diff --git a/.github/workflows/meta-labeler.yaml b/.github/workflows/meta-labeler.yaml index 39b3b9a05..02a3e9340 100644 --- a/.github/workflows/meta-labeler.yaml +++ b/.github/workflows/meta-labeler.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Labeler - uses: actions/labeler@9fcb2c2f5584144ca754f8bfe8c6f81e77753375 # v4.1.0 + uses: actions/labeler@0967ca812e7fdc8f5f71402a1b486d5bd061fe20 # v4.2.0 with: configuration-path: .github/labeler.yaml repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml index e64e4d0e1..fcaa46a5b 100644 --- a/.github/workflows/release-drafter.yaml +++ b/.github/workflows/release-drafter.yaml @@ -10,7 +10,7 @@ jobs: update: runs-on: ubuntu-latest steps: - - uses: release-drafter/release-drafter@569eb7ee3a85817ab916c8f8ff03a5bd96c9c83e # v5.23.0 + - uses: release-drafter/release-drafter@65c5fb495d1e69aa8c08a3317bc44ff8aabe9772 # v5.24.0 with: config-name: release-drafter.yaml env: diff --git a/__before_move/cluster/apps/development/code-server/helm-release.yaml b/__before_move/cluster/apps/development/code-server/helm-release.yaml index c3836b18e..eef3ac5f0 100644 --- a/__before_move/cluster/apps/development/code-server/helm-release.yaml +++ b/__before_move/cluster/apps/development/code-server/helm-release.yaml @@ -65,7 +65,7 @@ spec: kubernetes.io/ingress.class: nginx traefik.ingress.kubernetes.io/router.tls: "true" external-dns/is-public: "true" - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} hosts: - host: code.${SECRET_DOMAIN_ME} paths: diff --git a/__before_move/cluster/apps/development/documentation/ingress.yaml b/__before_move/cluster/apps/development/documentation/ingress.yaml index 3923f8bad..a9759d1cd 100755 --- a/__before_move/cluster/apps/development/documentation/ingress.yaml 
+++ b/__before_move/cluster/apps/development/documentation/ingress.yaml @@ -7,11 +7,11 @@ metadata: name: documentation annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} traefik.ingress.kubernetes.io/router.middlewares: networking-forwardauth-authelia@kubernetescrd - hajimari.io/enable: 'true' + hajimari.io/enable: "true" hajimari.io/icon: file-document-edit spec: tls: diff --git a/__before_move/cluster/apps/networking/cert-manager/letsencrypt-production.yaml b/__before_move/cluster/apps/networking/cert-manager/letsencrypt-production.yaml index 34001a1a8..26533199d 100644 --- a/__before_move/cluster/apps/networking/cert-manager/letsencrypt-production.yaml +++ b/__before_move/cluster/apps/networking/cert-manager/letsencrypt-production.yaml @@ -6,13 +6,13 @@ metadata: spec: acme: server: https://acme-v02.api.letsencrypt.org/directory - email: ${SECRET_CLOUDFLARE_EMAIL} + email: ${SECRET_ACME_EMAIL} privateKeySecretRef: name: letsencrypt-production solvers: - dns01: cloudflare: - email: ${SECRET_CLOUDFLARE_EMAIL} + email: ${SECRET_ACME_EMAIL} apiTokenSecretRef: name: cloudflare-api-key key: api-key diff --git a/__before_move/cluster/apps/networking/cert-manager/letsencrypt-staging.yaml b/__before_move/cluster/apps/networking/cert-manager/letsencrypt-staging.yaml index 754bd50ec..587e4e757 100644 --- a/__before_move/cluster/apps/networking/cert-manager/letsencrypt-staging.yaml +++ b/__before_move/cluster/apps/networking/cert-manager/letsencrypt-staging.yaml 
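Review bot: The rename applies the ACME account address to the solver-level `dns01.cloudflare.email` as well, which couples two different identities: the top-level `acme.email` is the Let's Encrypt account contact, while the Cloudflare solver's `email` is the Cloudflare account login that is only consulted together with a global API key. Since this solver authenticates with `apiTokenSecretRef`, the solver `email` is, as far as I recall from the cert-manager Cloudflare docs, not needed at all and could be dropped instead of renamed; if a global key is ever substituted back in, `${SECRET_ACME_EMAIL}` would have to equal the Cloudflare login or the solver breaks. The same pattern appears in the staging issuer hunk below and in the external-dns hunk that sets `CF_API_EMAIL` next to `CF_API_TOKEN`, where the email is presumably likewise ignored when a token is present.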
@@ -6,13 +6,13 @@ metadata: spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory - email: ${SECRET_CLOUDFLARE_EMAIL} + email: ${SECRET_ACME_EMAIL} privateKeySecretRef: name: letsencrypt-production solvers: - dns01: cloudflare: - email: ${SECRET_CLOUDFLARE_EMAIL} + email: ${SECRET_ACME_EMAIL} apiTokenSecretRef: name: cloudflare-api-key key: api-key diff --git a/__before_move/cluster/apps/networking/external-dns/helm-release.yaml b/__before_move/cluster/apps/networking/external-dns/helm-release.yaml index 0a15375a9..7b808a91b 100644 --- a/__before_move/cluster/apps/networking/external-dns/helm-release.yaml +++ b/__before_move/cluster/apps/networking/external-dns/helm-release.yaml @@ -15,7 +15,7 @@ spec: name: external-dns-charts namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -33,7 +33,7 @@ spec: provider: cloudflare env: - name: CF_API_EMAIL - value: ${SECRET_CLOUDFLARE_EMAIL} + value: ${SECRET_ACME_EMAIL} - name: CF_API_TOKEN valueFrom: secretKeyRef: diff --git a/__before_move/cluster/apps/networking/traefik/dashboard/ingress.yaml b/__before_move/cluster/apps/networking/traefik/dashboard/ingress.yaml index b01c54e1f..5ffad009d 100755 --- a/__before_move/cluster/apps/networking/traefik/dashboard/ingress.yaml +++ b/__before_move/cluster/apps/networking/traefik/dashboard/ingress.yaml 
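Review bot: `privateKeySecretRef: name: letsencrypt-production` in the staging issuer (a context line this commit leaves untouched) points the staging ClusterIssuer at the same ACME account-key Secret that the production issuer uses, which looks like a copy-paste leftover. Each issuer should own its account key, so `name: letsencrypt-staging` is the expected value here; sharing one key Secret between two ACME servers ties the lifecycles together, so rotating or deleting the production key also invalidates staging. The issuer's `metadata.name` is outside the hunk, so I cannot confirm whether the resource name itself was also copied.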
@@ -5,11 +5,11 @@ metadata: name: traefik-dashboard annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} traefik.ingress.kubernetes.io/router.middlewares: networking-forwardauth-authelia@kubernetescrd - hajimari.io/enable: 'true' + hajimari.io/enable: "true" hajimari.io/icon: web hajimari.io/appName: traefik spec: diff --git a/__before_move/cluster/apps/system-upgrade-controller/app/kustomization.yaml b/__before_move/cluster/apps/system-upgrade-controller/app/kustomization.yaml index 53ceeaf1e..b3372c378 100755 --- a/__before_move/cluster/apps/system-upgrade-controller/app/kustomization.yaml +++ b/__before_move/cluster/apps/system-upgrade-controller/app/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - github.com/rancher/system-upgrade-controller?ref=v0.11.0 + - github.com/rancher/system-upgrade-controller?ref=v0.12.0 - plans images: - name: rancher/system-upgrade-controller diff --git a/__before_move/cluster/apps/vcluster/loft/helmrelease.yaml b/__before_move/cluster/apps/vcluster/loft/helmrelease.yaml index af4458c5f..4dfaddfb0 100644 --- a/__before_move/cluster/apps/vcluster/loft/helmrelease.yaml +++ b/__before_move/cluster/apps/vcluster/loft/helmrelease.yaml @@ -15,7 +15,7 @@ spec: name: loft-charts namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true crds: CreateReplace @@ -31,7 +31,7 @@ spec: recreate: true values: admin: - create: 'true' + create: "true" username: admin password: ${CODESERVER_PASSWORD} ingress: 
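Review bot: `password: ${CODESERVER_PASSWORD}` two lines below the changed `create: "true"` seeds the Loft `admin` account from a variable that, by its name, is the code-server password, so one leaked credential would presumably open both services. Give Loft its own substitution variable sourced from its own Secret entry, for example `password: ${SECRET_LOFT_ADMIN_PASSWORD}` (constructed name), and keep it on the `SECRET_` prefix the rest of these manifests use so it is recognisable as sensitive. The enclosing `values:` mapping continues outside the hunk.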
@@ -39,10 +39,10 @@ spec: host: loft.${SECRET_DOMAIN_K8S} ingressClass: traefik annotations: - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: mdi:chart-arc tls: enabled: true @@ -50,7 +50,7 @@ spec: # audit audit: - enableSideCar: 'true' + enableSideCar: "true" config: audit: enabled: true diff --git a/__before_move/old/_very_old/ansible-semaphore/semaphore-deployment.yaml b/__before_move/old/_very_old/ansible-semaphore/semaphore-deployment.yaml index 64173b00e..46bf44147 100755 --- a/__before_move/old/_very_old/ansible-semaphore/semaphore-deployment.yaml +++ b/__before_move/old/_very_old/ansible-semaphore/semaphore-deployment.yaml @@ -33,7 +33,7 @@ spec: - name: SEMAPHORE_DB_HOST value: mariadb - name: SEMAPHORE_DB_PORT - value: '3306' + value: "3306" - name: SEMAPHORE_DB value: semaphore - name: SEMAPHORE_PLAYBOOK_PATH @@ -46,7 +46,7 @@ spec: - name: SEMAPHORE_ADMIN_NAME value: admin - name: SEMAPHORE_ADMIN_EMAIL - value: ${SECRET_CLOUDFLARE_EMAIL} + value: ${SECRET_ACME_EMAIL} - name: SEMAPHORE_ADMIN value: admin name: semaphore @@ -94,9 +94,9 @@ kind: Ingress metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - external-dns/is-public: 'true' - traefik.ingress.kubernetes.io/router.tls: 'true' + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + external-dns/is-public: "true" + traefik.ingress.kubernetes.io/router.tls: "true" labels: app: semaphore name: semaphore-ingress diff --git a/__before_move/old/_very_old/dokuwiki/ingress.yaml b/__before_move/old/_very_old/dokuwiki/ingress.yaml index 0a169803e..99a7105e5 100755 
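Review bot: `cert-manager.io/cluster-issuer: letsencrypt-prod` on the context line above the rewritten annotations references an issuer named `letsencrypt-prod`, while the ClusterIssuer manifests earlier in this diff use `letsencrypt-production` for their account-key Secret. If the issuer's `metadata.name` follows that same naming (it is outside the hunks shown), this Ingress points at a non-existent issuer and would never obtain a certificate; worth verifying the name, or changing the annotation to `cert-manager.io/cluster-issuer: letsencrypt-production`. The file sits under `_very_old`, so it may simply be stale rather than live.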
--- a/__before_move/old/_very_old/dokuwiki/ingress.yaml +++ b/__before_move/old/_very_old/dokuwiki/ingress.yaml @@ -8,11 +8,11 @@ metadata: name: dokuwiki annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} traefik.ingress.kubernetes.io/router.middlewares: networking-forwardauth-authelia@kubernetescrd - hajimari.io/enable: 'true' + hajimari.io/enable: "true" hajimari.io/icon: file-document-edit spec: tls: diff --git a/__before_move/old/_very_old/gitea/helm-release.yaml b/__before_move/old/_very_old/gitea/helm-release.yaml index 313922fc6..ee3fedc3b 100755 --- a/__before_move/old/_very_old/gitea/helm-release.yaml +++ b/__before_move/old/_very_old/gitea/helm-release.yaml @@ -17,7 +17,7 @@ spec: name: gitea namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -38,7 +38,7 @@ spec: repository: ROOT: ~/gitea-repositories repository.pull-request: - WORK_IN_PROGRESS_PREFIXES: 'WIP:,[WIP]:' + WORK_IN_PROGRESS_PREFIXES: "WIP:,[WIP]:" cache: builtIn: enabled: true @@ -48,17 +48,17 @@ spec: ROOT_URL: https://git.${SECRET_DOMAIN_ME} DISABLE_SSH: true cron.sync_external_users: - ENABLED: 'true' - RUN_AT_START: 'true' - SCHEDULE: '@every 10m' - UPDATE_EXISTING: 'true' - NO_SUCCESS_NOTICE: 'true' + ENABLED: "true" + RUN_AT_START: "true" + SCHEDULE: "@every 10m" + UPDATE_EXISTING: "true" + NO_SUCCESS_NOTICE: "true" ldap: enabled: true name: k8s-ldap securityProtocol: unencrypted host: openldap.identity.svc.cluster.local - port: '1389' + port: "1389" userSearchBase: ou=users,dc=sky,dc=lab userFilter: (sn=%s) adminFilter: (&(objectClass=groupOfNames)(cn=admins))) 
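Review bot: `adminFilter: (&(objectClass=groupOfNames)(cn=admins)))` on the hunk's last context line has one more closing parenthesis than opening (three `)` after `cn=admins` against the single `(&` that opens the filter), which is not a valid RFC 4515 filter and will most likely fail at parse time, so the admin-group mapping would never match; the balanced form is `adminFilter: (&(objectClass=groupOfNames)(cn=admins))`. Separately, `securityProtocol: unencrypted` against `openldap.identity.svc.cluster.local` sends the bind credentials and user lookups in cleartext across the cluster network; unless that network is encrypted by other means, an `ldaps` or StartTLS setting is preferable. `DISABLE_SSH: true` is also the only bare boolean among otherwise quoted string values in this block, so its rendered form is worth checking against the chart's config handling.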
@@ -80,10 +80,10 @@ spec: - git.${SECRET_DOMAIN_ME} annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: git tls: - secretName: ${SECRET_DOMAIN_ME//./-}-tls diff --git a/__before_move/old/_very_old/gollum/ingress.yaml b/__before_move/old/_very_old/gollum/ingress.yaml index 66ba13d2f..7aa87bb46 100755 --- a/__before_move/old/_very_old/gollum/ingress.yaml +++ b/__before_move/old/_very_old/gollum/ingress.yaml @@ -8,14 +8,14 @@ metadata: name: gollum annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" ingress.kubernetes.io/auth-type: basic ingress.kubernetes.io/auth-realm: traefik ingress.kubernetes.io/auth-secret: gollum-basic-auth - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} traefik.ingress.kubernetes.io/router.middlewares: networking-forwardauth-authelia@kubernetescrd - hajimari.io/enable: 'true' + hajimari.io/enable: "true" hajimari.io/icon: file-document-edit-outline spec: tls: diff --git a/__before_move/old/_very_old/homer/helm-release.yaml b/__before_move/old/_very_old/homer/helm-release.yaml index f7f59088f..0d528ca12 100755 --- a/__before_move/old/_very_old/homer/helm-release.yaml +++ b/__before_move/old/_very_old/homer/helm-release.yaml @@ -17,7 +17,7 @@ spec: name: k8s-at-home namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: 
@@ -46,9 +46,9 @@ spec: enabled: true annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} traefik.ingress.kubernetes.io/router.middlewares: networking-forwardauth-authelia@kubernetescrd hosts: - host: homer.${SECRET_DOMAIN_ME} diff --git a/__before_move/old/_very_old/joplin/helm-release.yaml b/__before_move/old/_very_old/joplin/helm-release.yaml index fe1fa5de8..d2d055879 100755 --- a/__before_move/old/_very_old/joplin/helm-release.yaml +++ b/__before_move/old/_very_old/joplin/helm-release.yaml @@ -15,7 +15,7 @@ spec: name: k8s-at-home namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -52,10 +52,10 @@ spec: enabled: true annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: newspaper hosts: - host: joplin.${SECRET_DOMAIN_ME} @@ -69,7 +69,7 @@ spec: service: main: annotations: - prometheus.io/probe: 'true' + prometheus.io/probe: "true" prometheus.io/protocol: tcp persistence: data: diff --git a/__before_move/old/_very_old/k10/helm-release.yaml b/__before_move/old/_very_old/k10/helm-release.yaml index 27baa2a02..b787246c8 100755 --- a/__before_move/old/_very_old/k10/helm-release.yaml +++ b/__before_move/old/_very_old/k10/helm-release.yaml 
@@ -16,7 +16,7 @@ spec: namespace: flux-system releaseName: k10 test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true crds: CreateReplace @@ -34,7 +34,7 @@ spec: eula: accept: true company: tuxpeople-k8s-homelab - email: ${SECRET_CLOUDFLARE_EMAIL} + email: ${SECRET_ACME_EMAIL} clusterName: k8s-homelab resources: requests: @@ -61,10 +61,10 @@ spec: ingress: annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: file-cabinet hajimari.io/appName: Kasten K10 hajimari.io/url: https://k10.eighty-three.me/k10/ diff --git a/__before_move/old/_very_old/keycloak/helm-release.yaml b/__before_move/old/_very_old/keycloak/helm-release.yaml index fbb362c6a..f788b2251 100755 --- a/__before_move/old/_very_old/keycloak/helm-release.yaml +++ b/__before_move/old/_very_old/keycloak/helm-release.yaml @@ -17,7 +17,7 @@ spec: name: codecentric namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -34,9 +34,9 @@ spec: enabled: true annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} rules: - host: sso.${SECRET_DOMAIN_ME} paths: diff --git a/__before_move/old/_very_old/plex.yaml b/__before_move/old/_very_old/plex.yaml index 4f679f44e..97bcb6e42 100755 --- a/__before_move/old/_very_old/plex.yaml 
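Review bot: `hajimari.io/url: https://k10.eighty-three.me/k10/` on the last context line hard-codes a public domain while every other host in this diff is built from `${SECRET_DOMAIN_ME}`; if that is the same domain, the value the repo otherwise keeps out of plaintext via substitution is disclosed here, and the line should read `hajimari.io/url: https://k10.${SECRET_DOMAIN_ME}/k10/`. The copy under `old/apps/kasten-io/k10/helm-release.yaml` later in this diff carries the identical line.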
+++ b/__before_move/old/_very_old/plex.yaml @@ -15,7 +15,7 @@ spec: name: k8s-at-home namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -74,7 +74,7 @@ metadata: name: plex spec: friendlyName: K8S Plex - url: http://ipv4.${SECRET_DOMAIN_K8S}:32400/identity + url: http://${SECRET_DNS_TARGET}:32400/identity type: HTTP httpMethod: GET interval: 300 diff --git a/__before_move/old/_very_old/podsync/ingress.yaml b/__before_move/old/_very_old/podsync/ingress.yaml index b7e453562..619b1d77a 100755 --- a/__before_move/old/_very_old/podsync/ingress.yaml +++ b/__before_move/old/_very_old/podsync/ingress.yaml @@ -4,9 +4,9 @@ kind: Ingress metadata: annotations: kubernetes.io/ingress.class: nginx - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - external-dns/is-public: 'true' - hajimari.io/enable: 'true' + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + external-dns/is-public: "true" + hajimari.io/enable: "true" hajimari.io/icon: podcast hajimari.io/appName: podsync labels: diff --git a/__before_move/old/_very_old/tekton-pipelines/example/07-ingress.yaml b/__before_move/old/_very_old/tekton-pipelines/example/07-ingress.yaml index 074f46b70..c779f62c9 100755 --- a/__before_move/old/_very_old/tekton-pipelines/example/07-ingress.yaml +++ b/__before_move/old/_very_old/tekton-pipelines/example/07-ingress.yaml @@ -8,10 +8,10 @@ metadata: name: tekton-pr annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: safe spec: tls: 
diff --git a/__before_move/old/_very_old/vikunja/helm-release.yaml b/__before_move/old/_very_old/vikunja/helm-release.yaml index f44d89982..dea20e28e 100755 --- a/__before_move/old/_very_old/vikunja/helm-release.yaml +++ b/__before_move/old/_very_old/vikunja/helm-release.yaml @@ -17,7 +17,7 @@ spec: name: k8s-at-home namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -40,7 +40,7 @@ spec: enabled: true type: custom readOnly: true - mountPath: '-' + mountPath: "-" volumeSpec: configMap: name: vikunja-config-yml @@ -51,10 +51,10 @@ spec: enabled: true annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: format-list-checks hosts: - host: todo.${SECRET_DOMAIN_ME} @@ -77,7 +77,7 @@ spec: port: port: 8080 annotations: - prometheus.io/probe: 'true' + prometheus.io/probe: "true" prometheus.io/protocol: http caddy: notls: true @@ -102,11 +102,11 @@ spec: - name: VIKUNJA_MAILER_FROMEMAIL value: todo@${SECRET_DOMAIN_ME} - name: VIKUNJA_MAILER_ENABLED - value: 'true' + value: "true" - name: VIKUNJA_MAILER_HOST value: smtp.utils.svc.cluster.local - name: VIKUNJA_MAILER_PORT - value: '25' + value: "25" - name: VIKUNJA_API_URL value: https://todo.${SECRET_DOMAIN_ME}/api/v1 volumeMounts: diff --git a/__before_move/old/_very_old/wikijs/helm-release.yaml b/__before_move/old/_very_old/wikijs/helm-release.yaml index 637b18917..b6a223180 100755 --- a/__before_move/old/_very_old/wikijs/helm-release.yaml +++ b/__before_move/old/_very_old/wikijs/helm-release.yaml 
@@ -17,7 +17,7 @@ spec: name: k8s-at-home namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -48,9 +48,9 @@ spec: enabled: true annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} tls: - secretName: ${SECRET_DOMAIN_ME//./-}-tls hosts: diff --git a/__before_move/old/apps/apps/changedetection.io/helm-release.yaml b/__before_move/old/apps/apps/changedetection.io/helm-release.yaml index da6c2a74e..aa7ec09a6 100755 --- a/__before_move/old/apps/apps/changedetection.io/helm-release.yaml +++ b/__before_move/old/apps/apps/changedetection.io/helm-release.yaml @@ -17,7 +17,7 @@ spec: name: k8s-at-home namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -47,10 +47,10 @@ spec: enabled: true annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: magnify-scan traefik.ingress.kubernetes.io/router.middlewares: networking-forwardauth-authelia@kubernetescrd hosts: diff --git a/__before_move/old/apps/apps/hajimari/helm-release.yaml b/__before_move/old/apps/apps/hajimari/helm-release.yaml index 78beba02c..6678f68b0 100755 --- a/__before_move/old/apps/apps/hajimari/helm-release.yaml +++ b/__before_move/old/apps/apps/hajimari/helm-release.yaml 
@@ -15,7 +15,7 @@ spec: name: hajimari-charts namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -121,10 +121,10 @@ spec: enabled: true ingressClassName: traefik annotations: - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: weather-sunset traefik.ingress.kubernetes.io/router.middlewares: networking-forwardauth-authelia@kubernetescrd hosts: diff --git a/__before_move/old/apps/apps/wallabag/helm-release.yaml b/__before_move/old/apps/apps/wallabag/helm-release.yaml index 17f628805..76dd2116a 100755 --- a/__before_move/old/apps/apps/wallabag/helm-release.yaml +++ b/__before_move/old/apps/apps/wallabag/helm-release.yaml @@ -17,7 +17,7 @@ spec: name: k8s-at-home namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -41,9 +41,9 @@ spec: SYMFONY__ENV__DATABASE_PASSWORD: SYMFONY__ENV__REDIS_HOST: wallabag-redis-master SYMFONY__ENV__SERVER_NAME: Wallabag - SYMFONY__ENV__FOSUSER_REGISTRATION: 'false' - SYMFONY__ENV__FOSUSER_CONFIRMATION: 'false' - POPULATE_DATABASE: 'true' + SYMFONY__ENV__FOSUSER_REGISTRATION: "false" + SYMFONY__ENV__FOSUSER_CONFIRMATION: "false" + POPULATE_DATABASE: "true" image: pullPolicy: Always strategy: 
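Review bot: `SYMFONY__ENV__DATABASE_PASSWORD:` at the top of the hunk has no value, so YAML parses it as `null` rather than an empty string; from here it is unclear whether the chart renders that as a blank password or whether the key is a placeholder for a value injected elsewhere. Make the intent explicit: drop the key if the password arrives via a Secret reference, or otherwise supply it through a `valueFrom`/`secretKeyRef` rather than an inline value; yamllint's `empty-values` rule flags the current form. The surrounding `env` mapping starts before this hunk.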
@@ -60,10 +60,10 @@ spec: enabled: true annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: newspaper hosts: - host: wallabag.${SECRET_DOMAIN_ME} diff --git a/__before_move/old/apps/identity/dex/helm-release.yaml b/__before_move/old/apps/identity/dex/helm-release.yaml index 158097b62..b66c43cb9 100755 --- a/__before_move/old/apps/identity/dex/helm-release.yaml +++ b/__before_move/old/apps/identity/dex/helm-release.yaml @@ -16,7 +16,7 @@ spec: name: dex-chart namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -37,9 +37,9 @@ spec: enabled: true annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} hosts: - host: sso.${SECRET_DOMAIN_ME} paths: diff --git a/__before_move/old/apps/identity/traefik-forward-auth/helm-release.yaml b/__before_move/old/apps/identity/traefik-forward-auth/helm-release.yaml index f4b9652c0..34f7d0031 100755 --- a/__before_move/old/apps/identity/traefik-forward-auth/helm-release.yaml +++ b/__before_move/old/apps/identity/traefik-forward-auth/helm-release.yaml @@ -21,7 +21,7 @@ spec: - name: traefik namespace: networking test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: 
@@ -50,9 +50,9 @@ spec: enabled: true annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} hosts: - host: auth.${SECRET_DOMAIN_ME} paths: diff --git a/__before_move/old/apps/kasten-io/k10/helm-release.yaml b/__before_move/old/apps/kasten-io/k10/helm-release.yaml index fe0462c6e..1935a5f22 100644 --- a/__before_move/old/apps/kasten-io/k10/helm-release.yaml +++ b/__before_move/old/apps/kasten-io/k10/helm-release.yaml @@ -16,7 +16,7 @@ spec: namespace: flux-system releaseName: k10 test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true crds: CreateReplace @@ -34,7 +34,7 @@ spec: eula: accept: true company: tuxpeople-k8s-homelab - email: ${SECRET_CLOUDFLARE_EMAIL} + email: ${SECRET_ACME_EMAIL} clusterName: k8s-homelab resources: requests: @@ -61,10 +61,10 @@ spec: ingress: annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: file-cabinet hajimari.io/appName: Kasten K10 hajimari.io/url: https://k10.eighty-three.me/k10/ diff --git a/__before_move/old/apps/networking/kubernetes-dashboard/helm-release.yaml b/__before_move/old/apps/networking/kubernetes-dashboard/helm-release.yaml index e3d59a3fc..0519b21e0 100755 --- a/__before_move/old/apps/networking/kubernetes-dashboard/helm-release.yaml +++ b/__before_move/old/apps/networking/kubernetes-dashboard/helm-release.yaml 
@@ -17,7 +17,7 @@ spec: name: kubernetes-dashboard namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -42,11 +42,11 @@ spec: - dashy.${SECRET_DOMAIN_ME} annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} traefik.ingress.kubernetes.io/router.middlewares: networking-forwardauth-authelia@kubernetescrd - hajimari.io/enable: 'true' + hajimari.io/enable: "true" hajimari.io/icon: kubernetes tls: - secretName: ${SECRET_DOMAIN_ME//./-}-tls diff --git a/__before_move/old/apps/networking/speedtest-plotter/ingress.yaml b/__before_move/old/apps/networking/speedtest-plotter/ingress.yaml index 8939ba97c..2cab4eade 100755 --- a/__before_move/old/apps/networking/speedtest-plotter/ingress.yaml +++ b/__before_move/old/apps/networking/speedtest-plotter/ingress.yaml @@ -8,10 +8,10 @@ metadata: name: speedtest-plotter annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: speedometer spec: tls: diff --git a/__before_move/old/apps/utils/codimd/helm-release.yaml b/__before_move/old/apps/utils/codimd/helm-release.yaml index f0044ead3..78d58a435 100755 --- a/__before_move/old/apps/utils/codimd/helm-release.yaml +++ b/__before_move/old/apps/utils/codimd/helm-release.yaml 
@@ -17,7 +17,7 @@ spec: name: codimd namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -41,10 +41,10 @@ spec: enabled: true annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: language-markdown tls: - secretName: ${SECRET_DOMAIN_ME//./-}-tls diff --git a/__before_move/old/apps/utils/hasteserver/helm-release.yaml b/__before_move/old/apps/utils/hasteserver/helm-release.yaml index 402c02b74..a1da9225a 100755 --- a/__before_move/old/apps/utils/hasteserver/helm-release.yaml +++ b/__before_move/old/apps/utils/hasteserver/helm-release.yaml @@ -17,7 +17,7 @@ spec: name: k8s-at-home namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -39,10 +39,10 @@ spec: enabled: true annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: notebook hajimari.io/appName: hasteserver tls: diff --git a/__before_move/old/apps/utils/onetimesecret/ingress.yaml b/__before_move/old/apps/utils/onetimesecret/ingress.yaml index 58722ad7f..4d68df8d5 100755 --- a/__before_move/old/apps/utils/onetimesecret/ingress.yaml +++ b/__before_move/old/apps/utils/onetimesecret/ingress.yaml 
@@ -9,10 +9,10 @@ metadata: name: onetimesecret annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: safe spec: tls: diff --git a/__before_move/old/apps/utils/sharry/helm-release.yaml b/__before_move/old/apps/utils/sharry/helm-release.yaml index cc55ecd45..32ef7c6d6 100755 --- a/__before_move/old/apps/utils/sharry/helm-release.yaml +++ b/__before_move/old/apps/utils/sharry/helm-release.yaml @@ -16,7 +16,7 @@ spec: name: k8s-at-home namespace: flux-system test: - enable: false # Enable helm test + enable: false # Enable helm test install: createNamespace: true remediation: @@ -41,10 +41,10 @@ spec: enabled: true annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: share-variant hosts: - host: share.${SECRET_DOMAIN_ME} diff --git a/__before_move/old/apps/utils/static/ingress.yaml b/__before_move/old/apps/utils/static/ingress.yaml index 9c84232c5..b63d5319f 100755 --- a/__before_move/old/apps/utils/static/ingress.yaml +++ b/__before_move/old/apps/utils/static/ingress.yaml 
@@ -8,10 +8,10 @@ metadata: name: static annotations: kubernetes.io/ingress.class: nginx - traefik.ingress.kubernetes.io/router.tls: 'true' - external-dns/is-public: 'true' - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN_K8S} - hajimari.io/enable: 'true' + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns/is-public: "true" + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} + hajimari.io/enable: "true" hajimari.io/icon: semantic-web spec: tls: diff --git a/__before_move/provision/ansible/requirements.yml b/__before_move/provision/ansible/requirements.yml index 7d495da8b..c48a909e9 100755 --- a/__before_move/provision/ansible/requirements.yml +++ b/__before_move/provision/ansible/requirements.yml @@ -1,9 +1,9 @@ --- collections: - name: community.general - version: 7.0.1 + version: 7.1.0 - name: community.sops - version: 1.6.2 + version: 1.6.4 - name: ansible.posix version: 1.5.4 - name: robertdebock.roles diff --git a/ansible/inventory/group_vars/kubernetes/k3s.yml b/ansible/inventory/group_vars/kubernetes/k3s.yml index c2b78e552..e1f486e7e 100644 --- a/ansible/inventory/group_vars/kubernetes/k3s.yml +++ b/ansible/inventory/group_vars/kubernetes/k3s.yml @@ -5,7 +5,7 @@ # # renovate: datasource=github-releases depName=k3s-io/k3s -k3s_release_version: "v1.27.2+k3s1" +k3s_release_version: "v1.27.3+k3s1" k3s_install_hard_links: true k3s_become: true k3s_debug: false diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml index bc6bb77ec..8f8f2e702 100644 --- a/ansible/inventory/hosts.yml +++ b/ansible/inventory/hosts.yml @@ -13,5 +13,5 @@ kubernetes: hosts: tpi-node4: ansible_host: 192.168.8.114 -nfs-server: - hosts: tpi-node3 +# nfs-server: +# hosts: tpi-node3 diff --git a/ansible/playbooks/cluster-installation.yml b/ansible/playbooks/cluster-installation.yml index 4c6d334c2..3af3e858e 100644 --- a/ansible/playbooks/cluster-installation.yml +++ b/ansible/playbooks/cluster-installation.yml 
@@ -56,7 +56,7 @@ - name: Copy kubeconfig to target run_once: true ansible.builtin.copy: - src: "{{ repo_abs_path.stdout }}/kubeconfig" + src: "{{ repository_path.stdout }}/kubeconfig" dest: "{{ kubeconfig_target }}" delegate_to: localhost become: false diff --git a/ansible/playbooks/cluster-prepare.yml b/ansible/playbooks/cluster-prepare.yml index 3968adca0..d7b1a41a5 100644 --- a/ansible/playbooks/cluster-prepare.yml +++ b/ansible/playbooks/cluster-prepare.yml @@ -65,12 +65,6 @@ - name: System Configuration (1) block: - - name: System Configuration (1) | Disable ufw - ansible.builtin.systemd: - service: ufw.service - enabled: false - masked: true - state: stopped - name: System Configuration (1) | Enable fstrim ansible.builtin.systemd: service: fstrim.timer @@ -82,7 +76,7 @@ community.general.modprobe: name: "{{ item }}" state: present - loop: [br_netfilter, ip_vs, ip_vs_rr, overlay, rbd] + loop: [br_netfilter, ip_vs, ip_vs_rr, overlay] - name: System Configuration (2) | Enable kernel modules on boot ansible.builtin.copy: mode: 0644 diff --git a/ansible/requirements.yml b/ansible/requirements.yml index 8894d98cc..ef473f7e8 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -1,20 +1,20 @@ --- collections: - name: community.general - version: 7.0.1 + version: 7.1.0 - name: community.sops - version: 1.6.2 + version: 1.6.4 - name: ansible.posix version: 1.5.4 - name: ansible.utils version: 2.10.3 - name: kubernetes.core version: 2.4.0 - - name: robertdebock.roles - version: 1.10.6 + # - name: robertdebock.roles + # version: 1.10.6 roles: - name: githubixx.cilium_cli - version: 2.6.0+0.13.2 + version: 2.7.0+0.14.6 - name: xanmanning.k3s src: https://github.com/PyratLabs/ansible-role-k3s.git version: v3.4.2 diff --git a/archive/apps/cert-manager/cert-manager/issuers/issuers.yaml b/archive/apps/cert-manager/cert-manager/issuers/issuers.yaml index c64fc29ba..0b944c341 100644 --- a/archive/apps/cert-manager/cert-manager/issuers/issuers.yaml 
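Review bot: Dropping the `System Configuration (1) | Disable ufw` task in cluster-prepare.yml leaves nothing in this play that reconciles the host firewall with what k3s needs, so on a node where ufw is enabled the API server (6443/tcp), kubelet (10250/tcp) and the pod/overlay traffic stay blocked until someone opens them by hand. If ufw is now expected to remain active, add an explicit task that allows those ports so the intent is reviewable; if it is expected to be absent on these hosts, a comment above `- name: System Configuration (1) | Enable fstrim` such as `# ufw is not installed on the node images; firewalling is left to the upstream router` would stop the next reader from re-adding the old task. The `rbd` removal from the `modprobe` loop in the second hunk is only safe if no Ceph RBD volumes are mounted by this cluster, which this chunk cannot confirm. The `System Configuration (1)` block continues past the end of the hunk.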
+++ b/archive/apps/cert-manager/cert-manager/issuers/issuers.yaml @@ -6,7 +6,7 @@ metadata: spec: acme: server: https://acme-v02.api.letsencrypt.org/directory - email: ${SECRET_CLOUDFLARE_EMAIL} + email: ${SECRET_ACME_EMAIL} privateKeySecretRef: name: letsencrypt-production solvers: @@ -29,7 +29,7 @@ metadata: spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory - email: ${SECRET_CLOUDFLARE_EMAIL} + email: ${SECRET_ACME_EMAIL} privateKeySecretRef: name: letsencrypt-staging solvers: diff --git a/archive/apps/default/code-server/app/helmrelease.yaml b/archive/apps/default/code-server/app/helmrelease.yaml index b51bad902..bcc872d39 100644 --- a/archive/apps/default/code-server/app/helmrelease.yaml +++ b/archive/apps/default/code-server/app/helmrelease.yaml @@ -63,7 +63,7 @@ spec: kubernetes.io/ingress.class: nginx traefik.ingress.kubernetes.io/router.tls: "true" external-dns/is-public: "true" - external-dns.alpha.kubernetes.io/target: ingress.${SECRET_DOMAIN} + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} hosts: - host: &host code.${SECRET_DOMAIN_ME} paths: diff --git a/archive/apps/default/drop/app/helmrelease.yaml b/archive/apps/default/drop/app/helmrelease.yaml index 880d2837b..863007f3c 100644 --- a/archive/apps/default/drop/app/helmrelease.yaml +++ b/archive/apps/default/drop/app/helmrelease.yaml @@ -39,7 +39,7 @@ spec: enabled: true ingressClassName: nginx annotations: - external-dns.alpha.kubernetes.io/target: ingress.${SECRET_DOMAIN} + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} hajimari.io/icon: file-arrow-up-down-outline hosts: - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN_ME}" diff --git a/archive/apps/default/echo-server/app/helmrelease.yaml b/archive/apps/default/echo-server/app/helmrelease.yaml index e2243b05f..ef55651ab 100644 --- a/archive/apps/default/echo-server/app/helmrelease.yaml +++ b/archive/apps/default/echo-server/app/helmrelease.yaml 
@@ -59,7 +59,7 @@ spec: enabled: true ingressClassName: nginx annotations: - external-dns.alpha.kubernetes.io/target: "ingress.${SECRET_DOMAIN}" + external-dns.alpha.kubernetes.io/target: "${SECRET_DNS_TARGET}" hajimari.io/icon: video-input-antenna hosts: - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN_ME}" diff --git a/archive/apps/default/octoprint/app/ingress.yaml b/archive/apps/default/octoprint/app/ingress.yaml index 4753d5472..b4b93a6b9 100755 --- a/archive/apps/default/octoprint/app/ingress.yaml +++ b/archive/apps/default/octoprint/app/ingress.yaml @@ -5,7 +5,7 @@ metadata: name: octoprint annotations: kubernetes.io/ingress.class: nginx - external-dns.alpha.kubernetes.io/target: ingress.${SECRET_DOMAIN} + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} external-dns/is-public: "true" hajimari.io/enable: "true" hajimari.io/icon: printer-3d-nozzle diff --git a/archive/apps/default/sharry/app/helmrelease.yaml b/archive/apps/default/sharry/app/helmrelease.yaml index a0e10d55a..9559da092 100644 --- a/archive/apps/default/sharry/app/helmrelease.yaml +++ b/archive/apps/default/sharry/app/helmrelease.yaml @@ -109,7 +109,7 @@ spec: enabled: true ingressClassName: nginx annotations: - external-dns.alpha.kubernetes.io/target: ingress.${SECRET_DOMAIN} + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} hajimari.io/icon: file-arrow-up-down-outline hosts: - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN_ME}" diff --git a/archive/apps/flux-system/addons/webhooks/github/ingress.yaml b/archive/apps/flux-system/addons/webhooks/github/ingress.yaml index c8af40c23..e53e888f7 100644 --- a/archive/apps/flux-system/addons/webhooks/github/ingress.yaml +++ b/archive/apps/flux-system/addons/webhooks/github/ingress.yaml 
@@ -5,7 +5,7 @@ metadata: name: flux-webhook namespace: flux-system annotations: - external-dns.alpha.kubernetes.io/target: "ingress.${SECRET_DOMAIN}" + external-dns.alpha.kubernetes.io/target: "${SECRET_DNS_TARGET}" hajimari.io/enable: "false" spec: ingressClassName: nginx diff --git a/archive/apps/media/mediabox/app/notifiarr-ingress.yaml b/archive/apps/media/mediabox/app/notifiarr-ingress.yaml index be647e18f..aed7bc258 100755 --- a/archive/apps/media/mediabox/app/notifiarr-ingress.yaml +++ b/archive/apps/media/mediabox/app/notifiarr-ingress.yaml @@ -5,7 +5,7 @@ metadata: name: notifiarr annotations: kubernetes.io/ingress.class: nginx - external-dns.alpha.kubernetes.io/target: ingress.${SECRET_DOMAIN} + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} external-dns/is-public: "true" hajimari.io/enable: "true" hajimari.io/icon: filmstrip diff --git a/archive/apps/monitoring/grafana/app/helmrelease.yaml b/archive/apps/monitoring/grafana/app/helmrelease.yaml index d6a91188f..3d8590578 100755 --- a/archive/apps/monitoring/grafana/app/helmrelease.yaml +++ b/archive/apps/monitoring/grafana/app/helmrelease.yaml @@ -290,7 +290,7 @@ spec: kubernetes.io/ingress.class: nginx external-dns/is-public: "true" - external-dns.alpha.kubernetes.io/target: ingress.${SECRET_DOMAIN} + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} hajimari.io/enable: "true" hajimari.io/icon: mdi:chart-arc tls: diff --git a/archive/apps/monitoring/prometheus/app/helm-release.yaml b/archive/apps/monitoring/prometheus/app/helm-release.yaml index 351cc9d12..c5690597c 100755 --- a/archive/apps/monitoring/prometheus/app/helm-release.yaml +++ b/archive/apps/monitoring/prometheus/app/helm-release.yaml @@ -70,7 +70,7 @@ spec: - name: email email_configs: - send_resolved: true - to: ${SECRET_CLOUDFLARE_EMAIL} + to: ${SECRET_ACME_EMAIL} from: prometheus@tuxpeople.org smarthost: smtp.utils.svc.cluster.local:25 require_tls: false 
@@ -135,7 +135,7 @@ spec: annotations: kubernetes.io/ingress.class: nginx external-dns/is-public: "true" - external-dns.alpha.kubernetes.io/target: ingress.${SECRET_DOMAIN} + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} hajimari.io/enable: "true" hajimari.io/appName: Alertmanager hajimari.io/icon: mdi:alert-decagram-outline @@ -358,7 +358,7 @@ spec: hajimari.io/appName: Prometheus hajimari.io/icon: mdi:fire external-dns/is-public: "true" - external-dns.alpha.kubernetes.io/target: ingress.${SECRET_DOMAIN} + external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET} tls: - secretName: ${SECRET_DOMAIN_ME//./-}-tls hosts: diff --git a/archive/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml b/archive/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml index e9b23add0..1585d9886 100644 --- a/archive/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml +++ b/archive/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml @@ -4,7 +4,7 @@ kind: Kustomization resources: # renovate: datasource=docker image=rancher/system-upgrade-controller - https://github.com/rancher/system-upgrade-controller/releases/download/v0.11.0/crd.yaml - - https://github.com/rancher/system-upgrade-controller?ref=v0.11.0 + - https://github.com/rancher/system-upgrade-controller?ref=v0.12.0 images: - name: rancher/system-upgrade-controller newTag: v0.11.0 diff --git a/kubernetes/apps/default/echo-server/app/helmrelease.yaml b/kubernetes/apps/default/echo-server/app/helmrelease.yaml index f79ea0a3e..9a51c7de9 100644 --- a/kubernetes/apps/default/echo-server/app/helmrelease.yaml +++ b/kubernetes/apps/default/echo-server/app/helmrelease.yaml 
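Review bot: In the system-upgrade-controller kustomization the `?ref=v0.12.0` bump moves only the remote base while the two neighbouring context lines stay at v0.11.0: the CRD URL `.../releases/download/v0.11.0/crd.yaml` and `images: newTag: v0.11.0`, so the v0.12.0 manifests would run the v0.11.0 image against v0.11.0 CRDs. Either move all three together or place the `# renovate:` comment so that it tracks the same version for all of them. The file lives under `archive/`, so this may be moot today, but it is a trap if the directory is ever restored.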
@@ -59,7 +59,7 @@ spec: enabled: true ingressClassName: nginx annotations: - external-dns.alpha.kubernetes.io/target: "ingress.${SECRET_DOMAIN}" + external-dns.alpha.kubernetes.io/target: "${SECRET_DNS_TARGET}" hajimari.io/icon: video-input-antenna hosts: - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}" diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml index 1e28c1695..8d272c7a4 100644 --- a/kubernetes/apps/default/kustomization.yaml +++ b/kubernetes/apps/default/kustomization.yaml @@ -5,3 +5,4 @@ resources: - ./namespace.yaml - ./echo-server/ks.yaml - ./hajimari/ks.yaml + - ./rancher-logging/ks.yaml diff --git a/kubernetes/apps/default/rancher-logging/app/garbagecollect.yaml b/kubernetes/apps/default/rancher-logging/app/garbagecollect.yaml new file mode 100644 index 000000000..c7cfd3587 --- /dev/null +++ b/kubernetes/apps/default/rancher-logging/app/garbagecollect.yaml 
@@ -0,0 +1,73 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + annotations: + kustomize.toolkit.fluxcd.io/substitute: disabled + name: script-configmap +data: + garbagecollect.sh: |- + #!/bin/sh + echo "Checking for workdir" + [ -d /mnt/workdir ] || exit 1 + echo "Deleting files in workdir older than ${KEEP_DAYS} days" + find /mnt/workdir -type f -mtime +${KEEP_DAYS} -delete + echo "Deleting empty directories in workdir" + find /mnt/workdir -empty -type d -delete + echo "Finished" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: garbagecollect + labels: + app: garbagecollect +spec: + suspend: false + schedule: "10 2 * * *" + failedJobsHistoryLimit: 3 + successfulJobsHistoryLimit: 3 + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: statefulset.kubernetes.io/pod-name + operator: In + values: + - rancher-logging-root-fluentd-0 + topologyKey: kubernetes.io/hostname + restartPolicy: OnFailure + dnsPolicy: ClusterFirst + containers: + - name: garbagecollect + image: alpine + imagePullPolicy: Always + env: + - name: KEEP_DAYS + value: "2" + volumeMounts: + - mountPath: /mnt/workdir + name: logs + - name: garbagecollectscript + mountPath: /script + resources: + limits: + memory: 1000Mi + cpu: 1000m + command: + - /bin/sh + args: + - /script/garbagecollect.sh + volumes: + - name: logs + persistentVolumeClaim: + claimName: test-pv + - name: garbagecollectscript + configMap: + name: script-configmap diff --git a/kubernetes/apps/default/rancher-logging/app/helmrelease.yaml b/kubernetes/apps/default/rancher-logging/app/helmrelease.yaml new file mode 100644 index 000000000..ab40764f7 --- /dev/null +++ b/kubernetes/apps/default/rancher-logging/app/helmrelease.yaml 
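Review bot: `find /mnt/workdir -empty -type d -delete` includes the starting point itself, so on a night when the previous `-mtime` pass leaves the volume empty, `find` attempts to remove the mount point, fails with EBUSY and exits non-zero, which marks the Job failed and re-runs it under `restartPolicy: OnFailure`; use `find /mnt/workdir -mindepth 1 -empty -type d -delete`. Separately, `image: alpine` with `imagePullPolicy: Always` and no `securityContext` means each nightly run pulls whatever the floating tag currently resolves to and runs it as root with write access to the fluentd data volume; pin a tag or digest (placeholder: `alpine:<PINNED_TAG>`) and consider `runAsUser` matching the owner of the files so the delete works without root.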
@@ -0,0 +1,50 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: rancher-logging
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: rancher-logging
+ version: 102.0.1+up3.17.10
+ sourceRef:
+ kind: HelmRepository
+ name: rancher-charts-release-2-7
+ namespace: flux-system
+ maxHistory: 2
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ dependsOn:
+ - name: rancher-logging-crd
+ namespace: default
+ values:
+ loggingOverlay:
+ spec:
+ fluentd:
+ extraVolumes:
+ - volumeName: test
+ path: "/logs"
+ containerName: fluentd
+ volume:
+ pvc:
+ source:
+ claimName: test-pv
+ # spec:
+ # accessModes:
+ # - ReadWriteOnce
+ # resources:
+ # requests:
+ # storage: 10Gi
+ # storageClassName: local-path
+ # volumeMode: Filesystem
diff --git a/kubernetes/apps/default/rancher-logging/app/kustomization.yaml b/kubernetes/apps/default/rancher-logging/app/kustomization.yaml
new file mode 100644
index 000000000..c1456b2a7
--- /dev/null
+++ b/kubernetes/apps/default/rancher-logging/app/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+ - ./helmrelease.yaml
+ - ./logging.yaml
+ - ./garbagecollect.yaml
+ - ./webserver.yaml
diff --git a/kubernetes/apps/default/rancher-logging/app/logging.yaml b/kubernetes/apps/default/rancher-logging/app/logging.yaml
new file mode 100644
index 000000000..9ece83134
--- /dev/null
+++ b/kubernetes/apps/default/rancher-logging/app/logging.yaml
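Review bot: The `resources:` list in `app/kustomization.yaml` names `helmrelease.yaml`, `logging.yaml`, `garbagecollect.yaml` and `webserver.yaml` but not `minio.yaml` or `syslog.yaml`, which this same commit adds beside them, so those two files are never applied. If that is deliberate scratch work, say so on the list, e.g. `# minio.yaml and syslog.yaml are experiments and intentionally not applied`. If it is an omission, they cannot simply be appended either: both also declare `Flow/flow-test`, and `syslog.yaml` declares `Output/file-output`, colliding with the objects of the same names in `logging.yaml` in the same `default` namespace.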
@@ -0,0 +1,66 @@ +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: test-pv +spec: + storageClassName: nfs + accessModes: + - ReadWriteOnce + capacity: + storage: 2Gi + nfs: + path: /volume2/kubernetes/static/test-pv + server: 10.20.30.40 +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: test-pv +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi + storageClassName: nfs +--- +apiVersion: logging.banzaicloud.io/v1beta1 +kind: Flow +metadata: + annotations: + kustomize.toolkit.fluxcd.io/substitute: disabled + name: flow-test +spec: + filters: + # https://kube-logging.dev/docs/configuration/plugins/filters/dedot/ + - dedot: + de_dot_separator: "-" + de_dot_nested: true + # https://kube-logging.dev/docs/configuration/plugins/filters/tagnormaliser/ + - tag_normaliser: + format: ${namespace_name}.${labels.app-kubernetes-io/name}.${container_name} + localOutputRefs: + - file-output + match: + - select: + labels: + app.kubernetes.io/name: echo-server +--- +apiVersion: logging.banzaicloud.io/v1beta1 +kind: Output +metadata: + annotations: + kustomize.toolkit.fluxcd.io/substitute: disabled + name: file-output +spec: + file: + path: /logs/${tag} + append: true + buffer: + timekey: 1d + timekey_use_utc: false + flush_mode: interval # immediate + flush_interval: 60s + format: + type: single_value diff --git a/kubernetes/apps/default/rancher-logging/app/minio.yaml b/kubernetes/apps/default/rancher-logging/app/minio.yaml new file mode 100644 index 000000000..b6f1c67e3 --- /dev/null +++ b/kubernetes/apps/default/rancher-logging/app/minio.yaml 
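Review bot: The `PersistentVolume` hard-codes `server: 10.20.30.40` and `path: /volume2/kubernetes/static/test-pv`, which reads like a placeholder address, and unlike the rest of the tree it is not fed from a Flux substitution even though this resource carries no `substitute: disabled` annotation; a constructed variable such as `server: ${SECRET_NFS_SERVER}` would keep the real address out of the manifest. The claim `test-pv` also sets `storageClassName: nfs` without `volumeName: test-pv`, so it binds to any available `nfs`-class PV of at least 2Gi rather than specifically to this one; adding `volumeName: test-pv` to the PVC makes the pairing deterministic.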
@@ -0,0 +1,132 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: logging-s3 +type: Opaque +data: + awsAccessKeyId: dGVzdHVzZXIK + awsSecretAccessKey: dGVzdHBhc3N3b3JkCg== +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: minio + namespace: default +spec: + interval: 15m + chart: + spec: + chart: minio + version: 5.0.11 + sourceRef: + kind: HelmRepository + name: minio + namespace: flux-system + maxHistory: 2 + install: + createNamespace: true + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + values: + mode: standalone + podLabels: + app.kubernetes.io/instance: minio + app.kubernetes.io/name: minio + persistence: + size: 25Gi + storageClass: local-path + consoleIngress: + enabled: true + hosts: + - minio.${SECRET_DOMAIN} + environment: + TZ: Europe/Zurich + resources: + requests: + memory: null + users: + - accessKey: console + secretKey: console123 + policy: consoleAdmin + - accessKey: testuser + secretKey: testpassword + policy: writetestpolicy + buckets: + - name: test + policy: none + purge: false + versioning: false + objectlocking: false + policies: + - name: writetestpolicy + statements: + - resources: + - "arn:aws:s3:::test*/*" + actions: + - "s3:AbortMultipartUpload" + - "s3:GetObject" + - "s3:DeleteObject" + - "s3:PutObject" + - "s3:ListMultipartUploadParts" + - resources: + - "arn:aws:s3:::test*" + actions: + - "s3:CreateBucket" + - "s3:DeleteBucket" + - "s3:GetBucketLocation" + - "s3:ListBucket" + - "s3:ListBucketMultipartUploads" +--- +apiVersion: logging.banzaicloud.io/v1beta1 +kind: Output +metadata: + name: s3-output +spec: + s3: + aws_key_id: + valueFrom: + secretKeyRef: + name: logging-s3 + key: awsAccessKeyId + aws_sec_key: + valueFrom: + secretKeyRef: + name: logging-s3 + key: awsSecretAccessKey + s3_bucket: test + s3_endpoint: "http://minio.default.svc.cluster.local:9000" + force_path_style: "true" + path: "logs/${tag}/%Y/%m" + 
compress: + parquet_compression_codec: uncompressed + format: + type: out_file + add_newline: true + buffer: + disabled: true + flush_interval: 40m + timekey: 30m + timekey_wait: 0s + timekey_use_utc: false + timekey_zone: Europe/Zurich +--- +apiVersion: logging.banzaicloud.io/v1beta1 +kind: Flow +metadata: + name: flow-test +spec: + filters: + - tag_normaliser: {} + localOutputRefs: + - s3-output + match: + - select: + labels: + app.kubernetes.io/name: fluentbit diff --git a/kubernetes/apps/default/rancher-logging/app/syslog.yaml b/kubernetes/apps/default/rancher-logging/app/syslog.yaml new file mode 100644 index 000000000..a11b4728f --- /dev/null +++ b/kubernetes/apps/default/rancher-logging/app/syslog.yaml 
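Review bot: The two `data` values in `Secret/logging-s3` decode to `testuser` and `testpassword` each followed by a newline (the base64 ends in `K` / `Cg==`, the signature of `echo` without `-n`), so the `aws_key_id` and `aws_sec_key` handed to `Output/s3-output` carry a trailing `\n` and will not match the `testuser` entry in the MinIO `users:` list; re-encode with `printf '%s' <value> | base64` or switch the Secret to `stringData:`. Beyond that, the file commits credentials in clear even though it is not yet applied: the `users:` entries (including `console` with the `consoleAdmin` policy) and the Secret are plain text in git while the rest of the repo keeps secrets in `*.sops.yaml`, and `consoleIngress` publishes the console on `minio.${SECRET_DOMAIN}`. Move these to a sops-encrypted file or a `${SECRET_…}` substitution even if they are only test values.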
@@ -0,0 +1,225 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: filebrowser-config +data: + .filebrowser.json: | + { + "port": 80, + "baseURL": "", + "address": "", + "log": "stdout", + "database": "/database/filebrowser.db", + "root": "/srv" + } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: rsyslog-custom-config +data: + custom.conf: | + # This file created from k8s configmap + module(load="imtcp") + input(type="imtcp" port="514") + template ( + name="RemoteLogs" + type="string" + string="/var/log/remotelogs/%HOSTNAME%/%PROGRAMNAME%/%$Year%/%$Month%/%$Day%.log" + ) + # gather all log messages from all facilities + # at all severity levels to the RemoteLogs template + *.* -?RemoteLogs + + stop +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: rsyslog-deployment + labels: + app: rsyslog +spec: + replicas: 1 + selector: + matchLabels: + app: rsyslog + template: + metadata: + labels: + app: rsyslog + spec: + containers: + - name: rsyslog + image: instantlinux/rsyslogd:latest + resources: + requests: + cpu: 50m + memory: 32Mi + limits: + cpu: 500m + memory: 320Mi + ports: + - containerPort: 514 + name: udp + protocol: UDP + - containerPort: 514 + name: tcp + protocol: TCP + volumeMounts: + - name: logstore-volume + mountPath: /var/log/remotelogs + - mountPath: /etc/rsyslog.d + name: rsyslog-config + livenessProbe: + tcpSocket: + port: 514 + initialDelaySeconds: 10 + - name: filebrowser + image: filebrowser/filebrowser:latest + command: ["sh"] + args: + [ + "-c", + "/filebrowser config init; /filebrowser config set --auth.method=noauth; /filebrowser --noauth", + ] + resources: + requests: + cpu: 50m + memory: 32Mi + limits: + cpu: 500m + memory: 320Mi + ports: + - containerPort: 80 + name: web + protocol: TCP + volumeMounts: + - name: database + mountPath: /database + - name: logstore-volume + mountPath: /srv + readOnly: true + - mountPath: /.filebrowser.json + name: filebrowser-config + subPath: .filebrowser.json + livenessProbe: + 
tcpSocket: + port: 80 + initialDelaySeconds: 10 + volumes: + - name: logstore-volume + persistentVolumeClaim: + claimName: logstore + - name: rsyslog-config + configMap: + name: rsyslog-custom-config + - name: filebrowser-config + configMap: + name: filebrowser-config + - name: database + emptyDir: + sizeLimit: 500Mi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: logstore +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 25Gi + storageClassName: local-path +--- +apiVersion: v1 +kind: Service +metadata: + name: "syslog-service-web" +spec: + ports: + - port: 80 + targetPort: 80 + protocol: TCP + selector: + app: "rsyslog" +--- +apiVersion: v1 +kind: Service +metadata: + name: "syslog-service-tcp" +spec: + ports: + - port: 514 + targetPort: 514 + protocol: TCP + selector: + app: "rsyslog" +--- +apiVersion: v1 +kind: Service +metadata: + name: "syslog-service-udp" +spec: + ports: + - port: 514 + targetPort: 514 + protocol: UDP + selector: + app: "rsyslog" +--- +apiVersion: logging.banzaicloud.io/v1beta1 +kind: Output +metadata: + annotations: + kustomize.toolkit.fluxcd.io/substitute: disabled + name: syslog-output +spec: + syslog: + buffer: + flush_interval: 60s + timekey: 10s + timekey_wait: 0s + timekey_use_utc: false + timekey_zone: Europe/Zurich + format: + app_name_field: kubernetes.pod_name + hostname_field: kubernetes.namespace_name + log_field: message + rfc6587_message_size: false + host: syslog-service-udp.default.svc.cluster.local + insecure: true + port: 514 + transport: tcp +--- +apiVersion: logging.banzaicloud.io/v1beta1 +kind: Flow +metadata: + name: flow-test +spec: + filters: + - tag_normaliser: {} + localOutputRefs: + - syslog-output + - file-output + match: + - select: + labels: + app.kubernetes.io/name: echo-server +--- +apiVersion: logging.banzaicloud.io/v1beta1 +kind: Output +metadata: + annotations: + kustomize.toolkit.fluxcd.io/substitute: disabled + name: file-output +spec: + file: + path: 
/test/${tag}/%Y-%m-%d + append: true + buffer: + timekey: 1m + timekey_wait: 10s + timekey_use_utc: false diff --git a/kubernetes/apps/default/rancher-logging/app/webserver.yaml b/kubernetes/apps/default/rancher-logging/app/webserver.yaml new file mode 100644 index 000000000..290b0b27e --- /dev/null +++ b/kubernetes/apps/default/rancher-logging/app/webserver.yaml 
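Review bot: `Output/syslog-output` sets `host: syslog-service-udp.default.svc.cluster.local` together with `transport: tcp`, but `Service/syslog-service-udp` only exposes `protocol: UDP` on 514, so the TCP connection from fluentd has nothing to route it; change it to `host: syslog-service-tcp.default.svc.cluster.local`. The rsyslog `custom.conf` also loads only `imtcp`, so the UDP container port and the UDP Service are dead unless `module(load="imudp")` plus an `imudp` input are added, or they should be dropped. The `filebrowser` sidecar runs with `--auth.method=noauth` / `--noauth`, exposing the whole `logstore` volume read-only to anything in the cluster that can reach `syslog-service-web` with no authentication, and both containers use `:latest` images; a comment on the `args:` line stating that this is intentional for a scratch deployment, plus pinned tags, would make that a conscious choice.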
@@ -0,0 +1,91 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pywebserver + labels: + app: pywebserver +spec: + replicas: 1 + selector: + matchLabels: + app: pywebserver + template: + metadata: + labels: + app: pywebserver + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: statefulset.kubernetes.io/pod-name + operator: In + values: + - rancher-logging-root-fluentd-0 + topologyKey: kubernetes.io/hostname + containers: + - name: pywebserver + image: python:3-alpine + command: ["sh"] + args: ["-c", "python3 /scripts/python-webserver.py"] + resources: + requests: + cpu: 1m + memory: 10Mi + limits: + cpu: 100m + memory: 150Mi + ports: + - containerPort: 80 + name: tcp + protocol: TCP + volumeMounts: + - mountPath: /http_root + name: logs + readOnly: true + - mountPath: /scripts + name: pywebserver-config + livenessProbe: + tcpSocket: + port: 80 + initialDelaySeconds: 10 + volumes: + - name: logs + persistentVolumeClaim: + claimName: test-pv + - name: pywebserver-config + configMap: + name: pywebserver-configmap +--- +apiVersion: v1 +kind: ConfigMap +metadata: + annotations: + kustomize.toolkit.fluxcd.io/substitute: disabled + name: pywebserver-configmap +data: + python-webserver.py: |- + from http.server import SimpleHTTPRequestHandler + from socketserver import TCPServer + import os + + port = 80 + host = '' + + # https://gist.github.com/HaiyangXu/ec88cbdce3cdbac7b8d5?permalink_comment_id=3275090#gistcomment-3275090 + # https://tuxstash.de/gist/python-http-with-mime-types/ + # https://gist.github.com/wongjustin99/111cbe29f9be40e1b6396262ea22973c + # https://gist.github.com/HaiyangXu/ec88cbdce3cdbac7b8d5 + + handler = SimpleHTTPRequestHandler + handler.extensions_map = { + '.log': 'text/plain', + '': 'application/octet-stream' + } + + server_address = (host, port) + httpd = TCPServer((server_address), handler) + os.chdir("/http_root") + httpd.serve_forever() 
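Review bot: `python-webserver.py` serves `/http_root` with `SimpleHTTPRequestHandler`, which the standard library documents as not recommended for production and which returns directory listings when no index file exists; combined with the unpinned `python:3-alpine` image and no `securityContext`, the server binds port 80 as root. There is no Service for `pywebserver` in this hunk, so it is only reachable by pod IP today and this is hardening rather than exposure: run it as non-root on a high port (`port = 8080`, `containerPort: 8080`, `runAsNonRoot: true`) and pin the image tag. `TCPServer` is also constructed without `allow_reuse_address`, so a quick container restart inside the same pod network namespace can fail with `Address already in use` while the old socket is in TIME_WAIT; set `TCPServer.allow_reuse_address = True` before `httpd = TCPServer(server_address, handler)`.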
diff --git a/kubernetes/apps/default/rancher-logging/crd/helmrelease.yaml b/kubernetes/apps/default/rancher-logging/crd/helmrelease.yaml
new file mode 100644
index 000000000..072fbc8c0
--- /dev/null
+++ b/kubernetes/apps/default/rancher-logging/crd/helmrelease.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: rancher-logging-crd
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: rancher-logging-crd
+ version: 102.0.1+up3.17.10
+ sourceRef:
+ kind: HelmRepository
+ name: rancher-charts-release-2-7
+ namespace: flux-system
+ maxHistory: 2
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
diff --git a/kubernetes/apps/default/rancher-logging/crd/kustomization.yaml b/kubernetes/apps/default/rancher-logging/crd/kustomization.yaml
new file mode 100644
index 000000000..c0cd21834
--- /dev/null
+++ b/kubernetes/apps/default/rancher-logging/crd/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/rancher-logging/ks.yaml b/kubernetes/apps/default/rancher-logging/ks.yaml
new file mode 100644
index 000000000..3fc269291
--- /dev/null
+++ b/kubernetes/apps/default/rancher-logging/ks.yaml
@@ -0,0 +1,34 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-apps-rancher-logging-crd + namespace: flux-system +spec: + path: ./kubernetes/apps/default/rancher-logging/crd + prune: true + sourceRef: + kind: GitRepository + name: k8s-homelab + wait: true # no flux ks dependents + interval: 30m + retryInterval: 1m + timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-apps-rancher-logging + namespace: flux-system +spec: + dependsOn: + - name: cluster-apps-rancher-logging-crd + path: ./kubernetes/apps/default/rancher-logging/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-homelab + wait: false # no flux ks dependents + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml index 4857daddf..4cb65389a 100644 --- a/kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml +++ b/kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml @@ -5,7 +5,7 @@ metadata: name: flux-webhook namespace: flux-system annotations: - external-dns.alpha.kubernetes.io/target: "ingress.${SECRET_DOMAIN}" + external-dns.alpha.kubernetes.io/target: "${SECRET_DNS_TARGET}" hajimari.io/enable: "false" spec: ingressClassName: nginx diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml index 2a099b130..b562b05c9 100644 --- a/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml +++ b/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml 
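Review bot: The comment on `wait: true # no flux ks dependents` in `cluster-apps-rancher-logging-crd` is inverted: the second Kustomization in the same file lists it under `dependsOn`, so it is precisely the one with a dependent, and `wait: true` is what makes that dependency meaningful because the app Kustomization must not start until the CRDs are established. Suggest `wait: true # cluster-apps-rancher-logging depends on these CRDs being established`. The `wait: false # no flux ks dependents` on `cluster-apps-rancher-logging` is accurate as written.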
@@ -20,8 +20,8 @@ sops:
 Mnc2MHFEcjUrVnlYeDhvdndTOHFQVDgK6isR4z6XxWv3nfgK/j2ciCWgBcYOk9+h
 TGl2TVveQqiDOvkvcIcZk5if+umc9xMGdWUV0/l/BPua/YTXrH4dtgA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-06-18T16:15:31Z"
- mac: ENC[AES256_GCM,data:4j8s1rauFHegprS9lx9sPd9qBIi1JfQXNN6PwGXaBeLog2KkEwenxnNbS61W8b0AMzOu1WRlqKXGj24UlFMX4IqStQucLIZ6sjcuQzMJbR8nISv45eDTvY3UxXWly+xrrPmWKiHdZ2OYu6lDCuu991UY/6mGLLLHo2+HtURRYTc=,iv:4vZtuYuZnsQ1V/WyudbAL3lyVVR3hOSgr+ecw0MrYUI=,tag:ws5Wtji8Vs0F0wzz9CDvdg==,type:str]
+ lastmodified: "2023-06-22T20:19:21Z"
+ mac: ENC[AES256_GCM,data:ZIuU6g3xQJbRqZ/f8nRf5gvzLLimX6x9HrpRTPIVkK8zIGk/TsrhqXWUFyucZPUfCYIa4mzQ/mtzBi1joRly32ubpdX2J830DOv5qpERX6OC8uAHDobvAqeeP5v5klj3dMPcwnd+rSuguaKtOQ4BIYCM9X3H0jorXqmvkdikoxs=,iv:Imze6rJ1iQ0CSjFjlg0DCHQQRaqJnT1AVc5vaHF1JQs=,tag:6R+FZX4VcfzTbicrv2CPLw==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.7.3
diff --git a/kubernetes/apps/flux-system/weave-gitops/app/helmrelease.yaml b/kubernetes/apps/flux-system/weave-gitops/app/helmrelease.yaml
index 19785879b..a43a7c500 100644
--- a/kubernetes/apps/flux-system/weave-gitops/app/helmrelease.yaml
+++ b/kubernetes/apps/flux-system/weave-gitops/app/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: weave-gitops
- version: 4.0.23
+ version: 4.0.24
 sourceRef:
 kind: HelmRepository
 name: weave-gitops
diff --git a/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml b/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml
index cf2a54a13..1de73c43a 100644
--- a/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml
+++ b/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: reloader
- version: 1.0.28
+ version: 1.0.29
 sourceRef:
 kind: HelmRepository
 name: stakater
diff --git a/kubernetes/apps/monitoring/alertmanager-discord/app/alertmanager-discord-config.yaml b/kubernetes/apps/monitoring/alertmanager-discord/app/alertmanager-discord-config.yaml
new file mode 100755
index 000000000..7f3e39fb2
--- /dev/null
+++ b/kubernetes/apps/monitoring/alertmanager-discord/app/alertmanager-discord-config.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: monitoring.coreos.com/v1alpha1
+kind: AlertmanagerConfig
+metadata:
+ name: discord
+ namespace: monitoring
+ labels:
+ alertmanagerConfig: discord
+spec:
+ route:
+ groupBy:
+ - alertname
+ groupInterval: 10s
+ groupWait: 1s
+ repeatInterval: 30s
+ receiver: discord
+ routes:
+ - matchers:
+ - namespace: '*'
+ receivers:
+ - name: discord
+ webhookConfigs:
+ - url: http://alertmanager-discord:9094
diff --git a/kubernetes/apps/monitoring/alertmanager-discord/app/alertmanager-discord-deployment.yaml b/kubernetes/apps/monitoring/alertmanager-discord/app/alertmanager-discord-deployment.yaml
new file mode 100755
index 000000000..6b98e500a
--- /dev/null
+++ b/kubernetes/apps/monitoring/alertmanager-discord/app/alertmanager-discord-deployment.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: alertmanager-discord
+ namespace: monitoring
+spec:
+ selector:
+ matchLabels:
+ app: alertmanager-discord
+ template:
+ metadata:
+ labels:
+ app: alertmanager-discord
+ spec:
+ containers:
+ - image: ghcr.io/tuxpeople/alertmanager-discord:null
+ imagePullPolicy: Always
+ name: main
+ ports:
+ - containerPort: 9094
+ name: http
+ resources:
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ limits:
+ cpu: 20m
+ memory: 40Mi
+ env:
+ - name: DISCORD_WEBHOOK
+ valueFrom:
+ secretKeyRef:
+ key: address
+ name: discord-webhook
diff --git a/kubernetes/apps/monitoring/alertmanager-discord/app/alertmanager-discord-service.yaml b/kubernetes/apps/monitoring/alertmanager-discord/app/alertmanager-discord-service.yaml
new file mode 100755
index 000000000..52c699f24
--- /dev/null
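Review bot: The route matcher `- namespace: '*'` does not follow the `AlertmanagerConfig` matcher schema, which in `monitoring.coreos.com/v1alpha1` (as far as I recall) takes `name`, `value` and `matchType` fields, so even when this file is enabled the operator would reject or silently drop the route; the intended catch-all is probably `- name: namespace`, `value: .*`, `matchType: =~`. Its label `alertmanagerConfig: discord` also does not match the `alertmanagerConfig: homelab` selector configured on the Alertmanager elsewhere in this commit, and `groupWait: 1s` with `repeatInterval: 30s` would re-send every open alert to Discord twice a minute. The file is commented out in the app kustomization, so none of this is live yet; if it is kept as a parked draft it deserves a `# NOTE:` line saying so and why.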
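Review bot: The container image `ghcr.io/tuxpeople/alertmanager-discord:null` carries the tag `null`, which reads like a templating or Renovate artefact rather than a published release; with `imagePullPolicy: Always` the pod will most likely sit in ImagePullBackOff, and because `cluster-apps-alertmanager-discord` reconciles with `wait: true` and `cluster-apps-kube-prometheus-stack` now has `dependsOn` on it, that single bad tag blocks the whole monitoring stack. The image should be pinned to a real tag plus digest, and a container that only relays a webhook has no reason to run without a restrictive security context. Suggested container spec, with the tag and digest taken from the registry:

```yaml
      containers:
        - name: main
          # "null" is not a published tag; pin to a release and its digest
          image: ghcr.io/tuxpeople/alertmanager-discord:<tag>@sha256:<digest>
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, resources, env …
```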
+++ b/kubernetes/apps/monitoring/alertmanager-discord/app/alertmanager-discord-service.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: alertmanager-discord
+ name: alertmanager-discord
+ namespace: monitoring
+spec:
+ ports:
+ - name: http
+ port: 9094
+ targetPort: http
+ selector:
+ app: alertmanager-discord
diff --git a/kubernetes/apps/monitoring/alertmanager-discord/app/kustomization.yaml b/kubernetes/apps/monitoring/alertmanager-discord/app/kustomization.yaml
new file mode 100755
index 000000000..2385eea6c
--- /dev/null
+++ b/kubernetes/apps/monitoring/alertmanager-discord/app/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - secret.sops.yaml
+ # - alertmanager-discord-config.yaml
+ - alertmanager-discord-deployment.yaml
+ - alertmanager-discord-service.yaml
diff --git a/kubernetes/apps/monitoring/alertmanager-discord/app/secret.sops.yaml b/kubernetes/apps/monitoring/alertmanager-discord/app/secret.sops.yaml
new file mode 100644
index 000000000..b849fc2fa
--- /dev/null
+++ b/kubernetes/apps/monitoring/alertmanager-discord/app/secret.sops.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: discord-webhook
+ namespace: monitoring
+stringData:
+ address: ENC[AES256_GCM,data:TZfqRT14xU3ekXeBH/OQpRikpDIAiypc1HEj+C3lfmuE+iy0HTGmj1u15hpTlBzFMU0Xt2UtBsn3H8/7y0aBpip2ZRbMt1sb8/mIaYTFBviAKoJoqSrq2J4btXZ7+e3Tarw/3davIwKJ4JJkKDv0P/FpLMlgevjA,iv:Oqk28iujqcY4RbJtZGryIedEY63h1eHIU0LbStmyR+Q=,tag:3K9kTp28I+Z04gRgOq3YiQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1y0kzuf0tn94a74whazwae4r9qal4snuqfuhl5jacscrpr7up5gts74fe5w
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOGRIQmNTZDJaNUpDbWVq
+ bkwvbklvbkRpVE9RQytkeUNWamFsWUFzRzJBCk1qek5ueFBWYUF4NmptRTBqekxr
+ VXZDazhreHB6UnhGNXZzMTZwV0xxWkkKLS0tIERUQkhOUEhDellUWjNZRU9WU1Z0
+ bWZUWDR1SUwvVnJ1SDAydXV6YS9Db3cKEygUxkjdTZjA9y7i0CHSGdfCrgGOXhp3
+ 6+67/ce4guTnhNIxux7dOARTg3gjp4lVAbR4SZFkAbEIMOq1JU63aQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-06-28T19:55:44Z"
+ mac: ENC[AES256_GCM,data:yMsh0wsWa4Ng/RMsb/dDgsuags9dlvNMu4do7lh7RCmwRY6AKblJhAMEAQ22G4XSdafuJvOu40TAHEZUipW0ZEXDRLMw7A6DkxdKi/1fL3BTmysLjg/lyAYBM8te8ueCQ7V2refSnXpHIIpDWIXAqsaZLrAluGIrSA1uJ7UHWcI=,iv:+Lf7ynNmSkUP4F+CeNLPHbmysjsKdpQhuoV5ob71w08=,tag:Q02RySxsf2RMKFi9IRtrng==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/kubernetes/apps/monitoring/alertmanager-discord/ks.yaml b/kubernetes/apps/monitoring/alertmanager-discord/ks.yaml
new file mode 100644
index 000000000..c3d6b23c6
--- /dev/null
+++ b/kubernetes/apps/monitoring/alertmanager-discord/ks.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster-apps-alertmanager-discord
+ namespace: flux-system
+spec:
+ path: ./kubernetes/apps/monitoring/alertmanager-discord/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: k8s-homelab
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
index 2c1ce0322..f55dba77b 100644
--- a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: grafana
- version: 6.57.2
+ version: 6.57.4
 sourceRef:
 kind: HelmRepository
 name: grafana
@@ -36,6 +36,36 @@ spec:
 env:
 GF_EXPLORE_ENABLED: true
 GF_SERVER_ROOT_URL: "https://grafana.${SECRET_DOMAIN}"
+ auth:
+ signout_redirect_url: https://auth.${SECRET_DOMAIN}/logout
+ oauth_auto_login: false
+ auth.generic_oauth:
+ enabled: true
+ name: Homelab Account
+ icon: signin
+ client_id: grafana
+ client_secret: ${SECRET_OIDC_CLIENT_SECRET_GRAFANA}
+ scopes: openid profile email groups
+ empty_scopes: false
+ auth_url: https://auth.${SECRET_DOMAIN}/api/oidc/authorization
+ token_url: https://auth.${SECRET_DOMAIN}/api/oidc/token
+ api_url: https://auth.${SECRET_DOMAIN}/api/oidc/userinfo
+ login_attribute_path: preferred_username
+ groups_attribute_path: groups
+ name_attribute_path: name
+ use_pkce: true
+ auth.generic_oauth.group_mapping:
+ role_attribute_path: |
+ contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'grafana') && 'Viewer'
+ org_id: 1
+ auth.basic:
+ enabled: false
+ # disable_login_form: false
+ auth.anonymous:
+ enabled: false
+ org_name: Homelab
+ org_id: 1
+ org_role: Viewer
 grafana.ini:
 analytics:
 check_for_updates: false
diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml
index 18c67afbe..12cec792b 100644
--- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml
@@ -10,7 +10,7 @@ spec:
 chart:
 spec:
 chart: kube-prometheus-stack
- version: 46.8.0
+ version: 47.1.0
 sourceRef:
 kind: HelmRepository
 name: prometheus-community
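Review bot: The new `auth*` keys are inserted between `env:` and `grafana.ini:`; the collapsed diff hides their indentation, but in either reading (children of `env:` or siblings of `grafana.ini:`) they sit outside `grafana.ini`, which is the only place the grafana chart renders `[auth.generic_oauth]` settings from, so OIDC would silently stay disabled — they belong under `grafana.ini:` next to `analytics:`. `client_secret: ${SECRET_OIDC_CLIENT_SECRET_GRAFANA}` is substituted by Flux into the HelmRelease values and from there into the rendered grafana.ini ConfigMap in plaintext; prefer injecting it as `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` through the chart's `envFromSecret`. The `role_attribute_path` expression yields no role for a user in neither `admins` nor `grafana`, and without `role_attribute_strict: true` Grafana falls back to the default org role, so anyone the IdP will authenticate gets Viewer access; add `role_attribute_strict: true` beside it. The enclosing `values:` block starts before this hunk.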
@@ -36,7 +36,120 @@ spec:
 values:
 cleanPrometheusOperatorObjectNames: true
 alertmanager:
- enabled: false
+ enabled: true
+ config:
+ global:
+ slack_api_url: ${SECRET_ALERT_MANAGER_DISCORD_WEBHOOK}
+ resolve_timeout: 5m
+ # smtp_smarthost: smtp.gmail.com:587
+ # smtp_auth_username: you@gmail.com
+ # smtp_auth_password: yourapppassword # https://support.google.com/mail/answer/185833?hl=en-GB
+ # smtp_auth_identity: you@gmail.com
+ route:
+ group_by:
+ - alertname
+ - job
+ group_wait: 30s
+ group_interval: 5m
+ repeat_interval: 6h
+ receiver: discord
+ routes:
+ - receiver: "null"
+ match:
+ alertname: InfoInhibitor
+ - receiver: DeadMansSnitch
+ repeat_interval: 30m
+ match:
+ alertname: Watchdog
+ - receiver: discord
+ matchers:
+ - severity = "critical"
+ continue: true
+ # - receiver: discord
+ # group_wait: 10s
+ # match_re:
+ # issue: Portworx*
+ # continue: true
+ receivers:
+ - name: "null"
+ - name: email
+ email_configs:
+ - send_resolved: true
+ to: ${SECRET_ACME_EMAIL}
+ from: prometheus@tuxpeople.org
+ smarthost: smtp.utils.svc.cluster.local:25
+ require_tls: false
+ - name: DeadMansSnitch
+ webhook_configs:
+ - url: https://nosnch.in/c15491ac44
+ send_resolved: false
+ - name: discord
+ webhook_configs:
+ - send_resolved: true
+ url: http://alertmanager-discord:9094
+ # title: |-
+ # [{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ if ne .CommonAnnotations.summary ""}}{{ .CommonAnnotations.summary }}{{ else }}{{ .CommonLabels.alertname }}{{ end }}
+ # text: >-
+ # {{ range .Alerts -}}
+ # **Alert:** {{ .Annotations.title }}{{ if .Labels.severity }} - `{{ .Labels.severity }}`{{ end }}
+ # **Description:** {{ if ne .Annotations.description ""}}{{ .Annotations.description }}{{else}}N/A{{ end }}
+ # **Details:**
+ # {{ range .Labels.SortedPairs }} • *{{ .Name }}:* `{{ .Value }}`
+ # {{ end }}
+ # {{ end }}
+ # - name: discord
+ # webhook_configs:
+ # - send_resolved: true
+ # url: 'http://alertmanager-discord:9094'
+ # Inhibition rules allow to mute a set of alerts given that another alert is firing.
+ # We use this to mute any warning-level notifications if the same alert is already critical.
+ inhibit_rules:
+ - source_matchers:
+ - severity = "critical"
+ target_matchers:
+ - severity = "warning"
+ equal:
+ - alertname
+ - namespace
+ alertmanagerSpec:
+ replicas: 1
+ podAntiAffinity: hard
+ storage:
+ volumeClaimTemplate:
+ spec:
+ storageClassName: local-path
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ resources:
+ limits:
+ cpu: 500m
+ memory: 400Mi
+ # requests:
+ # cpu: 25m
+ # memory: 32Mi
+ # priorityClassName: high-priority
+ alertmanagerConfigSelector:
+ matchLabels:
+ alertmanagerConfig: homelab
+ ingress:
+ enabled: true
+ pathType: Prefix
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ external-dns/is-public: "true"
+ external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET}
+ hajimari.io/enable: "true"
+ hajimari.io/appName: Alertmanager
+ hajimari.io/icon: mdi:alert-decagram-outline
+ tls:
+ - secretName: ${SECRET_DOMAIN//./-}-tls
+ hosts:
+ - alertmanager.${SECRET_DOMAIN}
+ hosts:
+ - alertmanager.${SECRET_DOMAIN}
 grafana:
 enabled: false
 forceDeployDashboards: true
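Review bot: The Alertmanager ingress at the end of the hunk is published with `external-dns/is-public: "true"` and carries no authentication annotation, so anyone who can reach `alertmanager.${SECRET_DOMAIN}` can read every alert payload and create silences that suppress paging; the (commented) Prometheus ingress later in this file fronts the same kind of UI with Authelia, and the same annotations belong here: `nginx.ingress.kubernetes.io/auth-url: https://auth.${SECRET_DOMAIN}/api/verify`, `nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN}?rm=$request_method`, `nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email`. `global.slack_api_url: ${SECRET_ALERT_MANAGER_DISCORD_WEBHOOK}` is not consumed by any receiver (every notification goes through `webhook_configs`), yet the substitution copies the Discord webhook token into the HelmRelease object in plaintext and into the chart-generated Alertmanager config Secret; drop the key. The Dead Man's Snitch URL `https://nosnch.in/c15491ac44` is effectively a credential committed in clear, and the `email` receiver is not referenced by any route; both should go through a `${SECRET_…}` substitution backed by SOPS or be removed. The `alertmanagerConfigSelector` label `homelab` also does not match the `discord` label on the AlertmanagerConfig added in this commit, so that resource would be ignored even once it is enabled.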
@@ -139,3 +252,165 @@ spec:
 resources:
 requests:
 storage: 10Gi
+ # # From archive
+ # prometheus-node-exporter:
+ # fullnameOverride: node-exporter
+ # prometheus:
+ # monitor:
+ # enabled: true
+ # relabelings:
+ # - action: replace
+ # regex: (.*)
+ # replacement: $1
+ # sourceLabels:
+ # - __meta_kubernetes_pod_node_name
+ # targetLabel: kubernetes_node
+ # prometheusOperator:
+ # prometheusConfigReloader:
+ # resources:
+ # requests:
+ # cpu: 100m
+ # memory: 50Mi
+ # limits:
+ # cpu: 200m
+ # memory: 100Mi
+ # prometheus:
+ # enabled: true
+ # persistentVolume:
+ # enabled: true
+ # size: 10Gi
+ # thanosService:
+ # enabled: true
+ # thanosServiceMonitor:
+ # enabled: true
+ # prometheusSpec:
+ # replicas: 1
+ # externalLabels:
+ # cluster: homelab
+ # thanos:
+ # image: quay.io/thanos/thanos:v0.31.0
+ # objectStorageConfig:
+ # name: thanos-objstore-secret
+ # key: objstore.yml
+ # retention: 12h
+ # retentionSize: 10GB
+ # podAntiAffinity: hard
+ # replicaExternalLabelName: __replica__
+ # scrapeInterval: 1m
+ # ruleSelectorNilUsesHelmValues: false
+ # serviceMonitorSelectorNilUsesHelmValues: false
+ # podMonitorSelectorNilUsesHelmValues: false
+ # probeSelectorNilUsesHelmValues: false
+ # enableAdminAPI: true
+ # walCompression: true
+ # disableCompaction: true
+ # storageSpec:
+ # volumeClaimTemplate:
+ # spec:
+ # storageClassName: nfs-csi
+ # resources:
+ # requests:
+ # storage: 10Gi
+ # resources:
+ # requests:
+ # cpu: 10m
+ # memory: 2000Mi
+ # limits:
+ # memory: 8000Mi
+ # additionalScrapeConfigs:
+ # # - job_name: minio
+ # # honor_timestamps: true
+ # # metrics_path: /minio/v2/metrics/cluster
+ # # static_configs:
+ # # - targets:
+ # # - "minio.domain.com:9000"
+ # - job_name: octoprint
+ # scrape_interval: 1m
+ # metrics_path: /plugin/prometheus_exporter/metrics
+ # params:
+ # apikey:
+ # - ${SECRET_OCTOPRINTAPI}
+ # static_configs:
+ # - targets:
+ # - octopi.home:80
+ # - job_name: speedtest-exporter
+ # scrape_interval: 1m
+ # scrape_timeout: 30s
+ # static_configs:
+ # - targets:
+ # - speedtest-exporter:9090
+ # - job_name: minio-job
+ # bearer_token: ${SECRET_MINIO_BEARERTOKEN}
+ # metrics_path: /minio/v2/metrics/cluster
+ # scheme: http
+ # static_configs:
+ # - targets:
+ # - minio.lab.tdeutsch.ch:9091
+ # - job_name: mystrom-exporter
+ # scrape_interval: 1m
+ # metrics_path: /device
+ # honor_labels: true
+ # static_configs:
+ # - targets:
+ # - 10.20.30.33
+ # labels:
+ # alias: 3D Drucker
+ # relabel_configs:
+ # - source_labels:
+ # - __address__
+ # target_label: __param_target
+ # - target_label: __address__
+ # replacement: mystrom-3dprinter:9452
+ # - job_name: prometheus-pushgateway
+ # scrape_interval: 1m
+ # scrape_timeout: 30s
+ # honor_labels: true
+ # static_configs:
+ # - targets:
+ # - prometheus-pushgateway:9091
+ # - job_name: wireguard-exporter
+ # scrape_interval: 1m
+ # scrape_timeout: 30s
+ # metrics_path: /metrics
+ # static_configs:
+ # - targets:
+ # - 10.20.30.1:9586
+ # - job_name: node-exporter
+ # scrape_interval: 1m
+ # scrape_timeout: 30s
+ # honor_timestamps: true
+ # # basic_auth:
+ # # username: randomuser
+ # # password: examplepassword
+ # static_configs:
+ # - targets: # k3s-node01
+ # - 192.168.8.111:9100
+ # - targets: # k3s-node02
+ # - 192.168.8.112:9100
+ # - targets: # k3s-node03
+ # - 192.168.8.113:9100
+ # - targets: # NAS
+ # - 10.20.30.40:9100
+ # ingress:
+ # enabled: true
+ # pathType: Prefix
+ # ingressClassName: nginx
+ # annotations:
+ # nginx.ingress.kubernetes.io/auth-method: GET
+ # nginx.ingress.kubernetes.io/auth-url: https://auth.${SECRET_DOMAIN}/api/verify
+ # nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN}?rm=$request_method
+ # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+ # nginx.ingress.kubernetes.io/auth-snippet:
+ # proxy_set_header X-Forwarded-Method
+ # $request_method;
+ # hajimari.io/enable: "true"
+ # hajimari.io/appName: Prometheus
+ # hajimari.io/icon: mdi:fire
+ # external-dns/is-public: "true"
+ # external-dns.alpha.kubernetes.io/target: ${SECRET_DNS_TARGET}
+ # tls:
+ # - secretName: ${SECRET_DOMAIN//./-}-tls
+ # hosts:
+ # - prometheus.${SECRET_DOMAIN}
+ # hosts:
+ # - prometheus.${SECRET_DOMAIN}
diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml
index 1b264a75c..964b41925 100644
--- a/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml
+++ b/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml
@@ -5,6 +5,8 @@ metadata:
 name: cluster-apps-kube-prometheus-stack
 namespace: flux-system
 spec:
+ dependsOn:
+ - name: cluster-apps-alertmanager-discord
 path: ./kubernetes/apps/monitoring/kube-prometheus-stack/app
 prune: true
 sourceRef:
diff --git a/kubernetes/apps/monitoring/kubernetes-dashboard/app/kustomization.yaml b/kubernetes/apps/monitoring/kubernetes-dashboard/app/kustomization.yaml
index f3f3cf605..7af1faadd 100644
--- a/kubernetes/apps/monitoring/kubernetes-dashboard/app/kustomization.yaml
+++ b/kubernetes/apps/monitoring/kubernetes-dashboard/app/kustomization.yaml
@@ -5,3 +5,4 @@ namespace: monitoring
 resources:
 - ./rbac.yaml
 - ./helmrelease.yaml
+ - ./logging.yaml
diff --git a/kubernetes/apps/monitoring/kubernetes-dashboard/app/logging.yaml b/kubernetes/apps/monitoring/kubernetes-dashboard/app/logging.yaml
new file mode 100644
index 000000000..ba49d68de
--- /dev/null
+++ b/kubernetes/apps/monitoring/kubernetes-dashboard/app/logging.yaml
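Review bot: The 160-odd lines added here are entirely commented out and, per the `# # From archive` header, copied from the archive tree; they carry internal addresses (`10.20.30.x`, `192.168.8.11x`), the `minio.lab.tdeutsch.ch` host and a secret-bearing scrape parameter (`apikey:` / `- ${SECRET_OCTOPRINTAPI}`), which documents internal topology inside what is now the live values block. Dead configuration should not live in the HelmRelease; keep it in `archive/` or delete it, and if the octoprint job is ever revived note that an API key passed via `params` lands in the query string, so it appears in Prometheus target URLs and the exporter's access logs — an `authorization` block is the safer shape. The enclosing `values:` mapping starts before this hunk.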
@@ -0,0 +1,40 @@
+---
+apiVersion: logging.banzaicloud.io/v1beta1
+kind: Flow
+metadata:
+ annotations:
+ kustomize.toolkit.fluxcd.io/substitute: disabled
+ name: flow-test-1
+spec:
+ filters:
+ # https://kube-logging.dev/docs/configuration/plugins/filters/dedot/
+ - dedot:
+ de_dot_separator: "-"
+ de_dot_nested: true
+ # https://kube-logging.dev/docs/configuration/plugins/filters/tagnormaliser/
+ - tag_normaliser:
+ format: ${namespace_name}.${labels.app-kubernetes-io/component}.${container_name}
+ localOutputRefs:
+ - file-output-1
+ match:
+ - select:
+ labels:
+ app.kubernetes.io/component: kubernetes-dashboard
+---
+apiVersion: logging.banzaicloud.io/v1beta1
+kind: Output
+metadata:
+ annotations:
+ kustomize.toolkit.fluxcd.io/substitute: disabled
+ name: file-output-1
+spec:
+ file:
+ path: /logs/${tag}
+ append: true
+ buffer:
+ timekey: 1d
+ timekey_use_utc: false
+ flush_mode: interval # immediate
+ flush_interval: 60s
+ format:
+ type: single_value
diff --git a/kubernetes/apps/monitoring/kustomization.yaml b/kubernetes/apps/monitoring/kustomization.yaml
index d032a3649..f356c595a 100644
--- a/kubernetes/apps/monitoring/kustomization.yaml
+++ b/kubernetes/apps/monitoring/kustomization.yaml
@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./namespace.yaml
+ - ./alertmanager-discord/ks.yaml
 - ./grafana/ks.yaml
 - ./kube-prometheus-stack/ks.yaml
 - ./kubernetes-dashboard/ks.yaml
diff --git a/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml b/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml
index e582d4ad8..4dc58fe73 100644
--- a/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml
+++ b/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: ingress-nginx
- version: 4.7.0
+ version: 4.7.1
 sourceRef:
 kind: HelmRepository
 name: ingress-nginx
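Review bot: The `Output` writes to `path: /logs/${tag}` with `append: true`, but nothing in this file mounts a volume at `/logs`, so unless the Logging resource (not shown) provides one these files live on the fluentd container's ephemeral filesystem, grow without bound, and vanish on restart — together with the names `flow-test-1` / `file-output-1` this reads like a test fixture that was committed. If it is meant to stay, give both resources descriptive names and a comment on why dashboard logs are written to a local file instead of shipped, e.g. `# NOTE: dumps kubernetes-dashboard logs to the fluentd pod's local disk for debugging; not retained across restarts`. The `kustomize.toolkit.fluxcd.io/substitute: disabled` annotation is correct, since `${namespace_name}`, `${labels...}` and `${tag}` are fluentd placeholders that Flux post-build substitution would otherwise try to resolve; that deserves a one-line comment too so nobody removes it.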
@@ -25,9 +25,6 @@ spec:
 retries: 3
 uninstall:
 keepHistory: false
- dependsOn:
- - name: cloudflared
- namespace: networking
 values:
 controller:
 extraEnvs:
@@ -35,7 +32,7 @@ spec:
 value: "${TIMEZONE}"
 service:
 annotations:
- external-dns.alpha.kubernetes.io/hostname: "ingress.${SECRET_DOMAIN}"
+ external-dns.alpha.kubernetes.io/hostname: "${SECRET_DNS_TARGET}"
 loadBalancerIP: "${METALLB_INGRESS_ADDR}"
 externalTrafficPolicy: Local
 publishService:
diff --git a/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml b/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml
index b77f68850..6139f2a57 100644
--- a/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml
+++ b/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml
@@ -29,9 +29,27 @@ spec:
 fullnameOverride: k8s-gateway
 domain: "${SECRET_DOMAIN}"
 ttl: 1
+ fallthrough:
+ enabled: true
 service:
 type: LoadBalancer
 port: 53
 annotations:
 metallb.universe.tf/loadBalancerIPs: "${METALLB_K8S_GATEWAY_ADDR}"
 externalTrafficPolicy: Local
+ extraZonePlugins:
+ - name: log
+ - name: errors
+ - name: health
+ configBlock: |-
+ lameduck 5s
+ - name: ready
+ - name: prometheus
+ parameters: 0.0.0.0:9153
+ - name: forward
+ parameters: . tls://1.1.1.1 tls://1.0.0.1
+ configBlock: |-
+ tls_servername cloudflare-dns.com
+ - name: loop
+ - name: reload
+ - name: loadbalance
diff --git a/kubernetes/apps/networking/kustomization.yaml b/kubernetes/apps/networking/kustomization.yaml
index 01e2814e2..6b14f9b64 100644
--- a/kubernetes/apps/networking/kustomization.yaml
+++ b/kubernetes/apps/networking/kustomization.yaml
@@ -3,7 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./namespace.yaml
- - ./cloudflared/ks.yaml
 - ./external-dns/ks.yaml
 - ./ingress-nginx/ks.yaml
 - ./k8s-gateway/ks.yaml
diff --git a/kubernetes/apps/system-upgrade/kustomization.yaml b/kubernetes/apps/system-upgrade/kustomization.yaml
index 78ca97cbc..9647fd040 100644
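Review bot: Dropping the `cloudflared` dependency (and `./cloudflared/ks.yaml` from the networking kustomization) while the controller Service keeps `loadBalancerIP: "${METALLB_INGRESS_ADDR}"` and now advertises `external-dns.alpha.kubernetes.io/hostname: "${SECRET_DNS_TARGET}"` means every Ingress in this commit that targets `${SECRET_DNS_TARGET}` will resolve straight to the MetalLB address rather than through a tunnel. I cannot see the substituted values, so this may be the intended exposure path, but it is worth confirming that the address is genuinely routable from where those records are served and that whatever the tunnel used to provide (origin hiding, edge proxying) is not lost silently; if `${SECRET_DNS_TARGET}` resolves to an RFC1918 address it will simply be published into DNS. A comment on the annotation stating the expected exposure model, e.g. `# public hostname; traffic now reaches the MetalLB VIP directly since cloudflared was removed`, would make the change self-describing for the next reader.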
--- a/kubernetes/apps/system-upgrade/kustomization.yaml
+++ b/kubernetes/apps/system-upgrade/kustomization.yaml
@@ -3,7 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./namespace.yaml
- # NOTE: Only enable system-upgrade-controller if you also update the version of k3s in the following file
- # otherwise if you run ansible against an already provisioned cluster you might downgrade it
- # https://github.com/onedr0p/flux-cluster-template/blob/main/ansible/inventory/group_vars/kubernetes/k3s.yml
- # - ./system-upgrade-controller/ks.yaml
+ - ./system-upgrade-controller/ks.yaml
diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml
index e9b23add0..1585d9886 100644
--- a/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml
+++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml
@@ -4,7 +4,7 @@ kind: Kustomization
 resources:
 # renovate: datasource=docker image=rancher/system-upgrade-controller
 - https://github.com/rancher/system-upgrade-controller/releases/download/v0.11.0/crd.yaml
- - https://github.com/rancher/system-upgrade-controller?ref=v0.11.0
+ - https://github.com/rancher/system-upgrade-controller?ref=v0.12.0
 images:
 - name: rancher/system-upgrade-controller
 newTag: v0.11.0
diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/agent.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/agent.yaml
index 93131817b..061b97ad6 100644
--- a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/agent.yaml
+++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/agent.yaml
@@ -6,7 +6,7 @@ metadata:
 namespace: system-upgrade
 spec:
 # renovate: datasource=github-releases depName=k3s-io/k3s
- version: "v1.27.2+k3s1"
+ version: "v1.27.3+k3s1"
 serviceAccountName: system-upgrade
 concurrency: 1
 nodeSelector:
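Review bot: Re-enabling `./system-upgrade-controller/ks.yaml` also deletes the note that explained the hazard it carries — the plans in this same commit pin k3s to `v1.27.3+k3s1`, and if the Ansible inventory referenced by the removed link still pins an older version, a later playbook run against the upgraded cluster downgrades the nodes. Nothing in the diff shows that inventory being updated, so the caveat should survive in a shorter form, e.g. `# keep the k3s version in plans/*.yaml in sync with the ansible inventory, otherwise a later ansible run downgrades the nodes`.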
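Review bot: The remote base is bumped to `?ref=v0.12.0` while `images.newTag` stays at `v0.11.0` and the CRD is still fetched from the `v0.11.0` release, so the cluster would run v0.12.0 Deployment and RBAC manifests with a v0.11.0 controller binary and CRD; either all three move together or the bump should be reverted. The `# renovate:` marker appears to cover only the CRD line beneath it, which is presumably why these three references drifted, so the comment should be placed (or duplicated) where Renovate will see both the `ref` and the `newTag`. A git tag is also a mutable reference for a base that installs a controller which, per the plans in this commit, runs `chroot /host` as root on every node; pin the base to the tag's commit, `?ref=<sha>`, so a moved tag cannot change what gets applied.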
diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/kustomization.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/kustomization.yaml
index 2a658c35b..828ca3f91 100644
--- a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/kustomization.yaml
+++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/kustomization.yaml
@@ -2,5 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - ./ubuntu.yaml
 - ./server.yaml
 - ./agent.yaml
diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/server.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/server.yaml
index e3c21c132..bc73a508c 100644
--- a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/server.yaml
+++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/server.yaml
@@ -6,7 +6,7 @@ metadata:
 namespace: system-upgrade
 spec:
 # renovate: datasource=github-releases depName=k3s-io/k3s
- version: "v1.27.2+k3s1"
+ version: "v1.27.3+k3s1"
 serviceAccountName: system-upgrade
 concurrency: 1
 cordon: true
diff --git a/archive/apps/system-upgrade/system-upgrade-controller/plans/ubuntu.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/ubuntu.yaml
similarity index 60%
rename from archive/apps/system-upgrade/system-upgrade-controller/plans/ubuntu.yaml
rename to kubernetes/apps/system-upgrade/system-upgrade-controller/plans/ubuntu.yaml
index 9438acea1..451a31b23 100644
--- a/archive/apps/system-upgrade/system-upgrade-controller/plans/ubuntu.yaml
+++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/ubuntu.yaml
@@ -18,17 +18,33 @@ metadata:
 name: ubuntu
 namespace: system-upgrade
 spec:
+ version: ubuntu
+ serviceAccountName: system-upgrade
 concurrency: 1
+ cordon: true
+ drain:
+ force: true
 # nodeSelector:
 # matchExpressions:
 # - {key: plan.upgrade.cattle.io/ubuntu, operator: Exists}
- serviceAccountName: system-upgrade
+ tolerations:
+ - { effect: NoSchedule, operator: Exists }
+ - { effect: NoExecute, operator: Exists }
+ - {
+ key: node-role.kubernetes.io/control-plane,
+ effect: NoSchedule,
+ operator: Exists,
+ }
+ - {
+ key: node-role.kubernetes.io/master,
+ effect: NoSchedule,
+ operator: Exists,
+ }
+ - { key: node-role.kubernetes.io/etcd, effect: NoExecute, operator: Exists }
+ - { key: CriticalAddonsOnly, operator: Exists }
 secrets:
 - name: ubuntu
 path: /host/run/system-upgrade/secrets/ubuntu
- drain:
- force: true
- version: ubuntu
 upgrade:
 image: ubuntu
 command: ["chroot", "/host"]
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml
index 4c488aa2b..c019fb4f6 100644
--- a/kubernetes/flux/repositories/helm/kustomization.yaml
+++ b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -14,6 +14,8 @@ resources:
 - ./kubernetes-dashboard.yaml
 - ./metallb.yaml
 - ./metrics-server.yaml
+ - ./minio.yaml
 - ./prometheus-community.yaml
+ - ./rancher.yaml
 - ./stakater.yaml
 - ./weave-gitops.yaml
diff --git a/kubernetes/flux/repositories/helm/minio.yaml b/kubernetes/flux/repositories/helm/minio.yaml
new file mode 100644
index 000000000..5e25d87b9
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/minio.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: minio
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://charts.min.io/
diff --git a/kubernetes/flux/repositories/helm/rancher.yaml b/kubernetes/flux/repositories/helm/rancher.yaml
new file mode 100644
index 000000000..c752587fd
--- /dev/null
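Review bot: `image: ubuntu` is untagged, so every run pulls whatever `latest` currently is from Docker Hub and executes it through `chroot /host` as root on the node, and the new tolerations (`NoSchedule`/`NoExecute` on any key, control-plane, master, etcd, `CriticalAddonsOnly`) plus the still-commented `nodeSelector` mean no node is exempt — an unpinned, unverified image with full host access on the whole cluster. Pin it by tag and digest, e.g. `image: ubuntu:22.04@sha256:<digest>`, and consider restoring the `plan.upgrade.cattle.io/ubuntu` label selector so only opted-in nodes run it. `version: ubuntu` is a static string, and as far as I recall the controller re-runs a plan only when its hash (version, secrets, image) changes, so a comment saying how a fresh run is triggered would spare the next maintainer a surprise. The file header and the script held in the `ubuntu` secret are outside this hunk.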
+++ b/kubernetes/flux/repositories/helm/rancher.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: rancher-charts-release-2-7 + namespace: flux-system +spec: + interval: 1h + url: https://raw.githubusercontent.com/rancher/charts/release-v2.7 diff --git a/terraform/cloudflare/.terraform.lock.hcl b/terraform/cloudflare/.terraform.lock.hcl index a21cbdee1..583097067 100644 --- a/terraform/cloudflare/.terraform.lock.hcl +++ b/terraform/cloudflare/.terraform.lock.hcl @@ -6,6 +6,7 @@ provider "registry.terraform.io/carlpett/sops" { constraints = "0.7.2" hashes = [ "h1:+A1/RJ3eNVQHDFHjol70EfC5Yh9e78WMXxh1uoxlAYQ=", + "h1:nWrLW+9JjGLwfss4T7pTaE+JiZlBJQGoYxt4pDe5OE8=", "zh:43f218054ea3a72c9756bf989aeebb9d0f23b66fd08e9fb4ae75d4f921295e82", "zh:57fd326388042a6b7ecd60f740f81e5ef931546c4f068f054e7df34acf65d190", "zh:87b970db8c137f4c2fcbff7a5705419a0aea9268ae0ac94f1ec5b978e42ab0d2", 
@@ -17,40 +18,52 @@ provider "registry.terraform.io/carlpett/sops" { } provider "registry.terraform.io/cloudflare/cloudflare" { - version = "4.8.0" - constraints = "4.8.0" + version = "4.9.0" + constraints = "4.9.0" hashes = [ - "h1:0QPLVvvs26KNezOlRfyKRvBSgr+Qw5Wkiq/NOwtiODQ=", - "h1:3YH7AQv0Nb7P4nOd1TTxXtpprI3OJu/P9gMUaa2NV3U=", - "h1:8OE9GJTYLYbSCZJJ85wFMs3drlXHTsO67/tg4Vsbggs=", - "h1:Avg2kPe3aP91BqDywYY0OBVS8S4A29uQS/AvdL9KJHE=", - "h1:XPaw3mrsorpg8W7qctswMUbpW5hGfNnalbDwwix3Igc=", - "h1:ZCRWb/hbLzPBOx/U0Hs14cY+j8Y8JZRHpIwZ48c9SmA=", - "h1:bJsSTRI8+vYbwGoZDLcGa8NDlohdGdcnzqvPCf9WQlg=", - "h1:boqELee0OwSdH31Y1ggUu6RtcKaFq/VGbU0bZ6t0bBE=", - "h1:hZh5seOE+xbxNWMtJk1fdL0lgG2KksGmw4d0cl4+ZZ0=", - "h1:iUTSVaIP40Zl0cjlpoKBPGCKAzvSATZstpL2RoCEXJw=", - "h1:kbACaFtp95j2DYLx5p8Z1doy070c8V4TCDRPVnONSA4=", - "h1:n27OZS4vNzLbwU61RgUTKHbxYVrMpma1T1AlrElWfCM=", - "h1:uSCItefs3pDSmhddNLwQBY35k/PJLTRRMg645X0iZE0=", - "h1:y8s0aYJABVKQCH+FvvWYSWlmaGrvFadUqsMUdD/15Cc=", + "h1:+dIBTmu3W4kkuDCP0w4yS+w79xg7mIMMubdyPUYEx6A=", + "h1:1YRtl8aBEzFVBt4hbpwmRZi7+9Ix2vyzqrwQE+7fIVU=", + "h1:FP3yvz9iHYSy+FKwlJFnrBPZTl0SoZWc2gBrW572FqA=", + "h1:O2UMDyPjH7b/fQur5y3aof5HP5jJur+ukLUDa2n/GZI=", + "h1:Sa4hsmj1+5X/iuakHLW449JEBuHxyXJ6CkAbFT1g8rY=", + "h1:WGGor/URtVcD9/+sKNwrNMuDN25nck8O1oBPQL2Gn1w=", + "h1:cetmjVaR9nu5qRwzx+gFq4IvRpk3Po5b9ut1y8dISYo=", + "h1:foJr6Wb/yCsf7Jd0eReTaYOmJElRDtypb1UdJICZeC8=", + "h1:kvonDs/iIu/opgIZKVJFWDgAc1+mmlgBFhqFiZ0C3o8=", + "h1:pcMaKlxds2IpCTvqMV4HuFoJGBIx0jvpABXsHO1nJ5o=", + "h1:rZWJfgov+JEtwmilHqEuc5pdlIsFv8CpQlqvOWmGq30=", + "h1:tC4NX3DWbBi+YsP1GLoLWNVqU/xoSZAjCOnpdlzeTBs=", + "h1:wgUNevFp5ZE7iQT6AwRmIOxE0tlDYqP/68yPoWV6Vy8=", + "h1:wt1AzlMq8kRAquBoB7NQbberp2wMvtke5Re6FtMnXso=", ] } provider "registry.terraform.io/hashicorp/http" { - version = "3.3.0" - constraints = "3.3.0" + version = "3.4.0" + constraints = "3.4.0" hashes = [ - "h1:9bt1TYC4ZznaD/FX8Vmt8H907wEqQ/lg3CS6ESmeDV0=", - "h1:GovJm8ovIEbHSgqrAUrNT7VqlVnbpdd5zsHMPCXV+Jo=", - 
"h1:Ni+rJmATwiJfu6qMZdL+PvNdl7QPgSm/Jg3laSGzrQ4=", - "h1:O2VLKCxxAgaFRPnhRuz/VOsP5HzQdQm9YAi848kvImg=", - "h1:PibCPPGnpnthg0mCNfLuy1elgOhWGmCxKeohlHdww9I=", - "h1:QL/rtSlbi+F+ukbr/k4MahiO5lX4AiEu37p4kOV9ELk=", - "h1:auwkD6Zy0HtiuTlP4RvUxnDhwB9GyE0Hu6S80rs9lyQ=", - "h1:ixzg6tONUzM3c81ZqSS+OfxC/cFUrIJBXVenAKJp0MU=", - "h1:kNAVQd2MI3XlPQVKaSdO5VqVRxqk7sWDPIDaFt5139o=", - "h1:pK/CC2NlpUbL4x3R386uxfS80HodJXtGREg0k2ABukw=", - "h1:qoI+zxOjH4Gk5EdxZAJIwlVhSAAM9i+8Ueo3k14Camc=", + "h1:AaRLrzxA1t02OIwO32uLp85npqRLZSwPFgrHxb9qp0c=", + "h1:Ebz2ySdvdNR8T1LBlKYjkUVShfDZQOeoEPwE7Kt1R3o=", + "h1:QXyGXwWgTmlhJZhlsZpkZ/Bz0YKzmwO8zmmRM09Jnzc=", + "h1:YWO/DmxRoJwzMcQavmIKO5pTavIPt0bbBRZBpBaC8MY=", + "h1:YifspScDMuGENA14TfTr7fByjWYq1GGNmAULIBXzHGk=", + "h1:ZWoE0ARqUMnujHu62cMkmjF2+FoWwUn9YbHjiKPq0e8=", + "h1:ZYJW4peMhgPv5SxYCCBJ9LB5tWz7Z/q2UoIBGiuDgvI=", + "h1:gLCUuF4yN2uNA0FjVXCJd65ZnI8VKJVsZEYKRem1JUM=", + "h1:h3URn6qAnP36OlSqI1tTuKgPL3GriZaJia9ZDrUvRdg=", + "h1:m0d6+9xK/9TJSE9Z6nM4IwHXZgod4/jkdsf7CZSpUvo=", + "h1:tVyo3HTmBDTeaPRhOXucb5eyRouvXlTydHXPyVLAAFA=", + "zh:56712497a87bc4e91bbaf1a5a2be4b3f9cfa2384baeb20fc9fad0aff8f063914", + "zh:6661355e1090ebacab16a40ede35b029caffc279d67da73a000b6eecf0b58eba", + "zh:67b92d343e808b92d7e6c3bbcb9b9d5475fecfed0836963f7feb9d9908bd4c4f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:86ebb9be9b685c96dbb5c024b55d87526d57a4b127796d6046344f8294d3f28e", + "zh:902be7cfca4308cba3e1e7ba6fc292629dfd150eb9a9f054a854fa1532b0ceba", + "zh:9ba26e0215cd53b21fe26a0a98c007de1348b7d13a75ae3cfaf7729e0f2c50bb", + "zh:a195c941e1f1526147134c257ff549bea4c89c953685acd3d48d9de7a38f39dc", + "zh:a7967b3d2a8c3e7e1dc9ae381ca753268f9fce756466fe2fc9e414ca2d85a92e", + "zh:bde56542e9a093434d96bea21c341285737c6d38fea2f05e12ba7b333f3e9c05", + "zh:c0306f76903024c497fd01f9fd9bace5854c263e87a97bc2e89dcc96d35ca3cc", + "zh:f9335a6c336171e85f8e3e99c3d31758811a19aeb21fa8c9013d427e155ae2a9", ] } 
diff --git a/terraform/cloudflare/main.tf b/terraform/cloudflare/main.tf index 700066fa8..beaa58c78 100644 --- a/terraform/cloudflare/main.tf +++ b/terraform/cloudflare/main.tf @@ -3,11 +3,11 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "4.8.0" + version = "4.9.0" } http = { source = "hashicorp/http" - version = "3.3.0" + version = "3.4.0" } sops = { source = "carlpett/sops"