├── .devcontainer ├── devcontainer.json └── postCreateCommand.sh ├── .github ├── labeler.yaml ├── labels.yaml ├── renovate.json5 ├── scripts │ └── kubeconform.sh └── workflows │ ├── automerge.yaml │ ├── label-sync.yaml │ ├── labeler.yaml │ ├── placeholder.yaml │ └── tests.yaml ├── .gitignore ├── .pre-commit-config.yaml ├── .sops.yaml ├── .vscode ├── extensions.json ├── settings.json └── tasks.json ├── README.md ├── cluster.code-workspace ├── clusters └── main │ ├── .gitignore │ ├── clusterenv.yaml │ ├── kubernetes │ ├── .DS_Store │ ├── apps │ │ ├── actions-runners │ │ │ ├── app │ │ │ │ ├── config.secret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ └── kustomization.yaml │ ├── core │ │ ├── actions-runner-controller │ │ │ ├── app │ │ │ │ ├── helm-release.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── ns.yaml │ │ │ │ └── rbac.yaml │ │ │ └── ks.yaml │ │ ├── clusterissuer │ │ │ ├── app │ │ │ │ ├── helm-release.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── namespace.yaml │ │ │ └── ks.yaml │ │ ├── crowdsec │ │ │ ├── app │ │ │ │ ├── helm-release.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── namespace.yaml │ │ │ └── ks.yaml │ │ ├── docker-registry │ │ │ ├── app │ │ │ │ ├── helm-release.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── namespace.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ ├── metallb-config │ │ │ ├── app │ │ │ │ ├── helm-release.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── namespace.yaml │ │ │ └── ks.yaml │ │ └── system-upgrade-controller-plans │ │ │ ├── app │ │ │ ├── kubernetes.yaml │ │ │ ├── kustomization.yaml │ │ │ └── talos.yaml │ │ │ └── ks.yaml │ ├── flux-entry.yaml │ ├── flux-system │ │ ├── flux │ │ │ ├── bootstrap.yaml.ct │ │ │ ├── clustersettings.secret.yaml │ │ │ ├── deploykey.secret.yaml │ │ │ ├── flux.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── namespace.yaml │ │ │ └── upgradesettings.yaml │ │ ├── ks.yaml │ │ ├── monitoring │ │ │ ├── kustomization.yaml │ │ │ ├── pod-monitor.yaml │ │ │ └── prometheus-rules.yaml │ │ └── weave-gitops │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ ├── kube-system │ │ ├── cilium │ │ │ ├── app │ │ │ │ ├── bootstrap-values.yaml.ct │ │ │ │ ├── helm-release.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── lb.yaml │ │ │ └── ks.yaml │ │ ├── descheduler │ │ │ ├── app │ │ │ │ ├── bootstrap-values.yaml.ct │ │ │ │ ├── helm-release.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── kubelet-csr-approver │ │ │ ├── app │ │ │ │ ├── bootstrap-values.yaml.ct │ │ │ │ ├── helm-release.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ ├── metrics-server │ │ │ ├── app │ │ │ │ ├── helm-release.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── namespace.yaml │ │ └── node-feature-discovery │ │ │ ├── app │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ │ ├── config │ │ │ ├── google-coral-device.yaml │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ ├── kustomization.yaml │ └── system │ │ ├── cert-manager │ │ ├── app │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ └── namespace.yaml │ │ └── ks.yaml │ │ ├── cloudnative-pg │ │ ├── app │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ └── namespace.yaml │ │ └── ks.yaml │ │ ├── intel-device-plugin │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ │ ├── kube-prometheus-stack │ │ ├── app │ │ │ ├── alertmanagerconfig.yaml │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ └── namespace.yaml │ │ └── ks.yaml │ │ ├── kubernetes-reflector │ │ ├── app │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ ├── kyverno │ │ ├── app │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ └── namespace.yaml │ │ └── ks.yaml │ │ ├── metallb │ │ ├── app │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ └── namespace.yaml │ │ └── ks.yaml │ │ ├── namespace.yaml │ │ ├── openebs │ │ ├── app │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ └── namespace.yaml │ │ └── ks.yaml │ │ ├── reloader │ │ ├── app │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ │ ├── rook-ceph │ │ ├── app │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ └── namespace.yaml │ │ └── ks.yaml │ │ ├── snapshot-controller │ │ ├── app │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ │ ├── spegel │ │ ├── app │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ └── namespace.yaml │ │ └── ks.yaml │ │ ├── system-upgrade-controller │ │ ├── app │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── namespace.yaml │ │ │ └── rbac.yaml │ │ └── ks.yaml │ │ └── volsync │ │ ├── app │ │ ├── helm-release.yaml │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ │ ├── install.yaml │ │ └── ks.yaml │ └── talos │ ├── generated │ ├── .gitignore │ └── talsecret.yaml │ ├── patches │ ├── controlplane.yaml │ ├── custom.yaml │ └── worker.yaml │ └── talconfig.yaml ├── repositories ├── entries │ └── kustomization.yaml ├── flux-entry.yaml ├── git │ ├── kustomization.yaml │ ├── this-repo.yaml │ └── truecharts.yaml ├── helm │ ├── actions-runner-controller.yaml │ ├── authentik.yaml │ ├── backube.yaml │ ├── bitnami.yaml │ ├── bjw-s.yaml │ ├── cilium.yaml │ ├── cloudnative-pg.yaml │ ├── coredns.yaml │ ├── crossplane.yaml │ ├── crowdsec.yaml │ ├── crunchydata.yaml │ ├── csi-driver-nfs.yaml │ ├── deliveryhero.yaml │ ├── democratic-csi.yaml │ ├── descheduler.yaml │ ├── dysnix.yaml │ ├── emqx.yaml │ ├── external-dns.yaml │ ├── external-secrets.yaml │ ├── fairwinds.yaml │ ├── fluent-bit.yaml │ ├── grafana.yaml │ ├── home-ops-mirror.yaml │ ├── infracloudio.yaml │ ├── ingress-nginx.yaml │ ├── intel.yaml │ ├── jaegertracing.yaml │ ├── jetstack.yaml │ ├── k8s-at-home.yaml │ ├── kubernetes-sigs-metrics-server.yaml │ ├── kustomization.yaml │ ├── kyverno.yaml │ ├── longhorn.yaml │ ├── lwolf.yaml │ ├── metallb.yaml │ ├── metrics-server.yaml │ ├── node-feature-discovery.yaml │ ├── nvidia.yaml │ ├── openebs.yaml │ ├── piraeus.yaml │ ├── postfinance.yaml │ ├── prometheus-community.yaml │ ├── rook-ceph.yaml │ ├── runix.yaml │ ├── spegel.yaml │ ├── stakater.yaml │ ├── stevehipwell.yaml │ ├── tf-controller.yaml │ ├── topolvm.yaml │ ├── traefik.yaml │ ├── truecharts.yaml │ ├── truechartsoci.yaml │ ├── twuni.yaml │ └── weave-gitops.yaml ├── kustomization.yaml └── oci │ ├── flux-manifests.yaml │ └── kustomization.yaml ├── ssh-public-key.txt ├── talosconfig └── whitelist.txt /.devcontainer/devcontainer.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://raw.githubusercontent.com/devcontainers/spec/main/schemas/devContainer.schema.json", 3 | "name": "ClusterTool Cluster", 4 | "image": "tccr.io/tccr/devcontainer:v1.0.0-RC28@sha256:4d155ce53c5e3fdd3560e008e3c0552e2e26c5688d787f1db21c068e8af46cdc", 5 | "initializeCommand": "docker pull tccr.io/tccr/devcontainer:v1.0.0-RC28", 6 | "postCreateCommand": { 7 | "setup": "bash ${containerWorkspaceFolder}/.devcontainer/postCreateCommand.sh" 8 | }, 9 | "postStartCommand": { 10 | "git": "git config --global --add safe.directory ${containerWorkspaceFolder}" 11 | }, 12 | "postAttachCommand": "fish", 13 | "updateRemoteUserUID": false, 14 | "runArgs": ["--privileged"] 15 | } 16 | -------------------------------------------------------------------------------- /.devcontainer/postCreateCommand.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e 3 | set -o noglob 4 | 5 | # Setup fisher plugin manager for fish and install plugins 6 | /usr/bin/fish -c " 7 | curl -sL https://git.io/fisher | source && fisher install jorgebucaran/fisher 8 | fisher install decors/fish-colored-man 9 | fisher install edc/bass 10 | fisher install jorgebucaran/autopair.fish 11 | fisher install nickeb96/puffer-fish 12 | fisher install PatrickF1/fzf.fish 13 | " 14 | 15 | # Create/update virtual environment 16 | if ! grep -q "venv /workspaces/" .venv/pyvenv.cfg; then 17 | rm -rf .venv 18 | fi 19 | -------------------------------------------------------------------------------- /.github/labeler.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | area/github: 3 | - changed-files: 4 | - any-glob-to-any-file: .github/**/* 5 | area/cluster: 6 | - changed-files: 7 | - any-glob-to-any-file: cluster/**/* 8 | -------------------------------------------------------------------------------- /.github/labels.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Area 3 | - { name: "area/github", color: "0e8a16" } 4 | - { name: "area/cluster", color: "0e8a16" } 5 | - { name: "area/taskfile", color: "0e8a16" } 6 | # Renovate 7 | - { name: "renovate/container", color: "027fa0" } 8 | - { name: "renovate/github-action", color: "027fa0" } 9 | - { name: "renovate/github-release", color: "027fa0" } 10 | - { name: "renovate/helm", color: "027fa0" } 11 | # Semantic Type 12 | - { name: "type/digest", color: "ffec19" } 13 | - { name: "type/patch", color: "ffec19" } 14 | - { name: "type/minor", color: "ff9800" } 15 | - { name: "type/major", color: "f6412d" } 16 | - { name: "type/break", color: "f6412d" } 17 | # Uncategorized 18 | - { name: "hold/upstream", color: "ee0701" } 19 | - { name: "automerge", color: "ee0701" } 20 | -------------------------------------------------------------------------------- /.github/renovate.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "config:recommended", 5 | "github>truecharts/public//.github/renovate/main.json5" 6 | ], 7 | } 8 | -------------------------------------------------------------------------------- /.github/scripts/kubeconform.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -o errexit 3 | set -o pipefail 4 | 5 | KUBERNETES_DIR=$1 6 | 7 | [[ -z "${KUBERNETES_DIR}" ]] && echo "Kubernetes location not specified" && exit 1 8 | 9 | kustomize_args=("--load-restrictor=LoadRestrictionsNone") 10 | kustomize_config="kustomization.yaml" 11 | kubeconform_args=( 12 | "-strict" 13 | "-ignore-missing-schemas" 14 | "-skip" 15 | "Secret" 16 | "-schema-location" 17 | "default" 18 | "-schema-location" 19 | "https://kubernetes-schemas.pages.dev/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json" 20 | "-verbose" 21 | ) 22 | 23 | # echo "=== Validating standalone manifests in ${KUBERNETES_DIR}/main ===" 24 | # find "${KUBERNETES_DIR}/main" -maxdepth 1 -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file; 25 | # do 26 | # kubeconform "${kubeconform_args[@]}" "${file}" 27 | # if [[ ${PIPESTATUS[0]} != 0 ]]; then 28 | # exit 1 29 | # fi 30 | # done 31 | # 32 | # echo "=== Validating kustomizations in ${KUBERNETES_DIR}/main ===" 33 | # find "${KUBERNETES_DIR}/main" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file; 34 | # do 35 | # echo "=== Validating kustomizations in ${file/%$kustomize_config} ===" 36 | # kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | \ 37 | # kubeconform "${kubeconform_args[@]}" 38 | # if [[ ${PIPESTATUS[0]} != 0 ]]; then 39 | # exit 1 40 | # fi 41 | # done 42 | 43 | echo "=== Validating kustomizations in ${KUBERNETES_DIR}/apps ===" 44 | find "${KUBERNETES_DIR}/apps" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file; 45 | do 46 | echo "=== Validating kustomizations in ${file/%$kustomize_config} ===" 47 | kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | \ 48 | kubeconform "${kubeconform_args[@]}" 49 | if [[ ${PIPESTATUS[0]} != 0 ]]; then 50 | exit 1 51 | fi 52 | done 53 | 54 | echo "=== Validating kustomizations in ${KUBERNETES_DIR}/core ===" 55 | find "${KUBERNETES_DIR}/core" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file; 56 | do 57 | echo "=== Validating kustomizations in ${file/%$kustomize_config} ===" 58 | kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | \ 59 | kubeconform "${kubeconform_args[@]}" 60 | if [[ ${PIPESTATUS[0]} != 0 ]]; then 61 | exit 1 62 | fi 63 | done 64 | -------------------------------------------------------------------------------- /.github/workflows/automerge.yaml: -------------------------------------------------------------------------------- 1 | name: Automerge and Approve 2 | 3 | on: 4 | workflow_run: 5 | workflows: ["Placeholder"] # Name of the main CI workflow 6 | types: 7 | - completed 8 | 9 | jobs: 10 | automerge: 11 | runs-on: ubuntu-latest 12 | permissions: 13 | contents: write 14 | pull-requests: write 15 | steps: 16 | - id: automerge 17 | name: automerge 18 | uses: "pascalgn/automerge-action@7961b8b5eec56cc088c140b56d864285eabd3f67" # v0.16.4 19 | env: 20 | GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 21 | UPDATE_RETRIES: 24 22 | UPDATE_RETRY_SLEEP: 60000 23 | MERGE_METHOD: "squash" 24 | -------------------------------------------------------------------------------- /.github/workflows/label-sync.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 3 | name: "Label Sync" 4 | 5 | on: 6 | workflow_dispatch: 7 | push: 8 | branches: ["main"] 9 | paths: [".github/labels.yaml"] 10 | 11 | jobs: 12 | label-sync: 13 | name: Label Sync 14 | runs-on: ubuntu-latest 15 | steps: 16 | - name: Checkout 17 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 18 | 19 | - name: Sync Labels 20 | uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2 21 | with: 22 | config-file: .github/labels.yaml 23 | delete-other-labels: true 24 | -------------------------------------------------------------------------------- /.github/workflows/labeler.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 3 | name: "Labeler" 4 | 5 | on: 6 | workflow_dispatch: 7 | pull_request_target: 8 | branches: ["main"] 9 | 10 | jobs: 11 | labeler: 12 | name: Labeler 13 | runs-on: ubuntu-latest 14 | permissions: 15 | contents: read 16 | pull-requests: write 17 | steps: 18 | - name: Labeler 19 | uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5 20 | with: 21 | configuration-path: .github/labeler.yaml 22 | -------------------------------------------------------------------------------- /.github/workflows/placeholder.yaml: -------------------------------------------------------------------------------- 1 | name: "Placeholder" 2 | 3 | on: 4 | pull_request: 5 | 6 | concurrency: 7 | group: ${{ github.head_ref }}-placeholder 8 | # cancel-in-progress: true 9 | 10 | jobs: 11 | 12 | placeholder: 13 | name: Placeholder PR Tests 14 | runs-on: ubuntu-latest 15 | if: always() 16 | steps: 17 | - name: Check Results 18 | run: | 19 | echo "Placeholder Finished" 20 | -------------------------------------------------------------------------------- /.github/workflows/tests.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 3 | name: "Tests" 4 | 5 | on: 6 | pull_request: 7 | branches: ["main"] 8 | paths: ["cluster/**"] 9 | 10 | concurrency: 11 | group: ${{ github.workflow }}-${{ github.event.number || github.ref }} 12 | cancel-in-progress: true 13 | 14 | env: 15 | KUBERNETES_DIR: ./cluster 16 | 17 | jobs: 18 | kubeconform: 19 | name: Kubeconform 20 | runs-on: ubuntu-latest 21 | steps: 22 | - name: Checkout 23 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 24 | 25 | - name: Setup Homebrew 26 | uses: Homebrew/actions/setup-homebrew@master 27 | 28 | - name: Setup Workflow Tools 29 | run: brew install fluxcd/tap/flux kubeconform kustomize 30 | 31 | - name: Run kubeconform 32 | shell: bash 33 | run: bash ./.github/scripts/kubeconform.sh ${{ env.KUBERNETES_DIR }} 34 | 35 | 36 | flux-diff: 37 | name: Flux Diff 38 | runs-on: ubuntu-latest 39 | permissions: 40 | contents: read 41 | pull-requests: write 42 | strategy: 43 | matrix: 44 | paths: ["cluster"] 45 | resources: ["kustomization"] 46 | steps: 47 | - name: Checkout 48 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 49 | with: 50 | path: pull 51 | 52 | - name: Checkout Default Branch 53 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 54 | with: 55 | ref: "${{ github.event.repository.default_branch }}" 56 | path: default 57 | 58 | - name: Diff Resources 59 | uses: docker://ghcr.io/allenporter/flux-local:main@sha256:acb664eb158f54c5cf1b11b6ff393505f62b4085fb6047583a9f84eed2689fa7 60 | with: 61 | args: >- 62 | diff ${{ matrix.resources }} 63 | --unified 6 64 | --path /github/workspace/pull/${{ matrix.paths }}/main 65 | --path-orig /github/workspace/default/${{ matrix.paths }}/main 66 | --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" 67 | --limit-bytes 10000 68 | --all-namespaces 69 | --sources "flux-system" 70 | --output-file diff.patch 71 | 72 | - name: Generate Diff 73 | id: diff 74 | run: | 75 | cat diff.patch 76 | echo "diff<> $GITHUB_OUTPUT 77 | cat diff.patch >> $GITHUB_OUTPUT 78 | echo "EOF" >> $GITHUB_OUTPUT 79 | 80 | - if: ${{ steps.diff.outputs.diff != '' }} 81 | name: Add comment 82 | uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2 83 | with: 84 | message-id: "${{ github.event.pull_request.number }}/${{ matrix.paths }}/${{ matrix.resources }}" 85 | message-failure: Diff was not successful 86 | message: | 87 | ```diff 88 | ${{ steps.diff.outputs.diff }} 89 | 90 | automerge-and-approve: 91 | needs: 92 | - kubeconform 93 | - flux-diff 94 | name: Automerge and Approve build 95 | runs-on: ubuntu-latest 96 | steps: 97 | - name: automerge 98 | uses: pascalgn/automerge-action@7961b8b5eec56cc088c140b56d864285eabd3f67 # v0.16.4 99 | env: 100 | GITHUB_TOKEN: "${{ secrets.DEV_PAT }}" 101 | UPDATE_RETRIES: 12 102 | UPDATE_RETRY_SLEEP: 60000 103 | MERGE_METHOD: squash 104 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | age.agekey 2 | *talconfig.json 3 | talconfig.json 4 | patches/sopssecret.yaml 5 | *patches/sopssecret.yaml 6 | *patches/all.yaml 7 | patches/all.yaml 8 | clustertool.exe 9 | kubeconfig 10 | *kubeconfig 11 | clustertool 12 | sopssecret.yaml 13 | .DS_Store 14 | sopsscret.secret.yaml 15 | sopssecret.secret.yaml 16 | .decrypted* 17 | .qodo 18 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | # See https://pre-commit.com for more information 2 | # See https://pre-commit.com/hooks.html for more hooks 3 | fail_fast: false 4 | repos: 5 | # - repo: https://github.com/adrienverge/yamllint.git 6 | # rev: v1.26.3 7 | # hooks: 8 | # - id: yamllint 9 | # args: 10 | # - --config-file 11 | # - .github/linters/.yamllint.yaml 12 | # - repo: https://github.com/igorshubovych/markdownlint-cli 13 | # rev: v0.31.1 14 | # hooks: 15 | # - id: markdownlint 16 | # args: 17 | # - --config 18 | # - ".github/linters/.markdownlint.yaml" 19 | # - repo: https://github.com/jumanjihouse/pre-commit-hooks 20 | # rev: 2.1.6 21 | # hooks: 22 | # - id: shellcheck 23 | # language: script 24 | # args: [--severity=error] 25 | # additional_dependencies: [] 26 | - repo: https://github.com/pre-commit/pre-commit-hooks 27 | rev: v4.2.0 28 | hooks: 29 | - id: trailing-whitespace 30 | - id: end-of-file-fixer 31 | - id: fix-byte-order-marker 32 | - id: mixed-line-ending 33 | # - id: check-added-large-files 34 | # args: 35 | # - --maxkb=2048 36 | - id: check-merge-conflict 37 | - id: check-executables-have-shebangs 38 | - id: mixed-line-ending 39 | - repo: https://github.com/sirosen/fix-smartquotes 40 | rev: 0.2.0 41 | hooks: 42 | - id: fix-smartquotes 43 | - repo: https://github.com/Lucas-C/pre-commit-hooks 44 | rev: v1.1.13 45 | hooks: 46 | - id: remove-crlf 47 | - id: remove-tabs 48 | - id: forbid-crlf 49 | - id: forbid-tabs 50 | - repo: https://github.com/k8s-at-home/sops-pre-commit 51 | rev: v2.1.0 52 | hooks: 53 | - id: forbid-secrets 54 | -------------------------------------------------------------------------------- /.sops.yaml: -------------------------------------------------------------------------------- 1 | ## Do not edit between this and DO NOT REMOVE 2 | 3 | creation_rules: 4 | - path_regex: ^kubernetes.*values.ya?ml$ 5 | age: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 6 | encrypted_regex: "((?i)(displayname|email|pass|ca|id|bootstraptoken|secretboxencryptionsecret|secrets|secrets|password|cert|secret($|[^N])|key|token|^data$|^stringData))" 7 | - path_regex: ^kubernetes.*\.secret.ya?ml 8 | age: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 9 | encrypted_regex: "((?i)(displayname|email|pass|ca|id|bootstraptoken|secretboxencryptionsecret|secrets|secrets|password|cert|secret($|[^N])|key|token|^data$|^stringData))" 10 | - path_regex: talenv.yaml 11 | age: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 12 | - path_regex: talsecret.yaml 13 | age: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 14 | 15 | 16 | ## DO NOT REMOVE: Personal setting go under this line 17 | - path_regex: ^clusters.*kubernetes.*values.ya?ml$ 18 | age: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 19 | encrypted_regex: "((?i)(displayname|email|pass|ca|id|bootstraptoken|secretboxencryptionsecret|secrets|secrets|password|cert|secret($|[^N])|key|token|^data$|^stringData))" 20 | - path_regex: ^clusters.*kubernetes.*\.secret.ya?ml 21 | age: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 22 | encrypted_regex: "((?i)(displayname|email|pass|ca|id|bootstraptoken|secretboxencryptionsecret|secrets|secrets|password|cert|secret($|[^N])|key|token|^data$|^stringData))" 23 | - path_regex: clusterenv.yaml 24 | age: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 25 | -------------------------------------------------------------------------------- /.vscode/extensions.json: -------------------------------------------------------------------------------- 1 | { 2 | "recommendations": [ 3 | "redhat.vscode-yaml", 4 | "mrmlnc.vscode-duplicate", 5 | "mhutchie.git-graph", 6 | "eamodio.gitlens", 7 | "yzhang.markdown-all-in-one", 8 | "searKing.preview-vscode", 9 | "DavidAnson.vscode-markdownlint", 10 | "IgorSbitnev.error-gutters", 11 | "usernamehw.errorlens", 12 | "Tim-Koehler.helm-intellisense", 13 | "ms-kubernetes-tools.vscode-kubernetes-tools", 14 | "sandipchitale.vscode-kubernetes-helm-extras", 15 | "VadzimNestsiarenka.helm-template-preview-and-more", 16 | "karyan40024.helmix" 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | 3 | } 4 | -------------------------------------------------------------------------------- /.vscode/tasks.