From 739eb3ced4aab3a08b06badf449ca4da183d5d67 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?S=C3=B6ren=20Schneider?= <56670304+soerenschneider@users.noreply.github.com> Date: Thu, 12 Sep 2024 22:33:41 +0200 Subject: [PATCH] init --- .github/dependabot.yml | 11 + .github/workflows/diagrams.yaml | 36 ++ .github/workflows/lint.yaml | 30 + .github/workflows/pr.yaml | 29 + .github/workflows/security-scanners.yaml | 31 + .gitignore | 7 + .kube-linter.yaml | 4 + .pre-commit-config.yaml | 7 + .trivyignore.yaml | 39 ++ .yamllint.yaml | 6 + Makefile | 10 + apps/acmevault/deployment.yaml | 82 +++ apps/acmevault/kustomization.yaml | 6 + apps/acmevault/networkpolicy.yaml | 42 ++ .../components/istio-proxy/kustomization.yaml | 41 ++ .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 23 + .../components/pvc/actualbudget-pvc.yaml | 11 + .../components/pvc/kustomization.yaml | 16 + apps/actualbudget/deployment.yaml | 71 +++ apps/actualbudget/kustomization.yaml | 7 + apps/actualbudget/networkpolicy.yaml | 9 + apps/actualbudget/service.yaml | 11 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../taskwarrior/cert-certificate.yaml | 19 + .../components/taskwarrior/cert-issuer.yaml | 29 + .../components/taskwarrior/kustomization.yaml | 84 +++ .../upsert-secret-aether-taskwarrior.sh | 21 + apps/aether/deployment.yaml | 88 +++ apps/aether/kustomization.yaml | 7 + apps/aether/networkpolicy.yaml | 24 + apps/aether/service.yaml | 11 + apps/aether/upsert-secret-aether.sh | 40 ++ apps/aether/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + apps/anki/components/istio/kustomization.yaml | 23 + apps/anki/components/pvc/anki-pvc.yaml | 12 + apps/anki/components/pvc/kustomization.yaml | 16 + apps/anki/deployment.yaml | 68 +++ apps/anki/kustomization.yaml | 7 + apps/anki/networkpolicy.yaml | 12 + apps/anki/service.yaml | 11 + apps/anki/upsert-secret-anki.sh | 22 + apps/anki/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml 
| 5 + apps/argocd/kustomization.yaml | 5 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 23 + .../components/oidc/kustomization.yaml | 24 + .../oidc/upsert-secret-bookstack-oidc.sh | 23 + apps/bookstack/deployment.yaml | 124 ++++ apps/bookstack/kustomization.yaml | 12 + apps/bookstack/networkpolicy.yaml | 9 + apps/bookstack/service.yaml | 11 + apps/bookstack/upsert-secret-bookstack.sh | 27 + apps/bookstack/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/oidc/kustomization.yaml | 30 + .../oidc/oauth2-proxy-deployment.yaml | 43 ++ .../components/oidc/oauth2-proxy.properties | 6 + .../upsert-secret-changedetection-oidc.sh | 27 + .../components/playwright/kustomization.yaml | 17 + .../playwright/playwright-deployment.yaml | 89 +++ .../playwright/playwright-networkpolicy.yaml | 19 + .../playwright/playwright-service.yaml | 11 + .../components/pvc/changedetection-pvc.yaml | 11 + .../components/pvc/kustomization.yaml | 16 + .../components/restic-pvc/kustomization.yaml | 63 ++ ...psert-secret-changedetection-restic-pvc.sh | 30 + apps/changedetection/deployment.yaml | 80 +++ apps/changedetection/kustomization.yaml | 7 + apps/changedetection/networkpolicy.yaml | 16 + apps/changedetection/service.yaml | 11 + apps/changedetection/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 23 + apps/consul/consul.hcl | 10 + apps/consul/kustomization.yaml | 11 + apps/consul/networkpolicy.yaml | 8 + apps/consul/service.yaml | 11 + apps/consul/sts.yaml | 91 +++ apps/consul/upsert-secret-bookstack.sh | 27 + apps/consul/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/pvc/cr-pvc.yaml | 11 + .../components/pvc/kustomization.yaml | 16 + apps/container-registry/config.yml | 14 + apps/container-registry/deployment.yaml | 82 +++ 
