From 47ba9a89f710face3db870246e757f1526b854bc Mon Sep 17 00:00:00 2001 
From: Raiko Koosaar Date: Thu, 14 Nov 2024 18:40:11 +0000 Subject: [PATCH] Initial commit after reset and multi-cluster folder structure :rocket: --- .../cert-manager/app/helmrelease.yaml | 31 +++++ .../cert-manager/app/kustomization.yaml | 5 + .../cert-manager/issuers/issuers.yaml | 39 +++++++ .../cert-manager/issuers/kustomization.yaml | 6 + .../cert-manager/issuers/secret.sops.yaml | 26 +++++ .../apps/cert-manager/cert-manager/ks.yaml | 40 +++++++ .../main/apps/cert-manager/kustomization.yaml | 6 + .../main/apps/cert-manager/namespace.yaml | 7 ++ .../main/apps/flux-system/kustomization.yaml | 6 + .../main/apps/flux-system/namespace.yaml | 7 ++ .../webhooks/app/github/ingress.yaml | 20 ++++ .../webhooks/app/github/kustomization.yaml | 7 ++ .../webhooks/app/github/receiver.yaml | 25 ++++ .../webhooks/app/github/secret.sops.yaml | 26 +++++ .../webhooks/app/kustomization.yaml | 5 + .../main/apps/flux-system/webhooks/ks.yaml | 19 +++ .../kube-system/cilium/app/helm-values.yaml | 59 ++++++++++ .../kube-system/cilium/app/helmrelease.yaml | 76 ++++++++++++ .../kube-system/cilium/app/kustomization.yaml | 11 ++ .../cilium/app/kustomizeconfig.yaml | 7 ++ .../kube-system/cilium/config/cilium-l3.yaml | 28 +++++ .../cilium/config/kustomization.yaml | 5 + .../main/apps/kube-system/cilium/ks.yaml | 40 +++++++ .../kube-system/coredns/app/helm-values.yaml | 50 ++++++++ .../kube-system/coredns/app/helmrelease.yaml | 26 +++++ .../coredns/app/kustomization.yaml | 11 ++ .../coredns/app/kustomizeconfig.yaml | 7 ++ .../main/apps/kube-system/coredns/ks.yaml | 19 +++ .../kubelet-csr-approver/app/helm-values.yaml | 3 + .../kubelet-csr-approver/app/helmrelease.yaml | 30 +++++ .../app/kustomization.yaml | 11 ++ .../app/kustomizeconfig.yaml | 7 ++ .../kube-system/kubelet-csr-approver/ks.yaml | 19 +++ .../main/apps/kube-system/kustomization.yaml | 11 ++ .../metrics-server/app/helmrelease.yaml | 31 +++++ .../metrics-server/app/kustomization.yaml | 5 + 
.../apps/kube-system/metrics-server/ks.yaml | 19 +++ .../main/apps/kube-system/namespace.yaml | 7 ++ .../kube-system/reloader/app/helmrelease.yaml | 29 +++++ .../reloader/app/kustomization.yaml | 5 + .../main/apps/kube-system/reloader/ks.yaml | 19 +++ .../kube-system/spegel/app/helm-values.yaml | 7 ++ .../kube-system/spegel/app/helmrelease.yaml | 30 +++++ .../kube-system/spegel/app/kustomization.yaml | 11 ++ .../spegel/app/kustomizeconfig.yaml | 7 ++ .../main/apps/kube-system/spegel/ks.yaml | 19 +++ .../cloudflared/app/configs/config.yaml | 10 ++ .../network/cloudflared/app/dnsendpoint.yaml | 10 ++ .../network/cloudflared/app/helmrelease.yaml | 109 ++++++++++++++++++ .../cloudflared/app/kustomization.yaml | 13 +++ .../network/cloudflared/app/secret.sops.yaml | 27 +++++ .../main/apps/network/cloudflared/ks.yaml | 21 ++++ .../network/echo-server/app/helmrelease.yaml | 91 +++++++++++++++ .../echo-server/app/kustomization.yaml | 5 + .../main/apps/network/echo-server/ks.yaml | 19 +++ .../external-dns/cloudflare/helmrelease.yaml | 48 ++++++++ .../cloudflare/kustomization.yaml | 6 + .../external-dns/cloudflare/secret.sops.yaml | 26 +++++ .../main/apps/network/external-dns/ks.yaml | 40 +++++++ .../external-dns/unifi/helmrelease.yaml | 80 +++++++++++++ .../external-dns/unifi/kustomization.yaml | 7 ++ .../external-dns/unifi/secret.sops.yaml | 28 +++++ .../certificates/kustomization.yaml | 6 + .../certificates/production.yaml | 14 +++ .../ingress-nginx/certificates/staging.yaml | 14 +++ .../ingress-nginx/external/helmrelease.yaml | 76 ++++++++++++ .../ingress-nginx/external/kustomization.yaml | 5 + .../ingress-nginx/internal/helmrelease.yaml | 73 ++++++++++++ .../internal/helmrelease.yaml copy | 74 ++++++++++++ .../ingress-nginx/internal/kustomization.yaml | 5 + .../main/apps/network/ingress-nginx/ks.yaml | 63 ++++++++++ .../network/k8s-gateway/app/helmrelease.yaml | 33 ++++++ .../k8s-gateway/app/kustomization.yaml | 5 + .../main/apps/network/k8s-gateway/ks.yaml | 19 +++ 
.../main/apps/network/kustomization.yaml | 10 ++ kubernetes/main/apps/network/namespace.yaml | 7 ++ .../apps/observability/kustomization.yaml | 6 + .../main/apps/observability/namespace.yaml | 7 ++ .../app/helmrelease.yaml | 22 ++++ .../app/kustomization.yaml | 5 + .../prometheus-operator-crds/ks.yaml | 19 +++ .../apps/openebs-system/kustomization.yaml | 6 + .../main/apps/openebs-system/namespace.yaml | 7 ++ .../openebs/app/helmrelease.yaml | 48 ++++++++ .../openebs/app/kustomization.yaml | 5 + .../main/apps/openebs-system/openebs/ks.yaml | 19 +++ .../flux/github-deploy-key.sops.yaml | 28 +++++ .../main/bootstrap/flux/kustomization.yaml | 61 ++++++++++ kubernetes/main/bootstrap/helmfile.yaml | 59 ++++++++++ .../main/bootstrap/talos/patches/README.md | 15 +++ .../talos/patches/controller/api-access.yaml | 8 ++ .../talos/patches/controller/cluster.yaml | 25 ++++ .../disable-admission-controller.yaml | 2 + .../talos/patches/controller/etcd.yaml | 6 + .../patches/global/cluster-discovery.yaml | 7 ++ .../talos/patches/global/containerd.yaml | 12 ++ .../patches/global/disable-search-domain.yaml | 3 + .../bootstrap/talos/patches/global/dns.yaml | 5 + .../talos/patches/global/hostdns.yaml | 6 + .../talos/patches/global/kubelet.yaml | 7 ++ .../bootstrap/talos/patches/global/ntp.yaml | 6 + .../talos/patches/global/openebs-local.yaml | 10 ++ .../talos/patches/global/sysctl.yaml | 7 ++ .../talos/patches/mango/longhorn.yaml | 14 +++ .../talos/patches/melon/longhorn.yaml | 14 +++ .../talos/patches/nectarine/longhorn.yaml | 14 +++ .../main/bootstrap/talos/talconfig.yaml | 82 +++++++++++++ kubernetes/main/flux/apps.yaml | 56 +++++++++ kubernetes/main/flux/config/cluster.yaml | 42 +++++++ kubernetes/main/flux/config/flux.yaml | 86 ++++++++++++++ .../main/flux/config/kustomization.yaml | 6 + .../flux/repositories/git/kustomization.yaml | 4 + .../helm/actions-runner-controller.yaml | 11 ++ .../main/flux/repositories/helm/angelnu.yaml | 11 ++ 
.../repositories/helm/authentik-charts.yaml | 11 ++ .../main/flux/repositories/helm/backube.yaml | 11 ++ .../main/flux/repositories/helm/bitnami.yaml | 11 ++ .../main/flux/repositories/helm/bjw-s.yaml | 11 ++ .../main/flux/repositories/helm/cilium.yaml | 9 ++ .../repositories/helm/cloudnative-pg.yaml | 10 ++ .../main/flux/repositories/helm/coredns.yaml | 10 ++ .../flux/repositories/helm/crossplane.yaml | 10 ++ .../flux/repositories/helm/crunchydata.yaml | 11 ++ .../repositories/helm/csi-driver-nfs.yaml | 10 ++ .../main/flux/repositories/helm/emqx.yaml | 10 ++ .../repositories/helm/external-secrets.yaml | 10 ++ .../main/flux/repositories/helm/grafana.yaml | 11 ++ .../flux/repositories/helm/ingress-nginx.yaml | 10 ++ .../main/flux/repositories/helm/intel.yaml | 11 ++ .../main/flux/repositories/helm/jetstack.yaml | 11 ++ .../flux/repositories/helm/k8s-gateway.yaml | 9 ++ .../main/flux/repositories/helm/k8tz.yaml | 11 ++ .../helm/kubernetes-sigs-descheduler.yaml | 10 ++ .../helm/kubernetes-sigs-external-dns.yaml | 9 ++ .../helm/kubernetes-sigs-metrics-server.yaml | 10 ++ .../helm/kubernetes-sigs-nfd.yaml | 11 ++ .../flux/repositories/helm/kustomization.yaml | 40 +++++++ .../main/flux/repositories/helm/kyverno.yaml | 11 ++ .../main/flux/repositories/helm/longhorn.yaml | 11 ++ .../repositories/helm/mariadb-operator.yaml | 10 ++ ...fs-subdir-external-provisioner-charts.yaml | 11 ++ .../main/flux/repositories/helm/openebs.yaml | 11 ++ .../main/flux/repositories/helm/piraeus.yaml | 10 ++ .../flux/repositories/helm/postfinance.yaml | 11 ++ .../helm/prometheus-community.yaml | 10 ++ .../main/flux/repositories/helm/spegel.yaml | 10 ++ .../main/flux/repositories/helm/stakater.yaml | 10 ++ .../flux/repositories/helm/stevehipwell.yaml | 12 ++ .../main/flux/repositories/kustomization.yaml | 7 ++ .../flux/repositories/oci/kustomization.yaml | 4 + .../main/flux/vars/cluster-secrets.sops.yaml | 29 +++++ .../main/flux/vars/cluster-settings.yaml | 8 ++ 
kubernetes/main/flux/vars/kustomization.yaml | 5 + 153 files changed, 3016 insertions(+) create mode 100644 kubernetes/main/apps/cert-manager/cert-manager/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/cert-manager/cert-manager/app/kustomization.yaml create mode 100644 kubernetes/main/apps/cert-manager/cert-manager/issuers/issuers.yaml create mode 100644 kubernetes/main/apps/cert-manager/cert-manager/issuers/kustomization.yaml create mode 100644 kubernetes/main/apps/cert-manager/cert-manager/issuers/secret.sops.yaml create mode 100644 kubernetes/main/apps/cert-manager/cert-manager/ks.yaml create mode 100644 kubernetes/main/apps/cert-manager/kustomization.yaml create mode 100644 kubernetes/main/apps/cert-manager/namespace.yaml create mode 100644 kubernetes/main/apps/flux-system/kustomization.yaml create mode 100644 kubernetes/main/apps/flux-system/namespace.yaml create mode 100644 kubernetes/main/apps/flux-system/webhooks/app/github/ingress.yaml create mode 100644 kubernetes/main/apps/flux-system/webhooks/app/github/kustomization.yaml create mode 100644 kubernetes/main/apps/flux-system/webhooks/app/github/receiver.yaml create mode 100644 kubernetes/main/apps/flux-system/webhooks/app/github/secret.sops.yaml create mode 100644 kubernetes/main/apps/flux-system/webhooks/app/kustomization.yaml create mode 100644 kubernetes/main/apps/flux-system/webhooks/ks.yaml create mode 100644 kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml create mode 100644 kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/kube-system/cilium/app/kustomization.yaml create mode 100644 kubernetes/main/apps/kube-system/cilium/app/kustomizeconfig.yaml create mode 100644 kubernetes/main/apps/kube-system/cilium/config/cilium-l3.yaml create mode 100644 kubernetes/main/apps/kube-system/cilium/config/kustomization.yaml create mode 100644 kubernetes/main/apps/kube-system/cilium/ks.yaml create mode 100644 
kubernetes/main/apps/kube-system/coredns/app/helm-values.yaml create mode 100644 kubernetes/main/apps/kube-system/coredns/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/kube-system/coredns/app/kustomization.yaml create mode 100644 kubernetes/main/apps/kube-system/coredns/app/kustomizeconfig.yaml create mode 100644 kubernetes/main/apps/kube-system/coredns/ks.yaml create mode 100644 kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml create mode 100644 kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml create mode 100644 kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml create mode 100644 kubernetes/main/apps/kube-system/kubelet-csr-approver/ks.yaml create mode 100644 kubernetes/main/apps/kube-system/kustomization.yaml create mode 100644 kubernetes/main/apps/kube-system/metrics-server/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/kube-system/metrics-server/app/kustomization.yaml create mode 100644 kubernetes/main/apps/kube-system/metrics-server/ks.yaml create mode 100644 kubernetes/main/apps/kube-system/namespace.yaml create mode 100644 kubernetes/main/apps/kube-system/reloader/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/kube-system/reloader/app/kustomization.yaml create mode 100644 kubernetes/main/apps/kube-system/reloader/ks.yaml create mode 100644 kubernetes/main/apps/kube-system/spegel/app/helm-values.yaml create mode 100644 kubernetes/main/apps/kube-system/spegel/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/kube-system/spegel/app/kustomization.yaml create mode 100644 kubernetes/main/apps/kube-system/spegel/app/kustomizeconfig.yaml create mode 100644 kubernetes/main/apps/kube-system/spegel/ks.yaml create mode 100644 kubernetes/main/apps/network/cloudflared/app/configs/config.yaml create mode 100644 
kubernetes/main/apps/network/cloudflared/app/dnsendpoint.yaml create mode 100644 kubernetes/main/apps/network/cloudflared/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/network/cloudflared/app/kustomization.yaml create mode 100644 kubernetes/main/apps/network/cloudflared/app/secret.sops.yaml create mode 100644 kubernetes/main/apps/network/cloudflared/ks.yaml create mode 100644 kubernetes/main/apps/network/echo-server/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/network/echo-server/app/kustomization.yaml create mode 100644 kubernetes/main/apps/network/echo-server/ks.yaml create mode 100644 kubernetes/main/apps/network/external-dns/cloudflare/helmrelease.yaml create mode 100644 kubernetes/main/apps/network/external-dns/cloudflare/kustomization.yaml create mode 100644 kubernetes/main/apps/network/external-dns/cloudflare/secret.sops.yaml create mode 100644 kubernetes/main/apps/network/external-dns/ks.yaml create mode 100644 kubernetes/main/apps/network/external-dns/unifi/helmrelease.yaml create mode 100644 kubernetes/main/apps/network/external-dns/unifi/kustomization.yaml create mode 100644 kubernetes/main/apps/network/external-dns/unifi/secret.sops.yaml create mode 100644 kubernetes/main/apps/network/ingress-nginx/certificates/kustomization.yaml create mode 100644 kubernetes/main/apps/network/ingress-nginx/certificates/production.yaml create mode 100644 kubernetes/main/apps/network/ingress-nginx/certificates/staging.yaml create mode 100644 kubernetes/main/apps/network/ingress-nginx/external/helmrelease.yaml create mode 100644 kubernetes/main/apps/network/ingress-nginx/external/kustomization.yaml create mode 100644 kubernetes/main/apps/network/ingress-nginx/internal/helmrelease.yaml create mode 100644 kubernetes/main/apps/network/ingress-nginx/internal/helmrelease.yaml copy create mode 100644 kubernetes/main/apps/network/ingress-nginx/internal/kustomization.yaml create mode 100644 kubernetes/main/apps/network/ingress-nginx/ks.yaml create 
mode 100644 kubernetes/main/apps/network/k8s-gateway/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/network/k8s-gateway/app/kustomization.yaml create mode 100644 kubernetes/main/apps/network/k8s-gateway/ks.yaml create mode 100644 kubernetes/main/apps/network/kustomization.yaml create mode 100644 kubernetes/main/apps/network/namespace.yaml create mode 100644 kubernetes/main/apps/observability/kustomization.yaml create mode 100644 kubernetes/main/apps/observability/namespace.yaml create mode 100644 kubernetes/main/apps/observability/prometheus-operator-crds/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/observability/prometheus-operator-crds/app/kustomization.yaml create mode 100644 kubernetes/main/apps/observability/prometheus-operator-crds/ks.yaml create mode 100644 kubernetes/main/apps/openebs-system/kustomization.yaml create mode 100644 kubernetes/main/apps/openebs-system/namespace.yaml create mode 100644 kubernetes/main/apps/openebs-system/openebs/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/openebs-system/openebs/app/kustomization.yaml create mode 100644 kubernetes/main/apps/openebs-system/openebs/ks.yaml create mode 100644 kubernetes/main/bootstrap/flux/github-deploy-key.sops.yaml create mode 100644 kubernetes/main/bootstrap/flux/kustomization.yaml create mode 100644 kubernetes/main/bootstrap/helmfile.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/README.md create mode 100644 kubernetes/main/bootstrap/talos/patches/controller/api-access.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/controller/cluster.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/controller/disable-admission-controller.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/controller/etcd.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/global/cluster-discovery.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/global/containerd.yaml create mode 100644 
kubernetes/main/bootstrap/talos/patches/global/disable-search-domain.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/global/dns.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/global/kubelet.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/global/ntp.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/global/openebs-local.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/global/sysctl.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/mango/longhorn.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/melon/longhorn.yaml create mode 100644 kubernetes/main/bootstrap/talos/patches/nectarine/longhorn.yaml create mode 100644 kubernetes/main/bootstrap/talos/talconfig.yaml create mode 100644 kubernetes/main/flux/apps.yaml create mode 100644 kubernetes/main/flux/config/cluster.yaml create mode 100644 kubernetes/main/flux/config/flux.yaml create mode 100644 kubernetes/main/flux/config/kustomization.yaml create mode 100644 kubernetes/main/flux/repositories/git/kustomization.yaml create mode 100644 kubernetes/main/flux/repositories/helm/actions-runner-controller.yaml create mode 100644 kubernetes/main/flux/repositories/helm/angelnu.yaml create mode 100644 kubernetes/main/flux/repositories/helm/authentik-charts.yaml create mode 100644 kubernetes/main/flux/repositories/helm/backube.yaml create mode 100644 kubernetes/main/flux/repositories/helm/bitnami.yaml create mode 100644 kubernetes/main/flux/repositories/helm/bjw-s.yaml create mode 100644 kubernetes/main/flux/repositories/helm/cilium.yaml create mode 100644 kubernetes/main/flux/repositories/helm/cloudnative-pg.yaml create mode 100644 kubernetes/main/flux/repositories/helm/coredns.yaml create mode 100644 kubernetes/main/flux/repositories/helm/crossplane.yaml create mode 100644 kubernetes/main/flux/repositories/helm/crunchydata.yaml create mode 100644 
kubernetes/main/flux/repositories/helm/csi-driver-nfs.yaml create mode 100644 kubernetes/main/flux/repositories/helm/emqx.yaml create mode 100644 kubernetes/main/flux/repositories/helm/external-secrets.yaml create mode 100644 kubernetes/main/flux/repositories/helm/grafana.yaml create mode 100644 kubernetes/main/flux/repositories/helm/ingress-nginx.yaml create mode 100644 kubernetes/main/flux/repositories/helm/intel.yaml create mode 100644 kubernetes/main/flux/repositories/helm/jetstack.yaml create mode 100644 kubernetes/main/flux/repositories/helm/k8s-gateway.yaml create mode 100644 kubernetes/main/flux/repositories/helm/k8tz.yaml create mode 100644 kubernetes/main/flux/repositories/helm/kubernetes-sigs-descheduler.yaml create mode 100644 kubernetes/main/flux/repositories/helm/kubernetes-sigs-external-dns.yaml create mode 100644 kubernetes/main/flux/repositories/helm/kubernetes-sigs-metrics-server.yaml create mode 100644 kubernetes/main/flux/repositories/helm/kubernetes-sigs-nfd.yaml create mode 100644 kubernetes/main/flux/repositories/helm/kustomization.yaml create mode 100644 kubernetes/main/flux/repositories/helm/kyverno.yaml create mode 100644 kubernetes/main/flux/repositories/helm/longhorn.yaml create mode 100644 kubernetes/main/flux/repositories/helm/mariadb-operator.yaml create mode 100644 kubernetes/main/flux/repositories/helm/nfs-subdir-external-provisioner-charts.yaml create mode 100644 kubernetes/main/flux/repositories/helm/openebs.yaml create mode 100644 kubernetes/main/flux/repositories/helm/piraeus.yaml create mode 100644 kubernetes/main/flux/repositories/helm/postfinance.yaml create mode 100644 kubernetes/main/flux/repositories/helm/prometheus-community.yaml create mode 100644 kubernetes/main/flux/repositories/helm/spegel.yaml create mode 100644 kubernetes/main/flux/repositories/helm/stakater.yaml create mode 100644 kubernetes/main/flux/repositories/helm/stevehipwell.yaml create mode 100644 kubernetes/main/flux/repositories/kustomization.yaml create 
mode 100644 kubernetes/main/flux/repositories/oci/kustomization.yaml
create mode 100644 kubernetes/main/flux/vars/cluster-secrets.sops.yaml
create mode 100644 kubernetes/main/flux/vars/cluster-settings.yaml
create mode 100644 kubernetes/main/flux/vars/kustomization.yaml
diff --git a/kubernetes/main/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/main/apps/cert-manager/cert-manager/app/helmrelease.yaml
new file mode 100644
index 00000000..9d479bdf
--- /dev/null
+++ b/kubernetes/main/apps/cert-manager/cert-manager/app/helmrelease.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cert-manager
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cert-manager
+ version: v1.16.1
+ sourceRef:
+ kind: HelmRepository
+ name: jetstack
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ crds:
+ enabled: true
+ dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
+ dns01RecursiveNameserversOnly: true
+ prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: true
diff --git a/kubernetes/main/apps/cert-manager/cert-manager/app/kustomization.yaml b/kubernetes/main/apps/cert-manager/cert-manager/app/kustomization.yaml
new file mode 100644
index 00000000..5dd7baca
--- /dev/null
+++ b/kubernetes/main/apps/cert-manager/cert-manager/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/main/apps/cert-manager/cert-manager/issuers/issuers.yaml b/kubernetes/main/apps/cert-manager/cert-manager/issuers/issuers.yaml
new file mode 100644
index 00000000..1cf7148a
--- /dev/null
+++ b/kubernetes/main/apps/cert-manager/cert-manager/issuers/issuers.yaml
@@ -0,0 +1,39 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-production
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: "${SECRET_ACME_EMAIL}"
+ privateKeySecretRef:
+ name: letsencrypt-production
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ name: cert-manager-secret
+ key: api-token
+ selector:
+ dnsZones:
+ - "${SECRET_DOMAIN}"
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: "${SECRET_ACME_EMAIL}"
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ name: cert-manager-secret
+ key: api-token
+ selector:
+ dnsZones:
+ - "${SECRET_DOMAIN}"
diff --git a/kubernetes/main/apps/cert-manager/cert-manager/issuers/kustomization.yaml b/kubernetes/main/apps/cert-manager/cert-manager/issuers/kustomization.yaml
new file mode 100644
index 00000000..17754be6
--- /dev/null
+++ b/kubernetes/main/apps/cert-manager/cert-manager/issuers/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secret.sops.yaml
+ - ./issuers.yaml
diff --git a/kubernetes/main/apps/cert-manager/cert-manager/issuers/secret.sops.yaml b/kubernetes/main/apps/cert-manager/cert-manager/issuers/secret.sops.yaml
new file mode 100644
index 00000000..0708dedc
--- /dev/null
+++ b/kubernetes/main/apps/cert-manager/cert-manager/issuers/secret.sops.yaml
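Review bot: Both ClusterIssuers in this hunk read the same Cloudflare token from `cert-manager-secret` / `api-token`, and nothing records how that token is scoped; a token with account-wide or multi-zone permissions turns a compromise of the cert-manager namespace into a DNS-takeover credential for everything the token can touch. I would add a comment above the first `solvers:` entry, `# Cloudflare API token: scope to Zone:DNS:Edit (plus Zone:Zone:Read) on ${SECRET_DOMAIN} only; shared by both issuers`, and confirm the token was actually created with that scope. Note that the `selector.dnsZones` entry only decides which challenges this solver handles — it does not constrain what the token itself is allowed to do in Cloudflare.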
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cert-manager-secret +stringData: + api-token: ENC[AES256_GCM,data:9FrYCjhfdParNTjYFytXLatUWVkXoda3yUMb7PDJTzmVjlyjGRSnrw==,iv:DFy7yg2bCapDAuvoU9blucqelEU0firrd+1/R26PtRI=,tag:mkjsxptT5Nj7wfuN+/u9cA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10x2a6rhd5v9kd5w4cn9jemdxch7ecsltw3mpynx4gttcdpsqhumqtkh6kf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQ2hlSmxjaFVZRmM3TTdK + bGlDSVBRa2txRjR1aGRwVk00dTdIeDlZVTEwCmJMeUhuOWlEZm1Zd0JnTnlxeW5W + VTBjYmU5WHZqUzZSSmpvaUIwcVYrc3cKLS0tIFJJazZDRytrMGp2MFNGTEh5cFpR + b2xiVGJ3QXR6SFRrYnRSM3RveXhBd28KPCJq2PnGyvYncdMNa6tV9eECJ0azJJNF + qv3jfz50O/5q4XFPH1rNjzWYqwRA7EEUTXLfaK/Vh2v4T5dJRrnK5g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-14T18:39:10Z" + mac: ENC[AES256_GCM,data:JrDoviqwAWXWKrJXOXcSzDlCu9o3pOV9F8dXqZSu10GVzCPudBKTWgP0yy9vvOTtvjAmYIRuN/nTOl8H/mCHNcdRNw6uT3wwuapttOLSLJ1Z27SzqO81nEXknpz53B2dEOoRxrJwjQrElBqcTY5t9reEiVumnFb38ailYyDn/2g=,iv:/R+RZfeCPk/bBJBmAhhWXZy0jN7tJubfkYJjxXNnldo=,tag:RQ/YUCfjfXzzFxyqlWu4jQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/main/apps/cert-manager/cert-manager/ks.yaml b/kubernetes/main/apps/cert-manager/cert-manager/ks.yaml new file mode 100644 index 00000000..96a590b3 --- /dev/null +++ b/kubernetes/main/apps/cert-manager/cert-manager/ks.yaml 
@@ -0,0 +1,40 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cert-manager
+ namespace: flux-system
+spec:
+ targetNamespace: cert-manager
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/main/apps/cert-manager/cert-manager/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ timeout: 5m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cert-manager-issuers
+ namespace: flux-system
+spec:
+ targetNamespace: cert-manager
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: cert-manager
+ path: ./kubernetes/main/apps/cert-manager/cert-manager/issuers
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ timeout: 5m
diff --git a/kubernetes/main/apps/cert-manager/kustomization.yaml b/kubernetes/main/apps/cert-manager/kustomization.yaml
new file mode 100644
index 00000000..a0a3e5ed
--- /dev/null
+++ b/kubernetes/main/apps/cert-manager/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./cert-manager/ks.yaml
diff --git a/kubernetes/main/apps/cert-manager/namespace.yaml b/kubernetes/main/apps/cert-manager/namespace.yaml
new file mode 100644
index 00000000..ed788350
--- /dev/null
+++ b/kubernetes/main/apps/cert-manager/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/main/apps/flux-system/kustomization.yaml b/kubernetes/main/apps/flux-system/kustomization.yaml
new file mode 100644
index 00000000..10587f8c
--- /dev/null
+++ b/kubernetes/main/apps/flux-system/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./webhooks/ks.yaml
diff --git a/kubernetes/main/apps/flux-system/namespace.yaml b/kubernetes/main/apps/flux-system/namespace.yaml
new file mode 100644
index 00000000..b48db452
--- /dev/null
+++ b/kubernetes/main/apps/flux-system/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: flux-system
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/main/apps/flux-system/webhooks/app/github/ingress.yaml b/kubernetes/main/apps/flux-system/webhooks/app/github/ingress.yaml
new file mode 100644
index 00000000..e20604f0
--- /dev/null
+++ b/kubernetes/main/apps/flux-system/webhooks/app/github/ingress.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: flux-webhook
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}"
+spec:
+ ingressClassName: external
+ rules:
+ - host: "flux-webhook.${SECRET_DOMAIN}"
+ http:
+ paths:
+ - path: /hook/
+ pathType: Prefix
+ backend:
+ service:
+ name: webhook-receiver
+ port:
+ number: 80
diff --git a/kubernetes/main/apps/flux-system/webhooks/app/github/kustomization.yaml b/kubernetes/main/apps/flux-system/webhooks/app/github/kustomization.yaml
new file mode 100644
index 00000000..786e654a
--- /dev/null
+++ b/kubernetes/main/apps/flux-system/webhooks/app/github/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secret.sops.yaml
+ - ./ingress.yaml
+ - ./receiver.yaml
diff --git a/kubernetes/main/apps/flux-system/webhooks/app/github/receiver.yaml b/kubernetes/main/apps/flux-system/webhooks/app/github/receiver.yaml
new file mode 100644
index 00000000..cca5931b
--- /dev/null
+++ b/kubernetes/main/apps/flux-system/webhooks/app/github/receiver.yaml
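Review bot: The `flux-webhook` Ingress publishes the Flux receiver on the `external` ingress class with no `tls` section and no source restriction, so the only protection on `/hook/` is the receiver's per-resource URL digest plus the HMAC check against `github-webhook-token-secret`. That is the intended way to expose a Flux Receiver, but the manifest should say so and name the TLS assumption, e.g. above `spec:`: `# Public endpoint: auth is the receiver URL digest + GitHub HMAC; TLS is terminated by the external ingress default cert / tunnel in front of it — confirm`. If the external ingress does see real client addresses (it may not if traffic arrives through the cloudflared tunnel added elsewhere in this commit), adding `nginx.ingress.kubernetes.io/whitelist-source-range` with GitHub's published hook ranges would cut the exposure to signature-forgery attempts from the whole internet.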
@@ -0,0 +1,25 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: github-receiver
+spec:
+ type: github
+ events:
+ - ping
+ - push
+ secretRef:
+ name: github-webhook-token-secret
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1
+ kind: GitRepository
+ name: home-kubernetes
+ namespace: flux-system
+ - apiVersion: kustomize.toolkit.fluxcd.io/v1
+ kind: Kustomization
+ name: cluster
+ namespace: flux-system
+ - apiVersion: kustomize.toolkit.fluxcd.io/v1
+ kind: Kustomization
+ name: cluster-apps
+ namespace: flux-system
diff --git a/kubernetes/main/apps/flux-system/webhooks/app/github/secret.sops.yaml b/kubernetes/main/apps/flux-system/webhooks/app/github/secret.sops.yaml
new file mode 100644
index 00000000..dd53c44f
--- /dev/null
+++ b/kubernetes/main/apps/flux-system/webhooks/app/github/secret.sops.yaml
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Secret +metadata: + name: github-webhook-token-secret +stringData: + token: ENC[AES256_GCM,data:xETCSkV/Znd+wNCY7Eia9oiUdnIo8nbe6uxtfgSGgn8=,iv:azPN0l942kwuddYVQvkaOuTQmWkgcTauK8SNSTUrdE8=,tag:FMO+Uh9DyEkI3r2wwYR43A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10x2a6rhd5v9kd5w4cn9jemdxch7ecsltw3mpynx4gttcdpsqhumqtkh6kf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTy9Xeld2YUo3RmJMNVJZ + ZkNMWXpUTEVOcHVLNkdDdXQ0V2U0S2ZuZUFzCjhtZ1ptZmFwM3JpR2V0TWJsVldl + cmErMjNOajlHdGx2aWRhYmpFWFB6bUkKLS0tIGtjS0RyVDRoNXFZc2RURlBTTzBn + TzE3dDdMV0NZS1NDVFBTYU95Yko4aU0KJZzWs5fBpE8UGyxewETP92wtXLw2JI8B + UAEMm9qrCDXS9afJsDG+8X+IX3qUCFEVTQf3xULvWIo9H1s36M+CDg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-14T18:39:10Z" + mac: ENC[AES256_GCM,data:G5XAH/N6v7/cDDUe+3ZWwe8UzyKa3zMYB5xCnVdxmmV8XjTtQp2d0PPv5rp9KOT3L437O8Y1amV+CE3cK0wLG163WLUpp9BLK33MuHkb/AVBH1imgnbV/O/Lm6qLtjGMgMIWRf1rRAinQfMIILosmVKRSGYTgH+QZdqu/bm9H2A=,iv:3Y/HI4bBEy8YoytEnXKz4ICf1NXQjD99Rvy9CCx0pqc=,tag:60ZuFeCGykBWjE5Qu3j/3w==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/main/apps/flux-system/webhooks/app/kustomization.yaml b/kubernetes/main/apps/flux-system/webhooks/app/kustomization.yaml new file mode 100644 index 00000000..ccd8b3eb --- /dev/null +++ b/kubernetes/main/apps/flux-system/webhooks/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./github diff --git a/kubernetes/main/apps/flux-system/webhooks/ks.yaml b/kubernetes/main/apps/flux-system/webhooks/ks.yaml new file mode 100644 index 00000000..f3416af2 --- /dev/null +++ b/kubernetes/main/apps/flux-system/webhooks/ks.yaml 
@@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app flux-webhooks + namespace: flux-system +spec: + targetNamespace: flux-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/flux-system/webhooks/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: true + interval: 30m + timeout: 5m diff --git a/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml b/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml new file mode 100644 index 00000000..051b54f0 --- /dev/null +++ b/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml @@ -0,0 +1,59 @@ +--- +autoDirectNodeRoutes: true +bgpControlPlane: + enabled: true +bpf: + masquerade: false # Required for Talos `.machine.features.hostDNS.forwardKubeDNSToHost` +cgroup: + automount: + enabled: false + hostRoot: /sys/fs/cgroup +cluster: + id: 1 + name: "home-kubernetes" +cni: + exclusive: false +# NOTE: devices might need to be set if you have more than one active NIC on your hosts +# devices: eno+ eth+ +endpointRoutes: + enabled: true +envoy: + enabled: false +hubble: + enabled: false +ipam: + mode: kubernetes +ipv4NativeRoutingCIDR: "10.69.0.0/16" +k8sServiceHost: 127.0.0.1 +k8sServicePort: 7445 +kubeProxyReplacement: true +kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 +l2announcements: + enabled: false # https://github.com/cilium/cilium/issues/28985 +loadBalancer: + algorithm: maglev + mode: "dsr" +localRedirectPolicy: true +operator: + replicas: 1 + rollOutPods: true +rollOutCiliumPods: true +routingMode: native +securityContext: + capabilities: + ciliumAgent: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + cleanCiliumState: + - NET_ADMIN + - SYS_ADMIN + - SYS_RESOURCE 
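Review bot: `hubble.enabled: false` in this values file is contradicted by the inline `values.hubble.enabled: true` in the sibling cilium helmrelease.yaml, and Flux merges `valuesFrom` first and `values` on top, so the HelmRelease wins and Hubble (with relay and the UI) is effectively on. Keep one source of truth: either delete the `hubble:` stanza here or mark it `hubble:` / `  enabled: false # overridden by values.hubble in helmrelease.yaml`. The same precedence applies to any other key that ends up in both places, so a reader of this file alone cannot trust it as the effective configuration.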
diff --git a/kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml new file mode 100644 index 00000000..7f6f48be --- /dev/null +++ b/kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml @@ -0,0 +1,76 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cilium +spec: + interval: 30m + chart: + spec: + chart: cilium + version: 1.16.3 + sourceRef: + kind: HelmRepository + name: cilium + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + valuesFrom: + - kind: ConfigMap + name: cilium-helm-values + values: + hubble: + enabled: true + metrics: + enabled: + - dns:query + - drop + - tcp + - flow + - port-distribution + - icmp + - http + serviceMonitor: + enabled: true + dashboards: + enabled: true + annotations: + grafana_folder: Cilium + relay: + enabled: true + rollOutPods: true + prometheus: + serviceMonitor: + enabled: true + ui: + enabled: true + rollOutPods: true + ingress: + enabled: true + annotations: + external-dns.alpha.kubernetes.io/target: "internal.${SECRET_DOMAIN}" + className: internal + hosts: ["hubble.${SECRET_DOMAIN}"] + operator: + prometheus: + enabled: true + serviceMonitor: + enabled: true + dashboards: + enabled: true + annotations: + grafana_folder: Cilium + prometheus: + enabled: true + serviceMonitor: + enabled: true + trustCRDsExist: true + dashboards: + enabled: true + annotations: + grafana_folder: Cilium diff --git a/kubernetes/main/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/main/apps/kube-system/cilium/app/kustomization.yaml new file mode 100644 index 00000000..b4f3860b --- /dev/null +++ b/kubernetes/main/apps/kube-system/cilium/app/kustomization.yaml 
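Review bot: `hubble.ui.ingress` publishes the Hubble UI on `hubble.${SECRET_DOMAIN}` with no authentication configured on the ingress, and the UI shows live flows, service names and policy verdicts for every namespace. Whether that is acceptable depends on who can reach the `internal` ingress class, which is not visible here; if it is reachable from a general LAN, front it with an auth-capable ingress annotation or an allowlist and record the decision in a comment above `ingress:`. Separately, `upgrade.remediation` here lacks the `strategy: rollback` that the coredns release in this commit sets; worth aligning so a failed Cilium upgrade is rolled back rather than left half-applied.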
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+configMapGenerator:
+ - name: cilium-helm-values
+ files:
+ - values.yaml=./helm-values.yaml
+configurations:
+ - kustomizeconfig.yaml
diff --git a/kubernetes/main/apps/kube-system/cilium/app/kustomizeconfig.yaml b/kubernetes/main/apps/kube-system/cilium/app/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/kubernetes/main/apps/kube-system/cilium/app/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+ - kind: ConfigMap
+ version: v1
+ fieldSpecs:
+ - path: spec/valuesFrom/name
+ kind: HelmRelease
diff --git a/kubernetes/main/apps/kube-system/cilium/config/cilium-l3.yaml b/kubernetes/main/apps/kube-system/cilium/config/cilium-l3.yaml
new file mode 100644
index 00000000..77b01f3b
--- /dev/null
+++ b/kubernetes/main/apps/kube-system/cilium/config/cilium-l3.yaml
@@ -0,0 +1,28 @@
+---
+# https://docs.cilium.io/en/latest/network/bgp-control-plane/
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeeringPolicy
+metadata:
+ name: l3-policy
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/os: linux
+ virtualRouters:
+ - localASN: 64512
+ neighbors:
+ - peerAddress: "10.1.0.1/32"
+ peerASN: 64512
+ peerPort: 179
+ serviceSelector:
+ matchExpressions:
+ - {key: somekey, operator: NotIn, values: ['never-used-value']}
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+ name: l3-pool
+spec:
+ allowFirstLastIPs: "Yes"
+ blocks:
+ - cidr: "10.45.0.0/16"
diff --git a/kubernetes/main/apps/kube-system/cilium/config/kustomization.yaml b/kubernetes/main/apps/kube-system/cilium/config/kustomization.yaml
new file mode 100644
index 00000000..ac8cb7b5
--- /dev/null
+++ b/kubernetes/main/apps/kube-system/cilium/config/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./cilium-l3.yaml
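Review bot: The BGP neighbor at `peerAddress: "10.1.0.1/32"` in cilium-l3.yaml has no session authentication, so the iBGP session that advertises the whole `10.45.0.0/16` pool is protected only by the peer's source address and ASN. If the upstream router supports TCP MD5, set `authSecretRef` on the neighbor and keep the shared secret in a sops-encrypted Secret like the others in this commit; if it does not, say so in a comment so the omission is visibly deliberate. The `serviceSelector` with `NotIn never-used-value` is the documented idiom for "advertise every LoadBalancer service", which deserves a one-line comment, e.g. `# matches all services; narrow this if only some LB IPs should be announced`.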
diff --git a/kubernetes/main/apps/kube-system/cilium/ks.yaml b/kubernetes/main/apps/kube-system/cilium/ks.yaml
new file mode 100644
index 00000000..219b8c7d
--- /dev/null
+++ b/kubernetes/main/apps/kube-system/cilium/ks.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cilium
+ namespace: flux-system
+spec:
+ targetNamespace: kube-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/main/apps/kube-system/cilium/app
+ prune: false # never should be deleted
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ timeout: 5m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cilium-config
+ namespace: flux-system
+spec:
+ targetNamespace: kube-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: cilium
+ path: ./kubernetes/main/apps/kube-system/cilium/config
+ prune: false # never should be deleted
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ timeout: 5m
diff --git a/kubernetes/main/apps/kube-system/coredns/app/helm-values.yaml b/kubernetes/main/apps/kube-system/coredns/app/helm-values.yaml
new file mode 100644
index 00000000..22da0298
--- /dev/null
+++ b/kubernetes/main/apps/kube-system/coredns/app/helm-values.yaml
@@ -0,0 +1,50 @@ +--- +fullnameOverride: coredns +k8sAppLabelOverride: kube-dns +serviceAccount: + create: true +service: + name: kube-dns + clusterIP: "10.96.0.10" +servers: + - zones: + - zone: . + scheme: dns:// + use_tcp: true + port: 53 + plugins: + - name: errors + - name: health + configBlock: |- + lameduck 5s + - name: ready + - name: log + configBlock: |- + class error + - name: prometheus + parameters: 0.0.0.0:9153 + - name: kubernetes + parameters: cluster.local in-addr.arpa ip6.arpa + configBlock: |- + pods insecure + fallthrough in-addr.arpa ip6.arpa + - name: forward + parameters: . /etc/resolv.conf + - name: cache + parameters: 30 + - name: loop + - name: reload + - name: loadbalance +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists +tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule diff --git a/kubernetes/main/apps/kube-system/coredns/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/coredns/app/helmrelease.yaml new file mode 100644 index 00000000..72c947c2 --- /dev/null +++ b/kubernetes/main/apps/kube-system/coredns/app/helmrelease.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: coredns +spec: + interval: 30m + chart: + spec: + chart: coredns + version: 1.36.1 + sourceRef: + kind: HelmRepository + name: coredns + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + valuesFrom: + - kind: ConfigMap + name: coredns-helm-values diff --git a/kubernetes/main/apps/kube-system/coredns/app/kustomization.yaml b/kubernetes/main/apps/kube-system/coredns/app/kustomization.yaml new file mode 100644 index 00000000..691355b5 --- /dev/null 
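Review bot: `pods insecure` in the kubernetes plugin `configBlock` answers pod-IP queries without checking that the pod actually exists; it is kept for kube-dns compatibility, and unless something in this cluster relies on that, `pods verified` is the hardened choice and is a one-token change. Add a comment above the line naming the mode chosen and why, so it is not silently flipped back on the next chart bump. The rest of the server block (`prometheus 0.0.0.0:9153`, `forward . /etc/resolv.conf`, `loop`, `reload`) is the standard set and looks fine.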
+++ b/kubernetes/main/apps/kube-system/coredns/app/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml +configMapGenerator: + - name: coredns-helm-values + files: + - values.yaml=./helm-values.yaml +configurations: + - kustomizeconfig.yaml diff --git a/kubernetes/main/apps/kube-system/coredns/app/kustomizeconfig.yaml b/kubernetes/main/apps/kube-system/coredns/app/kustomizeconfig.yaml new file mode 100644 index 00000000..58f92ba1 --- /dev/null +++ b/kubernetes/main/apps/kube-system/coredns/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/main/apps/kube-system/coredns/ks.yaml b/kubernetes/main/apps/kube-system/coredns/ks.yaml new file mode 100644 index 00000000..db2af0c2 --- /dev/null +++ b/kubernetes/main/apps/kube-system/coredns/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app coredns + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/kube-system/coredns/app + prune: false # never should be deleted + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml b/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml new file mode 100644 index 00000000..5ae3f42f --- /dev/null +++ b/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml @@ -0,0 +1,3 @@ +--- +providerRegex: ^(mango|melon|nectarine)$ +bypassDnsResolution: true 
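Review bot: `bypassDnsResolution: true` in the kubelet-csr-approver values turns off the check that a node's hostname resolves to the IP SANs in its serving CSR, which leaves `providerRegex: ^(mango|melon|nectarine)$` as the only gate on what gets an auto-approved kubelet serving certificate. That is a reasonable trade-off on a small static cluster, but it should be stated in the file: `# DNS bypass: node names are not resolvable in-cluster; providerRegex is the sole allowlist`. If the chart exposes an IP-prefix allowlist for the SANs, set it to the node subnet so a CSR carrying an unrelated address is still rejected.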
diff --git a/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml new file mode 100644 index 00000000..f3e6a7d1 --- /dev/null +++ b/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: kubelet-csr-approver +spec: + interval: 30m + chart: + spec: + chart: kubelet-csr-approver + version: 1.2.3 + sourceRef: + kind: HelmRepository + name: postfinance + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + valuesFrom: + - kind: ConfigMap + name: kubelet-csr-approver-helm-values + values: + metrics: + enable: true + serviceMonitor: + enabled: true diff --git a/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml b/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml new file mode 100644 index 00000000..30dddafc --- /dev/null +++ b/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml +configMapGenerator: + - name: kubelet-csr-approver-helm-values + files: + - values.yaml=./helm-values.yaml +configurations: + - kustomizeconfig.yaml diff --git a/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml b/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml new file mode 100644 index 00000000..58f92ba1 --- /dev/null +++ b/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease 
diff --git a/kubernetes/main/apps/kube-system/kubelet-csr-approver/ks.yaml b/kubernetes/main/apps/kube-system/kubelet-csr-approver/ks.yaml new file mode 100644 index 00000000..507320ba --- /dev/null +++ b/kubernetes/main/apps/kube-system/kubelet-csr-approver/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app kubelet-csr-approver + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/kube-system/kubelet-csr-approver/app + prune: false # never should be deleted + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/main/apps/kube-system/kustomization.yaml b/kubernetes/main/apps/kube-system/kustomization.yaml new file mode 100644 index 00000000..7a71f70f --- /dev/null +++ b/kubernetes/main/apps/kube-system/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./cilium/ks.yaml + - ./coredns/ks.yaml + - ./metrics-server/ks.yaml + - ./reloader/ks.yaml + - ./kubelet-csr-approver/ks.yaml + - ./spegel/ks.yaml diff --git a/kubernetes/main/apps/kube-system/metrics-server/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/metrics-server/app/helmrelease.yaml new file mode 100644 index 00000000..b5628f97 --- /dev/null +++ b/kubernetes/main/apps/kube-system/metrics-server/app/helmrelease.yaml 
@@ -0,0 +1,31 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: metrics-server +spec: + interval: 30m + chart: + spec: + chart: metrics-server + version: 3.12.2 + sourceRef: + kind: HelmRepository + name: kubernetes-sigs-metrics-server + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + args: + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --kubelet-use-node-status-port + - --metric-resolution=15s + metrics: + enabled: true + serviceMonitor: + enabled: true diff --git a/kubernetes/main/apps/kube-system/metrics-server/app/kustomization.yaml b/kubernetes/main/apps/kube-system/metrics-server/app/kustomization.yaml new file mode 100644 index 00000000..5dd7baca --- /dev/null +++ b/kubernetes/main/apps/kube-system/metrics-server/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/kube-system/metrics-server/ks.yaml b/kubernetes/main/apps/kube-system/metrics-server/ks.yaml new file mode 100644 index 00000000..8911c71e --- /dev/null +++ b/kubernetes/main/apps/kube-system/metrics-server/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app metrics-server + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/kube-system/metrics-server/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/main/apps/kube-system/namespace.yaml b/kubernetes/main/apps/kube-system/namespace.yaml new file mode 100644 index 00000000..5eeb2c91 --- /dev/null +++ b/kubernetes/main/apps/kube-system/namespace.yaml 
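Review bot: The metrics-server `args` correctly omit `--kubelet-insecure-tls`, which means scraping only works because kubelet serving certificates are signed by the cluster CA, i.e. because the kubelet-csr-approver release in this same commit approves them. That coupling is invisible from this file; a comment above `args:` such as `# no --kubelet-insecure-tls: kubelet serving certs are CA-signed via kubelet-csr-approver` would stop the next person from "fixing" a TLS error by adding the flag. `--kubelet-preferred-address-types=InternalIP,...` is also consistent with the SAN check being IP-based.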
@@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: kube-system + labels: + kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/main/apps/kube-system/reloader/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/reloader/app/helmrelease.yaml new file mode 100644 index 00000000..64dc3493 --- /dev/null +++ b/kubernetes/main/apps/kube-system/reloader/app/helmrelease.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: reloader +spec: + interval: 30m + chart: + spec: + chart: reloader + version: 1.1.0 + sourceRef: + kind: HelmRepository + name: stakater + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + fullnameOverride: reloader + reloader: + readOnlyRootFileSystem: true + podMonitor: + enabled: true + namespace: "{{ .Release.Namespace }}" diff --git a/kubernetes/main/apps/kube-system/reloader/app/kustomization.yaml b/kubernetes/main/apps/kube-system/reloader/app/kustomization.yaml new file mode 100644 index 00000000..5dd7baca --- /dev/null +++ b/kubernetes/main/apps/kube-system/reloader/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/kube-system/reloader/ks.yaml b/kubernetes/main/apps/kube-system/reloader/ks.yaml new file mode 100644 index 00000000..bfd2e073 --- /dev/null +++ b/kubernetes/main/apps/kube-system/reloader/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app reloader + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/kube-system/reloader/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m 
diff --git a/kubernetes/main/apps/kube-system/spegel/app/helm-values.yaml b/kubernetes/main/apps/kube-system/spegel/app/helm-values.yaml new file mode 100644 index 00000000..a4185ae3 --- /dev/null +++ b/kubernetes/main/apps/kube-system/spegel/app/helm-values.yaml @@ -0,0 +1,7 @@ +--- +spegel: + containerdSock: /run/containerd/containerd.sock + containerdRegistryConfigPath: /etc/cri/conf.d/hosts +service: + registry: + hostPort: 29999 diff --git a/kubernetes/main/apps/kube-system/spegel/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/spegel/app/helmrelease.yaml new file mode 100644 index 00000000..ea255fc4 --- /dev/null +++ b/kubernetes/main/apps/kube-system/spegel/app/helmrelease.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: spegel +spec: + interval: 30m + chart: + spec: + chart: spegel + version: v0.0.27 + sourceRef: + kind: HelmRepository + name: spegel + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + valuesFrom: + - kind: ConfigMap + name: spegel-helm-values + values: + grafanaDashboard: + enabled: true + serviceMonitor: + enabled: true diff --git a/kubernetes/main/apps/kube-system/spegel/app/kustomization.yaml b/kubernetes/main/apps/kube-system/spegel/app/kustomization.yaml new file mode 100644 index 00000000..1e1aa1d1 --- /dev/null +++ b/kubernetes/main/apps/kube-system/spegel/app/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml +configMapGenerator: + - name: spegel-helm-values + files: + - values.yaml=./helm-values.yaml +configurations: + - kustomizeconfig.yaml diff --git a/kubernetes/main/apps/kube-system/spegel/app/kustomizeconfig.yaml b/kubernetes/main/apps/kube-system/spegel/app/kustomizeconfig.yaml new file mode 100644 index 00000000..58f92ba1 --- /dev/null 
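Review bot: `service.registry.hostPort: 29999` in the spegel values opens the mirror registry on every node's IP without authentication; by design it only serves layers already present on that node, but it answers to anything on the node network, not just peer nodes. Add a comment at the `hostPort` line recording that the node LAN is trusted, or pair it with a host firewall rule limiting the port to node addresses. The `containerdRegistryConfigPath: /etc/cri/conf.d/hosts` value is Talos-specific and is worth a comment for the same reason.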
+++ b/kubernetes/main/apps/kube-system/spegel/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/main/apps/kube-system/spegel/ks.yaml b/kubernetes/main/apps/kube-system/spegel/ks.yaml new file mode 100644 index 00000000..015445c2 --- /dev/null +++ b/kubernetes/main/apps/kube-system/spegel/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app spegel + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/kube-system/spegel/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/main/apps/network/cloudflared/app/configs/config.yaml b/kubernetes/main/apps/network/cloudflared/app/configs/config.yaml new file mode 100644 index 00000000..05bcef5c --- /dev/null +++ b/kubernetes/main/apps/network/cloudflared/app/configs/config.yaml @@ -0,0 +1,10 @@ +--- +originRequest: + originServerName: "external.${SECRET_DOMAIN}" + +ingress: + - hostname: "${SECRET_DOMAIN}" + service: https://ingress-nginx-external-controller.network.svc.cluster.local:443 + - hostname: "*.${SECRET_DOMAIN}" + service: https://ingress-nginx-external-controller.network.svc.cluster.local:443 + - service: http_status:404 diff --git a/kubernetes/main/apps/network/cloudflared/app/dnsendpoint.yaml b/kubernetes/main/apps/network/cloudflared/app/dnsendpoint.yaml new file mode 100644 index 00000000..43d7d7b2 --- /dev/null +++ b/kubernetes/main/apps/network/cloudflared/app/dnsendpoint.yaml 
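Review bot: In the cloudflared config.yaml, origin TLS is verified (no `noTLSVerify`) and `originServerName` pins the expected certificate name to `external.${SECRET_DOMAIN}`, which is the right choice but is only correct if ingress-nginx actually presents a certificate valid for that name; otherwise every rule in `ingress:` fails closed. A comment above `originRequest:` noting that dependency on the cert-manager issued certificate would make a future 502 much faster to diagnose. The trailing `service: http_status:404` catch-all is good and should stay last.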
@@ -0,0 +1,10 @@
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: cloudflared
+spec:
+ endpoints:
+ - dnsName: "external.${SECRET_DOMAIN}"
+ recordType: CNAME
+ targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"]
diff --git a/kubernetes/main/apps/network/cloudflared/app/helmrelease.yaml b/kubernetes/main/apps/network/cloudflared/app/helmrelease.yaml
new file mode 100644
index 00000000..7e482f7d
--- /dev/null
+++ b/kubernetes/main/apps/network/cloudflared/app/helmrelease.yaml
@@ -0,0 +1,109 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cloudflared +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 3.5.1 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + controllers: + cloudflared: + strategy: RollingUpdate + annotations: + reloader.stakater.com/auto: "true" + containers: + app: + image: + repository: docker.io/cloudflare/cloudflared + tag: 2024.11.0 + env: + NO_AUTOUPDATE: true + TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json + TUNNEL_METRICS: 0.0.0.0:8080 + TUNNEL_ORIGIN_ENABLE_HTTP2: true + TUNNEL_TRANSPORT_PROTOCOL: quic + TUNNEL_POST_QUANTUM: true + TUNNEL_ID: + valueFrom: + secretKeyRef: + name: cloudflared-secret + key: TUNNEL_ID + args: + - tunnel + - --config + - /etc/cloudflared/config/config.yaml + - run + - "$(TUNNEL_ID)" + probes: + liveness: &probes + enabled: true + custom: true + spec: + httpGet: + path: /ready + port: &port 8080 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readiness: *probes + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: ["ALL"] } + resources: + requests: + cpu: 10m + limits: + memory: 256Mi + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + seccompProfile: { type: RuntimeDefault } + service: + app: + controller: cloudflared + ports: + http: + port: *port + serviceMonitor: + app: + serviceName: cloudflared + endpoints: + - port: http + scheme: http + path: /metrics + interval: 1m + scrapeTimeout: 10s + persistence: + config: + type: configMap + name: cloudflared-configmap + globalMounts: + - path: /etc/cloudflared/config/config.yaml + subPath: config.yaml + readOnly: true + creds: + type: secret + name: cloudflared-secret + globalMounts: + - path: 
/etc/cloudflared/creds/credentials.json + subPath: credentials.json + readOnly: true diff --git a/kubernetes/main/apps/network/cloudflared/app/kustomization.yaml b/kubernetes/main/apps/network/cloudflared/app/kustomization.yaml new file mode 100644 index 00000000..891a864a --- /dev/null +++ b/kubernetes/main/apps/network/cloudflared/app/kustomization.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./dnsendpoint.yaml + - ./secret.sops.yaml + - ./helmrelease.yaml +configMapGenerator: + - name: cloudflared-configmap + files: + - ./configs/config.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/kubernetes/main/apps/network/cloudflared/app/secret.sops.yaml b/kubernetes/main/apps/network/cloudflared/app/secret.sops.yaml new file mode 100644 index 00000000..cb98984c --- /dev/null +++ b/kubernetes/main/apps/network/cloudflared/app/secret.sops.yaml 
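Review bot: `TUNNEL_METRICS: 0.0.0.0:8080` serves both the `/ready` probe and `/metrics`, and the `app` Service exposes that port to the whole cluster with nothing in the hunk restricting who can reach it. That is normal for a ClusterIP, but since the release already sets a tight pod `securityContext` (non-root, read-only root FS, all capabilities dropped), a NetworkPolicy limiting ingress on `*port` to the monitoring namespace would finish the job. The HelmRelease starts in the previous line; the `creds` mount of `credentials.json` with `readOnly: true` is the right way to hand the tunnel credential to the pod.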
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cloudflared-secret +stringData: + TUNNEL_ID: ENC[AES256_GCM,data:1qpPZNQ/eDFMWCrS+cQA0Cc2CuEalBAc+MQ/k593GneM3wjQ,iv:EIzpeOeOIyD2/cMp8GdPLEbOtarZz6/CBFBn8MAdrw4=,tag:CjtOL2jKdiD4Y8jgmpI55g==,type:str] + credentials.json: ENC[AES256_GCM,data:Kwe+LMxws+sYHXP6EEF6j6MyxwVCspG7HGFA5bCup1VsU9BND5wtOGxWecqzNzyjEbStUoIIfjJQOnpGgxUp2tbd/eQyMHQi4D5mod5q57/Mhu4n292cYnJYG0Zri3jAkP49lutD+TefFg6viPfZArtlKk+IIrcjZIjCZBb4MNYGfIG8yNHB2NTZcw8HVxWVAxfQ1rlEd2U6F4VmW64fLA1QvqdEZF7yQRgxK3Wqvw==,iv:FTeEezK+6NBqqhwNmbEQVdnsIji/a6PAXjmwSP0kftI=,tag:izrwjjnIeHlku+D58mHe7A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10x2a6rhd5v9kd5w4cn9jemdxch7ecsltw3mpynx4gttcdpsqhumqtkh6kf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjbjlraXlBNTNlTWwvb285 + Ums1TW1Idm1DR2hqRzFjODB5VjMySTg1b0NZCndlOVNpcmpMOXl6WFJPWGoyelFk + dVBIZ0V3SVNzUGk1UkMrY0kxY2ZzMTgKLS0tIHppSENMMS9GcUh4b0dBR1Y0dzdX + dFJ0ditxSC9UNEw3TmhxSlpOTUVrcWsKe2XwCTib7AECiCu02Q43Ri8y/raVwo8F + NFZLwLbz6dHT9mKA6865cWn/ZOwFbivJ+aNM2f9QbJmwPPf/jdkFsw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-14T18:39:10Z" + mac: ENC[AES256_GCM,data:lgZlEm4R9ojR9a6YKQx7pKSG/yNgPDKZ2vaAVgQusKmvK7kJTBAaOoBTGGMRfWvD+jsfn7be/OQQuTM1ZLvvBssOFFmVPOe9xM6V7NwW541MuaS5JhPfNWDDlFYTcR419It90lZmBRE1lCduAzibo3i8S1PJaleLht5ON+RXkDM=,iv:Zad7N94qRhD9W2IkpGtIMvrK1JyyzjE2cZ1G6/MrqNw=,tag:YmYjvOwMnKLFd8Wknm46hQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/main/apps/network/cloudflared/ks.yaml b/kubernetes/main/apps/network/cloudflared/ks.yaml new file mode 100644 index 00000000..d720978b --- /dev/null +++ b/kubernetes/main/apps/network/cloudflared/ks.yaml 
@@ -0,0 +1,21 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cloudflared
+ namespace: flux-system
+spec:
+ targetNamespace: network
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: external-dns-cloudflare
+ path: ./kubernetes/main/apps/network/cloudflared/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ timeout: 5m
diff --git a/kubernetes/main/apps/network/echo-server/app/helmrelease.yaml b/kubernetes/main/apps/network/echo-server/app/helmrelease.yaml
new file mode 100644
index 00000000..26c17a56
--- /dev/null
+++ b/kubernetes/main/apps/network/echo-server/app/helmrelease.yaml
@@ -0,0 +1,91 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: echo-server +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 3.5.1 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + controllers: + echo-server: + strategy: RollingUpdate + containers: + app: + image: + repository: ghcr.io/mendhak/http-https-echo + tag: 35 + env: + HTTP_PORT: &port 8080 + LOG_WITHOUT_NEWLINE: true + LOG_IGNORE_PATH: /healthz + PROMETHEUS_ENABLED: true + probes: + liveness: &probes + enabled: true + custom: true + spec: + httpGet: + path: /healthz + port: *port + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readiness: *probes + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: ["ALL"] } + resources: + requests: + cpu: 10m + limits: + memory: 64Mi + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + seccompProfile: { type: RuntimeDefault } + service: + app: + controller: echo-server + ports: + http: + port: *port + serviceMonitor: + app: + serviceName: echo-server + endpoints: + - port: http + scheme: http + path: /metrics + interval: 1m + scrapeTimeout: 10s + ingress: + app: + className: external + annotations: + external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}" + hosts: + - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + paths: + - path: / + service: + identifier: app + port: http diff --git a/kubernetes/main/apps/network/echo-server/app/kustomization.yaml b/kubernetes/main/apps/network/echo-server/app/kustomization.yaml new file mode 100644 index 00000000..5dd7baca --- /dev/null +++ b/kubernetes/main/apps/network/echo-server/app/kustomization.yaml 
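Review bot: The `ingress.app` block publishes echo-server on `{{ .Release.Name }}.${SECRET_DOMAIN}` through the `external` class with `path: /`, so `PROMETHEUS_ENABLED: true` also puts `/metrics` on the internet, and the echo response itself reflects every request header back to the caller. If this is only a reachability check, restrict it: an allowlist annotation on the ingress, or drop `PROMETHEUS_ENABLED` unless the `serviceMonitor` is actually used. At minimum add `# public test endpoint: reflects request headers and serves /metrics` above `ingress:` so the exposure is a documented choice.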
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/main/apps/network/echo-server/ks.yaml b/kubernetes/main/apps/network/echo-server/ks.yaml
new file mode 100644
index 00000000..671db2af
--- /dev/null
+++ b/kubernetes/main/apps/network/echo-server/ks.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app echo-server
+ namespace: flux-system
+spec:
+ targetNamespace: network
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/main/apps/network/echo-server/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ timeout: 5m
diff --git a/kubernetes/main/apps/network/external-dns/cloudflare/helmrelease.yaml b/kubernetes/main/apps/network/external-dns/cloudflare/helmrelease.yaml
new file mode 100644
index 00000000..f43ec865
--- /dev/null
+++ b/kubernetes/main/apps/network/external-dns/cloudflare/helmrelease.yaml
@@ -0,0 +1,48 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app external-dns-cloudflare +spec: + interval: 30m + chart: + spec: + chart: external-dns + version: 1.15.0 + sourceRef: + kind: HelmRepository + name: kubernetes-sigs-external-dns + namespace: flux-system + install: + crds: CreateReplace + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + crds: CreateReplace + remediation: + strategy: rollback + retries: 3 + values: + fullnameOverride: *app + provider: cloudflare + env: + - name: CF_API_TOKEN + valueFrom: + secretKeyRef: + name: external-dns-cloudflare-secret + key: CF_API_TOKEN + extraArgs: + - --ingress-class=external + - --cloudflare-proxied + - --crd-source-apiversion=externaldns.k8s.io/v1alpha1 + - --crd-source-kind=DNSEndpoint + policy: sync + sources: ["crd", "ingress"] + txtPrefix: k8s. + txtOwnerId: default + domainFilters: ["${SECRET_DOMAIN}"] + serviceMonitor: + enabled: true + podAnnotations: + secret.reloader.stakater.com/reload: external-dns-cloudflare-secret diff --git a/kubernetes/main/apps/network/external-dns/cloudflare/kustomization.yaml b/kubernetes/main/apps/network/external-dns/cloudflare/kustomization.yaml new file mode 100644 index 00000000..95bf4747 --- /dev/null +++ b/kubernetes/main/apps/network/external-dns/cloudflare/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/network/external-dns/cloudflare/secret.sops.yaml b/kubernetes/main/apps/network/external-dns/cloudflare/secret.sops.yaml new file mode 100644 index 00000000..e514acd3 --- /dev/null +++ b/kubernetes/main/apps/network/external-dns/cloudflare/secret.sops.yaml 
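Review bot: `txtOwnerId: default` together with `policy: sync` means this instance will delete any record in the zone whose TXT ownership marker says `default`, and this commit introduces a multi-cluster layout (`kubernetes/main/`), so a second cluster pointed at the same zone with the same defaults would delete this cluster's records and vice versa. Make the owner id cluster-specific, e.g. `txtOwnerId: main`, and use a different value in every other cluster that manages this zone. Do it before the first sync: changing the owner id on an already-running instance orphans the records it created under the old id.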
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Secret +metadata: + name: external-dns-cloudflare-secret +stringData: + CF_API_TOKEN: ENC[AES256_GCM,data:hSlbQgS7JUUHCCpOYvyEr3t5VIPNwQtw7Z4qlasoT+wjsku6+IMqmw==,iv:PXVXBmu2eduQmyVsJUcH3L8eT1NPoIoAYQR273MzqF0=,tag:93+myAz0zVkJmxFrm3gnQQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10x2a6rhd5v9kd5w4cn9jemdxch7ecsltw3mpynx4gttcdpsqhumqtkh6kf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWLzZKSk84bUdXWVBiZmNP + eGFzVmgxN08wcVhVZ0hndzZ6aTcwdkFZZTNrCmRYQ0FPd1BKT1JqRUM3ajdwVXZ5 + U2dDaG5oWExiREdZMTY0YnFwMWI1aGsKLS0tIEVkNm5BLysySWVWYjEzRnptN1Ra + Yy8rWEYrSFI0SlZXTkZhYXUrU054QXcKlk2lej4YNnTKyzpUqTlUY7ZsG+tMT8AQ + a2Bxu2UMunIacS3jzSosYYkj0zQ7KGflnuk60wCyC9xQroRyDgHq4A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-14T18:39:10Z" + mac: ENC[AES256_GCM,data:3VndTIgnumsffs9GXhf85d0VFSZPC273CWnzN8A5SMX9zCz/U+pNv05GMoW5k7MuL7nZw0mY0YBMaBl8khr1YgKocP9/wJvHt+zN73Xc79d7Ajao5HLLZZQBW5GMpjXeKRiQfrYCW16B944Sg5+MQkRZ1Caarsn2SkyVd40FN8k=,iv:SXmcVsdumFjBGRkwZvdT+QOJE4gaKlpu8ODrsbAeTms=,tag:gOiliZONocLMySjTnsr/Kw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/main/apps/network/external-dns/ks.yaml b/kubernetes/main/apps/network/external-dns/ks.yaml new file mode 100644 index 00000000..3a88f411 --- /dev/null +++ b/kubernetes/main/apps/network/external-dns/ks.yaml 
@@ -0,0 +1,40 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app external-dns-cloudflare + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/network/external-dns/cloudflare + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: true + interval: 30m + timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app external-dns-unifi + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + # dependsOn: + # - name: external-secrets-stores + path: ./kubernetes/main/apps/network/external-dns/unifi + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: true + interval: 30m + timeout: 5m diff --git a/kubernetes/main/apps/network/external-dns/unifi/helmrelease.yaml b/kubernetes/main/apps/network/external-dns/unifi/helmrelease.yaml new file mode 100644 index 00000000..5132e42a --- /dev/null +++ b/kubernetes/main/apps/network/external-dns/unifi/helmrelease.yaml 
@@ -0,0 +1,80 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app external-dns-unifi +spec: + interval: 30m + chart: + spec: + chart: external-dns + version: 1.15.0 + sourceRef: + kind: HelmRepository + name: kubernetes-sigs-external-dns + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + fullnameOverride: *app + logLevel: debug + provider: + name: webhook + webhook: + image: + repository: ghcr.io/kashalls/external-dns-unifi-webhook + tag: v0.3.1@sha256:593eeb3594a8418084d3235b2a30ca8aa4c58b949fac3433b86df6c725364e32 + env: + - name: UNIFI_HOST + valueFrom: + secretKeyRef: + name: &secret external-dns-unifi-secret + key: EXTERNAL_DNS_UNIFI_HOST + - name: UNIFI_USER + valueFrom: + secretKeyRef: + name: *secret + key: EXTERNAL_DNS_UNIFI_USER + - name: UNIFI_PASS + valueFrom: + secretKeyRef: + name: *secret + key: EXTERNAL_DNS_UNIFI_PASS + - name: LOG_LEVEL + value: "debug" + livenessProbe: + httpGet: + path: /healthz + port: http-webhook + initialDelaySeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz + port: http-webhook + initialDelaySeconds: 10 + timeoutSeconds: 5 + extraArgs: + - --ignore-ingress-tls-spec + policy: sync + sources: ["ingress", "service"] + txtOwnerId: default + txtPrefix: k8s. + domainFilters: ["${SECRET_DOMAIN}"] + serviceMonitor: + enabled: true + podAnnotations: + secret.reloader.stakater.com/reload: *secret + resources: + requests: + cpu: 16m + memory: 90M + limits: + memory: 90M diff --git a/kubernetes/main/apps/network/external-dns/unifi/kustomization.yaml b/kubernetes/main/apps/network/external-dns/unifi/kustomization.yaml new file mode 100644 index 00000000..16a6ce30 --- /dev/null +++ b/kubernetes/main/apps/network/external-dns/unifi/kustomization.yaml 
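Review bot: `logLevel: debug` on the controller plus `LOG_LEVEL: "debug"` on the webhook sidecar turns on verbose logging in a pod that holds the UniFi credentials (`UNIFI_USER`/`UNIFI_PASS`); whether the webhook's debug output includes request bodies or the login exchange cannot be confirmed from here, but debug is not a safe steady-state level for a credential-bearing component whose logs are collected. Drop both to `info` once the integration is verified, i.e. `logLevel: info` and remove the `LOG_LEVEL` env entry (or set it to `"info"`). The webhook image being pinned by digest is good; the sidecar-less controller image only gets the chart default for `version: 1.15.0`, which is acceptable but worth a comment so the asymmetry is deliberate.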
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secret.sops.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/main/apps/network/external-dns/unifi/secret.sops.yaml b/kubernetes/main/apps/network/external-dns/unifi/secret.sops.yaml
new file mode 100644
index 00000000..c3087891
--- /dev/null
+++ b/kubernetes/main/apps/network/external-dns/unifi/secret.sops.yaml
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Secret +metadata: + name: external-dns-unifi-secret +stringData: + EXTERNAL_DNS_UNIFI_HOST: ENC[AES256_GCM,data:sWhsCFCCHjQiuXK4dPoEsw==,iv:+ZDctAK+4JHph5yGF7RtVRZnWJ1d4tAQcO9jcFg6Yas=,tag:Uny6mhfwa84y9G6P8TNQTg==,type:str] + EXTERNAL_DNS_UNIFI_USER: ENC[AES256_GCM,data:PGxTQMVhQr7dqshEh4tMIOws5U69Fco=,iv:cPJQGrNG6d3Xjz2rRU4G5M1S1fIbMlasJ4HFuO/OoGk=,tag:N1S79gblv4LGlmTLytGyvw==,type:str] + EXTERNAL_DNS_UNIFI_PASS: ENC[AES256_GCM,data:VA1x2iUxdnYWBM+c1yX5xecH3QE=,iv:0k4yma0V3JxJ+jCpqPFlgSVLmGfpcbJVBXbLLdTcHCM=,tag:rYsSLNAuDVrOgNjNl6+jgg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10x2a6rhd5v9kd5w4cn9jemdxch7ecsltw3mpynx4gttcdpsqhumqtkh6kf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzclBRdlFYd2x6Ukh0Nk4z + TDNBVWFlVG5qMFFYU2lFdDJrMk5BdHlBYUMwClNIMmVUQXlydUh6ZUFpVVBLd0NK + Y3lPT2dmOFR1VERhQ1hBdFFoVTZiTTgKLS0tIERJNGhSRlVSYUtDbzQ0bjlONzBT + U0xDR1B4WkdCUFJIM1AwK1VUd0tPWDQKCPxnuyDfkkWK7OITt6zi0gtlGUJfr574 + UKj4ZC8h98d0Lyylf+Sbc64wW7wwPNt7ZJzlcIAmCO9sVIdkJ7U4Wg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-14T18:39:10Z" + mac: ENC[AES256_GCM,data:xNBYpbcp4nEh9R+dd98iI0EVaatR5QpGqZ50Uxa3dMe0AmPOJRTO91QPmWFiIxpEogtIjhGFdmRQ2UMXSh0Gie9ctOX06sUjgjorH3iaOr57pOJR7xJcdZGQndHzLTcyI8NLKcSCRTmgoF1JL9/F1NxCIaNU5M+P/fDGAhtr/DM=,iv:wjw3832R9Lxhu/lcOSww1IpplQGk0IuQoaO3Al0fxLU=,tag:eDb25x6UV1wKYFm/b8wpKQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/main/apps/network/ingress-nginx/certificates/kustomization.yaml b/kubernetes/main/apps/network/ingress-nginx/certificates/kustomization.yaml new file mode 100644 index 00000000..f58e4a76 --- /dev/null +++ b/kubernetes/main/apps/network/ingress-nginx/certificates/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./staging.yaml + - ./production.yaml 
diff --git a/kubernetes/main/apps/network/ingress-nginx/certificates/production.yaml b/kubernetes/main/apps/network/ingress-nginx/certificates/production.yaml
new file mode 100644
index 00000000..b5afdf41
--- /dev/null
+++ b/kubernetes/main/apps/network/ingress-nginx/certificates/production.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: "${SECRET_DOMAIN/./-}-production"
+spec:
+ secretName: "${SECRET_DOMAIN/./-}-production-tls"
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: "${SECRET_DOMAIN}"
+ dnsNames:
+ - "${SECRET_DOMAIN}"
+ - "*.${SECRET_DOMAIN}"
diff --git a/kubernetes/main/apps/network/ingress-nginx/certificates/staging.yaml b/kubernetes/main/apps/network/ingress-nginx/certificates/staging.yaml
new file mode 100644
index 00000000..9c869425
--- /dev/null
+++ b/kubernetes/main/apps/network/ingress-nginx/certificates/staging.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: "${SECRET_DOMAIN/./-}-staging"
+spec:
+ secretName: "${SECRET_DOMAIN/./-}-staging-tls"
+ issuerRef:
+ name: letsencrypt-staging
+ kind: ClusterIssuer
+ commonName: "${SECRET_DOMAIN}"
+ dnsNames:
+ - "${SECRET_DOMAIN}"
+ - "*.${SECRET_DOMAIN}"
diff --git a/kubernetes/main/apps/network/ingress-nginx/external/helmrelease.yaml b/kubernetes/main/apps/network/ingress-nginx/external/helmrelease.yaml
new file mode 100644
index 00000000..9dc69901
--- /dev/null
+++ b/kubernetes/main/apps/network/ingress-nginx/external/helmrelease.yaml
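Review bot: the `${SECRET_DOMAIN/./-}-staging` Certificate is issued but nothing in this commit references `...-staging-tls`; both ingress controllers point `default-ssl-certificate` at the production secret, so an unused wildcard private key sits in the `network` namespace and is renewed indefinitely. Either drop `./staging.yaml` from `certificates/kustomization.yaml` or add a comment above `kind: Certificate` in `staging.yaml` stating it is kept for issuer testing. Separately, the single `*.${SECRET_DOMAIN}` key is mounted into both the internet-facing and the internal controller, so compromise of the external controller yields the key that also fronts internal hosts; a separate Certificate for the external controller is worth considering if that boundary matters to you.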
@@ -0,0 +1,76 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: ingress-nginx-external +spec: + interval: 30m + chart: + spec: + chart: ingress-nginx + version: 4.11.2 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + dependsOn: + - name: cloudflared + namespace: network + values: + fullnameOverride: ingress-nginx-external + controller: + service: + annotations: + external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_DOMAIN}" + lbipam.cilium.io/ips: "10.45.0.3" + externalTrafficPolicy: Cluster + ingressClassResource: + name: external + default: false + controllerValue: k8s.io/external + admissionWebhooks: + objectSelector: + matchExpressions: + - key: ingress-class + operator: In + values: ["external"] + config: + client-body-buffer-size: 100M + client-body-timeout: 120 + client-header-timeout: 120 + enable-brotli: "true" + enable-real-ip: "true" + force-ssl-redirect: "true" + hsts-max-age: 31449600 + keep-alive-requests: 10000 + keep-alive: 120 + log-format-escape-json: "true" + log-format-upstream: > + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", + "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", + "http_user_agent": "$http_user_agent"} + proxy-body-size: 0 + proxy-buffer-size: 16k + ssl-protocols: TLSv1.3 TLSv1.2 + metrics: + enabled: true + serviceMonitor: + enabled: true + namespaceSelector: + any: true + extraArgs: + default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls" + resources: + requests: + 
cpu: 100m + limits: + memory: 500Mi diff --git a/kubernetes/main/apps/network/ingress-nginx/external/kustomization.yaml b/kubernetes/main/apps/network/ingress-nginx/external/kustomization.yaml new file mode 100644 index 00000000..5dd7baca --- /dev/null +++ b/kubernetes/main/apps/network/ingress-nginx/external/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/network/ingress-nginx/internal/helmrelease.yaml b/kubernetes/main/apps/network/ingress-nginx/internal/helmrelease.yaml new file mode 100644 index 00000000..de63dfbd --- /dev/null +++ b/kubernetes/main/apps/network/ingress-nginx/internal/helmrelease.yaml 
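Review bot: `enable-real-ip: "true"` is set without `proxy-real-ip-cidr`, whose chart default is `0.0.0.0/0`, so this internet-facing controller trusts `X-Forwarded-For` from any peer and a client can spoof the address that ends up in `$proxy_add_x_forwarded_for`, in allow-list annotations and in the access log; `$proxy_protocol_addr` in `log-format-upstream` will also be empty because `use-proxy-protocol` is not enabled. Since traffic arrives through cloudflared (`dependsOn: cloudflared`), restrict trust to that path, e.g. `proxy-real-ip-cidr: "<cloudflared pod CIDR>"` together with `forwarded-for-header: CF-Connecting-IP`, and log `$remote_addr` instead of `$proxy_protocol_addr`. `proxy-body-size: 0` additionally removes the request-body limit on the public controller; set a real ceiling such as `proxy-body-size: 100m` and raise it per Ingress where an upload endpoint needs more.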
@@ -0,0 +1,73 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: ingress-nginx-internal + namespace: network +spec: + interval: 30m + chart: + spec: + chart: ingress-nginx + version: 4.11.2 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + fullnameOverride: ingress-nginx-internal + controller: + service: + annotations: + lbipam.cilium.io/ips: "10.45.0.1" + externalTrafficPolicy: Cluster + ingressClassResource: + name: internal + default: true + controllerValue: k8s.io/internal + admissionWebhooks: + objectSelector: + matchExpressions: + - key: ingress-class + operator: In + values: ["internal"] + config: + client-body-buffer-size: 100M + client-body-timeout: 120 + client-header-timeout: 120 + enable-brotli: "true" + enable-real-ip: "true" + force-ssl-redirect: "true" + hsts-max-age: 31449600 + keep-alive-requests: 10000 + keep-alive: 120 + log-format-escape-json: "true" + log-format-upstream: > + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", + "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", + "http_user_agent": "$http_user_agent"} + proxy-body-size: 0 + proxy-buffer-size: 16k + ssl-protocols: TLSv1.3 TLSv1.2 + metrics: + enabled: true + serviceMonitor: + enabled: true + namespaceSelector: + any: true + extraArgs: + default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls" + resources: + requests: + cpu: 100m + limits: + memory: 500Mi 
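Review bot: the admission webhook's `objectSelector` only matches Ingress objects labelled `ingress-class: internal`, so an Ingress that selects this controller the normal way (`spec.ingressClassName: internal`, or no class at all since `default: true`) is never validated and a bad annotation or snippet lands straight in nginx.conf, where it can break the reload for every host on the controller. The controller's webhook handler already skips Ingresses of other classes (verify against chart 4.11.2), so the selector is not needed to avoid cross-controller validation; remove the `objectSelector` block or make the label mandatory via policy, and apply the same fix to the external controller, which has the identical selector. Minor: `metadata.namespace: network` is present here but not in the external HelmRelease — harmless because the Flux Kustomization sets `targetNamespace: network`, but keep the two files consistent.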
diff --git a/kubernetes/main/apps/network/ingress-nginx/internal/helmrelease.yaml copy b/kubernetes/main/apps/network/ingress-nginx/internal/helmrelease.yaml copy
new file mode 100644
index 00000000..0bc9a716
--- /dev/null
+++ b/kubernetes/main/apps/network/ingress-nginx/internal/helmrelease.yaml copy
@@ -0,0 +1,74 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: ingress-nginx-internal + namespace: network +spec: + interval: 30m + chart: + spec: + chart: ingress-nginx + version: 4.11.2 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + fullnameOverride: ingress-nginx-internal + controller: + service: + annotations: + external-dns.alpha.kubernetes.io/hostname: "internal.${SECRET_DOMAIN}" + io.cilium/lb-ipam-ips: "10.45.0.1" + externalTrafficPolicy: Cluster + ingressClassResource: + name: internal + default: true + controllerValue: k8s.io/internal + admissionWebhooks: + objectSelector: + matchExpressions: + - key: ingress-class + operator: In + values: ["internal"] + config: + client-body-buffer-size: 100M + client-body-timeout: 120 + client-header-timeout: 120 + enable-brotli: "true" + enable-real-ip: "true" + force-ssl-redirect: "true" + hsts-max-age: 31449600 + keep-alive-requests: 10000 + keep-alive: 120 + log-format-escape-json: "true" + log-format-upstream: > + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", + "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", + "http_user_agent": "$http_user_agent"} + proxy-body-size: 0 + proxy-buffer-size: 16k + ssl-protocols: TLSv1.3 TLSv1.2 + metrics: + enabled: true + serviceMonitor: + enabled: true + namespaceSelector: + any: true + extraArgs: + default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls" + resources: + requests: + cpu: 100m + limits: + memory: 
500Mi diff --git a/kubernetes/main/apps/network/ingress-nginx/internal/kustomization.yaml b/kubernetes/main/apps/network/ingress-nginx/internal/kustomization.yaml new file mode 100644 index 00000000..5dd7baca --- /dev/null +++ b/kubernetes/main/apps/network/ingress-nginx/internal/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/network/ingress-nginx/ks.yaml b/kubernetes/main/apps/network/ingress-nginx/ks.yaml new file mode 100644 index 00000000..9d9a41ff --- /dev/null +++ b/kubernetes/main/apps/network/ingress-nginx/ks.yaml 
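Review bot: `helmrelease.yaml copy` is a stray duplicate of `internal/helmrelease.yaml` that should not be committed: it declares the same HelmRelease name `ingress-nginx-internal` but with different service annotations (`io.cilium/lb-ipam-ips` instead of `lbipam.cilium.io/ips`, plus `external-dns.alpha.kubernetes.io/hostname: "internal.${SECRET_DOMAIN}"`, which would publish the internal LB address under the public domain via the Cloudflare external-dns). It is inert today because `internal/kustomization.yaml` lists only `./helmrelease.yaml`, but any future glob or resources edit would apply it and the two manifests would fight over one release. Delete the file; if the annotation difference is an open decision, record it as a comment in the real `helmrelease.yaml`.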
@@ -0,0 +1,63 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app ingress-nginx-certificates + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: cert-manager-issuers + path: ./kubernetes/main/apps/network/ingress-nginx/certificates + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: true + interval: 30m + timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app ingress-nginx-internal + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: ingress-nginx-certificates + path: ./kubernetes/main/apps/network/ingress-nginx/internal + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app ingress-nginx-external + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: ingress-nginx-certificates + path: ./kubernetes/main/apps/network/ingress-nginx/external + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/main/apps/network/k8s-gateway/app/helmrelease.yaml b/kubernetes/main/apps/network/k8s-gateway/app/helmrelease.yaml new file mode 100644 index 00000000..1998bffa --- /dev/null +++ b/kubernetes/main/apps/network/k8s-gateway/app/helmrelease.yaml 
@@ -0,0 +1,33 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: k8s-gateway +spec: + interval: 30m + chart: + spec: + chart: k8s-gateway + version: 2.4.0 + sourceRef: + kind: HelmRepository + name: k8s-gateway + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + fullnameOverride: k8s-gateway + domain: "${SECRET_DOMAIN}" + ttl: 1 + service: + type: LoadBalancer + port: 53 + annotations: + lbipam.cilium.io/ips: "10.1.1.30" + externalTrafficPolicy: Cluster + watchedResources: ["Ingress", "Service"] diff --git a/kubernetes/main/apps/network/k8s-gateway/app/kustomization.yaml b/kubernetes/main/apps/network/k8s-gateway/app/kustomization.yaml new file mode 100644 index 00000000..5dd7baca --- /dev/null +++ b/kubernetes/main/apps/network/k8s-gateway/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/network/k8s-gateway/ks.yaml b/kubernetes/main/apps/network/k8s-gateway/ks.yaml new file mode 100644 index 00000000..3297eb81 --- /dev/null +++ b/kubernetes/main/apps/network/k8s-gateway/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app k8s-gateway + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/network/k8s-gateway/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/main/apps/network/kustomization.yaml b/kubernetes/main/apps/network/kustomization.yaml new file mode 100644 index 00000000..7043c963 --- /dev/null +++ b/kubernetes/main/apps/network/kustomization.yaml 
@@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./cloudflared/ks.yaml + - ./echo-server/ks.yaml + - ./external-dns/ks.yaml + - ./ingress-nginx/ks.yaml + #- ./k8s-gateway/ks.yaml diff --git a/kubernetes/main/apps/network/namespace.yaml b/kubernetes/main/apps/network/namespace.yaml new file mode 100644 index 00000000..4d78d7b1 --- /dev/null +++ b/kubernetes/main/apps/network/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network + labels: + kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/main/apps/observability/kustomization.yaml b/kubernetes/main/apps/observability/kustomization.yaml new file mode 100644 index 00000000..b213c83e --- /dev/null +++ b/kubernetes/main/apps/observability/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./prometheus-operator-crds/ks.yaml diff --git a/kubernetes/main/apps/observability/namespace.yaml b/kubernetes/main/apps/observability/namespace.yaml new file mode 100644 index 00000000..ce3a5bd2 --- /dev/null +++ b/kubernetes/main/apps/observability/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: observability + labels: + kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/main/apps/observability/prometheus-operator-crds/app/helmrelease.yaml b/kubernetes/main/apps/observability/prometheus-operator-crds/app/helmrelease.yaml new file mode 100644 index 00000000..28766e08 --- /dev/null +++ b/kubernetes/main/apps/observability/prometheus-operator-crds/app/helmrelease.yaml 
@@ -0,0 +1,22 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: prometheus-operator-crds +spec: + interval: 30m + chart: + spec: + chart: prometheus-operator-crds + version: 16.0.0 + sourceRef: + kind: HelmRepository + name: prometheus-community + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 diff --git a/kubernetes/main/apps/observability/prometheus-operator-crds/app/kustomization.yaml b/kubernetes/main/apps/observability/prometheus-operator-crds/app/kustomization.yaml new file mode 100644 index 00000000..5dd7baca --- /dev/null +++ b/kubernetes/main/apps/observability/prometheus-operator-crds/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/observability/prometheus-operator-crds/ks.yaml b/kubernetes/main/apps/observability/prometheus-operator-crds/ks.yaml new file mode 100644 index 00000000..83b97723 --- /dev/null +++ b/kubernetes/main/apps/observability/prometheus-operator-crds/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app prometheus-operator-crds + namespace: flux-system +spec: + targetNamespace: observability + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/observability/prometheus-operator-crds/app + prune: false # never should be deleted + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/main/apps/openebs-system/kustomization.yaml b/kubernetes/main/apps/openebs-system/kustomization.yaml new file mode 100644 index 00000000..9cd8d4e4 --- /dev/null +++ b/kubernetes/main/apps/openebs-system/kustomization.yaml 
@@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./openebs/ks.yaml diff --git a/kubernetes/main/apps/openebs-system/namespace.yaml b/kubernetes/main/apps/openebs-system/namespace.yaml new file mode 100644 index 00000000..f173c6c9 --- /dev/null +++ b/kubernetes/main/apps/openebs-system/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: openebs-system + labels: + kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/main/apps/openebs-system/openebs/app/helmrelease.yaml b/kubernetes/main/apps/openebs-system/openebs/app/helmrelease.yaml new file mode 100644 index 00000000..8cb7c52e --- /dev/null +++ b/kubernetes/main/apps/openebs-system/openebs/app/helmrelease.yaml @@ -0,0 +1,48 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: openebs +spec: + interval: 30m + chart: + spec: + chart: openebs + version: 4.1.1 + sourceRef: + kind: HelmRepository + name: openebs + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + engines: + local: + lvm: + enabled: false + zfs: + enabled: false + replicated: + mayastor: + enabled: false + openebs-crds: + csi: + volumeSnapshots: + enabled: false + localpv-provisioner: + localpv: + image: + registry: quay.io/ + helperPod: + image: + registry: quay.io/ + hostpathClass: + enabled: true + name: openebs-hostpath + isDefaultClass: false + basePath: /var/openebs/local diff --git a/kubernetes/main/apps/openebs-system/openebs/app/kustomization.yaml b/kubernetes/main/apps/openebs-system/openebs/app/kustomization.yaml new file mode 100644 index 00000000..5dd7baca --- /dev/null +++ b/kubernetes/main/apps/openebs-system/openebs/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml 
diff --git a/kubernetes/main/apps/openebs-system/openebs/ks.yaml b/kubernetes/main/apps/openebs-system/openebs/ks.yaml new file mode 100644 index 00000000..c8f95440 --- /dev/null +++ b/kubernetes/main/apps/openebs-system/openebs/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app openebs + namespace: flux-system +spec: + targetNamespace: openebs-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/openebs-system/openebs/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/main/bootstrap/flux/github-deploy-key.sops.yaml b/kubernetes/main/bootstrap/flux/github-deploy-key.sops.yaml new file mode 100644 index 00000000..b9bbfd8c --- /dev/null +++ b/kubernetes/main/bootstrap/flux/github-deploy-key.sops.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Secret +metadata: + name: github-deploy-key + namespace: flux-system +stringData: + identity: ENC[AES256_GCM,data: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,iv:EPPIySOPmRaYmiYUTa2zFY/HazU94SCyi3TwRAXveEI=,tag:nxZHYlL8LY2w/BfHGKIrUg==,type:str] + known_hosts: ENC[AES256_GCM,data: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,iv:HrpCdOe7ywrf1iauyuotkVVh1guHJdhi5ZasPtWJGzI=,tag:rP9AJe2rlXUxl4tIVEutsA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10x2a6rhd5v9kd5w4cn9jemdxch7ecsltw3mpynx4gttcdpsqhumqtkh6kf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzcHRoQ2txWTA3aTE2d3Yv + c3FyQUJmT1B0a09IdElGSEdDQW50TU1ZSUhRCkFjc0FvWmVJY0F6QVRMZEs3N1VT + Vkc4dldJMEZKNnRHVy9kdElUaVhaVlUKLS0tIEw3MWNoNGt6bjJodWkwVkN3WmxQ + TCtwaERiSGN5TzE3dzJVZ2tNK0pxOHMKTl/Q6O4ZysoGO5xL5laG6MOfAhcEppiL + BacyKqUevgJ+T5YA0SzbMz+jdHU9Y0REGyagNzNb218aDw7wX+InDw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-14T18:39:10Z" + mac: ENC[AES256_GCM,data:WI4cFiXX9G1BCFUl/dcMJIibe4qAjKLHnPxiEbZnvGlKiXjWpq3hRC7pLZW66+HZUP25+XxpQT+PxP0wSn7xfPFmkebz7Z+jIasEZm4KMxGVhLcA7IpUVnfoe7fy16xu6e2/NYIi9WBxRs9SwnVBr+Q160RMCFsp7qxJ8LPrvJk=,iv:osVNf8ZorvzxAwPCpfUtL9FzZqeLOm64Xo9kAol9B98=,tag:S0c5iu3/o2i8IbYd0tAbbA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/main/bootstrap/flux/kustomization.yaml b/kubernetes/main/bootstrap/flux/kustomization.yaml new file mode 100644 index 00000000..30f33642 --- /dev/null +++ b/kubernetes/main/bootstrap/flux/kustomization.yaml 
@@ -0,0 +1,61 @@ +# IMPORTANT: This file is not tracked by flux and should never be. Its +# purpose is to only install the Flux components and CRDs into your cluster. +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - github.com/fluxcd/flux2/manifests/install?ref=v2.4.0 +patches: + # Remove the default network policies + - patch: |- + $patch: delete + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: not-used + target: + group: networking.k8s.io + kind: NetworkPolicy + # Resources renamed to match those installed by oci://ghcr.io/fluxcd/flux-manifests + - target: + kind: ResourceQuota + name: critical-pods + patch: | + - op: replace + path: /metadata/name + value: critical-pods-flux-system + - target: + kind: ClusterRoleBinding + name: cluster-reconciler + patch: | + - op: replace + path: /metadata/name + value: cluster-reconciler-flux-system + - target: + kind: ClusterRoleBinding + name: crd-controller + patch: | + - op: replace + path: /metadata/name + value: crd-controller-flux-system + - target: + kind: ClusterRole + name: crd-controller + patch: | + - op: replace + path: /metadata/name + value: crd-controller-flux-system + - target: + kind: ClusterRole + name: flux-edit + patch: | + - op: replace + path: /metadata/name + value: flux-edit-flux-system + - target: + kind: ClusterRole + name: flux-view + patch: | + - op: replace + path: /metadata/name + value: flux-view-flux-system diff --git a/kubernetes/main/bootstrap/helmfile.yaml b/kubernetes/main/bootstrap/helmfile.yaml new file mode 100644 index 00000000..b4da58a9 --- /dev/null +++ b/kubernetes/main/bootstrap/helmfile.yaml 
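Review bot: the `$patch: delete` against every `NetworkPolicy` in the Flux install removes the upstream `allow-egress`/`allow-scraping`/`allow-webhooks` policies, so with Cilium as the CNI (per `helmfile.yaml`; it enforces NetworkPolicy by default) source-controller's artifact server and notification-controller's receiver become reachable from any pod in the cluster rather than only from Flux components. If the defaults are removed because they block legitimate peers (Prometheus scraping, ingress-nginx forwarding the GitHub webhook), replace them with narrower `NetworkPolicy`/`CiliumNetworkPolicy` objects allowing those peers instead of deleting all of them; per the header comment this file is not Flux-managed, so the replacement policies belong in the Flux-managed tree. At minimum document the reason above the patch, e.g. `# Removed: default policies block ingress-nginx -> notification-controller; replaced by policies under apps/flux-system`.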
@@ -0,0 +1,59 @@ +--- +helmDefaults: + wait: true + waitForJobs: true + timeout: 600 + recreatePods: true + force: true + +repositories: + - name: cilium + url: https://helm.cilium.io + - name: coredns + url: https://coredns.github.io/helm + - name: postfinance + url: https://postfinance.github.io/kubelet-csr-approver + +releases: + - name: prometheus-operator-crds + namespace: observability + chart: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds + version: 16.0.0 + - name: cilium + namespace: kube-system + chart: cilium/cilium + version: 1.16.3 + values: + - ../apps/kube-system/cilium/app/helm-values.yaml + needs: + - observability/prometheus-operator-crds + - name: coredns + namespace: kube-system + chart: coredns/coredns + version: 1.36.1 + values: + - ../apps/kube-system/coredns/app/helm-values.yaml + needs: + - observability/prometheus-operator-crds + - kube-system/cilium + - name: kubelet-csr-approver + namespace: kube-system + chart: postfinance/kubelet-csr-approver + version: 1.2.3 + values: + - ../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml + needs: + - observability/prometheus-operator-crds + - kube-system/cilium + - kube-system/coredns + - name: spegel + namespace: kube-system + chart: oci://ghcr.io/spegel-org/helm-charts/spegel + version: v0.0.27 + values: + - ../apps/kube-system/spegel/app/helm-values.yaml + needs: + - observability/prometheus-operator-crds + - kube-system/cilium + - kube-system/coredns + - kube-system/kubelet-csr-approver diff --git a/kubernetes/main/bootstrap/talos/patches/README.md b/kubernetes/main/bootstrap/talos/patches/README.md new file mode 100644 index 00000000..b9681888 --- /dev/null +++ b/kubernetes/main/bootstrap/talos/patches/README.md 
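Review bot: `force: true` and `recreatePods: true` in `helmDefaults` apply to every release, including `prometheus-operator-crds`, whose templates are CRDs; with `--force` Helm replaces resources and deletes-and-recreates them when the update is rejected, and deleting a CRD cascades to every ServiceMonitor/PrometheusRule/Alertmanager object in the cluster. Scope the flags to the releases that need them rather than the defaults, e.g. `force: false` in `helmDefaults` and `force: true` only on `cilium`, or drop `force` entirely since this is a one-shot bootstrap. The same `prometheus-operator-crds 16.0.0` release is later owned by a Flux HelmRelease with `prune: false`, so the release name and namespace here must stay aligned with that manifest — they do today, but a comment tying the two would prevent drift.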
@@ -0,0 +1,15 @@ +# Talos Patching + +This directory contains Kustomization patches that are added to the talhelper configuration file. + + + +## Patch Directories + +Under this `patches` directory, there are several sub-directories that can contain patches that are added to the talhelper configuration file. +Each directory is optional and therefore might not created by default. + +- `global/`: patches that are applied to both the controller and worker configurations +- `controller/`: patches that are applied to the controller configurations +- `worker/`: patches that are applied to the worker configurations +- `${node-hostname}/`: patches that are applied to the node with the specified name diff --git a/kubernetes/main/bootstrap/talos/patches/controller/api-access.yaml b/kubernetes/main/bootstrap/talos/patches/controller/api-access.yaml new file mode 100644 index 00000000..77232844 --- /dev/null +++ b/kubernetes/main/bootstrap/talos/patches/controller/api-access.yaml @@ -0,0 +1,8 @@ +machine: + features: + kubernetesTalosAPIAccess: + enabled: true + allowedRoles: + - os:admin + allowedKubernetesNamespaces: + - system-upgrade diff --git a/kubernetes/main/bootstrap/talos/patches/controller/cluster.yaml b/kubernetes/main/bootstrap/talos/patches/controller/cluster.yaml new file mode 100644 index 00000000..b4a9685b --- /dev/null +++ b/kubernetes/main/bootstrap/talos/patches/controller/cluster.yaml @@ -0,0 +1,25 @@ +cluster: + allowSchedulingOnControlPlanes: true + controllerManager: + extraArgs: + bind-address: 0.0.0.0 + coreDNS: + disabled: true + proxy: + disabled: true + scheduler: + extraArgs: + bind-address: 0.0.0.0 + config: + apiVersion: kubescheduler.config.k8s.io/v1 + kind: KubeSchedulerConfiguration + profiles: + - schedulerName: default-scheduler + pluginConfig: + - name: PodTopologySpread + args: + defaultingType: List + defaultConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway 
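Review bot: `kubernetesTalosAPIAccess` with `allowedRoles: [os:admin]` lets any workload running in the `system-upgrade` namespace call the Talos API as an administrator on the control planes, which covers upgrades, resets and configuration changes; the namespace thereby becomes a privilege boundary and nothing in api-access.yaml says so. Add a comment above `enabled: true`, e.g. `# Grants Talos os:admin to every pod in system-upgrade (intended for system-upgrade-controller); keep RBAC and admission on that namespace tight`. If the consumer only needs to upgrade nodes, check whether a narrower Talos role (os:operator, if I recall correctly, covers upgrade/reboot) is sufficient before granting os:admin.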
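Review bot: `bind-address: 0.0.0.0` for both controllerManager and scheduler in cluster.yaml exposes their secure ports on every node interface rather than loopback, presumably so Prometheus can scrape them; those endpoints still delegate authn/authz to the API server, so the exposure is limited, but the reason should sit next to each `extraArgs` (`# bind on all interfaces so the metrics endpoint is reachable from the pod network`). `allowSchedulingOnControlPlanes: true` is expected for a three-node all-control-plane cluster but also deserves a one-line comment, since it means arbitrary workloads share nodes with etcd and the API server.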
diff --git a/kubernetes/main/bootstrap/talos/patches/controller/disable-admission-controller.yaml b/kubernetes/main/bootstrap/talos/patches/controller/disable-admission-controller.yaml
new file mode 100644
index 00000000..e311789f
--- /dev/null
+++ b/kubernetes/main/bootstrap/talos/patches/controller/disable-admission-controller.yaml
@@ -0,0 +1,2 @@
+- op: remove
+ path: /cluster/apiServer/admissionControl
diff --git a/kubernetes/main/bootstrap/talos/patches/controller/etcd.yaml b/kubernetes/main/bootstrap/talos/patches/controller/etcd.yaml
new file mode 100644
index 00000000..e0f754ac
--- /dev/null
+++ b/kubernetes/main/bootstrap/talos/patches/controller/etcd.yaml
@@ -0,0 +1,6 @@
+cluster:
+ etcd:
+ extraArgs:
+ listen-metrics-urls: http://0.0.0.0:2381
+ advertisedSubnets:
+ - 10.1.1.0/24
diff --git a/kubernetes/main/bootstrap/talos/patches/global/cluster-discovery.yaml b/kubernetes/main/bootstrap/talos/patches/global/cluster-discovery.yaml
new file mode 100644
index 00000000..ecafec6e
--- /dev/null
+++ b/kubernetes/main/bootstrap/talos/patches/global/cluster-discovery.yaml
@@ -0,0 +1,7 @@
+cluster:
+ discovery:
+ registries:
+ kubernetes:
+ disabled: false
+ service:
+ disabled: true
diff --git a/kubernetes/main/bootstrap/talos/patches/global/containerd.yaml b/kubernetes/main/bootstrap/talos/patches/global/containerd.yaml
new file mode 100644
index 00000000..2952d6b4
--- /dev/null
+++ b/kubernetes/main/bootstrap/talos/patches/global/containerd.yaml
@@ -0,0 +1,12 @@
+machine:
+ files:
+ - op: create
+ path: /etc/cri/conf.d/20-customization.part
+ content: |-
+ [plugins."io.containerd.grpc.v1.cri"]
+ enable_unprivileged_ports = true
+ enable_unprivileged_icmp = true
+ [plugins."io.containerd.grpc.v1.cri".containerd]
+ discard_unpacked_layers = false
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+ discard_unpacked_layers = false
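Review bot: Removing `/cluster/apiServer/admissionControl` drops the admission configuration Talos generates by default, which (if I recall correctly) is a PodSecurity configuration enforcing the `baseline` profile with kube-system exempted; after this patch no pod security standard is enforced unless something else provides it. Nothing in the visible part of this commit replaces it — a kyverno HelmRepository is added later in the diff, which suggests a policy engine is planned, but that is an inference. State the intent in the file so the gap is deliberate rather than silent, e.g. `# Drops Talos' default PodSecurity admission config; pod security is expected to be enforced by a policy engine instead — TODO confirm`. The etcd patch alongside binds `listen-metrics-urls` to `http://0.0.0.0:2381`; that endpoint serves only metrics and health, but it could be bound to the node address from `advertisedSubnets` instead of all interfaces.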
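Review bot: `enable_unprivileged_ports = true` and `enable_unprivileged_icmp = true` in containerd.yaml relax the containerd CRI defaults on every node, so non-root containers can bind ports below 1024 and open ICMP sockets without NET_BIND_SERVICE or NET_RAW; that is a deliberate widening and the two lines should carry a why-comment (`# allow non-root containers to bind <1024 and use ping without extra capabilities`). `discard_unpacked_layers = false` is presumably needed by spegel, which the bootstrap helmfile installs and which serves layer content from the node; noting that inline would explain why the setting appears twice.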
diff --git a/kubernetes/main/bootstrap/talos/patches/global/disable-search-domain.yaml b/kubernetes/main/bootstrap/talos/patches/global/disable-search-domain.yaml
new file mode 100644
index 00000000..8ba647c4
--- /dev/null
+++ b/kubernetes/main/bootstrap/talos/patches/global/disable-search-domain.yaml
@@ -0,0 +1,3 @@
+machine:
+ network:
+ disableSearchDomain: true
diff --git a/kubernetes/main/bootstrap/talos/patches/global/dns.yaml b/kubernetes/main/bootstrap/talos/patches/global/dns.yaml
new file mode 100644
index 00000000..7f801083
--- /dev/null
+++ b/kubernetes/main/bootstrap/talos/patches/global/dns.yaml
@@ -0,0 +1,5 @@
+machine:
+ network:
+ nameservers:
+ - 1.1.1.1
+ - 1.0.0.1
diff --git a/kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml b/kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml
new file mode 100644
index 00000000..6033ccd2
--- /dev/null
+++ b/kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml
@@ -0,0 +1,6 @@
+machine:
+ features:
+ hostDNS:
+ enabled: true
+ resolveMemberNames: true
+ forwardKubeDNSToHost: true # Requires Cilium `bpf.masquerade: false`
diff --git a/kubernetes/main/bootstrap/talos/patches/global/kubelet.yaml b/kubernetes/main/bootstrap/talos/patches/global/kubelet.yaml
new file mode 100644
index 00000000..006e5c7e
--- /dev/null
+++ b/kubernetes/main/bootstrap/talos/patches/global/kubelet.yaml
@@ -0,0 +1,7 @@
+machine:
+ kubelet:
+ extraArgs:
+ rotate-server-certificates: true
+ nodeIP:
+ validSubnets:
+ - 10.1.1.0/24
diff --git a/kubernetes/main/bootstrap/talos/patches/global/ntp.yaml b/kubernetes/main/bootstrap/talos/patches/global/ntp.yaml
new file mode 100644
index 00000000..b7d65948
--- /dev/null
+++ b/kubernetes/main/bootstrap/talos/patches/global/ntp.yaml
@@ -0,0 +1,6 @@
+machine:
+ time:
+ disabled: false
+ servers:
+ - 162.159.200.1
+ - 162.159.200.123
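Review bot: `rotate-server-certificates: true` in kubelet.yaml makes every kubelet request its serving certificate through a CSR, and those CSRs are only approved because the bootstrap helmfile installs kubelet-csr-approver; the approver's values file (referenced there, not in this chunk) is what constrains which hostnames and IPs get a certificate, so the two files should reference each other. Add `# serving-cert CSRs are approved by kubelet-csr-approver (apps/kube-system/kubelet-csr-approver); keep its providerRegex in sync with node hostnames` above the argument. `validSubnets` repeats the `10.1.1.0/24` also used for etcd `advertisedSubnets` in controller/etcd.yaml; a single documented source for the node subnet would avoid the two drifting apart.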
diff --git a/kubernetes/main/bootstrap/talos/patches/global/openebs-local.yaml b/kubernetes/main/bootstrap/talos/patches/global/openebs-local.yaml new file mode 100644 index 00000000..e4095d17 --- /dev/null +++ b/kubernetes/main/bootstrap/talos/patches/global/openebs-local.yaml @@ -0,0 +1,10 @@ +machine: + kubelet: + extraMounts: + - destination: /var/openebs/local + type: bind + source: /var/openebs/local + options: + - bind + - rshared + - rw diff --git a/kubernetes/main/bootstrap/talos/patches/global/sysctl.yaml b/kubernetes/main/bootstrap/talos/patches/global/sysctl.yaml new file mode 100644 index 00000000..67ff333d --- /dev/null +++ b/kubernetes/main/bootstrap/talos/patches/global/sysctl.yaml @@ -0,0 +1,7 @@ +machine: + sysctls: + fs.inotify.max_user_watches: "1048576" + fs.inotify.max_user_instances: "8192" + net.core.rmem_max: "7500000" + net.core.wmem_max: "7500000" + vm.nr_hugepages: "2048" diff --git a/kubernetes/main/bootstrap/talos/patches/mango/longhorn.yaml b/kubernetes/main/bootstrap/talos/patches/mango/longhorn.yaml new file mode 100644 index 00000000..869bee09 --- /dev/null +++ b/kubernetes/main/bootstrap/talos/patches/mango/longhorn.yaml @@ -0,0 +1,14 @@ +machine: + kubelet: + extraMounts: + - destination: /var/lib/longhorn + type: bind + source: /var/lib/longhorn + options: + - bind + - rshared + - rw + disks: + - device: /dev/disk/by-id/usb-SSK_SSK_Storage_DD56419883935-0:0 + partitions: + - mountpoint: /var/lib/longhorn diff --git a/kubernetes/main/bootstrap/talos/patches/melon/longhorn.yaml b/kubernetes/main/bootstrap/talos/patches/melon/longhorn.yaml new file mode 100644 index 00000000..5d22362e --- /dev/null +++ b/kubernetes/main/bootstrap/talos/patches/melon/longhorn.yaml 
@@ -0,0 +1,14 @@
+machine:
+ kubelet:
+ extraMounts:
+ - destination: /var/lib/longhorn
+ type: bind
+ source: /var/lib/longhorn
+ options:
+ - bind
+ - rshared
+ - rw
+ disks:
+ - device: /dev/disk/by-id/usb-SSK_SSK_Storage_012345678913-0:0
+ partitions:
+ - mountpoint: /var/lib/longhorn
diff --git a/kubernetes/main/bootstrap/talos/patches/nectarine/longhorn.yaml b/kubernetes/main/bootstrap/talos/patches/nectarine/longhorn.yaml
new file mode 100644
index 00000000..5d22362e
--- /dev/null
+++ b/kubernetes/main/bootstrap/talos/patches/nectarine/longhorn.yaml
@@ -0,0 +1,14 @@
+machine:
+ kubelet:
+ extraMounts:
+ - destination: /var/lib/longhorn
+ type: bind
+ source: /var/lib/longhorn
+ options:
+ - bind
+ - rshared
+ - rw
+ disks:
+ - device: /dev/disk/by-id/usb-SSK_SSK_Storage_012345678913-0:0
+ partitions:
+ - mountpoint: /var/lib/longhorn
diff --git a/kubernetes/main/bootstrap/talos/talconfig.yaml b/kubernetes/main/bootstrap/talos/talconfig.yaml
new file mode 100644
index 00000000..3650a53f
--- /dev/null
+++ b/kubernetes/main/bootstrap/talos/talconfig.yaml
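Review bot: melon/longhorn.yaml and nectarine/longhorn.yaml reference the same device, `/dev/disk/by-id/usb-SSK_SSK_Storage_012345678913-0:0` (the two blobs are byte-identical), while mango uses a distinct serial. Each node resolves by-id locally, so two enclosures that genuinely share a serial would still work, but an identical serial across two USB drives looks more like a copy-paste than reality; confirm nectarine's serial (`talosctl get disks` on that node) before bootstrap, since a non-matching device presumably leaves the `disks` entry unapplied and `/var/lib/longhorn` ends up on the install disk instead.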
@@ -0,0 +1,82 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/budimanjojo/talhelper/master/pkg/config/schemas/talconfig.json
+---
+# renovate: datasource=docker depName=ghcr.io/siderolabs/installer
+talosVersion: v1.8.2
+# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
+kubernetesVersion: v1.31.2
+
+clusterName: "home-kubernetes"
+endpoint: https://10.1.1.30:6443
+
+clusterPodNets:
+ - "10.69.0.0/16"
+clusterSvcNets:
+ - "10.96.0.0/16"
+
+additionalApiServerCertSans: &sans
+ - "10.1.1.30"
+ - "k8s-api.kvshs.cc"
+ - "127.0.0.1"
+additionalMachineCertSans: *sans
+
+# Disable built-in Flannel to use Cilium
+cniConfig:
+ name: none
+
+nodes:
+ - hostname: "mango"
+ ipAddress: "10.1.1.31"
+ installDisk: "/dev/nvme0n1"
+ talosImageURL: factory.talos.dev/installer/87521388a0ade6d1e9e0ae8ed108d529bdb16508c3d8e46d8b8e2636bc366c86
+ controlPlane: true
+ networkInterfaces:
+ - deviceSelector:
+ hardwareAddr: "00:02:c9:e8:b4:81"
+ dhcp: false
+ addresses:
+ - "10.1.1.31/24"
+ routes:
+ - network: 0.0.0.0/0
+ gateway: "10.1.1.1"
+ mtu: 1500
+ vip:
+ ip: "10.1.1.30"
+ - hostname: "melon"
+ ipAddress: "10.1.1.32"
+ installDisk: "/dev/nvme0n1"
+ talosImageURL: factory.talos.dev/installer/87521388a0ade6d1e9e0ae8ed108d529bdb16508c3d8e46d8b8e2636bc366c86
+ controlPlane: true
+ networkInterfaces:
+ - deviceSelector:
+ hardwareAddr: "00:02:c9:3b:b2:61"
+ dhcp: false
+ addresses:
+ - "10.1.1.32/24"
+ routes:
+ - network: 0.0.0.0/0
+ gateway: "10.1.1.1"
+ mtu: 1500
+ vip:
+ ip: "10.1.1.30"
+ - hostname: "nectarine"
+ ipAddress: "10.1.1.33"
+ installDisk: "/dev/nvme0n1"
+ talosImageURL: factory.talos.dev/installer/87521388a0ade6d1e9e0ae8ed108d529bdb16508c3d8e46d8b8e2636bc366c86
+ controlPlane: true
+ networkInterfaces:
+ - deviceSelector:
+ hardwareAddr: "00:02:c9:3b:b1:41"
+ dhcp: false
+ addresses:
+ - "10.1.1.33/24"
+ routes:
+ - network: 0.0.0.0/0
+ gateway: "10.1.1.1"
+ mtu: 1500
+ vip:
+ ip: "10.1.1.30"
+
+# Global patches
+patches:
+
+
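Review bot: `patches:` at the end of talconfig.yaml is left with a null value under the `# Global patches` heading; talhelper expects a list there, so either the key should be removed or, if a bootstrap task appends the directories from bootstrap/talos/patches at render time, the file should say so (`# populated from patches/ by the bootstrap task — do not edit by hand`). Separately, `additionalMachineCertSans: *sans` reuses the API-server SAN list, so `k8s-api.kvshs.cc` and `127.0.0.1` also land in the Talos API certificate; harmless, but probably unintended for `127.0.0.1`, and worth a comment if it is deliberate.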
diff --git a/kubernetes/main/flux/apps.yaml b/kubernetes/main/flux/apps.yaml new file mode 100644 index 00000000..f850e832 --- /dev/null +++ b/kubernetes/main/flux/apps.yaml @@ -0,0 +1,56 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-apps + namespace: flux-system +spec: + interval: 30m + path: ./kubernetes/main/apps + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + decryption: + provider: sops + secretRef: + name: sops-age + postBuild: + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets + - kind: ConfigMap + name: cluster-user-settings + optional: true + - kind: Secret + name: cluster-user-secrets + optional: true + patches: + - patch: |- + apiVersion: kustomize.toolkit.fluxcd.io/v1 + kind: Kustomization + metadata: + name: not-used + spec: + decryption: + provider: sops + secretRef: + name: sops-age + postBuild: + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets + - kind: ConfigMap + name: cluster-user-settings + optional: true + - kind: Secret + name: cluster-user-secrets + optional: true + target: + group: kustomize.toolkit.fluxcd.io + kind: Kustomization + labelSelector: substitution.flux.home.arpa/disabled notin (true) diff --git a/kubernetes/main/flux/config/cluster.yaml b/kubernetes/main/flux/config/cluster.yaml new file mode 100644 index 00000000..15c02239 --- /dev/null +++ b/kubernetes/main/flux/config/cluster.yaml 
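Review bot: The patch in apps.yaml injects both `decryption` and `postBuild.substituteFrom` into every child Kustomization, but the opt-out label in `target:` is named `substitution.flux.home.arpa/disabled`, so a Kustomization that sets it also loses SOPS decryption, which the name does not suggest. Put a note on the `target:` block, e.g. `# NOTE: opting out via this label disables SOPS decryption as well as variable substitution`, or split the patch so decryption is always applied.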
@@ -0,0 +1,42 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: home-kubernetes
+ namespace: flux-system
+spec:
+ interval: 30m
+ url: "ssh://git@github.com/rkoosaar/home-ops"
+ secretRef:
+ name: github-deploy-key
+ ref:
+ branch: "main"
+ ignore: |
+ # exclude all
+ /*
+ # include kubernetes directory
+ !/kubernetes
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster
+ namespace: flux-system
+spec:
+ interval: 30m
+ path: ./kubernetes/flux
+ prune: true
+ wait: false
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
diff --git a/kubernetes/main/flux/config/flux.yaml b/kubernetes/main/flux/config/flux.yaml
new file mode 100644
index 00000000..973cbfe5
--- /dev/null
+++ b/kubernetes/main/flux/config/flux.yaml
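Review bot: The `cluster` Kustomization points at `path: ./kubernetes/flux`, but every Flux file in this commit lives under `kubernetes/main/flux` and the sibling apps.yaml uses `./kubernetes/main/apps`; as written the kustomize-controller will fail to find the path (or reconcile a stale tree) until it reads `path: ./kubernetes/main/flux`. The GitRepository's `secretRef: github-deploy-key` must also carry a `known_hosts` entry for github.com alongside the private key, since source-controller does not trust-on-first-use for ssh:// URLs; the secret is not visible here, so confirm it does.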
@@ -0,0 +1,86 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: OCIRepository +metadata: + name: flux-manifests + namespace: flux-system +spec: + interval: 10m + url: oci://ghcr.io/fluxcd/flux-manifests + ref: + tag: v2.4.0 +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: flux + namespace: flux-system +spec: + interval: 10m + path: ./ + prune: true + wait: true + sourceRef: + kind: OCIRepository + name: flux-manifests + patches: + # Remove the network policies + - patch: | + $patch: delete + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: not-used + target: + group: networking.k8s.io + kind: NetworkPolicy + # Increase the number of reconciliations that can be performed in parallel and bump the resources limits + # https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers + - patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=8 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --kube-api-qps=500 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --kube-api-burst=1000 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --requeue-dependency=5s + target: + kind: Deployment + name: (kustomize-controller|helm-controller|source-controller) + - patch: | + apiVersion: apps/v1 + kind: Deployment + metadata: + name: not-used + spec: + template: + spec: + containers: + - name: manager + resources: + limits: + cpu: 2000m + memory: 2Gi + target: + kind: Deployment + name: (kustomize-controller|helm-controller|source-controller) + # Enable Helm near OOM detection + # https://fluxcd.io/flux/cheatsheets/bootstrap/#enable-helm-near-oom-detection + - patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --feature-gates=OOMWatch=true + - op: add + path: /spec/template/spec/containers/0/args/- + value: --oom-watch-memory-threshold=95 + - op: add + path: 
/spec/template/spec/containers/0/args/- + value: --oom-watch-interval=500ms + target: + kind: Deployment + name: helm-controller diff --git a/kubernetes/main/flux/config/kustomization.yaml b/kubernetes/main/flux/config/kustomization.yaml new file mode 100644 index 00000000..ef231746 --- /dev/null +++ b/kubernetes/main/flux/config/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./flux.yaml + - ./cluster.yaml diff --git a/kubernetes/main/flux/repositories/git/kustomization.yaml b/kubernetes/main/flux/repositories/git/kustomization.yaml new file mode 100644 index 00000000..fe0f332a --- /dev/null +++ b/kubernetes/main/flux/repositories/git/kustomization.yaml @@ -0,0 +1,4 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: [] diff --git a/kubernetes/main/flux/repositories/helm/actions-runner-controller.yaml b/kubernetes/main/flux/repositories/helm/actions-runner-controller.yaml new file mode 100644 index 00000000..54fa67be --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/actions-runner-controller.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: actions-runner-controller + namespace: flux-system +spec: + type: oci + interval: 5m + url: oci://ghcr.io/actions/actions-runner-controller-charts diff --git a/kubernetes/main/flux/repositories/helm/angelnu.yaml b/kubernetes/main/flux/repositories/helm/angelnu.yaml new file mode 100644 index 00000000..1ffa32b7 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/angelnu.yaml 
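Review bot: The `flux-manifests` OCIRepository pulls `oci://ghcr.io/fluxcd/flux-manifests` by tag with no signature verification, and the `flux` Kustomization then applies whatever it fetches with `prune: true` under the controllers' cluster-wide RBAC; Flux publishes these manifests cosign-signed, so adding `verify:` / `provider: cosign` under the OCIRepository `spec` has the artifact checked before it is reconciled (keyless verification needs no secretRef). The NetworkPolicy `$patch: delete` here repeats the one in the bootstrap kustomization and should carry the same why-comment. The concurrency, resource-limit and OOMWatch patches match the Flux cheatsheet links given and look fine; the hunk starts on the previous line.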
@@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: angelnu + namespace: flux-system +spec: + interval: 2h + url: https://angelnu.github.io/helm-charts + diff --git a/kubernetes/main/flux/repositories/helm/authentik-charts.yaml b/kubernetes/main/flux/repositories/helm/authentik-charts.yaml new file mode 100644 index 00000000..f296b475 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/authentik-charts.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kube-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: authentik-charts + namespace: flux-system +spec: + interval: 30m + url: https://charts.goauthentik.io + timeout: 3m diff --git a/kubernetes/main/flux/repositories/helm/backube.yaml b/kubernetes/main/flux/repositories/helm/backube.yaml new file mode 100644 index 00000000..aae3737a --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/backube.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: backube + namespace: flux-system +spec: + interval: 2h + url: https://backube.github.io/helm-charts/ + diff --git a/kubernetes/main/flux/repositories/helm/bitnami.yaml b/kubernetes/main/flux/repositories/helm/bitnami.yaml new file mode 100644 index 00000000..9f84188c --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/bitnami.yaml 
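Review bot: The `yaml-language-server` schema comment in authentik-charts.yaml points at `kube-schemas.pages.dev` while the neighbouring HelmRepository files use `kubernetes-schemas.pages.dev`, and longhorn.yaml and nfs-subdir-external-provisioner-charts.yaml later in this diff use `lds-schemas.pages.dev`; cilium.yaml, k8s-gateway.yaml, kubernetes-sigs-external-dns.yaml, prometheus-community.yaml, spegel.yaml and stakater.yaml have no schema line at all. Pick one host for the `$schema` URL and apply it to every file so editor validation behaves the same everywhere. The reconcile `interval` also varies between `30m`, `1h`, `2h` and `5m` across these files, which is fine per repository but deserves a stated convention.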
@@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: bitnami + namespace: flux-system +spec: + type: oci + interval: 5m + url: oci://registry-1.docker.io/bitnamicharts diff --git a/kubernetes/main/flux/repositories/helm/bjw-s.yaml b/kubernetes/main/flux/repositories/helm/bjw-s.yaml new file mode 100644 index 00000000..c32ccd8d --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/bjw-s.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: bjw-s + namespace: flux-system +spec: + type: oci + interval: 5m + url: oci://ghcr.io/bjw-s/helm diff --git a/kubernetes/main/flux/repositories/helm/cilium.yaml b/kubernetes/main/flux/repositories/helm/cilium.yaml new file mode 100644 index 00000000..0cfe70bd --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/cilium.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: cilium + namespace: flux-system +spec: + interval: 2h + url: https://helm.cilium.io diff --git a/kubernetes/main/flux/repositories/helm/cloudnative-pg.yaml b/kubernetes/main/flux/repositories/helm/cloudnative-pg.yaml new file mode 100644 index 00000000..4b2f0e61 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/cloudnative-pg.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: cloudnative-pg + namespace: flux-system +spec: + interval: 2h + url: https://cloudnative-pg.github.io/charts 
diff --git a/kubernetes/main/flux/repositories/helm/coredns.yaml b/kubernetes/main/flux/repositories/helm/coredns.yaml new file mode 100644 index 00000000..ed0bb65a --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/coredns.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: coredns + namespace: flux-system +spec: + interval: 2h + url: https://coredns.github.io/helm diff --git a/kubernetes/main/flux/repositories/helm/crossplane.yaml b/kubernetes/main/flux/repositories/helm/crossplane.yaml new file mode 100644 index 00000000..ed899589 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/crossplane.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: crossplane + namespace: flux-system +spec: + interval: 2h + url: https://charts.crossplane.io/stable diff --git a/kubernetes/main/flux/repositories/helm/crunchydata.yaml b/kubernetes/main/flux/repositories/helm/crunchydata.yaml new file mode 100644 index 00000000..011b1376 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/crunchydata.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: crunchydata + namespace: flux-system +spec: + type: oci + interval: 5m + url: oci://registry.developers.crunchydata.com/crunchydata diff --git a/kubernetes/main/flux/repositories/helm/csi-driver-nfs.yaml b/kubernetes/main/flux/repositories/helm/csi-driver-nfs.yaml new file mode 100644 index 00000000..869fce39 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/csi-driver-nfs.yaml 
@@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: csi-driver-nfs + namespace: flux-system +spec: + interval: 2h + url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts diff --git a/kubernetes/main/flux/repositories/helm/emqx.yaml b/kubernetes/main/flux/repositories/helm/emqx.yaml new file mode 100644 index 00000000..eed64ab2 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/emqx.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: emqx + namespace: flux-system +spec: + interval: 2h + url: https://repos.emqx.io/charts diff --git a/kubernetes/main/flux/repositories/helm/external-secrets.yaml b/kubernetes/main/flux/repositories/helm/external-secrets.yaml new file mode 100644 index 00000000..2acd768a --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/external-secrets.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: external-secrets + namespace: flux-system +spec: + interval: 2h + url: https://charts.external-secrets.io diff --git a/kubernetes/main/flux/repositories/helm/grafana.yaml b/kubernetes/main/flux/repositories/helm/grafana.yaml new file mode 100644 index 00000000..2b9bd1e0 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/grafana.yaml 
@@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: grafana + namespace: flux-system +spec: + interval: 2h + url: https://grafana.github.io/helm-charts + diff --git a/kubernetes/main/flux/repositories/helm/ingress-nginx.yaml b/kubernetes/main/flux/repositories/helm/ingress-nginx.yaml new file mode 100644 index 00000000..8e107adc --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/ingress-nginx.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: ingress-nginx + namespace: flux-system +spec: + interval: 2h + url: https://kubernetes.github.io/ingress-nginx diff --git a/kubernetes/main/flux/repositories/helm/intel.yaml b/kubernetes/main/flux/repositories/helm/intel.yaml new file mode 100644 index 00000000..79231419 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/intel.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: intel + namespace: flux-system +spec: + interval: 2h + url: https://intel.github.io/helm-charts + diff --git a/kubernetes/main/flux/repositories/helm/jetstack.yaml b/kubernetes/main/flux/repositories/helm/jetstack.yaml new file mode 100644 index 00000000..30419cd7 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/jetstack.yaml 
@@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: jetstack + namespace: flux-system +spec: + interval: 2h + url: https://charts.jetstack.io + diff --git a/kubernetes/main/flux/repositories/helm/k8s-gateway.yaml b/kubernetes/main/flux/repositories/helm/k8s-gateway.yaml new file mode 100644 index 00000000..41149873 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/k8s-gateway.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: k8s-gateway + namespace: flux-system +spec: + interval: 2h + url: https://ori-edge.github.io/k8s_gateway diff --git a/kubernetes/main/flux/repositories/helm/k8tz.yaml b/kubernetes/main/flux/repositories/helm/k8tz.yaml new file mode 100644 index 00000000..a3c44a5c --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/k8tz.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: k8tz + namespace: flux-system +spec: + interval: 2h + url: https://k8tz.github.io/k8tz/ + diff --git a/kubernetes/main/flux/repositories/helm/kubernetes-sigs-descheduler.yaml b/kubernetes/main/flux/repositories/helm/kubernetes-sigs-descheduler.yaml new file mode 100644 index 00000000..2b563ddd --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/kubernetes-sigs-descheduler.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: kubernetes-sigs-descheduler + namespace: flux-system +spec: + interval: 2h + url: https://kubernetes-sigs.github.io/descheduler 
diff --git a/kubernetes/main/flux/repositories/helm/kubernetes-sigs-external-dns.yaml b/kubernetes/main/flux/repositories/helm/kubernetes-sigs-external-dns.yaml new file mode 100644 index 00000000..48929464 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/kubernetes-sigs-external-dns.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: kubernetes-sigs-external-dns + namespace: flux-system +spec: + interval: 2h + url: https://kubernetes-sigs.github.io/external-dns diff --git a/kubernetes/main/flux/repositories/helm/kubernetes-sigs-metrics-server.yaml b/kubernetes/main/flux/repositories/helm/kubernetes-sigs-metrics-server.yaml new file mode 100644 index 00000000..5618e210 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/kubernetes-sigs-metrics-server.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: kubernetes-sigs-metrics-server + namespace: flux-system +spec: + interval: 2h + url: https://kubernetes-sigs.github.io/metrics-server/ diff --git a/kubernetes/main/flux/repositories/helm/kubernetes-sigs-nfd.yaml b/kubernetes/main/flux/repositories/helm/kubernetes-sigs-nfd.yaml new file mode 100644 index 00000000..203b3f81 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/kubernetes-sigs-nfd.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: kubernetes-sigs-nfd + namespace: flux-system +spec: + interval: 2h + url: https://kubernetes-sigs.github.io/node-feature-discovery/charts + 
diff --git a/kubernetes/main/flux/repositories/helm/kustomization.yaml b/kubernetes/main/flux/repositories/helm/kustomization.yaml new file mode 100644 index 00000000..eff90cf4 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/kustomization.yaml @@ -0,0 +1,40 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./actions-runner-controller.yaml + - ./angelnu.yaml + - ./authentik-charts.yaml + - ./backube.yaml + - ./bitnami.yaml + - ./bjw-s.yaml + - ./cilium.yaml + - ./cloudnative-pg.yaml + - ./coredns.yaml + - ./crossplane.yaml + - ./crunchydata.yaml + - ./csi-driver-nfs.yaml + - ./emqx.yaml + - ./external-secrets.yaml + - ./grafana.yaml + - ./intel.yaml + - ./jetstack.yaml + - ./k8tz.yaml + - ./kubernetes-sigs-descheduler.yaml + - ./kubernetes-sigs-metrics-server.yaml + - ./kubernetes-sigs-nfd.yaml + - ./kyverno.yaml + - ./longhorn.yaml + - ./mariadb-operator.yaml + - ./nfs-subdir-external-provisioner-charts.yaml + - ./openebs.yaml + - ./piraeus.yaml + - ./postfinance.yaml + - ./prometheus-community.yaml + - ./spegel.yaml + - ./stakater.yaml + - ./stevehipwell.yaml + - ./ingress-nginx.yaml + - ./k8s-gateway.yaml + - ./kubernetes-sigs-external-dns.yaml diff --git a/kubernetes/main/flux/repositories/helm/kyverno.yaml b/kubernetes/main/flux/repositories/helm/kyverno.yaml new file mode 100644 index 00000000..b86efb0a --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/kyverno.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: kyverno + namespace: flux-system +spec: + type: oci + interval: 5m + url: oci://ghcr.io/kyverno/charts 
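Review bot: The resource list in helm/kustomization.yaml is alphabetical up to `./stevehipwell.yaml` and then appends `./ingress-nginx.yaml`, `./k8s-gateway.yaml` and `./kubernetes-sigs-external-dns.yaml` out of order, which makes later additions and reviews harder; move them into their sorted positions. Every listed file is present in this diff, so nothing is dangling.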
diff --git a/kubernetes/main/flux/repositories/helm/longhorn.yaml b/kubernetes/main/flux/repositories/helm/longhorn.yaml new file mode 100644 index 00000000..ca8adfc3 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/longhorn.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://lds-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: longhorn + namespace: flux-system +spec: + interval: 1h + url: https://charts.longhorn.io + timeout: 3m diff --git a/kubernetes/main/flux/repositories/helm/mariadb-operator.yaml b/kubernetes/main/flux/repositories/helm/mariadb-operator.yaml new file mode 100644 index 00000000..78e590a4 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/mariadb-operator.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: mariadb-operator + namespace: flux-system +spec: + interval: 2h + url: https://mariadb-operator.github.io/mariadb-operator diff --git a/kubernetes/main/flux/repositories/helm/nfs-subdir-external-provisioner-charts.yaml b/kubernetes/main/flux/repositories/helm/nfs-subdir-external-provisioner-charts.yaml new file mode 100644 index 00000000..58929742 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/nfs-subdir-external-provisioner-charts.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://lds-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: nfs-subdir-external-provisioner-charts + namespace: flux-system +spec: + interval: 2h + url: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner + 
diff --git a/kubernetes/main/flux/repositories/helm/openebs.yaml b/kubernetes/main/flux/repositories/helm/openebs.yaml new file mode 100644 index 00000000..59e4cf8c --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/openebs.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: openebs + namespace: flux-system +spec: + interval: 2h + url: https://openebs.github.io/openebs + diff --git a/kubernetes/main/flux/repositories/helm/piraeus.yaml b/kubernetes/main/flux/repositories/helm/piraeus.yaml new file mode 100644 index 00000000..4fe31ddb --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/piraeus.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: piraeus + namespace: flux-system +spec: + interval: 2h + url: https://piraeus.io/helm-charts/ diff --git a/kubernetes/main/flux/repositories/helm/postfinance.yaml b/kubernetes/main/flux/repositories/helm/postfinance.yaml new file mode 100644 index 00000000..c91da707 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/postfinance.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: postfinance + namespace: flux-system +spec: + interval: 2h + url: https://postfinance.github.io/kubelet-csr-approver + diff --git a/kubernetes/main/flux/repositories/helm/prometheus-community.yaml b/kubernetes/main/flux/repositories/helm/prometheus-community.yaml new file mode 100644 index 00000000..318a1a51 --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/prometheus-community.yaml 
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: prometheus-community
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 5m
+ url: oci://ghcr.io/prometheus-community/charts
diff --git a/kubernetes/main/flux/repositories/helm/spegel.yaml b/kubernetes/main/flux/repositories/helm/spegel.yaml
new file mode 100644
index 00000000..d9a8b2cd
--- /dev/null
+++ b/kubernetes/main/flux/repositories/helm/spegel.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: spegel
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 5m
+ url: oci://ghcr.io/spegel-org/helm-charts
diff --git a/kubernetes/main/flux/repositories/helm/stakater.yaml b/kubernetes/main/flux/repositories/helm/stakater.yaml
new file mode 100644
index 00000000..c727f37f
--- /dev/null
+++ b/kubernetes/main/flux/repositories/helm/stakater.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: stakater
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 5m
+ url: oci://ghcr.io/stakater/charts
diff --git a/kubernetes/main/flux/repositories/helm/stevehipwell.yaml b/kubernetes/main/flux/repositories/helm/stevehipwell.yaml
new file mode 100644
index 00000000..7725bdbd
--- /dev/null
+++ b/kubernetes/main/flux/repositories/helm/stevehipwell.yaml
@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: stevehipwell
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 5m
+ url: oci://ghcr.io/stevehipwell/helm-charts
+ timeout: 3m
diff --git a/kubernetes/main/flux/repositories/kustomization.yaml b/kubernetes/main/flux/repositories/kustomization.yaml
new file mode 100644
index 00000000..d158d426
--- /dev/null
+++ b/kubernetes/main/flux/repositories/kustomization.yaml
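Review bot: The prometheus-community, spegel and stakater OCI repositories carry no `# yaml-language-server: $schema=...` header while stevehipwell.yaml in the same run does, so editor validation silently differs between four files that are otherwise identical in shape; adding the same header line to the three keeps them uniform. All four poll ghcr.io at `interval: 5m` against `1h`/`2h` for the HTTP repositories above; a shorter interval for OCI sources is defensible, but a one-line comment stating the reason would keep it from being "corrected" later. Since these are `type: oci` sources, chart provenance can be verified, but that check lives on the consuming HelmRelease (`spec.chart.spec.verify` with `provider: cosign`), not on the HelmRepository — nothing in these hunks establishes it, so it is worth confirming the HelmReleases that reference these repositories set it.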
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./git
+ - ./helm
+ - ./oci
diff --git a/kubernetes/main/flux/repositories/oci/kustomization.yaml b/kubernetes/main/flux/repositories/oci/kustomization.yaml
new file mode 100644
index 00000000..fe0f332a
--- /dev/null
+++ b/kubernetes/main/flux/repositories/oci/kustomization.yaml
@@ -0,0 +1,4 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []
diff --git a/kubernetes/main/flux/vars/cluster-secrets.sops.yaml b/kubernetes/main/flux/vars/cluster-secrets.sops.yaml
new file mode 100644
index 00000000..ba6d2910
--- /dev/null
+++ b/kubernetes/main/flux/vars/cluster-secrets.sops.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cluster-secrets
+ namespace: flux-system
+stringData:
+ SECRET_DOMAIN: ENC[AES256_GCM,data:9Zo6BFScnbDw,iv:ptgK5x0F3lHSg6H6M4F8O+KAXDV0kSXniBxcex3F0sA=,tag:lEdjNwnh8R/p20Dm0nVkcA==,type:str]
+ SECRET_ACME_EMAIL: ENC[AES256_GCM,data:AangfaUlwFHZooS3SeWcKzMK,iv:vsfLATwzBq/I2eE7UOtb1Ot/4A9oyF9EmQUP7LT4VS0=,tag:kFgWCZ3uPIFOW14DjSDC8Q==,type:str]
+ SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:OKcY1Ou8Ordr4xpor/iMLsliWKwlFrvAs0C9DRBqoV2/5OE7,iv:wkntYq56nHRBCSKrGtl3ayFBeC0CXc9fjAkaS7fHnu8=,tag:NnJrR9BTw0023sv4Q9I/Ew==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age10x2a6rhd5v9kd5w4cn9jemdxch7ecsltw3mpynx4gttcdpsqhumqtkh6kf
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLZWEya3AzYjZrTFBBOHpq
+ VU5MenpEUE96c3M1bTRDOGhvQWdNU28veEZBCjBidWtFVlFZK09LRndGZEx0UXdC
+ MmFHc0pydWw5a25CektWRk1UeHptSVUKLS0tIDJmOWtleEdzUU9NRld2K2NBcTIv
+ WTlzQXN2Qjk5S1FyQTFLZzF2eVMyemsKHLb9KwnvsmXbK4Tc7yOVVcbATFeHkqV7
+ RJ0hYcZcwwxXRZt2/nTsUNpFsl3I/DKAybP8NdkqQskc6IKo2MGsVg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-14T18:39:10Z"
+ mac: ENC[AES256_GCM,data:ewAtGt61z2ExTkOiAUPuWHvKKdpICEzNe+RIGkxvf2IUo7XIorymN9ZrCoT/TULa04iNlkVt2wfh6v2ECriyZTplhHstSYjv85PwqnXPPWt7rZWofi3ho3V+2NM0Yyd9wwgPtC0M9ad1agTJPHKKONo+p0mMWgsZfqdPtNWpLPw=,iv:IxLrituwvsp0MFcKW6QSbV6c62F0rGGpwQy9wxIqe0I=,tag:OWHuEf9/zIvcI/2gP6cVAQ==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.1
diff --git a/kubernetes/main/flux/vars/cluster-settings.yaml b/kubernetes/main/flux/vars/cluster-settings.yaml
new file mode 100644
index 00000000..b64f194e
--- /dev/null
+++ b/kubernetes/main/flux/vars/cluster-settings.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cluster-settings
+ namespace: flux-system
+data:
+ SETTING_EXAMPLE: Global settings for your cluster go in this file, this file is NOT encrypted
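Review bot: cluster-secrets.sops.yaml is encrypted to a single age recipient (`age10x2a6rhd5v9kd5w4cn9jemdxch7ecsltw3mpynx4gttcdpsqhumqtkh6kf`), so loss or rotation of that one private key makes the file unrecoverable and every future edit depends on it; the usual mitigation is a second recipient (an offline backup key alongside the in-cluster one) added with `sops updatekeys`. The ciphertext is fine to commit, but the map keys `SECRET_DOMAIN`, `SECRET_ACME_EMAIL` and `SECRET_CLOUDFLARE_TUNNEL_ID` stay in clear because sops encrypts values, never key names — acceptable here, just worth remembering before adding entries whose names are themselves sensitive. This file and the vars/kustomization.yaml hunk below also omit the leading `---` that every other manifest in this commit starts with. cluster-settings.yaml ships `SETTING_EXAMPLE` as a live ConfigMap entry in flux-system; turning it into a comment (`# Global settings for your cluster go in this file; this file is NOT encrypted`) with an empty `data: {}` avoids deploying a placeholder key.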
diff --git a/kubernetes/main/flux/vars/kustomization.yaml b/kubernetes/main/flux/vars/kustomization.yaml
new file mode 100644
index 00000000..8db2fe91
--- /dev/null
+++ b/kubernetes/main/flux/vars/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./cluster-settings.yaml
+ - ./cluster-secrets.sops.yaml