scottk/homelab
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/homelab.git synced 2025-10-31 01:47:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: cleanup of remodelling

Browse Source 
move remodel folder down to root and delete old unused manifests
This commit is contained in:
Vegard Hagen
2024-07-21 20:38:35 +02:00
parent f1797c94ec
commit 207b1892bf
447 changed files with 477 additions and 6122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
README.md
View File

@@ -1,22 +1,34 @@
<div align="center"> <div align="center">
<img src="https://raw.githubusercontent.com/vehagn/homelab/main/docs/assets/kubernetes.svg" width="144px" alt="Kubernetes logo"/> # 🪨 Homelab 🏡
# 🪨 Kubernetes Homelab 🏡 Repository for home infrastructure and [Kubernetes](https://kubernetes.io/) cluster
using [GitOps](https://en.wikipedia.org/wiki/DevOps) practices.
Held together using [Proxmox VE](https://www.proxmox.com/en/proxmox-virtual-environment),
[OpenTofu](https://opentofu.org/), [Talos](https://talos.dev), [Kubernetes](https://kubernetes.io/),
[Argo CD](https://argoproj.github.io/cd/) and copious amounts of [YAML](https://yaml.org/).
</div> </div>
--- ---
## 📝 Overview ## 📖 Overview
This is the [IaC](https://en.wikipedia.org/wiki/Infrastructure_as_code) configuration for my homelab. This repository hosts the IaC ([Infrastructure as Code](https://en.wikipedia.org/wiki/Infrastructure_as_code))
It's mainly powered by [Kubernetes](https://kubernetes.io/) and I do my best to adhere to GitOps practices. configuration for my homelab.
To organise all the configuration I've opted for an approach using Kustomized Helm with Argo CD which I've explained in The Homelab is backed by [Proxmox VE](https://www.proxmox.com/en/proxmox-virtual-environment) hypervisor nodes with VMs
more detail [here](https://blog.stonegarden.dev/articles/2023/09/argocd-kustomize-with-helm/). bootstrapped using [OpenTofu](https://opentofu.org/)/[Terraform](https://www.terraform.io/).
I try to journal my adventures and exploits on my [blog](https://blog.stonegarden.dev) which is hosted by this repo. Most of the services run on [Talos](https://www.talos.dev/) flavoured [Kubernetes](https://kubernetes.io/),
though I'm also running a [TrueNAS](https://www.truenas.com/) VM for storage
and [Home Assistant](https://www.home-assistant.io/) VM for home automation.
To organise all the configuration I've opted for an approach using Kustomized Helm
with [Argo CD](https://argoproj.github.io/cd/) which I've explained in more
detail [in this article](https://blog.stonegarden.dev/articles/2023/09/argocd-kustomize-with-helm/).
I journal my homelab journey over at my self-hosted [blog](https://blog.stonegarden.dev).
## 🧑‍💻 Getting Started ## 🧑‍💻 Getting Started
@@ -30,53 +42,68 @@ I've also written an article on how to get started
with [Kubernetes on Proxmox](https://blog.stonegarden.dev/articles/2024/03/proxmox-k8s-with-cilium/) if virtualisation with [Kubernetes on Proxmox](https://blog.stonegarden.dev/articles/2024/03/proxmox-k8s-with-cilium/) if virtualisation
is more your thing. is more your thing.
A third option is the [Quickstart](docs/QUICKSTART.md) in the docs-folder. I'm currently working on an article on how to bootstrap your own Talos-cluster using this repo.
I also have a ["mini-cluster" repo](https://gitlab.com/vehagn/mini-homelab) which might be easier to start understanding
over at GitLab.
## ⚙️ Core Components ## ⚙️ Core Components
* [Proxmox VE](https://www.proxmox.com/en/proxmox-virtual-environment): Server management and KVM hypervisor.
* [OpenTofu](https://opentofu.org/): Open source infrastructure as code tool.
* [Cilium](https://cilium.io/): eBPF-based Networking, Observability, Security.
* [Argo CD](https://argo-cd.readthedocs.io/en/stable/): Declarative, GitOps continuous delivery tool for Kubernetes. * [Argo CD](https://argo-cd.readthedocs.io/en/stable/): Declarative, GitOps continuous delivery tool for Kubernetes.
* [Cert-manager](https://cert-manager.io/): Cloud native certificate management. * [Cert-manager](https://cert-manager.io/): Cloud native certificate management.
* [Cilium](https://cilium.io/): eBPF-based Networking, Observability, Security.
* [OpenTofu](https://opentofu.org/): The open source infrastructure as code tool.
* [Sealed-secrets](https://github.com/bitnami-labs/sealed-secrets): Encrypt your Secret into a SealedSecret, which is * [Sealed-secrets](https://github.com/bitnami-labs/sealed-secrets): Encrypt your Secret into a SealedSecret, which is
safe to store - even inside a public repository. safe to store - even inside a public repository.
## 📂 Folder Structure ## 🗃️ Folder Structure
* `apps`: Different applications that I run in the cluster. ```shell
* `charts`: Tailor made Helm charts for this cluster. .
* `docs`: Supplementary documentation. ├── 📂 docs # Documentation
* `infra`: Configuration for core infrastructure components ├── 📂 k8s # Kubernetes manifests
* `machines`: OpenTofu/Terraform configuration. Each sub folder is a physical machine. │ ├── 📂 apps # Applications on
* `sets`: Holds Argo CD Applications that points to the `apps` and `infra` folders for automatic Git-syncing. │ ├── 📂 infra # Infrastructure components
│ └── 📂 sets # Bootstrapping ApplicationSets
└── 📂 tofu # Tofu configuration
├── 📂 home-assistant # Home Assistant VM
└── 📂 kubernetes # Kubernetes VM configuration
├── 📂 bootstrap # Kubernetes bootstrap config
└── 📂 talos # Talos configuration
```
## 🖥️ Hardware ## 🖥️ Hardware
| Name | Device | CPU | RAM | Storage | Purpose | | Name | Device | CPU | RAM | Storage | Purpose |
|--------|---------------------------|-----------------|----------------|------------|---------| |--------|---------------------------|-----------------|----------------|------------------|-------------------|
| Gauss | Dell Precision Tower 5810 | Xeon E5-1650 v3 | 64 GB DDR4 ECC | 14 TiB HDD | - | | Abel | CWWK 6 LAN Port | Intel i3-N305 | 32 GB DDR5 | - | Control-plane |
| Euclid | ASUS ExpertCenter PN42 | Intel N100 | 32 GB DDR4 | - | - | | Euclid | ASUS ExpertCenter PN42 | Intel N100 | 32 GB DDR4 | - | Control-plane |
| Cantor | ASUS PRIME N100I-D D4 | Intel N100 | 32 GB DDR4 | 5x8TB HDD RaidZ2 | NAS/Control-plane |
| Gauss | Dell Precision Tower 5810 | Xeon E5-1650 v3 | 64 GB DDR4 ECC | 14 TB HDD | Compute |
## 🏗️ Work in Progress ## 🏗️ Work in Progress
- [ ] Set up AdGuard Home
- [ ] Clean up DNS config - [ ] Clean up DNS config
- [ ] Renovate for automatic updates - [ ] Renovate for automatic updates
- [x] Build a NAS for storage
- [ ] Template Gauss
- [ ] Replace Pi Hole with AdGuard Home
- [x] Use iGPU on Euclid for video transcoding
- [x] Replace Traefik with Cilium Ingress Controller
- [ ] Cilium mTLS & SPIFFE/SPIRE
## 👷‍ Future Projects ## 👷‍ Future Projects
- [x] Use Talos instead of Debian for Kubernetes - [ ] External DNS
- [ ] Keycloak for auth - [ ] Keycloak for auth
- [ ] Implement NetBird
- [ ] OPNSense/pfSense
- [ ] Use BGP instead of ARP
- [ ] Dynamic Resource Allocation for GPU - [ ] Dynamic Resource Allocation for GPU
- [ ] Local LLM - [ ] Local LLM
- [ ] pfSense - [ ] Cilium mTLS & SPIFFE/SPIRE
- [ ] Use NetBird or Tailscale
- [ ] Use BGP instead of ARP ##
<img src="https://raw.githubusercontent.com/vehagn/homelab/remodel/docs/assets/proxmox-logo-stacked-inverted-color.svg#gh-dark-mode-only" width="80px" alt="Proxmox logo"/>
<img src="https://raw.githubusercontent.com/vehagn/homelab/remodel/docs/assets/proxmox-logo-stacked-color.svg#gh-light-mode-only" width="80px" alt="Proxmox logo"/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<img src="https://raw.githubusercontent.com/vehagn/homelab/remodel/docs/assets/tofu-on-dark.svg#gh-dark-mode-only" width="68px" alt="OpenTofu logo"/>
<img src="https://raw.githubusercontent.com/vehagn/homelab/remodel/docs/assets/tofu-on-light.svg#gh-light-mode-only" width="68px" alt="OpenTofu logo"/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<img src="https://raw.githubusercontent.com/vehagn/homelab/remodel/docs/assets/talos-logo.svg" width="64px" alt="Kubernetes logo"/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<img src="https://raw.githubusercontent.com/vehagn/homelab/remodel/docs/assets/kubernetes-logo.svg" width="68px" alt="Kubernetes logo"/>

34
apps/application-set.yaml
View File

@@ -1,34 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: applications
namespace: argocd
labels:
dev.stonegarden: application
spec:
generators:
- git:
repoURL: https://github.com/vehagn/homelab
revision: HEAD
directories:
- path: apps/*
template:
metadata:
name: '{{ path.basename }}'
labels:
dev.stonegarden: application
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: applications
source:
repoURL: https://github.com/vehagn/homelab
targetRevision: HEAD
path: '{{ path }}'
destination:
name: in-cluster
namespace: argocd
syncPolicy:
automated:
selfHeal: true
prune: true

32
apps/delta/app-deltahouse.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: deltahouse
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
labels:
dev.stonegarden: delta
spec:
project: delta
source:
repoURL: https://github.com/vehagn/deltahouse-deployment
path: '.'