apps/container-registry/kustomization.yaml | 10 + apps/container-registry/networkpolicy.yaml | 26 + apps/container-registry/service.yaml | 12 + apps/container-registry/upsert-secrets.sh | 3 + .../custom-config/kustomization.yaml | 23 + apps/device-stalker/deployment.yaml | 80 +++ apps/device-stalker/kustomization.yaml | 5 + .../components/config/kustomization.yaml | 24 + apps/domain-exporter/deployment.yaml | 69 +++ apps/domain-exporter/kustomization.yaml | 7 + apps/domain-exporter/networkpolicy.yaml | 20 + apps/domain-exporter/service.yaml | 11 + apps/domain-exporter/upsert-secrets.sh | 3 + .../aws-credentials/kustomization.yaml | 13 + .../upsert-secret-dyndns-aws-credentials.sh | 24 + .../aws-endpoints/kustomization.yaml | 13 + .../upsert-secret-dyndns-aws-endpoints.sh | 29 + .../components/keypair/kustomization.yaml | 19 + .../keypair/upsert-secret-dyndns-keypair.sh | 20 + apps/dyndns/client/deployment.yaml | 69 +++ apps/dyndns/client/kustomization.yaml | 12 + apps/dyndns/client/networkpolicy.yaml | 21 + apps/dyndns/client/upsert-secrets.sh | 3 + .../aws-credentials/kustomization.yaml | 13 + .../upsert-secret-dyndns-aws-credentials.sh | 24 + .../components/aws-sqs/kustomization.yaml | 13 + .../upsert-secret-dyndns-aws-sqs-url.sh | 25 + apps/dyndns/server/deployment.yaml | 68 +++ apps/dyndns/server/kustomization.yaml | 11 + apps/dyndns/server/networkpolicy.yaml | 21 + apps/dyndns/server/upsert-secrets.sh | 3 + apps/firefly/firefly-deployment.yaml | 90 +++ apps/firefly/firefly-service.yaml | 11 + apps/firefly/kustomization.yaml | 9 + apps/firefly/networkpolicy.yaml | 57 ++ apps/firefly/redis-deployment.yaml | 56 ++ apps/firefly/redis-service.yaml | 11 + apps/firefly/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + .../gatus/components/istio/kustomization.yaml | 19 + .../components/postgres/kustomization.yaml | 11 + .../postgres/postgres-deployment.yaml | 104 ++++ .../components/postgres/postgres-service.yaml | 13 + 
.../upsert-secret-miniflux-postgres.sh | 27 + apps/gatus/deployment.yaml | 91 +++ apps/gatus/kustomization.yaml | 7 + apps/gatus/networkpolicy.yaml | 20 + apps/gatus/service.yaml | 11 + apps/gatus/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 5 + .../postgres-pvc/kustomization.yaml | 5 + .../components/postgres-pvc/postgres-pvc.yaml | 11 + .../components/postgres/kustomization.yaml | 7 + .../postgres/postgres-deployment.yaml | 116 ++++ .../postgres/postgres-networkpolicy.yaml | 21 + .../components/postgres/postgres-service.yaml | 13 + .../upsert-secret-ghostfolio-postgres.sh | 24 + .../components/redis/kustomization.yaml | 7 + .../components/redis/redis-deployment.yaml | 56 ++ .../components/redis/redis-networkpolicy.yaml | 21 + .../components/redis/redis-service.yaml | 11 + .../components/upsert-secret-ghostfolio.sh | 26 + apps/ghostfolio/deployment.yaml | 82 +++ apps/ghostfolio/kustomization.yaml | 7 + apps/ghostfolio/networkpolicy.yaml | 37 ++ apps/ghostfolio/service.yaml | 11 + apps/ghostfolio/upsert-secrets.sh | 3 + .../components/pvc/git-repo-pvc.yaml | 12 + .../components/pvc/kustomization.yaml | 16 + apps/git-repo-backup/cronjob.yaml | 58 ++ apps/git-repo-backup/kustomization.yaml | 5 + apps/git-repo-backup/upsert-secrets.sh | 3 + .../components/istio-proxy/kustomization.yaml | 41 ++ .../istio/istio-virtualservice.yaml | 27 + .../gitea/components/istio/kustomization.yaml | 5 + apps/gitea/components/pvc/gitea-pvc.yaml | 11 + apps/gitea/components/pvc/kustomization.yaml | 16 + apps/gitea/deployment.yaml | 88 +++ apps/gitea/kustomization.yaml | 6 + apps/gitea/service.yaml | 22 + apps/gitea/upsert-secrets.sh | 3 + .../database-mariadb/kustomization.yaml | 21 + .../upsert-secret-grafana-database-mariadb.sh | 24 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/oidc/grafana.properties | 7 + .../components/oidc/kustomization.yaml | 8 + 
