├── .editorconfig ├── .gitattributes ├── .github ├── actions │ ├── terragrunt │ │ └── action.yaml │ └── update-check │ │ └── action.yaml ├── renovate.json5 └── workflows │ ├── renovate.yaml │ ├── require-terragrunt.yaml │ ├── slash-command-dispatch.yaml │ └── terragrunt-command.yml ├── .gitignore ├── .opentofu-version ├── .taskfiles ├── inventory │ ├── resources │ │ └── inventory.yaml.dist │ └── taskfile.yaml ├── kubernetes │ ├── resources │ │ └── template-helm-release.sh │ └── taskfile.yaml └── terragrunt │ └── taskfile.yaml ├── .terragrunt-version ├── .vscode ├── extensions.json └── settings.json ├── Brewfile ├── LICENSE ├── README.md ├── Taskfile.yaml ├── docs ├── images │ ├── home-network-firewall.png │ ├── k8s-logo.png │ ├── network-1.jpg │ ├── rack-back.jpg │ └── rack-front.jpg └── runbooks │ ├── resize-volume.md │ └── supermicro-machine-setup.md ├── infrastructure ├── accounts.hcl ├── clusters │ ├── common.hcl │ ├── dev │ │ ├── .terraform.lock.hcl │ │ └── terragrunt.hcl │ ├── live │ │ ├── .terraform.lock.hcl │ │ └── terragrunt.hcl │ └── staging │ │ ├── .terraform.lock.hcl │ │ └── terragrunt.hcl ├── hosts │ └── pxeboot │ │ ├── .terraform.lock.hcl │ │ └── terragrunt.hcl ├── inventory.hcl ├── networking.hcl └── root.hcl └── kubernetes ├── clusters ├── base │ ├── _network-policy │ │ ├── allow-all-kube-system.yaml │ │ ├── allow-cluster-kubedns.yaml │ │ ├── allow-labeled-egress-internet.yaml │ │ ├── allow-labeled-egress-kubeapi.yaml │ │ ├── allow-labeled-egress-private.yaml │ │ ├── allow-labeled-ingress-external.yaml │ │ ├── allow-labeled-ingress-internal.yaml │ │ ├── allow-labeled-ingress-private.yaml │ │ ├── allow-labeled-ingress-prometheus.yaml │ │ ├── allow-labeled-to-cluster.yaml │ │ └── kustomization.yaml │ ├── actions-runner-system │ │ ├── actions-runner-controller.yaml │ │ └── kustomization.yaml │ ├── cert-manager │ │ ├── cert-manager.yaml │ │ ├── issuers.yaml │ │ ├── kustomization.yaml │ │ └── policy.yaml │ ├── kube-system │ │ ├── cilium-config.yaml │ │ 
├── cilium.yaml │ │ ├── descheduler.yaml │ │ ├── kustomization.yaml │ │ └── policy.yaml │ ├── kubevirt │ │ ├── containerized-data-importer-operator.yaml │ │ ├── containerized-data-importer.yaml │ │ ├── kubevirt-operator.yaml │ │ ├── kubevirt.yaml │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── longhorn-system │ │ ├── kustomization.yaml │ │ ├── longhorn-storage.yaml │ │ ├── longhorn.yaml │ │ └── policy.yaml │ ├── monitoring │ │ ├── canary-checker.yaml │ │ ├── grafana-loki-single-binary.yaml │ │ ├── grafana.yaml │ │ ├── kube-prometheus-stack-crds.yaml │ │ ├── kube-prometheus-stack.yaml │ │ ├── kustomization.yaml │ │ ├── policy.yaml │ │ └── promtail.yaml │ ├── network │ │ ├── certificates.yaml │ │ ├── ingress-nginx-external.yaml │ │ ├── ingress-nginx-internal.yaml │ │ ├── kustomization.yaml │ │ └── policy.yaml │ ├── rook-ceph │ │ ├── cluster.yaml │ │ ├── kustomization.yaml │ │ ├── operator.yaml │ │ └── resources │ │ │ ├── example.yaml │ │ │ ├── kustomization.yaml │ │ │ └── values.yaml │ ├── system │ │ ├── external-secrets-stores.yaml │ │ ├── external-secrets.yaml │ │ ├── kustomization.yaml │ │ ├── policy.yaml │ │ ├── reloader.yaml │ │ ├── replicator.yaml │ │ └── secret-generator.yaml │ └── tailscale │ │ ├── kustomization.yaml │ │ └── operator.yaml ├── dev │ ├── cert-manager │ │ ├── cert-manager.yaml │ │ ├── issuers.yaml │ │ └── kustomization.yaml │ ├── default │ │ ├── helm-release-app-template-repo.yaml │ │ └── kustomization.yaml │ ├── flux-system │ │ ├── gotk-components.yaml │ │ ├── gotk-sync.yaml │ │ └── kustomization.yaml │ ├── games │ │ ├── kustomization.yaml │ │ └── valheim-devheim.yaml │ ├── kube-system │ │ ├── cilium-config.yaml │ │ ├── cilium.yaml │ │ ├── descheduler.yaml │ │ ├── kustomization.yaml │ │ └── spegel.yaml │ ├── kustomization.yaml │ ├── longhorn-system │ │ ├── kustomization.yaml │ │ ├── longhorn-storage.yaml │ │ └── longhorn.yaml │ ├── network │ │ ├── certificates.yaml │ │ ├── ingress-nginx-external.yaml │ │ ├── 
ingress-nginx-internal.yaml │ │ └── kustomization.yaml │ └── system │ │ ├── external-secrets-stores.yaml │ │ ├── external-secrets.yaml │ │ ├── kustomization.yaml │ │ ├── reloader.yaml │ │ ├── replicator.yaml │ │ └── secret-generator.yaml ├── integration │ └── generated-cluster-vars.env ├── live │ ├── .network-policies │ │ ├── allow-egress-to-internet-except-private │ │ │ └── source │ │ │ │ ├── kustomization.yaml │ │ │ │ └── network-policy.yaml │ │ ├── allow-egress-to-private │ │ │ └── source │ │ │ │ ├── kustomization.yaml │ │ │ │ └── network-policy.yaml │ │ ├── allow-ingress-from-external │ │ │ ├── destination │ │ │ │ ├── kustomization.yaml │ │ │ │ └── network-policy.yaml │ │ │ └── source │ │ │ │ ├── kustomization.yaml │ │ │ │ └── network-policy.yaml │ │ ├── allow-ingress-from-internal │ │ │ ├── destination │ │ │ │ ├── kustomization.yaml │ │ │ │ └── network-policy.yaml │ │ │ └── source │ │ │ │ ├── kustomization.yaml │ │ │ │ └── network-policy.yaml │ │ ├── allow-ingress-from-private │ │ │ └── destination │ │ │ │ ├── kustomization.yaml │ │ │ │ └── network-policy.yaml │ │ ├── allow-same-namespace │ │ │ └── source │ │ │ │ ├── kustomization.yaml │ │ │ │ └── network-policy.yaml │ │ └── kustomization.yaml │ ├── actions-runner-system │ │ ├── actions-runner-controller.yaml │ │ └── kustomization.yaml │ ├── actions-runners │ │ ├── actions-runner-homelab-modules.yaml │ │ ├── actions-runner-homelab.yaml │ │ └── kustomization.yaml │ ├── cert-manager │ │ ├── cert-manager.yaml │ │ ├── issuers.yaml │ │ └── kustomization.yaml │ ├── cluster-vars.env │ ├── default │ │ ├── helm-release-app-template-repo.yaml │ │ └── kustomization.yaml │ ├── flux-system │ │ ├── gotk-components.yaml │ │ ├── gotk-sync.yaml │ │ └── kustomization.yaml │ ├── games │ │ ├── kustomization.yaml │ │ └── valheim-plexheim.yaml │ ├── generated-cluster-vars.env │ ├── kube-system │ │ ├── cilium-config.yaml │ │ ├── cilium.yaml │ │ ├── descheduler.yaml │ │ ├── kustomization.yaml │ │ └── spegel.yaml │ ├── kubevirt │ │ 
├── containerized-data-importer-operator.yaml │ │ ├── containerized-data-importer.yaml │ │ ├── kubevirt-operator.yaml │ │ ├── kubevirt.yaml │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── longhorn-system │ │ ├── kustomization.yaml │ │ ├── longhorn-storage.yaml │ │ └── longhorn.yaml │ ├── monitoring │ │ ├── grafana-k8s-monitoring.yaml │ │ ├── grafana-loki-single-binary.yaml │ │ ├── grafana-loki-smple-scalable.yaml │ │ ├── grafana-mimir.yaml │ │ ├── grafana-minio-tenant.yaml │ │ ├── grafana-pyroscope.yaml │ │ ├── grafana-tempo.yaml │ │ ├── grafana.yaml │ │ ├── kube-prometheus-stack-crds.yaml │ │ ├── kube-prometheus-stack.yaml │ │ ├── kustomization.yaml │ │ ├── prometheus-ipmi-exporter-supermicro-node2.yaml │ │ ├── prometheus-ipmi-exporter-supermicro-node41.yaml │ │ ├── prometheus-ipmi-exporter-supermicro-node42.yaml │ │ ├── prometheus-ipmi-exporter-supermicro-rules.yaml │ │ └── promtail.yaml │ ├── network │ │ ├── certificates.yaml │ │ ├── ingress-nginx-external.yaml │ │ ├── ingress-nginx-internal.yaml │ │ └── kustomization.yaml │ └── system │ │ ├── cloudflared.yaml │ │ ├── external-secrets-stores.yaml │ │ ├── external-secrets.yaml │ │ ├── kustomization.yaml │ │ ├── minio-operator.yaml │ │ ├── nsinjector.yaml │ │ ├── reloader.yaml │ │ ├── replicator.yaml │ │ └── secret-generator.yaml └── staging │ ├── actions-runners │ ├── actions-runner-homelab.yaml │ └── kustomization.yaml │ ├── flux-system │ ├── gotk-components.yaml │ ├── gotk-sync.yaml │ └── kustomization.yaml │ ├── generated-cluster-vars.env │ └── kustomization.yaml └── manifests ├── common ├── components │ ├── configurations │ │ ├── cluster-issuer │ │ │ ├── configuration.yaml │ │ │ └── kustomization.yaml │ │ ├── git-repository │ │ │ ├── configuration.yaml │ │ │ └── kustomization.yaml │ │ ├── helm-release │ │ │ ├── configuration.yaml │ │ │ └── kustomization.yaml │ │ ├── image-policy │ │ │ ├── configuration.yaml │ │ │ └── kustomization.yaml │ │ ├── image-repository │ │ │ ├── configuration.yaml │ │ │ └── 
kustomization.yaml │ │ ├── image-update-automation │ │ │ ├── configuration.yaml │ │ │ └── kustomization.yaml │ │ ├── kustomization │ │ │ ├── configuration.yaml │ │ │ └── kustomization.yaml │ │ ├── minio-tenant │ │ │ ├── configuration.yaml │ │ │ └── kustomization.yaml │ │ ├── namespace │ │ │ ├── configuration.yaml │ │ │ └── kustomization.yaml │ │ ├── origin-issuer │ │ │ ├── configuration.yaml │ │ │ └── kustomization.yaml │ │ └── service-monitor │ │ │ ├── configuration.yaml │ │ │ └── kustomization.yaml │ └── flux-kustomization-defaults │ │ ├── kustomization.yaml │ │ └── patch-kustomization.yaml └── resources │ ├── certificates │ ├── external-certificate.yaml │ ├── internal-certificate.yaml │ └── kustomization.yaml │ ├── cilium-config │ ├── kustomization.yaml │ ├── l2.yaml │ └── pool.yaml │ ├── external-secret-stores │ ├── cluster-secret-store.yaml │ ├── external-secret-test.yaml │ └── kustomization.yaml │ ├── helm-release-app-template-repo │ ├── bjw-s-oci.yaml │ ├── bjw-s.yaml │ └── kustomization.yaml │ ├── helm-release-app-template │ ├── configuration.yaml │ ├── helm-release.yaml │ └── kustomization.yaml │ ├── helm-release-oci │ ├── helm-release.yaml │ ├── helm-repository.yaml │ └── kustomization.yaml │ ├── helm-release │ ├── helm-release.yaml │ ├── helm-repository.yaml │ └── kustomization.yaml │ ├── issuers │ ├── cloudflare-issuer │ │ ├── cluster-issuer.yaml │ │ ├── external-secret.yaml │ │ └── kustomization.yaml │ └── kustomization.yaml │ ├── longhorn-storage │ ├── kustomization.yaml │ ├── recurring-jobs │ │ ├── backup-weekly.yaml │ │ ├── filesystem-trim-daily.yaml │ │ └── snapshot-daily.yaml │ └── storage-classes │ │ ├── fast-critical.yaml │ │ ├── fast-unmanaged.yaml │ │ ├── fast.yaml │ │ ├── slow-critical.yaml │ │ ├── slow-unmanaged.yaml │ │ └── slow.yaml │ ├── namespace │ ├── kustomization.yaml │ └── namespace.yaml │ └── prometheus-ipmi-exporter-supermico-rules │ ├── kustomization.yaml │ └── prometheus-rule.yaml ├── helm-release-app-template-oci ├── cloudflared 
│ ├── config │ │ └── config.yaml │ ├── dns-endpoint.yaml │ ├── external-secret.yaml │ ├── kustomization.yaml │ ├── network-policy.yaml │ └── values.yaml └── valheim │ ├── kustomization.yaml │ ├── network-policy.yaml │ └── values.yaml ├── helm-release-oci ├── actions-runner-controller │ ├── kustomization.yaml │ └── values.yaml └── actions-runner-scale-set │ ├── external-secret.yaml │ ├── kustomization.yaml │ ├── rbac.yaml │ └── values.yaml ├── helm-release ├── canary-checker │ ├── kustomization.yaml │ └── values.yaml ├── cert-manager │ ├── kustomization.yaml │ ├── prometheus-rules.yaml │ └── values.yaml ├── cilium │ ├── canary.yaml │ ├── kustomization.yaml │ ├── patch-values.yaml │ └── values.yaml ├── descheduler │ ├── kustomization.yaml │ ├── patch-helm-release.yaml │ └── values.yaml ├── external-secrets │ ├── kustomization.yaml │ └── values.yaml ├── grafana-k8s-monitoring │ ├── kustomization.yaml │ └── values.yaml ├── grafana-loki-simple-scalable │ ├── kustomization.yaml │ └── values.yaml ├── grafana-loki-single-binary │ ├── kustomization.yaml │ └── values.yaml ├── grafana-mimir │ ├── kustomization.yaml │ └── values.yaml ├── grafana-minio-tenant │ ├── kustomization.yaml │ └── values.yaml ├── grafana-pyroscope │ ├── kustomization.yaml │ └── values.yaml ├── grafana-tempo │ ├── kustomization.yaml │ └── values.yaml ├── grafana │ ├── canary.yaml │ ├── kustomization.yaml │ └── values.yaml ├── ingress-nginx │ ├── kustomization.yaml │ └── values.yaml ├── kube-prometheus-stack-crds │ ├── kustomization.yaml │ └── values.yaml ├── kube-prometheus-stack │ ├── alertmanager-config.yaml │ ├── canary.yaml │ ├── external-secret.yaml │ ├── kustomization.yaml │ └── values.yaml ├── longhorn │ ├── alerts.yaml │ ├── canary.yaml │ ├── kustomization.yaml │ └── values.yaml ├── minio-operator │ ├── kustomization.yaml │ └── values.yaml ├── prometheus-ipmi-exporter-supermicro │ ├── external-secret.yaml │ ├── kustomization.yaml │ ├── service-monitor.yaml │ └── values.yaml ├── promtail │ ├── 
kustomization.yaml │ └── values.yaml ├── reloader │ ├── kustomization.yaml │ └── values.yaml ├── replicator │ ├── kustomization.yaml │ └── values.yaml ├── rook-ceph │ ├── kustomization.yaml │ └── values.yaml ├── secret-generator │ ├── kustomization.yaml │ └── values.yaml ├── spegel │ ├── kustomization.yaml │ └── values.yaml └── tailscale-operator │ ├── external-secret.yaml │ ├── kustomization.yaml │ └── values.yaml └── kustomize ├── containerized-data-importer-operator └── kustomization.yaml ├── containerized-data-importer ├── instance.yaml └── kustomization.yaml ├── kubevirt-operator └── kustomization.yaml ├── kubevirt ├── instance.yaml └── kustomization.yaml ├── nsinjector-crd └── kustomization.yaml ├── nsinjector-homelab-modules ├── cluster-role-binding.yaml ├── cluster-role.yaml ├── injector.yaml └── kustomization.yaml └── nsinjector ├── cluster-role-binding.yaml ├── cluster-role.yaml ├── deployment.yaml ├── kustomization.yaml └── service-account.yaml /.editorconfig: -------------------------------------------------------------------------------- 1 | # editorconfig.org 2 | 3 | [*] 4 | indent_style = space 5 | indent_size = 2 6 | end_of_line = lf 7 | charset = utf-8 8 | trim_trailing_whitespace = true 9 | insert_final_newline = true 10 | 11 | [*.{tf,tfvars,hcl}] 12 | indent_size = 2 13 | indent_style = space 14 | 15 | [{Makefile,**.mk}] 16 | indent_style = tab 17 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.yaml linguist-detectable=true 2 | *.yaml linguist-language=YAML 3 | *.tf linguist-detectable=true 4 | *.tf linguist-language=Terraform 5 | -------------------------------------------------------------------------------- /.github/renovate.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | 
"config:recommended", 5 | ":dependencyDashboard", 6 | ":timezone(America/New_York)" 7 | ], 8 | "dependencyDashboardTitle": "Dependency Dashboard", 9 | "terraform": { 10 | "managerFilePatterns": ["/(^|/)infrastructure/.+\\.tf$/"], 11 | "registryUrls": ["https://registry.opentofu.org"] 12 | }, 13 | "kubernetes": {"managerFilePatterns": ["/^kubernetes/.*\\.ya?ml$/"]}, 14 | "customManagers": [ 15 | { 16 | "customType": "regex", 17 | "managerFilePatterns": ["/^\\.opentofu-version$/"], 18 | "matchStrings": ["^(?\\d+\\.\\d+\\.\\d+)$"], 19 | "depNameTemplate": "opentofu", 20 | "datasourceTemplate": "github-releases", 21 | "packageNameTemplate": "opentofu/opentofu" 22 | }, 23 | { 24 | "customType": "regex", 25 | "managerFilePatterns": ["/^\\.terragrunt-version$/"], 26 | "matchStrings": ["^(?\\d+\\.\\d+\\.\\d+)$"], 27 | "depNameTemplate": "terragrunt", 28 | "datasourceTemplate": "github-releases", 29 | "packageNameTemplate": "gruntwork-io/terragrunt" 30 | } 31 | ], 32 | "ignorePaths": [ 33 | "kubernetes/clusters/*/flux-system/**", 34 | "kubernetes/clusters/generated-cluster-vars.env" 35 | ] 36 | } 37 | -------------------------------------------------------------------------------- /.github/workflows/renovate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 3 | name: Renovate 4 | on: 5 | schedule: 6 | - cron: "0 * * * *" 7 | 8 | workflow_dispatch: 9 | inputs: 10 | dryRun: 11 | description: Run Renovate in dry run mode 12 | type: boolean 13 | required: false 14 | default: false 15 | logLevel: 16 | description: Log level for Renovate 17 | type: choice 18 | default: info 19 | options: 20 | - debug 21 | - info 22 | required: false 23 | version: 24 | description: Renovate version to use 25 | type: string 26 | default: latest 27 | required: false 28 | 29 | jobs: 30 | renovate: 31 | runs-on: ubuntu-latest 32 | steps: 33 | - name: Get Token 34 | uses: 
actions/create-github-app-token@v2.0.6 35 | id: token 36 | with: 37 | app-id: ${{ secrets.RENOVATE_APP_ID }} 38 | private-key: ${{ secrets.RENOVATE_PRIVATE_KEY }} 39 | owner: ${{ github.repository_owner }} 40 | repositories: homelab 41 | 42 | - name: Checkout 43 | uses: actions/checkout@v4.2.2 44 | 45 | - name: Run Renovate 46 | uses: renovatebot/github-action@v43.0.2 47 | env: 48 | LOG_LEVEL: ${{ inputs.logLevel }} 49 | RENOVATE_AUTODISCOVER: true 50 | RENOVATE_AUTODISCOVER_FILTER: ${{ github.repository }} 51 | RENOVATE_DRY_RUN: ${{ inputs.dryRun }} 52 | RENOVATE_PLATFORM: github 53 | with: 54 | token: ${{ steps.token.outputs.token }} 55 | renovate-version: ${{ inputs.version }} 56 | -------------------------------------------------------------------------------- /.github/workflows/require-terragrunt.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 3 | name: Require Terragrunt Plan and Apply 4 | on: 5 | pull_request: 6 | branches: 7 | - main 8 | paths: 9 | - infrastructure/** 10 | 11 | jobs: 12 | create-plan-check: 13 | runs-on: ubuntu-latest 14 | steps: 15 | - name: Checkout code 16 | uses: actions/checkout@v4 17 | 18 | - name: Get Token 19 | id: get_workflow_token 20 | uses: peter-murray/workflow-application-token-action@v4 21 | with: 22 | application_id: ${{ secrets.APPLICATION_ID }} 23 | application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} 24 | 25 | - name: Create 'terragrunt-plan' Check run 26 | id: create-terragrunt-plan-check 27 | uses: LouisBrunner/checks-action@v2 28 | with: 29 | name: Terragrunt plan 30 | token: ${{ steps.get_workflow_token.outputs.token }} 31 | status: queued 32 | 33 | - name: Create 'terragrunt-apply' Check run 34 | id: create-terragrunt-apply-check 35 | uses: LouisBrunner/checks-action@v2 36 | with: 37 | name: Terragrunt apply 38 | token: ${{ steps.get_workflow_token.outputs.token }} 39 | 
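status: queued
--------------------------------------------------------------------------------
/.github/workflows/slash-command-dispatch.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json

# Turns a `/terragrunt ...` comment on an issue or PR into a workflow_dispatch
# of the terragrunt command workflow, passing the commenting PR's head commit.
#
# Security notes:
# - issue_comment runs in the default-branch context, so this workflow itself
#   is trusted code, but `commit_sha` below is whatever the PR head is. The
#   dispatched workflow presumably checks out and plans/applies that commit
#   with cloud credentials, so `permission: admin` is the only gate between an
#   arbitrary PR and privileged execution — keep it, and keep it at admin.
# - All `uses:` references are mutable tags; pin each to a full commit SHA
#   (Renovate can maintain digest pins) to close the tag-retarget path.
name: Slash Command Dispatch
on:
  issue_comment:
    types: [created]
jobs:
  slashCommandDispatch:
    runs-on: ubuntu-latest
    permissions:
      actions: write # Allow create workflow dispatch events
      pull-requests: write # For doing the emoji reaction on a PR comment
      issues: write # For doing the emoji reaction on an issue comment
      # NOTE(review): only `repository_dispatch` needs contents:write; with
      # `dispatch-type: workflow` below this is likely droppable — confirm
      # against the action's docs before removing.
      contents: write # For executing the repository_dispatch event
    steps:
      - uses: xt0rted/pull-request-comment-branch@v3
        id: comment-branch

      # The former "Get Token" step minted a GitHub App installation token from
      # APPLICATION_ID/APPLICATION_PRIVATE_KEY that no later step consumed (the
      # dispatch step uses GITHUB_TOKEN, see the linked issue). Removed: an
      # unused privileged token in the job log/env is exposure for no benefit.

      - name: Slash Command Dispatch
        id: scd
        uses: peter-evans/slash-command-dispatch@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }} # https://github.com/peter-evans/slash-command-dispatch/issues/147
          permission: admin
          commands: |
            terragrunt
          dispatch-type: workflow
          static-args: |
            path="infrastructure/clusters/staging"
            commit_sha="${{ steps.comment-branch.outputs.head_sha }}"

      - name: Edit comment with error message
        if: steps.scd.outputs.error-message
        uses: peter-evans/create-or-update-comment@v4
        with:
          comment-id: ${{ github.event.comment.id }}
          body: |
            > ${{ steps.scd.outputs.error-message }}
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
*.secret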
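kubeconfig.yaml
*.kubeconfig
age.agekey
Brewfile.lock.json

.certs/
.secrets/

*.tfvars
**/./terraform/
**/.terraform
terraform.*
*/secrets.hcl
tfplan
.DS_Store
**/rke_debug.log

# Terraform
.terraform
*.tfstate
*.tfstate.backup

# Terragrunt
.terragrunt-cache

out.yaml
errors.log
krr.yaml

.task


# The rendered inventory holds BMC/IPMI credentials in plaintext (see
# .taskfiles/inventory/resources/inventory.yaml.dist); it must never be committed.
**/inventory.yaml
**/.rendered
--------------------------------------------------------------------------------
/.opentofu-version:
--------------------------------------------------------------------------------
1.8.9
--------------------------------------------------------------------------------
/.taskfiles/inventory/resources/inventory.yaml.dist:
--------------------------------------------------------------------------------
# Template for the per-machine IPMI inventory. Copy to inventory.yaml (ignored
# via the `**/inventory.yaml` rule in .gitignore) and fill in real values. The
# credentials are plaintext, so keep the rendered file out of the repo and off
# shared machines.
hosts:
  host1:
    hostname: host1-ipmi.local
    username: user
    password: pass
--------------------------------------------------------------------------------
/.taskfiles/kubernetes/resources/template-helm-release.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Render a Flux-managed Helm chart locally with `helm template`.
#
# Usage: template-helm-release.sh <release-dir> <values-file> <out-dir>
#   release-dir  kustomize directory that yields a HelmRepository and a HelmRelease
#   values-file  values file handed to `helm template --values`
#   out-dir      directory for `helm template --output-dir`
#
# Environment:
#   HELM_CHART_VERSION  required. Presumably substituted into the rendered
#                       manifests by `flux envsubst`; it is validated *before*
#                       rendering so an unset value cannot slip through.
#
# `-u` turns a missing positional argument into a hard error instead of an
# empty path, and `pipefail` makes a failing `kustomize build` abort the run
# instead of leaving `$kustomize` empty and producing confusing "not found"
# errors further down.
set -euo pipefail

if [[ $# -ne 3 ]]; then
  echo "usage: $0 <release-dir> <values-file> <out-dir>" >&2
  exit 1
fi

release=$1
values=$2
outdir=$3

if [[ -z "${HELM_CHART_VERSION:-}" ]]; then
  echo "❌ Helm chart version not found in environment"
  exit 1
fi

kustomize=$(kustomize build "$release" | flux envsubst)
url=$(echo "$kustomize" | yq 'select(.kind == "HelmRepository") | .spec.url')
oci=$(echo "$kustomize" | yq 'select(.kind == "HelmRepository") | .spec.type')
chart=$(echo "$kustomize" | yq 'select(.kind == "HelmRelease") | .spec.chart.spec.chart')
version=$(echo "$kustomize" | yq 'select(.kind == "HelmRelease") | .spec.chart.spec.version')

if [[ -z "$url" ]]; then
  echo "❌ HelmRepository not found in $release/kustomization.yaml"
  exit 1
fi

if [[ -z "$chart" ]]; then
  echo "❌ HelmRelease not found in $release/kustomization.yaml"
  exit 1
fi

if [[ -z "$version" ]]; then
  echo "❌ HelmRelease version not found in $release/kustomization.yaml"
  exit 1
fi

# Every expansion is quoted: repository URLs, chart names and paths come from
# manifests and argv, and unquoted they are word-split and glob-expanded before
# helm ever sees them.
if [[ "$oci" == "oci" ]]; then
  helm template "$chart" "$url/$chart" --version "$version" --values "$values" --output-dir "$outdir"
else
  helm template "$chart" --repo "$url" --version "$version" --values "$values" --output-dir "$outdir"
fi
--------------------------------------------------------------------------------
/.taskfiles/terragrunt/taskfile.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3"

vars:
  INFRASTRUCTURE_DIR: "{{.ROOT_DIR}}/infrastructure"

tasks:
  format:
    desc: Formats Open Tofu & Terragrunt files.
    cmds:
      - terragrunt hclfmt
      - tofu fmt -recursive
    preconditions:
      - which tofu terragrunt
    sources:
      - "{{.INFRASTRUCTURE_DIR}}/**/*.tf"

  apply:
    desc: Applies terraform changes.
    cmds:
      - terragrunt apply -compact-warnings -concise

  plan:
    desc: Shows terraform changes.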
26 | cmds: 27 | - terragrunt plan -compact-warnings -concise 28 | -------------------------------------------------------------------------------- /.terragrunt-version: -------------------------------------------------------------------------------- 1 | 0.83.0 2 | -------------------------------------------------------------------------------- /.vscode/extensions.json: -------------------------------------------------------------------------------- 1 | { 2 | "recommendations": [ 3 | "EditorConfig.EditorConfig", 4 | "hashicorp.terraform", 5 | "redhat.vscode-yaml", 6 | "BahramJoharshamshiri.hcl-lsp" 7 | ] 8 | } 9 | -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "editor.formatOnSave": true, 3 | "yaml.schemaStore.enable": true, 4 | "yaml.schemas": { 5 | "kubernetes": "manifests/**/*.yaml, clusters/**/*.yaml" 6 | }, 7 | "yaml.customTags": [ 8 | "!secret scalar", 9 | "!env_var scalar" 10 | ], 11 | "gitlens.blame.line.enabled": false,// was working in previous versions 12 | "gitlens.currentLine.enabled": false,// in modern version 13 | "gitlens.codeLens.authors.enabled": false, 14 | "gitlens.codeLens.recentChange.enabled": false, 15 | } 16 | -------------------------------------------------------------------------------- /Brewfile: -------------------------------------------------------------------------------- 1 | # Inventory 2 | brew "ipmitool" 3 | 4 | # Cloud Dependencies 5 | brew "awscli" 6 | 7 | # Kubernetes 8 | brew "kubectl" 9 | 10 | # Kubernetes tools 11 | brew "yq" 12 | brew "jq" 13 | brew "helm" 14 | brew "kustomize" 15 | brew "kubeconform" 16 | 17 | # Flux 18 | tap "fluxcd/tap" 19 | brew "fluxcd/tap/flux" 20 | 21 | # Cloudflare 22 | tap "cloudflare/cloudflare" 23 | brew "cloudflare/cloudflare/cf-terraforming" 24 | 25 | # Task 26 | brew "go-task" 27 | 28 | # OpenTofu 29 | tap 'tofuutils/tap' 30 | brew 'tgenv' 31 | 
brew 'tofuenv' 32 | brew "tflint" # Does not officially support OpenTofu https://github.com/terraform-linters/tflint/issues/2194#issuecomment-2558127231 33 | brew "terraform-docs" 34 | 35 | # Talos 36 | brew "talosctl" 37 | 38 | # Cilium 39 | brew "cilium-cli" 40 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 2 | Version 2, December 2004 3 | 4 | Copyright (C) 2004 Sam Hocevar 5 | 6 | Everyone is permitted to copy and distribute verbatim or modified 7 | copies of this license document, and changing it is allowed as long 8 | as the name is changed. 9 | 10 | DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 11 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 12 | 13 | 0. You just DO WHAT THE FUCK YOU WANT TO. 14 | -------------------------------------------------------------------------------- /Taskfile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | version: "3" 3 | 4 | includes: 5 | inventory: .taskfiles/inventory 6 | terragrunt: .taskfiles/terragrunt 7 | kubernetes: .taskfiles/kubernetes 8 | 9 | tasks: 10 | default: 11 | silent: true 12 | cmds: ["task -l"] 13 | -------------------------------------------------------------------------------- /docs/images/home-network-firewall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionfury/homelab/f0a1a75edfad191d8f19c1d1017af493e9b843db/docs/images/home-network-firewall.png -------------------------------------------------------------------------------- /docs/images/k8s-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionfury/homelab/f0a1a75edfad191d8f19c1d1017af493e9b843db/docs/images/k8s-logo.png 
-------------------------------------------------------------------------------- /docs/images/network-1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionfury/homelab/f0a1a75edfad191d8f19c1d1017af493e9b843db/docs/images/network-1.jpg -------------------------------------------------------------------------------- /docs/images/rack-back.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionfury/homelab/f0a1a75edfad191d8f19c1d1017af493e9b843db/docs/images/rack-back.jpg -------------------------------------------------------------------------------- /docs/images/rack-front.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionfury/homelab/f0a1a75edfad191d8f19c1d1017af493e9b843db/docs/images/rack-front.jpg -------------------------------------------------------------------------------- /infrastructure/accounts.hcl: -------------------------------------------------------------------------------- 1 | locals { 2 | unifi = { 3 | address = "https://192.168.1.1" 4 | site = "default" 5 | api_key_store = "/homelab/infrastructure/accounts/unifi/api-key" 6 | } 7 | 8 | github = { 9 | org = "ionfury" 10 | repository = "homelab" 11 | repository_path = "kubernetes/clusters" 12 | token_store = "/homelab/infrastructure/accounts/github/token" 13 | } 14 | 15 | cloudflare = { 16 | account = "homelab" 17 | email = "ionfury@gmail.com" 18 | api_token_store = "/homelab/infrastructure/accounts/cloudflare/token" 19 | zone_id = "799905ff93d585a9a0633949275cbf98" 20 | } 21 | 22 | #external_secrets = { 23 | # id_store = "/homelab/infrastructure/accounts/external-secrets/id" 24 | # secret_store = "/homelab/infrastructure/accounts/external-secrets/secret" 25 | #} 26 | 27 | healthchecksio = { 28 | api_key_store = "/homelab/infrastructure/accounts/healthchecksio/api-key" 29 | } 30 | } 31 | 32 
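--------------------------------------------------------------------------------
/infrastructure/hosts/pxeboot/terragrunt.hcl:
--------------------------------------------------------------------------------
include "root" {
  path = find_in_parent_folders("root.hcl")
}

terraform {
  # NOTE(review): `ref=` is a git tag, which is mutable. This module receives
  # SSH credential store paths, so prefer pinning to the tag's commit SHA
  # (Renovate can still track releases) so the fetched code cannot be swapped
  # under the same version string.
  source = "git::git@github.com:ionfury/homelab-modules.git//modules/pxe-pi?ref=v0.72.0"
}

inputs = {
  raspberry_pi = "rpi3"

  raspberry_pis = {
    rpi3 = {
      lan = {
        ip  = "192.168.10.210"
        mac = "b8:27:eb:68:d4:92"
      }
      # Only *store paths* are committed; the module presumably resolves the
      # actual user/password from the parameter store at apply time.
      ssh = {
        user_store = "/homelab/infrastructure/hosts/rpi3/ssh/user"
        pass_store = "/homelab/infrastructure/hosts/rpi3/ssh/pass"
      }
    }
  }
}
--------------------------------------------------------------------------------
/infrastructure/root.hcl:
--------------------------------------------------------------------------------
locals {
  accounts_vars = read_terragrunt_config(find_in_parent_folders("accounts.hcl"))
}

inputs = merge(
  local.accounts_vars.locals,
)

catalog {
  urls = [
    "https://github.com/ionfury/homelab-modules"
  ]
}

# Remote state: one object per terragrunt unit, server-side encrypted, with a
# DynamoDB lock table. State files routinely contain secrets resolved at apply
# time, so the bucket's IAM and bucket policy are the real access control here.
remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite"
  }
  config = {
    bucket         = "homelab-terragrunt-remote-state"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "us-east-2"
    encrypt        = true
    dynamodb_table = "terragrunt"
  }
}
--------------------------------------------------------------------------------
/kubernetes/clusters/base/_network-policy/allow-all-kube-system.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
# Effectively disables network policy for every pod in kube-system:
# `endpointSelector: {}` selects all pods in the namespace, and the rules allow
# ingress from and egress to `world`, `cluster` and every endpoint, on all
# ports. Keep this scoped to kube-system only; anything that must not be
# reachable from outside the cluster should not live in this namespace.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-all-kube-system
  namespace: kube-system
spec:
  endpointSelector: {}
  ingress:
    - fromEntities:
        - cluster
    - fromEndpoints:
        - {}
    - fromEntities:
        - world
  egress:
    - toEntities:
        - world
    - toEndpoints:
        - {}
    - toEntities:
        - cluster
--------------------------------------------------------------------------------
/kubernetes/clusters/base/_network-policy/allow-cluster-kubedns.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
# Cluster-wide DNS allow: port 53 only, and only to/from the kube-dns pods.
# There is no L7 `rules.dns` block, so every pod can resolve arbitrary names
# through kube-dns; add one if lookups should be restricted or logged.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-cluster-kube-dns-ingress
spec:
  description: "Policy for ingress allow to kube-dns from all Cilium managed endpoints in the cluster"
  endpointSelector:
    matchLabels:
      k8s:io.kubernetes.pod.namespace: kube-system
      k8s-app: kube-dns
  ingress:
    - fromEndpoints:
        - {}
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-cluster-kube-dns-egress
spec:
  description: "Policy for egress allow to kube-dns from all Cilium managed endpoints in the cluster"
  # An empty selector on a clusterwide policy selects every endpoint in every namespace.
  endpointSelector: {}
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
--------------------------------------------------------------------------------
/kubernetes/clusters/base/_network-policy/allow-labeled-egress-internet.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
# Opt-in internet egress. The `except` list is what stops this label from being
# a back door onto the LAN: every routable range that is *not* public internet
# has to be listed, otherwise a pod carrying only the internet label reaches it.
# NOTE(review): metadata.name (`allow-labeled-internet-egress`) does not follow
# the sibling `allow-labeled-egress-*` naming; renaming a CCNP recreates it, so
# do that deliberately rather than as a drive-by.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-labeled-internet-egress
spec:
  description: Allows egress to the public internet from pods labeled networking/allow-egress-internet=true, excluding RFC1918 private, RFC6598 shared and link-local ranges.
  endpointSelector:
    matchLabels:
      networking/allow-egress-internet: "true"
  egress:
    - toCIDRSet:
        - cidr: 0.0.0.0/0
          except:
            # RFC1918 — LAN access is granted separately by allow-labeled-egress-private.
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
            # RFC6598 shared address space. Tailscale assigns tailnet nodes
            # addresses from this range and a tailscale operator is present in
            # base, so without this exclusion "internet" egress also reaches the
            # tailnet wherever the node has a route to it.
            - 100.64.0.0/10
            # RFC3927 link-local: never public internet.
            - 169.254.0.0/16
--------------------------------------------------------------------------------
/kubernetes/clusters/base/_network-policy/allow-labeled-egress-kubeapi.yaml:
--------------------------------------------------------------------------------
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
# Opt-in egress to the API server via Cilium's `kube-apiserver` entity, on any
# port. This only opens the network path; RBAC still decides what the pod may do.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-labeled-egress-kubeapi
spec:
  description: "Policy for allowing traffic to egress to the kube api server."
  endpointSelector:
    matchLabels:
      networking/allow-egress-kubeapi: "true"
  egress:
    - toEntities:
        - kube-apiserver
# The ingress counterpart below is commented out. If it is ever re-enabled as
# written, the empty `endpointSelector` would select every endpoint in the
# cluster — give it a label selector first.
#---
#apiVersion: cilium.io/v2
#kind: CiliumClusterwideNetworkPolicy
#metadata:
#  name: allow-labeled-ingress-kubeapi
#spec:
#  description: "Policy for allowing traffic to ingress to the kube api server."
#  endpointSelector:
#  ingress:
#  - fromEntities:
#    - kube-apiserver
--------------------------------------------------------------------------------
/kubernetes/clusters/base/_network-policy/allow-labeled-egress-private.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
# Opt-in egress to the whole RFC1918 space on all ports. This is the LAN label:
# it reaches everything on the home network (e.g. the UniFi controller at
# 192.168.1.1 and the IPMI hosts from accounts.hcl / the inventory), so grant it
# sparingly and prefer a per-workload policy with `toPorts` where possible.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-labeled-egress-private
spec:
  description: Allows egress to RFC1918 private IP ranges from pods labeled networking/allow-egress-private=true.
  endpointSelector:
    matchLabels:
      networking/allow-egress-private: "true"
  egress:
    - toCIDR:
        - 192.168.0.0/16
        - 10.0.0.0/8
        - 172.16.0.0/12
--------------------------------------------------------------------------------
/kubernetes/clusters/base/_network-policy/allow-labeled-ingress-external.yaml:
--------------------------------------------------------------------------------
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-labeled-ingress-external
spec:
  description: Allows ingress to pods labeled networking/allow-ingress-external=true from external nginx pods.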
8 | endpointSelector: 9 | matchLabels: 10 | networking/allow-ingress-external: "true" 11 | ingress: 12 | - fromEndpoints: 13 | - matchLabels: 14 | k8s:io.kubernetes.pod.namespace: network 15 | app.kubernetes.io/instance: ingress-nginx-external-app 16 | app.kubernetes.io/name: ingress-nginx 17 | --- 18 | apiVersion: cilium.io/v2 19 | kind: CiliumClusterwideNetworkPolicy 20 | metadata: 21 | name: allow-labeled-egress-internal 22 | spec: 23 | description: Allows egress from external nginx pods to pods labeled networking/allow-ingress-external=true. 24 | endpointSelector: 25 | matchLabels: 26 | k8s:io.kubernetes.pod.namespace: network 27 | app.kubernetes.io/instance: ingress-nginx-external-app 28 | app.kubernetes.io/name: ingress-nginx 29 | egress: 30 | - toEndpoints: 31 | - matchLabels: 32 | networking/allow-ingress-external: "true" 33 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/_network-policy/allow-labeled-ingress-internal.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json 2 | apiVersion: cilium.io/v2 3 | kind: CiliumClusterwideNetworkPolicy 4 | metadata: 5 | name: allow-labeled-ingress-internal 6 | spec: 7 | description: Allows ingress to pods labeled networking/allow-ingress-internal=true from internal nginx pods. 
8 | endpointSelector: 9 | matchLabels: 10 | networking/allow-ingress-internal: "true" 11 | ingress: 12 | - fromEndpoints: 13 | - matchLabels: 14 | k8s:io.kubernetes.pod.namespace: network 15 | app.kubernetes.io/instance: ingress-nginx-internal-app 16 | app.kubernetes.io/name: ingress-nginx 17 | --- 18 | apiVersion: cilium.io/v2 19 | kind: CiliumClusterwideNetworkPolicy 20 | metadata: 21 | name: allow-labeled-egress-internal 22 | spec: 23 | description: Allows egress from internal nginx pods to pods labeled networking/allow-ingress-internal=true. 24 | endpointSelector: 25 | matchLabels: 26 | k8s:io.kubernetes.pod.namespace: network 27 | app.kubernetes.io/instance: ingress-nginx-internal-app 28 | app.kubernetes.io/name: ingress-nginx 29 | egress: 30 | - toEndpoints: 31 | - matchLabels: 32 | networking/allow-ingress-internal: "true" 33 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/_network-policy/allow-labeled-ingress-private.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json 3 | apiVersion: cilium.io/v2 4 | kind: CiliumClusterwideNetworkPolicy 5 | metadata: 6 | name: allow-labeled-ingress-private 7 | spec: 8 | description: Allows ingress from the 192.168.0.0/16 private IP range to pods labeled networking/allow-ingress-private=true. 
9 | endpointSelector: 10 | matchLabels: 11 | networking/allow-ingress-private: "true" 12 | ingress: 13 | - fromCIDR: 14 | - 192.168.0.0/16 15 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/_network-policy/allow-labeled-ingress-prometheus.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json 3 | apiVersion: cilium.io/v2 4 | kind: CiliumClusterwideNetworkPolicy 5 | metadata: 6 | name: allow-labeled-ingress-prometheus 7 | spec: 8 | endpointSelector: 9 | matchLabels: 10 | networking/allow-ingress-prometheus: "true" 11 | ingress: 12 | - fromEndpoints: 13 | - matchLabels: 14 | app.kubernetes.io/name: prometheus 15 | k8s:io.kubernetes.pod.namespace: monitoring 16 | #--- 17 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json 18 | #apiVersion: cilium.io/v2 19 | #kind: CiliumClusterwideNetworkPolicy 20 | #metadata: 21 | # name: allow-labeled-egress 22 | #spec: 23 | # endpointSelector: 24 | # matchLabels: 25 | # app.kubernetes.io/name: prometheus 26 | # k8s:io.kubernetes.pod.namespace: monitoring 27 | # egress: 28 | # - toEndpoints: 29 | # - matchLabels: 30 | # networking/allow-ingress-prometheus: "true" 31 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/_network-policy/allow-labeled-to-cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cilium.io/v2 2 | kind: CiliumClusterwideNetworkPolicy 3 | metadata: 4 | name: allow-egress-to-cluster 5 | spec: 6 | description: "Allow labeled pods to egress to cluster node IPs" 7 | endpointSelector: 8 | matchLabels: 9 | networking/allow-cluster-egress: "true" 10 | egress: 11 | - toEntities: 12 | - cluster 13 | 
--------------------------------------------------------------------------------
/kubernetes/clusters/base/_network-policy/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Only three of the policies in this directory are active. The commented
# entries are the ones that would put selected endpoints into default-deny;
# allow-labeled-ingress-external.yaml is present on disk but not listed here
# at all, so it is neither enabled nor tracked as disabled.
resources:
  - allow-all-kube-system.yaml
  #- allow-cluster-kubedns.yaml
  #- allow-labeled-egress-internet.yaml
  #- allow-labeled-egress-kubeapi.yaml
  #- allow-labeled-egress-private.yaml
  #- allow-labeled-ingress-internal.yaml
  #- allow-labeled-ingress-private.yaml
  - allow-labeled-ingress-prometheus.yaml
  - allow-labeled-to-cluster.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/base/actions-runner-system/actions-runner-controller.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: actions-runner-controller
spec:
  path: kubernetes/manifests/helm-release-oci/actions-runner-controller
  postBuild:
    substitute:
      # OCI chart tag consumed by the shared helm-release-oci manifest.
      OCI_REPOSITORY_TAG: 0.11.0
--------------------------------------------------------------------------------
/kubernetes/clusters/base/actions-runner-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: actions-runner-system
resources:
  - ../../../manifests/common/resources/namespace
  - actions-runner-controller.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/base/cert-manager/cert-manager.yaml:
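--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cert-manager
spec:
  path: kubernetes/manifests/helm-release/cert-manager
  postBuild:
    substitute:
      HELM_CHART_VERSION: 1.17.1
--------------------------------------------------------------------------------
/kubernetes/clusters/base/cert-manager/issuers.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: issuers
spec:
  # Issuers need cert-manager CRDs and the secrets delivered by external-secrets.
  dependsOn:
    - name: cert-manager
    - name: external-secrets
  path: kubernetes/manifests/common/resources/issuers
--------------------------------------------------------------------------------
/kubernetes/clusters/base/cert-manager/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager
resources:
  - ../../../manifests/common/resources/namespace
  - cert-manager.yaml
  - issuers.yaml
  - policy.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/base/cert-manager/policy.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  # Enabled via ../kustomization.yaml. Selects every pod in cert-manager and
  # allows only same-namespace ingress and egress, which means default-deny
  # for everything else. cert-manager also needs egress to kube-apiserver and
  # DNS (and ingress from the apiserver for its webhook); nothing visible in
  # base grants that — confirm a cluster-level overlay does.
  endpointSelector: {}
  ingress:
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: cert-manager
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: cert-manager
--------------------------------------------------------------------------------
/kubernetes/clusters/base/kube-system/cilium-config.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cilium-config
spec:
  dependsOn:
    - name: cilium
  path: kubernetes/manifests/common/resources/cilium-config
--------------------------------------------------------------------------------
/kubernetes/clusters/base/kube-system/cilium.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cilium
spec:
  path: kubernetes/manifests/helm-release/cilium
  postBuild:
    substitute:
      # Resolved per cluster from the Flux substitution variables.
      HELM_CHART_VERSION: ${cilium_version}
--------------------------------------------------------------------------------
/kubernetes/clusters/base/kube-system/descheduler.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: descheduler
spec:
  path: kubernetes/manifests/helm-release/descheduler
  postBuild:
    substitute:
      HELM_CHART_VERSION: 0.32.1
--------------------------------------------------------------------------------
/kubernetes/clusters/base/kube-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
# kube-system already exists, so the namespace is configured via a component
# rather than created from common/resources/namespace like the other dirs.
components:
  - ../../../manifests/common/components/configurations/namespace
resources:
  - cilium-config.yaml
  - cilium.yaml
  - descheduler.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/base/kube-system/policy.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  # Not listed in ../kustomization.yaml, so currently inert. The namespace
  # labels below were the template placeholder `your-namespace`, which would
  # have matched no pods and left the selected endpoints fully isolated in
  # both directions if the file were ever enabled.
  endpointSelector: {}
  ingress:
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
--------------------------------------------------------------------------------
/kubernetes/clusters/base/kubevirt/containerized-data-importer-operator.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: containerized-data-importer-operator
spec:
  path: kubernetes/manifests/kustomize/containerized-data-importer-operator
--------------------------------------------------------------------------------
/kubernetes/clusters/base/kubevirt/containerized-data-importer.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: containerized-data-importer
spec:
  dependsOn:
    - name: containerized-data-importer-operator
  path: kubernetes/manifests/kustomize/containerized-data-importer
--------------------------------------------------------------------------------
/kubernetes/clusters/base/kubevirt/kubevirt-operator.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kubevirt-operator
spec:
  path: kubernetes/manifests/kustomize/kubevirt-operator
--------------------------------------------------------------------------------
/kubernetes/clusters/base/kubevirt/kubevirt.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kubevirt
spec:
  dependsOn:
    - name: kubevirt-operator
  path: kubernetes/manifests/kustomize/kubevirt
--------------------------------------------------------------------------------
/kubernetes/clusters/base/kubevirt/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubevirt
resources:
  - ../../../manifests/common/resources/namespace
  - containerized-data-importer-operator.yaml
  - containerized-data-importer.yaml
  - kubevirt-operator.yaml
  - kubevirt.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/base/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
#components:
#  - ../../manifests/common/components/configurations/kustomization
#  - ../../manifests/common/components/flux-kustomization-defaults
# rook-ceph exists under base/ but is not included here.
resources:
  - _network-policy
  - actions-runner-system
  - cert-manager
  - kube-system
  - kubevirt
  - longhorn-system
  - monitoring
  - network
  - system
  - tailscale
--------------------------------------------------------------------------------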
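/kubernetes/clusters/base/longhorn-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: longhorn-system
#components:
#  - ../.network-policies
# policy.yaml in this directory is not listed, so no network policy applies
# to longhorn-system from base.
resources:
  - ../../../manifests/common/resources/namespace
  - longhorn-storage.yaml
  - longhorn.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/base/longhorn-system/longhorn-storage.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: longhorn-storage
spec:
  path: kubernetes/manifests/common/resources/longhorn-storage
  dependsOn:
    - name: longhorn
  postBuild:
    substitute:
      # Per-cluster replica count supplied through Flux substitution.
      replica_count: ${default_replica_count}

--------------------------------------------------------------------------------
/kubernetes/clusters/base/longhorn-system/longhorn.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: longhorn
spec:
  path: kubernetes/manifests/helm-release/longhorn
  postBuild:
    substitute:
      HELM_CHART_VERSION: 1.8.0
      storage_replica_count: ${default_replica_count}

--------------------------------------------------------------------------------
/kubernetes/clusters/base/longhorn-system/policy.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  # Not listed in ../kustomization.yaml, so currently inert. The namespace
  # labels below were the template placeholder `your-namespace`, which would
  # have matched no pods and left the selected endpoints fully isolated in
  # both directions if the file were ever enabled.
  endpointSelector: {}
  ingress:
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: longhorn-system
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: longhorn-system
--------------------------------------------------------------------------------
/kubernetes/clusters/base/monitoring/canary-checker.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: canary-checker
spec:
  path: kubernetes/manifests/helm-release/canary-checker
  postBuild:
    substitute:
      HELM_CHART_VERSION: 1.1.1
--------------------------------------------------------------------------------
/kubernetes/clusters/base/monitoring/grafana-loki-single-binary.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: grafana-loki-single-binary
spec:
  path: kubernetes/manifests/helm-release/grafana-loki-single-binary
  postBuild:
    substitute:
      HELM_CHART_VERSION: 6.25.0
--------------------------------------------------------------------------------
/kubernetes/clusters/base/monitoring/grafana.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: grafana
spec:
  path: kubernetes/manifests/helm-release/grafana
  # Datasources (Prometheus, Loki via promtail) must exist before Grafana.
  dependsOn:
    - name: kube-prometheus-stack
    - name: promtail
  postBuild:
    substitute:
      HELM_CHART_VERSION: 8.8.5
--------------------------------------------------------------------------------
/kubernetes/clusters/base/monitoring/kube-prometheus-stack-crds.yaml: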
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kube-prometheus-stack-crds
spec:
  path: kubernetes/manifests/helm-release/kube-prometheus-stack-crds
  postBuild:
    substitute:
      HELM_CHART_VERSION: 17.0.2
--------------------------------------------------------------------------------
/kubernetes/clusters/base/monitoring/kube-prometheus-stack.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kube-prometheus-stack
spec:
  path: kubernetes/manifests/helm-release/kube-prometheus-stack
  # CRDs are installed by a separate release; external-secrets supplies the
  # secrets the stack references.
  dependsOn:
    - name: kube-prometheus-stack-crds
    - name: external-secrets
  postBuild:
    substitute:
      HELM_CHART_VERSION: 72.3.1
--------------------------------------------------------------------------------
/kubernetes/clusters/base/monitoring/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
resources:
  - ../../../manifests/common/resources/namespace

  - canary-checker.yaml
  - grafana.yaml
  - grafana-loki-single-binary.yaml
  - kube-prometheus-stack-crds.yaml
  - kube-prometheus-stack.yaml
  - promtail.yaml
  # Same-namespace policy is present but disabled (see policy.yaml).
  #- policy.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/base/monitoring/policy.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  # Disabled in ../kustomization.yaml. If enabled, every pod in monitoring is
  # limited to same-namespace traffic in both directions; prometheus scraping
  # other namespaces would then also need an egress allow (the commented-out
  # document in _network-policy/allow-labeled-ingress-prometheus.yaml is the
  # obvious candidate) plus DNS and kube-apiserver egress.
  endpointSelector: {}
  ingress:
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: monitoring
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: monitoring
--------------------------------------------------------------------------------
/kubernetes/clusters/base/monitoring/promtail.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: promtail
spec:
  path: kubernetes/manifests/helm-release/promtail
  dependsOn:
    - name: grafana-loki-single-binary
  postBuild:
    substitute:
      HELM_CHART_VERSION: 6.16.6
--------------------------------------------------------------------------------
/kubernetes/clusters/base/network/certificates.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: certificates
spec:
  path: kubernetes/manifests/common/resources/certificates
  dependsOn:
    - name: cert-manager
    - name: issuers
--------------------------------------------------------------------------------
/kubernetes/clusters/base/network/ingress-nginx-external.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: ingress-nginx-external
spec:
  dependsOn:
    - name: issuers
    - name: cilium-config
  # Shared ingress-nginx release; the external/internal controllers differ
  # only in the substitutions below.
  path: kubernetes/manifests/helm-release/ingress-nginx
  postBuild:
    substitute:
      HELM_CHART_VERSION: 4.12.0
      ingress_class: external
      domain: ${external_domain}
      ingress_ip: ${external_ingress_ip}
      # Default TLS secret, namespace/name; must be produced by certificates.yaml.
      default_cert: network/external-tls

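--------------------------------------------------------------------------------
/kubernetes/clusters/base/network/ingress-nginx-internal.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: ingress-nginx-internal
spec:
  dependsOn:
    - name: issuers
    - name: cilium-config
  # Same shared release as ingress-nginx-external; only the substitutions differ.
  path: kubernetes/manifests/helm-release/ingress-nginx
  postBuild:
    substitute:
      HELM_CHART_VERSION: 4.12.0
      ingress_class: internal
      domain: ${internal_domain}
      ingress_ip: ${internal_ingress_ip}
      default_cert: network/internal-tls


--------------------------------------------------------------------------------
/kubernetes/clusters/base/network/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: network
#components:
#  - ../.network-policies
# policy.yaml in this directory is not listed; the ingress controllers run
# without a namespace-scoped policy from base.
resources:
  - ../../../manifests/common/resources/namespace
  - certificates.yaml
  - ingress-nginx-external.yaml
  - ingress-nginx-internal.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/base/network/policy.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  # Not listed in ../kustomization.yaml, so currently inert. The namespace
  # labels below were the template placeholder `your-namespace`, which would
  # have matched no pods and left the selected endpoints fully isolated in
  # both directions if the file were ever enabled. Note that enabling this as-is
  # would also block the ingress controllers' traffic from `world` and to
  # backends in other namespaces.
  endpointSelector: {}
  ingress:
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: network
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: network
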
-------------------------------------------------------------------------------- /kubernetes/clusters/base/rook-ceph/cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: rook-ceph-staging-cluster 6 | spec: 7 | dependsOn: 8 | - name: rook-ceph 9 | path: kubernetes/clusters/base/rook-ceph/resources 10 | postBuild: 11 | substitute: 12 | #OCI_REPOSITORY_TAG: 0.11.0 13 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/rook-ceph/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | namespace: rook-ceph 4 | commonLabels: 5 | pod-security.kubernetes.io/enforce: privileged 6 | pod-security.kubernetes.io/enforce-version: latest 7 | resources: 8 | - ../../../manifests/common/resources/namespace 9 | - operator.yaml 10 | - cluster.yaml 11 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/rook-ceph/operator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: rook-ceph 5 | spec: 6 | dependsOn: 7 | - name: cilium 8 | - name: cilium-config 9 | path: kubernetes/manifests/helm-release/rook-ceph 10 | #postBuild: 11 | # substitute: 12 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/rook-ceph/resources/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | 
namePrefix: staging- 6 | resources: 7 | - ../../../../manifests/common/resources/helm-release 8 | configMapGenerator: 9 | - name: values 10 | behavior: replace 11 | files: 12 | - values.yaml 13 | patches: 14 | - target: 15 | kind: HelmRelease 16 | patch: |- 17 | - op: replace 18 | path: /spec/chart/spec/chart 19 | value: rook-ceph-cluster 20 | - op: add 21 | path: /spec/releaseName 22 | value: staging 23 | - target: 24 | kind: HelmRepository 25 | name: app 26 | patch: |- 27 | - op: replace 28 | path: /spec/url 29 | value: https://charts.rook.io/release 30 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/rook-ceph/resources/values.yaml: -------------------------------------------------------------------------------- 1 | # https://github.com/rook/rook/blob/master/deploy/charts/rook-ceph-cluster/values.yaml 2 | cluster_name: "staging" 3 | operatorNamespace: rook-ceph 4 | configOverride: | 5 | [global] 6 | osd_pool_default_size: "1" 7 | mon_warn_on_pool_no_redundancy: "false" 8 | bdev_flock_retry: "20" 9 | bluefs_buffered_io: "false" 10 | mon_data_avail_warn: "10" 11 | monitoring: 12 | enabled: true 13 | createPrometheusRules: true 14 | cephClusterSpec: 15 | dataDirHostPath: /var/lib/rook 16 | cephVersion: 17 | image: quay.io/ceph/ceph:v19 18 | allowUnsupported: true 19 | mon: 20 | count: 1 21 | allowMultiplePerNode: true 22 | # test environments can skip ok-to-stop checks during upgrades 23 | skipUpgradeChecks: true 24 | mgr: 25 | count: 1 26 | allowMultiplePerNode: true 27 | modules: 28 | - name: rook 29 | enabled: true 30 | dashboard: 31 | enabled: true 32 | crashCollector: 33 | disable: true 34 | storage: 35 | useAllNodes: false 36 | useAllDevices: false 37 | nodes: 38 | - name: "node44" 39 | devicePathFilter: "^/dev/disk/by-id/ata-KINGSTON_SEDC500M480G.*" 40 | healthCheck: 41 | daemonHealth: 42 | mon: 43 | interval: 45s 44 | timeout: 600s 45 | priorityClassNames: 46 | all: system-node-critical 47 | mgr: 
system-cluster-critical 48 | disruptionManagement: 49 | managePodBudgets: true 50 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/system/external-secrets-stores.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: external-secrets-stores 6 | spec: 7 | path: kubernetes/manifests/common/resources/external-secret-stores 8 | dependsOn: 9 | - name: external-secrets 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/system/external-secrets.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: external-secrets 5 | spec: 6 | path: kubernetes/manifests/helm-release/external-secrets 7 | postBuild: 8 | substitute: 9 | HELM_CHART_VERSION: 0.13.0 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | namespace: system 4 | 5 | resources: 6 | - ../../../manifests/common/resources/namespace 7 | 8 | - external-secrets-stores.yaml 9 | - external-secrets.yaml 10 | - reloader.yaml 11 | - replicator.yaml 12 | - secret-generator.yaml 13 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/system/policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumnetworkpolicy_v2.json 3 | apiVersion: cilium.io/v2 4 | kind: 
CiliumNetworkPolicy 5 | metadata: 6 | name: allow-same-namespace 7 | spec: 8 | endpointSelector: {} 9 | ingress: 10 | - fromEndpoints: 11 | - matchLabels: 12 | k8s:io.kubernetes.pod.namespace: your-namespace
# NOTE(review): "your-namespace" is an unsubstituted placeholder, and endpointSelector: {}
# selects every pod in the namespace. Applied as-is, the only peers allowed in or out would be
# pods in a namespace literally named "your-namespace", i.e. real traffic is dropped.
# The file is not listed in system/kustomization.yaml today, so it is inert; replace the
# placeholder with the target namespace before wiring it in.
13 | egress: 14 | - toEndpoints: 15 | - matchLabels: 16 | k8s:io.kubernetes.pod.namespace: your-namespace 17 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/system/reloader.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: reloader 5 | spec: 6 | path: kubernetes/manifests/helm-release/reloader 7 | postBuild: 8 | substitute: 9 | HELM_CHART_VERSION: v1.2.1 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/system/replicator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: replicator 5 | spec: 6 | path: kubernetes/manifests/helm-release/replicator 7 | postBuild: 8 | substitute: 9 | HELM_CHART_VERSION: 2.11.0 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/system/secret-generator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: secret-generator 5 | spec: 6 | path: kubernetes/manifests/helm-release/secret-generator 7 | postBuild: 8 | substitute: 9 | HELM_CHART_VERSION: 3.4.0 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/tailscale/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | 
apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: tailscale 6 | resources: 7 | - ../../../manifests/common/resources/namespace 8 | - operator.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/clusters/base/tailscale/operator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: tailscale-operator 6 | spec: 7 | path: kubernetes/manifests/helm-release/tailscale-operator 8 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/cert-manager/cert-manager.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: cert-manager 6 | spec: 7 | path: kubernetes/manifests/helm-release/cert-manager 8 | postBuild: 9 | substitute: 10 | HELM_CHART_VERSION: 1.16.3 11 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/cert-manager/issuers.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: issuers 6 | spec: 7 | path: kubernetes/manifests/common/resources/issuers 8 | dependsOn: 9 | - name: cert-manager 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: cert-manager 6 | resources: 7 | - ../../../manifests/common/resources/namespace 8 | 9 | - 
cert-manager.yaml 10 | - issuers.yaml 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/default/helm-release-app-template-repo.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: helm-release-app-template-repo 6 | spec: 7 | path: kubernetes/manifests/common/resources/helm-release-app-template-repo 8 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - helm-release-app-template-repo.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/flux-system/gotk-sync.yaml: -------------------------------------------------------------------------------- 1 | # This manifest was generated by flux. DO NOT EDIT. 
2 | --- 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: GitRepository 5 | metadata: 6 | name: flux-system 7 | namespace: flux-system 8 | spec: 9 | interval: 1m0s 10 | ref: 11 | branch: main 12 | secretRef: 13 | name: flux-system 14 | url: https://github.com/ionfury/homelab.git 15 | --- 16 | apiVersion: kustomize.toolkit.fluxcd.io/v1 17 | kind: Kustomization 18 | metadata: 19 | name: flux-system 20 | namespace: flux-system 21 | spec: 22 | interval: 10m0s 23 | path: ./kubernetes/clusters/dev 24 | prune: true 25 | sourceRef: 26 | kind: GitRepository 27 | name: flux-system 28 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/games/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: games 6 | #components: 7 | # - ../.network-policies 8 | resources: 9 | - ../../../manifests/common/resources/namespace 10 | - valheim-devheim.yaml 11 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/games/valheim-devheim.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: valheim-devheim 6 | spec: 7 | path: kubernetes/manifests/helm-release-app-template-oci/valheim 8 | postBuild: 9 | substitute: 10 | instance: devheim 11 | ingress_ip: ${devheim_ingress_ip} 12 | #IMAGE_REPOSITORY: docker.io/mbround18/valheim 13 | #IMAGE_TAG: 3.1.0 14 | 15 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/kube-system/cilium-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | 
kind: Kustomization 4 | metadata: 5 | name: cilium-config 6 | spec: 7 | path: kubernetes/manifests/common/resources/cilium-config 8 | dependsOn: 9 | - name: cilium 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/kube-system/cilium.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: cilium 6 | spec: 7 | path: kubernetes/manifests/helm-release/cilium 8 | postBuild: 9 | substitute: 10 | HELM_CHART_VERSION: ${cilium_version} 11 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/kube-system/descheduler.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: descheduler 6 | spec: 7 | path: kubernetes/manifests/helm-release/descheduler 8 | postBuild: 9 | substitute: 10 | HELM_CHART_VERSION: 0.32.1 11 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/kube-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | components: 7 | - ../../../manifests/common/components/configurations/namespace 8 | resources: 9 | - cilium-config.yaml 10 | - cilium.yaml 11 | - descheduler.yaml 12 | - spegel.yaml 13 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/kube-system/spegel.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 
| name: spegel 6 | spec: 7 | path: kubernetes/manifests/helm-release/spegel 8 | dependsOn: 9 | - name: cilium 10 | postBuild: 11 | substitute: 12 | HELM_CHART_VERSION: v0.0.28 13 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | components: 6 | - ../../manifests/common/components/configurations/kustomization 7 | - ../../manifests/common/components/flux-kustomization-defaults 8 | resources: 9 | - default 10 | - cert-manager 11 | - flux-system 12 | - kube-system 13 | - games 14 | - longhorn-system 15 | - network 16 | - system 17 | patches: 18 | - target: 19 | kind: Kustomization 20 | patch: | 21 | - op: replace 22 | path: /metadata/namespace 23 | value: flux-system 24 | configMapGenerator: 25 | - name: cluster-vars 26 | options: 27 | disableNameSuffixHash: true 28 | namespace: flux-system 29 | behavior: create 30 | envs: 31 | - generated-cluster-vars.env 32 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/longhorn-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: longhorn-system 6 | #components: 7 | # - ../.network-policies 8 | resources: 9 | - ../../../manifests/common/resources/namespace 10 | - longhorn-storage.yaml 11 | - longhorn.yaml 12 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/longhorn-system/longhorn-storage.yaml: -------------------------------------------------------------------------------- 
1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: longhorn-storage 6 | spec: 7 | path: kubernetes/manifests/common/resources/longhorn-storage 8 | dependsOn: 9 | - name: longhorn 10 | 11 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/longhorn-system/longhorn.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: longhorn 6 | spec: 7 | path: kubernetes/manifests/helm-release/longhorn 8 | postBuild: 9 | substitute: 10 | HELM_CHART_VERSION: 1.8.0 11 | 12 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/network/certificates.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: certificates 6 | spec: 7 | path: kubernetes/manifests/common/resources/certificates 8 | dependsOn: 9 | - name: cert-manager 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/network/ingress-nginx-external.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: ingress-nginx-external 5 | spec: 6 | path: kubernetes/manifests/helm-release/ingress-nginx 7 | postBuild: 8 | substitute: 9 | HELM_CHART_VERSION: 4.12.0 10 | ingress_class: external 11 | domain: ${external_domain} 12 | ingress_ip: ${external_ingress_ip} 13 | default_cert: network/default-tls 14 | 15 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/network/ingress-nginx-internal.yaml: -------------------------------------------------------------------------------- 1 
| apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: ingress-nginx-internal 5 | spec: 6 | path: kubernetes/manifests/helm-release/ingress-nginx 7 | postBuild: 8 | substitute: 9 | HELM_CHART_VERSION: 4.12.0 10 | ingress_class: internal 11 | domain: ${internal_domain} 12 | ingress_ip: ${internal_ingress_ip} 13 | default_cert: network/default-tls 14 | 15 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/network/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: network 6 | #components: 7 | # - ../.network-policies 8 | resources: 9 | - ../../../manifests/common/resources/namespace 10 | - certificates.yaml 11 | - ingress-nginx-external.yaml 12 | - ingress-nginx-internal.yaml 13 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/system/external-secrets-stores.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: external-secrets-stores 6 | spec: 7 | path: kubernetes/manifests/common/resources/external-secret-stores 8 | dependsOn: 9 | - name: external-secrets 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/system/external-secrets.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: external-secrets 5 | spec: 6 | path: kubernetes/manifests/helm-release/external-secrets 7 | postBuild: 8 | substitute: 9 | HELM_CHART_VERSION: 0.13.0 10 | 
-------------------------------------------------------------------------------- /kubernetes/clusters/dev/system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: system 6 | #components: 7 | # - ../.network-policies 8 | resources: 9 | - ../../../manifests/common/resources/namespace 10 | - external-secrets-stores.yaml 11 | - external-secrets.yaml 12 | - reloader.yaml 13 | - replicator.yaml 14 | - secret-generator.yaml 15 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/system/reloader.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: reloader 5 | spec: 6 | path: kubernetes/manifests/helm-release/reloader 7 | postBuild: 8 | substitute: 9 | HELM_CHART_VERSION: v1.2.1 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/system/replicator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: replicator 5 | spec: 6 | path: kubernetes/manifests/helm-release/replicator 7 | postBuild: 8 | substitute: 9 | HELM_CHART_VERSION: 2.11.0 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/dev/system/secret-generator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1 2 | kind: Kustomization 3 | metadata: 4 | name: secret-generator 5 | spec: 6 | path: kubernetes/manifests/helm-release/secret-generator 7 | postBuild: 8 | substitute: 9 | HELM_CHART_VERSION: 
3.4.0 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/integration/generated-cluster-vars.env: -------------------------------------------------------------------------------- 1 | cilium_version=1.16.5 2 | cluster_endpoint=https://integration.tomnowak.work:6443
# the API endpoint is a public DNS name; whether port 6443 is reachable from outside the LAN
# is not visible here — confirm it is limited to the node subnet / VPN.
3 | cluster_name=integration 4 | cluster_node_subnet=192.168.10.0/24 5 | cluster_path=kubernetes/clusters/integration 6 | cluster_pod_subnet=172.30.0.0/16 7 | cluster_service_subnet=172.31.0.0/16 8 | cluster_vip=192.168.10.6 9 | default_replica_count=1 10 | flux_version=v2.4.0 11 | prometheus_version=20.0.0 12 | talos_version=v1.10.0 13 | test=best
# NOTE(review): test=best looks like a leftover debug value; it presumably lands in the
# cluster-vars ConfigMap like every other key here — remove it at the generator, not by hand.
14 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-egress-to-internet-except-private/source/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component
# (the $schema hint above points at the Flux Kustomization schema although this is a kustomize
# Component; editor-only, harmless at runtime — same in the sibling component files)
5 | resources: 6 | - network-policy.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-egress-to-internet-except-private/source/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-egress-to-internet-except-private 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | networking/allow-egress-to-internet-except-private: "true" 9 | policyTypes: 10 | - Egress 11 | egress: 12 | - to: 13 | - ipBlock: 14 | cidr: 0.0.0.0/0 15 | except: 16 | - 10.0.0.0/8 17 | - 172.16.0.0/12 18 | - 192.168.0.0/16
# NOTE(review): the except list covers RFC1918 only. 169.254.0.0/16 (link-local) and
# 100.64.0.0/10 (CGNAT, which is also the range Tailscale assigns — a tailscale operator is
# deployed from clusters/base) stay reachable from labeled pods, and the rule is IPv4-only.
# Labeled pods get no DNS egress from this policy; whatever allows kube-dns is not in this file.
19 | -------------------------------------------------------------------------------- 
/kubernetes/clusters/live/.network-policies/allow-egress-to-private/source/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - network-policy.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-egress-to-private/source/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-egress-to-private 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | networking/allow-egress-to-private: "true" 9 | policyTypes: 10 | - Egress 11 | egress: 12 | - to: 13 | - ipBlock: 14 | cidr: 192.168.0.0/16 15 | - ipBlock: 16 | cidr: 10.0.0.0/8 17 | - ipBlock: 18 | cidr: 172.16.0.0/12
# NOTE(review): this grants labeled pods egress to all of RFC1918, which includes the node
# subnet and control-plane VIP (192.168.10.x per cluster-vars.env) and, depending on the CNI,
# the pod/service ranges (172.30/172.31 in the integration vars). If the intent is "reach LAN
# services", a list of the specific /24s or hosts is a much smaller blast radius. Note also
# that .network-policies/kustomization.yaml does not list this source component under
# "Egress policies", so it is currently not applied anywhere.
19 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-ingress-from-external/destination/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - network-policy.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-ingress-from-external/destination/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-ingress-from-external 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | 
networking/allow-ingress-to-external-nginx: "true" 9 | policyTypes: 10 | - Ingress 11 | ingress: 12 | - from: 13 | - namespaceSelector: 14 | matchLabels: 15 | kubernetes.io/metadata.name: network 16 | podSelector: 17 | matchLabels: 18 | app.kubernetes.io/instance: ingress-nginx-external-app 19 | app.kubernetes.io/name: ingress-nginx 20 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-ingress-from-external/source/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - network-policy.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-ingress-from-external/source/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-egress-from-external 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app.kubernetes.io/instance: ingress-nginx-external-app 9 | app.kubernetes.io/name: ingress-nginx 10 | policyTypes: 11 | - Egress 12 | egress: 13 | - to: 14 | - podSelector: 15 | matchLabels: 16 | networking/allow-ingress-to-external-nginx: "true" 17 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-ingress-from-internal/destination/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | 
resources: 6 | - network-policy.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-ingress-from-internal/destination/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-ingress-from-internal 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | networking/allow-ingress-to-internal-nginx: "true" 9 | policyTypes: 10 | - Ingress 11 | ingress: 12 | - from: 13 | - namespaceSelector: 14 | matchLabels: 15 | kubernetes.io/metadata.name: network 16 | podSelector: 17 | matchLabels: 18 | app.kubernetes.io/instance: ingress-nginx-internal-app 19 | app.kubernetes.io/name: ingress-nginx 20 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-ingress-from-internal/source/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - network-policy.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-ingress-from-internal/source/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-egress-from-internal 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app.kubernetes.io/instance: ingress-nginx-internal-app 9 | app.kubernetes.io/name: ingress-nginx 10 | policyTypes: 11 | - Egress 12 | egress: 13 | - to: 14 | - podSelector: 15 | matchLabels: 16 | networking/allow-ingress-to-internal-nginx: "true" 17 | 
-------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-ingress-from-private/destination/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - network-policy.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-ingress-from-private/destination/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-ingress-from-private 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | networking/allow-ingress-from-private: "true" 9 | policyTypes: 10 | - Ingress 11 | ingress: 12 | - from: 13 | - ipBlock: 14 | cidr: 192.168.0.0/16 15 | #- ipBlock: 16 | # cidr: 10.0.0.0/8 17 | #- ipBlock: 18 | # cidr: 172.16.0.0/12 19 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-same-namespace/source/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - network-policy.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/allow-same-namespace/source/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | 
metadata: 4 | name: allow-same-namespace 5 | spec: 6 | podSelector: {} 7 | policyTypes: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - from: 12 | - podSelector: {} 13 | egress: 14 | - to: 15 | - podSelector: {} 16 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/.network-policies/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | components: 6 | # Generic Policies 7 | - allow-egress-to-internet-except-private/source 8 | - allow-same-namespace/source 9 | 10 | # Egress policies 11 | 12 | # Ingress Policies 13 | - allow-ingress-from-external/destination 14 | - allow-ingress-from-internal/destination 15 | - allow-ingress-from-private/destination 16 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/actions-runner-system/actions-runner-controller.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: actions-runner-controller 6 | spec: 7 | path: kubernetes/manifests/helm-release-oci/actions-runner-controller 8 | postBuild: 9 | substitute: 10 | OCI_REPOSITORY_TAG: 0.11.0 11 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/actions-runner-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: actions-runner-system 6 | resources: 7 | - ../../../manifests/common/resources/namespace 8 | - 
actions-runner-controller.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/actions-runners/actions-runner-homelab.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: actions-runner-homelab-staging
# NOTE(review): this file sits in clusters/live yet every name below carries a -staging suffix — confirm that is intended
6 | spec: 7 | path: kubernetes/manifests/helm-release-oci/actions-runner-scale-set 8 | postBuild: 9 | substitute: 10 | name: homelab-runner-staging 11 | secret: /homelab/kubernetes/live/homelab-runner 12 | storage_class: fast-unmanaged 13 | github_config_url: https://github.com/ionfury/homelab 14 | service_account: homelab-runner-staging 15 | image: ghcr.io/ionfury/homelab-modules-runner 16 | tag: latest
# a mutable tag means the image that executes CI jobs can change with no diff in git; pin a
# digest (or an immutable version tag) so what runs the jobs is reviewable and reproducible
17 | OCI_REPOSITORY_TAG: 0.11.0 18 | --- 19 | apiVersion: v1 20 | kind: ServiceAccount 21 | metadata: 22 | name: homelab-runner-staging 23 | --- 24 | apiVersion: rbac.authorization.k8s.io/v1 25 | kind: Role 26 | metadata: 27 | name: homelab-runner-staging 28 | rules: 29 | - apiGroups: [""] 30 | resources: ["pods"] 31 | verbs: ["get", "list", "create", "delete"] 32 | - apiGroups: [""] 33 | resources: ["pods/exec"] 34 | verbs: ["get", "create"] 35 | - apiGroups: [""] 36 | resources: ["pods/log"] 37 | verbs: ["get", "list", "watch"] 38 | - apiGroups: ["batch"] 39 | resources: ["jobs"] 40 | verbs: ["get", "list", "create", "delete"] 41 | - apiGroups: [""] 42 | resources: ["secrets"] 43 | verbs: ["create", "delete", "get", "list"]
# NOTE(review): this looks like the rule set ARC's kubernetes container mode asks for, but
# together the verbs let the runner SA exec into any pod and read every Secret in the
# actions-runners namespace, and every workflow job this runner executes inherits that.
# Keep the namespace dedicated to the runner, and confirm the GitHub credential referenced by
# "secret:" above is not a Secret this Role can read.
44 | --- 45 | apiVersion: rbac.authorization.k8s.io/v1 46 | kind: RoleBinding 47 | metadata: 48 | name: homelab-runner-staging 49 | roleRef: 50 | apiGroup: rbac.authorization.k8s.io 51 | kind: Role 52 | name: homelab-runner-staging 53 | subjects: 54 | - kind: ServiceAccount 55 | name: homelab-runner-staging 56 | namespace: actions-runners 57 | -------------------------------------------------------------------------------- 
/kubernetes/clusters/live/actions-runners/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: actions-runners 6 | resources: 7 | - ../../../manifests/common/resources/namespace 8 | - actions-runner-homelab-modules.yaml 9 | - actions-runner-homelab.yaml 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/cert-manager/cert-manager.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: cert-manager 6 | spec: 7 | path: kubernetes/manifests/helm-release/cert-manager 8 | postBuild: 9 | substitute: 10 | HELM_CHART_VERSION: 1.17.1 11 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/cert-manager/issuers.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: issuers 6 | spec: 7 | path: kubernetes/manifests/common/resources/issuers 8 | dependsOn: 9 | - name: cert-manager 10 | -------------------------------------------------------------------------------- /kubernetes/clusters/live/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: cert-manager 6 | resources: 7 | - ../../../manifests/common/resources/namespace 8 | - cert-manager.yaml 9 | - issuers.yaml 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 
--------------------------------------------------------------------------------
/kubernetes/clusters/live/cluster-vars.env:
--------------------------------------------------------------------------------
1 |
# NOTE(review): clusters/live/kustomization.yaml loads generated-cluster-vars.env, not this file, and the VIP/pool/ingress addresses below disagree with that file — this looks stale; confirm and remove it so nobody applies the wrong addresses by hand
2 | cluster_vip=192.168.10.69
3 | cluster_ip_pool_start=192.168.10.70
4 | cluster_ip_pool_stop=192.168.10.90
5 | cluster_l2_interfaces=["enp1s0f0","ens1f0"]
6 |
7 | internal_domain=tomnowak.work
8 | internal_ingress_ip=192.168.10.70
9 | external_domain=tomnowak.work
10 | external_ingress_ip=192.168.10.80
11 |
12 | default_replica_count="3"
13 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/default/helm-release-app-template-repo.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: helm-release-app-template-repo
6 | spec:
7 |   path: kubernetes/manifests/common/resources/helm-release-app-template-repo
8 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/default/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | kind: Kustomization
5 | namespace: default
# NOTE(review): "default" is not in the resources list of clusters/live/kustomization.yaml, so this directory is never reconciled in live — add it there or delete the directory
6 | resources:
7 |   - helm-release-app-template-repo.yaml
8 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/flux-system/gotk-sync.yaml:
--------------------------------------------------------------------------------
1 | # This manifest was generated by flux. DO NOT EDIT.
2 | ---
3 | apiVersion: source.toolkit.fluxcd.io/v1
4 | kind: GitRepository
5 | metadata:
6 |   name: flux-system
7 |   namespace: flux-system
8 | spec:
9 |   interval: 1m0s
10 |   ref:
11 |     branch: main
12 |   secretRef:
13 |     name: flux-system
14 |   url: https://github.com/ionfury/homelab.git
15 | ---
16 | apiVersion: kustomize.toolkit.fluxcd.io/v1
17 | kind: Kustomization
18 | metadata:
19 |   name: flux-system
20 |   namespace: flux-system
21 | spec:
22 |   interval: 10m0s
23 |   path: ./kubernetes/clusters/live
24 |   prune: true
25 |   sourceRef:
26 |     kind: GitRepository
27 |     name: flux-system
28 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/games/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | kind: Kustomization
5 | namespace: games
# NOTE(review): "games" is not in the resources list of clusters/live/kustomization.yaml, so nothing below is reconciled in live — confirm that is intended
6 | resources:
7 |   - ../../../manifests/common/resources/namespace
8 |   - valheim-plexheim.yaml
9 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/games/valheim-plexheim.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.toolkit.fluxcd.io/v1
2 | kind: Kustomization
3 | metadata:
4 |   name: plexheim
5 | spec:
6 |   path: ./manifests/apps/valheim-from-backup  # NOTE(review): every other Kustomization here uses a kubernetes/manifests/... path relative to the repo root; confirm ./manifests/... actually resolves from the GitRepository root
7 |   postBuild:
8 |     substitute:
9 |       IMAGE_REPOSITORY: lloesche/valheim-server  # NOTE(review): no registry host (implicitly docker.io); spell it out as system/cloudflared.yaml does so the pull source is explicit
10 |       IMAGE_TAG: latest  # NOTE(review): mutable tag — pin a version so image changes go through a commit
11 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/generated-cluster-vars.env:
--------------------------------------------------------------------------------
1 | cluster_id=1
2 | cluster_ip_pool_start=192.168.10.21
3 | cluster_ip_pool_stop=192.168.10.29
4 | internal_ingress_ip=192.168.10.22
5 | external_ingress_ip=192.168.10.23
6 | internal_domain=internal.tomnowak.work
7 |
external_domain=external.tomnowak.work
8 | cluster_l2_interfaces=["ens1f0"]
9 | cluster_name=live
10 | cluster_tld=tomnowak.work
11 | cluster_endpoint=https://live.k8s.tomnowak.work:6443
12 | cluster_vip=192.168.10.20
13 | cluster_node_subnet=192.168.10.0/24
14 | cluster_pod_subnet=172.18.0.0/16
15 | cluster_service_subnet=172.19.0.0/16
16 | cluster_path=kubernetes/clusters/live
17 | talos_version=v1.10.4
18 | cilium_version=1.17.4
19 | flux_version=v2.6.1
20 | prometheus_version=17.0.2
21 | kubernetes_version=1.33.0
22 | default_replica_count="3"
23 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/kube-system/cilium-config.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: cilium-config
6 | spec:
7 |   path: kubernetes/manifests/common/resources/cilium-config
8 |   dependsOn:
9 |     - name: cilium  # Cilium CRs need the CNI's CRDs first
10 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/kube-system/cilium.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: cilium
6 | spec:
7 |   path: kubernetes/manifests/helm-release/cilium
8 |   postBuild:
9 |     substitute:
10 |       HELM_CHART_VERSION: ${cilium_version}  # taken from generated-cluster-vars.env (cilium_version) via the cluster-vars ConfigMap — presumably wired up by the shared flux-kustomization-defaults component; confirm
11 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/kube-system/descheduler.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: descheduler
6 | spec:
7 |   path: kubernetes/manifests/helm-release/descheduler
8 |   postBuild:
9 |     substitute:
10 |       HELM_CHART_VERSION: 0.32.1
11 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/kube-system/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | kind: Kustomization
5 | namespace: kube-system
6 | components:
7 |   - ../../../manifests/common/components/configurations/namespace
8 | resources:
9 |   - cilium-config.yaml
10 |   - cilium.yaml
11 |   - descheduler.yaml
12 |   - spegel.yaml
13 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/kube-system/spegel.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: spegel
6 | spec:
7 |   path: kubernetes/manifests/helm-release/spegel
8 |   dependsOn:
9 |     - name: cilium
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: v0.0.28
13 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/kubevirt/containerized-data-importer-operator.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: containerized-data-importer-operator
6 | spec:
7 |   path: kubernetes/manifests/kustomize/containerized-data-importer-operator
8 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/kubevirt/containerized-data-importer.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: containerized-data-importer
6 | spec:
# NOTE(review): no dependsOn on containerized-data-importer-operator — if this path applies CRs defined by that operator's CRDs, the first reconcile fails until the operator is up; compare how kube-prometheus-stack depends on its -crds Kustomization
7 |   path: kubernetes/manifests/kustomize/containerized-data-importer
8 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/kubevirt/kubevirt-operator.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: kubevirt-operator
6 | spec:
7 |   path: kubernetes/manifests/kustomize/kubevirt-operator
8 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/kubevirt/kubevirt.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: kubevirt
6 | spec:
# NOTE(review): no dependsOn on kubevirt-operator — if this path applies a KubeVirt CR, it cannot be applied until the operator's CRDs exist; an explicit dependsOn makes the ordering deterministic instead of relying on retries
7 |   path: kubernetes/manifests/kustomize/kubevirt
8 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/kubevirt/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | kind: Kustomization
5 | namespace: kubevirt
6 | resources:
7 |   - ../../../manifests/common/resources/namespace
8 |   - containerized-data-importer-operator.yaml
9 |   - containerized-data-importer.yaml
10 |   - kubevirt-operator.yaml
11 |   - kubevirt.yaml
12 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | kind: Kustomization
5 | components:
6 |   - ../../manifests/common/components/configurations/kustomization
7 |   - ../../manifests/common/components/flux-kustomization-defaults
8 | resources:
# NOTE(review): unlike clusters/staging/kustomization.yaml, this list does not include ../base — anything that only exists in base (shared policies, operators) is reconciled in staging but never in live, so the two clusters drift; confirm this is deliberate
9 |   - actions-runner-system
10 |   -
actions-runners
11 |   - cert-manager
12 |   - flux-system
13 |   - kube-system
14 |   - kubevirt
15 |   - longhorn-system
16 |   - monitoring
17 |   - network
18 |   - system
# NOTE(review): the default/ and games/ directories under clusters/live are not listed here, so they are never reconciled — add them or remove them to avoid silent drift
19 | patches:
20 |   - target:
21 |       kind: Kustomization
22 |     patch: |
23 |       - op: replace
24 |         path: /metadata/namespace
25 |         value: flux-system
26 |
27 | configMapGenerator:
28 |   - name: cluster-vars
29 |     options:
30 |       disableNameSuffixHash: true
31 |     namespace: flux-system
32 |     behavior: create
33 |     envs:
34 |       - generated-cluster-vars.env  # the only env file loaded; cluster-vars.env in this directory is not referenced
35 |
36 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/longhorn-system/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | kind: Kustomization
5 | namespace: longhorn-system
6 | #components:
7 | #  - ../.network-policies
# NOTE(review): the network-policies component is commented out (same in network/), so no namespace-level NetworkPolicy is applied here — confirm that is deliberate for live
8 | resources:
9 |   - ../../../manifests/common/resources/namespace
10 |   - longhorn-storage.yaml
11 |   - longhorn.yaml
12 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/longhorn-system/longhorn-storage.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: longhorn-storage
6 | spec:
7 |   path: kubernetes/manifests/common/resources/longhorn-storage
8 |   dependsOn:
9 |     - name: longhorn
10 |   postBuild:
11 |     substitute:
12 |       replica_count: "3"  # hard-coded; generated-cluster-vars.env already carries default_replica_count="3" — consider ${default_replica_count} as cilium.yaml does for its version
13 |
14 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/longhorn-system/longhorn.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: longhorn
6 | spec:
7 |   path:
kubernetes/manifests/helm-release/longhorn
8 |   postBuild:
9 |     substitute:
10 |       HELM_CHART_VERSION: 1.8.0
11 |       storage_replica_count: "3"
12 |
13 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/grafana-k8s-monitoring.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: grafana-k8s-monitoring
6 | spec:
7 |   path: kubernetes/manifests/helm-release/grafana-k8s-monitoring
8 |   dependsOn:
9 |     - name: grafana-tempo
10 |     # - name: grafana-pyroscope
11 |     - name: grafana-mimir
12 |     - name: grafana-loki  # NOTE(review): no Kustomization named "grafana-loki" exists in this directory (the Loki files are grafana-loki-single-binary and grafana-loki-simple-scalable); this dependency can never be satisfied if the file is re-enabled
13 |   postBuild:
14 |     substitute:
15 |       HELM_CHART_VERSION: 2.x  # NOTE(review): floating semver range — the chart can change under you with no commit; pin an exact version before re-enabling (currently commented out in monitoring/kustomization.yaml)
16 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/grafana-loki-single-binary.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: grafana-loki-single-binary
6 | spec:
7 |   path: kubernetes/manifests/helm-release/grafana-loki-single-binary
8 |   postBuild:
9 |     substitute:
10 |       HELM_CHART_VERSION: 6.25.0
11 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/grafana-loki-smple-scalable.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: grafana-loki-simple-scalable  # NOTE(review): the file is named grafana-loki-smple-scalable.yaml (typo) while the object and path say "simple"; rename the file so it can be found
6 | spec:
7 |   path: kubernetes/manifests/helm-release/grafana-loki-simple-scalable
8 |   dependsOn:
9 |     - name: grafana-minio-tenant
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: 6.25.0
13 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/grafana-mimir.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: grafana-mimir
6 | spec:
7 |   path: kubernetes/manifests/helm-release/grafana-mimir
8 |   dependsOn:
9 |     - name: grafana-minio-tenant
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: 5.x  # NOTE(review): floating range — pin before re-enabling (see grafana-k8s-monitoring.yaml); same for minio-tenant, pyroscope and tempo below
13 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/grafana-minio-tenant.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: grafana-minio-tenant
6 | spec:
7 |   path: kubernetes/manifests/helm-release/grafana-minio-tenant
8 |   dependsOn:
9 |     - name: minio-operator  # NOTE(review): system/minio-operator.yaml exists but is not listed in system/kustomization.yaml, so this dependency would never be satisfied if this file were re-enabled
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: 7.x
13 |
14 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/grafana-pyroscope.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: grafana-pyroscope
6 | spec:
7 |   path: kubernetes/manifests/helm-release/grafana-pyroscope
8 |   dependsOn:
9 |     - name: grafana-minio-tenant
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: 1.x
13 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/grafana-tempo.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: grafana-tempo
6 | spec:
7 |   path: kubernetes/manifests/helm-release/grafana-tempo
8 |   dependsOn:
9 |     - name: grafana-minio-tenant
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: 1.x
13 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/grafana.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: grafana
6 | spec:
7 |   path: kubernetes/manifests/helm-release/grafana
8 |   dependsOn:
9 |     - name: kube-prometheus-stack
10 |     - name: promtail
11 |   postBuild:
12 |     substitute:
13 |       HELM_CHART_VERSION: 8.8.5
14 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/kube-prometheus-stack-crds.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: kube-prometheus-stack-crds
6 | spec:
7 |   path: kubernetes/manifests/helm-release/kube-prometheus-stack-crds
8 |   postBuild:
9 |     substitute:
10 |       HELM_CHART_VERSION: 17.0.2  # duplicates prometheus_version=17.0.2 in generated-cluster-vars.env; ${prometheus_version} (as cilium.yaml does) would keep the two from drifting
11 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/kube-prometheus-stack.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: kube-prometheus-stack
6 | spec:
7 |   path: kubernetes/manifests/helm-release/kube-prometheus-stack
8 |   dependsOn:
9 |     - name: kube-prometheus-stack-crds  # CRDs are installed by a separate release so the operator chart can be upgraded without re-applying them
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: 68.3.3
13 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | kind: Kustomization
5 | namespace: monitoring
6 |
resources:
7 |   - ../../../manifests/common/resources/namespace
8 |
9 |   - grafana.yaml
10 |   - grafana-loki-single-binary.yaml
11 |   - kube-prometheus-stack-crds.yaml
12 |   - kube-prometheus-stack.yaml
13 |   - promtail.yaml
14 |
15 |   #- prometheus-ipmi-exporter-supermicro-node2.yaml
16 |   #- prometheus-ipmi-exporter-supermicro-node41.yaml
17 |   #- prometheus-ipmi-exporter-supermicro-node42.yaml
18 |   #- prometheus-ipmi-exporter-supermicro-rules.yaml
19 |
20 |   #- grafana-k8s-monitoring.yaml
21 |   #- grafana-loki.yaml
# NOTE(review): there is no grafana-loki.yaml in this directory — the Loki files are grafana-loki-single-binary.yaml (listed above) and grafana-loki-smple-scalable.yaml; fix this entry before uncommenting it
22 |   #- grafana-mimir.yaml
23 |   #- grafana-minio-tenant.yaml
24 |   #- grafana-pyroscope.yaml
25 |   #- grafana-tempo.yaml
26 |   # - grafana.yaml
27 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/prometheus-ipmi-exporter-supermicro-node2.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: prometheus-ipmi-exporter-supermicro-node2
6 | spec:
7 |   path: kubernetes/manifests/helm-release/prometheus-ipmi-exporter-supermicro
8 |   dependsOn:
9 |     - name: kube-prometheus-stack-crds
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: 0.5.0
13 |       machine: node2
14 |       machine_address: 192.168.10.249  # BMC address of the host being scraped; one Kustomization per machine (node41, node42 below are identical apart from these two values)
15 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/prometheus-ipmi-exporter-supermicro-node41.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: prometheus-ipmi-exporter-supermicro-node41
6 | spec:
7 |   path: kubernetes/manifests/helm-release/prometheus-ipmi-exporter-supermicro
8 |   dependsOn:
9 |     - name: kube-prometheus-stack-crds
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: 0.5.0
13 |       machine: node41
14 |       machine_address: 192.168.10.221
15 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/prometheus-ipmi-exporter-supermicro-node42.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: prometheus-ipmi-exporter-supermicro-node42
6 | spec:
7 |   path: kubernetes/manifests/helm-release/prometheus-ipmi-exporter-supermicro
8 |   dependsOn:
9 |     - name: kube-prometheus-stack-crds
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: 0.5.0
13 |       machine: node42
14 |       machine_address: 192.168.10.245
15 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/prometheus-ipmi-exporter-supermicro-rules.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: prometheus-ipmi-exporter-supermicro-rules
6 | spec:
7 |   path: kubernetes/manifests/common/resources/prometheus-ipmi-exporter-supermico-rules  # NOTE(review): "supermico" differs from the "supermicro" spelling used everywhere else; confirm the directory really carries this name, otherwise the path will not resolve
8 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/monitoring/promtail.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: promtail
6 | spec:
7 |   path: kubernetes/manifests/helm-release/promtail
8 |   dependsOn:
9 |     - name: grafana-loki-single-binary  # log shipper waits for its Loki backend
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: 6.16.6
13 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/network/certificates.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name:
certificates
6 | spec:
# NOTE(review): no dependsOn on issuers/cert-manager here, while both ingress-nginx-*.yaml wait for issuers; if this path contains Certificate objects they cannot be applied until cert-manager's CRDs exist — add the same dependsOn for deterministic ordering
7 |   path: kubernetes/manifests/common/resources/certificates
8 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/network/ingress-nginx-external.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.toolkit.fluxcd.io/v1
2 | kind: Kustomization
3 | metadata:
4 |   name: ingress-nginx-external
5 | spec:
6 |   dependsOn:
7 |     - name: issuers
8 |     - name: cilium-config
9 |   path: kubernetes/manifests/helm-release/ingress-nginx  # same chart path as ingress-nginx-internal; only the substitutions below differ
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: 4.12.0
13 |       ingress_class: external
14 |       domain: ${external_domain}
15 |       ingress_ip: ${external_ingress_ip}  # from generated-cluster-vars.env; this is the listener the external domain resolves to, so treat changes here as changes to the exposed edge
16 |       default_cert: network/external-tls
17 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/network/ingress-nginx-internal.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.toolkit.fluxcd.io/v1
2 | kind: Kustomization
3 | metadata:
4 |   name: ingress-nginx-internal
5 | spec:
6 |   dependsOn:
7 |     - name: issuers
8 |     - name: cilium-config
9 |   path: kubernetes/manifests/helm-release/ingress-nginx
10 |   postBuild:
11 |     substitute:
12 |       HELM_CHART_VERSION: 4.12.0
13 |       ingress_class: internal
14 |       domain: ${internal_domain}
15 |       ingress_ip: ${internal_ingress_ip}
16 |       default_cert: network/internal-tls
17 |
18 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/network/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | kind: Kustomization
5 | namespace: network
6 | #components:
7 | #  - ../.network-policies
# NOTE(review): network policies are commented out for the namespace that hosts the external ingress — if that is temporary, note why here so it is not forgotten
8 | resources:
9 |   - ../../../manifests/common/resources/namespace
10 |   - certificates.yaml
11 |
- ingress-nginx-external.yaml
12 |   - ingress-nginx-internal.yaml
13 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/system/cloudflared.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.toolkit.fluxcd.io/v1
2 | kind: Kustomization
3 | metadata:
4 |   name: cloudflared  # NOTE(review): not listed in system/kustomization.yaml, so this file is currently not reconciled — add it or delete it
5 | spec:
6 |   path: ./manifests/apps/cloudflared  # NOTE(review): ./manifests/... prefix differs from the kubernetes/manifests/... used elsewhere; confirm it resolves from the repository root
7 |   postBuild:
8 |     substitute:
9 |       IMAGE_REPOSITORY: docker.io/cloudflare/cloudflared
# NOTE(review): the image-automation marker below names the "network" namespace although this Kustomization sits in system/ (and is patched into flux-system); confirm an ImagePolicy cloudflared-automation exists in network or the marker is dead
10 |       IMAGE_TAG: 2024.6.1 # {"$imagepolicy": "network:cloudflared-automation:tag"}
11 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/system/external-secrets-stores.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: external-secrets-stores
6 | spec:
7 |   path: kubernetes/manifests/common/resources/external-secret-stores
8 |   dependsOn:
9 |     - name: external-secrets  # SecretStore CRs need the operator's CRDs first
10 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/system/external-secrets.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.toolkit.fluxcd.io/v1
2 | kind: Kustomization
3 | metadata:
4 |   name: external-secrets
5 | spec:
6 |   path: kubernetes/manifests/helm-release/external-secrets
7 |   postBuild:
8 |     substitute:
9 |       HELM_CHART_VERSION: 0.13.0
10 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/system/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# NOTE(review): the schema above is the Flux Kustomization schema, but this is a kustomize.config.k8s.io file like its siblings, which also declare apiVersion/kind explicitly; align it with them so editor validation matches what kustomize reads
3 | namespace: system
4 |
5 | resources:
6 |   -
../../../manifests/common/resources/namespace
7 |
8 |   - external-secrets-stores.yaml
9 |   - external-secrets.yaml
10 |   #- nsinjector.yaml
11 |   - reloader.yaml
12 |   - replicator.yaml
13 |   - secret-generator.yaml
# NOTE(review): cloudflared.yaml and minio-operator.yaml in this directory are not listed, so they are not reconciled — either add them deliberately or remove the files to avoid silent drift
14 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/system/minio-operator.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.toolkit.fluxcd.io/v1
2 | kind: Kustomization
3 | metadata:
4 |   name: minio-operator  # referenced by monitoring/grafana-minio-tenant.yaml via dependsOn, but not listed in system/kustomization.yaml
5 | spec:
6 |   path: kubernetes/manifests/helm-release/minio-operator
7 |   postBuild:
8 |     substitute:
9 |       HELM_CHART_VERSION: 7.0.0
10 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/system/nsinjector.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: nsinjector-crd
6 | spec:
7 |   path: kubernetes/manifests/kustomize/nsinjector-crd
8 | ---
9 | apiVersion: kustomize.toolkit.fluxcd.io/v1
10 | kind: Kustomization
11 | metadata:
12 |   name: nsinjector
13 | spec:
14 |   path: kubernetes/manifests/kustomize/nsinjector
15 |   dependsOn:
16 |     - name: nsinjector-crd  # CRDs split into their own Kustomization and ordered explicitly — the pattern the kubevirt/ and CDI Kustomizations would benefit from
17 |
18 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/system/reloader.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.toolkit.fluxcd.io/v1
2 | kind: Kustomization
3 | metadata:
4 |   name: reloader
5 | spec:
6 |   path: kubernetes/manifests/helm-release/reloader
7 |   postBuild:
8 |     substitute:
9 |       HELM_CHART_VERSION: v1.2.1
10 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/system/replicator.yaml:
--------------------------------------------------------------------------------
1 | apiVersion:
kustomize.toolkit.fluxcd.io/v1
2 | kind: Kustomization
3 | metadata:
4 |   name: replicator
5 | spec:
6 |   path: kubernetes/manifests/helm-release/replicator
7 |   postBuild:
8 |     substitute:
9 |       HELM_CHART_VERSION: 2.11.0
10 |
--------------------------------------------------------------------------------
/kubernetes/clusters/live/system/secret-generator.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.toolkit.fluxcd.io/v1
2 | kind: Kustomization
3 | metadata:
4 |   name: secret-generator
5 | spec:
6 |   path: kubernetes/manifests/helm-release/secret-generator
7 |   postBuild:
8 |     substitute:
9 |       HELM_CHART_VERSION: 3.4.0
10 |
--------------------------------------------------------------------------------
/kubernetes/clusters/staging/actions-runners/actions-runner-homelab.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 |   name: actions-runner-homelab-live  # NOTE(review): this is the staging cluster, but every name in this file says "live" and the live copy says "staging" — confirm the two files were not swapped
6 | spec:
7 |   path: kubernetes/manifests/helm-release-oci/actions-runner-scale-set
8 |   postBuild:
9 |     substitute:
10 |       name: homelab-runner-live
11 |       secret: /homelab/kubernetes/live/homelab-runner  # NOTE(review): staging reads the live runner credential; a separate /staging/ secret would keep a compromised staging runner from holding the live credential
12 |       storage_class: fast-unmanaged
13 |       github_config_url: https://github.com/ionfury/homelab
14 |       service_account: homelab-runner-live
15 |       image: ghcr.io/ionfury/homelab-modules-runner
16 |       tag: latest  # NOTE(review): mutable tag — pin a version (or digest) so runner image changes are reviewable
17 |       OCI_REPOSITORY_TAG: 0.11.0
18 | ---
19 | apiVersion: v1
20 | kind: ServiceAccount
21 | metadata:
22 |   name: homelab-runner-live
23 | ---
24 | apiVersion: rbac.authorization.k8s.io/v1
25 | kind: Role
26 | metadata:
27 |   name: homelab-runner-live
28 | rules:
29 |   - apiGroups: [""]
30 |     resources: ["pods"]
31 |     verbs: ["get", "list", "create", "delete"]
32 |   - apiGroups: [""]
33 |     resources: ["pods/exec"]
34 |     verbs: ["get", "create"]
35 |   - apiGroups: [""]
36 |     resources: ["pods/log"]
37 |     verbs: ["get", "list", "watch"]
38 |   -
apiGroups: ["batch"]
39 |     resources: ["jobs"]
40 |     verbs: ["get", "list", "create", "delete"]
41 |   - apiGroups: [""]
42 |     resources: ["secrets"]
43 |     verbs: ["create", "delete", "get", "list"]  # NOTE(review): get+list on every Secret in actions-runners — any workflow run on this runner can read them all; keep only runner-related secrets in this namespace or restrict with resourceNames if the chart allows
44 | ---
45 | apiVersion: rbac.authorization.k8s.io/v1
46 | kind: RoleBinding
47 | metadata:
48 |   name: homelab-runner-live
49 | roleRef:
50 |   apiGroup: rbac.authorization.k8s.io
51 |   kind: Role
52 |   name: homelab-runner-live
53 | subjects:
54 |   - kind: ServiceAccount
55 |     name: homelab-runner-live
56 |     namespace: actions-runners
57 |
--------------------------------------------------------------------------------
/kubernetes/clusters/staging/actions-runners/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | kind: Kustomization
5 | namespace: actions-runners
6 | resources:
7 |   - ../../../manifests/common/resources/namespace
8 |   - actions-runner-homelab.yaml  # staging has no actions-runner-homelab-modules.yaml counterpart, unlike live
9 |
--------------------------------------------------------------------------------
/kubernetes/clusters/staging/flux-system/gotk-sync.yaml:
--------------------------------------------------------------------------------
1 | # This manifest was generated by flux. DO NOT EDIT.
2 | ---
3 | apiVersion: source.toolkit.fluxcd.io/v1
4 | kind: GitRepository
5 | metadata:
6 |   name: flux-system
7 |   namespace: flux-system
8 | spec:
9 |   interval: 1m0s
10 |   ref:
11 |     branch: main
12 |   secretRef:
13 |     name: flux-system
14 |   url: https://github.com/ionfury/homelab.git
15 | ---
16 | apiVersion: kustomize.toolkit.fluxcd.io/v1
17 | kind: Kustomization
18 | metadata:
19 |   name: flux-system
20 |   namespace: flux-system
21 | spec:
22 |   interval: 10m0s
23 |   path: ./kubernetes/clusters/staging
24 |   prune: true
25 |   sourceRef:
26 |     kind: GitRepository
27 |     name: flux-system
28 |
--------------------------------------------------------------------------------
/kubernetes/clusters/staging/generated-cluster-vars.env:
--------------------------------------------------------------------------------
1 | cluster_id=3
2 | cluster_ip_pool_start=192.168.10.41
3 | cluster_ip_pool_stop=192.168.10.49
4 | internal_ingress_ip=192.168.10.42
5 | external_ingress_ip=192.168.10.43
6 | internal_domain=internal.staging.tomnowak.work
7 | external_domain=external.staging.tomnowak.work
8 | cluster_l2_interfaces=["ens1f0"]
9 | cluster_name=staging
10 | cluster_tld=tomnowak.work
11 | cluster_endpoint=https://staging.k8s.tomnowak.work:6443
12 | cluster_vip=192.168.10.40
13 | cluster_node_subnet=192.168.10.0/24
14 | cluster_pod_subnet=172.22.0.0/16
15 | cluster_service_subnet=172.23.0.0/16
16 | cluster_path=kubernetes/clusters/staging
17 | talos_version=v1.10.4
18 | cilium_version=1.17.4
19 | flux_version=v2.6.1
20 | prometheus_version=17.0.2
21 | kubernetes_version=1.33.0
22 | default_replica_count="1"
23 |
--------------------------------------------------------------------------------
/kubernetes/clusters/staging/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | kind: Kustomization
# Staging and live both track branch main of the same GitRepository; what differs is spec.path in flux-system/gotk-sync.yaml and the generated-cluster-vars.env loaded below.
5 | components:
6 | - ../../manifests/common/components/configurations/kustomization 7 | - ../../manifests/common/components/flux-kustomization-defaults 8 | resources: 9 | - ../base 10 | - actions-runners 11 | - flux-system 12 | patches: 13 | - target: 14 | kind: Kustomization 15 | patch: | 16 | - op: replace 17 | path: /metadata/namespace 18 | value: flux-system 19 | 20 | configMapGenerator: 21 | - name: cluster-vars 22 | options: 23 | disableNameSuffixHash: true 24 | namespace: flux-system 25 | behavior: create 26 | envs: 27 | - generated-cluster-vars.env 28 | 29 | -------------------------------------------------------------------------------- /kubernetes/manifests/common/components/configurations/cluster-issuer/configuration.yaml: -------------------------------------------------------------------------------- 1 | nameReference: 2 | - kind: Secret 3 | fieldSpecs: 4 | - path: spec/acme/privateKeySecretRef/name 5 | kind: ClusterIssuer 6 | - path: spec/acme/solvers/dns01/cloudflare/apiTokenSecretRef/name 7 | kind: ClusterIssuer 8 | -------------------------------------------------------------------------------- /kubernetes/manifests/common/components/configurations/cluster-issuer/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | 6 | configurations: 7 | - configuration.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/manifests/common/components/configurations/git-repository/configuration.yaml: -------------------------------------------------------------------------------- 1 | nameReference: 2 | - kind: Secret 3 | fieldSpecs: 4 | - path: spec/secretRef/name 5 | kind: GitRepository 6 | -------------------------------------------------------------------------------- 
# /kubernetes/manifests/common/components/configurations/git-repository/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

configurations:
  - configuration.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/helm-release/configuration.yaml:
# --------------------------------------------------------------------------------
# Name-reference config for HelmRelease: lets kustomize-renamed ConfigMaps/Secrets
# (valuesFrom), HelmRepositories, Namespaces and OCIRepositories stay linked.
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
  - kind: Secret
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
  - kind: HelmRepository
    fieldSpecs:
      - path: spec/chart/spec/sourceRef/name
        kind: HelmRelease
  - kind: Namespace
    version: v1
    fieldSpecs:
      - path: spec/targetNamespace
        kind: HelmRelease
  - kind: OCIRepository
    # NOTE(review): pinned to v1beta2; the OCIRepository in helm-release-oci/ is
    # declared with that version, so this matches — revisit if that API is bumped.
    version: v1beta2
    fieldSpecs:
      - path: spec/chartRef/name
        kind: HelmRelease
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/helm-release/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

configurations:
  - configuration.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/image-policy/configuration.yaml:
# --------------------------------------------------------------------------------
nameReference:
  - kind: ImageRepository
    fieldSpecs:
      - path: spec/imageRepositoryRef/name
        kind: ImagePolicy
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/image-policy/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

configurations:
  - configuration.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/image-repository/configuration.yaml:
# --------------------------------------------------------------------------------
# Image transformer config: lets kustomize `images:` overrides rewrite the
# ImageRepository.spec.image field as well as Pod templates.
images:
  - path: spec/image
    kind: ImageRepository
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/image-repository/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

configurations:
  - configuration.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/image-update-automation/configuration.yaml:
# --------------------------------------------------------------------------------
nameReference:
  - kind: GitRepository
    fieldSpecs:
      - path: spec/sourceRef/name
        kind: ImageUpdateAutomation
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/image-update-automation/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

configurations:
  - configuration.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/kustomization/configuration.yaml:
# --------------------------------------------------------------------------------
# Name-reference config for Flux Kustomizations (source, service account,
# decryption Secret, substituteFrom ConfigMaps).
nameReference:
  - kind: GitRepository
    fieldSpecs:
      - path: spec/sourceRef/name
        kind: Kustomization
  - kind: ServiceAccount
    fieldSpecs:
      - path: spec/serviceAccountName
        kind: Kustomization
  - kind: Secret
    fieldSpecs:
      - path: spec/decryption/secretRef/name
        kind: Kustomization
  - kind: ConfigMap
    fieldSpecs:
      - path: spec/postBuild/substituteFrom/name
        kind: Kustomization
  - kind: ConfigMap
    fieldSpecs:
      # NOTE(review): no Flux Kustomization field at spec/name is apparent from
      # this repo; this entry may be stale — confirm before relying on it.
      - path: spec/name
        kind: Kustomization
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/kustomization/kustomization.yaml:
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

configurations:
  - configuration.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/minio-tenant/configuration.yaml:
# --------------------------------------------------------------------------------
nameReference:
  - kind: Secret
    fieldSpecs:
      - path: spec/configuration/name
        kind: Tenant
  - kind: Tenant
    fieldSpecs:
      # NOTE(review): this second entry reads as the first one with kinds swapped
      # (a core Secret has no spec/configuration/name). It is a no-op as written;
      # likely a copy/paste leftover — confirm and drop if so.
      - path: spec/configuration/name
        kind: Secret
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/minio-tenant/kustomization.yaml:
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

configurations:
  - configuration.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/namespace/configuration.yaml:
# --------------------------------------------------------------------------------
# Namespace transformer config: a kustomize `namespace:` setting also writes the
# NAMESPACE substitution variable and targetNamespace on Flux Kustomizations.
namespace:
  - kind: Kustomization
    path: spec/postBuild/substitute/NAMESPACE
    create: true
  - kind: Kustomization
    path: spec/targetNamespace
    create: true
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/namespace/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

configurations:
  - configuration.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/origin-issuer/configuration.yaml:
# --------------------------------------------------------------------------------
nameReference:
  - kind: Secret
    fieldSpecs:
      - path: spec/auth/serviceKeyRef/name
        kind: OriginIssuer
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/origin-issuer/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

configurations:
  - configuration.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/service-monitor/configuration.yaml:
# --------------------------------------------------------------------------------
# commonLabels also lands in the ServiceMonitor selector, so kustomize-labelled
# Services keep matching; basicAuth Secret refs follow kustomize renames.
commonLabels:
  - path: spec/selector/matchLabels
    create: true
    kind: ServiceMonitor
nameReference:
  - kind: Secret
    fieldSpecs:
      - path: spec/endpoints/basicAuth/password/name
        version: v1
        kind: ServiceMonitor
      - path: spec/endpoints/basicAuth/username/name
        version: v1
        kind: ServiceMonitor
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/configurations/service-monitor/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

configurations:
  - configuration.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/flux-kustomization-defaults/kustomization.yaml:
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
patches:
  # Strategic-merge patch applied to every Kustomization in the build.
  - target:
      kind: Kustomization
    path: patch-kustomization.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/components/flux-kustomization-defaults/patch-kustomization.yaml:
# --------------------------------------------------------------------------------
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  # Placeholder; the real name comes from the target resource.
  name: not-used
spec:
  interval: 10m
  # Default prune: true for every Kustomization — removing a manifest from git
  # deletes the live object. Opt out per-Kustomization where that is unwanted.
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  postBuild:
    # Cluster-wide ${...} substitutions (domains, IPs, replica count) come from
    # the cluster-vars ConfigMap generated in each cluster's kustomization.yaml.
    substituteFrom:
      - kind: ConfigMap
        name: cluster-vars
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/certificates/external-certificate.yaml:
# --------------------------------------------------------------------------------
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: external
spec:
  # Wildcard cert: the private key in external-tls covers every host under
  # ${external_domain}, so RBAC on this Secret should be as tight as the namespace allows.
  secretName: external-tls
  issuerRef:
    name: cloudflare
    kind: ClusterIssuer
  commonName: ${external_domain}
  dnsNames:
    - ${external_domain}
    - "*.${external_domain}"
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/certificates/internal-certificate.yaml:
# --------------------------------------------------------------------------------
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal
spec:
  # Same wildcard pattern as external-certificate.yaml, for the internal domain.
  secretName: internal-tls
  issuerRef:
    name: cloudflare
    kind: ClusterIssuer
  commonName: ${internal_domain}
  dnsNames:
    - ${internal_domain}
    - "*.${internal_domain}"
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/certificates/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - internal-certificate.yaml
  - external-certificate.yaml

# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/cilium-config/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - l2.yaml
  - pool.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/cilium-config/l2.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliuml2announcementpolicy_v2alpha1.json
apiVersion: cilium.io/v2alpha1
kind: CiliumL2AnnouncementPolicy
metadata:
  name: l2-policy
spec:
  # Announces LoadBalancer IPs via ARP on the interfaces listed in cluster-vars
  # (cluster_l2_interfaces is a JSON list, e.g. ["ens1f0"] in staging).
  loadBalancerIPs: true
  interfaces: ${cluster_l2_interfaces}
  nodeSelector:
    matchLabels:
      kubernetes.io/os: linux
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/cilium-config/pool.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumloadbalancerippool_v2alpha1.json
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
  name: pool
spec:
  # Pool bounds come from cluster-vars (staging: 192.168.10.41-49); the ingress
  # IPs in that file fall inside this range.
  allowFirstLastIPs: "Yes"
  blocks:
    - start: ${cluster_ip_pool_start}
      stop: ${cluster_ip_pool_stop}
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/external-secret-stores/cluster-secret-store.yaml:
# --------------------------------------------------------------------------------
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-ssm
spec:
  provider:
    aws:
      service: ParameterStore
      region: us-east-2
      auth:
        # Static IAM access key held in kube-system/external-secrets-access-key.
        # NOTE(review): a ClusterSecretStore is usable from any namespace by
        # default; the IAM policy behind this key should be limited to the
        # /homelab/kubernetes/ parameter prefix, and spec.conditions can restrict
        # which namespaces may reference this store — confirm both are in place.
        secretRef:
          accessKeyIDSecretRef:
            namespace: kube-system
            name: external-secrets-access-key
            key: access_key
          secretAccessKeySecretRef:
            namespace: kube-system
            name: external-secrets-access-key
            key: secret_access_key
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/external-secret-stores/external-secret-test.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example
spec:
  # Smoke test for the store: materialises one SSM parameter as Secret test-secret
  # in whichever namespace this kustomization is applied to.
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-ssm
  target:
    name: test-secret
  data:
    - secretKey: test-secret-1
      remoteRef:
        key: /homelab/kubernetes/test-secret

# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/external-secret-stores/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - cluster-secret-store.yaml
  - external-secret-test.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/helm-release-app-template-repo/bjw-s-oci.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: bjw-s-oci
  namespace: flux-system
spec:
  interval: 1h
  type: oci
  url: oci://ghcr.io/bjw-s/helm
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/helm-release-app-template-repo/bjw-s.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: bjw-s
  namespace: flux-system
spec:
  interval: 1h
  url: https://bjw-s.github.io/helm-charts
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/helm-release-app-template-repo/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - bjw-s.yaml
  - bjw-s-oci.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/helm-release-app-template/configuration.yaml:
# --------------------------------------------------------------------------------
# Extra name-reference for app-template: the config persistence ConfigMap name
# lives inside spec.values, which the generic helm-release config does not cover.
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/values/persistence/config/name
        kind: HelmRelease
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/helm-release-app-template/helm-release.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: app
spec:
  maxHistory: 2
  interval: 10m
  install:
    createNamespace: false
    crds: CreateReplace
    remediation:
      retries: 3
  upgrade:
    # NOTE(review): unlike helm-release-oci/helm-release.yaml, no cleanupOnFail or
    # rollback strategy here — intentional or drift between the three templates?
    crds: CreateReplace
    remediation:
      retries: 3
  uninstall:
    keepHistory: false
  chart:
    spec:
      chart: app-template
      # Caller may pin APP_TEMPLATE_VERSION; falls back to 3.6.0.
      version: ${APP_TEMPLATE_VERSION:=3.6.0}
      sourceRef:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
      interval: 10m
  values:
    image:
      repository: ${IMAGE_REPOSITORY}
      # IMAGE_TAG is a mutable tag unless the caller passes a digest-pinned value.
      tag: ${IMAGE_TAG}
      pullPolicy: ${IMAGE_PULL_POLICY:=IfNotPresent}
  valuesFrom:
    - kind: ConfigMap
      name: values
    - kind: Secret
      name: secret-values
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/helm-release-app-template/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# NOTE(review): no apiVersion/kind here, unlike the sibling kustomization files.
components:
  - ../../components/configurations/helm-release
configurations:
  - configuration.yaml
resources:
  - helm-release.yaml
configMapGenerator:
  - name: values
    literals:
      - values.yaml=
secretGenerator:
  # Empty placeholder Secret; overlays are expected to replace it. Anything
  # non-empty put in a literal here would be committed to git in plaintext.
  - name: secret-values
    literals:
      - values.yaml=
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/helm-release-oci/helm-release.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: app
spec:
  maxHistory: 2
  interval: 10m
  install:
    createNamespace: false
    crds: CreateReplace
    remediation:
      retries: 3
  upgrade:
    # Failed upgrades roll back and clean up — the other two templates do not set this.
    cleanupOnFail: true
    crds: CreateReplace
    remediation:
      strategy: rollback
      retries: 3
  uninstall:
    keepHistory: false
  chartRef:
    kind: OCIRepository
    name: app
  valuesFrom:
    - kind: ConfigMap
      name: values
    - kind: Secret
      name: secret-values
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/helm-release-oci/helm-repository.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.ok8.sh/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: app
spec:
  interval: 10m
  # Pulled by tag; no spec.verify (signature check) is configured, so a moved
  # tag is accepted as-is — consider it for charts that are signed.
  ref:
    tag: ${OCI_REPOSITORY_TAG}
  url: oci://${OCI_REPOSITORY}
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/helm-release-oci/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
components:
  - ../../components/configurations/helm-release
resources:
  - helm-release.yaml
  - helm-repository.yaml
configMapGenerator:
  - name: values
    literals:
      - values.yaml=
secretGenerator:
  - name: secret-values
    literals:
      - values.yaml=
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/helm-release/helm-release.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: app
spec:
  maxHistory: 2
  interval: 10m
  install:
    createNamespace: false
    crds: CreateReplace
    remediation:
      retries: 3
  upgrade:
    crds: CreateReplace
    remediation:
      retries: 3
  uninstall:
    keepHistory: false
  chart:
    spec:
      # Chart and version are fully caller-supplied; no default is provided.
      chart: ${HELM_CHART}
      version: ${HELM_CHART_VERSION}
      sourceRef:
        kind: HelmRepository
        name: app
      interval: 10m
  valuesFrom:
    - kind: ConfigMap
      name: values
    - kind: Secret
      name: secret-values
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/helm-release/helm-repository.yaml:
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: app
spec:
  interval: 10m
  url: ${HELM_CHART_REPOSITORY}
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/helm-release/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
components:
  - ../../components/configurations/helm-release
resources:
  - helm-release.yaml
  - helm-repository.yaml
configMapGenerator:
  - name: values
    literals:
      - values.yaml=
secretGenerator:
  - name: secret-values
    literals:
      - values.yaml=
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/issuers/cloudflare-issuer/cluster-issuer.yaml:
# --------------------------------------------------------------------------------
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cloudflare
  # NOTE(review): ClusterIssuer is cluster-scoped; a metadata.namespace is at
  # best ignored here — safe to drop.
  namespace: default
spec:
  acme:
    email: ionfury@gmail.com
    # Let's Encrypt production endpoint (rate-limited; staging clusters share it).
    server: https://acme-v02.api.letsencrypt.org/directory
    # For a ClusterIssuer, cert-manager looks these Secrets up in its own
    # cluster-resource namespace, not where this kustomization is applied —
    # the ExternalSecret below must land in that namespace.
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - dns01:
          cloudflare:
            email: ionfury@gmail.com
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: token
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/issuers/cloudflare-issuer/external-secret.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cloudflare-api-token
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-ssm
  target:
    name: cloudflare-api-token
  data:
    - secretKey: token
      remoteRef:
        # Per-cluster parameter, so each cluster can carry its own (zone-scoped) token.
        key: /homelab/kubernetes/${cluster_name}/cloudflare-api-token
        property: token
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/issuers/cloudflare-issuer/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
components:
  - ../../../components/configurations/cluster-issuer
resources:
  - cluster-issuer.yaml
  - external-secret.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/issuers/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - cloudflare-issuer
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/longhorn-storage/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - recurring-jobs/backup-weekly.yaml
  - recurring-jobs/snapshot-daily.yaml
  - recurring-jobs/filesystem-trim-daily.yaml
  - storage-classes/fast-critical.yaml
  - storage-classes/fast.yaml
  - storage-classes/fast-unmanaged.yaml
  - storage-classes/slow-critical.yaml
  - storage-classes/slow.yaml
  - storage-classes/slow-unmanaged.yaml
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/longhorn-storage/recurring-jobs/backup-weekly.yaml:
# --------------------------------------------------------------------------------
---
apiVersion: longhorn.io/v1beta1
kind: RecurringJob
metadata:
  name: &name backup-weekly
spec:
  cron: "@weekly"
  # NOTE(review): despite the name, task is "snapshot" (an in-cluster snapshot),
  # not "backup". If an off-node copy to a backup target is intended for the
  # *-critical classes, this job does not produce one — confirm the intent.
  task: snapshot
  groups:
    - *name
  retain: 3
  concurrency: 5
  labels:
    jobname: *name
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/longhorn-storage/recurring-jobs/filesystem-trim-daily.yaml:
# --------------------------------------------------------------------------------
---
apiVersion: longhorn.io/v1beta1
kind: RecurringJob
metadata:
  name: &name filesystem-trim-daily
spec:
  name: trim
  cron: "0 4 * * *"
  task: filesystem-trim
  concurrency: 1
  groups:
    - *name
  labels:
    jobname: *name
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/longhorn-storage/recurring-jobs/snapshot-daily.yaml:
# --------------------------------------------------------------------------------
---
apiVersion: longhorn.io/v1beta1
kind: RecurringJob
metadata:
  name: &name snapshot-daily
spec:
  cron: "@daily"
  task: snapshot
  groups:
    - *name
  retain: 3
  concurrency: 5
  labels:
    jobname: *name
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/longhorn-storage/storage-classes/fast-critical.yaml:
# --------------------------------------------------------------------------------
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: fast-critical
provisioner: driver.longhorn.io
allowVolumeExpansion: true
# NOTE(review): Delete reclaim on a class named "critical" means a PVC deletion
# removes the data; Retain is the usual choice where the data matters.
reclaimPolicy: Delete
volumeBindingMode: Immediate
parameters:
  # Comes from cluster-vars; "1" in staging, so no replica redundancy there.
  numberOfReplicas: ${default_replica_count}
  fsType: xfs
  staleReplicaTimeout: "30"
  dataLocality: best-effort
  diskSelector: fast
  recurringJobSelectors: '[{"name": "snapshot-daily", "isGroup": true}, {"name": "backup-weekly", "isGroup": true}, {"name": "filesystem-trim-daily", "isGroup": true}]'
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/longhorn-storage/storage-classes/fast-unmanaged.yaml:
# --------------------------------------------------------------------------------
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: fast-unmanaged
provisioner: driver.longhorn.io
allowVolumeExpansion: true
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
parameters:
  # Single replica, no locality, no recurring jobs: scratch-grade storage.
  numberOfReplicas: "1"
  fsType: xfs
  staleReplicaTimeout: "30"
  dataLocality: disabled
  diskSelector: fast
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/longhorn-storage/storage-classes/fast.yaml:
# --------------------------------------------------------------------------------
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: fast
provisioner: driver.longhorn.io
allowVolumeExpansion: true
reclaimPolicy: Delete
volumeBindingMode: Immediate
parameters:
  numberOfReplicas: ${default_replica_count}
  fsType: xfs
  staleReplicaTimeout: "30"
  dataLocality: best-effort
  diskSelector: fast
  # Trim only; snapshots are reserved for the *-critical classes.
  recurringJobSelectors: '[{"name": "filesystem-trim-daily", "isGroup": true}]'
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/longhorn-storage/storage-classes/slow-critical.yaml:
# --------------------------------------------------------------------------------
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: slow-critical
provisioner: driver.longhorn.io
allowVolumeExpansion: true
# Same reclaim/replica caveats as fast-critical.
reclaimPolicy: Delete
volumeBindingMode: Immediate
parameters:
  numberOfReplicas: ${default_replica_count}
  fsType: xfs
  staleReplicaTimeout: "30"
  dataLocality: best-effort
  diskSelector: slow
  recurringJobSelectors: '[{"name": "snapshot-daily", "isGroup": true}, {"name": "backup-weekly", "isGroup": true}, {"name": "filesystem-trim-daily", "isGroup": true}]'
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/longhorn-storage/storage-classes/slow-unmanaged.yaml:
# --------------------------------------------------------------------------------
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: slow-unmanaged
provisioner: driver.longhorn.io
allowVolumeExpansion: true
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
parameters:
  numberOfReplicas: "1"
  fsType: xfs
  staleReplicaTimeout: "30"
  dataLocality: disabled
  diskSelector: slow
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/longhorn-storage/storage-classes/slow.yaml:
# --------------------------------------------------------------------------------
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: slow
provisioner: driver.longhorn.io
allowVolumeExpansion: true
reclaimPolicy: Delete
volumeBindingMode: Immediate
parameters:
  numberOfReplicas: ${default_replica_count}
  fsType: xfs
  staleReplicaTimeout: "30"
  dataLocality: best-effort
  diskSelector: slow
  recurringJobSelectors: '[{"name": "filesystem-trim-daily", "isGroup": true}]'
# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/namespace/kustomization.yaml:
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
components:
  - ../../components/configurations/namespace
resources:
  - namespace.yaml


# --------------------------------------------------------------------------------
# /kubernetes/manifests/common/resources/namespace/namespace.yaml:
# --------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  # Placeholder name; overlays rename it via the kustomize namespace transformer.
  name: default
  labels:
    # NOTE(review): enforce=privileged means Pod Security Admission blocks nothing
    # in any namespace stamped from this template; only baseline violations are
    # audited/warned. Namespaces whose workloads allow it should override enforce
    # to baseline or restricted.
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline

-------------------------------------------------------------------------------- /kubernetes/manifests/common/resources/prometheus-ipmi-exporter-supermico-rules/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - prometheus-rule.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release-app-template-oci/cloudflared/config/config.yaml: -------------------------------------------------------------------------------- 1 | originRequest: 2 | originServerName: ${CLUSTER_NAME}.${EXTERNAL_DOMAIN} 3 | 4 | ingress: 5 | - hostname: "${EXTERNAL_DOMAIN}" 6 | service: https://ingress-nginx-external-controller.network.svc.cluster.local:443 7 | - hostname: "*.${EXTERNAL_DOMAIN}" 8 | service: https://ingress-nginx-external-controller.network.svc.cluster.local:443 9 | - service: http_status:404 10 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release-app-template-oci/cloudflared/dns-endpoint.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: externaldns.k8s.io/v1alpha1 2 | kind: DNSEndpoint 3 | metadata: 4 | name: tunnel 5 | spec: 6 | endpoints: 7 | - dnsName: ${CLUSTER_NAME}.${EXTERNAL_DOMAIN} 8 | recordType: CNAME 9 | targets: ["${CLUSTER_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"] 10 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release-app-template-oci/cloudflared/external-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1beta1 2 | kind: ExternalSecret 3 | metadata: 4 | name: tunnel 5 | spec: 6 | secretStoreRef: 7 | kind: 
ClusterSecretStore 8 | name: aws-ssm 9 | target: 10 | name: cloudflare-tunnel 11 | template: 12 | engineVersion: v2 13 | data: 14 | credentials.json: | 15 | { 16 | "AccountTag": "{{ .account }}", 17 | "TunnelSecret": "{{ .secret }}", 18 | "TunnelID": "{{ .id }}" 19 | } 20 | TunnelID: "{{ .id }}" 21 | dataFrom: 22 | - extract: 23 | key: k8s-${CLUSTER_NAME}-cloudflare-tunnel 24 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release-app-template-oci/cloudflared/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | 4 | namePrefix: cloudflared- 5 | components: 6 | - ../../components/helm-release-app-template-oci-v3 7 | resources: 8 | - dns-endpoint.yaml 9 | - external-secret.yaml 10 | configMapGenerator: 11 | - name: values 12 | behavior: replace 13 | files: 14 | - values.yaml 15 | - name: configmap 16 | behavior: create 17 | options: 18 | disableNameSuffixHash: true 19 | files: 20 | - ./config/config.yaml 21 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release-app-template-oci/cloudflared/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-cloudflared-to-ingress-nginx-external 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app.kubernetes.io/name: cloudflared-app 9 | policyTypes: 10 | - Egress 11 | - Ingress 12 | egress: 13 | - to: 14 | - podSelector: 15 | matchLabels: 16 | app.kubernetes.io/name: ingress-nginx 17 | app.kubernetes.io/instance: ingress-nginx-external-app 18 | ingress: [] 19 | -------------------------------------------------------------------------------- 
/kubernetes/manifests/helm-release-app-template-oci/valheim/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# One Valheim server per ${instance}. The per-app network policy is
# deliberately left out (commented below), so the pod is governed only by
# whatever namespace-wide policies exist.
namePrefix: valheim-${instance}-
resources:
  - ../../common/resources/helm-release-app-template
#resources:
# - network-policy.yaml
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
secretGenerator:
  - name: envs
    behavior: create
    options:
      disableNameSuffixHash: true   # keeps the name valheim-${instance}-envs, which values.yaml references via envFrom
    annotations:
      secret-generator.v1.mittwald.de/autogenerate: PASSWORD   # server password is generated in-cluster, never committed
    literals:
      - PORT=2456
      - TZ="America/Chicago"
      - NAME="valheim"
      - WORLD="valheim"
      - PUBLIC=0
      - AUTO_UPDATE_SCHEDULE="0 1 * * *"
      - AUTO_BACKUP=1
      - AUTO_BACKUP_SCHEDULE="*/15 * * * *"
      - AUTO_BACKUP_REMOVE_OLD=1
      - AUTO_BACKUP_DAYS_TO_LIVE=3
      - AUTO_BACKUP_ON_UPDATE=1
      - AUTO_BACKUP_ON_SHUTDOWN=1
      - UPDATE_ON_STARTUP=0
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release-app-template-oci/valheim/network-policy.yaml:
--------------------------------------------------------------------------------
# NOTE(review): currently not applied (see kustomization.yaml). If enabled as
# written: it opens only UDP 2456 while values.yaml also exposes 2457 (auth)
# and 2458 (voip); it blocks all other egress, including whatever the
# AUTO_UPDATE schedule needs; and values.yaml does not set the
# network/allow-valheim-game label this policy selects on.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: policy
spec:
  podSelector:
    matchLabels:
      network/allow-valheim-game: "true"
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - ports:
        - protocol: UDP
          port: 2456 # Valheim game traffic (a single port, not a range)
  egress:
    - ports:
        - protocol: UDP
          port: 2456 # Valheim game traffic (a single port, not a range)
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release-app-template-oci/valheim/values.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.6.1/charts/other/app-template/values.schema.json

# Exposed directly on a Cilium LB-IPAM address. With externalTrafficPolicy
# Cluster the server sees node-SNATed client addresses rather than real ones.
service:
  main:
    controller: main
    type: LoadBalancer
    externalTrafficPolicy: Cluster
    annotations:
      io.cilium/lb-ipam-ips: "${ingress_ip}"
    ports:
      http:
        port: 80
      gameplay:
        enabled: true
        port: 2456
        protocol: UDP
      auth:
        enabled: true
        port: 2457
        protocol: UDP
      voip:
        enabled: true
        port: 2458
        protocol: UDP
controllers:
  main:
    annotations:
      reloader.stakater.com/auto: "true"   # restart when the referenced ConfigMap/Secret changes
    pod:
      securityContext:            # unprivileged; PUID/PGID below must agree with these ids
        runAsUser: 111
        runAsGroup: 1000
        runAsNonRoot: true
    containers:
      main:
        image:
          repository: docker.io/mbround18/valheim
          tag: 3.1.2
        probes:                   # all probes disabled (presumably so a slow world load is never restarted — confirm)
          liveness:
            enabled: false
          readiness:
            enabled: false
          startup:
            enabled: false
        env:
          - name: PUID
            value: 111            # NOTE(review): Pod env values must be strings; these unquoted ints rely on the chart quoting them — confirm against the rendered pod
          - name: PGID
            value: 1000
        envFrom:
          - secretRef:
              name: valheim-${instance}-envs
        resources:
          requests:
            cpu: 400m
            memory: 2Gi
persistence:
  data:
    enabled: true
    retain: true                  # presumably keeps the PVC when the release is removed — confirm chart semantics
    accessMode: ReadWriteOnce
    storageClass: fast-critical   # snapshot + weekly backup tier
    size: 50Gi
    globalMounts:
      - path: /home/steam/.config/unity3d/IronGate/Valheim/
      - path: /home/steam/valheim/
      - path: /home/steam/backups/
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release-oci/actions-runner-controller/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Chart is pulled from ghcr.io; any signature verification (spec.verify) would
# live in the shared OCIRepository base, which is not visible here.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: actions-runner-controller-
resources:
  - ../../common/resources/helm-release-oci
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
patches:
  - target:
      kind: OCIRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release-oci/actions-runner-controller/values.yaml:
--------------------------------------------------------------------------------
fullnameOverride: actions-runner-controller   # fixed name; the scale set's controllerServiceAccount points at it
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release-oci/actions-runner-scale-set/external-secret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.ok8.sh/external-secrets.io/externalsecret_v1beta1.json
# GitHub App credentials for the runner scale set, sourced from SSM. The
# private key is stored base64-encoded and decoded at render time; the
# resulting Secret name must match githubConfigSecret in values.yaml.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-ssm
  target:
    name: ${name}-runner
    template:
      data:
        github_app_id: "{{ .ACTIONS_RUNNER_APP_ID }}"
        github_app_installation_id: "{{ .ACTIONS_RUNNER_INSTALLATION_ID }}"
        github_app_private_key: "{{ .ACTIONS_RUNNER_PRIVATE_KEY | b64dec }}"
  dataFrom:
    - extract:
        key: ${secret}
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release-oci/actions-runner-scale-set/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: ${name}-runner-
resources:
  - ../../common/resources/helm-release-oci
  - external-secret.yaml
#- rbac.yaml
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
patches:
  - target:
      kind: OCIRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release-oci/actions-runner-scale-set/rbac.yaml:
--------------------------------------------------------------------------------
---
# Not applied (commented out in kustomization.yaml). The disabled block below
# would bind cluster-admin to the runner ServiceAccount, i.e. any workflow job
# on the runner could administer the whole cluster. Keep it off; if runners
# need API access, bind a Role scoped to the namespace and verbs they use.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: svc
#---
#apiVersion: rbac.authorization.k8s.io/v1
#kind: ClusterRoleBinding
#metadata:
# name: home-ops-runner
#roleRef:
# apiGroup: rbac.authorization.k8s.io
# kind: ClusterRole
# name: cluster-admin
#subjects:
# - kind: ServiceAccount
# name: home-ops-runner
# namespace: actions-runner-system
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release-oci/actions-runner-scale-set/values.yaml:
--------------------------------------------------------------------------------
# gha-runner-scale-set values. Jobs run in Kubernetes container mode (job
# containers become separate pods) rather than Docker-in-Docker, so no
# privileged container or docker socket is needed.
githubConfigUrl: ${github_config_url}
githubConfigSecret: ${name}-runner        # produced by external-secret.yaml
minRunners: 1
maxRunners: ${max_runners:=1}
containerMode:
  type: kubernetes
  kubernetesModeWorkVolumeClaim:
    accessModes: ["ReadWriteOnce"]
    storageClassName: ${storage_class:=default}
    resources:
      requests:
        storage: 10Gi
controllerServiceAccount:
  name: actions-runner-controller
  namespace: actions-runner-system
template:
  spec:
    securityContext: # https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors#error-access-to-the-path-homerunner_work_tool-is-denied
      fsGroup: 123
    containers:
      - name: runner
        image: ${image}:${tag}
        command: ["/home/runner/run.sh"]
        env:
          - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
            value: "false"           # lets jobs without a `container:` run directly in the runner pod
          - name: NODE
            valuesFrom:              # NOTE(review): the Pod API field is `valueFrom`; as spelled this is not a valid env entry, so NODE is unlikely to be populated — confirm on the rendered pod
              fieldRef:
                fieldPath: status.hostIP
        #volumeMounts:
        # - mountPath: /var/run/secrets/github
        # name: github
        # readOnly: true
    serviceAccountName: ${service_account}
    enableServiceLinks: true
    #volumes:
    # - name: github
    # secret:
    # secretName: ${name}-runner
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/canary-checker/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: canary-checker-
resources:
  - ../../common/resources/helm-release
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
patches:
  - target:
      kind: HelmRelease
    patch: |-
      - op: replace
        path: /spec/chart/spec/chart
        value: canary-checker
      - op: add
        path: /spec/releaseName
        value: canary-checker
  - target:
      kind: HelmRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: https://flanksource.github.io/charts
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/canary-checker/values.yaml:
--------------------------------------------------------------------------------
---
# https://github.com/flanksource/canary-checker/blob/master/chart/values.yaml
# yaml-language-server: $schema=https://raw.githubusercontent.com/flanksource/canary-checker/refs/heads/master/chart/values.schema.json
# Minimal footprint: embedded DB without persistence (check history is lost
# on restart) and no UI.
serviceMonitor: true
grafanaDashboards: true
db:
  embedded:
    persist: false
flanksource-ui:
  enabled: false
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/cert-manager/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: cert-manager-
resources:
  - ../../common/resources/helm-release
  - prometheus-rules.yaml
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
patches:
  - target:
      kind: HelmRelease
    patch: |-
      - op: replace
        path: /spec/chart/spec/chart
        value: cert-manager
      - op: add
        path: /spec/releaseName
        value: cert-manager
  - target:
      kind: HelmRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: https://charts.jetstack.io
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/cert-manager/values.yaml:
--------------------------------------------------------------------------------
# https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml
# NOTE(review): "${NAMESPACE:kube-system}" is a different substitution form
# from the "${VAR:=default}" pattern used elsewhere in this tree (e.g.
# ${NAMESPACE:=monitoring}); verify it expands to the intended namespace.
global:
  leaderElection:
    namespace: "${NAMESPACE:kube-system}"
  commonLabels:
podLabels:                           # opt the controller into the label-based network policies (internet egress, presumably for ACME; Prometheus scrape ingress)
  networking/allow-egress-internet: "true"
  networking/allow-ingress-prometheus: "true"
  networking/allow-cluster-egress: "true"
namespace: "${NAMESPACE:kube-system}"
installCRDs: true
prometheus:
  enabled: true
  servicemonitor:
    enabled: true
webhook:
  podLabels:
    networking/allow-ingress-prometheus: "true"
    networking/allow-cluster-egress: "true"
  networkPolicy:
    enabled: false                   # chart's own policy off; isolation comes from the label-based policies in this tree
cainjector:
  podLabels:
    networking/allow-ingress-prometheus: "true"
    networking/allow-cluster-egress: "true"
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/cilium/canary.yaml:
--------------------------------------------------------------------------------
# Synthetic check of the Hubble endpoint; also fails when its TLS certificate
# has fewer than 7 days left.
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: http-check
spec:
  schedule: "@every 1m"
  http:
    - name: http pass response 200 status code
      url: https://hubble.${internal_domain}
      responseCodes: [200]
      maxSSLExpiry: 7
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/cilium/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: cilium-
resources:
  - ../../common/resources/helm-release
  - canary.yaml
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
patches:
  - path: patch-values.yaml
  - target:
      kind: HelmRelease
    patch: |-
      - op: replace
        path: /spec/chart/spec/chart
        value: cilium
      - op: add
        path: /spec/releaseName
        value: cilium
  - target:
      kind: HelmRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: https://helm.cilium.io/
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/cilium/patch-values.yaml:
--------------------------------------------------------------------------------
# Per-cluster Cilium cluster id, merged into the shared HelmRelease values.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: app
spec:
  values:
    cluster:
      id: ${cluster_id}
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/descheduler/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: descheduler-
resources:
  - ../../common/resources/helm-release
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
patches:
  - path: patch-helm-release.yaml
  - target:
      kind: HelmRelease
    patch: |-
      - op: replace
        path: /spec/chart/spec/chart
        value: descheduler
      - op: add
        path: /spec/releaseName
        value: descheduler
  - target:
      kind: HelmRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: https://kubernetes-sigs.github.io/descheduler
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/descheduler/patch-helm-release.yaml:
--------------------------------------------------------------------------------
# Post-render patch widening the chart's ClusterRole with read-only access to
# PodDisruptionBudgets (get/watch/list only — no write verbs added).
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: app
spec:
  postRenderers:
    - kustomize:
        patches:
          - target:
              kind: ClusterRole
            patch: |
              - op: add
                path: /rules/-
                value:
                  verbs: ["get", "watch", "list"]
                  apiGroups: ["policy"]
                  resources: ["poddisruptionbudgets"]
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/descheduler/values.yaml:
--------------------------------------------------------------------------------
# Two replicas with leader election. Evictions are scoped by the DefaultEvictor
# args: local-storage pods may be evicted (their emptyDir contents are lost),
# system-critical pods never are.
replicas: 2
kind: Deployment
deschedulerPolicyAPIVersion: descheduler/v1alpha2
deschedulerPolicy:
  profiles:
    - name: Default
      pluginConfig:
        - name: DefaultEvictor
          args:
            evictFailedBarePods: true
            evictLocalStoragePods: true
            evictSystemCriticalPods: false
            nodeFit: true
        - name: RemovePodsViolatingInterPodAntiAffinity
        - name: RemovePodsViolatingNodeAffinity
          args:
            nodeAffinityType:
              - requiredDuringSchedulingIgnoredDuringExecution
        - name: RemovePodsViolatingNodeTaints
        - name: RemovePodsViolatingTopologySpreadConstraint
          args:
            constraints:
              - DoNotSchedule
              - ScheduleAnyway
        - name: RemoveFailedPods
          args:
            excludeOwnerKinds:
              - Job
            includingInitContainers: true
            minPodLifetimeSeconds: 3600
      plugins:
        balance:
          enabled:
            - RemovePodsViolatingTopologySpreadConstraint
        deschedule:
          enabled:
            - RemovePodsViolatingInterPodAntiAffinity
            - RemovePodsViolatingNodeAffinity
            - RemovePodsViolatingNodeTaints
            - RemoveFailedPods
service:
  enabled: true
serviceMonitor:
  enabled: true
leaderElection:
  enabled: true
  leaseDuration: 15s
  renewDeadline: 10s
  retryPeriod: 2s
  resourceLock: "leases"
  resourceName: "descheduler"
  resourceNamescape: "kube-system"   # NOTE(review): spelling as found; check the pinned chart's values.yaml — if the chart reads resourceNamespace, this key is silently ignored
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/external-secrets/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: external-secrets-
resources:
  - ../../common/resources/helm-release
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
patches:
  - target:
      kind: HelmRelease
    patch: |-
      - op: replace
        path: /spec/chart/spec/chart
        value: external-secrets
      - op: add
        path: /spec/releaseName
        value: external-secrets
  - target:
      kind: HelmRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: https://charts.external-secrets.io
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/external-secrets/values.yaml:
--------------------------------------------------------------------------------
# Controller, webhook and cert-controller all scraped every minute with small
# resource requests.
installCRDs: true
serviceMonitor:
  enabled: true
  interval: 1m
webhook:
  serviceMonitor:
    enabled: true
    interval: 1m
  resources:
    requests:
      cpu: 10m
      memory: 100Mi
certController:
  serviceMonitor:
    enabled: true
    interval: 1m
  resources:
    requests:
      cpu: 10m
      memory: 100Mi
resources:
  requests:
    cpu: 10m
    memory: 100Mi
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/grafana-k8s-monitoring/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: grafana-k8s-monitoring-
resources:
  - ../../common/resources/helm-release
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
patches:
  - target:
      kind: HelmRelease
    patch: |-
      - op: replace
        path: /spec/chart/spec/chart
        value: k8s-monitoring
      - op: add
        path: /spec/releaseName
        value: grafana-k8s-monitoring
  - target:
      kind: HelmRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: https://grafana.github.io/helm-charts
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/grafana-k8s-monitoring/values.yaml:
--------------------------------------------------------------------------------
# Telemetry destinations are all plain in-cluster HTTP. NOTE(review): the
# local_loki entry mirrors the Mimir port and path; Loki's push API is normally
# /loki/api/v1/push on the gateway's HTTP port, and the single-binary Loki
# values in this tree scale the gateway to 0 — verify logs actually arrive.
cluster:
  name: ${cluster_name:=default}
destinations:
  - name: local_mimir
    type: prometheus
    url: http://mimir-gateway.${NAMESPACE:=monitoring}.svc.cluster.local:9090/api/v1/push
  - name: local_loki
    type: loki
    url: http://loki-gateway.${NAMESPACE:=monitoring}.svc.cluster.local:9090/api/v1/push
# - name: local_pyroscope
# type: pyroscope
# url: http://pyroscope-distributor.${NAMESPACE:=monitoring}.svc.cluster.local:4040
  - name: local_tempo
    type: otlp
    url: http://tempo-distributor.${NAMESPACE:=monitoring}.svc.cluster.local
metrics: { enabled: true }
logs: { enabled: true }
traces: { enabled: true }
#profiles:
# enabled: true
#traces:
# enabled: true
#prometheus-operator-crds:
# enabled: true
#metrics:
# apiserver:
# enabled: true
# kubeControllerManager:
# enabled: true
# kubeProxy:
# enabled: true
# kubeScheduler:
# enabled: true
#autoDiscover:
# extraRelabelingRules: |
# rule {
# source_labels = [
# "__meta_kubernetes_pod_label_app",
# "__meta_kubernetes_pod_label_k8s_app",
# "__meta_kubernetes_service_label_app",
# "__meta_kubernetes_service_label_k8s_app",
# "__meta_kubernetes_endpoints_label_app",
# "__meta_kubernetes_endpoints_label_k8s_app",
# ]
# action = "replace"
# target_label = "app"
# separator = ""
# }
#opencost:
# enabled: false
#alloy:
# alloy:
# clustering:
# enabled: true
#extraConfig:
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/grafana-loki-simple-scalable/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# S3 credentials are injected through valuesFrom from the generated MinIO
# root Secret, so they never appear in values.yaml or the rendered ConfigMap.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: grafana-loki-simple-scalable-
resources:
  - ../../common/resources/helm-release
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
patches:
  - target:
      kind: HelmRelease
    patch: |-
      - op: replace
        path: /spec/chart/spec/chart
        value: loki
      - op: add
        path: /spec/releaseName
        value: grafana-loki-simple-scalable
      - op: add
        path: /spec/valuesFrom/-
        value:
          targetPath: loki.storage.s3.accessKeyId
          kind: Secret
          name: grafana-minio-tenant-root-generated
          valuesKey: accessKey
      - op: add
        path: /spec/valuesFrom/-
        value:
          targetPath: loki.storage.s3.secretAccessKey
          kind: Secret
          name: grafana-minio-tenant-root-generated
          valuesKey: secretKey
  - target:
      kind: HelmRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: https://grafana.github.io/helm-charts
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/grafana-loki-single-binary/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: grafana-loki-single-binary-
resources:
  - ../../common/resources/helm-release
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
patches:
  - target:
      kind: HelmRelease
    patch: |-
      - op: replace
        path: /spec/chart/spec/chart
        value: loki
      - op: add
        path: /spec/releaseName
        value: grafana-loki-single-binary
  - target:
      kind: HelmRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: https://grafana.github.io/helm-charts
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/grafana-loki-single-binary/values.yaml:
--------------------------------------------------------------------------------
# Single-process Loki on local filesystem storage, 14-day retention.
# NOTE(review): auth_enabled: false disables tenant auth (no X-Scope-OrgID
# check), so anything that can reach the service can push and query logs —
# network policy is the only access control. The "fast" storage class used
# below has no snapshot or backup job group, so retained logs are only as
# durable as its replicas.
deploymentMode: SingleBinary
loki:
  auth_enabled: false
  analytics:
    reporting_enabled: false          # no usage telemetry to Grafana Labs
  server:
    log_level: info
  commonConfig:
    replication_factor: 1
  compactor:
    working_directory: /var/loki/compactor/retention
    delete_request_store: filesystem
    retention_enabled: true           # compactor enforces retention_period below
  ingester:
    chunk_encoding: snappy
  storage:
    type: filesystem
  schemaConfig:
    configs:
      - from: "2024-04-01" # quote
        store: tsdb
        object_store: filesystem
        schema: v13
        index:
          prefix: loki_index_
          period: 24h
  limits_config:
    retention_period: 14d
singleBinary:
  replicas: 1
  persistence:
    enabled: true
    storageClass: fast
    size: 50Gi
gateway:
  replicas: 0                         # no gateway in this mode; clients must target the single-binary service directly
backend:
  replicas: 0
read:
  replicas: 0
write:
  replicas: 0
chunksCache:
  enabled: false
resultsCache:
  enabled: false
lokiCanary:
  enabled: false
test:
  enabled: false
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/grafana-mimir/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# S3 credentials come from the generated MinIO root Secret via valuesFrom,
# same pattern as the Loki releases — nothing secret in the values ConfigMap.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: grafana-mimir-
components:
  - ../../common/components/configurations/minio-tenant
resources:
  - ../../common/resources/helm-release
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
patches:
  - target:
      kind: HelmRelease
    patch: |-
      - op: replace
        path: /spec/chart/spec/chart
        value: mimir-distributed
      - op: add
        path: /spec/releaseName
        value: grafana-mimir
      - op: add
        path: /spec/valuesFrom/-
        value:
          targetPath: mimir.structuredConfig.common.storage.s3.access_key_id
          kind: Secret
          name: grafana-minio-tenant-root-generated
          valuesKey: accessKey
      - op: add
        path: /spec/valuesFrom/-
        value:
          targetPath: mimir.structuredConfig.common.storage.s3.secret_access_key
          kind: Secret
          name: grafana-minio-tenant-root-generated
          valuesKey: secretKey
  - target:
      kind: HelmRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: https://grafana.github.io/helm-charts
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/grafana-mimir/values.yaml:
--------------------------------------------------------------------------------
# Mimir backed by the in-cluster MinIO tenant. The chart's bundled nginx and
# MinIO are disabled.
nginx:
  enabled: false
minio:
  enabled: false
runtimeConfig:
  ingester_limits:
    max_series: 1000000
mimir:
  structuredConfig:
    common:
      storage:
        backend: s3
        s3:
          endpoint: minio.${NAMESPACE:=monitoring}.svc
          insecure: true              # plain HTTP to MinIO: the root access keys cross the pod network unencrypted, acceptable only inside the cluster trust boundary
    alertmanager_storage:
      s3:
        bucket_name: mimir-ruler      # shares a bucket with ruler_storage below — presumably intentional; confirm
    blocks_storage:
      s3:
        bucket_name: mimir-blocks
    ruler_storage:
      s3:
        bucket_name: mimir-ruler
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/grafana-minio-tenant/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Root credentials for the tenant are generated in-cluster (32-char base64url
# accessKey/secretKey) and wired into the chart through valuesFrom. With the
# namePrefix the Secret is emitted as grafana-minio-tenant-root-generated,
# which is the name the Loki and Mimir releases reference.
# NOTE(review): the valuesFrom entries below still say "root-generated";
# whether kustomize rewrites that reference depends on name-reference
# configuration not visible here — confirm the rendered HelmRelease.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: grafana-minio-tenant-
resources:
  - ../../common/resources/helm-release
configMapGenerator:
  - name: values
    behavior: replace
    files:
      - values.yaml
secretGenerator:
  - name: root-generated
    options:
      disableNameSuffixHash: true
      annotations:
        secret-generator.v1.mittwald.de/autogenerate: accessKey,secretKey
        secret-generator.v1.mittwald.de/encoding: base64url
        secret-generator.v1.mittwald.de/length: "32"
patches:
  - target:
      kind: HelmRelease
    patch: |-
      - op: replace
        path: /spec/chart/spec/chart
        value: tenant
      - op: add
        path: /spec/releaseName
        value: grafana-minio-tenant
      - op: add
        path: /spec/valuesFrom/-
        value:
          targetPath: tenant.configSecret.accessKey
          kind: Secret
          name: root-generated
          valuesKey: accessKey
      - op: add
        path: /spec/valuesFrom/-
        value:
          targetPath: tenant.configSecret.secretKey
          kind: Secret
          name: root-generated
          valuesKey: secretKey
  - target:
      kind: HelmRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: https://operator.min.io/
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/grafana-minio-tenant/values.yaml:
--------------------------------------------------------------------------------
# Two-server, two-volume pool on the single-replica "fast-unmanaged" class:
# durability relies on MinIO's own redundancy across those volumes, not on
# Longhorn replication, snapshots or backups. Pods run non-root with privilege
# escalation disabled.
tenant:
  name: grafana-minio
  pools:
    - name: grafana-pool
      servers: 2
      volumesPerServer: 2
      size: ${size:=20Gi}
      storageClassName: fast-unmanaged
      runtimeClassName: ""
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
        runAsNonRoot: true
      containerSecurityContext:
        allowPrivilegeEscalation: false
capabilities: 19 | drop: 20 | - ALL 21 | runAsUser: 1000 22 | runAsGroup: 1000 23 | runAsNonRoot: true 24 | seccompProfile: 25 | type: RuntimeDefault 26 | buckets: 27 | - name: mimir-ruler 28 | - name: mimir-blocks 29 | - name: mimir-alertmanager 30 | - name: loki-ruler 31 | - name: loki-chunks 32 | - name: loki-admin 33 | - name: pyroscope-data 34 | - name: tempo-traces 35 | metrics: 36 | enabled: true 37 | port: 9000 38 | protocol: http 39 | certificate: 40 | requestAutoCert: false 41 | env: 42 | - name: MINIO_STORAGE_CLASS_STANDARD 43 | value: EC:1 44 | - name: MINIO_STORAGE_CLASS_RRS 45 | value: EC:0 46 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/grafana-pyroscope/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: grafana-pyroscope- 6 | resources: 7 | - ../../common/resources/helm-release 8 | configMapGenerator: 9 | - name: values 10 | behavior: replace 11 | files: 12 | - values.yaml 13 | patches: 14 | - target: 15 | kind: HelmRelease 16 | patch: |- 17 | - op: replace 18 | path: /spec/chart/spec/chart 19 | value: pyroscope 20 | - op: add 21 | path: /spec/releaseName 22 | value: grafana-pyroscope 23 | - op: add 24 | path: /spec/valuesFrom/- 25 | value: 26 | targetPath: pyroscope.structuredConfig.storage.s3.access_key_id 27 | kind: Secret 28 | name: grafana-minio-tenant-root 29 | valuesKey: accessKey 30 | - op: add 31 | path: /spec/valuesFrom/- 32 | value: 33 | targetPath: pyroscope.structuredConfig.storage.s3.secret_access_key 34 | kind: Secret 35 | name: grafana-minio-tenant-root 36 | valuesKey: secretKey 37 | - target: 38 | kind: HelmRepository 39 | name: app 40 | patch: |- 41 | - op: replace 42 | path: /spec/url 43 | value: https://grafana.github.io/helm-charts 44 | 
-------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/grafana-tempo/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: grafana-tempo- 6 | resources: 7 | - ../../common/resources/helm-release 8 | configMapGenerator: 9 | - name: values 10 | behavior: replace 11 | files: 12 | - values.yaml 13 | patches: 14 | - target: 15 | kind: HelmRelease 16 | patch: |- 17 | - op: replace 18 | path: /spec/chart/spec/chart 19 | value: tempo-distributed 20 | - op: add 21 | path: /spec/releaseName 22 | value: grafana-tempo 23 | - op: add 24 | path: /spec/valuesFrom/- 25 | value: 26 | targetPath: storage.trace.s3.access_key 27 | kind: Secret 28 | name: grafana-minio-tenant-root 29 | valuesKey: accessKey 30 | - op: add 31 | path: /spec/valuesFrom/- 32 | value: 33 | targetPath: storage.trace.s3.secret_key 34 | kind: Secret 35 | name: grafana-minio-tenant-root 36 | valuesKey: secretKey 37 | - target: 38 | kind: HelmRepository 39 | name: app 40 | patch: |- 41 | - op: replace 42 | path: /spec/url 43 | value: https://grafana.github.io/helm-charts 44 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/grafana-tempo/values.yaml: -------------------------------------------------------------------------------- 1 | gateway: 2 | enabled: false 3 | metricsGenerator: 4 | enabled: true 5 | config: 6 | storage: 7 | remote_write_add_org_id_header: false 8 | remote_write: 9 | - url: http://mimir-gateway.${NAMESPACE:=monitoring}.svc/api/v1/push 10 | send_exemplars: true 11 | traces: 12 | otlp: 13 | grpc: 14 | enabled: true 15 | http: 16 | enabled: true 17 | zipkin: 18 | enabled: true 19 | jaeger: 20 | thriftHttp: 21 | enabled: true 22 | opencensus: 23 | 
enabled: true 24 | storage: 25 | trace: 26 | backend: s3 27 | s3: 28 | bucket: tempo-traces 29 | endpoint: minio.${NAMESPACE:=monitoring}.svc 30 | insecure: true 31 | global_overrides: 32 | metrics_generator_processors: [service-graphs, span-metrics] 33 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/grafana/canary.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: canaries.flanksource.com/v1 2 | kind: Canary 3 | metadata: 4 | name: http-check 5 | spec: 6 | schedule: "@every 1m" 7 | http: 8 | - name: http pass response 200 status code 9 | url: https://grafana.${internal_domain} 10 | responseCodes: [200] 11 | maxSSLExpiry: 7 12 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/grafana/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: grafana- 6 | resources: 7 | - ../../common/resources/helm-release 8 | - canary.yaml 9 | configMapGenerator: 10 | - name: values 11 | behavior: replace 12 | files: 13 | - values.yaml 14 | patches: 15 | - target: 16 | kind: HelmRelease 17 | patch: |- 18 | - op: replace 19 | path: /spec/chart/spec/chart 20 | value: grafana 21 | - op: add 22 | path: /spec/releaseName 23 | value: grafana 24 | - target: 25 | kind: HelmRepository 26 | name: app 27 | patch: |- 28 | - op: replace 29 | path: /spec/url 30 | value: https://grafana.github.io/helm-charts 31 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/ingress-nginx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: ingress-nginx-${ingress_class:=internal}- 6 | resources: 7 | - ../../common/resources/helm-release 8 | configMapGenerator: 9 | - name: values 10 | behavior: replace 11 | files: 12 | - values.yaml 13 | patches: 14 | - target: 15 | kind: HelmRelease 16 | patch: |- 17 | - op: replace 18 | path: /spec/chart/spec/chart 19 | value: ingress-nginx 20 | - op: add 21 | path: /spec/releaseName 22 | value: ingress-nginx-${ingress_class:=internal} 23 | - target: 24 | kind: HelmRepository 25 | name: app 26 | patch: |- 27 | - op: replace 28 | path: /spec/url 29 | value: https://kubernetes.github.io/ingress-nginx 30 | 31 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/kube-prometheus-stack-crds/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: kube-prometheus-stack-crds- 6 | resources: 7 | - ../../common/resources/helm-release 8 | patches: 9 | - target: 10 | kind: HelmRelease 11 | patch: |- 12 | - op: replace 13 | path: /spec/chart/spec/chart 14 | value: prometheus-operator-crds 15 | - target: 16 | kind: HelmRepository 17 | name: app 18 | patch: |- 19 | - op: replace 20 | path: /spec/url 21 | value: https://prometheus-community.github.io/helm-charts 22 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/kube-prometheus-stack-crds/values.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ionfury/homelab/f0a1a75edfad191d8f19c1d1017af493e9b843db/kubernetes/manifests/helm-release/kube-prometheus-stack-crds/values.yaml 
-------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/kube-prometheus-stack/alertmanager-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/alertmanagerconfig_v1alpha1.json 3 | apiVersion: monitoring.coreos.com/v1alpha1 4 | kind: AlertmanagerConfig 5 | metadata: 6 | name: alertmanager 7 | spec: 8 | 9 | route: 10 | groupBy: ["alertname", "job"] 11 | groupInterval: 10m 12 | groupWait: 1m 13 | receiver: discord 14 | repeatInterval: 12h 15 | routes: 16 | - receiver: "null" 17 | matchers: 18 | - name: alertname 19 | value: InfoInhibitor 20 | matchType: = 21 | - receiver: heartbeat 22 | groupInterval: 1m 23 | groupWait: 0s 24 | repeatInterval: 1m 25 | matchers: 26 | - name: alertname 27 | value: Watchdog 28 | matchType: = 29 | - receiver: "discord" 30 | matchers: 31 | - name: severity 32 | value: critical 33 | matchType: = 34 | receivers: 35 | - name: "null" 36 | - name: heartbeat 37 | webhookConfigs: 38 | - urlSecret: 39 | key: url 40 | name: kube-prometheus-stack-heartbeat-ping-url 41 | - name: discord 42 | discordConfigs: 43 | - apiURL: 44 | key: url 45 | name: kube-prometheus-stack-discord-webhook-secret 46 | sendResolved: true 47 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/kube-prometheus-stack/canary.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: canaries.flanksource.com/v1 2 | kind: Canary 3 | metadata: 4 | name: http-check-alertmanager 5 | spec: 6 | schedule: "@every 1m" 7 | http: 8 | - name: http pass response 200 status code 9 | url: https://alertmanager.${internal_domain} 10 | responseCodes: [200] 11 | maxSSLExpiry: 7 12 | --- 13 | apiVersion: canaries.flanksource.com/v1 14 | kind: Canary 15 | metadata: 16 | name: 
http-check-prometheus 17 | spec: 18 | schedule: "@every 1m" 19 | http: 20 | - name: http pass response 200 status code 21 | url: https://prometheus.${internal_domain} 22 | responseCodes: [200] 23 | maxSSLExpiry: 7 24 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/kube-prometheus-stack/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json 3 | apiVersion: external-secrets.io/v1beta1 4 | kind: ExternalSecret 5 | metadata: 6 | name: alertmanager 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: aws-ssm 11 | target: 12 | name: kube-prometheus-stack-discord-webhook-secret 13 | data: 14 | - secretKey: url 15 | remoteRef: 16 | key: /homelab/kubernetes/${cluster_name}/discord-webhook-secret 17 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/kube-prometheus-stack/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: kube-prometheus-stack- 6 | resources: 7 | - ../../common/resources/helm-release 8 | - external-secret.yaml 9 | - alertmanager-config.yaml 10 | - canary.yaml 11 | configMapGenerator: 12 | - name: values 13 | behavior: replace 14 | files: 15 | - values.yaml 16 | secretGenerator: 17 | - name: heartbeat-ping-url 18 | options: 19 | disableNameSuffixHash: true 20 | annotations: 21 | replicator.v1.mittwald.de/replicate-from: kube-system/heartbeat-ping-url 22 | 23 | patches: 24 | - target: 25 | kind: HelmRelease 26 | patch: |- 27 | - op: replace 28 | path: /spec/chart/spec/chart 29 | value: kube-prometheus-stack 30 | - op: 
add 31 | path: /spec/releaseName 32 | value: kube-prometheus-stack 33 | - target: 34 | kind: HelmRepository 35 | name: app 36 | patch: |- 37 | - op: replace 38 | path: /spec/url 39 | value: https://prometheus-community.github.io/helm-charts 40 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/longhorn/canary.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: canaries.flanksource.com/v1 2 | kind: Canary 3 | metadata: 4 | name: http-check 5 | spec: 6 | schedule: "@every 1m" 7 | http: 8 | - name: http pass response 200 status code 9 | url: https://longhorn.${internal_domain} 10 | responseCodes: [200] 11 | maxSSLExpiry: 7 12 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/longhorn/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: longhorn- 6 | resources: 7 | - ../../common/resources/helm-release 8 | - canary.yaml 9 | - alerts.yaml 10 | configMapGenerator: 11 | - name: values 12 | behavior: replace 13 | files: 14 | - values.yaml 15 | patches: 16 | - target: 17 | kind: HelmRelease 18 | patch: |- 19 | - op: replace 20 | path: /spec/chart/spec/chart 21 | value: longhorn 22 | - op: add 23 | path: /spec/releaseName 24 | value: longhorn 25 | - target: 26 | kind: HelmRepository 27 | name: app 28 | patch: |- 29 | - op: replace 30 | path: /spec/url 31 | value: https://charts.longhorn.io 32 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/longhorn/values.yaml: -------------------------------------------------------------------------------- 1 | # 
https://github.com/longhorn/charts/blob/v1.9.x/charts/longhorn/values.yaml 2 | persistence: 3 | defaultFsType: xfs 4 | defaultClassReplicaCount: ${default_replica_count} 5 | defaultSettings: 6 | defaultReplicaCount: ${default_replica_count} 7 | createDefaultDiskLabeledNodes: true 8 | csi: 9 | attacherReplicaCount: ${default_replica_count} 10 | provisionerReplicaCount: ${default_replica_count} 11 | resizerReplicaCount: ${default_replica_count} 12 | snapshotterReplicaCount: ${default_replica_count} 13 | ingress: 14 | enabled: true 15 | ingressClassName: internal 16 | tls: true 17 | host: longhorn.${internal_domain} 18 | metrics: 19 | serviceMonitor: 20 | enabled: true 21 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/minio-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: minio-operator- 6 | resources: 7 | - ../../common/resources/helm-release 8 | configMapGenerator: 9 | - name: values 10 | behavior: replace 11 | files: 12 | - values.yaml 13 | patches: 14 | - target: 15 | kind: HelmRelease 16 | patch: |- 17 | - op: replace 18 | path: /spec/chart/spec/chart 19 | value: operator 20 | - op: add 21 | path: /spec/releaseName 22 | value: minio-operator 23 | - target: 24 | kind: HelmRepository 25 | name: app 26 | patch: |- 27 | - op: replace 28 | path: /spec/url 29 | value: https://operator.min.io/ 30 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/minio-operator/values.yaml: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ionfury/homelab/f0a1a75edfad191d8f19c1d1017af493e9b843db/kubernetes/manifests/helm-release/minio-operator/values.yaml -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/prometheus-ipmi-exporter-supermicro/external-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1beta1 2 | kind: ExternalSecret 3 | metadata: 4 | name: monitoring 5 | spec: 6 | refreshInterval: 1h 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: aws-ssm 10 | target: 11 | name: ipmi-exporter-supermicro-monitoring-${machine:=node} 12 | data: 13 | - secretKey: username 14 | remoteRef: 15 | key: /homelab/kubernetes/live/${machine:=node}/ipmi/monitoring 16 | property: username 17 | - secretKey: password 18 | remoteRef: 19 | key: /homelab/kubernetes/live/${machine:=node}/ipmi/monitoring 20 | property: password 21 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/prometheus-ipmi-exporter-supermicro/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: prometheus-ipmi-exporter-supermicro-${machine:=node}- 6 | resources: 7 | - ../../common/resources/helm-release 8 | - external-secret.yaml 9 | - service-monitor.yaml 10 | configMapGenerator: 11 | - name: values 12 | behavior: replace 13 | files: 14 | - values.yaml 15 | patches: 16 | - target: 17 | kind: HelmRelease 18 | patch: |- 19 | - op: replace 20 | path: /spec/chart/spec/chart 21 | value: prometheus-ipmi-exporter 22 | - op: add 23 | path: /spec/releaseName 24 | value: prometheus-ipmi-exporter-supermicro-${machine:=node} 25 | - op: add 26 | path: /spec/valuesFrom/- 27 | value: 28 | 
targetPath: modules.supermicro.user 29 | kind: Secret 30 | name: ipmi-exporter-supermicro-monitoring-${machine:=node} 31 | valuesKey: username 32 | - op: add 33 | path: /spec/valuesFrom/- 34 | value: 35 | targetPath: modules.supermicro.pass 36 | kind: Secret 37 | name: ipmi-exporter-supermicro-monitoring-${machine:=node} 38 | valuesKey: password 39 | - target: 40 | kind: HelmRepository 41 | name: app 42 | patch: |- 43 | - op: replace 44 | path: /spec/url 45 | value: https://prometheus-community.github.io/helm-charts 46 | 47 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/prometheus-ipmi-exporter-supermicro/service-monitor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | name: target 5 | spec: 6 | endpoints: 7 | - honorLabels: true 8 | params: 9 | module: 10 | - supermicro 11 | target: 12 | - ${machine_address} 13 | path: /ipmi 14 | port: http 15 | relabelings: 16 | - action: replace 17 | sourceLabels: 18 | - __param_target 19 | targetLabel: instance 20 | - targetLabel: instance 21 | replacement: "${machine:=node}" 22 | scrapeTimeout: 10s 23 | jobLabel: prometheus-ipmi-exporter-supermicro-${machine:=node}-target 24 | selector: 25 | matchLabels: 26 | app.kubernetes.io/instance: prometheus-ipmi-exporter-supermicro-${machine:=node} 27 | app.kubernetes.io/name: prometheus-ipmi-exporter 28 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/prometheus-ipmi-exporter-supermicro/values.yaml: -------------------------------------------------------------------------------- 1 | additionalAnnotation: 2 | reloader.stakater.com/auto: "true" 3 | serviceMonitor: 4 | enabled: false 5 | modules: 6 | supermicro: 7 | privilege: user 8 | collectors: 9 | - bmc 10 | - ipmi 11 | - chassis 12 | driver: LAN_2_0 13 | timeout: 10000 14 | 
-------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/promtail/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: promtail- 6 | resources: 7 | - ../../common/resources/helm-release 8 | configMapGenerator: 9 | - name: values 10 | behavior: replace 11 | files: 12 | - values.yaml 13 | patches: 14 | - target: 15 | kind: HelmRelease 16 | patch: |- 17 | - op: replace 18 | path: /spec/chart/spec/chart 19 | value: promtail 20 | - op: add 21 | path: /spec/releaseName 22 | value: promtail 23 | - target: 24 | kind: HelmRepository 25 | name: app 26 | patch: |- 27 | - op: replace 28 | path: /spec/url 29 | value: https://grafana.github.io/helm-charts 30 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/promtail/values.yaml: -------------------------------------------------------------------------------- 1 | fullnameOverride: promtail 2 | config: 3 | clients: 4 | - url: http://loki-headless.${NAMESPACE:=monitoring}.svc.cluster.local:3100/loki/api/v1/push 5 | snippets: 6 | extraScrapeConfigs: | 7 | - job_name: drop-loki-logs 8 | kubernetes_sd_configs: 9 | - role: pod 10 | relabel_configs: 11 | - source_labels: 12 | - __meta_kubernetes_pod_label_app_kubernetes_io_name 13 | - __meta_kubernetes_pod_label_app 14 | - __tmp_controller_name 15 | - __meta_kubernetes_pod_name 16 | - app 17 | action: drop 18 | regex: ^loki$ 19 | serviceMonitor: 20 | enabled: true 21 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/reloader/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: reloader- 6 | resources: 7 | - ../../common/resources/helm-release 8 | configMapGenerator: 9 | - name: values 10 | behavior: replace 11 | files: 12 | - values.yaml 13 | patches: 14 | - target: 15 | kind: HelmRelease 16 | patch: |- 17 | - op: replace 18 | path: /spec/chart/spec/chart 19 | value: reloader 20 | - op: add 21 | path: /spec/releaseName 22 | value: reloader 23 | - target: 24 | kind: HelmRepository 25 | name: app 26 | patch: |- 27 | - op: replace 28 | path: /spec/url 29 | value: https://stakater.github.io/stakater-charts 30 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/reloader/values.yaml: -------------------------------------------------------------------------------- 1 | reloader: 2 | podMonitor: 3 | enabled: true 4 | reloadStrategy: annotations 5 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/replicator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: replicator- 6 | resources: 7 | - ../../common/resources/helm-release 8 | configMapGenerator: 9 | - name: values 10 | behavior: replace 11 | files: 12 | - values.yaml 13 | patches: 14 | - target: 15 | kind: HelmRelease 16 | patch: |- 17 | - op: replace 18 | path: /spec/chart/spec/chart 19 | value: kubernetes-replicator 20 | - op: add 21 | path: /spec/releaseName 22 | value: replicator 23 | - target: 24 | kind: HelmRepository 25 | name: app 26 | patch: |- 27 | - op: replace 28 | path: /spec/url 29 | value: 
https://helm.mittwald.de 30 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/replicator/values.yaml: -------------------------------------------------------------------------------- 1 | image: 2 | pullPolicy: IfNotPresent 3 | 4 | serviceAccount: 5 | create: true 6 | 7 | resources: 8 | requests: 9 | cpu: 10m 10 | memory: 100Mi 11 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/rook-ceph/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: rook-ceph- 6 | resources: 7 | - ../../common/resources/helm-release 8 | configMapGenerator: 9 | - name: values 10 | behavior: replace 11 | files: 12 | - values.yaml 13 | patches: 14 | - target: 15 | kind: HelmRelease 16 | patch: |- 17 | - op: replace 18 | path: /spec/chart/spec/chart 19 | value: rook-ceph 20 | - op: add 21 | path: /spec/releaseName 22 | value: rook-ceph 23 | - target: 24 | kind: HelmRepository 25 | name: app 26 | patch: |- 27 | - op: replace 28 | path: /spec/url 29 | value: https://charts.rook.io/release 30 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/secret-generator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: secret-generator- 6 | resources: 7 | - ../../common/resources/helm-release 8 | configMapGenerator: 9 | - name: values 10 | behavior: replace 11 | files: 12 | - 
values.yaml 13 | patches: 14 | - target: 15 | kind: HelmRelease 16 | patch: |- 17 | - op: replace 18 | path: /spec/chart/spec/chart 19 | value: kubernetes-secret-generator 20 | - op: add 21 | path: /spec/releaseName 22 | value: secret-generator 23 | - target: 24 | kind: HelmRepository 25 | name: app 26 | patch: |- 27 | - op: replace 28 | path: /spec/url 29 | value: https://helm.mittwald.de 30 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/secret-generator/values.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | requests: 3 | cpu: 10m 4 | memory: 100Mi 5 | 6 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/spegel/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namePrefix: spegel- 6 | resources: 7 | - ../../common/resources/helm-release 8 | configMapGenerator: 9 | - name: values 10 | behavior: replace 11 | files: 12 | - values.yaml 13 | patches: 14 | - target: 15 | kind: HelmRelease 16 | patch: |- 17 | - op: replace 18 | path: /spec/chart/spec/chart 19 | value: spegel 20 | - op: add 21 | path: /spec/releaseName 22 | value: spegel 23 | - target: 24 | kind: HelmRepository 25 | name: app 26 | patch: |- 27 | - op: replace 28 | path: /spec/url 29 | value: oci://ghcr.io/spegel-org/helm-charts 30 | - op: add 31 | path: /spec/type 32 | value: oci 33 | 34 | -------------------------------------------------------------------------------- /kubernetes/manifests/helm-release/spegel/values.yaml: -------------------------------------------------------------------------------- 1 | # 
https://github.com/spegel-org/spegel/blob/main/charts/spegel/values.yaml
---
# Helm values for the spegel chart (upstream reference above).
spegel:
  appendMirrors: true
  # Host paths the DaemonSet reads; both are node-level, cluster-wide settings.
  containerdSock: /run/containerd/containerd.sock
  containerdRegistryConfigPath: /etc/cri/conf.d/hosts
service:
  registry:
    # Node hostPort the registry mirror listens on.
    hostPort: 29999
serviceMonitor:
  enabled: true
grafanaDashboard:
  enabled: true
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/tailscale-operator/external-secret.yaml:
--------------------------------------------------------------------------------
# Materialises the Tailscale operator OAuth client credentials as a Kubernetes
# Secret from the aws-ssm ClusterSecretStore.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: client
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-ssm
  target:
    # NOTE(review): presumably the Secret name and keys (client_id /
    # client_secret) the tailscale-operator chart reads — confirm against the chart.
    name: operator-oauth
    template:
      engineVersion: v2
      data:
        client_id: "{{ .id }}"
        client_secret: "{{ .secret }}"
  dataFrom:
    - extract:
        # NOTE(review): ${cluster_name} is not an ESO construct; it looks like a
        # Flux post-build variable substitution — confirm it is defined for every
        # cluster, otherwise the literal path is looked up in SSM.
        key: /homelab/kubernetes/${cluster_name}/tailscale-operator
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/tailscale-operator/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# NOTE(review): the schema above is the Flux Kustomization type, but this file is a
# kustomize.config.k8s.io Kustomization; the sibling kustomizations in this tree
# use https://json.schemastore.org/kustomization.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: tailscale-operator-
resources:
  - ../../common/resources/helm-release
  - external-secret.yaml
configMapGenerator:
  - name: values
    # Replaces the values ConfigMap shipped by the shared helm-release base.
    behavior: replace
    files:
      - values.yaml
patches:
  # Point the shared HelmRelease at the tailscale-operator chart.
  - target:
      kind: HelmRelease
    patch: |-
      - op: replace
        path: /spec/chart/spec/chart
        value: tailscale-operator
      - op: add
        path: /spec/releaseName
        value: tailscale-operator
  # Retarget the shared HelmRepository named "app" at Tailscale's chart repo.
  - target:
      kind: HelmRepository
      name: app
    patch: |-
      - op: replace
        path: /spec/url
        value: https://pkgs.tailscale.com/helmcharts
--------------------------------------------------------------------------------
/kubernetes/manifests/helm-release/tailscale-operator/values.yaml:
--------------------------------------------------------------------------------
# https://github.com/tailscale/tailscale/blob/main/cmd/k8s-operator/deploy/chart/values.yaml
# Intentionally empty: chart defaults apply; the OAuth Secret comes from external-secret.yaml.
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/containerized-data-importer-operator/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Pinned to a release tag (good); the remote manifest is fetched at build time.
  - https://github.com/kubevirt/containerized-data-importer/releases/download/v1.62.0/cdi-operator.yaml
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/containerized-data-importer/instance.yaml:
--------------------------------------------------------------------------------
---
# CDI instance consumed by the operator installed from the sibling
# containerized-data-importer-operator kustomization.
apiVersion: cdi.kubevirt.io/v1beta1
kind: CDI
metadata:
  name: cdi
spec:
  config:
    # StorageClass used for scratch space during imports; must exist on the cluster.
    scratchSpaceStorageClass: fast-unmanaged
    # Requests/limits applied to CDI worker pods (importer/uploader/cloner).
    podResourceRequirements:
      requests:
        cpu: 100m
        memory: 60M
      limits:
        cpu: 750m
        memory: 2Gi
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/containerized-data-importer/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - instance.yaml
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/kubevirt-operator/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Pinned to a release tag (good); the remote manifest is fetched at build time.
  - https://github.com/kubevirt/kubevirt/releases/download/v1.5.0/kubevirt-operator.yaml
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/kubevirt/instance.yaml:
--------------------------------------------------------------------------------
---
# KubeVirt instance consumed by the operator installed from the sibling
# kubevirt-operator kustomization.
apiVersion: kubevirt.io/v1
kind: KubeVirt
metadata:
  name: kubevirt
  namespace: kubevirt
spec:
  configuration:
    # Feature gates are currently disabled (commented out); re-enable deliberately.
    #developerConfiguration:
    #  featureGates:
    #    - LiveMigration
    #    - NetworkBindingPlugins
    # SMBIOS strings exposed to guests.
    smbios:
      sku: TalosCloud
      version: v0.1.0
      manufacturer: Talos Virtualization
      product: talosvm
      family: ccio
  #workloadUpdateStrategy:
  #  workloadUpdateMethods:
  #    - LiveMigrate # enable if you have deployed either Longhorn or NFS-CSI for shared storage.
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/kubevirt/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - instance.yaml
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/nsinjector-crd/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # NOTE(review): fetched from the moving master branch, unlike the kubevirt/CDI
  # manifests above which are pinned to release tags; pin to a tag or commit so a
  # build is reproducible and upstream changes are reviewed before they land.
  - https://raw.githubusercontent.com/blakelead/nsinjector/refs/heads/master/deploy/k8s/crd/namespaceresourcesinjector-crd-1.16.yaml
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/nsinjector-homelab-modules/cluster-role-binding.yaml:
--------------------------------------------------------------------------------
---
# Binds the nsinjector controller's ServiceAccount to the extra permissions it
# needs to inject the homelab-modules Role/RoleBinding (see injector.yaml).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nsinjector-homelab-modules
subjects:
  - kind: ServiceAccount
    name: nsinjector-controller
    # NOTE(review): the ServiceAccount and Deployment under kustomize/nsinjector
    # declare namespace `nsinjector-controller`, not `system`. Unless a parent
    # kustomization's `namespace:` rewrites both, this binding does not apply to
    # the running controller — confirm.
    namespace: system
roleRef:
  kind: ClusterRole
  name: nsinjector-homelab-modules
  apiGroup: rbac.authorization.k8s.io
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/nsinjector-homelab-modules/cluster-role.yaml:
--------------------------------------------------------------------------------
---
# Cluster-wide permissions for the nsinjector controller to manage Roles and
# RoleBindings in any namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nsinjector-homelab-modules
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings"]
    verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles"]
    verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
  # Delegate permissions
  # NOTE(review): presumably needed because the API server's RBAC escalation
  # check only lets a principal create a Role granting permissions it already
  # holds; these mirror the rules injected by injector.yaml and are therefore
  # cluster-wide for the controller.
  - apiGroups: ["kubevirt.io"]
    resources: ["virtualmachines"]
    verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/nsinjector-homelab-modules/injector.yaml:
--------------------------------------------------------------------------------
# Injects a Role + RoleBinding into every matching namespace, granting the
# actions-runners ServiceAccount below create/delete on VirtualMachines and
# Services there.
kind: NamespaceResourcesInjector
apiVersion: blakelead.com/v1alpha1
metadata:
  name: nri-test
spec:
  namespaces:
    # NOTE(review): the pattern is unanchored; if nsinjector matches by regex
    # search, any namespace merely containing `homelab-modules-` also matches —
    # confirm the matching semantics and anchor the pattern if needed.
    - homelab-modules-.*
  # The two block scalars below are injected verbatim; ${service_account} is
  # presumably substituted before apply (Flux post-build) — confirm.
  resources:
    - |
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: vm-deployer
      rules:
        - apiGroups: [""]
          resources: ["services"]
          verbs: ["create", "get", "list", "delete"]
        - apiGroups: ["kubevirt.io"]
          resources: ["virtualmachines"]
          verbs: ["create", "get", "list", "delete"]
    - |
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: vm-deployer-binding
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: vm-deployer
      subjects:
        - kind: ServiceAccount
          name: ${service_account}
          namespace: actions-runners
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/nsinjector-homelab-modules/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - injector.yaml
  - cluster-role-binding.yaml
  - cluster-role.yaml
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/nsinjector/cluster-role-binding.yaml:
--------------------------------------------------------------------------------
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nsinjector-controller
subjects:
  - kind: ServiceAccount
    name: nsinjector-controller
    # NOTE(review): service-account.yaml in this directory creates the
    # ServiceAccount in namespace `nsinjector-controller`; confirm a parent
    # kustomization rewrites both to `system`, otherwise this binding is inert.
    namespace: system
roleRef:
  kind: ClusterRole
  name: nsinjector-controller
  apiGroup: rbac.authorization.k8s.io
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/nsinjector/cluster-role.yaml:
--------------------------------------------------------------------------------
---
# Base permissions for the nsinjector controller: watch namespaces and its own CRs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nsinjector-controller
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["blakelead.com"]
    resources: ["namespaceresourcesinjectors"]
    verbs: ["list", "get", "watch", "update"]
  # NOTE(review): `rbac` is not a Kubernetes API group (the RBAC group is
  # `rbac.authorization.k8s.io`, as the bindings here use), so this rule grants
  # nothing. If it is corrected, name `roles`/`rolebindings` explicitly rather
  # than `*`, which would also cover clusterroles and clusterrolebindings.
  - apiGroups: ["rbac"]
    resources: ["*"]
    verbs: ["list", "get", "watch", "update"]
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/nsinjector/deployment.yaml:
--------------------------------------------------------------------------------
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nsinjector-controller
  namespace: nsinjector-controller
  labels:
    app: nsinjector-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nsinjector-controller
  template:
    metadata:
      labels:
        app: nsinjector-controller
    spec:
      serviceAccountName: nsinjector-controller
      # NOTE(review): no securityContext or resource limits are set here for a
      # controller that holds cluster-wide RBAC write permissions — confirm a
      # parent applies them.
      containers:
        - name: nsinjector-controller
          # NOTE(review): no tag or digest and no registry prefix, so the runtime
          # default registry and "latest" are used, and imagePullPolicy: Always
          # re-resolves it on every restart. Pin to a tag (ideally a digest) so
          # the deployed image is reviewable and reproducible.
          image: blakelead/nsinjector-controller
          imagePullPolicy: Always
--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/nsinjector/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # The upstream all-in-one manifest is replaced by the local files below.
  # - https://raw.githubusercontent.com/blakelead/nsinjector/refs/heads/master/deploy/k8s/nsinjector-controller.yaml
  - cluster-role-binding.yaml
  - cluster-role.yaml
  - deployment.yaml
  - service-account.yaml


--------------------------------------------------------------------------------
/kubernetes/manifests/kustomize/nsinjector/service-account.yaml:
--------------------------------------------------------------------------------
---
# ServiceAccount the nsinjector-controller Deployment runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nsinjector-controller
  namespace: nsinjector-controller
--------------------------------------------------------------------------------