targetRevision: HEAD
destination:
namespace: delta
name: in-cluster
syncPolicy:
automated:
selfHeal: true
prune: true
---
apiVersion: v1
kind: Namespace
metadata:
name: delta
---
apiVersion: v1
kind: Namespace
metadata:
name: delta-test

9
apps/delta/kustomization.yaml
View File

@@ -1,9 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
dev.stonegarden: app-management
app.kubernetes.io/managed-by: argocd
resources:
- project.yaml
- app-deltahouse.yaml

20
apps/delta/project.yaml
View File

@@ -1,20 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: delta
namespace: argocd
spec:
sourceNamespaces:
- '*'
sourceRepos:
- 'https://github.com/vehagn/*'
destinations:
- namespace: 'argocd'
server: '*'
- namespace: 'delta'
server: '*'
- namespace: 'delta-test'
server: '*'
clusterResourceWhitelist:
- group: '*'
kind: '*'

38
apps/media/application-set.yaml
View File

@@ -1,38 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: media
namespace: argocd
labels:
dev.stonegarden: media
spec:
generators:
- git:
repoURL: https://github.com/vehagn/homelab
revision: HEAD
directories:
- path: apps/media/*
template:
metadata:
name: '{{ path.basename }}'
labels:
dev.stonegarden: application
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: media
source:
plugin:
name: kustomize-build-with-helm
repoURL: https://github.com/vehagn/homelab
targetRevision: HEAD
path: '{{ path }}'
destination:
name: in-cluster
namespace: '{{ path.basename }}'
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

18
apps/media/arr/auth-secret.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: traefik-forward-auth-secrets
namespace: arr
spec:
encryptedData:
google-client-id: AgBTsGnax+ubxU061n6dIPuChyKUIbjal3N3gF0DdJRvU1THqIS7SUsjofxea6PXL7TbrH6QkToowEAawASI1//zsvawWo6QTf1SzRdo2CCPbpWgMCnL0jn+dn3cTcbI1vt8lOQMUq3CEV/b8GWOFVWCbXXQ6nuD1Vo+MIZo2TMlBblYu34dlCei/XYf/eIpTmVctw5G6gu494KO/a/FUx4ex+5a5oTLI0Y82U1f6wyJ61yPUeddJHztI5gWlrgGI46f8i4wff1DaAvwGwO/fInxZdx1zPL9Udx+8IKHfh94zbQnBpk806cgIhh0BpFeEMb7W7IgoWHndMeDqQQqeg9i8wxh8ED5qvjNtjBI6D4H3bGa4FM2l7DXOc13r68h7kpjj33ZRRmvnabmL7S2/Bifx+x0A5iSVUgWXp72j34u8Bm/1BbBUEbWUYcAOxm37tLVgKX1phsP1epolMO93MKuNv4AY34uPHiwsCz/vUCzp03b2N9Mb+mjnclCrVLDEMoBkF/AJtB574i3pKgDZGCfGnFfD1g6T3p3c2yz8yXhRhV0hlsKaeqoENiy2jW84jLYrK+hjJdU1qW6xFGfAdTt3HFlwqb3HFSPD7q+L9axmnd59v1/jlQKA7eynDp8Mgp+xdmyNaZJ6nxD+Qh9XWtH+2vRzJh6zzxbnN/Sfqyq/GVXU5Ouf+bDIgztodY+L32HxCxdHyTePjDatBFqR8hU3StNHnaShFdWR43CYlvW9ncpmpntuEd7gQIv4zQGggoxBxcy6NE67q9Ybl+SAygj0Op9ZPlCiYw=
google-client-secret: AgA8aFNep5CkFzh6new1bg7qI3R4HYpgBAre0iS1J+w63fspi4Rd2AOkoiXrEz8P2kuzMDneIAQb2YdrOGOFU8EzguS6dkd+/pex+2RU0gOw7/58rTDvqKjaK/m/WxdQoWA0BreOerSXZefL0PkJtF5g2q7hHcSG8bIyHnizba6u2719JYuUzO7VnT1SBJdkkEoGpb7NaxfpmMnRGBlrxcKrMBLCjhhweVjFgw9nhaUVmbGupikabq3mCKNDeYePRnv6YMTQ9pDhStoT/1CEEQJ+9rPQRHOa+sTsIPeb0MxdQ5X5argspCLvnT8fkN1KHtwQI+stgT2ePgm/eKotEAYngWRMu3AbkgqCtNlkRfhbMpvq50IpuixYkwfHkGTz06RmOLQUkLJdQGzDRnSoyzKChvwLm1HriNDbvfVey8YlbQdrXeAL5muUXAodced1FQWHZFJLR3kvRY3owsBpO4BXkRJ5ZjLJMILakcE3EBV+O/PQqJmuMNvVCo5UNelqFHlloecf9r87bUVO/MffZhJ53S92FLGSIKHtQLVf0+7skbA4U6SyQV+GeH5wM1ozQ8K9P1Aw37aPgQjowmsa4DVdS9YWuSLaJectYrYOCdoCoMkCUbYHoJ3J3dne+EcxUEFSAMSChBrHHuaIjKFdnHMmCvBMIl5hhX6Y2Xy5dBG+omXW3ii6RoIWCEsSQZk9Q3KVULoBOZOoeT+/Czm+KoN9uvohOkNytegz0Lc+9+y4XbRqrw==
secret: AgBJZpCeCkfsD3B+3tUmcr8SOuDE2WdaOM7CJxCauXne5+0Hif31d0/0BJ53r28KE+RSTEZ6PuzAKFsmPKPzGQhBV9zEFUxbnPFh9NoevzYed1l2aT1ciWvUWt5AhukLVA5c7VqoqQ6LyPhGVeEHurG1txrdQiYviX06tGjO8RxNM5/mZHubZ5ovdnaGNN3FW6QkJFbg6eNKDPthKT9QDrkBSVtGjRWUBpS92ET15/D3XTTb4Di+3rlCHJr2wSw6w07Kbe5haGbnBdjxBbhGcwKL2FLNeLBqj8N455t+5UmDrO6HDyJupoyaFXYKpdFkD9dp+lhOgz2FDz9leL21JQVizSsp6hIOXJgKgoiJNeH+vTurW5sos2Xz+kVf6e0fSp9yAW0MNls4ARmavNkqx7kGytWH16jclm39ftyyZDfMcQN77Lkz++C3eLxP+3PLA1/iulqmRABU5SDQH90VWiNfxlkhn97sKqdVvGDcZfuccBghJvuEnixy1ewVYksPARF5Fot5SrUKSJaXvnIRIRQW7/nDqXM37STxsqyyECZkVtBQXQ+kMGepy1VNqwYU66pCtKl/GSF+zkwVDWmXjACZTcbAEW3/j5VkjnNmIEeHstd0wTLwrI2iHA74Wk5jm5AY/oAlFv5p7Pq1YLQdgwU1iLvJsC2gEoO3ZPizfy/f2AarNvxnSwAalg+hMwclYndN8EdPrmSpqAGV2qc=
template:
metadata:
annotations:
sealedsecrets.bitnami.com/managed: "true"
name: traefik-forward-auth-secrets
namespace: arr
type: Opaque

33
apps/media/arr/common-values.yaml
View File

@@ -1,33 +0,0 @@
namespace: arr
env:
- name: PUID
valueFrom:
configMapKeyRef:
name: common-env
key: PUID
- name: PGID
valueFrom:
configMapKeyRef:
name: common-env
key: PGID
- name: UMASK
valueFrom:
configMapKeyRef:
name: common-env
key: UMASK
- name: TZ
valueFrom:
configMapKeyRef:
name: common-env
key: TZ
additionalVolumes:
- name: data
mountPath: /app/data
value:
hostPath:
path: /disk/data
additionalLabels:
app.kubernetes.io/part-of: arr
auth:
enabled: true
create: false

108
apps/media/arr/kustomization.yaml
View File

@@ -1,108 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: arr
commonLabels:
app.kubernetes.io/part-of: arr
app.kubernetes.io/managed-by: argocd
#resources:
# - auth-secret.yaml
#
#configMapGenerator:
# - name: common-env
# literals:
# - PUID="1000"
# - PGID="1000"
# - UMASK="002"
# - TZ="Europe/Oslo"
#
#helmGlobals:
# chartHome: ../../../charts
#
#helmCharts:
# - name: application
# releaseName: auth
# valuesFile: common-values.yaml
# valuesInline:
# name: auth
# namespace: arr
# authOnly: true
# auth:
# cookieDomain: stonegarden.dev
# whitelist:
# - veghag@gmail.com
# - name: application
# releaseName: lidarr
# valuesFile: common-values.yaml
# valuesInline:
# name: lidarr
# image:
# name: lscr.io/linuxserver/lidarr
# hostVolumes:
# - name: lidarr-config
# hostPath: /disk/etc/lidarr
# mountPath: /config
# service:
# containerPort: 8686
# - name: application
# releaseName: prowlarr
# valuesFile: common-values.yaml
# valuesInline:
# name: prowlarr
# image:
# name: lscr.io/linuxserver/prowlarr
# hostVolumes:
# - name: prowlarr-config
# hostPath: /disk/etc/prowlarr
# mountPath: /config
# additionalVolumes: []
# service:
# containerPort: 9696
# - name: application
# releaseName: radarr
# valuesFile: common-values.yaml
# valuesInline:
# name: radarr
# image:
# name: lscr.io/linuxserver/radarr
# hostVolumes:
# - name: radarr-config
# hostPath: /disk/etc/radarr
# mountPath: /config
# service:
# containerPort: 7878
# - name: application
# releaseName: sonarr
# valuesFile: common-values.yaml
# valuesInline:
# name: sonarr
# image:
# name: lscr.io/linuxserver/sonarr
# hostVolumes:
# - name: sonarr-config
# hostPath: /disk/etc/sonarr
# mountPath: /config
# service:
# containerPort: 8989
# - name: application
# releaseName: torrent
# valuesFile: common-values.yaml
# valuesInline:
# name: torrent
# image:
# name: ghcr.io/hotio/qbittorrent
# tag: release-4.6.2
# hostVolumes:
# - name: torrent-config
# hostPath: /disk/etc/qbittorrent
# mountPath: /config
# service:
# type: LoadBalancer
# containerPort: 8080
# additionalPorts:
# - name: tcp
# protocol: TCP
# containerPort: 11011
# - name: udp
# protocol: UDP
# containerPort: 11011

47
apps/media/jellyfin/deployment.yaml
View File

@@ -1,47 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: jellyfin
name: jellyfin
namespace: jellyfin
spec:
replicas: 1
selector:
matchLabels:
app: jellyfin
template:
metadata:
labels:
app: jellyfin
spec:
containers:
- name: jellyfin
image: lscr.io/linuxserver/jellyfin:latest
imagePullPolicy: Always
envFrom:
- configMapRef:
name: jellyfin-env
ports:
- name: http
containerPort: 8096
resources:
requests:
cpu: 2000m
memory: 6Gi
limits:
cpu: 10000m
memory: 12Gi
# nvidia.com/gpu: "1"
volumeMounts:
- name: config
mountPath: /config
- name: media
mountPath: /media
volumes:
- name: config
persistentVolumeClaim:
claimName: jellyfin-config-pvc
- name: media
persistentVolumeClaim:
claimName: jellyfin-media-pvc

45
apps/media/jellyfin/euclid-jellyfin.yaml
View File

@@ -1,45 +0,0 @@
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: euclid-jellyfin
namespace: jellyfin
labels:
kubernetes.io/service-name: euclid-jellyfin
endpointslice.kubernetes.io/managed-by: cluster-admins
addressType: IPv4
ports:
- name: http
protocol: TCP
port: 8096
endpoints:
- addresses:
- 192.168.1.228
conditions: # https://github.com/argoproj/argo-cd/issues/15554
ready: true
---
apiVersion: v1
kind: Service
metadata:
name: euclid-jellyfin
namespace: jellyfin
spec:
ports:
- name: http
protocol: TCP
port: 80
targetPort: 8096
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: euclid-jellyfin
namespace: jellyfin
spec:
entryPoints:
- websecure
routes:
