diff --git a/.github/renovate/groups.json5 b/.github/renovate/groups.json5 index c88d7013c3..725e440de8 100644 --- a/.github/renovate/groups.json5 +++ b/.github/renovate/groups.json5 @@ -21,16 +21,6 @@ }, separateMinorPatch: true, }, - { - description: ["Dragonfly Operator Group"], - groupName: "Dragonfly Operator", - matchPackagePatterns: ["dragonfly(?:db)?.operator"], - matchDatasources: ["docker", "github-releases"], - group: { - commitMessageTopic: "{{{groupName}}} group", - }, - separateMinorPatch: true, - }, { description: ["Flux Group"], groupName: "Flux", diff --git a/kubernetes/apps/databases/dragonfly/app/helmrelease.yaml b/kubernetes/apps/databases/dragonfly/app/helmrelease.yaml deleted file mode 100644 index 17a2932f04..0000000000 --- a/kubernetes/apps/databases/dragonfly/app/helmrelease.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app dragonfly-operator -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.5.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - dragonfly-operator: - containers: - app: - image: - repository: ghcr.io/dragonflydb/operator - tag: v1.1.8@sha256:5e0ebd5d58066499fb19ea4102531972401f2a6100fc9f4dbc45284c4175de82 - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=:8080 - command: - - /manager - probes: - liveness: - enabled: true - custom: true - spec: - httpGet: - path: /healthz - port: &port 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: - enabled: true - custom: true - spec: - httpGet: - path: /readyz - port: *port - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - resources: - requests: - cpu: 10m - limits: - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - defaultPodOptions: - securityContext: - runAsNonRoot: true - runAsUser: 568 - runAsGroup: 568 - service: - app: - controller: *app - ports: - http: - port: *port - metrics: - port: 8080 - serviceAccount: - create: true - name: *app - serviceMonitor: - app: - serviceName: *app - endpoints: - - port: metrics - scheme: http - path: /metrics - interval: 1m - scrapeTimeout: 10s diff --git a/kubernetes/apps/databases/dragonfly/app/kustomization.yaml b/kubernetes/apps/databases/dragonfly/app/kustomization.yaml deleted file mode 100644 index 1cc0109831..0000000000 --- a/kubernetes/apps/databases/dragonfly/app/kustomization.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # renovate: depName=dragonflydb/dragonfly-operator datasource=github-releases - - https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.8/manifests/crd.yaml - - ./helmrelease.yaml - - ./rbac.yaml diff --git a/kubernetes/apps/databases/dragonfly/app/rbac.yaml b/kubernetes/apps/databases/dragonfly/app/rbac.yaml deleted file mode 100644 index cc8a8c4076..0000000000 --- a/kubernetes/apps/databases/dragonfly/app/rbac.yaml +++ /dev/null @@ -1,40 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: dragonfly-operator -rules: - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - - apiGroups: ["apps"] - resources: ["statefulsets"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - - apiGroups: ["dragonflydb.io"] - resources: ["dragonflies"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - - apiGroups: ["dragonflydb.io"] - resources: ["dragonflies/finalizers"] - verbs: ["update"] - - apiGroups: ["dragonflydb.io"] - resources: ["dragonflies/status"] - verbs: ["get", "patch", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: dragonfly-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: dragonfly-operator -subjects: - - kind: ServiceAccount - name: dragonfly-operator - namespace: databases diff --git a/kubernetes/apps/databases/dragonfly/cluster/cluster.yaml b/kubernetes/apps/databases/dragonfly/cluster/cluster.yaml deleted file mode 100644 index 65616d1c1f..0000000000 
--- a/kubernetes/apps/databases/dragonfly/cluster/cluster.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: dragonflydb.io/v1alpha1 -kind: Dragonfly -metadata: - name: dragonfly -spec: - image: ghcr.io/dragonflydb/dragonfly:v1.25.4 - replicas: 3 - args: - - --maxmemory=$(MAX_MEMORY)Mi - - --proactor_threads=2 - - --cluster_mode=emulated - - --lock_on_hashtags - env: - - name: MAX_MEMORY - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: 1Mi - resources: - requests: - cpu: 100m - limits: - memory: 512Mi diff --git a/kubernetes/apps/databases/dragonfly/cluster/kustomization.yaml b/kubernetes/apps/databases/dragonfly/cluster/kustomization.yaml deleted file mode 100644 index 9f07f9f61e..0000000000 --- a/kubernetes/apps/databases/dragonfly/cluster/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./cluster.yaml - - ./podmonitor.yaml diff --git a/kubernetes/apps/databases/dragonfly/cluster/podmonitor.yaml b/kubernetes/apps/databases/dragonfly/cluster/podmonitor.yaml deleted file mode 100644 index 042ffa0b0d..0000000000 --- a/kubernetes/apps/databases/dragonfly/cluster/podmonitor.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: dragonfly -spec: - selector: - matchLabels: - app: dragonfly - podTargetLabels: - - app - podMetricsEndpoints: - - port: admin diff --git a/kubernetes/apps/databases/dragonfly/ks.yaml b/kubernetes/apps/databases/dragonfly/ks.yaml deleted file mode 100644 index d9944595b7..0000000000 --- a/kubernetes/apps/databases/dragonfly/ks.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app dragonfly - namespace: flux-system -spec: - targetNamespace: databases - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/databases/dragonfly/app - prune: true - sourceRef: - kind: GitRepository - name: k8s-gitops - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app dragonfly-cluster - namespace: flux-system -spec: - targetNamespace: databases - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: dragonfly - path: ./kubernetes/apps/databases/dragonfly/cluster - prune: true - sourceRef: - kind: GitRepository - name: k8s-gitops - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/apps/databases/kustomization.yaml b/kubernetes/apps/databases/kustomization.yaml index afd6621451..b06f62174f 100644 --- a/kubernetes/apps/databases/kustomization.yaml +++ b/kubernetes/apps/databases/kustomization.yaml @@ -4,5 +4,4 @@ kind: Kustomization resources: - ./namespace.yaml - ./cloudnative-pg/ks.yaml - - ./dragonfly/ks.yaml - ./emqx/ks.yaml diff --git a/kubernetes/apps/home/kustomization.yaml b/kubernetes/apps/home/kustomization.yaml index 2a9938a680..52498cd58d 100644 --- a/kubernetes/apps/home/kustomization.yaml +++ b/kubernetes/apps/home/kustomization.yaml @@ -7,7 +7,5 @@ resources: - ./go2rtc/ks.yaml - ./hajimari/ks.yaml - ./home-assistant/ks.yaml - - ./miniflux/ks.yaml - - ./node-red/ks.yaml - ./thelounge/ks.yaml - ./zigbee2mqtt/ks.yaml diff --git a/kubernetes/apps/home/miniflux/app/externalsecret.yaml b/kubernetes/apps/home/miniflux/app/externalsecret.yaml deleted file mode 100644 index 3c608c5152..0000000000 --- a/kubernetes/apps/home/miniflux/app/externalsecret.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: miniflux -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: miniflux-secret - template: - engineVersion: v2 - data: - ADMIN_USERNAME: "{{ .MINIFLUX_ADMIN_USERNAME }}" - ADMIN_PASSWORD: "{{ .MINIFLUX_ADMIN_PASSWORD }}" - DATABASE_URL: |- - postgres://{{ .MINIFLUX_POSTGRES_USER }}:{{ .MINIFLUX_POSTGRES_PASS }}@postgres-rw.databases.svc.cluster.local/miniflux?sslmode=disable - OAUTH2_CLIENT_SECRET: "{{ .MINIFLUX_OAUTH_CLIENT_SECRET }}" - INIT_POSTGRES_DBNAME: miniflux - INIT_POSTGRES_HOST: postgres-rw.databases.svc.cluster.local - INIT_POSTGRES_USER: "{{ .MINIFLUX_POSTGRES_USER }}" - INIT_POSTGRES_PASS: "{{ .MINIFLUX_POSTGRES_PASS }}" - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" - dataFrom: - - extract: - key: miniflux - - extract: - key: cloudnative-pg diff --git a/kubernetes/apps/home/miniflux/app/helmrelease.yaml b/kubernetes/apps/home/miniflux/app/helmrelease.yaml deleted file mode 100644 index c98539b8ea..0000000000 --- a/kubernetes/apps/home/miniflux/app/helmrelease.yaml +++ /dev/null 
@@ -1,119 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app miniflux -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.5.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - miniflux: - replicas: 2 - strategy: RollingUpdate - annotations: - reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/buroa/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: miniflux-secret - containers: - app: - image: - repository: ghcr.io/miniflux/miniflux - tag: 2.2.3-distroless@sha256:6b778e125817592cf67b7eaf4a2fbb7a269d59ea82c82bfaae0c7daee4bc4ef6 - env: - BASE_URL: https://{{ .Release.Name }}.ktwo.io - CREATE_ADMIN: 1 - LOG_DATE_TIME: 1 - METRICS_ALLOWED_NETWORKS: 10.244.0.0/16 - METRICS_COLLECTOR: 1 - OAUTH2_CLIENT_ID: miniflux - OAUTH2_OIDC_DISCOVERY_ENDPOINT: https://auth.ktwo.io - OAUTH2_PROVIDER: oidc - OAUTH2_REDIRECT_URL: https://{{ .Release.Name }}.ktwo.io/oauth2/oidc/callback - OAUTH2_USER_CREATION: 1 - POLLING_FREQUENCY: 15 - POLLING_SCHEDULER: entry_frequency - PORT: &port 80 - RUN_MIGRATIONS: 1 - envFrom: *envFrom - probes: - liveness: &probes - enabled: true - custom: true - spec: - httpGet: - path: &path /healthcheck - port: *port - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: *probes - resources: - requests: - cpu: 10m - limits: - memory: 256Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - defaultPodOptions: - securityContext: - runAsNonRoot: true - runAsUser: 568 - runAsGroup: 568 - ingress: - app: - className: internal - annotations: - gatus.io/path: *path - hajimari.io/icon: mdi:rss - hosts: - - host: &host "{{ .Release.Name }}.ktwo.io" - paths: - - 
path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host - service: - app: - controller: *app - ports: - http: - port: 80 - serviceMonitor: - app: - serviceName: *app - endpoints: - - port: http - scheme: http - path: /metrics - interval: 1m - scrapeTimeout: 10s diff --git a/kubernetes/apps/home/miniflux/ks.yaml b/kubernetes/apps/home/miniflux/ks.yaml deleted file mode 100644 index 63f9ca8617..0000000000 --- a/kubernetes/apps/home/miniflux/ks.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app miniflux - namespace: flux-system -spec: - targetNamespace: home - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: cloudnative-pg-cluster - - name: external-secrets-stores - path: ./kubernetes/apps/home/miniflux/app - prune: true - sourceRef: - kind: GitRepository - name: k8s-gitops - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/apps/home/node-red/app/externalsecret.yaml b/kubernetes/apps/home/node-red/app/externalsecret.yaml deleted file mode 100644 index 98a7e292f1..0000000000 --- a/kubernetes/apps/home/node-red/app/externalsecret.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: node-red -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: node-red-secret - creationPolicy: Owner - template: - engineVersion: v2 - data: - NODE_RED_CREDENTIAL_SECRET: "{{ .NODE_RED_CREDENTIAL_SECRET }}" - NODE_RED_OAUTH_CLIENT_SECRET: "{{ .NODE_RED_OAUTH_CLIENT_SECRET }}" - dataFrom: - - extract: - key: node-red diff --git a/kubernetes/apps/home/node-red/app/helmrelease.yaml b/kubernetes/apps/home/node-red/app/helmrelease.yaml deleted file mode 100644 index c727cb37ac..0000000000 --- a/kubernetes/apps/home/node-red/app/helmrelease.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app node-red -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.5.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - node-red: - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: docker.io/nodered/node-red - tag: 4.0.5@sha256:4053e9a39c64ddcf384d0eef616f6d33207a812cdb659dcc852ff7240e9f79fb - env: - NODE_RED_OAUTH_ISSUER_URL: https://auth.ktwo.io - NODE_RED_OAUTH_AUTH_URL: https://auth.ktwo.io/api/oidc/authorization - NODE_RED_OAUTH_CALLBACK_URL: https://nr.ktwo.io/auth/strategy/callback - NODE_RED_OAUTH_TOKEN_URL: http://authelia.security.svc.cluster.local:9091/api/oidc/token - NODE_RED_OAUTH_USER_URL: http://authelia.security.svc.cluster.local:9091/api/oidc/userinfo - TZ: ${TIMEZONE} - envFrom: - - secretRef: - name: node-red-secret - probes: - liveness: - enabled: true - readiness: - enabled: true - resources: - requests: - cpu: 10m - limits: - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - defaultPodOptions: - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - ingress: - app: - className: internal - annotations: - hajimari.io/icon: cib:node-red - hajimari.io/url: https://nr.ktwo.io - hosts: - - host: &host "{{ .Release.Name }}.ktwo.io" - paths: &paths - - path: / - service: - identifier: app - port: http - - host: &customHost nr.ktwo.io - paths: *paths - tls: - - hosts: - - *host - - *customHost - persistence: - data: - existingClaim: *app - settings: - type: configMap - name: node-red-configmap - globalMounts: - - path: /data/settings.js - subPath: settings.js - 
readOnly: true - tmp: - type: emptyDir - service: - app: - controller: *app - ports: - http: - port: 1880 diff --git a/kubernetes/apps/home/node-red/app/kustomization.yaml b/kubernetes/apps/home/node-red/app/kustomization.yaml deleted file mode 100644 index f97b7692b2..0000000000 --- a/kubernetes/apps/home/node-red/app/kustomization.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml - - ./volsync.yaml -configMapGenerator: - - name: node-red-configmap - files: - - ./resources/settings.js -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/home/node-red/app/resources/settings.js b/kubernetes/apps/home/node-red/app/resources/settings.js deleted file mode 100644 index 62a935591a..0000000000 --- a/kubernetes/apps/home/node-red/app/resources/settings.js +++ /dev/null 
@@ -1,85 +0,0 @@ -module.exports = { - flowFile: "flows.json", - credentialSecret: process.env.NODE_RED_CREDENTIAL_SECRET, - flowFilePretty: true, - - adminAuth: { - type: "strategy", - strategy: { - name: "openidconnect", - autoLogin: true, - label: "Sign in", - icon: "fa-cloud", - strategy: require("passport-openidconnect").Strategy, - options: { - issuer: process.env.NODE_RED_OAUTH_ISSUER_URL, - authorizationURL: process.env.NODE_RED_OAUTH_AUTH_URL, - tokenURL: process.env.NODE_RED_OAUTH_TOKEN_URL, - userInfoURL: process.env.NODE_RED_OAUTH_USER_URL, - clientID: "nodered", - clientSecret: process.env.NODE_RED_OAUTH_CLIENT_SECRET, - callbackURL: process.env.NODE_RED_OAUTH_CALLBACK_URL, - scope: ["email", "profile", "openid"], - proxy: true, - verify: function (issuer, profile, done) { - done(null, profile); - }, - }, - }, - users: [{ username: "steven", permissions: ["*"] }], - }, - - uiPort: process.env.PORT || 1880, - - diagnostics: { - enabled: true, - ui: true, - }, - - runtimeState: { - enabled: false, - ui: false, - }, - - logging: { - console: { - level: "info", - metrics: false, - audit: false, - }, - }, - - contextStorage: { - default: { - module: "localfilesystem", - }, - }, - - exportGlobalContextKeys: false, - - externalModules: {}, - - editorTheme: { - tours: false, - - projects: { - enabled: false, - workflow: { - mode: "manual", - }, - }, - - codeEditor: { - lib: "monaco", - options: {}, - }, - }, - - functionExternalModules: true, - functionGlobalContext: {}, - - debugMaxLength: 1000, - - mqttReconnectTime: 15000, - serialReconnectTime: 15000, -}; diff --git a/kubernetes/apps/home/node-red/app/volsync.yaml b/kubernetes/apps/home/node-red/app/volsync.yaml deleted file mode 100644 index 50d1ae0dd8..0000000000 --- a/kubernetes/apps/home/node-red/app/volsync.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: node-red-restic -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: node-red-restic-secret - creationPolicy: Owner - template: - engineVersion: v2 - data: - RESTIC_REPOSITORY: "{{ .REPOSITORY_TEMPLATE }}/node-red" - RESTIC_PASSWORD: "{{ .RESTIC_PASSWORD }}" - AWS_ACCESS_KEY_ID: "{{ .AWS_ACCESS_KEY_ID }}" - AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY }}" - dataFrom: - - extract: - key: volsync-restic-template ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: node-red -spec: - accessModes: ["ReadWriteOnce"] - dataSourceRef: - kind: ReplicationDestination - apiGroup: volsync.backube - name: node-red - resources: - requests: - storage: 1Gi - storageClassName: ceph-block ---- -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationDestination -metadata: - name: node-red -spec: - trigger: - manual: restore-once - restic: - repository: node-red-restic-secret - copyMethod: Snapshot - accessModes: ["ReadWriteOnce"] - storageClassName: ceph-block - volumeSnapshotClassName: csi-ceph-block - cacheAccessModes: ["ReadWriteOnce"] - cacheCapacity: 8Gi - cacheStorageClassName: openebs-hostpath - moverSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - capacity: 1Gi # must match the PersistentVolumeClaim `.resources.requests.storage` size above ---- -apiVersion: volsync.backube/v1alpha1 -kind: ReplicationSource -metadata: - name: node-red -spec: - sourcePVC: node-red - trigger: - schedule: "15 */8 * * *" - restic: - pruneIntervalDays: 7 - repository: node-red-restic-secret - copyMethod: Snapshot - accessModes: ["ReadWriteOnce"] - storageClassName: ceph-block - volumeSnapshotClassName: csi-ceph-block - cacheAccessModes: ["ReadWriteOnce"] - cacheCapacity: 8Gi - cacheStorageClassName: openebs-hostpath - moverSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - retain: - 
hourly: 24 - daily: 7 - weekly: 5 diff --git a/kubernetes/apps/home/node-red/ks.yaml b/kubernetes/apps/home/node-red/ks.yaml deleted file mode 100644 index 8a339e5bc5..0000000000 --- a/kubernetes/apps/home/node-red/ks.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app node-red - namespace: flux-system -spec: - targetNamespace: home - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: volsync - - name: rook-ceph-cluster - - name: external-secrets-stores - path: ./kubernetes/apps/home/node-red/app - prune: true - sourceRef: - kind: GitRepository - name: k8s-gitops - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/apps/kube-system/descheduler/app/helmrelease.yaml b/kubernetes/apps/kube-system/descheduler/app/helmrelease.yaml index 7b7af013ad..8543486546 100644 --- a/kubernetes/apps/kube-system/descheduler/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/descheduler/app/helmrelease.yaml @@ -38,7 +38,7 @@ spec: - name: LowNodeUtilization args: targetThresholds: - pods: 70 + pods: 60 thresholds: pods: 50 - name: RemoveDuplicates diff --git a/kubernetes/apps/monitoring/grafana/app/externalsecret.yaml b/kubernetes/apps/monitoring/grafana/app/externalsecret.yaml index 9e19fc1aa1..96a542f9ed 100644 --- a/kubernetes/apps/monitoring/grafana/app/externalsecret.yaml +++ b/kubernetes/apps/monitoring/grafana/app/externalsecret.yaml 
@@ -13,25 +13,8 @@ spec: template: engineVersion: v2 data: - # Grafana Admin admin-user: "{{ .GRAFANA_ADMIN_USER }}" admin-password: "{{ .GRAFANA_ADMIN_PASS }}" - # Grafana - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}" - GF_DATABASE_NAME: &dbName grafana - GF_DATABASE_HOST: postgres-rw.databases.svc.cluster.local:5432 - GF_DATABASE_USER: &dbUser "{{ .GRAFANA_DATABASE_USER }}" - GF_DATABASE_PASSWORD: &dbPass "{{ .GRAFANA_DATABASE_PASSWORD }}" - GF_DATABASE_SSL_MODE: disable - GF_DATABASE_TYPE: postgres - # Postgres Init - INIT_POSTGRES_DBNAME: *dbName - INIT_POSTGRES_HOST: postgres-rw.databases.svc.cluster.local - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: grafana diff --git a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml index 05332ffe07..698eacd616 100644 --- a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml 
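Review bot: Dropping `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"` from the rendered secret does not retire the `grafana` OIDC client itself; the Authelia client registration and the vault item are not in this diff, and if they stay, a confidential client with a still-valid secret remains registered with nothing using it. Remove (or at least rotate) that client in the provider configuration and delete the `GRAFANA_OAUTH_CLIENT_SECRET` item so the orphaned credential cannot be reused. After this hunk the template renders only `admin-user` / `admin-password`, which becomes the sole login path for Grafana; that is worth stating explicitly in the commit message. Dropping the `cloudnative-pg` extract is a good least-privilege change, since `POSTGRES_SUPER_PASS` is no longer copied into a secret in the monitoring namespace.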
@@ -22,71 +22,28 @@ spec: strategy: rollback retries: 3 values: - extraInitContainers: - - name: init-db - image: ghcr.io/buroa/postgres-init:16 - envFrom: - - secretRef: - name: &secret grafana-secret - replicas: 3 + deploymentStrategy: + type: Recreate + admin: + existingSecret: grafana-secret env: - GF_AUTH_GENERIC_OAUTH_TOKEN_URL: http://authelia.security.svc.cluster.local:9091/api/oidc/token - GF_AUTH_GENERIC_OAUTH_API_URL: http://authelia.security.svc.cluster.local:9091/api/oidc/userinfo - GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.ktwo.io/api/oidc/authorization - GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana GF_DATE_FORMATS_USE_BROWSER_LOCALE: true GF_EXPLORE_ENABLED: true - GF_FEATURE_TOGGLES_ENABLE: publicDashboards - GF_LOG_MODE: console - GF_NEWS_NEWS_FEED_ENABLED: false - GF_PANELS_DISABLE_SANITIZE_HTML: true GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel - GF_SECURITY_ANGULAR_SUPPORT_ENABLED: true # Ref: https://grafana.com/docs/grafana/latest/developers/angular_deprecation - GF_SECURITY_COOKIE_SAMESITE: grafana + GF_SECURITY_ANGULAR_SUPPORT_ENABLED: true GF_SERVER_ROOT_URL: https://{{ .Release.Name }}.ktwo.io - envFromSecrets: - - name: *secret grafana.ini: analytics: check_for_updates: false check_for_plugin_updates: false reporting_enabled: false - auth: - oauth_auto_login: true - oauth_allow_insecure_email_lookup: true # Ref: https://github.com/grafana/grafana/issues/70203 - signout_redirect_url: https://auth.ktwo.io/logout - auth.basic: - enabled: true auth.anonymous: - enabled: false - auth.generic_oauth: enabled: true - name: Authelia - icon: signin - scopes: openid profile email groups - empty_scopes: false - login_attribute_path: preferred_username - groups_attribute_path: groups - name_attribute_path: name - use_pkce: true - auth.generic_oauth.group_mapping: org_id: 1 - role_attribute_path: | - contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'people') && 'Viewer' - admin: - 
existingSecret: *secret - dashboardProviders: - dashboardproviders.yaml: - apiVersion: 1 - providers: - - name: default - orgId: 1 - folder: "" - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/default + org_name: Main Org. + org_role: Viewer + news: + news_feed_enabled: false datasources: datasources.yaml: apiVersion: 1 @@ -106,17 +63,29 @@ spec: type: loki uid: loki access: proxy - url: http://loki-gateway.monitoring.svc.cluster.local + url: http://loki-headless.monitoring.svc.cluster.local:3100 jsonData: maxLines: 250 - name: Prometheus type: prometheus uid: prometheus access: proxy - url: http://thanos-query-frontend.monitoring.svc.cluster.local:10902 + url: http://prometheus-operated.monitoring.svc.cluster.local:9090 jsonData: - prometheusType: Thanos + timeInterval: 1m isDefault: true + dashboardProviders: + dashboardproviders.yaml: + apiVersion: 1 + providers: + - name: default + orgId: 1 + folder: "" + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/default dashboards: default: apc-ups: @@ -156,9 +125,6 @@ spec: datasource: - name: DS_PROMETHEUS value: Prometheus - dragonfly: - url: https://raw.githubusercontent.com/dragonflydb/dragonfly/main/tools/local/monitoring/grafana/provisioning/dashboards/dashboard.json - datasource: Prometheus emqx-authentication: url: https://raw.githubusercontent.com/emqx/emqx-exporter/main/grafana-dashboard/template/emqx-5/authentication.json datasource: Prometheus 
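Review bot: The new `auth.anonymous: enabled: true` with `org_role: Viewer` replaces the removed OIDC login, so every dashboard and every datasource proxied through Grafana (the Prometheus and Loki datasources defined in this file) becomes readable by anyone who can reach `GF_SERVER_ROOT_URL` without authenticating; the ingress is not in this hunk, so whether that hostname is reachable beyond the LAN cannot be confirmed here. Unless the ingress is restricted or fronted by forward-auth, keep anonymous access off — `auth.anonymous:` / `  enabled: false` — and rely on the admin credentials from `grafana-secret`, or confine anonymous viewers to a dedicated read-only org. `GF_SECURITY_ANGULAR_SUPPORT_ENABLED: true` and the unsigned-plugin allow list are retained, and with unauthenticated viewers those widen the client-side attack surface, so the dropped `# Ref: …/angular_deprecation` comment was worth keeping as a reminder to retire them. Removing `GF_PANELS_DISABLE_SANITIZE_HTML: true` is a good change.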
@@ -294,33 +260,6 @@ spec: datasource: - name: DS_PROMETHEUS value: Prometheus - thanos-bucket-replicate: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/bucket-replicate.json - datasource: Prometheus - thanos-compact: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/compact.json - datasource: Prometheus - thanos-overview: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/overview.json - datasource: Prometheus - thanos-query: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query.json - datasource: Prometheus - thanos-query-frontend: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query-frontend.json - datasource: Prometheus - thanos-receieve: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/receive.json - datasource: Prometheus - thanos-rule: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/rule.json - datasource: Prometheus - thanos-sidecar: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/sidecar.json - datasource: Prometheus - thanos-store: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/store.json - datasource: Prometheus unifi-insights: # renovate: depName="UniFi-Poller: Client Insights - Prometheus" gnetId: 11315 diff --git a/kubernetes/apps/monitoring/grafana/ks.yaml b/kubernetes/apps/monitoring/grafana/ks.yaml index e4c072ad15..d453fedae6 100644 --- a/kubernetes/apps/monitoring/grafana/ks.yaml +++ b/kubernetes/apps/monitoring/grafana/ks.yaml 
@@ -10,7 +10,6 @@ spec: labels: app.kubernetes.io/name: *app dependsOn: - - name: cloudnative-pg-cluster - name: external-secrets-stores path: ./kubernetes/apps/monitoring/grafana/app prune: true diff --git a/kubernetes/apps/monitoring/kromgo/app/helmrelease.yaml b/kubernetes/apps/monitoring/kromgo/app/helmrelease.yaml index d7e6e776a1..64247e2dc1 100644 --- a/kubernetes/apps/monitoring/kromgo/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/kromgo/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: repository: ghcr.io/kashalls/kromgo tag: v0.4.2@sha256:89eab1c6604d8ef79fb0e7340620d6559ef296cc469c4eabf22598bbaf93ff42 env: - PROMETHEUS_URL: http://thanos-query-frontend.monitoring.svc.cluster.local:10902 + PROMETHEUS_URL: http://prometheus-operated.monitoring.svc.cluster.local:9090 HEALTH_PORT: &healthPort 8888 SERVER_PORT: &port 8080 probes: diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml index 92e0343d39..fab5d5bc09 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml @@ -42,14 +42,13 @@ spec: - hosts: - *host alertmanagerSpec: - replicas: 3 useExistingSecret: true configSecret: alertmanager-secret externalUrl: https://am.ktwo.io storage: volumeClaimTemplate: spec: - storageClassName: openebs-hostpath + storageClassName: ceph-block resources: requests: storage: 1Gi @@ -84,16 +83,8 @@ spec: tls: - hosts: - *host - thanosService: - enabled: true - thanosServiceMonitor: - enabled: true prometheusSpec: - podMetadata: - annotations: - secret.reloader.stakater.com/reload: &secret thanos-objstore-config - replicas: 3 - replicaExternalLabelName: __replica__ + scrapeInterval: 1m # Must match interval in Grafana Helm chart ruleSelectorNilUsesHelmValues: false serviceMonitorSelectorNilUsesHelmValues: false podMonitorSelectorNilUsesHelmValues: false 
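Review bot: Changing `storageClassName` inside `alertmanagerSpec.storage.volumeClaimTemplate` does not migrate the existing volume: `volumeClaimTemplates` is immutable on a StatefulSet, and even where prometheus-operator recreates the StatefulSet for you, the already-bound `alertmanager-…-db-…-0` PVC keeps its `openebs-hostpath` class, so `ceph-block` only takes effect once that PVC is deleted (silences and the notification log live on it). Dropping `replicas: 3` also leaves a single Alertmanager, so losing its node suspends alert delivery until the pod reschedules — acceptable for a homelab, but it should be stated in the commit message rather than left implicit. A one-line comment would save the next person a surprise: `# storageClassName change requires deleting the existing alertmanager PVC (silences are lost)`.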
@@ -106,15 +97,8 @@ spec: - memory-snapshot-on-shutdown - new-service-discovery-manager externalUrl: https://prometheus.ktwo.io - thanos: - image: quay.io/thanos/thanos:${THANOS_VERSION} - version: ${THANOS_VERSION#v} - objectStorageConfig: - existingSecret: - name: *secret - key: config - retention: 2d - retentionSize: 15GB + retention: 14d + retentionSize: 50GB resources: requests: cpu: 100m @@ -123,10 +107,10 @@ spec: storageSpec: volumeClaimTemplate: spec: - storageClassName: openebs-hostpath + storageClassName: ceph-block resources: requests: - storage: 20Gi + storage: 50Gi prometheus-node-exporter: fullnameOverride: node-exporter prometheus: &prometheus @@ -150,3 +134,24 @@ spec: grafana: enabled: false forceDeployDashboards: true + additionalPrometheusRulesMap: + dockerhub-rules: + groups: + - name: dockerhub + rules: + - alert: DockerhubRateLimitRisk + annotations: + summary: Kubernetes cluster Dockerhub rate limit risk + expr: count(time() - container_last_seen{image=~"(docker.io).*",container!=""} < 30) > 100 + labels: + severity: critical + oom-rules: + groups: + - name: oom + rules: + - alert: OomKilled + annotations: + summary: Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has been OOMKilled {{ $value }} times in the last 10 minutes. + expr: (kube_pod_container_status_restarts_total - kube_pod_container_status_restarts_total offset 10m >= 1) and ignoring (reason) min_over_time(kube_pod_container_status_last_terminated_reason{reason="OOMKilled"}[10m]) == 1 + labels: + severity: critical diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml index f3f0c8c8f5..276090530f 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml 
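Review bot: `retentionSize: 50GB` is equal to the new `storage: 50Gi` claim, because Prometheus parses `--storage.tsdb.retention.size` with power-of-two units (`50GB` there means 50 GiB), so size-based retention only starts deleting blocks when the volume is already full and compaction has no scratch space left. Leave 10–15% headroom: `retentionSize: 45GB` with the 50Gi claim, or raise the claim to 60Gi and keep 50GB. With `retention: 14d` alongside it, whichever limit is hit first wins; document that next to the values, e.g. `# retentionSize must stay below the PVC size (both are base-2 units)`.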
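Review bot: In the new `DockerhubRateLimitRisk` rule the matcher `image=~"(docker.io).*"` leaves the dot unescaped and has no trailing slash, so it also matches any image reference beginning `docker<any char>io…`; PromQL regexes are fully anchored, so `image=~"docker\\.io/.*"` is the precise form. The `OomKilled` expression reads correctly (a restart delta over 10m gated on the last termination reason being OOMKilled throughout the window), but the summary presents `{{ $value }}` as the number of OOM kills when it is the total restart count in that window, which can include non-OOM restarts; rephrase to `has restarted {{ $value }} times in the last 10 minutes (last termination reason: OOMKilled)`. A `for:` duration on both rules would also avoid paging on a single scrape.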
@@ -10,7 +10,7 @@ spec: labels: app.kubernetes.io/name: *app dependsOn: - - name: openebs + - name: rook-ceph-cluster - name: external-secrets-stores path: ./kubernetes/apps/monitoring/kube-prometheus-stack/app prune: true @@ -21,10 +21,6 @@ spec: interval: 30m retryInterval: 1m timeout: 15m - postBuild: - substitute: - # renovate: depName=quay.io/thanos/thanos datasource=docker - THANOS_VERSION: v0.37.0 --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization diff --git a/kubernetes/apps/monitoring/kustomization.yaml b/kubernetes/apps/monitoring/kustomization.yaml index e495bc9596..2cf5c5cb08 100644 --- a/kubernetes/apps/monitoring/kustomization.yaml +++ b/kubernetes/apps/monitoring/kustomization.yaml @@ -7,9 +7,8 @@ resources: - ./grafana/ks.yaml - ./karma/ks.yaml - ./kromgo/ks.yaml + - ./kube-prometheus-stack/ks.yaml - ./loki/ks.yaml - - ./thanos/ks.yaml + - ./promtail/ks.yaml - ./unpoller/ks.yaml - - ./kube-prometheus-stack/ks.yaml - - ./vector/ks.yaml - ./exporters diff --git a/kubernetes/apps/monitoring/loki/app/helmrelease.yaml b/kubernetes/apps/monitoring/loki/app/helmrelease.yaml index 95bbe7c651..9f7b19d8fd 100644 --- a/kubernetes/apps/monitoring/loki/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/loki/app/helmrelease.yaml 
@@ -25,80 +25,56 @@ spec: strategy: rollback retries: 3 values: - deploymentMode: SimpleScalable + deploymentMode: SingleBinary loki: - podAnnotations: - configmap.reloader.stakater.com/reload: &cephBucket loki-ceph-bucket - secret.reloader.stakater.com/reload: *cephBucket + auth_enabled: false + analytics: + reporting_enabled: false + server: + log_level: info + commonConfig: + replication_factor: 1 + compactor: + working_directory: /var/loki/compactor/retention + delete_request_store: filesystem + retention_enabled: true ingester: chunk_encoding: snappy storage: - type: s3 - s3: - s3ForcePathStyle: true - insecure: true + type: filesystem schemaConfig: configs: - from: "2024-04-01" # quote store: tsdb - object_store: s3 + object_store: filesystem schema: v13 index: prefix: loki_index_ period: 24h - structuredConfig: - auth_enabled: false - server: - log_level: info - http_listen_port: 3100 - grpc_listen_port: 9095 - grpc_server_max_recv_msg_size: 8388608 - grpc_server_max_send_msg_size: 8388608 - limits_config: - ingestion_burst_size_mb: 128 - ingestion_rate_mb: 64 - max_query_parallelism: 100 - per_stream_rate_limit: 64M - per_stream_rate_limit_burst: 128M - reject_old_samples: true - reject_old_samples_max_age: 168h - retention_period: 30d - shard_streams: - enabled: true - split_queries_by_interval: 1h - query_scheduler: - max_outstanding_requests_per_tenant: 4096 - frontend: - max_outstanding_per_tenant: 4096 - ruler: - enable_api: true - enable_alertmanager_v2: true - alertmanager_url: http://alertmanager-operated.monitoring.svc.cluster.local:9093 - storage: - type: local - local: - directory: /rules - rule_path: /rules/fake - analytics: - reporting_enabled: false - backend: - replicas: 3 + limits_config: + retention_period: 14d + singleBinary: + replicas: 1 persistence: - size: 20Gi - storageClass: openebs-hostpath + enabled: true + storageClass: ceph-block + size: 50Gi gateway: - replicas: 3 - image: - registry: ghcr.io + replicas: 0 + backend: + replicas: 
0 read: - replicas: 3 + replicas: 0 write: - replicas: 3 - persistence: - size: 20Gi - storageClass: openebs-hostpath + replicas: 0 + chunksCache: + enabled: false + resultsCache: + enabled: false lokiCanary: enabled: false + test: + enabled: false sidecar: image: repository: ghcr.io/kiwigrid/k8s-sidecar @@ -106,26 +82,3 @@ spec: rules: searchNamespace: ALL folder: /rules/fake - test: - enabled: false - valuesFrom: - - kind: ConfigMap - targetPath: loki.storage.bucketNames.chunks - name: *cephBucket - valuesKey: BUCKET_NAME - - kind: ConfigMap - targetPath: loki.storage.s3.endpoint - name: *cephBucket - valuesKey: BUCKET_HOST - - kind: ConfigMap - targetPath: loki.storage.s3.region - name: *cephBucket - valuesKey: BUCKET_REGION - - kind: Secret - targetPath: loki.storage.s3.accessKeyId - name: *cephBucket - valuesKey: AWS_ACCESS_KEY_ID - - kind: Secret - targetPath: loki.storage.s3.secretAccessKey - name: *cephBucket - valuesKey: AWS_SECRET_ACCESS_KEY diff --git a/kubernetes/apps/monitoring/loki/app/kustomization.yaml b/kubernetes/apps/monitoring/loki/app/kustomization.yaml index d3c7d0dc2b..5dd7baca73 100644 --- a/kubernetes/apps/monitoring/loki/app/kustomization.yaml +++ b/kubernetes/apps/monitoring/loki/app/kustomization.yaml @@ -3,4 +3,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml - - ./objectbucketclaim.yaml diff --git a/kubernetes/apps/monitoring/loki/app/objectbucketclaim.yaml b/kubernetes/apps/monitoring/loki/app/objectbucketclaim.yaml deleted file mode 100644 index 85f0d78975..0000000000 --- a/kubernetes/apps/monitoring/loki/app/objectbucketclaim.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: objectbucket.io/v1alpha1 -kind: ObjectBucketClaim -metadata: - name: loki-ceph-bucket -spec: - bucketName: loki - storageClassName: ceph-bucket diff --git a/kubernetes/apps/monitoring/loki/ks.yaml b/kubernetes/apps/monitoring/loki/ks.yaml index fcdeb58954..f507ea0569 100644 
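Review bot: The `ruler` block that told Loki to evaluate rules from `/rules` (`rule_path: /rules/fake`, `enable_api: true`, `alertmanager_url: http://alertmanager-operated…`) is removed in the first hunk and nothing under the new `loki:` mapping replaces it, yet the second hunk keeps the sidecar configured to load rule ConfigMaps into `folder: /rules/fake`; presumably those rules will still be mounted but no longer evaluated or forwarded to Alertmanager. Either re-add a `ruler:` section under `loki:` pointing at the sidecar directory, or drop the `sidecar.rules` block so the dead mount does not mislead. The old `limits_config` ingestion caps and `reject_old_samples` settings are also gone and the new `limits_config` keeps only `retention_period: 14d`, which is fine if chart defaults are intended, but a comment saying so would help. The HelmRelease `spec` mapping starts before the hunk.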
--- a/kubernetes/apps/monitoring/loki/ks.yaml +++ b/kubernetes/apps/monitoring/loki/ks.yaml @@ -10,7 +10,6 @@ spec: labels: app.kubernetes.io/name: *app dependsOn: - - name: openebs - name: rook-ceph-cluster path: ./kubernetes/apps/monitoring/loki/app prune: true diff --git a/kubernetes/apps/monitoring/promtail/app/helmrelease.yaml b/kubernetes/apps/monitoring/promtail/app/helmrelease.yaml new file mode 100644 index 0000000000..f24316a5c8 --- /dev/null +++ b/kubernetes/apps/monitoring/promtail/app/helmrelease.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: promtail +spec: + interval: 30m + chart: + spec: + chart: promtail + version: 6.16.6 + sourceRef: + kind: HelmRepository + name: grafana + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + fullnameOverride: promtail + config: + clients: + - url: http://loki-headless.monitoring.svc.cluster.local:3100/loki/api/v1/push + serviceMonitor: + enabled: true diff --git a/kubernetes/apps/home/miniflux/app/kustomization.yaml b/kubernetes/apps/monitoring/promtail/app/kustomization.yaml similarity index 79% rename from kubernetes/apps/home/miniflux/app/kustomization.yaml rename to kubernetes/apps/monitoring/promtail/app/kustomization.yaml index 2708f09eed..5dd7baca73 100644 --- a/kubernetes/apps/home/miniflux/app/kustomization.yaml +++ b/kubernetes/apps/monitoring/promtail/app/kustomization.yaml @@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/security/glauth/ks.yaml b/kubernetes/apps/monitoring/promtail/ks.yaml similarity index 68% rename from kubernetes/apps/security/glauth/ks.yaml rename to kubernetes/apps/monitoring/promtail/ks.yaml index 2ba21643fd..a49d5658a5 100644 --- a/kubernetes/apps/security/glauth/ks.yaml +++ b/kubernetes/apps/monitoring/promtail/ks.yaml 
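Review bot: The new promtail HelmRelease sets no `resources` for a DaemonSet that will run on every node, and its `upgrade.remediation` omits `strategy: rollback` that the sibling Loki release in this commit declares; Flux's default strategy is rollback, so the second is only a consistency point, but an explicit `requests`/`limits` block under `values:` is worth adding before this ships. The push target `http://loki-headless.monitoring.svc.cluster.local:3100/loki/api/v1/push` is the chart's headless service, presumably chosen because the Loki gateway is scaled to 0 in this commit; a comment above `clients:` recording that dependency would save the next reader a lookup.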
@@ -2,16 +2,14 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app glauth + name: &app promtail namespace: flux-system spec: - targetNamespace: security + targetNamespace: monitoring commonMetadata: labels: app.kubernetes.io/name: *app - dependsOn: - - name: external-secrets-stores - path: ./kubernetes/apps/security/glauth/app + path: ./kubernetes/apps/monitoring/promtail/app prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml b/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml deleted file mode 100644 index b6d573a053..0000000000 --- a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml +++ /dev/null 
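Review bot: The renamed Kustomization drops the old glauth `dependsOn` but does not declare one on Loki, whereas the vector Kustomizations deleted by this commit declared `dependsOn: - name: loki`; without it Flux may reconcile promtail before Loki exists, and while promtail retries pushes the ordering becomes implicit rather than stated. Adding `dependsOn:` / `  - name: loki` under `spec:` keeps the monitoring stack's ordering consistent with the rest of the tree. The remainder of the `spec` mapping is outside the hunk.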
@@ -1,128 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: thanos -spec: - interval: 30m - timeout: 15m - chart: - spec: - chart: thanos - version: 1.19.0 - sourceRef: - kind: HelmRepository - name: stevehipwell - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - objstoreConfig: - value: - type: s3 - config: - insecure: true - additionalEndpoints: - - dnssrv+_grpc._tcp.kube-prometheus-stack-thanos-discovery.monitoring.svc.cluster.local - additionalReplicaLabels: - - __replica__ - serviceMonitor: - enabled: true - compact: - enabled: true - extraArgs: - - --compact.concurrency=4 - - --delete-delay=30m - - --retention.resolution-raw=14d - - --retention.resolution-5m=30d - - --retention.resolution-1h=60d - persistence: &persistence - enabled: true - storageClass: openebs-hostpath - size: 15Gi - query: - replicas: 3 - extraArgs: - - --alert.query-url=https://thanos.ktwo.io - queryFrontend: - enabled: true - replicas: 3 - extraArgs: - - --query-range.response-cache-config=$(THANOS_CACHE_CONFIG) - extraEnv: &extraEnv - - name: THANOS_CACHE_CONFIG - valueFrom: - configMapKeyRef: - name: &configMap thanos-cache-configmap - key: cache.yaml - ingress: - enabled: true - ingressClassName: internal - annotations: - hajimari.io/appName: Thanos - hajimari.io/icon: material-symbols:health-metrics - hosts: - - &host thanos.ktwo.io - tls: - - hosts: - - *host - podAnnotations: &podAnnotations - configmap.reloader.stakater.com/reload: *configMap - rule: - enabled: true - replicas: 3 - extraArgs: - - --web.prefix-header=X-Forwarded-Prefix - alertmanagersConfig: - value: |- - alertmanagers: - - api_version: v2 - static_configs: - - dnssrv+_http-web._tcp.alertmanager-operated.monitoring.svc.cluster.local - rules: - value: |- - groups: - - name: PrometheusWatcher - rules: - - alert: PrometheusDown - annotations: - summary: A Prometheus has 
disappeared from Prometheus target discovery - expr: absent(up{job="kube-prometheus-stack-prometheus"}) - for: 5m - labels: - severity: critical - persistence: *persistence - storeGateway: - replicas: 3 - extraArgs: - - --index-cache.config=$(THANOS_CACHE_CONFIG) - extraEnv: *extraEnv - persistence: *persistence - podAnnotations: *podAnnotations - valuesFrom: - - kind: ConfigMap - targetPath: objstoreConfig.value.config.bucket - name: thanos-ceph-bucket - valuesKey: BUCKET_NAME - - kind: ConfigMap - targetPath: objstoreConfig.value.config.endpoint - name: thanos-ceph-bucket - valuesKey: BUCKET_HOST - - kind: ConfigMap - targetPath: objstoreConfig.value.config.region - name: thanos-ceph-bucket - valuesKey: BUCKET_REGION - - kind: Secret - targetPath: objstoreConfig.value.config.access_key - name: thanos-ceph-bucket - valuesKey: AWS_ACCESS_KEY_ID - - kind: Secret - targetPath: objstoreConfig.value.config.secret_key - name: thanos-ceph-bucket - valuesKey: AWS_SECRET_ACCESS_KEY diff --git a/kubernetes/apps/monitoring/thanos/app/kustomization.yaml b/kubernetes/apps/monitoring/thanos/app/kustomization.yaml deleted file mode 100644 index 0944670ae1..0000000000 --- a/kubernetes/apps/monitoring/thanos/app/kustomization.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./objectbucketclaim.yaml -configMapGenerator: - - name: thanos-cache-configmap - files: - - ./resources/cache.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/monitoring/thanos/app/objectbucketclaim.yaml b/kubernetes/apps/monitoring/thanos/app/objectbucketclaim.yaml deleted file mode 100644 index 32a75cd2e1..0000000000 --- a/kubernetes/apps/monitoring/thanos/app/objectbucketclaim.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: objectbucket.io/v1alpha1 -kind: ObjectBucketClaim -metadata: - name: thanos-ceph-bucket -spec: - bucketName: thanos - storageClassName: ceph-bucket 
diff --git a/kubernetes/apps/monitoring/thanos/app/resources/cache.yaml b/kubernetes/apps/monitoring/thanos/app/resources/cache.yaml deleted file mode 100644 index a93426c4d6..0000000000 --- a/kubernetes/apps/monitoring/thanos/app/resources/cache.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -type: REDIS -config: - addr: dragonfly.databases.svc.cluster.local:6379 - db: 1 diff --git a/kubernetes/apps/monitoring/thanos/ks.yaml b/kubernetes/apps/monitoring/thanos/ks.yaml deleted file mode 100644 index 1fddefc689..0000000000 --- a/kubernetes/apps/monitoring/thanos/ks.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app thanos - namespace: flux-system -spec: - targetNamespace: monitoring - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: openebs - - name: dragonfly-cluster - - name: rook-ceph-cluster - path: ./kubernetes/apps/monitoring/thanos/app - prune: true - sourceRef: - kind: GitRepository - name: k8s-gitops - wait: true - interval: 30m - retryInterval: 1m - timeout: 15m diff --git a/kubernetes/apps/monitoring/vector/agent/helmrelease.yaml b/kubernetes/apps/monitoring/vector/agent/helmrelease.yaml deleted file mode 100644 index f820bced4c..0000000000 --- a/kubernetes/apps/monitoring/vector/agent/helmrelease.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app vector-agent -spec: - interval: 30m - timeout: 15m - chart: - spec: - chart: app-template - version: 3.5.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - vector-agent: - type: daemonset - strategy: RollingUpdate - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: docker.io/timberio/vector - tag: 0.43.0-debian@sha256:034947f8b7ea3c974ccec3481da6005dc67291c0b7c0fbf7df6275abe32d9cca - args: - - --config - - /etc/vector/vector.yaml - env: - PROCFS_ROOT: /host/proc - SYSFS_ROOT: /host/sys - VECTOR_SELF_NODE_NAME: - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - VECTOR_SELF_POD_NAME: - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - VECTOR_SELF_POD_NAMESPACE: - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - securityContext: - privileged: true - persistence: - config: - type: configMap - name: vector-agent-configmap - globalMounts: - - path: /etc/vector/vector.yaml - subPath: vector.yaml - readOnly: true - data: - type: emptyDir - globalMounts: - - path: /vector-data-dir - procfs: - type: hostPath - hostPath: /proc - hostPathType: Directory - globalMounts: - - path: /host/proc - readOnly: true - sysfs: - type: hostPath - hostPath: /sys - hostPathType: Directory - globalMounts: - - path: /host/sys - readOnly: true - var-log: - type: hostPath - hostPath: /var/log - hostPathType: Directory - globalMounts: - - readOnly: true - var-lib: - type: hostPath - hostPath: /var/lib - hostPathType: Directory - globalMounts: - - readOnly: true - serviceAccount: - create: true - name: *app 
diff --git a/kubernetes/apps/monitoring/vector/agent/kustomization.yaml b/kubernetes/apps/monitoring/vector/agent/kustomization.yaml deleted file mode 100644 index 60f68e95ca..0000000000 --- a/kubernetes/apps/monitoring/vector/agent/kustomization.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./rbac.yaml -configMapGenerator: - - name: vector-agent-configmap - files: - - ./resources/vector.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/monitoring/vector/agent/rbac.yaml b/kubernetes/apps/monitoring/vector/agent/rbac.yaml deleted file mode 100644 index 5d8a2039f7..0000000000 --- a/kubernetes/apps/monitoring/vector/agent/rbac.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: vector-agent -rules: - - apiGroups: [""] - resources: ["namespaces", "nodes", "pods"] - verbs: ["list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vector-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: vector-agent -subjects: - - kind: ServiceAccount - name: vector-agent - namespace: monitoring diff --git a/kubernetes/apps/monitoring/vector/agent/resources/vector.yaml b/kubernetes/apps/monitoring/vector/agent/resources/vector.yaml deleted file mode 100644 index af28e22b28..0000000000 --- a/kubernetes/apps/monitoring/vector/agent/resources/vector.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -data_dir: /vector-data-dir - -sources: - kubernetes_logs: - type: kubernetes_logs - use_apiserver_cache: true - pod_annotation_fields: - container_image: container_image - container_name: container_name - pod_annotations: pod_annotations - pod_labels: pod_labels - pod_name: pod_name - -sinks: - kubernetes: - type: vector - inputs: - - kubernetes_logs - address: vector-aggregator.monitoring.svc.cluster.local:6000 - compression: true - version: "2" diff --git a/kubernetes/apps/monitoring/vector/aggregator/helmrelease.yaml b/kubernetes/apps/monitoring/vector/aggregator/helmrelease.yaml deleted file mode 100644 index ee3867cd08..0000000000 --- a/kubernetes/apps/monitoring/vector/aggregator/helmrelease.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app vector-aggregator -spec: - interval: 30m - timeout: 15m - chart: - spec: - chart: app-template - version: 3.5.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - vector-aggregator: - replicas: 2 - strategy: RollingUpdate - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: docker.io/timberio/vector - tag: 0.43.0-debian@sha256:034947f8b7ea3c974ccec3481da6005dc67291c0b7c0fbf7df6275abe32d9cca - args: - - --config - - /etc/vector/vector.yaml - probes: - liveness: &probes - enabled: true - custom: true - spec: - httpGet: - path: /health - port: &port 8686 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: *probes - persistence: - config: - type: configMap - name: vector-aggregator-configmap - globalMounts: - - path: /etc/vector/vector.yaml - subPath: vector.yaml - readOnly: true - data: - type: emptyDir - globalMounts: - - path: /vector-data-dir - service: - app: - controller: *app - type: LoadBalancer - annotations: - external-dns.alpha.kubernetes.io/hostname: vector.ktwo.io - lbipam.cilium.io/ips: ${NET_SERVICES_VECTOR_IP} - ports: - http: - port: *port - kubernetes: - port: 6000 - taloskernel: - port: 6001 - protocol: UDP - talosservice: - port: 6002 - protocol: UDP - unifikernel: - port: 6003 - protocol: UDP - serviceAccount: - create: true - name: *app diff --git a/kubernetes/apps/monitoring/vector/aggregator/kustomization.yaml b/kubernetes/apps/monitoring/vector/aggregator/kustomization.yaml deleted file mode 100644 index f01d9ffd0c..0000000000 --- a/kubernetes/apps/monitoring/vector/aggregator/kustomization.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml -configMapGenerator: - - name: vector-aggregator-configmap - files: - - ./resources/vector.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/monitoring/vector/aggregator/resources/vector.yaml b/kubernetes/apps/monitoring/vector/aggregator/resources/vector.yaml deleted file mode 100644 index c29048c52b..0000000000 --- a/kubernetes/apps/monitoring/vector/aggregator/resources/vector.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ ---- -data_dir: /vector-data-dir - -api: - enabled: true - address: 0.0.0.0:8686 - -sources: - kubernetes_logs: - address: 0.0.0.0:6000 - type: vector - version: "2" - - talos_kernel_logs: - address: 0.0.0.0:6001 - type: socket - mode: udp - max_length: 102400 - decoding: - codec: json - host_key: __host - - talos_service_logs: - address: 0.0.0.0:6002 - type: socket - mode: udp - max_length: 102400 - decoding: - codec: json - host_key: __host - - unifi_kernel_logs: - address: 0.0.0.0:6003 - type: syslog - mode: udp - max_length: 102400 - -transforms: - kubernetes_transform: - type: remap - inputs: - - kubernetes_logs - source: |- - .custom_app_name = .pod_labels."app.kubernetes.io/name" || .pod_labels.app || .pod_labels."k8s-app" || "unknown" - - talos_kernel_transform: - type: remap - inputs: - - talos_kernel_logs - source: |- - r1 = replace!(.__host, "192.168.10.10", "m0") - r2 = replace(r1, "192.168.10.11", "m1") - r3 = replace(r2, "192.168.10.12", "m2") - .node = r3 - - talos_service_transform: - type: remap - inputs: - - talos_service_logs - source: |- - r1 = replace!(.__host, "192.168.10.10", "m0") - r2 = replace(r1, "192.168.10.11", "m1") - r3 = replace(r2, "192.168.10.12", "m2") - .node = r3 - - unifi_kernel_transform: - type: remap - inputs: - - unifi_kernel_logs - source: |- - .timestamp = now() - -sinks: - kubernetes: - type: loki - inputs: - - kubernetes_transform - endpoint: http://loki-gateway.monitoring.svc.cluster.local - encoding: - codec: json - batch: - max_bytes: 524288 - out_of_order_action: rewrite_timestamp - remove_label_fields: true - remove_timestamp: true - labels: - app: "{{ custom_app_name }}" - container: "{{ container_name }}" - namespace: "{{ kubernetes.pod_namespace }}" - node: "{{ kubernetes.pod_node_name }}" - - talos_kernel: - type: loki - inputs: - - talos_kernel_transform - endpoint: http://loki-gateway.monitoring.svc.cluster.local - encoding: - codec: json - except_fields: - - __host - batch: - max_bytes: 
524288 - out_of_order_action: rewrite_timestamp - labels: - node: "{{ node }}" - facility: "{{ facility }}" - namespace: "talos:kernel" - - talos_service: - type: loki - inputs: - - talos_service_transform - endpoint: http://loki-gateway.monitoring.svc.cluster.local - encoding: - codec: json - except_fields: - - __host - batch: - max_bytes: 524288 - out_of_order_action: rewrite_timestamp - labels: - node: "{{ node }}" - talos_service: '{{ "talos-service" }}' - namespace: "talos:service" - - unifi_kernel: - type: loki - inputs: - - unifi_kernel_transform - endpoint: http://loki-gateway.monitoring.svc.cluster.local - encoding: - codec: json - batch: - max_bytes: 524288 - out_of_order_action: rewrite_timestamp - labels: - node: "{{ host }}" - facility: "{{ facility }}" - namespace: "unifi:kernel" diff --git a/kubernetes/apps/monitoring/vector/ks.yaml b/kubernetes/apps/monitoring/vector/ks.yaml deleted file mode 100644 index b98786301e..0000000000 --- a/kubernetes/apps/monitoring/vector/ks.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app vector-aggregator - namespace: flux-system -spec: - targetNamespace: monitoring - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: loki - path: ./kubernetes/apps/monitoring/vector/aggregator - prune: true - sourceRef: - kind: GitRepository - name: k8s-gitops - wait: true - interval: 30m - retryInterval: 1m - timeout: 15m ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app vector-agent - namespace: flux-system -spec: - targetNamespace: monitoring - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: vector-aggregator - path: ./kubernetes/apps/monitoring/vector/agent - prune: true - sourceRef: - kind: GitRepository - name: k8s-gitops - wait: true - interval: 30m - retryInterval: 1m - timeout: 15m 
diff --git a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml index f074dc7bb4..b2ca8d4b91 100644 --- a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml @@ -55,7 +55,7 @@ spec: enabled: true urlPrefix: / ssl: false - prometheusEndpoint: http://thanos-query-frontend.monitoring.svc.cluster.local:10902 + prometheusEndpoint: http://prometheus-operated.monitoring.svc.cluster.local:9090 mgr: modules: - name: pg_autoscaler diff --git a/kubernetes/apps/security/authelia/app/externalsecret.yaml b/kubernetes/apps/security/authelia/app/externalsecret.yaml deleted file mode 100644 index eaaa1867d1..0000000000 --- a/kubernetes/apps/security/authelia/app/externalsecret.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: authelia -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: authelia-secret - creationPolicy: Owner - template: - engineVersion: v2 - data: - # Authelia - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: "{{ .GLAUTH_SEARCH_PASSWORD }}" - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET }}" - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY }}" - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: "{{ .AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET }}" - AUTHELIA_SESSION_SECRET: "{{ .AUTHELIA_SESSION_SECRET }}" - AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ .AUTHELIA_STORAGE_ENCRYPTION_KEY }}" - AUTHELIA_STORAGE_POSTGRES_DATABASE: &dbName authelia - AUTHELIA_STORAGE_POSTGRES_ADDRESS: &dbHost postgres-rw.databases.svc.cluster.local - AUTHELIA_STORAGE_POSTGRES_USERNAME: &dbUser "{{ .AUTHELIA_STORAGE_POSTGRES_USERNAME }}" - AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}" - # OIDC Apps - GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}" - MINIFLUX_OAUTH_CLIENT_SECRET: "{{ .MINIFLUX_OAUTH_CLIENT_SECRET }}" - NODE_RED_OAUTH_CLIENT_SECRET: "{{ .NODE_RED_OAUTH_CLIENT_SECRET }}" - # Postgres Init - INIT_POSTGRES_DBNAME: *dbName - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" - dataFrom: - - extract: - key: authelia - - extract: - key: cloudnative-pg - - extract: - key: glauth - - extract: - key: grafana - - extract: - key: miniflux - - extract: - key: node-red diff --git a/kubernetes/apps/security/authelia/app/helmrelease.yaml b/kubernetes/apps/security/authelia/app/helmrelease.yaml deleted file mode 100644 index 0d6f167b14..0000000000 
--- a/kubernetes/apps/security/authelia/app/helmrelease.yaml +++ /dev/null 
@@ -1,131 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app authelia -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.5.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - authelia: - replicas: 2 - strategy: RollingUpdate - annotations: - reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/buroa/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: authelia-secret - containers: - app: - image: - repository: ghcr.io/authelia/authelia - tag: 4.38.17@sha256:bd0b56ab682ecdf994cc66bbbf75e3ab437a3e4aea4c707eeea0c2fca6cf945e - env: - AUTHELIA_SERVER_ADDRESS: tcp://0.0.0.0:9091 - AUTHELIA_SERVER_DISABLE_HEALTHCHECK: true - AUTHELIA_TELEMETRY_METRICS_ADDRESS: tcp://0.0.0.0:8080 - AUTHELIA_TELEMETRY_METRICS_ENABLED: true - AUTHELIA_THEME: dark - X_AUTHELIA_CONFIG: /config/configuration.yml - X_AUTHELIA_CONFIG_FILTERS: expand-env - envFrom: *envFrom - probes: - liveness: &probes - enabled: true - custom: true - spec: - httpGet: - path: &path /api/health - port: &port 9091 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: *probes - resources: - requests: - cpu: 10m - limits: - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - defaultPodOptions: - securityContext: - runAsNonRoot: true - runAsUser: 568 - runAsGroup: 568 - ingress: - app: - className: internal - annotations: - gatus.io/path: *path - hajimari.io/icon: mdi:shield-account - hajimari.io/url: https://auth.ktwo.io - nginx.ingress.kubernetes.io/configuration-snippet: | - add_header Cache-Control "no-store"; - add_header Pragma "no-cache"; - add_header X-Frame-Options "SAMEORIGIN"; - add_header 
X-XSS-Protection "1; mode=block"; - hosts: - - host: &host "{{ .Release.Name }}.ktwo.io" - paths: &paths - - path: / - service: - identifier: app - port: http - - host: &customHost auth.ktwo.io - paths: *paths - tls: - - hosts: - - *host - - *customHost - persistence: - config: - type: configMap - name: authelia-configmap - globalMounts: - - path: /config/configuration.yml - subPath: configuration.yml - readOnly: true - service: - app: - controller: *app - ports: - http: - port: *port - metrics: - port: 8080 - serviceMonitor: - app: - serviceName: *app - endpoints: - - port: metrics - scheme: http - path: /metrics - interval: 1m - scrapeTimeout: 10s diff --git a/kubernetes/apps/security/authelia/app/kustomization.yaml b/kubernetes/apps/security/authelia/app/kustomization.yaml deleted file mode 100644 index 01f74d8253..0000000000 --- a/kubernetes/apps/security/authelia/app/kustomization.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml -configMapGenerator: - - name: authelia-configmap - files: - - ./resources/configuration.yml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/security/authelia/app/resources/configuration.yml b/kubernetes/apps/security/authelia/app/resources/configuration.yml deleted file mode 100644 index ae4ee9079e..0000000000 --- a/kubernetes/apps/security/authelia/app/resources/configuration.yml +++ /dev/null 
@@ -1,122 +0,0 @@ ---- -access_control: - default_policy: two_factor - networks: - - name: internal - networks: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - -authentication_backend: - ldap: - address: ldap://glauth.security.svc.cluster.local:389 - implementation: custom - timeout: 5s - start_tls: false - base_dn: dc=home,dc=arpa - additional_users_dn: ou=people,ou=users - users_filter: (&({username_attribute}={input})(objectClass=posixAccount)) - additional_groups_dn: ou=users - groups_filter: (&(uniqueMember={dn})(objectClass=posixGroup)) - user: cn=search,ou=svcaccts,ou=users,dc=home,dc=arpa - attributes: - username: uid - display_name: givenName - group_name: ou - mail: mail - member_of: memberOf - password_reset: - disable: true - refresh_interval: 1m - -duo_api: - disable: true - -identity_providers: - oidc: - cors: - endpoints: - - authorization - - token - - revocation - - introspection - allowed_origins_from_client_redirect_uris: true - clients: - - client_name: Grafana - client_id: grafana - client_secret: $${GRAFANA_OAUTH_CLIENT_SECRET} - public: false - authorization_policy: two_factor - pre_configured_consent_duration: 1y - scopes: - - openid - - profile - - groups - - email - redirect_uris: - - https://grafana.ktwo.io/login/generic_oauth - userinfo_signed_response_alg: none - - - client_name: Miniflux - client_id: miniflux - client_secret: $${MINIFLUX_OAUTH_CLIENT_SECRET} - public: false - authorization_policy: two_factor - pre_configured_consent_duration: 1y - scopes: - - openid - - profile - - groups - - email - redirect_uris: - - https://miniflux.ktwo.io/oauth2/oidc/callback - userinfo_signed_response_alg: none - - - client_name: Node-RED - client_id: nodered - client_secret: $${NODE_RED_OAUTH_CLIENT_SECRET} - public: false - authorization_policy: two_factor - pre_configured_consent_duration: 1y - scopes: - - openid - - profile - - groups - - email - redirect_uris: - - https://nr.ktwo.io/auth/strategy/callback - 
userinfo_signed_response_alg: none - token_endpoint_auth_method: client_secret_post - -notifier: - disable_startup_check: true - smtp: - address: smtp://smtp-relay.networking.svc.cluster.local:25 - sender: Authelia - disable_require_tls: true - -session: - same_site: lax - inactivity: 5m - expiration: 1h - remember_me: 1M - cookies: - - name: k_session - domain: ktwo.io - authelia_url: https://auth.ktwo.io - default_redirection_url: https://ktwo.io - redis: - database_index: 3 - host: dragonfly.databases.svc.cluster.local - -totp: - disable: false - issuer: authelia.com - -webauthn: - disable: false - display_name: Authelia - attestation_conveyance_preference: indirect - user_verification: discouraged - timeout: 60s diff --git a/kubernetes/apps/security/authelia/ks.yaml b/kubernetes/apps/security/authelia/ks.yaml deleted file mode 100644 index 8c39b9270f..0000000000 --- a/kubernetes/apps/security/authelia/ks.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app authelia - namespace: flux-system -spec: - targetNamespace: security - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: glauth - - name: dragonfly-cluster - - name: cloudnative-pg-cluster - - name: external-secrets-stores - path: ./kubernetes/apps/security/authelia/app - prune: true - sourceRef: - kind: GitRepository - name: k8s-gitops - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/apps/security/glauth/app/externalsecret.yaml b/kubernetes/apps/security/glauth/app/externalsecret.yaml deleted file mode 100644 index 2ad255bb36..0000000000 --- a/kubernetes/apps/security/glauth/app/externalsecret.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: glauth -spec: - refreshInterval: 5m - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: glauth-secret - creationPolicy: Owner - template: - templateFrom: - - configMap: - name: glauth-config-tpl - items: - - key: groups.toml - - key: server.toml - - key: users.toml - dataFrom: - - extract: - key: glauth diff --git a/kubernetes/apps/security/glauth/app/helmrelease.yaml b/kubernetes/apps/security/glauth/app/helmrelease.yaml deleted file mode 100644 index fa353c8c31..0000000000 --- a/kubernetes/apps/security/glauth/app/helmrelease.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app glauth -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.5.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - glauth: - replicas: 2 - strategy: RollingUpdate - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: docker.io/glauth/glauth - tag: v2.3.2@sha256:1656842d8d202cdb53de9eb753963a66a49eb6a180e8ade0602548e64b4f6877 - command: - - /app/glauth - args: - - -c - - /config - probes: - liveness: &probes - enabled: true - custom: true - spec: - httpGet: - path: / - port: &port 5555 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: *probes - resources: - requests: - cpu: 10m - limits: - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - defaultPodOptions: - securityContext: - runAsNonRoot: true - runAsUser: 568 - runAsGroup: 568 - persistence: - config: - type: secret - name: glauth-secret - globalMounts: - - path: /config/groups.toml - subPath: groups.toml - readOnly: true - - path: /config/server.toml - subPath: server.toml - readOnly: true - - path: /config/users.toml - subPath: users.toml - readOnly: true - service: - app: - controller: *app - ports: - http: - port: *port - ldap: - port: 389 - serviceMonitor: - app: - serviceName: *app - endpoints: - - port: http - scheme: http - path: /metrics - interval: 1m - scrapeTimeout: 10s diff --git a/kubernetes/apps/security/glauth/app/kustomization.yaml b/kubernetes/apps/security/glauth/app/kustomization.yaml deleted file mode 100644 index def6910e04..0000000000 --- a/kubernetes/apps/security/glauth/app/kustomization.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml -configMapGenerator: - - name: glauth-config-tpl - files: - - ./resources/groups.toml - - ./resources/server.toml - - ./resources/users.toml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/security/glauth/app/resources/groups.toml b/kubernetes/apps/security/glauth/app/resources/groups.toml deleted file mode 100644 index 7c01216adb..0000000000 --- a/kubernetes/apps/security/glauth/app/resources/groups.toml +++ /dev/null @@ -1,11 +0,0 @@ -[[groups]] - name = "svcaccts" - gidnumber = 6500 - -[[groups]] - name = "admins" - gidnumber = 6501 - -[[groups]] - name = "people" - gidnumber = 6502 diff --git a/kubernetes/apps/security/glauth/app/resources/server.toml b/kubernetes/apps/security/glauth/app/resources/server.toml deleted file mode 100644 index 5efd6ba16e..0000000000 --- a/kubernetes/apps/security/glauth/app/resources/server.toml +++ /dev/null @@ -1,15 +0,0 @@ -[api] - enabled = true - tls = false - listen = "0.0.0.0:5555" - -[backend] - datastore = "config" - baseDN = "dc=home,dc=arpa" - -[ldap] - enabled = true - listen = "0.0.0.0:389" - -[ldaps] - enabled = false diff --git a/kubernetes/apps/security/glauth/app/resources/users.toml b/kubernetes/apps/security/glauth/app/resources/users.toml deleted file mode 100644 index 21cbac38d1..0000000000 --- a/kubernetes/apps/security/glauth/app/resources/users.toml +++ /dev/null @@ -1,18 +0,0 @@ -[[users]] - name = "search" - uidnumber = 5000 - primarygroup = 6500 - passbcrypt = "{{ .GLAUTH_SEARCH_PASSWORD_BCRYPT }}" - [[users.capabilities]] - action = "search" - object = "*" - -[[users]] - name = "steven" - mail = "{{ .GLAUTH_STEVEN_EMAIL }}" - givenname = "Steven" - sn = "Kreitzer" - uidnumber = 5001 - primarygroup = 6502 - othergroups = [ 6501 ] - passbcrypt = "{{ .GLAUTH_STEVEN_PASSWORD_BCRYPT }}" 
diff --git a/kubernetes/apps/security/kustomization.yaml b/kubernetes/apps/security/kustomization.yaml index 65f2123360..274f356bb7 100644 --- a/kubernetes/apps/security/kustomization.yaml +++ b/kubernetes/apps/security/kustomization.yaml @@ -3,7 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./namespace.yaml - - ./authelia/ks.yaml - ./external-secrets/ks.yaml - - ./glauth/ks.yaml - ./onepassword-connect/ks.yaml diff --git a/kubernetes/flux/vars/cluster-settings.yaml b/kubernetes/flux/vars/cluster-settings.yaml index 94bbf9af43..354156eb9b 100644 --- a/kubernetes/flux/vars/cluster-settings.yaml +++ b/kubernetes/flux/vars/cluster-settings.yaml @@ -21,7 +21,6 @@ data: NET_IOT_GATEWAY_IP: 192.168.30.1 # Services - NET_SERVICES_VECTOR_IP: 192.168.20.2 NET_SERVICES_QBITTORRENT_IP: 192.168.20.3 NET_SERVICES_INGRESS_IP_EXT: 192.168.20.80 NET_SERVICES_INGRESS_IP_INT: 192.168.20.81 diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml index 6215b76345..1a2382a6bc 100644 --- a/talos/talconfig.yaml +++ b/talos/talconfig.yaml @@ -211,7 +211,6 @@ controlPlane: - mitigations=off - net.ifnames=0 - security=none - - talos.logging.kernel=udp://vector.ktwo.io:6001/ systemExtensions: officialExtensions: @@ -290,14 +289,6 @@ controlPlane: enabled: true port: 7445 - # Enable logging - - |- - machine: - logging: - destinations: - - endpoint: udp://vector.ktwo.io:6002 - format: json_lines - # Force nameserver - |- machine: