├── .gitignore
├── manifests
├── tools
│ ├── manifests
│ │ ├── argocd
│ │ │ ├── README.md
│ │ │ ├── config
│ │ │ │ └── patches
│ │ │ │ │ ├── deployment.yaml
│ │ │ │ │ ├── argocd-cmd-params-cm.yaml
│ │ │ │ │ ├── argocd-argocd-server-role.yaml
│ │ │ │ │ ├── argocd-rbac-cm.yaml
│ │ │ │ │ └── argocd-cm.yaml
│ │ │ ├── ns.yaml
│ │ │ ├── appprojects
│ │ │ │ ├── kustomization.yaml
│ │ │ │ └── default.yaml
│ │ │ ├── repositories
│ │ │ │ ├── kustomization.yaml
│ │ │ │ ├── home-kubernetes.yaml
│ │ │ │ └── internal-manifests.yaml
│ │ │ ├── httproute.yaml
│ │ │ ├── httproute-statusbadge.yaml
│ │ │ ├── kustomization.yaml
│ │ │ └── externalsecret.yaml
│ │ ├── cloudflared
│ │ │ ├── ns.yaml
│ │ │ ├── kustomization.yaml
│ │ │ ├── externalsecret.yaml
│ │ │ └── deployment.yaml
│ │ ├── minio
│ │ │ ├── ns.yaml
│ │ │ ├── kustomization.yaml
│ │ │ ├── externalsecret.yaml
│ │ │ └── httproute.yaml
│ │ ├── prometheus-stack
│ │ │ ├── ns.yaml
│ │ │ ├── kustomization.yaml
│ │ │ ├── httproute.yaml
│ │ │ └── externalsecret.yaml
│ │ ├── cilium
│ │ │ ├── kustomization.yaml
│ │ │ └── httproute.yaml
│ │ ├── storageclass
│ │ │ ├── Chart.yaml
│ │ │ └── templates
│ │ │ │ └── storageclass.yaml
│ │ ├── gha-runner-scale-sets
│ │ │ ├── kustomization.yaml
│ │ │ └── externalsecret.yaml
│ │ ├── external-secrets
│ │ │ ├── kustomization.yaml
│ │ │ ├── sa-wi.yaml
│ │ │ └── clustersecretstore.yaml
│ │ └── gateway
│ │ │ ├── kustomization.yaml
│ │ │ └── gateway.yaml
│ ├── Chart.yaml
│ ├── values.yaml
│ └── templates
│ │ ├── argocd.yaml
│ │ ├── gateway.yaml
│ │ ├── storageclass.yaml
│ │ ├── cloudflared.yaml
│ │ ├── azurefile-csi-driver.yaml
│ │ ├── metrics-server.yaml
│ │ ├── github-actions-runner-controller.yaml
│ │ ├── external-secrets.yaml
│ │ ├── nfs-subdir-external-provisioner.yaml
│ │ ├── minio.yaml
│ │ ├── cilium.yaml
│ │ ├── postgres-operator.yaml
│ │ ├── azure-workload-identity-webhook.yaml
│ │ ├── github-actions-runner-scale-sets.yaml
│ │ ├── _helpers.tpl
│ │ ├── loki-stack.yaml
│ │ └── prometheus-stack.yaml
└── apps
│ ├── Chart.yaml
│ ├── manifests
│ ├── matoru.ru
│ │ ├── ns.yaml
│ │ ├── kustomization.yaml
│ │ ├── service.yaml
│ │ ├── httproute.yaml
│ │ └── deployment.yaml
│ ├── sample-ws
│ │ ├── ns.yaml
│ │ ├── configmap
│ │ │ ├── kustomization.yaml
│ │ │ ├── package.json
│ │ │ └── index.js
│ │ ├── kustomization.yaml
│ │ ├── service.yaml
│ │ ├── httproute.yaml
│ │ └── deployment.yaml
│ └── only-ns
│ │ ├── kustomization.yaml
│ │ └── pod.yaml
│ ├── values.yaml
│ └── templates
│ ├── matoru.ru.yaml
│ ├── sample-ws.yaml
│ └── only-ns.yaml
├── _assets
├── cloudflared.png
├── eso-logo-large.png
├── house-color-icon.png
├── github-action-runner.png
├── nginx-ingress-controller.png
├── home-kubernetes-diagram.drawio.png
├── akv2k8s-b749ec5f4bfd805a88626e0fd2b9ba82.png
├── COLOUR-Raspberry-Pi-Symbol-Registered-300x300.png
├── istio-bluelogo-whitebackground-unframed.svg
└── Argo-CD.svg
├── gha-runner-images
├── golang1-23
│ └── Dockerfile
├── README.md
└── base
│ └── Dockerfile
└── README.md
/.gitignore:
--------------------------------------------------------------------------------
# presumably where packaged subcharts get pulled locally — kept out of git; confirm
charts/
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/README.md:
--------------------------------------------------------------------------------
# Argo CD
--------------------------------------------------------------------------------
/_assets/cloudflared.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matoruru/home-kubernetes/HEAD/_assets/cloudflared.png
--------------------------------------------------------------------------------
/_assets/eso-logo-large.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matoruru/home-kubernetes/HEAD/_assets/eso-logo-large.png
--------------------------------------------------------------------------------
/_assets/house-color-icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matoruru/home-kubernetes/HEAD/_assets/house-color-icon.png
--------------------------------------------------------------------------------
/manifests/tools/manifests/cloudflared/ns.yaml:
--------------------------------------------------------------------------------
# Namespace for the cloudflared tunnel connector.
# Unlike the other namespaces in this repo it carries no
# `shared-gateway-access` label: the shared Gateway `common` only admits
# HTTPRoutes from labelled namespaces, so nothing in here can attach a route
# to it. That looks intentional (the connector only needs egress), but keep it
# that way on purpose rather than by accident.
apiVersion: v1
kind: Namespace
metadata:
  name: cloudflared
--------------------------------------------------------------------------------
/_assets/github-action-runner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matoruru/home-kubernetes/HEAD/_assets/github-action-runner.png
--------------------------------------------------------------------------------
/_assets/nginx-ingress-controller.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matoruru/home-kubernetes/HEAD/_assets/nginx-ingress-controller.png
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/config/patches/deployment.yaml:
--------------------------------------------------------------------------------
# JSON patch applied by the argocd kustomization (not shown on this page).
# Keeps only 3 old ReplicaSets per patched Deployment; which Deployments it
# targets is decided by that kustomization's patch target — confirm there.
- op: replace
  path: /spec/revisionHistoryLimit
  value: 3
--------------------------------------------------------------------------------
/_assets/home-kubernetes-diagram.drawio.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matoruru/home-kubernetes/HEAD/_assets/home-kubernetes-diagram.drawio.png
--------------------------------------------------------------------------------
/manifests/apps/Chart.yaml:
--------------------------------------------------------------------------------
# Parent chart whose templates/ render one Argo CD Application per workload
# (matoru.ru, sample-ws, only-ns); values.yaml supplies the shared
# project/destination/source settings those templates reference.
apiVersion: v2
name: apps
description: Applications
type: application
version: 0.0.1
appVersion: "1.0"
--------------------------------------------------------------------------------
/manifests/tools/Chart.yaml:
--------------------------------------------------------------------------------
# Parent chart whose templates/ render the platform Argo CD Applications
# (argocd, gateway, cloudflared, external-secrets, metrics-server, ...).
# NOTE(review): `description` is the same string as manifests/apps/Chart.yaml;
# looks copy-pasted — harmless, but a distinct description would help.
apiVersion: v2
name: tools
description: Applications
type: application
version: 1.0.0
appVersion: "1.0"
--------------------------------------------------------------------------------
/manifests/tools/manifests/minio/ns.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: minio
  labels:
    # Opts this namespace into the shared Gateway `common` (kube-system): its
    # listeners only accept HTTPRoutes from namespaces carrying this label.
    shared-gateway-access: 'true'
--------------------------------------------------------------------------------
/_assets/akv2k8s-b749ec5f4bfd805a88626e0fd2b9ba82.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matoruru/home-kubernetes/HEAD/_assets/akv2k8s-b749ec5f4bfd805a88626e0fd2b9ba82.png
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/ns.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: argocd
  labels:
    # Required so argocd/httproute.yaml and httproute-statusbadge.yaml can
    # attach to the shared Gateway `common`.
    shared-gateway-access: 'true'
--------------------------------------------------------------------------------
/manifests/apps/manifests/matoru.ru/ns.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: matoru-ru
  labels:
    # Opts this namespace into the shared Gateway `common` (kube-system).
    shared-gateway-access: 'true'
--------------------------------------------------------------------------------
/manifests/apps/manifests/sample-ws/ns.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: sample-ws
  labels:
    # Opts this namespace into the shared Gateway `common` (kube-system).
    shared-gateway-access: 'true'
--------------------------------------------------------------------------------
/_assets/COLOUR-Raspberry-Pi-Symbol-Registered-300x300.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matoruru/home-kubernetes/HEAD/_assets/COLOUR-Raspberry-Pi-Symbol-Registered-300x300.png
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/appprojects/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  # The `default` AppProject (see default.yaml) — every Application in this
  # repo is placed in it via values.yaml `spec.project: default`.
  - default.yaml
--------------------------------------------------------------------------------
/manifests/apps/manifests/only-ns/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# The namespace itself is not defined here; the Argo CD Application for this
# path uses CreateNamespace=true (see apps/templates/only-ns.yaml).
namespace: only-ns

resources:
  - ./pod.yaml
--------------------------------------------------------------------------------
/manifests/apps/manifests/only-ns/pod.yaml:
--------------------------------------------------------------------------------
# Bare test Pod (no Deployment, no Service, no route to the Gateway).
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      # NOTE(review): `latest` is a mutable tag, so what actually runs changes
      # silently between pulls and cannot be audited from git. Pinning to a
      # specific tag or digest makes the deployment reproducible. No resource
      # limits or securityContext are set here either; fine for a throwaway
      # test pod, not for anything that stays.
      image: nginx:latest
--------------------------------------------------------------------------------
/manifests/tools/manifests/prometheus-stack/ns.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: prometheus-stack
  labels:
    # Opts this namespace into the shared Gateway `common` (kube-system) so
    # prometheus-stack/httproute.yaml (Grafana) can attach.
    shared-gateway-access: 'true'
--------------------------------------------------------------------------------
/manifests/tools/manifests/cilium/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Only an HTTPRoute for Hubble UI lives here; Cilium itself is installed
# elsewhere (templates/cilium.yaml in the tree, not shown on this page).
namespace: kube-system

resources:
  - ./httproute.yaml
--------------------------------------------------------------------------------
/manifests/tools/manifests/storageclass/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: storageclass
description: Helm Chart for StorageClasses
type: application
version: 1.0.0
appVersion: "1.0"
--------------------------------------------------------------------------------
/manifests/tools/manifests/gha-runner-scale-sets/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Runner pods and their GitHub App credentials land in this namespace; the
# controller itself is deployed to arc-systems
# (templates/github-actions-runner-controller.yaml).
namespace: arc-runners

resources:
  - externalsecret.yaml
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/config/patches/argocd-cmd-params-cm.yaml:
--------------------------------------------------------------------------------
# JSON patch for the argocd-cmd-params-cm ConfigMap.
- op: add
  # argocd-server serves plain HTTP (no TLS on its own listener). This matches
  # argocd/httproute.yaml, which forwards to argocd-server on port 80, and the
  # shared Gateway, whose listeners are protocol HTTP. Any TLS for
  # argocd.matoru.ru therefore has to be terminated in front of the Gateway
  # (presumably the cloudflared tunnel — confirm); inside the cluster the
  # Argo CD session is in clear text.
  path: /data/server.insecure
  value: "true"
- op: add
  # Application controller computes diffs server-side (kube-apiserver dry-run)
  # instead of client-side.
  path: /data/controller.diff.server.side
  value: "true"
--------------------------------------------------------------------------------
/manifests/tools/manifests/external-secrets/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# The workload-identity ServiceAccount is created in `default`, and
# clustersecretstore.yaml references it there (serviceAccountRef.namespace).
namespace: default

resources:
  - sa-wi.yaml
  - clustersecretstore.yaml
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/config/patches/argocd-argocd-server-role.yaml:
--------------------------------------------------------------------------------
# JSON patch appending a rule to argocd-server's role (Role or ClusterRole —
# the patch target is set by the argocd kustomization, not shown here).
# NOTE(review): `create` on pods/exec lets argocd-server open a shell in any
# pod the role can reach; presumably added for Argo CD's web terminal. This is
# effectively exec access for whichever Argo CD users are allowed to use it,
# so keep the matching permission in argocd-rbac-cm limited to the roles that
# genuinely need it, and treat this rule as cluster-admin-adjacent when
# reviewing who holds role:admin.
- op: add
  path: /rules/-
  value:
    apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/repositories/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Repository Secrets come out as repo-home-kubernetes / repo-internal-manifests.
namePrefix: repo-

resources:
  - home-kubernetes.yaml
  - internal-manifests.yaml
--------------------------------------------------------------------------------
/manifests/tools/manifests/minio/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: minio

# Only the namespace, the route and the root-credential ExternalSecret live
# here; the MinIO workload itself comes from templates/minio.yaml (not shown).
resources:
  - ./ns.yaml
  - ./httproute.yaml
  - ./externalsecret.yaml
--------------------------------------------------------------------------------
/manifests/tools/manifests/cloudflared/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: cloudflared

resources:
  - ns.yaml
  - deployment.yaml
  - externalsecret.yaml
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/config/patches/argocd-rbac-cm.yaml:
--------------------------------------------------------------------------------
# JSON patch replacing the whole `data` map of argocd-rbac-cm.
- op: add
  path: /data
  value:
    # Empty default role: a logged-in user who matches no line in policy.csv
    # gets no permissions at all (rather than falling back to readonly).
    policy.default: ''
    # Subject -> built-in role mapping. role:admin includes the exec
    # permission that the pods/exec rule in argocd-argocd-server-role.yaml
    # backs, so membership of `Admin` is the thing to keep tight.
    policy.csv: |
      g, Admin, role:admin
      g, ReadOnly, role:readonly
    # Token claim(s) that the `g` lines above are matched against; `roles`
    # rather than the default `groups` — confirm against the OIDC provider's
    # claim name in argocd-cm.yaml (not shown on this page).
    scopes: '[roles]'
--------------------------------------------------------------------------------
/manifests/apps/manifests/sample-ws/configmap/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Ships the app source as a ConfigMap; presumably mounted by deployment.yaml
# (not shown) and run by a node image — confirm there.
configMapGenerator:
  - name: sample-ws-config
    files:
      - package.json
      - index.js

--------------------------------------------------------------------------------
/manifests/apps/manifests/sample-ws/configmap/package.json:
--------------------------------------------------------------------------------
{
  "name": "sample-ws",
  "version": "1.0.0",
  "description": "WebSocket echo server",
  "main": "index.js",
  "dependencies": {
    "ws": "^8.14.2"
  }
}

--------------------------------------------------------------------------------
/manifests/tools/manifests/prometheus-stack/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: prometheus-stack

resources:
  - ./ns.yaml
  - ./httproute.yaml
  - ./externalsecret.yaml
--------------------------------------------------------------------------------
/manifests/apps/manifests/matoru.ru/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: matoru-ru

resources:
  - ./ns.yaml
  - ./deployment.yaml
  - ./service.yaml
  - ./httproute.yaml
--------------------------------------------------------------------------------
/manifests/apps/values.yaml:
--------------------------------------------------------------------------------
# Shared values for every Application rendered by manifests/apps/templates/.
metadata:
  # Applications are created in the argocd namespace (where Argo CD watches).
  namespace: argocd

spec:
  # All apps share the `default` AppProject, which (see
  # argocd/appprojects/default.yaml) allows any repo, any destination and any
  # cluster-scoped resource kind — so the project grants no isolation between
  # workloads here.
  project: default
  destination:
    # In-cluster API server: everything deploys to the cluster Argo CD runs in.
    server: https://kubernetes.default.svc
  source:
    repoURL: https://github.com/matoruru/home-kubernetes
    # Tracks the `main` branch, not a tag: whatever is merged is what gets
    # synced (selfHeal/prune are on in the templates).
    targetRevision: main
--------------------------------------------------------------------------------
/manifests/apps/manifests/sample-ws/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: sample-ws

resources:
  - ./ns.yaml
  - ./deployment.yaml
  - ./service.yaml
  - ./httproute.yaml
  - ./configmap
--------------------------------------------------------------------------------
/manifests/tools/manifests/external-secrets/sa-wi.yaml:
--------------------------------------------------------------------------------
# ServiceAccount that External Secrets Operator uses to obtain Azure tokens
# via workload identity (referenced by clustersecretstore.yaml).
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    # Client and tenant IDs are identifiers, not secrets; the trust is the
    # federated credential on the Azure side that binds this SA (default/wi)
    # to the identity. Anything that can run a pod as this SA can mint a
    # token for that identity, so it should not be shared with workloads.
    azure.workload.identity/client-id: 34de22c5-a3d1-439e-89f8-3b01ca073e1e
    azure.workload.identity/tenant-id: 640dd2c2-336d-4abf-b0ee-0024877ea3fb
  name: wi
--------------------------------------------------------------------------------
/manifests/tools/manifests/gateway/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  # CRD for Cilium Gateway API
  # Pinned to a release tag, so the CRDs installed are reproducible. The
  # experimental bundle is used rather than the standard one.
  - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/experimental-install.yaml

  - gateway.yaml
--------------------------------------------------------------------------------
/gha-runner-images/golang1-23/Dockerfile:
--------------------------------------------------------------------------------
# Runner image with Go 1.23 on top of the base runner image.
# NOTE(review): `latest` here is a mutable tag, so two builds of this file can
# start from different base contents; referencing a specific tag or digest of
# matoruru/gha-runner-base keeps the runner image reproducible.
FROM matoruru/gha-runner-base:latest

USER root

# golang-1.23 comes from the distro package repository (the base image's
# package sources — presumably Ubuntu; confirm), so it is signed by apt.
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y golang-1.23 && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

WORKDIR /home/runner

# Back to the unprivileged runner user for the runtime.
USER runner
--------------------------------------------------------------------------------
/manifests/apps/manifests/matoru.ru/service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: web
  labels:
    app: matoru.ru
spec:
  ports:
    - name: http
      # 8080 is what httproute.yaml's backendRef targets; the pod listens
      # on 3000.
      port: 8080
      protocol: TCP
      targetPort: 3000
  selector:
    app: matoru.ru
  # Cluster-internal only; external reachability is via the shared Gateway.
  type: ClusterIP
--------------------------------------------------------------------------------
/manifests/apps/manifests/sample-ws/service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: web
  labels:
    app: sample-ws
spec:
  ports:
    - name: http
      port: 8080
      protocol: TCP
      targetPort: 3000
  selector:
    app: sample-ws
  type: ClusterIP
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/appprojects/default.yaml:
--------------------------------------------------------------------------------
# The one AppProject every Application here uses (values.yaml: project default).
# NOTE(review): all three allow-lists are wildcards, so the project imposes no
# restriction: any Application in it may pull from any repository and create
# any cluster-scoped resource (CRDs, ClusterRoles, ...) in any namespace of
# any cluster. Whoever can create an Application in the argocd namespace
# effectively gets the permissions of Argo CD's controller. For a single-
# operator homelab that is a conscious trade-off; narrowing sourceRepos to
# the two repositories registered under argocd/repositories/ is the cheap
# first step if it ever needs tightening.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: default
spec:
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  destinations:
    - namespace: '*'
      server: '*'
  sourceRepos:
    - '*'
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/repositories/home-kubernetes.yaml:
--------------------------------------------------------------------------------
# Argo CD repository registration (picked up via the secret-type label).
# Only url/type are set — no credentials — so this is a public read over
# HTTPS.
apiVersion: v1
kind: Secret
metadata:
  labels:
    argocd.argoproj.io/secret-type: repository
  name: home-kubernetes
  namespace: argocd
stringData:
  url: https://github.com/matoruru/home-kubernetes.git
  type: git
type: Opaque
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/repositories/internal-manifests.yaml:
--------------------------------------------------------------------------------
# Second repository registration, same shape as home-kubernetes.yaml (no
# credentials; the repo must be publicly readable for this to work).
apiVersion: v1
kind: Secret
metadata:
  labels:
    argocd.argoproj.io/secret-type: repository
  name: internal-manifests
  namespace: argocd
stringData:
  url: https://github.com/matoruru/internal-manifests.git
  type: git
type: Opaque
-------------------------------------------------------------------------------- /manifests/tools/manifests/argocd/httproute.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: gateway.networking.k8s.io/v1 2 | kind: HTTPRoute 3 | metadata: 4 | name: httproute 5 | spec: 6 | hostnames: 7 | - argocd.matoru.ru 8 | parentRefs: 9 | - name: common 10 | namespace: kube-system 11 | rules: 12 | - backendRefs: 13 | - name: argocd-server 14 | port: 80 15 | -------------------------------------------------------------------------------- /manifests/apps/manifests/matoru.ru/httproute.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: gateway.networking.k8s.io/v1 2 | kind: HTTPRoute 3 | metadata: 4 | name: httproute 5 | spec: 6 | hostnames: 7 | - matoru.ru 8 | parentRefs: 9 | - kind: Gateway 10 | name: common 11 | namespace: kube-system 12 | rules: 13 | - backendRefs: 14 | - name: web 15 | port: 8080 16 | -------------------------------------------------------------------------------- /manifests/tools/manifests/storageclass/templates/storageclass.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: StorageClass 3 | metadata: 4 | name: fast # SSD mounted on Ubuntu 5 | provisioner: cluster.local/nfs-subdir-external-provisioner 6 | reclaimPolicy: Retain 7 | parameters: 8 | pathPattern: pvc-${.PVC.namespace}-${.PVC.name} 9 | archiveOnDelete: 'false' 10 | -------------------------------------------------------------------------------- /_assets/istio-bluelogo-whitebackground-unframed.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /manifests/apps/manifests/sample-ws/httproute.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
gateway.networking.k8s.io/v1 2 | kind: HTTPRoute 3 | metadata: 4 | name: httproute 5 | spec: 6 | hostnames: 7 | - sample-ws.matoru.ru 8 | parentRefs: 9 | - kind: Gateway 10 | name: common 11 | namespace: kube-system 12 | rules: 13 | - backendRefs: 14 | - name: web 15 | port: 8080 16 | -------------------------------------------------------------------------------- /manifests/tools/manifests/external-secrets/clustersecretstore.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ClusterSecretStore 3 | metadata: 4 | name: azure-store 5 | spec: 6 | provider: 7 | azurekv: 8 | authType: WorkloadIdentity 9 | vaultUrl: https://home-k8s-keyvault.vault.azure.net 10 | serviceAccountRef: 11 | name: wi 12 | namespace: default 13 | -------------------------------------------------------------------------------- /manifests/tools/values.yaml: -------------------------------------------------------------------------------- 1 | metadata: 2 | namespace: argocd 3 | 4 | spec: 5 | project: default 6 | destination: 7 | server: https://kubernetes.default.svc 8 | source: 9 | repoURL: https://github.com/matoruru/home-kubernetes 10 | targetRevision: main 11 | 12 | gha: 13 | chart: 14 | version: 0.12.1 15 | 16 | istio: 17 | repoURL: https://istio-release.storage.googleapis.com/charts 18 | version: 1.23.0 19 | -------------------------------------------------------------------------------- /gha-runner-images/README.md: -------------------------------------------------------------------------------- 1 | # home-kubernetes/gha-runner-images 2 | 3 | Dockerfiles for Self-hosted GitHub Action Runner images. 
4 | 5 | ## References 6 | 7 | - https://github.com/actions/actions-runner-controller/blob/a152741a1a6afa992f8d836a029d551984149c8f/charts/gha-runner-scale-set/values.yaml#L192C16-L192C53 8 | - https://docs.github.com/en/actions/concepts/runners/about-actions-runner-controller#creating-your-own-runner-image 9 | -------------------------------------------------------------------------------- /manifests/tools/manifests/cilium/httproute.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: gateway.networking.k8s.io/v1 2 | kind: HTTPRoute 3 | metadata: 4 | name: httproute 5 | spec: 6 | hostnames: 7 | - hubble.matoru.ru 8 | parentRefs: 9 | - name: common 10 | namespace: kube-system 11 | rules: 12 | - backendRefs: 13 | - name: hubble-ui 14 | port: 80 15 | matches: 16 | - path: 17 | type: PathPrefix 18 | value: / 19 | -------------------------------------------------------------------------------- /manifests/tools/manifests/cloudflared/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: cloudflared-home-k8s-secret 5 | spec: 6 | refreshInterval: 1h 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: azure-store 10 | target: 11 | name: cloudflared-home-k8s-secret 12 | data: 13 | - secretKey: CLOUDFLARED_TOKEN 14 | remoteRef: 15 | key: secret/cloudflared-home-k8s-token 16 | -------------------------------------------------------------------------------- /manifests/tools/manifests/prometheus-stack/httproute.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: gateway.networking.k8s.io/v1 2 | kind: HTTPRoute 3 | metadata: 4 | name: httproute 5 | spec: 6 | hostnames: 7 | - grafana.matoru.ru 8 | parentRefs: 9 | - name: common 10 | namespace: kube-system 11 | rules: 12 | - backendRefs: 13 | - name: prometheus-stack-grafana 14 | port: 80 15 | 
matches: 16 | - path: 17 | type: PathPrefix 18 | value: / 19 | -------------------------------------------------------------------------------- /manifests/tools/manifests/argocd/httproute-statusbadge.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: gateway.networking.k8s.io/v1 2 | kind: HTTPRoute 3 | metadata: 4 | name: httproute-statusbadge 5 | spec: 6 | hostnames: 7 | - argocd-statusbadge.matoru.ru 8 | parentRefs: 9 | - name: common 10 | namespace: kube-system 11 | rules: 12 | - matches: 13 | - path: 14 | type: Exact 15 | value: /api/badge 16 | backendRefs: 17 | - name: argocd-server 18 | port: 80 19 | -------------------------------------------------------------------------------- /manifests/tools/manifests/minio/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: akv-secret 5 | spec: 6 | refreshInterval: 1h 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: azure-store 10 | target: 11 | name: akv-secret 12 | data: 13 | - secretKey: root-user 14 | remoteRef: 15 | key: secret/minio-root-user 16 | - secretKey: root-password 17 | remoteRef: 18 | key: secret/minio-root-password 19 | -------------------------------------------------------------------------------- /gha-runner-images/base/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ghcr.io/actions/actions-runner:2.326.0 2 | 3 | USER root 4 | 5 | RUN apt-get update && \ 6 | apt-get upgrade -y && \ 7 | apt-get install -y ca-certificates curl gpg jq 8 | 9 | # Install Azure CLI 10 | RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash 11 | 12 | # Install Kustomize 13 | RUN curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash && \ 14 | mv ./kustomize /usr/local/bin/ 15 | 16 | WORKDIR /home/runner 17 | 18 | USER 
runner 19 | -------------------------------------------------------------------------------- /manifests/tools/templates/argocd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: argo-cd 5 | namespace: {{ .Values.metadata.namespace }} 6 | spec: 7 | destination: 8 | namespace: argocd 9 | server: {{ .Values.spec.destination.server }} 10 | project: {{ .Values.spec.project }} 11 | source: 12 | path: manifests/tools/manifests/argocd 13 | repoURL: {{ .Values.spec.source.repoURL }} 14 | targetRevision: {{ .Values.spec.source.targetRevision }} 15 | syncPolicy: 16 | automated: 17 | selfHeal: true 18 | prune: true -------------------------------------------------------------------------------- /manifests/apps/templates/matoru.ru.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: matoru.ru 5 | namespace: {{ .Values.metadata.namespace }} 6 | spec: 7 | destination: 8 | namespace: matoru-ru 9 | server: {{ .Values.spec.destination.server }} 10 | project: {{ .Values.spec.project }} 11 | source: 12 | path: manifests/apps/manifests/matoru.ru 13 | repoURL: {{ .Values.spec.source.repoURL }} 14 | targetRevision: {{ .Values.spec.source.targetRevision }} 15 | syncPolicy: 16 | automated: 17 | selfHeal: true 18 | prune: true 19 | -------------------------------------------------------------------------------- /manifests/tools/templates/gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: gateway 5 | namespace: {{ .Values.metadata.namespace }} 6 | spec: 7 | destination: 8 | namespace: default 9 | server: {{ .Values.spec.destination.server }} 10 | project: {{ .Values.spec.project }} 11 | source: 12 | path: 
manifests/tools/manifests/gateway 13 | repoURL: {{ .Values.spec.source.repoURL }} 14 | targetRevision: {{ .Values.spec.source.targetRevision }} 15 | syncPolicy: 16 | automated: 17 | selfHeal: true 18 | prune: true 19 | 20 | -------------------------------------------------------------------------------- /manifests/apps/templates/sample-ws.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: sample-ws 5 | namespace: {{ .Values.metadata.namespace }} 6 | spec: 7 | destination: 8 | namespace: sample-ws 9 | server: {{ .Values.spec.destination.server }} 10 | project: {{ .Values.spec.project }} 11 | source: 12 | path: manifests/apps/manifests/sample-ws 13 | repoURL: {{ .Values.spec.source.repoURL }} 14 | targetRevision: {{ .Values.spec.source.targetRevision }} 15 | syncPolicy: 16 | automated: 17 | selfHeal: true 18 | prune: true 19 | 20 | -------------------------------------------------------------------------------- /manifests/tools/templates/storageclass.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: storageclass 5 | namespace: {{ .Values.metadata.namespace }} 6 | spec: 7 | destination: 8 | namespace: kube-system 9 | server: {{ .Values.spec.destination.server }} 10 | project: {{ .Values.spec.project }} 11 | sources: 12 | - path: manifests/tools/manifests/storageclass 13 | repoURL: {{ .Values.spec.source.repoURL }} 14 | targetRevision: {{ .Values.spec.source.targetRevision }} 15 | syncPolicy: 16 | automated: 17 | selfHeal: true 18 | prune: true 19 | -------------------------------------------------------------------------------- /manifests/apps/templates/only-ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: 
only-ns 5 | namespace: {{ .Values.metadata.namespace }} 6 | spec: 7 | destination: 8 | namespace: only-ns 9 | server: {{ .Values.spec.destination.server }} 10 | project: {{ .Values.spec.project }} 11 | source: 12 | path: manifests/apps/manifests/only-ns 13 | repoURL: {{ .Values.spec.source.repoURL }} 14 | targetRevision: {{ .Values.spec.source.targetRevision }} 15 | syncPolicy: 16 | syncOptions: 17 | - CreateNamespace=true 18 | automated: 19 | selfHeal: true 20 | prune: true 21 | -------------------------------------------------------------------------------- /manifests/tools/templates/cloudflared.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: cloudflared 5 | namespace: {{ .Values.metadata.namespace }} 6 | spec: 7 | destination: 8 | namespace: cloudflared 9 | server: {{ .Values.spec.destination.server }} 10 | project: {{ .Values.spec.project }} 11 | source: 12 | path: manifests/tools/manifests/cloudflared 13 | repoURL: {{ .Values.spec.source.repoURL }} 14 | targetRevision: {{ .Values.spec.source.targetRevision }} 15 | syncPolicy: 16 | syncOptions: 17 | - CreateNamespace=true 18 | automated: 19 | selfHeal: true 20 | prune: true 21 | -------------------------------------------------------------------------------- /manifests/tools/templates/azurefile-csi-driver.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: azurefile-csi-driver 5 | namespace: {{ .Values.metadata.namespace }} 6 | spec: 7 | destination: 8 | namespace: kube-system 9 | server: {{ .Values.spec.destination.server }} 10 | project: {{ .Values.spec.project }} 11 | sources: 12 | - chart: azurefile-csi-driver 13 | repoURL: https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/charts 14 | targetRevision: 1.33.3 15 | helm: 16 | valuesObject: {} 17 | 
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
--------------------------------------------------------------------------------
/manifests/tools/templates/metrics-server.yaml:
--------------------------------------------------------------------------------
# Argo CD Application for metrics-server (kube-system).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: metrics-server
  namespace: {{ .Values.metadata.namespace }}
spec:
  destination:
    namespace: kube-system
    server: {{ .Values.spec.destination.server }}
  project: {{ .Values.spec.project }}
  source:
    chart: metrics-server
    repoURL: https://kubernetes-sigs.github.io/metrics-server
    targetRevision: 3.12.2
    helm:
      valuesObject:
        args:
          # NOTE(review): this turns off verification of the kubelets' serving
          # certificates, so an on-path attacker on the node network could
          # feed metrics-server forged resource metrics. It is the common
          # workaround for kubeadm clusters whose kubelet certs are
          # self-signed; the proper fix is serverTLSBootstrap on the kubelets
          # (and approving their CSRs), after which this flag can go.
          - --kubelet-insecure-tls
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
--------------------------------------------------------------------------------
/manifests/tools/manifests/gha-runner-scale-sets/externalsecret.yaml:
--------------------------------------------------------------------------------
# Materialises the GitHub App credentials used by the runner scale sets
# (referenced as githubConfigSecret in _helpers.tpl) from Azure Key Vault.
# The resulting Secret contains a GitHub App private key; anyone with
# `get secrets` in the arc-runners namespace can act as that App, so keep
# namespace RBAC tight and treat this namespace as sensitive.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: pre-defined-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: azure-store
  target:
    name: pre-defined-secret
  data:
    - secretKey: github_app_id
      remoteRef:
        key: secret/arc-github-app-id
    - secretKey: github_app_installation_id
      remoteRef:
        key: secret/arc-github-app-installation-id
    - secretKey: github_app_private_key
      remoteRef:
        key: secret/arc-github-app-private-key
--------------------------------------------------------------------------------
/manifests/tools/templates/github-actions-runner-controller.yaml:
--------------------------------------------------------------------------------
# Argo CD Application for the Actions Runner Controller (arc-systems).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: github-actions-runner-controller
  namespace: {{ .Values.metadata.namespace }}
spec:
  destination:
    namespace: arc-systems
    server: {{ .Values.spec.destination.server }}
  project: {{ .Values.spec.project }}
  sources:
    - chart: gha-runner-scale-set-controller
      repoURL: ghcr.io/actions/actions-runner-controller-charts
      targetRevision: {{ .Values.gha.chart.version }}
      helm:
        releaseName: arc
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    # NOTE(review): unlike most Applications in this directory, automated sync
    # here has neither selfHeal nor prune, so manual drift in arc-systems
    # (e.g. an edited controller Deployment) persists until the next commit.
    # Confirm that is intended.
    automated: {}
--------------------------------------------------------------------------------
/manifests/tools/manifests/gateway/gateway.yaml:
--------------------------------------------------------------------------------
# Shared Cilium Gateway for matoru.ru and *.matoru.ru.
#
# Both listeners are plain HTTP on 8080: TLS is terminated upstream by
# Cloudflare and traffic arrives through the cloudflared tunnel (see README).
# Because cilium.yaml enables gatewayAPI.hostNetwork, port 8080 is also open on
# the nodes' own LAN addresses, so anything enforced only at the Cloudflare
# edge (Azure AD, per the README) does not apply to clients on the home LAN.
#
# Any namespace labelled shared-gateway-access=true may attach HTTPRoutes to
# either listener and claim any hostname under the wildcard, so the ability to
# label namespaces is part of the trust boundary here.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: common
  namespace: kube-system
spec:
  gatewayClassName: cilium
  listeners:
    - name: http
      hostname: "matoru.ru"
      port: 8080
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              shared-gateway-access: "true"
    - name: http-star
      hostname: "*.matoru.ru"
      port: 8080
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              shared-gateway-access: "true"
--------------------------------------------------------------------------------
/manifests/tools/templates/external-secrets.yaml:
--------------------------------------------------------------------------------
# Argo CD Application for External Secrets Operator plus the in-repo
# manifests under manifests/tools/manifests/external-secrets
# (ClusterSecretStore and workload-identity ServiceAccount).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: external-secrets
  namespace: {{ .Values.metadata.namespace }}
spec:
  destination:
    namespace: external-secrets
    server: {{ .Values.spec.destination.server }}
  project: {{ .Values.spec.project }}
  sources:
    - chart: external-secrets
      repoURL: https://charts.external-secrets.io
      targetRevision: 0.18.2
    - path: manifests/tools/manifests/external-secrets
      repoURL: {{
.Values.spec.source.repoURL }}
      targetRevision: {{ .Values.spec.source.targetRevision }}
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
      prune: true
--------------------------------------------------------------------------------
/manifests/tools/manifests/minio/httproute.yaml:
--------------------------------------------------------------------------------
# Exposes the MinIO console (minio.matoru.ru -> :9001) and the S3 API
# (s3.matoru.ru -> :9000) through the shared Gateway in kube-system.
# Both hostnames are reachable from the Internet via the Cloudflare tunnel;
# unless Cloudflare Access is configured for them, the only access control in
# front of the S3 API is MinIO's own credential check (root credentials come
# from the akv-secret Secret, see minio.yaml), so a permissive bucket policy
# is immediately Internet-facing.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httproute-ui
spec:
  hostnames:
    - minio.matoru.ru
  parentRefs:
    - name: common
      namespace: kube-system
  rules:
    - backendRefs:
        - name: minio
          port: 9001
      matches:
        - path:
            type: PathPrefix
            value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httproute-api
spec:
  hostnames:
    - s3.matoru.ru
  parentRefs:
    - name: common
      namespace: kube-system
  rules:
    - backendRefs:
        - name: minio
          port: 9000
      matches:
        - path:
            type: PathPrefix
            value: /
--------------------------------------------------------------------------------
/manifests/tools/templates/nfs-subdir-external-provisioner.yaml:
--------------------------------------------------------------------------------
# Argo CD Application for the NFS subdir provisioner.
# The export lives on 192.168.11.100, the same address cilium.yaml uses as
# k8sServiceHost (i.e. the control-plane node). Unless the export uses
# Kerberos (nothing here suggests it does), NFS trusts the client's claimed
# UID/GID, so every host that can reach the export can read every PV under
# /export/nfs/home-kubernetes.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: nfs-subdir-external-provisioner
  namespace: {{ .Values.metadata.namespace }}
spec:
  destination:
    namespace: nfs-provisioner
    server: {{ .Values.spec.destination.server }}
  project: {{ .Values.spec.project }}
  sources:
    - chart: nfs-subdir-external-provisioner
      repoURL: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner
      targetRevision: 4.0.18
      helm:
        valuesObject:
          nfs:
            server: 192.168.11.100
            path: /export/nfs/home-kubernetes
          storageClass:
            create: false
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
      prune: true
--------------------------------------------------------------------------------
/manifests/tools/manifests/prometheus-stack/externalsecret.yaml:
--------------------------------------------------------------------------------
# Grafana's Azure AD OAuth client credentials, pulled from Azure Key Vault and
# injected into Grafana via envFromSecret in prometheus-stack.yaml.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: akv-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: azure-store
  target:
    name: akv-secret
  data:
    - secretKey: GRAFANA_CLIENT_ID
      remoteRef:
        key: secret/grafana-client-id
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
    - secretKey: GRAFANA_CLIENT_SECRET
      remoteRef:
        key: secret/grafana-client-secret
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
    - secretKey: TENANT_ID
      remoteRef:
        key: secret/tenant-id
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/kustomization.yaml:
--------------------------------------------------------------------------------
# Argo CD HA cluster-install, pinned to an upstream tag, plus the in-repo
# patches under config/patches.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: argocd

resources:
  # Pinned tag: bumping this is a supply-chain change, review the upstream diff
  # (especially RBAC) before moving it.
  - github.com/argoproj/argo-cd//manifests/ha/cluster-install?ref=v3.0.11
  - ./ns.yaml
  - ./httproute.yaml
  - ./httproute-statusbadge.yaml
  - ./appprojects/
  - ./repositories/
  - ./externalsecret.yaml

patches:
  - path: ./config/patches/argocd-cm.yaml
    target:
      kind: ConfigMap
      name: argocd-cm
  - path: ./config/patches/argocd-rbac-cm.yaml
    target:
      kind: ConfigMap
      name: argocd-rbac-cm
  - path: ./config/patches/argocd-cmd-params-cm.yaml
    target:
      kind: ConfigMap
      name: argocd-cmd-params-cm
  # No name: this patch is applied to every Deployment in the upstream
  # install, not just one.
  - path: ./config/patches/deployment.yaml
    target:
      kind: Deployment
  # Extends the argocd-server ClusterRole; review that patch whenever
  # exec.enabled (argocd-cm.yaml) stays on, since exec rides on this role.
  - path: ./config/patches/argocd-argocd-server-role.yaml
    target:
      kind: ClusterRole
      name: argocd-server
--------------------------------------------------------------------------------
/manifests/tools/templates/minio.yaml:
--------------------------------------------------------------------------------
# Argo CD Application for MinIO (Bitnami OCI chart) plus the in-repo
# manifests under manifests/tools/manifests/minio. Root credentials are read
# from the akv-secret Secret (keys root-user / root-password), never from
# values, so nothing secret lives in this file.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: minio
  namespace: {{ .Values.metadata.namespace }}
spec:
  destination:
    namespace: minio
    server: {{ .Values.spec.destination.server }}
  project: {{ .Values.spec.project }}
  sources:
    - path: manifests/tools/manifests/minio
      repoURL: {{ .Values.spec.source.repoURL }}
      targetRevision: {{ .Values.spec.source.targetRevision }}
    - chart: minio
      repoURL: registry-1.docker.io/bitnamicharts
      targetRevision: 14.8.1
      helm:
        valuesObject:
          global:
            defaultStorageClass: fast
          persistence:
            size: 50Gi
          auth:
            existingSecret: akv-secret
            rootUserSecretKey: root-user
            rootPasswordSecretKey: root-password
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
--------------------------------------------------------------------------------
/manifests/tools/templates/cilium.yaml:
--------------------------------------------------------------------------------
# Argo CD Application for Cilium: CNI, kube-proxy replacement, the Gateway API
# implementation behind gateway/gateway.yaml, and Hubble.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cilium
  namespace: {{ .Values.metadata.namespace }}
spec:
  destination:
    namespace: kube-system
    server: {{ .Values.spec.destination.server }}
  project: {{ .Values.spec.project }}
  sources:
    - path: manifests/tools/manifests/cilium
      repoURL: {{ .Values.spec.source.repoURL }}
      targetRevision: {{ .Values.spec.source.targetRevision }}
    - chart: cilium
      repoURL: https://helm.cilium.io/
targetRevision: 1.16.1 18 | helm: 19 | valuesObject: 20 | k8sServiceHost: 192.168.11.100 21 | k8sServicePort: 6443 22 | kubeProxyReplacement: true 23 | gatewayAPI: 24 | enabled: true 25 | hostNetwork: 26 | enabled: true 27 | hubble: 28 | relay: 29 | enabled: true 30 | ui: 31 | enabled: true 32 | syncPolicy: 33 | automated: 34 | selfHeal: true 35 | prune: true 36 | -------------------------------------------------------------------------------- /manifests/apps/manifests/matoru.ru/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: web 5 | namespace: matoru-ru 6 | spec: 7 | selector: 8 | matchLabels: 9 | app: matoru.ru 10 | replicas: 2 11 | template: 12 | metadata: 13 | labels: 14 | app: matoru.ru 15 | spec: 16 | containers: 17 | - image: matoruru/matoru.ru:latest 18 | imagePullPolicy: Always 19 | name: web 20 | ports: 21 | - name: http 22 | containerPort: 3000 23 | protocol: TCP 24 | resources: 25 | requests: 26 | cpu: 20m 27 | memory: 200Mi 28 | limits: 29 | cpu: 100m 30 | memory: 500Mi 31 | startupProbe: 32 | httpGet: 33 | path: / 34 | port: http 35 | failureThreshold: 60 36 | periodSeconds: 1 37 | readinessProbe: 38 | httpGet: 39 | path: / 40 | port: http 41 | failureThreshold: 10 42 | periodSeconds: 1 43 | -------------------------------------------------------------------------------- /manifests/tools/templates/postgres-operator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: postgres-operator 5 | namespace: {{ .Values.metadata.namespace }} 6 | spec: 7 | destination: 8 | namespace: postgres-operator 9 | server: {{ .Values.spec.destination.server }} 10 | project: {{ .Values.spec.project }} 11 | sources: 12 | - chart: postgres-operator 13 | repoURL: https://opensource.zalando.com/postgres-operator/charts/postgres-operator 14 | 
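      targetRevision: 1.13.0
      helm:
        valuesObject:
          configKubernetes:
            # Per the option name: keep PVCs when a postgresql CR is deleted,
            # so a pruned/mis-deleted CR does not take the data with it.
            enable_persistent_volume_claim_deletion: false
    - chart: postgres-operator-ui
      repoURL: https://opensource.zalando.com/postgres-operator/charts/postgres-operator-ui
      targetRevision: 1.13.0
      helm:
        valuesObject:
          fullnameOverride: postgres-operator-ui
          envs:
            # NOTE(review): the UI can create and drop Postgres clusters in
            # every namespace, and nothing in these values authenticates its
            # users; it must only be reachable through the Azure AD gated path
            # described in the README, never via the bare wildcard listener.
            targetNamespace: "*"
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
      prune: true
--------------------------------------------------------------------------------
/manifests/apps/manifests/sample-ws/configmap/index.js:
--------------------------------------------------------------------------------
// Minimal WebSocket echo server used by the sample-ws Deployment.
// The plain HTTP handler exists so the startup/readiness probes on "/" get a
// 200; every other HTTP request gets the same answer.
const WebSocket = require('ws');
const http = require('http');
const port = 3000;
// Upper bound on a single WebSocket message. `ws` defaults to 100 MiB, which
// lets one unauthenticated client make the pod buffer (and echo back) that
// much; 64 KiB is plenty for an echo demo. Oversized frames close the
// connection and surface through the 'error' handler below.
const maxPayload = 64 * 1024;

// HTTP server for health checks
const server = http.createServer((req, res) => {
  res.statusCode = 200;
  res.setHeader('Content-Type', 'text/plain');
  res.end('WebSocket server is running\n');
});

// WebSocket server. There is no Origin check and no authentication: this is a
// sample, anything reaching the port may connect.
const wss = new WebSocket.Server({ server, maxPayload });

wss.on('connection', (ws) => {
  console.log('Client connected');

  ws.on('message', (message) => {
    // `message` is untrusted client input (a Buffer in ws >= 8); log only its
    // size so a client cannot inject arbitrary lines into the log stream.
    console.log(`Received ${message.length} bytes`);
    // Echo the message back to the client
    ws.send(`Echo: ${message}`);
  });

  ws.on('close', () => {
    console.log('Client disconnected');
  });

  ws.on('error', (error) => {
    console.error('WebSocket error:', error);
  });

  // Send welcome message
  ws.send('Connected to WebSocket echo server');
});

server.listen(port, '0.0.0.0', () => {
  console.log(`WebSocket server running at ws://0.0.0.0:${port}/`);
});

--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/externalsecret.yaml: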
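--------------------------------------------------------------------------------
# Two ExternalSecrets feeding Argo CD from Azure Key Vault:
#  - argocd-secret: merges only the Azure OIDC client secret into the Secret
#    the upstream install already owns (creationPolicy: Merge leaves the
#    server's own keys in place instead of replacing the whole Secret).
#  - github-creds: an Argo CD repo-creds template scoped to
#    https://github.com/matoruru, built from a GitHub App whose private key
#    comes from Key Vault. The App ID and installation ID are identifiers, not
#    secrets, so keeping them in Git is fine.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: argocd-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: azure-store
  target:
    name: argocd-secret
    creationPolicy: Merge
  data:
    - secretKey: oidc.azure.clientSecret
      remoteRef:
        key: secret/oidc-azure-clientSecret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: github-creds
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: azure-store
  target:
    name: github-creds
    template:
      metadata:
        labels:
          argocd.argoproj.io/secret-type: repo-creds
      data:
        url: https://github.com/matoruru
        type: git
        githubAppID: "1073910"
        githubAppInstallationID: "57796268"
        githubAppPrivateKey: "{{ .githubAppPrivateKey }}"
  data:
    - secretKey: githubAppPrivateKey
      remoteRef:
        key: secret/argocd-github-creds-githubAppPrivateKey

--------------------------------------------------------------------------------
/manifests/tools/templates/azure-workload-identity-webhook.yaml:
--------------------------------------------------------------------------------
# Argo CD Application for the Azure Workload Identity mutating webhook, which
# is what lets in-cluster workloads (ESO's ServiceAccount) authenticate to
# Azure without a stored client secret.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: azure-workload-identity-webhook
  namespace: {{ .Values.metadata.namespace }}
spec:
  destination:
    namespace: azure-workload-identity-system
    server: {{ .Values.spec.destination.server }}
  project: {{ .Values.spec.project }}
  source:
    chart: workload-identity-webhook
    repoURL: https://azure.github.io/azure-workload-identity/charts
    targetRevision: 1.5.1
    helm:
      valuesObject:
        azureTenantID: 640dd2c2-336d-4abf-b0ee-0024877ea3fb
        replicaCount: 3
  ignoreDifferences:
    - group: apps
      kind: Deployment
      name: azure-wi-webhook-controller-manager
      namespace: azure-workload-identity-system
      # https://github.com/argoproj/argo-cd/issues/3150#issuecomment-1218153486
      jqPathExpressions:
        - .spec.template.metadata.annotations."kubectl.kubernetes.io/restartedAt"
        - if (.spec.template.metadata.annotations | length) == 0 then .spec.template.metadata.annotations else empty end
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
      prune: true
--------------------------------------------------------------------------------
/manifests/tools/manifests/cloudflared/deployment.yaml:
--------------------------------------------------------------------------------
# cloudflared tunnel connector: the single ingress path for every public
# hostname of this cluster (see README).
#
# The tunnel token is the credential that lets a process act as this
# connector. It is handed to cloudflared through the TUNNEL_TOKEN environment
# variable rather than as `--token $(CLOUDFLARED_TOKEN)` on the command line:
# Kubernetes expands $(VAR) into argv, so the expanded token would be readable
# by anything that can see the process list (kubectl exec, `ps` on the node,
# crash dumps), whereas the environment is only visible to the process itself.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: cloudflared
  name: cloudflared-home-k8s
  namespace: cloudflared
spec:
  replicas: 2
  selector:
    matchLabels:
      pod: cloudflared-home-k8s
  template:
    metadata:
      labels:
        pod: cloudflared-home-k8s
    spec:
      # cloudflared only needs its tunnel token, never the Kubernetes API.
      automountServiceAccountToken: false
      containers:
        - command:
            - cloudflared
            - tunnel
            # In a k8s environment, the metrics server needs to listen outside the pod it runs on.
            # The address 0.0.0.0:2000 allows any pod in the namespace.
            - --metrics
            - 0.0.0.0:2000
            - run
          # TODO(review): pin to a versioned tag or digest; `latest` lets any
          # upstream push change the binary that holds the tunnel credential.
          image: cloudflare/cloudflared:latest
          name: cloudflared-home-k8s
          # Outbound-only QUIC/HTTP2 client plus a metrics listener on 2000:
          # no capabilities required.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          livenessProbe:
            httpGet:
              # Cloudflared has a /ready endpoint which returns 200 if and only if
              # it has an active connection to the edge.
              path: /ready
              port: 2000
            failureThreshold: 1
            initialDelaySeconds: 10
            periodSeconds: 10
          env:
            # `tunnel run` reads TUNNEL_TOKEN when no --token flag is given.
            # The Secret keeps its existing CLOUDFLARED_TOKEN key, so no
            # re-provisioning of the secret is needed.
            - name: TUNNEL_TOKEN
              valueFrom:
                secretKeyRef:
                  name: cloudflared-home-k8s-secret
                  key: CLOUDFLARED_TOKEN
          envFrom:
            - secretRef:
                name: cloudflared-home-k8s-secret
--------------------------------------------------------------------------------
/manifests/tools/manifests/argocd/config/patches/argocd-cm.yaml:
--------------------------------------------------------------------------------
# JSON6902 patch applied to the argocd-cm ConfigMap by kustomization.yaml.
- op: add
  path: /data
  value:
    # Local admin account off: every login goes through the Azure AD OIDC
    # config below, and Argo CD RBAC (argocd-rbac-cm.yaml) decides what an
    # authenticated user may do.
    admin.enabled: "false"

    # Enabling Exec tab.
    # NOTE(review): this lets any user whose Argo CD RBAC grants `exec` open a
    # shell in any pod of any synced Application — including the privileged
    # dind sidecars of the runner pods — so the exec policy in
    # argocd-rbac-cm.yaml is the real control here; keep it to named users.
    exec.enabled: 'true'

    kustomize.buildOptions: --enable-helm

    # https://argo-cd.readthedocs.io/en/stable/user-guide/status-badge/#status-badge
    # Badges are served without authentication (httproute-statusbadge.yaml),
    # which publicly discloses Application names and their sync/health state.
    statusbadge.enabled: 'true'

    # SSO: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/
    url: https://argocd.matoru.ru/
    oidc.config: |
      name: Azure
      issuer: https://login.microsoftonline.com/640dd2c2-336d-4abf-b0ee-0024877ea3fb/v2.0
      clientID: 43d9ca70-41c6-4210-a3cc-eb7717b1f4bc
      # Resolved at runtime from argocd-secret, which externalsecret.yaml
      # populates from Key Vault.
      clientSecret: $oidc.azure.clientSecret
      requestedIDTokenClaims:
        groups:
          essential: true
      requestedScopes:
        - openid
        - profile
        - email

    # https://docs.cilium.io/en/latest/configuration/argocd-issues/#solution
    resource.exclusions: |
      - apiGroups:
          - cilium.io
        kinds:
          - CiliumIdentity
        clusters:
          - "*"
      - apiGroups:
          - "*"
        kinds:
          - PersistentVolume
        clusters:
          - "*"
--------------------------------------------------------------------------------
/manifests/apps/manifests/sample-ws/deployment.yaml:
--------------------------------------------------------------------------------
# WebSocket echo sample: runs configmap/index.js from a ConfigMap on a stock
# node image.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: sample-ws
  replicas: 2
  template:
    metadata:
      labels:
        app: sample-ws
    spec: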
containers: 16 | - image: node:latest 17 | imagePullPolicy: IfNotPresent 18 | name: web 19 | command: ["sh", "-c", "cp -rL /app-mnt/* /app/ && echo 'Installing dependencies...' && npm install && echo 'Starting server...' && node index.js"] 20 | workingDir: /app 21 | ports: 22 | - name: http 23 | containerPort: 3000 24 | protocol: TCP 25 | volumeMounts: 26 | - name: config 27 | mountPath: /app-mnt 28 | readOnly: true 29 | resources: 30 | requests: 31 | cpu: 200m 32 | memory: 200Mi 33 | limits: 34 | cpu: 500m 35 | memory: 500Mi 36 | startupProbe: 37 | httpGet: 38 | path: / 39 | port: http 40 | failureThreshold: 120 41 | periodSeconds: 1 42 | readinessProbe: 43 | httpGet: 44 | path: / 45 | port: http 46 | failureThreshold: 10 47 | periodSeconds: 1 48 | volumes: 49 | - name: config 50 | configMap: 51 | name: sample-ws-config 52 | -------------------------------------------------------------------------------- /manifests/tools/templates/github-actions-runner-scale-sets.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: Application 3 | metadata: 4 | name: github-actions-runner-scale-sets 5 | namespace: {{ .Values.metadata.namespace }} 6 | spec: 7 | destination: 8 | namespace: arc-runners 9 | server: {{ .Values.spec.destination.server }} 10 | project: {{ .Values.spec.project }} 11 | sources: 12 | - path: manifests/tools/manifests/gha-runner-scale-sets 13 | repoURL: {{ .Values.spec.source.repoURL }} 14 | targetRevision: {{ .Values.spec.source.targetRevision }} 15 | - chart: gha-runner-scale-set 16 | repoURL: ghcr.io/actions/actions-runner-controller-charts 17 | targetRevision: {{ .Values.gha.chart.version }} 18 | helm: 19 | releaseName: raspi-basic 20 | valuesObject: 21 | {{- include "github-actions-runner-controller.valuesObject.base" . | nindent 8 }} 22 | {{- include "github-actions-runner-controller.valuesObject.dind" (merge (dict "runnerImage" "matoruru/gha-runner-base:2.326.0") .) 
        | nindent 8 }}
        githubConfigUrl: https://github.com/matoruru/matoru.ru
  - chart: gha-runner-scale-set
    repoURL: ghcr.io/actions/actions-runner-controller-charts
    targetRevision: {{ .Values.gha.chart.version }}
    helm:
      releaseName: raspi-golang1-23-3
      valuesObject:
        {{- include "github-actions-runner-controller.valuesObject.base" . | nindent 8 }}
        {{- include "github-actions-runner-controller.valuesObject.dind" (merge (dict "runnerImage" "matoruru/gha-runner-golang:1.23") .) | nindent 8 }}
        githubConfigUrl: https://github.com/matoruru/bekidatta.com
  syncPolicy:
    syncOptions:
    - CreateNamespace=true
    - ServerSideApply=true
    automated: {}
--------------------------------------------------------------------------------
/manifests/tools/templates/_helpers.tpl:
--------------------------------------------------------------------------------
{{/*
Values shared by every runner scale set: the ARC controller's ServiceAccount,
the GitHub App credentials Secret produced by
manifests/tools/manifests/gha-runner-scale-sets/externalsecret.yaml, and the
scaling bounds.
*/}}
{{- define "github-actions-runner-controller.valuesObject.base" -}}
controllerServiceAccount:
  namespace: arc-systems
  name: arc-gha-rs-controller
githubConfigSecret: pre-defined-secret
maxRunners: 3
minRunners: 1
{{- end -}}

{{/*
Docker-in-Docker runner pod template. Takes .runnerImage.

Security model — read before reusing:
  - The dind sidecar is `privileged: true`. That is what dockerd needs, but it
    makes every job on this runner effectively root on the node, and the
    runner container reaches dockerd over the shared /var/run socket, so job
    code gets that power too. Only attach repos whose workflow authors you
    trust and keep fork-PR approval on.
  - `docker:dind` carries no tag, i.e. `latest` — TODO(review): pin it.
  - DOCKER_GROUP_GID is passed to dockerd's --group so the socket is usable by
    the runner user; 123 presumably matches the docker group in the
    matoruru/gha-runner-* images (not visible here).
  - /home/runner/_work is shared between runner and dind so bind mounts in
    jobs resolve to the same paths on both sides.
*/}}
{{- define "github-actions-runner-controller.valuesObject.dind" -}}
template:
  spec:
    initContainers:
    - name: init-dind-externals
      image: {{ .runnerImage }}
      imagePullPolicy: IfNotPresent
      command:
        ["cp", "-r", "/home/runner/externals/.", "/home/runner/tmpDir/"]
      volumeMounts:
      - name: dind-externals
        mountPath: /home/runner/tmpDir
    containers:
    - name: runner
      image: {{ .runnerImage }}
      imagePullPolicy: IfNotPresent
      command: ["/home/runner/run.sh"]
      env:
      - name: DOCKER_HOST
        value: unix:///var/run/docker.sock
      volumeMounts:
      - name: work
        mountPath: /home/runner/_work
      - name: dind-sock
        mountPath: /var/run
    - name: dind
      image: docker:dind
      args:
      - dockerd
      - --host=unix:///var/run/docker.sock
      - --group=$(DOCKER_GROUP_GID)
      env:
      - name: DOCKER_GROUP_GID
        value: "123"
      securityContext:
        privileged: true
      volumeMounts:
      - name: work
        mountPath: /home/runner/_work
      - name: dind-sock
        mountPath: /var/run
      - name: dind-externals
        mountPath: /home/runner/externals
    volumes:
    - name: work
      emptyDir: {}
    - name: dind-sock
      emptyDir: {}
    - name: dind-externals
      emptyDir: {}
{{- end -}}

{{/*
ignoreDifferences for Istio's validating webhooks. No Istio Application is
visible in this templates directory any more, so this appears to be a
leftover; harmless while unreferenced.
*/}}
{{- define "istio.ignoreDifferences" -}}
ignoreDifferences:
- group: admissionregistration.k8s.io
  kind: ValidatingWebhookConfiguration
  name: istio-validator-istio-system
  jsonPointers:
  - /webhooks/0/failurePolicy
- group: admissionregistration.k8s.io
  kind: ValidatingWebhookConfiguration
  name: istiod-default-validator
  jsonPointers:
  - /webhooks/0/failurePolicy
{{- end -}}
--------------------------------------------------------------------------------
/manifests/tools/templates/loki-stack.yaml:
--------------------------------------------------------------------------------
# Argo CD Application for Loki + Promtail.
# Loki is reached in-cluster by Grafana (prometheus-stack.yaml points its
# datasource at http://loki-stack.loki-stack:3100/ with no credentials).
# Nothing here enables Loki's own auth/multi-tenancy and no NetworkPolicy is
# visible, so presumably any pod that can reach port 3100 can read every
# log line Promtail ships — including whatever secrets applications print.
#
# NOTE(review): `ingester` and `querier` each appear twice under `loki:`
# below (chunk_encoding / replicas, max_concurrent 4 / 2048). Duplicate YAML
# keys are at best last-wins; this looks like a Loki v6 values example pasted
# under the loki-stack 2.10.2 subchart. Verify which of these keys the chart
# actually honours before relying on them.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: loki-stack
  namespace: {{ .Values.metadata.namespace }}
spec:
  destination:
    namespace: loki-stack
    server: {{ .Values.spec.destination.server }}
  project: {{ .Values.spec.project }}
  sources:
    - chart: loki-stack
      repoURL: https://grafana.github.io/helm-charts
      targetRevision: 2.10.2
      helm:
        valuesObject:
          # Grafana Loki: a log aggregation system designed to store and query logs
          loki:
            enabled: true
            schemaConfig:
              configs:
                - from: 2024-04-01
                  store: tsdb
                  object_store: s3
                  schema: v13
                  index:
                    prefix: loki_index_
                    period: 24h
            server:
              http_server_read_timeout: 3m
              http_server_write_timeout: 3m
            ingester:
              chunk_encoding: snappy
            tracing:
              enabled: true
            querier:
              max_concurrent: 4
            deploymentMode: SimpleScalable
            frontend:
              max_outstanding_per_tenant: 4096
              compress_responses: true
            backend:
              replicas: 3
            read:
              replicas: 3
            write:
              replicas: 3
            singleBinary:
              replicas: 0
            ingester:
              replicas: 0
            querier:
              max_concurrent: 2048
            query_range:
              split_queries_by_interval: 0
              parallelise_shardable_queries: true
            queryFrontend:
              replicas: 0
            queryScheduler:
              max_outstanding_requests_per_tenant: 4096
            distributor:
              replicas: 0
            compactor:
              replicas: 0
            indexGateway:
              replicas: 0
            bloomCompactor:
              replicas: 0
            bloomGateway:
              replicas: 0
            persistence:
              enabled: true
              storageClassName: fast
            limits_config:
              split_queries_by_interval: 15m
              max_query_parallelism: 32
          # Promtail: an agent which ships the contents of local logs to Grafana Loki instance
          promtail:
            enabled: true
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      selfHeal: true
      prune: true
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

Home-Kubernetes


## Introduction

Welcome to my Home-Kubernetes repository! My Home-Kubernetes cluster is a lightweight, flexible setup designed for medium-scale personal projects. It can easily be adapted to home automation, media servers, and other personal services.

Please refer to the [/manifests](/manifests) folder for details.

## Architecture Diagram

All HTTPS traffic to the cluster enters through Cloudflare Tunnels. Public content such as the homepages is passed straight to the web server. Protected content — any management UI such as Argo CD — requires the user to be authenticated by Azure AD first.

![](./_assets/home-kubernetes-diagram.drawio.svg)

## Components

### [Raspberry Pi 4](https://www.raspberrypi.com/products/raspberry-pi-4-model-b/)

The cluster is composed of three *Raspberry Pi 4* devices, each with 8GB of RAM. One Pi serves as the control-plane node, while the other two function as worker nodes. The cluster was set up using kubeadm on Ubuntu Server 22.04 LTS.

### [Argo CD](https://argo-cd.readthedocs.io/en/stable/)

Self-managed. Manages all applications through its UI. The built-in `admin` account is disabled; sign-in is via Azure AD (OIDC) only.

### [GitHub Action Runners](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)

My GitHub Actions runners are self-hosted and run on my Raspberry Pis. Each runner pod uses Docker-in-Docker with a privileged sidecar (see `manifests/tools/templates/_helpers.tpl`), so only trusted repositories are attached to them.
Runner Dockerfiles are stored in the [/gha-runner-images](./gha-runner-images/) folder.

### [External Secrets Operator (ESO)](https://external-secrets.io/latest/)

Fetches secrets from Azure Key Vault and generates Kubernetes Secret resources. Most applications rely on this. Works with Workload Identity.

### [Istio Ingress Gateways](https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/)

Quote from the official docs:

> Along with support for Kubernetes Ingress resources, Istio also allows you to configure ingress traffic using either an Istio Gateway or Kubernetes Gateway resource. A Gateway provides more extensive customization and flexibility than Ingress, and allows Istio features such as monitoring and route rules to be applied to traffic entering the cluster.

Note: the manifests currently in this repository use the Kubernetes Gateway API as implemented by Cilium (`gatewayClassName: cilium` in `manifests/tools/manifests/gateway/gateway.yaml`); the Istio section above may describe an earlier setup.

### [cloudflared](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/)

Exposes in-cluster services to the Internet through [Cloudflare Tunnel](https://www.cloudflare.com/products/tunnel/). TLS terminates at Cloudflare; inside the cluster the shared Gateway listens on plain HTTP.
--------------------------------------------------------------------------------
/manifests/tools/templates/prometheus-stack.yaml:
--------------------------------------------------------------------------------
# Argo CD Application for kube-prometheus-stack (Prometheus, Alertmanager,
# Grafana) plus the in-repo manifests under
# manifests/tools/manifests/prometheus-stack.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: prometheus-stack
  namespace: {{ .Values.metadata.namespace }}
spec:
  destination:
    namespace: prometheus-stack
    server: {{ .Values.spec.destination.server }}
  project: {{ .Values.spec.project }}
  sources:
    - path: manifests/tools/manifests/prometheus-stack
      repoURL: {{ .Values.spec.source.repoURL }}
      targetRevision: {{ .Values.spec.source.targetRevision }}
    - chart: kube-prometheus-stack
      repoURL: https://prometheus-community.github.io/helm-charts
      targetRevision: 62.7.0
      helm:
        valuesObject:
          fullnameOverride: prometheus-stack
          prometheus:
            prometheusSpec:
              storageSpec:
                volumeClaimTemplate:
                  spec:
                    storageClassName: fast
                    accessModes:
                      - ReadWriteOnce
                    resources:
                      requests:
                        storage: 50Gi
          grafana:
            # Provides GRAFANA_CLIENT_ID / GRAFANA_CLIENT_SECRET / TENANT_ID,
            # see manifests/tools/manifests/prometheus-stack/externalsecret.yaml.
            envFromSecret: akv-secret
            grafana.ini:
              server:
                root_url: https://grafana.matoru.ru
              users:
                allow_sign_up: false
                auto_assign_org: true
                auto_assign_org_role: Viewer
              auth:
                # Password login is off entirely; Azure AD is the only way in.
                disable_login_form: true
              auth.basic:
                enabled: false
              auth.azuread:
                name: Azure AD
                enabled: true
                # NOTE(review): allowed_group and allowed_domains are empty, so
                # with allow_sign_up=true every account in the tenant
                # (allowed_organizations) is auto-provisioned as a Viewer and
                # can read all metrics and — via the Loki datasource below —
                # all logs. If only some users should see that, set
                # allowed_group to the Azure AD group object ID(s).
                allow_sign_up: true
                auto_login: true
                client_id: $__env{GRAFANA_CLIENT_ID}
                client_secret: $__env{GRAFANA_CLIENT_SECRET}
                scopes: openid email profile
                auth_url: https://login.microsoftonline.com/$__env{TENANT_ID}/oauth2/v2.0/authorize
                token_url: https://login.microsoftonline.com/$__env{TENANT_ID}/oauth2/v2.0/token
                allowed_domains:
                allowed_group:
                allowed_organizations: $__env{TENANT_ID}
                role_attribute_strict: false
                allow_assign_grafana_admin: false
                skip_org_role_sync: false
                use_pkce: true
            sidecar:
              dashboards:
                provider:
                  allowUiUpdates: true
            additionalDataSources:
              # Plain HTTP, in-cluster only, no credentials: Loki itself has no
              # auth configured (see loki-stack.yaml).
              - name: Loki
                type: loki
                uid: loki
                url: http://loki-stack.loki-stack:3100/
                access: proxy
                editable: false
            persistence:
              enabled: true
              type: pvc
              storageClassName: fast
              size: 5Gi
            # Because of this error: https://github.com/grafana/helm-charts/issues/752
            initChownData:
              enabled: false
  syncPolicy:
    syncOptions:
      - ServerSideApply=true
    automated:
      selfHeal: true
      prune: true
--------------------------------------------------------------------------------
/_assets/Argo-CD.svg:
--------------------------------------------------------------------------------