feat(ingress): add ingress-nginx; fix(rook): CRDs v1.10.10

2026-01-27 10:18:27 +00:00 · 2023-01-29 15:55:02 +08:00
parent 73f3486c4d
commit b13046b3e4
8 changed files with 184 additions and 2 deletions
--- a/kube/1-bootstrap/flux/4-core.yaml
+++ b/kube/1-bootstrap/flux/4-core.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: 4-core
+  namespace: flux-system
+spec:
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./kube/4-core
+  interval: 1m0s
+
+  dependsOn:
+    - name: 3-kube-core
+
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+
+  prune: false
+  # wait: true
--- a/kube/1-bootstrap/flux/flux-system/charts/helm/ingress-nginx.yaml
+++ b/kube/1-bootstrap/flux/flux-system/charts/helm/ingress-nginx.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: ingress-nginx
+  namespace: flux-system
+spec:
+  interval: 2h
+  url: https://kubernetes.github.io/ingress-nginx
--- a/kube/2-kube-crds/rook-ceph/kustomization.yaml
+++ b/kube/2-kube-crds/rook-ceph/kustomization.yaml
@@ -2,5 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - https://raw.githubusercontent.com/rook/rook/v1.9.0/deploy/examples/crds.yaml
-  
+  - https://raw.githubusercontent.com/rook/rook/v1.10.10/deploy/examples/crds.yaml
+
--- a/kube/4-core/1-ingress/.sops.yaml
+++ b/kube/4-core/1-ingress/.sops.yaml
@@ -0,0 +1,7 @@
+creation_rules:
+  - path_regex: .*.yaml
+    encrypted_regex: ^(data|stringData|commonName|dnsNames|externalIPs)$
+    pgp: >-
+      31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
+    age: >-
+      age1xl3fcwdw56k73lraxsjhde4ygwn7jw0js5l5qw7vsp54vc5czuwstcejxu
--- a/kube/4-core/1-ingress/1-namespace.yaml
+++ b/kube/4-core/1-ingress/1-namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress
--- a/kube/4-core/1-ingress/2-certs.yaml
+++ b/kube/4-core/1-ingress/2-certs.yaml
@@ -0,0 +1,36 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+    name: short-domain
+    namespace: ingress
+spec:
+    secretName: short-domain-tls
+    issuerRef:
+        name: letsencrypt-production
+        kind: ClusterIssuer
+    commonName: ENC[AES256_GCM,data:kasrwqZp,iv:pmDjK8oJDUFqVpydg2fIKHeecfxaS0hojmYqHp6EwII=,tag:Jy8lcRvkJkGocZC8vO1tUQ==,type:str]
+    dnsNames:
+        - ENC[AES256_GCM,data:DWNY/vyI,iv:UoQgnWraB4dz5qBbZ1d2GQFfi/se+7riPezNBYMzGno=,tag:XO0Bw+XLAWY6jjUXgZaT0w==,type:str]
+        - ENC[AES256_GCM,data:IM9kViiwpXI=,iv:U1eAVCTszFuYM7m2R+IvJTX7LgDOWsEpf3TeY0qVN1E=,tag:4zg/qukVFtU95UZW6nzpbw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-01-29T07:50:30Z"
+    mac: ENC[AES256_GCM,data:bs73MMXTtVEV3dtesjw5tRlRC1eEWRGtwHgpViigifarKQ82MwftecDGf0vB9NJSPcUuDpiwD7X2Vkw/MQHKzMgDGBihHoNAMsWI5Jh/5ZxSX2+2OKmUEKLxTjDN6gPW9eEHsOIjRYlLr3f+B9BBNFATUuNvy82NmwsNw8H18kQ=,iv:AeQ6XStXZjj3Mpc+txyh6MBiiMk2dpWEAf6YNnYYXg4=,tag:Hbjg1k0KL0l/77k094HInA==,type:str]
+    pgp:
+        - created_at: "2023-01-29T07:50:29Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DAAAAAAAAAAASAQdAv/DmuXRIGyPV4/lmECYaHQygexChFy/r54wBQWV8sRcw
+            D/gKQqJeORYTEK1SO2PbksOSZhCc85HHgghPodMkl/lO7MNKlTzQaAhmj7cnm6Te
+            0l4B/gxXQ1eMLokrCY1z1E7BSprTZH+zCA5XSIYLRngRCKs3l1uzBtwgf/6d0K46
+            DG0Bq0W05zO72G4ACpMIuI/cxeR14/7dOtZTua4hHbugmUvWVD5DI/0ASqqbICtJ
+            =utDz
+            -----END PGP MESSAGE-----
+          fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
+    encrypted_regex: ^(data|stringData|commonName|dnsNames|externalIPs)$
+    version: 3.7.3
--- a/kube/4-core/1-ingress/3-nginx.yaml
+++ b/kube/4-core/1-ingress/3-nginx.yaml
@@ -0,0 +1,94 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: ingress-nginx
+    namespace: ingress
+spec:
+    interval: 15m
+    chart:
+        spec:
+            chart: ingress-nginx
+            version: 4.4.2
+            sourceRef:
+                kind: HelmRepository
+                name: ingress-nginx
+                namespace: flux-system
+    maxHistory: 3
+    install:
+        createNamespace: true
+        remediation:
+            retries: 3
+    upgrade:
+        cleanupOnFail: true
+        remediation:
+            retries: 3
+    uninstall:
+        keepHistory: false
+    values:
+        controller:
+            replicaCount: 3
+            extraEnvs:
+                - name: TZ
+                  value: Asia/Singapore
+            service:
+                externalIPs:
+                    - ENC[AES256_GCM,data:D0xMPtfAVkuv,iv:7cF1Lc24Wsdqhpxc+PoL22JdIA503VJK/+lseERwfTo=,tag:W13yClE6viOIfIgKy3CA4w==,type:str]
+                externalTrafficPolicy: Local
+            publishService:
+                enabled: true
+            ingressClassResource:
+                default: true
+            config:
+                client-body-buffer-size: 100M
+                client-body-timeout: 120
+                client-header-timeout: 120
+                enable-brotli: "true"
+                enable-real-ip: "true"
+                use-forwarded-headers: "true"
+                hsts-max-age: "31449600"
+                keep-alive-requests: 10000
+                keep-alive: 120
+                log-format-escape-json: "true"
+                log-format-upstream: |
+                    {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time,"method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+                proxy-body-size: 0
+                proxy-buffer-size: 16k
+                ssl-protocols: TLSv1.3 TLSv1.2
+            # metrics:
+            #   enabled: true
+            #   serviceMonitor:
+            #     enabled: true
+            #     namespace: networking
+            #     namespaceSelector:
+            #       any: true
+            extraArgs:
+                default-ssl-certificate: ingress/short-domain
+            resources:
+                requests:
+                    cpu: 10m
+                    memory: 250Mi
+                limits:
+                    memory: 500Mi
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-01-29T07:49:35Z"
+    mac: ENC[AES256_GCM,data:9pYDjAI1EQO0UhOpV1qzv9AVa04ZyqdRn1Gb/dvfUXHm0uhOC+zDNiTnCySlcL/nhNS4jOwLhBUfK8yHRX8uBkWIFbOgoOWpJ05iPuCJM9XESivBy+CoYcAKmhy2u9CwvplDCvfP9zR6xjcZVIedX9guZjxOopYaS4l2GSTZRNc=,iv:7KkBLUQVrJthLQpFPzf5lPPiaLhKh4RI4wuxuh758/s=,tag:tiAAjsmnauR/i9sxi8Kxrg==,type:str]
+    pgp:
+        - created_at: "2023-01-29T07:49:34Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DAAAAAAAAAAASAQdAk5nWX4DM6JoPx3FOn8S/PhI8mCHBuUl+0JBpnsE3Qisw
+            +RRLnQsBqyHXJuV51kQh2UDGqblHJt77fds8qWuZH1imG4seCz8K5XkqlcjWsFKr
+            0l4Bznc6Ihhm5BNh1RpWa2ztoWnZYeg7nkcvxsSJtkpwAOM5ebBEeQklkt+0Iwwb
+            2ME5XczvWCrDJ7G1mr3uYkud181k7Tv7/9RPy7Yl5x1DMGSl8HLEfZUnpjfa+1FY
+            =jkKQ
+            -----END PGP MESSAGE-----
+          fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
+    encrypted_regex: ^(data|stringData|commonName|dnsNames|externalIPs)$
+    version: 3.7.3
--- a/kube/4-core/1-ingress/kustomization.yaml
+++ b/kube/4-core/1-ingress/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - 1-namespace.yaml
+  - 2-certs.sops.yaml
+  - 3-nginx.yaml