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "2.0.0", 3 | "tasks": [ 4 | { 5 | "label": "Install All Recommended Extensions", 6 | "type": "shell", 7 | "windows": { 8 | "command": "foreach ($ext in (Get-Content -Raw .vscode/extensions.json | ConvertFrom-Json).recommendations) { Write-Host Installing $ext; code --install-extension $ext; }" 9 | }, 10 | "linux": { 11 | "command": "cat .vscode/extensions.json | jq .recommendations[] | xargs -n 1 code . --install-extension" 12 | }, 13 | "runOptions": { 14 | "runOn": "folderOpen" 15 | }, 16 | "presentation": { 17 | "reveal": "silent" 18 | }, 19 | "problemMatcher": [] 20 | } 21 | ] 22 | } 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | This is a kubernetes cluster Powered by TrueCharts ClusterTool -------------------------------------------------------------------------------- /cluster.code-workspace: -------------------------------------------------------------------------------- 1 | { 2 | "folders": [ 3 | { 4 | "path": "." 5 | } 6 | ] 7 | } 8 | -------------------------------------------------------------------------------- /clusters/main/.gitignore: -------------------------------------------------------------------------------- 1 | age.agekey 2 | talconfig.json 3 | clusterconfig 4 | patches/sopssecret.yaml 5 | patches/all.yaml 6 | all.yaml 7 | patches/manifests.yaml 8 | cluster/main/kubernetes/**/bootstrap-values.yaml.ct 9 | ^clustertool.exe 10 | ^clustertool* 11 | ^clustertool 12 | *kubeconfig 13 | *clustertool.exe 14 | clustertool.exe 15 | clustertool -------------------------------------------------------------------------------- /clusters/main/clusterenv.yaml: -------------------------------------------------------------------------------- 1 | #ENC[AES256_GCM,data:QzvhuG+93Fa92Hda0JRa4912uW2rd7ayLeaEOkkRhBJb3QTMZv41fjVYIFU=,iv:VUjXPCWPPzzQd3rQm6q+km1qwAxmrEemUzdp+ese09g=,tag:p+ENbZtD5Tal+7UbHZnzzA==,type:comment] 2 | VIP: ENC[AES256_GCM,data:fmjXbJ3EQMBWYLC/R/M=,iv:8yKGnS+TKhczETcf3Iw+jgILTfOSk0UkVHkTxzAMjlU=,tag:SBtJzDYCJAWb38nUNSx98g==,type:str] 3 | #ENC[AES256_GCM,data:rBeAP2sFn/TeEPe6J+Esf8z6+WQa8HctM4E=,iv:xx/y6L8vh7JuyO/DJPgNnjsZLrJlJn9l8SX0Qk4cGjQ=,tag:oWg/RnwdNlHGpMp07eOtWA==,type:comment] 4 | MASTER1IP: ENC[AES256_GCM,data:7nhX/PuAuHLKaLnxTgg=,iv:iyhfj4cNamFzzzqdnec8UthRq9lcdlxIHVI6/laM9sQ=,tag:iRojbCe6MYnmuowapNvvdg==,type:str] 5 | #ENC[AES256_GCM,data:E+x7EbwqITBtXC5UGOGUsAeSRuX1fG+NgsWQHergAXxNiQ==,iv:K42cyytXEEuLlo8wlSsOyO7XXCHmDGeI6GxWmm6+Fqo=,tag:IMLfhRx9W5aZBLUKDe7/Ng==,type:comment] 6 | GATEWAY: ENC[AES256_GCM,data:TWNz3JrqaJ5aj3pe,iv:m88AWwC+m/923BKuzez/OfQMExRfyOWae8WyxfxPWSE=,tag:9jtax06igZpGhSLQZ3ZftA==,type:str] 7 | METALLB_RANGE: ENC[AES256_GCM,data:m+k6hbYrIlM9Bd7HcVJ/LFPzdYLsmRd7Q17x8Zo=,iv:+WEsyFCoGOp4lqM/h1cudv8gCY+p92qW79XGdYBHCe8=,tag:MrSQfYGBCFW1bst/WnorIQ==,type:str] 8 | LB_RANGE_LOWER: ENC[AES256_GCM,data:DepAMsh5738O788MJpY=,iv:BVvRMUuQr7SeLTQ7ztsY6NeYZ0mCqWmbpuIWxUoS1SY=,tag:P7otPVsXHJU+h6e0TwUcPA==,type:str] 9 | LB_RANGE_UPPER: ENC[AES256_GCM,data:1IofEKMB85pRMES5Syo=,iv:JHCjj0DFSSEBMFBuJyOws3K8TT0QvQR48q6U5Q1ey2w=,tag:Ew1X0zEUrCxOIcfhPqnQhw==,type:str] 10 | #ENC[AES256_GCM,data:E46/qlsUyPNjZlQH6j7c+Sg9/wuDEQn/LEBOXERjnLZoXQDvrC5Ez2aY/7UDBkdQ29xZ1Q2+KeToLFyS1c7+DEkWvstX4DdO8UnD8DBKlfo=,iv:jM4QF/lIGzagrcS05UymVvutFkQNnrkrYYdddZWRRPE=,tag:DJUb7Koj7a/aqrCnHQr5UA==,type:comment] 11 | DASHBOARD_IP: ENC[AES256_GCM,data:BxSRcw/BYOMlJ4vqPHo=,iv:T8hr2+maUj+n193/qRLIGcyBkcPb0W3JJK6LA4vk+r8=,tag:f4hBWCaqSgbuR3VWD1xLfA==,type:str] 12 | DOCKERHUB_USER: ENC[AES256_GCM,data:fWAq38wbCtGw3w==,iv:0JuHh5opoYcTj+e+1uFYNhNOnnF9CuiWtyktk2CQmXg=,tag:9kjs38f8k4YwJLfS19AdRA==,type:str] 13 | DOCKERHUB_PASSWORD: ENC[AES256_GCM,data:nYg6E/GYSHckcGiErsli,iv:JTH2lVOZlhBwB7n+23GkYab9y74jq1pgvjEnLCHMQtI=,tag:s+ArfMwfcF7ei8cNXgUIXw==,type:str] 14 | #ENC[AES256_GCM,data:u/ZAs1NmWoTF8QMOYY5qw8I4dEKFX72ytgyLbhKPd+DdNfcZ5RXBPunKQVs5AAyjCTg13eDLMD3p/CItVGo1ozdIEJ4=,iv:ldl/9/smE2jQ8jL8OJjHtah/L8zgPSf+p1oMu6Ean3U=,tag:1p5AKZQcEoLNbkF4Uu6Kmg==,type:comment] 15 | KUBEAPPS_IP: ENC[AES256_GCM,data:l1kPRDBlmzThMEELDMw=,iv:3tsdWYAf3FcN9e8tZRbyO1PsrJwVERVCLgL/AKGOr9o=,tag:ZfOVL0Rhsc0HEfb/Yp652g==,type:str] 16 | #ENC[AES256_GCM,data:w2xLbYKxcHkgtopub7km6Uw8KHjkRnY5HWwYO7w=,iv:1sHmYoXWTFNS1RppmPoGZ/R0ARlXtMfGiYDX7z4gOog=,tag:YfGyFPrj9yu6jkq6zHpF0g==,type:comment] 17 | GITHUB_REPOSITORY: ENC[AES256_GCM,data:uIQjyAMbND14VLrOqhzeCD85jBUPt4TT+4lPWVltH9pSPA/JPAd1F+TZJQ==,iv:2/OqQ4f5CI3umhcTx1A4sGPD1tQxyb8NPoIASpFTVvw=,tag:N+6PHAY2alt0qQFstzOVwg==,type:str] 18 | #ENC[AES256_GCM,data:jxlPBORZynBqfMi3rA==,iv:gq++3psMqwBRbdWgo09MyPOB1zoIG57DUdtUvHfv3N0=,tag:oSjBJQKizG1ZyxPWYaGsxg==,type:comment] 19 | PODNET: ENC[AES256_GCM,data:78hPE4a4xymdLRzZSw==,iv:IO4+Sm7OfVUNAi2pzPfOiwCaKpKOddxkr8F9sf1s3CI=,tag:lsOOJBqQsfKFefh/62LCqw==,type:str] 20 | SVCNET: ENC[AES256_GCM,data:yAJthb1SrktuwAAOFQ==,iv:p+1dAwPs7mNIBlBOmeJR4c8fRkT/KL7NwEbvUstdhE4=,tag:okN4ufrZq7bd9JeWCqyHfA==,type:str] 21 | #ENC[AES256_GCM,data:4YoCqWWP9ROgBW/+RvLeTlhx,iv:CmTHBJmPfvGEpNQDTVpyKSzaBmbuH6wPv/j24HYSXIE=,tag:EEGKPZnmY/Kcuz9KU7AyVQ==,type:comment] 22 | MASTER2IP: ENC[AES256_GCM,data:HZElf4FkCs/ZXpf0Ig==,iv:dwbn5NzaSdlnBtWiCTmTPJYHlBfDfEWgKamwXg1+Z7s=,tag:r7RTb7y+GbIdV+eL3rAhlw==,type:str] 23 | MASTER3IP: ENC[AES256_GCM,data:ox8n5WQf6uqJOyYhtLU=,iv:JZNrZWApNOdEF2YCdVIHS7kTr3HOHzUGBqhlBcUfKIg=,tag:E9FyUh1IwdPRheyVo5r0eA==,type:str] 24 | BASE_DOMAIN: ENC[AES256_GCM,data:B7fAGqGxqB0IbpOF5a9aew==,iv:ICUAkZGZ01GQPfwnp2TPNOqAP1gcYjGiTj5osp/aYEw=,tag:7Oox+ki/0/KK+50LkigD9w==,type:str] 25 | BASE_DOMAIN2: ENC[AES256_GCM,data:CbMy0vkj7+1mw2ezjHs=,iv:ZB7loB0V2uTa65b2xy/NVCdITbf8QYU3YEfb3EuiKmU=,tag:zo0azXRlcJeIlSkNaMqrNw==,type:str] 26 | BLOCKY_IP: ENC[AES256_GCM,data:n4npaQq71ncNEvcn28M=,iv:16yn3SO9J0O97IfIdUtHvF1ejVah+urCYmGVAcwCS+M=,tag:Y9xAI3lqFy0RQwN63QUpdQ==,type:str] 27 | TRAEFIK_IP: ENC[AES256_GCM,data:14LZa1RGYJGWFqJcERA=,iv:lyliYPIdQ49LZz7zYr3QjaLufw9lof0MAuqFx3T4MZw=,tag:Eg9rCNqeSoiK/klnCH06DQ==,type:str] 28 | HASS_IP: ENC[AES256_GCM,data:CZiyIggzhE+Ieeq+tO4=,iv:Ixg2lKh8RKs6lg+2kyrdWd9EpVQ7a/PhBZeGCjDP5VU=,tag:tswO/yKan7EMhDj4FyqBWw==,type:str] 29 | TORRENT_IP: ENC[AES256_GCM,data:aW+Ij2FK+6WmohJd/RA=,iv:4YaXZuTuPPALEpD/NIaWSDQ+916XH9PqwUGP4klAgGU=,tag:TNXYMIrxJy6M8dZEvPIETg==,type:str] 30 | KMS_IP: ENC[AES256_GCM,data:or/oc7sbBs9s6tlSMaA=,iv:0hJVAqc3QDJ3v2iHsUVsKQrSHhGUe000Zv9fEugTGQM=,tag:T/kKkrmkIydSbyRM/PaxDg==,type:str] 31 | MQTT_IP: ENC[AES256_GCM,data:HZ9ExjTwKawE68+HJIQ=,iv:j26/80KZrIm3LjEhGJEcG4nuGUf+LoAjTcC6Kb/b9uc=,tag:Dkd3nE+6fGbEfqkkzEB7Mg==,type:str] 32 | PLEX_IP: ENC[AES256_GCM,data:uudChFpiIvIRuQUYuGA=,iv:kZtMlNIscHZrI9VOPGKGnl/4YmtoSIIq0Rz1JY+KEDw=,tag:Da9AlTi49pOSp1qMF63KhA==,type:str] 33 | DOCKERMIRROR_IP: ENC[AES256_GCM,data:/MpuAqXnIyu6vUnYy8Q=,iv:XrgJXELiByNvEHOkzOfxvFMvoXSbN6bZVVeRSZD4hlg=,tag:LprC20/rsH781SZAb31mWw==,type:str] 34 | SPEGEL_IP: ENC[AES256_GCM,data:1oQX++0NxGxdlp/s25w=,iv:G8sxHAbSwuTHblVcSrXPz1Hxg0C99UqJVCLbO85PZLs=,tag:RVlomWNNjSIhHz7DqmYXlQ==,type:str] 35 | MINECRAFT_IP: ENC[AES256_GCM,data:ILMBqkx0fWAyczSq3sA=,iv:HD1E34x+mjiwEkA4kfcKi7s8sfCKuJpmNvrXm21gRmo=,tag:LhD3XWwi3VN5cNi7z8CrNw==,type:str] 36 | ARK_IP: ENC[AES256_GCM,data:TnME257BSWf0oeiG6X4=,iv:6ZbAhDxvSpMamSLOWuWaT4NChAhrZXQyL2ovzVYUva4=,tag:4r33XEnlPvaqiX6vGSZWlQ==,type:str] 37 | PROM_THANOS_IP: ENC[AES256_GCM,data:RKjMaTmGx3ZaK+JI7pA=,iv:w9x5vDliGyvOoG1htVqNd780JlNeTm3lR5q85o5nN1w=,tag:EzpR5ZgRHnzGC1zvBVExQw==,type:str] 38 | NGINX_INTERNAL_IP: ENC[AES256_GCM,data:7fjK88G9BKsVapeprEs=,iv:ZthbrHXQ95y6vd53bPYr77nw6K8j2t/ZtTAFcQjcxeE=,tag:t5Zr/4Th5UIr0tp6KRKnSg==,type:str] 39 | NGINX_EXTERNAL_IP: ENC[AES256_GCM,data:XZ7LBvlRl+HnjFQqlnk=,iv:J1MglVPn7Wj2bCOKirpdV8RjIxjs9GwuTefFy5xIgdQ=,tag:zkE66DF6RsZ2CZ52SGYUjQ==,type:str] 40 | TMDB_API_KEY: ENC[AES256_GCM,data:BaVhCUcjcudA+pYee2ysBmX4DH9wMZRu7e4hxnLgEGI=,iv:E1iSI4u/DyJVJSzhAjz4M+Iy1OEc5YCfEhwhlwrBCDI=,tag:lCo9Ui291L3JKo3Vb972aA==,type:str] 41 | S3KEY: ENC[AES256_GCM,data:/tQzEPTrqOSCZ9Bm6spseydjGWIo2h0pjblDWM+509o7IcEZcIfD,iv:b6KcUeLezuc+KcRPOROpf3oTwaWmygpDON+BDea8KxY=,tag:lNL6vv5jAIQx58VmDtAvOg==,type:str] 42 | S3ID: ENC[AES256_GCM,data:E/k8fMl7CqAyA1b06crWwSvweA==,iv:Ng1wp9BZpStKsiAWI5H1Sx1fAkg1Fll32PoWJw1bdvo=,tag:S5aTNz771t2/lAdMS29XuQ==,type:str] 43 | S3NAME: ENC[AES256_GCM,data:IKFbf6IBDg==,iv:b5X6eLaH8c+7FVKGbFDEdrvGP4m2YNb7AjLAp1FzZh0=,tag:vh4cZ+RlgLuMz86p6OmdaA==,type:str] 44 | S3URL: ENC[AES256_GCM,data:v0GoRHdbGaIQjW6oTJw38RXxlLB1XCTgHQ==,iv:a/7ppH6D7mo7mFRw/9LZpbGV4AL3twsRXb7QLdlpx8k=,tag:zQcB5O5SOLs0nBKBVLycJw==,type:str] 45 | S3PREFIX: ENC[AES256_GCM,data:Q0lO6Zx89FS3hv41Tw==,iv:o9vvQuQ7AF+vaWB+hcEsSK471eVPAjNChvAr3gSAWz8=,tag:pZBR3LZXvCH+HUY/lbfdPg==,type:str] 46 | S3NAME_TC: ENC[AES256_GCM,data:pxNepyLgZw==,iv:Mk2tznl92+Py7Zw/jNyLOF2zfH+7EKo91FH49iJdipw=,tag:IK79BMEn1LZZVEJREbXddQ==,type:str] 47 | S3URL_TC: ENC[AES256_GCM,data:d/yfFUAKkFmZfy3oKtUl3qOkfw6eHETsAg==,iv:TLA4GkX3ql+Z+oJADcASK7Eta31gjqkSQ/YRfikwebs=,tag:IqoBEXhx+R5r8/pkI9zNkg==,type:str] 48 | S3PREFIX_TC: ENC[AES256_GCM,data:WwW2wE684a5k4g==,iv:jQIHAKEzPb2lqDnBaiHgmg6kSJctRfQXEad+BE0JAkQ=,tag:pAfIqTQx8JjGcvbELJsLxQ==,type:str] 49 | S3KEY_TC: ENC[AES256_GCM,data:626mUeFvooLvP5zIbA+zlm/WGaAmWNxFyOx6IE2yI7o7BQZATS0f,iv:Pj9krP3GnhUT6V5Tl0l+XxVYyqdcejeeUBua7kat87M=,tag:8j5otb/VPMnTQqJXCpi7aA==,type:str] 50 | S3ID_TC: ENC[AES256_GCM,data:I6M11IFHwe6Zb+veh8d9qfRCiw==,iv:c606hvRpTi2KQ9QMrtWnXBZM+iJv/xYhCQmx1mCYDGw=,tag:m/BGs6bQw+TBr6Kir4WbBw==,type:str] 51 | S3KEY_THANOS: ENC[AES256_GCM,data:QEtz2fT8+WR+OG+uUO1toCqhbh2yidxL4bLvqQXcb0MnKJTCdKH/TQ==,iv:ZdcyxeClKQz5b8LtsWcaEMLsxPreMArjlqlCMZQh+O4=,tag:eUkE6I/m/U7/JdtNOFkn5g==,type:str] 52 | S3ID_THANOS: ENC[AES256_GCM,data:h008KIK1Qm+e7GrxAv1HYjybQ7A=,iv:jt2f0h+WWbwZgqdL1rmClHhG4Hfc5XCiZlpCvODmd3g=,tag:/sYwbKo8l7ErAljJ6djGvg==,type:str] 53 | BWPUSHID: ENC[AES256_GCM,data:iillvTUU8eCrOWji47X7js5dCTTrX/ibwZt630pPHeLsa7r4,iv:abgmO+YnmBxPgUhMXzAHFzdxjwKp3jaBL0WYScYFkuQ=,tag:J3cHXSwvfPeTA7U8n9zIPQ==,type:str] 54 | BWPUSHKEY: ENC[AES256_GCM,data:66rzyGamCCL68o29B+0ipg1Aquw=,iv:2MoqeVJRDtRYzgEJRO/UFc/l+ZBqWmNNsIc+0bq5hpE=,tag:mXfz7xkOXSr/K3cBxnJnog==,type:str] 55 | VWADMIN: ENC[AES256_GCM,data:w/MlRG9H+khx+PL1RmFMjEWpuis4j6kCleJqjOE85LIE2ubErQ==,iv:Hm9aTSEKiUFWInD4NCnFkhnkvkcc9s4Hj+uWssV4OeU=,tag:Fq7bgHgRHtgsuntIY88t5A==,type:str] 56 | ICPASS: ENC[AES256_GCM,data:tddKF4ka7wqjxy2VAOWXtxqTtw==,iv:PslTOJ1uWgMlJkhhPzMw919sJORrdM8H1yWuyukEPJ4=,tag:AJs1MJeEGS/3P3NWVNdvmw==,type:str] 57 | ICLOGIN: ENC[AES256_GCM,data:RdMBk8jwgE+VnQRAgseEMc4tkLTDdg==,iv:irGpIWlOJy4odWtzHxR8RSSuSHnRQHcJJ5UJozmFfuY=,tag:zxjLzBrfXZQQZ8ZiHsWCGg==,type:str] 58 | SMTP: ENC[AES256_GCM,data:NIRcRUcZ6EJpn7G/jsPsnw==,iv:10mgyy4JfC4c88bPOYpVes0ovWmANtjRNGSvgMbKbmA=,tag:yftj9/jOrESwLIbiYX+85Q==,type:str] 59 | AUTHENTIKLOGIN: ENC[AES256_GCM,data:q03RR5iVyKKePkuJOpfHaaJHf4JTmg==,iv:cn4uOLEPyqeFlWpZvaiJL8xSNC2v7sRkVYxbeUf3jyA=,tag:dxyW1gjgT4JKuFw8IUFNiw==,type:str] 60 | DOMAIN_0: ENC[AES256_GCM,data:JGHdrqsgg/YkE2qtQ4/QPg==,iv:MiLGH78xwGODT67ru3g3ymTZeoOR26txQrbtbVjxN9I=,tag:JAfK0mCGgaUSvuw4Vklchw==,type:str] 61 | DOMAIN_0_EMAIL: ENC[AES256_GCM,data:zONSCOjp+Z4+n/C0sRP+cviVl84w,iv:ClBvQW46RvqtM7qbslytb96kEMghvl49dQfb910RVwA=,tag:j4Vyxb743bNnJI/HQW4sIg==,type:str] 62 | DOMAIN_0_CLOUDFLARE_TOKEN: ENC[AES256_GCM,data:lcdGmtTadoQJCNlqjAoCAsAe37qEEvhS3F8EIYxf5hZM0nF8+2gANA==,iv:gUq17xKv6Wb/lHdvEnxeelQ6ssW++Lernk5oJqXC0iI=,tag:zSIx1zHGz2KNRUS6s0ynPQ==,type:str] 63 | DOMAIN_1: ENC[AES256_GCM,data:vst1i7LsrX++1RwH6JU=,iv:MjIztt4fcily6qA/xBQN3dTZK81NPcWqgr8R6VvD7Rs=,tag:judOV/kdK4ji0NLQQu5c7Q==,type:str] 64 | DOMAIN_1_EMAIL: ENC[AES256_GCM,data:B9X8gbGi+zdqQds6E+ZKWTfRmA==,iv:/9BXETctOBfBYaPO1CSSLZfHhCssqnGqoZyh01+ftFU=,tag:Wbtkfa3hxSdgaAzoO3hjzw==,type:str] 65 | DOMAIN_1_CLOUDFLARE_TOKEN: ENC[AES256_GCM,data:4BA6lzST7wQIs52fMXJR6SIjvHaINl8rW2uTCxTc7OUg8m9q7hNszA==,iv:lrKqV5BE69bi3fjDGOhQE2zQN+wLPIlXT07tU1QepFs=,tag:FAZimzT4QEfl59uf0SmirA==,type:str] 66 | AUTHENTIKPASS: ENC[AES256_GCM,data:t5p7umICcwfV5B7W,iv:cpxPEVgsV6dhkQPrQc7Uz3U+LGYLM3xGvbNG3njrx7o=,tag:FYqIBQwwjPPRP5fhoiEjzA==,type:str] 67 | AUTHPROX: ENC[AES256_GCM,data:k1fyOBPnktDDfYFEi/gpxoQTrjkvNdDJ9PqD8Qdnd6LVmfjI6yO7v0z/YONjhWq6PVqb0mBvFVZV8UpkmSOvER1QZ1mU8nXGOud30Dzr7IWXKlLcOcwlZW0dIF1/EvIKTK2QcMf2ynCx8mXEuLVy477GjMyvD2rJTBPekDP4LqU=,iv:HSAxe6aEZaYDf4I85nCOtOXuT87xlFWDvpc2+HcPRNg=,tag:OVGo8sXzJcIjRw1DCwELCg==,type:str] 68 | AUTHLDAP: ENC[AES256_GCM,data:+bbNegws0ex+/E42N80rqUYDefN6Z3VtTqyA3JOVHzt0e75d+DtHi3bmYkgI4kQO6kjb4kLndhfu1fvYdLhXnHbKkNGqKN0jH3UjnfJif9Rt+clrndBlAi4yHlsIRtRn3ydpjCVz0cfkMoao0u3wELwpcfqdBeYTZo1DbewWta4=,iv:QxIo/2CKFUGg3RrDDxUx9Fr3e06/abp/yMJmEZV4UNU=,tag:tk1T59AhUEmUnhSTCVp2hg==,type:str] 69 | AUTHRAD: ENC[AES256_GCM,data:HGgOfjvaqv3ibB5ue94n97NUauPKsThvZSTyIETEKppHdfxmOLuDcIwLKBJ+47cl6NHtR8Kx+GJnS9twS3lXDqQe9JR4WNe9b8hPEk+XENVA+9t5W746NpDlxJqyKOMZKcGYC9mSYiHzW18fHQrejjEMvNUrB5ol817yH6nHQZI=,iv:iA3xL5FZvSecibFPxAwDoqrAjmuPlBYrpn/MpdG/CsA=,tag:kbTkh5oH+9JA29GgcQmIMg==,type:str] 70 | CSKEY: ENC[AES256_GCM,data:0imdCx4ibDfl0kti1Mp3a/W9Kpopwtd0CA==,iv:Xkg+c1sPa+pTXGFFWt2R0hY0Img18Nlj0PooaaSC9ec=,tag:tFvIEvxDzC3VG7g5uIqxaw==,type:str] 71 | ACTION_RUNNER_CONTROLLER_GITHUB_APP_ID: ENC[AES256_GCM,data:TJCg8ihi,iv:UFQxDzBFkNn/if5f9vGPvh7eZR8gA/PJozPFf/FqFLg=,tag:rtZBHjoNqTDpybr2s2HPtA==,type:str] 72 | ACTION_RUNNER_CONTROLLER_GITHUB_INSTALLATION_ID: ENC[AES256_GCM,data:mhpau1mMTt4=,iv:4YW+7sWrVulVu38YxyG8Bzh2rskgjF6AhWy9yOSrVMk=,tag:mdsbfW6xFdrZPjYlGJCWFA==,type:str] 73 | ACTION_RUNNER_CONTROLLER_GITHUB_WEBHOOK_SECRET_TOKEN: "" 74 | MINECRAFT_RCON_PASS: ENC[AES256_GCM,data:FjTFwLbHJM6+ZxXrc9y2sg==,iv:XNFOcD9o6iIapyH+ZbyO7KJtrY/+AbMqwDSgmNF+5Kk=,tag:+hDDqLcdiSGFihyQ3Yg+mA==,type:str] 75 | MINECRAFT_CF_API_KEY: ENC[AES256_GCM,data:O6yx6Yl7oDYokzaMh2CkTyLdti2hyg51OtOyKWAeCDIy95uej6Tt65jtkkaSBEXEx3dlgg==,iv:IFWLIl/mgTBH5yi6FAhZUij/aEgVjzdCJER7H0c2b64=,tag:2G5lula2MAX+e9n6fEfcZQ==,type:str] 76 | GITHUB_PAT_TC: ENC[AES256_GCM,data:DLDQE+0XBv0oee1nRXJbSN5J0QdYexp1WlnKFki2JC1g7K5NzTeAbA==,iv:srJYN8I/T2xA3psw59r6Db56tZhC5LN/yoU+uxshogA=,tag:fvPC7VPWi5Yes+aOZ+UJww==,type:str] 77 | HASS_TOKEN: ENC[AES256_GCM,data:3SCR1EhcD2k4FVdrbDoyr8mwJOM+bAtl35nD7X9iwXrK4ZrW6Zm0Lozr8kbucU7pLRl+QtY4holU933xfQm+NR6dZxkwSnv67ov/4HRDDg1LjrXVw+Z9roSp9e7LML91Nn8Ep0CiV3zu9Ip7Z/y+hbS5wA+3Bk52LCJgkzNCntCjw2+ERcP2tTo5nlqGxuDuz0RkpaxKSdZke2nluLfqoVxT/O1WtLhQi1nA/2alcYjlGSD05iNE,iv:crA6Guao3CaQGPlSMu9B04q3fIM1e1wU5yw9wr168Mw=,tag:Rqyt2SSJ6CxRWtotp6MuQQ==,type:str] 78 | ARK_PASSWORD: ENC[AES256_GCM,data:IZzfoLmieYM=,iv:8/vgI8XOVuJpSbjgdRKw+uPRBDVJw9VGCf/ZDVzAFK4=,tag:R04RVDiAutaiC7s+xICOsQ==,type:str] 79 | ARK_RCONPASS: ENC[AES256_GCM,data:cDWraNhghme+nf2LGyfMJphimA==,iv:u0n9nccjt/8elLDgL6TXINQkb7CzWYfQBoXVoQyZ864=,tag:11rQEAaYf/jUCMVzwrRwfA==,type:str] 80 | sops: 81 | shamir_threshold: 3 82 | age: 83 | - recipient: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 84 | enc: | 85 | -----BEGIN AGE ENCRYPTED FILE----- 86 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcE1ENnF5MWRTSkxObW9G 87 | QUJPUkIwQTE3TXNZNXlkK0tMUnNVY0NUSDF3ClFtRjhpRDlmQWpyK1ErZGc4b0Uz 88 | cDVIS1pyZ3FGNlBlREluYy9MM21xUjgKLS0tICtta2tWTWR6azRUQU4wR1BZVmVS 89 | SGE5eXB6RGJ0YUduVkwybmNkeGFRTk0KZ9fl3/vH21FXEp+yzU/SmdT2slSoARLh 90 | omdx836bQaWPBAKpCKDBiK7NtKrOeabkbKFf1NFUREK26kc+ac05xA== 91 | -----END AGE ENCRYPTED FILE----- 92 | lastmodified: "2025-05-23T23:42:08Z" 93 | mac: ENC[AES256_GCM,data:RYl8DaFTwUxWcOGHHm1s/r5LEmgQDkp3FErV0o7+10AL3nrNIEyr+LAm60QXvaX1ehb82gkcpCraBCzxvLkSR0jmm0r7h87zdobTWDe05Ok5dYbfwRmI/VgT0XoR4MNQGHtF96kX9d77+OcJceJgeVH1hrQMpusS9czH0JeQG4o=,iv:b1ZpM9D2HX6YDLJmwv0141ga+NfP1C8ZFBikc6QbsXA=,tag:oAhaILMjG2rorttV8qqtBQ==,type:str] 94 | version: 3.10.2 95 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/PrivatePuffin/cluster/c0db3fd23153c1349a4b95664757904f7d997760/clusters/main/kubernetes/.DS_Store -------------------------------------------------------------------------------- /clusters/main/kubernetes/apps/actions-runners/app/config.secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: runner-secret 5 | namespace: gha 6 | type: Opaque 7 | stringData: 8 | github_app_id: ENC[AES256_GCM,data:XwMG7Hb1,iv:+sDqdyDEiTKBfRyMaffrnbRAjVQGbvyHhtnik9NYwO0=,tag:gggCfaG7mU67wzsBf1ulIQ==,type:str] 9 | github_app_installation_id: ENC[AES256_GCM,data:6x33N7vLb5s=,iv:xY6Cjy7bbdREuxTbWRMHp2P5LpbVgg6qdQQn13Gk0UQ=,tag:xWtApqbPeETS/ObZYgkBSQ==,type:str] 10 | github_app_private_key: ENC[AES256_GCM,data:0m3y6DiVG9XlhysjL1KCac0+fgyf67Nl1VNdduIXSlvdD6nsknWsFLjUXOUqlxAPP2iZQm89FBxQ/5i48dAK8eTzvYMdsbE5VNerxuOcVJ6ieaBedAx/LocC4xJ1chWj6oJZlNfBo+JKPBAqwa1WUs5p0dHEKhGNSLUX2jADY+dXw30nrcFu8mAl2vYB3aT3QKQmoVH+0rWfSghR5AUoogIm8h6AUOmxiIT7qUo5v75FMZFoD0FsGuZTlak/P7/a/RVR626yan+WoXo+ha8DZzPnfG0WvTXcPS8BF6I3GkUTMPfTagIZCVT+O9ZjdiRAVxcgF2Sv4i6jYzm2d2VAn+N8yl1Q74aHM3U+Y9kiKBfYCoKzGvfEwXFzDxYB7u+lFbQHnqnUeesURvmNiq2v2iRoSEc9BpOZfLzrPxFt/MLJooJkIXgdUQwJeCkFYtymM9ubU2v6rjNHqlrJCvObwDTQefVhFNvVeUjUzjFKZdULDTE2fREUe/V1HIPdlVKizyzPY8OW+HYwWY+dyG+CPvbLGpuzBFXl4e7yVoB4BvQqizbapPp8NcyEPfYYOCXa+u9+9wIXHnC+zidi+b3+/NiKpohtsCbrepriFOgmLC9cuNruvvpxwEyyoxKz+jP2DZlOp2tZuGalpZj/uwDaPobrJ4GGsqL70k4NnPISnMpQrLtoYiiMJH8JL1KkAaa8ubOT3SNwZ5v8IkyXt7SsF6/9yUt0uoaYDlUItV2m4PA4a4dlV10SSgf82EKowrWx5M75RAeRtVfZ/Ybn7fDcMUK1LsXURXHncPSjpyE6H8ukkb4a5qFpEhje9/IzqH14FqW32uccIQ/3IzcYAQBKYwO65hM00jB58DuNkaa8JU2H8xFLREm5AJmhYyuCiDA8k+vXg/WcSAd32sDzgHXsKctk0GcUwTECV+uXEVTJXsG4QVivH4PnpTfKQ1WIL7kYyfbEGXII2vnnjNXZ5vEYW7Wl2chHdab1G8k406+oSk+d4vdxh8OaCq16C7eZoOb3hJsKlv8G3z3zhPPHjKyvmu58H759TbIRDwxgk2+pA1N8mo3J1My4E2x/7y+M7rZBnuuALE87YccrLT92EEVzSOktlasqPTtcR5+vCd8lTWCnry5i8lL0oaQ+ohQ3Tv5tzoOh44na5vNZbWE/+Cnmhf0o8pu6LaSpZIq8X8nFygXjzpcgoQ3s31a8KxJmD2U06QkS4H+81On5eXQ8CL2CszNQUZEFJbEngIElRWGBz7P0i67uxWYllSOz8Lby7JQFV6SLnWWSst8PjXCGCqb7xXGYnB5DzDl53Q5ZDQZ4ZvWVCCchsFfCnl9UpFvq+IzYCGiq2TBZEfusDHVR/toM9I/vQ1UOUSmgH8gXbWL29RRIrwtvm/Rq0AXJdAs0q0QhGT6mX8LDpqI/GQmKkep8Vj7qvz6Y3Ua6T6wAFjuiOf4J92YYADgdaSVN50JOme97gw2ox4uwlqPArV6RdRBoAYiYAUzEY4dI8aBn1iru2+JxhMD2tDy7drumU5rYraj419Le2bAu8+tT5JGCirtqJqHVguNBqWyC6FWs+/5bamG3WY/yWDmePEwTiXsb1N1GWRgeIM3V+oUP5hmIizUN03VnIO7racOUliq7g9rHma/oOdImBe2iiESm7Xympdt6uoin/aVNCqsDJ+Sq9QpHTtyM2zbLsWRQhMaW0P8ngOE4wfDv8rCjOBqBov87/jg6eE3EtDWzeUpN+HdbXs/7EdyqQpC0lGjZxPoaYfAMBOj4PjoTjk1vOlACIOA6uArWHXdYPxIkBAPdU6ejR2TOSBsDdbg0X2Q8gCF3JEnq/rQwqdztxndBVrLLU7eQRnu+M+IXSeXo1u+3Ua7JiW0Qw4ir26iTHDinu8mfaXYlY3Zc/LSAlEB2pkNQS6JOJVvOzSf5+EoZOc1dPJxXEWjc0qB5bKqYsJlt2IyaxQxBNze0jxLdVzbfBInjCljs6cGe0AQoNOc9+ZjQs70BRVL4K5X2jdt9zcmcZBZ6YATtnJrUlA0/5YMZp7HReqoy2/eMN5d8UF+Bwd/BH4DVyCmYWEw0dhuuronEdlMA4aGh0WuhTyA3WjsHF+mIwkvvBJFv2SI7zB4rPVF64blakLxgkYnDKGlJkd2l5NMX736an2hT3uE52+5Lwxj3ydVv9n0j5TPq0rAqoeFet0BxTzsLgsABkjUbNWQtSC0zg1Drjhhd6irvrlYWAadu,iv:MD5OYjQF56FfchoaH3NZpHs1pavCTL8U3zvEv45KQXs=,tag:olIfooS/wJOKskgk2FwQZQ==,type:str] 11 | sops: 12 | shamir_threshold: 3 13 | age: 14 | - recipient: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 15 | enc: | 16 | -----BEGIN AGE ENCRYPTED FILE----- 17 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCMlBKT3hVNi9BSThZVXNl 18 | SnI4TEZBZ3dQSUlxR1JqZWpVYUt1RUdxZEFrCnRoTkZvNVdqNlJoOGtkZE11ck5H 19 | Mm41bWZuZ0g3Q05va0xoYUljekZJWGcKLS0tIHlZS3VLbXI2NG9icmdGMVBPNzlM 20 | cTUvNXdnR1ZDMXRZTTdUY056RE5LYkkK4PxlFWMD/r3ciad8eF99I/w3l2nKq07G 21 | I5WJ5Ljtk4ngxBUmgmaIR49rSkCORfORru6xoLT8CAAbw3bLOvH+JQ== 22 | -----END AGE ENCRYPTED FILE----- 23 | lastmodified: "2025-05-23T23:42:08Z" 24 | mac: ENC[AES256_GCM,data:1RW3R7TVN8mOsVe05GTX9CMcKusyhVCpoKph1UFQFFSpCS2cwA5eXsdmObKaitMc6egZ7RdEmoAVkTfGnBBiUbt3y34FeDFAW63axwMS2HD2sfi58DfEirQ+sgZLRCQlxmXzoW3ZdWlkEtS973SoFsM5hQvbMLMUrVlrKku4t9w=,iv:tnUUaA40x3IEpjXIYhB+PRbSpVJjM1bBqMWX1nXfiZM=,tag:h6M3haQ9ixchbrG5md7yhQ==,type:str] 25 | encrypted_regex: ((?i)(displayname|email|pass|ca|id|bootstraptoken|secretboxencryptionsecret|secrets|secrets|password|cert|secret($|[^N])|key|token|^data$|^stringData)) 26 | version: 3.10.2 27 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/apps/actions-runners/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: actions-runners 6 | namespace: gha 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: gha-runner-scale-set 12 | version: 0.11.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: actions-runner-controller 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | remediation: 22 | strategy: rollback 23 | retries: 3 24 | dependsOn: 25 | - name: actions-runner-controller 26 | namespace: gha 27 | values: 28 | minRunners: 3 29 | maxRunners: 12 30 | githubConfigSecret: ENC[AES256_GCM,data:LtxMJzzC0sh88Er2AA==,iv:9tr4O3pCPf/Udj4LndI6TebyX2kJdZ0fZwDYaLbXq4g=,tag:NRik2NWsR5UoNJYGAQcIsA==,type:str] 31 | githubConfigUrl: https://github.com/truecharts 32 | controllerServiceAccount: 33 | name: actions-runner-controller 34 | namespace: gha 35 | containerMode: 36 | type: kubernetes 37 | kubernetesModeWorkVolumeClaim: 38 | accessModes: 39 | - ReadWriteOnce 40 | storageClassName: openebs-hostpath 41 | resources: 42 | requests: 43 | storage: 32Gi 44 | template: 45 | spec: 46 | containers: 47 | - name: runner 48 | image: tccr.io/tccr/charts-ci:latest 49 | command: 50 | - /home/runner/run.sh 51 | env: 52 | - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER 53 | value: "false" 54 | sops: 55 | shamir_threshold: 3 56 | kms: [] 57 | gcp_kms: [] 58 | azure_kv: [] 59 | hc_vault: [] 60 | age: 61 | - recipient: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 62 | enc: | 63 | -----BEGIN AGE ENCRYPTED FILE----- 64 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4NzJHNWoxN29QOThKbFFT 65 | SW4xSGRPeWEvN1YxeVA2ME9BQy9CemVlcG5FCndvSkpseTJDUlc3SmVKVGhGcG12 66 | TVhWZUs5d25XczhFNVZGSzdlN2lZcUkKLS0tIGszUWhnTklPRzVTWkdDWURuV0NJ 67 | NXpwOTlqcVB6MTVHeDdZdHRkaW9MSk0KYhRgfX2uDUc3IGjmdF+6eNRb2p/XXV4f 68 | irM6dRnRubcS8otnsQIp2HpVw1p3sZ2EyO/bBvlwzBOjU0VGZtPNcA== 69 | -----END AGE ENCRYPTED FILE----- 70 | lastmodified: "2025-05-18T10:06:04Z" 71 | mac: ENC[AES256_GCM,data:xAe4TlNcETYasC5rVP53DJhtAb7vzZV+lfU3rs4/hatPZc9RDPdsmGXrQoP88eLBRmPvlJOBoErAJZbtrJ+J1gLr5P7yym64TBBc5/vPy2YgYuGlaYGSwGhMNELVfd2TFfFgjaNe6I20/DzTS6Qvae/Fsst4S4oFpw1JFWQq1ZQ=,iv:3pNu3I1ApVx05t71c9Z6D8clzA0S8w4/1v0gJQnaoOo=,tag:K5WGm/xRpxK5hrRUG+5FaQ==,type:str] 72 | pgp: [] 73 | encrypted_regex: ((?i)(displayname|email|pass|ca|id|bootstraptoken|secretboxencryptionsecret|secrets|secrets|password|cert|secret($|[^N])|key|token|^data$|^stringData)) 74 | version: 3.9.2 75 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/apps/actions-runners/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./config.secret.yaml 8 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/apps/actions-runners/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: actions-runners 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/apps/actions-runners/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/apps/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - actions-runners/ks.yaml 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/actions-runner-controller/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: actions-runner-controller 6 | namespace: gha 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: gha-runner-scale-set-controller 12 | version: 0.11.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: actions-runner-controller 16 | namespace: flux-system 17 | install: 18 | crds: CreateReplace 19 | remediation: 20 | retries: 3 21 | upgrade: 22 | cleanupOnFail: true 23 | crds: CreateReplace 24 | remediation: 25 | strategy: rollback 26 | retries: 3 27 | values: 28 | replicaCount: 2 29 | fullnameOverride: actions-runner-controller 30 | dockerRegistryMirror: http://192.168.10.208:5000 31 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/actions-runner-controller/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ns.yaml 7 | - ./helm-release.yaml 8 | - rbac.yaml 9 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/actions-runner-controller/app/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: gha 5 | labels: 6 | pod-security.kubernetes.io/enforce: privileged 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/actions-runner-controller/app/rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: actions-override 5 | rules: 6 | - verbs: 7 | - '*' 8 | apiGroups: 9 | - '*' 10 | resources: 11 | - '*' 12 | --- 13 | apiVersion: rbac.authorization.k8s.io/v1 14 | kind: ClusterRoleBinding 15 | metadata: 16 | name: actions-override 17 | subjects: 18 | - kind: ServiceAccount 19 | name: actions-runner-controller 20 | namespace: gha 21 | roleRef: 22 | apiGroup: rbac.authorization.k8s.io 23 | kind: ClusterRole 24 | name: actions-override -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/actions-runner-controller/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: actions-runner-controller 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/core/actions-runner-controller/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/clusterissuer/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: clusterissuer 7 | namespace: clusterissuer 8 | spec: 9 | interval: 15m 10 | chart: 11 | spec: 12 | chart: clusterissuer 13 | version: 9.6.6 14 | sourceRef: 15 | kind: HelmRepository 16 | name: truecharts 17 | namespace: flux-system 18 | interval: 15m 19 | timeout: 20m 20 | maxHistory: 3 21 | install: 22 | createNamespace: true 23 | remediation: 24 | retries: 3 25 | upgrade: 26 | cleanupOnFail: true 27 | remediation: 28 | retries: 3 29 | uninstall: 30 | keepHistory: false 31 | values: 32 | 33 | clusterIssuer: 34 | selfSigned: 35 | enabled: true 36 | name: "selfsigned" 37 | ## Remove these if you do NOT want to use clusterissuer 38 | ACME: 39 | - name: le-staging 40 | # Used for both logging in to the DNS provider AND ACME registration 41 | email: "${DOMAIN_0_EMAIL}" 42 | server: 'https://acme-staging-v02.api.letsencrypt.org/directory' 43 | # Options: HTTP01, cloudflare, route53, akamai, digitalocean, rfc2136, acmedns 44 | type: "cloudflare" 45 | # for cloudflare 46 | cfapitoken: "${DOMAIN_0_CLOUDFLARE_TOKEN}" 47 | - name: le-prod 48 | # Used for both logging in to the DNS provider AND ACME registration 49 | email: "${DOMAIN_0_EMAIL}" 50 | server: 'https://acme-v02.api.letsencrypt.org/directory' 51 | # Options: HTTP01, cloudflare, route53, akamai, digitalocean, rfc2136, acmedns 52 | type: "cloudflare" 53 | # for cloudflare 54 | cfapitoken: "${DOMAIN_0_CLOUDFLARE_TOKEN}" 55 | 56 | ## Remove these if you do NOT want to use clusterissuer 57 | clusterCertificates: 58 | # Namespaces in which the certificates must be available 59 | # Accepts comma-separated regex expressions 60 | replicationNamespaces: '.*' 61 | certificates: 62 | - name: general-wildcard 63 | enabled: true 64 | certificateIssuer: le-prod 65 | hosts: 66 | - ${DOMAIN_0} 67 | - '*.${DOMAIN_0}' 68 | - ${DOMAIN_1} 69 | - '*.${DOMAIN_1}' -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/clusterissuer/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | - helm-release.yaml 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/clusterissuer/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: clusterissuer 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/clusterissuer/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: clusterissuer 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/core/clusterissuer/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/crowdsec/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: crowdsec 7 | namespace: crowdsec 8 | spec: 9 | interval: 15m 10 | chart: 11 | spec: 12 | chart: crowdsec 13 | version: 0.19.3 14 | sourceRef: 15 | kind: HelmRepository 16 | name: crowdsec 17 | namespace: flux-system 18 | interval: 15m 19 | timeout: 20m 20 | maxHistory: 3 21 | install: 22 | createNamespace: true 23 | crds: CreateReplace 24 | remediation: 25 | retries: 3 26 | upgrade: 27 | cleanupOnFail: true 28 | crds: CreateReplace 29 | remediation: 30 | retries: 3 31 | uninstall: 32 | keepHistory: false 33 | values: 34 | 35 | container_runtime: containerd 36 | tls: 37 | enabled: true 38 | bouncer: 39 | reflector: 40 | namespaces: ["traefik"] 41 | agent: 42 | # Specify each pod whose logs you want to process 43 | acquisition: 44 | # The namespace where the pod is located 45 | - namespace: traefik 46 | # The pod name 47 | podName: traefik-* 48 | # as in crowdsec configuration, we need to specify the program name to find a matching parser 49 | program: traefik 50 | env: 51 | - name: PARSERS 52 | value: "crowdsecurity/cri-logs" 53 | - name: COLLECTIONS 54 | value: "crowdsecurity/traefik" 55 | # When testing, allow bans on private networks 56 | - name: DISABLE_PARSERS 57 | value: "crowdsecurity/whitelists" 58 | metrics: 59 | enabled: true 60 | serviceMonitor: 61 | enabled: true 62 | lapi: 63 | dashboard: 64 | enabled: false 65 | ingress: 66 | enabled: false 67 | annotations: 68 | cert-manager.io/cluster-issuer: le-prod 69 | cert-manager.io/private-key-rotation-policy: Always 70 | meta.helm.sh/release-name: traefik 71 | meta.helm.sh/release-namespace: traefik 72 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 73 | traefik.ingress.kubernetes.io/router.tls: 'true' 74 | traefik.ingress.kubernetes.io/router.middlewares: traefik-chain-basic@kubernetescrd,traefik-bouncer@kubernetescrd,traefik-local@kubernetescrd 75 | host: crowdsec.${DOMAIN_0} 76 | 77 | env: 78 | # For an internal test, disable the Online API 79 | - name: DISABLE_ONLINE_API 80 | value: "false" 81 | - name: ENROLL_KEY 82 | value: "${CSKEY}" 83 | - name: ENROLL_INSTANCE_NAME 84 | value: "cluster" 85 | metrics: 86 | enabled: true 87 | serviceMonitor: 88 | enabled: true 89 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/crowdsec/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | - helm-release.yaml 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/crowdsec/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: crowdsec 5 | labels: 6 | pod-security.kubernetes.io/enforce: privileged 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/crowdsec/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: crowdsec 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/core/crowdsec/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/docker-registry/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: docker-registry 6 | namespace: docker-registry 7 | spec: 8 | interval: 15m 9 | chart: 10 | spec: 11 | chart: docker-registry 12 | version: 2.3.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: twuni 16 | namespace: flux-system 17 | interval: 15m 18 | timeout: 20m 19 | maxHistory: 3 20 | install: 21 | createNamespace: true 22 | crds: CreateReplace 23 | remediation: 24 | retries: 3 25 | upgrade: 26 | cleanupOnFail: true 27 | crds: CreateReplace 28 | remediation: 29 | retries: 3 30 | uninstall: 31 | keepHistory: false 32 | values: 33 | image: 34 | repository: docker.io/library/registry 35 | tag: 2.8.3 36 | 37 | persistence: 38 | enabled: true 39 | size: 100Gi 40 | 41 | configData: 42 | compatibility: 43 | schema1: 44 | enabled: true 45 | proxy: 46 | enabled: true 47 | remoteurl: https://registry-1.docker.io 48 | username: ${DOCKERHUB_USER} 49 | password: ${DOCKERHUB_PASSWORD} 50 | service: 51 | type: LoadBalancer 52 | port: 5000 53 | annotations: 54 | "metallb.universe.tf/loadBalancerIPs": ${DOCKERMIRROR_IP} 55 | "lbipam.cilium.io/ips": ${DOCKERMIRROR_IP} 56 | 57 | ingress: 58 | enabled: true 59 | className: "" 60 | path: / 61 | # Used to create an Ingress record. 62 | hosts: 63 | - dockerhub.${DOMAIN_0} 64 | annotations: 65 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 66 | cert-manager.io/cluster-issuer: le-prod 67 | cert-manager.io/private-key-rotation-policy: Always 68 | traefik.ingress.kubernetes.io/router.tls: 'true' 69 | traefik.ingress.kubernetes.io/router.middlewares: traefik-chain-basic@kubernetescrd,traefik-local@kubernetescrd 70 | labels: {} 71 | tls: 72 | - hosts: 73 | - dockerhub.${DOMAIN_0} 74 | secretName: dockerhub-ingress -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/docker-registry/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | - helm-release.yaml 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/docker-registry/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: docker-registry 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/docker-registry/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: docker-registry 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/core/docker-registry/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | 5 | # - blocky/ks.yaml 6 | - clusterissuer/ks.yaml 7 | # - crowdsec/ks.yaml 8 | # - metallb-config/ks.yaml 9 | # - rook-ceph/ks.yaml 10 | # - system-upgrade-controller-plans/ks.yaml 11 | - actions-runner-controller/ks.yaml 12 | - docker-registry/ks.yaml 13 | # - intel-gpu/ks.yaml 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/metallb-config/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: metallb-config 7 | namespace: metallb-config 8 | spec: 9 | interval: 15m 10 | chart: 11 | spec: 12 | chart: metallb-config 13 | version: 8.5.3 14 | sourceRef: 15 | kind: HelmRepository 16 | name: truecharts 17 | namespace: flux-system 18 | interval: 15m 19 | timeout: 20m 20 | maxHistory: 3 21 | install: 22 | createNamespace: true 23 | remediation: 24 | retries: 3 25 | upgrade: 26 | cleanupOnFail: true 27 | remediation: 28 | retries: 3 29 | uninstall: 30 | keepHistory: false 31 | values: 32 | 33 | ipAddressPools: 34 | - name: main 35 | autoAssign: false 36 | avoidBuggyIPs: true 37 | addresses: 38 | - ${METALLB_RANGE} 39 | L2Advertisements: 40 | - name: main 41 | addressPools: 42 | - main 43 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/metallb-config/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | - helm-release.yaml 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/metallb-config/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: metallb-config 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/metallb-config/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: metallb-config 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/core/metallb-config/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/system-upgrade-controller-plans/app/kubernetes.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json 3 | apiVersion: upgrade.cattle.io/v1 4 | kind: Plan 5 | metadata: 6 | name: kubernetes 7 | spec: 8 | version: ${KUBERNETES_VERSION} 9 | serviceAccountName: system-upgrade 10 | secrets: 11 | - name: talos 12 | path: /var/run/secrets/talos.dev 13 | ignoreUpdates: true 14 | concurrency: 1 15 | exclusive: true 16 | nodeSelector: 17 | matchExpressions: 18 | - key: feature.node.kubernetes.io/system-os_release.ID 19 | operator: In 20 | values: ["talos"] 21 | - key: node-role.kubernetes.io/control-plane 22 | operator: Exists 23 | - key: feature.node.kubernetes.io/system-os_release.VERSION_ID 24 | operator: In 25 | values: ["${TALOS_VERSION}"] 26 | tolerations: 27 | - key: CriticalAddonsOnly 28 | operator: Exists 29 | - key: node-role.kubernetes.io/control-plane 30 | operator: Exists 31 | effect: NoSchedule 32 | upgrade: 33 | image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION} 34 | envs: 35 | - name: NODE 36 | valueFrom: 37 | fieldRef: 38 | fieldPath: status.hostIP 39 | args: 40 | - --nodes=$(NODE) 41 | - upgrade-k8s 42 | - --to=$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION) -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/system-upgrade-controller-plans/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | # - schematics.yaml 7 | - kubernetes.yaml 8 | - talos.yaml 9 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/system-upgrade-controller-plans/app/talos.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json 2 | apiVersion: upgrade.cattle.io/v1 3 | kind: Plan 4 | metadata: 5 | name: talos 6 | spec: 7 | version: ${TALOS_VERSION} 8 | serviceAccountName: system-upgrade 9 | secrets: 10 | - name: talos 11 | path: /var/run/secrets/talos.dev 12 | ignoreUpdates: true 13 | concurrency: 1 14 | exclusive: true 15 | nodeSelector: 16 | matchExpressions: 17 | - key: kubernetes.io/os 18 | operator: In 19 | values: ["linux"] 20 | - key: feature.node.kubernetes.io/system-os_release.ID 21 | operator: In 22 | values: ["talos"] 23 | - key: feature.node.kubernetes.io/system-os_release.VERSION_ID 24 | operator: NotIn 25 | values: ["${TALOS_VERSION}"] 26 | tolerations: 27 | - key: CriticalAddonsOnly 28 | operator: Exists 29 | - key: node-role.kubernetes.io/control-plane 30 | operator: Exists 31 | effect: NoSchedule 32 | upgrade: 33 | image: ghcr.io/jfroy/tnu:0.4.3 34 | envs: 35 | - name: NODE 36 | valueFrom: 37 | fieldRef: 38 | fieldPath: spec.nodeName 39 | args: 40 | - --node=$(NODE) 41 | - --tag=$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION) 42 | ## Reenable if your setup REALLY needs full reboots 43 | # - --powercycle 44 | 45 | 46 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/core/system-upgrade-controller-plans/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: system-upgrade-controller-plans 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | path: clusters/main/kubernetes/core/system-upgrade-controller-plans/app 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: cluster 14 | targetNamespace: system-upgrade 15 | dependsOn: 16 | - name: system-upgrade-controller 17 | wait: false 18 | retryInterval: 1m 19 | timeout: 5m 20 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-entry.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: flux-entry 7 | namespace: flux-system 8 | spec: 9 | interval: 10m 10 | path: ./clusters/main/kubernetes 11 | prune: true 12 | sourceRef: 13 | kind: GitRepository 14 | name: cluster 15 | decryption: 16 | provider: sops 17 | secretRef: 18 | name: sops-age 19 | postBuild: 20 | substituteFrom: 21 | - kind: ConfigMap 22 | name: cluster-config 23 | patches: 24 | - patch: |- 25 | apiVersion: kustomize.toolkit.fluxcd.io/v1 26 | kind: Kustomization 27 | metadata: 28 | name: not-used 29 | spec: 30 | decryption: 31 | provider: sops 32 | secretRef: 33 | name: sops-age 34 | postBuild: 35 | substituteFrom: 36 | - kind: ConfigMap 37 | name: cluster-config 38 | - kind: ConfigMap 39 | name: upgrade-settings 40 | target: 41 | group: kustomize.toolkit.fluxcd.io 42 | kind: Kustomization 43 | labelSelector: substitution.flux.home.arpa/disabled notin (true) 44 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/flux/bootstrap.yaml.ct: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - github.com/fluxcd/flux2/manifests/install?ref=v2.3.0 7 | - ./deploykey.secret.yaml 8 | - ./clustersettings.secret.yaml 9 | patches: 10 | # Remove the built-in network policies 11 | - target: 12 | group: networking.k8s.io 13 | kind: NetworkPolicy 14 | patch: | 15 | $patch: delete 16 | apiVersion: networking.k8s.io/v1 17 | kind: NetworkPolicy 18 | metadata: 19 | name: not-used 20 | # Resources renamed to match those installed by oci://ghcr.io/fluxcd/flux-manifests 21 | - target: 22 | kind: ResourceQuota 23 | name: critical-pods 24 | patch: | 25 | - op: replace 26 | path: /metadata/name 27 | value: critical-pods-flux-system 28 | - target: 29 | kind: ClusterRoleBinding 30 | name: cluster-reconciler 31 | patch: | 32 | - op: replace 33 | path: /metadata/name 34 | value: cluster-reconciler-flux-system 35 | - target: 36 | kind: ClusterRoleBinding 37 | name: crd-controller 38 | patch: | 39 | - op: replace 40 | path: /metadata/name 41 | value: crd-controller-flux-system 42 | - target: 43 | kind: ClusterRole 44 | name: crd-controller 45 | patch: | 46 | - op: replace 47 | path: /metadata/name 48 | value: crd-controller-flux-system 49 | - target: 50 | kind: ClusterRole 51 | name: flux-edit 52 | patch: | 53 | - op: replace 54 | path: /metadata/name 55 | value: flux-edit-flux-system 56 | - target: 57 | kind: ClusterRole 58 | name: flux-view 59 | patch: | 60 | - op: replace 61 | path: /metadata/name 62 | value: flux-view-flux-system -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/flux/clustersettings.secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: cluster-config 5 | namespace: flux-system 6 | data: 7 | #ENC[AES256_GCM,data:mYnrz2/J2BVVCJed8R2nWzecrHwNywvQX/pUcOn9HxvYdEwt+mS6SxtSbhc=,iv:pBK7XBEXs7zcI2H9EEdO3sujOqjWAAFlx/bMiU9aKIE=,tag:k5MqTDHWmET/WJQ1WMfd6w==,type:comment] 8 | VIP: ENC[AES256_GCM,data:w+lWNeHwUaM8erBcuNU=,iv:905GHgRHIK3PgNxgoo2oBz/HzcEoLGIeomieAh6OGMQ=,tag:80SgX0qLkgxVxLKajgtWeQ==,type:str] 9 | #ENC[AES256_GCM,data:vdKtu0T+ZEhgGwneSGgfuHNCIcinDa6OU+0=,iv:3Xyknc1Cq4si9I5SQ3qabUMTENjJGvZ2kNvbMQLOKbA=,tag:plN5BGUp1vmAJfOKajCFEw==,type:comment] 10 | MASTER1IP: ENC[AES256_GCM,data:bwvGdSBB4qPIr0E6RTA=,iv:TQK7F1ybpx923UsUMZZfQjPLxWURbIn9RgkusIE+oxU=,tag:0FHl8x/KQ330ppkpPyTEHQ==,type:str] 11 | #ENC[AES256_GCM,data:eoNG+Feh/TORwShNpNeyTcPCqdJ4A77Q/7s+3ceIhZkAbw==,iv:pCadSrff1nqTk16OrVqrCzmTI8L+DBrPJHy7OLVqnxI=,tag:m538kzUF5rZ97bVDN6trtQ==,type:comment] 12 | GATEWAY: ENC[AES256_GCM,data:/bdsgOFLT0BGAIkA,iv:dhZwrZ7sPYzgFnugOU5yiSeGQZZvdUkqjo/8UKPsGWM=,tag:2EA/SgOcz+5GDWwe6f3nIA==,type:str] 13 | METALLB_RANGE: ENC[AES256_GCM,data:OVD/5eK1JnF+TT6Rut1r4TDOKEDDpTVu3ZOab6c=,iv:KKhCfmqKVW5OvE+pe5v7DA8NexQfQuGGzAVwcO3PIc8=,tag:uNmScvEwunOv0kefIhbxbg==,type:str] 14 | LB_RANGE_LOWER: ENC[AES256_GCM,data:mqEX9U9sxXnu/+OBdsI=,iv:KFue1uOri4P2gmm0FAlrJI4wVaH+RS1/g5XBBhyGhQ4=,tag:iK+Hk4A3GSO588NeEY/SIA==,type:str] 15 | LB_RANGE_UPPER: ENC[AES256_GCM,data:CwuX1osG9QPdaS3DVs0=,iv:87py2jQKomZQOr/sVoHbvKExQVwxo8oD4omEVtKExaM=,tag:zqVf/UBmuaZ5KPEQpjxctw==,type:str] 16 | #ENC[AES256_GCM,data:PpaEUqKN9FsN4R0KmVUSFTyuJJHtzVyYsZk5IU+YNvtItrYwirI1mc6rFKSTRUF5jFPdq/h6zJ2/LaX4q0mY+BCMFCJnwyaL3bMizPSXMvw=,iv:ZTq59v/hT6Dep4cr/BnP8l4FYe+HhamE+EQd3niiDOI=,tag:W60H2qbQsn3Bzt7IkEoCKg==,type:comment] 17 | DASHBOARD_IP: ENC[AES256_GCM,data:izFAfdDdtQ+RTPFGt58=,iv:h9ZJYH0wmK5AnNH/eoNtsero9x6kUwTVHZtcTtQWWeI=,tag:tTjsF7yz67iJiF0BJmCWWA==,type:str] 18 | DOCKERHUB_USER: ENC[AES256_GCM,data:HMS23nALLw7QHg==,iv:qBOriR4h+p+HRzAtL0sJpnsKXkuQSacV8SreBfSbgnU=,tag:3LztPTXDS8KoEkXvP/3SnQ==,type:str] 19 | DOCKERHUB_PASSWORD: ENC[AES256_GCM,data:XRdO1r7nr+gexTzF1nH3,iv:1S5iHiggMjqQDjP4uSbDQwgk75YJeCxIXKraOEsqQcU=,tag:c3LAwKzOLKq0vLfjvqHzZw==,type:str] 20 | #ENC[AES256_GCM,data:l4L80hV7D+SYI3p3nM8hGJz7dev1mHKHlpGMeZcEEtTEjiNd1mcs8H+MCqARpk1CSEsAeWws/TZ54QoqZavT7qAqeYw=,iv:cTfIxScBI/kWngBrfYQot53Lq8b4kKOpTpWW0EWXyZw=,tag:vWb5v0QIhbfTdBl/sRk/yQ==,type:comment] 21 | KUBEAPPS_IP: ENC[AES256_GCM,data:bJqNws6Iw4SqsOrQjb8=,iv:CJ0Ooirc2LfNbCLgPK5fLSmkJGzWF3JmsTW8CpA6Hx4=,tag:S4hIuUF36gu4kmWd+5JHlA==,type:str] 22 | #ENC[AES256_GCM,data:zdtA3TJnGH47Aw/HjdkhGNY+g8oMjDz6uTO1mnk=,iv:TKlEhc+E69PfIMLf+65paZPdgWemrbz1IaR5Rbb7b+M=,tag:4mOLUBXSVVFgRe4eqyZVsQ==,type:comment] 23 | GITHUB_REPOSITORY: ENC[AES256_GCM,data:iKI4JD4WtvpXGf3WQSUylLStTyCToOpbQuqchfA3fe7jI+nRIHyXIoPODQ==,iv:6KRk+wzsh/eB5D1orB1qQ5ZcJ812jNxT5PVUij7e75g=,tag:XjJDZEDpQZqwv3ti12ISCA==,type:str] 24 | #ENC[AES256_GCM,data:rOe/nEnPjUIFKBq/8A==,iv:UfBUSeR8P3ifMVdi9ZmkNbXQ2VTmN6EuFOOoRYPdst4=,tag:4FP4pwMCWHgGPRRCK9CKVQ==,type:comment] 25 | PODNET: ENC[AES256_GCM,data:J4f2ee36bvTYp3jxmg==,iv:ILzxCZPexggxGFBve/hLiv5ePa2abpFAik7riF2gr4o=,tag:9VeLZfUOXOEFBbwAHoNjWQ==,type:str] 26 | SVCNET: ENC[AES256_GCM,data:aUuV7C956aOiS9hZQQ==,iv:gLk6k9yms8YShL4d8tRcXwJQTm7jPIOpOSQMBGyab1M=,tag:YEfJcfLN7+Vc1QxPDtq+lQ==,type:str] 27 | #ENC[AES256_GCM,data:CEjXuqUP7NK8bZa1t787xF0q,iv:ymmnTvbpi6FbDjVXASlcC5IOB/f3BuaZi2OsR2NWqtQ=,tag:NFXi15jv0oWAy+MsdWXXDw==,type:comment] 28 | MASTER2IP: ENC[AES256_GCM,data:YP7c+4CLXPcTbXRIBg==,iv:pcDUAV5UrzeBfSzW/9Gb+WkLMX7ZU0+b3Cn8aG9Nc1g=,tag:ybX7kiO7v4pnLqVXqOs0GA==,type:str] 29 | MASTER3IP: ENC[AES256_GCM,data:GvmOcm4S2Q9w8nDOd/0=,iv:JCA3vjcnpVfBVORmiFPNFcX0L9IYikIv6hXcsEMLnWA=,tag:2If62HqKD1J4McsBd+BSBQ==,type:str] 30 | BASE_DOMAIN: ENC[AES256_GCM,data:dMzKJdkK59+ItoOiPX/e9A==,iv:3ybCk1X4TAhQaFw0oyArnIHiaFhEP+/cXmxWv5YsPWc=,tag:szaag3honB/hYvh0ygQlrA==,type:str] 31 | BASE_DOMAIN2: ENC[AES256_GCM,data:vSynB9qI9GAZ5Dkq5z0=,iv:okLT8ZlZtXtDclVFvmJe75Iu6JJ5EHvNwrxlDbi1r48=,tag:CApJMMVQIULCdpoQ+dfj0g==,type:str] 32 | BLOCKY_IP: ENC[AES256_GCM,data:EwLULSNngD/NqSajPuQ=,iv:S0nkUAw3Eydvz1DQggnuBg9opEXIjlCAl0ATyRDvtOs=,tag:kVj1HCVKZL65WOtifu8xSQ==,type:str] 