- match: Host(`jf-euclid.stonegarden.dev`)
kind: Rule
services:
- name: euclid-jellyfin
port: 80

18
apps/media/jellyfin/http-route.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: jellyfin
spec:
parentRefs:
- name: stonegarden
namespace: gateway
hostnames:
- "jellyfin.stonegarden.dev"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: jellyfin
port: 8096

14
apps/media/jellyfin/ingress-route.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: jellyfin
namespace: jellyfin
spec:
entryPoints:
- websecure
routes:
- match: Host(`jellyfin.stonegarden.dev`)
kind: Rule
services:
- name: jellyfin
port: 8096

24
apps/media/jellyfin/kustomization.yaml
View File

@@ -1,24 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: jellyfin
commonLabels:
app: jellyfin
configMapGenerator:
- name: jellyfin-env
literals:
- PUID="1000"
- PGID="1000"
- UMASK="002"
- TZ="Europe/Oslo"
resources:
- pv-jellyfin-config.yaml
- pvc-jellyfin-config.yaml
- pv-jellyfin-media.yaml
- pvc-jellyfin-media.yaml
- service.yaml
- deployment.yaml
- http-route.yaml
- euclid-jellyfin.yaml
# - ingress-route.yaml

22
apps/media/jellyfin/pv-jellyfin-config.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-config-pv
spec:
capacity:
storage: 64Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: jellyfin-config-sc
local:
path: /disk/etc/jellyfin
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- gauss

22
apps/media/jellyfin/pv-jellyfin-media.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-media-pv
spec:
capacity:
storage: 12Ti
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: jellyfin-media-sc
local:
path: /disk/data/media
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- gauss

12
apps/media/jellyfin/pvc-jellyfin-config.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-config-pvc
namespace: jellyfin
spec:
storageClassName: jellyfin-config-sc
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 64Gi

12
apps/media/jellyfin/pvc-jellyfin-media.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-media-pvc
namespace: jellyfin
spec:
storageClassName: jellyfin-media-sc
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 12Ti

11
apps/media/jellyfin/service.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: jellyfin
namespace: jellyfin
spec:
selector:
app: jellyfin
ports:
- name: web
port: 8096

41
apps/media/plex/deployment.yaml
View File

@@ -1,41 +0,0 @@
kind: Deployment
apiVersion: apps/v1
metadata:
name: plex
spec:
replicas: 1
selector:
matchLabels:
app: plex
template:
spec:
containers:
- name: plex
image: lscr.io/linuxserver/plex
imagePullPolicy: Always
resources:
requests:
cpu: 2000m
memory: 6Gi
limits:
cpu: 10000m
memory: 12Gi
# nvidia.com/gpu: "1"
envFrom:
- configMapRef:
name: plex-env
ports:
- name: http
containerPort: 32400
volumeMounts:
- name: config
mountPath: /config
- name: media
mountPath: /app/data
volumes:
- name: config
persistentVolumeClaim:
claimName: plex-config-pvc
- name: media
persistentVolumeClaim:
claimName: plex-media-pvc

18
apps/media/plex/http-route.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: plex-http-route
spec:
parentRefs:
- name: stonegarden
namespace: gateway
hostnames:
- "plex.stonegarden.dev"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: plex
port: 80

13
apps/media/plex/ingress.yaml
View File

@@ -1,13 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute-plex
spec:
entryPoints:
- websecure
routes:
- match: Host(`plex.stonegarden.dev`)
kind: Rule
services:
- name: plex
port: 80

23
apps/media/plex/kustomization.yaml
View File

@@ -1,23 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: plex
commonLabels:
app: plex
configMapGenerator:
- name: plex-env
literals:
- PUID="1000"
- PGID="1000"
- UMASK="002"
- TZ="Europe/Oslo"
resources:
- pv-plex-config.yaml
- pvc-plex-config.yaml
- pv-plex-media.yaml
- pvc-plex-media.yaml
- service.yaml
- deployment.yaml
- ingress.yaml
# - http-route.yaml

22
apps/media/plex/pv-plex-config.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: plex-config-pv
spec:
capacity:
storage: 64Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: plex-config-sc
local:
path: /disk/etc/plex
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- gauss

22
apps/media/plex/pv-plex-media.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: plex-media-pv
spec:
capacity:
storage: 12Ti
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: plex-media-sc
local:
path: /disk/data
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- gauss

12
apps/media/plex/pvc-plex-config.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: plex-config-pvc
namespace: plex
spec:
storageClassName: plex-config-sc
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 64Gi

12
apps/media/plex/pvc-plex-media.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: plex-media-pvc
namespace: plex
spec:
storageClassName: plex-media-sc
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 12Ti

17
apps/media/plex/service.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: plex
annotations:
io.cilium/lb-ipam-ips: 192.168.1.132
spec:
selector:
app: plex
type: LoadBalancer
ports:
- name: http
port: 80
targetPort: 32400
- name: direct
port: 32400
targetPort: 32400

22
apps/media/project.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: media
namespace: argocd
spec:
sourceNamespaces:
- '*'
sourceRepos:
- 'https://github.com/vehagn/*'
destinations:
- namespace: 'argocd'
server: '*'
- namespace: 'arr'
server: '*'
- namespace: 'jellyfin'
server: '*'
- namespace: 'plex'
server: '*'
clusterResourceWhitelist:
- group: '*'
kind: '*'

16
apps/project.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: applications
namespace: argocd
spec:
sourceNamespaces:
- '*'
sourceRepos:
- 'https://github.com/vehagn/*'
destinations:
- namespace: 'argocd'
server: '*'
clusterResourceWhitelist:
- group: '*'
kind: '*'

38
apps/public/application-set.yaml
View File

@@ -1,38 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: public
namespace: argocd
labels:
dev.stonegarden: application
spec:
generators:
- git:
repoURL: https://github.com/vehagn/homelab
revision: HEAD
directories:
- path: apps/public/*
template:
metadata:
name: '{{ path.basename }}'
labels:
dev.stonegarden: public
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: public
source:
plugin:
name: kustomize-build-with-helm
repoURL: https://github.com/vehagn/homelab
targetRevision: HEAD
path: '{{ path }}'
destination:
name: in-cluster
namespace: '{{ path.basename }}'
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

19
apps/public/blog/http-route.yaml
View File

@@ -1,19 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: blog
namespace: blog
spec:
parentRefs:
- name: stonegarden
namespace: gateway
hostnames:
- "blog.stonegarden.dev"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: blog
port: 80

17
apps/public/blog/kustomization.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: blog
commonLabels:
app.kubernetes.io/managed-by: argocd
resources:
- remark42
- http-route.yaml
helmGlobals:
chartHome: ../../../charts
helmCharts:
- name: application
releaseName: blog
valuesFile: values.yaml

3
apps/public/blog/remark42/config/env-remark42
View File

@@ -1,3 +0,0 @@
TIME_ZONE=Europe/Oslo
REMARK_URL=https://remark42.stonegarden.dev
SITE=stonegarden.dev

53
apps/public/blog/remark42/deployment.yaml
View File

@@ -1,53 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: remark42
namespace: blog
labels:
app: remark42
spec:
replicas: 1
selector:
matchLabels:
app: remark42
strategy:
type: Recreate
template:
metadata:
namespace: remark42
labels:
app: remark42
spec:
containers:
- name: remark42
image: umputun/remark42:v1.12.1
ports:
- name: http
containerPort: 8080
envFrom:
- secretRef:
name: remark42-secret
- secretRef:
name: remark42-github
- secretRef:
name: remark42-google
- configMapRef:
name: remark42-env
volumeMounts:
- name: remark42
mountPath: /srv/var
securityContext:
readOnlyRootFilesystem: false
resources:
requests:
cpu: 100m
memory: 25Mi
limits:
cpu: 500m
memory: 256Mi
securityContext: {}
volumes:
- name: remark42
persistentVolumeClaim:
claimName: remark42

14
apps/public/blog/remark42/ingress-route.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: remark42
namespace: blog
spec:
entryPoints:
- websecure
routes:
- match: Host(`remark42.stonegarden.dev`)
kind: Rule
services:
- name: remark42
port: 80

21
apps/public/blog/remark42/kustomization.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app.kubernetes.io/managed-by: argocd
configMapGenerator:
- name: remark42-env
envs:
- config/env-remark42
resources:
- deployment.yaml
- http-route.yaml
- pv.yaml
- pvc.yaml
- secret-github.yaml
- secret-google.yaml
- secret-remark42.yaml
- service.yaml
- ingress-route.yaml

24
apps/public/blog/remark42/pv.yaml
View File

@@ -1,24 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: remark42
labels:
app: remark42
spec:
capacity:
storage: 512Mi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: remark42-storage
local:
path: /disk/etc/blog/remark42
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- gauss

14
apps/public/blog/remark42/pvc.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: remark42
namespace: blog
labels:
app: remark42
spec:
storageClassName: remark42-storage
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 512Mi

15
apps/public/blog/remark42/secret-github.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: remark42-github
namespace: blog
spec:
template:
metadata:
name: remark42-github
namespace: blog
type: Opaque
encryptedData:
AUTH_GITHUB_CID: AgBGyofz/RnFBApbUgPWwjFVqMp8MDrawEcxn2JUkNx625Tc4TPyVDE178SXs8fAHJ86R8RRuugRZnhDmN9h3Hr58mZe6oLuNQNJ0akh0fh16cAVzDLtsIL9bvD17kiAk6JUC7nkiQWWjAse/7VdpX8lD8yGfDT8Oub8rV5VBKs2mapAbNbom5X3m6bGnL+sT1ABC+W5d7IjdnNTAp6UlVxOjzXgIcgOI7SVcgJaf+8fe6YgM7NUeb90bi7HHYCSrXODOjFM+kXTdAxLYn0PlqqDgQQy3m1V3H8X0baw4RIfwBNkTbmu8jxizKofbKymqRqeQ3ag5X+RlBxRs4uBoUFgV8qDtBeHQI2sGNRSqR1F5cj2YltrcNsNdjlInaSlYm3MVjSYK/sMElO6dRny7cJzZIxzb+dmrCgL+B4sXC54Cs409YLFmSM1kMzQfs/Xi6TFZBUvjVQYDcOQt5vsjvJARtEN5EY8Z084PQXfLtHIj/Mj4vTZIC4JpqtPlpwY4+bKFXIIgqEqsR+8n0GT497GM4I6m522ghIDt+u6aZrlRqfATep+Nt257oopF9dN9gHLf1pvJtpTk9U5hvOIjPrPr97U/P8XDAs87dM7UYCwmsV9Dhxec09CdnTa6G7c2Z38D5OrEO+qRn+dLRqLgiQRvqWUsWvl2FndlUAL7TYhDgh8N1uvHzffkSzpU3RHY2Xcb//VMlY1WVhq7Yw0W/qNiZVoyA==
AUTH_GITHUB_CSEC: AgCnADuhmn+omIFEQKbUWjrFqNBvjKqN/VaApcPriq6Q2jP0ZlYTSKc1kZhkdq2ru0WjwU3D9R4vgeLaA4JaxVICBefOLtAFsTVkr/U1rBuWBtlrzOL+KKk4JAuw0tRWwff/Y5fXhZ19LBGgrRLAJkaoijQ036ihLy6etTyxAoPm7ibZoEHr78TA/UicVZGtDBMhUg61UTRIYYdwbN9Mjqsg76gZFLQP9R/k2OgEIjwroStE+ERtt5tUloy3VkGcAglQ6+oGO2hrNEuuF+w8+oGRAAYyx9TkfXBn9sOso0gAikXFzr7q5nKK7698TvGk2+ytZUgysUNlRQl8Zyx23naWrbyfamgYnzAji3njUuGGYIA48bh7SeGMU8vxofb2ZLMbccwJ9Lp7p/t1L1Bf2YzNMEp7lVp66F/uU0j5Qh95WKgSp/0NF0b2iIXF5trZplSanMg1BJ4gU06zRsschDdhhrtt/e0V7MuKv8H5NnS2j6dcuQTr/ojJaVkHdNa/h8ev5SqZFoZBSB0eLgipsy9MJ48j0iLoCz0n54MQHR7wdaxPcaDkZJW3ZQYPojsunZI+3AgfZ5NZ+VEauxl1X7kjB1bHYntnb0s8+MWoqxVY/yd8X2BSazW6zIvLEn+rt5pvQDFnFnUG8YKg8Pf6lPMrhMkLNEe1Xatubm7UySo4eNA3FlIjjAsJqYKYdpLmUD8TFaodMbgp1hi5oiRk8Aqh61TZqp5FD/WVLacKOgvImMzxAbElCK2t

14
apps/public/blog/remark42/secret-google.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: remark42-google
namespace: blog
spec:
template:
metadata:
name: remark42-google
namespace: blog
type: Opaque
encryptedData:
AUTH_GOOGLE_CID: AgBfum5+D9fP0g3dcoytnKRQf9eXMT9uUV997opD7QfxH68juE52Z5D1Q9oFWAm9/avQ8I6tql14gJwILeRJNW476gv4G4f0irBvL9RRq5Wwr/Val0SKZSJ+Bkx/QeRPNywVuIAFUL3syL+rsEAo1qVHi7Bb9Fp0hmnY52OIr68geg/m2Vx1nZ5IF03LSKc5Xlu0LDzBCa7ePFm1pkPIBTwX9bJQuu6ccJuV3ZdMjlhVbV6zcfYAWJOQkLB6TFTaEScCr7PQbqx3YqqcbXI6FNnKfjvd2FCMufONJFN6Oy2+vvordvXO5Pqu7Gped5otTmvJKc2Q7ZitNgw9t+qkVV7JpTT8PtJyg3uss9PgdoksSIEYs0xyb2YChm23tID1E+qvmSitMCJx6TAR/6Bgj7Jhc7ZBJEp9mpLr7o5PGuCqrBToTGNgO8gcz0bmZlv4CNymEXSCgd+nFma/INaKwUkD+LQo5gbXrz6zzn8vUfjlzSIzCuEN7YKBbBFjguVKZmTa/+TuTwc5qWOOFvKoFQOPTn7XedJykkmfzDdQf+f/pytN4KAhOS8mtvA9Ufh52QPluF2gAPFXVe6jmaJ/uywQ5b9RHcHcXl74gn09Bi2Z4sArUB4cW84a0Pvn5q6bgCKyHDNMNp2SNWmzQ66oNWbz+L5UemMfNfagFn6JdBXBE7FDox5kfGzM4xPmbuaDsmALaVpBbwy46qa3vVNTSNOkJ7MpavJvTKgLPWk6AWkUvDOTVgJItQqXK5gdPcJnivVHVr8CF4b5BNqs72KWelpPnwLBgcztMhY=
AUTH_GOOGLE_CSEC: AgADfQNXSwFNW06QIIeMIcmn0lbTVM4hekWKae9AxeJtcNI4lCcvyibCYLh+Wzv5jCOJexSFI32w9y5rgzKdEBpGiz2u4XZP+Kq7bWsVA5rYYZYX4lhJYPoUVSvOMWWWmD/8ww09ZuOhbyPtUJoTIWkKbsxEvVBfgqw3qEyDYR6mb3ITLs5AaOFTtrRP0A7tDDv6C794fljmtL0B8nwcztPJY74wMWg763Q+AB1t27N1wiWZWOwWhfTvLbm0jrJg3JqMI6Dp+0sINVtmdmTFoQI7gRe2Zar4/2Z+yQJTn8X/Yuq+3aKVOs5FoGbQRNsDnakftLmRUVGjIFXsVnjbZ0CTy2L2+YhfwVp7SVQk/PlOLIfaC7newMCpKLc5dpRbnY4WAVFWmYLdgzn3XsUgDFR8IQNhDTEcZsGzOaqR1X/L4vRuR7SLF0N2TBwHt8kTBvFATlLP2LYgcZ5MjBX3ol/sywQRp4pdkKSyGxt/YYOfqIOuIxNakLcDwLSM0e+PgYKrwQJw19nwBANfxyXcy5+FvkYilT0tnUMXPNgr5UasBqTyU2SdLvewJQud7vA5raaPfpGQi8E+voRJwQwuu+B06u0yg9nnkbGNFQwTB+4ZWgNWTL+xejWK/zkJ2pBLXlHO8iJxx9hYZcY7s/wsZeazbqeN3Xct86uISYEfHYzjs3Ye0nSEsEMyll7llbFkINUpDO+5hKsELpzo3AKZNs/rkK7t8Y8qlBI8GgPsynlpKGjfjA==

15
apps/public/blog/remark42/secret-remark42.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: remark42-secret
namespace: blog
spec:
template:
metadata:
name: remark42-secret
namespace: blog
type: Opaque
encryptedData:
ADMIN_SHARED_ID: AgAyuD99CFgz3xy04N1g6GU5W3eJA051OaIQarjHwL553l9xrf2o3JG7hBbP6BAvZ9qqKwtfCUawvvSA2Ey/YGLn8KODsjYvvDS/r0tmulObxK9nYKI5KWdOHIGr8LCm3PROJWdvECBnkr+uzYJWpdVo4oqGvkz8gPsX8fJJ3i/GpQEgqMR8wzEH1kGyM/JjDqS9du6ysU/sVVVJxp69Dx2sA5gHMziDarEp3v5bFFgLCRQ++1FAxVEnn7CCPnAYwHz2yiTZ0CnOb2dB0KM4wzq6WgCijG/Le0BudH5pwe7jNctuIIjgX03Yq6xlitxYCIn5khMCBXQQiD1z3ZwPWdVbdrKbZ6ZgKVITYZup3O/g7vP7jB9VaLGUL/L4KCV65Z4aMDL58w65YMETU31MJSw1CJQwwZ9Naaad/hbedjQzkO7wRNHf/gCa1x2D8z1VjeCzVstmCmC2+EqZl7j6jYRQ5c/gE778ZMBJJQ/RxyEBVv26wzdnkQJeULQw0Tr7bzGF8rPrqUoe3vWXFlLggp9zXqIzv53DrJgpQqWFwni4UGpoBn/zcyic4ryvFCNATQSsi0LXN//3ce3EU6RF1ozp7l3mBmJUBCCcNIGpyEI/HqIUv9fZpGauXW3hYggzaP3p7XQyyWxe/aNbC8sTFG8JfdbzsSbmgqJT/d3No8r7jmRKxXVL45xlQU0PXDiwOZhVObO2fXxbnzZsJxPrjq3vPsFJH8uDwj7J/KedwrOHTvRBMUqcIxXjhsn/0rHmUj9xR4aEkqDpk80TV/2Bj2IwcfPsg0Ih1mhfdF2gFF3VF5/YbNk5mxboe4BUUXYilw==
SECRET: AgBzdv+yZb3CKbRCfG/Ju3E/VoAGMxQ+IPCjEDjENhxp2OOPm2H6Ua02M9KWFALbtT+py5gIat6oxVb3EcbdbEDWxx2XNolpA25Ab4mZzvmM92FXd1tSNAw1pj00Kq0ftF5Rwd91Cynlqi4nAc5kA4WlhgtSNEcoZpCpye5lc4JW7+SMg3NzrQFgzjGdwTQlw2zdQgKNROTloLb/xaJi/m0PahLtpDgejwMAi0zoBU4ydE8zbOXcC0lvb3N2cFYjk7pCIiVES5SJnWKaYSxUcaZhT5L4ulv8HyjHhhmI5Zgb0sweGjuANwuI1kDPlUhu60mZL6j7upr+TPiayDH4tZ7eXjnqJ3AF4HeBJJruN9NGB6Tmg18qgYp26rwYwfgnVUXFMZuJWrQHDoNJIRno1Jkq1n/843BigMIFU92afQEvLxvCREqjQ2k388MYimQQj/x+M1BUQXOk6fhTSf+QYDm5eRiSCiUw93X4QVHEutNcRSfmTFq5XqEvmd8+VWhmuU4Ua7bPUiM+19ELrBWeW8pWo4DhG2O+zWmx1vKmNRCwA8/F3JHya8KdL9QlrgpSkwK5v6tNT+wz6ZjRX+8dZuE73b7YOqA8SAw2UfLGyCc0IXT/3KhFlriqFrtbTknC0EH0yPOd+YBj17y8MydkSRCUIDJJDmItRa0md4wRErlsV1oL+lFdhgoFsjTU7QpZBC7lT/iPlgJjUdABmTQ1ezEY01ldgKiA7yi33ebnVgnpbxsLfGs5GAdj

13
apps/public/blog/remark42/service.yaml
View File

@@ -1,13 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: remark42
namespace: blog
spec:
selector:
app: remark42
ports:
- name: http
protocol: TCP
port: 80
targetPort: http

14
apps/public/blog/values.yaml
View File

@@ -1,14 +0,0 @@
name: blog
image:
name: registry.gitlab.com/vehagn/blog
env:
- name: SERVER_LOG_LEVEL
value: warn
- name: TZ
value: Europe/Oslo
service:
containerPort: 80
ingressRoute:
create: false
auth:
enabled: false

20
apps/public/project.yaml
View File

@@ -1,20 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: public
namespace: argocd
spec:
sourceNamespaces:
- '*'
sourceRepos:
- 'https://github.com/vehagn/*'
destinations:
- namespace: 'argocd'
server: '*'
- namespace: 'blog'
server: '*'
- namespace: 'stonegarden'
server: '*'
clusterResourceWhitelist:
- group: '*'
kind: '*'

19
apps/public/stonegarden/deployment.yaml
View File

@@ -1,19 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: stonegarden
namespace: stonegarden
spec:
replicas: 1
selector:
matchLabels:
app: stonegarden
template:
spec:
containers:
- name: stonegarden
image: registry.gitlab.com/vehagn/stonegarden:latest
imagePullPolicy: Always
ports:
- name: web
containerPort: 3000

14
apps/public/stonegarden/ingress-route.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: stonegarden
namespace: stonegarden
spec:
entryPoints:
- websecure
routes:
- match: Host(`stonegarden.dev`)
kind: Rule
services:
- name: stonegarden
port: 3000

12
apps/public/stonegarden/kustomization.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app: stonegarden
resources:
- ns.yaml
- service.yaml
- deployment.yaml
- http-route.yaml
# - ingress-route.yaml

12
apps/public/stonegarden/service.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: stonegarden
namespace: stonegarden
spec:
type: ClusterIP
ports:
- name: web
port: 3000
selector:
app: stonegarden

38
apps/test/application-set.yaml
View File