.../oidc/upsert-secret-grafana-oidc.sh | 23 + apps/grafana/deployment.yaml | 90 +++ apps/grafana/grafana.properties | 9 + apps/grafana/kustomization.yaml | 11 + apps/grafana/networkpolicy.yaml | 62 ++ apps/grafana/service.yaml | 11 + apps/grafana/upsert-secret-grafana.sh | 25 + apps/grafana/upsert-secrets.sh | 3 + .../config-secrets/kustomization.yaml | 20 + .../istio/istio-virtualservice.yaml | 19 + apps/hass/components/istio/kustomization.yaml | 19 + apps/hass/components/pvc/hass-pvc.yaml | 11 + apps/hass/components/pvc/kustomization.yaml | 16 + .../components/restic-pvc/kustomization.yaml | 63 ++ .../upsert-secret-hass-restic-pvc.sh | 30 + apps/hass/deployment.yaml | 81 +++ apps/hass/kustomization.yaml | 6 + apps/hass/networkpolicy.yaml | 20 + apps/hass/service.yaml | 11 + .../database-mariadb/kustomization.yaml | 20 + ...upsert-secret-hedgedoc-database-mariadb.sh | 24 + .../components/istio-proxy/kustomization.yaml | 41 ++ .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 23 + .../components/minio/kustomization.yaml | 10 + .../minio/upsert-secret-hedgedoc-minio.sh | 24 + apps/hedgedoc/deployment.yaml | 68 +++ apps/hedgedoc/kustomization.yaml | 11 + apps/hedgedoc/networkpolicy.yaml | 34 ++ apps/hedgedoc/service.yaml | 11 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 23 + apps/hermes/deployment.yaml | 74 +++ apps/hermes/kustomization.yaml | 7 + apps/hermes/networkpolicy.yaml | 45 ++ apps/hermes/service.yaml | 11 + .../istio/istio-virtualservice.yaml | 19 + .../homer/components/istio/kustomization.yaml | 5 + apps/homer/deployment.yaml | 65 +++ apps/homer/kustomization.yaml | 7 + apps/homer/networkpolicy.yaml | 32 ++ apps/homer/service.yaml | 11 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/oidc/kustomization.yaml | 19 + .../components/oidc/oauth2-proxy.properties | 8 + .../httpbin/components/oidc/oauth2-proxy.yaml | 42 ++ 
.../oidc/upsert-secret-httpbin-oidc.sh | 27 + apps/httpbin/deployment.yaml | 65 +++ apps/httpbin/kustomization.yaml | 7 + apps/httpbin/networkpolicy.yaml | 16 + apps/httpbin/service.yaml | 11 + apps/httpbin/upsert-secrets.sh | 3 + apps/imapfilter/imapfilter.yaml | 55 ++ apps/imapfilter/kustomization.yaml | 6 + apps/imapfilter/networkpolicy.yaml | 32 ++ .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 5 + .../components/pgvector/kustomization.yaml | 7 + .../components/pgvector/postgres-pvc.yaml | 11 + .../components/pgvector/postgres-service.yaml | 13 + .../components/pgvector/postgres-sts.yaml | 95 +++ apps/immich/components/pvc/kustomization.yaml | 26 + apps/immich/components/pvc/pvc.yaml | 11 + .../restic-postgres/kustomization.yaml | 53 ++ .../upsert-secret-immich-restic-postgres.sh | 29 + .../components/restic-pvc/kustomization.yaml | 63 ++ .../upsert-secret-immich-restic-pvc.sh | 30 + .../immich-machinelearning-deployment.yaml | 110 ++++ .../immich-machinelearning-service.yaml | 15 + apps/immich/immich-server-deployment.yaml | 100 ++++ apps/immich/immich-server-service.yaml | 15 + apps/immich/immich.properties | 8 + apps/immich/kustomization.yaml | 14 + apps/immich/redis-deployment.yaml | 70 +++ apps/immich/redis-service.yaml | 12 + apps/immich/upsert-secret-immich.sh | 23 + apps/immich/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 5 + .../components/pvc-config/jellyfin-pvc.yaml | 12 + .../components/pvc-config/kustomization.yaml | 16 + .../storage-healthcheck/healthcheck.sh | 8 + .../storage-healthcheck/kustomization.yaml | 34 ++ apps/jellyfin/kustomization.yaml | 6 + apps/jellyfin/service.yaml | 11 + apps/jellyfin/statefulset.yaml | 93 +++ .../components/db-mariadb/kustomization.yaml | 40 ++ .../upsert-secret-keycloak-db-mariadb.sh | 24 + .../components/istio-proxy/kustomization.yaml | 26 + .../istio/istio-virtualservice.yaml | 27 + 