33 | TRAEFIK_IP: ENC[AES256_GCM,data:rCv4KHkqm9V2+N/tIV4=,iv:ADITVIUrtiR9Ww4pxhwRnNBoWA04fTawEmgZspMpZak=,tag:bRDcLwAGlHgtYnhGSlpvkQ==,type:str] 34 | HASS_IP: ENC[AES256_GCM,data:SpEFVXRhREDbQVkivco=,iv:Xqp/oEjOW8Vx/AwtZtJipga1ntLCyt42M1eTnXFk+Ow=,tag:LVIGhPqVzQ/YXcbIuNVaUw==,type:str] 35 | TORRENT_IP: ENC[AES256_GCM,data:9PZ30NJROAbaWpuQNmQ=,iv:Q3tooFLu15Ctxkl1ve2B2/exvCyAzfAW/HTP8IHQfN4=,tag:cmQWMFr1EiN9fWrubXLf6w==,type:str] 36 | KMS_IP: ENC[AES256_GCM,data:Fr+AI8nYVKndjfD7c2k=,iv:2725l6ni50lTD+zwsDCVDFI4UtuqwdFskAOXDcgGPAU=,tag:RvodEEM2+nTZ1mPsf4vkMg==,type:str] 37 | MQTT_IP: ENC[AES256_GCM,data:547YebrEaETUFYV+Duw=,iv:aY82t9o6EbOxl/jL/PkGUqlf2zTdMz8hVTewAn8Um1w=,tag:BurSGWIkkKvHge0Glug9qg==,type:str] 38 | PLEX_IP: ENC[AES256_GCM,data:Ekzf8kHcoY+/LQ3Dg4k=,iv:rNQM9Bo7ZVms0aObIVdENIJiESvQTBbxQtYhf9wpg+Q=,tag:DVPQZL6E8MilfaVuQDOhsg==,type:str] 39 | DOCKERMIRROR_IP: ENC[AES256_GCM,data:b5FNpe6cfJM6gkhZExQ=,iv:p2UBVoh3LVJeaIUvyzHYn2YBlHy2yWRIT+XuvrSryHs=,tag:RtHYYhskLEgQxCpwEOVcoA==,type:str] 40 | SPEGEL_IP: ENC[AES256_GCM,data:UcnddClZlobKc0c3JNs=,iv:W5SAeZ4xI9RGzgDJMdDsuTCGLKzZCx+wM87ZFukKZk4=,tag:Z75lwry3RutMpOxPaPaSxw==,type:str] 41 | MINECRAFT_IP: ENC[AES256_GCM,data:JrbAIPRXAg6kFqZGm+A=,iv:CwYwzs0/BODiHU9IBZHNYUrXnrTb0zbX7EdkF1zzK3c=,tag:psi7XkiG6/grvw6S88MRLg==,type:str] 42 | ARK_IP: ENC[AES256_GCM,data:El1IRl8Msu4vDEYSzts=,iv:Vmn6AVEzvineKLBiYIn7co615YBI+Mf0HlbWi1M6ljA=,tag:tbAwBtBnxHrAUEWF9BYEZQ==,type:str] 43 | PROM_THANOS_IP: ENC[AES256_GCM,data:yJTBJAAaS7TDisaWZ8M=,iv:kHIlwgkBc7iNjYL2iqBT0IyGXvhuYcBjGGodb5r5BA0=,tag:OICvyg7LX1QB7XiSX5+tPA==,type:str] 44 | NGINX_INTERNAL_IP: ENC[AES256_GCM,data:dRq4JhMoFtNPMUPdAbE=,iv:toxz9txD/EFhPfdibiY5aK2vyI2o+MRw6guVJlRvAFw=,tag:lyvLcLRZL33FS98hEsKa8g==,type:str] 45 | NGINX_EXTERNAL_IP: ENC[AES256_GCM,data:N1alLehCLreDBzn8tjQ=,iv:MqYAHJ7oQMAoztaScKKk44ci5SeOpHSdTNXulZunYvM=,tag:0aj5E+7vjEpzlbcR2iTbwg==,type:str] 46 | TMDB_API_KEY: ENC[AES256_GCM,data:QV5m6jMwjlXm15MPSlGaqIsbzsPAsC2I6Z7jh8EQK64=,iv:uoWf/LMy3xLC/pxJkNJ5hOBQOGe3l/dCp291YTpqN2I=,tag:L1zGSNgyUsZ4482PUEi1bQ==,type:str] 47 | S3KEY: ENC[AES256_GCM,data:I3TnO41EOMiAj0uMRks2B3CxixqJDDIfjLbkiFqOxpkSs+3jyFrp,iv:LIcn0p9zG8/Irwp46SydQV7BlLS8GE33HyXbJQUADMQ=,tag:zBhKv35EyrGcqu47HUnwSg==,type:str] 48 | S3ID: ENC[AES256_GCM,data:Mqnb6BDxIqLLzOfqHB/7p0OQlQ==,iv:wub6m7e9bXv75M1wm4yR6zkvZmmIY8wCEkbTriWFcJw=,tag:CECax7AusE3w6Ad1TAjWxg==,type:str] 49 | S3NAME: ENC[AES256_GCM,data:FdQwdWrDfQ==,iv:NT6UmcayiMPrKmrKl62AhA1p69RoEH62QQBaXt4yV58=,tag:UKy4M48gI6FS8GvejlhA4g==,type:str] 50 | S3URL: ENC[AES256_GCM,data:4QFUt9JPYdatgZMmw6Gu0gO38nvHQJdrOg==,iv:o8wJMSDLsJidAJIpumyMdo5H4doa+Wdp6sWObxNH3fk=,tag:utjAe+5agnYxjcaWBBwPCg==,type:str] 51 | S3PREFIX: ENC[AES256_GCM,data:J+DBpI9MeksEZIVi3w==,iv:WlvEUc+D36ftqtNoT4JE89s3hZtpnJn8CoYTHZo7CtU=,tag:Jls0jC5OjZEMTpaSdNRwRQ==,type:str] 52 | S3NAME_TC: ENC[AES256_GCM,data:UWFKsOc3FQ==,iv:xfFkJFGlD1Nw+vtKf6m2MssI78BdxErylwJXXZ25E6w=,tag:wiFhYTDvRaJOcmuHOIC3sg==,type:str] 53 | S3URL_TC: ENC[AES256_GCM,data:RYyH61dXe2W/u08GyuRP5XwC1D7U8tQpRg==,iv:1EbVGLkYEDx5g0RIC0NyZKpOvYevIikAhJkx2kY+9CQ=,tag:chzz5J5PVqcF2lX6eOTS+A==,type:str] 54 | S3PREFIX_TC: ENC[AES256_GCM,data:cAXZgVWuimaFCQ==,iv:iZlNIodcwZLIE8KmA9XPgpOxXcLnKIJ+3KfyaOYWfso=,tag:dhvYAvM5acgjqIzpD3d7PQ==,type:str] 55 | S3KEY_TC: ENC[AES256_GCM,data:rzcemDgIh7UnfRvzCceu4kvXYU2cShnko1cFXEc+NpxcJydi1u0p,iv:x/BdSdMhs8EWebvQRUhMBKRQvoAJs/GTnPrF7uBgsaY=,tag:GGhwot0IoXaJLHfxyV/uww==,type:str] 56 | S3ID_TC: ENC[AES256_GCM,data:G+V+Fc8xhrl78LmMc3r56gUbPA==,iv:7TXGPtO2B1l/iUmKSJieiZOUz9ywQGDw6s9lOWrxcwM=,tag:atyQGoRX208XtahVg/M9tQ==,type:str] 57 | S3KEY_THANOS: ENC[AES256_GCM,data:PzEj7wvF+GS+hRb9hnCh2JyisQvrK2Zlut/zccEIUoGpvBNglvtetQ==,iv:Ks/bdDRSG+t7VakO68XW4W4m8xOvrKIXvPBfg853ZM8=,tag:efevWCSfX5mcr+IU6IW/Fw==,type:str] 58 | S3ID_THANOS: ENC[AES256_GCM,data:oSMXQDy025INqnyDmuAylZeIpGA=,iv:zYthFXoZ4Bbhol9BdxSUWn+OjJ7e1WdrE4wnTJAsdPM=,tag:Smw2cvponlotmhfzZOK3KA==,type:str] 59 | BWPUSHID: ENC[AES256_GCM,data:RaQrB3BbtzCogg3loeIR94e5kGZmsKRBNAwCHNuXjiWfan/f,iv:/WZrO9rEST+HjdUnKMTFVODwkMWCUISbiLYvs5srP3A=,tag:Vr6o1zhTgqT1zQoM1wtMYg==,type:str] 60 | BWPUSHKEY: ENC[AES256_GCM,data:j7x90xwWW/RkPSgbh7jYUvjsGWU=,iv:iw5pevPluyxECfI62SuXif9/EwxtN1AbVHxDUHEepsQ=,tag:/D/EXuP7H0QxpshL6P7D7A==,type:str] 61 | VWADMIN: ENC[AES256_GCM,data:ylRL35chcZfFA5Y0JjhzaGvIkSK4H0rn86Du9TSOIWnTYBPghA==,iv:0+meMDbbwkM84NGEqvoOfLNeOJxPznISmPps4fm1Ff8=,tag:nkkGcvCffjlc5S7/k0VIBg==,type:str] 62 | ICPASS: ENC[AES256_GCM,data:D8QbieTp/b3j7rg4Hahyx2xBIA==,iv:vfscq01pZyVS+lIy2AhzMMeXNQAwLUKRxGuE6egb3oQ=,tag:NMz0m79Y14IKegMwE6mw7A==,type:str] 63 | ICLOGIN: ENC[AES256_GCM,data:6Lp/VSyux3ABflsfEZN104HVnJ8TsQ==,iv:wNXhvxLLQXhrITBmORU3vf8AOkAMn2gtC3XTOVezyZc=,tag:6uAyapI/JH/8X8r48X8jlQ==,type:str] 64 | SMTP: ENC[AES256_GCM,data:w/ia6KsCsmaub18/1Ukenw==,iv:ARzabrgsEm8RsDLjaNMUqN515F1Bscku+F1VC5D39mk=,tag:d2aWrBPWNjSoKQ15azM9hQ==,type:str] 65 | AUTHENTIKLOGIN: ENC[AES256_GCM,data:SpDDerGOckZ+/jzQPMCM50NjmHOSeQ==,iv:DaFWlxCVLHh1uSmozKdXYeltSgd1RsUTzmAriOGSSeQ=,tag:QJKubglBZgZvTGPNchFd5g==,type:str] 66 | DOMAIN_0: ENC[AES256_GCM,data:vEFd+yLxdcW2YGLXiw+Abw==,iv:g25kJ5AQ5n8xRRFm1lq3nbSdhAAOwIyBMk0JON+LPw4=,tag:Tt5PGg0bgm364BAKdGdtnQ==,type:str] 67 | DOMAIN_0_EMAIL: ENC[AES256_GCM,data:pyfToXVDgqh09XUrft6MWZ6pMM4a,iv:o5BkKJwW9cn5MP4hP+mT8jC6IVZEEipw2QP4sJjwU2Q=,tag:zvckPODHq1nTFRwf7y3sIA==,type:str] 68 | DOMAIN_0_CLOUDFLARE_TOKEN: ENC[AES256_GCM,data:24oproElGyPY4po8dc10PjIR0SsMCD+Mw1pWI8wi/WT3Hq8CpmDtqQ==,iv:+vUCzpK9ErFJHqMevScwziAmlPX3i21QQ7fhcJw3hDQ=,tag:TGo/DJptP+Y0yTOIkK2K8g==,type:str] 69 | DOMAIN_1: ENC[AES256_GCM,data:Pg0cMVFeMTcgQzSKxIQ=,iv:UiEgCzYpls/OcwRV008YqCndRORrMEm+SHitxP749L8=,tag:bZtNNdcopxQRBS/e+nQnEg==,type:str] 70 | DOMAIN_1_EMAIL: ENC[AES256_GCM,data:xTPqGZTyBrx/ZuecG93WkLbKaA==,iv:G763+FEoUCzNijZ4UewKjK6ARfXSZA76KEVsuhqcLVI=,tag:jq/2wYRtM+pZwcGUxPhyVw==,type:str] 71 | DOMAIN_1_CLOUDFLARE_TOKEN: ENC[AES256_GCM,data:ZCt2gPnl3u+HINdkwrjpyFaqPvLsx3XcCuwPVEk09Z/ElKzFMYZNhw==,iv:ZkuRc7wljC40+GNsjVTZiMw5DUbXjLIy5AYDenmIi3o=,tag:9lPtMG/0uTSHnQaxLR9pAw==,type:str] 72 | AUTHENTIKPASS: ENC[AES256_GCM,data:V7lg7Y9YzpwzbN/m,iv:rb+0U/euhHbOuShDiCSysXRWJSTrQa2ZoAZaWpvN5gU=,tag:C4ZvDhXCHCbVLh639QD2sA==,type:str] 73 | AUTHPROX: ENC[AES256_GCM,data:En7kklLk8phaEnEGB0tDH7LgsJSG80V2ncwd6M3P1Xh4Su6NYAn93phZYDXY+q1GgMIeP/kiyoSbKPuN5/sP0jtV2eCoKNTB4Kkt91rYkC5XhS/yAD8lh5fyHwUjaZARdMeGCnQ+QAVGfHAE6Pto0t4QEeATUQ4ASQ5F8R1JMWY=,iv:qHYojwExpTgA/SQ+MpAOx4RH6p+u2mIZnLYPnMBiut8=,tag:DcXvcbsnNEsqAxHmVfdDIQ==,type:str] 74 | AUTHLDAP: ENC[AES256_GCM,data:+8XM9ndZ8ecsG9oH/H2azvnr7vZYh4DxM5Ekl3VF/EoZSXBUdPDj1T51+k5waNoTVQ8E98+hoBVIdvH4NZx+gU+OREMWoB+xPDDRB62i3ANd4HlvMcTujPgb0KnaR/fTtW68WNxN/D5cI6th+K4W5WfdnSfufWdNWaf2duJGmT4=,iv:y6AMz0Ec6iXmKr7JrqMdbV2/qolm9HdNAFNX+L5wVFM=,tag:kmNMh/PWN9377fdPoMwMuQ==,type:str] 75 | AUTHRAD: ENC[AES256_GCM,data:XjE81g69b6a1HSpCC6B763/0kFT7P4lzPrR7DrKMAa5y4RzvO0aQr/OSeIWwGbw5I6Ff/gt8ApoTEqM1j+Bz0dScGP9jwZp4DZ00NT0/ThMVGTzrj69eUmDT1eYHp6re9lLikkeaeV+oNFB71h8s0CX9/y27gkkQjPdoQO9FkP8=,iv:+icdnnPavFpt8AUCLJxhwRx94Dt1zRHxOvIjIb4xASY=,tag:2qZRPWgACOqoF4UL1Wkgsg==,type:str] 76 | CSKEY: ENC[AES256_GCM,data:/hOOcW5tVn+aazwLnYRT3Y1cpMWhMwPTVQ==,iv:rYJ5XfJHS2Ip9UKoOehCf42rClQeFeAJtMLENaRsgGs=,tag:y3/DyfiZSuXAGXofRbA+Zw==,type:str] 77 | ACTION_RUNNER_CONTROLLER_GITHUB_APP_ID: ENC[AES256_GCM,data:cq8KqaE/,iv:rYRiE4VXUjI+ap3snVzzuXGZHR560BJc2oRGyKXEx7I=,tag:7GgYOuymY6F1Yp0s5Zw2/A==,type:str] 78 | ACTION_RUNNER_CONTROLLER_GITHUB_INSTALLATION_ID: ENC[AES256_GCM,data:k3FT0t1Y/4o=,iv:/1pNCxiL+T718HG34iyJz0+KwVSb3zY08KrYcdPLMgQ=,tag:zr5kcBXfvF759CzHvQrhBg==,type:str] 79 | ACTION_RUNNER_CONTROLLER_GITHUB_WEBHOOK_SECRET_TOKEN: "" 80 | MINECRAFT_RCON_PASS: ENC[AES256_GCM,data:uHodthaYDRTS1ZZ8xGDNkw==,iv:nutSprxYyaZa/EMP+bu0XNYhNCWSq3fWVnanm5pfUXQ=,tag:Y7DitUktAildrZ6aAIXOMQ==,type:str] 81 | MINECRAFT_CF_API_KEY: ENC[AES256_GCM,data:r6hfF/VVcwcxpI0NydQnUcqP6W3yZ1Sx0DYiiCTKSzXKKYGIhgCA0rmlkEOsmo0xiENRBg==,iv:+K7lFq4nDoDbdzYgbYMmEqC0TQTKVvSKXWjuEIP0paU=,tag:g+nOaneekNn9T6dokgd1+A==,type:str] 82 | GITHUB_PAT_TC: ENC[AES256_GCM,data:5pnfHr81gZxsuP2Z6dKZYfatWo2RpSpS9m+EC1K3QoeJaRQKSxh2Cg==,iv:bVaXZWqRX7rPPhTyTVfyrU8YZTaWXowKzCjoJzFjsYQ=,tag:lAA52aniYVpLHi89DFQmtw==,type:str] 83 | HASS_TOKEN: ENC[AES256_GCM,data:0PnjLOwBV+4+ivaVce7/dKdik88FXPPA9SzlFVpBpsI61unwWTR7BsJ4Vx/kWVsDsbD/6wb2UH88jgW66WNCH89crxeiojU0id2FR0aWRGMniNoRpXZ8x/u3dW5dIETzjNcO1v82jQjy8EQsqTRVIm6GSWIIxmJbDM55bXOqFKRTVjYF/GcbMRVi0N9/QYjTg5Enuf6XyU1ELV/clwLL5eXml8mtkEPFDSfz03MsHdV+VLuGxZsm,iv:OaXXBmUw0SN6w3XXUYfzHAfer0ssQ6eYI1xSVPLpJBE=,tag:LL3Z9csG8j/T1wvKOPZX6w==,type:str] 84 | ARK_PASSWORD: ENC[AES256_GCM,data:5mT5HXPjSYo=,iv:6C0v4CNtkHZZdUWVXo1xwEBW1nu+SbLG5oi3q8V2GCo=,tag:pOm63zK9OGaAcLpJljvDTQ==,type:str] 85 | ARK_RCONPASS: ENC[AES256_GCM,data:cWJ2FcbZL/T9IqHfo0QUrDswQg==,iv:UWF9aFFUd/zpXiqrPpJZKwwLYouyqOIIIU6Asnh3j/c=,tag:YWgi/1WcEiXAr1h+39lSqQ==,type:str] 86 | CLUSTERNAME: ENC[AES256_GCM,data:uGqtcA==,iv:yG14vLNfP3r9mFqmC1t4QZsRwAVGhW5w7s4jLlLitaw=,tag:SQDUoXeYWr23sA+Epk1HlA==,type:str] 87 | sops: 88 | shamir_threshold: 3 89 | age: 90 | - recipient: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 91 | enc: | 92 | -----BEGIN AGE ENCRYPTED FILE----- 93 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5dXZwYzByNzNGRmZhTDRP 94 | M3dCblpxYzNqc2x1b0M4U0xCcGFpZWVJeEQwClFpN1pYODIrVndTendZQURFODN1 95 | bkVEbHJBM3dISDNJWE1lMklWNEtxZGcKLS0tIGc2SldicWo3bUJiUFExTFMxZHYw 96 | YTRPOStobjB3U0xob2J0dDNLbFNrbWcKJUXSLBOMIhC5xbTWogHFhVJBeu6T6KmK 97 | 2SzlkXDeGKnyByCmkqPV6F4K0bscGW47M5OewIGa+8t2xGq+7Cmlxw== 98 | -----END AGE ENCRYPTED FILE----- 99 | lastmodified: "2025-05-23T23:42:08Z" 100 | mac: ENC[AES256_GCM,data:Ke9FTxpWQ90PQJGQJZubOwe5NAkvwl0tX/GqhzsE/WjtH6MNGLeFIyowNox/8MdWJXqx8A3IWXtoNQfKmDvZA1iRRQ/+cbj5gMj/6wLrBFmR5SIZg45Rds8LWnTKuOxCJ2iPNtMQys3JK2lurQkM+8fXmLz/uYeDQL2sRG90XAg=,iv:i4wNIrTC6lmxshb7rZbEaiBgsIyUkvbkoIdaJLjuyeo=,tag:cxW34ChDXiqXRNDVsCMIvA==,type:str] 101 | encrypted_regex: ((?i)(displayname|email|pass|ca|id|bootstraptoken|secretboxencryptionsecret|secrets|secrets|password|cert|secret($|[^N])|key|token|^data$|^stringData)) 102 | version: 3.10.2 103 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/flux/deploykey.secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: deploy-key 5 | namespace: flux-system 6 | stringData: 7 | identity: ENC[AES256_GCM,data:KDEkKge6U8TEspblILN+xF98BGeqkRB/gXCel/dAz8BvhbRc20Bszn4lu+n8zBIpFQKmzBOq7t+tjsKgkRFxb1pp3J+R7QHW9oBEWIIFQ0B5sD+MFg7COB9TpQPlxLmUGhZKW9Qka5rv/+gMyTrjQBntwcvBWcuQrohSDtRmEnlbdNLh5CdnV9XwL0JkU9HlMJsPsW+fhEsOZ/81PsEbVvliF27qv3AgmLvA2KEMzXoCQy43V3HpxGc8jLwQI6iPmByysYoyRV5ivpO2m54+RsnLNGsgA1JtvR2uqIDd3dmNQJmgDoGaz1rkKHL6tOvk+1jQk0WjNU7upAnu3c2hoQ9cObbszw736Nzbq7jRhu1brYkxtoLcaR1iQ+XPWEo9,iv:qZj3znYm6QjhMiDqY64Q4lFjd8uuoFeYMQcV43fXvnA=,tag:EGOQEjzguCQLX02o+aVC7g==,type:str] 8 | identity.pub: ENC[AES256_GCM,data:qU/UBhRXXQVdUvXpBBqTGG2OWivUdP9oeHiuwGgjWwNszT4/bHJoBCHATbjPIX6IYlrrwX/KDkPIp/z0oa/CBf/wbDZ4ZaXIre9LpAiXylZc3WQDIZnlWz76qtMWOGXsbWkJMOC/MU+UGa/xLB/YUDZgGePnY31PJGajtzcfvvHky8uprvkCZcuHZ6RmVMouUI8TeAhjMLejb6prgsUApxC8wXz6gPSk1fKRdFm+tL7Vancj9BfI3bi49LjJI3T+zma0AGjrVkA4579/xA==,iv:IWunKF3pe46IFCn9OQPKg4Z42h37qFozS2vrqvg5jwc=,tag:pzUfGtFdauIWxvfELPtE6Q==,type:str] 9 | known_hosts: ENC[AES256_GCM,data:bv0Tqws8czRjWc9f3aPPYheTJ3Zi0iFFFNpvCzZj1C+jtL9oCR99rwtgQl23WQmE+lcN0aR1Eb+hnDF2aCZFvs1xIzAXdthtgX8CG4IjM33Qh6PpkP5Cl4/GpwV1OUvSkvxKm0+kYXudHd/HKuV9A28tZxwvuXMYgSjtekwOPDHfwpr2MI5YrUZo+IYJhPWZ/CajtDuLyDxpC0DftXv78POICcMagFykbiHr,iv:sxLz47PjgLxq3h8V1tMqSZueY1MOsQERq9VM9OJv4kA=,tag:hPHw7qElNgDhXHljGLVm6g==,type:str] 10 | type: Opaque 11 | sops: 12 | shamir_threshold: 3 13 | age: 14 | - recipient: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 15 | enc: | 16 | -----BEGIN AGE ENCRYPTED FILE----- 17 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5OVArcWxRSmVEM1ZXeVdV 18 | RmtRU1IwaGpmdldvbFdXLzU3OEdXeUtJUkcwCmFDNDFmL1AwbVlzby8rMFg4Ymgr 19 | Z1hITkRxdTltREVhMC9Kek1RT3BWT28KLS0tIC9lRXZBSFFKM3FaZnBNcExXOFhF 20 | TW5XbmVuY2d3eklCUytQUXNWYWwycmsKbfSTFMIzI3Ow5IKixVQaABzroD/IdU5Q 21 | rh6cLoVyOOOeVnLC7Nk25FnQJ3LaCTeDuKvtzHO0UzjMcZSQ2XQmCw== 22 | -----END AGE ENCRYPTED FILE----- 23 | lastmodified: "2025-05-23T23:42:08Z" 24 | mac: ENC[AES256_GCM,data:FuZfHLzm+rKsicZ79EygndFAcx6qScFOa2p5lk1sIc4BFhXTGxSJhQWk+wP2ZvnlHPeAFxii4iSHKgWFG875gcUFs50pHUkWQ+sdWXSSY31HRsaoVI8pDVB6lG0zRqu5XNv+4H+CDpUcknj9nNMSsEsOayED2NbGk3TeTGYOMyc=,iv:Xsnd4a+3xPm7d3aVvBFIVP7WySpG8GQb8d8bPFEB7mI=,tag:+LiaBmosObUhLs4DNTw3gw==,type:str] 25 | encrypted_regex: ((?i)(displayname|email|pass|ca|id|bootstraptoken|secretboxencryptionsecret|secrets|secrets|password|cert|secret($|[^N])|key|token|^data$|^stringData)) 26 | version: 3.10.2 27 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/flux/flux.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: flux 7 | namespace: flux-system 8 | spec: 9 | interval: 10m 10 | path: ./ 11 | prune: true 12 | wait: true 13 | sourceRef: 14 | kind: OCIRepository 15 | name: flux-manifests 16 | patches: 17 | # Remove the network policies that does not work with k3s 18 | - patch: | 19 | $patch: delete 20 | apiVersion: networking.k8s.io/v1 21 | kind: NetworkPolicy 22 | metadata: 23 | name: not-used 24 | target: 25 | group: networking.k8s.io 26 | kind: NetworkPolicy 27 | # Increase the number of reconciliations that can be performed in parallel and bump the resources limits 28 | # Ref: https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers 29 | - patch: | 30 | - op: add 31 | path: /spec/template/spec/containers/0/args/- 32 | value: --concurrent=12 33 | - op: add 34 | path: /spec/template/spec/containers/0/args/- 35 | value: --kube-api-qps=500 36 | - op: add 37 | path: /spec/template/spec/containers/0/args/- 38 | value: --kube-api-burst=1000 39 | - op: add 40 | path: /spec/template/spec/containers/0/args/- 41 | value: --requeue-dependency=5s 42 | target: 43 | kind: Deployment 44 | name: (kustomize-controller|helm-controller|source-controller) 45 | - patch: | 46 | apiVersion: apps/v1 47 | kind: Deployment 48 | metadata: 49 | name: not-used 50 | spec: 51 | template: 52 | spec: 53 | containers: 54 | - name: manager 55 | resources: 56 | limits: 57 | memory: 2Gi 58 | target: 59 | kind: Deployment 60 | name: (kustomize-controller|helm-controller|source-controller) 61 | # Enable in-memory-kustomize builds 62 | # Ref: https://fluxcd.io/flux/installation/configuration/vertical-scaling/#enable-in-memory-kustomize-builds 63 | - patch: | 64 | - op: replace 65 | path: /spec/template/spec/volumes/0 66 | value: 67 | name: temp 68 | emptyDir: 69 | medium: Memory 70 | target: 71 | kind: Deployment 72 | name: kustomize-controller 73 | # Enable Helm near OOM detection 74 | # Ref: https://fluxcd.io/flux/cheatsheets/bootstrap/#enable-helm-near-oom-detection 75 | - patch: | 76 | - op: add 77 | path: /spec/template/spec/containers/0/args/- 78 | value: --feature-gates=OOMWatch=true 79 | - op: add 80 | path: /spec/template/spec/containers/0/args/- 81 | value: --oom-watch-memory-threshold=95 82 | - op: add 83 | path: /spec/template/spec/containers/0/args/- 84 | value: --oom-watch-interval=500ms 85 | target: 86 | kind: Deployment 87 | name: helm-controller -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/flux/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - github.com/fluxcd/flux2/manifests/install?ref=v2.6.1 7 | - ./deploykey.secret.yaml 8 | - ./clustersettings.secret.yaml 9 | patches: 10 | # Remove the built-in network policies 11 | - target: 12 | group: networking.k8s.io 13 | kind: NetworkPolicy 14 | patch: | 15 | $patch: delete 16 | apiVersion: networking.k8s.io/v1 17 | kind: NetworkPolicy 18 | metadata: 19 | name: not-used 20 | # Resources renamed to match those installed by oci://ghcr.io/fluxcd/flux-manifests 21 | - target: 22 | kind: ResourceQuota 23 | name: critical-pods 24 | patch: | 25 | - op: replace 26 | path: /metadata/name 27 | value: critical-pods-flux-system 28 | - target: 29 | kind: ClusterRoleBinding 30 | name: cluster-reconciler 31 | patch: | 32 | - op: replace 33 | path: /metadata/name 34 | value: cluster-reconciler-flux-system 35 | - target: 36 | kind: ClusterRoleBinding 37 | name: crd-controller 38 | patch: | 39 | - op: replace 40 | path: /metadata/name 41 | value: crd-controller-flux-system 42 | - target: 43 | kind: ClusterRole 44 | name: crd-controller 45 | patch: | 46 | - op: replace 47 | path: /metadata/name 48 | value: crd-controller-flux-system 49 | - target: 50 | kind: ClusterRole 51 | name: flux-edit 52 | patch: | 53 | - op: replace 54 | path: /metadata/name 55 | value: flux-edit-flux-system 56 | - target: 57 | kind: ClusterRole 58 | name: flux-view 59 | patch: | 60 | - op: replace 61 | path: /metadata/name 62 | value: flux-view-flux-system - namespace.yaml 63 | - flux.yaml 64 | - sopssecret.secret.yaml 65 | - upgradesettings.yaml 66 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/flux/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: flux-system 6 | labels: 7 | pod-security.kubernetes.io/enforce: privileged 8 | topolvm.io/webhook: ignore -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/flux/upgradesettings.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: upgrade-settings 5 | namespace: flux-system 6 | data: 7 | # renovate: datasource=docker depName=ghcr.io/siderolabs/installer 8 | TALOS_VERSION: v1.10.2 9 | # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet 10 | KUBERNETES_VERSION: v1.32.3 -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: flux-main 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | prune: false 9 | path: clusters/main/kubernetes/flux-system/flux 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | --- 14 | apiVersion: kustomize.toolkit.fluxcd.io/v1 15 | kind: Kustomization 16 | metadata: 17 | name: flux-monitoring 18 | namespace: flux-system 19 | spec: 20 | interval: 10m 21 | path: clusters/main/kubernetes/flux-system/monitoring 22 | prune: true 23 | sourceRef: 24 | kind: GitRepository 25 | name: cluster 26 | --- 27 | apiVersion: kustomize.toolkit.fluxcd.io/v1 28 | kind: Kustomization 29 | metadata: 30 | name: flux-weave 31 | namespace: flux-system 32 | spec: 33 | interval: 10m 34 | path: clusters/main/kubernetes/flux-system/weave-gitops 35 | prune: true 36 | sourceRef: 37 | kind: GitRepository 38 | name: cluster -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/monitoring/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - pod-monitor.yaml 6 | - prometheus-rules.yaml 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/monitoring/pod-monitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/monitoring.coreos.com/prometheusrule_v1.json 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: PodMonitor 5 | metadata: 6 | name: kustomize-controller 7 | namespace: flux-system 8 | labels: 9 | app.kubernetes.io/instance: flux-system 10 | app.kubernetes.io/version: latest 11 | spec: 12 | namespaceSelector: 13 | matchNames: 14 | - flux-system 15 | selector: 16 | matchLabels: 17 | app: kustomize-controller 18 | podMetricsEndpoints: 19 | - port: http-prom 20 | --- 21 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/monitoring.coreos.com/prometheusrule_v1.json 22 | apiVersion: monitoring.coreos.com/v1 23 | kind: PodMonitor 24 | metadata: 25 | name: source-controller 26 | namespace: flux-system 27 | labels: 28 | app.kubernetes.io/instance: flux-system 29 | app.kubernetes.io/version: latest 30 | spec: 31 | namespaceSelector: 32 | matchNames: 33 | - flux-system 34 | selector: 35 | matchLabels: 36 | app: source-controller 37 | podMetricsEndpoints: 38 | - port: http-prom 39 | --- 40 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/monitoring.coreos.com/prometheusrule_v1.json 41 | apiVersion: monitoring.coreos.com/v1 42 | kind: PodMonitor 43 | metadata: 44 | name: helm-controller 45 | namespace: flux-system 46 | labels: 47 | app.kubernetes.io/instance: flux-system 48 | app.kubernetes.io/version: latest 49 | spec: 50 | namespaceSelector: 51 | matchNames: 52 | - flux-system 53 | selector: 54 | matchLabels: 55 | app: helm-controller 56 | podMetricsEndpoints: 57 | - port: http-prom 58 | --- 59 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/monitoring.coreos.com/prometheusrule_v1.json 60 | apiVersion: monitoring.coreos.com/v1 61 | kind: PodMonitor 62 | metadata: 63 | name: notification-controller 64 | namespace: flux-system 65 | labels: 66 | app.kubernetes.io/instance: flux-system 67 | app.kubernetes.io/version: latest 68 | spec: 69 | namespaceSelector: 70 | matchNames: 71 | - flux-system 72 | selector: 73 | matchLabels: 74 | app: notification-controller 75 | podMetricsEndpoints: 76 | - port: http-prom 77 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/monitoring/prometheus-rules.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/monitoring.coreos.com/prometheusrule_v1.json 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: PrometheusRule 5 | metadata: 6 | name: flux 7 | namespace: flux-system 8 | spec: 9 | groups: 10 | - name: flux 11 | rules: 12 | - alert: FluxComponentAbsent 13 | annotations: 14 | description: Flux component has disappeared from Prometheus target discovery. 15 | summary: Flux component is down. 16 | expr: | 17 | absent(up{job=~".*flux-system.*"} == 1) 18 | for: 5m 19 | labels: 20 | severity: critical 21 | - alert: FluxReconciliationFailure 22 | annotations: 23 | description: 24 | "{{ $labels.kind }} {{ $labels.namespace }}/{{ $labels.name }} reconciliation has been failing 25 | for more than ten minutes." 26 | summary: Flux reconciliation failure. 