@@ -1,38 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: test
namespace: argocd
labels:
dev.stonegarden: test
spec:
generators:
- git:
repoURL: https://github.com/vehagn/homelab
revision: HEAD
directories:
- path: apps/test/*
template:
metadata:
name: '{{ path.basename }}'
labels:
dev.stonegarden: test
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: test
source:
plugin:
name: kustomize-build-with-helm
repoURL: https://github.com/vehagn/homelab
targetRevision: HEAD
path: '{{ path }}'
destination:
name: in-cluster
namespace: '{{ path.basename }}'
syncPolicy:
automated:
selfHeal: false
prune: true
syncOptions:
- CreateNamespace=true

7
apps/test/cuda-test/kustomization.yaml
View File

@@ -1,7 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app.kubernetes.io/managed-by: argocd
resources:
- pod.yaml

13
apps/test/cuda-test/pod.yaml
View File

@@ -1,13 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: cuda-vectoradd
namespace: cuda-test
spec:
restartPolicy: Never #OnFailure
containers:
- name: cuda-vectoradd
image: "nvcr.io/nvidia/k8s/cuda-sample:vectoradd-cuda11.7.1-ubuntu20.04"
# resources:
# limits:
# nvidia.com/gpu: "1"

10
apps/test/kustomization.yaml
View File

@@ -1,10 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
dev.stonegarden: app-management
app.kubernetes.io/managed-by: argocd
resources:
- project.yaml
- application-set.yaml

22
apps/test/project.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: test
namespace: argocd
spec:
sourceNamespaces:
- '*'
sourceRepos:
- 'https://github.com/vehagn/*'
destinations:
- namespace: 'argocd'
server: '*'
- namespace: 'cuda-test'
server: '*'
- namespace: 'whoami'
server: '*'
- namespace: 'test-apps'
server: '*'
clusterResourceWhitelist:
- group: '*'
kind: '*'

27
apps/test/test-apps/app1.yaml
View File

@@ -1,27 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: app1
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: test
source:
repoURL: https://github.com/vehagn/homelab
path: charts/application
helm:
values: |-
name: app1
replicas: 3
valueFiles:
- ../../apps/test/test-apps/common-values.yaml
destination:
namespace: test-apps
name: in-cluster
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

29
apps/test/test-apps/app2.yaml
View File

@@ -1,29 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: app2
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: test
sources:
- repoURL: https://github.com/vehagn/homelab
path: charts/application
helm:
parameters:
- name: name
value: app2
valueFiles:
- $values/apps/test/test-apps/common-values.yaml
- repoURL: https://github.com/vehagn/homelab
ref: values
destination:
namespace: test-apps
name: in-cluster
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

29
apps/test/test-apps/app3.yaml
View File

@@ -1,29 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: app3
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: test
sources:
- repoURL: https://github.com/vehagn/homelab
path: charts/application
helm:
parameters:
- name: name
value: app3
valueFiles:
- $values/apps/test/test-apps/common-values.yaml
- repoURL: https://github.com/vehagn/homelab
ref: values
destination:
namespace: test-apps
name: in-cluster
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

15
apps/test/test-apps/auth-secret.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: traefik-forward-auth-secrets
namespace: test-apps
spec:
template:
metadata:
name: traefik-forward-auth-secrets
namespace: test-apps
type: Opaque
encryptedData:
google-client-id: AgCLNh+hqwvz7fXIJkhRRU1xAWcctnYH4NNTSEiFe4P1waIp8/rp06XUw3dBzazX37bkBuObJHf3RfgIg4J0NQjjuh0kZ35LOxdu3iJteXsHmZKFZBsFpr8nQp2nve4qFpA9I+0/ZlgYRroIBktoL3v76TjdbdyI9pu37wBHRX2vBNoDxT1uMrygGN0ZmIfK9d63Cba6CM0mnWyPWye1+0n4P9tqNTFE3sE8gaAZYouff0qOCJDCBNLOC1Ji7gRRAsITqRs5xbp3zmcLj8xjqp1Llc0Mq+yBchromDF5SCTpnncO2O4K5rVTuFSZM6Bpp9Se1n21dd0L5wT/ghj4uqX4brb6XvxcT5+ssanC4bBww9wK/eTSfYrRfbjBWzildMmaghIrMnAHIcQc3FXTgE+cT841Z2fC9ZsijkV8yvVoj5PRZixu0Z5JwREyegJAJGFyMEFUyjyR6U1gKVlhDoFPGQmJ14HxiIZ00XqHkEHj7OojZjga4ZlzAZ2ds+tqPy2Va3Kd7y8nGO0R7O4leK+m1vik7iWddVQNSENRswTdESds/SdsJ0+z9dtseiaQTxWcVF2JcBFDOYbFZm9W1soSTlw6wpJF+mjMaV1k62SxV/0rF+WVaDxhKXcTnVJg1TlFiuOiHdEc/gHrdzo9yDOjTtda+to5YofqS6LWOxZXTZVIAcWXcF/mRNzSZxlJwnASjQ7HJFLpU4S/592dgI2W+PKG1MuaLANrxRmJVgGQF6X35K6t9PzMlmWlwB7kur5/PkKhCLSWIQcpS+9JqYGS21Cmd92yacw=
google-client-secret: AgB7LWzyNdo9dQ+k1d3clj5JNZ1HCU9czRAbnNiGrHgRXwqnDqVgkVoZE3nb+0n7ZQpVr2LRkYJ82kLQ5qNV5Da2bk+0u8nPOYQPjujqZSwumcmXAPZIs7WvVAEoOlufppIgFfuIumrvX1H12Xg9et3r1ayypodqDIVVUu6KgyNtuwzEKm2Yrl6UFoxYbv3as1KijOtAY9THyGRn3pXN53Vos94wzqa5v2gPZIh9ZVYX4bNIJK4j7BLnbETihqpSz2MYmgASf9QfeHMuaxJHq3+nmhS/Oa2huR7Y1CmPVCoPh6WEdiTcE8HPxl5Fp32HGVRaRs4Co/Z/o3QVEXIbmbOoMPnNDbMGtwRUUw0woyMGKpXCr5cLrkKbU1ZVXYGiz2JJwXXedAFmL/lUUUAGkI4sj2sbuHdbXtO+hNtE8K0h+H0HeXApN0m+ts7aKQfIVs9CdK2Ez5wq6k8M3z7APRTYhCXHyjxiHU3LveHahaifFoIetLSUf7WpoTw4qhtdlgnQXEKOot+xV4WdiHWq1PjmS91Wo9al1RPMK+r8eHjSz076S+sRbP3/fzJTFppF/4s5e+6AybobDo08KLRZfO7+q5eaym1I/AmoNl/7EkS7S4LDljHemx1s3bsvW2ropZiGMVfdAGhIz5bSHxHjMZmXYwZmZqWhYWykrFvnm5VJYuOV3410IPAToDx4hgflDqsMRkL+Qm96ZA2lt4Hy74Bj1LKQ6CF+rahTEMmzED3R4mKcaw==
secret: AgCWqoG6xWgWxGmHJPgCAkJoXL27EHyU22giP9lrqXLy/FSdQMJpxY2g/o9Eb/c8rhAHU3tT6vQ3PSP9EzHqLdp6v085XricKQmqZfa9yLYgV65jJJLelIZKbkCE6YAWKlGmsIPd7jskexSdufKboAMjih8y0cF7w0ubnxZVvLAVQT1zU4c/7yQObDFFJ0Le++lPc8eTZphopPjellsx9i19tDQa/5PvexiAbOw740Mq6GKQxZtTJVwpkW6jZ+cc5vGRQp39FP/RiisCyK7wcUGuLW6c8vt8EWiHnsPfImcNaC/DkQFJhsM5w6mHXeZ99uniVauh77jwPm5bR3eT4Qj6NfBOrE4uMaIiwIakt/W+X/AdW4trvajo31uGIr3jdi/csEJmsOGX02/YKyZvDWKkgJMyW2+YwAJwQdzQhXQe0yhSxHfIIbAYIiTSUCTlOS+EgGF80uUWXQzl6WqXW+99CtjgR6fm26si+ZgLpuR5h+75SwmkASgdPb4MnEwCE72of79Ow25weVX68Mbe8HR7GJzQvtMFriRA+TvkHrHHpi2gqVxR68olMyrBdsj774IFV6Vtc5K3sMsWZcdpOIXkaNf7w2ns26PCe7QuZuFnav3i2gW5v3rKCQ+jhazTN3v4mojB5/+smTzrjPZrwU+7e+AsWreIUo/k+4Jk8lsk2WEWlHVtMAu7iojLnfF0ep+Zh5at

8
apps/test/test-apps/auth-values.yaml
View File

@@ -1,8 +0,0 @@
name: auth
namespace: test-apps
authOnly: true
auth:
cookieDomain: stonegarden.dev
whitelist:
- veghag@gmail.com
- wiredmatrices@gmail.com

26
apps/test/test-apps/auth.yaml
View File

@@ -1,26 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: auth
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: test
sources:
- repoURL: https://github.com/vehagn/homelab
path: charts/application
helm:
valueFiles:
- $values/apps/test/test-apps/auth-values.yaml
- repoURL: https://github.com/vehagn/homelab
ref: values
destination:
namespace: test-apps
name: in-cluster
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

9
apps/test/test-apps/common-values.yaml
View File

@@ -1,9 +0,0 @@
name: app
namespace: test-apps
image:
name: containous/whoami
service:
containerPort: 80
auth:
enabled: true
create: false

12
apps/test/test-apps/kustomization.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app.kubernetes.io/managed-by: argocd
app.kubernetes.io/part-of: test
resources:
- auth-secret.yaml
- app1.yaml
- app2.yaml
- app3.yaml
- auth.yaml

18
apps/test/whoami/http-route.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: whoami-http-route
spec:
parentRefs:
- name: stonegarden
namespace: gateway
hostnames:
- "gateway.stonegarden.dev"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: whoami
port: 80

29
apps/test/whoami/ingress-route.yaml
View File

@@ -1,29 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: whoami-ingress-route
labels:
app: traefik
spec:
entryPoints:
- websecure
routes:
- match: Host(`auth-whoami.stonegarden.dev`)
kind: Rule
services:
- name: traefik-forward-auth
port: 4181
middlewares:
- name: traefik-forward-auth
- match: Host(`whoami.stonegarden.dev`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: traefik-forward-auth
- match: Host(`whoami-ingress-route.stonegarden.dev`)
kind: Rule
services:
- name: whoami
port: 80

17
apps/test/whoami/ingress.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: whoami-ingress
namespace: whoami
spec:
rules:
- host: whoami-ingress.stonegarden.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: whoami
port:
number: 80

10
apps/test/whoami/kustomization.yaml
View File

@@ -1,10 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: whoami
resources:
# - ingress.yaml
# - ingress-route.yaml
- http-route.yaml
- traefik-forward-auth
- whoami

18
apps/test/whoami/traefik-forward-auth/auth-secret.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: traefik-forward-auth-secrets
