├── .gitignore
├── LICENSE
├── README.md
├── docs
├── Cert-Manager.md
├── Database-Operators.md
├── Flux.md
├── Gitea.md
├── Hardware.md
├── Proxmox.md
├── apps
│ ├── README.md
│ ├── linkding.md
│ └── podinfo.md
├── cilium
│ └── README.md
├── clusterdns
│ └── README.md
├── images
│ ├── Proxmox-Cluster.drawio
│ ├── Proxmox-Cluster.png
│ ├── TerraformSecret.png
│ ├── TerraformToken.png
│ ├── VMs-are-running.png
│ ├── gui-node-ceph-install-wizard-step2.png
│ ├── ha-add-resource.png
│ ├── ha-status.png
│ ├── img.png
│ ├── install-ceph.png
│ ├── lxc-template-available.png
│ ├── lxc-template-download.png
│ ├── proxmox-network.png
│ ├── setting-up-gitea.png
│ ├── setting-up-proxmox.png
│ ├── setting-up-vms.png
│ └── vlan.png
├── openTofu
│ ├── .gitignore
│ ├── README.md
│ ├── credentails.auto.tfvars
│ ├── main.tf
│ ├── provider.tf
│ └── virtualmachines.auto.tfvars
├── storage
│ ├── README.md
│ ├── csi-driver-nfs.md
│ └── rook.md
└── talos
│ ├── README.md
│ ├── config-patch-control-plane.yaml
│ ├── config-patch.yaml
│ ├── controlplane.prod.yaml
│ ├── kubeconfig
│ ├── talosconfig
│ └── worker.prod.yaml
└── kubernetes
├── .sops.yaml
├── apps
├── default
│ ├── overlays
│ │ └── prod
│ │ │ └── kustomization.yaml
│ └── podinfo
│ │ ├── apps
│ │ ├── gateway.yaml
│ │ ├── helmrelease.yaml
│ │ ├── http-filter-redirect.yaml
│ │ ├── httproute.yaml
│ │ └── kustomization.yaml
│ │ └── prod
│ │ ├── certificate.yaml
│ │ └── kustomization.yaml
├── linkding
│ ├── apps
│ │ ├── certificate.yaml
│ │ ├── gateway.yaml
│ │ ├── helmrelease.yaml
│ │ ├── httproute.yaml
│ │ └── kustomization.yaml
│ └── prod
│ │ ├── backup-secrets.prod.yaml
│ │ ├── database
│ │ ├── RunManualBackup.yaml
│ │ ├── kustomization.yaml
│ │ ├── linkding-database.yaml
│ │ └── scheduledbackup.yaml
│ │ ├── kustomization.yaml
│ │ ├── linkding-database.yaml
│ │ ├── linkding.yaml
│ │ ├── namespace.yaml
│ │ └── secret.prod.yaml
└── overlays
│ └── prod
│ ├── default.yaml
│ ├── kustomization.yaml
│ └── linkding.yaml
├── clusters
└── prod
│ ├── flux-system
│ ├── gotk-components.yaml
│ ├── gotk-sync.yaml
│ └── kustomization.yaml
│ └── kustomization.yaml
├── infrastructure
├── cert-manager
│ ├── app
│ │ ├── prod
│ │ │ ├── configmap.yaml
│ │ │ └── kustomization.yaml
│ │ └── release
│ │ │ ├── helmrelease.yaml
│ │ │ └── kustomization.yaml
│ └── overlays
│ │ └── prod
│ │ ├── cert-manager.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ ├── resources.yaml
│ │ └── resources
│ │ ├── clusterissuer.yaml
│ │ ├── kustomization.yaml
│ │ └── secret.prod.yaml
├── cilium
│ ├── cilium
│ │ ├── app
│ │ │ ├── gateway.yaml
│ │ │ ├── helmrelease.yaml
│ │ │ ├── httproute.yaml
│ │ │ └── kustomization.yaml
│ │ └── overlays
│ │ │ └── prod
│ │ │ ├── certificate.yaml
│ │ │ ├── cilium-resources.yaml
│ │ │ ├── cilium.yaml
│ │ │ ├── configmap.yaml
│ │ │ ├── kustomization.yaml
│ │ │ └── resources
│ │ │ ├── ciliuml2announcementpolicy.yaml
│ │ │ ├── ciliumloadbalancerippool.yaml
│ │ │ └── kustomization.yaml
│ └── overlays
│ │ └── prod
│ │ ├── cilium.yaml
│ │ └── kustomization.yaml
├── clusterdns
│ ├── bind9
│ │ ├── README.md
│ │ ├── app
│ │ │ ├── deployment.yaml
│ │ │ ├── kustomization.yaml
│ │ │ └── service.yaml
│ │ └── prod
│ │ │ ├── configmap-etc-bind.yaml
│ │ │ ├── configmap-var-lib-bind.yaml
│ │ │ ├── kustomization.yaml
│ │ │ └── secret.prod.yaml
│ ├── external-dns
│ │ ├── app
│ │ │ ├── helmrelease.yaml
│ │ │ └── kustomization.yaml
│ │ └── prod
│ │ │ ├── configmap.yaml
│ │ │ ├── kustomization.yaml
│ │ │ └── secret.prod.yaml
│ └── overlays
│ │ └── prod
│ │ ├── bind9.yaml
│ │ ├── external-dns.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
├── csi-driver-nfs
│ ├── app
│ │ ├── helmrelease.yaml
│ │ └── kustomization.yaml
│ └── overlays
│ │ └── prod
│ │ ├── csi-driver-nfs.yaml
│ │ ├── kustomization.yaml
│ │ ├── storageclasses.yaml
│ │ └── storageclasses
│ │ ├── kustomization.yaml
│ │ └── storageclasses.yaml
├── database-operators
│ ├── cloudnative-pg
│ │ ├── helmrelease.yaml
│ │ └── kustomization.yaml
│ ├── mariadb-operator
│ │ ├── helmrelease.yaml
│ │ └── kustomization.yaml
│ └── overlays
│ │ └── prod
│ │ ├── cloudnative-pg.yaml
│ │ ├── kustomization.yaml
│ │ ├── mariadb-operator.yaml
│ │ └── namespace.yaml
├── overlays
│ └── prod
│ │ ├── cert-manager.yaml
│ │ ├── cilium.yaml
│ │ ├── clusterdns.yaml
│ │ ├── csi-driver-nfs.yaml
│ │ ├── database-operators.yaml
│ │ ├── kustomization.yaml
│ │ └── rook-ceph.yaml
└── rook-ceph
│ ├── overlays
│ └── prod
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ ├── rook-ceph-cluster.yaml
│ │ └── rook-ceph.yaml
│ ├── rook-ceph-cluster
│ ├── app
│ │ ├── gateway.yaml
│ │ ├── helmrelease.yaml
│ │ ├── httproute.yaml
│ │ └── kustomization.yaml
│ └── overlays
│ │ └── prod
│ │ ├── ceph-tools-deployment.yaml
│ │ ├── certificate.yaml
│ │ ├── configmap.yaml
│ │ ├── delete-rook
│ │ ├── README.md
│ │ ├── clean-rook-data-talos-a1.yaml
│ │ ├── clean-rook-data-talos-a2.yaml
│ │ ├── clean-rook-data-talos-a3.yaml
│ │ ├── wipe-dev-talos-a1-sdb.yaml
│ │ ├── wipe-dev-talos-a1-sdc.yaml
│ │ ├── wipe-dev-talos-a2-sdb.yaml
│ │ ├── wipe-dev-talos-a2-sdc.yaml
│ │ ├── wipe-dev-talos-a3-sdb.yaml
│ │ └── wipe-dev-talos-a3-sdc.yaml
│ │ └── kustomization.yaml
│ └── rook-ceph
│ ├── helmrelease.yaml
│ └── kustomization.yaml
├── repositories
├── README.md
├── git
│ └── kustomization.yaml
├── helm
│ ├── bitnami.yaml
│ ├── cilium.yaml
│ ├── cloudnative-pg.yaml
│ ├── coredns.yaml
│ ├── csi-driver-nfs.yaml
│ ├── grafana.yaml
│ ├── harbor.yaml
│ ├── jetstack.yaml
│ ├── kustomization.yaml
│ ├── longhorn.yaml
│ ├── mariadb-operator.yaml
│ ├── metallb.yaml
│ ├── metrics-server.yaml
│ ├── nfs-subdir-external-provisioner.yaml
│ ├── pascaliske.yaml
│ ├── podinfo.yaml
│ ├── prometheus-community.yaml
│ ├── rook-release.yaml
│ └── traefik.yaml
├── kustomization.yaml
├── oci
│ └── kustomization.yaml
└── s3
│ └── kustomization.yaml
└── sops
├── README.md
└── prod
└── flux-sops-agekey.prod.yaml
/.gitignore:
--------------------------------------------------------------------------------
1 | /.idea/
2 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Creative Commons Legal Code
2 |
3 | CC0 1.0 Universal
4 |
5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
6 | LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
12 | HEREUNDER.
13 |
14 | Statement of Purpose
15 |
16 | The laws of most jurisdictions throughout the world automatically confer
17 | exclusive Copyright and Related Rights (defined below) upon the creator
18 | and subsequent owner(s) (each and all, an "owner") of an original work of
19 | authorship and/or a database (each, a "Work").
20 |
21 | Certain owners wish to permanently relinquish those rights to a Work for
22 | the purpose of contributing to a commons of creative, cultural and
23 | scientific works ("Commons") that the public can reliably and without fear
24 | of later claims of infringement build upon, modify, incorporate in other
25 | works, reuse and redistribute as freely as possible in any form whatsoever
26 | and for any purposes, including without limitation commercial purposes.
27 | These owners may contribute to the Commons to promote the ideal of a free
28 | culture and the further production of creative, cultural and scientific
29 | works, or to gain reputation or greater distribution for their Work in
30 | part through the use and efforts of others.
31 |
32 | For these and/or other purposes and motivations, and without any
33 | expectation of additional consideration or compensation, the person
34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she
35 | is an owner of Copyright and Related Rights in the Work, voluntarily
36 | elects to apply CC0 to the Work and publicly distribute the Work under its
37 | terms, with knowledge of his or her Copyright and Related Rights in the
38 | Work and the meaning and intended legal effect of CC0 on those rights.
39 |
40 | 1. Copyright and Related Rights. A Work made available under CC0 may be
41 | protected by copyright and related or neighboring rights ("Copyright and
42 | Related Rights"). Copyright and Related Rights include, but are not
43 | limited to, the following:
44 |
45 | i. the right to reproduce, adapt, distribute, perform, display,
46 | communicate, and translate a Work;
47 | ii. moral rights retained by the original author(s) and/or performer(s);
48 | iii. publicity and privacy rights pertaining to a person's image or
49 | likeness depicted in a Work;
50 | iv. rights protecting against unfair competition in regards to a Work,
51 | subject to the limitations in paragraph 4(a), below;
52 | v. rights protecting the extraction, dissemination, use and reuse of data
53 | in a Work;
54 | vi. database rights (such as those arising under Directive 96/9/EC of the
55 | European Parliament and of the Council of 11 March 1996 on the legal
56 | protection of databases, and under any national implementation
57 | thereof, including any amended or successor version of such
58 | directive); and
59 | vii. other similar, equivalent or corresponding rights throughout the
60 | world based on applicable law or treaty, and any national
61 | implementations thereof.
62 |
63 | 2. Waiver. To the greatest extent permitted by, but not in contravention
64 | of, applicable law, Affirmer hereby overtly, fully, permanently,
65 | irrevocably and unconditionally waives, abandons, and surrenders all of
66 | Affirmer's Copyright and Related Rights and associated claims and causes
67 | of action, whether now known or unknown (including existing as well as
68 | future claims and causes of action), in the Work (i) in all territories
69 | worldwide, (ii) for the maximum duration provided by applicable law or
70 | treaty (including future time extensions), (iii) in any current or future
71 | medium and for any number of copies, and (iv) for any purpose whatsoever,
72 | including without limitation commercial, advertising or promotional
73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
74 | member of the public at large and to the detriment of Affirmer's heirs and
75 | successors, fully intending that such Waiver shall not be subject to
76 | revocation, rescission, cancellation, termination, or any other legal or
77 | equitable action to disrupt the quiet enjoyment of the Work by the public
78 | as contemplated by Affirmer's express Statement of Purpose.
79 |
80 | 3. Public License Fallback. Should any part of the Waiver for any reason
81 | be judged legally invalid or ineffective under applicable law, then the
82 | Waiver shall be preserved to the maximum extent permitted taking into
83 | account Affirmer's express Statement of Purpose. In addition, to the
84 | extent the Waiver is so judged Affirmer hereby grants to each affected
85 | person a royalty-free, non transferable, non sublicensable, non exclusive,
86 | irrevocable and unconditional license to exercise Affirmer's Copyright and
87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the
88 | maximum duration provided by applicable law or treaty (including future
89 | time extensions), (iii) in any current or future medium and for any number
90 | of copies, and (iv) for any purpose whatsoever, including without
91 | limitation commercial, advertising or promotional purposes (the
92 | "License"). The License shall be deemed effective as of the date CC0 was
93 | applied by Affirmer to the Work. Should any part of the License for any
94 | reason be judged legally invalid or ineffective under applicable law, such
95 | partial invalidity or ineffectiveness shall not invalidate the remainder
96 | of the License, and in such case Affirmer hereby affirms that he or she
97 | will not (i) exercise any of his or her remaining Copyright and Related
98 | Rights in the Work or (ii) assert any associated claims and causes of
99 | action with respect to the Work, in either case contrary to Affirmer's
100 | express Statement of Purpose.
101 |
102 | 4. Limitations and Disclaimers.
103 |
104 | a. No trademark or patent rights held by Affirmer are waived, abandoned,
105 | surrendered, licensed or otherwise affected by this document.
106 | b. Affirmer offers the Work as-is and makes no representations or
107 | warranties of any kind concerning the Work, express, implied,
108 | statutory or otherwise, including without limitation warranties of
109 | title, merchantability, fitness for a particular purpose, non
110 | infringement, or the absence of latent or other defects, accuracy, or
111 | the present or absence of errors, whether or not discoverable, all to
112 | the greatest extent permissible under applicable law.
113 | c. Affirmer disclaims responsibility for clearing rights of other persons
114 | that may apply to the Work or any use thereof, including without
115 | limitation any person's Copyright and Related Rights in the Work.
116 | Further, Affirmer disclaims responsibility for obtaining any necessary
117 | consents, permissions or other rights required for any use of the
118 | Work.
119 | d. Affirmer understands and acknowledges that Creative Commons is not a
120 | party to this document and has no duty or obligation with respect to
121 | this CC0 or use of the Work.
122 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Setting up a high availability SoHo cluster
2 |
3 | ***Very much work in progress, but release early and release often . . .***
4 |
5 | The goal of this project is to learn Kubernetes and at the end of the day, to have a high availability
6 | mini cluster for SoHo tasks. So the result is not so much directed to a 'Home Lab' but more in the
7 | direction of 'Self Hosting', a blurry line to be sure. But you don't really need HA for a home lab.
8 |
9 | Let me get one thing out of the way first: I am only providing this information as a **guide**, use it at your own risk.
10 | I am not responsible for anything that happens to you, your property and especially your data.
11 |
12 | 
13 |
14 | > **IMPORTANT!**
15 | >
16 | > **I am assuming that anyone attempting this kind of cluster, has a good level of technical knowledge, so I'll only be
17 | detailing information relevant to the pitfalls I encountered getting the cluster up and running.**
18 |
19 | # Software
20 |
21 | I am using **Infrastructure as Code** wherever possible to have a repeatable configuration.
22 |
23 | I also use software from the [Cloud Native Computing Foundation](https://www.cncf.io/) (CNCF) projects wherever
24 | possible. Check out the [CNCF Cloud Native Interactive Landscape](https://landscape.cncf.io/) to see what is available.
25 |
26 | With the various pieces of hardware in place and bootable, it is time to get the servers up and running and start
27 | installing the infrastructure.
28 |
29 | # Building the cluster
30 |
31 | 1. Virtual Machines - [Proxmox VE](docs/Proxmox.md)
32 | 2. Cluster configuration - [Gitea Server](docs/Gitea.md)
33 | 3. Infrastructure as code (OpenTofu) - [Creating the virtual machines for the Kubernetes nodes](docs/openTofu/README.md)
34 | 4. Configuring a Talos based [Kubernetes cluster](docs/talos/README.md)
35 | 5. Bootstrapping the cluster using [Flux CD](docs/Flux.md)
36 | 6. Cluster certificate management with [Cert-Manager](docs/Cert-Manager.md)
37 | 7. Setting up the network with [cilium](docs/cilium/README.md)
38 | 8. Adding a cluster hosted [DNS server](docs/clusterdns/README.md)
39 | 9. Attaching [storage](docs/storage/README.md)
40 | 10. Database management using [database operators](docs/Database-Operators.md)
41 | 11. Setting up the first [applications](docs/apps/README.md)
42 |
43 | Inspiration and references:
44 |
45 | All of these creators are an absolute wealth of knowledge and gave me a ton of inspiration to do this project.
46 |
47 | * [Tim Stewart](https://technotim.live/) (YouTube: [Techno Tim](https://www.youtube.com/@TechnoTim))
48 | * [The members of Tim's awesome discord server](https://l.technotim.live/discord)
49 | * [Proxmox](https://www.youtube.com/watch?v=GoZaMgEgrHw&list=PL8cwSAAaP9W37Vnxkw6__sshVY-XohWNm)
50 | * [Jeff Geerling](https://www.youtube.com/@JeffGeerling)
51 | * [Pi Cluster](https://www.pidramble.com/)
52 | * [Ansible 101](https://www.youtube.com/watch?v=goclfp6a2IQ&list=PL2_OBreMn7FqZkvMYt6ATmgC0KAGGJNAN)
53 | * [Marcel Dempers](https://www.youtube.com/@MarcelDempers) (That DevOps Guy)
54 | * [Kubernetes GitOps with Flux](https://www.youtube.com/watch?v=OFgziggbCOg)
55 | * [Victor Farcic](https://www.youtube.com/@DevOpsToolkit) (DevOps Toolkit)
56 | * [Kubernetes](https://www.youtube.com/watch?v=Twtbg6LFnAg&list=PLyicRj904Z9-L3XdyttvdPwRngIfGa52Y)
57 | * [Patrick Kennedy](https://www.youtube.com/@ServeTheHomeVideo) (ServeTheHome)
58 | * [Project TinyMiniMicro](https://www.youtube.com/watch?v=bx4_QCX_khU&list=PLC53fzn9608B-MT5KvuuHct5MiUDO8IF4)
59 | * [David McKone](https://www.youtube.com/@TechTutorialsDavidMcKone) (Tech Tutorials - David McKone)
60 | * [How To Create VLANs in Proxmox For a Single NIC](https://www.youtube.com/watch?v=ljq6wlzn4qo)
61 |
62 | **I wholeheartedly and unreservedly recommend you subscribe to them all!**
63 |
64 | # Back up your data!
65 |
66 | **Now you are self-hosting, you are the system administrator, so don't forget to back up your data!**
67 |
68 | Proxmox allows you to configure snapshots and automated backups, configure and use them.
69 |
70 | Don't forget the 3-2-1 rule - **Have a minimum of 3 backups, 2 local on separate devices and 1 offsite!**
71 |
72 | ---
73 | [Bill Mair](https://github.com/red-lichtie)
74 | [Original document](https://github.com/red-lichtie/homelab-cluster/)
75 |
--------------------------------------------------------------------------------
/docs/Cert-Manager.md:
--------------------------------------------------------------------------------
1 | # Certificate management with Cert-Manager
2 |
3 | [Cert-Manager](https://cert-manager.io/)
4 |
5 | Installation files: [kubernetes/infrastructure/cert-manager](../kubernetes/infrastructure/cert-manager)
6 |
--------------------------------------------------------------------------------
/docs/Database-Operators.md:
--------------------------------------------------------------------------------
1 | # Database operators
2 |
3 | ## CloudNativePG
4 |
5 | Installation files: [kubernetes/infrastructure/database-operators/cloudnative-pg](../kubernetes/infrastructure/database-operators/cloudnative-pg)
6 |
7 |
8 | ## MariaDB Operator
9 |
10 | * **TODO - Not used yet on new cluster**
11 |
12 | Installation files: [kubernetes/infrastructure/database-operators/mariadb-operator](../kubernetes/infrastructure/database-operators/mariadb-operator)
13 |
--------------------------------------------------------------------------------
/docs/Flux.md:
--------------------------------------------------------------------------------
1 | # Managing the cluster with Flux CD
2 |
3 | I use [Flux](https://fluxcd.io/) to manage the software in my cluster.
4 |
5 | Flux natively supports Mozilla SOPS, see the [Flux document](https://fluxcd.io/flux/guides/mozilla-sops/).
6 |
7 | I use [Mozilla SOPS](https://github.com/mozilla/sops) to manage secrets; they are encrypted with
8 | [age](https://github.com/FiloSottile/age), so the encrypted files can be pushed to public repositories.
9 |
10 | ## Bootstrapping Flux
11 |
12 | Both the `user` and the `repository` must already exist on your git server before bootstrapping.
13 |
14 | ```bash
15 | $ export GIT_USER=flux
16 | $ export GIT_PASSWORD=verySecretPassword
17 | $ flux bootstrap git \
18 | --username=$GIT_USER --password=$GIT_PASSWORD \
19 | --token-auth \
20 | --ca-file=/home/$USER/certs/SelfSigned-CA-Cert.crt \
21 | --url=https://git.home.themairs.net/flux/homenetwork.git \
22 | --branch=main \
23 | --path=kubernetes/clusters/prod
24 | ```
25 | * You only need the `--ca-file=$CA_CERT` option if your git server uses a self-signed certificate.
26 |
27 |
28 | ```text
29 | kubernetes/
30 | ├── clusters
31 | │ └── prod
32 | │ └── flux-system
33 | ```
34 |
35 | ### Install your server's sops secret
36 |
37 | This should be the only time you need `kubectl` directly: installing the secret that lets Flux decrypt your
38 | SOPS-encrypted secrets.
39 |
40 | ```shell
41 | sops --decrypt kubernetes/sops/prod/flux-sops-agekey.prod.yaml | kubectl apply -f -
42 | ```
43 |
44 | ### Update the Flux configuration to use the secret
45 |
46 | I add the sops configuration directly to [kubernetes/clusters/prod/flux-system/gotk-sync.yaml](../kubernetes/clusters/prod/flux-system/gotk-sync.yaml):
47 |
48 | ```yaml
49 | ---
50 | apiVersion: kustomize.toolkit.fluxcd.io/v1
51 | kind: Kustomization
52 | metadata:
53 | name: flux-system
54 | namespace: flux-system
55 | spec:
56 | interval: 10m0s
57 | path: ./kubernetes/clusters/prod
58 | prune: true
59 | sourceRef:
60 | kind: GitRepository
61 | name: flux-system
62 | decryption:
63 | provider: sops
64 | secretRef:
65 | name: flux-sops-agekey
66 | ...
67 | ```
68 |
69 | ## Repository structure
70 |
71 | `tree -a -I .git -I .gitignore --gitignore -d kubernetes`:
72 | ```text
73 | kubernetes
74 | ├── apps
75 | │ ├── default
76 | │ │ ├── overlays
77 | │ │ │ └── prod
78 | │ │ └── podinfo
79 | │ │ ├── base
80 | │ │ └── overlays
81 | │ │ ├── prod
82 | │ │ └── test
83 | │ ├── linkding
84 | │ │ ├── base
85 | │ │ └── overlays
86 | │ │ └── prod
87 | │ │ └── database
88 | │ └── overlays
89 | │ ├── prod
90 | │ └── test
91 | ├── clusters
92 | │ ├── prod
93 | │ │ └── flux-system
94 | │ └── test
95 | │ └── flux-system
96 | ├── infrastructure
97 | │ ├── cert-manager
98 | │ │ ├── app
99 | │ │ │ ├── prod
100 | │ │ │ └── release
101 | │ │ └── overlays
102 | │ │ └── prod
103 | │ │ └── resources
104 | │ ├── clusterdns
105 | │ │ ├── bind9
106 | │ │ │ ├── app
107 | │ │ │ └── prod
108 | │ │ ├── external-dns
109 | │ │ │ ├── app
110 | │ │ │ └── prod
111 | │ │ └── overlays
112 | │ │ └── prod
113 | │ ├── csi-driver-nfs
114 | │ │ ├── app
115 | │ │ └── overlays
116 | │ │ └── prod
117 | │ │ └── storageclasses
118 | │ ├── database
119 | │ │ ├── overlays
120 | │ │ │ └── prod
121 | │ │ └── redis-cluster
122 | │ │ ├── app
123 | │ │ └── prod
124 | │ ├── database-operators
125 | │ │ ├── cloudnative-pg
126 | │ │ ├── crunchydata-pgo
127 | │ │ ├── mariadb-operator
128 | │ │ └── overlays
129 | │ │ └── prod
130 | │ ├── messaging
131 | │ │ ├── overlays
132 | │ │ │ └── prod
133 | │ │ ├── rabbitmq
134 | │ │ │ └── app
135 | │ │ └── rabbitmq-cluster-operator
136 | │ ├── network
137 | │ │ ├── ingress-nginx
138 | │ │ │ ├── app
139 | │ │ │ └── overlays
140 | │ │ │ └── prod
141 | │ │ ├── metallb
142 | │ │ │ ├── app
143 | │ │ │ └── overlays
144 | │ │ │ └── prod
145 | │ │ │ └── resources
146 | │ │ └── overlays
147 | │ │ └── prod
148 | │ ├── overlays
149 | │ │ ├── prod
150 | │ │ └── test
151 | │ └── rook-ceph
152 | │ ├── overlays
153 | │ │ └── prod
154 | │ ├── rook-ceph
155 | │ └── rook-ceph-cluster
156 | │ ├── app
157 | │ └── overlays
158 | │ └── prod
159 | │ └── delete-rook
160 | ├── repositories
161 | │ ├── git
162 | │ ├── helm
163 | │ ├── oci
164 | │ └── s3
165 | └── sops
166 | ├── prod
167 | └── test
168 | ```
--------------------------------------------------------------------------------
/docs/Gitea.md:
--------------------------------------------------------------------------------
1 | # Git Server
2 |
3 | 
4 |
5 | I chose [gitea](https://gitea.io/) for my server. It is lightweight and does exactly what I need it to do.
6 |
7 | This is the first component to be installed because it is required to bootstrap the cluster.
8 |
9 | # Linux Container (LXC)
10 |
11 | LXC containers are natively supported by Proxmox and a VM is not needed for a linux native service like gitea.
12 |
13 | ## Getting a container template
14 |
15 | I store my container templates on the shared `cephfs` storage.
16 |
17 | `pvetest1` --> `cephfs` --> `CT Templates` then click on the `[Templates]` button to download a template.
18 |
19 | 
20 |
21 | Pick the `gitea` template and download it.
22 |
23 | 
24 |
25 | ## Create the container
26 |
27 | At the top there is a blue button labeled `[Create CT]`, use this to create your container.
28 |
29 | ### `General` tab
30 |
31 | Set `Hostname` to `git`, configure a password for root and upload your public SSH key.
32 |
33 | ### `Template` tab
34 |
35 | Select the gitea template (`debian-11-turnkey-gitea_17.1-1_amd64.tar.gz` at time of writing)
36 |
37 | ### `Disks` tab
38 | Be sure to select `cephblockdevice` so that the container is available on all nodes.
39 |
40 | ### `Network` tab
41 | **Default is an empty static IP address!**
42 |
43 | Either set the `IP Address` or select `dhcp`, or networking won't work.
44 |
45 | Remember to set the `VLAN Tag` if required.
46 |
47 | ## Configure High Availability for the container
48 |
49 | Navigate to the High Availability settings (`Datacenter` --> `HA`) and add the git server as a new resource.
50 |
51 | 
52 |
53 | The HA status will change to reflect the new resource:
54 |
55 | 
56 |
57 | # Configure the gitea server
58 |
59 | For configuration details see the [turnkey linux documentation](https://www.turnkeylinux.org/gitea) and the
60 | [gitea documentation](https://docs.gitea.io/en-us/).
61 |
62 | It will ask for a strong `admin` password; use a password manager, not something simple like `giteaP455!`.
--------------------------------------------------------------------------------
/docs/Hardware.md:
--------------------------------------------------------------------------------
1 | # Hardware
2 |
3 | I use 3 * old [HP EliteDesk 800 G3 SFF](https://support.hp.com/us-en/document/c05369814) PCs for my cluster (refurbished).
4 |
5 | I went with x64 instead of ARM (e.g. Raspberry Pi 4) for my production servers because there are still so many projects
6 | that only deliver for the AMD64 (x86_64) platform. The ability to expand and add hardware was another major reason for
7 | not using ARM.
8 |
9 | ## Cluster servers
10 |
11 | The HP EliteDesk 800 G3 SFF supports [Intel vPro](https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/what-is-vpro.html),
12 | a poor man's alternative to having a full server board with IPMI.
13 |
14 | ### Additional storage
15 |
16 | I upgraded the hardware for server use.
17 |
18 | * RAM -> 48 GiB DDR4 (2 * 8 GiB + 2 * 16 GiB)
19 | * Storage
20 | * 256 GB SSD Operating System
21 | * 500 GB NVMe (Ceph Storage)
22 | * 500 GB SSD (Ceph Storage)
23 |
24 | ### Optional additional networking adapter
25 |
26 | The 1 Gbit/s Ethernet adapter is sufficient for normal usage, but I felt that it wasn't going to
27 | be sufficient for synchronizing the storage.
28 |
29 | So each of the nodes also has an additional 2.5 Gbit/s Ethernet adapter, sharing a *dumb* 2.5 Gbit/s switch.
30 |
--------------------------------------------------------------------------------
/docs/Proxmox.md:
--------------------------------------------------------------------------------
1 | # Proxmox Virtualization Environment
2 | 
3 |
4 | I chose [Proxmox Virtualization Environment](https://www.proxmox.com/en/proxmox-ve) because it is an easy-to-use
5 | virtualization platform that comes with an integrated high availability storage system, [Ceph](https://ceph.com/).
6 |
7 | ## Getting Proxmox and installing Proxmox
8 |
9 | You can download Proxmox from its download site [here](https://www.proxmox.com/en/downloads/category/proxmox-virtual-environment).
10 |
11 | I use [Ventoy](https://ventoy.net/) to keep all my bootable images on a single stick.
12 |
13 | See:
14 | * [Get started](https://www.proxmox.com/en/proxmox-ve/get-started)
15 | * [Cluster Manager](https://pve.proxmox.com/pve-docs/chapter-pvecm.html)
16 | * [Deploy Hyper-Converged Ceph Cluster](https://pve.proxmox.com/pve-docs/chapter-pveceph.html)
17 | * Optional: Define 2.5GB/S Adapter for ceph synchronization
18 |
19 | [Documentation](https://pve.proxmox.com/pve-docs/)
20 |
21 | To disable the enterprise repository and stop the *unauthorized* error during refresh, edit `/etc/apt/sources.list.d/pve-enterprise.list`
22 | and comment out the repository line with a `#` symbol.
23 | ```
24 | # deb https://enterprise.proxmox.com/debian/pve bullseye pve-enterprise
25 | ```
26 |
27 | ## Network
28 |
29 | Customizations that I did for the network adapters are related to VLAN support and image migration within the cluster.
30 |
31 | ### Configure single adapter for VLAN support
32 |
33 | *This is only required if you are using VLANs **and** the server only has a single NIC*
34 |
35 | If you are using managed (smart) switches with virtual LANs (VLAN) then you will probably want Proxmox to be able to
36 | handle them correctly for your containers and VMs.
37 |
38 | Here the switch has been configured to connect VLANs 200 and 300 to ports 4-6, where the proxmox servers are connected.
39 |
40 | 
41 |
42 | To access the Proxmox management interface when VLANs are being used, the NIC has to be configured as *VLAN aware*.
43 |
44 | On my systems, the management VLAN has the id `3`.
45 |
46 | 
47 |
48 |
49 | - `eno1` — Network adapter (LAN)
50 | - `enp1s0` — Network adapter (Storage)
51 | - `vmbr0` — Internal bridge connected to `eno1`
52 | - `vmbr0.3` — Connected to VLAN 3 on the bridge
53 |
54 |
55 | I followed the excellent YouTube tutorial "[How To Create VLANs in Proxmox For a Single NIC](https://www.youtube.com/watch?v=ljq6wlzn4qo)" by [David McKone](https://www.youtube.com/@TechTutorialsDavidMcKone).
56 |
57 | ### Image Migration
58 |
59 | As I mentioned in the hardware section, I also have a second NIC for my cluster internal storage connections.
60 |
61 | You have to explicitly tell Proxmox to use that NIC for migrating images.
62 |
63 | This is found at `Datacenter` --> `Options` --> `Migration Settings`, on my systems I have selected the second adapter
64 | `enp1s0` for migration.
65 |
66 | ## Ceph
67 |
68 | Ceph isn't installed by default. To install it, select `Datacenter` --> `Ceph` and you will see this message:
69 |
70 | 
71 |
72 | Install it and configure it as described in the "[Deploy Hyper-Converged Ceph Cluster](https://pve.proxmox.com/pve-docs/chapter-pveceph.html)"
73 | documentation.
74 |
75 | Part of the Ceph installation shows the `Configuration` tab, in the `Cluster Network IP/CIDR` field you can configure
76 | Ceph to use the network on the second adapter.
77 |
78 | 
79 |
80 | ### Configuring Ceph
81 |
82 | I start a monitor and manager on each node (`Ceph` --> `Monitor`):
83 |
84 | 
85 |
86 | The storage devices on each node have to be added (`Ceph` --> `OSD`):
87 |
88 | 
89 |
90 | Create a shared `CephFS` filesystem and start a `Metadata Server` on each node (`Ceph` --> `CephFS`):
91 |
92 | 
93 |
94 | Create a shared `Block Storage` Device, I called mine `cephblockdevice` (`Ceph` --> `Pools`):
95 |
96 | 
97 |
98 | You should now see the shared resources in the Datacenter panel:
99 |
100 | 
101 |
102 | ### Enable RADOS Gateway (S3 support)
103 |
104 | Grafana Loki requires S3 support for HA storage in a cluster; you have to manually configure the RADOS gateway to enable
105 | that in Ceph.
106 |
107 | I followed the instructions that Grin published in the [Proxmox Wiki](https://pve.proxmox.com/wiki/User:Grin/Ceph_Object_Gateway).
108 |
--------------------------------------------------------------------------------
/docs/apps/README.md:
--------------------------------------------------------------------------------
1 | # Applications
2 |
3 | ## Update `default` namespace
4 |
5 | Although the apps are in the same namespace as the default gateway, the gateway uses a namespace selector, so the default
6 | namespace has to be labelled accordingly (e.g. label `shared-gateway-access: "true"`).
7 |
8 | ```yaml
9 | apiVersion: v1
10 | kind: Namespace
11 | metadata:
12 | labels:
13 | kubernetes.io/metadata.name: default
14 | shared-gateway-access: "true"
15 | name: default
16 | ```
17 |
18 | ## Installed applications
19 |
20 |
21 | * [podinfo](podinfo.md)
22 | * [linkding](linkding.md)
--------------------------------------------------------------------------------
/docs/apps/linkding.md:
--------------------------------------------------------------------------------
1 | # linkding
2 |
3 |
4 |
--------------------------------------------------------------------------------
/docs/apps/podinfo.md:
--------------------------------------------------------------------------------
1 | # podinfo
2 |
3 |
4 |
--------------------------------------------------------------------------------
/docs/cilium/README.md:
--------------------------------------------------------------------------------
1 | # Cilium
2 |
3 | [Cilium](https://cilium.io/) is an implementation of the [Container Network Interface (CNI)](https://www.cni.dev/).
4 |
5 | ## Installing the Gateway Operator and API
6 |
7 | ```shell
8 | kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v0.8.1/standard-install.yaml
9 | ```
10 |
11 | Reference: [Installing a gateway controller](https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller)
12 |
13 | ## Installing cilium
14 |
15 | Reference: deploying [cilium on Talos](https://www.talos.dev/v1.5/kubernetes-guides/network/deploying-cilium/).
16 |
17 | ## Additional information
18 |
19 | ### Defining IP addresses for load balancers
20 |
21 | Make sure the address range you define in `kind: CiliumLoadBalancerIPPool` doesn't overlap with any other addresses in
22 | your network.
23 |
24 | A nice tool for this is [ipcalc](https://jodies.de/ipcalc), and it should be available as a package on your linux distro.
25 |
26 | * [kubernetes/infrastructure/cilium/cilium/overlays/prod/resources/ciliumloadbalancerippool.yaml](../../kubernetes/infrastructure/cilium/cilium/overlays/prod/resources/ciliumloadbalancerippool.yaml)
27 |
28 | ### Complete OSI L2 announcements
29 |
30 | Even though the L2 announcements option is enabled (see the values below), Cilium still needs to be told how to inform the
31 | rest of the network, using a `kind: CiliumL2AnnouncementPolicy` CRD.
32 |
33 | ```yaml
34 | externalIPs:
35 | enabled: true
36 | l2announcements:
37 | enabled: true
38 | ```
39 |
40 | * [kubernetes/infrastructure/cilium/cilium/overlays/prod/resources/ciliuml2announcementpolicy.yaml](../../kubernetes/infrastructure/cilium/cilium/overlays/prod/resources/ciliuml2announcementpolicy.yaml)
41 |
42 | ***
43 | Installation files: [kubernetes/infrastructure/cilium](../../kubernetes/infrastructure/cilium)
44 |
45 |
--------------------------------------------------------------------------------
/docs/clusterdns/README.md:
--------------------------------------------------------------------------------
1 | # Cluster DNS
2 |
3 |
4 |
5 | ## bind9
6 |
7 |
8 |
9 | ## external-dns
10 |
11 | Make sure you enable the gateway API sources:
12 |
13 | ```yaml
14 | sources:
15 | - gateway-httproute
16 | - gateway-tlsroute
17 | ```
18 |
19 | ***
20 | Installation files: [kubernetes/infrastructure/clusterdns](../../kubernetes/infrastructure/clusterdns)
21 |
--------------------------------------------------------------------------------
/docs/images/Proxmox-Cluster.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/Proxmox-Cluster.png
--------------------------------------------------------------------------------
/docs/images/TerraformSecret.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/TerraformSecret.png
--------------------------------------------------------------------------------
/docs/images/TerraformToken.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/TerraformToken.png
--------------------------------------------------------------------------------
/docs/images/VMs-are-running.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/VMs-are-running.png
--------------------------------------------------------------------------------
/docs/images/gui-node-ceph-install-wizard-step2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/gui-node-ceph-install-wizard-step2.png
--------------------------------------------------------------------------------
/docs/images/ha-add-resource.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/ha-add-resource.png
--------------------------------------------------------------------------------
/docs/images/ha-status.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/ha-status.png
--------------------------------------------------------------------------------
/docs/images/img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/img.png
--------------------------------------------------------------------------------
/docs/images/install-ceph.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/install-ceph.png
--------------------------------------------------------------------------------
/docs/images/lxc-template-available.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/lxc-template-available.png
--------------------------------------------------------------------------------
/docs/images/lxc-template-download.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/lxc-template-download.png
--------------------------------------------------------------------------------
/docs/images/proxmox-network.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/proxmox-network.png
--------------------------------------------------------------------------------
/docs/images/setting-up-gitea.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/setting-up-gitea.png
--------------------------------------------------------------------------------
/docs/images/setting-up-proxmox.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/setting-up-proxmox.png
--------------------------------------------------------------------------------
/docs/images/setting-up-vms.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/setting-up-vms.png
--------------------------------------------------------------------------------
/docs/images/vlan.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/red-lichtie/homelab-cluster/a4f10eafdda1c2b9517d65ff784c70eb568ef5dc/docs/images/vlan.png
--------------------------------------------------------------------------------
/docs/openTofu/.gitignore:
--------------------------------------------------------------------------------
1 | .terraform/
2 | .terraform.lock.hcl
3 | *.log
4 | *tfstate*
5 | apply.tf
6 |
--------------------------------------------------------------------------------
/docs/openTofu/README.md:
--------------------------------------------------------------------------------
1 | # Setting up the VMs
2 | 
3 |
4 | # OpenTofu (Terraform)
5 |
6 | Using [OpenTofu](https://opentofu.org/) (or [Terraform](https://www.terraform.io/)) to manage the infrastructure.
7 |
8 | ## Required extension
9 |
10 | * [Telmate Proxmox Extension](https://registry.terraform.io/providers/Telmate/proxmox/latest/docs/resources/vm_qemu)
11 |
12 | # Create kubernetes node using "Infrastructure as Code" (IaC)
13 |
14 | You could manually define all the nodes in your Kubernetes cluster but that is error-prone, so I use
15 | [Terraform](https://www.terraform.io/) to define and create the cluster nodes.
16 |
17 | # Proxmox
18 |
19 | Setting up Proxmox for the installation.
20 |
21 | ## Talos Linux
22 |
23 | [Talos Linux](https://www.talos.dev/) has a great site about installing on
24 | [Proxmox](https://www.talos.dev/v1.5/talos-guides/install/virtualized-platforms/proxmox/); I use IaC on top of their
25 | recommended installation procedure.
26 |
27 | Download a copy of the latest release from
28 | their [repository](https://github.com/siderolabs/talos/releases) (currently `talos-v1.5.4-amd64.iso`).
29 |
30 | Upload it to Proxmox, on my machine I put it on the `cephfs` drive in the `iso` folder.
31 |
32 | ## Remote access API key
33 |
34 | You have to have a remote access API key with full administrator rights.
35 |
36 | `Datacenter` --> `Permissions` --> `API Tokens` --> `[Add]`
37 |
38 | Create a new token for `root@pam`; the `Token ID` (`TerraformToken`) is the name of the token. Also deselect `Privilege Separation [ ]`, so that the token carries the full permissions of `root@pam` rather than a reduced set.
39 |
40 | 
41 |
42 | You'll see a dialog with the details of the generated token:
43 |
44 | 
45 |
46 | - Token ID
- root@pam!TerraformToken
47 | - Secret
- 857c73fe-2962-4242-8daa-dc3c485e4e14
48 |
49 |
50 | Record the details somewhere safe, like Bitwarden; you'll need them for terraform to access Proxmox. Because the token has full administrator rights, keep the secret out of plain-text files in the repository — the included `credentails.auto.tfvars` is SOPS-encrypted for that reason — and regenerate any token secret that has been pasted into documentation or chat.
51 |
52 |
53 | # Included files
54 |
55 | ## credentails.auto.tfvars
56 | The committed file is SOPS-encrypted (see [credentails.auto.tfvars](credentails.auto.tfvars)); decrypted, it has this shape:
57 | ```terraform
58 | proxmox_api_url = "https://192.168.122.201:8006/api2/json"
59 | proxmox_api_token_id = "root@pam!TerraformToken"
60 | proxmox_api_token_secret = "857c73fe-2962-4242-8daa-dc3c485e4e14"
61 | ```
62 |
63 | ## provider.tf
64 |
65 | [provider.tf](provider.tf) -
66 | Defines the Proxmox provider
67 |
68 | ## main.tf
69 |
70 | [main.tf](main.tf) - The main configuration for the VMs.
71 |
72 | Declares the structure of the variable whose values are defined in [virtualmachines.auto.tfvars](virtualmachines.auto.tfvars);
73 | the name of the variable also identifies the file name:
74 | ```terraform
75 | variable "virtualmachines" {
76 | type = map(object({
77 | vmid = number
78 | instance_label = string
79 | instance_name = string
80 | instance_drive_size = string
81 | instance_memory_kb = number
82 | target_node = string
83 | macaddr = string
84 | }))
85 | }
86 | ```
87 | Define the machines based on the values in [virtualmachines](virtualmachines.auto.tfvars)
88 | ```terraform
89 | resource "proxmox_vm_qemu" "talos-node" {
90 | lifecycle {
91 | create_before_destroy = false
92 | prevent_destroy = true
93 | ignore_changes = []
94 | }
95 |
96 | # define the machines
97 | for_each = var.virtualmachines
98 | ...
99 | }
100 | ```
101 |
102 | # Creating the VMs
103 |
104 | ## Load the extension
105 | ```shell
106 | tofu init
107 | ```
108 | ```shell
109 | terraform init
110 | ```
111 |
112 | ## Make sure everything looks correct
113 | ```shell
114 | tofu validate
115 | ```
116 | ```shell
117 | terraform validate
118 | ```
119 |
120 | ## Plan the changes
121 | ```shell
122 | tofu plan
123 | ```
124 | ```shell
125 | terraform plan
126 | ```
127 |
128 | ## Apply the changes
129 | ```shell
130 | tofu apply
131 | ```
132 | ```shell
133 | terraform apply
134 | ```
135 | or . . .
136 | ```shell
137 | tofu apply -auto-approve
138 | ```
139 | ```shell
140 | terraform apply -auto-approve
141 | ```
142 |
143 | The Datacenter summary will now show 6 virtual machines running and a template:
144 | 
145 |
146 | # Pass through drives for container storage
147 |
148 | Making host drives available to the containers.
149 |
150 | _Only required if you are intending to run an in-cluster storage provider like [rook](https://rook.io/)_
151 |
152 | See: [Manual: qm.conf](https://pve.proxmox.com/wiki/Manual:_qm.conf)
153 |
154 | On each machine list the drive serial numbers:
155 |
156 | ```shell
157 | $ lsblk --output NAME,SERIAL
158 | NAME SERIAL
159 | sda SERIAL001
160 | ├─sda1
161 | ├─sda2
162 | └─sda3
163 | ├─pve-swap
164 | ├─pve-root
165 | ├─pve-data_tmeta
166 | │ └─pve-data-tpool
167 | │ └─pve-data
168 | └─pve-data_tdata
169 | └─pve-data-tpool
170 | └─pve-data
171 | sdb SERIAL123
172 | sdc SERIAL234
173 | ```
174 |
175 | Identify the devices by their id:
176 | ```shell
177 | ls -l /dev/disk/by-id/ | grep -E "/sd[a-c]$"
178 | lrwxrwxrwx 1 root root 9 Oct 15 09:04 ata-Samsung_SERIAL001 -> ../../sda
179 | lrwxrwxrwx 1 root root 9 Oct 15 15:24 ata-Samsung_SERIAL123 -> ../../sdb
180 | lrwxrwxrwx 1 root root 9 Oct 15 15:24 ata-Samsung_SERIAL123 -> ../../sdc
181 | ```
182 |
183 | On each node, add its drives to the configuration of the VM it hosts (the VM IDs below are the agent nodes from `virtualmachines.auto.tfvars`).
184 |
185 | ## pvepr0
186 |
187 |
188 | ```shell
189 | qm set 551 -scsi1 /dev/disk/by-id/ata-Samsung_SERIAL123,serial=SERIAL123
190 | qm set 551 -scsi2 /dev/disk/by-id/ata-Samsung_SERIAL234,serial=SERIAL234
191 | ```
192 |
193 | ## pvepr1
194 |
195 | ```shell
196 | qm set 552 -scsi1 /dev/disk/by-id/ata-Samsung_SERIAL345,serial=SERIAL345
197 | qm set 552 -scsi2 /dev/disk/by-id/ata-Samsung_SERIAL678,serial=SERIAL678
198 | ```
199 |
200 | ## pvepr2
201 |
202 | ```shell
203 | qm set 553 -scsi1 /dev/disk/by-id/ata-Samsung_SERIAL789,serial=SERIAL789
204 | qm set 553 -scsi2 /dev/disk/by-id/ata-Samsung_SERIAL890,serial=SERIAL890
205 | ```
206 |
--------------------------------------------------------------------------------
/docs/openTofu/credentails.auto.tfvars:
--------------------------------------------------------------------------------
1 | {
2 | "data": "ENC[AES256_GCM,data:NwMd0zuyGSwk9tr+qvuriF9N/H8TKWrLmPrdsNX2MGaBDPr7a+zzYkc9qyHmloIzIsk9Ug/QN0GhxxW4Nm3ys7i3dNTvwyPzFaGVqEYKuIpvmBXLT8jjUh+ma96quQilo/qiIQgAGVY+34Mcdi8wDT0PhJ0/iv9Rj0+cjCW9oqdspYjGDiATeNeNijsHabUcZVlJ5PpMDin/5WJcmm4Zn4LMtgs0hdHIGiYp8oVF/C+eBqpUfw==,iv:u1ZmSk3fszM2HgfPVgaOo73HPndoswAnzs1A+4EBJtg=,tag:CI2AyYGxVh6k8+jj1qvvhA==,type:str]",
3 | "sops": {
4 | "kms": null,
5 | "gcp_kms": null,
6 | "azure_kv": null,
7 | "hc_vault": null,
8 | "age": [
9 | {
10 | "recipient": "age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95",
11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHd0E4RkkwZnhxazdGSTI4\najhZNmFMNCtRWTh1MGVnbitYSm0va1NXNnk0CnpQbW44SnVQekI1VW9RWHp4bEpk\nVFdjQ21xS09qd3VKTUxTN3hvQTd3d3cKLS0tIEM0UWpyREZqU3JuZHUyK1dac1lY\nZkFscTl1dG95VFI2SmdKdmNDbmhxK3MKiccUJlGOaDeVtN4wQKtApwoAOyhs57HB\nRi8xhoUX4GeG0KRBRH5jjlZDD7gUbbBn+YOSfv3d+nIvzeMyYIuX2g==\n-----END AGE ENCRYPTED FILE-----\n"
12 | },
13 | {
14 | "recipient": "age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32",
15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmSkxPdXE5WWhHVG80dUhv\nc2F4NzZ3QUJITVB3a1lqUkJqZVYrdGVxSno4CmNvc2tLbkgrVXZ6eTlwTFgyMFpt\ncHpod2czZFJ3R0liNjhSZ0xYNjZGREEKLS0tIGFmTkgxRkdlSzFqeDJBK0hTMGIz\nWjJQK0N4ZE9ZZHNmamt0QW0yUjhIcGsK4Xdb+ahBtO9CWl4+3m+H8gddvtVNlze1\nYLSiy4GqLYqMzc/vLA6WNw63mebWFzFHmJeSM2vE/Lv9m3cuQ31gcQ==\n-----END AGE ENCRYPTED FILE-----\n"
16 | }
17 | ],
18 | "lastmodified": "2023-10-26T17:11:29Z",
19 | "mac": "ENC[AES256_GCM,data:xO4mPaprlIA6s+MF+LBnR/IremKUR4wTfswMr6uq7Cmr28+IT4GO29kX6fu/xiM8IW5czFEnJzr2Ix/gixBAPelHSXNrua0Pve6gqQYKwxCvd14xdGrGstTuDZwcd5pRjhJ2O1HDgKWS5ENr+Q0ycxL85Xq//44SZpOz+9u3r5s=,iv:9zQcumyFdLpNoW6aMMWl46pX09/LyxsRJySg+8uSobE=,tag:oMLJCqr3Mcn7pxviMJh6SQ==,type:str]",
20 | "pgp": null,
21 | "unencrypted_suffix": "_unencrypted",
22 | "version": "3.7.3"
23 | }
24 | }
--------------------------------------------------------------------------------
/docs/openTofu/main.tf:
--------------------------------------------------------------------------------
1 | # Define the structure of records in virtualmachines.auto.tfvars
2 |
# Shape of each entry in the `virtualmachines` map. The values live in
# virtualmachines.auto.tfvars; the map key is only a label for the entry.
variable "virtualmachines" {
  type = map(object({
    vmid                = number # Proxmox VM ID
    instance_label      = string # free-text description shown in Proxmox (`desc`)
    instance_name       = string # VM name (`name`)
    instance_drive_size = string # boot disk size, e.g. "15G"
    instance_memory_kb  = number # NOTE(review): the tfvars values (6144, 16384) look like MiB rather than KB — confirm the provider's `memory` unit
    target_node         = string # Proxmox node that hosts the VM
    macaddr             = string # fixed MAC; presumably so the VM keeps the same DHCP-assigned IP (see the tfvars comments)
  }))
}
14 |
# One Talos VM per entry in var.virtualmachines.
resource "proxmox_vm_qemu" "talos-node" {

  lifecycle {
    # Never replace or destroy an existing node through tofu/terraform; an
    # apply that would do so fails instead, which protects the node disks.
    create_before_destroy = false
    prevent_destroy       = true
    # NOTE(review): the pass-through disks added with `qm set` (README) are
    # not declared here, so a later plan may report drift on them — confirm.
    ignore_changes        = []
  }

  for_each = var.virtualmachines

  # General
  vmid        = each.value.vmid
  name        = each.value.instance_name
  desc        = each.value.instance_label
  target_node = each.value.target_node

  # Booting: do not start on creation, but start with the host.
  oncreate = false
  onboot   = true

  # Talos changes
  # NOTE(review): presumably no connection info because Talos exposes no SSH
  # to connect to, and hotplug is switched off — confirm against the
  # Telmate provider docs.
  define_connection_info = false
  hotplug                = ""

  # OS: installer ISO uploaded to the `iso` folder on cephfs (see README).
  iso     = "cephfs:iso/talos-v1.5.4-amd64.iso"
  qemu_os = "l26" # Proxmox OS type for Linux 2.6+ kernels

  # System
  bios   = "SeaBIOS"
  scsihw = "virtio-scsi-pci"

  # Disks: the boot disk only; extra data disks for rook are passed through
  # on the Proxmox host with `qm set`, outside of this configuration.
  disk {
    type    = "scsi"
    size    = each.value.instance_drive_size
    storage = "osd"
    ssd     = 1
  }

  # CPU
  sockets = 1
  cores   = 4
  vcpus   = 4
  cpu     = "x86-64-v2-AES"

  # Memory
  memory  = each.value.instance_memory_kb
  balloon = 512

  # Network: every VM on vmbr0 with VLAN tag 3 and a fixed MAC from tfvars.
  network {
    model   = "virtio"
    bridge  = "vmbr0"
    tag     = 3
    macaddr = each.value.macaddr
  }
}
73 |
--------------------------------------------------------------------------------
/docs/openTofu/provider.tf:
--------------------------------------------------------------------------------
1 | # Proxmox Provider
2 | # ---
3 | # Initial Provider Configuration for Proxmox
4 |
# Pins the Telmate Proxmox provider and the minimum tofu/terraform version.
# NOTE(review): ">=1.0.0" has no upper bound, so `init` may pull a newer
# major release with breaking schema changes, and `.terraform.lock.hcl` is
# git-ignored so provider checksums are not pinned either — consider a "~>"
# constraint and committing the lock file.
terraform {
  required_providers {
    proxmox = {
      source  = "telmate/proxmox"
      version = ">=1.0.0"
    }
  }
  required_version = ">= 0.14"
}
14 |
# Proxmox API endpoint, e.g. https://<host>:8006/api2/json; the value comes
# from the SOPS-encrypted credentails.auto.tfvars.
variable "proxmox_api_url" {
  type = string
}
18 |
# Full API token id in the form `<user>@<realm>!<token name>`, e.g.
# root@pam!TerraformToken (README "Remote access API key").
variable "proxmox_api_token_id" {
  type = string
}
22 |
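# Secret half of the Proxmox API token (the `Secret` value from the token
# creation dialog, see README "Remote access API key").
# Marked sensitive so tofu/terraform redacts it in plan and apply output
# instead of printing it; `sensitive` is available from Terraform 0.14,
# which required_version already demands.
variable "proxmox_api_token_secret" {
  type      = string
  sensitive = true
}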
26 |
# Provider configuration; all credentials come from the variables above,
# which are populated from the SOPS-encrypted credentails.auto.tfvars.
provider "proxmox" {
  pm_api_url          = var.proxmox_api_url
  pm_api_token_id     = var.proxmox_api_token_id
  pm_api_token_secret = var.proxmox_api_token_secret
  # Verbose provider logging to a local file. `*.log` is excluded by the
  # .gitignore next to this file, but NOTE(review): a debug-level API log
  # may contain request details — check its contents before sharing it.
  pm_debug      = true
  pm_log_enable = true
  pm_log_file   = "proxmox-plugin.log"
  pm_log_levels = {
    _default    = "debug"
    _capturelog = ""
  }
}
39 |
--------------------------------------------------------------------------------
/docs/openTofu/virtualmachines.auto.tfvars:
--------------------------------------------------------------------------------
1 |
# One entry per Talos VM; the entry key is only a label, the field values are
# consumed by resource "proxmox_vm_qemu" "talos-node" in main.tf.
# Controllers use vmid 50x with a 15G disk, agents vmid 55x with an 80G disk;
# each Proxmox node hosts one controller and one agent.
# NOTE(review): the `instance_memory_kb` values look like MiB rather than KB —
# confirm the provider's unit before relying on the name.
# The trailing comments presumably record the IP the DHCP server assigns to
# each fixed MAC (the Talos config patch uses dhcp: true).
virtualmachines = {
  talos-node-1 = {
    vmid                = 501
    instance_label      = "Talos Production - Controller 1"
    instance_name       = "talos-c1"
    instance_drive_size = "15G"
    instance_memory_kb  = 6144
    target_node         = "pvepr0"
    macaddr             = "0a:69:39:6d:e0:c9" # 192.168.77.101 talos-c1
  }
  talos-node-2 = {
    vmid                = 551
    instance_label      = "Talos Production - Agent 1"
    instance_name       = "talos-a1"
    instance_drive_size = "80G"
    instance_memory_kb  = 16384
    target_node         = "pvepr0"
    macaddr             = "06:ae:38:9d:61:bb" # 192.168.77.151 talos-a1
  }
  talos-node-3 = {
    vmid                = 502
    instance_label      = "Talos Production - Controller 2"
    instance_name       = "talos-c2"
    instance_drive_size = "15G"
    instance_memory_kb  = 6144
    target_node         = "pvepr1"
    macaddr             = "6e:ba:64:73:96:7d" # 192.168.77.102 talos-c2
  }
  talos-node-4 = {
    vmid                = 552
    instance_label      = "Talos Production - Agent 2"
    instance_name       = "talos-a2"
    instance_drive_size = "80G"
    instance_memory_kb  = 16384
    target_node         = "pvepr1"
    macaddr             = "d6:b0:d8:e1:e1:9e" # 192.168.77.152 talos-a2
  }
  talos-node-5 = {
    vmid                = 503
    instance_label      = "Talos Production - Controller 3"
    instance_name       = "talos-c3"
    instance_drive_size = "15G"
    instance_memory_kb  = 6144
    target_node         = "pvepr2"
    macaddr             = "62:80:c2:36:9c:39" # 192.168.77.103 talos-c3
  }
  talos-node-6 = {
    vmid                = 553
    instance_label      = "Talos Production - Agent 3"
    instance_name       = "talos-a3"
    instance_drive_size = "80G"
    instance_memory_kb  = 16384
    target_node         = "pvepr2"
    macaddr             = "82:02:59:dc:b5:ab" # 192.168.77.153 talos-a3
  }
}
58 |
--------------------------------------------------------------------------------
/docs/storage/README.md:
--------------------------------------------------------------------------------
1 | # Storage
2 |
3 | * [rook](rook.md)
4 | * [NFS](csi-driver-nfs.md)
5 |
6 |
--------------------------------------------------------------------------------
/docs/storage/csi-driver-nfs.md:
--------------------------------------------------------------------------------
1 | # NFS using csi-driver-nfs
2 |
3 |
4 |
--------------------------------------------------------------------------------
/docs/storage/rook.md:
--------------------------------------------------------------------------------
1 | # Rook
2 |
3 | How to use Proxmox's passed through drives as the backing store for [Rook](https://rook.io/).
4 |
5 | Deploying Rook on [Talos](https://www.talos.dev/v1.5/kubernetes-guides/configuration/ceph-with-rook/)
6 |
7 | Installation files: [kubernetes/infrastructure/rook-ceph](../../kubernetes/infrastructure/rook-ceph)
8 |
9 | # The files
10 |
11 | ## [ConfigMap](../../kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/configmap.yaml)
12 |
13 | The passed through drives on each of the cluster nodes have been individually named; this isn't really required, as the
14 | default will use all unused and empty/unformatted drives.
15 | ```yaml
16 | storage:
17 | useAllDevices: true
18 | useAllNodes: true
19 | ```
20 |
21 | TLS for the dashboard is terminated by a Gateway API [HTTPRoute](../../kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/httproute.yaml), so the dashboard itself runs with `ssl: false` and the hop from the gateway to the dashboard pod is plain HTTP
22 | ```yaml
23 | dashboard:
24 | ssl: false
25 | ```
26 |
27 | As it isn't a dedicated high performance storage cluster the requested memory and CPU are massively reduced from the
28 | default values.
29 |
30 | ## [Ceph tools](../../kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/ceph-tools-deployment.yaml)
31 |
32 | Used to access the ceph CLI and directly access the cluster.
33 |
34 | ```shell
35 | $ kubectl -n rook-ceph exec -it deploy/rook-ceph-tools -- bash
36 | ```
--------------------------------------------------------------------------------
/docs/talos/README.md:
--------------------------------------------------------------------------------
1 | # Talos Linux
2 |
3 | Proxmox VE virtual machines (VMs) running [Talos Linux](https://www.talos.dev/).
4 |
5 | [Proxmox](https://www.talos.dev/v1.5/talos-guides/install/virtualized-platforms/proxmox/)
6 |
7 |
8 | ## talosctl
9 |
10 | To get the Talos command line interface (CLI) see the [quick start](https://www.talos.dev/v1.5/introduction/quickstart/)
11 | page on the Talos site.
12 |
13 | ### Enable auto completion
14 |
15 | ```shell
16 | source <(talosctl completion bash)
17 | ```
18 |
19 | ## Generate the configuration files
20 |
21 | ```shell
22 | export CONTROL_PLANE_IP=192.168.76.230
23 | talosctl gen config talos-proxmox-cluster https://$CONTROL_PLANE_IP:6443 \
24 | --config-patch-control-plane @config-patch-control-plane.yaml \
25 | --config-patch @config-patch.yaml
26 | ```
27 |
28 | ### Set the configuration for talosctl
29 |
30 | ```shell
31 | export TALOSCONFIG=$PWD/talosconfig
32 | ```
33 |
34 | ## Configure control plane
35 | ```shell
36 | talosctl apply-config --insecure --nodes talos-c1 --file controlplane.yaml
37 | talosctl apply-config --insecure --nodes talos-c2 --file controlplane.yaml
38 | talosctl apply-config --insecure --nodes talos-c3 --file controlplane.yaml
39 | ```
40 |
41 | ## Configure agents/workers
42 | ```shell
43 | talosctl apply-config --insecure --nodes talos-a1 --file worker.yaml
44 | talosctl apply-config --insecure --nodes talos-a2 --file worker.yaml
45 | talosctl apply-config --insecure --nodes talos-a3 --file worker.yaml
46 | ```
47 |
48 | ## Bootstrap the cluster
49 | Pick one of your control plane nodes and use it to bootstrap the cluster.
50 | ```shell
51 | talosctl config node 192.168.77.101
52 | talosctl config endpoint 192.168.77.101
53 | talosctl bootstrap
54 | ```
55 |
56 |
57 | ## Get the kubernetes configuration
58 | Once the cluster is up and running, you can get the configuration for kubectl.
59 |
60 | ```shell
61 | talosctl kubeconfig .
62 | export KUBECONFIG=$PWD/kubeconfig
63 | ```
64 |
--------------------------------------------------------------------------------
/docs/talos/config-patch-control-plane.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | machine:
3 | network:
4 | interfaces:
5 | - interface: eth0
6 | dhcp: true
7 | vip:
8 | ip: 192.168.76.230
9 |
10 |
--------------------------------------------------------------------------------
/docs/talos/config-patch.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | cluster:
3 | network:
4 | cni:
5 | name: none
6 | proxy:
7 | disabled: true
8 | machine:
9 | features:
10 | kubePrism:
11 | enabled: true
12 | port: 7445
13 | install:
14 | extraKernelArgs:
15 | - net.ifnames=0
16 |
--------------------------------------------------------------------------------
/docs/talos/kubeconfig:
--------------------------------------------------------------------------------
1 | {
2 | "data": "ENC[AES256_GCM,data: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,iv:yPiJG6iRXOF2B4S440kUgdUJC3qj4QcApjs5brpi3O4=,tag:ZochLzJmSdTCa6nqqZ7wzA==,type:str]",
3 | "sops": {
4 | "kms": null,
5 | "gcp_kms": null,
6 | "azure_kv": null,
7 | "hc_vault": null,
8 | "age": [
9 | {
10 | "recipient": "age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95",
11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZUJTa0RIYVR1aHNDM0Fv\nR3NYZ05lcWUrWUpNdFJQb1U5M2pVU3UwU0hNCkdLbU1zV25LQlFmaDZYbVBITXpG\nSEQxS3JkK0NjaWVtVGtVL1RFbytrRHMKLS0tIGZzTWJPTDJCOW91bk03NEpBUVJO\nSUNhM2N6aDEyTEJvY2pqODNFQW9VWjQKQ3m3BBZA9/prID7zcCq7y5+n1nt04K11\nQp+PNO334I/7jSUw+XAVVn9JqiOJ4RYOdVIBgZSf5tgVF0NQhFKweQ==\n-----END AGE ENCRYPTED FILE-----\n"
12 | },
13 | {
14 | "recipient": "age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32",
15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5VUVLZ2RaQUw0aFRlQStp\nUEJYSVl3Nk1JZlU1cjBETFpLQ0R3US9jbVJ3ClNzaDFCZUVQaXZDZExaOWxWWWt5\nbW52cEY0dk9ndkFSY0FmeFgvY0pNTzAKLS0tIDZzeXZENGlidW5QS21qZGhNdGFz\neFNMa25OT3cvTzMwTERrZDJ0cFluTE0Kc/KChTh8z+jmVpoqSGwv8a9srW4DIKNL\nvPVHo++6EMkwP+wmxZsxEDtGdSZznfR3y0cL+uRiTFnRhF1SiwBrsg==\n-----END AGE ENCRYPTED FILE-----\n"
16 | }
17 | ],
18 | "lastmodified": "2023-10-26T17:06:15Z",
19 | "mac": "ENC[AES256_GCM,data:LJzw5C2N0UpYx01u7MJ4GyXc3PW0eyV37L+i0GHP8qIbfBki7wFJA1NAfFUoK23XCRiw8aUEoa4NC1V1IAIcHHaleA9ET+qqSk7z2/HGyoByePHo6IoMRttY0RPai5oTh/r2JwR5k3MNPeC8BKWTZZbxw7CfyRFhVeHDwFeY7d4=,iv:1Qa+xVCkeoR6gGbbgXwXEc8yvFeso3pJRXbksxreo14=,tag:Rh52QaRtGGSadnRZ+0bDoQ==,type:str]",
20 | "pgp": null,
21 | "unencrypted_suffix": "_unencrypted",
22 | "version": "3.7.3"
23 | }
24 | }
--------------------------------------------------------------------------------
/docs/talos/talosconfig:
--------------------------------------------------------------------------------
1 | {
2 | "data": "ENC[AES256_GCM,data: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,iv:D8cKzzntfydbveVpbgoeC9CkKIMEg8oZXXImbbV33Vc=,tag:a8b5j4OHoD7rXUCvXute3A==,type:str]",
3 | "sops": {
4 | "kms": null,
5 | "gcp_kms": null,
6 | "azure_kv": null,
7 | "hc_vault": null,
8 | "age": [
9 | {
10 | "recipient": "age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95",
11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZFhPNTZsZ0VzRDE1L3ll\ndnR1dXZRa0pmTU95aDFQNi83WndONTltbFZvClRLRFNqVGFEMmNPeURaM2wzb2ly\nYWIvM1JGUTNvcXVsRGtINXN6L2pubkkKLS0tIE4zazZLYXlZYTZQWHJlejFEeW1v\nY3BvVlRmb0RzVnhlL3VUTlJXZjV5Sm8KBIl6PET2enjvCzpA+fTZTSjHj4fiuNsc\ngo+r2vkaa2mjaK5+Fzn6dqjgETjtecahLcbuiDxVYyUNA5jMwy7VnQ==\n-----END AGE ENCRYPTED FILE-----\n"
12 | },
13 | {
14 | "recipient": "age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32",
15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVS9XOFZZdDhZckdVeUdx\nUHd1c1V6RU9ISFBDRmtIdTJnSEpsd051dlhBCkoxb1hLdVdIUXd6S1lubEFhbEVD\nT2lObkMwbWREQ1AwcDhCbDEvYlEvTTAKLS0tIEdsZlR2L1pVNm1pcHIvSlg3aE94\nR2hVTFoyZk44MWx4d3NvY2dBQmRvN1UKvp9ryhKvP3kbxvwPYNxioarYnR19YbfC\nwywZPgU9ES/xjQuP9SblLb1F3c4JNO/pAb7SWpmZncSCT1RmCQBnpA==\n-----END AGE ENCRYPTED FILE-----\n"
16 | }
17 | ],
18 | "lastmodified": "2023-10-26T17:05:59Z",
19 | "mac": "ENC[AES256_GCM,data:D6bggpVhMT7DeOhg3QHqB2OhAX6JKaMXuIXr1NbIXW5W0aAX8jFPBDue36O/BlGI91nIhkZy/hiTotGjlpNaS5NcNoDYNNkHL16+mr9HiykFDlCSLLfTDkqbOdW1x9Pcv59JDvUONSmTGFoGLyUgbeEshWdMC3owWfO3oe2onmQ=,iv:4BnNApJTiysIuKa1zg1mOvNx4tPogVDgstTXZbthWHM=,tag:B67OVMcsIWTYcpz5Dye88g==,type:str]",
20 | "pgp": null,
21 | "unencrypted_suffix": "_unencrypted",
22 | "version": "3.7.3"
23 | }
24 | }
--------------------------------------------------------------------------------
/docs/talos/worker.prod.yaml:
--------------------------------------------------------------------------------
1 | # Indicates the schema used to decode the contents.
2 | version: v1alpha1
3 | # Enable verbose logging to the console.
4 | debug: false
5 | # description: |
6 | persist: true
7 | # Provides machine specific configuration options.
8 | machine:
9 | # Defines the role of the machine within the cluster.
10 | type: worker
11 | # The `token` is used by a machine to join the PKI of the cluster.
12 | token: ENC[AES256_GCM,data:WjgzSD6U4Zhuk618I2Wq/9q/QgRHMrg=,iv:VVbNWXiBmWB47pGX/Clt6PJ95JjSnVf6FSipS9QbP3Q=,tag:3E9BklMLTXWnnFgAmoYPzw==,type:str]
13 | # The root certificate authority of the PKI.
14 | ca:
15 | crt: 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
16 | key: ""
17 | # Extra certificate subject alternative names for the machine's certificate.
18 | certSANs: []
19 | # # Uncomment this to enable SANs.
20 | # - 10.0.0.10
21 | # - 172.16.0.10
22 | # - 192.168.0.10
23 | # Used to provide additional options to the kubelet.
24 | kubelet:
25 | # The `image` field is an optional reference to an alternative kubelet image.
26 | image: ghcr.io/siderolabs/kubelet:v1.28.2
27 | # Enable container runtime default Seccomp profile.
28 | defaultRuntimeSeccompProfileEnabled: true
29 | # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
30 | disableManifestsDirectory: true
31 | # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
32 | # clusterDNS:
33 | # - 10.96.0.10
34 | # - 169.254.2.53
35 | # # The `extraArgs` field is used to provide additional flags to the kubelet.
36 | # extraArgs:
37 | # key: value
38 | # # The `extraMounts` field is used to add additional mounts to the kubelet container.
39 | # extraMounts:
40 | # - destination: /var/lib/example
41 | # type: bind
42 | # source: /var/lib/example
43 | # options:
44 | # - bind
45 | # - rshared
46 | # - rw
47 | # # The `extraConfig` field is used to provide kubelet configuration overrides.
48 | # extraConfig:
49 | # serverTLSBootstrap: true
50 | # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
51 | # nodeIP:
52 | # # The `validSubnets` field configures the networks to pick kubelet node IP from.
53 | # validSubnets:
54 | # - 10.0.0.0/8
55 | # - '!10.0.0.3/32'
56 | # - fdc7::/16
57 | # Provides machine specific network configuration options.
58 | network: {}
59 | # # `interfaces` is used to define the network interface configuration.
60 | # interfaces:
61 | # - interface: enp0s1 # The interface name.
62 | # # Assigns static IP addresses to the interface.
63 | # addresses:
64 | # - 192.168.2.0/24
65 | # # A list of routes associated with the interface.
66 | # routes:
67 | # - network: 0.0.0.0/0 # The route's network (destination).
68 | # gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
69 | # metric: 1024 # The optional metric for the route.
70 | # mtu: 1500 # The interface's MTU.
71 | #
72 | # # # Picks a network device using the selector.
73 | # # # select a device with bus prefix 00:*.
74 | # # deviceSelector:
75 | # # busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
76 | # # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
77 | # # deviceSelector:
78 | # # hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
79 | # # driver: virtio # Kernel driver, supports matching by wildcard.
80 | # # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
81 | # # deviceSelector:
82 | # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
83 | # # - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
84 | # # driver: virtio # Kernel driver, supports matching by wildcard.
85 | # # # Bond specific options.
86 | # # bond:
87 | # # # The interfaces that make up the bond.
88 | # # interfaces:
89 | # # - enp2s0
90 | # # - enp2s1
91 | # # # Picks a network device using the selector.
92 | # # deviceSelectors:
93 | # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
94 | # # - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
95 | # # driver: virtio # Kernel driver, supports matching by wildcard.
96 | # # mode: 802.3ad # A bond option.
97 | # # lacpRate: fast # A bond option.
98 | # # # Bridge specific options.
99 | # # bridge:
100 | # # # The interfaces that make up the bridge.
101 | # # interfaces:
102 | # # - enxda4042ca9a51
103 | # # - enxae2a6774c259
104 | # # # A bridge option.
105 | # # stp:
106 | # # enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
107 | # # # Indicates if DHCP should be used to configure the interface.
108 | # # dhcp: true
109 | # # # DHCP specific options.
110 | # # dhcpOptions:
111 | # # routeMetric: 1024 # The priority of all routes received via DHCP.
112 | # # # Wireguard specific configuration.
113 | # # # wireguard server example
114 | # # wireguard:
115 | # # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
116 | # # listenPort: 51111 # Specifies a device's listening port.
117 | # # # Specifies a list of peer configurations to apply to a device.
118 | # # peers:
119 | # # - publicKey: ABCDEF... # Specifies the public key of this peer.
120 | # # endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
121 | # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
122 | # # allowedIPs:
123 | # # - 192.168.1.0/24
124 | # # # wireguard peer example
125 | # # wireguard:
126 | # # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
127 | # # # Specifies a list of peer configurations to apply to a device.
128 | # # peers:
129 | # # - publicKey: ABCDEF... # Specifies the public key of this peer.
130 | # # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
131 | # # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
132 | # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
133 | # # allowedIPs:
134 | # # - 192.168.1.0/24
135 | # # # Virtual (shared) IP address configuration.
136 | # # # layer2 vip example
137 | # # vip:
138 | # # ip: 172.16.199.55 # Specifies the IP address to be used.
139 | # # Used to statically set the nameservers for the machine.
140 | # nameservers:
141 | # - 8.8.8.8
142 | # - 1.1.1.1
143 | # # Allows for extra entries to be added to the `/etc/hosts` file
144 | # extraHostEntries:
145 | # - ip: 192.168.1.100 # The IP of the host.
146 | # # The host alias.
147 | # aliases:
148 | # - example
149 | # - example.domain.tld
150 | # # Configures KubeSpan feature.
151 | # kubespan:
152 | # enabled: true # Enable the KubeSpan feature.
153 | # Used to provide instructions for installations.
154 | install:
155 | # The disk used for installations.
156 | disk: /dev/sda
157 | # Allows for supplying extra kernel args via the bootloader.
158 | extraKernelArgs:
159 | - net.ifnames=0
160 | # Allows for supplying the image used to perform the installation.
161 | image: ghcr.io/siderolabs/installer:v1.5.3
162 | # Indicates if the installation disk should be wiped at installation time.
163 | wipe: false
164 | # # Look up disk using disk attributes like model, size, serial and others.
165 | # diskSelector:
166 | # size: 4GB # Disk size.
167 | # model: WDC* # Disk model `/sys/block//device/model`.
168 | # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
169 | # # Allows for supplying additional system extension images to install on top of base Talos image.
170 | # extensions:
171 | # - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
172 | # Used to configure the machine's container image registry mirrors.
173 | registries: {}
174 | # # Specifies mirror configuration for each registry host namespace.
175 | # mirrors:
176 | # ghcr.io:
177 | # # List of endpoints (URLs) for registry mirrors to use.
178 | # endpoints:
179 | # - https://registry.insecure
180 | # - https://ghcr.io/v2/
181 | # # Specifies TLS & auth configuration for HTTPS image registries.
182 | # config:
183 | # registry.insecure:
184 | # # The TLS configuration for the registry.
185 | # tls:
186 | # insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
187 | #
188 | # # # Enable mutual TLS authentication with the registry.
189 | # # clientIdentity:
190 | # # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
191 | # # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
192 | #
193 | # # # The auth configuration for this registry.
194 | # # auth:
195 | # # username: username # Optional registry authentication.
196 | # # password: password # Optional registry authentication.
197 | # Features describe individual Talos features that can be switched on or off.
198 | features:
199 | # Enable role-based access control (RBAC).
200 | rbac: true
201 | # Enable stable default hostname.
202 | stableHostname: true
203 | # Enable checks for extended key usage of client certificates in apid.
204 | apidCheckExtKeyUsage: true
205 | # Enable XFS project quota support for EPHEMERAL partition and user disks.
206 | diskQuotaSupport: true
207 | # KubePrism - local proxy/load balancer on defined port that will distribute requests to all API servers in the cluster.
208 | kubePrism:
209 | # Enable KubePrism support - will start local load balancing proxy.
210 | enabled: true
211 | # KubePrism port.
212 | port: 7445
213 | # # Configure Talos API access from Kubernetes pods.
214 | # kubernetesTalosAPIAccess:
215 | # enabled: true # Enable Talos API access from Kubernetes pods.
216 | # # The list of Talos API roles which can be granted for access from Kubernetes pods.
217 | # allowedRoles:
218 | # - os:reader
219 | # # The list of Kubernetes namespaces Talos API access is available from.
220 | # allowedKubernetesNamespaces:
221 | # - kube-system
222 | # Provides cluster specific configuration options.
223 | cluster:
224 | # # Provides machine specific control plane configuration options.
225 | # # ControlPlane definition example.
226 | # controlPlane:
227 | # # Controller manager machine specific configuration options.
228 | # controllerManager:
229 | # disabled: false # Disable kube-controller-manager on the node.
230 | # # Scheduler machine specific configuration options.
231 | # scheduler:
232 | # disabled: true # Disable kube-scheduler on the node.
233 | # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
234 | # # nginx static pod.
235 | # pods:
236 | # - apiVersion: v1
237 | # kind: pod
238 | # metadata:
239 | # name: nginx
240 | # spec:
241 | # containers:
242 | # - image: nginx
243 | # name: nginx
244 | # # Used to partition, format and mount additional disks.
245 | # # MachineDisks list example.
246 | # disks:
247 | # - device: /dev/sdb # The name of the disk to use.
248 | # # A list of partitions to create on the disk.
249 | # partitions:
250 | # - mountpoint: /var/mnt/extra # Where to mount the partition.
251 | #
252 | # # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk.
253 | # # # Human readable representation.
254 | # # size: 100 MB
255 | # # # Precise value in bytes.
256 | # # size: 1073741824
257 | # # Allows the addition of user specified files.
258 | # # MachineFiles usage example.
259 | # files:
260 | # - content: '...' # The contents of the file.
261 | # permissions: 0o666 # The file's permissions in octal.
262 | # path: /tmp/file.txt # The path of the file.
263 | # op: append # The operation to use
264 | # # The `env` field allows for the addition of environment variables.
265 | # # Environment variables definition examples.
266 | # env:
267 | # GRPC_GO_LOG_SEVERITY_LEVEL: info
268 | # GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
269 | # https_proxy: http://SERVER:PORT/
270 | # env:
271 | # GRPC_GO_LOG_SEVERITY_LEVEL: error
272 | # https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
273 | # env:
274 | # https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
275 | # # Used to configure the machine's time settings.
276 | # # Example configuration for cloudflare ntp server.
277 | # time:
278 | # disabled: false # Indicates if the time service is disabled for the machine.
279 | # # Specifies time (NTP) servers to use for setting the system time.
280 | # servers:
281 | # - time.cloudflare.com
282 | # bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
283 | # # Used to configure the machine's sysctls.
284 | # # MachineSysctls usage example.
285 | # sysctls:
286 | # kernel.domainname: talos.dev
287 | # net.ipv4.ip_forward: "0"
288 | # # Used to configure the machine's sysfs.
289 | # # MachineSysfs usage example.
290 | # sysfs:
291 | # devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
292 | # # Machine system disk encryption configuration.
293 | # systemDiskEncryption:
294 | # # Ephemeral partition encryption.
295 | # ephemeral:
296 | # provider: luks2 # Encryption provider to use for the encryption.
297 | # # Defines the encryption keys generation and storage method.
298 | # keys:
299 | # - # Deterministically generated key from the node UUID and PartitionLabel.
300 | # nodeID: {}
301 | # slot: 0 # Key slot number for LUKS2 encryption.
302 | #
303 | # # # KMS managed encryption key.
304 | # # kms:
305 | # # endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
306 | #
307 | # # # Cipher kind to use for the encryption. Depends on the encryption provider.
308 | # # cipher: aes-xts-plain64
309 | # # # Defines the encryption sector size.
310 | # # blockSize: 4096
311 | # # # Additional --perf parameters for the LUKS2 encryption.
312 | # # options:
313 | # # - no_read_workqueue
314 | # # - no_write_workqueue
315 | # # Configures the udev system.
316 | # udev:
317 | # # List of udev rules to apply to the udev system
318 | # rules:
319 | # - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
320 | # # Configures the logging system.
321 | # logging:
322 | # # Logging destination.
323 | # destinations:
324 | # - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
325 | # format: json_lines # Logs format.
326 | # # Configures the kernel.
327 | # kernel:
328 | # # Kernel modules to load.
329 | # modules:
330 | # - name: brtfs # Module name.
331 | # # Configures the seccomp profiles for the machine.
332 | # seccompProfiles:
333 | # - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
334 | # # The `value` field is used to provide the seccomp profile.
335 | # value:
336 | # defaultAction: SCMP_ACT_LOG
337 | # # Configures the node labels for the machine.
338 | # # node labels example.
339 | # nodeLabels:
340 | # exampleLabel: exampleLabelValue
341 | # Globally unique identifier for this cluster (base64 encoded random 32 bytes). Stored in plaintext: `id` is not matched by the sops encrypted_regex at the end of this file, unlike `secret` below — confirm that is intended.
342 | id: WkjLvA28RwKTGYRO9pbmQS_kbG3gx9pc1P9fdmYkn8Y=
343 | # Shared secret of cluster (base64 encoded random 32 bytes).
344 | secret: ENC[AES256_GCM,data:YmNciwNL9+EIG6m6DmxChMTc7zSndcRJqEh8reVP6N+IvPOzVcfLtFaWM7g=,iv:2c/UhXxtVybMVIvaBDI7zyyuJkw6pPbVZVilMi+ZBl0=,tag:7u39m6NBoyHaWB/2kKvvGg==,type:str]
345 | # Provides control plane specific configuration options.
346 | controlPlane:
347 | # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
348 | endpoint: https://192.168.76.230:6443
349 | # Provides cluster specific network configuration options.
350 | network:
351 | # The CNI used. `none` means Talos installs no CNI; the cluster is expected to bring its own (this repository documents Cilium under docs/cilium).
352 | cni:
353 | # Name of CNI to use.
354 | name: none
355 | # The domain used by Kubernetes DNS.
356 | dnsDomain: cluster.local
357 | # The pod subnet CIDR.
358 | podSubnets:
359 | - 10.244.0.0/16
360 | # The service subnet CIDR.
361 | serviceSubnets:
362 | - 10.96.0.0/12
363 | # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
364 | token: ENC[AES256_GCM,data:4Aj5nYCD6oD7OzUsv9VVw4LYo3KEkB8=,iv:dBuJ958Lmb7iYYaxQL/+DmmbB1V0nlpDGg2tcL38ZkA=,tag:GOlRnqoaGQVqmb099SF4lQ==,type:str]
365 | # The base64 encoded root certificate authority used by Kubernetes. On a worker only the certificate is present; the private key below is left empty because a worker never signs with it.
366 | ca:
367 | crt: 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
368 | key: ""
369 | # Kube-proxy server-specific configuration options
370 | proxy:
371 | # Disable kube-proxy deployment on cluster bootstrap. Only safe when the CNI provides a kube-proxy replacement — confirm the Cilium install enables it.
372 | disabled: true
373 | # # The container image used in the kube-proxy manifest.
374 | # image: registry.k8s.io/kube-proxy:v1.28.2
375 | # Configures cluster member discovery.
376 | discovery:
377 | # Enable the cluster membership discovery feature.
378 | enabled: true
379 | # Configure registries used for cluster member discovery.
380 | registries:
381 | # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
382 | kubernetes:
383 | # Disable Kubernetes discovery registry.
384 | disabled: true
385 | # Service registry is using an external service to push and pull information about cluster members.
386 | service: {}
387 | # # External service endpoint.
388 | # endpoint: https://discovery.talos.dev/
389 | # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
390 | # # Decryption secret example (do not use in production!).
391 | # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
392 | # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
393 | # # Decryption secret example (do not use in production!).
394 | # secretboxEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
395 | # # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
396 | # # AggregatorCA example.
397 | # aggregatorCA:
398 | # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
399 | # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
400 | # # The base64 encoded private key for service account token generation.
401 | # # AggregatorCA example.
402 | # serviceAccount:
403 | # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
404 | # # API server specific configuration options.
405 | # apiServer:
406 | # image: registry.k8s.io/kube-apiserver:v1.28.2 # The container image used in the API server manifest.
407 | # # Extra arguments to supply to the API server.
408 | # extraArgs:
409 | # feature-gates: ServerSideApply=true
410 | # http2-max-streams-per-connection: "32"
411 | # # Extra certificate subject alternative names for the API server's certificate.
412 | # certSANs:
413 | # - 1.2.3.4
414 | # - 4.5.6.7
415 | # # Configure the API server admission plugins.
416 | # admissionControl:
417 | # - name: PodSecurity # Name is the name of the admission controller.
418 | # # Configuration is an embedded configuration object to be used as the plugin's
419 | # configuration:
420 | # apiVersion: pod-security.admission.config.k8s.io/v1alpha1
421 | # defaults:
422 | # audit: restricted
423 | # audit-version: latest
424 | # enforce: baseline
425 | # enforce-version: latest
426 | # warn: restricted
427 | # warn-version: latest
428 | # exemptions:
429 | # namespaces:
430 | # - kube-system
431 | # runtimeClasses: []
432 | # usernames: []
433 | # kind: PodSecurityConfiguration
434 | # # Configure the API server audit policy.
435 | # auditPolicy:
436 | # apiVersion: audit.k8s.io/v1
437 | # kind: Policy
438 | # rules:
439 | # - level: Metadata
440 | # # Controller manager server specific configuration options.
441 | # controllerManager:
442 | # image: registry.k8s.io/kube-controller-manager:v1.28.2 # The container image used in the controller manager manifest.
443 | # # Extra arguments to supply to the controller manager.
444 | # extraArgs:
445 | # feature-gates: ServerSideApply=true
446 | # # Scheduler server specific configuration options.
447 | # scheduler:
448 | # image: registry.k8s.io/kube-scheduler:v1.28.2 # The container image used in the scheduler manifest.
449 | # # Extra arguments to supply to the scheduler.
450 | # extraArgs:
451 | # feature-gates: AllBeta=true
452 | # # Etcd specific configuration options.
453 | # etcd:
454 | # image: gcr.io/etcd-development/etcd:v3.5.9 # The container image used to create the etcd service.
455 | # # The `ca` is the root certificate authority of the PKI.
456 | # ca:
457 | # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
458 | # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
459 | # # Extra arguments to supply to etcd.
460 | # extraArgs:
461 | # election-timeout: "5000"
462 | # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
463 | # advertisedSubnets:
464 | # - 10.0.0.0/8
465 | # # Core DNS specific configuration options.
466 | # coreDNS:
467 | # image: registry.k8s.io/coredns/coredns:v1.10.1 # The `image` field is an override to the default coredns image.
468 | # # External cloud provider configuration.
469 | # externalCloudProvider:
470 | # enabled: true # Enable external cloud provider.
471 | # # A list of urls that point to additional manifests for an external cloud provider.
472 | # manifests:
473 | # - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
474 | # - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
475 | # # A list of urls that point to additional manifests.
476 | # extraManifests:
477 | # - https://www.example.com/manifest1.yaml
478 | # - https://www.example.com/manifest2.yaml
479 | # # A map of key value pairs that will be added while fetching the extraManifests.
480 | # extraManifestHeaders:
481 | # Token: "1234567"
482 | # X-ExtraInfo: info
483 | # # A list of inline Kubernetes manifests.
484 | # inlineManifests:
485 | # - name: namespace-ci # Name of the manifest.
486 | # contents: |- # Manifest contents as a string.
487 | # apiVersion: v1
488 | # kind: Namespace
489 | # metadata:
490 | # name: ci
491 | # # Settings for admin kubeconfig generation.
492 | # adminKubeconfig:
493 | # certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).
494 | # # Allows running workload on control-plane nodes.
495 | # allowSchedulingOnControlPlanes: true
496 | sops:
497 | kms: []
498 | gcp_kms: []
499 | azure_kv: []
500 | hc_vault: []
501 | age:
502 | - recipient: age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95
503 | enc: |
504 | -----BEGIN AGE ENCRYPTED FILE-----
505 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTkpFeitJM1VhalVSRzd1
506 | NVY1aFhIUlJDQzNzV0pzUEhvc0tyZC9tK3k4CnYrQ3dMaXJIWDNLR1BoRHlvS2N4
507 | cWVFSXhTYWRzWk9meUd6SVJJeFNIdjAKLS0tIEM0TytlNzF4czY2RTBrY2ZnVDFz
508 | ZUlqNUJ0NytQMGFJVEdUc3ozTjYzZE0KPlQOgCJmysj89T9MlMxQt2bPJE1mWvsk
509 | zZvMe+9ujGJ29/mzaabdi61dn3Nj41Am6VAUwVs8GzGJJLjfSMcd2g==
510 | -----END AGE ENCRYPTED FILE-----
511 | - recipient: age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32
512 | enc: |
513 | -----BEGIN AGE ENCRYPTED FILE-----
514 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqV083bUQ2azJmaTZnbDZp
515 | V0pXTjhBQjNKMFVaU1lmSEFoNCt1N3U4RzNvCmt5aERXdWVQVElYSTZXSHU0akkr
516 | Skh6azZib2VKK21UbG1lc2pXZkFMLzQKLS0tIHZCRU83TTI2KzNWZHhCWW5BeTJm
517 | eHE5L3JZUXM1QzU3V0U2WDJjL3k5OTQKD4VuPJO4fDuwb8t//T2025GC0/m84J9O
518 | n2rl756686e5Eq91qF50JHTWnkD9LiVyQoYzNXx7b0tIw9JeoCb2Tg==
519 | -----END AGE ENCRYPTED FILE-----
520 | lastmodified: "2023-10-26T17:02:07Z"
521 | mac: ENC[AES256_GCM,data:ro97viUC7/ElsvSAgsx9W0FkOQqMdcCDbAxk60DkURJG9kZASWXAN0d18hplBLRB1Q//+PVs3JSNjuB22ad3SXoVEplFs6omc7UmZr3a5JkqssZQRX+OEUSNfduq3Mtnl9h/9l4swX00ZzI1M5eGwY7B3tfGVqlnuIb2VsBwONY=,iv:FhG4h4QwdaTJFFnf+LK0hNVn24xjebOpBnLuNqrKhgE=,tag:h7aPniqA5SJegSHjLL5y0Q==,type:str]
522 | pgp: []
523 | encrypted_regex: ^(data|stringData|key|token|secretboxEncryptionSecret|secret)$
524 | version: 3.7.3
525 |
--------------------------------------------------------------------------------
/kubernetes/.sops.yaml:
--------------------------------------------------------------------------------
---
# sops creation rules for this repository. Rules are matched in order against
# the path of the file being encrypted and the first matching rule is used.
# NOTE(review): this file lives under kubernetes/, yet the encrypted files under
# docs/talos/ carry the same two age recipients — confirm how sops is pointed at
# this config for those paths (e.g. --config), otherwise a file outside
# kubernetes/ may be encrypted with no rule at all.
creation_rules:
  # Production manifests: only the listed keys are encrypted, so the rest of the
  # manifest stays readable and diffable. The dots in the pattern are unescaped
  # regex metacharacters, so it also matches names such as `foo-prod.yaml`; that
  # over-matches rather than under-matches, which is the safe direction.
  - path_regex: .*.prod.ya?ml
    encrypted_regex: ^(data|stringData|key|token|secretboxEncryptionSecret|secret)$
    # Personal, Flux-Prod
    age: >-
      age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95,
      age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32
  # Test manifests: encrypted to the personal recipient only; the Flux-Prod
  # recipient listed above is deliberately not included here.
  - path_regex: .*.test.ya?ml
    encrypted_regex: ^(data|stringData|key|token|secretboxEncryptionSecret|secret)$
    # Personal(, Flux-Test)
    age: >-
      age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95
  # Whole-file credentials: no encrypted_regex, so every value in the file is
  # encrypted. That is the right choice for kubeconfig/talosconfig, which are
  # credentials in their entirety. The `credentails` spelling matches the actual
  # file name under docs/openTofu — do not "fix" one without the other.
  - path_regex: (kubeconfig|talosconfig|credentails.auto.tfvars)
    # Personal, Flux-Prod(, Flux-Test)
    age: >-
      age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95,
      age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32
...
20 |
--------------------------------------------------------------------------------
/kubernetes/apps/default/overlays/prod/kustomization.yaml:
--------------------------------------------------------------------------------
# Production overlay for the `default` namespace applications.
# Only podinfo is wired in here; linkding has its own entry under
# kubernetes/overlays/prod (see the repository tree) — presumably by design.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../podinfo/prod
5 |
--------------------------------------------------------------------------------
/kubernetes/apps/default/podinfo/apps/gateway.yaml:
--------------------------------------------------------------------------------
---
# Cilium Gateway for podinfo: one TLS listener and one plain-HTTP listener
# (the latter only exists so http-filter-redirect.yaml can 301 to https).
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: podinfo-gateway
  namespace: default
spec:
  gatewayClassName: cilium
  listeners:
    # TLS listener; restricted to the podinfo.home.svc hostname.
    - protocol: HTTPS
      port: 443
      name: podinfo-tls-gw
      hostname: "podinfo.home.svc"
      allowedRoutes:
        namespaces:
          # `All`: an HTTPRoute from any namespace may attach to this listener,
          # so anyone able to create HTTPRoutes anywhere in the cluster can
          # route traffic for this hostname. The linkding Gateway uses `Same`;
          # consider the same here unless cross-namespace routes are needed.
          from: All
      tls:
        certificateRefs:
          # NOTE(review): prod/certificate.yaml issues its certificate into the
          # Secret `podinfo-gateway`, but this listener references
          # `main-gateway`. Unless a `main-gateway` Secret is created elsewhere
          # the listener has no certificate to serve — confirm which name is
          # intended (linkding pairs cert and listener under one name).
          - kind: Secret
            name: main-gateway
    # Plain-HTTP listener. Nothing should be served in clear text on it; its
    # only route is the RequestRedirect in http-filter-redirect.yaml.
    - protocol: HTTP
      port: 80
      name: podinfo-web-gw
      hostname: "podinfo.home.svc"
      allowedRoutes:
        namespaces:
          from: All
28 |
--------------------------------------------------------------------------------
/kubernetes/apps/default/podinfo/apps/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# Flux HelmRelease for podinfo (chart from the `podinfo` HelmRepository in
# flux-system). Exposure is handled by the Gateway/HTTPRoute manifests next to
# this file, not by the chart's ingress.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: podinfo
  namespace: default
spec:
  # How often Flux reconciles the release.
  interval: 5m
  chart:
    spec:
      chart: podinfo
      # Pinned chart version; bump deliberately rather than via a range.
      version: 6.5.2
      sourceRef:
        kind: HelmRepository
        name: podinfo
        namespace: flux-system
      # How often Flux re-checks the repository for this chart version.
      interval: 1m
  values:
    replicaCount: 3
    ingress:
      # Disabled: the Gateway API resources do the exposure. The hosts/tls
      # entries below are presumably ignored by the chart while disabled, and
      # `podinfo-cert` does not match the `podinfo-gateway` Secret issued by
      # prod/certificate.yaml — harmless today, but misleading if re-enabled.
      enabled: false
      hosts:
        - host: podinfo.home.svc
          paths:
            - path: /
              pathType: ImplementationSpecific
      tls:
        - hosts:
            - podinfo.home.svc
          secretName: podinfo-cert
    # NOTE(review): `foo`, `bar` and `oof` are the sample values from the Flux
    # HelmRelease example, not podinfo chart values; presumably ignored by the
    # chart. Consider dropping them so the values block only carries real config.
    foo: value1
    bar:
      baz: value2
    oof:
      - item1
      - item2
...
38 |
--------------------------------------------------------------------------------
/kubernetes/apps/default/podinfo/apps/http-filter-redirect.yaml:
--------------------------------------------------------------------------------
---
# Redirects every clear-text request on the podinfo Gateway's HTTP listener to
# https with a permanent (301) redirect, so no application traffic is served
# unencrypted.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: podinfo-redirect
  namespace: default
spec:
  parentRefs:
    # Attaches only to the plain-HTTP listener (port 80) of the Gateway.
    - kind: Gateway
      name: podinfo-gateway
      namespace: default
      sectionName: podinfo-web-gw
  hostnames:
    # The effective hostname set is the intersection with the listener's
    # hostname (podinfo.home.svc), so this wildcard is not wider in practice.
    - "*.home.svc"
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            # No port given: the redirect target presumably defaults to the
            # well-known port for https — confirm against the Cilium release.
            scheme: https
            statusCode: 301
21 |
--------------------------------------------------------------------------------
/kubernetes/apps/default/podinfo/apps/httproute.yaml:
--------------------------------------------------------------------------------
---
# Routes https://podinfo.home.svc from the TLS listener to the podinfo Service
# on its application port.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: podinfo
  namespace: default
spec:
  parentRefs:
    # Bound to the TLS listener only; clear-text traffic never reaches this route.
    - kind: Gateway
      name: podinfo-gateway
      namespace: default
      sectionName: podinfo-tls-gw
  hostnames:
    - podinfo.home.svc
  rules:
    # Backend is the Service named `podinfo` in this namespace (no namespace
    # given, so no ReferenceGrant is needed).
    - backendRefs:
        - name: podinfo
          port: 9898
19 |
20 |
--------------------------------------------------------------------------------
/kubernetes/apps/default/podinfo/apps/kustomization.yaml:
--------------------------------------------------------------------------------
# Environment-independent podinfo resources; the prod overlay adds the
# Certificate on top. NOTE(review): http-filter-redirect.yaml sits next to
# this file but is not listed here, so the HTTP→HTTPS redirect is not applied
# unless another Kustomization includes it — confirm.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gateway.yaml
  - helmrelease.yaml
  - httproute.yaml
7 |
--------------------------------------------------------------------------------
/kubernetes/apps/default/podinfo/prod/certificate.yaml:
--------------------------------------------------------------------------------
---
# cert-manager Certificate for the podinfo Gateway. The issued key pair lands in
# the Secret named by `secretName`; the Gateway listener must reference that
# same Secret to serve it.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: podinfo-gateway
  namespace: default
spec:
  secretName: podinfo-gateway
  commonName: podinfo.home.svc
  dnsNames:
    - "podinfo.home.svc"
  # Server-auth usages only; no client auth or code signing.
  usages:
    - digital signature
    - key encipherment
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    # Name suggests an internal CA; clients must trust it explicitly.
    name: themairs-production-ca-2022
19 |
--------------------------------------------------------------------------------
/kubernetes/apps/default/podinfo/prod/kustomization.yaml:
--------------------------------------------------------------------------------
# Production flavour of podinfo: the shared app resources plus the
# cert-manager Certificate for the Gateway listener.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - certificate.yaml
  - ../apps
6 |
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/apps/certificate.yaml:
--------------------------------------------------------------------------------
---
# cert-manager Certificate for the linkding Gateway. `secretName` matches the
# certificateRefs entry in gateway.yaml, so the listener serves this key pair.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkding-gateway
  namespace: linkding
spec:
  secretName: linkding-gateway
  commonName: linkding.home.svc
  dnsNames:
    - "linkding.home.svc"
  # Server-auth usages only; no client auth or code signing.
  usages:
    - digital signature
    - key encipherment
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    # Name suggests an internal CA; clients must trust it explicitly.
    name: themairs-production-ca-2022
19 |
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/apps/gateway.yaml:
--------------------------------------------------------------------------------
---
# Cilium Gateway for linkding: TLS only, no clear-text listener.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: linkding-gateway
  namespace: linkding
spec:
  gatewayClassName: cilium
  listeners:
    - protocol: HTTPS
      port: 443
      name: linkding-tls-gw
      hostname: "linkding.home.svc"
      allowedRoutes:
        namespaces:
          # Only HTTPRoutes in the linkding namespace may attach — tighter than
          # the podinfo Gateway's `All`.
          from: Same
      tls:
        certificateRefs:
          # Secret written by certificate.yaml in this directory.
          - kind: Secret
            name: linkding-gateway
21 |
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/apps/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# Flux HelmRelease for linkding (pascaliske chart). All credentials are taken
# from Secrets in the linkding namespace (secretKeyRef is always same-namespace);
# those Secrets are expected to come from the sops-encrypted prod manifests.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: linkding
  namespace: linkding
spec:
  targetNamespace: linkding
  releaseName: linkding
  interval: 12h

  chart:
    spec:
      chart: linkding
      # Pinned chart version.
      version: 1.1.0
      sourceRef:
        kind: HelmRepository
        name: pascaliske
        namespace: flux-system
      interval: 12h
  values:
    persistentVolumeClaim:
      # The chart does not create storage; presumably provided elsewhere — and
      # with a Postgres backend below, local state is limited.
      create: false

    env:
      # Initial admin account, read from the `superuser` Secret.
      - name: LD_SUPERUSER_NAME
        valueFrom:
          secretKeyRef:
            name: superuser
            key: username
      - name: LD_SUPERUSER_PASSWORD
        valueFrom:
          secretKeyRef:
            name: superuser
            key: password
      - name: LD_DB_ENGINE
        value: postgres
      # `linkding-database-rw` looks like the read/write Service of the
      # linkding-database cluster under prod/database — confirm.
      - name: LD_DB_HOST
        value: linkding-database-rw
      # Database credentials, read from the `linkding` Secret.
      - name: LD_DB_USER
        valueFrom:
          secretKeyRef:
            name: linkding
            key: username
      - name: LD_DB_PASSWORD
        valueFrom:
          secretKeyRef:
            name: linkding
            key: password
...
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/apps/httproute.yaml:
--------------------------------------------------------------------------------
---
# Routes https://linkding.home.svc from the linkding Gateway to the linkding
# Service. No sectionName is given, so the route attaches to every listener of
# the Gateway — currently only the TLS one.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: linkding
  namespace: linkding
spec:
  parentRefs:
    - kind: Gateway
      name: linkding-gateway
      namespace: linkding
  hostnames:
    - linkding.home.svc
  rules:
    # Backend Service `linkding` in this namespace.
    - backendRefs:
        - name: linkding
          port: 9090
18 |
19 |
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/apps/kustomization.yaml:
--------------------------------------------------------------------------------
# Environment-independent linkding resources: certificate, TLS-only Gateway,
# the HelmRelease and its HTTPRoute.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - certificate.yaml
  - gateway.yaml
  - helmrelease.yaml
  - httproute.yaml
8 |
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/prod/backup-secrets.prod.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Secret
3 | metadata:
4 | name: s3-credentials
5 | namespace: linkding
6 | type: Opaque
7 | stringData:
8 | key: ENC[AES256_GCM,data:RLZ7AfaC/CVIOMQA6UmWxKiViKLC+ldrKPIMWzev,iv:Fc1yeytjZ8Z8c+cVQyVo6SZf+6Oj42M/Q9dvTzlKEtk=,tag:cJBvVFvUfBBFhDL1SRVouw==,type:str]
9 | secret: ENC[AES256_GCM,data:XnB/fYaLD2fShzs0GBUbT6j5h3L8/1EOleoWmtQf7hw=,iv:tq6Bb9yeeJdLMSpayiRUTcO3ckAuZn3vPLfHdC6ifcs=,tag:nlCwWMisdd2X+5VyPBY8vA==,type:str]
10 | tls.crt: ENC[AES256_GCM,data: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,iv:21stMt3ZWOG5bbW+IOT7UO5e/7ssn3J72+tiDt3SxYI=,tag:9Y4xkeKAIP9Qg7aM/cVrPQ==,type:str]
11 | sops:
12 | kms: []
13 | gcp_kms: []
14 | azure_kv: []
15 | hc_vault: []
16 | age:
17 | - recipient: age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95
18 | enc: |
19 | -----BEGIN AGE ENCRYPTED FILE-----
20 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcjJtdDVqT3pRbHBmQitz
21 | cVRFU3Z5eG55WVlUWHVzQVNPVmZWOWFMMFFjCmNmVlN6aGpJb1F0di9zUGlIQ01Q
22 | bytvRUdEaFptM3AzS0RCRkw2aVErTmcKLS0tIDgrTVZzdHBKQWpQOFhta2dBYm5m
23 | L2tDYkZab2tDbGVEUWFOejBlTjhUQjQK+cVN44SAMJoAwiSiXouO6JyU67w9b7Km
24 | V4unzYpYOEvne0PPkvIy8Pwn8J1joo9VwL1kaoqHtDyiRIihTmkEMA==
25 | -----END AGE ENCRYPTED FILE-----
26 | - recipient: age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32
27 | enc: |
28 | -----BEGIN AGE ENCRYPTED FILE-----
29 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVUWpOVS9Vd1ZxWnVjTE40
30 | Sk9VWGZ6amJvTWxMR3pLOFk1MDBROXdzeFZjCmx6WnM4R3JRY01kN0RKaG9KbDN1
31 | NW5aM1Rjd3lxZHdZczlKell6azUxczAKLS0tIG5xaUg2ampSQXhUZFFxdlA0Nzd4
32 | TTJnd3V2QUZyUDgxUWdScXpFeVVQVHcKiLyR3741pMcMlk+pGsWq8EyNc8tenj0S
33 | F7z8f7DqCloSPJY95LD+XZqwAdQwE9o12WESY6W6nEGWfyRH4nwHCQ==
34 | -----END AGE ENCRYPTED FILE-----
35 | lastmodified: "2023-10-28T16:56:59Z"
36 | mac: ENC[AES256_GCM,data:kIVvyLrwANu4XSBjN901QSYH+p+IZKncW6pQosRVvP6K14qJLUKSuse/cpopDq4WqwVcZ0IdC0369Qo/bw9iIaBEAU+0IsKzdCCe3TN5x7eKaqRGGfPJ42dWfzOxGOl7acU7PKq2f2LK/L85dxXq7Y6trsKB7DbP+Pjf1KE4BdM=,iv:QhHIhUKS8KTEagB/r7883yZR0M2yAMQjccB3b3qY7Us=,tag:+ei7PLKPJLYAWR2np5LFDg==,type:str]
37 | pgp: []
38 | encrypted_regex: ^(data|stringData|key|token|secretboxEncryptionSecret|secret)$
39 | version: 3.8.1
40 |
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/prod/database/RunManualBackup.yaml:
--------------------------------------------------------------------------------
---
# On-demand base backup of the linkding-database cluster. This file is not
# listed in kustomization.yaml, so Flux never applies it; presumably it is
# meant to be applied by hand when a backup is wanted outside the schedule.
# Like the ScheduledBackup, it needs spec.backup configured on the Cluster.
apiVersion: postgresql.cnpg.io/v1
kind: Backup
metadata:
  name: linkding-database
  namespace: linkding
spec:
  cluster:
    name: linkding-database
...
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/prod/database/kustomization.yaml:
--------------------------------------------------------------------------------
# Applied by the apps-linkding-database Flux Kustomization
# (../linkding-database.yaml). RunManualBackup.yaml in this directory is
# deliberately not listed here, so it is never reconciled by Flux.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - linkding-database.yaml   # CNPG Cluster (not the Flux Kustomization of the same name in ..)
  - scheduledbackup.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/prod/database/linkding-database.yaml:
--------------------------------------------------------------------------------
---
# CloudNativePG cluster backing linkding. It is bootstrapped by *recovery*
# from the barman object store described under externalClusters, not by
# initdb; the initdb block is kept below (commented out) for a fresh install.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: linkding-database
  namespace: linkding
spec:
  # Single instance: no replica, so a node or pod failure means downtime
  # until the pod is rescheduled and the ceph-block volume reattached.
  instances: 1
  # The operator may restart/switch over the primary on its own during
  # updates; no manual supervision step.
  primaryUpdateStrategy: unsupervised
  storage:
    size: 1Gi
    storageClass: ceph-block
    pvcTemplate:
      accessModes:
        - ReadWriteOnce

  # postgres-superuser is the SOPS-encrypted basic-auth Secret in
  # ../secret.prod.yaml.
  superuserSecret:
    name: postgres-superuser

  # bootstrap:
  #   initdb:
  #     database: linkding
  #     owner: linkding
  #     secret:
  #       name: linkding
  bootstrap:
    recovery:
      source: linkding-database
      database: linkding
      owner: linkding
      # Application owner credentials (Secret `linkding`, ../secret.prod.yaml).
      secret:
        name: linkding

  externalClusters:
    - name: linkding-database
      barmanObjectStore:
        destinationPath: "s3://CloudNativePG"
        endpointURL: "https://nas1.net.themairs.net:8010"
        # Private CA for the S3 endpoint; shipped in the same s3-credentials
        # Secret as the access keys (../backup-secrets.prod.yaml).
        endpointCA:
          name: s3-credentials
          key: tls.crt
        s3Credentials:
          accessKeyId:
            name: s3-credentials
            key: key
          secretAccessKey:
            name: s3-credentials
            key: secret
        # Up to 8 WAL segments fetched in parallel while recovering.
        wal:
          maxParallel: 8

  # NOTE(review): with this block commented out the cluster has no
  # spec.backup, so the ScheduledBackup in scheduledbackup.yaml has nothing
  # to act on and no WAL is archived after the restore -- the restored data
  # is only as durable as the single ceph-block PVC. Before re-enabling it,
  # give spec.backup.barmanObjectStore a serverName different from
  # "linkding-database": the recovery source above reads the same
  # destinationPath, and CNPG documents that backing up to the same path
  # and server name as the recovery source is refused (confirm against the
  # CNPG version in use).
  # backup:
  #   retentionPolicy: "30d"
  #   barmanObjectStore:
  #     endpointCA:
  #       name: s3-credentials
  #       key: tls.crt
  #     destinationPath: "s3://CloudNativePG"
  #     endpointURL: "https://nas1.net.themairs.net:8010"
  #     s3Credentials:
  #       accessKeyId:
  #         name: s3-credentials
  #         key: key
  #       secretAccessKey:
  #         name: s3-credentials
  #         key: secret
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/prod/database/scheduledbackup.yaml:
--------------------------------------------------------------------------------
---
# Nightly base backup of the linkding-database cluster. CNPG schedules use a
# six-field cron (seconds first), so "0 0 0 * * *" is once a day at 00:00.
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
  name: linkding-database
  namespace: linkding
spec:
  schedule: "0 0 0 * * *"
  # Backup objects get the Cluster as owner, so they are garbage-collected
  # with it.
  backupOwnerReference: cluster
  cluster:
    name: linkding-database
  # NOTE(review): the target Cluster (linkding-database.yaml) currently has
  # its spec.backup section commented out, so every scheduled run should be
  # expected to fail until an object store is configured there. Worth an
  # alert on Backup objects whose phase is not "completed".
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/prod/kustomization.yaml:
--------------------------------------------------------------------------------
# Everything Flux applies for the linkding namespace, via the
# apps-overlays-linkding Flux Kustomization (../../overlays/prod/linkding.yaml).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  # *.prod.yaml Secrets are SOPS/age encrypted and decrypted by Flux
  # (decryption.secretRef flux-sops-agekey). Edit them only through `sops`:
  # by default the MAC covers the whole document, so hand edits -- even
  # added comments -- break decryption.
  - backup-secrets.prod.yaml   # s3-credentials: object-store keys + endpoint CA
  - secret.prod.yaml           # postgres-superuser, superuser (linkding admin), linkding (db owner)
  # Flux Kustomizations; not to be confused with the CNPG Cluster of the
  # same name in database/linkding-database.yaml.
  - linkding-database.yaml
  - linkding.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/prod/linkding-database.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the CNPG Cluster and ScheduledBackup under
# prod/database. Named so that apps-linkding can declare dependsOn it.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps-linkding-database
  namespace: flux-system
spec:
  interval: 24h
  path: kubernetes/apps/linkding/prod/database
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  # Nothing under database/ is encrypted today; decryption is configured so
  # an encrypted file added there later is decrypted without further changes.
  decryption:
    provider: sops
    secretRef:
      name: flux-sops-agekey
  # NOTE(review): no wait/healthChecks, so dependants see this Kustomization
  # as Ready as soon as the manifests are applied, not when the database
  # Cluster is actually up.
...
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/prod/linkding.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the linkding workload (Gateway, HTTPRoute,
# Certificate, HelmRelease under prod/../apps).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps-linkding
  namespace: flux-system
spec:
  interval: 24h
  path: kubernetes/apps/linkding/apps
  prune: true
  # Ordering only: the database Kustomization has no wait/healthChecks, so
  # this reconciles once its manifests were applied, which may be before
  # the CNPG Cluster is ready. The app is expected to retry until then.
  dependsOn:
    - name: apps-linkding-database
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: flux-sops-agekey
...
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/prod/namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: linkding
  labels:
    # Flux never garbage-collects this namespace, even if it disappears
    # from the Kustomization that created it.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Presumably matched by a Gateway's allowedRoutes namespace selector;
    # the Gateway that selects on it is outside this directory -- confirm.
    shared-gateway-access: "true"
...
--------------------------------------------------------------------------------
/kubernetes/apps/linkding/prod/secret.prod.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Secret
3 | metadata:
4 | name: postgres-superuser
5 | namespace: linkding
6 | type: kubernetes.io/basic-auth
7 | stringData:
8 | username: ENC[AES256_GCM,data:zPwdgOVMhGc=,iv:8dTDlWVv+GW8lKAlEL4vm7fGtRqpj+zs/Lh3AcXRJLA=,tag:6z3tNCAl1zW1pMp/lWhd0A==,type:str]
9 | password: ENC[AES256_GCM,data:+oOYxv4wyJk=,iv:nvRzmRjwM97dR/2D8nqS/tz2/Jy7RQb6wUeb5dYhATg=,tag:AXpILvKRDTF6i4JPwn8odw==,type:str]
10 | sops:
11 | kms: []
12 | gcp_kms: []
13 | azure_kv: []
14 | hc_vault: []
15 | age:
16 | - recipient: age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95
17 | enc: |
18 | -----BEGIN AGE ENCRYPTED FILE-----
19 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSFhTZG5ua1BQV2hLMkwx
20 | MUZ1MHMxN0NQREh1UkNMaU9laWlnRlZSekJzCmNtNzJ2TVFESGJtazhZdjhqU1M3
21 | UkhseENJcHhraldCNmFkQW1OZUk4clkKLS0tIGtFY3BJMnJtYisrWlFrMHhrYmtW
22 | WnEzYThvcmh1eFB1ZE02blJhR0lmYm8K7LjbxrxUBRc8KvLPhhb6h7rCCYxiFE+A
23 | nFSUmLI2fj/hIqCgN2zMRfwDQ5q4N6/nECF3Fbq91VUY+DRW98zmww==
24 | -----END AGE ENCRYPTED FILE-----
25 | - recipient: age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32
26 | enc: |
27 | -----BEGIN AGE ENCRYPTED FILE-----
28 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbmF1U0h5NmhLWkVSZjA1
29 | aHloRGM5SVo2RTkxWUlFSDRJN3hlREl3eUR3Cm4xOVBRcWFaZ0c3VlFteFFaOXVa
30 | c251YjFKK2RzQjFLYWIzTXcvZEs5eEEKLS0tIGRSandVenNWZm1VWHJ2SXh0aldx
31 | S1l2S0h6TlZlZ3R1UGFOakZ3cUhCR0kKoM/v/W20SOJAPtra8sjRpx0VcEOAgaZi
32 | AHm6EZ9achMjyiRl1EfUwfySbsHGiCRHmhsFyUsjItA3uYrVdFW19g==
33 | -----END AGE ENCRYPTED FILE-----
34 | lastmodified: "2023-10-28T12:12:06Z"
35 | mac: ENC[AES256_GCM,data:BYEqbZjGCpiHBAR4PcjlRGgEjWvfrkGWR/dawPWn2aAGknITX0oH9akfAbUuOLl9yl2WhhBkVve2oxfh2Zcr8oQk1pg0RY2qYjebHaTbhQUGchvkAKcIiX3R101J5cOwOovv7XofCnc6MWkImGuoum1uwjSlX9UcEZMczruu6Lo=,iv:QXlmUd3d/sh+v2xl7XoSeUey0fko5wK0q+kJ/IR+8ac=,tag:aZ+185vVBEYImLOFNtJUSA==,type:str]
36 | pgp: []
37 | encrypted_regex: ^(data|stringData|key|token|secretboxEncryptionSecret|secret)$
38 | version: 3.8.1
39 | ---
40 | apiVersion: v1
41 | kind: Secret
42 | metadata:
43 | name: superuser
44 | namespace: linkding
45 | type: kubernetes.io/basic-auth
46 | stringData:
47 | username: ENC[AES256_GCM,data:SPvQffs=,iv:nnXl8Pl3OEHHuYSVvwRi9qqWeN7PNOweub7KxEAmwBg=,tag:RRQUGoFS+zCqw8CLFwvnNQ==,type:str]
48 | password: ENC[AES256_GCM,data:Jgtr5OFMp88=,iv:D4NsEMIvlHkYNkZlB4x0cqVO3MaWoVfrdTjCxHE20d8=,tag:cvgmHe8itYKU59anKS+G6Q==,type:str]
49 | sops:
50 | kms: []
51 | gcp_kms: []
52 | azure_kv: []
53 | hc_vault: []
54 | age:
55 | - recipient: age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95
56 | enc: |
57 | -----BEGIN AGE ENCRYPTED FILE-----
58 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSFhTZG5ua1BQV2hLMkwx
59 | MUZ1MHMxN0NQREh1UkNMaU9laWlnRlZSekJzCmNtNzJ2TVFESGJtazhZdjhqU1M3
60 | UkhseENJcHhraldCNmFkQW1OZUk4clkKLS0tIGtFY3BJMnJtYisrWlFrMHhrYmtW
61 | WnEzYThvcmh1eFB1ZE02blJhR0lmYm8K7LjbxrxUBRc8KvLPhhb6h7rCCYxiFE+A
62 | nFSUmLI2fj/hIqCgN2zMRfwDQ5q4N6/nECF3Fbq91VUY+DRW98zmww==
63 | -----END AGE ENCRYPTED FILE-----
64 | - recipient: age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32
65 | enc: |
66 | -----BEGIN AGE ENCRYPTED FILE-----
67 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbmF1U0h5NmhLWkVSZjA1
68 | aHloRGM5SVo2RTkxWUlFSDRJN3hlREl3eUR3Cm4xOVBRcWFaZ0c3VlFteFFaOXVa
69 | c251YjFKK2RzQjFLYWIzTXcvZEs5eEEKLS0tIGRSandVenNWZm1VWHJ2SXh0aldx
70 | S1l2S0h6TlZlZ3R1UGFOakZ3cUhCR0kKoM/v/W20SOJAPtra8sjRpx0VcEOAgaZi
71 | AHm6EZ9achMjyiRl1EfUwfySbsHGiCRHmhsFyUsjItA3uYrVdFW19g==
72 | -----END AGE ENCRYPTED FILE-----
73 | lastmodified: "2023-10-28T12:12:06Z"
74 | mac: ENC[AES256_GCM,data:BYEqbZjGCpiHBAR4PcjlRGgEjWvfrkGWR/dawPWn2aAGknITX0oH9akfAbUuOLl9yl2WhhBkVve2oxfh2Zcr8oQk1pg0RY2qYjebHaTbhQUGchvkAKcIiX3R101J5cOwOovv7XofCnc6MWkImGuoum1uwjSlX9UcEZMczruu6Lo=,iv:QXlmUd3d/sh+v2xl7XoSeUey0fko5wK0q+kJ/IR+8ac=,tag:aZ+185vVBEYImLOFNtJUSA==,type:str]
75 | pgp: []
76 | encrypted_regex: ^(data|stringData|key|token|secretboxEncryptionSecret|secret)$
77 | version: 3.8.1
78 | ---
79 | apiVersion: v1
80 | kind: Secret
81 | metadata:
82 | name: linkding
83 | namespace: linkding
84 | type: kubernetes.io/basic-auth
85 | stringData:
86 | username: ENC[AES256_GCM,data:g8LPK1I8a4c=,iv:1bICiePDhyN6exjveyNDvZWZ95JHkZKGvth2B2HCwEg=,tag:laTNkKaxWUw5gpRGxgmVQg==,type:str]
87 | password: ENC[AES256_GCM,data:pq/8b6ahj5E=,iv:KAlGWT0wRh/jL+5qRbRU2/ySxo7MdWJLdyoyZ9ouXqk=,tag:nkotG9vYh35cMiIFcY402A==,type:str]
88 | sops:
89 | kms: []
90 | gcp_kms: []
91 | azure_kv: []
92 | hc_vault: []
93 | age:
94 | - recipient: age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95
95 | enc: |
96 | -----BEGIN AGE ENCRYPTED FILE-----
97 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSFhTZG5ua1BQV2hLMkwx
98 | MUZ1MHMxN0NQREh1UkNMaU9laWlnRlZSekJzCmNtNzJ2TVFESGJtazhZdjhqU1M3
99 | UkhseENJcHhraldCNmFkQW1OZUk4clkKLS0tIGtFY3BJMnJtYisrWlFrMHhrYmtW
100 | WnEzYThvcmh1eFB1ZE02blJhR0lmYm8K7LjbxrxUBRc8KvLPhhb6h7rCCYxiFE+A
101 | nFSUmLI2fj/hIqCgN2zMRfwDQ5q4N6/nECF3Fbq91VUY+DRW98zmww==
102 | -----END AGE ENCRYPTED FILE-----
103 | - recipient: age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32
104 | enc: |
105 | -----BEGIN AGE ENCRYPTED FILE-----
106 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbmF1U0h5NmhLWkVSZjA1
107 | aHloRGM5SVo2RTkxWUlFSDRJN3hlREl3eUR3Cm4xOVBRcWFaZ0c3VlFteFFaOXVa
108 | c251YjFKK2RzQjFLYWIzTXcvZEs5eEEKLS0tIGRSandVenNWZm1VWHJ2SXh0aldx
109 | S1l2S0h6TlZlZ3R1UGFOakZ3cUhCR0kKoM/v/W20SOJAPtra8sjRpx0VcEOAgaZi
110 | AHm6EZ9achMjyiRl1EfUwfySbsHGiCRHmhsFyUsjItA3uYrVdFW19g==
111 | -----END AGE ENCRYPTED FILE-----
112 | lastmodified: "2023-10-28T12:12:06Z"
113 | mac: ENC[AES256_GCM,data:BYEqbZjGCpiHBAR4PcjlRGgEjWvfrkGWR/dawPWn2aAGknITX0oH9akfAbUuOLl9yl2WhhBkVve2oxfh2Zcr8oQk1pg0RY2qYjebHaTbhQUGchvkAKcIiX3R101J5cOwOovv7XofCnc6MWkImGuoum1uwjSlX9UcEZMczruu6Lo=,iv:QXlmUd3d/sh+v2xl7XoSeUey0fko5wK0q+kJ/IR+8ac=,tag:aZ+185vVBEYImLOFNtJUSA==,type:str]
114 | pgp: []
115 | encrypted_regex: ^(data|stringData|key|token|secretboxEncryptionSecret|secret)$
116 | version: 3.8.1
117 |
--------------------------------------------------------------------------------
/kubernetes/apps/overlays/prod/default.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the `default` app group (podinfo) in prod.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps-overlays-default
  namespace: flux-system
spec:
  interval: 24h
  path: kubernetes/apps/default/overlays/prod
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  # SOPS decryption with the cluster's age key for any *.prod.yaml Secret.
  decryption:
    provider: sops
    secretRef:
      name: flux-sops-agekey
...
--------------------------------------------------------------------------------
/kubernetes/apps/overlays/prod/kustomization.yaml:
--------------------------------------------------------------------------------
# Entry point for all prod app groups; referenced from clusters/prod/kustomization.yaml.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - default.yaml
  # NOTE(review): linkding is switched off here. If apps-overlays-linkding
  # was ever applied from this list, removing it makes Flux delete that
  # Kustomization, and because it carries prune: true its objects go with
  # it -- including the CNPG Cluster and hence the database PVC (only the
  # namespace is labelled prune: disabled). Make sure the object-store
  # backup is restorable before toggling this line.
  # - linkding.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/overlays/prod/linkding.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the linkding app group (namespace, Secrets and the
# two child Flux Kustomizations under apps/linkding/prod). Currently
# commented out of kustomization.yaml in this directory, so it is not applied.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps-overlays-linkding
  namespace: flux-system
spec:
  interval: 24h
  path: kubernetes/apps/linkding/prod
  # Deleting this Kustomization also deletes what it applied.
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  # Needed here: prod/ holds the SOPS-encrypted *.prod.yaml Secrets.
  decryption:
    provider: sops
    secretRef:
      name: flux-sops-agekey
...
--------------------------------------------------------------------------------
/kubernetes/clusters/prod/flux-system/gotk-sync.yaml:
--------------------------------------------------------------------------------
1 | # This manifest was generated by flux. DO NOT EDIT.
2 | ---
3 | apiVersion: source.toolkit.fluxcd.io/v1
4 | kind: GitRepository
5 | metadata:
6 | name: flux-system
7 | namespace: flux-system
8 | spec:
9 | interval: 1m0s
10 | ref:
11 | branch: main
12 | secretRef:
13 | name: flux-system
14 | url: https://git.home.themairs.net/flux/homenetwork.git
15 | ---
16 | apiVersion: kustomize.toolkit.fluxcd.io/v1
17 | kind: Kustomization
18 | metadata:
19 | name: flux-system
20 | namespace: flux-system
21 | spec:
22 | interval: 10m0s
23 | path: ./kubernetes/clusters/prod
24 | prune: true
25 | sourceRef:
26 | kind: GitRepository
27 | name: flux-system
28 | decryption:
29 | provider: sops
30 | secretRef:
31 | name: flux-sops-agekey
32 |
--------------------------------------------------------------------------------
/kubernetes/clusters/prod/flux-system/kustomization.yaml:
--------------------------------------------------------------------------------
# Flux's own components and sync objects, both written by `flux bootstrap`
# (gotk-sync.yaml is marked DO NOT EDIT).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/prod/kustomization.yaml:
--------------------------------------------------------------------------------
# Root of the prod cluster, reconciled by the flux-system Kustomization
# (path ./kubernetes/clusters/prod in flux-system/gotk-sync.yaml).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - flux-system
  - ../../repositories
  - ../../infrastructure/overlays/prod
  - ../../apps/overlays/prod
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cert-manager/app/prod/configmap.yaml:
--------------------------------------------------------------------------------
---
# Helm values for the cert-manager HelmRelease (valuesFrom -> this ConfigMap).
apiVersion: v1
kind: ConfigMap
metadata:
  name: cert-manager-helm-chart-overrides
  namespace: cert-manager
data:
  values.yaml: |
    # Issuer used by ingress-shim for Ingress resources that opt into
    # cert-manager without naming an issuer themselves.
    ingressShim:
      defaultIssuerName: "themairs-production-ca-2022"
      defaultIssuerKind: "ClusterIssuer"
    webhook:
      enabled: true
    # CRDs come from the chart; the HelmRelease also sets crds: CreateReplace,
    # so both mechanisms touch the CRDs -- confirm which one is wanted.
    installCRDs: true
    replicaCount: 1
...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cert-manager/app/prod/kustomization.yaml:
--------------------------------------------------------------------------------
# prod flavour of the cert-manager app: the shared HelmRelease plus the
# prod values ConfigMap it reads.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - configmap.yaml
  - ../release
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cert-manager/app/release/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# cert-manager from the jetstack HelmRepository, pinned to v1.13.1.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  targetNamespace: cert-manager
  releaseName: cert-manager
  interval: 30m
  chart:
    spec:
      chart: cert-manager
      version: v1.13.1
      sourceRef:
        kind: HelmRepository
        name: jetstack
        namespace: flux-system
      interval: 30m

  # Flux applies/replaces the chart's CRDs on install and upgrade. The
  # values also set installCRDs: true, so the chart templates them too.
  install:
    crds: CreateReplace

  upgrade:
    crds: CreateReplace

  # Environment-specific values live in the ConfigMap next to this release.
  valuesFrom:
    - name: cert-manager-helm-chart-overrides
      kind: ConfigMap
...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cert-manager/app/release/kustomization.yaml:
--------------------------------------------------------------------------------
# Environment-independent part of the cert-manager app: only the HelmRelease.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cert-manager/overlays/prod/cert-manager.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization installing cert-manager itself (HelmRelease + values).
# The ClusterIssuer and CA Secret are applied by a separate Kustomization
# that depends on this one (resources.yaml), because they need the CRDs.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure-cert-manager
  namespace: flux-system
spec:
  interval: 24h
  path: kubernetes/infrastructure/cert-manager/app/prod
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: flux-sops-agekey
...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cert-manager/overlays/prod/kustomization.yaml:
--------------------------------------------------------------------------------
---
# cert-manager in prod: namespace, the installer Kustomization and the
# dependent resources Kustomization.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - cert-manager.yaml
  - resources.yaml
...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cert-manager/overlays/prod/namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    # Never garbage-collected by Flux; it also holds the CA signing key.
    kustomize.toolkit.fluxcd.io/prune: disabled
...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cert-manager/overlays/prod/resources.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the ClusterIssuer and its CA Secret.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure-cert-manager-resources
  namespace: flux-system
spec:
  interval: 24h
  path: kubernetes/infrastructure/cert-manager/overlays/prod/resources
  prune: true
  # dependsOn only guarantees the installer Kustomization was applied, not
  # that the cert-manager CRDs are registered yet; the short retryInterval
  # makes the "no matches for kind ClusterIssuer" failures retry quickly
  # until they are.
  retryInterval: 5s
  dependsOn:
    - name: infrastructure-cert-manager
  sourceRef:
    kind: GitRepository
    name: flux-system
  # Required: resources/secret.prod.yaml is SOPS-encrypted.
  decryption:
    provider: sops
    secretRef:
      name: flux-sops-agekey
...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cert-manager/overlays/prod/resources/clusterissuer.yaml:
--------------------------------------------------------------------------------
---
# Cluster-wide CA issuer signing with the private CA in the Secret of the
# same name. For a ClusterIssuer the Secret must sit in cert-manager's own
# namespace (cert-manager here; see secret.prod.yaml). Anyone who can read
# Secrets in that namespace can mint certificates trusted by everything
# that trusts this CA, so RBAC on cert-manager Secrets matters.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: themairs-production-ca-2022
spec:
  ca:
    secretName: themairs-production-ca-2022
...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cert-manager/overlays/prod/resources/kustomization.yaml:
--------------------------------------------------------------------------------
# Applied by infrastructure-cert-manager-resources after cert-manager is up.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - clusterissuer.yaml
  # kubernetes.io/tls Secret with the CA certificate *and private key*,
  # SOPS/age encrypted at rest in git. Edit only through `sops`; hand edits
  # (even comments) invalidate the MAC and Flux can no longer decrypt it.
  - secret.prod.yaml
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cert-manager/overlays/prod/resources/secret.prod.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Secret
3 | type: kubernetes.io/tls
4 | metadata:
5 | name: themairs-production-ca-2022
6 | namespace: cert-manager
7 | data:
8 | tls.crt: ENC[AES256_GCM,data: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,iv:52mHKVWgah309E0P6Cd4unviONVha6BH156YP8LDzCw=,tag:UYDzHTWADnmDVrjI+9k2dg==,type:str]
9 | tls.key: ENC[AES256_GCM,data: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,iv:MRrU6Ds/VRt3D6oLbE/RnArRwp/PsxxaDIql0ffrbjY=,tag:iFBMGrTglZk4cZp6IMjVog==,type:str]
10 | sops:
11 | kms: []
12 | gcp_kms: []
13 | azure_kv: []
14 | hc_vault: []
15 | age:
16 | - recipient: age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95
17 | enc: |
18 | -----BEGIN AGE ENCRYPTED FILE-----
19 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMm5QZVpPR0d3WlFZeXI1
20 | NFNzbnlQaTBjTHJva2VwNklOZFhZd1ZOc0ZNCkQwTk5kTThHQUlLcXZZMEtlRzZu
21 | OU1mdTBUa1JjMEtsdThaU0RkeGdINzAKLS0tIFNGaTRDWExhcVNHQ1p1NVdMbjR2
22 | RFNZbDQ0Z1pQc3F6ZisyZ05oZ1lrbzAKhLhCJ9u5eWO8ezHaaTJ2klCrcPC7fcz+
23 | 1B0FZ+Ed7YWZkXXqDzgkZG4gIJhd0gtmO0+uvxHr6bVjsoRa5kJMUg==
24 | -----END AGE ENCRYPTED FILE-----
25 | - recipient: age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32
26 | enc: |
27 | -----BEGIN AGE ENCRYPTED FILE-----
28 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUWUxob0JoWkcvTm1FZHhI
29 | VUlDdElQS3puc2kwdGZCdVJSK0hkTHNhcWk0CmlQdDJUaHYzL3MvUnYydmdrOWtV
30 | cmkvbmhPaDYxa2VuNmNja2JxWkdyWG8KLS0tIFE0NGdUNFJOMVZQSFN0WENxR2NL
31 | WktNZ3E0UzFPSnZCbWUyYnpscnVTT28KcTCoClxDB1/sXgdbphX5F9snhV8ppkd6
32 | Cj01skh6lmkY+UffCx+Dvz0oq41UKEvT3Gl2CYez8dTKYexb9c8sAA==
33 | -----END AGE ENCRYPTED FILE-----
34 | lastmodified: "2023-10-28T12:19:00Z"
35 | mac: ENC[AES256_GCM,data:/m869WgshwVhH0YuiXS1vHmRjgbipzTd5ugQniupqJ2V86H88Wpj+NhCJRnXVUL2WWqWdVqkAODrYw3Mt1JCFF5StPwt51ntuwd/rvSvlFv8xWwlp/QAu6vEASM2novsBhYVKhv7hY9xEiKGkc4hw4qVUj5r+S6kKaam5XoxkUE=,iv:jNiXMfLWDUwYE7HIZOyBmFRuE4bQh0qBMpQs73L860U=,tag:Iz3OZTo8OJe/3Ug/DZOLIg==,type:str]
36 | pgp: []
37 | encrypted_regex: ^(data|stringData|key|token|secretboxEncryptionSecret|secret)$
38 | version: 3.8.1
39 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/cilium/app/gateway.yaml:
--------------------------------------------------------------------------------
---
# Gateway (Cilium GatewayClass) exposing the Hubble UI over HTTPS.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: cilium-gateway
  namespace: kube-system
spec:
  gatewayClassName: cilium
  listeners:
    - protocol: HTTPS
      port: 443
      name: cilium-ui-tls-gw
      hostname: "hubble.home.svc"
      # Only HTTPRoutes from kube-system may attach to this listener.
      allowedRoutes:
        namespaces:
          from: Same
      # Certificate issued by cert-manager (overlays/prod/certificate.yaml).
      tls:
        certificateRefs:
          - kind: Secret
            name: cilium-gateway
  # NOTE(review): Hubble UI provides no authentication of its own, so
  # reachability of this gateway's address is the only access control --
  # confirm it is not routable beyond the home network.
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/cilium/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# Cilium CNI from the cilium HelmRepository, pinned to 1.14.3. Values are
# kept out of this file and come from a ConfigMap in the prod overlay.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: cilium
  namespace: kube-system
spec:
  releaseName: cilium
  targetNamespace: kube-system
  interval: 5m

  install:
    crds: CreateReplace

  upgrade:
    crds: CreateReplace

  chart:
    spec:
      chart: cilium
      version: 1.14.3
      sourceRef:
        kind: HelmRepository
        name: cilium
        namespace: flux-system
      interval: 60m

  valuesFrom:
    - kind: ConfigMap
      name: cilium-helm-values-override
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/cilium/app/httproute.yaml:
--------------------------------------------------------------------------------
---
# Routes hubble.home.svc from the cilium-gateway Gateway to the hubble-ui Service.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: cilium-gateway
  namespace: kube-system
spec:
  parentRefs:
    - kind: Gateway
      name: cilium-gateway
      namespace: kube-system
      # Binds to the named HTTPS listener only.
      sectionName: cilium-ui-tls-gw
  hostnames:
    - hubble.home.svc
  rules:
    # TLS terminates at the gateway; the hop to hubble-ui is plain HTTP.
    - backendRefs:
        - name: hubble-ui
          port: 80
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/cilium/app/kustomization.yaml:
--------------------------------------------------------------------------------
# Cilium app: the HelmRelease plus the Gateway/HTTPRoute for Hubble UI.
# Applied by the infrastructure-cilium Flux Kustomization.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gateway.yaml
  - httproute.yaml
  - helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/cilium/overlays/prod/certificate.yaml:
--------------------------------------------------------------------------------
---
# Server certificate for the Hubble UI gateway listener, issued by the
# in-house CA and written to Secret cilium-gateway (referenced by gateway.yaml).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cilium-gateway
  namespace: kube-system
spec:
  secretName: cilium-gateway
  commonName: hubble.home.svc
  dnsNames:
    - "hubble.home.svc"
  usages:
    - digital signature
    - key encipherment
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: themairs-production-ca-2022
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/cilium/overlays/prod/cilium-resources.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for Cilium CRs (e.g. the L2 announcement policy) that
# can only be applied once the Cilium CRDs exist, hence the dependsOn.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure-cilium-resources
  namespace: flux-system
spec:
  interval: 24h
  path: kubernetes/infrastructure/cilium/cilium/overlays/prod/resources
  prune: true
  dependsOn:
    - name: infrastructure-cilium
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: flux-sops-agekey
...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/cilium/overlays/prod/cilium.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization installing Cilium (HelmRelease, Hubble Gateway/HTTPRoute).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure-cilium
  namespace: flux-system
spec:
  interval: 24h
  path: kubernetes/infrastructure/cilium/cilium/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: flux-sops-agekey
...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/cilium/overlays/prod/configmap.yaml:
--------------------------------------------------------------------------------
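---
# Helm values for the cilium HelmRelease (valuesFrom -> this ConfigMap).
# Tuned for Talos: kube-proxy replacement, cgroup v2 root mounted by the
# OS, API server reached on localhost:7445, and no SYS_MODULE capability.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-helm-values-override
  namespace: kube-system
data:
  values.yaml: |
    gatewayAPI:
      enabled: true
    ipam:
      mode: kubernetes
    ingressController:
      enabled: true
    #loadBalancer:
    #  mode: hybrid
    # API server endpoint for the agent itself. With kube-proxy replaced the
    # agent cannot rely on the kubernetes Service it implements; localhost:7445
    # is presumably the Talos KubePrism endpoint -- confirm.
    k8sServiceHost: localhost
    k8sServicePort: 7445

    operator:
      replicas: 1
    kubeProxyReplacement: "true"
    # Unauthenticated health endpoint on every node interface; it only
    # reports status.
    kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
    cgroup:
      autoMount:
        enabled: false
      hostRoot: /sys/fs/cgroup
    hubble:
      enabled: true
      metrics:
        enabled:
          - dns:query;ignoreAAAA
          - drop
          - tcp
          - flow
          - port-distribution
          - icmp
          - http
      listenAddress: ':4244'
      relay:
        enabled: true
      ui:
        enabled: true
    #tunnel: disabled
    #bandwidthManager:
    #  enabled: true
    #  bbr: true
    #loadBalancer:
    #  algorithm: maglev
    #  mode: dsr
    #bpf:
    #  masquerade: true
    #  tproxy: true
    externalIPs:
      enabled: true
    l2announcements:
      enabled: true
      leaseDuration: 120s
      leaseRenewDeadline: 60s
      leaseRetryPeriod: 1s
    # Capability sets below are Cilium's defaults minus SYS_MODULE. They are
    # node-level privileges: a compromised agent pod is effectively root on
    # the node, so nothing else should share these settings.
    securityContext:
      capabilities:
        ciliumAgent:
          # Use to set socket permission
          - CHOWN
          # Used to terminate envoy child process
          - KILL
          # Used since cilium modifies routing tables, etc...
          - NET_ADMIN
          # Used since cilium creates raw sockets, etc...
          - NET_RAW
          # Used since cilium monitor uses mmap
          - IPC_LOCK
          # Used in iptables. Consider removing once we are iptables-free
          # - SYS_MODULE <--- As Talos does not allow loading kernel modules by Kubernetes workloads, SYS_MODULE capability needs to be dropped from the Cilium default set of values
          # We need it for now but might not need it for >= 5.11 especially
          # for the 'SYS_RESOURCE'.
          # In >= 5.8 there's already BPF and PERFMON capabilities
          - SYS_ADMIN
          # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
          - SYS_RESOURCE
          # Both PERFMON and BPF requires kernel 5.8, container runtime
          # cri-o >= v1.22.0 or containerd >= v1.5.0.
          # If available, SYS_ADMIN can be removed.
          - PERFMON
          - BPF
          # Allow discretionary access control (e.g. required for package installation)
          - DAC_OVERRIDE
          # Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. required for package installation)
          - FOWNER
          # Allow to execute program that changes GID (e.g. required for package installation)
          - SETGID
          # Allow to execute program that changes UID (e.g. required for package installation)
          - SETUID
        # Most of the capabilities here are the same ones used in the
        # cilium-agent's container because this container can be used to
        # uninstall all Cilium resources, and therefore it is likely that
        # will need the same capabilities.
        # (Each capability listed once; the previous revision repeated
        # NET_ADMIN, SYS_ADMIN and SYS_RESOURCE.)
        cleanCiliumState:
          # Used since cilium modifies routing tables, etc...
          - NET_ADMIN
          # Used in iptables. Consider removing once we are iptables-free
          # - SYS_MODULE <--- As Talos does not allow loading kernel modules by Kubernetes workloads, SYS_MODULE capability needs to be dropped from the Cilium default set of values
          # We need it for now but might not need it for >= 5.11 especially
          # for the 'SYS_RESOURCE'.
          # In >= 5.8 there's already BPF and PERFMON capabilities
          - SYS_ADMIN
          # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
          - SYS_RESOURCE
          # Both PERFMON and BPF requires kernel 5.8, container runtime
          # cri-o >= v1.22.0 or containerd >= v1.5.0.
          # If available, SYS_ADMIN can be removed.
          - PERFMON
          - BPF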
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/cilium/overlays/prod/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - certificate.yaml
5 | - configmap.yaml
6 | - cilium.yaml
7 | - cilium-resources.yaml
8 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/cilium/overlays/prod/resources/ciliuml2announcementpolicy.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # https://docs.cilium.io/en/latest/network/l2-announcements
3 | apiVersion: cilium.io/v2alpha1
4 | kind: CiliumL2AnnouncementPolicy
5 | metadata:
6 | name: policy
7 | spec:
8 | loadBalancerIPs: true
9 | # NOTE: This might need to be set if you have more than one active NIC on your nodes
10 | # interfaces:
11 | # - ^eno[0-9]+
12 | # - ^eth[0-9]+
13 | nodeSelector:
14 | matchLabels:
15 | kubernetes.io/os: linux
16 | matchExpressions:
17 | - key: node-role.kubernetes.io/control-plane
18 | operator: DoesNotExist
19 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/cilium/overlays/prod/resources/ciliumloadbalancerippool.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: cilium.io/v2alpha1
3 | kind: CiliumLoadBalancerIPPool
4 | metadata:
5 | name: production
6 | namespace: kube-system
7 | spec:
8 | cidrs:
9 | - cidr: 192.168.77.0/26
10 | ---
11 | apiVersion: cilium.io/v2alpha1
12 | kind: CiliumLoadBalancerIPPool
13 | metadata:
14 | name: static
15 | namespace: kube-system
16 | spec:
17 | cidrs:
18 | - cidr: 192.168.76.224/29
19 | serviceSelector:
20 | matchLabels:
21 | "io.kubernetes.service.namespace": "clusterdns"
22 |
23 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/cilium/overlays/prod/resources/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - ciliumloadbalancerippool.yaml
5 | - ciliuml2announcementpolicy.yaml
6 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/overlays/prod/cilium.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: infrastructure-overlay-cilium
6 | namespace: flux-system
7 | spec:
8 | interval: 24h
9 | path: kubernetes/infrastructure/cilium/cilium/overlays/prod
10 | prune: true
11 | sourceRef:
12 | kind: GitRepository
13 | name: flux-system
14 | decryption:
15 | provider: sops
16 | secretRef:
17 | name: flux-sops-agekey
18 | ...
19 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/cilium/overlays/prod/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - cilium.yaml
6 | ...
7 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/bind9/README.md:
--------------------------------------------------------------------------------
1 | # Configuration
2 |
3 | [configuration](https://wiki.debian.org/Bind9)
4 |
5 | [image](https://hub.docker.com/r/ubuntu/bind9)
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/bind9/app/deployment.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bind9
6 | namespace: clusterdns
7 | annotations:
8 | some: thing
9 | spec:
10 | selector:
11 | matchLabels:
12 | app: bind9
13 | replicas: 1
14 | template:
15 | metadata:
16 | labels:
17 | app: bind9
18 | spec:
19 | containers:
20 | - name: bind9
21 | image: ubuntu/bind9:9.16-20.04_edge
22 | ports:
23 | - name: dns-udp
24 | protocol: UDP
25 | containerPort: 53
26 | - name: dns-tcp
27 | protocol: TCP
28 | containerPort: 53
29 | resources:
30 | requests:
31 | memory: 5Mi
32 | cpu: 10m
33 | limits:
34 | memory: 128Mi
35 | cpu: 500m
36 | volumeMounts:
37 | - name: etc-bind
38 | mountPath: /etc/bind/named.conf
39 | subPath: named.conf
40 | - name: etc-bind
41 | mountPath: /etc/bind/named.conf.default-zones
42 | subPath: named.conf.default-zones
43 | - name: etc-bind
44 | mountPath: /etc/bind/named.conf.options
45 | subPath: named.conf.options
46 | - name: etc-bind
47 | mountPath: /etc/bind/named.conf.local
48 | subPath: named.conf.local
49 | - name: etc-bind
50 | mountPath: /etc/bind/named.conf.log
51 | subPath: named.conf.log
52 | - name: var-lib-bind
53 | mountPath: /var/lib/bind/db.home.svc
54 | subPath: db.home.svc
55 | - name: var-lib-bind
56 | mountPath: /var/lib/bind/db.home.svc.inv
57 | subPath: db.home.svc.inv
58 | - name: etc-bind-keys
59 | mountPath: /etc/bind/rndc.key
60 | subPath: rndc-key
61 | - name: var-cache-bind
62 | mountPath: /var/cache/bind
63 | volumes:
64 | - name: etc-bind
65 | configMap:
66 | name: etc-bind
67 | - name: var-lib-bind
68 | configMap:
69 | name: var-lib-bind
70 | - name: etc-bind-keys
71 | secret:
72 | secretName: etc-bind-keys
73 |
74 | - name: var-cache-bind
75 | emptyDir: {}
76 | ...
77 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/bind9/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - service.yaml
6 | - deployment.yaml
7 | ...
8 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/bind9/app/service.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: bind9
6 | namespace: clusterdns
7 | annotations:
8 | io.cilium/lb-ipam-ips: 192.168.76.226
9 | spec:
10 | selector:
11 | app: bind9
12 | ports:
13 | - name: dns-udp
14 | protocol: UDP
15 | port: 53
16 | targetPort: 53
17 | - name: dns-tcp
18 | protocol: TCP
19 | port: 53
20 | targetPort: 53
21 | type: LoadBalancer
22 | ...
23 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/bind9/prod/configmap-etc-bind.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: etc-bind
6 | namespace: clusterdns
7 | data:
8 | named.conf: |-
9 | // Managing acls
10 | acl internals {
11 | 127.0.0.0/8;
12 | 10.0.0.0/8;
13 | 172.16.0.0/12;
14 | 192.168.0.0/16;
15 | };
16 |
17 | // Load options
18 | include "/etc/bind/named.conf.options";
19 |
20 | // TSIG key used for the dynamic update
21 | include "/etc/bind/rndc.key";
22 |
23 | // Configure the communication channel for Administrative BIND9 with rndc
24 | // By default, they key is in the rndc.key file and is used by rndc and bind9
25 | // on the localhost
26 |
27 | // controls {
28 | // inet ( | | * ) [ port ( | * ) ] allow { ; ... } [ keys { ; ... } ] [ read-only ]; // may occur multiple times
29 | // unix perm owner group [ keys { ; ... } ] [ read-only ]; // may occur multiple times
30 | // };
31 |
32 | controls {
33 | inet * port 53 allow { 10.0.0.0/8; };
34 | };
35 |
36 | // controls {
37 | // inet 127.0.0.1 port 953 allow { 127.0.0.1; };
38 | // };
39 |
40 | include "/etc/bind/named.conf.default-zones";
41 | include "/etc/bind/named.conf.local";
42 |
43 | named.conf.default-zones: |-
44 | // be authoritative for the localhost forward and reverse zones, and for
45 | // broadcast zones as per RFC 1912
46 | zone "localhost" {
47 | type master;
48 | file "/etc/bind/db.local";
49 | };
50 | zone "127.in-addr.arpa" {
51 | type master;
52 | file "/etc/bind/db.127";
53 | };
54 | zone "0.in-addr.arpa" {
55 | type master;
56 | file "/etc/bind/db.0";
57 | };
58 | zone "255.in-addr.arpa" {
59 | type master;
60 | file "/etc/bind/db.255";
61 | };
62 |
63 | named.conf.options: |-
64 | options {
65 | directory "/var/cache/bind";
66 |
67 | // Exchange port between DNS servers
68 | query-source address * port *;
69 |
70 | auth-nxdomain no; # conform to RFC1035
71 |
72 | // From 9.9.5 ARM, disables interfaces scanning to prevent unwanted stop listening
73 | interface-interval 0;
74 |
75 | // Listen on local interfaces only(IPV4)
76 | listen-on-v6 {
77 | none;
78 | };
79 | listen-on {
80 | any;
81 | };
82 |
83 | allow-transfer { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
84 |
85 | // Accept requests for internal network only
86 | allow-query {
87 | internals;
88 | };
89 |
90 | // Allow recursive queries to the local hosts
91 | allow-recursion {
92 | internals;
93 | };
94 |
95 | // Do not make public version of BIND
96 | version none;
97 | };
98 |
99 | named.conf.local: |-
100 | include "/etc/bind/named.conf.log";
101 |
102 | zone "home.svc" {
103 | type master;
104 | file "/var/lib/bind/db.home.svc";
105 | allow-update { key rndc-key; };
106 | };
107 | zone "0.168.192.in-addr.arpa" {
108 | type master;
109 | file "/var/lib/bind/db.home.svc.inv";
110 | allow-update { key rndc-key; };
111 | };
112 |
113 | named.conf.log: |-
114 | logging{
115 | channel stderr_log {
116 | stderr;
117 | severity info;
118 | print-time yes;
119 | print-severity yes;
120 | print-category yes;
121 | };
122 | category default{
123 | stderr_log;
124 | };
125 | };
126 | ...
127 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/bind9/prod/configmap-var-lib-bind.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: var-lib-bind
6 | namespace: clusterdns
7 | data:
8 | db.home.svc : |-
9 | $TTL 3600
10 | @ IN SOA bind9.home.svc. root.home.svc. (
11 | 2007010401 ; Serial
12 | 3600 ; Refresh [1h]
13 | 600 ; Retry [10m]
14 | 86400 ; Expire [1d]
15 | 600 ) ; Negative Cache TTL [1h]
16 | ;
17 | @ IN NS bind9.home.svc.
18 | bind9 IN A 192.168.76.226
19 | ns IN CNAME bind9
20 |
21 | db.home.svc.inv : |-
22 | @ IN SOA bind9.home.svc. root.home.svc. (
23 | 2007010401 ; Serial
24 | 3600 ; Refresh [1h]
25 | 600 ; Retry [10m]
26 | 86400 ; Expire [1d]
27 | 600 ) ; Negative Cache TTL [1h]
28 | ;
29 | @ IN NS bind9.home.svc.
30 | 226 IN PTR bind9.home.svc.
31 |
32 | ...
33 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/bind9/prod/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - secret.prod.yaml
5 | - configmap-etc-bind.yaml
6 | - configmap-var-lib-bind.yaml
7 | - ../app
8 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/bind9/prod/secret.prod.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Secret
3 | metadata:
4 | name: etc-bind-keys
5 | namespace: clusterdns
6 | stringData:
7 | rndc-key: ENC[AES256_GCM,data:6v+pw9vOSViKPs2i8KAOlJq4QScO3KwwddtcAB5euY13Jr+gqrZm8SpnoRIrwLMeUrKgnqi5/aA7X5iaIxLmSkgwJjLK3a/9K2V1484zePMPu1X3a+SL5G9pxy4OoXVdV0c7xnWR,iv:mUYEEQG0KJbrmDvUG7KRRMMwy39ex8+XkgCPIdW5QVo=,tag:8oB+YrvFPlARHXzHSS2Bqg==,type:str]
8 | sops:
9 | kms: []
10 | gcp_kms: []
11 | azure_kv: []
12 | hc_vault: []
13 | age:
14 | - recipient: age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95
15 | enc: |
16 | -----BEGIN AGE ENCRYPTED FILE-----
17 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5d0xVYmEzajFKYlZaTW5t
18 | WG5lT2x1dTRkRmlJeVlwZjNZYWFGVmlUNndFCis2QWtvM1VyTno5MGprNXMwSWJV
19 | bEg3VGl3VHdPc01rQ2lxRGdKaWNDa0UKLS0tIERwbjFRWnZLanBWUXNUcE9aeG0y
20 | QlJFM2pucDFxcTB2eEtSUE9PeWFZek0KRVqKzbcECVGic6EgbESbBm8uuIyh4+zq
21 | tBD6EaY90QVbQao2INautCrD/cXoUjnXWRDG6sS+ECvknfs8oPwNQA==
22 | -----END AGE ENCRYPTED FILE-----
23 | - recipient: age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32
24 | enc: |
25 | -----BEGIN AGE ENCRYPTED FILE-----
26 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTWdCQlIxTmpRSVpCVHU0
27 | Wk1jc2dIdy96ZkcrcDdPem50d0lXd2pOSjA0Cnd3UkFXdUdHblF5eXBvdy9xaU53
28 | aDgwRjdVZDVhQ1I1aGFrREtaM3o1Q1UKLS0tIFRxeXZCRzI1K2x6Z0VkWmQyT0Rt
29 | dzZvczJpWmVsVTVYaVV1SjJnQW82Z1UKUaPvlEdXFh11zwX1rny6UQIenbect0Nb
30 | qNaPnrd3qdRFTZZv66pG7EwZA+YusIvY96/Z7b1F3tkWe78mezRE2g==
31 | -----END AGE ENCRYPTED FILE-----
32 | lastmodified: "2023-10-16T01:06:37Z"
33 | mac: ENC[AES256_GCM,data:Xxs3PhL+KUiLw+txNAvwhUaaff2vcezm7tP000KwC0cxjL4dou9YxT531n17aUujstqTVljO1f/I6uF92yE4PjVFeQ111+qu4FNH84Gcdoja+8WK7Qe2luN36iiYY0lXaW1HPS89tFMujXLu3vKvyFMKovOTOIq2dop1+DG8/JI=,iv:L9072gOXLpbAsH82xxJ/YIGpSF1OqcXCQ0GjikmWhxY=,tag:oAX1/jYsqHk02KHZllZ2vg==,type:str]
34 | pgp: []
35 | encrypted_regex: ^(data|stringData)$
36 | version: 3.7.3
37 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/external-dns/app/helmrelease.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1
3 | kind: HelmRelease
4 | metadata:
5 | name: external-dns
6 | namespace: clusterdns
7 | spec:
8 | targetNamespace: clusterdns
9 | releaseName: external-dns
10 | interval: 30m
11 | chart:
12 | spec:
13 | chart: external-dns
14 | version: 6.26.4
15 | sourceRef:
16 | kind: HelmRepository
17 | name: bitnami
18 | namespace: flux-system
19 | interval: 30m
20 |
21 | install:
22 | crds: CreateReplace
23 | upgrade:
24 | crds: CreateReplace
25 |
26 | valuesFrom:
27 | - kind: ConfigMap
28 | name: external-dns-helm-chart-overrides
29 | ...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/external-dns/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | # - gatewayapi.yaml
5 | - helmrelease.yaml
6 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/external-dns/prod/configmap.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: external-dns-helm-chart-overrides
6 | namespace: clusterdns
7 | data:
8 | values.yaml: |
9 | policy: sync
10 | provider: rfc2136
11 | rfc2136:
12 | host: "bind9.clusterdns.svc.cluster.local"
13 | zone: "home.svc"
14 | secretName: "rfc2136-tsig-secrets"
15 | tsigKeyname: "rndc-key"
16 | minTTL: "5s"
17 | sources:
18 | - gateway-httproute
19 | - gateway-tlsroute
20 | # - gateway-grpcroute
21 | # - gateway-tcproute
22 | # - gateway-udproute
23 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/external-dns/prod/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - secret.prod.yaml
5 | - configmap.yaml
6 | - ../app
7 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/external-dns/prod/secret.prod.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Secret
3 | type: Opaque
4 | metadata:
5 | name: rfc2136-tsig-secrets
6 | namespace: clusterdns
7 | data:
8 | rfc2136_tsig_secret: ENC[AES256_GCM,data:Evs/cizfbQBlBYdnnA2ha9pT8Bc4/xKfZGCUVmRuYu9Y8ZALPsm/TKVGTi7Qx+j0hKHyQy03XXNK+zDQ,iv:X1+KbKTCoxlXhMfQZNK/rkEbrzFqYoGuLl/SdG08HFg=,tag:qbNgzyI8kDSlrq1PS29bpQ==,type:str]
9 | sops:
10 | kms: []
11 | gcp_kms: []
12 | azure_kv: []
13 | hc_vault: []
14 | age:
15 | - recipient: age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95
16 | enc: |
17 | -----BEGIN AGE ENCRYPTED FILE-----
18 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZnd4VHhYRFNWUitleU5o
19 | QjNpTk1VWUZIeEVXMld4THFHRzliT3R4MjN3CjAvKzl0TllSdTN5N2pLZFh0d3RS
20 | U1ZPY1RVeGs3aW51b2srTkg1WHg2WGsKLS0tIEY1Unc0QTBpR3dQZ3JPQUtTb2t3
21 | ajZOdTRhNGoxWG9BY2N4UjZUL253dTgKZY4RLP79v5xUB1A7PkO+5V7DoqlRr/7m
22 | XPoUIPPOUbCL2lcDaLu1qcunpADcbQ0xWFACJ6FREj5TnMLQtMsAkg==
23 | -----END AGE ENCRYPTED FILE-----
24 | - recipient: age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32
25 | enc: |
26 | -----BEGIN AGE ENCRYPTED FILE-----
27 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUVhnNW9kSnEwdUVLQnFZ
28 | RnRGVWJybEUyMW01REZ2UC9GeC9tMlltRGxnCkdNVDZpVUp0aTlQdXU2cjNGekoz
29 | Z29XdjZwWjVEbXN4ak1MYmd4UFVoM1kKLS0tIEp6d2ZTRXN0WWgrdThGNzhnbjNo
30 | WWJ2YnlBdkNxNkNBL0x2UmNZQ0t3b00KzgL5V54j2B3jRZNIh+gH/4Zw3Q5YAIzI
31 | QthbHeh+GPfopWf5fJJ6OyU2SOL4xra8pfBOxw+QHKOAI6ap0CRDzA==
32 | -----END AGE ENCRYPTED FILE-----
33 | lastmodified: "2023-10-16T01:06:47Z"
34 | mac: ENC[AES256_GCM,data:jUtyrW3fvF2uWg3xLxcJ/1zqzB2KT58UzmzPwh5qTXRmLHqyuYJ1JAcVwHY2pznS6BgvKGgXzysnyzobq5DMyvFE8eypcGlcQN/sh/WFtPLfb1ugHMdAeMTrzF7pDx0/2m4yvXyUDra9wU2/TwMK8QyP8cRY9zQSpaGXIU8nBw4=,iv:ZQOQ/A+8WLh0APT9M0JnXM87yl+e/EgLvZL/JSFOb1s=,tag:/2WGwhMMoZhUJeYCHroavg==,type:str]
35 | pgp: []
36 | encrypted_regex: ^(data|stringData)$
37 | version: 3.7.3
38 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/overlays/prod/bind9.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: infrastructure-bind9
6 | namespace: flux-system
7 | spec:
8 | interval: 24h
9 | path: kubernetes/infrastructure/clusterdns/bind9/prod
10 | prune: true
11 | sourceRef:
12 | kind: GitRepository
13 | name: flux-system
14 | decryption:
15 | provider: sops
16 | secretRef:
17 | name: flux-sops-agekey
18 | ...
19 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/overlays/prod/external-dns.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: infrastructure-external-dns
6 | namespace: flux-system
7 | spec:
8 | interval: 24h
9 | path: kubernetes/infrastructure/clusterdns/external-dns/prod
10 | prune: true
11 | retryInterval: 5s
12 | dependsOn:
13 | - name: infrastructure-bind9
14 | sourceRef:
15 | kind: GitRepository
16 | name: flux-system
17 | decryption:
18 | provider: sops
19 | secretRef:
20 | name: flux-sops-agekey
21 | ...
22 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/overlays/prod/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - namespace.yaml
6 | - bind9.yaml
7 | - external-dns.yaml
8 | ...
9 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/clusterdns/overlays/prod/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 | name: clusterdns
6 | labels:
7 | kustomize.toolkit.fluxcd.io/prune: disabled
8 | pod-security.kubernetes.io/enforce: privileged
9 | pod-security.kubernetes.io/audit: privileged
10 | pod-security.kubernetes.io/warn: privileged
11 | ...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/csi-driver-nfs/app/helmrelease.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1
3 | kind: HelmRelease
4 | metadata:
5 | name: csi-driver-nfs
6 | namespace: kube-system
7 | spec:
8 | interval: 30m
9 | chart:
10 | spec:
11 | chart: csi-driver-nfs
12 | version: v4.4.0
13 | sourceRef:
14 | kind: HelmRepository
15 | name: csi-driver-nfs
16 | namespace: flux-system
17 | maxHistory: 2
18 | install:
19 | remediation:
20 | retries: 3
21 | upgrade:
22 | cleanupOnFail: true
23 | remediation:
24 | retries: 3
25 | uninstall:
26 | keepHistory: false
27 | values:
28 | externalSnapshotter:
29 | enabled: false
30 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/csi-driver-nfs/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - helmrelease.yaml
5 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/csi-driver-nfs/overlays/prod/csi-driver-nfs.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: infrastructure-csi-driver-nfs
6 | namespace: flux-system
7 | spec:
8 | interval: 24h
9 | path: kubernetes/infrastructure/csi-driver-nfs/app
10 | prune: true
11 | sourceRef:
12 | kind: GitRepository
13 | name: flux-system
14 | decryption:
15 | provider: sops
16 | secretRef:
17 | name: flux-sops-agekey
18 | ...
19 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/csi-driver-nfs/overlays/prod/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - csi-driver-nfs.yaml
5 | - storageclasses.yaml
6 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/csi-driver-nfs/overlays/prod/storageclasses.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: infrastructure-csi-driver-nfs-storageclasses
6 | namespace: flux-system
7 | spec:
8 | interval: 24h
9 | path: kubernetes/infrastructure/csi-driver-nfs/overlays/prod/storageclasses
10 | prune: true
11 | dependsOn:
12 | - name: infrastructure-csi-driver-nfs
13 | sourceRef:
14 | kind: GitRepository
15 | name: flux-system
16 | retryInterval: 5s
17 | decryption:
18 | provider: sops
19 | secretRef:
20 | name: flux-sops-agekey
21 | ...
22 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/csi-driver-nfs/overlays/prod/storageclasses/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - storageclasses.yaml
5 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/csi-driver-nfs/overlays/prod/storageclasses/storageclasses.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: storage.k8s.io/v1
3 | kind: StorageClass
4 | metadata:
5 | name: nfs
6 | provisioner: nfs.csi.k8s.io
7 | parameters:
8 | server: nas1.home.themairs.net
9 | share: /KubernetesProd
10 | reclaimPolicy: Delete
11 | volumeBindingMode: Immediate
12 | mountOptions:
13 | - "noatime"
14 | # - "hard"
15 | ...
16 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/database-operators/cloudnative-pg/helmrelease.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # namespace: redis has to be created manually
3 | apiVersion: helm.toolkit.fluxcd.io/v2beta1
4 | kind: HelmRelease
5 | metadata:
6 | name: cloudnative-pg
7 | namespace: database-operators
8 | spec:
9 | targetNamespace: database-operators
10 | releaseName: cloudnative-pg
11 | chart:
12 | spec:
13 | chart: cloudnative-pg
14 | version: 0.18.2
15 | sourceRef:
16 | kind: HelmRepository
17 | name: cloudnative-pg
18 | namespace: flux-system
19 | interval: 60m
20 | ...
21 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/database-operators/cloudnative-pg/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - helmrelease.yaml
6 | ...
7 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/database-operators/mariadb-operator/helmrelease.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # namespace: redis has to be created manually
3 | apiVersion: helm.toolkit.fluxcd.io/v2beta1
4 | kind: HelmRelease
5 | metadata:
6 | name: mariadb-operator
7 | namespace: database-operators
8 | spec:
9 | targetNamespace: database-operators
10 | releaseName: mariadb-operator
11 | chart:
12 | spec:
13 | chart: mariadb-operator
14 | version: 0.22.0
15 | sourceRef:
16 | kind: HelmRepository
17 | name: mariadb-operator
18 | namespace: flux-system
19 | interval: 60m
20 | ...
21 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/database-operators/mariadb-operator/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - helmrelease.yaml
6 | ...
7 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/database-operators/overlays/prod/cloudnative-pg.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: infrastructure-cloudnative-pg
6 | namespace: flux-system
7 | spec:
8 | interval: 24h
9 | path: kubernetes/infrastructure/database-operators/cloudnative-pg
10 | prune: true
11 | retryInterval: 5s
12 | sourceRef:
13 | kind: GitRepository
14 | name: flux-system
15 | decryption:
16 | provider: sops
17 | secretRef:
18 | name: flux-sops-agekey
19 | ...
20 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/database-operators/overlays/prod/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - cloudnative-pg.yaml
6 | - mariadb-operator.yaml
7 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/database-operators/overlays/prod/mariadb-operator.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: infrastructure-mariadb-operator
6 | namespace: flux-system
7 | spec:
8 | interval: 24h
9 | path: kubernetes/infrastructure/database-operators/mariadb-operator
10 | prune: true
11 | retryInterval: 5s
12 | sourceRef:
13 | kind: GitRepository
14 | name: flux-system
15 | decryption:
16 | provider: sops
17 | secretRef:
18 | name: flux-sops-agekey
19 | ...
20 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/database-operators/overlays/prod/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 | name: database-operators
6 | labels:
7 | kustomize.toolkit.fluxcd.io/prune: disabled
8 | ...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/overlays/prod/cert-manager.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: infrastructure-overlays-cert-manager
6 | namespace: flux-system
7 | spec:
8 | interval: 24h
9 | path: kubernetes/infrastructure/cert-manager/overlays/prod
10 | prune: true
11 | sourceRef:
12 | kind: GitRepository
13 | name: flux-system
14 | decryption:
15 | provider: sops
16 | secretRef:
17 | name: flux-sops-agekey
18 | ...
19 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/overlays/prod/cilium.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: infrastructure-overlays-kube-system
6 | namespace: flux-system
7 | spec:
8 | interval: 24h
9 | path: kubernetes/infrastructure/cilium/overlays/prod
10 | prune: true
11 | sourceRef:
12 | kind: GitRepository
13 | name: flux-system
14 | decryption:
15 | provider: sops
16 | secretRef:
17 | name: flux-sops-agekey
18 | ...
19 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/overlays/prod/clusterdns.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: infrastructure-overlays-clusterdns
6 | namespace: flux-system
7 | spec:
8 | interval: 24h
9 | path: kubernetes/infrastructure/clusterdns/overlays/prod
10 | prune: true
11 | sourceRef:
12 | kind: GitRepository
13 | name: flux-system
14 | decryption:
15 | provider: sops
16 | secretRef:
17 | name: flux-sops-agekey
18 | ...
19 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/overlays/prod/csi-driver-nfs.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: infrastructure-overlays-csi-driver-nfs
6 | namespace: flux-system
7 | spec:
8 | interval: 24h
9 | path: kubernetes/infrastructure/csi-driver-nfs/overlays/prod
10 | prune: true
11 | sourceRef:
12 | kind: GitRepository
13 | name: flux-system
14 | decryption:
15 | provider: sops
16 | secretRef:
17 | name: flux-sops-agekey
18 | ...
19 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/overlays/prod/database-operators.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the database operators prod overlay, sourced from
# the flux-system GitRepository with SOPS decryption enabled.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure-overlays-database-operators
  namespace: flux-system
spec:
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: kubernetes/infrastructure/database-operators/overlays/prod
  # Objects removed from git are removed from the cluster.
  prune: true
  # Reconciled from source once per day.
  interval: 24h
  decryption:
    provider: sops
    secretRef:
      name: flux-sops-agekey
--------------------------------------------------------------------------------
/kubernetes/infrastructure/overlays/prod/kustomization.yaml:
--------------------------------------------------------------------------------
# Entry point for the prod infrastructure overlays: each listed file is a
# Flux Kustomization pointing at one component's overlays/prod path.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - cilium.yaml
  - cert-manager.yaml
  - clusterdns.yaml
  - rook-ceph.yaml
  - database-operators.yaml
  # csi-driver-nfs.yaml exists in this directory but is not applied while
  # this entry stays commented out.
  # - csi-driver-nfs.yaml
--------------------------------------------------------------------------------
/kubernetes/infrastructure/overlays/prod/rook-ceph.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the Rook/Ceph prod overlay. The path it applies
# contains two further Flux Kustomizations (operator and cluster) plus the
# rook-ceph namespace.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure-overlays-rook-ceph
  namespace: flux-system
spec:
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: kubernetes/infrastructure/rook-ceph/overlays/prod
  # Pruning is enabled here; the rook-ceph Namespace carries the
  # prune: disabled label so it survives even if dropped from git.
  prune: true
  interval: 24h
  decryption:
    provider: sops
    secretRef:
      name: flux-sops-agekey
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/overlays/prod/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Prod overlay for Rook/Ceph: the namespace, then the two Flux Kustomizations
# that install the operator (rook-ceph.yaml) and the cluster
# (rook-ceph-cluster.yaml, which dependsOn the operator).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - rook-ceph.yaml
  - rook-ceph-cluster.yaml
...
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/overlays/prod/namespace.yaml:
--------------------------------------------------------------------------------
---
# Namespace for the Rook operator and the Ceph cluster.
apiVersion: v1
kind: Namespace
metadata:
  name: rook-ceph
  labels:
    # Pod Security Admission is set to "privileged" on all three modes, which
    # turns enforcement off for the whole namespace. Rook's daemons need
    # that, but it also means the gateway, dashboard route backends and the
    # toolbox pod in this namespace get no admission-level hardening; rely on
    # their own securityContext.
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
    # Never garbage-collected by Flux, even if removed from the source path.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Selector label used elsewhere to admit this namespace to shared Gateways.
    shared-gateway-access: "true"
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/overlays/prod/rook-ceph-cluster.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the Ceph cluster (CephCluster via the
# rook-ceph-cluster chart), ordered after the operator Kustomization.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure-rook-ceph-cluster
  namespace: flux-system
spec:
  # NOTE(review): dependsOn waits for the operator Kustomization to report
  # Ready. Without wait: true (or healthChecks) on infrastructure-rook-ceph,
  # "Ready" there may only mean the HelmRelease object was applied, not that
  # the operator is running — confirm the ordering holds on a cold bootstrap.
  dependsOn:
    - name: infrastructure-rook-ceph
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod
  prune: true
  interval: 24h
  decryption:
    provider: sops
    secretRef:
      name: flux-sops-agekey
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/overlays/prod/rook-ceph.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the Rook operator HelmRelease. The cluster
# Kustomization (infrastructure-rook-ceph-cluster) depends on this one.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure-rook-ceph
  namespace: flux-system
spec:
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: kubernetes/infrastructure/rook-ceph/rook-ceph
  prune: true
  interval: 24h
  # Failed reconciliations are retried every 5s (the other overlays keep the
  # default). Tight, but bounded by the 24h interval once it succeeds.
  retryInterval: 5s
  decryption:
    provider: sops
    secretRef:
      name: flux-sops-agekey
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/app/gateway.yaml:
--------------------------------------------------------------------------------
---
# Cilium Gateway that terminates TLS for the Ceph dashboard on
# ceph.home.svc:443. The serving certificate comes from the ceph-gateway
# Secret, which cert-manager fills from overlays/prod/certificate.yaml.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: ceph-gateway
  namespace: rook-ceph
spec:
  gatewayClassName: cilium
  listeners:
    - name: ceph-tls-gw
      protocol: HTTPS
      port: 443
      hostname: "ceph.home.svc"
      tls:
        certificateRefs:
          - kind: Secret
            name: ceph-gateway
      # Only HTTPRoutes from the rook-ceph namespace may attach to this
      # listener, so the gateway cannot be repurposed from elsewhere.
      allowedRoutes:
        namespaces:
          from: Same
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# HelmRelease for the rook-ceph-cluster chart (the CephCluster and its
# storage pools). Values are taken from the ceph-cluster-helm-overrides
# ConfigMap in overlays/prod/configmap.yaml.
# NOTE(review): helm.toolkit.fluxcd.io/v2beta1 is the pre-GA HelmRelease
# API; newer Flux releases serve v2 — confirm against the installed version.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: ceph-cluster
  namespace: rook-ceph
spec:
  releaseName: ceph-cluster
  targetNamespace: rook-ceph
  interval: 15m
  chart:
    spec:
      chart: rook-ceph-cluster
      # Pinned to the same version as the operator chart in
      # rook-ceph/helmrelease.yaml; bump both together.
      version: v1.12.7
      interval: 120m
      sourceRef:
        kind: HelmRepository
        name: rook-release
        namespace: flux-system
  # CRDs are owned by the operator chart (which uses CreateReplace), so this
  # release must not try to install or replace them.
  install:
    crds: Skip
  upgrade:
    crds: Skip
  valuesFrom:
    - kind: ConfigMap
      name: ceph-cluster-helm-overrides
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/app/httproute.yaml:
--------------------------------------------------------------------------------
---
# Routes ceph.home.svc from the ceph-gateway TLS listener to the Ceph mgr
# dashboard Service. TLS ends at the Gateway; the hop to the mgr on port 7000
# is plain HTTP because the cluster values set dashboard.ssl: false.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: ceph
  namespace: rook-ceph
spec:
  hostnames:
    - ceph.home.svc
  parentRefs:
    - kind: Gateway
      namespace: rook-ceph
      name: ceph-gateway
      sectionName: ceph-tls-gw
  rules:
    - backendRefs:
        - name: rook-ceph-mgr-dashboard
          namespace: rook-ceph
          port: 7000
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/app/kustomization.yaml:
--------------------------------------------------------------------------------
# Base for the Ceph cluster app: the dashboard Gateway/HTTPRoute and the
# rook-ceph-cluster HelmRelease. Pulled in by overlays/prod via ../../app.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gateway.yaml
  - httproute.yaml
  - helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/ceph-tools-deployment.yaml:
--------------------------------------------------------------------------------
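---
# Interactive Ceph toolbox, adapted from
# https://github.com/rook/rook/blob/master/deploy/examples/toolbox.yaml
# Not applied by Flux: its entry in overlays/prod/kustomization.yaml is
# commented out, so it only runs when applied by hand.
#
# Fix vs. the previous revision: both heredocs had lost their "<<EOF >"
# redirection (they read "cat < ${FILE}"), which is a syntax error once bash
# reaches the bare EOF line; they are restored here. The keyring and config
# files are now created owner-only (umask 077) because they hold the admin
# key, and allowPrivilegeEscalation is pinned to false to match the
# non-root / drop-all-capabilities context already in place.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ceph-tools-deployment
  namespace: rook-ceph
  labels:
    app: rook-ceph-tools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rook-ceph-tools
  template:
    metadata:
      labels:
        app: rook-ceph-tools
    spec:
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: rook-ceph-tools
          image: quay.io/ceph/ceph:v17.2.6
          command:
            - /bin/bash
            - -c
            - |
              # Replicate the script from toolbox.sh inline so the ceph image
              # can be run directly, instead of requiring the rook toolbox
              CEPH_CONFIG="/etc/ceph/ceph.conf"
              MON_CONFIG="/etc/rook/mon-endpoints"
              KEYRING_FILE="/etc/ceph/keyring"

              # The files written below contain the admin key; create them
              # readable by this user only.
              umask 077

              # create a ceph config file in its default location so ceph/rados tools can be used
              # without specifying any arguments
              write_endpoints() {
                endpoints=$(cat ${MON_CONFIG})

                # filter out the mon names
                # external cluster can have numbers or hyphens in mon names, handling them in regex
                # shellcheck disable=SC2001
                mon_endpoints=$(echo "${endpoints}"| sed 's/[a-z0-9_-]\+=//g')

                DATE=$(date)
                echo "$DATE writing mon endpoints to ${CEPH_CONFIG}: ${endpoints}"
                # heredoc body is unindented on purpose: EOF must start the line
                cat <<EOF > ${CEPH_CONFIG}
              [global]
              mon_host = ${mon_endpoints}

              [client.admin]
              keyring = ${KEYRING_FILE}
              EOF
              }

              # watch the endpoints config file and update if the mon endpoints ever change
              watch_endpoints() {
                # get the timestamp for the target of the soft link
                real_path=$(realpath ${MON_CONFIG})
                initial_time=$(stat -c %Z "${real_path}")
                while true; do
                  real_path=$(realpath ${MON_CONFIG})
                  latest_time=$(stat -c %Z "${real_path}")

                  if [[ "${latest_time}" != "${initial_time}" ]]; then
                    write_endpoints
                    initial_time=${latest_time}
                  fi

                  sleep 10
                done
              }

              # read the secret from an env var (for backward compatibility), or from the secret file
              # (this Deployment sets no ROOK_CEPH_SECRET, so the mounted file is used)
              ceph_secret=${ROOK_CEPH_SECRET}
              if [[ "$ceph_secret" == "" ]]; then
                ceph_secret=$(cat /var/lib/rook-ceph-mon/secret.keyring)
              fi

              # create the keyring file
              cat <<EOF > ${KEYRING_FILE}
              [${ROOK_CEPH_USERNAME}]
              key = ${ceph_secret}
              EOF

              # write the initial config file
              write_endpoints

              # continuously update the mon endpoints if they fail over
              watch_endpoints
          imagePullPolicy: IfNotPresent
          tty: true
          securityContext:
            runAsNonRoot: true
            runAsUser: 2016
            runAsGroup: 2016
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          env:
            # The admin user name; the key itself comes from the mounted Secret.
            - name: ROOK_CEPH_USERNAME
              valueFrom:
                secretKeyRef:
                  name: rook-ceph-mon
                  key: ceph-username
          volumeMounts:
            # Scratch space where the script writes ceph.conf and the keyring.
            - mountPath: /etc/ceph
              name: ceph-config
            # mon-endpoints, projected from the operator's ConfigMap.
            - name: mon-endpoint-volume
              mountPath: /etc/rook
            # secret.keyring, projected read-only from the rook-ceph-mon Secret.
            - name: ceph-admin-secret
              mountPath: /var/lib/rook-ceph-mon
              readOnly: true
      volumes:
        - name: ceph-admin-secret
          secret:
            secretName: rook-ceph-mon
            optional: false
            items:
              - key: ceph-secret
                path: secret.keyring
        - name: mon-endpoint-volume
          configMap:
            name: rook-ceph-mon-endpoints
            items:
              - key: data
                path: mon-endpoints
        - name: ceph-config
          emptyDir: {}
      tolerations:
        # Evict quickly if the node goes unreachable; the pod is stateless.
        - key: "node.kubernetes.io/unreachable"
          operator: "Exists"
          effect: "NoExecute"
          tolerationSeconds: 5
...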
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/certificate.yaml:
--------------------------------------------------------------------------------
---
# cert-manager Certificate for the Ceph dashboard Gateway. The resulting
# ceph-gateway Secret is referenced by the Gateway listener in app/gateway.yaml.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ceph-gateway
  namespace: rook-ceph
spec:
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: themairs-production-ca-2022
  secretName: ceph-gateway
  commonName: ceph.home.svc
  dnsNames:
    - "ceph.home.svc"
  # NOTE(review): only key-usage bits are listed; if clients reject the
  # certificate for a missing "server auth" extended key usage, add it here.
  usages:
    - digital signature
    - key encipherment
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/configmap.yaml:
--------------------------------------------------------------------------------
---
# Helm values for the rook-ceph-cluster chart, consumed through valuesFrom in
# app/helmrelease.yaml. The ConfigMap name is part of that contract.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ceph-cluster-helm-overrides
  namespace: rook-ceph
data:
  values.yaml: |
    clusterName: ceph-cluster
    cephClusterSpec:
      # The mgr serves the dashboard over plain HTTP; TLS is terminated at
      # the ceph-gateway Gateway and the in-cluster hop on port 7000 is clear.
      dashboard:
        ssl: false
      mgr:
        modules:
          - name: pg_autoscaler
            enabled: true
          - name: rook
            enabled: true
        rook:
          storage_class: ceph-filesystem
      # Only the listed disks on the listed nodes become OSDs. Kernel names
      # such as sdb/sdc are not guaranteed stable across reboots or hardware
      # changes; Rook's docs describe /dev/disk/by-id paths as the stable
      # alternative if that ever bites.
      storage:
        useAllNodes: false
        useAllDevices: false
        nodes:
          - name: talos-a1
            devices:
              - name: sdb
              - name: sdc
          - name: talos-a2
            devices:
              - name: sdb
              - name: sdc
          - name: talos-a3
            devices:
              - name: sdb
              - name: sdc
      # Requests are deliberately tiny (10m CPU); limits cap the daemons.
      resources:
        mon:
          requests:
            cpu: "10m"
            memory: "512Mi"
          limits:
            cpu: "2000m"
            memory: "2Gi"
        mgr:
          requests:
            cpu: "10m"
            memory: "512Mi"
          limits:
            cpu: "1000m"
            memory: "1Gi"
        osd:
          requests:
            cpu: "10m"
            memory: "512Mi"
          limits:
            cpu: "2000m"
            memory: "4Gi"
        mgr-sidecar:
          requests:
            cpu: "10m"
            memory: "40Mi"
          limits:
            cpu: "500m"
            memory: "100Mi"
        crashcollector:
          requests:
            cpu: "10m"
            memory: "60Mi"
          limits:
            cpu: "500m"
            memory: "60Mi"
        logcollector:
          requests:
            cpu: "10m"
            memory: "100Mi"
          limits:
            cpu: "500m"
            memory: "1Gi"
        cleanup:
          requests:
            cpu: "10m"
            memory: "100Mi"
          limits:
            cpu: "500m"
            memory: "1Gi"
        exporter:
          requests:
            cpu: "10m"
            memory: "50Mi"
          limits:
            cpu: "250m"
            memory: "128Mi"
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/delete-rook/README.md:
--------------------------------------------------------------------------------
1 | # Here be dragons!
2 |
3 | **Hic Sunt Dracones!** These files will wipe the rook configuration and the drives!
4 |
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/delete-rook/clean-rook-data-talos-a1.yaml:
--------------------------------------------------------------------------------
---
# DESTRUCTIVE, apply by hand only: empties the Rook data directory
# (/var/lib/rook) on talos-a1. Not referenced by the prod overlay
# kustomization. The image is unpinned (busybox = floating latest tag);
# pin a tag or digest before reusing this.
apiVersion: v1
kind: Pod
metadata:
  name: disk-clean-a1
  namespace: rook-ceph
spec:
  nodeName: talos-a1
  restartPolicy: Never
  containers:
    - name: disk-clean
      image: busybox
      securityContext:
        privileged: true
      command:
        - /bin/sh
        - -c
        - rm -rf /node/rook-data/*
      volumeMounts:
        - name: rook-data-dir
          mountPath: /node/rook-data
  volumes:
    - name: rook-data-dir
      hostPath:
        path: /var/lib/rook
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/delete-rook/clean-rook-data-talos-a2.yaml:
--------------------------------------------------------------------------------
---
# DESTRUCTIVE, apply by hand only: empties the Rook data directory
# (/var/lib/rook) on talos-a2. Not referenced by the prod overlay
# kustomization. busybox is unpinned; pin a tag or digest before reuse.
apiVersion: v1
kind: Pod
metadata:
  name: disk-clean-a2
  namespace: rook-ceph
spec:
  nodeName: talos-a2
  restartPolicy: Never
  containers:
    - name: disk-clean
      image: busybox
      securityContext:
        privileged: true
      command:
        - /bin/sh
        - -c
        - rm -rf /node/rook-data/*
      volumeMounts:
        - name: rook-data-dir
          mountPath: /node/rook-data
  volumes:
    - name: rook-data-dir
      hostPath:
        path: /var/lib/rook
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/delete-rook/clean-rook-data-talos-a3.yaml:
--------------------------------------------------------------------------------
---
# DESTRUCTIVE, apply by hand only: empties the Rook data directory
# (/var/lib/rook) on talos-a3. Not referenced by the prod overlay
# kustomization. busybox is unpinned; pin a tag or digest before reuse.
apiVersion: v1
kind: Pod
metadata:
  name: disk-clean-a3
  namespace: rook-ceph
spec:
  nodeName: talos-a3
  restartPolicy: Never
  containers:
    - name: disk-clean
      image: busybox
      securityContext:
        privileged: true
      command:
        - /bin/sh
        - -c
        - rm -rf /node/rook-data/*
      volumeMounts:
        - name: rook-data-dir
          mountPath: /node/rook-data
  volumes:
    - name: rook-data-dir
      hostPath:
        path: /var/lib/rook
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/delete-rook/wipe-dev-talos-a1-sdb.yaml:
--------------------------------------------------------------------------------
---
# DESTRUCTIVE, apply by hand only: zeroes the first 100 MiB of /dev/sdb on
# talos-a1 (partition table and Ceph/LVM headers) — not a full-disk wipe.
# Not referenced by the prod overlay kustomization. privileged: true is what
# exposes the host's /dev inside the container; no volume is mounted.
# busybox is unpinned; pin a tag or digest before reuse.
apiVersion: v1
kind: Pod
metadata:
  name: disk-wipe-a1-sdb
  namespace: rook-ceph
spec:
  nodeName: talos-a1
  restartPolicy: Never
  containers:
    - name: disk-wipe
      image: busybox
      securityContext:
        privileged: true
      command:
        - /bin/sh
        - -c
        - dd if=/dev/zero bs=1M count=100 oflag=direct of=/dev/sdb
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/delete-rook/wipe-dev-talos-a1-sdc.yaml:
--------------------------------------------------------------------------------
---
# DESTRUCTIVE, apply by hand only: zeroes the first 100 MiB of /dev/sdc on
# talos-a1 (headers only, not a full wipe). Not referenced by the prod
# overlay kustomization; privileged: true provides the host /dev.
# busybox is unpinned; pin a tag or digest before reuse.
apiVersion: v1
kind: Pod
metadata:
  name: disk-wipe-a1-sdc
  namespace: rook-ceph
spec:
  nodeName: talos-a1
  restartPolicy: Never
  containers:
    - name: disk-wipe
      image: busybox
      securityContext:
        privileged: true
      command:
        - /bin/sh
        - -c
        - dd if=/dev/zero bs=1M count=100 oflag=direct of=/dev/sdc
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/delete-rook/wipe-dev-talos-a2-sdb.yaml:
--------------------------------------------------------------------------------
---
# DESTRUCTIVE, apply by hand only: zeroes the first 100 MiB of /dev/sdb on
# talos-a2 (headers only, not a full wipe). Not referenced by the prod
# overlay kustomization; privileged: true provides the host /dev.
# busybox is unpinned; pin a tag or digest before reuse.
apiVersion: v1
kind: Pod
metadata:
  name: disk-wipe-a2-sdb
  namespace: rook-ceph
spec:
  nodeName: talos-a2
  restartPolicy: Never
  containers:
    - name: disk-wipe
      image: busybox
      securityContext:
        privileged: true
      command:
        - /bin/sh
        - -c
        - dd if=/dev/zero bs=1M count=100 oflag=direct of=/dev/sdb
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/delete-rook/wipe-dev-talos-a2-sdc.yaml:
--------------------------------------------------------------------------------
---
# DESTRUCTIVE, apply by hand only: zeroes the first 100 MiB of /dev/sdc on
# talos-a2 (headers only, not a full wipe). Not referenced by the prod
# overlay kustomization; privileged: true provides the host /dev.
# busybox is unpinned; pin a tag or digest before reuse.
apiVersion: v1
kind: Pod
metadata:
  name: disk-wipe-a2-sdc
  namespace: rook-ceph
spec:
  nodeName: talos-a2
  restartPolicy: Never
  containers:
    - name: disk-wipe
      image: busybox
      securityContext:
        privileged: true
      command:
        - /bin/sh
        - -c
        - dd if=/dev/zero bs=1M count=100 oflag=direct of=/dev/sdc
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/delete-rook/wipe-dev-talos-a3-sdb.yaml:
--------------------------------------------------------------------------------
---
# DESTRUCTIVE, apply by hand only: zeroes the first 100 MiB of /dev/sdb on
# talos-a3 (headers only, not a full wipe). Not referenced by the prod
# overlay kustomization; privileged: true provides the host /dev.
# busybox is unpinned; pin a tag or digest before reuse.
apiVersion: v1
kind: Pod
metadata:
  name: disk-wipe-a3-sdb
  namespace: rook-ceph
spec:
  nodeName: talos-a3
  restartPolicy: Never
  containers:
    - name: disk-wipe
      image: busybox
      securityContext:
        privileged: true
      command:
        - /bin/sh
        - -c
        - dd if=/dev/zero bs=1M count=100 oflag=direct of=/dev/sdb
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/delete-rook/wipe-dev-talos-a3-sdc.yaml:
--------------------------------------------------------------------------------
---
# DESTRUCTIVE, apply by hand only: zeroes the first 100 MiB of /dev/sdc on
# talos-a3 (headers only, not a full wipe). Not referenced by the prod
# overlay kustomization; privileged: true provides the host /dev.
# busybox is unpinned; pin a tag or digest before reuse.
apiVersion: v1
kind: Pod
metadata:
  name: disk-wipe-a3-sdc
  namespace: rook-ceph
spec:
  nodeName: talos-a3
  restartPolicy: Never
  containers:
    - name: disk-wipe
      image: busybox
      securityContext:
        privileged: true
      command:
        - /bin/sh
        - -c
        - dd if=/dev/zero bs=1M count=100 oflag=direct of=/dev/sdc
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph-cluster/overlays/prod/kustomization.yaml:
--------------------------------------------------------------------------------
# Prod overlay for the Ceph cluster app: the dashboard certificate, the Helm
# values ConfigMap, and the shared base in ../../app. The delete-rook/
# directory is deliberately absent from this list.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - certificate.yaml
  - configmap.yaml
  # The toolbox Deployment is only applied by hand while this stays commented.
  # - ceph-tools-deployment.yaml
  - ../../app
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# HelmRelease for the Rook operator chart. This release owns the Rook CRDs
# (CreateReplace); the cluster release in rook-ceph-cluster/app skips them.
# NOTE(review): helm.toolkit.fluxcd.io/v2beta1 is the pre-GA HelmRelease
# API; newer Flux releases serve v2 — confirm against the installed version.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: rook-ceph
  namespace: rook-ceph
spec:
  releaseName: rook-ceph
  targetNamespace: rook-ceph
  interval: 60m
  chart:
    spec:
      chart: rook-ceph
      # Keep in step with the rook-ceph-cluster chart version.
      version: v1.12.7
      interval: 60m
      sourceRef:
        kind: HelmRepository
        name: rook-release
        namespace: flux-system
  install:
    crds: CreateReplace
  upgrade:
    crds: CreateReplace
  values:
    # Runs the discover DaemonSet that inventories disks on every node.
    enableDiscoveryDaemon: true
--------------------------------------------------------------------------------
/kubernetes/infrastructure/rook-ceph/rook-ceph/kustomization.yaml:
--------------------------------------------------------------------------------
# Rook operator component: just the HelmRelease; CRDs come from the chart.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/repositories/README.md:
--------------------------------------------------------------------------------
1 | # The repositories available to flux
2 |
3 | # [./git](./git)
4 | kubectl explain --recursive GitRepository
5 |
6 | Kind: GitRepository
7 |
8 | # [./helm](./helm)
9 | kubectl explain --recursive HelmRepository
10 |
11 | Kind: HelmRepository
12 |
13 | # [./oci](./oci)
14 | `kubectl explain --recursive OCIRepository`
15 |
16 | Kind: OCIRepository
17 |
18 | # [./s3](./s3)
19 | kubectl explain --recursive Bucket
20 |
21 | Kind: Bucket
22 |
23 |
--------------------------------------------------------------------------------
/kubernetes/repositories/git/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Placeholder for GitRepository sources; none are defined yet. The
# namespace field is applied to anything added here.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources: []
...
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/bitnami.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "bitnami"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: bitnami
spec:
  url: https://charts.bitnami.com/bitnami
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/cilium.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "cilium"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: cilium
spec:
  url: https://helm.cilium.io/
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/cloudnative-pg.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "cloudnative-pg"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: cloudnative-pg
spec:
  url: https://cloudnative-pg.github.io/charts
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/coredns.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "coredns"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: coredns
spec:
  url: https://coredns.github.io/helm
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/csi-driver-nfs.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "csi-driver-nfs". The index is served from the
# project's master branch on raw.githubusercontent.com, i.e. a mutable
# location rather than a published release channel; releases that consume it
# should pin an exact chart version so a branch update cannot change what is
# installed.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: csi-driver-nfs
spec:
  url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
  interval: 1h
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/grafana.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "grafana"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: grafana
spec:
  url: https://grafana.github.io/helm-charts
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/harbor.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "harbor"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: harbor
spec:
  url: https://helm.goharbor.io
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/jetstack.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "jetstack" (cert-manager charts); re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: jetstack
spec:
  url: https://charts.jetstack.io
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/kustomization.yaml:
--------------------------------------------------------------------------------
---
# One entry per HelmRepository file in this directory; the namespace field
# stamps flux-system onto every resource listed here.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources:
  - bitnami.yaml
  - cilium.yaml
  - cloudnative-pg.yaml
  - coredns.yaml
  - csi-driver-nfs.yaml
  - grafana.yaml
  - harbor.yaml
  - jetstack.yaml
  - longhorn.yaml
  - mariadb-operator.yaml
  - metallb.yaml
  - metrics-server.yaml
  - nfs-subdir-external-provisioner.yaml
  - pascaliske.yaml
  - podinfo.yaml
  - prometheus-community.yaml
  - rook-release.yaml
  - traefik.yaml
...
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/longhorn.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "longhorn"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: longhorn
spec:
  url: https://charts.longhorn.io
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/mariadb-operator.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "mariadb-operator"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: mariadb-operator
spec:
  url: https://mariadb-operator.github.io/mariadb-operator
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/metallb.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "metallb"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: metallb
spec:
  url: https://metallb.github.io/metallb
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/metrics-server.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "metrics-server"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: metrics-server
spec:
  url: https://kubernetes-sigs.github.io/metrics-server/
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/nfs-subdir-external-provisioner.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "nfs-subdir-external-provisioner"; re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: nfs-subdir-external-provisioner
spec:
  url: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/pascaliske.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "pascaliske"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: pascaliske
spec:
  url: https://charts.pascaliske.dev
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/podinfo.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "podinfo"; unlike the others this index is only
# re-fetched once a day.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: podinfo
spec:
  url: https://stefanprodan.github.io/podinfo
  interval: 24h
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/prometheus-community.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "prometheus-community"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: prometheus-community
spec:
  url: https://prometheus-community.github.io/helm-charts
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/rook-release.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "rook-release"; referenced by both Rook HelmReleases
# (operator and cluster). The chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: rook-release
spec:
  url: https://charts.rook.io/release
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/helm/traefik.yaml:
--------------------------------------------------------------------------------
# Flux HelmRepository "traefik"; the chart index is re-fetched every 30m.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  namespace: flux-system
  name: traefik
spec:
  url: https://traefik.github.io/charts
  interval: 30m0s
--------------------------------------------------------------------------------
/kubernetes/repositories/kustomization.yaml:
--------------------------------------------------------------------------------
# All Flux source repositories, grouped by kind (git, helm, oci, s3); only
# the helm directory currently defines any resources.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - git
  - helm
  - oci
  - s3
--------------------------------------------------------------------------------
/kubernetes/repositories/oci/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Placeholder for OCIRepository sources; none are defined yet.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources: []
...
--------------------------------------------------------------------------------
/kubernetes/repositories/s3/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Placeholder for Bucket (S3) sources; none are defined yet.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources: []
...
--------------------------------------------------------------------------------
/kubernetes/sops/README.md:
--------------------------------------------------------------------------------
1 | # Basic configuration
2 |
3 | ## Configure Flux decryption with the age secret key for production
4 |
5 |
6 | ```yaml
7 | ---
8 | apiVersion: kustomize.toolkit.fluxcd.io/v1
9 | kind: Kustomization
10 | metadata:
11 | name: flux-system
12 | namespace: flux-system
13 | spec:
14 | interval: 10m0s
15 | path: ./
16 | prune: true
17 | sourceRef:
18 | kind: GitRepository
19 | name: ${yourRepositoryName}
20 | decryption:
21 | provider: sops
22 | secretRef:
23 | name: sops-age
24 | ...
25 | ```
26 |
--------------------------------------------------------------------------------
/kubernetes/sops/prod/flux-sops-agekey.prod.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # SOPS-encrypted manifest: only values matched by encrypted_regex (data/stringData) are ciphertext; metadata stays in plaintext
2 | kind: Secret
3 | type: Opaque
4 | metadata:
5 | namespace: flux-system
6 | name: flux-sops-agekey  # NOTE(review): the README's Kustomization example references secretRef name sops-age; confirm which name the prod Kustomization actually uses
7 | data:  # NOTE(review): the key name ends in .agekey, the suffix Flux's SOPS decryption looks for in the referenced Secret; presumably this is the cluster's age private key, in which case Flux cannot decrypt this file with it and the Secret must be applied out of band on bootstrap -- confirm
8 | flux-sops.agekey: ENC[AES256_GCM,data:ayDUv/llgGAO7bH5D8N8xwA9N3hlQJomYMPWin6HBd4EOJjB9Zy7E03ESqbjQeM5fdfpPulmhHOudN8PqU0iNQ3pwzuCWeW+V5YJVCZOYgCTFl3tY/dBswzT7jq8C4WSVjt1XiawREwHHX9xrNfx1UNpDLORn6zpAsFyAC0SnXLjUXeBF4ES126ydeLTmODMFFsdSI2ZtWANL51wBWG168+OYoL0i799egmvioVk7HGlBqNfusfAWfcusNE2qOKSDnCHi6pW4XfSAPrxU15RyjsOHyAn+6uNJQXHk0zcmKRJMYwOVRojcKHG+jKzeK99DDcg/fMGB5PMeWaV,iv:SVMSJzjri0HEG9tbt9Zr8AWpti6LDg5gfkwzO5ILBSw=,tag:cJxtGqZitwHxAFvqp29XBQ==,type:str]
9 | sops:  # SOPS metadata written by the sops tool; edit values only through sops so the mac stays valid
10 | kms: []
11 | gcp_kms: []
12 | azure_kv: []
13 | hc_vault: []
14 | age:  # two age recipients can unwrap the data key; each entry holds the data key wrapped for that recipient
15 | - recipient: age1wgq6wt4yfnqg8nw7nrd27sc90xllpxwgd9vgj653cns8cmn7230syhkq95  # age public key (recipient), not a secret
16 | enc: |
17 | -----BEGIN AGE ENCRYPTED FILE-----
18 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQUpkRDE1TDRWbXdXVStC
19 | Y3lXd2p2MWs3ZlpDU2F5b2hZNWdZczV4aVU0CmtMTFlvSWttdWVSTTV1clArc0M2
20 | MGE5NmhQSHErR0RNK0Z5QVp4MUo0a2sKLS0tIDJvZWxEa1F6TklnQU9MZTNJZFVP
21 | dVV6eWE4b2dHaHpJdVNzQmN3aFo1RjAKKJrrqRqHmRPd2YrL2cm2+FSvDNkB1Lv9
22 | HCgFchwCJVJKhzToZAH87xw16x1OInmQBksVj0IFc0wW/8+DcIkcPw==
23 | -----END AGE ENCRYPTED FILE-----
24 | - recipient: age1jtm9h6g5r9a5rasy6nuaa72zwfx2vfn2wmm6302ju8tsl3l45p4qta2d32  # age public key (recipient), not a secret
25 | enc: |
26 | -----BEGIN AGE ENCRYPTED FILE-----
27 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRXFNdHVPNTJueGE0UXZw
28 | cXNpN3JkeUhKWVZTZ212M2F6UzA2djZOQlcwCkZtckJxeG5qZ1ZTUW5SSjlUeDdz
29 | UldwRnAwWEMyUmJkT2JwQS9vbUthREkKLS0tIEowWHVKZzdiT1Ard0t5ZFMrNnJX
30 | VHNMQUdXaWVJNTJJSUIwZDJ0MDJXRTgK6c1nux0sHKLfGj8u9HOhOXxOmTbt+W/i
31 | QPAsqaWZNc+Kn34BNxQIiDITxUO9vEXlvqU7gFPkboM7r2V1oBYZGw==
32 | -----END AGE ENCRYPTED FILE-----
33 | lastmodified: "2023-09-24T14:57:50Z"
34 | mac: ENC[AES256_GCM,data:yfOvyu7XtqER8SidIfmDlI3/3AwdAM0FcNpo05Z1+WXsYZ2+9q4KtAeGnD8co1rI0S4bJ44vWeaaEbfBKAycNA5H2XEz3hRj38B5zXedbMmuuILyjdVQBu6ZjfDvHo8ZzIwDhecpvy0xOQRCPy2KZXeeD9tmXuqPpGWMWE3QHbM=,iv:2jm/K5678lx5ML868oeFkiKnteN0QgBTPauddlxsXVM=,tag:WnLxv7/F/Pzxu0bmxgiX+Q==,type:str]
35 | pgp: []
36 | encrypted_regex: ^(data|stringData)$  # only these top-level keys are encrypted; name, namespace and the data key name remain readable in git
37 | version: 3.7.3  # version of sops that produced this file
38 | 
--------------------------------------------------------------------------------