27 | expr: | 28 | max(gotk_reconcile_condition{status="False",type="Ready"}) by (namespace, name, kind) 29 | + 30 | on(namespace, name, kind) (max(gotk_reconcile_condition{status="Deleted"}) 31 | by (namespace, name, kind)) * 2 == 1 32 | for: 10m 33 | labels: 34 | severity: critical 35 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/weave-gitops/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: weave-gitops 7 | namespace: flux-system 8 | spec: 9 | interval: 15m 10 | chart: 11 | spec: 12 | chart: weave-gitops 13 | version: 4.0.36 14 | sourceRef: 15 | kind: HelmRepository 16 | name: weave-gitops 17 | namespace: flux-system 18 | interval: 15m 19 | timeout: 20m 20 | maxHistory: 3 21 | install: 22 | createNamespace: true 23 | remediation: 24 | retries: 3 25 | upgrade: 26 | cleanupOnFail: true 27 | remediation: 28 | retries: 3 29 | uninstall: 30 | keepHistory: false 31 | values: 32 | 33 | adminUser: 34 | create: true 35 | username: admin 36 | passwordHash: "$2a$12$n52fcX4nRDi94sye0bPCS.WQt9.KHmk0anwzwARdCuoVuk5ICFAG2" 37 | ingress: 38 | enabled: true 39 | annotations: 40 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 41 | cert-manager.io/cluster-issuer: le-prod 42 | cert-manager.io/private-key-rotation-policy: Always 43 | traefik.ingress.kubernetes.io/router.tls: 'true' 44 | traefik.ingress.kubernetes.io/router.middlewares: traefik-chain-basic@kubernetescrd,traefik-local@kubernetescrd 45 | tls: 46 | - hosts: 47 | - gitops.${DOMAIN_0} 48 | secretName: flux-system-weave-gitops 49 | hosts: 50 | - host: gitops.${DOMAIN_0} 51 | paths: 52 | - path: / 53 | pathType: Prefix 54 | networkPolicy: 55 | create: false 56 | metrics: 57 | enabled: true 58 | rbac: 59 | create: true 60 | impersonationResourceNames: ["admin"] 61 | additionalRules: 62 | - apiGroups: ["infra.contrib.fluxcd.io"] 63 | resources: ["terraforms"] 64 | verbs: ["get", "list", "patch"] 65 | annotations: 66 | reloader.stakater.com/auto: "true" 67 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/flux-system/weave-gitops/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: flux-system 5 | resources: 6 | - helm-release.yaml 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/cilium/app/bootstrap-values.yaml.ct: -------------------------------------------------------------------------------- 1 | ## DO NOT ALTER THIS FILE, CHANGE DO NOT PERSIST. Alter TalEnv.yaml instead. 2 | hubble: 3 | enabled: false 4 | operator: 5 | prometheus: 6 | enabled: false 7 | serviceMonitor: 8 | enabled: false 9 | prometheus: 10 | enabled: false 11 | serviceMonitor: 12 | enabled: false 13 | trustCRDsExist: true -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/cilium/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: cilium 6 | namespace: kube-system 7 | annotations: 8 | meta.helm.sh/release-name: cilium 9 | meta.helm.sh/release-namespace: kube-system 10 | labels: 11 | app.kubernetes.io/managed-by: Helm 12 | spec: 13 | interval: 15m 14 | chart: 15 | spec: 16 | chart: cilium 17 | version: 1.17.4 18 | sourceRef: 19 | kind: HelmRepository 20 | name: cilium 21 | namespace: flux-system 22 | interval: 15m 23 | timeout: 20m 24 | maxHistory: 3 25 | install: 26 | remediation: 27 | retries: 3 28 | upgrade: 29 | cleanupOnFail: true 30 | remediation: 31 | retries: 3 32 | remediateLastFailure: true 33 | uninstall: 34 | keepHistory: false 35 | values: 36 | hubble: 37 | enabled: false 38 | metrics: 39 | enabled: 40 | - dns:query 41 | - drop 42 | - tcp 43 | - flow 44 | - port-distribution 45 | - icmp 46 | - http 47 | serviceMonitor: 48 | enabled: false 49 | dashboards: 50 | enabled: false 51 | relay: 52 | enabled: false 53 | rollOutPods: false 54 | prometheus: 55 | serviceMonitor: 56 | enabled: false 57 | ui: 58 | enabled: false 59 | rollOutPods: false 60 | cluster: 61 | name: main 62 | id: 1 63 | autoDirectNodeRoutes: true 64 | bandwidthManager: 65 | enabled: true 66 | bbr: true 67 | bpf: 68 | datapathMode: netkit 69 | masquerade: true 70 | preallocateMaps: true 71 | # tproxy: true 72 | 73 | ## NO BGP 74 | # bgpControlPlane: 75 | # enabled: true 76 | # devices: enp+ 77 | 78 | cni: 79 | exclusive: false 80 | enableIPv4BIGTCP: true 81 | 82 | ## Dont deploy envoy or gatewayAPI as its not going to work nicely with upstream envoy extentions 83 | envoy: 84 | rollOutPods: false 85 | gatewayAPI: 86 | enabled: false 87 | enableAlpn: false 88 | 89 | ## Deploy L2Announcement to replace metallb in the future 90 | l2announcements: 91 | enabled: false 92 | loadBalancer: 93 | algorithm: maglev 94 | mode: dsr 95 | routingMode: native 96 | ipv4NativeRoutingCIDR: ${PODNET} 97 | securityContext: 98 | capabilities: 99 | ciliumAgent: 100 | - CHOWN 101 | - KILL 102 | - NET_ADMIN 103 | - NET_RAW 104 | - IPC_LOCK 105 | - SYS_ADMIN 106 | - SYS_RESOURCE 107 | - PERFMON 108 | - BPF 109 | - DAC_OVERRIDE 110 | - FOWNER 111 | - SETGID 112 | - SETUID 113 | cleanCiliumState: 114 | - NET_ADMIN 115 | - SYS_ADMIN 116 | - SYS_RESOURCE 117 | cgroup: 118 | automount: 119 | enabled: false 120 | hostRoot: /sys/fs/cgroup 121 | endpointRoutes: 122 | enabled: true 123 | ipam: 124 | mode: kubernetes 125 | k8sServiceHost: 127.0.0.1 126 | k8sServicePort: 7445 127 | kubeProxyReplacement: true 128 | kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 129 | localRedirectPolicy: true 130 | rollOutCiliumPods: true 131 | operator: 132 | rollOutPods: true 133 | replicas: 2 134 | tolerations: [] 135 | prometheus: 136 | enabled: false 137 | serviceMonitor: 138 | enabled: false 139 | dashboards: 140 | enabled: false 141 | annotations: 142 | grafana_folder: Cilium 143 | prometheus: 144 | enabled: false 145 | serviceMonitor: 146 | enabled: true 147 | trustCRDsExist: true 148 | dashboards: 149 | enabled: false 150 | annotations: 151 | grafana_folder: Cilium -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/cilium/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: kube-system 4 | resources: 5 | - helm-release.yaml 6 | # - lb.yaml 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/cilium/app/lb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumloadbalancerippool_v2alpha1.json 3 | apiVersion: cilium.io/v2alpha1 4 | kind: CiliumLoadBalancerIPPool 5 | metadata: 6 | name: pool 7 | spec: 8 | allowFirstLastIPs: "No" 9 | blocks: 10 | - start: ${LB_RANGE_LOWER} 11 | stop: ${LB_RANGE_UPPER} 12 | --- 13 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliuml2announcementpolicy_v2alpha1.json 14 | apiVersion: cilium.io/v2alpha1 15 | kind: CiliumL2AnnouncementPolicy 16 | metadata: 17 | name: l2-policy 18 | spec: 19 | loadBalancerIPs: false 20 | externalIPs: true -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/cilium/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: cilium 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/kube-system/cilium/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/descheduler/app/bootstrap-values.yaml.ct: -------------------------------------------------------------------------------- 1 | ## DO NOT ALTER THIS FILE, CHANGE DO NOT PERSIST. Alter TalEnv.yaml instead. 2 | serviceMonitor: 3 | enabled: false -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/descheduler/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2 2 | kind: HelmRelease 3 | metadata: 4 | name: descheduler 5 | namespace: kube-system 6 | spec: 7 | interval: 15m 8 | chart: 9 | spec: 10 | chart: descheduler 11 | version: 0.33.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: home-ops-mirror 15 | namespace: flux-system 16 | interval: 15m 17 | timeout: 20m 18 | maxHistory: 3 19 | install: 20 | createNamespace: true 21 | remediation: 22 | retries: 3 23 | upgrade: 24 | cleanupOnFail: true 25 | remediation: 26 | retries: 3 27 | uninstall: 28 | keepHistory: false 29 | values: 30 | replicas: 2 31 | kind: Deployment 32 | deschedulerPolicyAPIVersion: descheduler/v1alpha2 33 | deschedulerPolicy: 34 | profiles: 35 | - name: Default 36 | pluginConfig: 37 | - name: DefaultEvictor 38 | args: 39 | evictFailedBarePods: true 40 | evictLocalStoragePods: true 41 | evictSystemCriticalPods: true 42 | - name: RemoveFailedPods 43 | args: 44 | reasons: 45 | - ContainerStatusUnknown 46 | - NodeAffinity 47 | - NodeShutdown 48 | - Terminated 49 | - UnexpectedAdmissionError 50 | includingInitContainers: true 51 | excludeOwnerKinds: 52 | - Job 53 | minPodLifetimeSeconds: 1800 54 | - name: RemovePodsViolatingInterPodAntiAffinity 55 | - name: RemovePodsViolatingNodeAffinity 56 | args: 57 | nodeAffinityType: 58 | - requiredDuringSchedulingIgnoredDuringExecution 59 | - name: RemovePodsViolatingNodeTaints 60 | - name: RemovePodsViolatingTopologySpreadConstraint 61 | plugins: 62 | balance: 63 | enabled: 64 | - RemovePodsViolatingTopologySpreadConstraint 65 | deschedule: 66 | enabled: 67 | - RemoveFailedPods 68 | - RemovePodsViolatingInterPodAntiAffinity 69 | - RemovePodsViolatingNodeAffinity 70 | - RemovePodsViolatingNodeTaints 71 | service: 72 | enabled: true 73 | serviceMonitor: 74 | enabled: true 75 | leaderElection: 76 | enabled: true -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/descheduler/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/descheduler/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: descheduler 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/kube-system/descheduler/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/kubelet-csr-approver/app/bootstrap-values.yaml.ct: -------------------------------------------------------------------------------- 1 | metrics: 2 | main: 3 | enabled: false 4 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/kubelet-csr-approver/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: kubelet-csr-approver 6 | namespace: kube-system 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: kubelet-csr-approver 12 | version: 1.2.10 13 | sourceRef: 14 | kind: HelmRepository 15 | name: postfinance 16 | namespace: flux-system 17 | interval: 30m 18 | values: 19 | bypassDnsResolution: true 20 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/kubelet-csr-approver/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: kube-system 4 | resources: 5 | - helm-release.yaml 6 | generatorOptions: 7 | disableNameSuffixHash: true 8 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/kubelet-csr-approver/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: kubelet-csr-approver 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/kube-system/kubelet-csr-approver/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - namespace.yaml 5 | - cilium/ks.yaml 6 | - descheduler/ks.yaml 7 | - kubelet-csr-approver/ks.yaml 8 | - metrics-server/ks.yaml 9 | - node-feature-discovery/ks.yaml 10 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/metrics-server/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: metrics-server 6 | namespace: kube-system 7 | spec: 8 | interval: 15m 9 | chart: 10 | spec: 11 | chart: metrics-server 12 | version: 3.12.2 13 | sourceRef: 14 | kind: HelmRepository 15 | name: kubernetes-sigs-metrics-server 16 | namespace: flux-system 17 | interval: 15m 18 | timeout: 20m 19 | maxHistory: 3 20 | install: 21 | createNamespace: true 22 | remediation: 23 | retries: 3 24 | upgrade: 25 | remediation: 26 | retries: 3 27 | uninstall: 28 | keepHistory: false 29 | values: 30 | 31 | metrics: 32 | enabled: true 33 | serviceMonitor: 34 | enabled: true 35 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/metrics-server/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/metrics-server/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: metrics-server 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/kube-system/metrics-server/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: kube-system 5 | labels: 6 | kustomize.toolkit.fluxcd.io/prune: disabled 7 | goldilocks.fairwinds.com/enabled: "true" 8 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/node-feature-discovery/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: node-feature-discovery 7 | namespace: kube-system 8 | spec: 9 | interval: 30m 10 | chart: 11 | spec: 12 | chart: node-feature-discovery 13 | version: 0.1.0 14 | sourceRef: 15 | kind: HelmRepository 16 | name: truecharts 17 | namespace: flux-system 18 | install: 19 | crds: CreateReplace 20 | remediation: 21 | retries: 3 22 | upgrade: 23 | cleanupOnFail: true 24 | crds: CreateReplace 25 | remediation: 26 | strategy: rollback 27 | retries: 3 28 | values: 29 | worker: 30 | config: 31 | core: 32 | sources: ["pci", "system", "usb"] 33 | prometheus: 34 | enable: true 35 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/node-feature-discovery/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/node-feature-discovery/config/google-coral-device.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/nfd.k8s-sigs.io/nodefeaturerule_v1alpha1.json 2 | apiVersion: nfd.k8s-sigs.io/v1alpha1 3 | kind: NodeFeatureRule 4 | metadata: 5 | name: google-coral-device 6 | spec: 7 | rules: 8 | # Google Coral USB Accelerator 9 | - name: google.coral 10 | labels: 11 | google.feature.node.kubernetes.io/coral: "true" 12 | matchFeatures: 13 | - feature: usb.device 14 | matchExpressions: 15 | vendor: 16 | op: In 17 | value: 18 | - 1a6e 19 | - 18d1 20 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/node-feature-discovery/config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - google-coral-device.yaml 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kube-system/node-feature-discovery/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: node-feature-discovery 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/kube-system/node-feature-discovery/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - flux-entry.yaml 5 | - flux-system/ks.yaml 6 | - kube-system 7 | - system 8 | # - networking 9 | - core 10 | # - observability 11 | - apps 12 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/cert-manager/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2 2 | kind: HelmRelease 3 | metadata: 4 | name: cert-manager 5 | namespace: cert-manager 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: cert-manager 11 | version: v1.17.1 12 | sourceRef: 13 | kind: HelmRepository 14 | name: home-ops-mirror 15 | namespace: flux-system 16 | interval: 5m 17 | install: 18 | createNamespace: true 19 | crds: CreateReplace 20 | remediation: 21 | retries: 3 22 | upgrade: 23 | crds: CreateReplace 24 | remediation: 25 | retries: 3 26 | values: 27 | dns01RecursiveNameservers: "1.1.1.1:53,1.0.0.1:53" 28 | dns01RecursiveNameserversOnly: false 29 | installCRDs: true 30 | enableCertificateOwnerRef: true 31 | prometheus: 32 | enabled: true 33 | servicemonitor: 34 | enabled: true -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/cert-manager/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - namespace.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/cert-manager/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: cert-manager 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/cert-manager/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: cert-manager 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/cert-manager/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/cloudnative-pg/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2 2 | kind: HelmRelease 3 | metadata: 4 | name: cloudnative-pg 5 | namespace: cloudnative-pg 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: cloudnative-pg 11 | version: 0.24.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: cloudnative-pg 15 | namespace: flux-system 16 | interval: 5m 17 | install: 18 | createNamespace: true 19 | crds: CreateReplace 20 | remediation: 21 | retries: 3 22 | upgrade: 23 | crds: CreateReplace 24 | remediation: 25 | retries: 3 26 | values: 27 | crds: 28 | create: true 29 | replicaCount: 2 30 | monitoring: 31 | podMonitorEnabled: false 32 | grafanaDashboard: 33 | create: true -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/cloudnative-pg/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - namespace.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/cloudnative-pg/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: cloudnative-pg 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/cloudnative-pg/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: cloudnative-pg 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/cloudnative-pg/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/intel-device-plugin/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: intel-device-plugin-operator 7 | namespace: system 8 | spec: 9 | interval: 30m 10 | chart: 11 | spec: 12 | chart: intel-device-plugins-operator 13 | version: 0.32.1 14 | sourceRef: 15 | kind: HelmRepository 16 | name: intel 17 | namespace: flux-system 18 | install: 19 | crds: CreateReplace 20 | remediation: 21 | retries: 3 22 | upgrade: 23 | cleanupOnFail: true 24 | crds: CreateReplace 25 | remediation: 26 | strategy: rollback 27 | retries: 3 28 | dependsOn: 29 | - name: node-feature-discovery 30 | namespace: kube-system 31 | values: 32 | controllerExtraArgs: | 33 | - --devices=gpu -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/intel-device-plugin/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helmrelease.yaml 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/intel-device-plugin/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: intel-device-plugin 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/intel-device-plugin/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kube-prometheus-stack/app/alertmanagerconfig.yaml: -------------------------------------------------------------------------------- 1 | # --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/alertmanagerconfig_v1alpha1.json 3 | # apiVersion: monitoring.coreos.com/v1alpha1 4 | # kind: AlertmanagerConfig 5 | # metadata: 6 | # name: alertmanager 7 | # spec: 8 | # route: 9 | # groupBy: ["alertname", "job"] 10 | # groupInterval: 10m 11 | # groupWait: 1m 12 | # receiver: pushover 13 | # repeatInterval: 12h 14 | # routes: 15 | # - receiver: "null" 16 | # matchers: 17 | # - name: alertname 18 | # value: InfoInhibitor 19 | # matchType: = 20 | # - receiver: heartbeat 21 | # groupInterval: 5m 22 | # groupWait: 0s 23 | # repeatInterval: 5m 24 | # matchers: 25 | # - name: alertname 26 | # value: Watchdog 27 | # matchType: = 28 | # - receiver: pushover 29 | # matchers: 30 | # - name: severity 31 | # value: critical 32 | # matchType: = 33 | # inhibitRules: 34 | # - equal: ["alertname", "namespace"] 35 | # sourceMatch: 36 | # - name: severity 37 | # value: critical 38 | # matchType: = 39 | # targetMatch: 40 | # - name: severity 41 | # value: warning 42 | # matchType: = 43 | # receivers: 44 | # - name: "null" 45 | # - name: heartbeat 46 | # webhookConfigs: 47 | # - urlSecret: 48 | # name: &secret alertmanager-secret 49 | # key: ALERTMANAGER_HEARTBEAT_URL 50 | # - name: pushover 51 | # pushoverConfigs: 52 | # - html: true 53 | # message: |- 54 | # {{- range .Alerts }} 55 | # {{- if ne .Annotations.description "" }} 56 | # {{ .Annotations.description }} 57 | # {{- else if ne .Annotations.summary "" }} 58 | # {{ .Annotations.summary }} 59 | # {{- else if ne .Annotations.message "" }} 60 | # {{ .Annotations.message }} 61 | # {{- else }} 62 | # Alert description not available 63 | # {{- end }} 64 | # {{- if gt (len .Labels.SortedPairs) 0 }} 65 | # 66 | # {{- range .Labels.SortedPairs }} 67 | # {{ .Name }}: {{ .Value }} 68 | # {{- end }} 69 | # 70 | # {{- end }} 71 | # {{- end }} 72 | # priority: |- 73 | # {{ if eq .Status "firing" }}1{{ else }}0{{ end }} 74 | # sendResolved: true 75 | # sound: gamelan 76 | # title: >- 77 | # [{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }}] 78 | # {{ .CommonLabels.alertname }} 79 | # ttl: 86400s 80 | # token: 81 | # name: *secret 82 | # key: ALERTMANAGER_PUSHOVER_TOKEN 83 | # userKey: 84 | # name: *secret 85 | # key: PUSHOVER_USER_KEY 86 | # urlTitle: View in Alertmanager -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kube-prometheus-stack/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: kube-prometheus-stack 7 | namespace: kube-prometheus-stack 8 | spec: 9 | interval: 15m 10 | chart: 11 | spec: 12 | chart: kube-prometheus-stack 13 | version: 69.8.2 14 | sourceRef: 15 | kind: HelmRepository 16 | name: prometheus-community 17 | namespace: flux-system 18 | interval: 15m 19 | timeout: 20m 20 | maxHistory: 3 21 | install: 22 | createNamespace: true 23 | remediation: 24 | retries: 3 25 | upgrade: 26 | cleanupOnFail: true 27 | remediation: 28 | retries: 3 29 | uninstall: 30 | keepHistory: false 31 | values: 32 | crds: 33 | enabled: true 34 | upgradeJob: 35 | enabled: true 36 | forceConflicts: true 37 | prometheusOperator: 38 | enabled: false 39 | ## Everything down here, explicitly disables everything except CRDs and grafana dashboards 40 | global: 41 | rbac: 42 | create: false 43 | defaultRules: 44 | create: false 45 | windowsMonitoring: 46 | enabled: false 47 | prometheus-windows-exporter: 48 | prometheus: 49 | monitor: 50 | enabled: false 51 | alertmanager: 52 | enabled: false 53 | grafana: 54 | enabled: false 55 | forceDeployDashboards: true 56 | defaultDashboardsEnabled: true 57 | forceDeployDatasources: true 58 | kubernetesServiceMonitors: 59 | enabled: true 60 | kubeApiServer: 61 | enabled: false 62 | kubelet: 63 | enabled: false 64 | kubeControllerManager: 65 | enabled: false 66 | coreDns: 67 | enabled: false 68 | kubeDns: 69 | enabled: false 70 | kubeEtcd: 71 | enabled: false 72 | kubeScheduler: 73 | enabled: false 74 | kubeProxy: 75 | enabled: false 76 | kubeStateMetrics: 77 | enabled: false 78 | nodeExporter: 79 | enabled: false 80 | prometheus: 81 | enabled: false 82 | thanosRuler: 83 | enabled: false -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kube-prometheus-stack/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | - helm-release.yaml 7 | - alertmanagerconfig.yaml -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kube-prometheus-stack/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: kube-prometheus-stack 5 | labels: 6 | pod-security.kubernetes.io/enforce: privileged -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kube-prometheus-stack/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: kube-prometheus-stack 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/kube-prometheus-stack/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kubernetes-reflector/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: kubernetes-reflector 6 | namespace: system 7 | spec: 8 | interval: 15m 9 | chart: 10 | spec: 11 | chart: kubernetes-reflector 12 | version: 6.5.8 13 | sourceRef: 14 | kind: HelmRepository 15 | name: truecharts 16 | namespace: flux-system 17 | interval: 15m 18 | timeout: 20m 19 | maxHistory: 3 20 | install: 21 | createNamespace: true 22 | remediation: 23 | retries: 3 24 | upgrade: 25 | cleanupOnFail: true 26 | remediation: 27 | retries: 3 28 | uninstall: 29 | keepHistory: false 30 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kubernetes-reflector/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kubernetes-reflector/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: kubernetes-reflector 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/kubernetes-reflector/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - namespace.yaml 5 | - cert-manager/ks.yaml 6 | - kube-prometheus-stack/ks.yaml 7 | # - cloudnative-pg/ks.yaml 8 | # - csi-driver-nfs/ks.yaml 9 | - kubernetes-reflector/ks.yaml 10 | # - metallb/ks.yaml 11 | - openebs/ks.yaml 12 | # - prometheus-operator/ks.yaml 13 | - reloader/ks.yaml 14 | # - rook-ceph/ks.yaml 15 | # - snapshot-controller/ks.yaml 16 | # - system-upgrade-controller/ks.yaml 17 | # - traefik-crds/ks.yaml 18 | # - volsync/ks.yaml 19 | # - kyverno/ks.yaml 20 | - spegel/ks.yaml 21 | # - longhorn/ks.yaml 22 | # - intel-device-plugin/ks.yaml 23 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kyverno/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: kyverno 7 | namespace: kyverno 8 | spec: 9 | interval: 15m 10 | chart: 11 | spec: 12 | chart: kyverno 13 | version: 3.4.2 14 | sourceRef: 15 | kind: HelmRepository 16 | name: kyverno 17 | namespace: flux-system 18 | interval: 15m 19 | timeout: 20m 20 | maxHistory: 3 21 | install: 22 | createNamespace: true 23 | remediation: 24 | retries: 3 25 | upgrade: 26 | cleanupOnFail: true 27 | remediation: 28 | retries: 3 29 | uninstall: 30 | keepHistory: false 31 | values: 32 | 33 | crds: 34 | install: true 35 | grafana: 36 | enabled: true 37 | annotations: 38 | grafana_folder: System 39 | backgroundController: 40 | serviceMonitor: 41 | enabled: true 42 | rbac: 43 | clusterRole: 44 | extraResources: 45 | - apiGroups: 46 | - "" 47 | resources: 48 | - ingresses 49 | - pods 50 | - nodes 51 | verbs: 52 | - create 53 | - update 54 | - patch 55 | - delete 56 | - get 57 | - list 58 | cleanupController: 59 | serviceMonitor: 60 | enabled: true 61 | reportsController: 62 | serviceMonitor: 63 | enabled: true 64 | admissionController: 65 | replicas: 3 66 | serviceMonitor: 67 | enabled: true 68 | rbac: 69 | clusterRole: 70 | extraResources: 71 | - apiGroups: 72 | - "" 73 | resources: 74 | - ingresses 75 | - pods 76 | - nodes 77 | verbs: 78 | - create 79 | - update 80 | - delete 81 | topologySpreadConstraints: 82 | - maxSkew: 1 83 | topologyKey: kubernetes.io/hostname 84 | whenUnsatisfiable: DoNotSchedule 85 | labelSelector: 86 | matchLabels: 87 | app.kubernetes.io/instance: kyverno 88 | app.kubernetes.io/component: kyverno 89 | 90 | config: 91 | # -- Resource types to be skipped by the Kyverno policy engine. 92 | # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. 93 | # These are joined together without spaces, run through `tpl`, and the result is set in the config map. 94 | # @default -- See [values.yaml](values.yaml) 95 | resourceFilters: 96 | - '[Event,*,*]' 97 | - '[*/*,kube-system,*]' 98 | - '[*/*,kube-public,*]' 99 | - '[*/*,kube-node-lease,*]' 100 | - '[Node,*,*]' 101 | - '[Node/*,*,*]' 102 | - '[APIService,*,*]' 103 | - '[APIService/*,*,*]' 104 | - '[TokenReview,*,*]' 105 | - '[SubjectAccessReview,*,*]' 106 | - '[SelfSubjectAccessReview,*,*]' 107 | - '[ReplicaSet,*,*]' 108 | - '[ReplicaSet/*,*,*]' 109 | # exclude resources from the chart 110 | - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]' 111 | - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]' 112 | - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]' 113 | - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]' 114 | - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]' 115 | - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]' 116 | - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]' 117 | - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]' 118 | - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]' 119 | - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]' 120 | - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]' 121 | - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]' 122 | - '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]' 123 | - '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]' 124 | - '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]' 125 | - '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]' 126 | - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]' 127 | - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]' 128 | - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]' 129 | - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]' 130 | - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]' 131 | - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]' 132 | - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]' 133 | - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]' 134 | - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]' 135 | - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]' 136 | - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]' 137 | - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]' 138 | - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]' 139 | - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]' 140 | - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]' 141 | - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]' 142 | - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]' 143 | - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]' 144 | - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' 145 | - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' 146 | - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' 147 | - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' 148 | - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' 149 | - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' 150 | - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' 151 | - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' 152 | - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]' 153 | - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]' 154 | - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]' 155 | - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]' 156 | - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]' 157 | - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]' 158 | - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]' 159 | - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]' 160 | - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' 161 | - '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' 162 | - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' 163 | - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' 164 | - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' 165 | - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' 166 | - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' 167 | - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' 168 | - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' 169 | - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' 170 | - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' 171 | - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' 172 | - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' 173 | - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' 174 | - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' 175 | - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' 176 | - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' 177 | - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' 178 | - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]' 179 | - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]' 180 | - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]' 181 | - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]' 182 | - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]' 183 | - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]' 184 | - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' 185 | - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' 186 | - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]' 187 | - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]' 188 | - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]' 189 | - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]' 190 | - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]' 191 | - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]' 192 | - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]' 193 | - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]' 194 | - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' 195 | - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]' -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kyverno/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - helm-release.yaml 6 | - namespace.yaml 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kyverno/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: kyverno 5 | labels: 6 | kustomize.toolkit.fluxcd.io/prune: disabled 7 | goldilocks.fairwinds.com/enabled: "true" 8 | pod-security.kubernetes.io/enforce: privileged 9 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/kyverno/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: kyverno 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/kyverno/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/metallb/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2 2 | kind: HelmRelease 3 | metadata: 4 | name: metallb 5 | namespace: metallb 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | 11 | chart: metallb 12 | version: 0.15.2 13 | sourceRef: 14 | kind: HelmRepository 15 | name: metallb 16 | namespace: flux-system 17 | interval: 5m 18 | install: 19 | createNamespace: true 20 | remediation: 21 | retries: 3 22 | upgrade: 23 | remediation: 24 | retries: 3 25 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/metallb/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - namespace.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/metallb/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: metallb 5 | labels: 6 | pod-security.kubernetes.io/enforce: privileged 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/metallb/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: metallb 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/metallb/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: system 5 | annotations: 6 | volsync.backube/privileged-movers: "true" 7 | labels: 8 | kustomize.toolkit.fluxcd.io/prune: disabled 9 | goldilocks.fairwinds.com/enabled: "true" 10 | pod-security.kubernetes.io/enforce: privileged 11 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/openebs/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2 2 | kind: HelmRelease 3 | metadata: 4 | name: openebs 5 | namespace: openebs 6 | spec: 7 | interval: 5m 8 | releaseName: openebs 9 | chart: 10 | spec: 11 | 12 | chart: openebs 13 | version: 4.2.0 14 | sourceRef: 15 | kind: HelmRepository 16 | name: openebs 17 | namespace: flux-system 18 | install: 19 | createNamespace: true 20 | crds: CreateReplace 21 | remediation: 22 | retries: 3 23 | upgrade: 24 | crds: CreateReplace 25 | remediation: 26 | retries: 3 27 | values: 28 | 29 | openebs-crds: 30 | csi: 31 | volumeSnapshots: 32 | enabled: true 33 | keep: true 34 | 35 | # Refer to https://github.com/openebs/dynamic-localpv-provisioner/blob/v4.2.0/deploy/helm/charts/values.yaml for complete set of values. 36 | localpv-provisioner: 37 | rbac: 38 | create: true 39 | 40 | # Refer to https://github.com/openebs/zfs-localpv/blob/v2.7.1/deploy/helm/charts/values.yaml for complete set of values. 41 | zfs-localpv: 42 | crds: 43 | zfsLocalPv: 44 | enabled: false 45 | csi: 46 | volumeSnapshots: 47 | enabled: false 48 | 49 | # Refer to https://github.com/openebs/lvm-localpv/blob/lvm-localpv-1.6.2/deploy/helm/charts/values.yaml for complete set of values. 50 | lvm-localpv: 51 | crds: 52 | lvmLocalPv: 53 | enabled: false 54 | csi: 55 | volumeSnapshots: 56 | enabled: false 57 | 58 | # Refer to https://github.com/openebs/mayastor-extensions/blob/v2.8.0/chart/values.yaml for complete set of values. 59 | mayastor: 60 | csi: 61 | node: 62 | initContainers: 63 | enabled: true 64 | etcd: 65 | # -- Kubernetes Cluster Domain 66 | clusterDomain: cluster.local 67 | localpv-provisioner: 68 | enabled: false 69 | crds: 70 | enabled: false 71 | loki: 72 | enabled: false 73 | alloy: 74 | enabled: false 75 | 76 | # -- Configuration options for pre-upgrade helm hook job. 77 | preUpgradeHook: 78 | # -- Labels to be added to the pod hook job 79 | podLabels: {} 80 | image: 81 | # -- The container image registry URL for the hook job 82 | registry: docker.io 83 | # -- The container repository for the hook job 84 | repo: bitnami/kubectl 85 | # -- The container image tag for the hook job 86 | tag: "1.25.15" 87 | # -- The imagePullPolicy for the container 88 | pullPolicy: IfNotPresent 89 | 90 | engines: 91 | local: 92 | lvm: 93 | enabled: false 94 | zfs: 95 | enabled: false 96 | replicated: 97 | mayastor: 98 | enabled: false 99 | 100 | 101 | alloy: 102 | enabled: false 103 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/openebs/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - namespace.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/openebs/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: openebs 5 | labels: 6 | pod-security.kubernetes.io/enforce: privileged 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/openebs/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: openebs 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/openebs/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/reloader/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: reloader 6 | namespace: system 7 | spec: 8 | interval: 15m 9 | chart: 10 | spec: 11 | chart: reloader 12 | version: 1.3.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: stakater 16 | namespace: flux-system 17 | interval: 15m 18 | timeout: 20m 19 | maxHistory: 3 20 | install: 21 | createNamespace: true 22 | remediation: 23 | retries: 3 24 | upgrade: 25 | cleanupOnFail: true 26 | remediation: 27 | retries: 3 28 | uninstall: 29 | keepHistory: false 30 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/reloader/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/reloader/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: reloader 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/reloader/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/rook-ceph/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2 2 | kind: HelmRelease 3 | metadata: 4 | name: rook-ceph 5 | namespace: rook-ceph 6 | spec: 7 | interval: 5m 8 | releaseName: rook-ceph 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://charts.rook.io/release 12 | chart: rook-ceph 13 | version: v1.17.4 14 | sourceRef: 15 | kind: HelmRepository 16 | name: rook-ceph 17 | namespace: flux-system 18 | install: 19 | createNamespace: true 20 | crds: CreateReplace 21 | remediation: 22 | retries: 3 23 | upgrade: 24 | crds: CreateReplace 25 | remediation: 26 | retries: 3 27 | values: 28 | enableDiscoveryDaemon: true 29 | crds: 30 | enabled: true 31 | csi: 32 | csiAddons: 33 | enabled: false 34 | monitoring: 35 | enabled: true 36 | resources: 37 | requests: 38 | cpu: 100m 39 | memory: 128Mi 40 | limits: 41 | cpu: 1000m 42 | memory: 256Mi 43 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/rook-ceph/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - namespace.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/rook-ceph/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: rook-ceph 5 | labels: 6 | pod-security.kubernetes.io/enforce: privileged 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/rook-ceph/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: rook-ceph 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/rook-ceph/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/snapshot-controller/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2 2 | kind: HelmRelease 3 | metadata: 4 | name: snapshot-controller 5 | namespace: system 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: snapshot-controller 11 | version: 3.7.2 12 | sourceRef: 13 | kind: HelmRepository 14 | name: truecharts 15 | namespace: flux-system 16 | interval: 5m 17 | install: 18 | createNamespace: true 19 | remediation: 20 | retries: 3 21 | upgrade: 22 | cleanupOnFail: true 23 | crds: CreateReplace 24 | remediation: 25 | strategy: rollback 26 | retries: 3 27 | values: 28 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/snapshot-controller/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/snapshot-controller/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: snapshot-controller 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/snapshot-controller/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/spegel/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: spegel 7 | namespace: spegel 8 | spec: 9 | interval: 30m 10 | chart: 11 | spec: 12 | chart: spegel 13 | version: 3.4.0 14 | sourceRef: 15 | kind: HelmRepository 16 | name: truecharts 17 | namespace: flux-system 18 | install: 19 | remediation: 20 | retries: 3 21 | upgrade: 22 | cleanupOnFail: true 23 | remediation: 24 | strategy: rollback 25 | retries: 3 26 | values: 27 | service: 28 | main: 29 | type: LoadBalancer 30 | loadBalancerIP: ${SPEGEL_IP} 31 | "lbipam.cilium.io/ips": ${SPEGEL_IP} -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/spegel/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - namespace.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/spegel/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: spegel 5 | labels: 6 | pod-security.kubernetes.io/enforce: privileged 7 | topolvm.io/webhook: ignore 8 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/spegel/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: spegel 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/spegel/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/system-upgrade-controller/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: system-upgrade-controller 7 | namespace: system-upgrade 8 | spec: 9 | interval: 30m 10 | chart: 11 | spec: 12 | chart: app-template 13 | version: 3.7.3 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bjw-s 17 | namespace: flux-system 18 | install: 19 | remediation: 20 | retries: 3 21 | upgrade: 22 | cleanupOnFail: true 23 | remediation: 24 | strategy: rollback 25 | retries: 3 26 | values: 27 | controllers: 28 | system-upgrade-controller: 29 | strategy: RollingUpdate 30 | containers: 31 | app: 32 | image: 33 | repository: docker.io/rancher/system-upgrade-controller 34 | tag: v0.15.2@sha256:3e899833afcea9a8788d384ce976df9a05be84636fe5c01ec2307b5bd8fe9810 35 | env: 36 | SYSTEM_UPGRADE_CONTROLLER_DEBUG: false 37 | SYSTEM_UPGRADE_CONTROLLER_THREADS: 2 38 | SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900 39 | SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99 40 | SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent 41 | SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.33.1 42 | SYSTEM_UPGRADE_JOB_POD_REPLACEMENT_POLICY: Failed 43 | SYSTEM_UPGRADE_JOB_PRIVILEGED: true 44 | SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900 45 | SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m 46 | SYSTEM_UPGRADE_CONTROLLER_NAME: system-update-controller 47 | SYSTEM_UPGRADE_CONTROLLER_NAMESPACE: 48 | valueFrom: 49 | fieldRef: 50 | fieldPath: metadata.namespace 51 | securityContext: 52 | allowPrivilegeEscalation: false 53 | readOnlyRootFilesystem: true 54 | capabilities: { drop: ["ALL"] } 55 | seccompProfile: 56 | type: RuntimeDefault 57 | defaultPodOptions: 58 | securityContext: 59 | runAsNonRoot: true 60 | runAsUser: 65534 61 | runAsGroup: 65534 62 | seccompProfile: { type: RuntimeDefault } 63 | affinity: 64 | nodeAffinity: 65 | requiredDuringSchedulingIgnoredDuringExecution: 66 | nodeSelectorTerms: 67 | - matchExpressions: 68 | - key: node-role.kubernetes.io/control-plane 69 | operator: Exists 70 | tolerations: 71 | - key: CriticalAddonsOnly 72 | operator: Exists 73 | - key: node-role.kubernetes.io/control-plane 74 | operator: Exists 75 | effect: NoSchedule 76 | - key: node-role.kubernetes.io/master 77 | operator: Exists 78 | effect: NoSchedule 79 | serviceAccount: 80 | create: true 81 | name: system-upgrade 82 | persistence: 83 | tmp: 84 | type: emptyDir 85 | etc-ssl: 86 | type: hostPath 87 | hostPath: /etc/ssl 88 | hostPathType: DirectoryOrCreate 89 | globalMounts: 90 | - readOnly: true 91 | etc-pki: 92 | type: hostPath 93 | hostPath: /etc/pki 94 | hostPathType: DirectoryOrCreate 95 | globalMounts: 96 | - readOnly: true 97 | etc-ca-certificates: 98 | type: hostPath 99 | hostPath: /etc/ca-certificates 100 | hostPathType: DirectoryOrCreate 101 | globalMounts: 102 | - readOnly: true -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/system-upgrade-controller/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - namespace.yaml 7 | - helm-release.yaml 8 | - rbac.yaml 9 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/system-upgrade-controller/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: system-upgrade 5 | annotations: 6 | volsync.backube/privileged-movers: "true" 7 | labels: 8 | kustomize.toolkit.fluxcd.io/prune: disabled 9 | goldilocks.fairwinds.com/enabled: "true" 10 | pod-security.kubernetes.io/enforce: privileged 11 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/system-upgrade-controller/app/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: system-upgrade 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: cluster-admin 10 | subjects: 11 | - kind: ServiceAccount 12 | name: system-upgrade 13 | namespace: system-upgrade 14 | --- 15 | apiVersion: talos.dev/v1alpha1 16 | kind: ServiceAccount 17 | metadata: 18 | name: talos 19 | namespace: system-upgrade 20 | spec: 21 | roles: 22 | - os:admin 23 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/system-upgrade-controller/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: system-upgrade-controller 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | path: clusters/main/kubernetes/system/system-upgrade-controller/app 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: cluster 14 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/volsync/app/helm-release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2 2 | kind: HelmRelease 3 | metadata: 4 | name: volsync 5 | namespace: volsync 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | # renovate: registryUrl=https://charts.truecharts.org 11 | chart: volsync 12 | version: 2.11.3 13 | sourceRef: 14 | kind: HelmRepository 15 | name: truecharts 16 | namespace: flux-system 17 | interval: 5m 18 | install: 19 | createNamespace: true 20 | remediation: 21 | retries: 3 22 | upgrade: 23 | remediation: 24 | retries: 3 25 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/volsync/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - namespace.