namespace: whoami
spec:
encryptedData:
google-client-id: AgChcwoghJUslRQrRJTm6hJoiecNl2zlFmJOl49h4gYUoWukyt83ATU30Hw/kyyJ7Chw/Yg9I8Q8/YkI2GbuUjhrndb+7227+X9nerU4cA2lhnPQo27qU61silOoYCfmkDzUfCrLN00zNOHiM3VXOKZms+QOcsWZ7c/nF1Dc5E+eC7DRGgvKwhIrqViSJcms/EFTtzDJKh5WX9knJpg1Wq5FS0b0SMxXW4SjvMGaaeWAJAhZX80NKJUuwHA8STZJ2L3rAwEX3AsVk1+I7VWWvr1MNoPZY8OO76ovuLb++044VU/57uQXw4XG8R7aJF0PaXsrllVx7Qn2MWIBSgDfKJbYKh9J0RFZazZtfLWiVL2rYVtR6ANmOyGKfewdmDonQOTFOIJAn63c1KBICPm4v+xbEI5ic79bG6fG1WwloAY8IBwIPBNzGd7BJ4h1RtjUbty62agr+prX2Gl3ASPFzVnCer1v/e3VqUuQ04yRNYGt0syw1502oAQo+5aCTRG6IRTalNoDgnRFHr8W2cOpMIUL/naWlj6+50yPX+IwAAJ3CFKqPQKMTe/CotodD8oU3dT8ifO0SnNeTYlwo1QHsWhlNUS5kUqGiynEjZzm+Z9hnA7mnImKJRQrA74GNyxl08lUxBU6iySHjqgU/e3w6vWKeQRZCBYs3YTiLWOqes5IPl2Z+xc/dqR2+DRnMw1X7isyIxYXXuWNfkDxJVJcYCN/1oKmk70NBHM3Ux5Uhh3inFLB6uEMOenmr/keB814ReYFozuSVkMo6Rxm1830/Cy5IAA6MeaS8LM=
google-client-secret: AgAsPVQjP7z7p/6pRCY5dGRtPbLzl0T9PkVt3bYaT1DLx0717nvAiiG9cL3YkKEJJgUWXDIsl17d62ZJ61T0RPpnkab9WUAYzvuxajqpA9aeqwUGNFQe3p2YxLJGs14IFpj4bahzbceFr/w0zhu9KU45o4k7vc/xClQtvAPb1WVCYKEonDnKMOBzeQ/vCF0RRFkCXdhvOeNCOs3XKquFy0i4E1StitgN03WiNq/kZuBNnpwp0n/Cmlm+C5GiXypAvt/BW+/+QPLet9ws023uK1ouoTgartpdhtYP0ZHkOnfQDzkds1OP3AyNU+wD1S3jWBRWdc7vnyaJPBP1R8sMoVgW2tBn1XpRpQlu2KEVKP/Xt/ok1vr7hhqbNPh3sESSZxEo6GST8+qf/5w1ot5jIxq1AIiSCmqtzaI4oERc1CWD3XDMkll0G7K649hSneiJHV9riwBwhh3kTcRMMrPBd+VOXfxpXSrE4l8uczgQKhbDRHb9mE9nAO8I6TKxm1apTtzJ/EeaOYBlBtb9Pcct/nla57tdrRF5J+R4tmfZ+wiX0pQceHWOge4Hs36ci8gbAp6zUawdbTRSrMd2IS7xhUn/CsNhDuX74CHb/XwNFXa24ztDWkbZwnZxq7XtCa9Lj70WwyQ/UATvhvYtaL+gFFw11tKSWtUpM7k8LJmtsGtkb8Zz6IDAgk6OgWrRXcm/E+ohMXDsdwYTm3AkcD1+H9qJ7nH1SIXDuktAF59U84xYOOa5Zg==
secret: AgBRVl6Ye+pIZt1X8bca2+8KxSAgTBa4usXynuTRJLymYA1PzSBcNvKjxgcp/ywzZOAX30u4KclxNcYEKzJIDqjcJMc0+RkntPj8z7gqpWizmHAN/tQQtW1n/4HrheOteo7dI3GRHi3B1aQAjxt0zexFdtwUN5aLXeTwyq5pJNSqrKksJz4nzlU8Yfxf8C2bDlZIJHzCFwtR89sVWm5F0U6E2s6+24tI/LJWVBIWLLR5/fmB0gm99N+ByW8uFf4c44bCDhRHwRXJBiZ59/DrqlPJqP1aboN6yxL3M7FBylJs+QP6qrdM2N/8gx6yVQAxYN/gIFKlIuVCwZ+mjjicgvQFRk1Nu7GGVkfN9zOgMyArlC4/MySJBTOWLhF2RZvpaFEx48ga4sIsfDqFC8/55cVNvvwF4mMpu+CvrRHH/+fzdTug9B/Fkn0Y+2f7WGNL8o/1S8DiduWMUU6JBf/C8gAp8bZntrCs74rBI0gdPqmGcG1bnwj/fovyz+AmEpVmL3BTGiuP7XSID3oVxnP0X5iqoNwZ13CRmwScZMUEQurX7AQ40shVHAMpGoMt4LCHXRlZFWSKLfRWpMyP7uVLLnDQnu+oy94SG1abOCZEBCM8esxtOjRPuyEEjftDkPlWp8zhtjGORK1yxALhgeCVg30WVOKfMjJCjc4lpDOxIYLcO2Y6MaQZPYgO0ebYusXDkgd5wQVFcQMo+uN3ExKbTA==
template:
metadata:
annotations:
sealedsecrets.bitnami.com/managed: "true"
name: traefik-forward-auth-secrets
namespace: whoami
type: Opaque

5
apps/test/whoami/traefik-forward-auth/configs/traefik-forward-auth.ini
View File

@@ -1,5 +0,0 @@
cookie-name = "_whoami_auth"
log-level = "error"
cookie-domain = "stonegarden.dev"
auth-host = "auth-whoami.stonegarden.dev"
domain = "gmail.com"

54
apps/test/whoami/traefik-forward-auth/deployment.yaml
View File

@@ -1,54 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-forward-auth
spec:
replicas: 1
selector:
matchLabels:
app: traefik-forward-auth
strategy:
type: Recreate
template:
metadata:
labels:
app: traefik-forward-auth
spec:
terminationGracePeriodSeconds: 60
containers:
- image: thomseddon/traefik-forward-auth:2
imagePullPolicy: Always
name: traefik-forward-auth
ports:
- containerPort: 4181
protocol: TCP
env:
- name: CONFIG
value: "/config"
- name: PROVIDERS_GOOGLE_CLIENT_ID
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-id
- name: PROVIDERS_GOOGLE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-secret
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: secret
volumeMounts:
- name: configs
mountPath: /config
subPath: traefik-forward-auth.ini
volumes:
- name: configs
configMap:
name: configs
- name: traefik-forward-auth-secrets
secret:
secretName: traefik-forward-auth-secrets

15
apps/test/whoami/traefik-forward-auth/kustomization.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app: traefik-forward-auth
resources:
- auth-secret.yaml
- service.yaml
- deployment.yaml
- middleware.yaml
configMapGenerator:
- name: configs
files:
- configs/traefik-forward-auth.ini

10
apps/test/whoami/traefik-forward-auth/middleware.yaml
View File

@@ -1,10 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: traefik-forward-auth
spec:
forwardAuth:
address: http://traefik-forward-auth.whoami.svc.cluster.local:4181
authResponseHeaders:
- X-Forwarded-User
trustForwardHeader: true

11
apps/test/whoami/traefik-forward-auth/service.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: traefik-forward-auth
spec:
type: ClusterIP
selector:
app: traefik-forward-auth
ports:
- name: auth-http
port: 4181

18
apps/test/whoami/whoami/deployment.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
spec:
replicas: 1
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- image: containous/whoami
imagePullPolicy: Always
name: whoami

8
apps/test/whoami/whoami/kustomization.yaml
View File

@@ -1,8 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app: whoami
resources:
- service.yaml
- deployment.yaml

11
apps/test/whoami/whoami/service.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: whoami
spec:
type: ClusterIP
ports:
- name: http
port: 80
selector:
app: whoami

36
apps/utility/application-set.yaml
View File

@@ -1,36 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: utility
namespace: argocd
labels:
dev.stonegarden: utility
spec:
generators:
- git:
repoURL: https://github.com/vehagn/homelab
revision: HEAD
directories:
- path: apps/utility/*
template:
metadata:
name: '{{ path.basename }}'
labels:
dev.stonegarden: utility
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: utility
source:
plugin:
name: kustomize-build-with-helm
repoURL: https://github.com/vehagn/homelab
targetRevision: HEAD
path: '{{ path }}'
destination:
name: in-cluster
namespace: '{{ path.basename }}'
syncPolicy:
automated:
selfHeal: true
prune: true

18
apps/utility/haos/endpoint-slice.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: home-assistant
namespace: haos
labels:
kubernetes.io/service-name: home-assistant
endpointslice.kubernetes.io/managed-by: cluster-admins
addressType: IPv4
ports:
- name: http
protocol: TCP
port: 8123
endpoints:
- addresses:
- 192.168.1.27
conditions: # https://github.com/argoproj/argo-cd/issues/15554
ready: true

14
apps/utility/haos/ingress-route.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: home-assistant
namespace: haos
spec:
entryPoints:
- websecure
routes:
- match: Host(`haos.stonegarden.dev`)
kind: Rule
services:
- name: home-assistant
port: 8123

9
apps/utility/haos/kustomization.yaml
View File

@@ -1,9 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ns.yaml
- svc.yaml
- endpoint-slice.yaml
- http-route.yaml
# - ingress-route.yaml

25
apps/utility/home-assistant.yaml
View File

@@ -1,25 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: home-assistant
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
labels:
dev.stonegarden: home-assistant
spec:
project: utility
source:
repoURL: https://github.com/vehagn/home-assistant
path: deployment
targetRevision: HEAD
destination:
namespace: home-assistant
name: in-cluster
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

11
apps/utility/kustomization.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
dev.stonegarden: app-management
app.kubernetes.io/managed-by: argocd
resources:
- project.yaml
- application-set.yaml
# - home-assistant.yaml

20
apps/utility/project.yaml
View File

@@ -1,20 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: utility
namespace: argocd
spec:
sourceNamespaces:
- '*'
sourceRepos:
- 'https://github.com/vehagn/*'
destinations:
- namespace: 'argocd'
server: '*'
- namespace: 'haos'
server: '*'
- namespace: 'proxmox'
server: '*'
clusterResourceWhitelist:
- group: '*'
kind: '*'

18
apps/utility/proxmox/endpoint-slice.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: proxmox-euclid
namespace: proxmox
labels:
kubernetes.io/service-name: proxmox-euclid
endpointslice.kubernetes.io/managed-by: cluster-admins
addressType: IPv4
ports:
- name: https
protocol: TCP
port: 8006
endpoints:
- addresses:
- 192.168.1.42
conditions: # https://github.com/argoproj/argo-cd/issues/15554
ready: true

8
apps/utility/proxmox/kustomization.yaml
View File

@@ -1,8 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ns.yaml
- svc.yaml
- endpoint-slice.yaml
- tls-route.yaml

4
apps/utility/proxmox/ns.yaml
View File