.../components/istio/kustomization.yaml | 19 + apps/keycloak/deployment.yaml | 81 +++ apps/keycloak/keycloak.properties | 3 + apps/keycloak/kustomization.yaml | 11 + apps/keycloak/networkpolicy.yaml | 37 ++ apps/keycloak/service.yaml | 14 + apps/keycloak/upsert-secret-keycloak.sh | 24 + apps/keycloak/upsert-secrets.sh | 3 + .../cp-istio-virtualservice-nowildcards.yaml | 45 ++ .../cp-require-labels.yaml | 40 ++ .../cp-require-pod-requests-limits.yaml | 47 ++ .../cp-require-ro-rootfs.yaml | 42 ++ .../kustomization.yaml | 8 + apps/kyverno/helm-fan-out.sh | 27 + apps/kyverno/kustomization.yaml | 3 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/oidc/kustomization.yaml | 45 ++ .../components/oidc/linkding.properties | 2 + .../components/oidc/oauth2-proxy.properties | 8 + .../components/oidc/oauth2-proxy.yaml | 42 ++ .../oidc/upsert-secert-oauth2-proxy.sh | 27 + .../postgres-pvc/kustomization.yaml | 16 + .../components/postgres-pvc/postgres-pvc.yaml | 11 + .../components/postgres/kustomization.yaml | 30 + .../components/postgres/linkding.properties | 3 + .../postgres/postgres-deployment.yaml | 113 ++++ .../postgres/postgres-networkpolicy.yaml | 21 + .../components/postgres/postgres-service.yaml | 13 + .../upsert-secret-linkding-postgres.sh | 24 + .../restic-postgres/kustomization.yaml | 53 ++ .../upsert-secret-linkding-restic-postgres.sh | 30 + apps/linkding/deployment.yaml | 101 ++++ apps/linkding/kustomization.yaml | 11 + apps/linkding/linkding.properties | 1 + apps/linkding/networkpolicy.yaml | 30 + apps/linkding/service.yaml | 11 + apps/linkding/upsert-secret-linkding.sh | 24 + apps/linkding/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + apps/loki/components/istio/kustomization.yaml | 5 + .../components/monolith/kustomization.yaml | 15 + .../loki/components/monolith/loki-config.yaml | 58 ++ apps/loki/components/pvc/kustomization.yaml | 16 + apps/loki/components/pvc/loki-pvc.yaml | 11 + 
apps/loki/deployment.yaml | 98 ++++ apps/loki/kustomization.yaml | 7 + apps/loki/networkpolicy.yaml | 69 +++ apps/loki/service.yaml | 13 + .../istio/istio-virtualservice.yaml | 39 ++ .../components/istio/kustomization.yaml | 19 + .../components/pvc/kustomization.yaml | 16 + apps/mariadb-galera/components/pvc/pvc.yaml | 11 + .../restic-mariadb/kustomization.yaml | 23 + .../upsert-secret-restic-mariadb.sh | 33 ++ .../components/tls-wsrep/cert-wsrep.yaml | 18 + .../components/tls-wsrep/cm-sst-cnf.yaml | 12 + .../components/tls-wsrep/issuer.yaml | 29 + .../components/tls-wsrep/kustomization.yaml | 42 ++ .../components/tls/cert-certificate.yaml | 20 + .../components/tls/kustomization.yaml | 36 ++ apps/mariadb-galera/kustomization.yaml | 10 + apps/mariadb-galera/mariadb.properties | 4 + apps/mariadb-galera/service.yaml | 22 + apps/mariadb-galera/statefulset.yaml | 96 ++++ apps/mariadb-galera/upsert-secret-mariadb.sh | 28 + apps/mariadb/service.yaml | 12 + apps/mariadb/statefulset.yaml | 70 +++ .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/mealie-pvc/kustomization.yaml | 16 + .../components/mealie-pvc/mealie-pvc.yaml | 11 + .../mealie/components/oidc/kustomization.yaml | 20 + .../oidc/upsert-secret-mealie-oidc.sh | 23 + .../postgres-pvc/kustomization.yaml | 5 + .../components/postgres-pvc/postgres-pvc.yaml | 11 + .../components/postgres/kustomization.yaml | 14 + .../components/postgres/mealie.properties | 0 .../postgres/postgres-deployment.yaml | 114 ++++ .../components/postgres/postgres-service.yaml | 13 + .../postgres/upsert-secret-mealie-postgres.sh | 24 + .../restic-postgres/kustomization.yaml | 53 ++ .../upsert-secret-mealie-restic-postgres.sh | 30 + .../components/restic-pvc/kustomization.yaml | 66 +++ .../upsert-secret-mealie-restic-pvc.sh | 30 + apps/mealie/deployment.yaml | 98 ++++ apps/mealie/kustomization.yaml | 10 + apps/mealie/mealie.properties | 1 + apps/mealie/networkpolicy.yaml | 23 + 
apps/mealie/service.yaml | 14 + apps/mealie/upsert-secret-mealie.sh | 22 + apps/mealie/upsert-secrets.sh | 3 + apps/media/build-radarr-apikey.sh | 22 + .../postgres-pvc/kustomization.yaml | 16 + .../components/postgres-pvc/postgres-pvc.yaml | 12 + .../components/postgres/kustomization.yaml | 6 + .../postgres/postgres-deployment.yaml | 108 ++++ .../components/postgres/postgres-service.yaml | 13 + .../postgres/upsert-secret-media-postgres.sh | 24 + .../istio-virtualservice.yaml | 19 + .../reverse-proxy-istio/kustomization.yaml | 5 + .../reverse-proxy-oidc/kustomization.yaml | 19 + .../oauth2-proxy.properties | 7 + .../reverse-proxy-oidc/oauth2-proxy.yaml | 42 ++ .../upsert-secret-media-reverse-proxy-oidc.sh | 27 + .../reverse-proxy/kustomization.yaml | 10 + .../media/components/reverse-proxy/nginx.conf | 72 +++ .../reverse-proxy-deployment.yaml | 90 +++ .../reverse-proxy/reverse-proxy-service.yaml | 12 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/postgres/kustomization.yaml | 38 ++ .../postgres/patch-initcontainer.yaml | 32 ++ .../upsert-secret-media-lidarr-postgres.sh | 24 + .../reverse-proxy/kustomization.yaml | 23 + apps/media/lidarr/deployment.yaml | 111 ++++ apps/media/lidarr/kustomization.yaml | 7 + apps/media/lidarr/networkpolicy.yaml | 36 ++ apps/media/lidarr/service.yaml | 11 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/postgres/kustomization.yaml | 41 ++ .../postgres/patch-initcontainer.yaml | 32 ++ .../upsert-secret-media-prowlarr-postgres.sh | 24 + .../reverse-proxy/kustomization.yaml | 23 + apps/media/prowlarr/deployment.yaml | 111 ++++ apps/media/prowlarr/kustomization.yaml | 7 + apps/media/prowlarr/networkpolicy.yaml | 32 ++ apps/media/prowlarr/service.yaml | 11 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/postgres/kustomization.yaml | 33 ++ 
.../postgres/patch-initcontainer.yaml | 32 ++ .../upsert-secret-media-radarr-postgres.sh | 24 + .../reverse-proxy/kustomization.yaml | 23 + apps/media/radarr/deployment.yaml | 113 ++++ apps/media/radarr/kustomization.yaml | 7 + apps/media/radarr/networkpolicy.yaml | 36 ++ apps/media/radarr/service.yaml | 11 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/postgres/kustomization.yaml | 38 ++ .../postgres/patch-initcontainer.yaml | 32 ++ .../upsert-secret-media-sonarr-postgres.sh | 24 + .../reverse-proxy/kustomization.yaml | 23 + apps/media/sonarr/deployment.yaml | 113 ++++ apps/media/sonarr/kustomization.yaml | 7 + apps/media/sonarr/networkpolicy.yaml | 36 ++ apps/media/sonarr/service.yaml | 11 + apps/media/upsert-secret-smb.sh | 27 + apps/media/upsert-secrets.sh | 3 + .../components/istio-proxy/kustomization.yaml | 41 ++ .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/pvc/kustomization.yaml | 16 + .../microbin/components/pvc/microbin-pvc.yaml | 11 + .../components/restic-pvc/kustomization.yaml | 66 +++ .../upsert-secret-microbin-restic-pvc.sh | 30 + apps/microbin/deployment.yaml | 67 +++ apps/microbin/kustomization.yaml | 11 + apps/microbin/microbin.properties | 211 +++++++ apps/microbin/networkpolicy.yaml | 22 + apps/microbin/service.yaml | 11 + apps/microbin/upsert-secret-microbin.sh | 24 + apps/microbin/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/oidc/kustomization.yaml | 21 + .../oidc/upsert-secret-miniflux-oidc.sh | 23 + .../postgres-pvc/kustomization.yaml | 5 + .../components/postgres-pvc/postgres-pvc.yaml | 11 + .../components/postgres/kustomization.yaml | 6 + .../postgres/postgres-deployment.yaml | 108 ++++ .../components/postgres/postgres-service.yaml | 13 + .../upsert-secret-miniflux-postgres.sh | 27 + apps/miniflux/deployment.yaml | 94 +++ 