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/volsync/app/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: volsync 5 | labels: 6 | pod-security.kubernetes.io/enforce: privileged 7 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/volsync/install.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: system-volsync 7 | namespace: flux-system 8 | spec: 9 | path: ./cluster/system/volsync/app 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | prune: true 14 | wait: false 15 | interval: 30m 16 | retryInterval: 1m 17 | timeout: 15m 18 | -------------------------------------------------------------------------------- /clusters/main/kubernetes/system/volsync/ks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: volsync 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | path: clusters/main/kubernetes/system/volsync/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: cluster 13 | 14 | -------------------------------------------------------------------------------- /clusters/main/talos/generated/.gitignore: -------------------------------------------------------------------------------- 1 | main-k8s-control-1.yaml 2 | talosconfig 3 | main-k8s-control-2.yaml 4 | main-k8s-control-3.yaml 5 | main-k8s-worker-1.yaml 6 | main-k8s-worker-2.yaml 7 | main-k8s-worker-3.yaml 8 | main-k8s-worker-4.yaml 9 | main-talos-control.yaml 10 | main-talos-worker.yaml 11 | main-k8s-control-0.yaml 12 | main-k8s-worker-0.yaml 13 | -------------------------------------------------------------------------------- /clusters/main/talos/generated/talsecret.yaml: -------------------------------------------------------------------------------- 1 | cluster: 2 | id: ENC[AES256_GCM,data:/0QBSxgTD54SXsubR+z3pGSC7YjhHBhDFUQEJJW7hdJCRjYxRUrc03axGcY=,iv:IjZRIcUu6Zp+PFMb+oQoRqRt13ygjDwI3IkfHy/s6PM=,tag:G5bb/FKDInse7fJR5QcfBg==,type:str] 3 | secret: ENC[AES256_GCM,data:UabpDAsHXuwxNwSDy6B/sRkcqvVPzDrUKQF64YLZ84vc7kz/Yj0WfrxLuYU=,iv:cGgfMbLUiFepvrPfXaMbzd9CVFh/YeJuYc8yiGF5ntw=,tag:2B2lLILJ1GqsDY2p/ZUCLw==,type:str] 4 | secrets: 5 | bootstraptoken: ENC[AES256_GCM,data:Mexlk/RgG+YJRTTIgG0X+7JuXqJj3bk=,iv:5HetTPl67OsKa+ulv9+80PnVLg5ELjdHhzPd5UAXjoo=,tag:rsGri4v44VmdsqF134PxAQ==,type:str] 6 | secretboxencryptionsecret: ENC[AES256_GCM,data:gAnOxx66m/dfE0yde5Y7Y+5xdCwD+HOMMyLUIRToxbBcb+EnHVmqF6Amebo=,iv:TD/3owG06qClJWPmAHLeInkpWBOR6LiJrYmjWfd5bX8=,tag:0vAn9xocn7knIidQZYy63w==,type:str] 7 | trustdinfo: 8 | token: ENC[AES256_GCM,data:6EIFDLKo2PLd6ly86F22EWe75QPX3kw=,iv:W0C+FMjzLdb5Ubslky6dcA258JpYuxECk2+0gVUUl60=,tag:gVFxrJai6uW6A4iUJrnYlw==,type:str] 9 | certs: 10 | etcd: 11 | crt: ENC[AES256_GCM,data:EvdSY8tDxuYLL5Dnvg1N7vXwn48XNfYKWtpvCsrAxfYTigdcILzY06+6IYkJWqDIHReDKXqaY8cj12lrXxR+G6xVaH/pg7MdvHmWZ5vTbONT2GJ1KP+sk/SwurK/OIjZVb4PHYLk0z7/H8vR1s2xloL+2nVmsRawleJgq9y+M21ArEDNcFXzVlRJZ6j6RMlz7uPIzI2iCfbFVIqV6kfwtPKSEINfQ/AlA6UG5DFt51DhtKuhqeL8AWBwWare3CdjWfA4w7JUziJ5u/OiVnCz3MLZCrFqC8LaHwBIDP2aSHFAZUo3W6lHOY9fe45l4JLrwVLcpoqH46S7wj2jPd5EYvVAXAgyI+ToaJxT82/MeOnIKi1NlEBmb518TDtBSOFAeMR5J+bmpQseEgkd8fAz6b+KbzowmzCI6pDgmukrX+I6a+pNyJsQVC08s3oZCkWKpGmf6kmw/NyVG4mFf5lgJiejHpRh/4SUqQA4q2ozO2SXRcHgieMEgcNFmzlb2F/RBoiQwB0ZVaR9BW3VZi5xwFBEC55/JkDr4lM/Mh19uPFyC+xC43MKYlGsQzyagix2SWqgqNGwT1OHpsHW7rSwsMS+xAu5Iu5RRA/AuOVsCplH7Q0NfR3wWV0rfoNRYBlY6fwsh99xpDFrdFbJb61mbyvNqrZVaBRNPVbfhQfltQbla4CwfqKZrQJ//9lHSlhsnm1JFFMePXZtfQk0BV0vaD8fIFpj8ghBj8Ti436FMg48UJddzt2h7OEdhc2l+0G7knaqQd5x/KrrNBfO5ya+y9spOywrRY6nRJPfXsSj0jCd0zN9s9piHiBhgL/Vw2c0cqBxTvhySuVae/RxW7V2Un1aTa4/pVE9/mYePuMssIle29rDaVCPz/DvIj2s+js8rgqyiGYlyA5NtwOqflCdZ8EIX8jIM1ntMkC34Puwd6E5h4fipNBRW2Zr993Wm5BUANloAla4LdSihR8p/I34szmQ3lygj/5RwUe2KV67MhV6u4P4M0OfbUh6Jd+4oEJUgZDBiA==,iv:jLpFDFRQpj3c+rQkuQOQjNjlusPCpDjHWq7lglKiEPY=,tag:hnS8fM5U0La9eGg8mxsVuw==,type:str] 12 | key: ENC[AES256_GCM,data:V8ypF81b3Fapo1nxEzJXsPe/p0MXtgvrTUYjxTNgN/H8p3Cb8k8AZ22FGSisV5DPeKeFzLIiR8kWV9e9wXgC9sUlhZlp5c34QqtzfY7EXJGoA4f2PgqVhgQp4usBh4OZlsCJorC4QU5piuWhdHIvHbHGKQxU6x28jAuCqpZow4yXKj8h3Nas7c/TY2mVxoo9HKmmObPvv6rHxC3H+EuvTTrQN9TLBq3IfWeB2IB+v9qtWTsLUkShPDl1/mXOiCKecxBSOHLE/AubeVuGo5dcTfPNdKSt/lVfGpRLJXmcC43L0+k2TTbDyFj6yNWOCHwQe680LZ8kwMVE+eL7ZYcfVnHxRn/hrUcP1Z2DdeHp5S5SgJbzCknH1zl0HmiOlXvSnaYna9fnrd8mgN4W7ZD9RQ==,iv://ao67BA4A0l7BUYRSdIwSt7EQMngbX1+uKbLn9kjvc=,tag:pntbMKNJramYhmHtLoClGg==,type:str] 13 | k8s: 14 | crt: ENC[AES256_GCM,data:20JODo6e1/JAyy19g3Sie605kt6B+E4muZjzQPVr024q160lo5NlsbyEMb04xX6eTShw82ZwAeuU4z11+VTBBX0vw9TipYjzr24pXVEyqs6r5miNjk6mvDitsf1/lG33ktqDzCNfSm3m4pqjuikIvXGCgOthUbK790VNrM3BzBbiAptiz/M5sPzVDfqJOZEY7cUpTk6471/jPBk9hpT0nWcRFTNJy2JZSgk9cQf5gynDqM/xThn2gOhCBtVIQj1Ay7havivJb1/ywQKULvrK6a4nBkbnpBmBCch4iPl3Tvri8lDdzQKumAd3jA2BpOm6xk1Wg3HsPT6n1waqQAXwVly8Gj5Y4+0BcjUfcaHFMLXibssm6Vuf4YXy9Pn/VQ7EAbh9OMUqd8n9c3i+qr5R1Wm37TeHXbgqhTemEE8MhfMtACOkTBKTWRq65O6r87UqD4RSZBbWre04KZJcJaw2e4wSegqXAEwxCoD07hwsi8nC4zIoItBv1X9kx/yeJqswdpWkdOt6opyMQu740DG+XelTMiyn7ZSyp2MO55rAmct53ShHLlAdQlsWt0ITynWGIU2uMlYIUasy2148QyyksskNyxruAfAPkK6rePEahFZQttwM/MBv0lY6Qj2yT8yAFsQrJ70u8Q721wf7zfXXhHwVaoWpQW3FBntuYXdMcoAvVqVD0QojHXFdv9+gv/bySoC/sM7RrpM0xHKXoTnVz6Qup9qJ74t/yB+zSxWk2lLVGOC6CIfTaXUWY6oclxsdXbKnF794GV+4CYW7FOcUDCjx7lhnIkfe3Mi13ADAoo+BoFytVOKY5ZnQgHB5g2BVgm3vJjplUTTwYR3Xr2OJ4JCXHAFDvIRMfmiuhlSehh2q6bXL3RuHLs9DjgKkVqyH8lnjKvLLJy4mSuvkOFzg04plbVV8h3jDLv2leJIbhfn4rCTWT0D/wBmD2q4sKKUfg4KtEkBLtuHxFMH82p5JC/O2ZxHHdshWG3wZl4G1n5txczZS71pEtfKSAYtucTVbN/1vOy72pywn0sQRM/2XADB8zQOia00Cz54LWg==,iv:obKiQjg11qk+0Mj/2V4Et4FFxFYOlPqM2g8rYR7qlIM=,tag:utqfudpf/QBLuXMUNSeC9Q==,type:str] 15 | key: ENC[AES256_GCM,data:J6SsSapfmM3P+LQdRTvUeteWbbbQPRlzDgR0Ed3QpORMiyzNfCnLHrnP4qt3rvAlI9TuhqfNrS2inq7fg93U3S9RUIHzQg/7c56hzKEbSG9meriEYW5etw8lXySeT8smHwKnETviYWwBy45ZeoFt5MxSF0iOeRRO9yJIeN4sEo7Cn4CjJhtsNnVe6otO9+izohQePSH7JFAnbaUU0onuP/7jaA7ck1GlDKkad2mG3JxA+UAnBF28vSdGFvSiwVfhFVUVXdI2e38DLU18IXCoyUs61L1S6VuBxGLbtRpO/yqBqP22gTp3HFC22U8YLlRs9avVd+kX2D4wBHMqfwcZuLhzsE9BRb2ULsefKUf0NNmTW2wMPQ1Gi+95kDiPnIx7zMRJmMvVvG9lXDySCfb88A==,iv:1lkURspHnRoJf8V1z4EdpDBREtFSYXDnWciEKBW09Zk=,tag:G7hF6DKM/eumzdTzmmz8gQ==,type:str] 16 | k8saggregator: 17 | crt: ENC[AES256_GCM,data:/PpiocQsFLp8TFuvvUuCdzlVlZ2IUYJi1EA7CFm86K7c8ZY0zcJDA085y0tW8IIdASXw418vXrvyfQRbKcra5i20Yvo2rosNRFQB9OSNxP2QaCwTeZ2ExLG6J367CdUGzSpvfp7m0r8pWHj+d1NCb1inRIfqndpFHUa7YZRyVkCYGCp6KDVHPWYBCZaYy4w8tpclqhSpendAW/8lRLoP+Rg1W+mbV9gak0LT6jDBTSlVTOc6V7k34EqX8GpvvprqfEcIPzVkJOzOca2RXmiAhWftAGoRRV5v8FuY4drljUudnqVEc2IqSLHCkk2J/oSZQjCV9kMngNb1NZ3TZecBaddzZZOW4+cDKdPMAi6Kx27PVQ0cFiB2N4VAweG2BM8uD9OTjfGiy9U4N0Ahlo4dPElG2YB5jQ0Nozij+wBdfKjBEE0lTO9SawN3mO9ZeBrY2fywmzs23SmkU1kzs4oCogRBMmefNFTGewwe/bo7atQOr6lEXaxszx39e00FWlT9mcq7uJBrt5/JkVPTKq8OLxeaL7m5LoGysk3IOG48gzOzzDEbBMwm4BcQvmUh8KspDTw4Vvo8xKzurLLud0MZxZBimyGLKTlfYSVVXkwAJiWmR4KjckWC+gpURBKQDNbw2+oQRh/ve41T0ZFoJDEf1Mj7gvD9+RHHolX4R2XmApUVnFGqYgej66iXiA4mwSk6sMMv01LGo7LFUF10FX1Sg81iH24fE0ey9uzNN0l6uymbkJ12YYOZU8tsuv927I3HCNFNhUdvyAmVps890AwoFz0BpVpobLqTOzL1L016qJlRAhQGvHiKzwuCSnfDJ3F3PP6vFW+ceYpfQmGSPcy3dhdUBTfCVAo0Xe+4ngf1x6N7nXxkg6GHTv+o4RZqKrh7ZNBhC7H7jM5WkmG9CgJioONyWbCnkX8tX/q2OjBx46ZRyuAXXvMZsFpKD1bOXO6h,iv:j+svQMURgRa5t8CdTR7eNU9Wyw6IrbbDNcJ854e6uxM=,tag:4vOBsWz9F9Gz4d9lljdvRA==,type:str] 18 | key: ENC[AES256_GCM,data:fqVZZgU0QNSXZTndnejnfs/iamLc87uuX8FEGalHa3i0XDfWU3OHKwCpbt9RpME3OkibMme2XwDG368RELFZpeYcj8hiymJi8YiJ5GBnbe46zdun4CFDN5gqLk8uXCpBQeApRU00TiK29hFWFtp+PcBpmDBtOsGK5R+h/hPGA6oayGz8QWqDkfY6SMC3yqP84SllCvGNP640qzWFQH1eLWhqS4+FHJce5OOCI6n+36KPaNLmuu5bcl2ZKqZecpQa8rzo2dnIf1iOzFKCAvs4rTNIjxBp0rVSpcAw1Gd4m3pdQfxQ5AHsc2CASnCZo6grzfTqcKf9Wj8NRnhhpJIGguTQAS26665UHOJhivp+IdLby/fFogKmGKYVE4aOVGOpBogf1zvKHv9NHrU2uzRbeA==,iv:/66/Og97Fn2k8rwfwLZ6Gw2kkgzOh0VrMSI/vXZ3tc4=,tag:MpJSMdvD4M5wByHHA1356w==,type:str] 19 | k8sserviceaccount: 20 | key: ENC[AES256_GCM,data:zTLRXXX8D7ZXh6VShZA/9U0kNImasIv9SXtD6VdqYXPStGFT/+YsV2FaMZKfKRLMbfrC4JImQuTB5mnVUruIdRLpOI+GMyXQ3kgZAW2mRdQA6gZAr78nMixOTkgM9Pcey/kc3YeeFwonlvtgIVnI8hJMxqaUOn2SeyemTolxpFert/e+io2uY7JONsqXQ5/DrYyILbpzeVXpCUXtl8zYPeVzgCpH2KzRXkLbudG90ZQ/FKEUGkROyTu2lqNvKJFM8hXg/VT5H276erxoBde3WrixNjK3rbiYpAfxwZo/kEug8IZ74EqtewcWy/izH/haqT6aytUSeG7JP/YQcVfQGRtLkwm7lg1mhEeLqlVAoByJMRHJihFXiBOIpUit02BS2vKdRc9KrOT1T/ZbQO6mSQ==,iv:apyxbjrwLKboJOMo9alJRHkEluTOkEn+UHJMEcngWE4=,tag:8paItzTUIYOJEbt7Grc8GQ==,type:str] 21 | os: 22 | crt: ENC[AES256_GCM,data:pUfiM7+9qQL684m8/v7kaT2lmZ/IqjDncCWxZOuFOACZmYdoWZnnqcFvXjoAekfuvi2tkcAPKD8tU7HniLGY30dqhFs5MOXYd1NnpeJ4HLFJnZYelZ4kq1LIOUJpW8sj9x8ffsUET3VztnHGRSuH0r9a3vavFwhewD64ImK1E+i50TF+VtYgteENyaQtCk8qOMqJbQkY/suohHKRq0D9CemhRYB41V7vu6x6KpSaWV56DZUgl8kEP96OaE6uQKauQOThJyKb54I2DgeD0xiBtOCg6q7NkPBmB5pWqA9Qjg25Yba1he12IXanDif/7+ET0u8pipr/68WdyfXbUNTRmTuBNdwfO1M2p5CPpjw+uZqj33FOam+/OmJWOfF+zb3ZqZ5aP90Z+NjoqMHITz4b6UiCVTkPCrl1GZBxBwhcd1upMckTrv3MVpqvedMeVw4IpB1Bt08I3fSDcN/hlxaVsnp5+vNi66o029VBv6Nxj+pXtIJzzDGxuRaHyVDJebJvx2jDwMw/LbutilOA3ixHcvdacQXR3KQc2lQAkQ0Z3S7jqfKMMl3EBQJYh9h7jRDYqSK6I1naVlF+mbTkMroApAtaNOQrP7MSX8Iwc88zN5S0wQBvIO5bmF3X58WkxFzU907wgVwb37EZkY2IoDn/ydFSzdNJMHrRP2yjNEzyTWN84FyaOfhut1XgYTNJHgmjWVTDmXWwRyR18fmjnJMlaVcTvcvv7ZPbAPU5p+4kqWFtQsvHi5AIe0Ztknee9ESVIAtiQxeseLlFjwD61VssFFDGWRAV/koA5nTEpGdL9aANo+LQXQG7uB1hjTSf2JyBXfgfku4spyFY+0RrKZ2Ple1M/GfPdbV7sy1yEPog7ISJORbZ,iv:dka+DLImu+aD0IPMiG1LPO2yhBumvPp4yIDBaHMGmno=,tag:0rMWuTz6IX/gm3M5hMecnQ==,type:str] 23 | key: ENC[AES256_GCM,data:8sjmviC7fGt2l4rIlwe7KiYphmla4W9CiERJzgcn46xU6XdpTmYqJT/2776zwkYpM7Ms+3SudtfcaBMbTOklwuQO4uc/cE9dRrYF4b3dD/g8riLVMFjHvFCgayCWyb30a9XCYiZVH5KEjtBUZVzReOY+pU/Ba0BOfvTa2VnUl1Rl8hGteLAfQk1ruOemOWqq3heeqbl5TPImQcqcSLuN75COc98XAiL+VOUQEB2wStsai5q5,iv:oWtRqXNjEpYOSYYZz4CTbGJ+T17QV4oThR5wJ9O00rk=,tag:wpIlojWccjpCWyqJE0vFbg==,type:str] 24 | sops: 25 | shamir_threshold: 3 26 | age: 27 | - recipient: age1uzy27yg04slm0t4naapemy207fd7uh4lda70dxnh932e5dd8n55skgcdrq 28 | enc: | 29 | -----BEGIN AGE ENCRYPTED FILE----- 30 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiYVhBR3F5OFd6TEpSUzBl 31 | YUxIbnNLNnlVSzFCczMwVHBYdjR3aDZ5dWlBCjJUaUN0eGhsSkNpZ1hyNk9nOWUx 32 | RFlGUWFZdGdCN0VBSEgxQUxzRXZnOGMKLS0tIGc5QUlTbk02eDd2aWNJdmZzbFJR 33 | YzlNa3JLd1QrUzUxemxEdXp5ZmhLTjQKfOSaqPK5cCp1lBcVtdXffOvzSLEDUxTj 34 | niIvT6yNW8WmIg3LljvNhGWWU1AwIfRXHurqRInwHgIGaEDeOKSf/g== 35 | -----END AGE ENCRYPTED FILE----- 36 | lastmodified: "2025-05-23T23:42:08Z" 37 | mac: ENC[AES256_GCM,data:fLOMVQ8UYLOFdDw5wlRyM27w5D3zfCXzusDGualFmHYYSfLN2Yjw/zHb4dLxdOXWc5ijjFLvpcVaRcoLNJ2Y0I4cEhTkhnB0oLh3GAdksn2te+PYgD0RbuePJjLn8kt3JrImKunhjGhavKALFADiw5RssYolQQQLEYGqUH8vYVU=,iv:8zxO6yrWZnzju04VizLBTSV7HyiiQJtc5It6cVQKy4w=,tag:24wnLeAB+kGwcVp8/Of1nA==,type:str] 38 | version: 3.10.2 39 | -------------------------------------------------------------------------------- /clusters/main/talos/patches/controlplane.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /cluster/proxy/extraArgs 3 | value: 4 | "metrics-bind-address": "0.0.0.0:10249" 5 | - op: add 6 | path: /cluster/controllerManager/extraArgs 7 | value: 8 | "bind-address": "0.0.0.0" 9 | - op: add 10 | path: /cluster/apiServer/extraArgs 11 | value: 12 | enable-aggregator-routing: true 13 | runtime-config: admissionregistration.k8s.io/v1alpha1=true 14 | - op: add 15 | path: /cluster/scheduler/extraArgs 16 | value: 17 | "bind-address": "0.0.0.0" 18 | - op: replace 19 | path: /cluster/apiServer/admissionControl 20 | value: 21 | - name: PodSecurity 22 | configuration: 23 | apiVersion: pod-security.admission.config.k8s.io/v1alpha1 24 | defaults: 25 | audit: restricted 26 | audit-version: latest 27 | enforce: baseline 28 | enforce-version: latest 29 | warn: restricted 30 | warn-version: latest 31 | exemptions: 32 | namespaces: 33 | - kube-system 34 | - metallb 35 | - metallb-config 36 | - topolvm-system 37 | - longhorn-system 38 | - kyverno 39 | - system-upgrade 40 | - openebs 41 | - snapshot-controller 42 | - volsync 43 | - flux-system 44 | runtimeClasses: [] 45 | usernames: [] 46 | kind: PodSecurityConfiguration 47 | - op: add 48 | path: /machine/features/kubernetesTalosAPIAccess 49 | value: 50 | enabled: true 51 | allowedRoles: 52 | - os:admin 53 | allowedKubernetesNamespaces: 54 | - system-upgrade 55 | -------------------------------------------------------------------------------- /clusters/main/talos/patches/custom.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /cluster/scheduler 3 | value: 4 | config: 5 | apiVersion: kubescheduler.config.k8s.io/v1 6 | kind: KubeSchedulerConfiguration 7 | profiles: 8 | - schedulerName: default-scheduler 9 | plugins: 10 | score: 11 | disabled: 12 | - name: ImageLocality 13 | pluginConfig: 14 | - name: PodTopologySpread 15 | args: 16 | defaultingType: List 17 | defaultConstraints: 18 | - maxSkew: 1 19 | topologyKey: kubernetes.io/hostname 20 | whenUnsatisfiable: ScheduleAnyway 21 | - op: add 22 | path: /machine/sysctls 23 | value: 24 | user.max_user_namespaces: "11255" # For flatpak support 25 | net.core.default_qdisc: fq # 10Gb/s 26 | net.ipv4.tcp_congestion_control: bbr # 10Gb/s 27 | net.ipv4.tcp_fastopen: 3 # Send and accept data in the opening SYN packet 28 | net.ipv4.tcp_mtu_probing: 1 # 10Gb/s | Jumbo frames 29 | net.ipv4.tcp_rmem: 4096 87380 33554432 # 10Gb/s 30 | net.ipv4.tcp_wmem: 4096 65536 33554432 # 10Gb/s 31 | net.ipv4.tcp_window_scaling: 1 # 10Gb/s 32 | vm.nr_hugepages: 1024 # PostgreSQL 33 | - op: replace 34 | path: /machine/registries/mirrors 35 | value: 36 | cgr.dev: 37 | endpoints: 38 | - https://cgr.dev 39 | cgr.io: 40 | endpoints: 41 | - https://cgr.io 42 | docker.io: 43 | endpoints: 44 | - http://192.168.10.209:5000 45 | - http://192.168.10.208:5000 46 | - https://mirror.gcr.io 47 | - https://registry-1.docker.io 48 | - https://docker.io 49 | registry-1.docker.io: 50 | endpoints: 51 | - http://192.168.10.209:5000 52 | - http://192.168.10.208:5000 53 | - https://mirror.gcr.io 54 | - https://registry-1.docker.io 55 | ghcr.io: 56 | endpoints: 57 | - http://192.168.10.209:5000 58 | - https://ghcr.io 59 | quay.io: 60 | endpoints: 61 | - http://192.168.10.209:5000 62 | - https://quay.io 63 | mcr.microsoft.com: 64 | endpoints: 65 | - http://192.168.10.209:5000 66 | - https://mcr.microsoft.com 67 | public.ecr.aws: 68 | endpoints: 69 | - http://192.168.10.209:5000 70 | - https://public.ecr.aws 71 | gcr.io: 72 | endpoints: 73 | - http://192.168.10.209:5000 74 | - https://gcr.io 75 | registry.k8s.io: 76 | endpoints: 77 | - http://192.168.10.209:5000 78 | - https://registry.k8s.io 79 | k8s.gcr.io: 80 | endpoints: 81 | - http://192.168.10.209:5000 82 | - https://k8s.gcr.io 83 | tccr.io: 84 | endpoints: 85 | - http://192.168.10.209:5000 86 | - https://quay.io 87 | - https://tccr.io 88 | factory.talos.dev: 89 | endpoints: 90 | - https://factory.talos.dev -------------------------------------------------------------------------------- /clusters/main/talos/patches/worker.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /machine/time 3 | value: 4 | "disabled": false 5 | "servers": 6 | - "time.cloudflare.com" 7 | -------------------------------------------------------------------------------- /clusters/main/talos/talconfig.yaml: -------------------------------------------------------------------------------- 1 | clusterName: ${CLUSTERNAME} 2 | # renovate: datasource=docker depName=ghcr.io/siderolabs/installer 3 | talosVersion: v1.10.2 4 | # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet 5 | kubernetesVersion: v1.32.3 6 | endpoint: https://${MASTER1IP}:6443 7 | allowSchedulingOnControlPlanes: false 8 | additionalMachineCertSans: 9 | - 127.0.0.1 10 | - ${MASTER1IP} 11 | - ${VIP} 12 | additionalApiServerCertSans: 13 | - 127.0.0.1 14 | - ${MASTER1IP} 15 | - ${VIP} 16 | # Warning: Also used in Cilium CNI values! 17 | clusterPodNets: 18 | - ${PODNET} 19 | clusterSvcNets: 20 | - ${SVCNET} 21 | cniConfig: 22 | name: none 23 | patches: 24 | - '@./patches/all.yaml' 25 | - '@./patches/custom.yaml' 26 | nodes: 27 | - hostname: k8s-control-1 28 | ipAddress: ${MASTER1IP} 29 | controlPlane: true 30 | nameservers: 31 | - 192.168.10.21 32 | - 1.1.1.1 33 | installDiskSelector: 34 | size: ">= 100GB" 35 | machineSpec: 36 | mode: metal 37 | arch: amd64 38 | useUKI: true 39 | secureboot: true 40 | networkInterfaces: 41 | # suffix is the adapter mac adres. 42 | - deviceSelector: 43 | hardwareAddr: "00:16:3e:88:e6:c5" 44 | addresses: 45 | - ${MASTER1IP}/24 46 | routes: 47 | - network: 0.0.0.0/0 48 | gateway: ${GATEWAY} 49 | vip: 50 | ip: ${VIP} 51 | - hostname: k8s-control-0 52 | ipAddress: ${MASTER2IP} 53 | controlPlane: true 54 | nameservers: 55 | - 192.168.10.21 56 | - 1.1.1.1 57 | installDiskSelector: 58 | size: ">= 100GB" 59 | networkInterfaces: 60 | # suffix is the adapter mac adres. 61 | - deviceSelector: 62 | busPath: "0*" 63 | addresses: 64 | - ${MASTER2IP}/24 65 | routes: 66 | - network: 0.0.0.0/0 67 | gateway: ${GATEWAY} 68 | vip: 69 | ip: ${VIP} 70 | # - hostname: k8s-control-2 71 | # ipAddress: ${MASTER2IP} 72 | # controlPlane: true 73 | # nameservers: 74 | # - 192.168.10.21 75 | # - 1.1.1.1 76 | # installDiskSelector: 77 | # size: <= 1TB 78 | # networkInterfaces: 79 | # # suffix is the adapter mac adres. 80 | # - interface: enxd83add598b01 81 | # addresses: 82 | # - ${MASTER2IP}/24 83 | # routes: 84 | # - network: 0.0.0.0/0 85 | # gateway: ${GATEWAY} 86 | # vip: 87 | # ip: ${VIP} 88 | # - hostname: k8s-control-3 89 | # ipAddress: ${MASTER3IP} 90 | # controlPlane: true 91 | # nameservers: 92 | # - 192.168.10.200 93 | # - 1.1.1.1 94 | # installDiskSelector: 95 | # size: <= 1TB 96 | # networkInterfaces: 97 | # # suffix is the adapter mac adres. 98 | # - interface: enxd83add59cc24 99 | # addresses: 100 | # - ${MASTER3IP}/24 101 | # routes: 102 | # - network: 0.0.0.0/0 103 | # gateway: ${GATEWAY} 104 | # vip: 105 | # ip: ${VIP} 106 | - hostname: k8s-worker-0 107 | ipAddress: 192.168.10.51 108 | nameservers: 109 | - 192.168.10.21 110 | - 1.1.1.1 111 | installDiskSelector: 112 | size: ">= 100GB" 113 | - hostname: k8s-worker-1 114 | ipAddress: 192.168.10.111 115 | nameservers: 116 | - 192.168.10.21 117 | - 1.1.1.1 118 | installDiskSelector: 119 | size: ">= 100GB" 120 | machineSpec: 121 | mode: metal 122 | arch: amd64 123 | useUKI: true 124 | secureboot: true 125 | schematic: 126 | customization: 127 | systemExtensions: 128 | officialExtensions: 129 | - siderolabs/util-linux-tools 130 | 131 | # - hostname: k8s-worker-2 132 | # ipAddress: 192.168.10.121 133 | # nameservers: 134 | # - 192.168.10.21 135 | # - 1.1.1.1 136 | # installDiskSelector: 137 | # size: <= 600GB 138 | # schematic: 139 | # customization: 140 | # systemExtensions: 141 | # officialExtensions: 142 | # - siderolabs/amd-ucode 143 | # - siderolabs/i915 144 | # - siderolabs/intel-ucode 145 | # - siderolabs/mei 146 | # - siderolabs/realtek-firmware 147 | # - hostname: k8s-worker-3 148 | # ipAddress: 192.168.10.131 149 | # nameservers: 150 | # - 192.168.10.21 151 | # - 1.1.1.1 152 | # installDiskSelector: 153 | # size: <= 600GB 154 | # schematic: 155 | # customization: 156 | # systemExtensions: 157 | # officialExtensions: 158 | # - siderolabs/amd-ucode 159 | # - siderolabs/realtek-firmware 160 | controlPlane: 161 | patches: 162 | - '@./patches/controlplane.yaml' 163 | machineFiles: 164 | - content: | 165 | [plugins."io.containerd.grpc.v1.cri"] 166 | enable_unprivileged_ports = true 167 | enable_unprivileged_icmp = true 168 | [plugins."io.containerd.grpc.v1.cri".containerd] 169 | discard_unpacked_layers = false 170 | [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] 171 | discard_unpacked_layers = false 172 | permissions: 0 173 | path: /etc/cri/conf.d/20-customization.part 174 | op: create 175 | - content: | 176 | [ NFSMount_Global_Options ] 177 | nfsvers=4.2 178 | hard=True 179 | noatime=True 180 | nodiratime=True 181 | rsize=131072 182 | wsize=131072 183 | nconnect=8 184 | permissions: 420 185 | path: /etc/nfsmount.conf 186 | op: overwrite 187 | worker: 188 | patches: 189 | - '@./patches/worker.yaml' 190 | machineFiles: 191 | - content: | 192 | [plugins."io.containerd.grpc.v1.cri"] 193 | enable_unprivileged_ports = true 194 | enable_unprivileged_icmp = true 195 | [plugins."io.containerd.grpc.v1.cri".containerd] 196 | discard_unpacked_layers = false 197 | [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] 198 | discard_unpacked_layers = false 199 | permissions: 0 200 | path: /etc/cri/conf.d/20-customization.part 201 | op: create 202 | - content: | 203 | [ NFSMount_Global_Options ] 204 | nfsvers=4.2 205 | hard=True 206 | noatime=True 207 | nodiratime=True 208 | rsize=131072 209 | wsize=131072 210 | nconnect=8 211 | permissions: 420 212 | path: /etc/nfsmount.conf 213 | op: overwrite 214 | -------------------------------------------------------------------------------- /repositories/entries/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: [] -------------------------------------------------------------------------------- /repositories/flux-entry.