: docker.io/timberio/vector
|
||||
tag: 0.40.0-alpine@sha256:7a81fdd62e056321055a9e4bdec4073d752ecf68f4c192e676b85001721523c2
|
||||
args: ["--config", "/etc/vector/vector.yaml"]
|
||||
pod:
|
||||
topologySpreadConstraints:
|
||||
- maxSkew: 1
|
||||
topologyKey: kubernetes.io/hostname
|
||||
whenUnsatisfiable: DoNotSchedule
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: *app
|
||||
service:
|
||||
app:
|
||||
controller: vector-aggregator
|
||||
type: LoadBalancer
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/hostname: vector.jahanson.tech
|
||||
io.cilium/lb-ipam-ips: 10.1.1.33
|
||||
ports:
|
||||
http:
|
||||
port: 8686
|
||||
journald:
|
||||
port: 6000
|
||||
kubernetes:
|
||||
port: 6010
|
||||
vyos:
|
||||
port: 6020
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
type: configMap
|
||||
name: vector-aggregator-configmap
|
||||
globalMounts:
|
||||
- path: /etc/vector/vector.yaml
|
||||
subPath: vector.yaml
|
||||
readOnly: true
|
||||
data:
|
||||
type: emptyDir
|
||||
globalMounts:
|
||||
- path: /vector-data-dir
|
||||
geoip:
|
||||
type: emptyDir
|
||||
globalMounts:
|
||||
- path: /usr/share/GeoIP
|
|
@ -1,132 +0,0 @@
|
|||
---
|
||||
data_dir: /vector-data-dir
|
||||
api:
|
||||
enabled: true
|
||||
address: 0.0.0.0:8686
|
||||
|
||||
enrichment_tables:
|
||||
geoip_table:
|
||||
type: geoip
|
||||
path: /usr/share/GeoIP/GeoLite2-City.mmdb
|
||||
|
||||
#
|
||||
# Sources
|
||||
#
|
||||
|
||||
sources:
|
||||
journald_source:
|
||||
type: vector
|
||||
version: "2"
|
||||
address: 0.0.0.0:6000
|
||||
|
||||
kubernetes_source:
|
||||
type: vector
|
||||
version: "2"
|
||||
address: 0.0.0.0:6010
|
||||
|
||||
vyos_source:
|
||||
type: syslog
|
||||
address: 0.0.0.0:6020
|
||||
mode: tcp
|
||||
|
||||
#
|
||||
# Transforms
|
||||
#
|
||||
|
||||
transforms:
|
||||
kubernetes_remap:
|
||||
type: remap
|
||||
inputs: ["kubernetes_source"]
|
||||
source: |
|
||||
# Standardize 'app' index
|
||||
.custom_app_name = .pod_labels."app.kubernetes.io/name" || .pod_labels.app || .pod_labels."k8s-app" || "unknown"
|
||||
# Drop pod_labels
|
||||
del(.pod_labels)
|
||||
|
||||
# [63950.153039] [wan-local-default-D]IN=eth4 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=60610 PROTO=TCP SPT=53451 DPT=2002 WINDOW=1024 RES=0x00 SYN URGP=0
|
||||
vyos_firewall_route:
|
||||
type: route
|
||||
inputs: ["vyos_source"]
|
||||
route:
|
||||
firewall: |
|
||||
.facility == "kern" && match!(.message, r'^\[(.*?)\].(.*)')
|
||||
|
||||
vyos_firewall_remap:
|
||||
type: remap
|
||||
inputs: ["vyos_firewall_route.firewall"]
|
||||
source: |
|
||||
# Parse firewall rule message
|
||||
split_message, split_err = parse_regex(.message, r'^\[.*\].\[(?P<rule>.*?)\](?P<fields>.*)')
|
||||
if split_err != null {
|
||||
abort
|
||||
}
|
||||
# Extract separate fields from message
|
||||
split_message.fields, split_err = strip_whitespace(split_message.fields)
|
||||
if split_err != null {
|
||||
abort
|
||||
}
|
||||
.message, parse_err = parse_key_value(split_message.fields, whitespace: "strict")
|
||||
if parse_err != null {
|
||||
abort
|
||||
}
|
||||
# Add more information about the triggered rule
|
||||
.message.RULE, parse_err = parse_regex(split_message.rule, r'^ipv4-(?P<from_zone>\w+)-(?P<to_zone>\w+)-(?P<id>\w+)-(?P<action>\w+)$')
|
||||
if parse_err != null {
|
||||
abort
|
||||
}
|
||||
|
||||
vyos_firewall_wan_route:
|
||||
type: route
|
||||
inputs: ["vyos_firewall_remap"]
|
||||
route:
|
||||
from_wan: .message.RULE.from_zone == "wan"
|
||||
|
||||
vyos_firewall_geoip_remap:
|
||||
type: remap
|
||||
inputs: ["vyos_firewall_wan_route.from_wan"]
|
||||
source: |
|
||||
.geoip = get_enrichment_table_record!(
|
||||
"geoip_table", {
|
||||
"ip": .message.SRC
|
||||
}
|
||||
)
|
||||
|
||||
#
|
||||
# Sinks
|
||||
#
|
||||
|
||||
sinks:
|
||||
journald:
|
||||
inputs: ["journald_source"]
|
||||
type: loki
|
||||
endpoint: http://loki-gateway.observability.svc.cluster.local
|
||||
encoding: { codec: json }
|
||||
out_of_order_action: accept
|
||||
remove_label_fields: true
|
||||
remove_timestamp: true
|
||||
labels:
|
||||
hostname: '{{ host }}'
|
||||
|
||||
kubernetes:
|
||||
inputs: ["kubernetes_remap"]
|
||||
type: loki
|
||||
endpoint: http://loki-gateway.observability.svc.cluster.local
|
||||
encoding: { codec: json }
|
||||
out_of_order_action: accept
|
||||
remove_label_fields: true
|
||||
remove_timestamp: true
|
||||
labels:
|
||||
app: '{{ custom_app_name }}'
|
||||
namespace: '{{ kubernetes.pod_namespace }}'
|
||||
node: '{{ kubernetes.pod_node_name }}'
|
||||
|
||||
vyos:
|
||||
inputs: ["vyos_source", "vyos_firewall_geoip_remap"]
|
||||
type: loki
|
||||
endpoint: http://loki-gateway.observability.svc.cluster.local
|
||||
encoding: { codec: json }
|
||||
out_of_order_action: accept
|
||||
remove_label_fields: true
|
||||
remove_timestamp: true
|
||||
labels:
|
||||
hostname: '{{ host }}'
|
|
@ -1,9 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
# Pre Flux-Kustomizations
|
||||
- ./namespace.yaml
|
||||
# Flux-Kustomizations
|
||||
- ./openebs/ks.yaml
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: openebs-system
|
||||
annotations:
|
||||
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||
volsync.backube/privileged-movers: "true"
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./storageclass.yaml
|
||||
- ./volumesnapshotclass.yaml
|
|
@ -1,16 +0,0 @@
|
|||
---
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: StorageClass
|
||||
metadata:
|
||||
name: openebs-zfs
|
||||
annotations:
|
||||
storageclass.kubevirt.io/is-default-virt-class: "true"
|
||||
storageclass.kubernetes.io/is-default-class: "true"
|
||||
provisioner: zfs.csi.openebs.io
|
||||
parameters:
|
||||
recordsize: "128k"
|
||||
compression: "off"
|
||||
dedup: "off"
|
||||
fstype: "zfs"
|
||||
poolname: "nahar"
|
||||
allowVolumeExpansion: true
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/snapshot.storage.k8s.io/volumesnapshotclass_v1.json
|
||||
kind: VolumeSnapshotClass
|
||||
apiVersion: snapshot.storage.k8s.io/v1
|
||||
metadata:
|
||||
name: openebs-zfs
|
||||
annotations:
|
||||
snapshot.storage.kubernetes.io/is-default-class: "true"
|
||||
driver: zfs.csi.openebs.io
|
||||
deletionPolicy: Delete
|
|
@ -1,26 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: rook-ceph-dashboard-password
|
||||
stringData:
|
||||
password: ENC[AES256_GCM,data:WWTt7SN6ssndLahsOA1gujEeGAM=,iv:YbHGNN+11wA/MLq9vFVM6v4mhPO58JmwXBDj0Qs7+Wk=,tag:5Xn0tqpiIiEt8ZWZHRTM3w==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzb2ZpaDd0azNHNTJoUTB6
|
||||
VVpKbm94ZEprSHplb2UrQnkzTzdGUEFjcGxBCnhxR1BwNmFIOExtMW5GRkVJWTl5
|
||||
blQzSmZ0Tm5CWTk3N25nUUM0dFpKUTQKLS0tIEgwSHNlVXNRdHZvcE10VzExU0hE
|
||||
L0dGK1lFd0ZSQ0lTcEdMNTBkSDJ6WWsKQuiJmRSLbvmgenlu4F2/CQYCCbZTtS/K
|
||||
nz7NsY2om+mWMvPSvLAp1pOHDAdFW79ggQAiCyslDi9iOkaD8MOnxQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-01-16T23:22:39Z"
|
||||
mac: ENC[AES256_GCM,data:djsWoz/MuUhEKsM03+iaGV/dZUjRAGkiBEz4hROi+rfNWeHLJG2/xXPSKYYgT3h7JOZGh2Gnz7NXiB7TuixlWrAfT2BUBzd+2o9/hzg3xQzLAjApSfZdyap6oafatKxZAR/JHBSw7s0saVNnop9d/DZK4c1Fb1qNKoTrnWqqrF8=,iv:oitjHdZl07CaoBtNtX/sOPLHu7AS/R4YE4TKBJKrUBw=,tag:Br8mBH+mATEwsLzSZmoVYg==,type:str]
|
||||
pgp: []
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.8.1
|
|
@ -6,4 +6,4 @@ resources:
|
|||
# Pre Flux-Kustomizations
|
||||
- ./namespace.yaml
|
||||
# Flux-Kustomizations
|
||||
- ./democratic-csi/ks.yaml
|
||||
- ./system-upgrade-controller/ks.yaml
|
38
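--- a/.archive/system-upgrade/namespace.yaml
+++ b/.archive/system-upgrade/namespace.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system-upgrade
+  annotations:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    volsync.backube/privileged-movers: "true"
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: alert-manager
+  namespace: system-upgrade
+spec:
+  type: alertmanager
+  address: http://alertmanager.observability.svc.cluster.local:9093/api/v2/alerts/
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: alert-manager
+  namespace: system-upgrade
+spec:
+  providerRef:
+    name: alert-manager
+  eventSeverity: error
+  eventSources:
+    - kind: HelmRelease
+      name: "*"
+  exclusionList:
+    - "error.*lookup github\\.com"
+    - "error.*lookup raw\\.githubusercontent\\.com"
+    - "dial.*tcp.*timeout"
+    - "waiting.*socket"
+  suspend: false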
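Review bot: The `volsync.backube/privileged-movers: "true"` annotation on the `system-upgrade` Namespace authorises VolSync to run privileged data-mover pods there, yet nothing in this section or in the controller HelmRelease on this page (an emptyDir plus read-only host certificate directories, no PVC) needs a VolSync mover, so it looks carried over from a namespace template. Drop it unless a ReplicationSource/Destination in this namespace depends on it, or keep it with a why-comment such as `# needed by volsync movers for <pvc> — remove if nothing here is backed up`. Separately, the Provider posts to `alertmanager.observability.svc.cluster.local:9093`, while the Loki and Thanos manifests elsewhere on this page use `alertmanager-operated.observability.svc.cluster.local:9093`; confirm the plain `alertmanager` Service exists, otherwise HelmRelease error alerts for this namespace never arrive.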
@ -0,0 +1,101 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &app system-upgrade-controller
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.5.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
strategy: rollback
|
||||
retries: 3
|
||||
values:
|
||||
controllers:
|
||||
system-upgrade-controller:
|
||||
strategy: RollingUpdate
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: docker.io/rancher/system-upgrade-controller
|
||||
tag: v0.14.2@sha256:3cdbfdd90f814702cefb832fc4bdb09ea93865a4d06c6bafd019d1dc6a9f34c9
|
||||
env:
|
||||
SYSTEM_UPGRADE_CONTROLLER_DEBUG: false
|
||||
SYSTEM_UPGRADE_CONTROLLER_THREADS: 2
|
||||
SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900
|
||||
SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99
|
||||
SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent
|
||||
SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.31.1
|
||||
SYSTEM_UPGRADE_JOB_POD_REPLACEMENT_POLICY: Failed
|
||||
SYSTEM_UPGRADE_JOB_PRIVILEGED: true
|
||||
SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900
|
||||
SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m
|
||||
SYSTEM_UPGRADE_CONTROLLER_NAME: *app
|
||||
SYSTEM_UPGRADE_CONTROLLER_NAMESPACE:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities: { drop: ["ALL"] }
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
defaultPodOptions:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
runAsGroup: 65534
|
||||
seccompProfile: { type: RuntimeDefault }
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
- key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
serviceAccount:
|
||||
create: true
|
||||
name: system-upgrade
|
||||
persistence:
|
||||
tmp:
|
||||
type: emptyDir
|
||||
etc-ssl:
|
||||
type: hostPath
|
||||
hostPath: /etc/ssl
|
||||
hostPathType: DirectoryOrCreate
|
||||
globalMounts:
|
||||
- readOnly: true
|
||||
etc-pki:
|
||||
type: hostPath
|
||||
hostPath: /etc/pki
|
||||
hostPathType: DirectoryOrCreate
|
||||
globalMounts:
|
||||
- readOnly: true
|
||||
etc-ca-certificates:
|
||||
type: hostPath
|
||||
hostPath: /etc/ca-certificates
|
||||
hostPathType: DirectoryOrCreate
|
||||
globalMounts:
|
||||
- readOnly: true
|
|
@ -3,5 +3,5 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./agent
|
||||
- ./aggregator
|
||||
- helmrelease.yaml
|
||||
- rbac.yaml
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: system-upgrade
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: system-upgrade
|
||||
namespace: system-upgrade
|
||||
---
|
||||
apiVersion: talos.dev/v1alpha1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: talos
|
||||
spec:
|
||||
roles:
|
||||
- os:admin
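Review bot: The Talos `ServiceAccount` `talos` carries `roles: [os:admin]`, i.e. unrestricted Talos machine API access (upgrade, reset, reboot) on every node, and it is declared without `metadata.namespace`, so it lands wherever the Flux Kustomization's `targetNamespace` puts it (`system-upgrade`, per ks.yaml on this page). Any principal that can read Secrets in that namespace, or any pod that mounts the generated secret, therefore holds machine admin; the Plans need it, but the blast radius deserves a comment at the definition, e.g. `# os:admin = full Talos machine API; anyone who can read Secrets in this namespace gets it`. The `cluster-admin` binding for the `system-upgrade` ServiceAccount appears to match what upstream system-upgrade-controller ships, so I would not tighten it here, but the same comment should state that both credentials are intentionally broad and that nothing else should be scheduled into this namespace.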
|
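--- a/.archive/system-upgrade/system-upgrade-controller/ks.yaml
+++ b/.archive/system-upgrade/system-upgrade-controller/ks.yaml
@@ -0,0 +1,50 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: &app system-upgrade-controller
+namespace: flux-system
+spec:
+targetNamespace: system-upgrade
+commonMetadata:
+labels:
+app.kubernetes.io/name: *app
+dependsOn:
+- name: node-feature-discovery-rules
+path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/app
+prune: true
+sourceRef:
+kind: GitRepository
+name: theshire
+wait: true
+interval: 30m
+timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: &app system-upgrade-controller-plans
+namespace: flux-system
+spec:
+targetNamespace: system-upgrade
+commonMetadata:
+labels:
+app.kubernetes.io/name: *app
+dependsOn:
+- name: system-upgrade-controller
+path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/plans
+prune: true
+sourceRef:
+kind: GitRepository
+name: theshire
+wait: false
+interval: 30m
+timeout: 5m
+postBuild:
+substitute:
+# renovate: datasource=docker depName=ghcr.io/siderolabs/installer
+TALOS_VERSION: v1.8.2
+# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
+KUBERNETES_VERSION: v1.30.2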
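Review bot: `TALOS_VERSION` and `KUBERNETES_VERSION` under `postBuild.substitute` are the values the Plans in `./plans` act on, so a Renovate bump of either line is presumably a rolling node or cluster upgrade on the next reconcile, yet nothing in this file says so. I would extend the existing markers, e.g. `# renovate: datasource=docker depName=ghcr.io/siderolabs/installer` followed by `# NOTE: bumping this rolls every Talos node via the talos Plan (VERSION_ID NotIn)`, with a matching line for the kubelet entry. The `wait: false` on the plans Kustomization versus `wait: true` on the controller also deserves a word, since a reader may assume Flux waits for the upgrade itself to finish.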
@ -0,0 +1,45 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json
|
||||
apiVersion: upgrade.cattle.io/v1
|
||||
kind: Plan
|
||||
metadata:
|
||||
name: kubernetes
|
||||
spec:
|
||||
version: ${KUBERNETES_VERSION}
|
||||
serviceAccountName: system-upgrade
|
||||
secrets:
|
||||
- name: talos
|
||||
path: /var/run/secrets/talos.dev
|
||||
ignoreUpdates: true
|
||||
concurrency: 1
|
||||
exclusive: true
|
||||
nodeSelector:
|
||||
matchExpressions:
|
||||
- key: feature.node.kubernetes.io/system-os_release.ID
|
||||
operator: In
|
||||
values: ["talos"]
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
prepare: &prepare
|
||||
image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION}
|
||||
envs:
|
||||
- name: NODE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
args:
|
||||
- --nodes=$(NODE_IP)
|
||||
- health
|
||||
- --server=false
|
||||
upgrade:
|
||||
<<: *prepare
|
||||
args:
|
||||
- --nodes=$(NODE_IP)
|
||||
- upgrade-k8s
|
||||
- --to=$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
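Review bot: `image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION}` is a tag-only reference, and the Job it runs is handed the `talos` secret (os:admin) at `/var/run/secrets/talos.dev`, so whatever that tag resolves to at run time receives full control of every node; pinning by digest (`talosctl:${TALOS_VERSION}@sha256:<digest>`, a constructed placeholder) ties the credential to an image you have reviewed, and Renovate can keep the digest current. The same `prepare` anchor is reused by the talos Plan in the following hunk, so the fix applies there too. `nodeSelector` confines the Job to control-plane nodes while `upgrade-k8s` presumably upgrades the whole cluster from that one node; a comment such as `# one control-plane node drives upgrade-k8s for the entire cluster; concurrency: 1 and exclusive: true are load-bearing` would make that explicit.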
|
|
@ -3,4 +3,5 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./prometheusrule.yaml
|
||||
- ./kubernetes.yaml
|
||||
- ./talos.yaml
|
|
@ -0,0 +1,51 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json
|
||||
apiVersion: upgrade.cattle.io/v1
|
||||
kind: Plan
|
||||
metadata:
|
||||
name: talos
|
||||
spec:
|
||||
version: ${TALOS_VERSION}
|
||||
serviceAccountName: system-upgrade
|
||||
secrets:
|
||||
- name: talos
|
||||
path: /var/run/secrets/talos.dev
|
||||
ignoreUpdates: true
|
||||
concurrency: 1
|
||||
exclusive: true
|
||||
nodeSelector:
|
||||
matchExpressions:
|
||||
- key: feature.node.kubernetes.io/system-os_release.ID
|
||||
operator: In
|
||||
values: ["talos"]
|
||||
- key: feature.node.kubernetes.io/system-os_release.VERSION_ID
|
||||
operator: NotIn
|
||||
values: ["${TALOS_VERSION}"]
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
prepare: &prepare
|
||||
image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION}
|
||||
envs:
|
||||
- name: NODE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: TALOS_SCHEMATIC_ID
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations['extensions.talos.dev/schematic']
|
||||
args:
|
||||
- --nodes=$(NODE_IP)
|
||||
- health
|
||||
- --server=false
|
||||
upgrade:
|
||||
<<: *prepare
|
||||
args:
|
||||
- --nodes=$(NODE_IP)
|
||||
- upgrade
|
||||
- --image=factory.talos.dev/installer/$(TALOS_SCHEMATIC_ID):$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
|
||||
- --wait=false
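Review bot: `TALOS_SCHEMATIC_ID` is taken from the node annotation `extensions.talos.dev/schematic` with no fallback, so on a node that lacks the annotation the `--image` argument degrades to `factory.talos.dev/installer/:<version>`; presumably the pull fails rather than a wrong installer being applied, but that outcome is not visible from the Plan and deserves a line above the env entry: `# nodes without the schematic annotation must fail here, never fall back to a vanilla installer`. `--wait=false` also means the Job succeeds before the node has actually upgraded and rebooted, so `concurrency: 1` serialises Job creation rather than reboots; if the `prepare` health step is what is meant to hold back the next node, say so in a comment above `upgrade:`.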
|
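--- a/.archive/vault/app/externalsecret.yaml
+++ b/.archive/vault/app/externalsecret.yaml
@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: vault
+namespace: security
+spec:
+secretStoreRef:
+kind: ClusterSecretStore
+name: onepassword-connect
+target:
+name: vault-secret
+creationPolicy: Owner
+data:
+- secretKey: AWS_SECRET_ACCESS_KEY
+remoteRef:
+key: vault
+property: AWS_SECRET_ACCESS_KEY
+- secretKey: AWS_ACCESS_KEY_ID
+remoteRef:
+key: vault
+property: AWS_ACCESS_KEY_ID
+- secretKey: VAULT_AWSKMS_SEAL_KEY_ID
+remoteRef:
+key: vault
+property: VAULT_AWSKMS_SEAL_KEY_ID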
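Review bot: The three properties synced from the `vault` item are long-lived AWS access keys for the awskms auto-unseal, and nothing here records how narrowly that IAM identity is scoped even though it can unwrap every secret Vault stores. Vault's awskms seal needs only `kms:Encrypt`, `kms:Decrypt` and `kms:DescribeKey` on the key named by `VAULT_AWSKMS_SEAL_KEY_ID`, so a comment above `data:` such as `# IAM user for auto-unseal only; policy limited to kms:Encrypt/Decrypt/DescribeKey on the seal key` lets a reviewer check the policy against the stated intent. No `refreshInterval` is set, so a rotated key reaches the cluster only at the operator's default cadence; worth noting alongside.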
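--- a/.archive/vault/app/helmrelease.yaml
+++ b/.archive/vault/app/helmrelease.yaml
@@ -0,0 +1,141 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+name: vault
+spec:
+interval: 30m
+chart:
+spec:
+chart: vault
+version: 0.28.1
+sourceRef:
+kind: HelmRepository
+name: hashicorp
+namespace: flux-system
+install:
+remediation:
+retries: 3
+upgrade:
+cleanupOnFail: true
+remediation:
+retries: 3
+strategy: uninstall
+values:
+server:
+image:
+repository: public.ecr.aws/hashicorp/vault
+tag: "1.17.5"
+logLevel: "info"
+logFormat: "json"
+ingress:
+enabled: true
+ingressClassName: internal-nginx
+hosts:
+- host: &host "vault.jahanson.tech"
+paths: []
+tls:
+- hosts:
+- *host
+service:
+type: "ClusterIP"
+port: &port 8200
+targetPort: *port
+# off until it's online for the first time
+readinessProbe:
+enabled: true
+path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
+livenessProbe:
+enabled: true
+path: "/v1/sys/health?standbyok=true"
+initialDelaySeconds: 60
+# If you need to use a http path instead of the default exec
+# path: /v1/sys/health?standbyok=true
+# Port number on which readinessProbe will be checked.
+port: *port
+extraEnvironmentVars:
+# This is required because they will lose their values when the pod is upgraded in my experience.
+# Probably a Flux thing.
+VAULT_CLUSTER_ADDR: http://$(HOSTNAME).vault-internal:8201
+extraSecretEnvironmentVars:
+- envName: AWS_SECRET_ACCESS_KEY
+secretName: vault-secret
+secretKey: AWS_SECRET_ACCESS_KEY
+- envName: AWS_ACCESS_KEY_ID
+secretName: vault-secret
+secretKey: AWS_ACCESS_KEY_ID
+- envName: VAULT_AWSKMS_SEAL_KEY_ID
+secretName: vault-secret
+secretKey: VAULT_AWSKMS_SEAL_KEY_ID
+# These are defaults but explicitly set here for clarity.
+dataStorage:
+size: 4Gi
+mountPath: /vault/data
+storageClass: ceph-block
+auditStorage:
+enabled: true
+size: 10Gi
+mountPath: /vault/audit
+storageClass: ceph-block
+# We want high availability. If standalone is true it sets the storage backend to file
+# and the max replicas can only be 1.
+standalone:
+enabled: false
+ha:
+enabled: true
+# maxUnavailable will default to (n/2)-1 where n is the number of replicas
+# so if you have 6 replicas, maxUnavailable will be 2 unless you set it specifically.
+replicas: 3
+config: ""
+raft:
+enabled: true
+config: |
+ui = true
+
+listener "tcp" {
+tls_disable = 1
+address = "[::]:8200"
+cluster_address = "[::]:8201"
+# For prometheus!
+telemetry {
+unauthenticated_metrics_access = "true"
+}
+}
+
+storage "raft" {
+path = "/vault/data"
+retry_join {
+auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault,component=server\" namespace=\"security\""
+auto_join_scheme = "http"
+}
+}
+
+seal "awskms" {
+region = "us-east-2"
+}
+
+service_registration "kubernetes" {}
+statefulSet:
+securityContext:
+pod:
+runAsUser: 568
+runAsGroup: 568
+runAsNonRoot: true
+fsGroup: 568
+fsGroupChangePolicy: OnRootMismatch
+supplementalGroups: [10000]
+container:
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: false
+capabilities:
+drop:
+- "ALL"
+ui:
+enabled: true
+publishNotReadyAddresses: true
+# The service should only contain selectors for active Vault pod
+activeVaultPodOnly: true
+serviceType: "LoadBalancer"
+externalPort: *port
+targetPort: *port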
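Review bot: The listener sets `tls_disable = 1` and the raft `auto_join_scheme = "http"`, so Vault tokens and raft traffic cross the pod network in clear text, and `ui.serviceType: "LoadBalancer"` then exposes that same plaintext API and UI on port 8200 outside the cluster, bypassing the TLS that the `internal-nginx` ingress terminates. If the LoadBalancer is deliberate, a comment above `serviceType` stating the accepted risk and whatever bounds reachability would stop it being read as an oversight; otherwise `ClusterIP` with ingress-only access keeps the clear-text hop inside the cluster. The `# off until it's online for the first time` comment above `readinessProbe` is stale now that both probes are `enabled: true`. `unauthenticated_metrics_access = "true"` also deserves a note that it opens `/v1/sys/metrics` to anyone who can reach the listener.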
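--- a/.archive/vault/app/kustomization.yaml
+++ b/.archive/vault/app/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: security
+resources:
+- ./externalsecret.yaml
+- ./helmrelease.yaml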
@ -3,17 +3,18 @@
|
|||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &appname thelounge
|
||||
name: &app vault
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: default
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *appname
|
||||
interval: 10m
|
||||
path: "./kubernetes/apps/default/thelounge/app"
|
||||
app.kubernetes.io/name: *app
|
||||
interval: 1m
|
||||
path: "./kubernetes/apps/security/vault/app"
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: homelab
|
||||
name: theshire
|
||||
wait: false
|
||||
dependsOn:
|
||||
- name: rook-ceph-cluster
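Review bot: `targetNamespace: default` appears to survive from the thelounge version of this Kustomization (it carries no marker on this rendered page, so I read it as context), while the archived vault `kustomization.yaml` sets `namespace: security`, the ExternalSecret sits in `security`, and the raft `auto_join` selector in `helmrelease.yaml` hard-codes `namespace=\"security\"`. Flux's `targetNamespace` overrides the namespace of everything it applies, so if that line really is unchanged Vault would land in `default` while its peers look for each other in `security`; it should read `targetNamespace: security`. This tree is under `.archive/` so it is not live, but the mismatch will surface the moment it is restored. `interval: 1m` is also far tighter than the 30m the other Kustomizations here use; worth a comment if intentional.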
|
8
.envrc
|
@ -2,6 +2,12 @@
|
|||
export KUBECONFIG="$(expand_path ./kubeconfig)"
|
||||
export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
|
||||
export TALOSCONFIG="$(expand_path ./kubernetes/bootstrap/talos/clusterconfig/talosconfig)"
|
||||
export KREW_ROOT="$(expand_path ~/.krew/bin)";
|
||||
export KREW_ROOT="$(expand_path ~/.krew/bin)"
|
||||
export CLUSTER="theshire"
|
||||
export KUBERNETES_DIR="$(expand_path ./kubernetes)"
|
||||
#export MQTTUI_BROKER="mqtt://10.1.1.38"
|
||||
#export MQTTUI_BROKER=$(op item get "emqx [jahanson]" --fields broker)
|
||||
#export MQTTUI_USERNAME=$(op item get "emqx [jahanson]" --fields username)
|
||||
#export MQTTUI_PASSWORD=$(op item get "emqx [jahanson]" --fields mqtt-password)
|
||||
PATH_add $KREW_ROOT
|
||||
use nix
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
|
||||
name: "Schemas"
|
||||
name: "K8S json Schemas --> Cloudflare R2"
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
|
@ -53,7 +53,7 @@ jobs:
|
|||
with:
|
||||
encodedString: "${{ secrets.MCCONFIG }}"
|
||||
fileName: config.json
|
||||
fileDir: $HOME/.mc
|
||||
fileDir: ${{ env.GITHUB_WORKSPACE }}
|
||||
|
||||
- name: Extracting CRDs to yaml and converting to JSON schema
|
||||
env:
|
||||
|
@ -130,6 +130,9 @@ jobs:
|
|||
rm -rf $TMP_CRD_DIR
|
||||
|
||||
- name: Deploy to Cloudflare R2
|
||||
env:
|
||||
MC_CONFIG_DIR: "${{ steps.mcconfig.outputs.fileDir }}"
|
||||
shell: bash
|
||||
run: |
|
||||
echo $GITHUB_WORKSPACE/crdSchemas/
|
||||
mc cp --recursive $GITHUB_WORKSPACE/crdSchemas/ r2-ks/kubernetes-schema
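Review bot: In the `@ -53,7` hunk the decoded MC config, which carries the R2 credentials from `secrets.MCCONFIG`, is now written as `config.json` under `fileDir: ${{ env.GITHUB_WORKSPACE }}` instead of `$HOME/.mc`; if `GITHUB_WORKSPACE` is not present in the `env` context at expression time the value is empty and the file lands wherever the step's working directory is, and `${{ github.workspace }}` is the documented expression for the checkout path. Writing the credential file into the checkout also puts it next to content later steps read and publish; the `mc cp` in the last hunk copies only `crdSchemas/`, but any future artifact upload or `git add` of the workspace would sweep it up, so a dedicated directory outside the tree, or removing the file in a final `if: always()` step, is safer. The `echo $GITHUB_WORKSPACE/crdSchemas/` line in the deploy step reads as leftover debugging.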
|
||||
|
|
26
.gitignore
vendored
|
@ -1,21 +1,29 @@
|
|||
# OS generated files
|
||||
.DS_Store
|
||||
Thumbs.db
|
||||
|
||||
# Development environments
|
||||
.direnv
|
||||
.private/
|
||||
.idea/
|
||||
.venv/
|
||||
.pytest_cache/
|
||||
|
||||
# Infrastructure and deployment
|
||||
.terraform
|
||||
.direnv
|
||||
*.tfvars
|
||||
kubeconfig*
|
||||
*talosconfig.yaml
|
||||
omniconfig.yaml
|
||||
|
||||
# Security and credentials
|
||||
.private/
|
||||
.decrypted~*
|
||||
*.agekey
|
||||
*.pub
|
||||
*.key
|
||||
*.pem
|
||||
kubeconfig*
|
||||
*talosconfig.yaml
|
||||
omniconfig.yaml
|
||||
*.secrets
|
||||
config.xml
|
||||
.idea/
|
||||
.env
|
||||
.secrets
|
||||
.github
|
||||
|
||||
# syncthing
|
||||
**/*sync-conflict*
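Review bot: `.github` in the new ignore list will not untrack files already committed but silently keeps any new workflow under `.github/` out of `git add`, which is an easy way to lose an edit like the schemas workflow changed earlier in this compare (if that file does live under `.github/`). If the intent is to stop syncing GitHub-specific tooling into this Forgejo repository, a comment above the entry saying so would prevent the next person from deleting it; otherwise drop the entry. `*.pub` is also broader than the "Security and credentials" heading suggests, since public keys are not secrets, while `*.key`, `*.pem` and `*.agekey` already cover private material.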
|
||||
|
|
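--- a/.krmignore
+++ b/.krmignore
@@ -0,0 +1,4 @@
+.archive
+.forgejo
+.git
+.taskfiles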