@@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: proxmox

11
apps/utility/proxmox/svc.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: proxmox-euclid
namespace: proxmox
spec:
ports:
- name: https
protocol: TCP
port: 443
targetPort: 8006

15
apps/utility/proxmox/tls-route.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
name: euclid
namespace: proxmox
spec:
parentRefs:
- name: proxmox-euclid
namespace: gateway
hostnames:
- "proxmox.euclid.stonegarden.dev"
rules:
- backendRefs:
- name: proxmox-euclid
port: 443

23
charts/application/.helmignore
View File

@@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

24
charts/application/Chart.yaml
View File

@@ -1,24 +0,0 @@
apiVersion: v2
name: application
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"

61
charts/application/templates/_helpers.tpl
View File

@@ -1,61 +0,0 @@
{{/*
Common labels
*/}}
{{- define "common.labels" -}}
app.kubernetes.io/name: {{ .Values.name }}
{{- with .Values.additionalLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "common.annotations" -}}
{{- with .Values.annotations }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{/*
Returns string "true" or empty which will be evaluated to boolean false
*/}}
{{- define "deployment.create" -}}
{{- if not .Values.authOnly }}
{{- true }}
{{- end }}
{{- end }}
{{/*
Returns string "true" or empty which will be evaluated to boolean false
*/}}
{{- define "service.create" -}}
{{- if and .Values.service.create (include "deployment.create" .) }}
{{- true }}
{{- end }}
{{- end }}
{{/*
Returns string "true" or empty which will be evaluated to boolean false
*/}}
{{- define "ingressRoute.create" -}}
{{- if and .Values.ingressRoute.create (or .Values.authOnly (include "service.create" .)) }}
{{- true }}
{{- end }}
{{- end }}
{{/*
Returns string "true" or empty which will be evaluated to boolean false
*/}}
{{- define "auth.create" -}}
{{- if or .Values.authOnly (and .Values.auth.enabled .Values.auth.create (include "ingressRoute.create" .)) }}
{{- true }}
{{- end }}
{{- end }}
{{/*
Return default auth host or custom value if set
*/}}
{{- define "auth.host" -}}
{{ .Values.auth.host | default (print "auth-" .Values.namespace "." .Values.auth.cookieDomain ) }}
{{- end }}

60
charts/application/templates/application/deployment.yaml
View File

@@ -1,60 +0,0 @@
{{- if include "deployment.create" . }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.name }}
namespace: {{ .Values.namespace }}
labels:
{{- include "common.labels" . | nindent 4 }}
annotations:
{{- include "common.annotations" . | nindent 4 }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app: {{ .Values.name }}
template:
metadata:
labels:
app: {{ .Values.name }}
spec:
volumes:
{{- range .Values.hostVolumes }}
- name: {{ .name }}
hostPath:
path: {{ .hostPath }}
{{- end }}
{{- range .Values.additionalVolumes }}
- name: {{ .name }}
{{- toYaml .value | nindent 10 }}
{{- end }}
containers:
- name: {{ .Values.name }}
image: {{ .Values.image.name }}:{{ .Values.image.tag | default "latest" }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
{{- range .Values.hostVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath }}
{{- end }}
{{- range .Values.additionalVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath }}
{{- end }}
env:
{{- toYaml .Values.env | nindent 12 }}
{{- with .Values.additionalEnv }}
{{ . | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.service.containerPort }}
protocol: TCP
{{- range .Values.service.additionalPorts }}
- name: {{ .name }}
containerPort: {{ .containerPort }}
protocol: {{ .protocol | default "TCP" }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- end }}

26
charts/application/templates/application/service.yaml
View File

@@ -1,26 +0,0 @@
{{- if include "service.create" .}}
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.name }}
namespace: {{ .Values.namespace }}
labels:
{{- include "common.labels" . | nindent 4 }}
annotations:
{{- include "common.annotations" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- name: http
port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
{{- range .Values.service.additionalPorts }}
- name: {{ .name }}
port: {{ .port | default .containerPort }}
targetPort: {{ .name }}
protocol: {{ .protocol | default "TCP" }}
{{- end }}
selector:
app: {{ .Values.name }}
{{- end }}

33
charts/application/templates/ingress-route.yaml
View File

@@ -1,33 +0,0 @@
{{- if include "ingressRoute.create" . }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: {{ .Values.name }}
namespace: {{ .Values.namespace }}
labels:
{{- include "common.labels" . | nindent 4 }}
spec:
entryPoints:
- websecure
routes:
{{- if include "service.create" . }}
- match: Host(`{{ .Values.name }}.stonegarden.dev`)
kind: Rule
services:
- name: {{ .Values.name }}
port: 80
{{- if .Values.auth.enabled }}
middlewares:
- name: traefik-forward-auth
{{- end }}
{{- end }}
{{- if include "auth.create" . }}
- match: Host(`{{ include "auth.host" . }}`)
kind: Rule
services:
- name: traefik-forward-auth
port: {{ .Values.auth.port }}
middlewares:
- name: traefik-forward-auth
{{- end }}
{{- end }}

27
charts/application/templates/traefik-forward-auth/config-map.yaml
View File

@@ -1,27 +0,0 @@
{{- if include "auth.create" . }}
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-forward-auth
namespace: {{ .Values.namespace }}
labels:
app: traefik-forward-auth
{{- include "common.labels" . | nindent 4 }}
annotations:
{{- include "common.annotations" . | nindent 4 }}
data:
traefik-forward-auth.ini: |-
cookie-name = {{ .Values.auth.cookieName | default (print "_" .Values.namespace "_auth") | quote }}
cookie-domain = {{ .Values.auth.cookieDomain | quote }}
auth-host = {{ include "auth.host" . | quote }}
log-level = {{ .Values.auth.logLevel | quote }}
{{- range .Values.auth.domains }}
domain = {{ . | quote }}
{{- end }}
{{- range .Values.auth.whitelist }}
whitelist = {{ . | quote }}
{{- end }}
{{- range $key, $val := .Values.auth.extraConfig -}}
{{ $key | nindent 4 }} = {{ $val | quote }}
{{- end }}
{{- end }}

61
charts/application/templates/traefik-forward-auth/deployment.yaml
View File

@@ -1,61 +0,0 @@
{{- if include "auth.create" . }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-forward-auth
namespace: {{ .Values.namespace }}
labels:
{{- include "common.labels" . | nindent 4 }}
annotations:
{{- include "common.annotations" . | nindent 4 }}
spec:
replicas: 1
selector:
matchLabels:
app: traefik-forward-auth
strategy:
type: Recreate
template:
metadata:
labels:
app: traefik-forward-auth
spec:
terminationGracePeriodSeconds: 60
containers:
- image: thomseddon/traefik-forward-auth:2
imagePullPolicy: Always
name: traefik-forward-auth
ports:
- name: auth
containerPort: 4181
protocol: TCP
env:
- name: CONFIG
value: "/config"
- name: PROVIDERS_GOOGLE_CLIENT_ID
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-id
- name: PROVIDERS_GOOGLE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-secret
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: secret
volumeMounts:
- name: config
mountPath: /config
subPath: traefik-forward-auth.ini
volumes:
- name: config
configMap:
name: traefik-forward-auth
- name: traefik-forward-auth-secrets
secret:
secretName: traefik-forward-auth-secrets
{{- end }}

17
charts/application/templates/traefik-forward-auth/middleware.yaml
View File

@@ -1,17 +0,0 @@
{{- if include "auth.create" . }}
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: traefik-forward-auth
namespace: {{ .Values.namespace }}
labels:
{{- include "common.labels" . | nindent 4 }}
annotations:
{{- include "common.annotations" . | nindent 4 }}
spec:
forwardAuth:
address: "http://traefik-forward-auth.{{ .Values.namespace }}.svc.cluster.local:{{ .Values.auth.port }}"
authResponseHeaders:
- X-Forwarded-User
trustForwardHeader: true
{{- end }}

19
charts/application/templates/traefik-forward-auth/service.yaml
View File

@@ -1,19 +0,0 @@
{{- if include "auth.create" . }}
apiVersion: v1
kind: Service
metadata:
name: traefik-forward-auth
namespace: {{ .Values.namespace }}
labels:
{{- include "common.labels" . | nindent 4 }}
annotations:
{{- include "common.annotations" . | nindent 4 }}
spec:
type: ClusterIP
selector:
app: traefik-forward-auth
ports:
- name: auth
port: {{ .Values.auth.port }}
targetPort: auth
{{- end }}

66
charts/application/values.yaml
View File

@@ -1,66 +0,0 @@
name: name
