├── .sops.yaml ├── LICENSE ├── README.md ├── justfile ├── kubeconfig ├── machineconfigs ├── n1.yaml ├── n2.yaml ├── n3.yaml └── update-configs.sh ├── manifests ├── cluster │ └── flux-system │ │ ├── cilium.yaml │ │ ├── flux-capacitor.yaml │ │ ├── gotk-components.yaml │ │ ├── gotk-sync.yaml │ │ ├── harbor-registry.yaml │ │ ├── ingress.yaml │ │ ├── kubelet-cert-rotation.yaml │ │ ├── kubizone.yaml │ │ ├── kustomization.yaml │ │ ├── metrics-server.yaml │ │ ├── openobserve.yaml │ │ ├── pointclap.yaml │ │ ├── postgres.yaml │ │ ├── pull-secrets.yaml │ │ ├── renovate.yaml │ │ └── rook-ceph.yaml ├── infrastructure │ ├── ceph-cluster │ │ ├── cluster.yaml │ │ ├── kustomization.yaml │ │ ├── replicated-x3-block-store.yaml │ │ └── replicated-x3-cephfs.yaml │ ├── cert-manager │ │ ├── cert-manager.yaml │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ ├── cilium │ │ ├── kustomization.yaml │ │ ├── release.yaml │ │ └── repository.yaml │ ├── cluster-issuers │ │ ├── cluster-issuers.yaml │ │ └── kustomization.yaml │ ├── cluster-policies │ │ ├── host-fw-control-plane.yaml │ │ └── kustomization.yaml │ ├── harbor-registry │ │ ├── database.yaml │ │ ├── harbor-registry.yaml │ │ ├── harbor-secrets.yaml │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ ├── ingress-nginx │ │ ├── ingress-nginx.yaml │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ ├── kubizone │ │ ├── kronform.pius.dev.yaml │ │ ├── kubizone.yaml │ │ ├── kustomization.yaml │ │ ├── namespace.yaml │ │ └── secret.yaml │ ├── metrics-server │ │ ├── kustomization.yaml │ │ └── metrics-server.yaml │ ├── openobserve │ │ ├── agent-collector.yaml │ │ ├── collector-sa.yaml │ │ ├── gateway-collector.yaml │ │ ├── kustomization.yaml │ │ ├── namespace.yaml │ │ ├── openobserve.yaml │ │ ├── opentelemetry-operator.yaml │ │ └── secret.yaml │ ├── postgres │ │ ├── cloudnativepg.yaml │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ ├── pull-secrets │ │ ├── docker-hub.yaml │ │ └── kustomization.yaml │ ├── renovate │ │ ├── kustomization.yaml │ │ 
├── namespace.yaml │ │ ├── renovate.yaml │ │ └── secret.yaml │ └── rook-ceph │ │ ├── kustomization.yaml │ │ ├── namespace.yaml │ │ └── rook-ceph.yaml └── pointclap │ ├── 7daystodie │ ├── kustomization.yaml │ └── sdtd.yaml │ ├── factorio │ ├── factorio.yaml │ ├── kustomization.yaml │ └── secrets.yaml │ ├── namespace │ ├── kustomization.yaml │ └── namespace.yaml │ ├── teamspeak3 │ ├── aws-secret.yaml │ ├── kustomization.yaml │ └── teamspeak3.yaml │ └── zomboid │ ├── kustomization.yaml │ ├── secrets.yaml │ ├── service.yaml │ └── zomboid.yaml ├── renovate.json ├── secrets.yaml ├── talosconfig └── tools ├── Dockerfile └── entrypoint.sh /.sops.yaml: -------------------------------------------------------------------------------- 1 | # .sops.yaml 2 | --- 3 | creation_rules: 4 | - path_regex: manifests/.*.yaml 5 | encrypted_regex: ^(data|stringData|Authorization)$ 6 | age: >- 7 | age10v5jyc5ylreyltm32kfj57fmqle0aumxqvg9lp67r50cl8ynlsmq9kx7ez, 8 | age1c8rjkuv9px2gfyrlqn75ajhv26l8fdmeugcdegt237c20l8uc4wq6y9h6d 9 | 10 | - path_regex: talosconfig 11 | encrypted_regex: ^key$ 12 | age: age10v5jyc5ylreyltm32kfj57fmqle0aumxqvg9lp67r50cl8ynlsmq9kx7ez 13 | 14 | - path_regex: kubeconfig 15 | encrypted_regex: ^client-key-data$ 16 | age: age10v5jyc5ylreyltm32kfj57fmqle0aumxqvg9lp67r50cl8ynlsmq9kx7ez 17 | 18 | - path_regex: secrets.yaml 19 | encrypted_regex: ^(secret|bootstraptoken|secretboxencryptionsecret|token|key)$ 20 | age: age10v5jyc5ylreyltm32kfj57fmqle0aumxqvg9lp67r50cl8ynlsmq9kx7ez 21 | 22 | - path_regex: machineconfigs/.*.yaml 23 | encrypted_regex: ^(secret|bootstraptoken|secretboxEncryptionSecret|token|key|password)$ 24 | age: age10v5jyc5ylreyltm32kfj57fmqle0aumxqvg9lp67r50cl8ynlsmq9kx7ez 25 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 Mathias Pius 4 | 5 | Permission is hereby granted, free of charge, to 
any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # kronform 2 | 3 | This is the public repository containing most of the configuration for my **kronform** Kubernetes cluster hosted with Hetzner. 
4 | 5 | The process for setting up the cluster was/is being documented in a blog series at https://datavirke.dk: 6 | 7 | *Series Index* 8 | * [Part I: Talos on Hetzner](https://datavirke.dk/posts/bare-metal-kubernetes-part-1-talos-on-hetzner) 9 | * [Part II: Cilium CNI & Firewalls](https://datavirke.dk/posts/bare-metal-kubernetes-part-2-cilium-and-firewalls) 10 | * [Part III: Encrypted GitOps with FluxCD](https://datavirke.dk/posts/bare-metal-kubernetes-part-3-encrypted-gitops-with-fluxcd) 11 | * [Part IV: Ingress, DNS and Certificates](https://datavirke.dk/posts/bare-metal-kubernetes-part-4-ingress-dns-certificates) 12 | * [Part V: Scaling Out](https://datavirke.dk/posts/bare-metal-kubernetes-part-5-scaling-out) 13 | * [Part VI: Persistent Storage with Rook Ceph](https://datavirke.dk/posts/bare-metal-kubernetes-part-6-persistent-storage-with-rook-ceph/) 14 | * [Part VII: Private Registry with Harbor](https://datavirke.dk/posts/bare-metal-kubernetes-part-7-private-registry-with-harbor/) 15 | * [Part VIII: Containerizing our Work Environment](https://datavirke.dk/posts/bare-metal-kubernetes-part-8-containerizing-our-work-environment/) 16 | * [Part IX: Renovating old Deployments](https://datavirke.dk/posts/bare-metal-kubernetes-part-9-renovating-old-deployments/) 17 | * [Part X: Metrics and Monitoring with OpenObserve](https://datavirke.dk/posts/bare-metal-kubernetes-part-10-metrics-and-monitoring-with-openobserve/) 18 | 19 | 20 | # Upgrading Flux 21 | 22 | Upgrade the Flux version in the tools container, and run the following command inside the container: 23 | 24 | ```bash 25 | flux install \ 26 | --cluster-domain local.kronform.pius.dev \ 27 | --components-extra image-reflector-controller,image-automation-controller \ 28 | --export > manifests/cluster/flux-system/gotk-components.yaml 29 | ``` 30 | -------------------------------------------------------------------------------- /justfile: 
-------------------------------------------------------------------------------- 1 | # Builds a "tools" container with most of the tools required 2 | # to interact with the cluster, both Talos itself and Kubernetes. 3 | build: 4 | docker build -t tools:latest tools/ 5 | 6 | # Run the container, mounting in our SSH and GPG identities. 7 | # 8 | # I'm explicitly setting the DNS here, because my host machine 9 | # uses DNS-over-TLS, which means the nameservers specified in 10 | # /etc/resolv.conf won't work with plain DNS traffic, breaking 11 | # resolution within the container. 12 | tools: 13 | docker run -it --rm \ 14 | --dns 8.8.8.8 \ 15 | -v $(pwd):/data \ 16 | -v /run/user/1000/:/run/user/1000/:ro \ 17 | -v $HOME/.config/sops:/home/user/.config/sops:ro \ 18 | tools:latest || true 19 | 20 | rotate-keys: 21 | find . \ 22 | -not -path '*/\.git/*' \ 23 | -not -name ".sops.yaml" \ 24 | -type f -print0 \ 25 | | while IFS= read -r -d '' file; do \ 26 | sops updatekeys --yes \ 27 | --input-type yaml "$file"; \ 28 | done 29 | exit 0 30 | 31 | update-flux: 32 | docker run -it --rm \ 33 | --dns 8.8.8.8 \ 34 | -v $(pwd):/data \ 35 | -v /run/user/1000/:/run/user/1000/:ro \ 36 | -v $HOME/.config/sops:/home/user/.config/sops:ro \ 37 | tools:latest flux install \ 38 | --cluster-domain "local.kronform.pius.dev" \ 39 | --components-extra="image-reflector-controller,image-automation-controller" \ 40 | --export > manifests/cluster/flux-system/gotk-components.yaml 41 | -------------------------------------------------------------------------------- /kubeconfig: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | clusters: 3 | - cluster: 4 | certificate-authority-data: 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 5 | server: https://api.kronform.pius.dev:6443 6 | name: kronform.pius.dev 7 | contexts: 8 | - context: 9 | cluster: kronform.pius.dev 10 | namespace: default 11 | user: admin@kronform.pius.dev 12 | name: 
admin@kronform.pius.dev 13 | current-context: admin@kronform.pius.dev 14 | kind: Config 15 | preferences: {} 16 | users: 17 | - name: admin@kronform.pius.dev 18 | user: 19 | client-certificate-data: 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 20 | client-key-data: ENC[AES256_GCM,data:UgieVFRbLiM5qPBF7Py3B9huNsIr+oTpfqqh0zOCpYVrWfmyEQ8ruhszjZZ+K/V9fqr4+I1fx6kXn7ixEgWECUfBpX8H8FXOjyo2JXGsgq62aJRn1CB2GG6wOGRLkI3laecx7EYnpT0sGxNOtk+vXSlOSB0oW8ilO1pK/NQnbnlidxvo8Vc8U4NlLjSQl/uYuh1GJ4RzZvo7n19/Li3c4xYdFAGWY9e5yIN8RfZtUAnDw91JWxjSubtJUMkZ6HIja5ZOvUB7Clq9jS7M/VbpV3ejBfc4IW94B7XvcjhtNBQ1oh7nVUk9aZoFVfPjxDIETtZ4hhtEEQRSs46Fx3EGYORom5CBOJ9uUjBiNNQ2estVdI/V9TCyis50aidCduAeDGM7wBEM0prtZfMCPvCJvA==,iv:QnMTCyN5zBFBIDn9bqfPLFDmTUSdX5RVe+joNCHlxhE=,tag:64y1vzRQiCxfd8/c6SHLwA==,type:str] 21 | sops: 22 | kms: [] 23 | gcp_kms: [] 24 | azure_kv: [] 25 | hc_vault: [] 26 | age: 27 | - recipient: age10v5jyc5ylreyltm32kfj57fmqle0aumxqvg9lp67r50cl8ynlsmq9kx7ez 28 | enc: | 29 | -----BEGIN AGE ENCRYPTED FILE----- 30 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVYXdQams0a1ljMnZPRmw0 31 | TE1qY0Rpd2E2YXVxTk13aElHY3ZPL1llZFdvCmtOcUw2S0hjNnRhbjQwZ1BVTjZv 32 | QmRrZlBpSlJSVmQ5cVI4MFQzUWdDdm8KLS0tIHl6VHcwWVBNalFWOU4rWVY1ZC95 33 | R0VoOHYrazkwVm5EUzVveVB0VmJGclEKHvkonlw8h4aVopn3LgUoNg/yXNL5yKxA 34 | iViD+rBEcoaRD+2WedDVNL18LQg35LS/BZCwolVWwjc85GLRbx1BSw== 35 | -----END AGE ENCRYPTED FILE----- 36 | lastmodified: "2024-06-24T13:25:25Z" 37 | mac: ENC[AES256_GCM,data:++yHpIOrbqRMD0LL3gR/eV9v0toI3AFiaAgKGjskk5d3xxAVDwPSkgWFmBScwloFeFTmUEhzEaRPOVq/cYhoprlrxjEVstuUUwCKMzWGDZTWSCovgGGEmyrKddP4O2leAcwODmNrxkDOkTw8sBudoAMY4fUgdpFkye06otLN5ys=,iv:VVMksOP0Fp1YGf6tx0Sz2nraoGDHGHMrnDsqkG+m6Lw=,tag:j8skVvy3iLcLxV4oczdxCw==,type:str] 38 | pgp: [] 39 | encrypted_regex: ^client-key-data$ 40 | version: 3.8.1 41 | -------------------------------------------------------------------------------- /machineconfigs/update-configs.sh: -------------------------------------------------------------------------------- 1 
| #!/usr/bin/env bash 2 | 3 | # This script passes itself as an editor to the sops edit command 4 | # in order to completely replace the target file in a way that 5 | # allows sops to do a diff and only re-encrypt values that have 6 | # changed, and update the mac. 7 | # 8 | # Ideally it would be possible to feed the new machineconfig into 9 | # sops and have it automatically diff the output, but there's no 10 | # such command. Nor can sops read from stdin to replace contents. 11 | # 12 | # The only options for sops are: 13 | # 14 | # 1. Replacing the entire file with the updated plaintext and then 15 | # re-encrypting everything, which means ALL values meant to be 16 | # encrypted will change, making diffs useless. 17 | # 18 | # 2. Using the --set flag to configure individual fields, but this 19 | # does not provide any way of removing fields. Setting them to 20 | # null might be an option for simple values, but array entries 21 | # cannot be deleted this way. 22 | # 23 | # 3. Using the sops edit command to manually update the changes. 24 | # 25 | # This script uses the third option, but provides *itself* as the 26 | # $EDITOR to use for the editing, allowing it to programmatically 27 | # override the values file temporarily decrypted by sops for manual 28 | # editing, with the new fetched values file, grabbed from talosctl. 29 | # 30 | # The process works as follows: 31 | # 32 | # 1. Uses talosctl to download the current machineconfig for the 33 | # node, and stores it in a temp file. 34 | # 35 | # 2. Executes sops "$1"; 74 | 75 | # Exit with success, since we have fulfilled our duty as editor. 76 | exit 0 77 | else 78 | # If a file to be edited is provided, but $SOPS_COPY_FROM is not 79 | # this script is probably getting invoked improperly, exit. 80 | echo "SOPS_COPY_FROM variable not provided, exiting with error." 
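        exit 1
    fi
fi

# update_config ENDPOINT NODE
#
# Fetch the live machineconfig of NODE through the Talos endpoint ENDPOINT
# and hand it to `sops` edit mode for machineconfigs/NODE.yaml, with this
# script acting as the editor so that only values that actually changed
# are re-encrypted.
#
# Arguments:
#   $1 - Talos endpoint address, passed to `talosctl -e`
#   $2 - node, passed to `talosctl -n`; also selects machineconfigs/$2.yaml
#        as the sops-encrypted file to update
#
# Returns 1 (leaving the encrypted file untouched) when the machineconfig
# could not be fetched, so a failing talosctl/yq cannot replace the stored
# config with an empty document. Exits 1 if no temp file could be created.
function update_config() {
    local endpoint="$1"
    local node="$2"
    local machineconfig_file

    # Temp file for the *plaintext* machineconfig, which carries the node's
    # secrets; mktemp creates it readable by the owner only.
    machineconfig_file=$(mktemp)

    # Make sure the file exists before continuing.
    if [ ! -f "$machineconfig_file" ]; then
        echo "Temp file not created, exiting."
        exit 1
    fi

    # Fetch the node's machineconfig, extracting only the spec itself, and
    # storing it in our temp file.
    echo "Fetching machineconfig for $node from $endpoint.."
    # Without `set -o pipefail` only yq's exit status is visible here, so
    # additionally require a non-empty result before passing it to sops.
    if ! talosctl -e "$endpoint" -n "$node" get machineconfig v1alpha1 -o yaml | yq '.spec' > "$machineconfig_file" \
        || [ ! -s "$machineconfig_file" ]; then
        echo "Failed to fetch machineconfig for $node, leaving machineconfigs/$node.yaml untouched." >&2
        rm -f "$machineconfig_file"
        return 1
    fi

    # Invoke sops' edit mode for the target file, causing it to decrypt
    # into a temp file and in turn invoke this script as EDITOR.
    # The script path is made absolute so this works whether $0 was given
    # relative to the current directory or as an absolute path.
    EDITOR="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")" SOPS_COPY_FROM="$machineconfig_file" sops machineconfigs/"$node".yaml

    # Clean up the plaintext copy whether or not sops succeeded.
    rm -f "$machineconfig_file"
}

# If we aren't running as an editor, initiate update of all machine configs.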
110 | update_config 159.69.60.182 n1 111 | update_config 88.99.105.56 n2 112 | update_config 46.4.77.66 n3 113 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/cilium.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: cilium 5 | namespace: flux-system 6 | spec: 7 | interval: 10m0s 8 | path: ./manifests/infrastructure/cilium 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | --- 14 | apiVersion: kustomize.toolkit.fluxcd.io/v1 15 | kind: Kustomization 16 | metadata: 17 | name: cluster-policies 18 | namespace: flux-system 19 | spec: 20 | interval: 10m0s 21 | path: ./manifests/infrastructure/cluster-policies 22 | prune: true 23 | sourceRef: 24 | kind: GitRepository 25 | name: flux-system 26 | healthChecks: 27 | - apiVersion: helm.toolkit.fluxcd.io/v2beta2 28 | kind: HelmRelease 29 | name: cilium 30 | namespace: kube-system 31 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/flux-capacitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: capacitor 6 | namespace: flux-system 7 | spec: 8 | interval: 12h 9 | url: oci://ghcr.io/gimlet-io/capacitor-manifests 10 | ref: 11 | semver: "<=0.5.0" 12 | --- 13 | apiVersion: kustomize.toolkit.fluxcd.io/v1 14 | kind: Kustomization 15 | metadata: 16 | name: capacitor 17 | namespace: flux-system 18 | spec: 19 | targetNamespace: flux-system 20 | interval: 1h 21 | retryInterval: 2m 22 | timeout: 5m 23 | wait: true 24 | prune: true 25 | path: "./" 26 | sourceRef: 27 | kind: OCIRepository 28 | name: capacitor 29 | -------------------------------------------------------------------------------- 
/manifests/cluster/flux-system/gotk-sync.yaml: -------------------------------------------------------------------------------- 1 | # This manifest was generated by flux. DO NOT EDIT. 2 | --- 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: GitRepository 5 | metadata: 6 | name: flux-system 7 | namespace: flux-system 8 | spec: 9 | interval: 1m0s 10 | ref: 11 | branch: main 12 | secretRef: 13 | name: flux-system 14 | url: ssh://git@github.com/MathiasPius/kronform 15 | --- 16 | apiVersion: kustomize.toolkit.fluxcd.io/v1 17 | kind: Kustomization 18 | metadata: 19 | name: flux-system 20 | namespace: flux-system 21 | spec: 22 | interval: 10m0s 23 | path: ./manifests/cluster/ 24 | prune: true 25 | sourceRef: 26 | kind: GitRepository 27 | name: flux-system 28 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/harbor-registry.yaml: -------------------------------------------------------------------------------- 1 | # manifests/cluster/flux-system/harbor.yaml 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: harbor-registry 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | path: ./manifests/infrastructure/harbor-registry 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | decryption: 15 | provider: sops 16 | secretRef: 17 | name: sops-age 18 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: ingress-nginx 5 | namespace: flux-system 6 | spec: 7 | interval: 10m0s 8 | path: ./manifests/infrastructure/ingress-nginx 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | targetNamespace: ingress-nginx 14 | --- 15 | apiVersion: 
kustomize.toolkit.fluxcd.io/v1 16 | kind: Kustomization 17 | metadata: 18 | name: cert-manager 19 | namespace: flux-system 20 | spec: 21 | interval: 10m0s 22 | path: ./manifests/infrastructure/cert-manager 23 | prune: true 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | targetNamespace: cert-manager 28 | --- 29 | apiVersion: kustomize.toolkit.fluxcd.io/v1 30 | kind: Kustomization 31 | metadata: 32 | name: cluster-issuers 33 | namespace: flux-system 34 | spec: 35 | interval: 10m0s 36 | path: ./manifests/infrastructure/cluster-issuers 37 | prune: true 38 | sourceRef: 39 | kind: GitRepository 40 | name: flux-system 41 | healthChecks: 42 | - apiVersion: helm.toolkit.fluxcd.io/v2beta2 43 | kind: HelmRelease 44 | name: cert-manager 45 | namespace: cert-manager 46 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/kubelet-cert-rotation.yaml: -------------------------------------------------------------------------------- 1 | # manifests/cluster/flux-system/kubelet-cert-rotation.yaml 2 | --- 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: GitRepository 5 | metadata: 6 | name: kubelet-serving-cert-approver 7 | namespace: flux-system 8 | spec: 9 | interval: 1m0s 10 | ref: 11 | semver: ">=0.7.0 < 0.8.0" 12 | secretRef: 13 | name: flux-system 14 | url: ssh://git@github.com/alex1989hu/kubelet-serving-cert-approver 15 | --- 16 | apiVersion: kustomize.toolkit.fluxcd.io/v1 17 | kind: Kustomization 18 | metadata: 19 | name: kubelet-serving-cert-approver 20 | namespace: flux-system 21 | spec: 22 | interval: 10m0s 23 | path: ./deploy/standalone 24 | prune: true 25 | sourceRef: 26 | kind: GitRepository 27 | name: kubelet-serving-cert-approver 28 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/kubizone.yaml: -------------------------------------------------------------------------------- 1 | # 
manifests/cluster/flux-system/kubizone.yaml 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: kubizone 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | path: ./manifests/infrastructure/kubizone 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | decryption: 15 | provider: sops 16 | secretRef: 17 | name: sops-age 18 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - gotk-components.yaml 5 | - gotk-sync.yaml 6 | - pull-secrets.yaml 7 | - cilium.yaml 8 | - ingress.yaml 9 | - flux-capacitor.yaml 10 | - pointclap.yaml 11 | - rook-ceph.yaml 12 | - harbor-registry.yaml 13 | - metrics-server.yaml 14 | - kubelet-cert-rotation.yaml 15 | - postgres.yaml 16 | - renovate.yaml 17 | - openobserve.yaml 18 | - kubizone.yaml 19 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/metrics-server.yaml: -------------------------------------------------------------------------------- 1 | # manifests/cluster/flux-system/metrics-server.yaml 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: metrics-server 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | path: ./manifests/infrastructure/metrics-server 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | decryption: 15 | provider: sops 16 | secretRef: 17 | name: sops-age 18 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/openobserve.yaml: -------------------------------------------------------------------------------- 1 | # manifests/cluster/flux-system/openobserve.yaml 2 | apiVersion: 
kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: openobserve 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | path: ./manifests/infrastructure/openobserve 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | decryption: 15 | provider: sops 16 | secretRef: 17 | name: sops-age 18 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/pointclap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: pointclap-namespace 5 | namespace: flux-system 6 | spec: 7 | interval: 10m0s 8 | path: ./manifests/pointclap/namespace 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | --- 14 | apiVersion: kustomize.toolkit.fluxcd.io/v1 15 | kind: Kustomization 16 | metadata: 17 | name: pointclap-teamspeak3 18 | namespace: flux-system 19 | spec: 20 | interval: 10m0s 21 | path: ./manifests/pointclap/teamspeak3 22 | prune: true 23 | sourceRef: 24 | kind: GitRepository 25 | name: flux-system 26 | targetNamespace: pointclap 27 | dependsOn: 28 | - name: pointclap-namespace 29 | decryption: 30 | provider: sops 31 | secretRef: 32 | name: sops-age 33 | --- 34 | apiVersion: kustomize.toolkit.fluxcd.io/v1 35 | kind: Kustomization 36 | metadata: 37 | name: pointclap-7daystodie 38 | namespace: flux-system 39 | spec: 40 | interval: 10m0s 41 | path: ./manifests/pointclap/7daystodie 42 | prune: true 43 | sourceRef: 44 | kind: GitRepository 45 | name: flux-system 46 | targetNamespace: pointclap 47 | dependsOn: 48 | - name: pointclap-namespace 49 | --- 50 | apiVersion: kustomize.toolkit.fluxcd.io/v1 51 | kind: Kustomization 52 | metadata: 53 | name: pointclap-factorio 54 | namespace: flux-system 55 | spec: 56 | interval: 10m0s 57 | path: ./manifests/pointclap/factorio 58 | prune: true 59 | sourceRef: 60 | kind: 
GitRepository 61 | name: flux-system 62 | targetNamespace: pointclap 63 | dependsOn: 64 | - name: pointclap-namespace 65 | decryption: 66 | provider: sops 67 | secretRef: 68 | name: sops-age 69 | --- 70 | apiVersion: kustomize.toolkit.fluxcd.io/v1 71 | kind: Kustomization 72 | metadata: 73 | name: pointclap-zomboid 74 | namespace: flux-system 75 | spec: 76 | interval: 10m0s 77 | path: ./manifests/pointclap/zomboid 78 | prune: true 79 | sourceRef: 80 | kind: GitRepository 81 | name: flux-system 82 | targetNamespace: pointclap 83 | dependsOn: 84 | - name: pointclap-namespace 85 | decryption: 86 | provider: sops 87 | secretRef: 88 | name: sops-age 89 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/postgres.yaml: -------------------------------------------------------------------------------- 1 | # manifests/cluster/flux-system/postgres.yaml 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: postgres 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | path: ./manifests/infrastructure/postgres 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/pull-secrets.yaml: -------------------------------------------------------------------------------- 1 | # manifests/cluster/flux-system/pull-secrets.yaml 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: pull-secrets 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | path: ./manifests/infrastructure/pull-secrets 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | decryption: 15 | provider: sops 16 | secretRef: 17 | name: sops-age 18 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/renovate.yaml: 
-------------------------------------------------------------------------------- 1 | # manifests/cluster/flux-system/renovate.yaml 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: renovate 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | path: ./manifests/infrastructure/renovate 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | decryption: 15 | provider: sops 16 | secretRef: 17 | name: sops-age 18 | -------------------------------------------------------------------------------- /manifests/cluster/flux-system/rook-ceph.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: rook-ceph 5 | namespace: flux-system 6 | spec: 7 | interval: 10m0s 8 | path: ./manifests/infrastructure/rook-ceph 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | --- 14 | apiVersion: kustomize.toolkit.fluxcd.io/v1 15 | kind: Kustomization 16 | metadata: 17 | name: ceph-cluster 18 | namespace: flux-system 19 | spec: 20 | interval: 10m0s 21 | path: ./manifests/infrastructure/ceph-cluster 22 | prune: true 23 | sourceRef: 24 | kind: GitRepository 25 | name: flux-system 26 | healthChecks: 27 | - apiVersion: helm.toolkit.fluxcd.io/v2beta2 28 | kind: HelmRelease 29 | name: rook-ceph 30 | namespace: rook-ceph 31 | -------------------------------------------------------------------------------- /manifests/infrastructure/ceph-cluster/cluster.yaml: -------------------------------------------------------------------------------- 1 | # manifests/infrastructure/ceph-cluster/cluster.yaml 2 | --- 3 | apiVersion: ceph.rook.io/v1 4 | kind: CephCluster 5 | metadata: 6 | name: rook-ceph 7 | namespace: rook-ceph 8 | spec: 9 | cephConfig: 10 | global: 11 | mon_data_avail_warn: "10" 12 | cephVersion: 13 | image: quay.io/ceph/ceph:v19.2.2 14 | monitoring: 15 | 
enabled: true 16 | dataDirHostPath: /var/lib/rook 17 | mon: 18 | count: 3 19 | allowMultiplePerNode: false 20 | mgr: 21 | count: 3 22 | modules: 23 | - name: rook 24 | enabled: true 25 | dashboard: 26 | enabled: true 27 | storage: 28 | useAllNodes: true 29 | useAllDevices: true 30 | placement: 31 | all: 32 | tolerations: 33 | - effect: NoSchedule 34 | key: node-role.kubernetes.io/control-plane 35 | operator: Exists 36 | -------------------------------------------------------------------------------- /manifests/infrastructure/ceph-cluster/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - cluster.yaml 6 | - replicated-x3-block-store.yaml 7 | - replicated-x3-cephfs.yaml 8 | -------------------------------------------------------------------------------- /manifests/infrastructure/ceph-cluster/replicated-x3-block-store.yaml: -------------------------------------------------------------------------------- 1 | # manifests/infrastructure/ceph-cluster/replicated-x3-block.store.yaml 2 | --- 3 | apiVersion: ceph.rook.io/v1 4 | kind: CephBlockPool 5 | metadata: 6 | name: replicated-x3-block-store 7 | namespace: rook-ceph 8 | spec: 9 | failureDomain: host 10 | replicated: 11 | size: 3 12 | --- 13 | apiVersion: storage.k8s.io/v1 14 | kind: StorageClass 15 | metadata: 16 | name: replicated-x3-block-store 17 | annotations: 18 | storageclass.kubernetes.io/is-default-class: "true" 19 | provisioner: rook-ceph.rbd.csi.ceph.com 20 | parameters: 21 | # clusterID is the namespace where the rook cluster is running 22 | clusterID: rook-ceph 23 | # Ceph pool into which the RBD image shall be created 24 | pool: replicated-x3-block-store 25 | 26 | imageFormat: "2" 27 | # For more information about these features see: https://docs.ceph.com/en/latest/rbd/rbd-config-ref/#image-features 28 | # tl;dr: They're available from Linux kernel 5.14 and 
make I/O faster. 29 | imageFeatures: layering,fast-diff,object-map,deep-flatten,exclusive-lock 30 | 31 | # The secrets contain Ceph admin credentials. 32 | csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner 33 | csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph 34 | csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner 35 | csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph 36 | csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node 37 | csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph 38 | csi.storage.k8s.io/fstype: ext4 39 | # Keep the rbd volume (do not delete it) when its PVC is deleted; see reclaimPolicy below 40 | reclaimPolicy: Retain 41 | allowVolumeExpansion: true 42 | -------------------------------------------------------------------------------- /manifests/infrastructure/ceph-cluster/replicated-x3-cephfs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: ceph.rook.io/v1 2 | kind: CephFilesystem 3 | metadata: 4 | name: replicated-x3-filesystem 5 | namespace: rook-ceph 6 | spec: 7 | # The metadata pool spec. Must use replication. 8 | metadataPool: 9 | replicated: 10 | size: 3 11 | requireSafeReplicaSize: true 12 | parameters: 13 | # Inline compression mode for the data pool 14 | # Further reference: https://docs.ceph.com/docs/master/rados/configuration/bluestore-config-ref/#inline-compression 15 | compression_mode: 16 | none 17 | # gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity of a given pool 18 | # for more info: https://docs.ceph.com/docs/master/rados/operations/placement-groups/#specifying-expected-pool-size 19 | #target_size_ratio: ".5" 20 | # The list of data pool specs. Can use replication or erasure coding. 21 | dataPools: 22 | - name: data 23 | failureDomain: host 24 | replicated: 25 | size: 3 26 | # Disallow setting pool with replica 1, this could lead to data loss without recovery. 
27 | # Make sure you're *ABSOLUTELY CERTAIN* that is what you want 28 | requireSafeReplicaSize: true 29 | parameters: 30 | # Inline compression mode for the data pool 31 | # Further reference: https://docs.ceph.com/docs/master/rados/configuration/bluestore-config-ref/#inline-compression 32 | compression_mode: 33 | none 34 | # gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity of a given pool 35 | # for more info: https://docs.ceph.com/docs/master/rados/operations/placement-groups/#specifying-expected-pool-size 36 | #target_size_ratio: ".5" 37 | # Whether to preserve filesystem after CephFilesystem CRD deletion 38 | preserveFilesystemOnDelete: true 39 | # The metadata service (mds) configuration 40 | metadataServer: 41 | # The number of active MDS instances 42 | activeCount: 1 43 | # Whether each active MDS instance will have an active standby with a warm metadata cache for faster failover. 44 | # If false, standbys will be available, but will not have a warm cache. 45 | activeStandby: true 46 | # The affinity rules to apply to the mds deployment 47 | placement: 48 | # nodeAffinity: 49 | # requiredDuringSchedulingIgnoredDuringExecution: 50 | # nodeSelectorTerms: 51 | # - matchExpressions: 52 | # - key: role 53 | # operator: In 54 | # values: 55 | # - mds-node 56 | # topologySpreadConstraints: 57 | # tolerations: 58 | # - key: mds-node 59 | # operator: Exists 60 | # podAffinity: 61 | podAntiAffinity: 62 | requiredDuringSchedulingIgnoredDuringExecution: 63 | - labelSelector: 64 | matchExpressions: 65 | - key: app 66 | operator: In 67 | values: 68 | - rook-ceph-mds 69 | ## Add this if you want to allow mds daemons for different filesystems to run on one 70 | ## node. The value in "values" must match .metadata.name. 
71 | # - key: rook_file_system 72 | # operator: In 73 | # values: 74 | # - myfs 75 | # topologyKey: kubernetes.io/hostname will place MDS across different hosts 76 | topologyKey: kubernetes.io/hostname 77 | preferredDuringSchedulingIgnoredDuringExecution: 78 | - weight: 100 79 | podAffinityTerm: 80 | labelSelector: 81 | matchExpressions: 82 | - key: app 83 | operator: In 84 | values: 85 | - rook-ceph-mds 86 | # topologyKey: */zone can be used to spread MDS across different AZ 87 | # Use in k8s clusters at v1.16 or lower 88 | # Use in k8s clusters at v1.17 or newer 89 | topologyKey: topology.kubernetes.io/zone 90 | # A key/value list of annotations 91 | # annotations: 92 | # key: value 93 | # A key/value list of labels 94 | # labels: 95 | # key: value 96 | resources: 97 | # The requests set here reserve half of one CPU core and 1 gigabyte of memory for the filesystem MDS Pod(s); the limit caps memory at 2 gigabytes 98 | limits: 99 | memory: "2048Mi" 100 | requests: 101 | cpu: "500m" 102 | memory: "1024Mi" 103 | priorityClassName: system-cluster-critical 104 | livenessProbe: 105 | disabled: false 106 | startupProbe: 107 | disabled: false 108 | # Filesystem mirroring settings 109 | # mirroring: 110 | # enabled: true 111 | # # list of Kubernetes Secrets containing the peer token 112 | # # for more details see: https://docs.ceph.com/en/latest/dev/cephfs-mirroring/#bootstrap-peers 113 | # # Add the secret name if it already exists else specify the empty list here. 114 | # peers: 115 | # secretNames: 116 | # - secondary-cluster-peer 117 | # # specify the schedule(s) on which snapshots should be taken 118 | # # see the official syntax here https://docs.ceph.com/en/latest/cephfs/snap-schedule/#add-and-remove-schedules 119 | # snapshotSchedules: 120 | # - path: / 121 | # interval: 24h # daily snapshots 122 | # # The startTime should be mentioned in the format YYYY-MM-DDTHH:MM:SS 123 | # # If startTime is not specified, then by default the start time is considered as midnight UTC. 
124 | # # see usage here https://docs.ceph.com/en/latest/cephfs/snap-schedule/#usage 125 | # # startTime: 2022-07-15T11:55:00 126 | # # manage retention policies 127 | # # see syntax duration here https://docs.ceph.com/en/latest/cephfs/snap-schedule/#add-and-remove-retention-policies 128 | # snapshotRetention: 129 | # - path: / 130 | # duration: "h 24" 131 | --- 132 | apiVersion: storage.k8s.io/v1 133 | kind: StorageClass 134 | metadata: 135 | name: replicated-x3-cephfs 136 | # Change "rook-ceph" provisioner prefix to match the operator namespace if needed 137 | provisioner: rook-ceph.cephfs.csi.ceph.com 138 | parameters: 139 | # clusterID is the namespace where the rook cluster is running 140 | # If you change this namespace, also change the namespace below where the secret namespaces are defined 141 | clusterID: rook-ceph 142 | 143 | # CephFS filesystem name into which the volume shall be created 144 | fsName: replicated-x3-filesystem 145 | 146 | # Ceph pool into which the volume shall be created 147 | # Required for provisionVolume: "true" 148 | pool: replicated-x3-filesystem-data 149 | 150 | # The secrets contain Ceph admin credentials. These are generated automatically by the operator 151 | # in the same namespace as the cluster. 
152 | csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner 153 | csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph 154 | csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner 155 | csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph 156 | csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node 157 | csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph 158 | 159 | reclaimPolicy: Retain 160 | allowVolumeExpansion: true 161 | -------------------------------------------------------------------------------- /manifests/infrastructure/cert-manager/cert-manager.yaml: -------------------------------------------------------------------------------- 1 | # manifests/infrastructure/cert-manager/cert-manager.yaml 2 | --- 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: jetstack 7 | namespace: cert-manager 8 | spec: 9 | interval: 5m0s 10 | url: https://charts.jetstack.io 11 | --- 12 | apiVersion: helm.toolkit.fluxcd.io/v2 13 | kind: HelmRelease 14 | metadata: 15 | name: cert-manager 16 | namespace: cert-manager 17 | spec: 18 | interval: 5m 19 | chart: 20 | spec: 21 | chart: cert-manager 22 | version: "<1.17.3" 23 | sourceRef: 24 | kind: HelmRepository 25 | name: jetstack 26 | namespace: cert-manager 27 | interval: 1m 28 | values: 29 | installCRDs: true 30 | featureGates: ExperimentalCertificateSigningRequestControllers=true 31 | -------------------------------------------------------------------------------- /manifests/infrastructure/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | - cert-manager.yaml 7 | -------------------------------------------------------------------------------- /manifests/infrastructure/cert-manager/namespace.yaml: 
-------------------------------------------------------------------------------- 1 | # manifests/infrastructure/cert-manager/namespace.yaml 2 | --- 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: cert-manager 7 | -------------------------------------------------------------------------------- /manifests/infrastructure/cilium/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - repository.yaml 5 | - release.yaml 6 | -------------------------------------------------------------------------------- /manifests/infrastructure/cilium/release.yaml: -------------------------------------------------------------------------------- 1 | # manifests/infrastructure/cilium/release.yaml 2 | --- 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: cilium 7 | namespace: kube-system 8 | spec: 9 | interval: 5m 10 | chart: 11 | spec: 12 | chart: cilium 13 | version: "<1.17.5" 14 | sourceRef: 15 | kind: HelmRepository 16 | name: cilium 17 | namespace: kube-system 18 | interval: 1m 19 | values: 20 | ipam: 21 | mode: kubernetes 22 | hostFirewall: 23 | enabled: true 24 | bpf: 25 | masquerade: true 26 | ipMasqAgent: 27 | enabled: true 28 | hubble: 29 | relay: 30 | enabled: true 31 | ui: 32 | enabled: true 33 | peerService: 34 | clusterDomain: local.kronform.pius.dev 35 | etcd: 36 | clusterDomain: local.kronform.pius.dev 37 | kubeProxyReplacement: true 38 | securityContext: 39 | capabilities: 40 | ciliumAgent: 41 | - CHOWN 42 | - KILL 43 | - NET_ADMIN 44 | - NET_RAW 45 | - IPC_LOCK 46 | - SYS_ADMIN 47 | - SYS_RESOURCE 48 | - DAC_OVERRIDE 49 | - FOWNER 50 | - SETGID 51 | - SETUID 52 | cleanCiliumState: 53 | - NET_ADMIN 54 | - SYS_ADMIN 55 | - SYS_RESOURCE 56 | cgroup: 57 | autoMount: 58 | enabled: true 59 | hostRoot: /sys/fs/cgroup 60 | k8sServiceHost: api.kronform.pius.dev 61 | k8sServicePort: "6443" 62 | 
-------------------------------------------------------------------------------- /manifests/infrastructure/cilium/repository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: cilium 6 | namespace: kube-system 7 | spec: 8 | interval: 5m0s 9 | url: https://helm.cilium.io/ 10 | -------------------------------------------------------------------------------- /manifests/infrastructure/cluster-issuers/cluster-issuers.yaml: -------------------------------------------------------------------------------- 1 | # manifests/infrastructure/cluster-issuers/cluster-issuers.yaml 2 | --- 3 | apiVersion: cert-manager.io/v1 4 | kind: ClusterIssuer 5 | metadata: 6 | name: letsencrypt-staging 7 | spec: 8 | acme: 9 | server: https://acme-staging-v02.api.letsencrypt.org/directory 10 | email: contact@pius.io 11 | privateKeySecretRef: 12 | name: letsencrypt-staging 13 | solvers: 14 | - http01: 15 | ingress: 16 | class: nginx 17 | --- 18 | apiVersion: cert-manager.io/v1 19 | kind: ClusterIssuer 20 | metadata: 21 | name: letsencrypt-production 22 | spec: 23 | acme: 24 | server: https://acme-v02.api.letsencrypt.org/directory 25 | email: contact@pius.io 26 | privateKeySecretRef: 27 | name: letsencrypt-production 28 | solvers: 29 | - http01: 30 | ingress: 31 | class: nginx 32 | -------------------------------------------------------------------------------- /manifests/infrastructure/cluster-issuers/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - cluster-issuers.yaml 5 | -------------------------------------------------------------------------------- /manifests/infrastructure/cluster-policies/host-fw-control-plane.yaml: -------------------------------------------------------------------------------- 1 | # 
policies/host-fw-control-plane.yaml 2 | apiVersion: "cilium.io/v2" 3 | kind: CiliumClusterwideNetworkPolicy 4 | metadata: 5 | name: "host-fw-control-plane" 6 | spec: 7 | description: "control-plane specific access rules." 8 | nodeSelector: 9 | matchLabels: 10 | node-role.kubernetes.io/control-plane: "" 11 | ingress: 12 | # Allow access to kube api from anywhere. 13 | - fromEntities: 14 | - world 15 | - cluster 16 | toPorts: 17 | - ports: 18 | - port: "6443" 19 | protocol: "TCP" 20 | 21 | # Allow access to talos from anywhere. 22 | # https://www.talos.dev/v1.4/learn-more/talos-network-connectivity/ 23 | - fromEntities: 24 | - world 25 | - cluster 26 | toPorts: 27 | - ports: 28 | - port: "50000" 29 | protocol: "TCP" 30 | - port: "50001" 31 | protocol: "TCP" 32 | 33 | # Allow kube-proxy-replacement from kube-apiserver 34 | - fromEntities: 35 | - kube-apiserver 36 | toPorts: 37 | - ports: 38 | - port: "10250" 39 | protocol: "TCP" 40 | - port: "4244" 41 | protocol: "TCP" 42 | 43 | # Allow access from hubble-relay to hubble-peer (running on the node) 44 | - fromEndpoints: 45 | - matchLabels: 46 | k8s-app: hubble-relay 47 | toPorts: 48 | - ports: 49 | - port: "4244" 50 | protocol: "TCP" 51 | 52 | # Allow metrics-server to scrape 53 | - fromEndpoints: 54 | - matchLabels: 55 | k8s-app: metrics-server 56 | toPorts: 57 | - ports: 58 | - port: "10250" 59 | protocol: "TCP" 60 | 61 | # Allow ICMP Ping from/to anywhere. 62 | - icmps: 63 | - fields: 64 | - type: 8 65 | family: IPv4 66 | - type: 128 67 | family: IPv6 68 | 69 | # Allow cilium tunnel/health checks from other nodes. 70 | - fromEntities: 71 | - remote-node 72 | toPorts: 73 | - ports: 74 | - port: "8472" 75 | protocol: "UDP" 76 | - port: "4240" 77 | protocol: "TCP" 78 | 79 | # Allow access to etcd and api from other nodes. 
80 | - fromEntities: 81 | - remote-node 82 | toPorts: 83 | - ports: 84 | - port: "2379" 85 | protocol: "TCP" 86 | - port: "2380" 87 | protocol: "TCP" 88 | - port: "51871" 89 | protocol: "UDP" 90 | 91 | # Allow access to etcd (2379/2380) from unconfigured nodes by their public IPs (the same addresses as the api.kronform.pius.dev A records); keep this list in sync with the node set 92 | - fromCIDR: 93 | - 159.69.60.182/32 94 | - 88.99.105.56/32 95 | - 46.4.77.66/32 96 | toPorts: 97 | - ports: 98 | - port: "2379" 99 | protocol: "TCP" 100 | - port: "2380" 101 | protocol: "TCP" 102 | 103 | # Allow wireguard/KubeSpan access from anywhere 104 | - fromEntities: 105 | - world 106 | - cluster 107 | toPorts: 108 | - ports: 109 | - port: "51820" 110 | protocol: "UDP" 111 | 112 | # Allow DHCP Packets 113 | - fromEntities: 114 | - world 115 | - cluster 116 | toPorts: 117 | - ports: 118 | - port: "67" 119 | protocol: "UDP" 120 | - port: "68" 121 | protocol: "UDP" 122 | 123 | # Allow HTTP and HTTPS access from anywhere 124 | - fromEntities: 125 | - world 126 | - cluster 127 | toPorts: 128 | - ports: 129 | - port: "80" 130 | protocol: "TCP" 131 | - port: "443" 132 | protocol: "TCP" 133 | 134 | # Allow SMTP access from anywhere 135 | # This is part of a DMARC project 136 | - fromEntities: 137 | - world 138 | - cluster 139 | toPorts: 140 | - ports: 141 | - port: "25" 142 | protocol: "TCP" 143 | 144 | # Allow access from inside the cluster to 145 | # the admission controller 146 | - fromEntities: 147 | - cluster 148 | toPorts: 149 | - ports: 150 | - port: "8443" 151 | protocol: "TCP" 152 | 153 | # Allow any endpoint in the cluster to reach the kubelet API (10250); this is broader than the metrics-server-only rule above. 
154 | - fromEntities: 155 | - cluster 156 | toPorts: 157 | - ports: 158 | - port: "10250" 159 | protocol: "TCP" 160 | 161 | # # Allow DNS lookup from anywhere to the node-port running CoreDNS 162 | # - fromEntities: 163 | # - all 164 | # toPorts: 165 | # - ports: 166 | # - port: "53" 167 | # protocol: "UDP" 168 | # - port: "53" 169 | # protocol: "TCP" 170 | 171 | # Allow kube-ovn access from other nodes (Cilium is the CNI deployed in these manifests; confirm this rule is still needed before keeping these ports open) 172 | - fromEntities: 173 | - remote-node 174 | toPorts: 175 | - ports: 176 | # ovn-central 177 | - port: "6641" 178 | protocol: "TCP" 179 | - port: "6642" 180 | protocol: "TCP" 181 | - port: "6643" 182 | protocol: "TCP" 183 | - port: "6644" 184 | protocol: "TCP" 185 | 186 | # ovs-ovn 187 | - port: "6081" 188 | protocol: "UDP" 189 | 190 | # metrics 191 | - port: "10660" 192 | protocol: "TCP" 193 | - port: "10661" 194 | protocol: "TCP" 195 | - port: "10665" 196 | protocol: "TCP" 197 | -------------------------------------------------------------------------------- /manifests/infrastructure/cluster-policies/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - host-fw-control-plane.yaml 5 | -------------------------------------------------------------------------------- /manifests/infrastructure/harbor-registry/database.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: postgresql.cnpg.io/v1 2 | kind: Cluster 3 | metadata: 4 | name: harbor-postgresql 5 | namespace: harbor-registry 6 | spec: 7 | instances: 1 8 | bootstrap: 9 | initdb: 10 | database: registry 11 | owner: bn_harbor 12 | secret: 13 | name: harbor-secrets-postgres 14 | storage: 15 | size: 8Gi 16 | -------------------------------------------------------------------------------- /manifests/infrastructure/harbor-registry/harbor-registry.yaml: 
-------------------------------------------------------------------------------- 1 | # manifests/infrastructure/harbor-registry/harbor-registry.yaml 2 | --- 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: harbor-registry 7 | namespace: harbor-registry 8 | spec: 9 | type: "oci" 10 | interval: 5m0s 11 | url: oci://registry-1.docker.io/bitnamicharts 12 | --- 13 | apiVersion: helm.toolkit.fluxcd.io/v2 14 | kind: HelmRelease 15 | metadata: 16 | name: harbor-registry 17 | namespace: harbor-registry 18 | spec: 19 | interval: 5m 20 | chart: 21 | spec: 22 | chart: harbor 23 | version: "<26.0.0" 24 | sourceRef: 25 | kind: HelmRepository 26 | name: harbor-registry 27 | namespace: harbor-registry 28 | interval: 1m 29 | values: 30 | clusterDomain: local.kronform.pius.dev 31 | externalURL: https://registry.kronform.pius.dev 32 | existingEnvVarsSecret: "harbor-secrets" 33 | postgresql: 34 | enabled: false 35 | externalDatabase: 36 | host: harbor-postgresql-rw 37 | coreDatabase: registry 38 | existingSecret: harbor-secrets 39 | existingSecretPasswordKey: postgres-password 40 | persistence: 41 | persistentVolumeClaim: 42 | registry: 43 | size: 200Gi 44 | core: 45 | updateStrategy: 46 | type: Recreate 47 | jobservice: 48 | updateStrategy: 49 | type: Recreate 50 | registry: 51 | updateStrategy: 52 | type: Recreate 53 | exposureType: ingress 54 | ingress: 55 | core: 56 | annotations: 57 | cert-manager.io/cluster-issuer: letsencrypt-production 58 | hostname: registry.kronform.pius.dev 59 | tls: true 60 | -------------------------------------------------------------------------------- /manifests/infrastructure/harbor-registry/harbor-secrets.yaml: -------------------------------------------------------------------------------- 1 | # manifests/infrastructure/harbor-registry/harbor-secrets.yaml 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: harbor-secrets 6 | namespace: harbor-registry 7 | type: Opaque 8 | stringData: 9 | 
HARBOR_ADMIN_PASSWORD: ENC[AES256_GCM,data:UyrDuitdXdQtxFbC9SxPKorpZlotM0FOFQrnSCipeao=,iv:VDA0gjznwADoN3jaYrD7TsqKedH0eiUTxvkHlyFth+s=,tag:TM0Slgxw+jbvuch2XBt2Sg==,type:str] 10 | POSTGRESQL_PASSWORD: ENC[AES256_GCM,data:YPB/qwbjemG6Hsiro1gqBsIXoOAVhSIZ0147Ew==,iv:KAGd4ziT8sYgVTAC6+oTNue3auIr2rquyl+fnydaQCg=,tag:/OeuvSYj3Q795p+6xTCphA==,type:str] 11 | HARBOR_DATABASE_PASSWORD: ENC[AES256_GCM,data:1zeqKm+P2rXjuzZE791ysFJBjJmt1l1Jsm6/ew==,iv:gSsKt0RsdyguZkEsgud5gcFcBiU8Zk0C0pNIjUy012w=,tag:YtfqtVCpKTl74LayDTsXxw==,type:str] 12 | postgres-password: ENC[AES256_GCM,data:1VEGEzi9xU5RGbRyIuQwakUrjSk0D57qsS99ew==,iv:dbngT8k7DkrpOCpCA4sVzENdlcEhZUrQgXybjyow604=,tag:FVOCQqwSfLnQ37hDWVkr1g==,type:str] 13 | _REDIS_URL_CORE: ENC[AES256_GCM,data:m/B9Bh5R/3etXuSsqKV+maBdsLyW7Rnah2YhohLvQmVt8Q==,iv:6iXae7TNqzQ5pE2xATOL5FsP9auVuI6geGlFklFwyEI=,tag:NprXrfLKMtmfkx0acc1MwA==,type:str] 14 | _REDIS_URL_REG: ENC[AES256_GCM,data:V3GtdNHZLyCBaRbtSCA8V/wpteDL0m+bNAs2SYjmHkf7wA==,iv:f6CS31aJBH/OW5nWShpvKJUkTB+J+eNkH9movHBBwDQ=,tag:d/uxzhGY6HE1FuaagwARHw==,type:str] 15 | sops: 16 | age: 17 | - recipient: age10v5jyc5ylreyltm32kfj57fmqle0aumxqvg9lp67r50cl8ynlsmq9kx7ez 18 | enc: | 19 | -----BEGIN AGE ENCRYPTED FILE----- 20 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1STlOeUF4b1BtcWl0Nnlv 21 | WVAvNzRFdnVPc3k1aHJmdTg0NHJ3N2tSaXpvCit6azNuaU1qTWxhU3VTZTU5L0Ru 22 | bmYxSFdMNW9TSlh5Z2dseVdrcWJXMzAKLS0tIHpIdW5zVE91dVJUbWl0d0RXcW1u 23 | WGtsUm5ZYnJsckhCZkZwOUMwQmJNdGsK+7xMAcYTXTcMexIaU8viFE+QNLaITHOX 24 | V2Vg6lgnTeEquVelXkdhB1PwZMHXoANflk098OTTnHJrUAgSMblQCw== 25 | -----END AGE ENCRYPTED FILE----- 26 | - recipient: age1c8rjkuv9px2gfyrlqn75ajhv26l8fdmeugcdegt237c20l8uc4wq6y9h6d 27 | enc: | 28 | -----BEGIN AGE ENCRYPTED FILE----- 29 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6S1BPSDBNTmdrbXM1WGh4 30 | THYxaUJYU0dyMS94d3FhWldFVVNDZ04zclRjCnVmQmZrbUJmTGpQZUt5OW5KeXhl 31 | c0hxcmswa1p2eWRBM1Jkc29MOGY1Qm8KLS0tIE5nbUNRdnc2TEZQWSt6eGkxaVFS 32 | 
dG5BRzB3TFo3MlNCc25qVjZUTCswSDgKwA0GzQ4ZhVXrhQlZHtIoi/l+nX4Cl+NQ 33 | KWI90I8cJ97CkVUvjjn4T8NGL5fLwGMchOiawtUCT0cpevwca76Oyg== 34 | -----END AGE ENCRYPTED FILE----- 35 | lastmodified: "2025-05-24T21:54:00Z" 36 | mac: ENC[AES256_GCM,data:GG/BAJraZ8t8F1i2yiSft0rrfzi97kH2hbkXDQiaBN+m1ZPTuMqH675hnezXX0pSpxS0CNMvbYJ8Iz1dw9+iltLzwzFtzkU8m5t/9KB/ljEwvvc6Px8Jp4CAHeWgTR+iIolSHOxd716/a6MG2FtwyIqptxg1v1yKGr0Z17x6kj0=,iv:8UWHvUGTgAlCcyOuPdwoFCcVvjF4FctH2FYHWBvCKgA=,tag:QH9a33J1HW6Q7NSmcrQsKg==,type:str] 37 | encrypted_regex: ^(data|stringData|Authorization)$ 38 | version: 3.10.2 39 | --- 40 | apiVersion: v1 41 | kind: Secret 42 | metadata: 43 | name: harbor-secrets-postgres 44 | namespace: harbor-registry 45 | type: kubernetes.io/basic-auth 46 | stringData: 47 | username: ENC[AES256_GCM,data:PaJh1nxu72Pe,iv:5D152mIvgiMgphVEsa81u8bqj3Rw0RHXrHfWTK128BU=,tag:6WJHcYD0h7mNLAJTX2C4wA==,type:str] 48 | password: ENC[AES256_GCM,data:KEcy6htYMrjs4mV3Q0YNYQthZY/SCuakAB1mhQ==,iv:ok7QXVXSw7ktPkTnS4S3XbIKdyXDjDWG4/CJbOAf40w=,tag:NnMoNItNo7no9SuSGKNPYg==,type:str] 49 | sops: 50 | age: 51 | - recipient: age10v5jyc5ylreyltm32kfj57fmqle0aumxqvg9lp67r50cl8ynlsmq9kx7ez 52 | enc: | 53 | -----BEGIN AGE ENCRYPTED FILE----- 54 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1STlOeUF4b1BtcWl0Nnlv 55 | WVAvNzRFdnVPc3k1aHJmdTg0NHJ3N2tSaXpvCit6azNuaU1qTWxhU3VTZTU5L0Ru 56 | bmYxSFdMNW9TSlh5Z2dseVdrcWJXMzAKLS0tIHpIdW5zVE91dVJUbWl0d0RXcW1u 57 | WGtsUm5ZYnJsckhCZkZwOUMwQmJNdGsK+7xMAcYTXTcMexIaU8viFE+QNLaITHOX 58 | V2Vg6lgnTeEquVelXkdhB1PwZMHXoANflk098OTTnHJrUAgSMblQCw== 59 | -----END AGE ENCRYPTED FILE----- 60 | - recipient: age1c8rjkuv9px2gfyrlqn75ajhv26l8fdmeugcdegt237c20l8uc4wq6y9h6d 61 | enc: | 62 | -----BEGIN AGE ENCRYPTED FILE----- 63 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6S1BPSDBNTmdrbXM1WGh4 64 | THYxaUJYU0dyMS94d3FhWldFVVNDZ04zclRjCnVmQmZrbUJmTGpQZUt5OW5KeXhl 65 | c0hxcmswa1p2eWRBM1Jkc29MOGY1Qm8KLS0tIE5nbUNRdnc2TEZQWSt6eGkxaVFS 66 | 
dG5BRzB3TFo3MlNCc25qVjZUTCswSDgKwA0GzQ4ZhVXrhQlZHtIoi/l+nX4Cl+NQ 67 | KWI90I8cJ97CkVUvjjn4T8NGL5fLwGMchOiawtUCT0cpevwca76Oyg== 68 | -----END AGE ENCRYPTED FILE----- 69 | lastmodified: "2025-05-24T21:54:00Z" 70 | mac: ENC[AES256_GCM,data:GG/BAJraZ8t8F1i2yiSft0rrfzi97kH2hbkXDQiaBN+m1ZPTuMqH675hnezXX0pSpxS0CNMvbYJ8Iz1dw9+iltLzwzFtzkU8m5t/9KB/ljEwvvc6Px8Jp4CAHeWgTR+iIolSHOxd716/a6MG2FtwyIqptxg1v1yKGr0Z17x6kj0=,iv:8UWHvUGTgAlCcyOuPdwoFCcVvjF4FctH2FYHWBvCKgA=,tag:QH9a33J1HW6Q7NSmcrQsKg==,type:str] 71 | encrypted_regex: ^(data|stringData|Authorization)$ 72 | version: 3.10.2 73 | -------------------------------------------------------------------------------- /manifests/infrastructure/harbor-registry/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | - harbor-secrets.yaml 7 | - database.yaml 8 | - harbor-registry.yaml 9 | -------------------------------------------------------------------------------- /manifests/infrastructure/harbor-registry/namespace.yaml: -------------------------------------------------------------------------------- 1 | # manifests/infrastructure/harbor-registry/namespace.yaml 2 | --- 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: harbor-registry 7 | -------------------------------------------------------------------------------- /manifests/infrastructure/ingress-nginx/ingress-nginx.yaml: -------------------------------------------------------------------------------- 1 | # manifests/infrastructure/ingress-nginx/ingress-nginx.yaml 2 | --- 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: ingress-nginx 7 | namespace: ingress-nginx 8 | spec: 9 | interval: 5m0s 10 | url: https://kubernetes.github.io/ingress-nginx 11 | --- 12 | apiVersion: helm.toolkit.fluxcd.io/v2 13 | kind: HelmRelease 14 | metadata: 15 | name: ingress-nginx 16 
| namespace: ingress-nginx 17 | spec: 18 | interval: 5m 19 | chart: 20 | spec: 21 | chart: ingress-nginx 22 | version: "<4.12.3" 23 | sourceRef: 24 | kind: HelmRepository 25 | name: ingress-nginx 26 | namespace: ingress-nginx 27 | interval: 1m 28 | values: 29 | controller: 30 | hostNetwork: true 31 | hostPort: 32 | enabled: true 33 | kind: DaemonSet 34 | ingressClassResource: 35 | default: true 36 | service: 37 | enabled: false 38 | extraArgs: 39 | enable-ssl-passthrough: "" 40 | config: 41 | enable-real-ip: true 42 | forwarded-for-header: proxy_protocol 43 | -------------------------------------------------------------------------------- /manifests/infrastructure/ingress-nginx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | - ingress-nginx.yaml 7 | -------------------------------------------------------------------------------- /manifests/infrastructure/ingress-nginx/namespace.yaml: -------------------------------------------------------------------------------- 1 | # manifests/infrastructure/ingress-nginx/namespace.yaml 2 | --- 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: ingress-nginx 7 | labels: 8 | pod-security.kubernetes.io/enforce: privileged 9 | pod-security.kubernetes.io/enforce-version: latest 10 | -------------------------------------------------------------------------------- /manifests/infrastructure/kubizone/kronform.pius.dev.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kubi.zone/v1alpha1 2 | kind: Zone 3 | metadata: 4 | name: kronform-pius-dev 5 | namespace: kubizone 6 | spec: 7 | domainName: kronform.pius.dev. 
8 | delegations: 9 | - records: 10 | - pattern: "*" 11 | --- 12 | apiVersion: kubi.zone/v1alpha1 13 | kind: Record 14 | metadata: 15 | name: kube-apiserver-n1 16 | namespace: kube-system 17 | spec: 18 | class: IN 19 | domainName: api.kronform.pius.dev. 20 | rdata: 159.69.60.182 21 | type: A 22 | --- 23 | apiVersion: kubi.zone/v1alpha1 24 | kind: Record 25 | metadata: 26 | name: kube-apiserver-n2 27 | namespace: kube-system 28 | spec: 29 | class: IN 30 | domainName: api.kronform.pius.dev. 31 | rdata: 88.99.105.56 32 | type: A 33 | --- 34 | apiVersion: kubi.zone/v1alpha1 35 | kind: Record 36 | metadata: 37 | name: kube-apiserver-n3 38 | namespace: kube-system 39 | spec: 40 | class: IN 41 | domainName: api.kronform.pius.dev. 42 | rdata: 46.4.77.66 43 | type: A 44 | -------------------------------------------------------------------------------- /manifests/infrastructure/kubizone/kubizone.yaml: -------------------------------------------------------------------------------- 1 | # manifests/infrastructure/kubizone/kubizone.yaml 2 | --- 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: kubizone 7 | namespace: kubizone 8 | spec: 9 | interval: 5m0s 10 | url: https://charts.kubi.zone/ 11 | --- 12 | apiVersion: helm.toolkit.fluxcd.io/v2 13 | kind: HelmRelease 14 | metadata: 15 | name: kubizone 16 | namespace: kubizone 17 | spec: 18 | interval: 5m 19 | chart: 20 | spec: 21 | chart: kubizone 22 | version: "0.4.1" 23 | sourceRef: 24 | kind: HelmRepository 25 | name: kubizone 26 | namespace: kubizone 27 | interval: 1m 28 | values: 29 | externaldns: 30 | enabled: true 31 | webhookEndpoint: "http://localhost:8888" 32 | sidecars: 33 | - name: hetzner-webhook 34 | image: ghcr.io/mconfalonieri/external-dns-hetzner-webhook:v0.7.0 35 | ports: 36 | - containerPort: 8888 37 | name: webhook 38 | - containerPort: 8080 39 | name: http 40 | livenessProbe: 41 | httpGet: 42 | path: /health 43 | port: http 44 | initialDelaySeconds: 10 45 | 
timeoutSeconds: 5 46 | readinessProbe: 47 | httpGet: 48 | path: /ready 49 | port: http 50 | initialDelaySeconds: 10 51 | timeoutSeconds: 5 52 | env: 53 | - name: DOMAIN_FILTER 54 | value: "kubi.zone" 55 | - name: HETZNER_API_KEY 56 | valueFrom: 57 | secretKeyRef: 58 | name: hcloud-token 59 | key: HCLOUD_TOKEN 60 | -------------------------------------------------------------------------------- /manifests/infrastructure/kubizone/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - https://raw.githubusercontent.com/kubi-zone/kubizone-crds/v0.13.1/crds/kubi.zone/v1alpha1/Record.yaml 6 | - https://raw.githubusercontent.com/kubi-zone/kubizone-crds/v0.13.1/crds/kubi.zone/v1alpha1/Zone.yaml 7 | - namespace.yaml 8 | - secret.yaml 9 | - kubizone.yaml 10 | - kronform.pius.dev.yaml 11 | -------------------------------------------------------------------------------- /manifests/infrastructure/kubizone/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: kubizone 6 | -------------------------------------------------------------------------------- /manifests/infrastructure/kubizone/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | stringData: 3 | HCLOUD_TOKEN: ENC[AES256_GCM,data:2APOSS/fIhZMIDV4t5MNEzl07Zr8etXv/ALKhx7yFJA=,iv:nKT2oHvBU++2CiTQpvxJxqIXfkw451lGrgk+5fYKKdg=,tag:jPFG/t6oX2vbNYSz6FgRqQ==,type:str] 4 | kind: Secret 5 | metadata: 6 | name: hcloud-token 7 | namespace: kubizone 8 | type: Opaque 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: 15 | - recipient: age10v5jyc5ylreyltm32kfj57fmqle0aumxqvg9lp67r50cl8ynlsmq9kx7ez 16 | enc: | 17 | -----BEGIN AGE ENCRYPTED FILE----- 18 | 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmYTZDSllBc05NNU5USDZn 19 | R1Uxdk1IVEIvR2RTM2loSTBHVytDYWlrTGhRCk1PRkprRzJMYTlTRTNiSzJjaEw5 20 | T0g3cURMa2NVODJSMlRYU0NkR1VaZlEKLS0tIG53bE5JTWR6TjVnV21samgzUkdR 21 | bGs3Y3BScGpYL3RpL0RKN3l0R29BcW8KsV81N+du978A6RFEPGbR5GaVBMFz8BRu 22 | Ih/lCaoVIWfaDmbSQc2jC8YY05n+8nyp4mS9LmjhC8JbmVkBykdm9Q== 23 | -----END AGE ENCRYPTED FILE----- 24 | - recipient: age1c8rjkuv9px2gfyrlqn75ajhv26l8fdmeugcdegt237c20l8uc4wq6y9h6d 25 | enc: | 26 | -----BEGIN AGE ENCRYPTED FILE----- 27 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiR2laQ3RTY0JSMk9NZkdR 28 | RU80WnFSZVVvT2hBUkVjYlhibXZmSHB0SVdjCnloZm5sUmp0b0xza0NyQnBWdm44 29 | bUxUcmlWcU1SNnp6ZXBndUIwV3RWMVEKLS0tIEhiR1BRWFMzK0lsZlRLeUFmaG1h 30 | WVUxMlhZaVBwWE1GTUV5MEJvK25WVDQKu5jjU7ChfTblBvSRrgbFfsZr77PhNt/B 31 | iwK9CFIjyzy7yFa1x7jCJ35XFwaO3UBZW64Z669e2v8mTh+NHpHSFA== 32 | -----END AGE ENCRYPTED FILE----- 33 | lastmodified: "2024-07-05T12:40:41Z" 34 | mac: ENC[AES256_GCM,data:sWQaW2n8thiU4X9ilgVTLf8zz5eBxf6TJbVdkUvLLjs5hUi0ut30Efg8iTusp4yD5R+jWFYdTIqEW46tU9sM9ryvy+lsJF175Cv859rCUbvxgLs3E1mXxu/A78BBbejaXgI2Nqm3/BII/hL1dUDEAkOFbNfO6lE0kYZEBsKgV2c=,iv:szxvKAu4iETXeRWNy39jnKSXoifej2xmbcCxzZfIukM=,tag:xZ2sT26V5wLuy1P9m2YVZg==,type:str] 35 | pgp: [] 36 | encrypted_regex: ^(data|stringData|Authorization)$ 37 | version: 3.8.1 38 | -------------------------------------------------------------------------------- /manifests/infrastructure/metrics-server/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - metrics-server.yaml 6 | -------------------------------------------------------------------------------- /manifests/infrastructure/metrics-server/metrics-server.yaml: -------------------------------------------------------------------------------- 1 | # manifests/infrastructure/metrics-server/metrics-server.yaml 2 | --- 3 | apiVersion: source.toolkit.fluxcd.io/v1 
4 | kind: HelmRepository 5 | metadata: 6 | name: metrics-server 7 | namespace: kube-system 8 | spec: 9 | interval: 5m0s 10 | url: https://kubernetes-sigs.github.io/metrics-server/ 11 | --- 12 | apiVersion: helm.toolkit.fluxcd.io/v2 13 | kind: HelmRelease 14 | metadata: 15 | name: metrics-server 16 | namespace: kube-system 17 | spec: 18 | interval: 5m 19 | chart: 20 | spec: 21 | chart: metrics-server 22 | version: ">=v3.0.0 <4.0.0" 23 | sourceRef: 24 | kind: HelmRepository 25 | name: metrics-server 26 | namespace: kube-system 27 | interval: 1m 28 | values: 29 | args: 30 | - --kubelet-preferred-address-types=Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP 31 | -------------------------------------------------------------------------------- /manifests/infrastructure/openobserve/agent-collector.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: opentelemetry.io/v1beta1 2 | kind: OpenTelemetryCollector 3 | metadata: 4 | name: openobserve-collector-agent 5 | namespace: openobserve 6 | spec: 7 | config: 8 | exporters: 9 | otlphttp/openobserve: 10 | endpoint: http://openobserve-openobserve-standalone.openobserve.svc.local.kronform.pius.dev:5080/api/default/ 11 | headers: 12 | Authorization: ENC[AES256_GCM,data:ONypvFw8ENxJrCJ1zvGQrp14k1uInkll5DtyYeJjZMLVsvZggAy8GFG24+1tRttFkReB483oRPISpg==,iv:JE5TAdoYBd1MeNM5gzlgfMB/Am7RpATkkLo3D5A5ASA=,tag:jWC1DRrbque+SIqTYvOz3g==,type:str] 13 | otlphttp/openobserve_k8s_events: 14 | endpoint: http://openobserve-openobserve-standalone.openobserve.svc.local.kronform.pius.dev:5080/api/default/ 15 | headers: 16 | Authorization: ENC[AES256_GCM,data:vU5Q+Xj2mgQVe4vRz9fLCW2SE0D5FGUhUGdkHePv4H2ZRqtkfplozpKa8sdQjhrZZwVPrWscXOMKVg==,iv:sG4zM5TugXjNyMdt5pWx2MIVx5jWrHZkCsnbSZyCYgM=,tag:q+Tk+y1MiDNvTT+vhD5Dcw==,type:str] 17 | stream-name: k8s_events 18 | processors: 19 | batch: 20 | send_batch_size: 10000 21 | timeout: 10s 22 | k8sattributes: 23 | auth_type: serviceAccount 24 | extract: 25 | 
labels: 26 | - from: pod 27 | key: app.kubernetes.io/name 28 | tag_name: service.name 29 | - from: pod 30 | key: k8s-app 31 | tag_name: service.name 32 | - from: pod 33 | key: app.kubernetes.io/instance 34 | tag_name: k8s.app.instance 35 | - from: pod 36 | key: app.kubernetes.io/version 37 | tag_name: service.version 38 | - from: pod 39 | key: app.kubernetes.io/component 40 | tag_name: k8s.app.component 41 | metadata: 42 | - k8s.pod.name 43 | - k8s.pod.uid 44 | - k8s.deployment.name 45 | - k8s.namespace.name 46 | - k8s.node.name 47 | - k8s.pod.start_time 48 | filter: 49 | node_from_env_var: K8S_NODE_NAME 50 | passthrough: false 51 | pod_association: 52 | - sources: 53 | - from: resource_attribute 54 | name: k8s.pod.uid 55 | - sources: 56 | - from: resource_attribute 57 | name: k8s.pod.name 58 | - from: resource_attribute 59 | name: k8s.namespace.name 60 | - from: resource_attribute 61 | name: k8s.node.name 62 | - sources: 63 | - from: resource_attribute 64 | name: k8s.pod.ip 65 | - sources: 66 | - from: resource_attribute 67 | name: k8s.pod.name 68 | - from: resource_attribute 69 | name: k8s.namespace.name 70 | - sources: 71 | - from: connection 72 | resourcedetection: 73 | detectors: 74 | - system 75 | - env 76 | - k8snode 77 | override: true 78 | system: 79 | hostname_sources: 80 | - os 81 | - dns 82 | receivers: 83 | filelog/std: 84 | exclude: 85 | - /var/log/pods/default_daemonset-collector*_*/opentelemetry-collector/*.log 86 | include: 87 | - /var/log/pods/*/*/*.log 88 | include_file_name: false 89 | include_file_path: true 90 | operators: 91 | - id: get-format 92 | routes: 93 | - expr: body matches "^\\{" 94 | output: parser-docker 95 | - expr: body matches "^[^ Z]+ " 96 | output: parser-crio 97 | - expr: body matches "^[^ Z]+Z" 98 | output: parser-containerd 99 | type: router 100 | - id: parser-crio 101 | output: extract_metadata_from_filepath 102 | regex: ^(?P