apps/miniflux/kustomization.yaml | 11 + apps/miniflux/miniflux.properties | 2 + apps/miniflux/networkpolicy.yaml | 58 ++ apps/miniflux/service.yaml | 11 + apps/miniflux/upsert-secret-miniflux.sh | 28 + apps/miniflux/upsert-secrets.sh | 3 + apps/minio-mirror/cronjob.yaml | 67 +++ apps/minio-mirror/kustomization.yaml | 5 + .../istio/istio-destinationrule-console.yaml | 13 + .../istio/istio-destinationrule.yaml | 13 + .../istio/istio-virtualservice-console.yaml | 20 + .../istio/istio-virtualservice.yaml | 20 + .../minio/components/istio/kustomization.yaml | 42 ++ .../components/istio/minio-certificate.yaml | 16 + apps/minio/components/pvc/kustomization.yaml | 16 + apps/minio/components/pvc/minio-pvc.yaml | 11 + apps/minio/deployment.yaml | 113 ++++ apps/minio/kustomization.yaml | 10 + apps/minio/service.yaml | 15 + apps/minio/upsert-secret-minio.sh | 24 + apps/minio/upsert-secrets.sh | 3 + .../cluster-istio/istio-virtualservice.yaml | 18 + .../cluster-istio/kustomization.yaml | 19 + .../cluster-tls/cluster-tls-config.yaml | 12 + .../components/cluster-tls/kustomization.yaml | 16 + .../components/cluster-tls/patch.yaml | 28 + .../components/config/kustomization.yaml | 24 + .../alertmanager/components/config/patch.yaml | 17 + .../upsert-secret-alertmanager-config.sh | 19 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../reverse-proxy/kustomization.yaml | 31 + apps/monitoring/alertmanager/deployment.yaml | 106 ++++ .../alertmanager/kustomization.yaml | 7 + .../alertmanager/networkpolicy.yaml | 28 + apps/monitoring/alertmanager/service.yaml | 17 + .../custom-config/kustomization.yaml | 23 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../reverse-proxy/kustomization.yaml | 27 + .../tls-client-cert/kustomization.yaml | 20 + .../blackbox_exporter/deployment.yaml | 100 ++++ .../blackbox_exporter/kustomization.yaml | 7 + .../blackbox_exporter/networkpolicy.yaml | 19 + 
.../monitoring/blackbox_exporter/service.yaml | 11 + .../istio-virtualservice.yaml | 19 + .../reverse-proxy-istio/kustomization.yaml | 5 + .../reverse-proxy-oidc/kustomization.yaml | 19 + .../oauth2-proxy.properties | 6 + .../reverse-proxy-oidc/oauth2-proxy.yaml | 42 ++ ...rt-secret-monitoring-reverse-proxy-oidc.sh | 27 + .../reverse-proxy/kustomization.yaml | 10 + .../components/reverse-proxy/nginx.conf | 100 ++++ .../reverse-proxy-deployment.yaml | 79 +++ .../reverse-proxy/reverse-proxy-service.yaml | 12 + .../tls-client-cert/certificate.yaml | 16 + .../components/tls-client-cert/issuer.yaml | 29 + .../tls-client-cert/kustomization.yaml | 6 + .../istio/istio-virtualservice.yaml | 19 + .../karma/components/istio/kustomization.yaml | 5 + .../reverse-proxy/kustomization.yaml | 19 + apps/monitoring/karma/deployment.yaml | 106 ++++ apps/monitoring/karma/kustomization.yaml | 6 + apps/monitoring/karma/service.yaml | 14 + .../components/rbac/cluster-role-binding.yaml | 16 + .../components/rbac/cluster-role.yaml | 120 ++++ .../components/rbac/kustomization.yaml | 6 + .../kube-state-metrics/deployment.yaml | 85 +++ .../kube-state-metrics/kustomization.yaml | 8 + .../kube-state-metrics/networkpolicy.yaml | 26 + .../kube-state-metrics/service-account.yaml | 9 + .../kube-state-metrics/service.yaml | 19 + apps/monitoring/namespace.yml | 5 + .../components/config/kustomization.yaml | 24 + .../config/upsert-secret-prometheus-config.sh | 19 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/oidc/deployment.yaml | 42 ++ .../components/oidc/kustomization.yaml | 19 + .../components/oidc/oauth2-proxy.properties | 6 + .../oidc/upsert-secret-prometheus-oidc.sh | 20 + .../components/rbac/clusterrole-binding.yaml | 13 + .../components/rbac/clusterrole.yaml | 20 + .../components/rbac/kustomization.yaml | 6 + .../reverse-proxy/kustomization.yaml | 27 + .../tls-client-cert/kustomization.yaml | 20 + 