namespace: namespace
# Skip deployment and only do auth
authOnly: false
image:
name: image
tag: latest
pullPolicy: Always
replicas: 1
service:
create: true
type: ClusterIP
port: 80
containerPort: 8080
additionalPorts: []
# - name: ""
# protocol: TCP
# containerPort: ""
# port: ""
ingressRoute:
create: true
env: []
additionalEnv: []
hostVolumes: []
#- name: volume-name
# hostPath: /host/path
# mountPath: /container/path
additionalVolumes:
#- name: volume-name
# mountPath: /container/path
# value: {}
additionalLabels: {}
annotations: {}
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
auth:
# Enable authentication with traefik-forward-auth
enabled: true
# Create traefik-forward-auth deployment
# Set to "false" to reuse a different deployment in the same namespace
create: true
port: 4181
cookieName: ""
cookieDomain: ""
host: ""
domains: {}
whitelist: {}
logLevel: error
extraConfig: {}

338
docs/QUICKSTART.md
View File

@@ -1,338 +0,0 @@
# Quickstart using kubeadm
## Debian 12 Bookworm
Enable `sudo` for the user
```shell
~$ su -
~# usermod -aG sudo <user>
~# apt install sudo
~# exit
~$ exit
```
Enable `ssh` on server
```shell
sudo apt install openssh-server
```
On client
```shell
ssh-copy-id <user>@<ip>
```
Harden `ssh` server
```shell
echo "PermitRootLogin no" | sudo tee /etc/ssh/sshd_config.d/01-disable-root-login.conf
echo "PasswordAuthentication no" | sudo tee /etc/ssh/sshd_config.d/02-disable-password-auth.conf
echo "ChallengeResponseAuthentication no" | sudo tee /etc/ssh/sshd_config.d/03-disable-challenge-response-auth.conf
echo "UsePAM no" | sudo tee /etc/ssh/sshd_config.d/04-disable-pam.conf
sudo systemctl reload ssh
```
## Install prerequisites
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
Install cert tools
```shell
sudo apt update
sudo apt install -y apt-transport-https ca-certificates curl gpg
```
Add key and kubernetes repo
```shell
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
```
Install kubelet, kubeadm and kubectl
```shell
sudo apt update
sudo apt install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl
```
Kubelet ≥ 1.26 requires containerd ≥ 1.6.0.
```shell
sudo apt install -y runc containerd
```
## Config
### Disable swap
Disable swap for kubelet to work properly
```shell
sudo swapoff -a
```
Comment out swap in `/etc/fstab` to disable swap on boot
```shell
sudo sed -e '/swap/ s/^#*/#/' -i /etc/fstab
```
### Forwarding IPv4 and letting iptables see bridged traffic
https://kubernetes.io/docs/setup/production-environment/container-runtimes/#install-and-configure-prerequisites
```shell
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF
```
```shell
sudo modprobe overlay
sudo modprobe br_netfilter
```
Persist `sysctl` params across reboot
```shell
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
```
Apply `sysctl` params without reboot
```shell
sudo sysctl --system
```
### Containerd CGroups
Generate default config
```shell
containerd config default | sudo tee /etc/containerd/config.toml
```
https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd-systemd
Configure the `systemd` cgroup driver for containerd
```shell
sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
```
Restart containerd
```shell
sudo systemctl restart containerd
```
## Initialise cluster
We are going to use cilium in place of kube-proxy
https://docs.cilium.io/en/v1.12/gettingstarted/kubeproxy-free/
```shell
sudo kubeadm init --skip-phases=addon/kube-proxy
```
## Set up kubectl
https://kubernetes.io/docs/tasks/tools/
```shell
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
```
For remote kubectl copy the config file to local machine
```shell
scp <USER>@<IP>:/home/veh/.kube/config ~/.kube/config
```
## (Optional) Remove taint for single node use
Get taints on nodes
```shell
kubectl get nodes -o json | jq '.items[].spec.taints'
```
Remove taint on master node to allow scheduling of all deployments
```shell
kubectl taint nodes --all node-role.kubernetes.io/control-plane-
```
## Install Cilium as CNI (Container Network Interface)
To bootstrap the cluster we can install Cilium using its namesake CLI.
For Linux this can be done by running
```shell
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
```
See the [Cilium official docs](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) for more options.
Next we install Cilium in Kube proxy replacement mode and enable L2 announcements to reply to ARP requests.
To not run into rate limiting while doing L2 announcements we also increase the k8s rate limits.
```shell
cilium install \
--set kubeProxyReplacement=true \
--set l2announcements.enabled=true \
--set externalIPs.enabled=true \
--set k8sClientRateLimit.qps=50 \
--set k8sClientRateLimit.burst=100
```
See [this blog post](https://blog.stonegarden.dev/articles/2023/12/migrating-from-metallb-to-cilium/#l2-announcements)
for more details.
Validate install
```shell
cilium status
```
## Cilium LB IPAM
For [Cilium to act as a load balancer](https://docs.cilium.io/en/stable/network/lb-ipam/) and start assigning IPs
to `LoadBalancer` `Service` resources we need to create a `CiliumLoadBalancerIPPool` with a valid pool.
Edit the cidr range to fit your network before applying it
```shell
kubectl apply -f infra/cilium/ip-pool.yaml
```
Next create a `CiliumL2AnnouncementPolicy` to announce the assigned IPs.
Leaving the `interfaces` field empty announces on all interfaces.
```shell
kubectl apply -f infra/cilium/announce.yaml
```
## Sealed Secrets
Used to create encrypted secrets
```shell
kubectl apply -k infra/sealed-secrets
```
Be sure to store the generated sealed secret key in a safe place!
```shell
kubectl -n kube-system get secrets
```
*NB!*: There will be errors if you use my sealed secrets as you (hopefully) don't have the decryption key
## Gateway API
```shell
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/experimental-install.yaml
```
## Cert-manager
```shell
kubectl kustomize --enable-helm infra/cert-manager | kubectl apply -f -
```
## Traefik
Change the `io.cilium/lb-ipam-ips` annotation in `infra/traefik/values.yaml` to a valid IP address for your network.
Install Traefik
```shell
kubectl kustomize --enable-helm infra/traefik | kubectl apply -f -
```
## Port forward Traefik
Port forward Traefik ports in router from 8000 to 80 for http and 4443 to 443 for https.
IP can be found with `kubectl get svc` (it should be the same as the one you gave in the annotation).
# Test-application (Optional)
Deploy a test-application by editing the manifests in `apps/test/whoami` and apply them
```shell
kubectl apply -k apps/test/whoami
```
An unsecured test-application `whoami` should be available at [https://test.${DOMAIN}](https://test.${DOMAIN}).
If you configured `apps/test/whoami/traefik-forward-auth` correctly a secured version should be available
at [https://whoami.${DOMAIN}](https://whoami.${DOMAIN}).
## Argo CD
[ArgoCD](https://argo-cd.readthedocs.io/en/stable/getting_started/) is used to bootstrap the rest of the cluster.
The cluster uses a combination of Helm and Kustomize to configure infrastructure and applications.
For more details read [this blog post](https://blog.stonegarden.dev/articles/2023/09/argocd-kustomize-with-helm/)
```shell
kubectl kustomize --enable-helm infra/argocd | kubectl apply -f -
```
Get ArgoCD initial secret by running
```shell
kubectl -n argocd get secrets argocd-initial-admin-secret -o json | jq -r .data.password | base64 -d
```
## Kubernetes Dashboard
An OIDC (traefik-forward-auth)
protected [Kubernetes Dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/) can be
deployed using
```shell
kubectl apply -k infra/dashboard
```
Create a token
```shell
kubectl -n kubernetes-dashboard create token admin-user
```
## ApplicationSets
*NB!*: This will not work before you've changed all the domain names and IP addresses.
Once you've tested everything get the ball rolling with
```shell
kubectl apply -k sets
```
## Cleanup
```shell
kubectl drain gauss --delete-emptydir-data --force --ignore-daemonsets
sudo kubeadm reset
sudo iptables -F && sudo iptables -t nat -F && sudo iptables -t mangle -F && sudo iptables -X
```

0
docs/assets/kubernetes.svg → docs/assets/kubernetes-logo.svg
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 11 KiB

After

Width:  |  Height:  |  Size: 11 KiB

Some files were not shown because too many files have changed in this diff Show More