From 1cfd9bcb6314659d6caf3dc0ed28622e54bcac9c Mon Sep 17 00:00:00 2001 
From: Toboshii Nakama <63410334+toboshii@users.noreply.github.com> Date: Fri, 1 Jul 2022 05:52:45 -0500 Subject: [PATCH] update: initial cluster redeploy --- .pre-commit-config.yaml | 28 + .sops.yaml | 14 +- cluster/apps/ext-gateway/kustomization.yaml | 2 +- cluster/apps/ext-gateway/secret.sops.yaml | 28 + cluster/apps/ext-gateway/secret.yaml | 59 - .../notifications/discord/kustomization.yaml | 2 +- .../notifications/discord/secret.enc.yaml | 59 - .../notifications/discord/secret.sops.yaml | 28 + .../notifications/github/kustomization.yaml | 2 +- .../notifications/github/secret.enc.yaml | 59 - .../notifications/github/secret.sops.yaml | 28 + .../webhook/github/kustomization.yaml | 2 +- .../webhook/github/secret.enc.yaml | 59 - .../webhook/github/secret.sops.yaml | 28 + .../cert-manager/helm-release.yaml | 13 +- .../cert-manager}/kustomization.yaml | 3 +- .../cert-manager/prometheus-rule.yaml | 68 + .../apps/kube-system/cilium/helm-release.yaml | 26 +- .../kube-cleanup-operator/helm-release.yaml | 29 - .../apps/kube-system/kured/helm-release.yaml | 35 - .../apps/kube-system/kured/kustomization.yaml | 6 - .../kube-system/kured/prometheus-rule.yaml | 29 - .../apps/kube-system/kured/secret.enc.yaml | 59 - cluster/apps/kube-system/kustomization.yaml | 18 +- .../metrics-server/helm-release.yaml | 29 +- .../node-problem-detector/helm-release.yaml | 41 - .../nvidia-device-plugin/helm-release.yaml | 27 - cluster/apps/kustomization.yaml | 28 +- cluster/apps/mail/mailu/kustomization.yaml | 2 +- cluster/apps/mail/mailu/secret.sops.yaml | 28 + cluster/apps/mail/mailu/secret.yaml | 59 - .../apps/monitoring/thanos/secret.sops.yaml | 53 +- .../uptimerobot-heartbeat/kustomization.yaml | 2 +- .../uptimerobot-heartbeat/secret.enc.yaml | 59 - .../uptimerobot-heartbeat/secret.sops.yaml | 28 + .../uptimerobot-operator/helm-release.yaml | 0 .../uptimerobot-operator}/kustomization.yaml | 0 .../apps/networking/blocky/helm-release.yaml | 112 - .../apps/networking/blocky/kustomization.yaml 
| 4 - .../external-dns/kustomization.yaml | 2 +- .../networking/external-dns/secret.enc.yaml | 60 - .../networking/external-dns/secret.sops.yaml | 29 + .../certificate.yaml | 4 + .../cloudflare-proxied-networks.txt | 1 + .../ingress-nginx/helm-release.yaml | 114 + .../ingress-nginx/kustomization.yaml | 14 + cluster/apps/networking/kustomization.yaml | 7 +- cluster/apps/networking/namespace.yaml | 9 + .../networking/traefik/dashboard/ingress.yaml | 25 - .../networking/traefik/external/minio.yaml | 40 - .../apps/networking/traefik/helm-release.yaml | 101 - .../networking/traefik/kustomization.yaml | 10 - .../traefik/middlewares/basic-auth.yaml | 9 - .../traefik/middlewares/cloudflare.yaml | 45 - .../traefik/middlewares/external-auth.yaml | 11 - .../traefik/middlewares/internal-auth.yaml | 11 - .../traefik/middlewares/kustomization.yaml | 11 - .../traefik/middlewares/redirect-path.yaml | 32 - .../traefik/middlewares/rfc1918.yaml | 22 - .../traefik/middlewares/secret.enc.yaml | 60 - .../networking/traefik/service-monitor.yaml | 19 - .../networking/traefik/tls-store/default.yaml | 9 - .../traefik/tls-store/kustomization.yaml | 4 - .../wildcard-certificate/kustomization.yaml | 4 - cluster/apps/vpn-gateway/kustomization.yaml | 2 +- cluster/apps/vpn-gateway/secret.sops.yaml | 28 + cluster/apps/vpn-gateway/secret.yaml | 59 - .../flux-system/charts/git/benji-charts.yaml | 16 - .../flux-system/charts/git/kustomization.yaml | 5 - .../charts/helm/kustomization.yaml | 34 - .../flux-system/charts/kustomization.yaml | 6 - cluster/base/flux-system/gotk-components.yaml | 4054 ----------------- cluster/base/flux-system/gotk-sync.yaml | 28 - cluster/base/flux-system/kustomization.yaml | 6 - .../external => bootstrap}/kustomization.yaml | 2 +- .../helm => charts}/ananace-charts.yaml | 0 .../helm => charts}/authentik-charts.yaml | 0 .../helm => charts}/bitnami-charts.yaml | 0 .../helm => charts}/blakeshome-charts.yaml | 0 .../charts/helm => charts}/cilium-charts.yaml | 0 .../helm => 
charts}/coredns-charts.yaml | 0 .../helm => charts}/deliveryhero-charts.yaml | 0 .../charts/helm => charts}/drone-charts.yaml | 0 .../helm => charts}/fairwinds-charts.yaml | 0 .../falco-security-charts.yaml | 0 .../charts/helm => charts}/gitea-charts.yaml | 0 .../helm => charts}/grafana-charts.yaml | 0 .../helm => charts}/hajimari-charts.yaml | 0 .../helm => charts}/infracloudio-charts.yaml | 0 .../helm => charts}/ingress-nginx-charts.yaml | 0 .../helm => charts}/jetstack-charts.yaml | 0 .../helm => charts}/k8s-at-home-charts.yaml | 0 .../kubernetes-sigs-descheduler-charts.yaml | 0 cluster/charts/kustomization.yaml | 35 + .../charts/helm => charts}/lwolf-charts.yaml | 0 .../charts/helm => charts}/mailu-charts.yaml | 0 cluster/charts/metrics-server-charts.yaml | 9 + ...fs-subdir-external-provisioner-charts.yaml | 0 .../node-feature-discovery-charts.yaml | 0 .../charts/helm => charts}/nvidia-charts.yaml | 0 .../prometheus-community-charts.yaml | 0 .../helm => charts}/rook-ceph-charts.yaml | 0 .../helm => charts}/stakater-charts.yaml | 0 .../helm => charts}/toboshii-charts.yaml | 0 .../helm => charts}/traefik-charts.yaml | 0 .../uptimerobot-operator-charts.yaml | 0 .../helm => charts}/vernemq-charts.yaml | 0 .../weaveworks-kured-charts.yaml | 0 .../cluster-secrets.sops.yaml} | 56 +- .../{base => config}/cluster-settings.yaml | 6 +- cluster/core/cert-manager/secret.enc.yaml | 59 - .../kustomization.yaml | 6 +- .../letsencrypt-production.yaml | 0 .../letsencrypt-staging.yaml | 0 cluster/core/cluster-issuers/secret.sops.yaml | 28 + cluster/core/cluster-policies/ingress.yaml | 25 + .../cluster-policies}/kustomization.yaml | 3 +- cluster/core/cluster-policies/resources.yaml | 28 + cluster/core/kube-system/kustomization.yaml | 5 - cluster/core/kustomization.yaml | 9 +- cluster/core/monitoring/kustomization.yaml | 4 - .../uptimerobot-operator/kustomization.yaml | 4 - .../core/rook-ceph/cluster/helm-release.yaml | 43 +- cluster/core/rook-ceph/kustomization.yaml | 8 +- 
cluster/core/rook-ceph/namespace.yaml | 9 + .../core/rook-ceph/operator/helm-release.yaml | 19 +- .../rook-ceph/rook-direct-mount/backup.sh | 56 + .../rook-direct-mount/deployment.yaml | 115 +- .../rook-direct-mount/kustomization.yaml | 2 +- cluster/{base => flux}/apps.yaml | 9 +- cluster/flux/charts.yaml | 13 + cluster/flux/config.yaml | 17 + cluster/{base => flux}/core.yaml | 19 +- cluster/{base => flux}/crds.yaml | 2 +- cluster/flux/flux-system/flux-cluster.yaml | 25 + .../flux/flux-system/flux-installation.yaml | 31 + .../flux-system}/kustomization.yaml | 3 +- talos/clusterconfig/.gitignore | 7 + talos/cni/install.yaml | 671 +++ talos/cni/kustomization.yaml | 15 + talos/cni/values.yaml | 19 + talos/talconfig.yaml | 204 + talos/talenv.sops.yaml | 35 + 143 files changed, 1950 insertions(+), 5698 deletions(-) create mode 100644 .pre-commit-config.yaml create mode 100644 cluster/apps/ext-gateway/secret.sops.yaml delete mode 100644 cluster/apps/ext-gateway/secret.yaml delete mode 100644 cluster/apps/flux-system/notifications/discord/secret.enc.yaml create mode 100644 cluster/apps/flux-system/notifications/discord/secret.sops.yaml delete mode 100644 cluster/apps/flux-system/notifications/github/secret.enc.yaml create mode 100644 cluster/apps/flux-system/notifications/github/secret.sops.yaml delete mode 100644 cluster/apps/flux-system/webhook/github/secret.enc.yaml create mode 100644 cluster/apps/flux-system/webhook/github/secret.sops.yaml rename cluster/{core => apps/kube-system}/cert-manager/helm-release.yaml (71%) rename cluster/apps/{networking/traefik/dashboard => kube-system/cert-manager}/kustomization.yaml (63%) create mode 100644 cluster/apps/kube-system/cert-manager/prometheus-rule.yaml delete mode 100644 cluster/apps/kube-system/kube-cleanup-operator/helm-release.yaml delete mode 100644 cluster/apps/kube-system/kured/helm-release.yaml delete mode 100644 cluster/apps/kube-system/kured/kustomization.yaml delete mode 100644 
cluster/apps/kube-system/kured/prometheus-rule.yaml delete mode 100644 cluster/apps/kube-system/kured/secret.enc.yaml delete mode 100644 cluster/apps/kube-system/node-problem-detector/helm-release.yaml delete mode 100644 cluster/apps/kube-system/nvidia-device-plugin/helm-release.yaml create mode 100644 cluster/apps/mail/mailu/secret.sops.yaml delete mode 100644 cluster/apps/mail/mailu/secret.yaml delete mode 100644 cluster/apps/monitoring/uptimerobot-heartbeat/secret.enc.yaml create mode 100644 cluster/apps/monitoring/uptimerobot-heartbeat/secret.sops.yaml rename cluster/{core => apps}/monitoring/uptimerobot-operator/helm-release.yaml (100%) rename cluster/apps/{kube-system/node-problem-detector => monitoring/uptimerobot-operator}/kustomization.yaml (100%) delete mode 100644 cluster/apps/networking/blocky/helm-release.yaml delete mode 100644 cluster/apps/networking/blocky/kustomization.yaml delete mode 100644 cluster/apps/networking/external-dns/secret.enc.yaml create mode 100644 cluster/apps/networking/external-dns/secret.sops.yaml rename cluster/apps/networking/{wildcard-certificate => ingress-nginx}/certificate.yaml (64%) create mode 100644 cluster/apps/networking/ingress-nginx/cloudflare-proxied-networks.txt create mode 100644 cluster/apps/networking/ingress-nginx/helm-release.yaml create mode 100644 cluster/apps/networking/ingress-nginx/kustomization.yaml create mode 100644 cluster/apps/networking/namespace.yaml delete mode 100644 cluster/apps/networking/traefik/dashboard/ingress.yaml delete mode 100644 cluster/apps/networking/traefik/external/minio.yaml delete mode 100644 cluster/apps/networking/traefik/helm-release.yaml delete mode 100644 cluster/apps/networking/traefik/kustomization.yaml delete mode 100644 cluster/apps/networking/traefik/middlewares/basic-auth.yaml delete mode 100644 cluster/apps/networking/traefik/middlewares/cloudflare.yaml delete mode 100644 cluster/apps/networking/traefik/middlewares/external-auth.yaml delete mode 100644 
cluster/apps/networking/traefik/middlewares/internal-auth.yaml delete mode 100644 cluster/apps/networking/traefik/middlewares/kustomization.yaml delete mode 100644 cluster/apps/networking/traefik/middlewares/redirect-path.yaml delete mode 100644 cluster/apps/networking/traefik/middlewares/rfc1918.yaml delete mode 100644 cluster/apps/networking/traefik/middlewares/secret.enc.yaml delete mode 100644 cluster/apps/networking/traefik/service-monitor.yaml delete mode 100644 cluster/apps/networking/traefik/tls-store/default.yaml delete mode 100644 cluster/apps/networking/traefik/tls-store/kustomization.yaml delete mode 100644 cluster/apps/networking/wildcard-certificate/kustomization.yaml create mode 100644 cluster/apps/vpn-gateway/secret.sops.yaml delete mode 100644 cluster/apps/vpn-gateway/secret.yaml delete mode 100644 cluster/base/flux-system/charts/git/benji-charts.yaml delete mode 100644 cluster/base/flux-system/charts/git/kustomization.yaml delete mode 100644 cluster/base/flux-system/charts/helm/kustomization.yaml delete mode 100644 cluster/base/flux-system/charts/kustomization.yaml delete mode 100644 cluster/base/flux-system/gotk-components.yaml delete mode 100644 cluster/base/flux-system/gotk-sync.yaml delete mode 100644 cluster/base/flux-system/kustomization.yaml rename cluster/{apps/networking/traefik/external => bootstrap}/kustomization.yaml (57%) rename cluster/{base/flux-system/charts/helm => charts}/ananace-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/authentik-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/bitnami-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/blakeshome-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/cilium-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/coredns-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/deliveryhero-charts.yaml (100%) rename 
cluster/{base/flux-system/charts/helm => charts}/drone-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/fairwinds-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/falco-security-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/gitea-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/grafana-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/hajimari-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/infracloudio-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/ingress-nginx-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/jetstack-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/k8s-at-home-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/kubernetes-sigs-descheduler-charts.yaml (100%) create mode 100644 cluster/charts/kustomization.yaml rename cluster/{base/flux-system/charts/helm => charts}/lwolf-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/mailu-charts.yaml (100%) create mode 100644 cluster/charts/metrics-server-charts.yaml rename cluster/{base/flux-system/charts/helm => charts}/nfs-subdir-external-provisioner-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/node-feature-discovery-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/nvidia-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/prometheus-community-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/rook-ceph-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/stakater-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/toboshii-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/traefik-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => 
charts}/uptimerobot-operator-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/vernemq-charts.yaml (100%) rename cluster/{base/flux-system/charts/helm => charts}/weaveworks-kured-charts.yaml (100%) rename cluster/{base/cluster-secrets.yaml => config/cluster-secrets.sops.yaml} (70%) rename cluster/{base => config}/cluster-settings.yaml (79%) delete mode 100644 cluster/core/cert-manager/secret.enc.yaml rename cluster/core/{cert-manager => cluster-issuers}/kustomization.yaml (60%) rename cluster/core/{cert-manager => cluster-issuers}/letsencrypt-production.yaml (100%) rename cluster/core/{cert-manager => cluster-issuers}/letsencrypt-staging.yaml (100%) create mode 100644 cluster/core/cluster-issuers/secret.sops.yaml create mode 100644 cluster/core/cluster-policies/ingress.yaml rename cluster/{apps/kube-system/kube-cleanup-operator => core/cluster-policies}/kustomization.yaml (69%) create mode 100644 cluster/core/cluster-policies/resources.yaml delete mode 100644 cluster/core/kube-system/kustomization.yaml delete mode 100644 cluster/core/monitoring/kustomization.yaml delete mode 100644 cluster/core/monitoring/uptimerobot-operator/kustomization.yaml create mode 100644 cluster/core/rook-ceph/namespace.yaml create mode 100644 cluster/core/rook-ceph/rook-direct-mount/backup.sh rename cluster/{base => flux}/apps.yaml (88%) create mode 100644 cluster/flux/charts.yaml create mode 100644 cluster/flux/config.yaml rename cluster/{base => flux}/core.yaml (61%) rename cluster/{base => flux}/crds.yaml (92%) create mode 100644 cluster/flux/flux-system/flux-cluster.yaml create mode 100644 cluster/flux/flux-system/flux-installation.yaml rename cluster/{apps/kube-system/nvidia-device-plugin => flux/flux-system}/kustomization.yaml (62%) create mode 100644 talos/clusterconfig/.gitignore create mode 100644 talos/cni/install.yaml create mode 100644 talos/cni/kustomization.yaml create mode 100644 talos/cni/values.yaml create mode 100644 talos/talconfig.yaml create 
mode 100644 talos/talenv.sops.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..e1d354e0
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,28 @@
+fail_fast: false
+repos:
+- repo: https://github.com/adrienverge/yamllint
+ rev: v1.26.3
+ hooks:
+ - args:
+ - -c
+ - .github/yamllint.config.yaml
+ id: yamllint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.0.1
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: mixed-line-ending
+- repo: https://github.com/Lucas-C/pre-commit-hooks
+ rev: v1.1.10
+ hooks:
+ - id: remove-crlf
+ - id: remove-tabs
+- repo: https://github.com/sirosen/fix-smartquotes
+ rev: 0.2.0
+ hooks:
+ - id: fix-smartquotes
+- repo: https://github.com/k8s-at-home/sops-pre-commit
+ rev: v2.0.3
+ hooks:
+ - id: forbid-secrets
diff --git a/.sops.yaml b/.sops.yaml
index 25f0cbd2..1a6e6447 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,12 @@
 ---
 creation_rules:
-- encrypted_regex: '^(data|stringData)$'
- pgp: >-
- CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B,
- 0E883B2F1196288130061C6BA8B44BCF50372B6B
+ - path_regex: provision/.*\.sops\.ya?ml
+ unencrypted_regex: "^(kind)$"
+ key_groups:
+ - age:
+ - age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
+ - path_regex: cluster/.*\.sops\.ya?ml
+ encrypted_regex: "^(data|stringData)$"
+ key_groups:
+ - age:
+ - age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
\ No newline at end of file
diff --git a/cluster/apps/ext-gateway/kustomization.yaml b/cluster/apps/ext-gateway/kustomization.yaml
index 58e0d628..8d5c83f9 100644
--- a/cluster/apps/ext-gateway/kustomization.yaml
+++ b/cluster/apps/ext-gateway/kustomization.yaml
@@ -3,5 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - helm-release.yaml
-- secret.yaml
+- secret.sops.yaml
 - netshoot.yaml
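Review bot: The `forbid-secrets` hook from k8s-at-home/sops-pre-commit is the only guard in the new `.pre-commit-config.yaml` against committing a plaintext `Secret`, and pre-commit hooks only run on clones where `pre-commit install` was executed, so a contributor who skips that step can still push an unencrypted manifest. Running the same hooks in CI (a workflow step that invokes `pre-commit run --all-files`) would make the check enforced rather than opt-in. The `rev:` values are git tags, which an upstream can move; pinning each to the tag's commit SHA would make the hook versions immutable.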
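Review bot: Neither new creation rule in `.sops.yaml` matches `talos/talenv.sops.yaml`, which this same commit creates (see `create mode 100644 talos/talenv.sops.yaml` in the preamble): `provision/.*\.sops\.ya?ml` and `cluster/.*\.sops\.ya?ml` are scoped to other directories, so sops will report no matching creation rule for files under `talos/` unless that directory carries its own `.sops.yaml` or the recipient is passed on the command line. A third rule such as `- path_regex: talos/.*\.sops\.ya?ml` with the same `key_groups` would keep the recipient list declarative. Both rules list one age recipient and nothing else; without a second recipient (an offline backup key, for example) the loss of that single private key makes every committed secret unrecoverable, which is worth weighing before the PGP keys are retired. The hunk also leaves the file without a trailing newline while the new pre-commit config enables `end-of-file-fixer`, so the next hook run will rewrite it.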
diff --git a/cluster/apps/ext-gateway/secret.sops.yaml b/cluster/apps/ext-gateway/secret.sops.yaml new file mode 100644 index 00000000..a641841c --- /dev/null +++ b/cluster/apps/ext-gateway/secret.sops.yaml @@ -0,0 +1,28 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: ext-gateway-vpnconfig + namespace: ext-gateway +stringData: + vpnConfigfile: ENC[AES256_GCM,data:gsIU74jNgR4JRphs/BeJOiXYjxk9ILhIx3IJmsPi9pmsB052TssFcTF2VxgwaKg0XjrIMZ25UtxNy+0YF91IEFE85mPfdQIQUA4Hn0Ql6sitCGSL1BN2Jh6jlC9ddoVsxlSuFBmu9WTB6a3N4B+ewxwq8oOirSWa/treIvCtpHfnuMGbC5hU3sPEMIVeGo5Ws6I8kY24HyGjmqEGWCRpNyFw06CRJTm+mdwsyRXKSFgHOAobJr8wcVg5MpszwpB6cMskZlUo2UTpBX3PjJuKicCAh7v69Ta0hiZSKcYCajhR4c3Ij0zQw9+lbugS3oq+1DIN2GnAYh7cZJ5oKZJN/NmavZzTu89Ie84MTjeWrW9/bQPWjPC8bB9W/F0LqRGsqvsDoYGcAvlV4sl2uvuw1ngfqiexPP7cB2PboO3PyyIt,iv:BeuAVcIhYU65wuC+zXuhveEaGbmP92xfyjyun5pW+7s=,tag:v/lrrmzWX+wxD6/LEqnPDA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWXd2VnRGNFRJRWlZUTg0 + T1NzL0hiRW80SzEzUkFLNUtUd0MxcFBWMGw0CitnQW5QUmpsZ3ZyV0NCQyszTFBx + YysyNTZnNWJFTkphUGxadUQ0WmFZSG8KLS0tIFBOZi8va2ZlVDljWWlBYnFrNDlG + eTVQNUIrNm1TT0p1SFFSZTQwQWhsbFEKnMTwxp2SU5RUTFFDfzGomJbKKpAw8ZzQ + 43/W1ZjvSCrLqkqWGPOhQfo3gM6v9cwYgkXS5qopcNrsEWRGWLGtpA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-06-05T00:28:20Z" + mac: ENC[AES256_GCM,data:1ulxBabn+jEMHNqxJN67/8com+5PXrSm45kYOQZQUXISL6QNN5cWXyzjIX18jzceseYB6H4dNd5O+dyvZx1/TJHKH0dVbweMkF8/k2g/YUHHjlcNCbzq/ZgDVu0sc4wOSyGAakfVOHWtNWFjLWkxe67jpQZ7KN9zHSdQnDKdmVs=,iv:MI+XGkRFqW/t2bXRpN/isC2XeWW15vBpopQ1QDNOtkY=,tag:/hXBBErzHQAuL4XSP/hFqg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.1 diff --git a/cluster/apps/ext-gateway/secret.yaml b/cluster/apps/ext-gateway/secret.yaml deleted file mode 100644 index 65efaddb..00000000 
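Review bot: The `vpnConfigfile` ciphertext, its `iv`, the `mac` and `lastmodified: "2021-06-05T00:28:20Z"` in the new `secret.sops.yaml` are byte-identical to those in the deleted `secret.yaml`, which shows only the key-wrapping layer was switched from PGP to age while the underlying data key stayed the same (the `sops updatekeys` behaviour rather than `sops rotate`). The PGP-wrapped copies of that same data key remain in git history, so anyone holding either retired PGP private key can still recover it and read this secret. If the move to age is meant to retire those keys, run `sops rotate -i` on each file so a fresh data key is generated, and rotate the VPN configuration itself, since the plaintext is equally recoverable from history. The discord and github `secret.sops.yaml` hunks later in this patch show the same unchanged ciphertext and the same point applies to them.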
--- a/cluster/apps/ext-gateway/secret.yaml
+++ /dev/null
@@ -1,59 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: ext-gateway-vpnconfig - namespace: ext-gateway -stringData: - vpnConfigfile: ENC[AES256_GCM,data:gsIU74jNgR4JRphs/BeJOiXYjxk9ILhIx3IJmsPi9pmsB052TssFcTF2VxgwaKg0XjrIMZ25UtxNy+0YF91IEFE85mPfdQIQUA4Hn0Ql6sitCGSL1BN2Jh6jlC9ddoVsxlSuFBmu9WTB6a3N4B+ewxwq8oOirSWa/treIvCtpHfnuMGbC5hU3sPEMIVeGo5Ws6I8kY24HyGjmqEGWCRpNyFw06CRJTm+mdwsyRXKSFgHOAobJr8wcVg5MpszwpB6cMskZlUo2UTpBX3PjJuKicCAh7v69Ta0hiZSKcYCajhR4c3Ij0zQw9+lbugS3oq+1DIN2GnAYh7cZJ5oKZJN/NmavZzTu89Ie84MTjeWrW9/bQPWjPC8bB9W/F0LqRGsqvsDoYGcAvlV4sl2uvuw1ngfqiexPP7cB2PboO3PyyIt,iv:BeuAVcIhYU65wuC+zXuhveEaGbmP92xfyjyun5pW+7s=,tag:v/lrrmzWX+wxD6/LEqnPDA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-06-05T00:28:20Z" - mac: ENC[AES256_GCM,data:1ulxBabn+jEMHNqxJN67/8com+5PXrSm45kYOQZQUXISL6QNN5cWXyzjIX18jzceseYB6H4dNd5O+dyvZx1/TJHKH0dVbweMkF8/k2g/YUHHjlcNCbzq/ZgDVu0sc4wOSyGAakfVOHWtNWFjLWkxe67jpQZ7KN9zHSdQnDKdmVs=,iv:MI+XGkRFqW/t2bXRpN/isC2XeWW15vBpopQ1QDNOtkY=,tag:/hXBBErzHQAuL4XSP/hFqg==,type:str] - pgp: - - created_at: "2021-05-23T04:25:25Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAw1XfxK/K1q7AQ//d/yXAKPJqcIRrjmW8Ft3juKGcDfGfMBNcPreMCfY0L9M - NgiRQ1TEfAJ50VI4B5DVotL3s+S/8CZEsnMd0xCmHLcZHsZH6CyoDzwlPaiMOCjV - Cyy5xWg2iRa3YS0NYIogZgfXzDSrpTjblBynj9qLZjzUm+V/3utzcSN2zYjYx4jE - C/tLN8a/oLQArH5NWPUBoKE+9OX90/DpdfwBti8nGqIlVgIKQ57hBFPfnu4Cfjtj - B6K9clgxmNvIs6TIAIOpHD5hcG7oUuAhOChtJMSH+krVVnJnG/k5PK7rrGtQNUq5 - Zt2mKljW6FpmZkfqkoHIhIrnnQoJizJ9Mgab/Kw5m2p1CnJlfocvOt6u9YE80RUl - 5RaF9+eKtYhn9eTozhd31HogvykZcZ/SiZ/jHfgGy3x9HnCn8/mXanwoEnaSDwal - AH7tAxD5+oDkpdyt37kyAhVEhtnhTjuS90pDpeOsyh4sWC/0Se/m3RYi//if5MUt - pKhfsLq2fOTaL2pBMpmjN2s80CCqw5PDwlUCzKr8tOwPxR1TY9HogjZA9/x5xLVv - tOxj06eoCFk5w5hsdfd1i/omc7T2p2IGP7myZ+iYTga9L0iVYdC3/32Th/XxFTMI - td2HXZdPXvQXYoi9ft6NMUbgn129aL5rT7DI8DC8JhCIW3GYDLG3un1A8qMcBz3S - XgFBREX39nBz3ZEa5Q7D9o/Q2zZ1VVw3srDnJUi2HyW4MoH6/iMlL5fhdUR0874K - 
caJ37bJdIeavwoq28LYpzdl1H2siSmotHnWqpYo9V0BqBGbKMtBdsDAPgAj6CDo= - =3ulM - -----END PGP MESSAGE----- - fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B - - created_at: "2021-05-23T04:25:25Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAySEZvKqXwiCARAAiOusqNF8lAlCSDHsz5qFTspDoW3diCnl3tGRC2bNPxhu - K+wfvmJzqQpd0Nn3lEhZ5SxpTorwBrDZePllmvSIwaMTVg47G+MUFUeTEH8EacUx - 4K2Nh11RgZppyM1C00cAiaytSVV5S8pNi/cizFJvGblc5sZiasFry8QsUVVD9fZm - zf9i/OfHh1NOH1FpM7mE1UYiLofJaGM1ADtsGYlsZlsImeEGth9ZRWOOONeRl/r3 - Og8TG6yaPSjnu7WeC2yxO0fBqWE8dmYdQ8JXyDI/2ZsugiEJmdgR9KptzAWckjyY - RSmu6G2pnIaYNDimzm7Tt/lqgpmN7HI/hjVC14Iv/amuzC620HmH4gefpR6Czvz3 - 1bngkKQ0X3jAmDgROEUZpYv8F2MMipXsG3K89aicVdTXcBxfiiKk+2HTJWMZyk9E - iy/JA9OMqjhRE6+hY7GbC+BFkRbIUw/Oe04DqWcY9LBQeJ1pnCZelzJosSc53peA - l2kf1ff5mqvI4JsvO5ENM3HeXVGOYARhZqMPu9Vto4xhYNi1KKhi5I1TKhan+i5z - 2qsFy7AtXvDYghkMEROsyJqTZRcLMJwDrCU0B1R8YG2VOz/8+MI3F7qJrILDDiDb - nezozUZOCOIEAklSz0UQAteWW0j/6lBytP6Yr3sMc0zg6/HSnHzLmU4eVioifYfS - XgFOa7Ud91Unrgyf+SeupPJW0+rH1TNDBiOOSkWdGDBgkcWWngqz1qgnmf0xFYX0 - xUiRuTs8Goyp0slwxmFEHXiiWfrGsD+tdeYJWBWoxBm75wqiejfHEchln2saSEU= - =c0ve - -----END PGP MESSAGE----- - fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/apps/flux-system/notifications/discord/kustomization.yaml b/cluster/apps/flux-system/notifications/discord/kustomization.yaml index 627ddea3..c7aa74e1 100644 --- a/cluster/apps/flux-system/notifications/discord/kustomization.yaml +++ b/cluster/apps/flux-system/notifications/discord/kustomization.yaml @@ -1,5 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- secret.enc.yaml +- secret.sops.yaml - notification.yaml diff --git a/cluster/apps/flux-system/notifications/discord/secret.enc.yaml b/cluster/apps/flux-system/notifications/discord/secret.enc.yaml deleted file mode 100644 index b7b57b44..00000000 --- a/cluster/apps/flux-system/notifications/discord/secret.enc.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: discord-webhook-url - namespace: flux-system -stringData: - address: ENC[AES256_GCM,data:M6wToVAFMlFXKzIedBjSUms6q7dU/5yOOwtaBe9s37hn+v71ssWIj0hQ/2WdBDskniyDPbJRcRJkalB2XyiryFc5xUJYS/YM6y1/l5jaRmc4FrLRaT9Q4ZWUk44Cvd+kQNRP90W+Yei7zfalHKZRsutpdLndCiJC,iv:Nr5s9qwfkXI+Khkb6wDIcdCWsE0qw1xSzyLdrg3zkMw=,tag:9aPFafkKEw34u38rjfqb/A==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-05-13T08:22:46Z" - mac: ENC[AES256_GCM,data:F2vwsbM8GZJK2J0MFJbnHNLEi68sqTSNb2r3m/V66b123R87h+6JbxGqzYvhqAQydCODHGWRFO9wei4vR3934l9z9Q2Tfk+IE60u2bMOt4LgyM+JjBwFvYb5VffwrZwu48qua2snEDEGtkyMqrjcLyDx0YdMbzkZrTFp1cn2vj4=,iv:MHunMu8x/nm4ZXc8zaAcy5WWFRmDLoiE88i0k9O6Y2k=,tag:bnqP0uSHl2KhqHnNKpnQ7Q==,type:str] - pgp: - - created_at: "2021-05-13T06:16:13Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAw1XfxK/K1q7AQ/9GDtA2hTWsJJDOmRRBbKI1s5i3fXlhz5i6lP27UJ0d6Ba - KBgb0Lg/rSrcgOaje/LTp0lpLlkHvxeLq7QgT0zVBWTqDOYaLpSnuVAJAdb0ZRW8 - qzTDKCEI6qX0YioduXN8BY8n02sWwthIlI18KEA06w0znmRUzyHQgHTGGrspZNmu - y2GcXSg96fpJYgPFSM+HMcImoOD58OYZK9neJeaqviWphLyeegg3Hb1ihkbueSSq - ln00yrev+FdrzY44IDgJ0q1+2J6/4B16FGtdEHDaCWfqDojnFpfJ8baFHid+rL0/ - puK92ecx52IFq6o/sE7iLfUUWVM460EVybrE8mVqtN21lU3HBuJegULN/QfNv5s1 - GXfGDRgojw/+Pr25N9vk10lCv2Nd5OopkmjEmrSvAMR3cYdH9SKdRUzv5qrrq2iA - +TV7+yP7I9QFGz3hNAmAXd7iYj4cTkobZBQug1gSCnrP6UUrgMIOUnyeW5ZB3sQs - wGI6aaCGhhsaU7ZtQlS89OfE1m+QYfRNtT863QuchxYypl827k6mmW1tdVu3mwjT - i0Wtqr35kaLrdWE/2cnHPGz+EFTlptAggTi5cKhP1+SCUe1TUp5grYycDU8BeWep - wTNEXbT12F52S2YfWDTS++dT82XsGxtUevSOtqiW7pB27L744e/NCKjhQAAVYN7S - XgF/FVxzqc+RXQxiycF4Mhl2Bdtp4G6gVPuETImTeRWarwbFQ0Wzq9F5p+XX+LB2 - sjIooFZJ3m4p8+Apc/S/bOwpbq9p74c0ZiuCkHqUSmCcWb789RUN5sjHGVmvLMY= - =YLf0 - -----END PGP MESSAGE----- - fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B - - created_at: "2021-05-13T06:16:13Z" - enc: | - -----BEGIN PGP MESSAGE----- - - 
hQIMAySEZvKqXwiCAQ/+Id7QlunUUgM+yCOlAGTsu7PfFIJNCvI4v5b7N0hbpDkp - KAnDQPtsUPPIkqX8JnBa+k2fDqf+Al+303x0z4UJqTxdTBdiL5nLW015hCbi7ZhA - kLflRQxt9Xb9No/3H5wTuNIa2edH5pTkZFoo9o7VBznbMi1vwy6MueaYGuFX/r4M - FznlU6P+/BUx/+Vo9h7THgzoeKYapaZipzz5fjhitN4dp5l04tao9vKZqhkl7Bw8 - 9Au51r87BFzrPC+cU6m95tlkyuy51o8NgpMYB9ceJTa0FEalyYgfEdfYQavlYGjb - XuPQLi9szW1gK5f9J/iy036vfO2oKk1hBjlh42RrAAc5eidgIAcJ7NRZDdwMVWw2 - uWYttaQRfaRW1xs4r6ejEhqKIaTnGUM0rEk7OSGS98r0qoHYv2XWVIO2Pvp8dNwv - HGRs4pKYsfw/Qhji4ptoc4kzuZhjhCVrdne2kGhi9jxCUs8tQr3oXc1FNQGOwAFD - pAt846a7447O+XUrjOv5jDzzl8McrrnrEB3rniiRcT4uY7AyFMGQyJyJq7fTh3aj - L5FnhnRFnvqozbMo/KwVDdk8E04CrjIqiFIbMFiFjrPKfYhvz3EztI0tV2yexr7L - fj9hfRuEsRzNc5Gyl3tPLaadnQWt5/3ZQwxp2mhqHhRTs06OOQTZS00CiCy4Ds7S - XgGxpk4z37+Abr5iWqSja91/uCz0KbyndEBJSkpDLRXhlhPWpPODlk0qZ2DXGwN3 - QVtEhWR5lMreqSoZ4kSuqlrTxJfV9Ya6jQQBJsDQrpQlJ9ATWpDdhwZY3zCwaSQ= - =XtmZ - -----END PGP MESSAGE----- - fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/apps/flux-system/notifications/discord/secret.sops.yaml b/cluster/apps/flux-system/notifications/discord/secret.sops.yaml new file mode 100644 index 00000000..39acbdff --- /dev/null +++ b/cluster/apps/flux-system/notifications/discord/secret.sops.yaml 
@@ -0,0 +1,28 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: discord-webhook-url + namespace: flux-system +stringData: + address: ENC[AES256_GCM,data:M6wToVAFMlFXKzIedBjSUms6q7dU/5yOOwtaBe9s37hn+v71ssWIj0hQ/2WdBDskniyDPbJRcRJkalB2XyiryFc5xUJYS/YM6y1/l5jaRmc4FrLRaT9Q4ZWUk44Cvd+kQNRP90W+Yei7zfalHKZRsutpdLndCiJC,iv:Nr5s9qwfkXI+Khkb6wDIcdCWsE0qw1xSzyLdrg3zkMw=,tag:9aPFafkKEw34u38rjfqb/A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0N0hTaTBNdDhZRlpnRko5 + SkZHUnVpM3UyQm9vOUdpalpzTzJ0aVFOVkRrClNZWkdBNVpweXBoOEtLZSs3VVRr + QWxLUVY3K0VUVlZDRS9oTmNDNEEwaGsKLS0tICtFZHpkb3Z0WlI5bmU3SDJhTDd2 + VXpQVHFMWEh2U3R2ak9hL2MrNnB6S2cKyh+bnBU/8EwjFqrKLjOfhI60IkLla5rG + a6kvDHyL57+lf9F/B/UOOPCKVRw0gyFUfGv6gwlFpjjVl8DizvPawQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-05-13T08:22:46Z" + mac: ENC[AES256_GCM,data:F2vwsbM8GZJK2J0MFJbnHNLEi68sqTSNb2r3m/V66b123R87h+6JbxGqzYvhqAQydCODHGWRFO9wei4vR3934l9z9Q2Tfk+IE60u2bMOt4LgyM+JjBwFvYb5VffwrZwu48qua2snEDEGtkyMqrjcLyDx0YdMbzkZrTFp1cn2vj4=,iv:MHunMu8x/nm4ZXc8zaAcy5WWFRmDLoiE88i0k9O6Y2k=,tag:bnqP0uSHl2KhqHnNKpnQ7Q==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.1 diff --git a/cluster/apps/flux-system/notifications/github/kustomization.yaml b/cluster/apps/flux-system/notifications/github/kustomization.yaml index 26914a05..21a09f72 100644 --- a/cluster/apps/flux-system/notifications/github/kustomization.yaml +++ b/cluster/apps/flux-system/notifications/github/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - notification.yaml -- secret.enc.yaml +- secret.sops.yaml 
diff --git a/cluster/apps/flux-system/notifications/github/secret.enc.yaml b/cluster/apps/flux-system/notifications/github/secret.enc.yaml
deleted file mode 100644
index 5e8711a2..00000000
--- a/cluster/apps/flux-system/notifications/github/secret.enc.yaml
+++ /dev/null
@@ -1,59 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: github-token - namespace: flux-system -stringData: - token: ENC[AES256_GCM,data:oBrTsOP6dY3v9KgIXGRqgQEnq2Xme+T1dbXlrR32yNP/H9aixZZUdQ==,iv:hT5s0OcfOiSIPOVX8LQM2bCOgKT/TZ+66kG4YPQGFe4=,tag:bZ9ZCVMmP+NCEcfiCm6XLA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-05-13T08:05:42Z" - mac: ENC[AES256_GCM,data:IvEucy+WKU9oUn4lxgGOZ7OfM6cuQ+Ta+Ikbltpbm4dxX6TOjoREYRGCxHiMvEnsHsn9QZQO+amKteqamC/161AtrCED+hkDLUa6wctOMZbKbwTkPcJ3DRMFw9J6AnsDc0pHd3dlelPL41by1PYXZUl8jyqxOBfoMTBREOQtISs=,iv:DccbIC4U+hWvX5f4pNS+CycK9bVQCgU9dZCZskLFgaM=,tag:XX6SkLCLpaycX79EqQU2vg==,type:str] - pgp: - - created_at: "2021-05-13T07:57:32Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAw1XfxK/K1q7ARAAnA05MxPFk5Dnz0dnk7I6P1J27BGnvCIfGJvFtVXr1ohZ - x/AvU81lloi8hN6FtL4zw+aPM+t8e63sk0djfNUzvApJpTuqa3PuNBiQ9QJOzP6q - k4p/RrMuNCPG3IV4/jkAmDRpuuLeCGjbfzUqS8qjz5yNRvlqtncLjjTA/uZOuua2 - Zt1/vPnh589Azlavpe7SypYe8Lkrx2UR1iPiUNMMl25v0wckrCpti+Q+NFSDct1/ - Cx6Vsr5oslAU6kN97oWychi3odWpDivQMv8Bt87hi/dKce6HWwDqWs4dQor/t/87 - es+VahEkNkS0IYMK4briqG6Jbr4mB+IiWLEZ4Tu6LHwE1WPOu5b56WwpVycXxXkc - yOwcq7a0Q6khNLA1zGzrQooeNyTa4PgHxi32MZQJS+CPwM789dODQfr5FV8lIRPR - kDZqTtY+J+qONaFKJ8A0R7jkBOWcCbkyOPT6UriRS6MQiQceDRLHn+whRMxXWdlJ - ZZYbNZ9AMJMLJ1d0VUiSp4WnHluPZ5eTtoKfYk7i5igbYCO5eDwGxg1QGRdUawro - ShcGfL1+POUG0z/m9m0pFivHWWeOnvqiXhGUUXiOjrpSLNZ3uc75JzeAAJ+tGTQx - QpHm9fnZtIeVEwBP/pMahr0qUkOadLdGfsRvRsIX0zEYD+zzU58ZbcfK7S6xzJvS - XgHhcl0UPsZl1com4pqNYUxuR6ae5LLUwlJv08t1fFMNPg1ZpMYz1BgczT2jV+CW - uRLci8OAo5il1meC6YWI2E8Db6+5PfIWdfPUVV7VTmwQoayHR/UkfZfubwPOZL4= - =/gYw - -----END PGP MESSAGE----- - fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B - - created_at: "2021-05-13T07:57:32Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAySEZvKqXwiCAQ//cXFuMc8IAANp/ISi3SRc8qiIf8a2ll6AeHRNCR2OvTjM - lI3BfzowlOC/IHSnouP+3gwARlulRSW+tyc7GsJ/1frIyB3la3UFwh0iF72M7Lca - 
Vdun0v6QcLlundZzcwwKrPlxgBC8aHdxHjnM9FXqVMGEqunhksh/A12AMQRGKA3k - OcnxBb98uBln7r1As0dD+WRXNDBOBTqDZFWNCwUwGdlz4H4GnDdoiitOQhdI5bwU - ZbHwJPydzKQ85kwJxyxWv3ve7YOd9nv6AlH3a8bFDHhMcPxJFXXXhuycW3WybZZN - srVJyIHWluG8zPMb/DdgxkpIUv1UZJbowJ2EP+zzvmcdwgTm5SvvQz5FjW2hXzTq - zuvL0oZc2PrXgK+oUonVuEk6CkTw4t1UH2rBZDjnNIxVPKwBzeWBDSJOvSIH/I0J - Y/ENYdYignx72ox5M7ojL47ECWjoH8ODzh44HQGWvcM140cSff7dtaf4gBNhtZ1h - wXPXG1gEydciD9w0Dz9Hr21HHRWqldBsCzMpejK5rjqYBfnbmEL0m2D9fJc7akxX - XdNxzu6ZTTwfwmDvzaAc/hWdf6zN2o2b5rGF7pIjGX0lURwyA1yZ70TC5s3Jh+uf - RDx1YrEp7gko+shFJGldeTsRcR5B24Y86guo5sWGTAQXMy7+RN2Zw62Fq/HBPCvS - XgGrGv77hwNwjC6FyeAYTISKCdrys+uA7Mjr5XOFphA0MHnaW+U7jp4XA2atbMS9 - tmx13wWplDgvNWdR13UlDdDsTxanm7LvJUiBx3pHChWppoX0V6oU5mXr+36c0+M= - =SLdP - -----END PGP MESSAGE----- - fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/apps/flux-system/notifications/github/secret.sops.yaml b/cluster/apps/flux-system/notifications/github/secret.sops.yaml new file mode 100644 index 00000000..cfb2d107 --- /dev/null +++ b/cluster/apps/flux-system/notifications/github/secret.sops.yaml 
@@ -0,0 +1,28 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: github-token + namespace: flux-system +stringData: + token: ENC[AES256_GCM,data:oBrTsOP6dY3v9KgIXGRqgQEnq2Xme+T1dbXlrR32yNP/H9aixZZUdQ==,iv:hT5s0OcfOiSIPOVX8LQM2bCOgKT/TZ+66kG4YPQGFe4=,tag:bZ9ZCVMmP+NCEcfiCm6XLA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTQjVvUHNGRHhRUGxPcTMx + Q1ZuV2RwVWxNa2tENmtmbnRyZmtSS2pzU1c4Cm5oQVh2NXJVQkZqZ09WaGlrQ2F6 + VHUrZ1ZOaUJQWEJheUdwd1FYSVQ1aW8KLS0tIEI4MFFYdFBQaHAyUElhRnhFUU9w + MzZSbDlHR0VkU3A1K2xoemJLVGlqcG8KuwpNRILxBupANyaIU2veLpR/mO+b9Wlw + guVoSZK1PTUHbvGernnoI0vY2FXtgldAXV/VEfQASRYJBHhekqV8/Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-05-13T08:05:42Z" + mac: ENC[AES256_GCM,data:IvEucy+WKU9oUn4lxgGOZ7OfM6cuQ+Ta+Ikbltpbm4dxX6TOjoREYRGCxHiMvEnsHsn9QZQO+amKteqamC/161AtrCED+hkDLUa6wctOMZbKbwTkPcJ3DRMFw9J6AnsDc0pHd3dlelPL41by1PYXZUl8jyqxOBfoMTBREOQtISs=,iv:DccbIC4U+hWvX5f4pNS+CycK9bVQCgU9dZCZskLFgaM=,tag:XX6SkLCLpaycX79EqQU2vg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.1 diff --git a/cluster/apps/flux-system/webhook/github/kustomization.yaml b/cluster/apps/flux-system/webhook/github/kustomization.yaml index 39d129e4..b93474fc 100644 --- a/cluster/apps/flux-system/webhook/github/kustomization.yaml +++ b/cluster/apps/flux-system/webhook/github/kustomization.yaml @@ -1,6 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- secret.enc.yaml +- secret.sops.yaml - ingress.yaml - receiver.yaml diff --git a/cluster/apps/flux-system/webhook/github/secret.enc.yaml b/cluster/apps/flux-system/webhook/github/secret.enc.yaml deleted file mode 100644 index 8fb382fe..00000000 --- a/cluster/apps/flux-system/webhook/github/secret.enc.yaml +++ /dev/null 
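Review bot: The new `secret.sops.yaml` keeps the same `token` ciphertext (`data:`, `iv:`, `tag:`), the same `mac` and the same `lastmodified: "2021-05-13T08:05:42Z"` as the removed `secret.enc.yaml`, so the sops data key was only re-wrapped to the age recipient, not rotated. Anyone holding either of the retired PGP keys (the two `fp:` entries in the removed file) plus the git history can still decrypt this token, and the plaintext itself was originally protected only by those keys. Consider running `sops rotate -i cluster/apps/flux-system/notifications/github/secret.sops.yaml` so a fresh data key is generated under the age recipient, and rotating the GitHub token value itself as part of retiring the PGP keys. The same pattern applies to the new `webhook/github/secret.sops.yaml`, `mail/mailu/secret.sops.yaml` and the edited `monitoring/thanos/secret.sops.yaml` hunks in this patch.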
@@ -1,59 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: github-webhook-token - namespace: flux-system -stringData: - token: ENC[AES256_GCM,data:hU5SWjRRxnyV2iw+qBU+era0uQwogOvMgtjYiQOm8JRC31xDwCvyCQ==,iv:8gd3N6bcJpjaZ7XHMShhl5YdjWC0Ix3pbC02BGUC5Fo=,tag:qlM3fXu9BUTexWnqLuWgWg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-05-13T08:06:04Z" - mac: ENC[AES256_GCM,data:ByfQs8DDN/PoLYyjh+IvkrxFx0EmdnMYNNlOqimJIKBNL7J3p6PVyebI4yCBZonJNF0pJp6d8syB7okhWmYme48jS9PBdPjahCW14icKq8jGpJafB2q64FTXuvYkaCvo40JPtL7eaHFZ1Jy0M4wAFNO/Ll+mWxekD7u43ASHdU4=,iv:twr7r1v5NlqK0GFf987J6iNt+g4UDNz5TZEu399jZqI=,tag:fNhNvmC1RyQtbWzNx0beSQ==,type:str] - pgp: - - created_at: "2021-05-13T06:19:22Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAw1XfxK/K1q7AQ//WWV2S8x8FkqMndbo2RaImJv2Bz20U+sEciAlMaZHs2aM - jPZ4pRwhF8rsoTu+7cIeR6XUOIKpr2nYXcT18aLgiHLFTfxzTU85q3zxLmPy3BPh - u0OT8j46/RK5xInExmVMzj4XNBnFQ/VOmPquBxbK0/YMPc9k0W2jGXMQ3QwwgF36 - buyXem4MeWl4aspukbzf7ZlVS5Si/yvdBftFA5g9EJDB/rxGl2KbiU9geKViBDhW - YN4eS9rrJWqwYrXobFLm+3Mr2M7r5kZzLyTSiC4AXDpySbXVV9wAQ71r0ClRAp49 - R4F7VTBnO6b83G9S44y/jAP41BpMdQyv/qHUAGH7Z106LAnV/g17/3dphh/+WzWc - aYDjb0XftpyxDQGpF9+oE5rV7Uj3VBxVOVsL0vCHpEEzpCt9rVSMZSS4x1XWX4HB - M9RgUzDlbCesR8KxUtXbzYN5Bz9gubYpgFUz1THI2pX4yIOXllFxLzJY2lG1bVn4 - ptZz6+IP5kc+z/xRNfNNjtUejVLaSU9vxHBiPpqwyfjtHtYLbgsACkEVUY7p1xvN - 7r93VI1YKSLqW/LhUo8E2ApdtrSyKuJiiR6qNjMPKa5FZGlThY2QE++pHaDklIC8 - DzJbKhxpx3snWoGebtijqIHiharA/NdhRThza3benqd4+WYpeuuvYypjJS4nBgnS - XAE7Hgi2nMUIaAQ3qxMcSS7BAp48JQcKE1rOcWV/RcaaOyfjX8629agHFts3DO1/ - Zi0a7Di1siVuwW+ppFoh0UbpWNw/qhjdwCCZ1G04/6TKqdLmy7NCpnMOvcER - =RtsT - -----END PGP MESSAGE----- - fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B - - created_at: "2021-05-13T06:19:22Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAySEZvKqXwiCARAAhnLLbSJ6C4byU8Tv/QUJHQsSp6O5FnYzxAfKeIAJCDPg - Yxd6ERMrIg+6gsLk6pDkc56CE7woGvT+VVQPcO+WWad8QP1AyM9Cw355U+0HTsBx - 
9iCpWo1tpfZBvYC/EDVc+z8ElBjCLCo9NGWizZeEpwFqsMXqheSiOYhyEbOmq5fT - 7N+2xSWyHI+kHYIr3gWTPhERmQEc4f+CUjmYauHXpPPy7kzSeL/14FsBDO7fMIl8 - DsDIOQR0gZ4u90DTAkU7TMD6sXYEBTjRUr9jB6mA9cD5wH8Q7ehSTc+KIpNBkLhr - VkJKPOyWQHzvAjv4XdD2i2Wl0V+1WG+Xus/tbXNxECg8KKYH/jNCWv0++MQoVPlM - fo+w9dMTuAH8Y2kj+Xm+H+KXKb8roBLbSgUV4R+T7HzE759bNbLlhDHXcuTQbd4D - VSXaGsN4wmC9s3Wq0y4S+kvlAhw6XTb5Fzf2Y+jR4eYZDB0DJQoUsL7EmWIfHKgQ - xIfdjqq3KBhMv62qJFj20H23wf20vxcHTBRPFtlrLT5Z+GOLXfvfGXuqeuaNwb5W - q6u6s/pEsGTNvP8Z3NwiffdrtVpLmJaO6vFAY7PDg4YMDF4irZ9WobNMMLNpou1a - nvaPJrClh/UbQVt+KtVSKcKoY1rgCmmsy296w8Hsxjr5+3NoY92AA8nTbrgsvFXS - XAEi4l46CHsWt1cgc6WHiVZ32f5TKt6YULsqcxwM7+YbmCFQHSxn9nkoi02wofcf - 8sJyXpjLXQoQGxYZCShADlvouNSuD265KDL9o9D5lJYV0UoF78pSvHiMqQPn - =UvVU - -----END PGP MESSAGE----- - fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/apps/flux-system/webhook/github/secret.sops.yaml b/cluster/apps/flux-system/webhook/github/secret.sops.yaml new file mode 100644 index 00000000..93b2c70b --- /dev/null +++ b/cluster/apps/flux-system/webhook/github/secret.sops.yaml 
@@ -0,0 +1,28 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: github-webhook-token + namespace: flux-system +stringData: + token: ENC[AES256_GCM,data:hU5SWjRRxnyV2iw+qBU+era0uQwogOvMgtjYiQOm8JRC31xDwCvyCQ==,iv:8gd3N6bcJpjaZ7XHMShhl5YdjWC0Ix3pbC02BGUC5Fo=,tag:qlM3fXu9BUTexWnqLuWgWg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMd09CYzVmU0VpbjF1ZEow + ckdGU2tXNGhmQm5UemdoVDk4Mmo1NTc2N0JzCkJYZ0plZ3Y2M1Uya0Zua0hGYWpO + RFdkMWpiTWNFcWo0K1M0eWgvUVZwTTQKLS0tIFVOTnBSVC9LMW8rV1R2OHJodEhv + VU42OGFyQkRRM0lhKzA2WC9lbGNOTXMKZ7tslckDP8/5fdTXNYiTfo6n1Yjbi5yM + mIYtc/JZbpyrZnHd/fthEm6oF2VHOCVGXl+MeXWkleCAL9NhWDNPxw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-05-13T08:06:04Z" + mac: ENC[AES256_GCM,data:ByfQs8DDN/PoLYyjh+IvkrxFx0EmdnMYNNlOqimJIKBNL7J3p6PVyebI4yCBZonJNF0pJp6d8syB7okhWmYme48jS9PBdPjahCW14icKq8jGpJafB2q64FTXuvYkaCvo40JPtL7eaHFZ1Jy0M4wAFNO/Ll+mWxekD7u43ASHdU4=,iv:twr7r1v5NlqK0GFf987J6iNt+g4UDNz5TZEu399jZqI=,tag:fNhNvmC1RyQtbWzNx0beSQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.1 diff --git a/cluster/core/cert-manager/helm-release.yaml b/cluster/apps/kube-system/cert-manager/helm-release.yaml similarity index 71% rename from cluster/core/cert-manager/helm-release.yaml rename to cluster/apps/kube-system/cert-manager/helm-release.yaml index 92b60441..e71a7c5a 100644 --- a/cluster/core/cert-manager/helm-release.yaml +++ b/cluster/apps/kube-system/cert-manager/helm-release.yaml @@ -5,12 +5,12 @@ metadata: name: cert-manager namespace: cert-manager spec: - interval: 5m + interval: 15m chart: spec: # renovate: registryUrl=https://charts.jetstack.io/ chart: cert-manager - version: v1.5.4 + version: v1.8.2 sourceRef: kind: HelmRepository name: jetstack-charts 
@@ -20,7 +20,7 @@ spec: webhook: enabled: true extraArgs: - - --dns01-recursive-nameservers=1.1.1.1:53 + - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53 - --dns01-recursive-nameservers-only cainjector: replicaCount: 1 @@ -28,4 +28,9 @@ spec: podDnsConfig: nameservers: - "1.1.1.1" - - "8.8.8.8" + - "9.9.9.9" + prometheus: + enabled: true + servicemonitor: + enabled: true + prometheusInstance: monitoring diff --git a/cluster/apps/networking/traefik/dashboard/kustomization.yaml b/cluster/apps/kube-system/cert-manager/kustomization.yaml similarity index 63% rename from cluster/apps/networking/traefik/dashboard/kustomization.yaml rename to cluster/apps/kube-system/cert-manager/kustomization.yaml index c640df0a..60b9afef 100644 --- a/cluster/apps/networking/traefik/dashboard/kustomization.yaml +++ b/cluster/apps/kube-system/cert-manager/kustomization.yaml @@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ingress.yaml + - prometheus-rule.yaml + - helm-release.yaml \ No newline at end of file diff --git a/cluster/apps/kube-system/cert-manager/prometheus-rule.yaml b/cluster/apps/kube-system/cert-manager/prometheus-rule.yaml new file mode 100644 index 00000000..80f86926 --- /dev/null +++ b/cluster/apps/kube-system/cert-manager/prometheus-rule.yaml 
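Review bot: The renamed `cert-manager/kustomization.yaml` ends with `\ No newline at end of file` after `  - helm-release.yaml`, and it switches the list style from `- ` to `  - `, which differs from the sibling kustomizations in this patch such as `mail/mailu/kustomization.yaml`. A trailing newline and one consistent indent style would keep the pre-commit hooks added in this commit quiet and avoid churn in later diffs. The `similarity index 63%` rename from the Traefik dashboard kustomization looks like git's heuristic rather than an intended move, so a `git mv` is not needed, but the history may be confusing for readers.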
@@ -0,0 +1,68 @@ +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: cert-manager.rules + namespace: kube-system +spec: + groups: + - name: cert-manager + rules: + - alert: CertManagerAbsent + expr: | + absent(up{job="cert-manager"}) + for: 15m + labels: + severity: critical + annotations: + description: + "New certificates will not be able to be minted, and existing + ones can't be renewed until cert-manager is back." + runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent + summary: "Cert Manager has dissapeared from Prometheus service discovery." + - name: certificates + rules: + - alert: CertManagerCertExpirySoon + expr: | + avg by (exported_namespace, namespace, name) ( + certmanager_certificate_expiration_timestamp_seconds - time()) + < (21 * 24 * 3600) + for: 15m + labels: + severity: warning + annotations: + description: + "The domain that this cert covers will be unavailable after + {{ $value | humanizeDuration }}. Clients using endpoints that this cert + protects will start to fail in {{ $value | humanizeDuration }}." + runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon + summary: + "The cert {{ $labels.name }} is {{ $value | humanizeDuration }} + from expiry, it should have renewed over a week ago." + - alert: CertManagerCertNotReady + expr: | + max by (name, exported_namespace, namespace, condition) ( + certmanager_certificate_ready_status{condition!="True"} == 1) + for: 15m + labels: + severity: critical + annotations: + description: + "This certificate has not been ready to serve traffic for at least + 10m. If the cert is being renewed or there is another valid cert, the ingress + controller _may_ be able to serve that instead." + runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready + summary: "The cert {{ $labels.name }} is not ready to serve traffic." 
+ - alert: CertManagerHittingRateLimits + expr: | + sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m])) + > 0 + for: 15m + labels: + severity: critical + annotations: + description: + "Depending on the rate limit, cert-manager may be unable to generate + certificates for up to a week." + runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits + summary: "Cert manager hitting LetsEncrypt rate limits." diff --git a/cluster/apps/kube-system/cilium/helm-release.yaml b/cluster/apps/kube-system/cilium/helm-release.yaml index 878d214b..f76eb549 100644 --- a/cluster/apps/kube-system/cilium/helm-release.yaml +++ b/cluster/apps/kube-system/cilium/helm-release.yaml @@ -4,18 +4,32 @@ kind: HelmRelease metadata: name: cilium namespace: kube-system + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm spec: interval: 5m chart: spec: # renovate: registryUrl=https://helm.cilium.io chart: cilium - version: 1.10.5 + version: 1.11.6 sourceRef: kind: HelmRepository name: cilium-charts namespace: flux-system interval: 5m + install: + createNamespace: true + remediation: + retries: 3 + upgrade: + remediation: + retries: 3 + remediateLastFailure: true + cleanupOnFail: true values: cluster: name: "${CLUSTER_NAME}" @@ -59,14 +73,16 @@ spec: rollOutPods: true ingress: enabled: true + ingressClassName: "nginx" annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: "networking-rfc1918@kubernetescrd" + hajimari.io/enable: "true" + hajimari.io/appName: hubble + hajimari.io/icon: lan hosts: - - "hubble.${SECRET_DOMAIN}" + - &host "hubble.${SECRET_DOMAIN}" tls: - hosts: - - "hubble.${SECRET_DOMAIN}" + - *host bgp: enabled: true announce: 
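Review bot: The `CertManagerCertNotReady` description says "has not been ready to serve traffic for at least 10m" while the rule is `for: 15m`, so the text and the threshold disagree; change the description to `"This certificate has not been ready to serve traffic for at least 15m. …"` or lower `for:` to match. The `CertManagerAbsent` summary has a typo, `dissapeared` → `disappeared`, and its `absent(up{job="cert-manager"})` expression presumably relies on the job label produced by the ServiceMonitor enabled in `helm-release.yaml`; verify the label value once the ServiceMonitor is live. The removed kured rule carried `prometheus: k8s` / `role: alert-rules` labels and this new `PrometheusRule` has none, so it should be checked against the Prometheus instance's `ruleSelector`, which is not visible here.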
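Review bot: The `meta.helm.sh/release-name`, `meta.helm.sh/release-namespace` annotations and the `app.kubernetes.io/managed-by: Helm` label are added to the `HelmRelease` object's own `metadata`, where they have no effect: Helm's adoption markers are read on the rendered workload resources, not on the Flux CR. If the intent is to adopt a Cilium install that was bootstrapped outside Flux, the markers need to be applied to those existing objects (e.g. via `kubectl annotate`/`kubectl label` before the first reconcile), and a short comment such as `# adoption markers belong on the rendered resources, not here` or removal of these lines would avoid the next reader assuming adoption is configured. The `install.createNamespace: true` for `kube-system` is harmless but redundant.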
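Review bot: The Hubble ingress loses the `networking-rfc1918@kubernetescrd` Traefik middleware when it moves to `ingressClassName: "nginx"`, and no equivalent source restriction is added, so the Hubble UI becomes reachable from wherever the nginx ingress controller is exposed. If that middleware was limiting access to private ranges, the matching ingress-nginx control is an annotation next to the hajimari ones, for example `nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"` (constructed example; use the ranges that apply to this cluster), or an authentication layer in front of it. The `&host` / `*host` anchor for the TLS host is a nice de-duplication.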
diff --git a/cluster/apps/kube-system/kube-cleanup-operator/helm-release.yaml b/cluster/apps/kube-system/kube-cleanup-operator/helm-release.yaml deleted file mode 100644 index fef207da..00000000 --- a/cluster/apps/kube-system/kube-cleanup-operator/helm-release.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: kube-cleanup-operator - namespace: kube-system -spec: - interval: 5m - chart: - spec: - # renovate: registryUrl=https://charts.lwolf.org - chart: kube-cleanup-operator - version: 1.0.1 - sourceRef: - kind: HelmRepository - name: lwolf-charts - namespace: flux-system - interval: 5m - values: - rbac: - create: true - global: true - args: - - --delete-failed-after=60m - - --delete-successful-after=0 - - --delete-pending-pods-after=0 - - --delete-evicted-pods-after=0 - - --delete-orphaned-pods-after=0 - - --legacy-mode=false diff --git a/cluster/apps/kube-system/kured/helm-release.yaml b/cluster/apps/kube-system/kured/helm-release.yaml deleted file mode 100644 index d95c6c08..00000000 --- a/cluster/apps/kube-system/kured/helm-release.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: kured - namespace: kube-system -spec: - interval: 5m - chart: - spec: - # renovate: registryUrl=https://weaveworks.github.io/kured - chart: kured - version: 2.10.0 - sourceRef: - kind: HelmRepository - name: weaveworks-kured-charts - namespace: flux-system - interval: 5m - values: - updateStrategy: RollingUpdate - extraEnvVars: - - name: slackHookUrl - valueFrom: - secretKeyRef: - name: kured-discord-secret - key: webhook - configuration: - startTime: "3:00" - endTime: "6:00" - timeZone: "America/Chicago" - tolerations: - - operator: "Exists" - effect: "NoSchedule" - metrics: - create: true 
diff --git a/cluster/apps/kube-system/kured/kustomization.yaml b/cluster/apps/kube-system/kured/kustomization.yaml deleted file mode 100644 index 6ed57d5b..00000000 --- a/cluster/apps/kube-system/kured/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- secret.enc.yaml -- helm-release.yaml -- prometheus-rule.yaml diff --git a/cluster/apps/kube-system/kured/prometheus-rule.yaml b/cluster/apps/kube-system/kured/prometheus-rule.yaml deleted file mode 100644 index 7e299522..00000000 --- a/cluster/apps/kube-system/kured/prometheus-rule.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - labels: - prometheus: k8s - role: alert-rules - name: kured-rules - namespace: kube-system -spec: - groups: - - name: kured.rules - rules: - - alert: RebootRequired - annotations: - description: Node(s) require a manual reboot - summary: Reboot daemon has failed to do so for 24 hours - expr: max(kured_reboot_required) != 0 - for: 24h - labels: - severity: warning - - alert: RebootScheduled - annotations: - description: Node Reboot Scheduled - summary: Node {{$labels.node}} has been scheduled to reboot - expr: kured_reboot_required > 0 - for: 5m - labels: - severity: warning diff --git a/cluster/apps/kube-system/kured/secret.enc.yaml b/cluster/apps/kube-system/kured/secret.enc.yaml deleted file mode 100644 index e05e23a1..00000000 --- a/cluster/apps/kube-system/kured/secret.enc.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: kured-discord-secret - namespace: kube-system -stringData: - webhook: ENC[AES256_GCM,data:fCxlfMDvUsd1/yNbNTXFL7XovFhLx0nJ4nLYj6axVtUYiqVqDKKpnTrl/RzKotfqnIFPDi6kjgk0mYloMvDB1baHp5U4U25PGqK13EWxEW4Rv4NvqCLeK6jorRuMcBVA+ev/K5wVBTUHeVWB1otT9KrdCLgWzpowODmkbZe2nShXIuV1nw==,iv:bF5gQop7VlhSYB5Rp/ABp3xdQoCb/DYQRrsEbtZBdlI=,tag:PhPC8udFrSARz1R5FS+txQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-05-16T03:12:40Z" - mac: ENC[AES256_GCM,data:vxP4H3m2q3Bxr6mf7KVU9iWx/49whZ9eYapFI0MrvjuNltSTKPGNlhqvtxuwq0Vu51/+LhO4F6m9JKkIRrWUbKKnYPXCV30MSUyZbPGLdG/9nq5n5wbwNnKOy39mM6d+KlcFKUgIAcp/pZMGiMiobGkiML60fAiysWMyS9Hji68=,iv:7PyP0N9YsxYC9Zp6FO4q6ay0twOsmkK+NwtsgjOB1p4=,tag:CvwHS7CAVG5E7KLxZPWs/w==,type:str] - pgp: - - created_at: "2021-05-16T03:12:39Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAw1XfxK/K1q7ARAAiuZc0Vi2vFbhO92iCBWYPZUHANvmNhNf2ncKWO4pFZYX - mopOMqA2w2DQuFrenF+bIsudKh0pyfE2tC4yhSQbPptSscSVJ9TqzYP6Ewp2No8X - e4wStr8GQwy4HkRFwUJH1EpbbtkL8YegwnuJsvZwotSwlLc5t9f3fEY1oo/nvO1k - WUmAC7+ib/huv12fVmFBoWQOqqQvyBNZzHbnhrgsZf0S0xvrw8euu4sNBtauMb5+ - W3FEJ1E7nP7TrKCblEtoLpL4krs18KltTS2s9NnjrSLW7G2PSkWqtu7t8GqhXrBE - laTOJsD7id2KHiiyCWfeV6TDiw4pA0zf1Lodr/ZJbnrC4LIKm/3GAXsknWOyP6wY - 4OuZh6lbe+ZLQc+tRnUxBkdqDoG740Qrv+bz7B2aXGr96eyw1P92WTTQAPIKtUFq - H3uUFJNPdLvZWq65erX6kHXdVSxfKWkQZJj6LB7u3JLkno729moia6dfqJSJaa9e - aL68BK9bnCxkrkRKULSohKuHWYfaRJqoHUju4iEZQqoLioS336Pap8WJU67SWfoR - 5hzPTG5qhj5wjsCwK91ZjDa93mAvqCefpjY+aUQkOVMJyuWFC7K4UYheUyFRE38Z - XRkouJVen/AJU1Dj0HHo90+VsonE95atr+VYRW6u/pq3cgNoY2NnvFMFK416b3PS - XAFyycwL7XX38xsIZfnW3146P0FfF6kaIa1aS3kJDsPNZQw1TAqeBfP4eohXoVGT - FQDi9vH1qhO69jsjEPoLZKiuh6mzSfQBbf/m9Iv4yUq1tdpg2LlJsBKwWGqi - =yz9z - -----END PGP MESSAGE----- - fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B - - created_at: "2021-05-16T03:12:39Z" - enc: | - -----BEGIN PGP MESSAGE----- - - 
hQIMAySEZvKqXwiCAQ/9HbYit+0Wc9O8I9PkJRxDuOhmvMoXrbWhO1VDOWmJK4fr - IEqP3zxsqOQ8fhxtfDAuhOzK6aV94cx9ZkzDafdjez6wk0wMBDPlVDv6zCS98yPi - 9AQF/psRUTC+LPx2EqsNnwSMD9lHublHRdoiSmcaeWnm1qEEeokAbyObD1n5V+C9 - U5PVhY1rcqqewHRc5s6vXy6AyTP838+hoBwPWyqrp3AdFwOYsDXzOa+5fsGfXtbZ - +aNMNzhR47y2+qbbzCpsF3qNjM7eWQiNIm40/Ue/5lC5wEAzAbz4SIJkcqIxNNvu - MaPiXYaxHRs2CWGlGEikPp+uxHT4jkhMVdyJTlC3KfKhKR2ozWzyIQML5GdcX/0Z - b5QXHYGM4V1rv6VuW5/W+T12KSyAgvT1FdN6TwPdVwAWkDUJzQgFxaShR3r0AW5L - EoVdLRq+zBq96USBrybTDO8C3gZ2LA82KdmO5vT7JDDhrBdIyLqdEvcCazRwWyV6 - DJPS7ZNPhwt+8RgQrWCd2a98KXdPHvzoi1R+n49OngzK3Pdl6yQbzoNqRO10/kPW - 0Y1f1Bbvca1gh1YpVQc48+c9RPfwxIs4NGqYjh8ayTlM8Cp1X7dy+RhnWWNpvWon - yPoRvIwgmfjHN54Y5Qe7DKT7r1W4CoDcJ9bSAdQthLFQcIN77UOvRiV1oGtIy+nS - XAFaC4A/lpALvgeKwK5xuTYWWvN241irVOOTfbIdXZcccffWTuV0iGpViIizbAJt - 4ZERscb6OuS/HpoO49pBYtIdyd9sNzjf42MP9MmKcta/iMrrVqJsvchWcCxq - =BTAL - -----END PGP MESSAGE----- - fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/apps/kube-system/kustomization.yaml b/cluster/apps/kube-system/kustomization.yaml index 9fc543d0..66a421cc 100644 --- a/cluster/apps/kube-system/kustomization.yaml +++ b/cluster/apps/kube-system/kustomization.yaml @@ -2,13 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- cilium -- descheduler -- intel-gpu-plugin -- kube-cleanup-operator -# - kured -- metrics-server -- node-feature-discovery -- node-problem-detector -# - nvidia-device-plugin -- reloader + - namespace.yaml + - cert-manager + - cilium + - descheduler + - intel-gpu-plugin + - metrics-server + - node-feature-discovery + - reloader diff --git a/cluster/apps/kube-system/metrics-server/helm-release.yaml b/cluster/apps/kube-system/metrics-server/helm-release.yaml index b3094b0a..00e233c8 100644 --- a/cluster/apps/kube-system/metrics-server/helm-release.yaml +++ b/cluster/apps/kube-system/metrics-server/helm-release.yaml 
@@ -5,19 +5,30 @@ metadata: name: metrics-server namespace: kube-system spec: - interval: 5m + interval: 15m chart: spec: - # renovate: registryUrl=https://charts.bitnami.com/bitnami chart: metrics-server - version: 5.10.11 + version: 3.8.2 sourceRef: kind: HelmRepository - name: bitnami-charts + name: metrics-server-charts namespace: flux-system + interval: 15m + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 values: - apiService: - create: true - extraArgs: - kubelet-insecure-tls: true - kubelet-preferred-address-types: InternalIP,ExternalIP,Hostname + args: + - --kubelet-insecure-tls + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --kubelet-use-node-status-port + - --metric-resolution=15s + metrics: + enabled: true + serviceMonitor: + enabled: true diff --git a/cluster/apps/kube-system/node-problem-detector/helm-release.yaml b/cluster/apps/kube-system/node-problem-detector/helm-release.yaml deleted file mode 100644 index 55656d49..00000000 --- a/cluster/apps/kube-system/node-problem-detector/helm-release.yaml +++ /dev/null @@ -1,41 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: node-problem-detector - namespace: kube-system -spec: - interval: 5m - chart: - spec: - # renovate: registryUrl=https://charts.deliveryhero.io/ - chart: node-problem-detector - version: 2.0.9 - sourceRef: - kind: HelmRepository - name: deliveryhero-charts - namespace: flux-system - interval: 5m - values: - image: - repository: k8s.gcr.io/node-problem-detector/node-problem-detector - tag: v0.8.10 - metrics: - serviceMonitor: - enabled: true - postRenderers: - - kustomize: - patchesJson6902: - - target: - kind: DaemonSet - name: node-problem-detector - patch: - - op: replace - path: /spec/template/spec/containers/0/volumeMounts - value: - - name: log - readOnly: true - mountPath: /var/log/ - - name: custom-config - readOnly: true - mountPath: /custom-config 
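Review bot: The `# renovate: registryUrl=…` comment is removed along with the Bitnami source, so Renovate will no longer propose chart updates for `metrics-server` while every other HelmRelease in this patch keeps its marker; add `# renovate: registryUrl=<metrics-server chart repository URL>` above `chart: metrics-server` (the URL of the `metrics-server-charts` HelmRepository is not visible here). Separately, `--kubelet-insecure-tls` is carried over into the new `args` list and still disables verification of kubelet serving certificates; it is not new, but a comment such as `# kubelet serving certs are not signed by the cluster CA - remove once kubelet serverTLSBootstrap is enabled` would record why it is kept and when it can go.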
diff --git a/cluster/apps/kube-system/nvidia-device-plugin/helm-release.yaml b/cluster/apps/kube-system/nvidia-device-plugin/helm-release.yaml deleted file mode 100644 index a3fc3a76..00000000 --- a/cluster/apps/kube-system/nvidia-device-plugin/helm-release.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: nvidia-device-plugin - namespace: kube-system -spec: - interval: 5m - chart: - spec: - # renovate: registryUrl=https://nvidia.github.io/k8s-device-plugin - chart: nvidia-device-plugin - version: 0.9.0 - sourceRef: - kind: HelmRepository - name: nvidia-charts - namespace: flux-system - interval: 5m - values: - image: - repository: nvcr.io/nvidia/k8s-device-plugin - tag: v0.9.0 - nodeSelector: - feature.node.kubernetes.io/pci-0300_10de.present: "true" - tolerations: - - key: nvidia.com/gpu - operator: Exists diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml index ebf518e4..c397e40a 100644 --- a/cluster/apps/kustomization.yaml +++ b/cluster/apps/kustomization.yaml @@ -2,16 +2,18 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- backup-system -- downloads -- ext-gateway -# - falco-system -- flux-system -- home -- kube-system -- mail -- media -- monitoring -- networking -- security -- vpn-gateway + - kube-system + - networking + # - flux-system + # - home + # - backup-system + # - downloads + # - ext-gateway + # - falco-system + # - kube-system + # - mail + # - media + # - monitoring + # - networking + # - security + # - vpn-gateway diff --git a/cluster/apps/mail/mailu/kustomization.yaml b/cluster/apps/mail/mailu/kustomization.yaml index 78b43697..314d1f35 100644 --- a/cluster/apps/mail/mailu/kustomization.yaml +++ b/cluster/apps/mail/mailu/kustomization.yaml @@ -4,4 +4,4 @@ kind: Kustomization resources: - data-pvc.yaml - helm-release.yaml -- secret.yaml +- secret.sops.yaml 
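Review bot: The new `cluster/apps/kustomization.yaml` resource list has `# - kube-system` and `# - networking` in the commented block even though both are already active entries above it, so the commented list looks like a stale copy rather than a to-do list; dropping those two commented lines keeps the "still to re-enable" set accurate. Worth noting for readers of this patch that `flux-system`, `mail` and `monitoring` stay commented out, so the secret migrations in those directories are not exercised by this deploy until they are re-enabled.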
diff --git a/cluster/apps/mail/mailu/secret.sops.yaml b/cluster/apps/mail/mailu/secret.sops.yaml new file mode 100644 index 00000000..244f8bcc --- /dev/null +++ b/cluster/apps/mail/mailu/secret.sops.yaml @@ -0,0 +1,28 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: mailu-vpnconfig + namespace: mail +stringData: + vpnConfigfile: ENC[AES256_GCM,data:R59Efd7kY7Hxn/Jd9nDZJ4Qo1AWWVule5i1HFUIrehyBnEZZWeI9AMlcp1dS5Zn4x9oN4rDNLrRnB8feD4pWRGPMeuksuX4knamwAkF0SLb9uw9rFY9tPx6J5YjoGVsaNC2jGiLSRt8Lwi6SLRNgbxM54kbD5gEJIGkHQy4TiipkRHSviWWP8G6i8JjSSxLQjku8mbzUIygoGpTRWHSiOga4uTYZp0NXbfzYPFYzSl0b/VvbgJdaIhNQSBct2wy8TUSbX8N8XxBrb9SL/blw12DAVEbRSJyBioMxfYm7WtXweu+o7azb/OxGw2n7Etgf3YH/AGgeSzmiw3BA1gUBzV3KWcMrDOk0Yb1NsUJwJhABjwxeCYTwT1mQ8jebbaupVNv5WTv/+ZfcaiM=,iv:L984T15Xvgin9/+f7dqb8DrSGFANn0pXeWtYYrbpPaA=,tag:Djr6ZxIqHy01iBOMQnZrwQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDMmJJZ1N4OUxlWm1TcHBl + alJRaWkzcVVIci9oanpMYmY5NTMzRGRDa1drCjZDbWtkR0d4cVZUaEtjNXp6M1J3 + TGE0RW9BdXhwQW14dEw2dVNSaXBwTlkKLS0tIEhPVHgybVlOdSsvenFFS1NZNWVB + MXFZVUJ4c1F4TkM5V3Q4QVM5YXdUR2sK5pRgLx+4I0lY3CyyPw9oHpBbg+v/aNHa + ZyLrBu8SIchYKoWMW9ybgxqW7ANjE7xI/dPK2O3xYaXenjPp+XhEqw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-06-03T15:09:58Z" + mac: ENC[AES256_GCM,data:e/u4pZX4vmWquDezPASHc0FtA4Tk4G+lBRRsQ+fOSt9t+Z17ZxOoywwtNWkY3eWcPkFidDZ8Ya2PPh3V8Cqj8Cbj+RfQ4JvbW/7wKMcHURexpDCjxsFYdrc1r/fkBSqpdbhJVcq1PIA67XDsnIei0FA1h+v58IF50sqHwg3gfNw=,iv:gjHLmdyFeztWv+9ODRfv/uTR7KxutCPGhKhJ80jFdwk=,tag:w3q+TjLpGlPhR8yBPxKABQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.1 diff --git a/cluster/apps/mail/mailu/secret.yaml b/cluster/apps/mail/mailu/secret.yaml deleted file mode 100644 index 0f64c574..00000000 
--- a/cluster/apps/mail/mailu/secret.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: mailu-vpnconfig - namespace: mail -stringData: - vpnConfigfile: ENC[AES256_GCM,data:R59Efd7kY7Hxn/Jd9nDZJ4Qo1AWWVule5i1HFUIrehyBnEZZWeI9AMlcp1dS5Zn4x9oN4rDNLrRnB8feD4pWRGPMeuksuX4knamwAkF0SLb9uw9rFY9tPx6J5YjoGVsaNC2jGiLSRt8Lwi6SLRNgbxM54kbD5gEJIGkHQy4TiipkRHSviWWP8G6i8JjSSxLQjku8mbzUIygoGpTRWHSiOga4uTYZp0NXbfzYPFYzSl0b/VvbgJdaIhNQSBct2wy8TUSbX8N8XxBrb9SL/blw12DAVEbRSJyBioMxfYm7WtXweu+o7azb/OxGw2n7Etgf3YH/AGgeSzmiw3BA1gUBzV3KWcMrDOk0Yb1NsUJwJhABjwxeCYTwT1mQ8jebbaupVNv5WTv/+ZfcaiM=,iv:L984T15Xvgin9/+f7dqb8DrSGFANn0pXeWtYYrbpPaA=,tag:Djr6ZxIqHy01iBOMQnZrwQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-06-03T15:09:58Z" - mac: ENC[AES256_GCM,data:e/u4pZX4vmWquDezPASHc0FtA4Tk4G+lBRRsQ+fOSt9t+Z17ZxOoywwtNWkY3eWcPkFidDZ8Ya2PPh3V8Cqj8Cbj+RfQ4JvbW/7wKMcHURexpDCjxsFYdrc1r/fkBSqpdbhJVcq1PIA67XDsnIei0FA1h+v58IF50sqHwg3gfNw=,iv:gjHLmdyFeztWv+9ODRfv/uTR7KxutCPGhKhJ80jFdwk=,tag:w3q+TjLpGlPhR8yBPxKABQ==,type:str] - pgp: - - created_at: "2021-05-23T04:25:25Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAw1XfxK/K1q7AQ//d/yXAKPJqcIRrjmW8Ft3juKGcDfGfMBNcPreMCfY0L9M - NgiRQ1TEfAJ50VI4B5DVotL3s+S/8CZEsnMd0xCmHLcZHsZH6CyoDzwlPaiMOCjV - Cyy5xWg2iRa3YS0NYIogZgfXzDSrpTjblBynj9qLZjzUm+V/3utzcSN2zYjYx4jE - C/tLN8a/oLQArH5NWPUBoKE+9OX90/DpdfwBti8nGqIlVgIKQ57hBFPfnu4Cfjtj - B6K9clgxmNvIs6TIAIOpHD5hcG7oUuAhOChtJMSH+krVVnJnG/k5PK7rrGtQNUq5 - Zt2mKljW6FpmZkfqkoHIhIrnnQoJizJ9Mgab/Kw5m2p1CnJlfocvOt6u9YE80RUl - 5RaF9+eKtYhn9eTozhd31HogvykZcZ/SiZ/jHfgGy3x9HnCn8/mXanwoEnaSDwal - AH7tAxD5+oDkpdyt37kyAhVEhtnhTjuS90pDpeOsyh4sWC/0Se/m3RYi//if5MUt - pKhfsLq2fOTaL2pBMpmjN2s80CCqw5PDwlUCzKr8tOwPxR1TY9HogjZA9/x5xLVv - tOxj06eoCFk5w5hsdfd1i/omc7T2p2IGP7myZ+iYTga9L0iVYdC3/32Th/XxFTMI - td2HXZdPXvQXYoi9ft6NMUbgn129aL5rT7DI8DC8JhCIW3GYDLG3un1A8qMcBz3S - XgFBREX39nBz3ZEa5Q7D9o/Q2zZ1VVw3srDnJUi2HyW4MoH6/iMlL5fhdUR0874K - 
caJ37bJdIeavwoq28LYpzdl1H2siSmotHnWqpYo9V0BqBGbKMtBdsDAPgAj6CDo= - =3ulM - -----END PGP MESSAGE----- - fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B - - created_at: "2021-05-23T04:25:25Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAySEZvKqXwiCARAAiOusqNF8lAlCSDHsz5qFTspDoW3diCnl3tGRC2bNPxhu - K+wfvmJzqQpd0Nn3lEhZ5SxpTorwBrDZePllmvSIwaMTVg47G+MUFUeTEH8EacUx - 4K2Nh11RgZppyM1C00cAiaytSVV5S8pNi/cizFJvGblc5sZiasFry8QsUVVD9fZm - zf9i/OfHh1NOH1FpM7mE1UYiLofJaGM1ADtsGYlsZlsImeEGth9ZRWOOONeRl/r3 - Og8TG6yaPSjnu7WeC2yxO0fBqWE8dmYdQ8JXyDI/2ZsugiEJmdgR9KptzAWckjyY - RSmu6G2pnIaYNDimzm7Tt/lqgpmN7HI/hjVC14Iv/amuzC620HmH4gefpR6Czvz3 - 1bngkKQ0X3jAmDgROEUZpYv8F2MMipXsG3K89aicVdTXcBxfiiKk+2HTJWMZyk9E - iy/JA9OMqjhRE6+hY7GbC+BFkRbIUw/Oe04DqWcY9LBQeJ1pnCZelzJosSc53peA - l2kf1ff5mqvI4JsvO5ENM3HeXVGOYARhZqMPu9Vto4xhYNi1KKhi5I1TKhan+i5z - 2qsFy7AtXvDYghkMEROsyJqTZRcLMJwDrCU0B1R8YG2VOz/8+MI3F7qJrILDDiDb - nezozUZOCOIEAklSz0UQAteWW0j/6lBytP6Yr3sMc0zg6/HSnHzLmU4eVioifYfS - XgFOa7Ud91Unrgyf+SeupPJW0+rH1TNDBiOOSkWdGDBgkcWWngqz1qgnmf0xFYX0 - xUiRuTs8Goyp0slwxmFEHXiiWfrGsD+tdeYJWBWoxBm75wqiejfHEchln2saSEU= - =c0ve - -----END PGP MESSAGE----- - fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/apps/monitoring/thanos/secret.sops.yaml b/cluster/apps/monitoring/thanos/secret.sops.yaml index b672e092..33287efe 100644 --- a/cluster/apps/monitoring/thanos/secret.sops.yaml +++ b/cluster/apps/monitoring/thanos/secret.sops.yaml 
@@ -11,49 +11,18 @@ sops: gcp_kms: [] azure_kv: [] hc_vault: [] - age: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OGkxcnZscnJ1TitwQXgv + ZnkwcmdnVWJLbFFGSmRHV2pqbitYQW5IWWtFCjNNdVBwTEQ0VDk2OEtHKzkwSi9h + cVpOR3NONE9HQXB6VDlwMUp0WUYzRGMKLS0tIGRlY0UrOVhzMndJTWFyclg3ZHBV + bk1tZmFPUy9FUEtiMkVHcDBGaUZwdmsKdv0wD5JNfdBN45ba8bbjpVIEHop4AqKX + R+Vp9//6wTxsiafO0Bp0RUls1gHuRUYKhgAcH9PP8TIjZCwbUpHEpg== + -----END AGE ENCRYPTED FILE----- lastmodified: "2021-08-11T23:27:44Z" mac: ENC[AES256_GCM,data:2z0BgAwz408+gSDfuxGtt75mF++qOSgKb/RGdm0fqTORrFB+a/Yc/alXS0NVOl43WAkxY8HpUozQooa6VhdA88OcoNFUUtz8uhpeymBj1t/xXL4gE85Be2FXmhGFHKOaIulgPIiRScwxvaYG4C289QjIHZ8T3E9ykiYnrl1/bQk=,iv:MehdXoE4gTDoF+mG9SRatebR8LHxoy+g+709/I+LHII=,tag:q97WqxBWqRHLmAekD9IzWw==,type:str] - pgp: - - created_at: "2021-08-11T16:45:16Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAw1XfxK/K1q7AQ//W3HMMNXuYZ0ET4cezjUunygCWxtarUJVXngpjQ6bnLqd - drG0E4aI/iLl6xk5S4cTIVeq9b19ygsoOxRbIR0BXKvZ+l8SL18fkt8eFytkcy6/ - fNNrlBXwdI1IqP2my7KZagMN4Ali5ULBGr+XK7Ggf4eG5e8LDY9x1anxVWfdrJ3N - EAxWaAFScs8fh9M0NfbtZK/wyF/wSAarCFvQoJ8UqRd/IIMLnj/Ks5IiDxj/09fv - QwP/4P1eOZKF5TfyIL1+EEdC9ZmXnM+E9sVRAm8NKz5gP/Mmtx4HcJa01TAtHFxq - 7i5N9uYaAQ1JRoqVtuGg4SKuqTqnGDKbhgnXNj0ESXC0GSBQ+GXLHLKTQLe+lxu7 - PSd88Kkyr8bFUTJxQvSigm0BoFcIapeO53qF9+3AeWm/A0lmJ/pABaSl17nmr+IM - n5TcNrmHDvZS25Og2PPLHRKbBllbffe8/YhHv6Oi/STCyMeg+6IqdGvJ8I7tHfxy - ISi00Gc+Z0Bdq+MCOK4OSQiX5oJpDDvJzVE38u2WRDG5xQyB6oStXvj/IoxGH5DR - trWjVgQG4x+vTiPkfRCx2ZYKAeGLm3UK5RMbSbUu598KlmYZJ8aP9Yo/vku08HCB - XjVA1zdjVGmIYx2SSn/EWHS2vaSJyGd45MVKjM6TJzyElRmyExUENQeuRBL4/5jS - XAEp38n+q5FT/xI9yU5vxnrUwFUNnVT5JTiDdLRtdwA9vVM9C0vcjJ8FewujFoM6 - dJaqiZTe65RPRrtrPgBFHir++O4xPdJyGwhUtfniXzUTg35ajIpjPTfnHPnC - =Kbhk - -----END PGP MESSAGE----- - fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B - - created_at: "2021-08-11T16:45:16Z" - enc: | - -----BEGIN PGP 
MESSAGE----- - - hQIMAySEZvKqXwiCAQ//QQszC7rRYuxGvKIE6ZN9aIIVLiRD5YeV2yNghgwpTrbd - 279piWAlrlRQhhoTJppQ+qBzLsK8wpUJnXuM8bMQ1oHj6E+gMIkGRFevC+m0of7t - KLSjnm5dnle9pPGZMQVTxTfr1Cf7mv8CYLM+w+zFLOxgTEPQJKG5X5EhfoQb4hXR - QKFxjSqJVzj3QQ6loufTwMPGEYhQ7P0Y1XPjJJs6aZiPNvGK/8ayNCQpRo3E7NF3 - KqEGsLHQGSEeuWoOhb6Mnike5rox6p4hb7TPl7JHZbCJIP2YwWd3ERGBfLL2pgCg - RLLG/nZwucnxb7lGZRYMN8krGtcdRYKSD0FY9EPoVvQDZ3fGtkwkbBfT9kjD4XPg - 6NGKDrTY/FJTOMIhY0shRBmFx3KHi0dnBKrfBvXyaY4yzgafC5s1p6QooJXMz+Vp - YtfzsiZIESwhfKRdiuZ/eeMYyAedeW2mEd2zZbAfw0QNM4bSWwtQ2Iogh96nwQDL - 2Nt8kN2J+YrUFiyCeECEreUUIlqvMxhymMou/FAFsUPYQXPdTYX5tvrls4AM5PcI - AbYvat4R7du5CKNM6uU3pY/C2Ufam2oSiikQs8HuwT8UnJ1qHxN5N89jlkjL8Esf - bZ+HiTLM+AXvnhnTdnSLUwCiXfEq8lBOrhYMuijdAu1b3AbVH0DxDk94rBndoo/S - XAEaUggPJtMqmxuDudXnoM1vedLyTKJaBaOFh1S0koTgspw3tVotyxFZMkO3F8Wf - TTznEnF/6+dyQ0du9q/ldyT34pP9JRVvQ24w+Fs7zvZM4kcUJSggOnMcqT58 - =oBkN - -----END PGP MESSAGE----- - fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B + pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.1 diff --git a/cluster/apps/monitoring/uptimerobot-heartbeat/kustomization.yaml b/cluster/apps/monitoring/uptimerobot-heartbeat/kustomization.yaml index da26f064..94b153b7 100644 --- a/cluster/apps/monitoring/uptimerobot-heartbeat/kustomization.yaml +++ b/cluster/apps/monitoring/uptimerobot-heartbeat/kustomization.yaml @@ -3,7 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - cron-job.yaml - - secret.enc.yaml + - secret.sops.yaml namespace: monitoring configMapGenerator: - name: uptimerobot-heartbeat diff --git a/cluster/apps/monitoring/uptimerobot-heartbeat/secret.enc.yaml b/cluster/apps/monitoring/uptimerobot-heartbeat/secret.enc.yaml deleted file mode 100644 index 552bf573..00000000 --- a/cluster/apps/monitoring/uptimerobot-heartbeat/secret.enc.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: uptimerobot-heartbeat-url - namespace: monitoring -stringData: - UPTIMEROBOT_HEARTBEAT_URL: ENC[AES256_GCM,data:m3b/ofgV6nF8+WrUnEmfJI1ZeMU8sd0OB2n846Cu6pTGUAf6Ox89pa67iOMKZvlNt0C40QWcO6bsDfCrg88IE5FQUU7Nop7U+A6NIELjsG0d1HTgNg==,iv:ixqKnjIpD/fb49maF+gU+eeOP1vqnsPxjHf8q/oKJ1U=,tag:Oo7CzCda3u6N2uRORIvAqg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-05-14T21:07:51Z" - mac: ENC[AES256_GCM,data:tbtw+vy/xMIMIa/2DN4ZcWEcohfqrC4+9NbF0CpSObFSxa8ZKIoIIQNeUcDz/9liGW4CkuhFqnIRTJWjyjCZC2PlzowpRUv4pv1fRP6w45z4R+6TyaoAkWHboJE8pE/mjQU4Pz28E/TAUm0NKLWUBtRI/w8hyk/g+6PeFzqODuk=,iv:trYVyCT9yukbY7U2Ab9N/xpujFNSOUjbV5DZZjGWpfo=,tag:c0eLaDB7C8EsZSMpSFlSKQ==,type:str] - pgp: - - created_at: "2021-05-14T21:07:49Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAw1XfxK/K1q7AQ//XZbM/b8aWMm6iDh2JWxtrnbSkgsL3lGpjm+M5s1xJh08 - qxRjcgulSyFdaYj1eY20lGzs2QuhXxwGBhwUVRfkV4HWheJoIrJoDJr8wS4jxC3e - ESztT2cVJn6m3/paN/TVHC9ceftR1K/VfYRfOUcpByAUQ4ThSQQxbR5TeDnb4GgL - upK5khiLVt5Ii/j1lOvLZqSo0dW7kWDiF/NlitdEz6m361SqdCrm8GdpNOOiT+Ts - AXrIDJxJwSimVcM9ytRSohBS1Impk6XrigRwevRukIFELvUy6PY+UzMlRft/Fce/ - RDucYTbhMAO5UfMUimbMr+lZrQCs2bNyxa7hzYzlqIZzWjsnu2q2zF0GEOmnQkQw - /0O42R0xHSidOWAFBr+fIqO8Ab5XgYhkVcktwzlmkhyX3TYJK/cZQhB8F3rhRoAM - NCkY6lldQSPJRDhRsStGl0uiHXJ2PiUka2lpmfVrlbX9PYAICTv1ZkKVarXdNp4L - 3BydC3lyRvUK/k1dEBT538gyADiOYwYX9r4c44qvgTUy1KFHfb0GbufZjEgK/s3S - 7VqcMfUEfTtNpOQzqHMr3MIS3idL0j3X6a1qX1z+OOEEX0Ydat2WH30hQCbuOnJz - MgJ8WBPdPeWRiDNUJeSjqUdu1OtSA44gIs1c8Zn2equr9yAG7JtBYCGzHDMnQ+bS - XgFgnpcuCopylkdki8PWEhhoS6a6JoU2LRhqKp9roWOITVy4gGi8edYUrebt9Ggj - WSkAReZJpfcpr6bMKJ2BLZ7spvxy1RI0oxaUxh4UwjeO+0XUHaXUZp0TlEkoO+k= - =Ro8B - -----END PGP MESSAGE----- - fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B - - created_at: "2021-05-14T21:07:49Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAySEZvKqXwiCAQ/+JOx7mf1TncTkvIhsohvCPrFmPhLrkhE3DBUEhu8ko3JN - 
3KHraOxbKiEBsM7dCTJZ1GpGZm/WrHYvlXMVKx8gyPpfFiD66i19mgeQ4X519NK1 - mUQfSdLTGIwgM9bX/NOO6OhxVdSX7cJpbDNw7/a+72/P9tJCdI7n3QrM+HNcj1fa - mcKu2feZoHrtmWpNjgDzKaxWTtxydIosLDoytUI7M7NyBdLjlrRJL8BiFRa97HRu - 0SCHIwDkHQTgjPgdRMuEdT81GI+gPql/QMe8c1xe4k7rOuyEIJj248evYmiEwazX - cXzePvP1zaP/0eVX2R5mMmX9j6nHN+IzYMiwF64guVgL+nwJrtJaZU8yW8Dxclb+ - BxHr9MvjgHpqzRpFkzHCTWtJ60vLUXhyqcK6JmrOhDFloYyyRSSOaQhNoyAJSwV5 - 9Oa6AMqDBj+L7NAzUBLU/3xQj6kBFXI+T8rWHSg4dtGOuDwa8uNjXhw256DXOlJ+ - qABxVI413t3RWsKYo1/3uG6KWX9X81kSHDyWcwTaxU4Sc3Tf4tBxXZP+W/LXt1Sz - jj0izN2h4f1MVJ45wqWCBP0dx5pIpq7AMJ/y0TD+gGlR9OYxXV3dA1PjpZ2LZ9t1 - C4hI18B3ddDoZ3eLTt32h98KaCbnn7QBBFAaEcZ9/6HUjpQcF31O0CJzm+tK5kzS - XgFv+PZ4aa6RvRnf3kIYocrx6+KlaejDiSXw7QVtRGBXuYktzGhvdpxhtzgG/MuJ - 2JnuCnL8JhDUeO7Wa9JF7qNCzrVaRNTTMa+Y+cSnXCWADPpiGlprDkM+IZa6E2Q= - =1OR5 - -----END PGP MESSAGE----- - fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/apps/monitoring/uptimerobot-heartbeat/secret.sops.yaml b/cluster/apps/monitoring/uptimerobot-heartbeat/secret.sops.yaml new file mode 100644 index 00000000..dc409abf --- /dev/null +++ b/cluster/apps/monitoring/uptimerobot-heartbeat/secret.sops.yaml 
@@ -0,0 +1,28 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: uptimerobot-heartbeat-url + namespace: monitoring +stringData: + UPTIMEROBOT_HEARTBEAT_URL: ENC[AES256_GCM,data:m3b/ofgV6nF8+WrUnEmfJI1ZeMU8sd0OB2n846Cu6pTGUAf6Ox89pa67iOMKZvlNt0C40QWcO6bsDfCrg88IE5FQUU7Nop7U+A6NIELjsG0d1HTgNg==,iv:ixqKnjIpD/fb49maF+gU+eeOP1vqnsPxjHf8q/oKJ1U=,tag:Oo7CzCda3u6N2uRORIvAqg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxUy9aSThsQzcweEtpbHNq + QmYrZXhtdVVMazQxeHMvZDdyL2x1cWd1VTJBCk5iVFBmRmhqLzl4Q0ZPdEt5QTNS + Wm42bnV0Z2p3SzRsWGJpZTljb3ZTb0EKLS0tIG1BdnI5SU43NDdsek1kaU1YZnVJ + aW1MdDJIbklSeGZ5T1hCOUlSbnJoWXMKZh95987xS/3g5LXhCb0yLJeEC6JcdbWz + Nn/ssgiBBkoy8yvo6yqSOlpLtgWevDPRqjg8z/mihxf6g80V+Kqbgg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-05-14T21:07:51Z" + mac: ENC[AES256_GCM,data:tbtw+vy/xMIMIa/2DN4ZcWEcohfqrC4+9NbF0CpSObFSxa8ZKIoIIQNeUcDz/9liGW4CkuhFqnIRTJWjyjCZC2PlzowpRUv4pv1fRP6w45z4R+6TyaoAkWHboJE8pE/mjQU4Pz28E/TAUm0NKLWUBtRI/w8hyk/g+6PeFzqODuk=,iv:trYVyCT9yukbY7U2Ab9N/xpujFNSOUjbV5DZZjGWpfo=,tag:c0eLaDB7C8EsZSMpSFlSKQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.1 diff --git a/cluster/core/monitoring/uptimerobot-operator/helm-release.yaml b/cluster/apps/monitoring/uptimerobot-operator/helm-release.yaml similarity index 100% rename from cluster/core/monitoring/uptimerobot-operator/helm-release.yaml rename to cluster/apps/monitoring/uptimerobot-operator/helm-release.yaml diff --git a/cluster/apps/kube-system/node-problem-detector/kustomization.yaml b/cluster/apps/monitoring/uptimerobot-operator/kustomization.yaml similarity index 100% rename from cluster/apps/kube-system/node-problem-detector/kustomization.yaml rename to cluster/apps/monitoring/uptimerobot-operator/kustomization.yaml 
diff --git a/cluster/apps/networking/blocky/helm-release.yaml b/cluster/apps/networking/blocky/helm-release.yaml
deleted file mode 100644
index 87c2e782..00000000
--- a/cluster/apps/networking/blocky/helm-release.yaml
+++ /dev/null
@@ -1,112 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: blocky - namespace: networking -spec: - interval: 5m - chart: - spec: - # renovate: registryUrl=https://k8s-at-home.com/charts/ - chart: blocky - version: 9.1.0 - sourceRef: - kind: HelmRepository - name: k8s-at-home-charts - namespace: flux-system - interval: 5m - values: - image: - repository: ghcr.io/0xerr0r/blocky - tag: v0.16 - env: - TZ: "America/Chicago" - controller: - enabled: true - type: deployment - strategy: RollingUpdate - replicas: 3 - service: - main: - ports: - http: - port: 4000 - dns-tcp: - enabled: true - type: LoadBalancer - loadBalancerIP: ${LB_BLOCKY_IP}" - externalTrafficPolicy: Local - ports: - dns-tcp: - enabled: true - port: 53 - protocol: TCP - targetPort: 53 - dns-udp: - enabled: true - type: LoadBalancer - loadBalancerIP: "${LB_BLOCKY_IP}" - externalTrafficPolicy: Local - ports: - dns-tcp: - enabled: true - port: 53 - protocol: UDP - targetPort: 53 - ingress: - main: - enabled: true - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - hosts: - - host: "blocky.${SECRET_DOMAIN}" - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - "blocky.${SECRET_DOMAIN}" - config: | - upstream: - externalResolvers: - - udp:${GATEWAY_IP} - blocking: - blackLists: - ads: - # https://oisd.nl/ - - https://raw.githubusercontent.com/ookangzheng/dbl-oisd-nl/master/dbl.txt - whiteLists: - ads: - - https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt - clientGroupsBlock: - default: - - ads - clientLookup: - upstream: udp:${GATEWAY_IP} - prometheus: - enable: true - path: /metrics - httpPort: 4000 - logLevel: info - prometheus: - serviceMonitor: - enabled: true - podAnnotations: - configmap.reloader.stakater.com/reload: "blocky-config" - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - 
operator: In - values: - - blocky - topologyKey: "kubernetes.io/hostname" - resources: - requests: - memory: 100Mi - cpu: 100m - limits: - memory: 750Mi diff --git a/cluster/apps/networking/blocky/kustomization.yaml b/cluster/apps/networking/blocky/kustomization.yaml deleted file mode 100644 index db69d001..00000000 --- a/cluster/apps/networking/blocky/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- helm-release.yaml \ No newline at end of file diff --git a/cluster/apps/networking/external-dns/kustomization.yaml b/cluster/apps/networking/external-dns/kustomization.yaml index 7f8ee098..19a127bc 100644 --- a/cluster/apps/networking/external-dns/kustomization.yaml +++ b/cluster/apps/networking/external-dns/kustomization.yaml @@ -1,5 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- secret.enc.yaml +- secret.sops.yaml - helm-release.yaml diff --git a/cluster/apps/networking/external-dns/secret.enc.yaml b/cluster/apps/networking/external-dns/secret.enc.yaml deleted file mode 100644 index ffe78116..00000000 --- a/cluster/apps/networking/external-dns/secret.enc.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: cloudflare-api-key - namespace: networking -stringData: - cloudflare_api_key: ENC[AES256_GCM,data:27GLFDiPCUKD2Kykafrtb+rnmIzlBLySg9x1bB6oo/nOYCJz2Q==,iv:Z0Q6Nogdo2/aa+SOl79rjUShA28Cm3PkpWD64NexVS0=,tag:rswURlC0GXhKrgYcbVGClg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-05-14T01:49:38Z" - mac: ENC[AES256_GCM,data:+AxMVyTaGtXeKT2kldCSb3tKQzL2MtPmUNoCYHzFpMcBjaustkPeEo67eEaHcnzL0mTZbHQNnyinOP+uCnNkjTe/QMuScm+Pwr7ZFNGj+OrVVOTzHRe2NSuDa1PXwZlG1CuBzmZysFDwyOhj5hiS6387Gpi4tcqYAJSDaL6B2hs=,iv:SFuHIuniSPIcYmBPq/1k6F2ZOKVC4kW5rZoji39lWfc=,tag:pMAmjvzMkTR3Zavd9n2fxw==,type:str] - pgp: - - created_at: "2021-05-14T01:49:36Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAw1XfxK/K1q7ARAAnCh13ASgSSfXgABIaRe0poS+qut8OFTdRjmUr/H6cJSP - 2WjvSfOSSkFMhzO9PoJS9qWjHb0dkLo/se+awdhHbeLrleF6CrlPWpYEo2nTpzN5 - 7KmIp4zJrwu1h5BeylNhnGgyGw34jwstht/cq0qS0yeu+XUpTl9GxaVFJJoIbneN - /lb6Xpy4XQUM2SCDszkjCc4kO4TtZAGCnaqZYW4DeyFo3qoOes2TMI3QBAYPQFWN - T1bRHm2jCOYp2jhrYG7X5H5L0KtGt7fwx14TrnfZ34/vw/XHXPYav8Mmf0EE7I+y - 9ZeKkxe1VHltTlFItv5wDdnusKiTIRoCVscoYQkPl+miB+Tnci4NPN+8nCgz26vF - m6vS7B8j4czFmWQwl3nYcWZRRec35nhwBcr7BEqsFlaJLNenZfJj+imm3iCYUYpj - Q+U/d6Pyub6TvpIzoy1r/uaRnb7QXM/E3A2Sh/astQW5EYgPqkTIdEbbLpWn3bKn - DZhIpHWea0eSmclzUCOMIAYxqHMLoHmktMfI62TIHqWwRTPsIMko2l4IzXCfoUWR - V9fvy979EJY5IhO8MqpNcp4Arw11nlZ+0p4aUglkfqLet+cvJ5Wurz+GnXkss17s - eh01c62bkIHp78RCLk+qah7DSk1xQGHro7sR5MOxDa/lSPSPWDTo5E9Q569vFOnS - XAGSZ8nU+1ZVn2jDsZP4fWlTLlkQEQYDIn3Sthl3USyJDJf+nYjgY0s1b59w6uw7 - m9RUdHTKqq9SxwOBYpQ4lJITcElJLpRW+LTDR8YVhC2vyNtVxaRiPJwdthwW - =W6Sy - -----END PGP MESSAGE----- - fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B - - created_at: "2021-05-14T01:49:36Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAySEZvKqXwiCAQ//aykTcpDPcay5AdNXwgF3knbnjkEa0nRe2vLRNFLYel+c - i+XpceBlHXGSH3cMFi1mBLjB6dlBNC9Yu8cxa0WAePKGCrKHOcfc0HcUXrhDSCp7 - 
9uxyXG7yx6Oirq2+T8eAqzU8DO7jinGlxZeXCQyn/1wWiuXD6FvSoqO54+pWabIl - ZpCPVqIzK7RZyRXHN03psPRNv11UBzjBLRI9ebkZSuaqsrIsc7s0ptTHcCNCbhha - O7iOXS1gAH8P436SCnfkP0VPTnV3De+PdfCSADoR7GPw2PdCZPJhU8gIANQTqU8v - vgI21Vr1XoPd6wPtbNL1dva/Xzx0jIAzkykGiwTE/oPJNVnep64dGC+3SpuXeIKv - 9QN/5xfe/0zyoMN3CLMjMSWS6NNWpGyw3C85fhnCDFMC8+lpnZKkCDCxhm4op/Rx - cNEbVBRuQHJaCqoj6HxnGR+JjUWzs8Lf/RX6wvOZZ2fr+NhByK4ZN4cVlAoiWE/s - zQ68VebcTXX3MwEChrKBn09W7Fqwcjd/wqE2mYtCjFZtgql86O597NsiXVoSUxQP - GWA9+rYHwyuRI6gkGzuxGvjrFuevqr/szKX7vy5a6MUAYGrNirZKeNk5XVUk7fU7 - LT9rS7PD8eHcAAg29zdXIUZv3cM4ZQtzV3uKpVtViDebajsk5i7dDJBB+FcqDB3S - XAHfYbhCK2cCoIgd+os5uzg5zjHeSRoXa9V1aOSm79+tzWv6z5vIHIoxXmGatb8T - YhfMz3Ue3dgGPkhpS35KPrWhagzxrxNMrV4TlfKVqrKWBcaHQpsjlkHLiXnH - =Pvda - -----END PGP MESSAGE----- - fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/apps/networking/external-dns/secret.sops.yaml b/cluster/apps/networking/external-dns/secret.sops.yaml new file mode 100644 index 00000000..2e3167b6 --- /dev/null +++ b/cluster/apps/networking/external-dns/secret.sops.yaml 
@@ -0,0 +1,29 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: cloudflare-api-key + namespace: networking +stringData: + cloudflare_api_key: ENC[AES256_GCM,data:27GLFDiPCUKD2Kykafrtb+rnmIzlBLySg9x1bB6oo/nOYCJz2Q==,iv:Z0Q6Nogdo2/aa+SOl79rjUShA28Cm3PkpWD64NexVS0=,tag:rswURlC0GXhKrgYcbVGClg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWlREN2VZd1JuOS83SmNK + OUNMSnd0NEs1c0dMMjBoM3hWTFhGZVlZT2dzCm1UTXd6Y1U1S090b1FqUWI2VHhS + NHdVSWpKblZVQTZMazFiUkhDVjJEdzgKLS0tIFhKRVJqT2ozOXdYVFpOSHNwMlFZ + aTNMbXV0R3lhclNGYUFGTlR0bmUyblUKvOPRUvUHwOQ20w3eqqloUY1CmCiXgAOX + LAIqWs5P9AXYvbPPFFBGRBEc7zLW1lUS1OaGIRIpZeaUI7dGiWTVtg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2021-05-14T01:49:38Z" + mac: ENC[AES256_GCM,data:+AxMVyTaGtXeKT2kldCSb3tKQzL2MtPmUNoCYHzFpMcBjaustkPeEo67eEaHcnzL0mTZbHQNnyinOP+uCnNkjTe/QMuScm+Pwr7ZFNGj+OrVVOTzHRe2NSuDa1PXwZlG1CuBzmZysFDwyOhj5hiS6387Gpi4tcqYAJSDaL6B2hs=,iv:SFuHIuniSPIcYmBPq/1k6F2ZOKVC4kW5rZoji39lWfc=,tag:pMAmjvzMkTR3Zavd9n2fxw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.1 diff --git a/cluster/apps/networking/wildcard-certificate/certificate.yaml b/cluster/apps/networking/ingress-nginx/certificate.yaml similarity index 64% rename from cluster/apps/networking/wildcard-certificate/certificate.yaml rename to cluster/apps/networking/ingress-nginx/certificate.yaml index 9b04a327..845b151c 100644 --- a/cluster/apps/networking/wildcard-certificate/certificate.yaml +++ b/cluster/apps/networking/ingress-nginx/certificate.yaml 
@@ -5,6 +5,10 @@ metadata: name: "${SECRET_DOMAIN/./-}" namespace: networking spec: + secretTemplate: + annotations: + reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" + reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kasten-io" secretName: "${SECRET_DOMAIN/./-}-tls" issuerRef: name: letsencrypt-production diff --git a/cluster/apps/networking/ingress-nginx/cloudflare-proxied-networks.txt b/cluster/apps/networking/ingress-nginx/cloudflare-proxied-networks.txt new file mode 100644 index 00000000..251d1a13 --- /dev/null +++ b/cluster/apps/networking/ingress-nginx/cloudflare-proxied-networks.txt @@ -0,0 +1 @@ +173.245.48.0/20\,103.21.244.0/22\,103.22.200.0/22\,103.31.4.0/22\,141.101.64.0/18\,108.162.192.0/18\,190.93.240.0/20\,188.114.96.0/20\,197.234.240.0/22\,198.41.128.0/17\,162.158.0.0/15\,104.16.0.0/13\,104.24.0.0/14\,172.64.0.0/13\,131.0.72.0/22\,2400:cb00::/32\,2606:4700::/32\,2803:f800::/32\,2405:b500::/32\,2405:8100::/32\,2a06:98c0::/29\,2c0f:f248::/32 \ No newline at end of file diff --git a/cluster/apps/networking/ingress-nginx/helm-release.yaml b/cluster/apps/networking/ingress-nginx/helm-release.yaml new file mode 100644 index 00000000..caf2900a --- /dev/null +++ b/cluster/apps/networking/ingress-nginx/helm-release.yaml 
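Review bot: The new `secretTemplate` annotations turn on auto-reflection of the wildcard TLS Secret, private key included, into `kasten-io`, but as far as I recall reflector also requires `reflector.v1.k8s.emberstack.com/reflection-allowed: "true"` on the source and uses `reflection-allowed-namespaces` as the pull-side allow-list, so without them auto-reflection may not happen and, once it does, nothing restricts which namespaces may request a copy. Adding `reflector.v1.k8s.emberstack.com/reflection-allowed: "true"` and `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kasten-io"` alongside the two existing annotations keeps the copy limited to the one namespace that needs it. Because this duplicates the wildcard private key, a comment naming what in `kasten-io` consumes it would let the next reader judge whether the copy is still needed. The rest of the Certificate is outside the hunk.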
@@ -0,0 +1,114 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: ingress-nginx + namespace: networking +spec: + interval: 15m + chart: + spec: + chart: ingress-nginx + version: 4.1.4 + sourceRef: + kind: HelmRepository + name: ingress-nginx-charts + namespace: flux-system + interval: 15m + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 + dependsOn: + - name: cert-manager + namespace: kube-system + values: + controller: + replicaCount: 3 + extraEnvs: + - name: TZ + value: "${TIMEZONE}" + service: + externalIPs: + - "${SVC_NGINX_ADDR}" + externalTrafficPolicy: Local + publishService: + enabled: true + ingressClassResource: + default: true + config: + client-header-timeout: 120 + client-body-buffer-size: "100M" + client-body-timeout: 120 + custom-http-errors: |- + 401,403,404,500,501,502,503 + enable-brotli: "true" + forwarded-for-header: "CF-Connecting-IP" + hsts-max-age: "31449600" + keep-alive: 120 + keep-alive-requests: 10000 + proxy-body-size: "100M" + ssl-protocols: "TLSv1.3 TLSv1.2" + use-forwarded-headers: "true" + metrics: + enabled: true + serviceMonitor: + enabled: true + namespace: networking + namespaceSelector: + any: true + extraArgs: + default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-tls" + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: controller + podAnnotations: + configmap.reloader.stakater.com/reload: "cloudflare-proxied-networks" + resources: + requests: + cpu: 10m + memory: 250Mi + limits: + memory: 500Mi + defaultBackend: + enabled: true + image: + repository: ghcr.io/tarampampam/error-pages + tag: 2.16.0 + replicaCount: 3 + extraEnvs: + - name: TEMPLATE_NAME + value: ghost + - name: SHOW_DETAILS + value: "false" + affinity: + podAntiAffinity: + 
preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - ingress-nginx + - key: app.kubernetes.io/component + operator: In + values: + - default-backend + topologyKey: kubernetes.io/hostname + valuesFrom: + # Cloudflare Networks + # https://www.cloudflare.com/ips/ + - targetPath: controller.config.proxy-real-ip-cidr + kind: ConfigMap + name: cloudflare-proxied-networks + valuesKey: cloudflare-proxied-networks.txt diff --git a/cluster/apps/networking/ingress-nginx/kustomization.yaml b/cluster/apps/networking/ingress-nginx/kustomization.yaml new file mode 100644 index 00000000..d52e330a --- /dev/null +++ b/cluster/apps/networking/ingress-nginx/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: networking +resources: + - dashboard + - helm-release.yaml + - certificate.yaml +configMapGenerator: + - name: cloudflare-proxied-networks + files: + - cloudflare-proxied-networks.txt +generatorOptions: + disableNameSuffixHash: true \ No newline at end of file diff --git a/cluster/apps/networking/kustomization.yaml b/cluster/apps/networking/kustomization.yaml index c6cde44e..51f65afa 100644 --- a/cluster/apps/networking/kustomization.yaml +++ b/cluster/apps/networking/kustomization.yaml @@ -1,7 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- blocky -- external-dns -- traefik -- wildcard-certificate + - namespace.yaml + - ingress-nginx + - external-dns diff --git a/cluster/apps/networking/namespace.yaml b/cluster/apps/networking/namespace.yaml new file mode 100644 index 00000000..63a2c4e8 --- /dev/null +++ b/cluster/apps/networking/namespace.yaml 
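Review bot: `use-forwarded-headers: "true"` together with `forwarded-for-header: "CF-Connecting-IP"` is only safe while `controller.config.proxy-real-ip-cidr` is narrowed to the Cloudflare ranges injected by the `valuesFrom` entry at the end of the file; if that entry or the `cloudflare-proxied-networks` ConfigMap is removed, the controller falls back to its documented default of trusting `0.0.0.0/0`, as I read the ingress-nginx docs, and any client can then supply its own source address. A comment next to `use-forwarded-headers` making that coupling explicit is worth adding, e.g. `# only safe while proxy-real-ip-cidr (valuesFrom below) is limited to Cloudflare; the controller default trusts 0.0.0.0/0`. The CIDR list in `cloudflare-proxied-networks.txt` is a manual copy of cloudflare.com/ips, so the comment should also record when it was last synced.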
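Review bot: `disableNameSuffixHash: true` and the `\,` escaping inside `cloudflare-proxied-networks.txt` are both load-bearing and neither is documented: the HelmRelease looks the ConfigMap up by the fixed name `cloudflare-proxied-networks`, and Flux's `targetPath` injection parses the value with Helm `--set` syntax, where an unescaped comma would split the list into separate values. A comment above the generator, e.g. `# fixed name: referenced by HelmRelease valuesFrom; commas in the .txt are escaped for Flux targetPath parsing`, records both. `resources` also lists `dashboard`, which is not added anywhere in this diff as far as I can see; if that directory is not present the kustomize build fails.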
@@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: networking + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + goldilocks.fairwinds.com/enabled: "true" + k10.kasten.io/ignorebackuppolicy: "true" \ No newline at end of file diff --git a/cluster/apps/networking/traefik/dashboard/ingress.yaml b/cluster/apps/networking/traefik/dashboard/ingress.yaml deleted file mode 100644 index ecdbdcb9..00000000 --- a/cluster/apps/networking/traefik/dashboard/ingress.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: dashboard - namespace: networking - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: "networking-rfc1918@kubernetescrd" -spec: - tls: - - hosts: - - "traefik.${SECRET_DOMAIN}" - secretName: "${SECRET_DOMAIN/./-}-tls" - rules: - - host: traefik.${SECRET_DOMAIN} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: traefik - port: - number: 9000 diff --git a/cluster/apps/networking/traefik/external/minio.yaml b/cluster/apps/networking/traefik/external/minio.yaml deleted file mode 100644 index 54ff1c7c..00000000 --- a/cluster/apps/networking/traefik/external/minio.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: minio - namespace: networking -spec: - entryPoints: - - websecure - routes: - - match: Host(`s.${SECRET_DOMAIN}`) - kind: Rule - services: - - name: minio - port: 443 - middlewares: - - name: cloudflare - tls: - secretName: "${SECRET_DOMAIN/./-}-tls" ---- -kind: Service -apiVersion: v1 -metadata: - name: minio - namespace: networking -spec: - type: ExternalName - externalName: s3.${SECRET_DOMAIN} ---- -apiVersion: externaldns.k8s.io/v1alpha1 -kind: DNSEndpoint -metadata: - name: minio - namespace: networking -spec: - endpoints: - - dnsName: "s.${SECRET_DOMAIN}" - recordType: CNAME - targets: - - "ipv4.${SECRET_DOMAIN}" diff --git a/cluster/apps/networking/traefik/helm-release.yaml b/cluster/apps/networking/traefik/helm-release.yaml deleted file mode 100644 index 05179f21..00000000 --- a/cluster/apps/networking/traefik/helm-release.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: traefik - namespace: networking -spec: - interval: 5m - chart: - spec: - # renovate: registryUrl=https://helm.traefik.io/traefik - chart: traefik - version: 10.6.2 - sourceRef: - kind: HelmRepository - name: traefik-charts - namespace: flux-system - interval: 5m - dependsOn: - - name: cert-manager - namespace: cert-manager - values: - image: - name: ghcr.io/k8s-at-home/traefik - deployment: - kind: Deployment - replicas: 2 - service: - enabled: true - type: LoadBalancer - spec: - loadBalancerIP: "${LB_TRAEFIK_IP}" - externalTrafficPolicy: Local - annotations: - external-dns.alpha.kubernetes.io/hostname: "ipv4.${SECRET_DOMAIN},ipv4.${SECRET_DOMAIN_2}" - logs: - general: - format: json - level: DEBUG - access: - enabled: true - format: json - ingressClass: - enabled: true - isDefaultClass: true - fallbackApiVersion: v1 - ingressRoute: - dashboard: - enabled: false - globalArguments: - - "--api.insecure=true" - - "--serverstransport.insecureskipverify=true" - - "--metrics.prometheus=true" - - "--metrics.prometheus.entryPoint=metrics" - - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32" - additionalArguments: - - "--providers.kubernetesingress.ingressendpoint.ip=${LB_TRAEFIK_IP}" - - "--providers.kubernetesingress.allowexternalnameservices=true" - - "--providers.kubernetescrd.allowexternalnameservices=true" - ports: - traefik: - expose: true - web: - redirectTo: websecure - websecure: - tls: - enabled: true - options: "default" - metrics: - port: 8082 - expose: true - exposedPort: 8082 - tlsOptions: - 
default: - minVersion: VersionTLS12 - maxVersion: VersionTLS13 - sniStrict: true - pilot: - enabled: false - token: "${SECRET_TRAEFIK_PILOT_TOKEN}" - experimental: - plugins: - enabled: false - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - traefik - topologyKey: kubernetes.io/hostname - resources: - requests: - memory: 100Mi - cpu: 500m - limits: - memory: 500Mi diff --git a/cluster/apps/networking/traefik/kustomization.yaml b/cluster/apps/networking/traefik/kustomization.yaml deleted file mode 100644 index b7ce8086..00000000 --- a/cluster/apps/networking/traefik/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- helm-release.yaml -- service-monitor.yaml -- tls-store -- dashboard -- external -- middlewares diff --git a/cluster/apps/networking/traefik/middlewares/basic-auth.yaml b/cluster/apps/networking/traefik/middlewares/basic-auth.yaml deleted file mode 100644 index 33d4b847..00000000 --- a/cluster/apps/networking/traefik/middlewares/basic-auth.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: basic-auth - namespace: networking -spec: - basicAuth: - secret: basic-auth diff --git a/cluster/apps/networking/traefik/middlewares/cloudflare.yaml b/cluster/apps/networking/traefik/middlewares/cloudflare.yaml deleted file mode 100644 index 53a4d495..00000000 --- a/cluster/apps/networking/traefik/middlewares/cloudflare.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: cloudflare-ips - namespace: networking -spec: - ipWhiteList: - sourceRange: - - 103.21.244.0/22 - - 103.22.200.0/22 - - 103.31.4.0/22 - - 104.16.0.0/13 - - 104.24.0.0/14 - - 108.162.192.0/18 - - 131.0.72.0/22 - - 141.101.64.0/18 - - 162.158.0.0/15 - - 172.64.0.0/13 - - 173.245.48.0/20 - - 188.114.96.0/20 - - 190.93.240.0/20 - - 197.234.240.0/22 - - 198.41.128.0/17 - - 2400:cb00::/32 - - 2606:4700::/32 - - 2803:f800::/32 - - 2405:b500::/32 - - 2405:8100::/32 - - 2a06:98c0::/29 - - 2c0f:f248::/32 - # include rfc1918 ranges since traefik chains don't support OR operations - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: cloudflare - namespace: networking -spec: - chain: - middlewares: - - name: cloudflare-ips diff --git a/cluster/apps/networking/traefik/middlewares/external-auth.yaml b/cluster/apps/networking/traefik/middlewares/external-auth.yaml deleted file mode 100644 index fa17979f..00000000 --- a/cluster/apps/networking/traefik/middlewares/external-auth.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: external-auth - namespace: networking -spec: - chain: - middlewares: - - name: cloudflare-ips - - name: security-ak-outpost-traefik@kubernetescrd diff --git a/cluster/apps/networking/traefik/middlewares/internal-auth.yaml b/cluster/apps/networking/traefik/middlewares/internal-auth.yaml deleted file mode 100644 index 5d341b86..00000000 --- a/cluster/apps/networking/traefik/middlewares/internal-auth.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: internal-auth - namespace: networking -spec: - chain: - middlewares: - - name: rfc1918-ips - - name: security-ak-outpost-traefik@kubernetescrd 
diff --git a/cluster/apps/networking/traefik/middlewares/kustomization.yaml b/cluster/apps/networking/traefik/middlewares/kustomization.yaml deleted file mode 100644 index c0c07893..00000000 --- a/cluster/apps/networking/traefik/middlewares/kustomization.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- cloudflare.yaml -- external-auth.yaml -- internal-auth.yaml -- rfc1918.yaml -- redirect-path.yaml -- secret.enc.yaml -- basic-auth.yaml diff --git a/cluster/apps/networking/traefik/middlewares/redirect-path.yaml b/cluster/apps/networking/traefik/middlewares/redirect-path.yaml deleted file mode 100644 index acfea0a1..00000000 --- a/cluster/apps/networking/traefik/middlewares/redirect-path.yaml +++ /dev/null @@ -1,32 +0,0 @@ ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: redirect-regex - namespace: networking -spec: - redirectRegex: - regex: "^(https?://[^/]+/[a-z0-9_]+)$" - replacement: "${1}/" - permanent: true ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: strip-prefix-regex - namespace: networking -spec: - stripPrefixRegex: - regex: - - "/[a-z0-9_]+" ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: redirect-path - namespace: networking -spec: - chain: - middlewares: - - name: redirect-regex - - name: strip-prefix-regex diff --git a/cluster/apps/networking/traefik/middlewares/rfc1918.yaml b/cluster/apps/networking/traefik/middlewares/rfc1918.yaml deleted file mode 100644 index 3cc4b7e5..00000000 --- a/cluster/apps/networking/traefik/middlewares/rfc1918.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: rfc1918-ips - namespace: networking -spec: - ipWhiteList: - sourceRange: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: rfc1918 - namespace: networking -spec: - chain: - middlewares: - - name: rfc1918-ips diff --git a/cluster/apps/networking/traefik/middlewares/secret.enc.yaml b/cluster/apps/networking/traefik/middlewares/secret.enc.yaml deleted file mode 100644 index 76fc9857..00000000 --- a/cluster/apps/networking/traefik/middlewares/secret.enc.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: basic-auth - namespace: networking -data: - users: ENC[AES256_GCM,data:Dmf2Is/oY27z0DGI24g8zeCm3t/vmhv2KK7O//4xKEQQOkERY68XfqdaYiOhXVxAuJGtjQzsZ9vX34c/K8bmyw==,iv:kIeKds7aNt0WpMihc4B/o4N2EDa3vwAcEtQ51ImFwzQ=,tag:QDO9hqA4bhp9qz9aKyDURg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-05-12T07:03:13Z" - mac: ENC[AES256_GCM,data:rscAMwjW5JskPWVhEnb4VcYgXo4XEsjx/xysgKEFkJOR0tj/DQ4avpiVcojP830c2g0n2OPpISlzBTXutPMJ1bPfsvvRJiCYLGuP5NnGaZNww8XraOO0vjgQJgqehhVPNn1ZVfrbrC1UoD1619F220AoCZiLEMdFxLiebDoz9kU=,iv:dB6FmcICT6iMcP4dhYsJizPdR473m93iXB8RXYqYtWE=,tag:3GCFXy0+GBAORTN5AEXsAQ==,type:str] - pgp: - - created_at: "2021-05-12T07:03:12Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAw1XfxK/K1q7AQ//ZhcPN23gHCK3IvHubnVrU99cno9/ogHTT+ufzniI3TSu - 8HnP+QCz+1Sulfbn/USPiiF3CE+9XNBiRAWiMBw7l25nZmeK9hZ4F0t1yxwUZ/Cz - RrSMJjrxg9QYmp8nmY/1BGvrg+KKlFo/IGg25/l391XD7kWIi54ZjwwQDQri4H+f - LB/398LN6gH+Ztydpf1CHkDAYkdgFA1oHKJ5X04oC8iwFAjTzVzGlF64ffO3VANb - gWiAWv7cJe0u5r2EKup/4LLeqi2suV7t5aJwZ1NjuIFDWQqBV6z9gdJydHQ4Ucdd - ngeM7hWAyREPf1FA2MVTSia37WUCjFT/Gz89vdSB5uP6QuKUXauERUixAjovAG6J - kZjkFa3BzRIeBMhdQ320BgJyA24W0FBzykux8bN6lgmUmcybaPlGysjVPJeaH6hD - rImTJb6AEmn1FSKqOneogqOOAnnU05+spAHcz5pv2fehS2K0Vw5fh5wqUW3mhMq3 - E7fIKYB7JjJ1yNz2KFP+54EB0LwK00dpHy2oiScb/B29lBtAsyWGUXMd+9xEZn2F - eDlKCOwG7oUK7ujdi93+krIalSkAQRMHj7k7CyOXTXTP3PXy7x4NIEj5Rv1mItRs - bOZZ3smMOopZ/8YX/fH0n8yFaRXHoBoRCdyUCZoFbLxTZX0yJqEJ3xpHVfxYwCzS - XgGs+JGlEHxTn4Bo5H7luxKQC7S616g0Qxw2ngDxI3uOQN0/f/MCYGOxvv1Arp42 - rdKu+3IgXxak3OcnPitvit94RFW3EzTSKm6L77hy0nnpWfqbswkEbOyVM3io4Sw= - =K8gY - -----END PGP MESSAGE----- - fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B - - created_at: "2021-05-12T07:03:12Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAySEZvKqXwiCAQ/9HxJPyqYR/K7HVIhHgmDdojQPDVb+89X6vpLPHt1kqh2t - nxHMFM9/l3OUPqDu7TSwFrPIiZIn41tGeAxGaGyCCov7NYu8zZS9nDrU6CSbtUwm 
- ESyQvngC6oSxR+51JFZ8z4fm7W+ueWjPq0JhQh8HZwu14G3behvhKDs2kAYQcrwl - kHlb5Iy6BHOGyn8Ebm1E3GXkbJrAaojqOhiPs7tM/YSsW609zAoQiI3s6s0inSFK - ygDWWG9RHbt0Av+uuHXTom2ck8eDYWzvFOjsAzSfH0qygBFLZClaJczCixIbyiCS - WDn3VNO+R54LN5xdvUseec4C9wl5K18gSWeqdWtvMOSdLUI6WxJFFBzhF4k7Wxq8 - b5AVIip9DXDR+QdB+3CYsUYN4h1PwYJdZnvHOLhxQIP7hD8lOFPqmWXMPfm80ygh - fcU0D2R3WG85n0USo+ilx47aL32fuwDBUZbE7ioR3oDUAtCNUG3KyeBM70u2xa4o - ioAoI2/+8bMUWzfTjT1JB6dVFcbsRavPBsKYp4KmylrUWbdXbEPs8zsmcDjYP18S - IKyLto+gf8mxzsoHZiW7Hi/ahDv2VTo404udeg4wYFvXJ3vfHySy6voy/mW2hQqB - wogpaV45Vq7SogR0Zwtwj5GAkmPBX9FmKTcPQuT8goHRz8HqRytscaDmgI/4OqfS - XgEfWsuCwDomk0TfBRo/VPWUh0uQSsEbhOgg5U8MbAC57CKKDQXHacwNQcR6Mm18 - TKmNYtIzen//P9RtEci6yq1JMZ7RzWkoHqRMx93KUZoyE3jWU/dkdmMR6pCZTgY= - =BDTE - -----END PGP MESSAGE----- - fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/apps/networking/traefik/service-monitor.yaml b/cluster/apps/networking/traefik/service-monitor.yaml deleted file mode 100644 index 557ec929..00000000 --- a/cluster/apps/networking/traefik/service-monitor.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: traefik - namespace: networking - labels: - app.kubernetes.io/name: traefik -spec: - endpoints: - - path: /metrics - targetPort: metrics - jobLabel: traefik - namespaceSelector: - matchNames: - - networking - selector: - matchLabels: - app.kubernetes.io/name: traefik diff --git a/cluster/apps/networking/traefik/tls-store/default.yaml b/cluster/apps/networking/traefik/tls-store/default.yaml deleted file mode 100644 index 52a08394..00000000 --- a/cluster/apps/networking/traefik/tls-store/default.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: TLSStore -metadata: - name: default - namespace: networking -spec: - defaultCertificate: - secretName: "${SECRET_DOMAIN/./-}-tls" 
diff --git a/cluster/apps/networking/traefik/tls-store/kustomization.yaml b/cluster/apps/networking/traefik/tls-store/kustomization.yaml deleted file mode 100644 index f79cf6a2..00000000 --- a/cluster/apps/networking/traefik/tls-store/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- default.yaml diff --git a/cluster/apps/networking/wildcard-certificate/kustomization.yaml b/cluster/apps/networking/wildcard-certificate/kustomization.yaml deleted file mode 100644 index f1aec46e..00000000 --- a/cluster/apps/networking/wildcard-certificate/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- certificate.yaml \ No newline at end of file diff --git a/cluster/apps/vpn-gateway/kustomization.yaml b/cluster/apps/vpn-gateway/kustomization.yaml index 93831858..42b2f544 100644 --- a/cluster/apps/vpn-gateway/kustomization.yaml +++ b/cluster/apps/vpn-gateway/kustomization.yaml @@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - helm-release.yaml -- secret.yaml +- secret.sops.yaml diff --git a/cluster/apps/vpn-gateway/secret.sops.yaml b/cluster/apps/vpn-gateway/secret.sops.yaml new file mode 100644 index 00000000..b9772759 --- /dev/null +++ b/cluster/apps/vpn-gateway/secret.sops.yaml 
@@ -0,0 +1,28 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vpn-gateway-vpnconfig
+ namespace: vpn-gateway
+stringData:
+ vpnConfigfile: ENC[AES256_GCM,data:mSNClcqSUJH8X2TmyKu2BxnmNNUM1a9uef4FBdHEGi8iyc2RD/Icyf4NMqVYwvtcb/qOM6Tpke+0/OxgI9kylSCZhwTFg9wyDoCrxCS1IZqxTrZKA9o5HzFuTTJtNRBD+pckuOL3WCXs6ghgq+1Y4eTITqYU2MgmVzIC6QTMMjr8WFPbfULpCQD3vje+8PVklEMLaXlQoz2xwEMO/XrsRWL/Juz4zMa/XP+lZbPKWPC3fm4W/vQltevkdW2uZsDMnYFcK2kQoaGcc0fzczStv9bU9vgcfKIQ1ECdxz2ExE4NSscy36ShHOBYDbcWZgKVcZYGqJrLQfUfp95etVtoRZDFqRExgKq0iK8=,iv:4fJ8tJ8hJOMTEyASQ7sZU5Sv4LlJqTSrhdZOZqi9PPA=,tag:9QK3YXW04nZsjofw0lDTLA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWcWUvRlovRG44K1NvMmJZ
+ eFF0TzRWaHdLQmY1cXJ5TE1iZ2JpNkdmcFJNCkNacVhNNldqUWNyekk4bkJSOXAw
+ bGM1YS9BYnpHUG9aZnpFVkRHRWxPa0EKLS0tIHdsam1zSWtIQ1BOUHBXeXlKUHpt
+ cGdHQ1p2czZOQ2FiUS93NCtPMEM2WEkKrH2EcprBiC3VFVHjN4iqxwQ0DDpdcgWB
+ RfXKGltH3ldip1DFyosTq3Rmn1C/1b2NbeNmTXUA+mzp1CvSgpEa+A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-06-23T05:18:19Z"
+ mac: ENC[AES256_GCM,data:4x37lj39c2Q0FR/5One7xJkgekRk5HVAUTA4JhdNDt19YEUPrZaCVB2LM2OS0ThZOetp8aGywmdSJPuOqFf9AN1hMx1tgXfdNHljEV30YiIBwEpNcjK1AktoZZ63jrV67wA+CB2ax16vtAEMaUn2/e8P2ogbJPR76eRIQZBH6n0=,iv:v2eQdi88JzqvQsYcPBL4I8lvG+StzEnns39sstTNpf4=,tag:xHQ9EzjVmH37dasok8lLMw==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/cluster/apps/vpn-gateway/secret.yaml b/cluster/apps/vpn-gateway/secret.yaml
deleted file mode 100644
index 0d4f9ea8..00000000
--- a/cluster/apps/vpn-gateway/secret.yaml
+++ /dev/null
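Review bot: The ciphertext on the `vpnConfigfile` line, its `iv`/`tag`, the `mac` and `lastmodified: "2022-06-23T05:18:19Z"` are byte-identical to the `secret.yaml` this commit deletes, so the file was only re-wrapped for the new age recipient (consistent with `sops updatekeys`, which re-wraps the existing data key) and still uses the same data key that the two removed PGP keys (`CABC84E7…` and `0E883B2F…`) can unwrap. Anyone holding either PGP key plus the old file from git history can therefore still recover the VPN config; dropping the `pgp:` entries does not revoke their access. Run `sops -r -i cluster/apps/vpn-gateway/secret.sops.yaml` so a fresh data key is generated and the ciphertext actually changes, and since the earlier file remains in history, rotate the VPN credential inside `vpnConfigfile` itself. Note also that `pgp: []` leaves a single age recipient, so losing that identity makes the secret unrecoverable from the repo; a second recipient is worth adding here and in the other `secret.sops.yaml` files this commit introduces.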
@@ -1,59 +0,0 @@
-# yamllint disable
-apiVersion: v1
-kind: Secret
-metadata:
- name: vpn-gateway-vpnconfig
- namespace: vpn-gateway
-stringData:
- vpnConfigfile: ENC[AES256_GCM,data:mSNClcqSUJH8X2TmyKu2BxnmNNUM1a9uef4FBdHEGi8iyc2RD/Icyf4NMqVYwvtcb/qOM6Tpke+0/OxgI9kylSCZhwTFg9wyDoCrxCS1IZqxTrZKA9o5HzFuTTJtNRBD+pckuOL3WCXs6ghgq+1Y4eTITqYU2MgmVzIC6QTMMjr8WFPbfULpCQD3vje+8PVklEMLaXlQoz2xwEMO/XrsRWL/Juz4zMa/XP+lZbPKWPC3fm4W/vQltevkdW2uZsDMnYFcK2kQoaGcc0fzczStv9bU9vgcfKIQ1ECdxz2ExE4NSscy36ShHOBYDbcWZgKVcZYGqJrLQfUfp95etVtoRZDFqRExgKq0iK8=,iv:4fJ8tJ8hJOMTEyASQ7sZU5Sv4LlJqTSrhdZOZqi9PPA=,tag:9QK3YXW04nZsjofw0lDTLA==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age: []
- lastmodified: "2022-06-23T05:18:19Z"
- mac: ENC[AES256_GCM,data:4x37lj39c2Q0FR/5One7xJkgekRk5HVAUTA4JhdNDt19YEUPrZaCVB2LM2OS0ThZOetp8aGywmdSJPuOqFf9AN1hMx1tgXfdNHljEV30YiIBwEpNcjK1AktoZZ63jrV67wA+CB2ax16vtAEMaUn2/e8P2ogbJPR76eRIQZBH6n0=,iv:v2eQdi88JzqvQsYcPBL4I8lvG+StzEnns39sstTNpf4=,tag:xHQ9EzjVmH37dasok8lLMw==,type:str]
- pgp:
- - created_at: "2021-05-23T04:25:25Z"
- enc: |
- -----BEGIN PGP MESSAGE-----
-
- hQIMAw1XfxK/K1q7AQ//d/yXAKPJqcIRrjmW8Ft3juKGcDfGfMBNcPreMCfY0L9M
- NgiRQ1TEfAJ50VI4B5DVotL3s+S/8CZEsnMd0xCmHLcZHsZH6CyoDzwlPaiMOCjV
- Cyy5xWg2iRa3YS0NYIogZgfXzDSrpTjblBynj9qLZjzUm+V/3utzcSN2zYjYx4jE
- C/tLN8a/oLQArH5NWPUBoKE+9OX90/DpdfwBti8nGqIlVgIKQ57hBFPfnu4Cfjtj
- B6K9clgxmNvIs6TIAIOpHD5hcG7oUuAhOChtJMSH+krVVnJnG/k5PK7rrGtQNUq5
- Zt2mKljW6FpmZkfqkoHIhIrnnQoJizJ9Mgab/Kw5m2p1CnJlfocvOt6u9YE80RUl
- 5RaF9+eKtYhn9eTozhd31HogvykZcZ/SiZ/jHfgGy3x9HnCn8/mXanwoEnaSDwal
- AH7tAxD5+oDkpdyt37kyAhVEhtnhTjuS90pDpeOsyh4sWC/0Se/m3RYi//if5MUt
- pKhfsLq2fOTaL2pBMpmjN2s80CCqw5PDwlUCzKr8tOwPxR1TY9HogjZA9/x5xLVv
- tOxj06eoCFk5w5hsdfd1i/omc7T2p2IGP7myZ+iYTga9L0iVYdC3/32Th/XxFTMI
- td2HXZdPXvQXYoi9ft6NMUbgn129aL5rT7DI8DC8JhCIW3GYDLG3un1A8qMcBz3S
- XgFBREX39nBz3ZEa5Q7D9o/Q2zZ1VVw3srDnJUi2HyW4MoH6/iMlL5fhdUR0874K
- caJ37bJdIeavwoq28LYpzdl1H2siSmotHnWqpYo9V0BqBGbKMtBdsDAPgAj6CDo=
- =3ulM
- -----END PGP MESSAGE-----
- fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B
- - created_at: "2021-05-23T04:25:25Z"
- enc: |
- -----BEGIN PGP MESSAGE-----
-
- hQIMAySEZvKqXwiCARAAiOusqNF8lAlCSDHsz5qFTspDoW3diCnl3tGRC2bNPxhu
- K+wfvmJzqQpd0Nn3lEhZ5SxpTorwBrDZePllmvSIwaMTVg47G+MUFUeTEH8EacUx
- 4K2Nh11RgZppyM1C00cAiaytSVV5S8pNi/cizFJvGblc5sZiasFry8QsUVVD9fZm
- zf9i/OfHh1NOH1FpM7mE1UYiLofJaGM1ADtsGYlsZlsImeEGth9ZRWOOONeRl/r3
- Og8TG6yaPSjnu7WeC2yxO0fBqWE8dmYdQ8JXyDI/2ZsugiEJmdgR9KptzAWckjyY
- RSmu6G2pnIaYNDimzm7Tt/lqgpmN7HI/hjVC14Iv/amuzC620HmH4gefpR6Czvz3
- 1bngkKQ0X3jAmDgROEUZpYv8F2MMipXsG3K89aicVdTXcBxfiiKk+2HTJWMZyk9E
- iy/JA9OMqjhRE6+hY7GbC+BFkRbIUw/Oe04DqWcY9LBQeJ1pnCZelzJosSc53peA
- l2kf1ff5mqvI4JsvO5ENM3HeXVGOYARhZqMPu9Vto4xhYNi1KKhi5I1TKhan+i5z
- 2qsFy7AtXvDYghkMEROsyJqTZRcLMJwDrCU0B1R8YG2VOz/8+MI3F7qJrILDDiDb
- nezozUZOCOIEAklSz0UQAteWW0j/6lBytP6Yr3sMc0zg6/HSnHzLmU4eVioifYfS
- XgFOa7Ud91Unrgyf+SeupPJW0+rH1TNDBiOOSkWdGDBgkcWWngqz1qgnmf0xFYX0
- xUiRuTs8Goyp0slwxmFEHXiiWfrGsD+tdeYJWBWoxBm75wqiejfHEchln2saSEU=
- =c0ve
- -----END PGP MESSAGE-----
- fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B
- encrypted_regex: ^(data|stringData)$
- version: 3.7.3
diff --git a/cluster/base/flux-system/charts/git/benji-charts.yaml b/cluster/base/flux-system/charts/git/benji-charts.yaml
deleted file mode 100644
index fe0c0ba3..00000000
--- a/cluster/base/flux-system/charts/git/benji-charts.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: GitRepository
-metadata:
- name: benji-charts
- namespace: flux-system
-spec:
- interval: 10m
- url: https://github.com/elemental-lf/benji
- ref:
- tag: v0.15.0
- ignore: |
- # exclude all
- /*
- # include charts directory
- !/charts/
diff --git a/cluster/base/flux-system/charts/git/kustomization.yaml b/cluster/base/flux-system/charts/git/kustomization.yaml
deleted file mode 100644
index 3dceb104..00000000
--- a/cluster/base/flux-system/charts/git/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- benji-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/kustomization.yaml b/cluster/base/flux-system/charts/helm/kustomization.yaml
deleted file mode 100644
index f9965157..00000000
--- a/cluster/base/flux-system/charts/helm/kustomization.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ananace-charts.yaml
-- authentik-charts.yaml
-- bitnami-charts.yaml
-- blakeshome-charts.yaml
-- cilium-charts.yaml
-- coredns-charts.yaml
-- deliveryhero-charts.yaml
-- drone-charts.yaml
-- fairwinds-charts.yaml
-- falco-security-charts.yaml
-- grafana-charts.yaml
-- infracloudio-charts.yaml
-- ingress-nginx-charts.yaml
-- jetstack-charts.yaml
-- k8s-at-home-charts.yaml
-- kubernetes-sigs-descheduler-charts.yaml
-- lwolf-charts.yaml
-- mailu-charts.yaml
-- nfs-subdir-external-provisioner-charts.yaml
-- node-feature-discovery-charts.yaml
-- nvidia-charts.yaml
-- prometheus-community-charts.yaml
-- rook-ceph-charts.yaml
-- stakater-charts.yaml
-- hajimari-charts.yaml
-- toboshii-charts.yaml
-- traefik-charts.yaml
-- uptimerobot-operator-charts.yaml
-- vernemq-charts.yaml
-- weaveworks-kured-charts.yaml
diff --git a/cluster/base/flux-system/charts/kustomization.yaml b/cluster/base/flux-system/charts/kustomization.yaml
deleted file mode 100644
index 12298a69..00000000
--- a/cluster/base/flux-system/charts/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- git
-- helm
diff --git a/cluster/base/flux-system/gotk-components.yaml b/cluster/base/flux-system/gotk-components.yaml
deleted file mode 100644
index d60288cc..00000000
--- a/cluster/base/flux-system/gotk-components.yaml
+++ /dev/null
@@ -1,4054 +0,0 @@ ---- -# Flux version: v0.20.1 -# Components: source-controller,kustomize-controller,helm-controller,notification-controller -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: flux-system ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - creationTimestamp: null - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: alerts.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Alert - listKind: AlertList - plural: alerts - singular: alert - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Alert is the Schema for the alerts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AlertSpec defines an alerting rule for events involving a - list of objects - properties: - eventSeverity: - default: info - description: Filter events based on severity, defaults to ('info'). - If set to 'info' no events will be filtered. - enum: - - info - - error - type: string - eventSources: - description: Filter events based on the involved objects. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - type: string - name: - description: Name of the referent - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - name - type: object - type: array - exclusionList: - description: A list of Golang regular expressions to be used for excluding - messages. - items: - type: string - type: array - providerRef: - description: Send events using this provider. - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - summary: - description: Short description of the impact and affected cluster. - type: string - suspend: - description: This flag tells the controller to suspend subsequent - events dispatching. Defaults to false. 
- type: boolean - required: - - eventSources - - providerRef - type: object - status: - default: - observedGeneration: -1 - description: AlertStatus defines the observed state of Alert - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last observed generation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - creationTimestamp: null - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: buckets.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: Bucket - listKind: BucketList - plural: buckets - singular: bucket - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Bucket is the Schema for the buckets API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BucketSpec defines the desired state of an S3 compatible - bucket - properties: - bucketName: - description: The bucket name. 
- type: string - endpoint: - description: The bucket endpoint address. - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS S3 HTTP endpoint. - type: boolean - interval: - description: The interval at which to check for bucket updates. - type: string - provider: - default: generic - description: The S3 compatible storage provider name, default ('generic'). - enum: - - generic - - aws - - gcp - type: string - region: - description: The bucket region. - type: string - secretRef: - description: The name of the secret containing authentication credentials - for the Bucket. - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 20s - description: The timeout for download operations, defaults to 20s. - type: string - required: - - bucketName - - endpoint - - interval - type: object - status: - description: BucketStatus defines the observed state of a bucket - properties: - artifact: - description: Artifact represents the output of the last successful - Bucket sync. - properties: - checksum: - description: Checksum is the SHA1 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. 
It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the Bucket. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change can be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the artifact output of the - last Bucket sync. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - creationTimestamp: null - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: gitrepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: GitRepository - listKind: GitRepositoryList - plural: gitrepositories - shortNames: - - gitrepo - singular: gitrepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec defines the desired state of a Git repository. 
- properties: - gitImplementation: - default: go-git - description: Determines which git client library to use. Defaults - to go-git, valid values are ('go-git', 'libgit2'). - enum: - - go-git - - libgit2 - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Extra git repositories to map into the repository - items: - description: GitRepositoryInclude defines a source with a from and - to path. - properties: - fromPath: - description: The path to copy contents from, defaults to the - root directory. - type: string - repository: - description: Reference to a GitRepository to include. - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - toPath: - description: The path to copy contents to, defaults to the name - of the source ref. - type: string - required: - - repository - type: object - type: array - interval: - description: The interval at which to check for repository updates. - type: string - recurseSubmodules: - description: When enabled, after the clone is created, initializes - all submodules within, using their default settings. This option - is available only when using the 'go-git' GitImplementation. - type: boolean - ref: - description: The Git reference to checkout and monitor for changes, - defaults to master branch. - properties: - branch: - description: The Git branch to checkout, defaults to master. - type: string - commit: - description: The Git commit SHA to checkout, if specified Tag - filters will be ignored. - type: string - semver: - description: The Git tag semver expression, takes precedence over - Tag. - type: string - tag: - description: The Git tag to checkout, takes precedence over Branch. 
- type: string - type: object - secretRef: - description: The secret name containing the Git credentials. For HTTPS - repositories the secret must contain username and password fields. - For SSH repositories the secret must contain identity, identity.pub - and known_hosts fields. - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 20s - description: The timeout for remote Git operations like cloning, defaults - to 20s. - type: string - url: - description: The repository URL, can be a HTTP/S or SSH address. - pattern: ^(http|https|ssh):// - type: string - verify: - description: Verify OpenPGP signature for the Git commit HEAD points - to. - properties: - mode: - description: Mode describes what git object should be verified, - currently ('head'). - enum: - - head - type: string - secretRef: - description: The secret name containing the public keys of all - trusted Git authors. - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - required: - - mode - type: object - required: - - interval - - url - type: object - status: - description: GitRepositoryStatus defines the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the output of the last successful - repository sync. - properties: - checksum: - description: Checksum is the SHA1 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. 
It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - includedArtifacts: - description: IncludedArtifacts represents the included artifacts from - the last successful repository sync. - items: - description: Artifact represents the output of a source synchronisation. - properties: - checksum: - description: Checksum is the SHA1 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. 
- type: string - required: - - path - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change can be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the artifact output of the - last repository sync. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - creationTimestamp: null - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: helmcharts.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: HelmChart - listKind: HelmChartList - plural: helmcharts - shortNames: - - hc - singular: helmchart - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.chart - name: Chart - type: string - - jsonPath: .spec.version - name: Version - type: string - - jsonPath: .spec.sourceRef.kind - name: Source Kind - type: string - - jsonPath: .spec.sourceRef.name - name: Source Name - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: HelmChart is the Schema for the helmcharts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. 
Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmChartSpec defines the desired state of a Helm chart. - properties: - chart: - description: The name or path the Helm chart is available at in the - SourceRef. - type: string - interval: - description: The interval at which to check the Source for updates. - type: string - reconcileStrategy: - default: ChartVersion - description: Determines what enables the creation of a new artifact. - Valid values are ('ChartVersion', 'Revision'). See the documentation - of the values for an explanation on their behavior. Defaults to - ChartVersion when omitted. - enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: The reference to the Source the chart is available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent, valid values are ('HelmRepository', - 'GitRepository', 'Bucket'). - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - valuesFile: - description: Alternative values file to use as the default chart values, - expected to be a relative path in the SourceRef. 
Deprecated in favor - of ValuesFiles, for backwards compatibility the file defined here - is merged before the ValuesFiles items. Ignored when omitted. - type: string - valuesFiles: - description: Alternative list of values files to use as the chart - values (values.yaml is not included by default), expected to be - a relative path in the SourceRef. Values files are merged in the - order of this list with the last file overriding the first. Ignored - when omitted. - items: - type: string - type: array - version: - default: '*' - description: The chart version semver expression, ignored for charts - from GitRepository and Bucket sources. Defaults to latest when omitted. - type: string - required: - - chart - - interval - - sourceRef - type: object - status: - description: HelmChartStatus defines the observed state of the HelmChart. - properties: - artifact: - description: Artifact represents the output of the last successful - chart sync. - properties: - checksum: - description: Checksum is the SHA1 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmChart. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. 
For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change can be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the last chart pulled. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - creationTimestamp: null - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: helmreleases.helm.toolkit.fluxcd.io -spec: - group: helm.toolkit.fluxcd.io - names: - kind: HelmRelease - listKind: HelmReleaseList - plural: helmreleases - shortNames: - - hr - singular: helmrelease - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2beta1 - schema: - openAPIV3Schema: - description: HelmRelease is the Schema for the 
helmreleases API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmReleaseSpec defines the desired state of a Helm release. - properties: - chart: - description: Chart defines the template of the v1beta1.HelmChart that - should be created for this HelmRelease. - properties: - spec: - description: Spec holds the template for the v1beta1.HelmChartSpec - for this HelmRelease. - properties: - chart: - description: The name or path the Helm chart is available - at in the SourceRef. - type: string - interval: - description: Interval at which to check the v1beta1.Source - for updates. Defaults to 'HelmReleaseSpec.Interval'. - type: string - reconcileStrategy: - default: ChartVersion - description: Determines what enables the creation of a new - artifact. Valid values are ('ChartVersion', 'Revision'). - See the documentation of the values for an explanation on - their behavior. Defaults to ChartVersion when omitted. - enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: The name and namespace of the v1beta1.Source - the chart is available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent. 
- enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: Namespace of the referent. - maxLength: 63 - minLength: 1 - type: string - required: - - name - type: object - valuesFile: - description: Alternative values file to use as the default - chart values, expected to be a relative path in the SourceRef. - Deprecated in favor of ValuesFiles, for backwards compatibility - the file defined here is merged before the ValuesFiles items. - Ignored when omitted. - type: string - valuesFiles: - description: Alternative list of values files to use as the - chart values (values.yaml is not included by default), expected - to be a relative path in the SourceRef. Values files are - merged in the order of this list with the last file overriding - the first. Ignored when omitted. - items: - type: string - type: array - version: - default: '*' - description: Version semver expression, ignored for charts - from v1beta1.GitRepository and v1beta1.Bucket sources. Defaults - to latest when omitted. - type: string - required: - - chart - - sourceRef - type: object - required: - - spec - type: object - dependsOn: - description: DependsOn may contain a dependency.CrossNamespaceDependencyReference - slice with references to HelmRelease resources that must be ready - before this HelmRelease can be reconciled. - items: - description: CrossNamespaceDependencyReference holds the reference - to a dependency. - properties: - name: - description: Name holds the name reference of a dependency. - type: string - namespace: - description: Namespace holds the namespace reference of a dependency. - type: string - required: - - name - type: object - type: array - install: - description: Install holds the configuration for Helm install actions - for this HelmRelease. 
- properties: - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. Default is `Create` - and if omitted CRDs are installed but not updated. \n Skip: - do neither install nor replace (update) any CRDs. \n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are applied (installed) during Helm install action. With this - option users can opt-in to CRD replace existing CRDs on Helm - install actions, which is not (yet) natively supported by Helm. - https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - createNamespace: - description: CreateNamespace tells the Helm install action to - create the HelmReleaseSpec.TargetNamespace if it does not exist - yet. On uninstall, the namespace will not be garbage collected. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm install action. - type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm install - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm install has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm install has been performed. - type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm install action for the HelmRelease fails. The - default is to not perform any action. 
- properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an install - action but fail. Defaults to 'Test.IgnoreFailures'. - type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. Defaults - to 'false'. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - an uninstall, is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. - type: integer - type: object - replace: - description: Replace tells the Helm install action to re-use the - 'ReleaseName', but only if that name is a deleted release which - remains in the history. - type: boolean - skipCRDs: - description: "SkipCRDs tells the Helm install action to not install - any CRDs. By default, CRDs are installed if not already present. - \n Deprecated use CRD policy (`crds`) attribute with value `Skip` - instead." - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm install action. Defaults to 'HelmReleaseSpec.Timeout'. - type: string - type: object - interval: - description: Interval at which to reconcile the Helm release. - type: string - kubeConfig: - description: KubeConfig for reconciling the HelmRelease on a remote - cluster. When specified, KubeConfig takes precedence over ServiceAccountName. - properties: - secretRef: - description: SecretRef holds the name to a secret that contains - a 'value' key with the kubeconfig file as the value. It must - be in the same namespace as the HelmRelease. It is recommended - that the kubeconfig is self-contained, and the secret is regularly - updated if credentials such as a cloud-access-token expire. 
- Cloud specific `cmd-path` auth helpers will not function without - adding binaries and credentials to the Pod that is responsible - for reconciling the HelmRelease. - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - type: object - maxHistory: - description: MaxHistory is the number of revisions saved by Helm for - this HelmRelease. Use '0' for an unlimited number of revisions; - defaults to '10'. - type: integer - postRenderers: - description: PostRenderers holds an array of Helm PostRenderers, which - will be applied in order of their definition. - items: - description: PostRenderer contains a Helm PostRenderer specification. - properties: - kustomize: - description: Kustomization to apply as PostRenderer. - properties: - images: - description: Images is a list of (image name, new name, - new tag or digest) for changing image names, tags or digests. - This can also be achieved with a patch, but this operator - is simpler to specify. - items: - description: Image contains an image name, a new name, - a new tag or digest, which will replace the original - name and tag. - properties: - digest: - description: Digest is the value used to replace the - original image tag. If digest is present NewTag - value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace - the original name. - type: string - newTag: - description: NewTag is the value used to replace the - original tag. - type: string - required: - - name - type: object - type: array - patchesJson6902: - description: JSON 6902 patches, defined as inline YAML objects. - items: - description: JSON6902Patch contains a JSON6902 patch and - the target the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document - with an array of operation objects. 
- items: - description: JSON6902 is a JSON6902 operation object. - https://tools.ietf.org/html/rfc6902#section-4 - properties: - from: - type: string - op: - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - type: string - value: - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the - patch document should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select - resources from. Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. 
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: Strategic merge patches, defined as inline - YAML objects. - items: - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - type: object - type: array - releaseName: - description: ReleaseName used for the Helm release. Defaults to a - composition of '[TargetNamespace-]Name'. - maxLength: 53 - minLength: 1 - type: string - rollback: - description: Rollback holds the configuration for Helm rollback actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm rollback action when it fails. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm rollback has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm rollback has been performed. - type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - recreate: - description: Recreate performs pod restarts for the resource if - applicable. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'. - type: string - type: object - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this HelmRelease. - type: string - storageNamespace: - description: StorageNamespace used for the Helm storage. 
Defaults - to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - suspend: - description: Suspend tells the controller to suspend reconciliation - for this HelmRelease, it does not apply to already started reconciliations. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace to target when performing operations - for the HelmRelease. Defaults to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - test: - description: Test holds the configuration for Helm test actions for - this HelmRelease. - properties: - enable: - description: Enable enables Helm test actions for this HelmRelease - after an Helm install or upgrade action has been performed. - type: boolean - ignoreFailures: - description: IgnoreFailures tells the controller to skip remediation - when the Helm tests are run but fail. Can be overwritten for - tests run after install or upgrade actions in 'Install.IgnoreTestFailures' - and 'Upgrade.IgnoreTestFailures'. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation during the performance of a Helm test action. Defaults - to 'HelmReleaseSpec.Timeout'. - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a Helm - action. Defaults to '5m0s'. - type: string - uninstall: - description: Uninstall holds the configuration for Helm uninstall - actions for this HelmRelease. - properties: - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - keepHistory: - description: KeepHistory tells Helm to remove all associated resources - and mark the release as deleted, but retain the release history. 
- type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'. - type: string - type: object - upgrade: - description: Upgrade holds the configuration for Helm upgrade actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm upgrade action when it fails. - type: boolean - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. Default is `Skip` and - if omitted CRDs are neither installed nor upgraded. \n Skip: - do neither install nor replace (update) any CRDs. \n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are not applied during Helm upgrade action. With this option - users can opt-in to CRD upgrade, which is not (yet) natively - supported by Helm. https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm upgrade action. - type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm upgrade - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm upgrade has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm upgrade has been performed. 
- type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - preserveValues: - description: PreserveValues will make Helm reuse the last release's - values and merge in overrides from 'Values'. Setting this flag - makes the HelmRelease non-declarative. - type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm upgrade action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an upgrade - action but fail. Defaults to 'Test.IgnoreFailures'. - type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. Defaults - to 'false' unless 'Retries' is greater than 0. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - 'Strategy', is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. - type: integer - strategy: - description: Strategy to use for failure remediation. Defaults - to 'rollback'. - enum: - - rollback - - uninstall - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'. - type: string - type: object - values: - description: Values holds the values for this Helm release. - x-kubernetes-preserve-unknown-fields: true - valuesFrom: - description: ValuesFrom holds references to resources containing Helm - values for this HelmRelease, and information about how they should - be merged. 
- items: - description: ValuesReference contains a reference to a resource - containing Helm values, and optionally the key they can be found - at. - properties: - kind: - description: Kind of the values referent, valid values are ('Secret', - 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside in the - same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - description: Optional marks this ValuesReference as optional. - When set, a not found error for the values reference is ignored, - but any ValuesKey, TargetPath or transient error will still - result in a reconciliation failure. - type: boolean - targetPath: - description: TargetPath is the YAML dot notation path the value - should be merged at. When set, the ValuesKey is expected to - be a single flat value. Defaults to 'None', which results - in the values getting merged at the root. - type: string - valuesKey: - description: ValuesKey is the data key where the values.yaml - or a specific value can be found at. Defaults to 'values.yaml'. - type: string - required: - - kind - - name - type: object - type: array - required: - - chart - - interval - type: object - status: - default: - observedGeneration: -1 - description: HelmReleaseStatus defines the observed state of a HelmRelease. - properties: - conditions: - description: Conditions holds the conditions for the HelmRelease. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - failures: - description: Failures is the reconciliation failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - helmChart: - description: HelmChart is the namespaced name of the HelmChart resource - created by the controller for the HelmRelease. - type: string - installFailures: - description: InstallFailures is the install failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - lastAppliedRevision: - description: LastAppliedRevision is the revision of the last successfully - applied source. - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastAttemptedValuesChecksum: - description: LastAttemptedValuesChecksum is the SHA1 checksum of the - values of the last reconciliation attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change can be detected. - type: string - lastReleaseRevision: - description: LastReleaseRevision is the revision of the last successful - Helm release. - type: integer - observedGeneration: - description: ObservedGeneration is the last observed generation. 
- format: int64 - type: integer - upgradeFailures: - description: UpgradeFailures is the upgrade failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - creationTimestamp: null - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: helmrepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: HelmRepository - listKind: HelmRepositoryList - plural: helmrepositories - shortNames: - - helmrepo - singular: helmrepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: HelmRepository is the Schema for the helmrepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmRepositorySpec defines the reference to a Helm repository. - properties: - interval: - description: The interval at which to check the upstream for updates. - type: string - passCredentials: - description: PassCredentials allows the credentials from the SecretRef - to be passed on to a host that does not match the host as defined - in URL. This may be required if the host of the advertised chart - URLs in the index differ from the defined URL. Enabling this should - be done with caution, as it can potentially result in credentials - getting stolen in a MITM-attack. - type: boolean - secretRef: - description: The name of the secret containing authentication credentials - for the Helm repository. For HTTP/S basic auth the secret must contain - username and password fields. For TLS the secret must contain a - certFile and keyFile, and/or caCert fields. - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout of index downloading, defaults to 60s. - type: string - url: - description: The Helm repository URL, a valid URL contains at least - a protocol and host. - type: string - required: - - interval - - url - type: object - status: - description: HelmRepositoryStatus defines the observed state of the HelmRepository. - properties: - artifact: - description: Artifact represents the output of the last successful - repository sync. - properties: - checksum: - description: Checksum is the SHA1 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. 
- format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. 
For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change can be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the last index fetched. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - creationTimestamp: null - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: kustomizations.kustomize.toolkit.fluxcd.io -spec: - group: kustomize.toolkit.fluxcd.io - names: - kind: Kustomization - listKind: KustomizationList - plural: kustomizations - shortNames: - - ks - singular: kustomization - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the desired state of a kustomization. 
- properties: - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a dependency.CrossNamespaceDependencyReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. - items: - description: CrossNamespaceDependencyReference holds the reference - to a dependency. - properties: - name: - description: Name holds the name reference of a dependency. - type: string - namespace: - description: Namespace holds the namespace reference of a dependency. - type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. 
- items: - description: NamespacedObjectKindReference contains enough information - to let you locate the typed referenced object in any namespace - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used - type: string - kind: - description: Kind of the referent - type: string - name: - description: Name of the referent - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. - properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. - type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When specified, KubeConfig takes precedence over - ServiceAccountName. - properties: - secretRef: - description: SecretRef holds the name to a secret that contains - a 'value' key with the kubeconfig file as the value. It must - be in the same namespace as the Kustomization. 
It is recommended - that the kubeconfig is self-contained, and the secret is regularly - updated if credentials such as a cloud-access-token expire. - Cloud specific `cmd-path` auth helpers will not function without - adding binaries and credentials to the Pod that is responsible - for reconciling the Kustomization. - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains either a StrategicMerge or a JSON6902 - patch, either a file or inline, and the target the patch should - be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. - type: string - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. 
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - type: object - type: array - patchesJson6902: - description: JSON 6902 patches, defined as inline YAML objects. - items: - description: JSON6902Patch contains a JSON6902 patch and the target - the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. https://tools.ietf.org/html/rfc6902#section-4 - properties: - from: - type: string - op: - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - type: string - value: - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. 
Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: Strategic merge patches, defined as inline YAML objects. - items: - x-kubernetes-preserve-unknown-fields: true - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. - type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. 
The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. - type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. 
- properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - GitRepository - - Bucket - type: string - name: - description: Name of the referent - type: string - namespace: - description: Namespace of the referent, defaults to the Kustomization - namespace - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. - maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - type: string - validation: - description: Validate the Kubernetes objects before applying them - on the cluster. The validation strategy can be 'client' (local dry-run), - 'server' (APIServer dry-run) or 'none'. When 'Force' is 'true', - validation will fallback to 'client' if set to 'server' because - server-side validation is not supported in this scenario. - enum: - - none - - client - - server - type: string - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastAppliedRevision: - description: The last successfully applied revision. The revision - format for Git sources is /. - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change can be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - snapshot: - description: The last successfully applied revision metadata. - properties: - checksum: - description: The manifests sha1 checksum. - type: string - entries: - description: A list of Kubernetes kinds grouped by namespace. - items: - description: Snapshot holds the metadata of namespaced Kubernetes - objects - properties: - kinds: - additionalProperties: - type: string - description: The list of Kubernetes kinds. - type: object - namespace: - description: The namespace of this entry. 
- type: string - required: - - kinds - type: object - type: array - required: - - checksum - - entries - type: object - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta2 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the configuration to calculate - the desired state from a Source using Kustomize. - properties: - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. 
- properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a dependency.CrossNamespaceDependencyReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. - items: - description: CrossNamespaceDependencyReference holds the reference - to a dependency. - properties: - name: - description: Name holds the name reference of a dependency. - type: string - namespace: - description: Namespace holds the namespace reference of a dependency. - type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to let you locate the typed referenced object in any namespace - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used - type: string - kind: - description: Kind of the referent - type: string - name: - description: Name of the referent - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. 
- properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. - type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When specified, KubeConfig takes precedence over - ServiceAccountName. - properties: - secretRef: - description: SecretRef holds the name to a secret that contains - a 'value' key with the kubeconfig file as the value. It must - be in the same namespace as the Kustomization. It is recommended - that the kubeconfig is self-contained, and the secret is regularly - updated if credentials such as a cloud-access-token expire. - Cloud specific `cmd-path` auth helpers will not function without - adding binaries and credentials to the Pod that is responsible - for reconciling the Kustomization. - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains either a StrategicMerge or a JSON6902 - patch, either a file or inline, and the target the patch should - be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. - type: string - target: - description: Target points to the resources that the patch document - should be applied to. 
- properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - type: object - type: array - patchesJson6902: - description: 'JSON 6902 patches, defined as inline YAML objects. Deprecated: - Use Patches instead.' - items: - description: JSON6902Patch contains a JSON6902 patch and the target - the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. 
- items: - description: JSON6902 is a JSON6902 operation object. https://tools.ietf.org/html/rfc6902#section-4 - properties: - from: - type: string - op: - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - type: string - value: - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. 
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: 'Strategic merge patches, defined as inline YAML objects. - Deprecated: Use Patches instead.' - items: - x-kubernetes-preserve-unknown-fields: true - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. - type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. - type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. 
- maxLength: 253 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, defaults to the namespace - of the Kubernetes resource object that contains the reference. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. - maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - type: string - validation: - description: 'Deprecated: Not used in v1beta2.' - enum: - - none - - client - - server - type: string - wait: - description: Wait instructs the controller to check the health of - all the reconciled resources. When enabled, the HealthChecks are - ignored. Defaults to false. 
- type: boolean - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - inventory: - description: Inventory contains the list of Kubernetes resource object - references that have been successfully applied. - properties: - entries: - description: Entries of Kubernetes resource object references. - items: - description: ResourceRef contains the information necessary - to locate a resource within a cluster. - properties: - id: - description: ID is the string representation of the Kubernetes - resource object's metadata, in the format '___'. - type: string - v: - description: Version is the API version of the Kubernetes - resource object's kind. - type: string - required: - - id - - v - type: object - type: array - required: - - entries - type: object - lastAppliedRevision: - description: The last successfully applied revision. The revision - format for Git sources is /. 
- type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change can be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - creationTimestamp: null - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: providers.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Provider - listKind: ProviderList - plural: providers - singular: provider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Provider is the Schema for the providers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ProviderSpec defines the desired state of Provider - properties: - address: - description: HTTP/S webhook address of this provider - pattern: ^(http|https):// - type: string - certSecretRef: - description: CertSecretRef can be given the name of a secret containing - a PEM-encoded CA certificate (`caFile`) - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - channel: - description: Alert channel for this provider - type: string - proxy: - description: HTTP/S address of the proxy - pattern: ^(http|https):// - type: string - secretRef: - description: Secret reference containing the provider webhook URL - using "address" as data key - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - type: - description: Type of provider - enum: - - slack - - discord - - msteams - - rocket - - generic - - github - - gitlab - - bitbucket - - azuredevops - - googlechat - - webex - - sentry - - azureeventhub - - telegram - - lark - - matrix - - opsgenie - - alertmanager - type: string - username: - description: Bot username for this provider - type: string - required: - - type - type: object - status: - default: - observedGeneration: -1 - description: ProviderStatus defines the observed state of Provider - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - creationTimestamp: null - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: receivers.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Receiver - listKind: ReceiverList - plural: receivers - singular: receiver - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of Receiver - properties: - events: - description: A list of events to handle, e.g. 'push' for GitHub or - 'Push Hook' for GitLab. - items: - type: string - type: array - resources: - description: A list of resources to be notified about changes. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - type: string - name: - description: Name of the referent - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - name - type: object - type: array - secretRef: - description: Secret reference containing the token used to validate - the payload authenticity - properties: - name: - description: Name of the referent - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - events handling. Defaults to false. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. 
- enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of Receiver - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - \ // +patchStrategy=merge // +listType=map // +listMapKey=type - \ Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: Generated webhook URL in the format of '/hook/sha256sum(token+name+namespace)'. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: helm-controller - namespace: flux-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: kustomize-controller - namespace: flux-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: notification-controller - namespace: flux-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: source-controller - namespace: flux-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: crd-controller-flux-system -rules: -- apiGroups: - - source.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - kustomize.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - helm.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - notification.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - image.toolkit.fluxcd.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - "" - resources: - - namespaces - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - configmaps - - 
configmaps/status - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: cluster-reconciler-flux-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: ServiceAccount - name: kustomize-controller - namespace: flux-system -- kind: ServiceAccount - name: helm-controller - namespace: flux-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - name: crd-controller-flux-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: crd-controller-flux-system -subjects: -- kind: ServiceAccount - name: kustomize-controller - namespace: flux-system -- kind: ServiceAccount - name: helm-controller - namespace: flux-system -- kind: ServiceAccount - name: source-controller - namespace: flux-system -- kind: ServiceAccount - name: notification-controller - namespace: flux-system -- kind: ServiceAccount - name: image-reflector-controller - namespace: flux-system -- kind: ServiceAccount - name: image-automation-controller - namespace: flux-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - control-plane: controller - name: notification-controller - namespace: flux-system -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - selector: - app: notification-controller - type: ClusterIP ---- -apiVersion: v1 -kind: Service 
-metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - control-plane: controller - name: source-controller - namespace: flux-system -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - selector: - app: source-controller - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - control-plane: controller - name: webhook-receiver - namespace: flux-system -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http-webhook - selector: - app: notification-controller - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - control-plane: controller - name: helm-controller - namespace: flux-system -spec: - replicas: 1 - selector: - matchLabels: - app: helm-controller - template: - metadata: - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: - app: helm-controller - spec: - containers: - - args: - - --events-addr=http://notification-controller/ - - --watch-all-namespaces=true - - --log-level=info - - --log-encoding=json - - --enable-leader-election - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: ghcr.io/fluxcd/helm-controller:v0.12.1 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 8080 - name: http-prom - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - 
mountPath: /tmp - name: temp - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: helm-controller - terminationGracePeriodSeconds: 600 - volumes: - - emptyDir: {} - name: temp ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - control-plane: controller - name: kustomize-controller - namespace: flux-system -spec: - replicas: 1 - selector: - matchLabels: - app: kustomize-controller - template: - metadata: - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: - app: kustomize-controller - spec: - containers: - - args: - - --events-addr=http://notification-controller/ - - --watch-all-namespaces=true - - --log-level=info - - --log-encoding=json - - --enable-leader-election - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: ghcr.io/fluxcd/kustomize-controller:v0.16.0 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 8080 - name: http-prom - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /tmp - name: temp - nodeSelector: - kubernetes.io/os: linux - securityContext: - fsGroup: 1337 - serviceAccountName: kustomize-controller - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: temp ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - control-plane: controller - name: notification-controller - namespace: flux-system -spec: - replicas: 1 - selector: - matchLabels: 
- app: notification-controller - template: - metadata: - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: - app: notification-controller - spec: - containers: - - args: - - --watch-all-namespaces=true - - --log-level=info - - --log-encoding=json - - --enable-leader-election - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: ghcr.io/fluxcd/notification-controller:v0.18.1 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 9090 - name: http - - containerPort: 9292 - name: http-webhook - - containerPort: 8080 - name: http-prom - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /tmp - name: temp - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: notification-controller - terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: temp ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/instance: flux-system - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: v0.20.1 - control-plane: controller - name: source-controller - namespace: flux-system -spec: - replicas: 1 - selector: - matchLabels: - app: source-controller - strategy: - type: Recreate - template: - metadata: - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: - app: source-controller - spec: - containers: - - args: - - --events-addr=http://notification-controller/ - - --watch-all-namespaces=true - - --log-level=info - - --log-encoding=json - - --enable-leader-election - - --storage-path=/data - - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.cluster.local. 
- env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: ghcr.io/fluxcd/source-controller:v0.17.1 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 9090 - name: http - - containerPort: 8080 - name: http-prom - - containerPort: 9440 - name: healthz - readinessProbe: - httpGet: - path: / - port: http - resources: - limits: - cpu: 1000m - memory: 1Gi - requests: - cpu: 50m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - nodeSelector: - kubernetes.io/os: linux - securityContext: - fsGroup: 1337 - serviceAccountName: source-controller - terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp ---- diff --git a/cluster/base/flux-system/gotk-sync.yaml b/cluster/base/flux-system/gotk-sync.yaml deleted file mode 100644 index 38f928be..00000000 --- a/cluster/base/flux-system/gotk-sync.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -apiVersion: source.toolkit.fluxcd.io/v1beta1 -kind: GitRepository -metadata: - name: flux-system - namespace: flux-system -spec: - interval: 1m0s - ref: - branch: main - url: https://github.com/toboshii/home-cluster ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: flux-system - namespace: flux-system -spec: - interval: 10m0s - path: ./cluster/base - prune: true - sourceRef: - kind: GitRepository - name: flux-system - decryption: - provider: sops - secretRef: - name: sops-gpg diff --git a/cluster/base/flux-system/kustomization.yaml b/cluster/base/flux-system/kustomization.yaml deleted file mode 100644 index 2974f2db..00000000 --- a/cluster/base/flux-system/kustomization.yaml +++ /dev/null 
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- gotk-components.yaml
-- gotk-sync.yaml
-- charts
diff --git a/cluster/apps/networking/traefik/external/kustomization.yaml b/cluster/bootstrap/kustomization.yaml
similarity index 57%
rename from cluster/apps/networking/traefik/external/kustomization.yaml
rename to cluster/bootstrap/kustomization.yaml
index 054c2f9a..d49f606b 100644
--- a/cluster/apps/networking/traefik/external/kustomization.yaml
+++ b/cluster/bootstrap/kustomization.yaml
@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- minio.yaml
+ - github.com/fluxcd/flux2/manifests/install?ref=v0.31.3
diff --git a/cluster/base/flux-system/charts/helm/ananace-charts.yaml b/cluster/charts/ananace-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/ananace-charts.yaml
rename to cluster/charts/ananace-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/authentik-charts.yaml b/cluster/charts/authentik-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/authentik-charts.yaml
rename to cluster/charts/authentik-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/bitnami-charts.yaml b/cluster/charts/bitnami-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/bitnami-charts.yaml
rename to cluster/charts/bitnami-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/blakeshome-charts.yaml b/cluster/charts/blakeshome-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/blakeshome-charts.yaml
rename to cluster/charts/blakeshome-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/cilium-charts.yaml b/cluster/charts/cilium-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/cilium-charts.yaml
rename to cluster/charts/cilium-charts.yaml
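Review bot: The remote base `github.com/fluxcd/flux2/manifests/install?ref=v0.31.3` pins Flux by git tag, and a tag can be moved, so the controllers that receive cluster-admin (the deleted gotk-components.yaml bound that ClusterRole to kustomize-controller and helm-controller) are now fetched from a mutable reference at every bootstrap. Pinning `ref=` to the commit SHA behind v0.31.3, or keeping a vendored copy of the manifests as before, makes the bootstrap reproducible and verifiable. gotk-sync.yaml, which carried `decryption: provider: sops` with `secretRef: name: sops-gpg`, is also deleted in this commit; the Flux Kustomization that replaces it with an age-key secret is not in this chunk, so confirm it exists before the migrated secret.sops.yaml files are reconciled.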
diff --git a/cluster/base/flux-system/charts/helm/coredns-charts.yaml b/cluster/charts/coredns-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/coredns-charts.yaml
rename to cluster/charts/coredns-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/deliveryhero-charts.yaml b/cluster/charts/deliveryhero-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/deliveryhero-charts.yaml
rename to cluster/charts/deliveryhero-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/drone-charts.yaml b/cluster/charts/drone-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/drone-charts.yaml
rename to cluster/charts/drone-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/fairwinds-charts.yaml b/cluster/charts/fairwinds-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/fairwinds-charts.yaml
rename to cluster/charts/fairwinds-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/falco-security-charts.yaml b/cluster/charts/falco-security-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/falco-security-charts.yaml
rename to cluster/charts/falco-security-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/gitea-charts.yaml b/cluster/charts/gitea-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/gitea-charts.yaml
rename to cluster/charts/gitea-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/grafana-charts.yaml b/cluster/charts/grafana-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/grafana-charts.yaml
rename to cluster/charts/grafana-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/hajimari-charts.yaml b/cluster/charts/hajimari-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/hajimari-charts.yaml
rename to cluster/charts/hajimari-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/infracloudio-charts.yaml b/cluster/charts/infracloudio-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/infracloudio-charts.yaml
rename to cluster/charts/infracloudio-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/ingress-nginx-charts.yaml b/cluster/charts/ingress-nginx-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/ingress-nginx-charts.yaml
rename to cluster/charts/ingress-nginx-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/jetstack-charts.yaml b/cluster/charts/jetstack-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/jetstack-charts.yaml
rename to cluster/charts/jetstack-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/k8s-at-home-charts.yaml b/cluster/charts/k8s-at-home-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/k8s-at-home-charts.yaml
rename to cluster/charts/k8s-at-home-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/kubernetes-sigs-descheduler-charts.yaml b/cluster/charts/kubernetes-sigs-descheduler-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/kubernetes-sigs-descheduler-charts.yaml
rename to cluster/charts/kubernetes-sigs-descheduler-charts.yaml
diff --git a/cluster/charts/kustomization.yaml b/cluster/charts/kustomization.yaml
new file mode 100644
index 00000000..543dbb1f
--- /dev/null
+++ b/cluster/charts/kustomization.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ananace-charts.yaml
+ - authentik-charts.yaml
+ - bitnami-charts.yaml
+ - blakeshome-charts.yaml
+ - cilium-charts.yaml
+ - coredns-charts.yaml
+ - deliveryhero-charts.yaml
+ - drone-charts.yaml
+ - fairwinds-charts.yaml
+ - falco-security-charts.yaml
+ - grafana-charts.yaml
+ - infracloudio-charts.yaml
+ - ingress-nginx-charts.yaml
+ - jetstack-charts.yaml
+ - k8s-at-home-charts.yaml
+ - kubernetes-sigs-descheduler-charts.yaml
+ - lwolf-charts.yaml
+ - mailu-charts.yaml
+ - metrics-server-charts.yaml
+ - nfs-subdir-external-provisioner-charts.yaml
+ - node-feature-discovery-charts.yaml
+ - nvidia-charts.yaml
+ - prometheus-community-charts.yaml
+ - rook-ceph-charts.yaml
+ - stakater-charts.yaml
+ - hajimari-charts.yaml
+ - toboshii-charts.yaml
+ - traefik-charts.yaml
+ - uptimerobot-operator-charts.yaml
+ - vernemq-charts.yaml
+ - weaveworks-kured-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/lwolf-charts.yaml b/cluster/charts/lwolf-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/lwolf-charts.yaml
rename to cluster/charts/lwolf-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/mailu-charts.yaml b/cluster/charts/mailu-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/mailu-charts.yaml
rename to cluster/charts/mailu-charts.yaml
diff --git a/cluster/charts/metrics-server-charts.yaml b/cluster/charts/metrics-server-charts.yaml
new file mode 100644
index 00000000..fd6282f3
--- /dev/null
+++ b/cluster/charts/metrics-server-charts.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: metrics-server-charts
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://kubernetes-sigs.github.io/metrics-server
\ No newline at end of file
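Review bot: `- hajimari-charts.yaml` sits between `stakater-charts.yaml` and `toboshii-charts.yaml` while the rest of the new resource list is alphabetical; moving it directly after `grafana-charts.yaml` keeps the list sorted so a missing or duplicated repository is easy to spot in review. The list also references gitea-charts.yaml nowhere although that file is renamed into cluster/charts/ in this commit, so either the HelmRepository is intentionally dropped or the entry was forgotten. The metrics-server-charts.yaml hunk below ends without a trailing newline.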
diff --git a/cluster/base/flux-system/charts/helm/nfs-subdir-external-provisioner-charts.yaml b/cluster/charts/nfs-subdir-external-provisioner-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/nfs-subdir-external-provisioner-charts.yaml
rename to cluster/charts/nfs-subdir-external-provisioner-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/node-feature-discovery-charts.yaml b/cluster/charts/node-feature-discovery-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/node-feature-discovery-charts.yaml
rename to cluster/charts/node-feature-discovery-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/nvidia-charts.yaml b/cluster/charts/nvidia-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/nvidia-charts.yaml
rename to cluster/charts/nvidia-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/prometheus-community-charts.yaml b/cluster/charts/prometheus-community-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/prometheus-community-charts.yaml
rename to cluster/charts/prometheus-community-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/rook-ceph-charts.yaml b/cluster/charts/rook-ceph-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/rook-ceph-charts.yaml
rename to cluster/charts/rook-ceph-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/stakater-charts.yaml b/cluster/charts/stakater-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/stakater-charts.yaml
rename to cluster/charts/stakater-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/toboshii-charts.yaml b/cluster/charts/toboshii-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/toboshii-charts.yaml
rename to cluster/charts/toboshii-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/traefik-charts.yaml b/cluster/charts/traefik-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/traefik-charts.yaml
rename to cluster/charts/traefik-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/uptimerobot-operator-charts.yaml b/cluster/charts/uptimerobot-operator-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/uptimerobot-operator-charts.yaml
rename to cluster/charts/uptimerobot-operator-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/vernemq-charts.yaml b/cluster/charts/vernemq-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/vernemq-charts.yaml
rename to cluster/charts/vernemq-charts.yaml
diff --git a/cluster/base/flux-system/charts/helm/weaveworks-kured-charts.yaml b/cluster/charts/weaveworks-kured-charts.yaml
similarity index 100%
rename from cluster/base/flux-system/charts/helm/weaveworks-kured-charts.yaml
rename to cluster/charts/weaveworks-kured-charts.yaml
diff --git a/cluster/base/cluster-secrets.yaml b/cluster/config/cluster-secrets.sops.yaml
similarity index 70%
rename from cluster/base/cluster-secrets.yaml
rename to cluster/config/cluster-secrets.sops.yaml
index 02907e46..3c55bfc2 100644
--- a/cluster/base/cluster-secrets.yaml
+++ b/cluster/config/cluster-secrets.sops.yaml
@@ -8,6 +8,7 @@ stringData: SECRET_DOMAIN: ENC[AES256_GCM,data:5cGPwnA/,iv:WK3lnH1d27fZGMJbUAgAUdRmuqU6z1bTsqrhvPD9exY=,tag:q50kOaWyaDdpWAEhidaeUw==,type:str] SECRET_DOMAIN_2: ENC[AES256_GCM,data:0Zp2dDNLIGvkAgIVRA==,iv:DyVDjr6pZZh9BF7MJli1dP0EcqfqUoN0lOnU0wcsWkw=,tag:QUiOVARUJI65jzILuhzH/w==,type:str] SECRET_DOMAIN_3: ENC[AES256_GCM,data:k43bzKF2mg==,iv:A/sXNQa2C8e6SG70STAtfqA5Vcj1jL7g5Gw8sUQCwYU=,tag:zejpxQEsX4Ngpv3g+Kf4Wg==,type:str] + SECRET_PRIVATE_DOMAIN: ENC[AES256_GCM,data:9xaGMfnkUvbLUg==,iv:+jKkQNvQP4NkEZ9ULfOTZ4f1nRadQ99MSUSe/yfzqVs=,tag:qaSfeWMa63aGIxGOU2tK/Q==,type:str] SECRET_EMAIL: ENC[AES256_GCM,data:ZG6+iyDCBgkXpu1/Ptm5gBjZ,iv:D1UC+67k303SyOjL5pLTRcDzQ6KId+7P81qWYhsWg8M=,tag:nv4ljyX9hXy6xLT+DZDbVQ==,type:str] SECRET_CLOUDFLARE_EMAIL: ENC[AES256_GCM,data:Zr/kS7EaXKXLEgzqq2KO52bPbIOv,iv:JsunldN/7zKo5HUg5mXDZZQxRd1TVub6OdxJlqGTajg=,tag:aBCq2CKjlMuoNsjFkpk89Q==,type:str] SECRET_TRAEFIK_PILOT_TOKEN: ENC[AES256_GCM,data:VUz8GFZUPDapU8sHyyRnkDlZGl2gTghQyL5OTROnY/oBDg/m,iv:vBWvNIffVngY608gJVxtm2mnbolbQCK/OGcQJkG9fZc=,tag:AEBUwNgw+FkiXEpFe70JvQ==,type:str] 
@@ -45,49 +46,18 @@ sops: gcp_kms: [] azure_kv: [] hc_vault: [] - age: [] - lastmodified: "2022-06-25T11:19:46Z" - mac: ENC[AES256_GCM,data:ovgwwS9yNUJMa35cYsEXRgxQfSl1eR5Av715hqucKU/vd2R61PEMw+ZJQnSKtzmFNnvm+cUbKOx27VwsMQs/IocYDy6SAbf2I03VylROQTERqPZ7ntOlJBQFagjSkKt3kM8cmQI3B/7ErcrLTwwfjlAqbx+U78aJ8RJWkhoRTks=,iv:h+O3eb/6Ez3OzVTzCnlogi+cJ2pBa3CWXe43ngfBddM=,tag:QEt8EKhh76xvwydIf9tiCQ==,type:str] - pgp: - - created_at: "2021-05-12T03:55:06Z" + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAw1XfxK/K1q7AQ//R2Pjy4v7t9YjQ+AxYRRRBCD1mOuCa3id+NzarBzK45yr - sqmVjKsubCQglV8XB88nu3gGvoZK0Ft3kkjhsG58/E9Mx1/fc35gWw4BfawrHRfr - ObLirT2jvcHfuH8tLPYvgsCBb9qzV5z+ReFz3zZyQzQWEq8cS8B+GLsDK/zHP8nW - 7Gzu3gUawwXYCVXQdmHx07HoNT//oNnraK0QTzxKe3Er5fUDc9nH8Ztzj8LqcVvU - LiPbcBtp2WX8Y+9yXjbSFtspiisP2MmOhc7KKwn/G9ULEYHR17trW8IckYHRw31Z - V0NXRIxIC4mxMXc/A+wgmaxwVfK5FPGWL1CbdJyLsMW34LMk/8xeG9T3hns/kIxL - TagUjB1oam72aiMJKkPPMgNxCWu9YbKZEPtJalDqkkxoogZJExfGG50sneZfSMmL - rdsP9ZcWWf9ryVaXMXy4JC4zDCxfz9X3FIGeyNrBUvv67TlWfqxM/1jACnG1cciZ - T0IaKbQWMAXMP2/UhbAXsecP3Q03i89dH1FYLgpMqGdpkPAhNFuYIbYIrPgFOpq9 - k+IFphyWmzgENTBRx22BgQHia0WwVY6DNPy9fwKG1ImeXWjLGFhxWYxEfFnWQ3ab - RXX8a/2p8shDL+Cveb+KfgJrmpyq7qkJWhEtL5lFmcqndQ/ACkIWKorYDoWOpaLS - XAGKy7e05zEauRxN9BnDpfEstlgsWCUBgv2eTcxHj2El1ZkfnpIjnGRxs8xCSEvI - AXGoXGIPWp9xxA4sTzXNSTAL9ata51B6ZyuG9XsPeja4gQcsGbCGh7BGy6JB - =0KP3 - -----END PGP MESSAGE----- - fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B - - created_at: "2021-05-12T03:55:06Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAySEZvKqXwiCAQ/8DnQR8LOR00hc467+us6a8e8gdhMVW4Ejz1NAH2jNO5Za - 5DJw0jvW1XU79TnkaDk8aPnEBsESbFeT8xSEpkrzHei+aazYM1NCicH/nMvF4+Jm - yNPiIAn8lyIhT4sXzZSGgriLiYBpVAnoE1+D8yN25jfQfLKgfztT5Iq+WzDf7KN4 - 4OMmGVD/VnVJKLQ9iGysvwHs9vU1/lDdllx7X25XjohsK736ci/KVmegounWtdbN - xrHREtl++AWkJ98QYYt59KbIPiKVahnC6AICbuLg7SMBESZm6Q3S3xfxiVID9GSl - 
v7YA4ZgcTpI80QoEhUQSSYzSffYIjnGtiREROwlLrPDHOMTGXtnsq7xMxeCRk8Yu - eQPnY7oPr73gO5eJchdcO0n+yfSY0M9C6xztDTwRzv+pBdeQiwcP1+RrA3mVcGQo - PWQjGy5UBQdy9c29EyyNGbi+grpbS/eThRCCamr3V4+MTYRRXYOcOCIeweap7gCu - 6BuR1C5kbzhQy87Hf95MTm64lXNh8YAkNWWX/kFq7cfEOsk5Bf7qQ6mSVQOSVldl - w/FYywGktvt212ka/I2IHmc8K8YDjHSl7oAJtZdHz/lGtDwgQsnGdwM3zaM9xEt1 - ab/6i8ESAS7NloJiufsR0YepkxCvctZWtpSsMHU6Y7rHCB2L4ixDz7dHdMqc0a7S - XAGlXKR3zbCgHJgujhybYsDnXzqaQ4iePCku+97qG1jQgHgYpdDYcTQPNMiZDHHg - 10g2FaI02edGTVT16u7V2YzkdKnFh7sCjS8EV4gEAhia3oG71PCVHZdXVeDb - =33Pc - -----END PGP MESSAGE----- - fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbFl5U2R4NW5FSWNuaFBa + czM4bkZtcDIrRTdnaDU5dllrVklOaXVzZDM4Cm1xb3U0Z05NcTVLbmtPc0l2SWsw + VHR4MC81WWVGOGVSM2RWTHhPanYwaFUKLS0tIHc3V0lVeEQwbWdHS0RlVUcwV08y + N3UwenYrL21DamtwQ0xHbXIvYUdodG8KWlfKVJJET0CNnwsOiWultSkEE7x2RTBb + exdaCEgmr3mY00DDMFco/gpq9zGqKH7Ry0LG6B5iq98GvJf2VRAJ7g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-01T09:50:48Z" + mac: ENC[AES256_GCM,data:ry6k7+/riEKtgIx9+IQXU41nZzumfZhw6ovY9b//I8KlDY3OlXu7nRJRP8RpFZcaCzxo3DPJffm+mfKY2QG1T+WqBfi4mYziexI5gUkTeJ5W2ubtmA5d5U2QVZq/798+f2hqgrZtAiCtok/zGYY6zZ5XDL5nrXP1fzIV6EF70ak=,iv:NbAv0cd+esMtENxbp2ShyK4Q0Gnxdf6JCyJppnd4mQ8=,tag:94oGzvgtENbWbo1/07H3cQ==,type:str] + pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/cluster/base/cluster-settings.yaml b/cluster/config/cluster-settings.yaml similarity index 79% rename from cluster/base/cluster-settings.yaml rename to cluster/config/cluster-settings.yaml index a1da165d..a301b664 100644 --- a/cluster/base/cluster-settings.yaml +++ b/cluster/config/cluster-settings.yaml 
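Review bot: The recipient set changes from two PGP keys to one age key, but the per-value ciphertexts carried as context lines in the first hunk (`SECRET_DOMAIN: ENC[AES256_GCM,data:5cGPwnA/,iv:WK3l...]` and the rest, with identical iv and tag) are unchanged, which means only the wrapped data key was re-encrypted and the data key itself was kept. The same holds for cluster-issuers/secret.sops.yaml further down, whose `cloudflare-token` ENC[...] value is byte-identical to the one in the deleted cert-manager/secret.enc.yaml. Anyone holding either retired PGP private key plus a copy of the old file from git history can still unwrap that data key and read the current values, including the new `SECRET_PRIVATE_DOMAIN`. Running `sops -r` (rotate) on each migrated file generates a fresh data key and re-encrypts every value, and rotating the underlying credentials (Cloudflare token, Traefik Pilot token) closes the exposure from history; the other secret.sops.yaml files in this commit that are outside this chunk presumably need the same treatment.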
@@ -5,9 +5,10 @@ metadata:
 name: cluster-settings
 namespace: flux-system
 data:
- CLUSTER_NAME: "cluster-0"
+ TIMEZONE: "America/Chicago"
+ CLUSTER_NAME: "cluster01"
 CLUSTER_ID: "1"
- CONTROL_PLANE_ENDPOINT: "cluster-0.dfw.56k.sh"
+ CONTROL_PLANE_ENDPOINT: "cluster01.dfw.56k.sh"
 GATEWAY_IP: 10.75.0.1
 NETWORK_K8S_CLUSTER_CIDR: 172.22.0.0/16
 NETWORK_K8S_SERVICE_CIDR: 172.24.0.0/16
@@ -15,6 +16,7 @@ data:
 METALLB_LB_RANGE: 10.75.42.100-10.75.42.120
 LB_COREDNS_IP: 10.75.45.100
 LB_TRAEFIK_IP: 10.75.45.101
+ SVC_NGINX_ADDR: 10.75.45.101
 LB_LOKI_IP: 10.75.45.102
 LB_PLEX_IP: 10.75.45.103
 LB_JELLYFIN_IP: 10.75.45.104
diff --git a/cluster/core/cert-manager/secret.enc.yaml b/cluster/core/cert-manager/secret.enc.yaml
deleted file mode 100644
index fb43b39b..00000000
--- a/cluster/core/cert-manager/secret.enc.yaml
+++ /dev/null
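Review bot: `SVC_NGINX_ADDR: 10.75.45.101` in the second hunk is the same address as the `LB_TRAEFIK_IP` line kept directly above it, so if any HelmRelease still consumes LB_TRAEFIK_IP the two LoadBalancer services will contend for one MetalLB address and one of them stays pending. This commit renames the traefik/external kustomization into bootstrap/, which suggests Traefik is being retired; if so, drop `LB_TRAEFIK_IP` here or mark it with `# unused since the nginx migration`, and if both are meant to share the address note that this depends on a `metallb.universe.tf/allow-shared-ip` annotation on both services. The renames to `cluster01` in `CLUSTER_NAME` and `CONTROL_PLANE_ENDPOINT` are consistent with each other.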
@@ -1,59 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: cloudflare-token-secret - namespace: cert-manager -stringData: - cloudflare-token: ENC[AES256_GCM,data:g9drp6qSn74ICZvTIdnhOuGl0EJ7GPCQpz7xRMrtCJaXVLkqNprogw==,iv:D7XGvbMOQqIl+IhLCiUNYQf5O7sBuerDThAnhzHybPU=,tag:9JU7SwfcfF7t5y1IxafHwA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-05-12T03:55:09Z" - mac: ENC[AES256_GCM,data:fCUPa+hU3Dm+wVuRWesMZPBcSL5imh5z9xYHqom31oxBZtg8zRGl7SW4UUGwZgVbCTo8WkYXS/jUfnh/0vrTrj+YR+E2R9Uznr//05Qbx8sBAGG6R9xtijo902DS0/ddKkaLiPaYNdkH5GRvyP/ZfdHSmk20yMnfLZMO6pK9D4c=,iv:NxEbO15tyoBnVraSBwY5Z1tR75jKMOKqC2Xu0X4yRm8=,tag:3HU+7a78X/V2IdatrhvINw==,type:str] - pgp: - - created_at: "2021-05-12T03:55:08Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAw1XfxK/K1q7ARAAkDxxBo8z5uIzHNTy1R076ZsuWEQBv+R84uPOEiyO/GaX - 4sCRgGz6R1bHxH9oofJeKAi60zEArqXjfvnzb/Q/cDfR00+1LvnDjSCdKeAo8VH2 - eCDBfJYBxHeT99/rjpf+86OCYqXAA0ByH6amQPtRNleeXbcLcKEXBZ+X/aWuNUX1 - Zwhu7YTBePfOA4RvresxSSsQFZaSUn7Xd80iO4ov96iJOYcXQTGZRnHIe+XNLt2x - g7HBQuNZEkUbbuKSqad2V+mOiXwsr5e0fvHFeWGtThBTSxuzBPdj2kwyAgo6xB2N - Ir1OdK4MHByI5imnbfTQfOk0ONjtLnTyjCnMa56Azf/oURUmEQKNHbpzLTgmK64Y - FN58s8I35+YTiiXdMuzxFmsw5Xt9+Dzi0ZYCoFkLtJwqayPBgsgQxQ3awffhmD9k - ttVESGO6xV6m23sbrfu0dfEPnDjqznFZnoRk89QnjYIDc5g9q9kattcYw2je82XG - 81jz/VfXSMykkHDR9ts5WcEIvE0qMssSw4epSnIXjALmb8IH56M3GGVBwUAeP7Ri - +AO9e7djYtvzpej0mLPktgxhqdfj+5KD3DBEUjerOkoP3ISRL10M9WLumdY2wLLu - 6RvBy8qqK3wYuSZXhmexdhpK/2SJnas5pH7NGhU4d64mzZwNlz+Ik3/peAerV4bS - XgGWxLV/pXBY5EJZlU7RnW8B0Iie3WZjLa9RIBysyXm/9o6HJ01/r/d6MAPYXO/v - j6nLceYLo1JbPuIkyvoC9PrtQBhLUxyLdQESg8EJkPI7C3PwdmQsfnIBoHTmyjY= - =MmfL - -----END PGP MESSAGE----- - fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B - - created_at: "2021-05-12T03:55:08Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAySEZvKqXwiCAQ//fTc+jqtTuH5fBQp9a4THVbQ8ZU3xqER0bHA1SJTGIPOg - XjkWLzMasV2AYXXgeaNqJet8P7F7RXurTpBrDwe34Xne+8VW09PVNzGNRkDvBjpK - 
hDpPzfNIKfnH323nYz5wdIslWwXMgSbshwSOufkNTeQF//R+jZnZnWTqePmBAK6q - YyKIn56Ilo1beMyWrC1ubARTBNYwce/mxbseDIYf0a36PM2NXYZaBoFtZG0VTPGj - /I28jAsTNkmpLZbNkdBhxvQrJuptZ5YaDQjIfzd8VT5uq9o6WhLv17fHuj5+R6PV - pKL6mzwoOg5jimzo5p9lPYP9n7m5P3Alokq9EhHnHDpNzDMLSInARN+QP5JCmUI5 - SUdc4uM7ZbhTEjmd3dMzEU6qVOB5ayerUvM8u5FWkfilXt9jPcMyRk5fGV7gXmfc - 51cJl/hnoBC59baSEckjOenYVz8JmMgsInfcaE8T0wE/Wc0C+iId2y9LuUZ4O3T1 - h54k45GIltIEM+x6amR8szaedEe+B5uR8N0PMD9TE2rCH0342KBPOtrWJLgUijbb - Zato2XBsHSS9HhJ8+gjxoew9A1kET3wGebjqEhyuY4YDvkFC+9/K2T9Ww1qm7QrI - KF33Hu34nAJUbWgQPYKBZ1OVQimBU1g9044K3WRwMBaeFBFbjpl7CFy9QaD0GY/S - XgGsAy+Iixk0yCu733GTs3nSLGyTbCMKBL4QrOxbAmsTmx2gpKGBP7Xmmxn4xf7d - KhAn+PXtd75n9nTSxhoQLwxsLFS4WFokUS9wQzFTHYSnPDz8YizEvPeEZpefw5Y= - =y9Rp - -----END PGP MESSAGE----- - fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/core/cert-manager/kustomization.yaml b/cluster/core/cluster-issuers/kustomization.yaml similarity index 60% rename from cluster/core/cert-manager/kustomization.yaml rename to cluster/core/cluster-issuers/kustomization.yaml index 0231f584..f437dd62 100644 --- a/cluster/core/cert-manager/kustomization.yaml +++ b/cluster/core/cluster-issuers/kustomization.yaml @@ -1,7 +1,7 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- helm-release.yaml -- letsencrypt-production.yaml +- secret.sops.yaml - letsencrypt-staging.yaml -- secret.enc.yaml +- letsencrypt-production.yaml \ No newline at end of file diff --git a/cluster/core/cert-manager/letsencrypt-production.yaml b/cluster/core/cluster-issuers/letsencrypt-production.yaml similarity index 100% rename from cluster/core/cert-manager/letsencrypt-production.yaml rename to cluster/core/cluster-issuers/letsencrypt-production.yaml 
diff --git a/cluster/core/cert-manager/letsencrypt-staging.yaml b/cluster/core/cluster-issuers/letsencrypt-staging.yaml similarity index 100% rename from cluster/core/cert-manager/letsencrypt-staging.yaml rename to cluster/core/cluster-issuers/letsencrypt-staging.yaml diff --git a/cluster/core/cluster-issuers/secret.sops.yaml b/cluster/core/cluster-issuers/secret.sops.yaml new file mode 100644 index 00000000..3d48d7ee --- /dev/null +++ b/cluster/core/cluster-issuers/secret.sops.yaml @@ -0,0 +1,28 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: cloudflare-token-secret + namespace: kube-system +stringData: + cloudflare-token: ENC[AES256_GCM,data:g9drp6qSn74ICZvTIdnhOuGl0EJ7GPCQpz7xRMrtCJaXVLkqNprogw==,iv:D7XGvbMOQqIl+IhLCiUNYQf5O7sBuerDThAnhzHybPU=,tag:9JU7SwfcfF7t5y1IxafHwA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bGpTT3Zhc1dLMUVkVFdt + WVc0bXB1MUxyMXZCT1FaWWNiL1ZyQkkrTlZFCjQ0cmhEVUZITDh0aU9rZTNXQ2p0 + SjBpT2pBdzY2UEJwRDVsRXhzRU9FOEkKLS0tIEMyV3dRYlFJVWQxVVhxRk5NMmdD + QWV5TkdDY2FHTHdUMkhrR3REQWxSSFUK7IjIcLw0U4xB4G6UKnbrv6F+cVCPIfEN + AyctlC0wLvTqJQG2/wrtSFLgcavqbvdQnV9sV32UD/o+f3LC4hhg6g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-01T04:22:48Z" + mac: ENC[AES256_GCM,data:gH1r3RQN/IuY19mYVhJwjZxLMk7Vi69fV31rucBKi34qbKVCJTMNM8nYDhgL0qZsP1umCYAH7ZSEkFnpK76J93ZKe5obqGpitCCloYZDdL/npSEMyDtVxrpL44FJ3DZs2rgVgb9AbgPimVqL/wYQMisXa/1ZgoZMPIy19I+gkNE=,iv:ithznHun7ySymt8nZTtTjv1/NU/Uh+VNU1XvXFZbNw0=,tag:yTJSGbycoKPu7+5L+4nPxg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/core/cluster-policies/ingress.yaml b/cluster/core/cluster-policies/ingress.yaml new file mode 100644 index 00000000..ae550dee --- /dev/null +++ b/cluster/core/cluster-policies/ingress.yaml 
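Review bot: The Cloudflare token Secret now lands in `namespace: kube-system` (the deleted cert-manager/secret.enc.yaml had `namespace: cert-manager`), and a ClusterIssuer solver `secretRef` is only resolved in cert-manager's cluster-resource namespace, which defaults to the namespace cert-manager runs in. That works if the cert-manager HelmRelease this commit places under apps/kube-system installs into kube-system; otherwise letsencrypt-staging.yaml and letsencrypt-production.yaml, renamed here unchanged, will fail to read the token. A comment above `namespace: kube-system`, such as `# must match cert-manager's cluster-resource-namespace, where ClusterIssuer secretRefs are resolved`, would record the coupling for the next move.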
@@ -0,0 +1,25 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: ingress
+spec:
+ mutateExistingOnPolicyUpdate: true
+ generateExistingOnPolicyUpdate: true
+ rules:
+ - name: add-whitelist-source-range-annotation
+ match:
+ any:
+ - resources:
+ kinds:
+ - Ingress
+ exclude:
+ any:
+ - resources:
+ annotations:
+ external-dns/is-public: "true"
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ +(nginx.ingress.kubernetes.io/whitelist-source-range): "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
diff --git a/cluster/apps/kube-system/kube-cleanup-operator/kustomization.yaml b/cluster/core/cluster-policies/kustomization.yaml
similarity index 69%
rename from cluster/apps/kube-system/kube-cleanup-operator/kustomization.yaml
rename to cluster/core/cluster-policies/kustomization.yaml
index 4990550b..63dc003c 100644
--- a/cluster/apps/kube-system/kube-cleanup-operator/kustomization.yaml
+++ b/cluster/core/cluster-policies/kustomization.yaml
@@ -2,4 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- helm-release.yaml
+ - ingress.yaml
+ - resources.yaml
\ No newline at end of file
diff --git a/cluster/core/cluster-policies/resources.yaml b/cluster/core/cluster-policies/resources.yaml
new file mode 100644
index 00000000..ea97135c
--- /dev/null
+++ b/cluster/core/cluster-policies/resources.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: resources
+spec:
+ mutateExistingOnPolicyUpdate: true
+ generateExistingOnPolicyUpdate: true
+ rules:
+ - name: remove-cpu-limits
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ patchStrategicMerge:
+ spec:
+ initContainers:
+ - (name): "*"
+ resources:
+ limits:
+ cpu: null
+ containers:
+ - (name): "*"
+ resources:
+ limits:
+ cpu: null
diff --git a/cluster/core/kube-system/kustomization.yaml b/cluster/core/kube-system/kustomization.yaml
deleted file mode 100644
index 517b992f..00000000
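Review bot: The `+(nginx.ingress.kubernetes.io/whitelist-source-range)` anchor adds the RFC1918 allow-list only when the annotation is absent, so an Ingress that already carries a wider range passes through unchanged and the effective opt-out is not limited to `external-dns/is-public: "true"`; if the intent is private-only by default, a companion validate rule that rejects a non-RFC1918 range on Ingresses lacking that annotation closes the gap. `mutateExistingOnPolicyUpdate: true` appears to have no effect for a rule without `mutate.targets` (Kyverno applies mutate-existing only through targets), so Ingresses admitted before the policy are presumably left unpatched until their next update, and `generateExistingOnPolicyUpdate` does not apply to a mutate rule at all. The allow-list is also only as good as the client address nginx sees, which depends on the ingress service's externalTrafficPolicy or proxy-protocol setup outside this chunk; a comment on the rule stating that assumption would help.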
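Review bot: `remove-cpu-limits` strips `limits.cpu` from every container and initContainer in the cluster, including kube-system and rook-ceph workloads; a namespace with a ResourceQuota that counts `limits.cpu` will reject the mutated pod instead of admitting it, and any pod that depended on its CPU limit for Guaranteed QoS silently drops to Burstable. Scoping the match with a namespace selector, or excluding kube-system, keeps the blast radius explicit, and a one-line comment on the rule such as `# drop CPU limits cluster-wide to avoid CFS throttling; memory limits are kept` records the intent. As with the ingress policy, `mutateExistingOnPolicyUpdate` and `generateExistingOnPolicyUpdate` do not appear to do anything for a mutate rule without targets.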
--- a/cluster/core/kube-system/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: []
-#- kube-vip
diff --git a/cluster/core/kustomization.yaml b/cluster/core/kustomization.yaml
index 9a3287e5..bf1be804 100644
--- a/cluster/core/kustomization.yaml
+++ b/cluster/core/kustomization.yaml
@@ -1,8 +1,7 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- namespaces
-- cert-manager
-- kube-system
-- monitoring
-- rook-ceph
+ - cluster-issuers
+ - cluster-policies
+ - rook-ceph
\ No newline at end of file
diff --git a/cluster/core/monitoring/kustomization.yaml b/cluster/core/monitoring/kustomization.yaml
deleted file mode 100644
index 2062760c..00000000
--- a/cluster/core/monitoring/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- uptimerobot-operator
diff --git a/cluster/core/monitoring/uptimerobot-operator/kustomization.yaml b/cluster/core/monitoring/uptimerobot-operator/kustomization.yaml
deleted file mode 100644
index 761d2252..00000000
--- a/cluster/core/monitoring/uptimerobot-operator/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- helm-release.yaml
diff --git a/cluster/core/rook-ceph/cluster/helm-release.yaml b/cluster/core/rook-ceph/cluster/helm-release.yaml
index e97a57ba..f825628c 100644
--- a/cluster/core/rook-ceph/cluster/helm-release.yaml
+++ b/cluster/core/rook-ceph/cluster/helm-release.yaml
@@ -5,36 +5,55 @@ metadata: name: rook-ceph-cluster namespace: rook-ceph spec: - interval: 5m + interval: 15m chart: spec: - # renovate: registryUrl=https://charts.rook.io/release chart: rook-ceph-cluster - version: v1.7.9 + version: v1.9.6 sourceRef: kind: HelmRepository name: rook-ceph-charts namespace: flux-system + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 dependsOn: - - name: rook-ceph + - name: rook-ceph-operator + namespace: rook-ceph values: monitoring: enabled: true + createPrometheusRules: true ingress: dashboard: - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: "networking-rfc1918@kubernetescrd" + ingressClassName: "nginx" host: - name: "rook.${SECRET_DOMAIN}" + name: &host "rook.${SECRET_DOMAIN}" path: "/" tls: - hosts: - - "rook.${SECRET_DOMAIN}" + - *host + configOverride: | + [global] + bdev_enable_discard = true + bdev_async_discard = true + public network = 10.75.42.0/24 + cluster network = 10.75.42.0/24 + public addr = "" + cluster addr = "" cephClusterSpec: + network: + provider: host + crashCollector: + disable: false dashboard: enabled: true urlPrefix: / + ssl: false storage: useAllNodes: false useAllDevices: false @@ -50,4 +69,8 @@ spec: - name: "k8s-worker03" devices: - name: "nvme0n1" - cephObjectStores: [] + cephBlockPoolsVolumeSnapshotClass: + enabled: true + name: csi-rbdplugin-snapclass + annotations: + k10.kasten.io/is-snapshot-class: "true" diff --git a/cluster/core/rook-ceph/kustomization.yaml b/cluster/core/rook-ceph/kustomization.yaml index 81dd114c..c2f4d8b1 100644 --- a/cluster/core/rook-ceph/kustomization.yaml +++ b/cluster/core/rook-ceph/kustomization.yaml 
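Review bot: The dashboard Ingress loses the Traefik `networking-rfc1918@kubernetescrd` middleware that limited it to private source ranges, and its replacement (`ingressClassName: "nginx"` with no whitelist annotation of its own) relies on the Kyverno ingress ClusterPolicy added elsewhere in this commit to inject `whitelist-source-range` at admission; if this HelmRelease is reconciled before that policy, the dashboard is admitted without the restriction, since the policy does not appear to patch existing objects. Setting `nginx.ingress.kubernetes.io/whitelist-source-range` explicitly under `ingress.dashboard.annotations` removes the ordering dependency for this particular endpoint. `dashboard.ssl: false` combined with `network.provider: host` means the mgr serves the dashboard over plain HTTP on the node address rather than only inside the pod network, with nginx as the single TLS hop; a comment stating that this is intended would help. The `configOverride` block and `cephClusterSpec.network` repeat the 10.75.42.0/24 network three times, so a comment naming the source of truth (cluster-settings) would keep them from drifting.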
@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- cluster -- operator -- reflector -- rook-direct-mount + - namespace.yaml + - rook-direct-mount + - cluster + - operator \ No newline at end of file diff --git a/cluster/core/rook-ceph/namespace.yaml b/cluster/core/rook-ceph/namespace.yaml new file mode 100644 index 00000000..59bbc27c --- /dev/null +++ b/cluster/core/rook-ceph/namespace.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: rook-ceph + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + goldilocks.fairwinds.com/enabled: "true" + k10.kasten.io/ignorebackuppolicy: "true" \ No newline at end of file diff --git a/cluster/core/rook-ceph/operator/helm-release.yaml b/cluster/core/rook-ceph/operator/helm-release.yaml index b101ce7c..4227ba20 100644 --- a/cluster/core/rook-ceph/operator/helm-release.yaml +++ b/cluster/core/rook-ceph/operator/helm-release.yaml @@ -2,26 +2,33 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: rook-ceph + name: rook-ceph-operator namespace: rook-ceph spec: - interval: 5m + interval: 15m chart: spec: - # renovate: registryUrl=https://charts.rook.io/release chart: rook-ceph - version: v1.7.9 + version: v1.9.6 sourceRef: kind: HelmRepository name: rook-ceph-charts namespace: flux-system + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 values: crds: enabled: false + monitoring: + enabled: true resources: requests: - cpu: 100m + cpu: 10m memory: 128Mi limits: - cpu: 1000m memory: 256Mi diff --git a/cluster/core/rook-ceph/rook-direct-mount/backup.sh b/cluster/core/rook-ceph/rook-direct-mount/backup.sh new file mode 100644 index 00000000..f9a31b3c --- /dev/null +++ b/cluster/core/rook-ceph/rook-direct-mount/backup.sh 
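Review bot: The new `rook-ceph` Namespace carries no Pod Security Admission labels even though it will host privileged, root, host-networked pods (the `rook-direct-mount` Deployment in this same change sets `privileged: true`, and the OSDs consume raw `nvme0n1` devices). With `cluster-policies` now wired into `core`, a future cluster-wide PSA default could break this namespace without warning, so declare the exemption explicitly: `pod-security.kubernetes.io/enforce: privileged`, `pod-security.kubernetes.io/audit: privileged`, `pod-security.kubernetes.io/warn: privileged`. Both HelmReleases in this directory also keep `install.createNamespace: true`, which duplicates this manifest and can race Flux over ownership of the `kustomize.toolkit.fluxcd.io/prune: disabled` label; drop it from the charts now that the Namespace is declared in git.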
@@ -0,0 +1,56 @@ +#!/usr/bin/env bash + +# PVC=sonarr-config-v1 \ +# NS=media \ +# kubectl -n rook-ceph exec -it (kubectl -n rook-ceph get pod -l "app=rook-direct-mount" -o jsonpath='{.items[0].metadata.name}') -- /scripts/backup.sh --rbd (k get pv/(kubectl get pv | grep "$PVC" | awk -F' ' '{print $1}') -n "${NS}" -o json | jq -rj '.spec.csi.volumeAttributes.imageName') --pvc "$PVC" + +# Set defaults +NFS_MOUNTPATH="/mnt/backups" +RBD_MOUNTPATH="/mnt/data" +CURRENT_DATE=$(date +"%FT%H%M") + +# Script parameters +rbd="" +pvc="" + +# Collect command line parameters +while [ $# -gt 0 ]; do + if [[ "$1" == *"--"* ]]; then + param="${1/--/}" + declare "$param"="$2" + fi + shift +done + +if [[ -z "${rbd}" ]]; then + echo "Required parameter '--rbd' not set!" + exit 1 +fi + +if [[ -z "${pvc}" ]]; then + echo "Required parameter '--pvc' not set!" + exit 1 +fi + +if ! mountpoint -q ${NFS_MOUNTPATH}; then + echo "NFS mount '${NFS_MOUNTPATH}' is not mounted" + exit 1 +fi + +if [[ ! -d "${RBD_MOUNTPATH}" ]]; then + mkdir -p "${RBD_MOUNTPATH}" +fi + +if [[ ! -d "${NFS_MOUNTPATH}/Manual" ]]; then + mkdir -p "${NFS_MOUNTPATH}/Manual" +fi + +if [[ -f "${NFS_MOUNTPATH}/${pvc}-${CURRENT_DATE}.tar.gz" ]]; then + echo "File '${NFS_MOUNTPATH}/Manual/${pvc}-${CURRENT_DATE}.tar.gz' already exists" + exit 1 +fi + +rbd map -p ceph-blockpool "${rbd}" | xargs -I{} mount {} "${RBD_MOUNTPATH}" +tar czvf "${NFS_MOUNTPATH}/Manual/${pvc}-${CURRENT_DATE}.tar.gz" -C "${RBD_MOUNTPATH}/" . +umount "${RBD_MOUNTPATH}" +rbd unmap -p ceph-blockpool "${rbd}" diff --git a/cluster/core/rook-ceph/rook-direct-mount/deployment.yaml b/cluster/core/rook-ceph/rook-direct-mount/deployment.yaml index 5f42d537..9b9e838d 100644 --- a/cluster/core/rook-ceph/rook-direct-mount/deployment.yaml +++ b/cluster/core/rook-ceph/rook-direct-mount/deployment.yaml 
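Review bot: The duplicate-archive guard tests `${NFS_MOUNTPATH}/${pvc}-${CURRENT_DATE}.tar.gz` while the archive is written to `${NFS_MOUNTPATH}/Manual/...`, so the check never fires and the error message names a path that was never tested. The generic `declare "$param"="$2"` parser also lets any `--NAME value` overwrite `NFS_MOUNTPATH` or `RBD_MOUNTPATH` before the mountpoint check runs, an unsanitised `--pvc` value is interpolated straight into the output path, and without `set -euo pipefail` a failed `rbd map | xargs mount` is silent and tar happily archives an empty directory. Finally the image is mapped and mounted read-write while the PVC may still be attached to a running pod, and nothing unmaps it if tar fails. This is a one-off admin script run via `kubectl exec`, so the exposure is modest, but the rewrite below removes the foot-guns (check that the `rbd` in the `rook/ceph` image accepts `--read-only`; older builds spell it `-o ro`).

```shell
#!/usr/bin/env bash
set -euo pipefail

# … unchanged: usage comment and NFS_MOUNTPATH/RBD_MOUNTPATH/CURRENT_DATE defaults …

# Accept only the two documented flags; a generic `declare "$param"="$2"`
# would let any --NAME value clobber NFS_MOUNTPATH/RBD_MOUNTPATH.
rbd=""
pvc=""
while [ $# -gt 0 ]; do
  case "$1" in
    --rbd) rbd="${2:-}"; shift ;;
    --pvc) pvc="${2:-}"; shift ;;
    *) echo "Unknown parameter '$1'"; exit 1 ;;
  esac
  shift
done

# … unchanged: required-parameter checks and `mountpoint -q` guard …

# The PVC name becomes part of a path under Manual/; refuse anything that could escape it.
case "${pvc}" in
  ""|*/*|*..*) echo "Invalid --pvc value '${pvc}'"; exit 1 ;;
esac

archive="${NFS_MOUNTPATH}/Manual/${pvc}-${CURRENT_DATE}.tar.gz"
mkdir -p "${RBD_MOUNTPATH}" "${NFS_MOUNTPATH}/Manual"
if [[ -f "${archive}" ]]; then
  echo "File '${archive}' already exists"
  exit 1
fi

# Map and mount read-only: the image may still be mapped read-write by the
# pod that owns the PVC, and a second rw mount of the same filesystem can corrupt it.
dev="$(rbd map -p ceph-blockpool --read-only "${rbd}")"
trap 'umount "${RBD_MOUNTPATH}" 2>/dev/null || true; rbd unmap "${dev}" 2>/dev/null || true' EXIT
mount -o ro "${dev}" "${RBD_MOUNTPATH}"
tar czvf "${archive}" -C "${RBD_MOUNTPATH}/" .
```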
@@ -18,62 +18,63 @@ spec: spec: dnsPolicy: ClusterFirstWithHostNet containers: - - name: rook-direct-mount - image: rook/ceph:v1.7.9 - command: ["/tini"] - args: ["-g", "--", "/usr/local/bin/toolbox.sh"] - imagePullPolicy: IfNotPresent - env: - - name: ROOK_CEPH_USERNAME - valueFrom: - secretKeyRef: - name: rook-ceph-mon - key: ceph-username - - name: ROOK_CEPH_SECRET - valueFrom: - secretKeyRef: - name: rook-ceph-mon - key: ceph-secret - securityContext: - privileged: true - volumeMounts: - - mountPath: /dev - name: dev - - mountPath: /sys/bus - name: sysbus - - mountPath: /lib/modules - name: libmodules - - name: mon-endpoint-volume - mountPath: /etc/rook - - name: backups - mountPath: /mnt/backups - - name: direct-mount-backup-script - mountPath: /scripts - # if hostNetwork: false, the "rbd map" command hangs, see https://github.com/rook/rook/issues/2021 + - name: rook-direct-mount + image: rook/ceph:v1.9.6 + imagePullPolicy: IfNotPresent + command: ["/bin/bash"] + args: ["-m", "-c", "/usr/local/bin/toolbox.sh"] + tty: true + env: + - name: ROOK_CEPH_USERNAME + valueFrom: + secretKeyRef: + name: rook-ceph-mon + key: ceph-username + - name: ROOK_CEPH_SECRET + valueFrom: + secretKeyRef: + name: rook-ceph-mon + key: ceph-secret + securityContext: + privileged: true + runAsUser: 0 + volumeMounts: + - mountPath: /dev + name: dev + - mountPath: /sys/bus + name: sysbus + - mountPath: /lib/modules + name: libmodules + - name: mon-endpoint-volume + mountPath: /etc/rook + - name: backups + mountPath: /mnt/backups + - name: direct-mount-backup-script + mountPath: /scripts hostNetwork: true volumes: - - name: dev - hostPath: - path: /dev - - name: sysbus - hostPath: - path: /sys/bus - - name: libmodules - hostPath: - path: /lib/modules - - name: mon-endpoint-volume - configMap: - name: rook-ceph-mon-endpoints - items: - - key: data - path: mon-endpoints - - name: backups - nfs: - server: 10.75.30.15 - path: /tank/data/ceph/backups - - name: direct-mount-backup-script - 
projected: - defaultMode: 0775 - sources: - - configMap: - name: direct-mount-backup-script + - name: dev + hostPath: + path: /dev + - name: sysbus + hostPath: + path: /sys/bus + - name: libmodules + hostPath: + path: /lib/modules + - name: mon-endpoint-volume + configMap: + name: rook-ceph-mon-endpoints + items: + - key: data + path: mon-endpoints + - name: backups + nfs: + server: "nas01.${SECRET_PRIVATE_DOMAIN}" + path: /tank/data/ceph/backups + - name: direct-mount-backup-script + projected: + defaultMode: 0775 + sources: + - configMap: + name: direct-mount-backup-script diff --git a/cluster/core/rook-ceph/rook-direct-mount/kustomization.yaml b/cluster/core/rook-ceph/rook-direct-mount/kustomization.yaml index eedc1bad..eecc6f18 100644 --- a/cluster/core/rook-ceph/rook-direct-mount/kustomization.yaml +++ b/cluster/core/rook-ceph/rook-direct-mount/kustomization.yaml @@ -11,4 +11,4 @@ configMapGenerator: generatorOptions: disableNameSuffixHash: true annotations: - kustomize.toolkit.fluxcd.io/substitute: disabled + kustomize.toolkit.fluxcd.io/substitute: disabled \ No newline at end of file diff --git a/cluster/base/apps.yaml b/cluster/flux/apps.yaml similarity index 88% rename from cluster/base/apps.yaml rename to cluster/flux/apps.yaml index 8f1f9ebd..88fbdbe0 100644 --- a/cluster/base/apps.yaml +++ b/cluster/flux/apps.yaml @@ -5,20 +5,19 @@ metadata: name: apps namespace: flux-system spec: - interval: 10m0s - dependsOn: - - name: core + interval: 10m path: ./cluster/apps prune: true + dependsOn: + - name: core sourceRef: kind: GitRepository name: flux-system decryption: provider: sops secretRef: - name: sops-gpg + name: sops-age postBuild: - substitute: {} substituteFrom: - kind: ConfigMap name: cluster-settings diff --git a/cluster/flux/charts.yaml b/cluster/flux/charts.yaml new file mode 100644 index 00000000..5d9ac21b --- /dev/null +++ b/cluster/flux/charts.yaml 
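Review bot: The re-indent drops the only comment explaining why this pod needs `hostNetwork: true` (`rbd map` hangs without it, rook/rook#2021); keep it beside the field: `# hostNetwork is required: "rbd map" hangs otherwise, see https://github.com/rook/rook/issues/2021`. The container remains `privileged: true`, now explicitly `runAsUser: 0`, on the host network, with host `/dev`, `/sys/bus` and `/lib/modules` mounted and the `rook-ceph-mon` credentials in its environment, and it runs permanently although `backup.sh` is only invoked by hand; consider keeping `replicas: 0` and scaling up for a backup. At minimum mark the `sysbus` and `libmodules` mounts `readOnly: true`, as the Cilium DaemonSet elsewhere in this commit does for `lib-modules` — nothing in the backup script writes to them. The Deployment header and `replicas` line are above this hunk.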
@@ -0,0 +1,13 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + name: charts + namespace: flux-system +spec: + interval: 10m + path: ./cluster/charts + prune: true + sourceRef: + kind: GitRepository + name: flux-cluster \ No newline at end of file diff --git a/cluster/flux/config.yaml b/cluster/flux/config.yaml new file mode 100644 index 00000000..83934449 --- /dev/null +++ b/cluster/flux/config.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + name: config + namespace: flux-system +spec: + interval: 10m + path: ./cluster/config + prune: true + sourceRef: + kind: GitRepository + name: flux-cluster + decryption: + provider: sops + secretRef: + name: sops-age \ No newline at end of file diff --git a/cluster/base/core.yaml b/cluster/flux/core.yaml similarity index 61% rename from cluster/base/core.yaml rename to cluster/flux/core.yaml index da762a31..2e86dc6a 100644 --- a/cluster/base/core.yaml +++ b/cluster/flux/core.yaml @@ -5,22 +5,23 @@ metadata: name: core namespace: flux-system spec: - interval: 10m0s - dependsOn: - - name: crds + interval: 10m path: ./cluster/core prune: false sourceRef: kind: GitRepository name: flux-system + dependsOn: + - name: charts + - name: config + - name: crds decryption: provider: sops secretRef: - name: sops-gpg + name: sops-age postBuild: - substitute: {} substituteFrom: - - kind: ConfigMap - name: cluster-settings - - kind: Secret - name: cluster-secrets + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets diff --git a/cluster/base/crds.yaml b/cluster/flux/crds.yaml similarity index 92% rename from cluster/base/crds.yaml rename to cluster/flux/crds.yaml index c938c9b5..d222dd01 100644 --- a/cluster/base/crds.yaml +++ b/cluster/flux/crds.yaml @@ -5,7 +5,7 @@ metadata: name: crds namespace: flux-system spec: - interval: 10m0s + interval: 10m path: ./cluster/crds prune: false sourceRef: 
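Review bot: The new `charts` and `config` Kustomizations take their `sourceRef` from the `flux-cluster` GitRepository while `core`, `apps` and `crds` keep `flux-system`, yet `core` now `dependsOn` `charts` and `config`. If both sources point at the same repository this is two independently reconciled checkouts of `main` feeding one dependency chain; if they differ, the chain crosses sources without saying so. Pick one `sourceRef` for the whole `cluster/flux` tree, or add a comment on `charts`/`config` stating why they must come from `flux-cluster`.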
diff --git a/cluster/flux/flux-system/flux-cluster.yaml b/cluster/flux/flux-system/flux-cluster.yaml new file mode 100644 index 00000000..0fcc4b1b --- /dev/null +++ b/cluster/flux/flux-system/flux-cluster.yaml @@ -0,0 +1,25 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: GitRepository +metadata: + name: flux-cluster + namespace: flux-system +spec: + interval: 10m + ref: + branch: main + url: https://github.com/toboshii/home-ops +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + name: flux-cluster + namespace: flux-system +spec: + interval: 10m + path: ./cluster/flux + prune: true + wait: false + sourceRef: + kind: GitRepository + name: flux-cluster diff --git a/cluster/flux/flux-system/flux-installation.yaml b/cluster/flux/flux-system/flux-installation.yaml new file mode 100644 index 00000000..5463fdd3 --- /dev/null +++ b/cluster/flux/flux-system/flux-installation.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: GitRepository +metadata: + name: flux-installation + namespace: flux-system +spec: + interval: 10m + ref: + # renovate: datasource=github-releases depName=fluxcd/flux2 + tag: "v0.31.3" + url: https://github.com/fluxcd/flux2 + ignore: | + # exclude all + /* + # path to manifests + !/manifests +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + name: flux-installation + namespace: flux-system +spec: + interval: 10m + path: ./manifests/install + prune: true + wait: true + sourceRef: + kind: GitRepository + name: flux-installation diff --git a/cluster/apps/kube-system/nvidia-device-plugin/kustomization.yaml b/cluster/flux/flux-system/kustomization.yaml similarity index 62% rename from cluster/apps/kube-system/nvidia-device-plugin/kustomization.yaml rename to cluster/flux/flux-system/kustomization.yaml index 761d2252..c73f5549 100644 --- a/cluster/apps/kube-system/nvidia-device-plugin/kustomization.yaml 
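Review bot: The `flux-cluster` GitRepository follows `branch: main` of `https://github.com/toboshii/home-ops` with no `verify` block, so anyone able to push to `main` (or holding a compromised GitHub credential) gets a direct path to cluster-admin through the `flux-cluster` Kustomization that applies everything under `./cluster/flux` with `prune: true`. Require signed commits on the branch and have Flux enforce it: `verify: {mode: head, secretRef: {name: flux-git-pubkeys}}` with a Secret holding the authorised GPG public keys. A short comment explaining why `wait: false` is acceptable for this root Kustomization would also keep it from being "fixed" later.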
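Review bot: `flux-installation` pins the upstream `fluxcd/flux2` source to `tag: "v0.31.3"`, but a git tag is mutable and this Kustomization applies `manifests/install` — controllers running with cluster-admin — straight into the cluster with `prune: true`. Pin immutably with `ref: {commit: <sha that v0.31.3 resolves to>}` or, if the tag is kept so the renovate comment can bump it, add `verify: {mode: head, secretRef: {name: flux-release-keys}}` once the upstream signing key is imported (assuming the upstream tags/commits are signed), so a moved tag fails reconciliation instead of being applied. A comment on the `ignore` block noting that only `manifests/install` is consumed would help the next reader.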
+++ b/cluster/flux/flux-system/kustomization.yaml @@ -1,4 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- helm-release.yaml +- flux-installation.yaml +- flux-cluster.yaml diff --git a/talos/clusterconfig/.gitignore b/talos/clusterconfig/.gitignore new file mode 100644 index 00000000..745ee9fc --- /dev/null +++ b/talos/clusterconfig/.gitignore @@ -0,0 +1,7 @@ +cluster01-k8s-control01.dfw.56k.sh.yaml +cluster01-k8s-control02.dfw.56k.sh.yaml +cluster01-k8s-control03.dfw.56k.sh.yaml +cluster01-k8s-worker01.dfw.56k.sh.yaml +cluster01-k8s-worker02.dfw.56k.sh.yaml +cluster01-k8s-worker03.dfw.56k.sh.yaml +talosconfig diff --git a/talos/cni/install.yaml b/talos/cni/install.yaml new file mode 100644 index 00000000..53137f46 --- /dev/null +++ b/talos/cni/install.yaml 
@@ -0,0 +1,671 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + name: cilium + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + name: cilium-operator + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + name: cilium +rules: +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + - services + - pods + - endpoints + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - list + - watch + - update + - get +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies + - ciliumclusterwidenetworkpolicies/status + - ciliumendpoints + - ciliumendpoints/status + - ciliumnodes + - ciliumnodes/status + - ciliumidentities + - ciliumlocalredirectpolicies + - ciliumlocalredirectpolicies/status + - ciliumegressnatpolicies + - ciliumendpointslices + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + name: cilium-operator +rules: +- apiGroups: + - "" + 
resources: + - pods + verbs: + - get + - list + - watch + - delete +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + - nodes/status + verbs: + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services/status + verbs: + - update +- apiGroups: + - "" + resources: + - services + - endpoints + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies + - ciliumnetworkpolicies/status + - ciliumnetworkpolicies/finalizers + - ciliumclusterwidenetworkpolicies + - ciliumclusterwidenetworkpolicies/status + - ciliumclusterwidenetworkpolicies/finalizers + - ciliumendpoints + - ciliumendpoints/status + - ciliumendpoints/finalizers + - ciliumnodes + - ciliumnodes/status + - ciliumnodes/finalizers + - ciliumidentities + - ciliumendpointslices + - ciliumidentities/status + - ciliumidentities/finalizers + - ciliumlocalredirectpolicies + - ciliumlocalredirectpolicies/status + - ciliumlocalredirectpolicies/finalizers + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + name: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + 
meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + name: cilium-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium-operator +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system +--- +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + annotate-k8s-node: "true" + arping-refresh-period: 30s + auto-direct-node-routes: "false" + bpf-lb-external-clusterip: "false" + bpf-lb-map-max: "65536" + bpf-map-dynamic-size-ratio: "0.0025" + bpf-policy-map-max: "16384" + cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "" + cluster-name: default + custom-cni-conf: "false" + debug: "false" + disable-cnp-status-updates: "true" + disable-endpoint-crd: "false" + enable-auto-protect-node-port-range: "true" + enable-bandwidth-manager: "false" + enable-bpf-clock-probe: "true" + enable-endpoint-health-checking: "true" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-ipv4: "true" + enable-ipv4-masquerade: "true" + enable-ipv6: "false" + enable-ipv6-masquerade: "true" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" + enable-l7-proxy: "true" + enable-local-redirect-policy: "false" + enable-policy: default + enable-remote-node-identity: "true" + enable-session-affinity: "true" + enable-well-known-identities: "false" + enable-xt-socket-fallback: "true" + identity-allocation-mode: crd + install-iptables-rules: "true" + install-no-conntrack-iptables-rules: "false" + ipam: kubernetes + kube-proxy-replacement: strict + kube-proxy-replacement-healthz-bind-address: "" + monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + node-port-bind-protection: "true" + nodes-gc-interval: 5m0s + operator-api-serve-addr: 127.0.0.1:9234 + preallocate-bpf-maps: "false" + remove-cilium-node-taints: 
"true" + set-cilium-is-up-condition: "true" + sidecar-istio-proxy-image: cilium/istio_proxy + tunnel: vxlan + unmanaged-pod-watcher-interval: "15" +kind: ConfigMap +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + name: cilium-config + namespace: kube-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + io.cilium/app: operator + name: cilium-operator + name: cilium-operator + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/managed-by: Helm + io.cilium/app: operator + name: cilium-operator + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + io.cilium/app: operator + name: cilium-operator + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: io.cilium/app + operator: In + values: + - operator + topologyKey: kubernetes.io/hostname + containers: + - args: + - --config-dir=/tmp/cilium/config-map + - --debug=$(CILIUM_DEBUG) + command: + - cilium-operator-generic + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_DEBUG + valueFrom: + configMapKeyRef: + key: debug + name: cilium-config + optional: true + - name: KUBERNETES_SERVICE_HOST + value: cluster01.dfw.56k.sh + - name: KUBERNETES_SERVICE_PORT + value: "6443" + image: 
quay.io/cilium/operator-generic:v1.11.6@sha256:9f6063c7bcaede801a39315ec7c166309f6a6783e98665f6693939cf1701bc17 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + host: 127.0.0.1 + path: /healthz + port: 9234 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 3 + name: cilium-operator + volumeMounts: + - mountPath: /tmp/cilium/config-map + name: cilium-config-path + readOnly: true + hostNetwork: true + priorityClassName: system-cluster-critical + restartPolicy: Always + serviceAccount: cilium-operator + serviceAccountName: cilium-operator + tolerations: + - operator: Exists + volumes: + - configMap: + name: cilium-config + name: cilium-config-path +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + k8s-app: cilium + name: cilium + namespace: kube-system +spec: + selector: + matchLabels: + app.kubernetes.io/managed-by: Helm + k8s-app: cilium + template: + metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + k8s-app: cilium + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + - matchExpressions: + - key: beta.kubernetes.io/os + operator: In + values: + - linux + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: k8s-app + operator: In + values: + - cilium + topologyKey: kubernetes.io/hostname + containers: + - args: + - --config-dir=/tmp/cilium/config-map + command: + - cilium-agent + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace 
+ - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + - name: CILIUM_CNI_CHAINING_MODE + valueFrom: + configMapKeyRef: + key: cni-chaining-mode + name: cilium-config + optional: true + - name: CILIUM_CUSTOM_CNI_CONF + valueFrom: + configMapKeyRef: + key: custom-cni-conf + name: cilium-config + optional: true + - name: KUBERNETES_SERVICE_HOST + value: cluster01.dfw.56k.sh + - name: KUBERNETES_SERVICE_PORT + value: "6443" + image: quay.io/cilium/cilium:v1.11.6@sha256:f7f93c26739b6641a3fa3d76b1e1605b15989f25d06625260099e01c8243f54c + imagePullPolicy: IfNotPresent + lifecycle: + postStart: + exec: + command: + - /cni-install.sh + - --enable-debug=false + - --cni-exclusive=true + preStop: + exec: + command: + - /cni-uninstall.sh + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-agent + readinessProbe: + failureThreshold: 3 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + privileged: true + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 2 + successThreshold: 1 + volumeMounts: + - mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: bpf-maps + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/opt/cni/bin + name: cni-path + - mountPath: /host/etc/cni/net.d + name: etc-cni-netd + - mountPath: /var/lib/cilium/clustermesh + name: clustermesh-secrets + readOnly: true + - mountPath: /tmp/cilium/config-map + name: cilium-config-path + readOnly: true + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: 
xtables-lock + hostNetwork: true + initContainers: + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-mount /hostbin/cilium-mount; + nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; + rm /hostbin/cilium-mount + env: + - name: CGROUP_ROOT + value: /run/cilium/cgroupv2 + - name: BIN_PATH + value: /opt/cni/bin + image: quay.io/cilium/cilium:v1.11.6@sha256:f7f93c26739b6641a3fa3d76b1e1605b15989f25d06625260099e01c8243f54c + imagePullPolicy: IfNotPresent + name: mount-cgroup + securityContext: + privileged: true + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-state + name: cilium-config + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-bpf-state + name: cilium-config + optional: true + - name: KUBERNETES_SERVICE_HOST + value: cluster01.dfw.56k.sh + - name: KUBERNETES_SERVICE_PORT + value: "6443" + image: quay.io/cilium/cilium:v1.11.6@sha256:f7f93c26739b6641a3fa3d76b1e1605b15989f25d06625260099e01c8243f54c + imagePullPolicy: IfNotPresent + name: clean-cilium-state + resources: + requests: + cpu: 100m + memory: 100Mi + securityContext: + privileged: true + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /run/cilium/cgroupv2 + mountPropagation: HostToContainer + name: cilium-cgroup + - mountPath: /var/run/cilium + name: cilium-run + priorityClassName: system-node-critical + restartPolicy: Always + serviceAccount: cilium + serviceAccountName: cilium + terminationGracePeriodSeconds: 1 + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + name: cilium-run + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + - hostPath: + path: /proc + type: Directory + name: hostproc + - hostPath: + path: 
/run/cilium/cgroupv2 + type: DirectoryOrCreate + name: cilium-cgroup + - hostPath: + path: /opt/cni/bin + type: DirectoryOrCreate + name: cni-path + - hostPath: + path: /etc/cni/net.d + type: DirectoryOrCreate + name: etc-cni-netd + - hostPath: + path: /lib/modules + name: lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + - name: clustermesh-secrets + secret: + defaultMode: 256 + optional: true + secretName: cilium-clustermesh + - configMap: + name: cilium-config + name: cilium-config-path + updateStrategy: + rollingUpdate: + maxUnavailable: 2 + type: RollingUpdate diff --git a/talos/cni/kustomization.yaml b/talos/cni/kustomization.yaml new file mode 100644 index 00000000..58d33acb --- /dev/null +++ b/talos/cni/kustomization.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +helmCharts: + - name: cilium + repo: https://helm.cilium.io/ + version: 1.11.6 + releaseName: cilium + namespace: kube-system + valuesFile: values.yaml +commonAnnotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system +commonLabels: + app.kubernetes.io/managed-by: Helm \ No newline at end of file diff --git a/talos/cni/values.yaml b/talos/cni/values.yaml new file mode 100644 index 00000000..99fc373f --- /dev/null +++ b/talos/cni/values.yaml @@ -0,0 +1,19 @@ +--- +kubeProxyReplacement: "strict" + +k8sServiceHost: cluster01.dfw.56k.sh +k8sServicePort: 6443 + +ipam: + mode: "kubernetes" + +bgp: + enabled: false + announce: + loadbalancerIP: true + +hubble: + enabled: false + +ipv6: + enabled: false diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml new file mode 100644 index 00000000..4d65f4f2 --- /dev/null +++ b/talos/talconfig.yaml 
@@ -0,0 +1,204 @@ +clusterName: cluster01 +talosVersion: v1.1.0 +kubernetesVersion: v1.24.2 +endpoint: https://cluster01.${domainName}:6443 +clusterPodNets: + - 172.22.0.0/16 +clusterSvcNets: + - 172.24.0.0/16 +cniConfig: + name: custom + urls: + - https://gist.githubusercontent.com/toboshii/72d5570d8a7a6a9f4daf8a2162d07ee9/raw/6225cb24b8905a145e39438babadce771eb9e4ed/install.yaml +nodes: + - hostname: k8s-control01.${domainName} + ipAddress: 10.75.40.20 + controlPlane: true + installDisk: /dev/sda + networkInterfaces: + - interface: eth0 + dhcp: true + vip: + ip: 10.75.40.10 + - hostname: k8s-control02.${domainName} + ipAddress: 10.75.40.21 + controlPlane: true + installDisk: /dev/sda + networkInterfaces: + - interface: eth0 + dhcp: true + vip: + ip: 10.75.40.10 + - hostname: k8s-control03.${domainName} + ipAddress: 10.75.40.22 + controlPlane: true + installDisk: /dev/sda + networkInterfaces: + - interface: eth0 + dhcp: true + vip: + ip: 10.75.40.10 + - hostname: k8s-worker01.${domainName} + ipAddress: 10.75.40.30 + controlPlane: false + installDisk: /dev/sda + networkInterfaces: + - interface: eth0 + vlans: + - addresses: + - 10.75.42.30/24 + dhcp: false + vlanId: 42 + dhcp: true + - hostname: k8s-worker02.${domainName} + ipAddress: 10.75.40.31 + controlPlane: false + installDisk: /dev/sda + networkInterfaces: + - interface: eth0 + vlans: + - addresses: + - 10.75.42.31/24 + dhcp: false + vlanId: 42 + dhcp: true + - hostname: k8s-worker03.${domainName} + ipAddress: 10.75.40.32 + controlPlane: false + installDisk: /dev/sda + networkInterfaces: + - interface: eth0 + vlans: + - addresses: + - 10.75.42.32/24 + dhcp: false + vlanId: 42 + dhcp: true +controlPlane: + inlinePatch: + cluster: + aescbcEncryptionSecret: ${aescbcEncryptionKey} + aggregatorCA: + crt: ${k8sAggregatorCert} + key: ${k8sAggregatorCertKey} + apiServer: + certSANs: + - ${clusterEndpointIP} + - cluster01.${domainName} + extraArgs: + feature-gates: MixedProtocolLBService=true,EphemeralContainers=True 
+ ca: + crt: ${clusterCert} + key: ${clusterCertKey} + controllerManager: + extraArgs: + feature-gates: MixedProtocolLBService=true,EphemeralContainers=True + discovery: + registries: + service: + disabled: true + etcd: + ca: + crt: ${etcdCert} + key: ${etcdCertKey} + extraManifests: + - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/v0.5.1/deploy/ha-install.yaml + proxy: + disabled: true + extraArgs: + feature-gates: MixedProtocolLBService=true,EphemeralContainers=True + scheduler: + extraArgs: + feature-gates: MixedProtocolLBService=true,EphemeralContainers=True + secret: ${clusterSecret} + serviceAccount: + key: ${k8sServiceAccountKey} + token: ${clusterToken} + machine: + ca: + crt: ${machineCert} + key: ${machineCertKey} + certSANs: + - ${clusterEndpointIP} + - cluster01.${domainName} + install: + extraKernelArgs: + - talos.logging.kernel=udp://10.75.45.102:6050/ + kubelet: + extraArgs: + feature-gates: GracefulNodeShutdown=true,MixedProtocolLBService=true + rotate-server-certificates: "true" + nodeIP: + validSubnets: + - 10.75.40.0/24 + logging: + destinations: + - endpoint: udp://10.75.45.102:6051/ + format: json_lines + network: + extraHostEntries: + - aliases: + - cluster-0.${domainName} + ip: ${clusterEndpointIP} + registries: + mirrors: + docker.io: + endpoints: + - http://nas01.dfw.56k.sh:5000 + time: + disabled: false + servers: + - 10.75.0.1 + token: ${machineToken} +worker: + inlinePatch: + cluster: + aescbcEncryptionSecret: ${aescbcEncryptionKey} + ca: + crt: ${clusterCert} + key: ${clusterCertKey} + discovery: + registries: + service: + disabled: true + secret: ${clusterSecret} + token: ${clusterToken} + machine: + ca: + crt: ${machineCert} + key: ${machineCertKey} + certSANs: + - ${clusterEndpointIP} + - cluster01.${domainName} + install: + extraKernelArgs: + - talos.logging.kernel=udp://10.75.45.102:6050/ + kubelet: + extraArgs: + feature-gates: MixedProtocolLBService=true,EphemeralContainers=True + 
rotate-server-certificates: "true" + nodeIP: + validSubnets: + - 10.75.40.0/24 + logging: + destinations: + - endpoint: udp://10.75.45.102:6051/ + format: json_lines + network: + extraHostEntries: + - aliases: + - cluster01.${domainName} + ip: ${clusterEndpointIP} + sysctls: + fs.inotify.max_user_instances: "8192" + fs.inotify.max_user_watches: "1048576" + registries: + mirrors: + docker.io: + endpoints: + - http://nas01.dfw.56k.sh:5000 + time: + disabled: false + servers: + - 10.75.0.1 + token: ${machineToken} diff --git a/talos/talenv.sops.yaml b/talos/talenv.sops.yaml new file mode 100644 index 00000000..58c5aa56 --- /dev/null +++ b/talos/talenv.sops.yaml 
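Review bot: The key material this hunk splices in through `${clusterCertKey}`, `${etcdCertKey}`, `${machineCertKey}`, `${k8sServiceAccountKey}` and `${aescbcEncryptionKey}` appears to be committed in the clear in the companion `talos/talenv.sops.yaml`: its values are base64 PEM blobs and bootstrap tokens rather than `ENC[AES256_GCM,...]` envelopes, despite the sops footer. If that reading is right, re-encrypting the file is not enough — every CA key and join token here is already in git history and the cluster secrets must be regenerated. Separately, both `registries.mirrors.docker.io.endpoints` entries point at `http://nas01.dfw.56k.sh:5000`, so any image not pinned by digest is pulled through an unauthenticated plaintext mirror; front it with TLS (`https://` plus a `registries.config` CA entry) or drop the mirror. Finally, the control-plane `extraHostEntries` alias is `cluster-0.${domainName}` while the worker side and `endpoint` use `cluster01.${domainName}`, which looks like a typo that leaves control-plane nodes resolving the API endpoint via DNS instead of the hosts entry.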
@@ -0,0 +1,35 @@
+aescbcEncryptionKey: P/MN4GtATMywosP6Fp2PN3LO+iPwO3IITp8MljUqjr0=
+clusterCert: 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
+clusterCertKey: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUZiSkpJN2V2SnM1RGtzRmdrT2RsNm41YWFubFRYTllxRzFUOHd1ZDVmRWhvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFN0NUUHNaOHdjNGtrU0VXSlRxTGl2ZUZoTzA0TXpZOURGSUcrekV1MVdnYkRHaE9zL2lVawpBc1ZtUTBpZXQzR0lSQTd5NjhpbEZmMVJoc0xvQzJGYTRnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+clusterSecret: 8yEQkETnaCHyIvSsksNtlCjXdbJt1ott1lsDPBvvOZY=
+clusterToken: k78vy8.r2ijtnv6duoqju74
+etcdCert: 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
+etcdCertKey: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU5aa0NvTUxqdkhyZW5jTk5sQUtYVUFDM2lBblJrSVF4ek81Y3NkYW4wajVvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFdW9vcmk2dUVaTUhpb0cxUkgzY0FxMDBNbXFvMkNuV0NrT3BmM3dTazFRbmNacHZKQXJIUgpMRXN6NWUyYnRneXFKdnVIb2VkTUNJb0pjU0xhYy8vSGNnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+k8sAggregatorCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJYakNDQVFXZ0F3SUJBZ0lRSXFVZ3IzLzZRd0NwQUpXSmI0d1ZrekFLQmdncWhrak9QUVFEQWpBQU1CNFgKRFRJeU1EWXpNREE1TWpJeU0xb1hEVE15TURZeU56QTVNakl5TTFvd0FEQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxRwpTTTQ5QXdFSEEwSUFCUHdkTjRsQ2hqdW9jSFJ0WW1iRWxNOERoYU5tczE3cUREZ2tVVTc5L2J3a3d3RlZYRmV1CnhqczhHRU41VDdtbG1jTHU1TFlIQkViaVZnR1E5aE5saGthallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWQKQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZApCZ05WSFE0RUZnUVVhK3c5L3pMZjdOc0tJTHA1alRiZlZPbUMrRDB3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnClJwTmJJS0YvM2ZlakV5N2ltcFFHSU9pU3VLbGFDcXdndk9DQS84dGRBUmtDSUg4U1N1YS8vOCs2RERJZGl1bTIKQXFTRkNPY1ZvZkR6UFpDeklIdktUcWx4Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+k8sAggregatorCertKey: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUVzbTUwK3QxbGlFUUFEWXdXdXJQZnZEbDZwNFExbTdsS3BQUCtLL0tPaDVvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFL0IwM2lVS0dPNmh3ZEcxaVpzU1V6d09GbzJhelh1b01PQ1JSVHYzOXZDVERBVlZjVjY3RwpPendZUTNsUHVhV1p3dTdrdGdjRVJ1SldBWkQyRTJXR1JnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+k8sServiceAccountKey: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFtcE1nTThJazBtSjRybXYvWlJJWERJQklyNDlwTm9zbVptaU9WY01HaDhvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSGM5aFU4MWhMd1AzUEYzdy95VWp6VkNPbGJ1bEFPcmZmeFRLNDh0YlAvcGZBMTc3cktmdApNZ05rSnBJbkU3bVNjVVozZStRSGdydTdBV240SmtGdW1RPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+machineCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBbFNzUVAxLzQ4RmM0cDBYaysrZitLakFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qSXdOak13TURreU1qSXpXaGNOTXpJd05qSTNNRGt5TWpJeldqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQU1zOVJxT3BaaTZUcWEySHZhTnBDUDNTVlNuMkMySlh5aldmCnpQNGhqbmtobzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkluS0V1VFZVekl0aERZVgpzZmcrNXdXdzZTcDJNQVVHQXl0bGNBTkJBTDFEQjhPRFplNndyVUUyOGFyQXI3dkpSYldlckRKVTU2QUl0TXhMClpmYld6bGhtY0xtTmZFYmFFTTd6VzA0R1gwYXlWTFp4d2xDYWcxYmI5QXJvaWdJPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+machineCertKey: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJRzVLQWhGYWNsRFl4c092S1F0bEpoanRXUU1lbHhSRjBuRitER0xxcXVvcwotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
+machineToken: 20da6q.97akf48jafdu9cck
+domainName: dfw.56k.sh
+clusterEndpointIP: 10.75.40.10
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3amVhQU00UEZNS3dnVVJZ
+ Q3haNUpibk9NVm1mYmJIMnNKWVUzT1A3NTFjCktLZlRjWnBzSjloWWRLZVpZS0gx
+ bFpnbWpVR0FiRE1CQTNaMythS0J4d0EKLS0tIGVUWXI4NzRtM0NIN2JoeE9SOUEx
+ dlRHRmMzejN6UEVIc3phZHZmUHRwb0kK0KU0+eVXSWHFc1mybSfZam24oMcxUnQH
+ N35S5iGoI1pzh7fQ9P1RcLZZupdOR3po4BzVzaRmiNNCwPMSCbkuYA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-06-30T09:36:26Z"
+ mac: ENC[]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
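Review bot: Every value in this new file is committed in cleartext despite the `.sops.yaml` suffix: `encrypted_regex: ^(data|stringData)$` matches none of the top-level keys, so `clusterCertKey`, `etcdCertKey`, `k8sAggregatorCertKey`, `k8sServiceAccountKey`, `machineCertKey`, `aescbcEncryptionKey`, `clusterSecret`, `clusterToken` and `machineToken` appear as plain base64/literal values instead of `ENC[AES256_GCM,...]` blobs, and `mac: ENC[]` is empty, which is consistent with sops having encrypted nothing. These are the cluster and machine CA private keys, the etcd CA key, the service-account signing key, the secrets-at-rest key and both bootstrap tokens, and they are now in git history, so they should be treated as compromised and regenerated before the cluster is redeployed; rewriting history is at most a secondary step. The sops creation rule that applies to `talos/*.sops.yaml` (presumably in the repository's `.sops.yaml`, not visible in this hunk) should drop `encrypted_regex` so every key is encrypted, or use one that covers these names, for example (illustrative) `encrypted_regex: ^(.*Cert|.*Key|.*Secret|.*Token)$`. A pre-commit check that rejects any `*.sops.yaml` whose values are not `ENC[...]` (or whose `mac` is empty) would have caught this before it was pushed.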