├── .git-crypt ├── .gitattributes └── keys │ └── default │ └── 0 │ └── 26BED46A0FB472D2A23F941D3A5BC5F2174508EF.gpg ├── .gitattributes ├── .github ├── CODEOWNERS ├── labeler.yaml ├── labels.yaml ├── linters │ ├── .markdownlint.yaml │ ├── .prettierignore │ ├── .prettierrc.yaml │ ├── .textlintrc │ └── .yamllint.yaml ├── renovate.json5 ├── renovate │ ├── autoMerge.json │ ├── groups.json5 │ ├── labels.json │ ├── regexManagers.json5 │ └── semanticCommits.json ├── scripts │ ├── cloudflare-ip-ranges.sh │ ├── container-parser.sh │ └── lib │ │ └── functions.sh └── workflows │ ├── flux-diff.yaml │ ├── link-checker.yaml │ ├── megalinter.yaml │ ├── meta-sync-labels.yaml │ ├── pullrequest-lint.yaml │ ├── pullrequest-meta-label-size.yaml │ ├── pullrequest-meta-labeler.yml │ ├── pullrequest-scan-containers.yaml │ ├── pullrequest-todo2github-issues.yaml │ └── renovate.yaml ├── .gitignore ├── .lycheeignore ├── .pre-commit-config.yaml ├── .sops.pub.asc ├── .sops.yaml ├── .sourceignore ├── .taskfiles ├── ClusterTasks.yml ├── flux.yaml └── pre-commit.yaml ├── .tool-versions ├── LICENSE ├── README.md ├── Taskfile.yml ├── _docs ├── TROUBLESHOOTING.md ├── ingress.md ├── scheduling.md └── secrets.md ├── archive ├── .gitkeep └── crds │ └── velero │ ├── crds.yaml │ └── kustomization.yaml ├── cluster ├── apps │ ├── README.md │ ├── home │ │ ├── home-assistant │ │ │ ├── certificate.yaml │ │ │ ├── code-server.enc.yaml │ │ │ ├── config-pvc.yaml │ │ │ ├── helm-release.yaml │ │ │ ├── home-assistant.sops.yaml │ │ │ ├── ingress-route.yaml │ │ │ ├── kustomization.yaml │ │ │ └── network-policy.yaml │ │ ├── kustomization.yaml │ │ └── postgres │ │ │ ├── ingress-route.yaml │ │ │ ├── kustomization.yaml │ │ │ └── zalando-postgres.yaml │ ├── hummingbot │ │ ├── kustomization.yaml │ │ └── postgres │ │ │ ├── ingress-route.yaml │ │ │ ├── kustomization.yaml │ │ │ └── zalando-postgres.yaml │ ├── kube-system │ │ ├── 1password │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ ├── dashboard │ │ │ ├── 
certificate.yaml │ │ │ ├── helm-release.yaml │ │ │ ├── ingress-route.yaml │ │ │ └── kustomization.yaml │ │ ├── descheduler │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ ├── external-snapshotter │ │ │ └── kustomization.yaml │ │ ├── kustomization.yaml │ │ ├── kyverno │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── policies │ │ │ │ ├── delete-cpu-limits.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── rbac.yaml │ │ ├── metrics-server │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ └── reloader │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── media │ │ ├── kustomization.yaml │ │ └── openbooks │ │ │ ├── certificate.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── ingress-route.yaml │ │ │ └── kustomization.yaml │ ├── monitoring │ │ ├── botkube │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ ├── cronitor │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ └── secret.sops.yaml │ │ ├── dashboard │ │ │ ├── certificate.yaml │ │ │ ├── helm-release.yaml │ │ │ ├── ingress-route.yaml │ │ │ └── kustomization.yaml │ │ ├── goldilocks │ │ │ ├── certificate.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── ingress-route.yaml │ │ │ └── kustomization.yaml │ │ ├── grafana │ │ │ ├── certificate.yaml │ │ │ ├── helm-release.yaml │ │ │ ├── ingress-route.yaml │ │ │ ├── kustomization.yaml │ │ │ └── secret.sops.yaml │ │ ├── karma │ │ │ ├── certificate.yaml │ │ │ ├── deployment.yaml │ │ │ ├── ingress-route.yaml │ │ │ ├── kustomization.yaml │ │ │ └── service.yaml │ │ ├── kustomization.yaml │ │ ├── speedtest-exporter │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ └── vpa │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ ├── system-upgrade │ │ ├── kustomization.yaml │ │ └── system-upgrade-controller │ │ │ ├── kustomization.yaml │ │ │ └── plans │ │ │ ├── agent.yaml │ │ │ ├── kustomization.yaml │ │ │ └── server.yaml │ └── tools │ │ ├── changedetection-io │ │ ├── certificate.yaml │ │ ├── 
config-pvc.yaml │ │ ├── helm-release.yaml │ │ ├── ingress-route.yaml │ │ └── kustomization.yaml │ │ └── kustomization.yaml ├── bootstrap │ └── kustomization.yaml ├── config │ ├── README.md │ ├── cluster-secrets.sops.yaml │ ├── cluster-settings.yaml │ └── kustomization.yaml ├── core │ ├── README │ ├── cert-manager │ │ ├── helm-release.yaml │ │ ├── kustomization.yaml │ │ ├── letsencrypt-production.yaml │ │ ├── letsencrypt-staging.yaml │ │ └── secret.sops.yaml │ ├── flux-system │ │ ├── kustomization.yaml │ │ ├── monitoring │ │ │ ├── kustomization.yaml │ │ │ ├── pod-monitor.yaml │ │ │ └── prometheus-rule.yaml │ │ ├── notifications │ │ │ ├── discord │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── notification.yaml │ │ │ │ └── secret.sops.yaml │ │ │ ├── github │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── notification.yaml │ │ │ │ └── secret.sops.yaml │ │ │ └── kustomization.yaml │ │ └── webhook │ │ │ ├── github │ │ │ ├── certificate.yaml │ │ │ ├── ingress-route.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── receiver.yaml │ │ │ └── secret.sops.yaml │ │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── monitoring │ │ ├── cronitor-heartbeat │ │ │ ├── cron-job.yaml │ │ │ ├── cronitor-heartbeat.sh │ │ │ ├── kustomization.yaml │ │ │ └── secret.sops.yaml │ │ ├── influxdb │ │ │ ├── certificate.yaml │ │ │ ├── helm-release.yaml │ │ │ ├── ingress-route.yaml │ │ │ └── kustomization.yaml │ │ ├── jaeger │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ ├── kube-prometheus-stack │ │ │ ├── certificate.yaml │ │ │ ├── helm-release.yaml │ │ │ ├── ingress-route.yaml │ │ │ └── kustomization.yaml │ │ ├── kustomization.yaml │ │ ├── loki │ │ │ ├── .archive │ │ │ │ └── ingress-route.yaml │ │ │ ├── certificate.yaml │ │ │ ├── config-map.yaml │ │ │ ├── dashboard │ │ │ │ └── kustomization.yaml │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ └── prometheus-rule.yaml │ │ ├── node-problem-detector │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ ├── promtail │ │ │ ├── 
helm-release.yaml │ │ │ └── kustomization.yaml │ │ ├── snmp-exporter │ │ │ ├── config-map.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── prometheus-rule.yaml │ │ │ └── snmp-exporter.yaml │ │ └── vector │ │ │ ├── agent │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ │ ├── aggregator │ │ │ ├── helm-release.yaml │ │ │ └── kustomization.yaml │ │ │ └── kustomization.yaml │ ├── namespaces │ │ ├── cert-manager.yaml │ │ ├── falco-system.yaml │ │ ├── flux-system.yaml │ │ ├── home.yaml │ │ ├── hummingbot-dev.yaml │ │ ├── hummingbot.yaml │ │ ├── kasten-io.yaml │ │ ├── kube-system.yaml │ │ ├── kustomization.yaml │ │ ├── media.yaml │ │ ├── monitoring.yaml │ │ ├── networking.yaml │ │ ├── node-feature-discovery.yaml │ │ ├── portainer.yaml │ │ ├── postgres.yaml │ │ ├── system-upgrade.yaml │ │ ├── tools.yaml │ │ ├── trivy-system.yaml │ │ └── velero.yaml │ ├── networking │ │ ├── kustomization.yaml │ │ ├── metallb │ │ │ ├── helm-release.yaml │ │ │ ├── ip-address-pool.yaml │ │ │ └── kustomization.yaml │ │ ├── traefik-forward-auth │ │ │ ├── certificate.yaml │ │ │ ├── helm-release.yaml │ │ │ ├── ingress-route.yaml │ │ │ └── kustomization.yaml │ │ ├── traefik-internal │ │ │ ├── dashboard │ │ │ │ ├── ingress-route.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── healthcheck │ │ │ │ ├── ingress-route.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── middlewares │ │ │ │ ├── basic-auth.yaml │ │ │ │ ├── forward-auth.yaml │ │ │ │ ├── ip-whitelist │ │ │ │ │ ├── cloudflare.yaml │ │ │ │ │ ├── github-hooks.yaml │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── rfc1918.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── redirect-path.yaml │ │ │ │ └── secret.enc.yaml │ │ │ ├── service-monitor.yaml │ │ │ └── tls-store │ │ │ │ ├── default.yaml │ │ │ │ └── kustomization.yaml │ │ └── wildcard-certificate │ │ │ ├── certificate.yaml │ │ │ └── kustomization.yaml │ ├── postgres │ │ ├── kustomization.yaml │ │ └── zalando-operator │ │ │ ├── 
helm-release.yaml │ │ │ └── kustomization.yaml │ └── velero │ │ ├── helm-release.yaml │ │ ├── kustomization.yaml │ │ ├── prometheus-rule.yaml │ │ ├── restic.secret.sops.yaml │ │ └── velero.secret.sops.yaml ├── crds │ ├── 1password │ │ ├── crds.yaml │ │ └── kustomization.yaml │ ├── README.md │ ├── cert-manager │ │ └── kustomization.yaml │ ├── external-dns │ │ ├── crds.yaml │ │ └── kustomization.yaml │ ├── external-snapshotter │ │ ├── crds.yaml │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── system-upgrade-controller │ │ └── kustomization.yaml │ └── traefik │ │ ├── crds.yaml │ │ └── kustomization.yaml ├── flux │ ├── README.md │ ├── apps.yaml │ ├── config.yaml │ ├── core.yaml │ ├── crds.yaml │ ├── flux-system │ │ ├── README.md │ │ ├── flux-cluster.yaml │ │ ├── flux-installation.yaml │ │ ├── github-deploy-key.sops.yaml │ │ └── kustomization.yaml │ └── sources.yaml ├── github-deploy-key.pub └── sources │ ├── README.md │ ├── git │ ├── flux-monitoring.yaml │ ├── kustomization.yaml │ └── postgres-operator.yaml │ ├── helm │ ├── 1password-charts.yaml │ ├── aqua-charts.yaml │ ├── authentik-charts.yaml │ ├── bitnami-charts.yaml │ ├── bjw-s-charts.yaml │ ├── blakeshome-charts.yaml │ ├── coredns-charts.yaml │ ├── cronitor-charts.yaml │ ├── deliveryhero-charts.yaml │ ├── descheduler-charts.yaml │ ├── fairwinds-charts.yaml │ ├── grafana-charts.yaml │ ├── hashicorp-charts.yaml │ ├── influxdata-charts.yaml │ ├── infracloudio-charts.yaml │ ├── ingress-nginx-charts.yaml │ ├── jaeger-charts.yaml │ ├── jetstack-charts.yaml │ ├── k8s-at-home-charts.yaml │ ├── kasten-charts.yaml │ ├── kubernetes-dashboard-charts.yaml │ ├── kubernetes-sigs-descheduler-charts.yaml │ ├── kured-charts.yaml │ ├── kustomization.yaml │ ├── kyverno-charts.yaml │ ├── lwolf-charts.yaml │ ├── metallb-charts.yaml │ ├── metrics-server-charts.yaml │ ├── minio-charts.yaml │ ├── nfs-subdir-external-provisioner-charts.yaml │ ├── node-feature-discovery-charts.yaml │ ├── portainer-charts.yaml │ ├── 
prometheus-community-charts.yaml │ ├── rook-ceph-charts.yaml │ ├── sealed-secrets-charts.yaml │ ├── stakater-charts.yaml │ ├── traefik-charts.yaml │ ├── vector-charts.yaml │ ├── vernemq-charts.yaml │ ├── victoriametrics-charts.yaml │ └── vmware-tanzu-charts.yaml │ └── kustomization.yaml ├── hack ├── common.sh ├── template.sh └── validate.sh ├── infrastructure └── pagerduty │ ├── main.tf │ ├── outputs.tf │ ├── providers.tf │ └── variables.tf └── templates └── app ├── kustomization.yaml └── release.yaml /.git-crypt/.gitattributes: -------------------------------------------------------------------------------- 1 | # Do not edit this file. To specify the files to encrypt, create your own 2 | # .gitattributes file in the directory where your files are. 3 | * !filter !diff 4 | *.gpg binary 5 | -------------------------------------------------------------------------------- /.git-crypt/keys/default/0/26BED46A0FB472D2A23F941D3A5BC5F2174508EF.gpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kitos9112/k8s-home/0765c4fcafe6a7e657d6ce9b630f539824dbf12e/.git-crypt/keys/default/0/26BED46A0FB472D2A23F941D3A5BC5F2174508EF.gpg -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | **.secrets.env filter=git-crypt diff=git-crypt 2 | .secrets/* filter=git-crypt diff=git-crypt 3 | **.env filter=git-crypt diff=git-crypt 4 | **.envrc filter=git-crypt diff=git-crypt 5 | **.creds filter=git-crypt diff=git-crypt 6 | **/secrets.yml filter=git-crypt diff=git-crypt 7 | **/secrets.yaml filter=git-crypt diff=git-crypt 8 | **.pem filter=git-crypt diff=git-crypt 9 | secret.enc.yaml diff=sopsdiffer 10 | *.sops.yaml diff=sopsdiffer 11 | cluster-secrets.yaml diff=sopsdiffer 12 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: 
-------------------------------------------------------------------------------- 1 | # https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners 2 | * @kitos9112 3 | -------------------------------------------------------------------------------- /.github/labeler.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Areas 3 | area/docs: 4 | - changed-files: 5 | - any-glob-to-any-file: 6 | - "docs/**/*" 7 | - "README.md" 8 | area/github: 9 | - changed-files: 10 | - any-glob-to-any-file: ".github/**/*" 11 | area/kubernetes: 12 | - changed-files: 13 | - any-glob-to-any-file: "cluster/**/*" 14 | area/taskfile: 15 | - changed-files: 16 | - any-glob-to-any-file: 17 | - ".taskfiles/**/*" 18 | - "Taskfile.yaml" 19 | -------------------------------------------------------------------------------- /.github/labels.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Area 3 | - name: area/github 4 | color: "72ccf3" 5 | description: >- 6 | Changes made in the github directory 7 | - name: area/cluster 8 | color: "72ccf3" 9 | description: >- 10 | Changes made in the cluster directory 11 | - name: area/hack 12 | color: "72ccf3" 13 | description: >- 14 | Changes made in the hack directory 15 | 16 | # Renovate 17 | - name: renovate/container 18 | color: "ffc300" 19 | - name: renovate/github-action 20 | color: "ffc300" 21 | - name: renovate/github-release 22 | color: "ffc300" 23 | - name: renovate/helm 24 | color: "ffc300" 25 | 26 | # Semantic Type 27 | - name: type/patch 28 | color: "FFEC19" 29 | - name: type/minor 30 | color: "FF9800" 31 | - name: type/major 32 | color: "F6412D" 33 | 34 | # Size 35 | - name: size/XS 36 | color: "009900" 37 | description: >- 38 | Denotes a PR that changes 0-9 lines, ignoring generated files. 
39 | - name: size/S 40 | color: "77bb00" 41 | description: >- 42 | Denotes a PR that changes 10-29 lines, ignoring generated files. 43 | - name: size/M 44 | color: "eebb00" 45 | description: >- 46 | Denotes a PR that changes 30-99 lines, ignoring generated files. 47 | - name: size/L 48 | color: "ee9900" 49 | description: >- 50 | Denotes a PR that changes 100-499 lines, ignoring generated files. 51 | - name: size/XL 52 | color: "ee5500" 53 | description: >- 54 | Denotes a PR that changes 500-999 lines, ignoring generated files. 55 | - name: size/XXL 56 | color: "ee0000" 57 | description: >- 58 | Denotes a PR that changes 1000+ lines, ignoring generated files. 59 | 60 | # Uncategorized 61 | - name: bug 62 | color: "ee0701" 63 | - name: do-not-merge 64 | color: "ee0701" 65 | - name: docs 66 | color: "F4D1B7" 67 | - name: enhancement 68 | color: "84b6eb" 69 | - name: link-checker 70 | color: "7B55D7" 71 | - name: question 72 | color: "cc317c" 73 | -------------------------------------------------------------------------------- /.github/linters/.markdownlint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | default: true 3 | 4 | # MD013/line-length - Line length 5 | MD013: 6 | # Number of characters 7 | line_length: 500 8 | # Number of characters for headings 9 | heading_line_length: 80 10 | # Number of characters for code blocks 11 | code_block_line_length: 80 12 | # Include code blocks 13 | code_blocks: true 14 | # Include tables 15 | tables: true 16 | # Include headings 17 | headings: true 18 | # Include headings (legacy alias of the headings option above) 19 | headers: true 20 | # Strict length checking 21 | strict: false 22 | # Stern length checking 23 | stern: false 24 | -------------------------------------------------------------------------------- /.github/linters/.prettierignore: -------------------------------------------------------------------------------- 1 | charts/ 2 | docs/ 3 | .private/ 4 | .terraform/ 5 | .vscode/ 6 | *.sops.* 7 | 
gotk-components.yaml 8 | -------------------------------------------------------------------------------- /.github/linters/.prettierrc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | trailingComma: "es5" 3 | tabWidth: 2 4 | semi: false 5 | singleQuote: false 6 | bracketSpacing: false 7 | useTabs: false 8 | -------------------------------------------------------------------------------- /.github/linters/.textlintrc: -------------------------------------------------------------------------------- 1 | --- 2 | rules: 3 | no-todo: false 4 | -------------------------------------------------------------------------------- /.github/linters/.yamllint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ignore: | 3 | charts/ 4 | docs/ 5 | .private/ 6 | .vscode/ 7 | *.sops.* 8 | gotk-components.yaml 9 | .yamllint.yml 10 | templates/ 11 | *-crds.yaml 12 | extends: default 13 | rules: 14 | truthy: 15 | allowed-values: ["true", "false", "on"] 16 | comments: 17 | min-spaces-from-content: 1 18 | line-length: disable 19 | braces: 20 | min-spaces-inside: 0 21 | max-spaces-inside: 1 22 | brackets: 23 | min-spaces-inside: 0 24 | max-spaces-inside: 0 25 | indentation: enable 26 | -------------------------------------------------------------------------------- /.github/renovate/autoMerge.json: -------------------------------------------------------------------------------- 1 | { 2 | "packageRules": [ 3 | { 4 | "automerge": true, 5 | "automergeType": "branch", 6 | "description": "Auto merge GitHub Actions and minio", 7 | "matchDatasources": [ 8 | "github-tags" 9 | ], 10 | "matchPackageNames": [ 11 | "renovatebot/github-action", 12 | "minio" 13 | ], 14 | "matchUpdateTypes": [ 15 | "minor", 16 | "patch" 17 | ], 18 | "requiredStatusChecks": null 19 | }, 20 | { 21 | "automerge": true, 22 | "automergeType": "branch", 23 | "description": "Auto merge container digests", 24 | "matchDatasources": [ 25 
| "docker" 26 | ], 27 | "matchPackagePattern": [ 28 | "ghcr.io/onedr0p" 29 | ], 30 | "matchUpdateTypes": [ 31 | "digest" 32 | ], 33 | "requiredStatusChecks": null 34 | }, 35 | { 36 | "automerge": true, 37 | "automergeType": "branch", 38 | "description": "Auto merge helm chart patches", 39 | "matchManagers": [ 40 | "flux", 41 | "helm-requirements", 42 | "helm-values", 43 | "helmv3" 44 | ], 45 | "matchUpdateTypes": [ 46 | "patch" 47 | ], 48 | "requiredStatusChecks": null 49 | } 50 | ] 51 | } 52 | -------------------------------------------------------------------------------- /.github/renovate/groups.json5: -------------------------------------------------------------------------------- 1 | { 2 | packageRules: [ 3 | { 4 | description: "Rook-Ceph image and chart", 5 | group: { 6 | commitMessageTopic: "{{{groupName}}} group", 7 | }, 8 | groupName: "Rook Ceph", 9 | matchDatasources: [ 10 | "docker", 11 | "helm", 12 | ], 13 | matchPackagePatterns: [ 14 | "rook.ceph", 15 | ], 16 | separateMinorPatch: true, 17 | }, 18 | { 19 | description: "Thanos image and chart versions do not match", 20 | group: { 21 | commitMessageTopic: "{{{groupName}}} group", 22 | }, 23 | groupName: "Thanos", 24 | matchDatasources: [ 25 | "docker", 26 | "github-releases", 27 | "helm", 28 | ], 29 | matchPackagePatterns: [ 30 | "thanos", 31 | ], 32 | matchUpdateTypes: [ 33 | "minor", 34 | "patch", 35 | ], 36 | separateMinorPatch: false, 37 | stabilityDays: 3, 38 | }, 39 | { 40 | description: "Vector image and chart versions do not match", 41 | group: { 42 | commitMessageTopic: "{{{groupName}}} group", 43 | }, 44 | groupName: "Vector", 45 | matchDatasources: [ 46 | "docker", 47 | "github-releases", 48 | "helm", 49 | ], 50 | matchPackagePatterns: [ 51 | "vector", 52 | ], 53 | matchUpdateTypes: [ 54 | "minor", 55 | "patch", 56 | ], 57 | separateMinorPatch: false, 58 | stabilityDays: 3, 59 | }, 60 | ], 61 | } 62 | -------------------------------------------------------------------------------- 
/.github/renovate/labels.json: -------------------------------------------------------------------------------- 1 | { 2 | "packageRules": [ 3 | { 4 | "labels": [ 5 | "type/major" 6 | ], 7 | "matchUpdateTypes": [ 8 | "major" 9 | ] 10 | }, 11 | { 12 | "labels": [ 13 | "type/minor" 14 | ], 15 | "matchUpdateTypes": [ 16 | "minor" 17 | ] 18 | }, 19 | { 20 | "labels": [ 21 | "type/patch" 22 | ], 23 | "matchUpdateTypes": [ 24 | "patch" 25 | ] 26 | }, 27 | { 28 | "addLabels": [ 29 | "renovate/container" 30 | ], 31 | "matchDatasources": [ 32 | "docker" 33 | ] 34 | }, 35 | { 36 | "addLabels": [ 37 | "renovate/helm" 38 | ], 39 | "matchDatasources": [ 40 | "helm" 41 | ] 42 | }, 43 | { 44 | "addLabels": [ 45 | "renovate/ansible" 46 | ], 47 | "matchDatasources": [ 48 | "galaxy", 49 | "galaxy-collection" 50 | ] 51 | }, 52 | { 53 | "addLabels": [ 54 | "renovate/terraform" 55 | ], 56 | "matchDatasources": [ 57 | "terraform-provider" 58 | ] 59 | } 60 | ] 61 | } 62 | -------------------------------------------------------------------------------- /.github/renovate/regexManagers.json5: -------------------------------------------------------------------------------- 1 | { 2 | regexManagers: [ 3 | { 4 | datasourceTemplate: "{{#if datasource}}{{{datasource}}}{{else}}helm{{/if}}", 5 | description: "Process Helm Cluster CRD dependencies", 6 | extractVersionTemplate: "{{#if extractVersion}}{{extractVersion}}{{else}}^v?(?.*)${{/if}}", 7 | fileMatch: [ 8 | "cluster/.+\\.ya?ml$", 9 | ], 10 | matchStrings: [ 11 | "# renovate: registryUrl=(?\\S+) chart=(?\\S+)\n.*?(?[^-\\s]*)$", 12 | "# renovate:(\\s+datasource=(?.+))?(\\s+registryUrl=(?\\S+))?\\s+((chart)|(depName))=(?\\S+)?$\\s*tag:.*?(?[^-\\s]*)$", 13 | "# renovate: datasource=(?\\S+)( extractVersion=(?.*))? depName=(?.*)\\n\\s+tag: (?.*)\\n", 14 | "# renovate:( datasource=(?\\S+) registryUrl=(?\\S+))? 
depName=(?\\S+)\\n.*?-\\s(.*?)\\/(?[^\\/]+)\\/[^\\/]+$", 15 | "registryUrl=(?\\S+) chart=(?\\S+)\n.*?(?[^-\\s]*)$", 16 | "datasource=(?\\S+) depName=(?\\S+)( versioning=(?\\S+))?\n.*?\"(?.*)\"\n", 17 | ], 18 | }, 19 | { 20 | datasourceTemplate: "github-releases", 21 | description: "Process raw GitHub URLs", 22 | fileMatch: [ 23 | "cluster/.+\\.ya?ml$", 24 | ], 25 | matchStrings: [ 26 | "https:\\/\\/raw.githubusercontent.com\\/(?[\\w\\d\\-_]+\\/[\\w\\d\\-_]+)\\/(?[\\w\\d\\.\\-_]+)\\/.*", 27 | ], 28 | versioningTemplate: "semver", 29 | }, 30 | { 31 | description: "Process standalone ASDF tool versions", 32 | extractVersionTemplate: "{{#if extractVersion}}{{extractVersion}}{{else}}^v?(?.+)${{/if}}", 33 | fileMatch: [ 34 | "^.tool-versions$", 35 | ], 36 | matchStrings: [ 37 | "# renovate: datasource=(?.+?) packageName=(?.+?)( extractVersion=(?.+?))?( registryUrl=(?.+?))?\\s+(?.+?) (?.+)", 38 | ], 39 | }, 40 | ], 41 | } 42 | -------------------------------------------------------------------------------- /.github/scripts/cloudflare-ip-ranges.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Get all cloudflare ipv4 ranges in an array 4 | ipv4="$(curl -s https://www.cloudflare.com/ips-v4 | jq --raw-input --slurp 'split("\n")')" 5 | if [[ -z "${ipv4}" ]]; then 6 | exit 1 7 | fi 8 | 9 | # Get all cloudflare ipv6 ranges in an array 10 | ipv6="$(curl -s https://www.cloudflare.com/ips-v6 | jq --raw-input --slurp 'split("\n")')" 11 | if [[ -z "${ipv6}" ]]; then 12 | exit 1 13 | fi 14 | 15 | # Merge both cloudflare ipv4 and ipv6 ranges into one array 16 | ipv4ipv6=$(jq \ 17 | --argjson arr1 "$ipv4" \ 18 | --argjson arr2 "$ipv6" \ 19 | -n '$arr1 + $arr2 | sort_by(.)' \ 20 | ) 21 | 22 | # Output array as a string with \, as delimiter 23 | echo "${ipv4ipv6}" | jq --raw-output '. 
| join("\\,")' 24 | -------------------------------------------------------------------------------- /.github/scripts/lib/functions.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errexit 4 | set -o nounset 5 | set -o pipefail 6 | shopt -s lastpipe 7 | 8 | check() { 9 | command -v "${1}" >/dev/null 2>&1 || { 10 | echo >&2 "ERROR: ${1} is not installed or not found in \$PATH" >&2 11 | exit 1 12 | } 13 | } 14 | 15 | chart_registry_url() { 16 | local helm_release= 17 | local chart_id= 18 | helm_release="${1}" 19 | chart_id=$(yq eval .spec.chart.spec.sourceRef.name "${helm_release}" 2>/dev/null) 20 | # Discover all HelmRepository 21 | find . -iname '*-charts.yaml' -type f -print0 | while IFS= read -r -d '' file; do 22 | # Skip non HelmRepository 23 | [[ $(yq eval .kind "${file}" 2>/dev/null) != "HelmRepository" ]] && continue 24 | # Skip unrelated HelmRepository 25 | [[ "${chart_id}" != $(yq eval .metadata.name "${file}" 2>/dev/null) ]] && continue 26 | yq eval .spec.url "${file}" 27 | break 28 | done 29 | } 30 | 31 | chart_name() { 32 | local helm_release= 33 | helm_release="${1}" 34 | yq eval .spec.chart.spec.chart "${helm_release}" 2>/dev/null 35 | } 36 | 37 | chart_version() { 38 | local helm_release= 39 | helm_release="${1}" 40 | yq eval .spec.chart.spec.version "${helm_release}" 2>/dev/null 41 | } 42 | 43 | chart_values() { 44 | local helm_release= 45 | helm_release="${1}" 46 | yq eval .spec.values "${helm_release}" 2>/dev/null 47 | } 48 | -------------------------------------------------------------------------------- /.github/workflows/link-checker.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Link Checker 3 | 4 | on: # yamllint disable-line rule:truthy 5 | workflow_dispatch: 6 | push: 7 | branches: 8 | - main 9 | - next 10 | schedule: 11 | - cron: "0 0 * * *" # Every day at midnight 12 | 13 | jobs: 14 | link-checker: 15 | name: 
Link Checker 16 | runs-on: ubuntu-24.04 17 | steps: 18 | - name: Generate Token 19 | uses: actions/create-github-app-token@v1 20 | id: generate-token 21 | with: 22 | app-id: "${{ secrets.BOT_APP_ID }}" 23 | private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" 24 | 25 | - name: Checkout 26 | uses: actions/checkout@v4 27 | with: 28 | token: "${{ steps.generate-token.outputs.token }}" 29 | fetch-depth: 0 30 | 31 | - name: Link Checker 32 | uses: lycheeverse/lychee-action@v1.10.0 33 | id: lychee 34 | env: 35 | GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}" 36 | 37 | - name: Find Link Checker Issue 38 | id: link-checker-issue 39 | uses: micalevisk/last-issue-action@v2 40 | with: 41 | state: open 42 | labels: | 43 | link-checker 44 | 45 | - name: Update Issue 46 | uses: peter-evans/create-issue-from-file@v5 47 | with: 48 | title: Broken links detected in docs 🔗 49 | issue-number: "${{ steps.link-checker-issue.outputs.issue_number }}" 50 | content-filepath: ./lychee/out.md 51 | token: "${{ steps.generate-token.outputs.token }}" 52 | labels: | 53 | link-checker 54 | -------------------------------------------------------------------------------- /.github/workflows/megalinter.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: MegaLinter 3 | 4 | on: # yamllint disable-line rule:truthy 5 | workflow_dispatch: 6 | pull_request: 7 | branches: 8 | - main 9 | - next 10 | 11 | concurrency: 12 | group: ${{ github.ref }}-${{ github.workflow }} 13 | cancel-in-progress: true 14 | 15 | jobs: 16 | build: 17 | name: MegaLinter 18 | runs-on: ubuntu-24.04 19 | steps: 20 | - name: Generate Token 21 | uses: actions/create-github-app-token@v1 22 | id: generate-token 23 | with: 24 | app-id: "${{ secrets.BOT_APP_ID }}" 25 | private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" 26 | 27 | - name: Checkout 28 | uses: actions/checkout@v4 29 | with: 30 | fetch-depth: 0 31 | token: "${{ steps.generate-token.outputs.token }}" 32 | 33 | - name: 
MegaLinter 34 | uses: oxsecurity/megalinter@v8.4.0 35 | env: 36 | GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}" 37 | PRINT_ALPACA: false 38 | VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'workflow_dispatch' }} 39 | ENABLE_LINTERS: |- 40 | ${{ 41 | join( 42 | fromJSON(' 43 | [ 44 | "ACTION_ACTIONLINT", 45 | "ANSIBLE_ANSIBLE_LINT", 46 | "COPYPASTE_JSCPD", 47 | "KUBERNETES_KUBEVAL", 48 | "MARKDOWN_MARKDOWNLINT", 49 | "REPOSITORY_GIT_DIFF", 50 | "REPOSITORY_SECRETLINT", 51 | "TERRAFORM_TERRAFORM_FMT", 52 | "YAML_PRETTIER", 53 | "YAML_YAMLLINT" 54 | ] 55 | '), 56 | ',' 57 | ) 58 | }} 59 | KUBERNETES_DIRECTORY: cluster 60 | KUBERNETES_KUBEVAL_ARGUMENTS: --ignore-missing-schemas 61 | KUBERNETES_KUBEVAL_FILTER_REGEX_INCLUDE: "(kubernetes)" 62 | MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .github/linters/.markdownlint.yaml 63 | MARKDOWN_MARKDOWNLINT_RULES_PATH: .github/ 64 | YAML_YAMLLINT_CONFIG_FILE: .github/linters/.yamllint.yaml 65 | YAML_PRETTIER_CONFIG_FILE: .github/linters/.prettierrc.yaml 66 | YAML_PRETTIER_FILTER_REGEX_EXCLUDE: "(.*\\.sops\\.ya?ml)" 67 | -------------------------------------------------------------------------------- /.github/workflows/meta-sync-labels.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Meta - Sync labels 3 | 4 | on: # yamllint disable-line rule:truthy 5 | workflow_dispatch: 6 | push: 7 | branches: 8 | - main 9 | - next 10 | paths: 11 | - ".github/labels.yaml" 12 | 13 | jobs: 14 | labels: 15 | name: Sync Labels 16 | runs-on: ubuntu-24.04 17 | steps: 18 | - name: Generate Token 19 | uses: actions/create-github-app-token@v1 20 | id: generate-token 21 | with: 22 | app-id: "${{ secrets.BOT_APP_ID }}" 23 | private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" 24 | 25 | - name: Checkout 26 | uses: actions/checkout@v4 27 | with: 28 | fetch-depth: 0 29 | token: "${{ steps.generate-token.outputs.token }}" 30 | 31 | - name: Sync Labels 32 | uses: EndBug/label-sync@v2 33 | with: 34 | 
config-file: .github/labels.yaml 35 | token: "${{ steps.generate-token.outputs.token }}" 36 | delete-other-labels: true 37 | -------------------------------------------------------------------------------- /.github/workflows/pullrequest-lint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: lint YAML and Shell 3 | 4 | on: # yamllint disable-line rule:truthy 5 | pull_request: 6 | branches: 7 | - main 8 | - next 9 | env: 10 | # Currently no way to detect automatically 11 | DEFAULT_BRANCH: main 12 | 13 | jobs: 14 | build: 15 | name: Lint 16 | runs-on: ubuntu-24.04 17 | steps: 18 | - name: Generate Token 19 | uses: actions/create-github-app-token@v1 20 | id: generate-token 21 | with: 22 | app-id: "${{ secrets.BOT_APP_ID }}" 23 | private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" 24 | 25 | - name: Checkout 26 | uses: actions/checkout@v4 27 | with: 28 | fetch-depth: 0 29 | token: "${{ steps.generate-token.outputs.token }}" 30 | 31 | - name: Lint 32 | uses: super-linter/super-linter@v7.2.0 33 | env: 34 | VALIDATE_ALL_CODEBASE: false 35 | DEFAULT_BRANCH: "${{ env.DEFAULT_BRANCH }}" 36 | GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}" 37 | MARKDOWN_CONFIG_FILE: .markdownlint.yaml 38 | YAML_CONFIG_FILE: .yamllint.yaml 39 | KUBERNETES_KUBEVAL_OPTIONS: --ignore-missing-schemas 40 | VALIDATE_NATURAL_LANGUAGE: false 41 | -------------------------------------------------------------------------------- /.github/workflows/pullrequest-meta-label-size.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Meta - Label Size 3 | 4 | on: # yamllint disable-line rule:truthy 5 | pull_request: 6 | branches: 7 | - main 8 | - next 9 | jobs: 10 | label-size: 11 | name: Label Size 12 | runs-on: ubuntu-24.04 13 | steps: 14 | - name: Generate Token 15 | uses: actions/create-github-app-token@v1 16 | id: generate-token 17 | with: 18 | app-id: "${{ secrets.BOT_APP_ID }}" 19 | 
private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" 20 | 21 | - name: Label Size 22 | uses: pascalgn/size-label-action@v0.5.5 23 | env: 24 | GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}" 25 | with: 26 | sizes: > 27 | { 28 | "0": "XS", 29 | "20": "S", 30 | "50": "M", 31 | "200": "L", 32 | "800": "XL", 33 | "2000": "XXL" 34 | } 35 | -------------------------------------------------------------------------------- /.github/workflows/pullrequest-meta-labeler.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Meta - Labeler 3 | 4 | on: # yamllint disable-line rule:truthy 5 | pull_request: 6 | branches: 7 | - main 8 | - next 9 | 10 | jobs: 11 | labeler: 12 | name: Labeler 13 | runs-on: ubuntu-24.04 14 | steps: 15 | - name: Generate Token 16 | uses: actions/create-github-app-token@v1 17 | id: generate-token 18 | with: 19 | app-id: "${{ secrets.BOT_APP_ID }}" 20 | private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" 21 | 22 | - name: Labeler 23 | uses: actions/labeler@v5 24 | with: 25 | configuration-path: .github/labeler.yaml 26 | repo-token: "${{ steps.generate-token.outputs.token }}" 27 | -------------------------------------------------------------------------------- /.github/workflows/pullrequest-scan-containers.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Scan Containers 3 | 4 | on: 5 | pull_request: 6 | branches: 7 | - main 8 | - next 9 | paths: 10 | - "cluster/**.yaml" 11 | workflow_dispatch: 12 | 13 | jobs: 14 | detect-file-changes: 15 | name: Detect File Changes 16 | runs-on: ubuntu-24.04 17 | steps: 18 | - uses: actions/checkout@v4 19 | - uses: dorny/paths-filter@v2 20 | id: filter 21 | with: 22 | list-files: json 23 | filters: | 24 | yaml: 25 | - added|modified: "**.yaml" 26 | - added|modified: "**.yml" 27 | outputs: 28 | yaml_files: ${{ steps.filter.outputs.yaml_files }} 29 | detect-containers: 30 | name: Detect Containers 31 | runs-on: 
ubuntu-24.04 32 | needs: detect-file-changes 33 | strategy: 34 | matrix: 35 | file: ${{ fromJSON(needs.detect-file-changes.outputs.yaml_files) }} 36 | steps: 37 | - name: Generate Token 38 | uses: actions/create-github-app-token@v1 39 | id: generate-token 40 | with: 41 | app-id: "${{ secrets.BOT_APP_ID }}" 42 | private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" 43 | 44 | - name: Checkout 45 | uses: actions/checkout@v4 46 | with: 47 | token: "${{ steps.generate-token.outputs.token }}" 48 | fetch-depth: 0 49 | 50 | - name: Install Jo 51 | run: | 52 | sudo apt-get install jo 53 | 54 | - name: Detect Containers in Files 55 | id: containers 56 | run: | 57 | containers=$(.github/scripts/container-parser.sh --file "${{ matrix.file }}") 58 | echo "{\"containers\": ${containers}}" > containers.json 59 | outputs: 60 | containers: ${{ steps.containers.outputs.containers }} 61 | scan-containers: 62 | name: Scan Containers 63 | runs-on: ubuntu-24.04 64 | needs: detect-containers 65 | strategy: 66 | matrix: ${{ fromJSON(needs.detect-containers.outputs.containers) }} 67 | fail-fast: false 68 | steps: 69 | - name: Generate Token 70 | uses: actions/create-github-app-token@v1 71 | id: generate-token 72 | with: 73 | app-id: "${{ secrets.BOT_APP_ID }}" 74 | private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" 75 | 76 | - name: Checkout 77 | uses: actions/checkout@v4 78 | with: 79 | token: "${{ steps.generate-token.outputs.token }}" 80 | fetch-depth: 0 81 | 82 | - name: Scan Container 83 | uses: aquasecurity/trivy-action@0.29.0 84 | with: 85 | image-ref: ${{ matrix.containers }} 86 | vuln-type: os,library 87 | severity: CRITICAL,HIGH 88 | format: template 89 | template: "@/contrib/sarif.tpl" 90 | output: trivy-results.sarif 91 | 92 | - name: Upload Trivy scan results to GitHub Security tab 93 | uses: github/codeql-action/upload-sarif@v2 94 | with: 95 | sarif_file: trivy-results.sarif 96 | -------------------------------------------------------------------------------- 
/.github/workflows/pullrequest-todo2github-issues.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: "Create GH issues based on TODO comments" 3 | 4 | on: # yamllint disable-line rule:truthy 5 | pull_request: 6 | branches: 7 | - main 8 | push: 9 | branches: 10 | - main 11 | - next 12 | 13 | jobs: 14 | build: 15 | runs-on: "ubuntu-24.04" 16 | steps: 17 | - name: Generate Token 18 | uses: actions/create-github-app-token@v1 19 | id: generate-token 20 | with: 21 | app-id: "${{ secrets.BOT_APP_ID }}" 22 | private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" 23 | 24 | - name: Checkout 25 | uses: actions/checkout@v4 26 | with: 27 | fetch-depth: 0 28 | token: "${{ steps.generate-token.outputs.token }}" 29 | 30 | - name: Create Github Issue from TODO comments 31 | uses: alstr/todo-to-issue-action@v4.10 32 | id: "todo" 33 | with: 34 | token: "${{ steps.generate-token.outputs.token }}" 35 | -------------------------------------------------------------------------------- /.github/workflows/renovate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Renovate 3 | 4 | on: # yamllint disable-line rule:truthy 5 | workflow_dispatch: 6 | inputs: 7 | dryRun: 8 | description: "Dry-Run" 9 | default: "false" 10 | required: false 11 | logLevel: 12 | description: "Log-Level" 13 | default: "debug" 14 | required: false 15 | version: 16 | description: Renovate version 17 | default: latest 18 | required: false 19 | schedule: 20 | - cron: "0 * * * *" # Every hour 21 | push: 22 | branches: 23 | - main 24 | - next 25 | paths: 26 | - ".github/renovate.json5" 27 | - ".github/renovate/**.json" 28 | 29 | concurrency: 30 | group: ${{ github.workflow }}-${{ github.event.number || github.ref }} 31 | cancel-in-progress: true 32 | 33 | env: 34 | LOG_LEVEL: "${{ inputs.logLevel || 'debug' }}" 35 | RENOVATE_AUTODISCOVER: true 36 | RENOVATE_AUTODISCOVER_FILTER: "${{ github.repository }}" 37 | 
RENOVATE_DRY_RUN: "${{ inputs.dryRun == true }}" 38 | RENOVATE_PLATFORM: github 39 | RENOVATE_PLATFORM_COMMIT: true 40 | WORKFLOW_RENOVATE_VERSION: "${{ inputs.version || 'latest' }}" 41 | 42 | jobs: 43 | renovate: 44 | name: Renovate 45 | runs-on: ubuntu-24.04 46 | steps: 47 | - name: Generate Token 48 | uses: actions/create-github-app-token@v1 49 | id: generate-token 50 | with: 51 | app-id: "${{ secrets.BOT_APP_ID }}" 52 | private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" 53 | 54 | - name: Checkout 55 | uses: actions/checkout@v4 56 | with: 57 | fetch-depth: 0 58 | token: "${{ steps.generate-token.outputs.token }}" 59 | 60 | - name: Verify Renovate Configuration 61 | uses: suzuki-shunsuke/github-action-renovate-config-validator@v1.1.1 62 | 63 | - name: Renovate 64 | uses: renovatebot/github-action@v41.0.22 65 | with: 66 | configurationFile: .github/renovate.json5 67 | token: "x-access-token:${{ steps.generate-token.outputs.token }}" 68 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # IDEs 2 | .vscode 3 | idea 4 | .envrc 5 | 6 | # To update flux using Github actions 7 | bin/ 8 | 9 | # nodeJS components 10 | 11 | # sops-decrypted-files 12 | **/.decrypted** 13 | -------------------------------------------------------------------------------- /.lycheeignore: -------------------------------------------------------------------------------- 1 | # Default project settings 2 | 3 | https://github.com/kitos9112/k8s-home/settings -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fail_fast: false 3 | ci: 4 | autofix_commit_msg: | 5 | [pre-commit.ci] Auto fixes from pre-commit.com hooks 6 | autofix_prs: true 7 | autoupdate_commit_msg: "[pre-commit.ci] pre-commit autoupdate" 8 | autoupdate_schedule: 
weekly 9 | skip: 10 | # shellcheck tool cannot be installed on CI 11 | - shellcheck 12 | submodules: false 13 | 14 | repos: 15 | - repo: https://github.com/adrienverge/yamllint.git 16 | rev: v1.35.1 17 | hooks: 18 | - id: yamllint 19 | args: 20 | - -c 21 | - ".github/linters/.yamllint.yaml" 22 | 23 | - repo: https://github.com/pre-commit/pre-commit-hooks 24 | rev: v4.4.0 25 | hooks: 26 | - id: trailing-whitespace 27 | - id: fix-byte-order-marker 28 | - id: mixed-line-ending 29 | - id: check-added-large-files 30 | args: [--maxkb=2048] 31 | - id: check-merge-conflict 32 | - id: check-executables-have-shebangs 33 | - id: pretty-format-json 34 | args: [--autofix, --indent=2] 35 | 36 | - repo: https://github.com/whtsky/pre-commit-pretty-format-json5 37 | rev: "1.0.0" 38 | hooks: 39 | - id: pretty-format-json5 40 | 41 | - repo: https://github.com/Lucas-C/pre-commit-hooks 42 | rev: v1.5.5 43 | hooks: 44 | - id: forbid-crlf 45 | - id: forbid-tabs 46 | 47 | - repo: https://github.com/sirosen/fix-smartquotes 48 | rev: 0.2.0 49 | hooks: 50 | - id: fix-smartquotes 51 | 52 | - repo: https://github.com/jumanjihouse/pre-commit-hooks 53 | rev: 3.0.0 54 | hooks: 55 | - id: shellcheck 56 | 57 | args: [--severity=error] 58 | 59 | - repo: https://github.com/onedr0p/sops-pre-commit 60 | rev: v2.1.1 61 | hooks: 62 | - id: forbid-secrets 63 | 64 | - repo: https://github.com/gitleaks/gitleaks 65 | rev: v8.18.4 66 | hooks: 67 | - id: gitleaks 68 | -------------------------------------------------------------------------------- /.sops.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | creation_rules: 3 | - path_regex: cluster/.*\.ya?ml$ 4 | encrypted_regex: ^(data|stringData)$ 5 | pgp: >- 6 | 0x2141D0D63053C652, 7 | 0x03249595A54E0BC8 8 | # TODO: Add support for age as an immediate successor of GNUPG 9 | # 10 | # - path_regex: cluster/.*\.ya?ml 11 | # encrypted_regex: "^(data|stringData)$" 12 | # age: >- 13 | # 
age1e6svnw727k56t7d8lu6hd36reggwaqvkpkv0zjyk5gkkkw0enf9q53g6lf 14 | -------------------------------------------------------------------------------- /.sourceignore: -------------------------------------------------------------------------------- 1 | # See https://toolkit.fluxcd.io/components/source/gitrepositories/#excluding-files 2 | _docs/ 3 | .gitcrypt/ 4 | .github/ 5 | .taskfiles/ 6 | .vscode/ 7 | hack/ 8 | .envrc 9 | .gitattributes 10 | .gitignore 11 | .pre-commit-config.yaml 12 | .sops.yaml 13 | LICENSE 14 | README.md 15 | Taskfile.yaml 16 | -------------------------------------------------------------------------------- /.taskfiles/ClusterTasks.yml: -------------------------------------------------------------------------------- 1 | --- 2 | version: "3" 3 | 4 | tasks: 5 | verify: 6 | desc: Verify flux meets the prerequisites 7 | cmds: 8 | - flux check --pre 9 | 10 | install: 11 | desc: Install Flux into your cluster 12 | cmds: 13 | - kubectl apply --kustomize {{.CLUSTER_DIR}}/bootstrap/ 14 | - cat {{.SOPS_AGE_KEY_FILE}} | kubectl -n flux-system create secret generic sops-age --from-file=age.agekey=/dev/stdin 15 | - kubectl apply --kustomize {{.CLUSTER_DIR}}/flux/flux-system/ 16 | - task: reconcile 17 | preconditions: 18 | - sh: test -f {{.SOPS_AGE_KEY_FILE}} 19 | msg: | 20 | Age key file is not found. Did you forget to create it? 
21 | vars: 22 | SOPS_AGE_KEY_FILE: ~/.config/sops/age/keys.txt 23 | 24 | reconcile: 25 | desc: Force update Flux to pull in changes from your Git repository 26 | cmds: 27 | - flux reconcile -n flux-system source git flux-cluster 28 | - flux reconcile -n flux-system kustomization flux-cluster 29 | 30 | nodes: 31 | desc: List all the nodes in your cluster 32 | cmds: 33 | - kubectl get nodes {{.CLI_ARGS | default "-o wide"}} 34 | 35 | pods: 36 | desc: List all the pods in your cluster 37 | cmds: 38 | - kubectl get pods {{.CLI_ARGS | default "-A"}} 39 | 40 | kustomizations: 41 | desc: List all the kustomizations in your cluster 42 | cmds: 43 | - kubectl get kustomizations {{.CLI_ARGS | default "-A"}} 44 | 45 | helmreleases: 46 | desc: List all the helmreleases in your cluster 47 | cmds: 48 | - kubectl get helmreleases {{.CLI_ARGS | default "-A"}} 49 | 50 | helmrepositories: 51 | desc: List all the helmrepositories in your cluster 52 | cmds: 53 | - kubectl get helmrepositories {{.CLI_ARGS | default "-A"}} 54 | 55 | gitrepositories: 56 | desc: List all the gitrepositories in your cluster 57 | cmds: 58 | - kubectl get gitrepositories {{.CLI_ARGS | default "-A"}} 59 | 60 | certificates: 61 | desc: List all the certificates in your cluster 62 | cmds: 63 | - kubectl get certificates {{.CLI_ARGS | default "-A"}} 64 | - kubectl get certificaterequests {{.CLI_ARGS | default "-A"}} 65 | 66 | ingresses: 67 | desc: List all the ingresses in your cluster 68 | cmds: 69 | - kubectl get ingress {{.CLI_ARGS | default "-A"}} 70 | 71 | resources: 72 | desc: Gather common resources in your cluster, useful when asking for support 73 | cmds: 74 | - task: nodes 75 | - task: kustomizations 76 | - task: helmreleases 77 | - task: helmrepositories 78 | - task: gitrepositories 79 | - task: certificates 80 | - task: ingresses 81 | - task: pods 82 | -------------------------------------------------------------------------------- /.taskfiles/flux.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | version: "3" 3 | 4 | tasks: 5 | sync: 6 | desc: Sync flux-system with the Git Repository 7 | cmds: 8 | - flux reconcile source git flux-system 9 | silent: true 10 | 11 | hr: 12 | desc: List all Helm Releases 13 | cmds: 14 | - flux get hr -A 15 | silent: true 16 | 17 | hs: 18 | desc: List all Helm sources 19 | cmds: 20 | - flux get sources helm -A 21 | silent: true 22 | 23 | hc: 24 | desc: List all Helm charts 25 | cmds: 26 | - flux get sources chart -A 27 | silent: true 28 | 29 | k: 30 | desc: List all Kustomizations 31 | cmds: 32 | - flux get kustomizations -A 33 | silent: true 34 | -------------------------------------------------------------------------------- /.taskfiles/pre-commit.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | version: "3" 3 | 4 | tasks: 5 | init: 6 | desc: Initialize pre-commit hooks 7 | cmds: 8 | - pre-commit install-hooks 9 | run: 10 | desc: Run pre-commit 11 | cmds: 12 | - pre-commit run --all-files 13 | -------------------------------------------------------------------------------- /.tool-versions: -------------------------------------------------------------------------------- 1 | # renovate: datasource=github-tags packageName=kubernetes/kubernetes 2 | kubectl 1.31.4 3 | helm 3.13.3 4 | terraform 1.10.2 5 | -------------------------------------------------------------------------------- /Taskfile.yml: -------------------------------------------------------------------------------- 1 | --- 2 | version: "3" 3 | 4 | vars: 5 | PROJECT_DIR: 6 | sh: "git rev-parse --show-toplevel" 7 | CLUSTER_DIR: "{{.PROJECT_DIR}}/cluster" 8 | ANSIBLE_DIR: "{{.PROJECT_DIR}}/provision/ansible" 9 | 10 | # env: 11 | # KUBECONFIG: "{{.PROJECT_DIR}}/kubeconfig" 12 | 13 | includes: 14 | flux: .taskfiles/flux.yaml 15 | pre-commit: .taskfiles/pre-commit.yaml 16 | 
-------------------------------------------------------------------------------- /_docs/TROUBLESHOOTING.md: -------------------------------------------------------------------------------- 1 | # Troubleshooting 2 | 3 | ## DNS investigation 4 | 5 | Install a short-lived pod from which diagnostic commands can be run 6 | 7 | ```sh 8 | kubectl apply -f https://k8s.io/examples/admin/dns/dnsutils.yaml 9 | ``` 10 | -------------------------------------------------------------------------------- /_docs/ingress.md: -------------------------------------------------------------------------------- 1 | # Ingress Objects 2 | 3 | ## Securing/Protecting Ingress Resources 4 | 5 | All ingress objects exposed by this cluster use `cert-manager` to request and manage SSL/TLS certificates. Thus, all ingress objects are annotated with the `cert-manager.io/cluster-issuer` annotation so that a certificate is automatically generated and stored as a secret for the ingress object. 6 | 7 | Likewise, most ingress resources are protected with a custom `middleware` layer that enforces authentication via Google IDP. This is performed with the `traefik-forward-auth` middleware. 8 | -------------------------------------------------------------------------------- /_docs/scheduling.md: -------------------------------------------------------------------------------- 1 | # Kubernetes Node(s), Pod(s), and Storage Scheduling 2 | 3 | Pods in Kubernetes can be scheduled or allocated to a node in a deterministic way by using the `nodeSelector` and `nodeAffinity` fields in the `Pod` resource of any Kubernetes ReplicaSet controller (e.g. a Deployment). 4 | 5 | This Kubernetes cluster spans two well-defined geographic zones, giving two node types: `internal` (`home`) and `external` (`cloud`). Each node is automatically labelled with a `node_locality` label whose value is either `internal` or `external`. 
With this approach, some pods have more "affinity" for a specific node that matches a given label (e.g. `external`). Other [well-known labels](https://kubernetes.io/docs/reference/labels-annotations-taints/#topologykubernetesiozone) such as `topology.kubernetes.io/zone` are also in use to steer Longhorn storage replica allocation. 6 | 7 | The labelling is handled by the K3s Ansible role and should never be a manual task, as manual labelling is easy to forget. 8 | 9 | More information about the Longhorn scheduling policy can be found [here](https://longhorn.io/docs/1.3.0/volumes-and-nodes/scheduling). -------------------------------------------------------------------------------- /_docs/secrets.md: -------------------------------------------------------------------------------- 1 | # Secrets engines for K8s-home GitOps 2 | 3 | Plain-text files are easily stored and versioned in Git repositories; secrets, however, are normally more tedious to deal with. My home K3s cluster relies on the integration of FluxCD with [Mozilla SOPS](https://fluxcd.io/docs/guides/mozilla-sops/). 4 | 5 | Additionally, all secrets get locally encrypted using [age](https://github.com/FiloSottile/age), a simple alternative to [GPG](https://www.gnupg.org/). Make sure the following tools are installed on your local development 
environment: 6 | 7 | ```sh 8 | brew install age fluxcd/tap/flux sops 9 | ``` 10 | 11 | -------------------------------------------------------------------------------- /archive/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kitos9112/k8s-home/0765c4fcafe6a7e657d6ce9b630f539824dbf12e/archive/.gitkeep -------------------------------------------------------------------------------- /archive/crds/velero/crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: velero 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://github.com/vmware-tanzu/helm-charts.git 10 | ref: 11 | # renovate: datasource=github-releases depName=vmware-tanzu/helm-charts 12 | tag: velero-4.1.2 13 | ignore: | 14 | # exclude all 15 | /* 16 | # include deploy crds dir 17 | !/charts/velero/crds 18 | --- 19 | apiVersion: kustomize.toolkit.fluxcd.io/v1 20 | kind: Kustomization 21 | metadata: 22 | name: velero-crds 23 | namespace: flux-system 24 | spec: 25 | interval: 15m 26 | prune: false 27 | sourceRef: 28 | kind: GitRepository 29 | name: velero 30 | healthChecks: 31 | - apiVersion: apiextensions.k8s.io/v1 32 | kind: CustomResourceDefinition 33 | name: backups.velero.io 34 | - apiVersion: apiextensions.k8s.io/v1 35 | kind: CustomResourceDefinition 36 | name: backupstoragelocations.velero.io 37 | - apiVersion: apiextensions.k8s.io/v1 38 | kind: CustomResourceDefinition 39 | name: deletebackuprequests.velero.io 40 | - apiVersion: apiextensions.k8s.io/v1 41 | kind: CustomResourceDefinition 42 | name: downloadrequests.velero.io 43 | - apiVersion: apiextensions.k8s.io/v1 44 | kind: CustomResourceDefinition 45 | name: podvolumebackups.velero.io 46 | - apiVersion: apiextensions.k8s.io/v1 47 | kind: CustomResourceDefinition 48 | name: podvolumerestores.velero.io 49 | - apiVersion: 
apiextensions.k8s.io/v1 50 | kind: CustomResourceDefinition 51 | name: resticrepositories.velero.io 52 | - apiVersion: apiextensions.k8s.io/v1 53 | kind: CustomResourceDefinition 54 | name: restores.velero.io 55 | - apiVersion: apiextensions.k8s.io/v1 56 | kind: CustomResourceDefinition 57 | name: schedules.velero.io 58 | - apiVersion: apiextensions.k8s.io/v1 59 | kind: CustomResourceDefinition 60 | name: serverstatusrequests.velero.io 61 | - apiVersion: apiextensions.k8s.io/v1 62 | kind: CustomResourceDefinition 63 | name: volumesnapshotlocations.velero.io 64 | -------------------------------------------------------------------------------- /archive/crds/velero/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - crds.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/README.md: -------------------------------------------------------------------------------- 1 | # Apps 2 | 3 | All containerised applications that run in my K8s home cluster follow the same approach as the core category. 4 | 5 | Nevertheless, not many applications have landed here yet. They also depend on **core** and, by extension, on **crds**; Flux will prune resources here once they are no longer tracked in Git. 
6 | -------------------------------------------------------------------------------- /cluster/apps/home/home-assistant/certificate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: Certificate 4 | metadata: 5 | name: "hass-${SECRET_DOMAIN/./-}" 6 | namespace: home 7 | spec: 8 | secretName: "hass-${SECRET_DOMAIN/./-}-tls" 9 | issuerRef: 10 | name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER} 11 | kind: ClusterIssuer 12 | commonName: "hass.${SECRET_DOMAIN}" 13 | dnsNames: 14 | - "hass.${SECRET_DOMAIN}" 15 | --- 16 | apiVersion: cert-manager.io/v1 17 | kind: Certificate 18 | metadata: 19 | name: "hass-config-${SECRET_DOMAIN/./-}" 20 | namespace: home 21 | spec: 22 | secretName: "hass-config-${SECRET_DOMAIN/./-}-tls" 23 | issuerRef: 24 | name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER} 25 | kind: ClusterIssuer 26 | commonName: "hass-config.${SECRET_DOMAIN}" 27 | dnsNames: 28 | - "hass-config.${SECRET_DOMAIN}" 29 | -------------------------------------------------------------------------------- /cluster/apps/home/home-assistant/code-server.enc.yaml: -------------------------------------------------------------------------------- 1 | # yamllint disable 2 | -------------------------------------------------------------------------------- /cluster/apps/home/home-assistant/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: home-assistant-config-v1 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | -------------------------------------------------------------------------------- /cluster/apps/home/home-assistant/ingress-route.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.io/v1alpha1 3 | kind: IngressRoute 4 | metadata: 5 | name: 
hass 6 | namespace: home 7 | spec: 8 | entryPoints: 9 | - websecure 10 | routes: 11 | - match: Host(`hass.${SECRET_DOMAIN}`) 12 | kind: Rule 13 | services: 14 | - name: home-assistant 15 | namespace: home 16 | port: 8123 17 | scheme: http 18 | tls: 19 | secretName: "hass-${SECRET_DOMAIN/./-}-tls" 20 | --- 21 | apiVersion: traefik.io/v1alpha1 22 | kind: IngressRoute 23 | metadata: 24 | name: hass-config 25 | namespace: home 26 | spec: 27 | entryPoints: 28 | - websecure 29 | routes: 30 | - match: Host(`hass-config.${SECRET_DOMAIN}`) 31 | kind: Rule 32 | services: 33 | - name: home-assistant 34 | namespace: home 35 | port: 12321 36 | scheme: http 37 | middlewares: 38 | - name: traefik-forward-auth 39 | namespace: networking 40 | tls: 41 | secretName: "hass-config-${SECRET_DOMAIN/./-}-tls" 42 | -------------------------------------------------------------------------------- /cluster/apps/home/home-assistant/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - config-pvc.yaml 6 | - ingress-route.yaml 7 | - certificate.yaml 8 | # - code-server.enc.yaml 9 | - home-assistant.sops.yaml 10 | - helm-release.yaml 11 | -------------------------------------------------------------------------------- /cluster/apps/home/home-assistant/network-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | -------------------------------------------------------------------------------- /cluster/apps/home/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: home 5 | resources: 6 | - home-assistant 7 | - postgres 8 | -------------------------------------------------------------------------------- /cluster/apps/home/postgres/ingress-route.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.io/v1alpha1 3 | kind: IngressRouteTCP 4 | metadata: 5 | name: postgres 6 | spec: 7 | entryPoints: 8 | - home-postgres 9 | routes: 10 | - match: HostSNI(`*`) 11 | services: 12 | - name: home-postgres 13 | port: 5432 14 | -------------------------------------------------------------------------------- /cluster/apps/home/postgres/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ingress-route.yaml 6 | - zalando-postgres.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/home/postgres/zalando-postgres.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: acid.zalan.do/v1 3 | kind: postgresql 4 | metadata: 5 | name: home-postgres 6 | spec: 7 | teamId: home 8 | nodeAffinity: 9 | requiredDuringSchedulingIgnoredDuringExecution: 10 | nodeSelectorTerms: 11 | - matchExpressions: 12 | - key: kubernetes.io/arch 13 | operator: In 14 | values: 15 | - amd64 16 | - key: topology.kubernetes.io/region 17 | operator: In 18 | values: 19 | - home 20 | numberOfInstances: 3 21 | enableConnectionPooler: false 22 | enableReplicaConnectionPooler: false 23 | enableLogicalBackup: false 24 | patroni: 25 | # Do not set TTL lower than 2X lower_wait (seconds) 26 | # Ref: https://patroni.readthedocs.io/en/latest/watchdog.html 27 | loop_wait: 10 28 | ttl: 20 29 | retry_timeout: 5 30 | volume: 31 | size: 50Gi 32 | preparedDatabases: 33 | grafana: 34 | defaultUsers: true 35 | secretNamespace: monitoring 36 | postgresql: 37 | version: "14" 38 | parameters: 39 | max_connections: "250" 40 | resources: 41 | requests: 42 | cpu: 150m 43 | memory: 256Mi 44 | limits: 45 | cpu: 4000m 46 | memory: 2500Mi 47 | 
-------------------------------------------------------------------------------- /cluster/apps/hummingbot/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: hummingbot 5 | resources: 6 | - postgres 7 | -------------------------------------------------------------------------------- /cluster/apps/hummingbot/postgres/ingress-route.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.io/v1alpha1 3 | kind: IngressRouteTCP 4 | metadata: 5 | name: postgres 6 | spec: 7 | entryPoints: 8 | - hg-pg 9 | routes: 10 | - match: HostSNI(`*`) 11 | services: 12 | - name: hummingbot-postgres 13 | port: 5432 14 | -------------------------------------------------------------------------------- /cluster/apps/hummingbot/postgres/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ingress-route.yaml 6 | - zalando-postgres.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/hummingbot/postgres/zalando-postgres.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: acid.zalan.do/v1 3 | kind: postgresql 4 | metadata: 5 | name: hummingbot-postgres 6 | spec: 7 | teamId: hummingbot 8 | numberOfInstances: 0 9 | enableConnectionPooler: false 10 | enableReplicaConnectionPooler: false 11 | patroni: 12 | ttl: 30 13 | retry_timeout: 60 14 | volume: 15 | size: 15Gi 16 | users: 17 | superuser: 18 | - superuser 19 | - createdb 20 | databases: 21 | hummingbot: hummingbot 22 | preparedDatabases: 23 | hummingbot: 24 | defaultUsers: true 25 | extensions: 26 | pg_partman: public 27 | pgcrypto: public 28 | schemas: 29 | data: 30 | defaultUsers: 
true 31 | postgresql: 32 | version: "14" 33 | parameters: 34 | max_connections: "200" 35 | resources: 36 | requests: 37 | cpu: 500m 38 | memory: 512Mi 39 | limits: 40 | cpu: 2500m 41 | memory: 8192Mi 42 | nodeAffinity: 43 | requiredDuringSchedulingIgnoredDuringExecution: 44 | nodeSelectorTerms: 45 | - matchExpressions: 46 | - key: node_locality 47 | operator: In 48 | values: 49 | - "external" 50 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/1password/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: 1password 6 | spec: 7 | interval: 5m 8 | releaseName: 1password 9 | chart: 10 | spec: 11 | chart: connect 12 | version: 1.14.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: 1password-charts 16 | namespace: flux-system 17 | interval: 1m 18 | install: 19 | # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#install-a-crd-declaration-before-using-the-resource 20 | # https://fluxcd.io/docs/components/helm/helmreleases/#crds 21 | crds: Skip 22 | upgrade: 23 | crds: Skip 24 | values: 25 | connect: 26 | serviceType: ClusterIP 27 | annotations: 28 | reloader.stakater.com/auto: "true" 29 | credentials_base64: ${SECRET_1PASSWORD_CONNECT_CREDENTIALS_B64} 30 | credentialsName: op-credentials 31 | credentialsKey: op-session 32 | operator: 33 | create: true 34 | autoRestart: true 35 | token: 36 | name: onepassword-token 37 | key: token 38 | value: ${SECRET_1PASSWORD_OPERATOR_TOKEN} 39 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/1password/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: kube-system 5 | resources: 6 | - helm-release.yaml 7 
# - secret.sops.yaml
-------------------------------------------------------------------------------- /cluster/apps/kube-system/dashboard/certificate.yaml: --------------------------------------------------------------------------------
---
# TLS certificate for the Kubernetes Dashboard ingress (k8s.<domain>), issued by the cluster-wide
# cert-manager issuer selected through ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}.
# ${SECRET_DOMAIN/./-} is a Flux post-build substitution that turns "example.com" into
# "example-com" so the resource name stays a valid DNS label.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "k8s-${SECRET_DOMAIN/./-}"
  # NOTE(review): every sibling Certificate in this tree sets its app namespace (monitoring, tools, ...);
  # "kube-namespace" matches nothing else here and the parent kustomization.yaml sets kube-system.
  # Kustomize's namespace transformer should overwrite this field, so it is most likely a harmless
  # typo for kube-system — confirm.
  namespace: kube-namespace
spec:
  # Referenced by tls.secretName in ingress-route.yaml.
  secretName: "k8s-${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "k8s.${SECRET_DOMAIN}"
  dnsNames:
    - "k8s.${SECRET_DOMAIN}"
-------------------------------------------------------------------------------- /cluster/apps/kube-system/dashboard/helm-release.yaml: --------------------------------------------------------------------------------
---
# Kubernetes Dashboard, installed from the kubernetes-dashboard Helm chart via Flux.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: kubernetes-dashboard
spec:
  interval: 5m
  releaseName: kubernetes-dashboard
  chart:
    spec:
      chart: kubernetes-dashboard
      version: 7.10.5
      sourceRef:
        kind: HelmRepository
        name: kubernetes-dashboard-charts
        namespace: flux-system
      interval: 1m
  values:
    app:
      settings:
        global:
          ## Cluster name that appears in the browser window title if it is set
          clusterName: ${SECRET_DOMAIN}
          ## Max number of items that can be displayed on each list page
          itemsPerPage: 100
          ## Number of seconds between every auto-refresh of logs
          logsAutoRefreshTimeInterval: 5
          ## Number of seconds between every auto-refresh of every resource.
          ## Set 0 to disable
          resourceAutoRefreshTimeInterval: 5
          ## Hide all access denied warnings in the notification panel
          disableAccessDeniedNotifications: false
        pinnedCRDs:
          - ingressroutes.traefik.io
          - helmreleases.helm.toolkit.fluxcd.io
    # Bundled subcharts are switched off: TLS comes from the cert-manager ClusterIssuer
    # (certificate.yaml) and routing from the Traefik IngressRoute, so the chart's own
    # cert-manager and nginx are unused.
    cert-manager:
      enabled: false
      installCRDs: false
    nginx:
      enabled: false
    # NOTE(review): the nesting of this key is not recoverable from the flattened source; it sits
    # between the nginx and metrics-server subchart toggles — confirm which chart value it targets.
    serviceMonitor:
      enabled: true
    # metrics-server is deployed separately from ../metrics-server, not as a dashboard subchart.
    metrics-server:
      enabled: false
-------------------------------------------------------------------------------- /cluster/apps/kube-system/dashboard/ingress-route.yaml: --------------------------------------------------------------------------------
---
# Traefik route for the dashboard. Every request passes the traefik-forward-auth middleware before
# it reaches the dashboard, and the hop to the backend is re-encrypted (scheme: https).
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: k8s
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`k8s.${SECRET_DOMAIN}`)
      kind: Rule
      services:
        - name: kubernetes-dashboard
          port: https
          # Backend speaks TLS. No ServersTransport is configured here, so Traefik applies its
          # default backend-certificate verification; if the dashboard serves a self-signed
          # certificate this hop needs a ServersTransport with a trusted CA — confirm.
          scheme: https
      middlewares:
        - name: traefik-forward-auth
          namespace: networking
  tls:
    secretName: "k8s-${SECRET_DOMAIN/./-}-tls"
-------------------------------------------------------------------------------- /cluster/apps/kube-system/dashboard/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml
  - certificate.yaml
  - ingress-route.yaml
-------------------------------------------------------------------------------- /cluster/apps/kube-system/descheduler/helm-release.yaml: --------------------------------------------------------------------------------
---
# Descheduler: periodically evicts pods that violate placement rules so the scheduler can place
# them again.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: descheduler
  namespace: kube-system
spec:
  interval: 15m
  chart:
    spec:
      chart: descheduler
      version: 0.28.1
      sourceRef:
        kind: HelmRepository
        name: descheduler-charts
        namespace: flux-system
  install:
    createNamespace: true
    remediation:
      retries: 5
  upgrade:
    remediation:
      retries: 5
  values:
    kind: Deployment
    replicas: 1
    # Single replica, so leader election is unnecessary.
    leaderElection:
      enabled: false
    deschedulerPolicy:
      strategies:
        RemoveDuplicates:
          enabled: true
        RemovePodsViolatingNodeTaints:
          enabled: true
        RemovePodsViolatingNodeAffinity:
          enabled: true
          params:
            nodeAffinityType:
              - "requiredDuringSchedulingIgnoredDuringExecution"
        RemovePodsViolatingTopologySpreadConstraint:
          enabled: true
          params:
            includeSoftConstraints: true
        RemovePodsViolatingInterPodAntiAffinity:
          enabled: true
          params:
            nodeFit: true
        LowNodeUtilization:
          enabled: false
        RemoveFailedPods:
          enabled: true
          params:
            failedPods:
              includingInitContainers: true
              # Pods owned by Jobs are left in place (failed Jobs keep their pods for inspection).
              excludeOwnerKinds: ["Job"]
              minPodLifetimeSeconds: 3600
        RemovePodsHavingTooManyRestarts:
          enabled: true
          params:
            podsHavingTooManyRestarts:
              podRestartThreshold: 100
              includingInitContainers: true
    service:
      enabled: true
    serviceMonitor:
      enabled: true
    # Reloader restarts the descheduler when its policy ConfigMap changes.
    podAnnotations:
      configmap.reloader.stakater.com/reload: "descheduler"
-------------------------------------------------------------------------------- /cluster/apps/kube-system/descheduler/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
  - ./helm-release.yaml
-------------------------------------------------------------------------------- /cluster/apps/kube-system/external-snapshotter/kustomization.yaml: --------------------------------------------------------------------------------
---
# snapshot-controller pulled straight from the upstream repository as a remote kustomize base.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Pinned to a git tag. Tags are mutable references; for a stronger supply-chain guarantee pin
  # ?ref= to the commit SHA the tag points at (same applies to the system-upgrade-controller base).
  - github.com/kubernetes-csi/external-snapshotter//deploy/kubernetes/snapshot-controller?ref=v6.3.4
-------------------------------------------------------------------------------- /cluster/apps/kube-system/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
  - metrics-server
  - dashboard
  - reloader
  - external-snapshotter
  - 1password
  - descheduler
  # NOTE(review): ./kyverno exists next to these directories but is not listed, so its HelmRelease,
  # ClusterPolicy and ClusterRoleBinding are not reconciled from here — confirm that is intended.
-------------------------------------------------------------------------------- /cluster/apps/kube-system/kyverno/helm-release.yaml: --------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: kyverno
  namespace: kyverno
spec:
  interval: 15m
  chart:
    spec:
      chart: kyverno
      version: 3.3.9
      sourceRef:
        kind: HelmRepository
        name: kyverno-charts
        namespace: flux-system
  install:
    createNamespace: true
    remediation:
      retries: 5
  upgrade:
    remediation:
      retries: 5
  values:
    # CRDs are not managed by this release; they have to be applied by something outside this file.
    installCRDs: false
    replicaCount: 3
    serviceMonitor:
      enabled: true
    # Spread replicas across nodes; with DoNotSchedule a replica stays Pending rather than
    # co-locating beyond the allowed skew.
    topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: kubernetes.io/hostname
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app.kubernetes.io/instance: kyverno
-------------------------------------------------------------------------------- /cluster/apps/kube-system/kyverno/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kyverno
resources:
  - ./helm-release.yaml
  - ./rbac.yaml
  - ./policies
-------------------------------------------------------------------------------- /cluster/apps/kube-system/kyverno/policies/delete-cpu-limits.yaml: --------------------------------------------------------------------------------
---
# Cluster-wide mutation that strips CPU limits from every Pod (init and regular containers), apart
# from the excluded namespaces/selectors below. Affected pods then rely on CPU requests for
# scheduling and may burst up to node capacity: nothing throttles them any more, so fair sharing
# under contention is governed only by requests.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: delete-cpu-limits
  annotations:
    policies.kyverno.io/title: Delete CPU limits
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      This policy deletes CPU limits from all Pods.
spec:
  # NOTE(review): mutating *existing* resources in Kyverno requires a `targets:` list on the rule;
  # this rule has none, so the flag may have no effect and the policy would apply at admission
  # only — confirm against the Kyverno version in use.
  mutateExistingOnPolicyUpdate: true
  generateExistingOnPolicyUpdate: true
  rules:
    - name: delete-cpu-limits
      match:
        any:
          - resources:
              kinds: ["Pod"]
      exclude:
        any:
          # CNI components keep their limits.
          - resources:
              namespaces:
                - calico-system
                - tigera-operator
          # Pods owned by Jobs and StatefulSets are skipped ("*" matches any value, i.e. label present).
          - resources:
              kinds: ["Pod"]
              selector:
                matchLabels:
                  job-name: "*"
          - resources:
              kinds: ["Pod"]
              selector:
                matchLabels:
                  statefulset.kubernetes.io/pod-name: "*"
          # Per-workload opt-out.
          - resources:
              annotations:
                kyverno.io/ignore: "true"
      mutate:
        patchStrategicMerge:
          spec:
            initContainers:
              # (name): "*" is a Kyverno conditional anchor: patch every container, never add one.
              - (name): "*"
                resources:
                  limits:
                    cpu: null
            containers:
              - (name): "*"
                resources:
                  limits:
                    cpu: null
-------------------------------------------------------------------------------- /cluster/apps/kube-system/kyverno/policies/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./delete-cpu-limits.yaml
-------------------------------------------------------------------------------- /cluster/apps/kube-system/kyverno/rbac.yaml: --------------------------------------------------------------------------------
---
# Grants the kyverno ServiceAccount the built-in `admin` ClusterRole in EVERY namespace (this is a
# ClusterRoleBinding, not a RoleBinding). `admin` includes read/write on Secrets, ConfigMaps and
# Pods plus the ability to create RoleBindings in each namespace — far more than a mutate policy
# on Pods needs, and it makes the kyverno pods' token a namespace-admin credential cluster-wide.
# Least privilege: bind a dedicated ClusterRole limited to the verbs the background controller
# actually needs on pods (get/list/watch/update/patch), or use the chart's aggregated-ClusterRole
# labels if this chart version provides them.
# NOTE(review): chart 3.x deploys per-controller ServiceAccounts; confirm a ServiceAccount literally
# named "kyverno" exists in the kyverno namespace, otherwise this binding is dormant.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
  - kind: ServiceAccount
    name: kyverno
    namespace: kyverno
-------------------------------------------------------------------------------- /cluster/apps/kube-system/metrics-server/helm-release.yaml: --------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: metrics-server
spec:
  interval: 5m
  releaseName: metrics-server
  chart:
    spec:
      chart: metrics-server
      version: 3.11.0
      sourceRef:
        kind: HelmRepository
        name: metrics-server-charts
        namespace: flux-system
      interval: 1m
  values:
    # Image tag is pinned explicitly instead of taking the chart default; tag-pinned, no digest.
    image:
      repository: registry.k8s.io/metrics-server/metrics-server
      tag: v0.7.2
    resources:
      requests:
        cpu: 100m
        memory: 50Mi
      limits:
        cpu: 1
        memory: 450Mi
-------------------------------------------------------------------------------- /cluster/apps/kube-system/metrics-server/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
  - helm-release.yaml
-------------------------------------------------------------------------------- /cluster/apps/kube-system/reloader/helm-release.yaml: --------------------------------------------------------------------------------
---
# Stakater Reloader: restarts workloads when the ConfigMaps/Secrets they reference change
# (consumed through the reloader.stakater.com/* annotations elsewhere in this tree).
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: reloader
  namespace: kube-system
spec:
  interval: 5m
  chart:
    spec:
      chart: reloader
      version: 1.2.1
      sourceRef:
        kind: HelmRepository
        name: stakater-charts
        namespace: flux-system
      interval: 5m
  values:
    nameOverride: reloader
    fullnameOverride: reloader
    reloader:
      # Hardening: immutable root filesystem for the controller container.
      readOnlyRootFileSystem: true
      podMonitor:
        enabled: true
        namespace: kube-system
      resources:
        limits:
          cpu: "5000m"
          memory: "256Mi"
        requests:
          cpu: "10m"
          memory: "128Mi"
-------------------------------------------------------------------------------- /cluster/apps/kube-system/reloader/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml
-------------------------------------------------------------------------------- /cluster/apps/kustomization.yaml: --------------------------------------------------------------------------------
---
# Entry point for all application namespaces.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - home
  - tools
  - monitoring
  - media
  - kube-system
-------------------------------------------------------------------------------- /cluster/apps/media/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: media
resources:
  - openbooks
-------------------------------------------------------------------------------- /cluster/apps/media/openbooks/certificate.yaml: --------------------------------------------------------------------------------
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "openbooks-${SECRET_DOMAIN/./-}"
spec:
  secretName: "openbooks-${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "openbooks.${SECRET_DOMAIN}"
  dnsNames:
    - "openbooks.${SECRET_DOMAIN}"
-------------------------------------------------------------------------------- /cluster/apps/media/openbooks/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
# OpenBooks on the bjw-s app-template chart (1.x values layout).
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: openbooks
spec:
  interval: 30m
  chart:
    spec:
      chart: app-template
      version: 1.5.1
      interval: 30m
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
  values:
    controller:
      type: deployment
      annotations:
        reloader.stakater.com/auto: "true"

    image:
      repository: docker.io/evanbuss/openbooks
      # TODO: Replace latest tag for OpenBooks once they had fixed multi-arch support
      # It seems to be an issue with their latest 4.5.0 release
      # labels: todo, area/cluster, bug, lifecycle
      # Floating tag: the image content can change under a cluster that never touches this file,
      # and the running version cannot be audited from git. A digest pin
      # (repository@sha256:<placeholder-digest>) or a fixed tag restores reproducibility once the
      # multi-arch issue above is resolved.
      tag: latest

    # NOTE(review): ${SECRET_OPENBOOKS_USERNAME} is substituted into the container command line, so
    # it ends up in the Pod spec (readable by anyone with `get pods` in this namespace) and in
    # process listings. If the value is sensitive, pass it via an env var sourced from a Secret.
    command:
      - ./openbooks
      - server
      - --name
      - "${SECRET_OPENBOOKS_USERNAME}"
      - --persist
      - "true"
      - --dir
      - "/books"
      - --port
      - &port "8080"

    # Runs as an unprivileged UID/GID; the volume is re-chowned only when its root ownership
    # mismatches. Pod-level only: no container securityContext (readOnlyRootFilesystem, dropped
    # capabilities) is set here.
    podSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
      fsGroupChangePolicy: "OnRootMismatch"
      supplementalGroups:
        - 65539

    service:
      main:
        ports:
          http:
            port: *port

    persistence:
      books:
        enabled: true
        type: pvc
        mountPath: /books
        accessMode: ReadWriteOnce
        size: 5Gi

    resources:
      requests:
        cpu: 15m
        memory: 64M
      limits:
        memory: 176M
-------------------------------------------------------------------------------- /cluster/apps/media/openbooks/ingress-route.yaml: --------------------------------------------------------------------------------
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: openbooks
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`openbooks.${SECRET_DOMAIN}`)
      kind: Rule
      services:
        - name: openbooks
          port: 8080
          scheme: http
      # Access is gated at the edge by the forward-auth middleware; openbooks is only reachable behind it.
      middlewares:
        - name: traefik-forward-auth
          namespace: networking
  tls:
    secretName: "openbooks-${SECRET_DOMAIN/./-}-tls"
-------------------------------------------------------------------------------- /cluster/apps/media/openbooks/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: media
resources:
  - ./helmrelease.yaml
  - ./certificate.yaml
  - ./ingress-route.yaml
commonLabels:
  app.kubernetes.io/name: openbooks
  app.kubernetes.io/instance: openbooks
-------------------------------------------------------------------------------- /cluster/apps/monitoring/botkube/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml
-------------------------------------------------------------------------------- /cluster/apps/monitoring/cronitor/helm-release.yaml: --------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: cronitor
spec:
  interval: 5m
  chart:
    spec:
      chart: cronitor-kubernetes
      version: 0.6.0
      sourceRef:
        kind: HelmRepository
        name: cronitor-charts
        namespace: flux-system
  values:
    # The API key is read from the SOPS-encrypted Secret in secret.sops.yaml, never from values.
    credentials:
      secretName: cronitor-secret
    config:
      sentryEnabled: false
      defaultEnvironment: "Production"
    resources:
      limits:
        cpu: 250m
        memory: 256Mi
      requests:
        cpu: 100m
        memory: 128Mi
--------------------------------------------------------------------------------
/cluster/apps/monitoring/cronitor/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
resources:
  - helm-release.yaml
  - secret.sops.yaml
-------------------------------------------------------------------------------- /cluster/apps/monitoring/cronitor/secret.sops.yaml: --------------------------------------------------------------------------------
# yamllint disable
# SOPS-encrypted Secret. Only `data`/`stringData` values are ciphertext (see encrypted_regex at the
# bottom); metadata and the sops block itself are cleartext, and `mac` is sops' integrity check so
# tampering with the file is detected at decrypt time. Two PGP recipients hold the data key: losing
# both private keys makes this value unrecoverable, and rotating either key means re-encrypting.
apiVersion: v1
kind: Secret
metadata:
  name: cronitor-secret
  namespace: monitoring
stringData:
  CRONITOR_API_KEY: ENC[AES256_GCM,data:7/yqhJdR5saonwpPs+IUK9DN6ZopxUAxXP98lBO5yt4=,iv:JJBB5rUnt9LLdxGqkvArxTRZuGHhnVYTgIx6EpiKLYs=,tag:+VqkYI5fCYaL+T47Ycs0MQ==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age: []
  lastmodified: "2022-06-27T19:18:39Z"
  mac: ENC[AES256_GCM,data:FSNiCtPixTtzoOgey7P0kqsl8yvFgBjoCTF9XddjzqH4ujRdjKMHSrFwHWYkymXu/jvvlI3rZb3KIn88cM2DDJYe0RPtyvA3k/qUhZiHhfLKH0dziqnczAv267UIo2S6RnrSolFHK/v/HWW8I/DFnDG0D4m2AGUX2eeL8+c8SQs=,iv:5Z/M/n1mzbLq80r8xV2TYdlg6PBtQBytkmXRNUfmIQk=,tag:hBGi/7lzhoR/QgSlXQykgw==,type:str]
  pgp:
    - created_at: "2021-09-30T23:16:15Z"
      enc: |
        -----BEGIN PGP MESSAGE-----

        hQIMA3t//ZLkhd3HAQ//W8563scIjdkzIv2iw2dN9FGidQNL1VR55gLxMY6DQK/D
        uN57AZYaQ0V9VGFXeJy4FNiguwFYT1mK+0Air2RFtpACovSyiETOZMhXD3ZSyy4J
        pBRdlfL+bwFyX4pFw9CXKZ+BAK7oaGmJaohOrbpn64kiJAXlbuMFFW4hT4ocwa5W
        X8nrcnb2ptB9Tg02Rhfw1Z4DfrxDDZxdKAfRVEoFnpji16ZQN4m4I1gMc+pQlbW0
        k6FhPsVg7pPAUyA5X45IXXxpTR1B4bIaujGgY9MqLn55fdb04+nNIZ8XPxFggdRZ
        toiiw8IYvzpVXPui+mSrASW9R0XXpvsP21sP8i0N3p1Q+XPdmsKE3gWLJpCmOkh6
        hR0U3YRLAxQtPNYBuy2Lwb/VTElIISA+KYZ63XRBD8H1p27spTxM4udgVm1s7hYY
        VEsFEiIpudURY08C06IvvifQ8VollI+VP+D4vcOvZWASGt47MNvfWQL7mNhBYntd
        TlcaNrSCbldYHTCEgRvnoLYf9ew5k3U4L8IAiypKDQyYWvrbiSFa70EpzwJ6qxyH
        AQbay0LwvQaCWtcvPSyyfkRXH1KJTeLGFcr5o2X7cTYFn+ATm3R98Oj6bbR+EU1/
        U2uh/xDpdfz+8UWDGQALmYieD5JREbSLgidc1PCa9/dVS3uruqatz9A/e2iO0evS
        XgH+UoSRUlylaXkeVqham0ZWGhKi78AKZmqLljeXUJpltT9v/ZubayUu432QBzK5
        MCy8iJiXY5OFpk8CCbBOPos9I1HINzf2fIkboBXngV/QiTSS3/m9bCdPcwXIsNo=
        =fP9n
        -----END PGP MESSAGE-----
      fp: "0x2141D0D63053C652"
    - created_at: "2021-09-30T23:16:15Z"
      enc: |
        -----BEGIN PGP MESSAGE-----

        hQIMAwMklZWlTgvIAQ/9HW4tnrLe2UINdE5gJhE3NSkX1RTcD74PZB/K8EorFNuE
        u2vois8MGt3xt78vrSr3FFc62acdtCIkezXhETtksrcofV00Lo4OpgzjHm3Genak
        wA6DhA1FHtoQZH8OLYG2IWuRbwjmdehbxQV8DnjhIADdonn5Hir49TE5PmuKDtu7
        TThdSfZ1jgvZ+A4VI/OzzkhUfCUKfFIqmbGVk1lGW8K6VP8WCZA1zaP3xu4O+csj
        f5bdokQyfr+hi55BUnn6ibCyX90yzjvkBFZ95lZK/KzF3/RqfHmkFzMGcBI5wfzK
        m3Fy++VoBFED59QKKd8VJJHqXdqewYzfvzAfL07qtLCxVuisDrrkHx+mBMQ/jk4P
        T1mYDFJcuqPEPZcnc1lnYLfjnKlM/fYdy/NSJw7JXBXVbX8dQ6CWJitnodNcLDzi
        VJCQBNTSLLyWxhQyPtix8tCqur9V0Umz1501a3NHll7H9LsyTFt7tvw6Foebs01n
        HSzhu8/IxDS4ed5c88Tkd/YnzusnneagujH0z2gHfJxeNwwk2iTEBQJjzmtD4zax
        TIO/j5K7bdn0V3SkFF/6mWM727TDt5CcihdX6MygqkU27QQ1Vdlm7PsThb83QJmk
        kqoC0pVVqfXpJ4CkrlYo6yHIDDO6UFV+xic9IPQBEp1gWqfRTKQSwRZmFoH5Td7S
        XgFBQkZ7j1bSCNSasGSXw/R3mnMm5HyLoPUJxR46pHg1/nKY0h9YhgRBmobmU8yn
        L8OoBlAxM0fWFR/+nZtdVZ9zEfes9QC2CNAFs1ZbZ4XfJZ3olSOVMLviroZ/C04=
        =U6Ze
        -----END PGP MESSAGE-----
      fp: "0x03249595A54E0BC8"
  encrypted_regex: ^(data|stringData)$
  version: 3.7.3
-------------------------------------------------------------------------------- /cluster/apps/monitoring/dashboard/certificate.yaml: --------------------------------------------------------------------------------
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "dashboard-${SECRET_DOMAIN/./-}"
  namespace: monitoring
spec:
  secretName: "dashboard-${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "dashboard.${SECRET_DOMAIN}"
  dnsNames:
    - "dashboard.${SECRET_DOMAIN}"
-------------------------------------------------------------------------------- /cluster/apps/monitoring/dashboard/helm-release.yaml: --------------------------------------------------------------------------------
---
# Heimdall application dashboard (the "dashboard" of this directory) on app-template 2.x; note the
# controllers/containers layout differs from the 1.x layout used by openbooks.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: heimdall
spec:
  interval: 1h
  chart:
    spec:
      chart: app-template
      version: 2.0.0-beta.3
      interval: 30m
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
  values:
    controllers:
      main:
        # Recreate — presumably because the ReadWriteOnce config volume below cannot be attached by
        # two pods during a rolling update.
        strategy: Recreate
        type: deployment
        annotations:
          reloader.stakater.com/auto: "true"
        containers:
          main:
            # No registry prefix, so the runtime's default registry (typically Docker Hub) is used;
            # tag-pinned, no digest.
            image:
              repository: linuxserver/heimdall
              tag: 2.5.8
            env:
              TZ: Europe/London
            resources:
              requests:
                cpu: 15m
                memory: 64M
              limits:
                memory: 176M
    service:
      main:
        ports:
          http:
            port: 80
    persistence:
      config:
        enabled: true
        type: persistentVolumeClaim
        accessMode: ReadWriteOnce
        size: 1Gi
        # Presumably keeps the PVC when the release is uninstalled — verify against the chart.
        retain: true
        mountPath: /config
-------------------------------------------------------------------------------- /cluster/apps/monitoring/dashboard/ingress-route.yaml: --------------------------------------------------------------------------------
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
  namespace: monitoring
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`dashboard.${SECRET_DOMAIN}`)
      kind: Rule
      services:
        - name: heimdall
          namespace: monitoring
          port: 80
          scheme: http
      middlewares:
        - name: traefik-forward-auth
          namespace: networking
  tls:
    secretName: "dashboard-${SECRET_DOMAIN/./-}-tls"
-------------------------------------------------------------------------------- /cluster/apps/monitoring/dashboard/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
resources:
  - helm-release.yaml
  - certificate.yaml
  - ingress-route.yaml
-------------------------------------------------------------------------------- /cluster/apps/monitoring/goldilocks/certificate.yaml: --------------------------------------------------------------------------------
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "goldilocks-${SECRET_DOMAIN/./-}"
spec:
  secretName: "goldilocks-${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "goldilocks.${SECRET_DOMAIN}"
  dnsNames:
    - "goldilocks.${SECRET_DOMAIN}"
-------------------------------------------------------------------------------- /cluster/apps/monitoring/goldilocks/helmrelease.yaml: --------------------------------------------------------------------------------
---
# Goldilocks: presents VPA recommendations per namespace; depends on the vpa release in ../vpa.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: goldilocks
  namespace: monitoring
spec:
  interval: 30m
  chart:
    spec:
      chart: goldilocks
      version: 9.0.2
      sourceRef:
        kind: HelmRepository
        name: fairwinds-charts
        namespace: flux-system
      interval: 30m
  timeout: 20m
  # Flux waits for the vpa HelmRelease to be Ready before installing this one.
  dependsOn:
    - name: vpa
      namespace: monitoring
  values:
    controller:
      resources:
        requests:
          cpu: 15m
          memory: 145M
        limits:
          cpu: 1
          memory: 174M
    dashboard:
      replicaCount: 1
      resources:
        requests:
          cpu: 15m
          memory: 64M
        limits:
          cpu: 1
          # Limit equals request: the dashboard is OOM-killed as soon as it exceeds 64M — tight.
          memory: 64M
-------------------------------------------------------------------------------- /cluster/apps/monitoring/goldilocks/ingress-route.yaml: --------------------------------------------------------------------------------
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: goldilocks
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`goldilocks.${SECRET_DOMAIN}`)
      kind: Rule
      services:
        - name: goldilocks-dashboard
          port: 80
          scheme: http
      middlewares:
        - name: traefik-forward-auth
          namespace: networking
  tls:
    secretName: "goldilocks-${SECRET_DOMAIN/./-}-tls"
-------------------------------------------------------------------------------- /cluster/apps/monitoring/goldilocks/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
resources:
  - ./helmrelease.yaml
  - ./certificate.yaml
  - ./ingress-route.yaml
-------------------------------------------------------------------------------- /cluster/apps/monitoring/grafana/certificate.yaml: --------------------------------------------------------------------------------
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "grafana-${SECRET_DOMAIN/./-}"
spec:
  secretName: "grafana-${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "grafana.${SECRET_DOMAIN}"
  dnsNames:
    - "grafana.${SECRET_DOMAIN}"
-------------------------------------------------------------------------------- /cluster/apps/monitoring/grafana/ingress-route.yaml: --------------------------------------------------------------------------------
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: grafana
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`grafana.${SECRET_DOMAIN}`)
      kind: Rule
      services:
        - name: grafana
          namespace: monitoring
          port: 80
          scheme: http
      middlewares:
        - name: traefik-forward-auth
          namespace: networking
  tls:
    secretName: "grafana-${SECRET_DOMAIN/./-}-tls"
-------------------------------------------------------------------------------- /cluster/apps/monitoring/grafana/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml
  - secret.sops.yaml
  - ingress-route.yaml
  - certificate.yaml
-------------------------------------------------------------------------------- /cluster/apps/monitoring/karma/certificate.yaml: --------------------------------------------------------------------------------
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "karma-${SECRET_DOMAIN/./-}"
  namespace: monitoring
spec:
  secretName: "karma-${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "karma.${SECRET_DOMAIN}"
  dnsNames:
    - "karma.${SECRET_DOMAIN}"
-------------------------------------------------------------------------------- /cluster/apps/monitoring/karma/deployment.yaml: --------------------------------------------------------------------------------
---
# Karma alert dashboard, deployed as a plain Deployment (no Helm chart).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: &app karma
  namespace: monitoring
  labels:
    app.kubernetes.io/name: *app
    app.kubernetes.io/instance: *app
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: *app
      app.kubernetes.io/instance: *app
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: *app
        app.kubernetes.io/instance: *app
    spec:
      # No pod or container securityContext is set: the container runs as whatever user the image
      # defaults to, with a writable root filesystem. Hardening to consider: runAsNonRoot,
      # readOnlyRootFilesystem, allowPrivilegeEscalation: false, capabilities drop ALL
      # (openbooks at least sets a non-root podSecurityContext).
      containers:
        - name: *app
          # Tag-pinned, no digest.
          image: ghcr.io/prymitive/karma:v0.115
          imagePullPolicy: IfNotPresent
          env:
            # Plain HTTP to Alertmanager inside the cluster (service in the same namespace).
            - name: ALERTMANAGER_URI
              value: http://prometheus-alertmanager:9093
          ports:
            - name: &port http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /health
              port: *port
            initialDelaySeconds: 0
            periodSeconds: 10
            timeoutSeconds: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: *port
            initialDelaySeconds: 0
            periodSeconds: 10
            timeoutSeconds: 1
            failureThreshold: 3
          # Startup probe allows up to 30 x 10s = 5 minutes before the liveness probe takes over.
          startupProbe:
            httpGet:
              path: /health
              port: *port
            failureThreshold: 30
            periodSeconds: 10
          resources:
            requests:
              cpu: 10m
              memory: 50Mi
            limits:
              cpu: 100m
              memory: 200Mi
-------------------------------------------------------------------------------- /cluster/apps/monitoring/karma/ingress-route.yaml: --------------------------------------------------------------------------------
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: karma
  namespace: monitoring
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`karma.${SECRET_DOMAIN}`)
      kind: Rule
      services:
        - name: karma
          namespace: monitoring
          port: 8080
          scheme: http
      middlewares:
        - name: traefik-forward-auth
          namespace: networking
  tls:
    secretName: "karma-${SECRET_DOMAIN/./-}-tls"
-------------------------------------------------------------------------------- /cluster/apps/monitoring/karma/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - service.yaml
  - certificate.yaml
  - ingress-route.yaml
-------------------------------------------------------------------------------- /cluster/apps/monitoring/karma/service.yaml: --------------------------------------------------------------------------------
---
apiVersion: v1
kind: Service
metadata:
  name: &app karma
  namespace: monitoring
  labels:
    app.kubernetes.io/name: *app
    app.kubernetes.io/instance: *app
spec:
  selector:
    app.kubernetes.io/name: *app
    app.kubernetes.io/instance: *app
  ports:
    - name: http
      port: 8080
      protocol: TCP
      # Resolves to the container port named "http" in deployment.yaml (8080).
      targetPort: http
-------------------------------------------------------------------------------- /cluster/apps/monitoring/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
resources:
  - botkube
  - grafana
  - dashboard
  - karma
  - speedtest-exporter
  - vpa
  - goldilocks
  # - cronitor-heartbeat
  # - node-problem-detector
  # NOTE(review): ./cronitor (HelmRelease + SOPS secret) exists but is not listed, so it is not
  # reconciled from here — confirm whether it was meant to be disabled.
-------------------------------------------------------------------------------- /cluster/apps/monitoring/speedtest-exporter/helm-release.yaml: --------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: speedtest-exporter
  namespace: monitoring
spec:
  interval: 5m
  chart:
    spec:
      chart: speedtest-exporter
      version: 5.4.2
      sourceRef:
        kind: HelmRepository
        # NOTE(review): confirm this chart repository is still maintained and served; an
        # unmaintained source leaves the release without updates.
        name: k8s-at-home-charts
        namespace: flux-system
      interval: 5m
  values:
    image:
      repository: ghcr.io/miguelndecarvalho/speedtest-exporter
      tag: v3.5.4
    metrics:
      enabled: true
      serviceMonitor:
        # Deliberately long scrape interval — presumably because each scrape runs a bandwidth test.
        interval: 15m
        scrapeTimeout: 1m
      prometheusRule:
        enabled: true
        # Alert thresholds; units are defined by the chart's rules.
        downloadLimit: 150
        uploadLimit: 20
        pingLimit: 30
        jitterLimit: 30
-------------------------------------------------------------------------------- /cluster/apps/monitoring/speedtest-exporter/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml
-------------------------------------------------------------------------------- /cluster/apps/monitoring/vpa/helmrelease.yaml: --------------------------------------------------------------------------------
---
# Vertical Pod Autoscaler in recommendation-only mode: the updater and admission controller are
# disabled, so nothing is evicted or mutated. Goldilocks (which dependsOn this release) reads the
# recommendations.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: vpa
  namespace: monitoring
spec:
  interval: 30m
  chart:
    spec:
      chart: vpa
      version: 4.7.2
      sourceRef:
        kind: HelmRepository
        name: fairwinds-charts
        namespace: flux-system
      interval: 30m
  timeout: 20m
  values:
    recommender:
      enabled: true
      image:
        repository: registry.k8s.io/autoscaling/vpa-recommender
        tag: 0.14.0
      resources:
        requests:
          cpu: 15m
          memory: 145M
        limits:
          memory: 174M
      extraArgs:
        pod-recommendation-min-cpu-millicores: 15
        pod-recommendation-min-memory-mb: 61
        # Usage history is read from Prometheus, reached through the in-cluster Thanos Query service.
        storage: prometheus
        prometheus-address: |-
          http://thanos-query.monitoring.svc.cluster.local:9090

    updater:
      enabled: false

    admissionController:
      enabled: false
-------------------------------------------------------------------------------- /cluster/apps/monitoring/vpa/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
resources:
  - ./helmrelease.yaml
-------------------------------------------------------------------------------- /cluster/apps/system-upgrade/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: system-upgrade
resources:
  - system-upgrade-controller
-------------------------------------------------------------------------------- /cluster/apps/system-upgrade/system-upgrade-controller/kustomization.yaml: --------------------------------------------------------------------------------
---
# Rancher system-upgrade-controller from the upstream repo plus the local k3s upgrade plans.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Remote base pinned to a git tag; tags are mutable, a commit SHA would be the stronger pin.
  - github.com/rancher/system-upgrade-controller?ref=v0.13.4
  - plans
images:
  - name: rancher/system-upgrade-controller
    newTag: v0.13.4
# patchesStrategicMerge is deprecated in recent kustomize releases in favour of `patches`.
patchesStrategicMerge:
  # Add labels
  - |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: system-upgrade-controller
      namespace: system-upgrade
      labels:
        app.kubernetes.io/name: system-upgrade-controller
        app.kubernetes.io/instance: system-upgrade-controller
-------------------------------------------------------------------------------- /cluster/apps/system-upgrade/system-upgrade-controller/plans/agent.yaml: --------------------------------------------------------------------------------
---
# Upgrade plan for k3s worker (non control-plane) nodes; server.yaml is the control-plane twin.
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: k3s-agent
  namespace: system-upgrade
  labels:
    k3s-upgrade: agent
spec:
  # renovate: datasource=github-releases depName=k3s-io/k3s
  version: "1.28.2+k3s1"
  serviceAccountName: system-upgrade
  # One node at a time.
  concurrency: 1
  nodeSelector:
    matchExpressions:
      - key: node-role.kubernetes.io/control-plane
        operator: DoesNotExist
  # Presumably blocks until the k3s-server plan has completed, so agents never run ahead of the
  # control plane — verify against the k3s-upgrade image documentation.
  prepare:
    image: rancher/k3s-upgrade
    args:
      - "prepare"
      - "k3s-server"
  upgrade:
    # No tag on the image: the controller supplies the plan's version as the tag.
    image: rancher/k3s-upgrade
    drain:
      # force: true also evicts pods that are not managed by a controller (they are not recreated).
      force: true
      skipWaitForDeleteTimeout: 300
# /cluster/apps/system-upgrade/system-upgrade-controller/plans/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - server.yaml
  - agent.yaml
# /cluster/apps/system-upgrade/system-upgrade-controller/plans/server.yaml
---
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  # The agent plan waits on this plan by name ("prepare k3s-server"); renaming
  # it silently breaks that ordering.
  name: k3s-server
  namespace: system-upgrade
  labels:
    k3s-upgrade: server
spec:
  # renovate: datasource=github-releases depName=k3s-io/k3s
  # Keep identical to plans/agent.yaml so servers and agents land on one release.
  version: "1.28.2+k3s1"
  serviceAccountName: system-upgrade
  # Control-plane nodes strictly one at a time.
  concurrency: 1
  cordon: true
  # Control-plane nodes only.
  nodeSelector:
    matchExpressions:
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
  upgrade:
    image: rancher/k3s-upgrade
  drain:
    force: true
    skipWaitForDeleteTimeout: 300
# /cluster/apps/tools/changedetection-io/certificate.yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  # ${SECRET_DOMAIN/./-} is Flux variable substitution (bash-style): the
  # single-slash form replaces only the FIRST dot, which is fine for a
  # two-label domain but leaves later dots in place for anything longer.
  name: "change-detection-${SECRET_DOMAIN/./-}"
  namespace: tools
spec:
  # Consumed by ingress-route.yaml (tls.secretName).
  secretName: "change-detection-${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "change-detection.${SECRET_DOMAIN}"
  dnsNames:
    - "change-detection.${SECRET_DOMAIN}"
# /cluster/apps/tools/changedetection-io/config-pvc.yaml:
# /cluster/apps/tools/changedetection-io/config-pvc.yaml
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  # Versioned claim name so a datastore layout change can ship as a new claim.
  name: changedetection-io-config-v1
  namespace: tools
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
# /cluster/apps/tools/changedetection-io/helm-release.yaml
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: changedetection-io
  namespace: tools
spec:
  interval: 5m
  timeout: 10m
  chart:
    spec:
      chart: app-template
      version: 3.5.1
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  values:
    defaultPodOptions:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
      # Velero hooks: freeze /datastore around the snapshot so the backup is
      # crash-consistent. Both commands run in the fsfreeze sidecar below.
      annotations:
        backup.velero.io/backup-volumes: config
        pre.hook.backup.velero.io/container: fsfreeze
        pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/datastore"]'
        post.hook.backup.velero.io/container: fsfreeze
        post.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--unfreeze", "/datastore"]'
    controllers:
      main:
        # Recreate: the RWO claim cannot be attached to two pods during a rollout.
        strategy: Recreate
        containers:
          main:
            image:
              repository: dgtlmoon/changedetection.io
              tag: "0.48.06"
              pullPolicy: IfNotPresent
            env:
              BASE_URL: "https://change-detection.${SECRET_DOMAIN}"
              # Loopback: the Selenium sidecar shares the pod network namespace,
              # so the WebDriver port is never published through the Service.
              WEBDRIVER_URL: http://localhost:4444/wd/hub
              TZ: "Europe/London"
            resources:
              requests:
                memory: 100Mi
                cpu: 100m
              limits:
                memory: 750Mi
          # NOTE(review): Selenium 3.x era image. The `-debug` variant is
          # documented upstream as bundling a VNC server; only port 5000 is
          # exposed by the Service below so it stays pod-local, but this is an
          # unmaintained browser rendering operator-configured remote pages —
          # plan a move to a supported Selenium/Chrome image.
          chrome-webdriver:
            image:
              repository: selenium/standalone-chrome-debug
              tag: "3.141.59"
              pullPolicy: IfNotPresent
          # NOTE(review): `privileged: true` is root-equivalent on the node, in
          # the same pod as a browser that fetches remote content. fsfreeze needs
          # CAP_SYS_ADMIN for the freeze ioctl; check whether
          # `capabilities.add: [SYS_ADMIN]` without `privileged` is enough for
          # this image before loosening, and keep this workload out of any
          # "restricted" pod-security namespace.
          fsfreeze:
            image:
              repository: ghcr.io/k8s-at-home/fsfreeze
              tag: v2.37-r0
              pullPolicy: IfNotPresent
            securityContext:
              privileged: true
    global:
      nameOverride: changedetection-io

    service:
      main:
        controller: main
        ports:
          http:
            port: 5000

    persistence:
      config:
        type: persistentVolumeClaim
        enabled: true
        existingClaim: changedetection-io-config-v1
        # Same volume in the app and the fsfreeze sidecar so the freeze hook
        # acts on the filesystem the app actually writes to.
        advancedMounts:
          main:
            main:
              - path: /datastore
            fsfreeze:
              - path: /datastore
      # Memory-backed scratch space for Chrome's shared memory, capped at 2Gi.
      cache:
        enabled: true
        type: emptyDir
        medium: Memory
        sizeLimit: 2Gi
        globalMounts:
          - path: /dev/shm
# /cluster/apps/tools/changedetection-io/ingress-route.yaml
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: change-detection
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`change-detection.${SECRET_DOMAIN}`)
      kind: Rule
      services:
        - name: changedetection-io
          namespace: tools
          port: 5000
          scheme: http
      # Forward-auth is the access control on this route. Anyone who gets past
      # it can presumably point the in-cluster browser at arbitrary URLs
      # (internal services included), so do not drop this middleware.
      middlewares:
        - name: traefik-forward-auth
          namespace: networking
  tls:
    secretName: "change-detection-${SECRET_DOMAIN/./-}-tls"
# /cluster/apps/tools/changedetection-io/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: tools
resources:
  - config-pvc.yaml
  - helm-release.yaml
  - certificate.yaml
  - 
ingress-route.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/tools/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: tools 5 | resources: 6 | - changedetection-io 7 | -------------------------------------------------------------------------------- /cluster/bootstrap/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - github.com/fluxcd/flux2/manifests/install?ref=v2.4.0 6 | -------------------------------------------------------------------------------- /cluster/config/README.md: -------------------------------------------------------------------------------- 1 | # Config 2 | 3 | This section offers cluster-wide [secrets](https://github.com/kitos9112/k8s-home/tree/main/cluster/config/cluster-secrets.sops.yaml) and [settings](https://github.com/kitos9112/k8s-home/tree/main/cluster/config/cluster-settings.yaml) available across all other cluster "categories" (e.g. apps). They are implemented in combination with [Flux variable substitution features](https://fluxcd.io/docs/components/kustomize/kustomization/#variable-substitution) which emulates bash string replacements as if they were executed on a terminal. 4 | 5 | ```sh 6 | ${var:=default} 7 | ${var:position} 8 | ${var:position:length} 9 | ${var/substring/replacement} 10 | 11 | # Note that the name of a variable can contain only alphanumeric and underscore characters. 12 | # The Kustomization controller validates the var names using this regular expression: 13 | # ^[_[:alpha:]][_[:alpha:][:digit:]]*$. 14 | ``` 15 | 16 | The values present in these configMaps get interpolated mostly in helmReleases values, but they can be used in any other flux-managed resources. 
17 | -------------------------------------------------------------------------------- /cluster/config/cluster-settings.yaml: -------------------------------------------------------------------------------- 1 | # yamllint disable 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: cluster-settings 6 | namespace: flux-system 7 | data: 8 | SETTING_CERT_MANAGER_CLUSTER_ISSUER: letsencrypt-production 9 | SETTING_CERT_MANAGER_CLUSTER_ISSUER_TEST: letsencrypt-staging 10 | -------------------------------------------------------------------------------- /cluster/config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - cluster-secrets.sops.yaml 6 | - cluster-settings.yaml 7 | -------------------------------------------------------------------------------- /cluster/core/README: -------------------------------------------------------------------------------- 1 | # Core 2 | 3 | Made up of applications that become the heart and the foundation of any Kubernetes cluster to fullfil needs as: 4 | 5 | - Storage 6 | - Namespace declaration 7 | - Certificate management 8 | - Secret Management 9 | - Monitoring and Observability 10 | - Networking and Load Balancing 11 | - Auto-os K8s worker upgrade 12 | - K8s manifests and Persistent Volume Backup and Restore 13 | 14 | They all ensure a well-maintained and secure Kubernetes cluster, each application fulfils a single cause and gets deployed onto its own namespace. 15 | Also, they all depend on **crds** and Flux should never prune them in case a manifest disappears from the source of truth (e.g. Git) 16 | 17 | > Each category contains a directory that depicts the Kubernetes namespace where to deploy `kustomize` objects. 
# /cluster/core/cert-manager/helm-release.yaml
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  interval: 5m
  chart:
    spec:
      chart: cert-manager
      version: v1.17.0
      sourceRef:
        kind: HelmRepository
        name: jetstack-charts
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  values:
    # CRDs are owned by the Helm release. NOTE(review): that ties their lifetime
    # to the release — uninstalling it would also drop the CRDs and, with them,
    # every Certificate/Issuer object in the cluster. Make sure Flux can never
    # prune this HelmRelease.
    crds:
      enabled: true
    replicaCount: 1
    webhook:
      resources:
        requests:
          cpu: 10m
          memory: 64Mi
        limits:
          cpu: 125m
          memory: 64Mi
    # NOTE(review): nesting reconstructed from a collapsed listing. These are
    # controller flags and belong at the top level of `values`, not under
    # `webhook` — confirm in the original file.
    # DNS-01 self-check goes to 1.1.1.1 only, bypassing cluster DNS whose cached
    # negative answers would otherwise delay propagation checks.
    extraArgs:
      - --dns01-recursive-nameservers=1.1.1.1:53
      - --dns01-recursive-nameservers-only
    cainjector:
      replicaCount: 1
      resources:
        requests:
          cpu: 10m
          memory: 64Mi
        limits:
          cpu: 2000m
          memory: 250Mi
    # Presumably the controller pods: resolve via public resolvers over plain
    # UDP/53 instead of CoreDNS (unencrypted DNS leaves the cluster).
    podDnsPolicy: "None"
    podDnsConfig:
      nameservers:
        - "1.1.1.1"
        - "8.8.8.8"
    prometheus:
      enabled: true
      servicemonitor:
        enabled: true
        prometheusInstance: monitoring
# /cluster/core/cert-manager/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml
  - letsencrypt-production.yaml
  - letsencrypt-staging.yaml
  - secret.sops.yaml
# /cluster/core/cert-manager/letsencrypt-production.yaml
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: "${SECRET_CLOUDFLARE_EMAIL}"
    # ACME account private key; cert-manager creates and stores it itself.
    privateKeySecretRef:
      name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    solvers:
      - dns01:
          cloudflare:
            email: "${SECRET_CLOUDFLARE_EMAIL}"
            # Use apiTokenSecretRef for Tokens and apiKeySecretRef for Global API Keys
            # https://github.com/jetstack/cert-manager/issues/2384#issuecomment-575301692
            # NOTE(review): for a ClusterIssuer this Secret is read from
            # cert-manager's own namespace (the cluster resource namespace, by
            # default cert-manager). Prefer a token scoped to Zone:DNS:Edit on
            # just this zone — a Global API Key leak would be the whole account.
            apiTokenSecretRef:
              name: cloudflare-token-secret
              key: cloudflare-token
# /cluster/core/cert-manager/letsencrypt-staging.yaml
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER_TEST}
spec:
  acme:
    # Staging CA: untrusted certificates, generous rate limits. Use while
    # debugging issuance so the production account is not rate-limited.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: "${SECRET_CLOUDFLARE_EMAIL}"
    privateKeySecretRef:
      name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER_TEST}
    solvers:
      - dns01:
          cloudflare:
            email: "${SECRET_CLOUDFLARE_EMAIL}"
            # Use apiTokenSecretRef for Tokens and apiKeySecretRef for Global API Keys
            # https://github.com/jetstack/cert-manager/issues/2384#issuecomment-575301692
            # Same token as production — staging issuance needs the same DNS
            # write access, so there is no least-privilege gain in a second one.
            apiTokenSecretRef:
              name: cloudflare-token-secret
              key: cloudflare-token
# /cluster/core/flux-system/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources:
  - monitoring
  - notifications
  - webhook
# /cluster/core/flux-system/monitoring/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - pod-monitor.yaml
  - prometheus-rule.yaml
configMapGenerator:
  # Grafana dashboards fetched from the upstream example repo at build time.
  # NOTE(review): `refs/heads/main` is a moving target — whatever is on that
  # branch when Flux reconciles lands in Grafana without passing through this
  # repo's review. Pin to a commit SHA, or vendor the JSON into this repo.
  # NOTE(review): the third entry downloads control-plane.json a second time
  # under the "logs" name — looks like a copy/paste slip; confirm the intended
  # file.
  - name: fluxcd-dashboard
    files:
      - fluxcd-cluster-dashboard.json=https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/refs/heads/main/monitoring/configs/dashboards/cluster.json
      - fluxcd-control-plane-dashboard.json=https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/refs/heads/main/monitoring/configs/dashboards/control-plane.json
      - fluxcd-logs-dashboard.json=https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/refs/heads/main/monitoring/configs/dashboards/control-plane.json
generatorOptions:
  # Stable name; presumably the Grafana sidecar discovers it by the label below.
  disableNameSuffixHash: true
  annotations:
    # Keep Flux's ${VAR} substitution off the dashboard JSON, which uses the
    # same ${...} syntax for Grafana template variables.
    kustomize.toolkit.fluxcd.io/substitute: disabled
  labels:
    grafana_dashboard: "1"
# /cluster/core/flux-system/monitoring/pod-monitor.yaml
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: flux-system
  namespace: flux-system
  labels:
    app.kubernetes.io/part-of: flux
spec:
  namespaceSelector:
    matchNames:
      - flux-system
  # Scrape every Flux controller pod by its `app` label.
  selector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - helm-controller
          - source-controller
          - kustomize-controller
          - notification-controller
          - image-automation-controller
          - image-reflector-controller
  podMetricsEndpoints:
    - port: http-prom
      # Rewrite the default `<namespace>/<podmonitor>` job label to whatever
      # follows the last "/" — this is what prometheus-rule.yaml matches on.
      relabelings:
        - sourceLabels: ["namespace", "job"]
          regex: ".+/(.*)"
          targetLabel: "job"
          replacement: "$1"
# /cluster/core/flux-system/monitoring/prometheus-rule.yaml
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: flux
  namespace: flux-system
spec:
  groups:
    - name: flux
      rules:
        # Fires when no Flux target with a flux-system job label is up at all —
        # i.e. the control plane of GitOps itself has gone dark.
        - alert: FluxComponentAbsent
          annotations:
            description: Flux component has disappeared from Prometheus target discovery.
            summary: Flux component is down.
          expr: |
            absent(up{job=~".*flux-system.*"} == 1)
          for: 5m
          labels:
            severity: critical
        # Ready=False for 10m, excluding objects that are being deleted
        # (the "* 2 == 1" arithmetic masks the Deleted condition).
        - alert: FluxReconciliationFailure
          annotations:
            description: "{{ $labels.kind }} {{ $labels.namespace }}/{{ $labels.name }} reconciliation has been failing for more than ten minutes."
            summary: Flux reconciliation failure.
          expr: |
            max(gotk_reconcile_condition{status="False",type="Ready"}) by (namespace, name, kind)
              +
            on(namespace, name, kind) (max(gotk_reconcile_condition{status="Deleted"})
              by (namespace, name, kind)) * 2 == 1
          for: 10m
          labels:
            severity: critical
# /cluster/core/flux-system/notifications/discord/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - notification.yaml
  - secret.sops.yaml
# /cluster/core/flux-system/notifications/discord/notification.yaml
---
apiVersion: notification.toolkit.fluxcd.io/v1beta2
kind: Provider
metadata:
  name: discord
  namespace: flux-system
spec:
  type: discord
  username: Flux
  channel: flux
  # A Discord webhook URL is a bearer credential (anyone holding it can post
  # to the channel), hence SOPS-encrypted in secret.sops.yaml.
  secretRef:
    name: discord-webhook-url
---
apiVersion: notification.toolkit.fluxcd.io/v1beta2
kind: Alert
metadata:
  name: home-cluster
  namespace: flux-system
spec:
  providerRef:
    name: discord
  # Errors only; info-level events go to GitHub commit statuses instead.
  eventSeverity: error
  eventSources:
    - kind: GitRepository
      name: "*"
    - kind: Kustomization
      name: "*"
    - kind: HelmRepository
      name: "*"
    - kind: HelmRelease
      name: "*"
  # Transient network noise that would otherwise page on every blip.
  exclusionList:
    - "error.*lookup github\\.com"
    - "waiting.*socket"
  suspend: false
# /cluster/core/flux-system/notifications/github/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - notification.yaml
  - secret.sops.yaml
# /cluster/core/flux-system/notifications/github/notification.yaml
---
apiVersion: notification.toolkit.fluxcd.io/v1beta2
kind: Provider
metadata:
  name: github
  namespace: flux-system
spec:
  type: github
  address: https://github.com/kitos9112/k8s-home
  # NOTE(review): this token only needs to write commit statuses on this one
  # repository — scope it accordingly (fine-grained token) rather than a
  # classic token with broad repo rights; it lives in a cluster Secret.
  secretRef:
    name: github-token
---
apiVersion: notification.toolkit.fluxcd.io/v1beta2
kind: Alert
metadata:
  name: github
  namespace: flux-system
spec:
  providerRef:
    name: github
  # Every reconcile outcome, success included, is reported back as a status.
  eventSeverity: info
  eventSources:
    - kind: Kustomization
      name: "*"
    - kind: HelmRelease
      name: "*"
# /cluster/core/flux-system/notifications/kustomization.yaml:
# /cluster/core/flux-system/notifications/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - discord
  - github
# /cluster/core/flux-system/webhook/github/certificate.yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "flux-${SECRET_DOMAIN/./-}"
spec:
  # Consumed by ingress-route.yaml (tls.secretName).
  secretName: "flux-${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "flux.${SECRET_DOMAIN}"
  dnsNames:
    - "flux.${SECRET_DOMAIN}"
# /cluster/core/flux-system/webhook/github/ingress-route.yaml
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: flux
spec:
  entryPoints:
    - websecure
  routes:
    # Internet-facing by design: GitHub has to reach it, so the forward-auth
    # middleware used on the other routes cannot be applied here. Each
    # delivery is authenticated by the Receiver (webhook/github/receiver.yaml)
    # against its shared secret, not by Traefik.
    # NOTE(review): the rule matches the whole host, so every path served by
    # webhook-receiver is internet-reachable. Narrowing to the receiver's
    # documented hook path, e.g. `Host(...) && PathPrefix(`/hook/`)`, and adding
    # a Traefik ipAllowList middleware limited to GitHub's published webhook
    # address ranges would shrink that surface without breaking deliveries —
    # confirm the path prefix against the notification-controller docs.
    - match: Host(`flux.${SECRET_DOMAIN}`)
      kind: Rule
      services:
        - name: webhook-receiver
          namespace: flux-system
          port: 80
          scheme: http
  tls:
    secretName: "flux-${SECRET_DOMAIN/./-}-tls"
# /cluster/core/flux-system/webhook/github/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - secret.sops.yaml
  - ingress-route.yaml
  - certificate.yaml
  - receiver.yaml
# /cluster/core/flux-system/webhook/github/receiver.yaml:
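# /cluster/core/flux-system/webhook/github/receiver.yaml
---
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
  name: k8s-home
  namespace: flux-system
spec:
  type: github
  # Only these GitHub event types trigger a reconcile; everything else is ignored.
  events:
    - "ping"
    - "push"
  # Shared secret GitHub signs each delivery with; deliveries whose signature
  # does not verify are rejected by the notification-controller. Rotate it
  # together with the webhook configuration on the GitHub side.
  secretRef:
    name: github-webhook-token
  # The only objects a webhook call may nudge — it cannot touch anything else.
  resources:
    - apiVersion: source.toolkit.fluxcd.io/v1
      kind: GitRepository
      name: flux-cluster
      namespace: flux-system
    - apiVersion: kustomize.toolkit.fluxcd.io/v1
      kind: Kustomization
      name: apps
      namespace: flux-system
    - apiVersion: kustomize.toolkit.fluxcd.io/v1
      kind: Kustomization
      name: core
      namespace: flux-system
    - apiVersion: kustomize.toolkit.fluxcd.io/v1
      kind: Kustomization
      name: crds
      namespace: flux-system
    - apiVersion: kustomize.toolkit.fluxcd.io/v1
      kind: Kustomization
      name: flux-cluster
      namespace: flux-system
# /cluster/core/flux-system/webhook/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - github
# /cluster/core/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespaces
  - cert-manager
  - flux-system
  - networking
  - monitoring
  - postgres
  # - velero
# /cluster/core/monitoring/cronitor-heartbeat/cron-job.yaml
---
apiVersion: batch/v1
kind: CronJob
metadata:
  namespace: monitoring
  name: cronitor-heartbeat
spec:
  # Dead-man's switch: Cronitor alerts when this ping stops arriving.
  schedule: "*/2 * * * *"
  concurrencyPolicy: "Forbid"
  activeDeadlineSeconds: 120
  successfulJobsHistoryLimit: 0
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      backoffLimit: 3
      ttlSecondsAfterFinished: 300
      template:
        spec:
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/arch: amd64
          # The job makes a single outbound HTTPS request; it needs no root,
          # no capabilities and no privilege escalation.
          # NOTE(review): runAsUser 65534 assumes alpine/curl is happy to exec
          # sh+curl as an arbitrary uid — confirm on first run.
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: cronitor-heartbeat
              image: alpine/curl:8.9.1
              # CRONITOR_URL embeds the monitor key — that is why it is a
              # Secret (secret.sops.yaml) rather than a ConfigMap.
              envFrom:
                - secretRef:
                    name: cronitor-heartbeat-url
              command:
                - "/bin/sh"
                - "/app/cronitor-heartbeat.sh"
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
              volumeMounts:
                - name: cronitor-heartbeat
                  mountPath: /app/cronitor-heartbeat.sh
                  subPath: cronitor-heartbeat.sh
                  readOnly: true
          volumes:
            - name: cronitor-heartbeat
              projected:
                # Was 0777. The script is run as `/bin/sh <file>` on a read-only
                # mount, so it only needs to be readable; a world-writable,
                # executable mode buys nothing and trips pod-security scanners.
                defaultMode: 0444
                sources:
                  - configMap:
                      name: cronitor-heartbeat
                      items:
                        - key: cronitor-heartbeat.sh
                          path: cronitor-heartbeat.sh
# /cluster/core/monitoring/cronitor-heartbeat/cronitor-heartbeat.sh
#!/usr/bin/env sh
# Sends one heartbeat to the Cronitor URL in $CRONITOR_URL.
# Every path exits 0 on purpose: a failed ping must not make the Job retry or
# page — a missing heartbeat is exactly the condition Cronitor itself alerts on.

set -o nounset
set -o errexit

# ${VAR:-}: with nounset, a bare $CRONITOR_URL would abort the script before
# this check could print its message.
if [ -z "${CRONITOR_URL:-}" ]; then
  printf "%s - Yikes - Missing CRONITOR_URL environment variable\n" "$(date -u)"
  exit 0
fi

# `|| true`: a connection failure makes curl exit non-zero, which under errexit
# would kill the script before the status code is examined (curl prints 000).
status_code=$(curl --connect-timeout 10 --max-time 30 -I -s -o /dev/null -w '%{http_code}' "$CRONITOR_URL" || true)
if [ "${status_code}" != "200" ]; then
  printf "%s - Yikes - Heartbeat request failed, http code: %s\n" "$(date -u)" "$status_code"
  exit 0
fi

printf "%s - Success - Heartbeat request received and processed successfully\n" "$(date -u)"
# /cluster/core/monitoring/cronitor-heartbeat/kustomization.yaml: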
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - cron-job.yaml 6 | - secret.sops.yaml 7 | namespace: monitoring 8 | configMapGenerator: 9 | - name: cronitor-heartbeat 10 | files: 11 | - cronitor-heartbeat.sh 12 | generatorOptions: 13 | disableNameSuffixHash: true 14 | annotations: 15 | kustomize.toolkit.fluxcd.io/substitute: disabled 16 | -------------------------------------------------------------------------------- /cluster/core/monitoring/cronitor-heartbeat/secret.sops.yaml: -------------------------------------------------------------------------------- 1 | # yamllint disable 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: cronitor-heartbeat-url 6 | namespace: monitoring 7 | stringData: 8 | CRONITOR_URL: ENC[AES256_GCM,data:7NQoHoqStgICgqwzpXnaxuCmwRik6KqKOfsnLA5hATdeS/ZUkQq6+aN6rIWDVhw4jeGUxcanoGcyU+wj9HDY,iv:D72FFWGG+IqWQFKshIKASgTRm5/gwP9B2uW/EdiZcbw=,tag:YSLRWaVp0/sAL1YfYKnjXg==,type:str] 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: [] 15 | lastmodified: "2021-09-30T23:16:15Z" 16 | mac: ENC[AES256_GCM,data:SPM6M4Ec0wjyQfkl556cK0PR99HP7Ihb4bQShN6PpjTjffaMAim/jDzFYLGDh8NQvWrGJqOq3WF5kNOrtQ26jPk8kQMksMqX+RsSeuiPjvhKuZU5RWAadH2QC4iIXvdft0D6JnPerv4MUyLY5uLILzh9hhGQ21g+or69pYL+r2k=,iv:/qcHsL/Nee+cpq88RHqixFCXvtPqZlgCQvj7wb0aY5o=,tag:XbbIk2nY6vceLfiKeoHu+A==,type:str] 17 | pgp: 18 | - created_at: "2021-09-30T23:16:15Z" 19 | enc: | 20 | -----BEGIN PGP MESSAGE----- 21 | 22 | hQIMA3t//ZLkhd3HAQ//W8563scIjdkzIv2iw2dN9FGidQNL1VR55gLxMY6DQK/D 23 | uN57AZYaQ0V9VGFXeJy4FNiguwFYT1mK+0Air2RFtpACovSyiETOZMhXD3ZSyy4J 24 | pBRdlfL+bwFyX4pFw9CXKZ+BAK7oaGmJaohOrbpn64kiJAXlbuMFFW4hT4ocwa5W 25 | X8nrcnb2ptB9Tg02Rhfw1Z4DfrxDDZxdKAfRVEoFnpji16ZQN4m4I1gMc+pQlbW0 26 | k6FhPsVg7pPAUyA5X45IXXxpTR1B4bIaujGgY9MqLn55fdb04+nNIZ8XPxFggdRZ 27 | toiiw8IYvzpVXPui+mSrASW9R0XXpvsP21sP8i0N3p1Q+XPdmsKE3gWLJpCmOkh6 
28 | hR0U3YRLAxQtPNYBuy2Lwb/VTElIISA+KYZ63XRBD8H1p27spTxM4udgVm1s7hYY 29 | VEsFEiIpudURY08C06IvvifQ8VollI+VP+D4vcOvZWASGt47MNvfWQL7mNhBYntd 30 | TlcaNrSCbldYHTCEgRvnoLYf9ew5k3U4L8IAiypKDQyYWvrbiSFa70EpzwJ6qxyH 31 | AQbay0LwvQaCWtcvPSyyfkRXH1KJTeLGFcr5o2X7cTYFn+ATm3R98Oj6bbR+EU1/ 32 | U2uh/xDpdfz+8UWDGQALmYieD5JREbSLgidc1PCa9/dVS3uruqatz9A/e2iO0evS 33 | XgH+UoSRUlylaXkeVqham0ZWGhKi78AKZmqLljeXUJpltT9v/ZubayUu432QBzK5 34 | MCy8iJiXY5OFpk8CCbBOPos9I1HINzf2fIkboBXngV/QiTSS3/m9bCdPcwXIsNo= 35 | =fP9n 36 | -----END PGP MESSAGE----- 37 | fp: "0x2141D0D63053C652" 38 | - created_at: "2021-09-30T23:16:15Z" 39 | enc: | 40 | -----BEGIN PGP MESSAGE----- 41 | 42 | hQIMAwMklZWlTgvIAQ/9HW4tnrLe2UINdE5gJhE3NSkX1RTcD74PZB/K8EorFNuE 43 | u2vois8MGt3xt78vrSr3FFc62acdtCIkezXhETtksrcofV00Lo4OpgzjHm3Genak 44 | wA6DhA1FHtoQZH8OLYG2IWuRbwjmdehbxQV8DnjhIADdonn5Hir49TE5PmuKDtu7 45 | TThdSfZ1jgvZ+A4VI/OzzkhUfCUKfFIqmbGVk1lGW8K6VP8WCZA1zaP3xu4O+csj 46 | f5bdokQyfr+hi55BUnn6ibCyX90yzjvkBFZ95lZK/KzF3/RqfHmkFzMGcBI5wfzK 47 | m3Fy++VoBFED59QKKd8VJJHqXdqewYzfvzAfL07qtLCxVuisDrrkHx+mBMQ/jk4P 48 | T1mYDFJcuqPEPZcnc1lnYLfjnKlM/fYdy/NSJw7JXBXVbX8dQ6CWJitnodNcLDzi 49 | VJCQBNTSLLyWxhQyPtix8tCqur9V0Umz1501a3NHll7H9LsyTFt7tvw6Foebs01n 50 | HSzhu8/IxDS4ed5c88Tkd/YnzusnneagujH0z2gHfJxeNwwk2iTEBQJjzmtD4zax 51 | TIO/j5K7bdn0V3SkFF/6mWM727TDt5CcihdX6MygqkU27QQ1Vdlm7PsThb83QJmk 52 | kqoC0pVVqfXpJ4CkrlYo6yHIDDO6UFV+xic9IPQBEp1gWqfRTKQSwRZmFoH5Td7S 53 | XgFBQkZ7j1bSCNSasGSXw/R3mnMm5HyLoPUJxR46pHg1/nKY0h9YhgRBmobmU8yn 54 | L8OoBlAxM0fWFR/+nZtdVZ9zEfes9QC2CNAFs1ZbZ4XfJZ3olSOVMLviroZ/C04= 55 | =U6Ze 56 | -----END PGP MESSAGE----- 57 | fp: "0x03249595A54E0BC8" 58 | encrypted_regex: ^(data|stringData)$ 59 | version: 3.7.1 60 | -------------------------------------------------------------------------------- /cluster/core/monitoring/influxdb/certificate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: Certificate 4 | metadata: 5 | 
name: "influxdb-${SECRET_DOMAIN/./-}" 6 | spec: 7 | secretName: "influxdb-${SECRET_DOMAIN/./-}-tls" 8 | issuerRef: 9 | name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER} 10 | kind: ClusterIssuer 11 | commonName: "influxdb.${SECRET_DOMAIN}" 12 | dnsNames: 13 | - "influxdb.${SECRET_DOMAIN}" 14 | -------------------------------------------------------------------------------- /cluster/core/monitoring/influxdb/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: influxdb 6 | namespace: monitoring 7 | spec: 8 | chart: 9 | spec: 10 | chart: influxdb2 11 | interval: 5m 12 | sourceRef: 13 | kind: HelmRepository 14 | name: influxdata-charts 15 | namespace: flux-system 16 | version: 2.1.2 17 | install: 18 | remediation: 19 | retries: 3 20 | interval: 5m 21 | upgrade: 22 | remediation: 23 | retries: 3 24 | values: 25 | image: 26 | repository: influxdb 27 | tag: 2.7.11-alpine 28 | resources: 29 | limits: 30 | cpu: 8000m 31 | memory: 4096Mi 32 | requests: 33 | cpu: 250m 34 | memory: 512Mi 35 | adminUser: 36 | organization: "home" 37 | persistence: 38 | size: 20Gi 39 | nodeSelector: 40 | node_locality: "internal" 41 | kubernetes.io/arch: "amd64" 42 | -------------------------------------------------------------------------------- /cluster/core/monitoring/influxdb/ingress-route.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.io/v1alpha1 3 | kind: IngressRoute 4 | metadata: 5 | name: influxdb 6 | spec: 7 | entryPoints: 8 | - websecure 9 | routes: 10 | - match: Host(`influxdb.${SECRET_DOMAIN}`) 11 | kind: Rule 12 | services: 13 | - name: influxdb-influxdb2 14 | namespace: monitoring 15 | port: 80 16 | scheme: http 17 | tls: 18 | secretName: "influxdb-${SECRET_DOMAIN/./-}-tls" 19 | -------------------------------------------------------------------------------- 
# ===== /cluster/core/monitoring/influxdb/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# No `namespace:` here; the parent monitoring/kustomization.yaml sets `monitoring`.
resources:
  - helm-release.yaml
  - ingress-route.yaml
  - certificate.yaml

# ===== /cluster/core/monitoring/jaeger/helm-release.yaml =====
---
# NOTE(review): this file lives under jaeger/ but declares a Grafana release (name,
# chart and repo all say grafana, values are empty). It looks like a copied
# placeholder; it is only harmless because `jaeger` is commented out in the parent
# kustomization — re-enabling that entry would deploy a second Grafana, not Jaeger.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: grafana
  namespace: monitoring
spec:
  chart:
    spec:
      chart: grafana
      version: 8.6.4
      interval: 5m
      sourceRef:
        kind: HelmRepository
        name: grafana-charts
        namespace: flux-system
  dependsOn:
    - name: kube-prometheus-stack
      namespace: monitoring
  interval: 5m
  values:

# ===== /cluster/core/monitoring/jaeger/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml

# ===== /cluster/core/monitoring/kube-prometheus-stack/certificate.yaml =====
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "prometheus-${SECRET_DOMAIN/./-}"
  namespace: monitoring
spec:
  secretName: "prometheus-${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "prometheus.${SECRET_DOMAIN}"
  dnsNames:
    - "prometheus.${SECRET_DOMAIN}"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "alertmanager-${SECRET_DOMAIN/./-}"
  namespace: monitoring
spec:
  secretName: "alertmanager-${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "alertmanager.${SECRET_DOMAIN}"
  dnsNames:
    - "alertmanager.${SECRET_DOMAIN}"

# ===== /cluster/core/monitoring/kube-prometheus-stack/ingress-route.yaml =====
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: prometheus
  namespace: monitoring
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`prometheus.${SECRET_DOMAIN}`)
      kind: Rule
      services:
        - name: prometheus-prometheus
          namespace: monitoring
          port: 9090
          scheme: http
      # Prometheus has no auth of its own; the forward-auth middleware is what gates
      # the query UI/API here, so keep it on every route that fronts this service.
      middlewares:
        - name: traefik-forward-auth
          namespace: networking
  tls:
    secretName: "prometheus-${SECRET_DOMAIN/./-}-tls"
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: alertmanager
  namespace: monitoring
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`alertmanager.${SECRET_DOMAIN}`)
      kind: Rule
      services:
        - name: prometheus-alertmanager
          namespace: monitoring
          port: 9093
          scheme: http
      # Same reasoning as above: Alertmanager's API can silence alerts, so it must
      # stay behind forward-auth.
      middlewares:
        - name: traefik-forward-auth
          namespace: networking
  tls:
    secretName: "alertmanager-${SECRET_DOMAIN/./-}-tls"

# ===== /cluster/core/monitoring/kube-prometheus-stack/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
resources:
  - helm-release.yaml
  - ingress-route.yaml
  - certificate.yaml

# ===== /cluster/core/monitoring/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Applies to every child resource, overriding any namespace they set themselves.
namespace: monitoring
resources:
  - kube-prometheus-stack
  #- jaeger
  - loki
  - influxdb
  - cronitor-heartbeat
  # TODO: Revisit Node Problem Detector once all their CRITICAL Vulnerabilities are fixed
  # - node-problem-detector
  # - vector
  - promtail
  # NOTE(review): snmp-exporter/ and vector/ exist in this tree but are not listed
  # here, so their manifests are not reconciled; either wire them in or archive them
  # so stale manifests are not mistaken for live config.

# ===== /cluster/core/monitoring/loki/.archive/ingress-route.yaml =====
# Archived: not referenced by loki/kustomization.yaml, so Loki currently has no
# external route. If it is revived, keep the forward-auth middleware — Loki runs with
# auth_enabled: false and has no login of its own.
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: loki
  namespace: monitoring
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`loki.${SECRET_DOMAIN}`)
      kind: Rule
      services:
        - name: loki
          namespace: monitoring
          port: 3100
          scheme: http
      middlewares:
        - name: traefik-forward-auth
          namespace: networking
  tls:
    secretName: "loki-${SECRET_DOMAIN/./-}-tls"

# ===== /cluster/core/monitoring/loki/certificate.yaml =====
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "loki-${SECRET_DOMAIN/./-}"
spec:
  # NOTE(review): this cert is still reconciled although the Loki IngressRoute that
  # used it is archived, so it is renewed (and the hostname published to CT logs)
  # for nothing. Consider dropping it from loki/kustomization.yaml until needed.
  secretName: "loki-${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "loki.${SECRET_DOMAIN}"
  dnsNames:
    - "loki.${SECRET_DOMAIN}"
# ===== /cluster/core/monitoring/loki/config-map.yaml =====
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: loki-alerting-rules
  namespace: monitoring
  # NOTE(review): the Loki rules sidecar selects ConfigMaps by label, and this one
  # carries none — confirm it is actually picked up (the chart's default selector
  # label is `loki_rule`, check the chart version in use).
data:
  loki-alerting-rules.yaml: |-
    groups:
      #
      # home-assistant
      #
      - name: home-assistant
        rules:
          - alert: HomeAssistantUnableToReachPostgresql
            # The {app="..."} stream label is derived from pod labels at ingestion
            # time, so any workload carrying that label can contribute to this match.
            expr: |
              sum by (app) (count_over_time({app="home-assistant"} |~ "(?i)error in database connectivity"[2m])) > 0
            for: 2m
            labels:
              severity: critical
              category: logs
            annotations:
              summary: "Home Assistant is unable to connect to postgresql"

# ===== /cluster/core/monitoring/loki/dashboard/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
# NOTE(review): every dashboard is fetched from the `master` branch of a third-party
# repo at build time, so the rendered ConfigMaps change whenever upstream does and a
# compromised or force-pushed branch lands straight in Grafana. Pin each URL to a
# commit SHA (or vendor the JSON files) so the content is reproducible and reviewable.
configMapGenerator:
  - name: loki-chunks-dashboard
    files:
      - loki-chunks-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/loki/dashboards/loki-chunks.json
  - name: loki-deletion-dashboard
    files:
      - loki-deletion-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/loki/dashboards/loki-deletion.json
  - name: loki-logs-dashboard
    files:
      - loki-logs-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/loki/dashboards/loki-logs.json
  - name: loki-mixin-recording-rules-dashboard
    files:
      - loki-mixin-recording-rules-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/loki/dashboards/loki-mixin-recording-rules.json
  - name: loki-operational-dashboard
    files:
      - loki-operational-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/loki/dashboards/loki-operational.json
  - name: loki-reads-resources-dashboard
    files:
      - loki-reads-resources-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/loki/dashboards/loki-reads-resources.json
  - name: loki-reads-dashboard
    files:
      - loki-reads-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/loki/dashboards/loki-reads.json
  - name: loki-retention-dashboard
    files:
      - loki-retention-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/loki/dashboards/loki-retention.json
  - name: loki-writes-resources-dashboard
    files:
      - loki-writes-resources-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/loki/dashboards/loki-writes-resources.json
  - name: loki-writes-dashboard
    files:
      - loki-writes-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/loki/dashboards/loki-writes.json
generatorOptions:
  disableNameSuffixHash: true
  annotations:
    # Dashboard JSON contains `${...}` templating that must not be touched by Flux
    # variable substitution.
    kustomize.toolkit.fluxcd.io/substitute: disabled
  labels:
    grafana_dashboard: "1"
    grafana_folder: Loki

# ===== /cluster/core/monitoring/loki/helm-release.yaml =====
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: loki
spec:
  interval: 30m
  timeout: 15m
  chart:
    spec:
      chart: loki
      version: 6.23.0
      sourceRef:
        kind: HelmRepository
        name: grafana-charts
        namespace: flux-system
  install:
    crds: Skip
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    crds: Skip
    remediation:
      strategy: rollback
      retries: 3
  values:
    deploymentMode: SingleBinary
    loki:
      # Single-tenant: port 3100 accepts pushes and queries from any workload that
      # can reach the Service (promtail pushes over plain HTTP). With no ingress this
      # is in-cluster only; a NetworkPolicy limiting ingress to promtail/grafana is
      # the cheap way to stop arbitrary pods writing or reading logs.
      auth_enabled: false
      analytics:
        reporting_enabled: false
      server:
        log_level: info
        grpc_server_max_concurrent_streams: 250
        # NOTE(review): ~10 GB per gRPC message with no resource limits on this
        # release — a single oversized push can drive the pod into memory exhaustion.
        # The defaults are in the tens of MB; size these to real batch sizes.
        grpc_server_max_recv_msg_size: 10485760000
        grpc_server_max_send_msg_size: 10485760000
      commonConfig:
        replication_factor: 1
      compactor:
        working_directory: /var/loki/compactor/retention
        delete_request_store: filesystem
        retention_enabled: true
      ingester:
        chunk_encoding: snappy
      storage:
        type: filesystem
      schemaConfig:
        configs:
          - from: "2024-12-08" # quote
            store: tsdb
            object_store: filesystem
            schema: v13
            index:
              prefix: loki_index_
              period: 24h
      limits_config:
        # Data is kept 30d but queries are capped at 168h (7d) of lookback, so the
        # last 23 days of retained logs are not queryable — presumably unintended.
        retention_period: 30d
        ingestion_rate_mb: 50
        ingestion_burst_size_mb: 1000
        max_query_lookback: 168h
        max_query_series: 5000
        max_query_parallelism: 5000
        max_streams_matchers_per_query: 10000
        max_entries_limit_per_query: 2500000
        max_cache_freshness_per_query: 10m
        # Burst is lower than the sustained rate, which is the reverse of how Loki
        # documents these two knobs — confirm the intended values.
        per_stream_rate_limit: 250MB
        per_stream_rate_limit_burst: 80MB
        split_queries_by_interval: 15m
    singleBinary:
      replicas: 1
      persistence:
        enabled: true
        size: 50Gi
    gateway:
      replicas: 0
    backend:
      replicas: 0
    read:
      replicas: 0
    write:
      replicas: 0
    chunksCache:
      enabled: false
    resultsCache:
      enabled: false
    lokiCanary:
      enabled: false
    test:
      enabled: false
    sidecar:
      image:
        repository: ghcr.io/kiwigrid/k8s-sidecar
      rules:
        # NOTE(review): ALL means a ConfigMap in any namespace can load rules into
        # the ruler (and thus fire alerts). Scoping this to `monitoring` keeps rule
        # authoring limited to whoever can write there.
        searchNamespace: ALL

# ===== /cluster/core/monitoring/loki/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - dashboard
  - helm-release.yaml
  - prometheus-rule.yaml
  - certificate.yaml
  - config-map.yaml

# ===== /cluster/core/monitoring/node-problem-detector/helm-release.yaml =====
# Currently disabled in monitoring/kustomization.yaml pending upstream CVE fixes.
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: node-problem-detector
  namespace: monitoring
spec:
  interval: 5m
  chart:
    spec:
      chart: node-problem-detector
      version: 2.3.14
      sourceRef:
        kind: HelmRepository
        name: deliveryhero-charts
        namespace: flux-system
      interval: 5m
  install:
    createNamespace: true
  values:
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
    # TODO Remove this once node-problem-detector releases a cross-architecture Docker image.
    # Keep an eye on https://github.com/kubernetes/node-problem-detector/pull/644
    # assignees: @kitos9112
    nodeSelector:
      kubernetes.io/arch: amd64

# ===== /cluster/core/monitoring/node-problem-detector/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml

# ===== /cluster/core/monitoring/promtail/helm-release.yaml =====
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: promtail
spec:
  interval: 30m
  chart:
    spec:
      chart: promtail
      version: 6.16.6
      sourceRef:
        kind: HelmRepository
        name: grafana-charts
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    fullnameOverride: promtail
    config:
      clients:
        # Plain HTTP, no credentials — consistent with Loki's auth_enabled: false.
        # Anything that can reach this Service can push the same way, so the
        # trust boundary is the cluster network, not this client config.
        - url: http://loki-headless.monitoring.svc.cluster.local:3100/loki/api/v1/push
    serviceMonitor:
      enabled: true

# ===== /cluster/core/monitoring/promtail/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml

# ===== /cluster/core/monitoring/snmp-exporter/kustomization.yaml =====
# (not referenced by monitoring/kustomization.yaml, so not reconciled at present)
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - prometheus-rule.yaml
  - config-map.yaml
  - snmp-exporter.yaml

# ===== /cluster/core/monitoring/snmp-exporter/prometheus-rule.yaml =====
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  labels:
    prometheus: k8s
    role: alert-rules
  name: snmp-exporter-rules
  namespace: monitoring
spec:
  groups:
    - name: snmp-exporter.rules
      rules:
        - alert: SnmpExporterDown
          annotations:
            message: SNMP Exporter has disappeared from Prometheus target discovery.
          expr: absent(up{job="snmp-exporter", namespace="monitoring"} == 1)
          for: 15m
          labels:
            severity: critical
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  labels:
    prometheus: k8s
    role: alert-rules
  name: ups-rules
  namespace: monitoring
spec:
  groups:
    - name: ups.rules
      rules:
        - alert: UPS15MinutesRemaining
          annotations:
            description: ZPM almost depleted
            summary:
              ZPM {{$labels.instance}} has less than 15 minutes of battery left,
              systems are starting to power down. Bye
          # TimeTicks (1/100 s) -> seconds -> minutes.
          expr: upsAdvBatteryRunTimeRemaining/60/100 <= 15
          for: 10s
          labels:
            severity: critical
        - alert: UPSOnBattery
          annotations:
            description: ZPM is running on its battery
            summary: ZPM {{$labels.instance}} is running on batteries
          expr: upsBasicBatteryTimeOnBattery > 0
          for: 1m
          labels:
            severity: critical
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  labels:
    prometheus: k8s
    role: alert-rules
  name: nas-rules
  namespace: monitoring
spec:
  groups:
    - name: rocinante-disk.rules
      rules:
        - alert: DiskDegraded
          annotations:
            description: Disk Degraded
            summary: Disk {{$labels.diskIndex}} is in a degraded state
          expr: diskSmartInfo != 0
          for: 5m
          labels:
            severity: critical

# ===== /cluster/core/monitoring/vector/agent/helm-release.yaml =====
# Disabled (vector is commented out in monitoring/kustomization.yaml); review notes
# below apply if it is re-enabled.
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: vector-agent
  namespace: monitoring
spec:
  interval: 5m
  chart:
    spec:
      chart: vector
      version: 0.38.1
      sourceRef:
        kind: HelmRepository
        name: vector-charts
        namespace: flux-system
      interval: 5m
  install:
    createNamespace: true
  dependsOn:
    - name: vector-aggregator
      namespace: monitoring
  values:
    image:
      repository: timberio/vector
      tag: 0.43.1-alpine
    role: Agent
    customConfig:
      data_dir: /vector-data-dir
      api:
        enabled: false
        address: "[::]:8686"
        playground: false
      # Sources
      sources:
        journal_logs:
          type: journald
          journal_directory: /var/log/journal
        kubernetes_logs:
          type: kubernetes_logs
          glob_minimum_cooldown_ms: 5000
          auto_partial_merge: true
        host_metrics:
          filesystem:
            devices:
              excludes: [binfmt_misc]
            filesystems:
              excludes: [binfmt_misc]
            mountPoints:
              excludes: ["*/proc/sys/fs/binfmt_misc"]
          type: host_metrics
        internal_metrics:
          type: internal_metrics
      # Sinks
      sinks:
        loki_kubernetes_sink:
          type: vector
          inputs:
            - kubernetes_logs
          # Plain (non-TLS) vector protocol to the aggregator inside the cluster.
          address: vector-aggregator:6010
          version: "2"
        loki_journal_sink:
          type: vector
          inputs:
            - journal_logs
          address: vector-aggregator:6000
          version: "2"
        prom_exporter:
          type: prometheus_exporter
          inputs:
            - host_metrics
            - internal_metrics
          address: "[::]:9090"
    resources:
      requests:
        memory: "64Mi"
        cpu: "50m"
      limits:
        memory: "1024Mi"
        cpu: "6000m"
    service:
      enabled: false
    podMonitor:
      enabled: true
      jobLabel: vector-agent
      port: prometheus-sink
    # NOTE(review): privileged: true gives this DaemonSet full host access on every
    # node (it tolerates all taints). Reading journald, container logs and host
    # metrics is normally satisfied by the chart's hostPath mounts for the Agent
    # role plus, at most, a specific capability — confirm what actually needs
    # privileged here and drop it otherwise; it is the largest blast radius in this
    # namespace.
    securityContext:
      privileged: true
    tolerations:
      - effect: NoSchedule
        operator: Exists
      - effect: NoExecute
        operator: Exists

# ===== /cluster/core/monitoring/vector/agent/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml

# ===== /cluster/core/monitoring/vector/aggregator/helm-release.yaml =====
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: vector-aggregator
  namespace: monitoring
spec:
  interval: 5m
  chart:
    spec:
      chart: vector
      version: 0.38.1
      sourceRef:
        kind: HelmRepository
        name: vector-charts
        namespace: flux-system
      interval: 5m
  install:
    createNamespace: true
  dependsOn:
    - name: loki
      namespace: monitoring
  values:
    role: Stateless-Aggregator
    replicas: 1
    resources:
      requests:
        memory: "64Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "4000m"
    image:
      repository: timberio/vector
      tag: 0.43.1-alpine
    customConfig:
      data_dir: /vector-data-dir
      api:
        enabled: false
      #
      # Sources
      #
      sources:
        vector_logs:
          type: internal_logs
        vector_metrics:
          type: internal_metrics
        # NOTE(review): both listeners bind 0.0.0.0 with no TLS or client auth, so
        # any pod that can reach this Service can inject arbitrary "kubernetes" or
        # "journal" events into Loki (and into the alert rules keyed on them). A
        # NetworkPolicy admitting only the vector-agent pods, or the source's `tls`
        # options with client certs, closes that off.
        kubernetes_logs:
          type: vector
          address: 0.0.0.0:6010
          version: "2"
        journal_logs:
          type: vector
          address: 0.0.0.0:6000
          version: "2"
      #
      # Transformations
      #
      transforms:
        kubernetes_logs_remap:
          type: remap
          inputs:
            - kubernetes_logs
          source: |-
            # Delete file label from log event
            del(.file)
            # Standardize 'app' index
            .app = .kubernetes.pod_labels."app.kubernetes.io/name" || .kubernetes.pod_labels.app || .kubernetes.pod_labels."k8s-app" || .kubernetes.pod_name
      # The `.app` value above comes from pod labels, i.e. whoever creates the pod
      # chooses the stream it lands in; the pod_name fallback also yields one stream
      # per pod, which is the classic Loki cardinality trap.
      #
      # Sinks
      #
      sinks:
        loki_journal:
          type: loki
          inputs:
            - journal_logs
          # NOTE(review): loki-write is the scalable-mode write Service; this Loki
          # release runs SingleBinary with write.replicas: 0, so this Service likely
          # has no endpoints (promtail targets loki-headless instead) — verify before
          # re-enabling vector.
          endpoint: http://loki-write:3100
          encoding:
            codec: json
          batch:
            max_bytes: 2049000
          out_of_order_action: accept
          remove_label_fields: true
          remove_timestamp: true
          labels:
            hostname: >-
              {{`{{ host }}`}}
        loki_kubernetes:
          type: loki
          inputs:
            - kubernetes_logs_remap
          endpoint: http://loki-write:3100
          encoding:
            codec: json
          batch:
            max_bytes: 2049000
          out_of_order_action: rewrite_timestamp
          remove_label_fields: true
          remove_timestamp: true
          labels:
            app: >-
              {{`{{ .app }}`}}
            container_name: >-
              {{`{{ kubernetes.container_name }}`}}
            namespace: >-
              {{`{{ kubernetes.pod_namespace }}`}}
            node: >-
              {{`{{ kubernetes.pod_node_name }}`}}
    podMonitor:
      enabled: true
      jobLabel: vector-aggregator
      port: prometheus-sink

# ===== /cluster/core/monitoring/vector/aggregator/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml

# ===== /cluster/core/monitoring/vector/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - agent
  - aggregator

# ===== /cluster/core/namespaces/cert-manager.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    managed-by: flux
    goldilocks.fairwinds.com/enabled: "true"

# ===== /cluster/core/namespaces/falco-system.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: falco-system
  labels:
    managed-by: flux
    goldilocks.fairwinds.com/enabled: "true"

# ===== /cluster/core/namespaces/flux-system.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: flux-system
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux
# ===== /cluster/core/namespaces/home.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: home
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/hummingbot-dev.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: hummingbot-dev
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/hummingbot.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: hummingbot
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/kasten-io.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: kasten-io
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/kube-system.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  # Adopting kube-system under Flux only adds labels; the namespace itself cannot
  # be pruned, but bear in mind that a Flux prune of this Kustomization would try.
  name: kube-system
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# NOTE(review): none of these Namespace manifests set pod-security.kubernetes.io/*
# labels, so Pod Security Admission is not enforcing anything per namespace. Since
# privileged workloads appear in this tree (e.g. the vector agent), a `warn`/`audit`
# baseline on every namespace and `enforce: restricted` on the app namespaces would
# make such exceptions explicit rather than silent.
resources:
  - tools.yaml
  - cert-manager.yaml
  - falco-system.yaml
  - flux-system.yaml
  - home.yaml
  - kasten-io.yaml
  - kube-system.yaml
  - hummingbot.yaml
  - hummingbot-dev.yaml
  - media.yaml
  - monitoring.yaml
  - networking.yaml
  - node-feature-discovery.yaml
  - system-upgrade.yaml
  - portainer.yaml
  - postgres.yaml
  - trivy-system.yaml
  - velero.yaml

# ===== /cluster/core/namespaces/media.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: media
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/monitoring.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/networking.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: networking
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/node-feature-discovery.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: node-feature-discovery
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/portainer.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: portainer
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/postgres.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: postgres
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/system-upgrade.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: system-upgrade
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux
    # Flux will never garbage-collect this namespace even if it is removed from
    # the Kustomization — deliberate for the upgrade controller's state.
    kustomize.toolkit.fluxcd.io/prune: disabled

# ===== /cluster/core/namespaces/tools.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: tools
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/trivy-system.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: trivy-system
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/namespaces/velero.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: velero
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    managed-by: flux

# ===== /cluster/core/networking/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Rewrites the namespace of every child resource to `networking`, including any
# that declare a different one themselves.
namespace: networking
resources:
  - metallb
  - traefik-internal
  - traefik-forward-auth
  - wildcard-certificate

# ===== /cluster/core/networking/metallb/helm-release.yaml =====
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: metallb
  namespace: networking
spec:
  interval: 5m
  chart:
    spec:
      chart: metallb
      version: 0.14.9
      sourceRef:
        kind: HelmRepository
        name: metallb-charts
        namespace: flux-system
      interval: 5m
  timeout: 10m
  values:
    prometheus:
      serviceAccount: prometheus-prometheus
      namespace: monitoring
      podMonitor:
        enabled: true
        additionalLabels:
          app: metallb
      prometheusRule:
        enabled: true
        bgpSessionDown:
          enabled: false
    controller:
      priorityClassName: "system-node-critical"
      resources:
        limits:
          cpu: 250m
          memory: 250Mi
      nodeSelector:
        node_locality: internal
    speaker:
      priorityClassName: "system-node-critical"
      resources:
        limits:
          cpu: 250m
          memory: 250Mi
      # Speakers (and therefore L2 announcements) are confined to internal nodes.
      nodeSelector:
        node_locality: internal
# ===== /cluster/core/networking/metallb/ip-address-pool.yaml =====
# Default L2 Configuration protocol using https://metallb.universe.tf/configuration/#layer-2-configuration
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: ipaddresspools
  namespace: networking
spec:
  addresses:
    - 10.10.10.210-10.10.10.220
  # Services must opt in to this pool explicitly; nothing gets a LAN IP by default.
  autoAssign: false
  avoidBuggyIPs: true
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: l2-advertisement
  # NOTE(review): `metallb-system` does not match the pool above or the namespace
  # the chart is released into (networking). It only works because the parent
  # networking/kustomization.yaml rewrites every resource to `networking` at build
  # time; the literal value here is misleading and would break if that override
  # were ever removed — set it to `networking` to match.
  namespace: metallb-system
spec:
  ipAddressPools:
    - ipaddresspools

# ===== /cluster/core/networking/metallb/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml
  - ip-address-pool.yaml

# ===== /cluster/core/networking/traefik-forward-auth/certificate.yaml =====
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "auth-${SECRET_DOMAIN/./-}"
  namespace: networking
spec:
  secretName: "auth-${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "auth.${SECRET_DOMAIN}"
  dnsNames:
    - "auth.${SECRET_DOMAIN}"

# ===== /cluster/core/networking/traefik-forward-auth/helm-release.yaml =====
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: traefik-forward-auth
  namespace: networking
spec:
  interval: 5m
  chart:
    spec:
      chart: traefik-forward-auth
      version: 2.2.2
      sourceRef:
        kind: HelmRepository
        # k8s-at-home charts are archived upstream, so this chart receives no
        # updates; the pinned version will keep working but plan a migration.
        name: k8s-at-home-charts
        namespace: flux-system
      interval: 1m
  dependsOn:
    - name: traefik-internal
  values:
    controller:
      replicas: 1
      strategy: RollingUpdate
      rollingUpdate:
        unavailable: 1
        surge: 1
    image:
      repository: ghcr.io/kitos9112/traefik-forward-auth
      tag: v2.6.6
      pullPolicy: IfNotPresent
    middleware:
      enabled: true
      nameOverride: traefik-forward-auth
    # This proxy is the single auth gate for every IngressRoute that references the
    # middleware (prometheus, alertmanager, the traefik dashboard, ...), so its
    # configuration deserves the same scrutiny as a login server.
    env:
      # NOTE(review): trace-level logging on an auth proxy typically emits request
      # headers, which includes the session cookie and OAuth callback parameters;
      # those lines are shipped to Loki by promtail, where auth_enabled is off.
      # Run at `info` (or `warn`) outside of active debugging.
      LOG_LEVEL: trace
      LOG_FORMAT: pretty
      LOGOUT_REDIRECT: "https://www.google.co.uk"
      # Allowed Google account e-mails; this is the authorization list, the OIDC
      # login alone is not sufficient.
      WHITELIST: ${SECRET_TRAEFIK_AUTH_WHITELIST}
      # Session lifetime in seconds (~7.8 h).
      LIFETIME: "28000"
      URL_PATH: "/_oauth"
      AUTH_HOST: "auth.${SECRET_DOMAIN}"
      # Cookie is scoped to the apex domain, so every host under it receives it —
      # expected for auth-host mode, but it means any subdomain service you expose
      # also sees the session cookie.
      COOKIE_DOMAIN: "${SECRET_DOMAIN}"
      PROVIDERS_GOOGLE_CLIENT_ID: "${SECRET_TRAEFIK_AUTH_GOOGLE_CLIENT_ID}"
      # NOTE(review): the client secret is substituted into the HelmRelease values
      # and lands as a plain env var on the Deployment, i.e. readable by anyone with
      # `get` on HelmReleases/Pods in this namespace. Sourcing it from a Secret via
      # the chart's secret/envFrom support (if available) keeps it out of the
      # rendered manifests. The cookie-signing SECRET is not set here either;
      # confirm the chart generates a stable one rather than one per upgrade.
      PROVIDERS_GOOGLE_CLIENT_SECRET: "${SECRET_TRAEFIK_AUTH_GOOGLE_CLIENT_SECRET}"
    resources:
      requests:
        cpu: "25m"
        memory: "25Mi"
      limits:
        cpu: "300m"
        memory: "150Mi"
    nodeSelector:
      node_locality: internal

# ===== /cluster/core/networking/traefik-forward-auth/ingress-route.yaml =====
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-forward-auth
  namespace: networking
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`auth.${SECRET_DOMAIN}`)
      kind: Rule
      services:
        - name: traefik-forward-auth
          port: 4181
      # The auth host routes through its own middleware so the OAuth callback is
      # handled by the proxy itself.
      middlewares:
        - name: traefik-forward-auth
          namespace: networking
  tls:
    secretName: "auth-${SECRET_DOMAIN/./-}-tls"

# ===== /cluster/core/networking/traefik-forward-auth/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml
  - certificate.yaml
  - ingress-route.yaml

# ===== /cluster/core/networking/traefik-internal/dashboard/ingress-route.yaml =====
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-v2
  namespace: networking
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.${SECRET_DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      # The API exposes the full routing/middleware configuration, so it is
      # double-gated: private source ranges AND SSO. The `rfc1918` middleware is
      # not defined in this excerpt — keep it in sync with the actual LAN ranges.
      middlewares:
        - name: rfc1918
          namespace: networking
        - name: traefik-forward-auth
          namespace: networking
  tls:
    secretName: "${SECRET_DOMAIN/./-}-tls"

# ===== /cluster/core/networking/traefik-internal/dashboard/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ingress-route.yaml

# ===== /cluster/core/networking/traefik-internal/healthcheck/ingress-route.yaml =====
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-healthcheck
  namespace: networking
spec:
  entryPoints:
    -
# (file continues beyond this excerpt)
traefik 10 | routes: 11 | - match: Host(`traefik.${SECRET_DOMAIN}`) && Path(`/healthz`) 12 | kind: Rule 13 | priority: 10 14 | services: 15 | - name: ping@internal 16 | kind: TraefikService 17 | tls: 18 | secretName: "${SECRET_DOMAIN/./-}-tls" 19 | -------------------------------------------------------------------------------- /cluster/core/networking/traefik-internal/healthcheck/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ingress-route.yaml 6 | -------------------------------------------------------------------------------- /cluster/core/networking/traefik-internal/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: traefik-internal 6 | namespace: networking 7 | spec: 8 | chart: 9 | spec: 10 | chart: traefik 11 | version: 33.2.1 12 | interval: 5m 13 | sourceRef: 14 | kind: HelmRepository 15 | name: traefik-charts 16 | namespace: flux-system 17 | interval: 5m 18 | dependsOn: 19 | - name: metallb 20 | namespace: networking 21 | install: 22 | crds: Skip 23 | remediation: 24 | retries: 3 25 | upgrade: 26 | crds: Skip 27 | force: true 28 | cleanupOnFail: true 29 | remediation: 30 | strategy: rollback 31 | retries: 3 32 | values: 33 | additionalArguments: 34 | - "--providers.kubernetesingress.ingressendpoint.hostname=${SECRET_DOMAIN}" 35 | deployment: 36 | enabled: true 37 | replicas: 1 38 | globalArguments: 39 | - "--serverstransport.insecureskipverify=true" 40 | - "--providers.kubernetesingress.ingressclass=traefik" 41 | metrics: 42 | prometheus: 43 | entryPoint: metrics 44 | ingressClass: 45 | enabled: true 46 | isDefaultClass: true 47 | ingressRoute: 48 | dashboard: 49 | enabled: false 50 | service: 51 | spec: 52 | externalTrafficPolicy: Cluster 53 | loadBalancerIP: 
"${SECRET_SVC_TRAEFIK_ADDRESS}" 54 | logs: 55 | access: 56 | enabled: true 57 | fields: 58 | headers: 59 | names: 60 | X-Forwarded-User: keep 61 | ports: 62 | traefik: 63 | port: 9000 64 | metrics: 65 | port: 8082 66 | web: 67 | redirectTo: 68 | port: websecure 69 | websecure: 70 | http3: 71 | enabled: true 72 | tls: 73 | enabled: true 74 | options: default 75 | resources: 76 | limits: 77 | cpu: 4000m 78 | memory: 256Mi 79 | requests: 80 | cpu: 100m 81 | memory: 50Mi 82 | podDisruptionBudget: 83 | enabled: true 84 | maxUnavailable: 1 85 | minAvailable: 0 86 | providers: 87 | kubernetesCRD: 88 | enabled: true 89 | allowCrossNamespace: true 90 | tlsOptions: 91 | default: 92 | cipherSuites: 93 | - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 94 | - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 95 | - TLS_AES_256_GCM_SHA384 96 | - TLS_CHACHA20_POLY1305_SHA256 97 | curvePreferences: 98 | - CurveP521 99 | - CurveP384 100 | minVersion: VersionTLS12 101 | maxVersion: VersionTLS13 102 | sniStrict: false 103 | -------------------------------------------------------------------------------- /cluster/core/networking/traefik-internal/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - helm-release.yaml 6 | - service-monitor.yaml 7 | - tls-store 8 | - healthcheck 9 | - dashboard 10 | - middlewares 11 | -------------------------------------------------------------------------------- /cluster/core/networking/traefik-internal/middlewares/basic-auth.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.io/v1alpha1 3 | kind: Middleware 4 | metadata: 5 | name: basic-auth 6 | namespace: networking 7 | spec: 8 | basicAuth: 9 | secret: basic-auth 10 | -------------------------------------------------------------------------------- 
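/cluster/core/networking/traefik-internal/middlewares/forward-auth.yaml:
--------------------------------------------------------------------------------
---
# Delegates the auth decision for a route to the traefik-forward-auth Service
# (deployed by traefik-forward-auth/helm-release.yaml). Only the headers listed
# under authResponseHeaders are copied from the auth response onto the request
# that is forwarded upstream.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-forward-auth
  namespace: networking
spec:
  forwardAuth:
    # Plain HTTP to the in-cluster Service on port 4181: the auth verdict and
    # the X-Forwarded-User value cross the pod network unencrypted, so this
    # relies on cluster-network isolation rather than on TLS.
    address: http://traefik-forward-auth:4181
    authResponseHeaders:
      # Upstream apps should treat this header as authoritative only on routes
      # that actually attach this middleware.
      - X-Forwarded-User
--------------------------------------------------------------------------------
/cluster/core/networking/traefik-internal/middlewares/ip-whitelist/cloudflare.yaml:
--------------------------------------------------------------------------------
---
# Source-IP allow-list of Cloudflare edge ranges. A match only shows that the
# request arrived through a Cloudflare edge; it does not authenticate the
# original client, and the list goes stale as Cloudflare changes its ranges.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: cloudflare-ips
  namespace: networking
spec:
  # NOTE(review): Traefik v3 (chart 33.x, see traefik-internal/helm-release.yaml)
  # documents ipWhiteList as deprecated in favour of ipAllowList; it is left
  # as-is here so behaviour does not change -- confirm before a Traefik upgrade.
  ipWhiteList:
    # Without an ipStrategy Traefik matches the TCP peer address. The traefik
    # Service is configured with externalTrafficPolicy: Cluster, so that peer
    # may be a node IP after kube-proxy SNAT rather than the real client;
    # verify what Traefik observes before relying on this list for access
    # control.
    sourceRange:
      - 173.245.48.0/20
      - 103.21.244.0/22
      - 103.22.200.0/22
      - 103.31.4.0/22
      - 141.101.64.0/18
      - 108.162.192.0/18
      - 190.93.240.0/20
      - 188.114.96.0/20
      - 197.234.240.0/22
      - 198.41.128.0/17
      - 162.158.0.0/15
      - 104.16.0.0/13
      - 104.24.0.0/14
      - 172.64.0.0/13 # fixed: was "172.64.0.0/13dd", which is not a valid prefix length
      - 131.0.72.0/22
      - 2400:cb00::/32
      - 2606:4700::/32
      - 2803:f800::/32
      - 2405:b500::/32
      - 2405:8100::/32
      - 2a06:98c0::/29
      - 2c0f:f248::/32
---
# Chain wrapper so routes reference "cloudflare" rather than the raw list.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: cloudflare
  namespace: networking
spec:
  chain:
    middlewares:
      - name: cloudflare-ips
--------------------------------------------------------------------------------
/cluster/core/networking/traefik-internal/middlewares/ip-whitelist/github-hooks.yaml:
--------------------------------------------------------------------------------
---
# Source-IP allow-list of GitHub webhook sender ranges. Like the Cloudflare
# list this only filters by network origin; webhook payloads should still be
# verified with their signature header by the receiving application.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: github-hooks-ips
  namespace: networking
spec:
  ipWhiteList:
    # https://api.github.com/meta
    # Same peer-address caveat as cloudflare.yaml: with externalTrafficPolicy:
    # Cluster the observed source may not be the original client.
    sourceRange:
      - 192.30.252.0/22
      - 185.199.108.0/22
      - 140.82.112.0/20
      - 143.55.64.0/20
      - 2a0a:a440::/29
      - 2606:50c0::/32
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: github-hooks
  namespace: networking
spec:
  chain:
    middlewares:
      - name: github-hooks-ips
--------------------------------------------------------------------------------
/cluster/core/networking/traefik-internal/middlewares/ip-whitelist/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - cloudflare.yaml
  - rfc1918.yaml
  - github-hooks.yaml
--------------------------------------------------------------------------------
/cluster/core/networking/traefik-internal/middlewares/ip-whitelist/rfc1918.yaml:
--------------------------------------------------------------------------------
---
# Allow-list of private address space, used e.g. by the Traefik dashboard
# IngressRoute. Node and pod networks typically live in these ranges too, so
# any in-cluster or SNATed source will match; this is a coarse "LAN only"
# filter, not an authentication control.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rfc1918-ips
  namespace: networking
spec:
  ipWhiteList:
    sourceRange:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
      # Link-local (RFC 3927) rather than RFC1918; kept as in the original.
      - 169.254.0.0/16
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rfc1918
  namespace: networking
spec:
  chain:
    middlewares:
      - name: rfc1918-ips
--------------------------------------------------------------------------------
/cluster/core/networking/traefik-internal/middlewares/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ip-whitelist
  - redirect-path.yaml
  - basic-auth.yaml
  # Encrypted secret backing the basic-auth middleware (secret name basic-auth).
  - secret.enc.yaml
--------------------------------------------------------------------------------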
/cluster/core/networking/traefik-internal/middlewares/redirect-path.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.io/v1alpha1 3 | kind: Middleware 4 | metadata: 5 | name: redirect-regex 6 | namespace: networking 7 | spec: 8 | redirectRegex: 9 | regex: "^(https?://[^/]+/[a-z0-9_]+)$" 10 | replacement: "${1}/" 11 | permanent: true 12 | --- 13 | apiVersion: traefik.io/v1alpha1 14 | kind: Middleware 15 | metadata: 16 | name: strip-prefix-regex 17 | namespace: networking 18 | spec: 19 | stripPrefixRegex: 20 | regex: 21 | - "/[a-z0-9_]+" 22 | --- 23 | apiVersion: traefik.io/v1alpha1 24 | kind: Middleware 25 | metadata: 26 | name: redirect-path 27 | namespace: networking 28 | spec: 29 | chain: 30 | middlewares: 31 | - name: redirect-regex 32 | - name: strip-prefix-regex 33 | -------------------------------------------------------------------------------- /cluster/core/networking/traefik-internal/service-monitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: traefik 6 | namespace: networking 7 | labels: 8 | app.kubernetes.io/name: traefik 9 | spec: 10 | endpoints: 11 | - path: /metrics 12 | targetPort: metrics 13 | jobLabel: traefik 14 | namespaceSelector: 15 | matchNames: 16 | - networking 17 | selector: 18 | matchLabels: 19 | app.kubernetes.io/name: traefik 20 | -------------------------------------------------------------------------------- /cluster/core/networking/traefik-internal/tls-store/default.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.io/v1alpha1 3 | kind: TLSStore 4 | metadata: 5 | name: default 6 | namespace: networking 7 | spec: 8 | defaultCertificate: 9 | secretName: "${SECRET_DOMAIN/./-}-tls" 10 | -------------------------------------------------------------------------------- 
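/cluster/core/networking/traefik-internal/tls-store/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - default.yaml
--------------------------------------------------------------------------------
/cluster/core/networking/wildcard-certificate/certificate.yaml:
--------------------------------------------------------------------------------
---
# Wildcard certificate for the cluster domain. Its Secret is the default
# certificate of the Traefik TLSStore (tls-store/default.yaml) and is referenced
# directly by the dashboard and healthcheck IngressRoutes. One Secret therefore
# holds the key for every subdomain: anything able to read Secrets in the
# networking namespace can impersonate all of them.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "${SECRET_DOMAIN/./-}"
  namespace: networking
spec:
  secretName: "${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: ${SETTING_CERT_MANAGER_CLUSTER_ISSUER}
    kind: ClusterIssuer
  commonName: "${SECRET_DOMAIN}"
  dnsNames:
    - "${SECRET_DOMAIN}"
    - "*.${SECRET_DOMAIN}"
--------------------------------------------------------------------------------
/cluster/core/networking/wildcard-certificate/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - certificate.yaml
--------------------------------------------------------------------------------
/cluster/core/postgres/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: postgres
resources:
  - zalando-operator
--------------------------------------------------------------------------------
/cluster/core/postgres/zalando-operator/helm-release.yaml:
--------------------------------------------------------------------------------
---
# NOTE(review): other HelmReleases in this tree (metallb, traefik-internal)
# already use helm.toolkit.fluxcd.io/v2; v2beta1 is left unchanged here.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: zalando-postgres-operator
spec:
  targetNamespace: postgres
  releaseName: zalando-postgres-operator
  interval: 10m
  chart:
    spec:
      # Chart is built from the operator's git checkout rather than a Helm
      # repository; the GitRepository itself is defined outside this listing.
      chart: ./charts/postgres-operator
      sourceRef:
        kind: GitRepository
        name: zalando-postgres-operator
        namespace: flux-system
  values:
    configGeneral:
      # The operator does not install its own CRDs. They are not listed in
      # cluster/crds/kustomization.yaml either -- confirm where they come from.
      enable_crd_registration: false
    configKubernetes:
      # Lets the operator write credential Secrets into namespaces other than
      # the database's own; whoever can read Secrets in a target namespace then
      # holds those database credentials.
      enable_cross_namespace_secret: true
      secret_name_template: "{username}.{cluster}.credentials"
      enable_pod_antiaffinity: false
      enable_pod_disruption_budget: true
    nodeSelector:
      kubernetes.io/arch: amd64
    podPriorityClassName: "postgres-database-critical"
--------------------------------------------------------------------------------
/cluster/core/postgres/zalando-operator/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: postgres
resources:
  - helm-release.yaml
--------------------------------------------------------------------------------
/cluster/core/velero/helm-release.yaml:
--------------------------------------------------------------------------------
---
# NOTE(review): see zalando-operator/helm-release.yaml -- v2beta1 kept as-is
# although the metallb and traefik-internal releases use v2.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: velero
  namespace: velero
spec:
  interval: 5m
  chart:
    spec:
      chart: velero
      version: 8.1.0
      sourceRef:
        kind: HelmRepository
        name: vmware-tanzu-charts
        namespace: flux-system
      interval: 5m
  values:
    annotations:
      # Restart Velero when the S3 credential Secret is rotated.
      secret.reloader.stakater.com/reload: velero-s3-creds
    configuration:
      extraEnvVars:
        TZ: "Europe/London"
      backupStorageLocation:
        - name: default
          bucket: k8s-home-velero
          provider: aws
          default: true
          config:
            region: eu-west-2
      # NOTE(review): newer velero charts spell this fsBackupTimeout; confirm
      # chart 8.1.0 still honours resticTimeout, otherwise this value is silent.
      resticTimeout: 4h
    credentials:
      # Object-storage credentials are supplied out of band (velero.secret.sops.yaml),
      # never inline in values.
      existingSecret: velero-s3-creds
    schedules:
      daily-backup:
        # Every day at 06:00
        schedule: "0 6 * * *"
        template:
          ttl: "168h"
      weekly-backup:
        # Every Sunday at 03:00 (the original comment said 06:00; the cron
        # expression is authoritative and has not been changed)
        schedule: "0 3 * * 0"
        template:
          ttl: "338h"
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
      prometheusRule:
        enabled: true
        # These schedule-specific alerts overlap with the generic ones in
        # prometheus-rule.yaml (schedule!=""); both sets will fire for the
        # daily schedule.
        spec:
          - alert: VeleroDailyBackupPartialFailures
            annotations:
              message: Velero backup {{ $labels.schedule }} has {{ $value | humanizePercentage }} partially failed backups.
            # Failures divided by attempts can never exceed 1, so the original
            # threshold of "> 1" could never fire; aligned with the 0.25 used
            # in prometheus-rule.yaml.
            expr: |-
              velero_backup_partial_failure_total{schedule="velero-daily-backup"} / velero_backup_attempt_total{schedule="velero-daily-backup"} > 0.25
            for: 15m
            labels:
              severity: warning
          - alert: VeleroDailyBackupFailures
            annotations:
              message: Velero backup {{ $labels.schedule }} has {{ $value | humanizePercentage }} failed backups.
            # Same correction as above: "> 1" was unreachable.
            expr: |-
              velero_backup_failure_total{schedule="velero-daily-backup"} / velero_backup_attempt_total{schedule="velero-daily-backup"} > 0.25
            for: 15m
            labels:
              severity: warning
    backupsEnabled: true
    # With snapshots off and no node agent (deployNodeAgent below), these
    # schedules capture API objects only; persistent volume contents are not
    # backed up -- confirm that is intended.
    snapshotsEnabled: false
    upgradeCRDs: false
    # fixed: was "falsex", which is a string rather than a boolean
    cleanUpCRDs: false
    kubectl:
      image:
        repository: docker.io/bitnami/kubectl
        tag: 1.31.4
    deployNodeAgent: false
    initContainers:
      - name: velero-plugin-for-aws
        # Pulled by tag from the implicit Docker Hub registry; no digest pin,
        # so the plugin image is not immutable across reconciliations.
        image: velero/velero-plugin-for-aws:v1.7.1
        imagePullPolicy: IfNotPresent
        volumeMounts:
          - mountPath: /target
            name: plugins
    resources:
      requests:
        memory: 300Mi
        cpu: 25m
      limits:
        memory: 1500Mi
--------------------------------------------------------------------------------
/cluster/core/velero/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml
  - prometheus-rule.yaml
  - velero.secret.sops.yaml
  # Applied even though deployNodeAgent is false in helm-release.yaml, so this
  # repository key appears to be held but unused by the current release.
  - restic.secret.sops.yaml
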
-------------------------------------------------------------------------------- /cluster/core/velero/prometheus-rule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: velero 6 | namespace: velero 7 | spec: 8 | groups: 9 | - name: velero 10 | rules: 11 | - alert: VeleroBackupPartialFailures 12 | annotations: 13 | message: Velero backup {{ $labels.schedule }} has {{ $value | humanizePercentage }} partially failed backups. 14 | expr: |- 15 | velero_backup_partial_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25 16 | for: 15m 17 | labels: 18 | severity: warning 19 | - alert: VeleroBackupFailures 20 | annotations: 21 | message: Velero backup {{ $labels.schedule }} has {{ $value | humanizePercentage }} failed backups. 22 | expr: |- 23 | velero_backup_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25 24 | for: 15m 25 | labels: 26 | severity: warning 27 | -------------------------------------------------------------------------------- /cluster/crds/1password/crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: 1password-crd-source 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://github.com/1Password/connect-helm-charts.git 10 | ref: 11 | # renovate: datasource=github-releases depName=1Password/connect-helm-charts 12 | tag: connect-1.17.0 13 | ignore: | 14 | # exclude all but the CDRs 15 | /* 16 | # path to crds 17 | !/charts/connect/crds/ 18 | --- 19 | apiVersion: kustomize.toolkit.fluxcd.io/v1 20 | kind: Kustomization 21 | metadata: 22 | name: 1password-crds 23 | namespace: flux-system 24 | spec: 25 | interval: 15m 26 | prune: false 27 | sourceRef: 28 | kind: GitRepository 29 | name: 1password-crd-source 30 | 
healthChecks: 31 | - apiVersion: apiextensions.k8s.io/v1 32 | kind: CustomResourceDefinition 33 | name: onepassworditems.onepassword.com 34 | -------------------------------------------------------------------------------- /cluster/crds/1password/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - crds.yaml 6 | -------------------------------------------------------------------------------- /cluster/crds/README.md: -------------------------------------------------------------------------------- 1 | # CRDS (Custom Resource Definitions) 2 | 3 | From [Kubernetes custom resources](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources) 4 | > A custom resource is an extension of the Kubernetes API that is not necessarily available in a default Kubernetes installation. It represents a customization of a particular Kubernetes installation. However, many core Kubernetes functions are now built using custom resources, making Kubernetes more modular. 5 | 6 | This directory contains `Custom Resource Definitions (CRDs)` for all underpinned K8s applications installed in the cluster (e.g. `alertmanagerconfigs.monitoring.coreos.com`) 7 | 8 | **These must always be deployed in the first place**, and all other cluster categories (e.g. core, apps) depend on them. Basically, a simple change in one of the CRDs triggers a full cluster re-conciliation. 
9 | -------------------------------------------------------------------------------- /cluster/crds/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | # renovate: datasource=helm registryUrl=https://charts.jetstack.io depName=cert-manager 6 | - https://github.com/cert-manager/cert-manager/releases/download/1.17.0/cert-manager.crds.yaml 7 | -------------------------------------------------------------------------------- /cluster/crds/external-dns/crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: external-dns 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://github.com/kubernetes-sigs/external-dns.git 10 | ref: 11 | # renovate: datasource=github-releases depName=kubernetes-sigs/external-dns 12 | tag: 0.15.1 13 | ignore: | 14 | # exclude all 15 | /* 16 | # include deploy crds dir 17 | !/docs/contributing/crd-source/crd-manifest.yaml 18 | --- 19 | apiVersion: kustomize.toolkit.fluxcd.io/v1 20 | kind: Kustomization 21 | metadata: 22 | name: external-dns-crds 23 | namespace: flux-system 24 | spec: 25 | interval: 15m 26 | prune: false 27 | sourceRef: 28 | kind: GitRepository 29 | name: external-dns 30 | healthChecks: 31 | - apiVersion: apiextensions.k8s.io/v1beta1 32 | kind: CustomResourceDefinition 33 | name: dnsendpoints.externaldns.k8s.io 34 | -------------------------------------------------------------------------------- /cluster/crds/external-dns/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - crds.yaml 6 | -------------------------------------------------------------------------------- 
/cluster/crds/external-snapshotter/crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: external-snapshotter-source 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://github.com/kubernetes-csi/external-snapshotter.git 10 | ref: 11 | # renovate: datasource=github-releases depName=kubernetes-csi/external-snapshotter 12 | tag: 8.2.1 13 | ignore: | 14 | # exclude all 15 | /* 16 | # include deploy crds dir 17 | !/client/config/crd 18 | --- 19 | apiVersion: kustomize.toolkit.fluxcd.io/v1 20 | kind: Kustomization 21 | metadata: 22 | name: external-snapshotter-crds 23 | namespace: flux-system 24 | spec: 25 | interval: 15m 26 | prune: false 27 | sourceRef: 28 | kind: GitRepository 29 | name: external-snapshotter-source 30 | healthChecks: 31 | - apiVersion: apiextensions.k8s.io/v1 32 | kind: CustomResourceDefinition 33 | name: volumesnapshotclasses.snapshot.storage.k8s.io 34 | - apiVersion: apiextensions.k8s.io/v1 35 | kind: CustomResourceDefinition 36 | name: volumesnapshotcontents.snapshot.storage.k8s.io 37 | - apiVersion: apiextensions.k8s.io/v1 38 | kind: CustomResourceDefinition 39 | name: volumesnapshots.snapshot.storage.k8s.io 40 | -------------------------------------------------------------------------------- /cluster/crds/external-snapshotter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - crds.yaml 6 | -------------------------------------------------------------------------------- /cluster/crds/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - 1password 6 | - cert-manager 7 | - external-dns 8 | - 
external-snapshotter 9 | - system-upgrade-controller 10 | - traefik 11 | -------------------------------------------------------------------------------- /cluster/crds/system-upgrade-controller/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | # renovate: datasource=docker depName=rancher/system-upgrade-controller 6 | - https://github.com/rancher/system-upgrade-controller/releases/download/v0.11.0/crd.yaml 7 | -------------------------------------------------------------------------------- /cluster/crds/traefik/crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: traefik-crd-source 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://github.com/traefik/traefik-helm-chart.git 10 | ref: 11 | # renovate: datasource=github-tags depName=traefik/traefik-helm-chart 12 | tag: 33.2.1 13 | ignore: | 14 | # exclude all but the CDRs 15 | /* 16 | # path to crds 17 | !/traefik/crds/ 18 | --- 19 | apiVersion: kustomize.toolkit.fluxcd.io/v1 20 | kind: Kustomization 21 | metadata: 22 | name: traefik-crds 23 | namespace: flux-system 24 | spec: 25 | interval: 15m 26 | prune: false 27 | sourceRef: 28 | kind: GitRepository 29 | name: traefik-crd-source 30 | healthChecks: 31 | - apiVersion: apiextensions.k8s.io/v1 32 | kind: CustomResourceDefinition 33 | name: ingressroutes.traefik.io 34 | - apiVersion: apiextensions.k8s.io/v1 35 | kind: CustomResourceDefinition 36 | name: ingressroutetcps.traefik.io 37 | - apiVersion: apiextensions.k8s.io/v1 38 | kind: CustomResourceDefinition 39 | name: ingressrouteudps.traefik.io 40 | - apiVersion: apiextensions.k8s.io/v1 41 | kind: CustomResourceDefinition 42 | name: middlewares.traefik.io 43 | - apiVersion: apiextensions.k8s.io/v1 44 | kind: 
CustomResourceDefinition 45 | name: middlewaretcps.traefik.io 46 | - apiVersion: apiextensions.k8s.io/v1 47 | kind: CustomResourceDefinition 48 | name: serverstransports.traefik.io 49 | - apiVersion: apiextensions.k8s.io/v1 50 | kind: CustomResourceDefinition 51 | name: tlsoptions.traefik.io 52 | - apiVersion: apiextensions.k8s.io/v1 53 | kind: CustomResourceDefinition 54 | name: tlsstores.traefik.io 55 | - apiVersion: apiextensions.k8s.io/v1 56 | kind: CustomResourceDefinition 57 | name: traefikservices.traefik.io 58 | -------------------------------------------------------------------------------- /cluster/crds/traefik/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - crds.yaml 6 | -------------------------------------------------------------------------------- /cluster/flux/README.md: -------------------------------------------------------------------------------- 1 | # Flux 2 | 3 | Serves as entrypoint to [FluxCD](https://fluxcd.io/docs/) thereby declaring all other cluster components through GitOps methodologies. 4 | 5 | There is a Github-hosted Kustomization file that contains the FluxCD manifests for a quick installation. 
6 | -------------------------------------------------------------------------------- /cluster/flux/apps.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: apps 6 | namespace: flux-system 7 | spec: 8 | interval: 5m0s 9 | dependsOn: 10 | - name: core 11 | path: ./cluster/apps 12 | prune: true 13 | sourceRef: 14 | kind: GitRepository 15 | name: flux-cluster 16 | decryption: 17 | provider: sops 18 | secretRef: 19 | name: sops-gpg 20 | postBuild: 21 | substituteFrom: 22 | - kind: ConfigMap 23 | name: cluster-settings 24 | - kind: Secret 25 | name: cluster-secrets 26 | -------------------------------------------------------------------------------- /cluster/flux/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: config 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | path: ./cluster/config 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-cluster 14 | decryption: 15 | provider: sops 16 | secretRef: 17 | name: sops-gpg 18 | -------------------------------------------------------------------------------- /cluster/flux/core.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: core 6 | namespace: flux-system 7 | spec: 8 | interval: 5m0s 9 | dependsOn: 10 | - name: sources 11 | - name: crds 12 | - name: config 13 | path: ./cluster/core 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-cluster 18 | decryption: 19 | provider: sops 20 | secretRef: 21 | name: sops-gpg 22 | postBuild: 23 | substituteFrom: 24 | - kind: ConfigMap 25 | name: cluster-settings 26 | - kind: Secret 27 | name: cluster-secrets 28 | 
-------------------------------------------------------------------------------- /cluster/flux/crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: crds 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | path: ./cluster/crds 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-cluster 14 | -------------------------------------------------------------------------------- /cluster/flux/flux-system/README.md: -------------------------------------------------------------------------------- 1 | # SSH Private Key Generation and configuration 2 | 3 | ## Generate new SSH key: 4 | 5 | > ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f ./cluster/github-deploy-key -q -P "" 6 | 7 | Paste public key: https://github.com/kitos9112/k8s-home/settings/keys 8 | Create sops secret in `cluster/flux/flux-system/github-deploy-key.sops.yaml` with the contents of: 9 | 10 | ```yaml 11 | # yamllint disable 12 | apiVersion: v1 13 | kind: Secret 14 | metadata: 15 | name: github-deploy-key 16 | namespace: flux-system 17 | stringData: 18 | # Contents of: github-deploy-key 19 | # secretlint-disable 20 | # gitleaks-disable 21 | identity: | 22 | -----BEGIN OPENSSH PRIVATE KEY----- 23 | ... 24 | -----END OPENSSH PRIVATE KEY----- 25 | # secretlint-enable 26 | # Output of: curl --silent https://api.github.com/meta | jq --raw-output '"github.com "+.ssh_keys[]' 27 | known_hosts: | 28 | github.com ssh-ed25519 ... 29 | github.com ecdsa-sha2-nistp256 ... 30 | github.com ssh-rsa ... 
31 | ``` 32 | 33 | Encrypt secret: 34 | 35 | > sops --encrypt --in-place ./cluster/flux/flux-system/github-deploy-key.sops.yaml 36 | 37 | Apply secret to cluster: 38 | 39 | > sops -d cluster/flux/flux-system/github-deploy-key.sops.yaml | kubectl apply -f - 40 | 41 | Update cluster/base/flux-system/gotk-sync.yaml: 42 | 43 | ```yaml 44 | --- 45 | apiVersion: source.toolkit.fluxcd.io/v1 46 | kind: GitRepository 47 | metadata: 48 | name: flux-system 49 | namespace: flux-system 50 | spec: 51 | interval: 5m0s 52 | url: ssh://git@github.com/kitos9112/k8s-home 53 | ref: 54 | branch: next 55 | secretRef: 56 | name: github-deploy-key 57 | ``` 58 | 59 | Commit and push changes 60 | Verify git repository is now using SSH: 61 | 62 | > kubectl get gitrepository -n flux-system -------------------------------------------------------------------------------- /cluster/flux/flux-system/flux-cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: flux-cluster 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: ssh://git@github.com/kitos9112/k8s-home 10 | ref: 11 | branch: next 12 | secretRef: 13 | name: github-deploy-key 14 | --- 15 | apiVersion: kustomize.toolkit.fluxcd.io/v1 16 | kind: Kustomization 17 | metadata: 18 | name: flux-cluster 19 | namespace: flux-system 20 | spec: 21 | interval: 10m 22 | path: ./cluster/flux 23 | prune: true 24 | wait: false 25 | sourceRef: 26 | kind: GitRepository 27 | name: flux-cluster 28 | -------------------------------------------------------------------------------- /cluster/flux/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - flux-installation.yaml 6 | - flux-cluster.yaml 7 | 
-------------------------------------------------------------------------------- /cluster/flux/sources.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: sources 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | path: ./cluster/sources 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-cluster 14 | -------------------------------------------------------------------------------- /cluster/github-deploy-key.pub: -------------------------------------------------------------------------------- 1 | ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAEUjNBSNe8UC31xvnLkmu4LQqQus90aNCIQE/uwqiO/7JMsno4C64lB6uK2jf9Md1ezortFlnQC1y2XOBuRXXClZAC8MCuV262QZu10QX7ds/epRo2kqEyk8+o7M3H9zzqDG4aXpHnSwdUXQuYKG4ewbugBBZ8DvtrFQxXyVhtbanDvvg== github-deploy-key 2 | -------------------------------------------------------------------------------- /cluster/sources/README.md: -------------------------------------------------------------------------------- 1 | # Sources 2 | 3 | Tracks all helm charts and git repositories utilised by the Flux source controller in the K8s cluster. 4 | 5 | In technical terms, it contains both `GitRepositories` and `HelmRepositories` Custom Resources Definitions (CRDs) that are used as a common interface for artifact acquisition from within the cluster itself. 
6 | -------------------------------------------------------------------------------- /cluster/sources/git/flux-monitoring.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: monitoring 6 | namespace: flux-system 7 | spec: 8 | interval: 30m0s 9 | ref: 10 | branch: main 11 | url: https://github.com/fluxcd/flux2 12 | -------------------------------------------------------------------------------- /cluster/sources/git/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - flux-monitoring.yaml 6 | - postgres-operator.yaml 7 | -------------------------------------------------------------------------------- /cluster/sources/git/postgres-operator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: crunchy-data-postgres-operator 6 | namespace: flux-system 7 | spec: 8 | interval: 30m0s 9 | url: https://github.com/CrunchyData/postgres-operator-examples/ 10 | ref: 11 | branch: main 12 | recurseSubmodules: true 13 | --- 14 | apiVersion: source.toolkit.fluxcd.io/v1 15 | kind: GitRepository 16 | metadata: 17 | name: zalando-postgres-operator 18 | namespace: flux-system 19 | spec: 20 | interval: 30m0s 21 | url: https://github.com/zalando/postgres-operator/ 22 | ref: 23 | tag: v1.13.0 24 | recurseSubmodules: true 25 | -------------------------------------------------------------------------------- /cluster/sources/helm/1password-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: 1password-charts 6 | namespace: flux-system 7 | 
spec: 8 | interval: 20m 9 | url: https://1password.github.io/connect-helm-charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/aqua-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: aqua-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://aquasecurity.github.io/helm-charts 10 | -------------------------------------------------------------------------------- /cluster/sources/helm/authentik-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: authentik-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://charts.goauthentik.io 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/bitnami-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: bitnami-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://charts.bitnami.com/bitnami 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/bjw-s-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: bjw-s-charts 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 30m 10 | url: oci://ghcr.io/bjw-s/helm 11 | timeout: 3m 12 | -------------------------------------------------------------------------------- 
/cluster/sources/helm/blakeshome-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: blakeshome-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://blakeblackshear.github.io/blakeshome-charts/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/coredns-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: coredns-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://coredns.github.io/helm 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/cronitor-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: cronitor-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://cronitorio.github.io/cronitor-kubernetes/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/deliveryhero-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: deliveryhero-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://charts.deliveryhero.io/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/descheduler-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: descheduler-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://kubernetes-sigs.github.io/descheduler 10 | -------------------------------------------------------------------------------- /cluster/sources/helm/fairwinds-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: fairwinds-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://charts.fairwinds.com/stable 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/grafana-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: grafana-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://grafana.github.io/helm-charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/hashicorp-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: hashicorp-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://helm.releases.hashicorp.com 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/influxdata-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: influxdata-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://helm.influxdata.com/ 10 | 
timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/infracloudio-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: infracloudio-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://infracloudio.github.io/charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/ingress-nginx-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: ingress-nginx-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://kubernetes.github.io/ingress-nginx 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/jaeger-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: jaeger-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://jaegertracing.github.io/helm-charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/jetstack-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: jetstack-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://charts.jetstack.io/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/k8s-at-home-charts.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: k8s-at-home-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://k8s-at-home.com/charts/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/kasten-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: kasten-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://charts.kasten.io/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/kubernetes-dashboard-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: kubernetes-dashboard-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://kubernetes.github.io/dashboard/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/kubernetes-sigs-descheduler-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: kubernetes-sigs-descheduler-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://kubernetes-sigs.github.io/descheduler 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/kured-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | 
kind: HelmRepository 4 | metadata: 5 | name: kured-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://kubereboot.github.io/charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - authentik-charts.yaml 6 | - bitnami-charts.yaml 7 | - blakeshome-charts.yaml 8 | - coredns-charts.yaml 9 | - bjw-s-charts.yaml 10 | - deliveryhero-charts.yaml 11 | - grafana-charts.yaml 12 | - infracloudio-charts.yaml 13 | - ingress-nginx-charts.yaml 14 | - jaeger-charts.yaml 15 | - jetstack-charts.yaml 16 | - hashicorp-charts.yaml 17 | - influxdata-charts.yaml 18 | - k8s-at-home-charts.yaml 19 | - kasten-charts.yaml 20 | - fairwinds-charts.yaml 21 | - kubernetes-sigs-descheduler-charts.yaml 22 | - kubernetes-dashboard-charts.yaml 23 | - lwolf-charts.yaml 24 | - minio-charts.yaml 25 | - metallb-charts.yaml 26 | - cronitor-charts.yaml 27 | - metrics-server-charts.yaml 28 | - nfs-subdir-external-provisioner-charts.yaml 29 | - node-feature-discovery-charts.yaml 30 | - portainer-charts.yaml 31 | - prometheus-community-charts.yaml 32 | - rook-ceph-charts.yaml 33 | - sealed-secrets-charts.yaml 34 | - stakater-charts.yaml 35 | - traefik-charts.yaml 36 | - vernemq-charts.yaml 37 | - victoriametrics-charts.yaml 38 | - kured-charts.yaml 39 | - vmware-tanzu-charts.yaml 40 | - 1password-charts.yaml 41 | - vector-charts.yaml 42 | - kyverno-charts.yaml 43 | - descheduler-charts.yaml 44 | - aqua-charts.yaml 45 | -------------------------------------------------------------------------------- /cluster/sources/helm/kyverno-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | 
metadata: 5 | name: kyverno-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://kyverno.github.io/kyverno/ 10 | -------------------------------------------------------------------------------- /cluster/sources/helm/lwolf-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: lwolf-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://charts.lwolf.org 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/metallb-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: metallb-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://metallb.github.io/metallb 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/metrics-server-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: metrics-server-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://kubernetes-sigs.github.io/metrics-server/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/minio-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: minio-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://operator.min.io/ 10 | timeout: 3m 11 | 
-------------------------------------------------------------------------------- /cluster/sources/helm/nfs-subdir-external-provisioner-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: nfs-subdir-external-provisioner-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/node-feature-discovery-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: node-feature-discovery-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://kubernetes-sigs.github.io/node-feature-discovery/charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/portainer-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: portainer-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://portainer.github.io/k8s/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/prometheus-community-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: prometheus-community-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://prometheus-community.github.io/helm-charts 10 | timeout: 3m 11 | 
-------------------------------------------------------------------------------- /cluster/sources/helm/rook-ceph-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: rook-ceph-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://charts.rook.io/release 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/sealed-secrets-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: sealed-secrets-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://bitnami-labs.github.io/sealed-secrets/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/stakater-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: stakater-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://stakater.github.io/stakater-charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/traefik-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: traefik-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://helm.traefik.io/traefik 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/vector-charts.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: vector-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 15m 9 | url: https://helm.vector.dev 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/vernemq-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: vernemq-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://vernemq.github.io/docker-vernemq 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/victoriametrics-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: victoriametrics-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://victoriametrics.github.io/helm-charts/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/helm/vmware-tanzu-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: vmware-tanzu-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 20m 9 | url: https://vmware-tanzu.github.io/helm-charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/sources/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: 
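flux-system 5 | resources: 6 | - helm 7 | - git 8 | -------------------------------------------------------------------------------- /hack/common.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Shared helpers sourced by the scripts under hack/.
# Exports REPO_ROOT (the git top-level directory) and CLUSTER (the cluster/
# tree next to this script) and provides die/log/need/load_env.
REPO_ROOT=$(git rev-parse --show-toplevel)
SCRIPT_DIR="$(cd -P -- "$(dirname -- "$(command -v -- "$0")")" && pwd -P)"
CLUSTER="${SCRIPT_DIR}/../cluster"

export CLUSTER
export REPO_ROOT

# die MESSAGE...: print the message to stderr and abort with status 1.
# Written to stderr so that callers capturing stdout do not swallow it.
function die() {
  echo "!! $*" >&2
  exit 1
}

# log MESSAGE: print a timestamped line to stdout.
# Everything is quoted so the message is never subject to word splitting
# or glob expansion.
function log() {
  local m_time
  m_time=$(date "+%F %T")
  echo "${m_time} $1"
}

# need NAME: abort unless NAME is resolvable as a command.
# `command -v` replaces `which`, which is not POSIX and is missing from some
# minimal images; note it also accepts shell functions and builtins.
function need() {
  command -v "$1" &>/dev/null || die "Binary '$1' is missing but required"
}

# load_env: source the untracked .secrets.env from the repository root.
# A missing file is fatal rather than silently leaving variables empty.
# On Darwin the variables are auto-exported (set -a) so child processes
# see them; other platforms keep the original non-exporting behaviour.
function load_env() {
  local env_file="${REPO_ROOT}/.secrets.env"
  [ -f "${env_file}" ] || die "Secrets file '${env_file}' not found"
  if [ "$(uname)" == "Darwin" ]; then
    set -a
    # shellcheck disable=SC1091
    source "${env_file}"
    set +a
  else
    # shellcheck disable=SC1091
    source "${env_file}"
  fi
}
-------------------------------------------------------------------------------- /hack/template.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Render a Flux HelmRelease locally with `helm template`, feeding it the
# release's inline .spec.values, so chart output can be inspected before
# a change is committed.
# shellcheck source=hack/common.sh
source "${BASH_SOURCE[0]%/*}/common.sh"

need "yq"
need "helm"

# _usage: print usage and exit (status 0, as before).
function _usage() {
  echo "== usage: template.sh path/to/helm-release.yaml"
  echo "note:"
  echo " - this will not pull valuesFrom values"
  echo " - requires all helm repositories be installed locally"
  echo " - requires release be from a helm repository and not git"
  echo
  exit
}

[ $# -ne 1 ] && _usage
releaseFile=${1}
[ -f "${releaseFile}" ] || _usage

# extract release, repository and chart names (paths quoted so a file name
# containing spaces cannot split into several arguments)
name=$(yq eval '.metadata.name' "${releaseFile}")
repo=$(yq eval '.spec.chart.spec.sourceRef.name' "${releaseFile}")
chart=$(yq eval '.spec.chart.spec.chart' "${releaseFile}")

# yq v4 prints the literal string "null" for a missing key; refuse to call
# helm with "null/null" instead of producing a confusing chart-not-found error.
for field in "${name}" "${repo}" "${chart}"; do
  if [ -z "${field}" ] || [ "${field}" == "null" ]; then
    die "Could not read release name, repository and chart from '${releaseFile}'"
  fi
done

# dump the values into template
yq eval '.spec.values' "${releaseFile}" |
  helm template "${name}" "${repo}/${chart}" --values -
-------------------------------------------------------------------------------- /hack/validate.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash

# This script downloads the Flux OpenAPI schemas, then it validates the
# Flux custom resources and the kustomize overlays using kubeval.
# This script is meant to be run locally and in CI before the changes
# are merged on the main branch that's synced by Flux.

# Copyright 2020 The Flux authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This script is meant to be run locally and in CI to validate the Kubernetes
# manifests (including Flux custom resources) before changes are merged into
# the branch synced by Flux in-cluster.

# Prerequisites
# - yq v4.6
# - kustomize v4.1
# - kubeval v0.15

# pipefail is required so that a failing `kustomize build` or `curl` on the
# left side of a pipe is not masked by the command on the right.
set -o errexit -o nounset -o pipefail

# Flux release the CRD schemas are taken from. Defaults to "latest" to keep
# the previous behaviour; set FLUX_VERSION (e.g. FLUX_VERSION=<release tag>)
# so an upstream schema change cannot silently alter what this script accepts.
FLUX_VERSION="${FLUX_VERSION:-latest}"
if [[ "${FLUX_VERSION}" == "latest" ]]; then
  schema_url="https://github.com/fluxcd/flux2/releases/latest/download/crd-schemas.tar.gz"
else
  schema_url="https://github.com/fluxcd/flux2/releases/download/${FLUX_VERSION}/crd-schemas.tar.gz"
fi

# Use a private temporary directory instead of the fixed /tmp/flux-crd-schemas:
# the fixed path was never cleaned up (stale schemas from an earlier run could
# leak into this one) and is predictable on shared CI hosts.
schema_dir="$(mktemp -d)"
trap 'rm -rf "${schema_dir}"' EXIT
# kubeval expects <location>/master-standalone-strict/<kind>.json
mkdir -p "${schema_dir}/master-standalone-strict"

echo "INFO - Downloading Flux OpenAPI schemas (${FLUX_VERSION})"
# --fail turns an HTTP error into a non-zero exit instead of feeding an HTML
# error page to tar; --proto '=https' refuses any redirect off HTTPS.
curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 "${schema_url}" |
  tar zxf - -C "${schema_dir}/master-standalone-strict"

find . -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file; do
  echo "INFO - Validating $file"
  yq e 'true' "$file" >/dev/null
done

echo "INFO - Validating cluster"
find ./cluster -maxdepth 2 -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file; do
  kubeval "${file}" --strict --ignore-missing-schemas --additional-schema-locations="file://${schema_dir}" || exit 1
done

# mirror kustomize-controller build options (array form so the flags are
# passed as separate arguments without relying on unquoted word splitting)
kustomize_flags=(--load-restrictor=LoadRestrictionsNone --reorder=legacy)
kustomize_config="kustomization.yaml"

echo "INFO - Validating kustomize overlays"
find . -type f -name "${kustomize_config}" -print0 | while IFS= read -r -d $'\0' file; do
  echo "INFO - Validating kustomization ${file/%$kustomize_config/}"
  # with pipefail, a failure of either kustomize build or kubeval aborts here
  kustomize build "${file/%$kustomize_config/}" "${kustomize_flags[@]}" |
    kubeval --ignore-missing-schemas --strict --additional-schema-locations="file://${schema_dir}" || exit 1
done
-------------------------------------------------------------------------------- /infrastructure/pagerduty/main.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kitos9112/k8s-home/0765c4fcafe6a7e657d6ce9b630f539824dbf12e/infrastructure/pagerduty/main.tf -------------------------------------------------------------------------------- /infrastructure/pagerduty/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kitos9112/k8s-home/0765c4fcafe6a7e657d6ce9b630f539824dbf12e/infrastructure/pagerduty/outputs.tf -------------------------------------------------------------------------------- /infrastructure/pagerduty/providers.tf: -------------------------------------------------------------------------------- 1 | # 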
Configure the PagerDuty provider 2 | terraform { 3 | required_providers { 4 | pagerduty = { 5 | source = "pagerduty/pagerduty" 6 | version = "3.0.0" 7 | } 8 | } 9 | } 10 | 11 | provider "pagerduty" { 12 | token = var.pagerduty_token 13 | } 14 | -------------------------------------------------------------------------------- /infrastructure/pagerduty/variables.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kitos9112/k8s-home/0765c4fcafe6a7e657d6ce9b630f539824dbf12e/infrastructure/pagerduty/variables.tf -------------------------------------------------------------------------------- /templates/app/kustomization.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kitos9112/k8s-home/0765c4fcafe6a7e657d6ce9b630f539824dbf12e/templates/app/kustomization.yaml -------------------------------------------------------------------------------- /templates/app/release.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kitos9112/k8s-home/0765c4fcafe6a7e657d6ce9b630f539824dbf12e/templates/app/release.yaml --------------------------------------------------------------------------------