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: flux-entry-repositories 7 | namespace: flux-system 8 | spec: 9 | interval: 10m 10 | path: ./repositories 11 | prune: true 12 | sourceRef: 13 | kind: GitRepository 14 | name: cluster 15 | decryption: 16 | provider: sops 17 | secretRef: 18 | name: sops-age 19 | postBuild: 20 | substituteFrom: 21 | - kind: ConfigMap 22 | name: cluster-config 23 | patches: 24 | - patch: |- 25 | apiVersion: kustomize.toolkit.fluxcd.io/v1 26 | kind: Kustomization 27 | metadata: 28 | name: not-used 29 | spec: 30 | decryption: 31 | provider: sops 32 | secretRef: 33 | name: sops-age 34 | postBuild: 35 | substituteFrom: 36 | - kind: ConfigMap 37 | name: cluster-config 38 | target: 39 | group: kustomize.toolkit.fluxcd.io 40 | kind: Kustomization 41 | labelSelector: substitution.flux.home.arpa/disabled notin (true) -------------------------------------------------------------------------------- /repositories/git/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - this-repo.yaml 7 | - truecharts.yaml 8 | -------------------------------------------------------------------------------- /repositories/git/this-repo.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: GitRepository 5 | metadata: 6 | name: cluster 7 | namespace: flux-system 8 | spec: 9 | interval: 5m 10 | timeout: 120s 11 | url: ssh://git@github.com/Ornias1993/cluster.git 12 | ref: 13 | branch: main 14 | secretRef: 15 | name: deploy-key 16 | ignore: | 17 | # exclude all 18 | /* 19 | # include flux directories 20 | !/clusters 21 | !/repositories -------------------------------------------------------------------------------- /repositories/git/truecharts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: GitRepository 5 | metadata: 6 | name: truecharts 7 | namespace: flux-system 8 | spec: 9 | interval: 30m 10 | url: https://github.com/truecharts/public/ 11 | ref: 12 | branch: master 13 | secretRef: 14 | name: deploy-key 15 | ignore: | 16 | # exclude all 17 | /* 18 | # include flux directories 19 | !/clusters 20 | !/repositories 21 | -------------------------------------------------------------------------------- /repositories/helm/actions-runner-controller.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: actions-runner-controller 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/actions/actions-runner-controller-charts 12 | -------------------------------------------------------------------------------- /repositories/helm/authentik.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1 2 | kind: HelmRepository 3 | metadata: 4 | name: authentik 5 | namespace: flux-system 6 | spec: 7 | interval: 15m 8 | url: https://charts.goauthentik.io 9 | timeout: 3m 10 | -------------------------------------------------------------------------------- /repositories/helm/backube.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: backube 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://backube.github.io/helm-charts/ 11 | -------------------------------------------------------------------------------- /repositories/helm/bitnami.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: bitnami 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://registry-1.docker.io/bitnamicharts 12 | -------------------------------------------------------------------------------- /repositories/helm/bjw-s.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: bjw-s 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/bjw-s/helm 12 | -------------------------------------------------------------------------------- /repositories/helm/cilium.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: cilium 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://helm.cilium.io 11 | -------------------------------------------------------------------------------- /repositories/helm/cloudnative-pg.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: cloudnative-pg 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 2h 11 | url: oci://ghcr.io/cloudnative-pg/charts 12 | -------------------------------------------------------------------------------- /repositories/helm/coredns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: coredns 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://coredns.github.io/helm 11 | -------------------------------------------------------------------------------- /repositories/helm/crossplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: crossplane 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://charts.crossplane.io/stable 11 | -------------------------------------------------------------------------------- /repositories/helm/crowdsec.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/source.toolkit.fluxcd.io/helmrepository_v1beta2.json 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: crowdsec 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://crowdsecurity.github.io/helm-charts 10 | -------------------------------------------------------------------------------- /repositories/helm/crunchydata.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: crunchydata 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://registry.developers.crunchydata.com/crunchydata 12 | -------------------------------------------------------------------------------- /repositories/helm/csi-driver-nfs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: csi-driver-nfs 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts 11 | -------------------------------------------------------------------------------- /repositories/helm/deliveryhero.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/source.toolkit.fluxcd.io/helmrepository_v1beta2.json 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: deliveryhero 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://charts.deliveryhero.io/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /repositories/helm/democratic-csi.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1 2 | kind: HelmRepository 3 | metadata: 4 | name: democratic-csi 5 | namespace: flux-system 6 | spec: 7 | interval: 30m 8 | url: https://democratic-csi.github.io/charts/ 9 | timeout: 3m 10 | -------------------------------------------------------------------------------- /repositories/helm/descheduler.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: descheduler 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://kubernetes-sigs.github.io/descheduler 11 | -------------------------------------------------------------------------------- /repositories/helm/dysnix.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/source.toolkit.fluxcd.io/helmrepository_v1beta2.json 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: dysnix 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://dysnix.github.io/charts 10 | -------------------------------------------------------------------------------- /repositories/helm/emqx.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: emqx 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://repos.emqx.io/charts 11 | -------------------------------------------------------------------------------- /repositories/helm/external-dns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: external-dns 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://kubernetes-sigs.github.io/external-dns 11 | -------------------------------------------------------------------------------- /repositories/helm/external-secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: external-secrets 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://charts.external-secrets.io 11 | -------------------------------------------------------------------------------- /repositories/helm/fairwinds.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/source.toolkit.fluxcd.io/helmrepository_v1beta2.json 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: fairwinds 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://charts.fairwinds.com/stable 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /repositories/helm/fluent-bit.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1 2 | kind: HelmRepository 3 | metadata: 4 | name: fluent-bit 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | url: https://fluent.github.io/helm-charts 9 | timeout: 3m 10 | -------------------------------------------------------------------------------- /repositories/helm/grafana.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: grafana 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://grafana.github.io/helm-charts 11 | -------------------------------------------------------------------------------- /repositories/helm/home-ops-mirror.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: home-ops-mirror 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 2h 11 | url: oci://ghcr.io/home-operations/charts-mirror/ 12 | -------------------------------------------------------------------------------- /repositories/helm/infracloudio.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1 2 | kind: HelmRepository 3 | metadata: 4 | name: infracloudio 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | url: https://infracloudio.github.io/charts 9 | timeout: 3m 10 | -------------------------------------------------------------------------------- /repositories/helm/ingress-nginx.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: ingress-nginx 7 | namespace: flux-system 8 | spec: 9 | ## TODO: move to OCI 10 | # type: oci 11 | interval: 5m 12 | url: 'https://kubernetes.github.io/ingress-nginx' 13 | -------------------------------------------------------------------------------- /repositories/helm/intel.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: intel 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://intel.github.io/helm-charts 11 | -------------------------------------------------------------------------------- /repositories/helm/jaegertracing.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/source.toolkit.fluxcd.io/helmrepository_v1beta2.json 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: jaegertracing 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://jaegertracing.github.io/helm-charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /repositories/helm/jetstack.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: jetstack 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://charts.jetstack.io/ 11 | -------------------------------------------------------------------------------- /repositories/helm/k8s-at-home.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1 2 | kind: HelmRepository 3 | metadata: 4 | name: k8s-at-home 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | url: https://k8s-at-home.com/charts 9 | timeout: 3m 10 | -------------------------------------------------------------------------------- /repositories/helm/kubernetes-sigs-metrics-server.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/source.toolkit.fluxcd.io/helmrepository_v1beta2.json 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: kubernetes-sigs-metrics-server 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://kubernetes-sigs.github.io/metrics-server/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /repositories/helm/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | metadata: 4 | name: helm-repos 5 | namespace: flux-system 6 | resources: 7 | - actions-runner-controller.yaml 8 | - authentik.yaml 9 | - backube.yaml 10 | - bitnami.yaml 11 | - bjw-s.yaml 12 | - cilium.yaml 13 | - cloudnative-pg.yaml 14 | - coredns.yaml 15 | - crossplane.yaml 16 | - crowdsec.yaml 17 | - crunchydata.yaml 18 | - csi-driver-nfs.yaml 19 | - deliveryhero.yaml 20 | - democratic-csi.yaml 21 | - descheduler.yaml 22 | - dysnix.yaml 23 | - emqx.yaml 24 | - external-dns.yaml 25 | - external-secrets.yaml 26 | - fairwinds.yaml 27 | - fluent-bit.yaml 28 | - grafana.yaml 29 | - home-ops-mirror.yaml 30 | - infracloudio.yaml 31 | - ingress-nginx.yaml 32 | - intel.yaml 33 | - jaegertracing.yaml 34 | - jetstack.yaml 35 | - k8s-at-home.yaml 36 | - kubernetes-sigs-metrics-server.yaml 37 | - kustomization.yaml 38 | - kyverno.yaml 39 | - longhorn.yaml 40 | - lwolf.yaml 41 | - metallb.yaml 42 | - metrics-server.yaml 43 | - node-feature-discovery.yaml 44 | - nvidia.yaml 45 | - openebs.yaml 46 | - piraeus.yaml 47 | - postfinance.yaml 48 | - prometheus-community.yaml 49 | - rook-ceph.yaml 50 | - runix.yaml 51 | - spegel.yaml 52 | - stakater.yaml 53 | - stevehipwell.yaml 54 | - tf-controller.yaml 55 | - topolvm.yaml 56 | - traefik.yaml 57 | - truecharts.yaml 58 | - truechartsoci.yaml 59 | - twuni.yaml 60 | - weave-gitops.yaml 61 | # more goes here! 62 | -------------------------------------------------------------------------------- /repositories/helm/kyverno.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: kyverno 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/kyverno/charts 12 | -------------------------------------------------------------------------------- /repositories/helm/longhorn.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: longhorn 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://charts.longhorn.io 11 | -------------------------------------------------------------------------------- /repositories/helm/lwolf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1 2 | kind: HelmRepository 3 | metadata: 4 | name: lwolf 5 | namespace: flux-system 6 | spec: 7 | interval: 1h 8 | url: https://charts.lwolf.org 9 | timeout: 3m 10 | -------------------------------------------------------------------------------- /repositories/helm/metallb.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1 2 | kind: HelmRepository 3 | metadata: 4 | name: metallb 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | url: https://metallb.github.io/metallb 9 | timeout: 3m 10 | -------------------------------------------------------------------------------- /repositories/helm/metrics-server.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: metrics-server 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://kubernetes-sigs.github.io/metrics-server 11 | -------------------------------------------------------------------------------- /repositories/helm/node-feature-discovery.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: node-feature-discovery 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://kubernetes-sigs.github.io/node-feature-discovery/charts 11 | -------------------------------------------------------------------------------- /repositories/helm/nvidia.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: nvidia 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://helm.ngc.nvidia.com/nvidia 11 | -------------------------------------------------------------------------------- /repositories/helm/openebs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: openebs 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://openebs.github.io/openebs 11 | -------------------------------------------------------------------------------- /repositories/helm/piraeus.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: piraeus 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://piraeus.io/helm-charts/ 11 | -------------------------------------------------------------------------------- /repositories/helm/postfinance.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: postfinance 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://postfinance.github.io/kubelet-csr-approver 11 | -------------------------------------------------------------------------------- /repositories/helm/prometheus-community.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: prometheus-community 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/prometheus-community/charts 12 | -------------------------------------------------------------------------------- /repositories/helm/rook-ceph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: rook-ceph 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://charts.rook.io/release 11 | -------------------------------------------------------------------------------- /repositories/helm/runix.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/source.toolkit.fluxcd.io/helmrepository_v1beta2.json 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: runix 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://helm.runix.net 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /repositories/helm/spegel.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: spegel 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/spegel-org/helm-charts 12 | -------------------------------------------------------------------------------- /repositories/helm/stakater.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: stakater 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/stakater/charts 12 | -------------------------------------------------------------------------------- /repositories/helm/stevehipwell.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: stevehipwell 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/stevehipwell/helm-charts 12 | -------------------------------------------------------------------------------- /repositories/helm/tf-controller.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/source.toolkit.fluxcd.io/helmrepository_v1beta2.json 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: tf-controller 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://weaveworks.github.io/tf-controller/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /repositories/helm/topolvm.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: topolvm 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://topolvm.github.io/topolvm 11 | -------------------------------------------------------------------------------- /repositories/helm/traefik.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1 2 | kind: HelmRepository 3 | metadata: 4 | name: traefik 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | url: https://helm.traefik.io/traefik 9 | timeout: 3m 10 | -------------------------------------------------------------------------------- /repositories/helm/truecharts.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/source.toolkit.fluxcd.io/helmrepository_v1beta2.json 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: truecharts 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 5m 10 | url: oci://tccr.io/truecharts 11 | -------------------------------------------------------------------------------- /repositories/helm/truechartsoci.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/source.toolkit.fluxcd.io/helmrepository_v1beta2.json 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: truechartsoci 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 5m 10 | url: oci://tccr.io/truecharts 11 | -------------------------------------------------------------------------------- /repositories/helm/twuni.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1 2 | kind: HelmRepository 3 | metadata: 4 | name: twuni 5 | namespace: flux-system 6 | spec: 7 | interval: 10m 8 | url: https://helm.twun.io 9 | timeout: 3m 10 | -------------------------------------------------------------------------------- /repositories/helm/weave-gitops.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/source.toolkit.fluxcd.io/helmrepository_v1beta2.json 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: weave-gitops 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 5m 10 | url: oci://ghcr.io/weaveworks/charts 11 | -------------------------------------------------------------------------------- /repositories/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./git 7 | - ./helm 8 | - ./oci -------------------------------------------------------------------------------- /repositories/oci/flux-manifests.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json 3 | apiVersion: source.toolkit.fluxcd.io/v1beta2 4 | kind: OCIRepository 5 | metadata: 6 | name: flux-manifests 7 | namespace: flux-system 8 | spec: 9 | interval: 10m 10 | url: oci://ghcr.io/fluxcd/flux-manifests 11 | ref: 12 | tag: v2.6.1 -------------------------------------------------------------------------------- /repositories/oci/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - flux-manifests.yaml -------------------------------------------------------------------------------- /ssh-public-key.txt: -------------------------------------------------------------------------------- 1 | ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK+FByRkVDapqWpsyXyVsF1UbAy2TxA9qhO5VpjIwcJxq8mum0IWLhtc+uNDCOvbSN1DJFA0KNRfvK5Ime9czAhVI4YOju7Chu9jNpv2AneDZkAer9dZg8fkoGOdBoWlGw== 2 | -------------------------------------------------------------------------------- /talosconfig: -------------------------------------------------------------------------------- 1 | context: "" 2 | contexts: {} 3 | -------------------------------------------------------------------------------- /whitelist.txt: -------------------------------------------------------------------------------- 1 | gew4-spclient.spotify.com 2 | api-spotify.com 3 | *.spotify.com 4 | apple.com 5 | *.apple.com 6 | fetlife.com --------------------------------------------------------------------------------