apps/monitoring/prometheus/deployment.yaml | 112 ++++ apps/monitoring/prometheus/kustomization.yaml | 8 + apps/monitoring/prometheus/networkpolicy.yaml | 22 + apps/monitoring/prometheus/service.yaml | 12 + .../monitoring/prometheus/serviceaccount.yaml | 6 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../reverse-proxy/kustomization.yaml | 27 + apps/monitoring/pushgateway/deployment.yaml | 102 ++++ .../monitoring/pushgateway/kustomization.yaml | 6 + .../monitoring/pushgateway/networkpolicy.yaml | 12 + apps/monitoring/pushgateway/service.yaml | 11 + apps/monitoring/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 5 + .../victoriametrics/deployment.yaml | 111 ++++ .../victoriametrics/kustomization.yaml | 7 + .../victoriametrics/networkpolicy.yaml | 61 ++ apps/monitoring/victoriametrics/service.yaml | 12 + .../kustomization.yaml | 23 + .../patch-initcontainer.yaml | 28 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 5 + .../tls-client-cert/kustomization.yaml | 25 + apps/monitoring/vmalert/deployment.yaml | 79 +++ apps/monitoring/vmalert/kustomization.yaml | 6 + apps/monitoring/vmalert/networkpolicy.yaml | 22 + .../istio/istio-virtualservice.yaml | 25 + .../components/istio/kustomization.yaml | 5 + .../mosquitto/components/tls/certificate.yaml | 14 + .../components/tls/configmap-ca.yaml | 43 ++ .../components/tls/kustomization.yaml | 38 ++ apps/mosquitto/components/tls/mosquitto.conf | 16 + apps/mosquitto/components/tls/upsert-ca.sh | 9 + apps/mosquitto/deployment.yaml | 74 +++ apps/mosquitto/kustomization.yaml | 10 + apps/mosquitto/mosquitto.conf | 9 + apps/mosquitto/service.yaml | 15 + .../components/configfile/kustomization.yaml | 23 + ...psert-secret-mysqld-exporter-configfile.sh | 19 + apps/mysqld-exporter/deployment.yaml | 60 ++ apps/mysqld-exporter/kustomization.yaml | 5 + .../upsert-secret-mysqld-exporter.sh | 22 + 
.../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/oidc/kustomization.yaml | 8 + .../components/pvc/kustomization.yaml | 16 + .../components/pvc/navidrome-data-pvc.yaml | 11 + .../components/restic-pvc/kustomization.yaml | 63 ++ .../upsert-secret-navidrome-restic-pvc.sh | 30 + apps/navidrome/deployment.yaml | 86 +++ apps/navidrome/kustomization.yaml | 14 + apps/navidrome/networkpolicy.yaml | 19 + apps/navidrome/service.yaml | 12 + apps/navidrome/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 5 + .../components/mariadb/kustomization.yaml | 11 + .../components/mariadb/mariadb-service.yaml | 13 + .../components/mariadb/mariadb-sts.yaml | 70 +++ .../components/mariadb/nextcloud.properties | 8 + .../components/pvc/kustomization.yaml | 16 + apps/nextcloud/components/pvc/pvc.yaml | 11 + apps/nextcloud/deployment.yaml | 174 ++++++ apps/nextcloud/kustomization.yaml | 13 + apps/nextcloud/nextcloud.properties | 6 + apps/nextcloud/nginx.conf | 180 ++++++ apps/nextcloud/service.yaml | 16 + apps/nextcloud/upsert-secret-nextcloud.sh | 28 + apps/nextcloud/upsert-secrets.sh | 3 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 5 + .../components/mariadb/kustomization.yaml | 11 + .../components/mariadb/mariadb-service.yaml | 13 + .../components/mariadb/mariadb-sts.yaml | 101 ++++ .../components/mariadb/onlyoffice.properties | 4 + .../upsert-secret-onlyoffice-mariadb.sh | 24 + .../components/rabbitmq/00-rabbitmq.conf | 2 + .../components/rabbitmq/kustomization.yaml | 14 + .../components/rabbitmq/onlyoffice.properties | 1 + .../rabbitmq/rabbitmq-amqp-service.yaml | 11 + .../components/rabbitmq/statefulset.yaml | 94 +++ .../upsert-secret-onlyoffice-mariadb.sh | 24 + .../components/redis/kustomization.yaml | 11 + .../components/redis/onlyoffice.properties | 2 + .../components/redis/redis-deployment.yaml | 68 +++ 
.../components/redis/redis-service.yaml | 12 + .../redis/upsert-secret-onlyoffice-mariadb.sh | 24 + apps/onlyoffice/kustomization.yaml | 10 + apps/onlyoffice/onlyoffice-deployment.yaml | 106 ++++ apps/onlyoffice/onlyoffice-service.yaml | 16 + apps/onlyoffice/onlyoffice.properties | 1 + apps/onlyoffice/upsert-secrets.sh | 3 + .../database-mariadb/kustomization.yaml | 11 + ...t-secret-paperless-ngx-database-mariadb.sh | 24 + .../components/istio-proxy/kustomization.yaml | 10 + .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 5 + .../components/oidc/kustomization.yaml | 30 + .../oidc/oauth2-proxy-deployment.yaml | 42 ++ .../components/oidc/oauth2-proxy.properties | 7 + .../components/oidc/paperless.properties | 4 + .../oidc/upsert-secret-paperless-ngx-oidc.sh | 27 + .../components/pvc/kustomization.yaml | 23 + .../pvc/paperless-pvc-consumption.yaml | 11 + .../components/pvc/paperless-pvc-storage.yaml | 11 + .../components/restic-pvc/kustomization.yaml | 66 +++ .../upsert-secret-paperless-ngx-restic-pvc.sh | 30 + .../components/tika/gotenberg-deployment.yaml | 80 +++ .../components/tika/gotenberg-service.yaml | 13 + .../components/tika/kustomization.yaml | 13 + .../components/tika/paperless.properties | 3 + .../components/tika/tika-deployment.yaml | 86 +++ .../components/tika/tika-service.yaml | 13 + apps/paperless-ngx/kustomization.yaml | 14 + apps/paperless-ngx/networkpolicy.yaml | 77 +++ ...erless-ngx-cm-fixed-entrypoint-script.yaml | 20 + .../paperless-ngx-deployment.yaml | 105 ++++ apps/paperless-ngx/paperless-ngx-service.yaml | 11 + apps/paperless-ngx/paperless.properties | 9 + apps/paperless-ngx/redis-deployment.yaml | 68 +++ apps/paperless-ngx/redis-service.yaml | 12 + .../upsert-secret-paperless-ngx.sh | 30 + apps/paperless-ngx/upsert-secrets.sh | 3 + apps/pydio/deployment.yaml | 83 +++ apps/pydio/namespace.yaml | 7 + apps/pydio/pv.yaml | 21 + apps/pydio/pvc.yaml | 12 + apps/pydio/service.yaml | 13 + 
apps/pydio/upsert-secrets.sh | 3 + apps/pydio/virtualservice.yaml | 19 + apps/rabbitmq/00-rabbitmq.conf | 2 + .../components/cluster-tls/certificate.yaml | 19 + .../cluster-tls/inter_node_tls.config | 17 + .../components/cluster-tls/issuer.yaml | 29 + .../components/cluster-tls/kustomization.yaml | 38 ++ .../components/istio-proxy/kustomization.yaml | 41 ++ .../istio/istio-virtualservice.yaml | 27 + .../components/istio/kustomization.yaml | 23 + .../components/tls-server-cert/10-ssl.conf | 4 + .../tls-server-cert/cert-certificate.yaml | 18 + .../tls-server-cert/kustomization.yaml | 26 + apps/rabbitmq/kustomization.yaml | 11 + apps/rabbitmq/rabbitmq-amqp-service.yaml | 11 + .../rabbitmq/rabbitmq-management-service.yaml | 11 + apps/rabbitmq/statefulset.yaml | 94 +++ apps/rabbitmq/upsert-secrets.sh | 3 + .../components/istio-proxy/kustomization.yaml | 41 ++ .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 23 + .../components/pvc/kustomization.yaml | 16 + .../radicale/components/pvc/radicale-pvc.yaml | 11 + .../components/restic-pvc/kustomization.yaml | 64 +++ .../upsert-secret-radicale-restic-pvc.sh | 30 + apps/radicale/deployment.yaml | 63 ++ apps/radicale/kustomization.yaml | 7 + apps/radicale/networkpolicy.yaml | 14 + apps/radicale/service.yaml | 11 + apps/radicale/upsert-secret-radicale.sh | 22 + apps/radicale/upsert-secrets.sh | 3 + .../components/rbac/clusterrole-binding.yaml | 15 + .../reloader/components/rbac/clusterrole.yaml | 61 ++ .../components/rbac/kustomization.yaml | 6 + apps/reloader/deployment.yaml | 77 +++ apps/reloader/kustomization.yaml | 7 + apps/reloader/networkpolicy.yaml | 22 + apps/reloader/serviceaccount.yaml | 8 + apps/reloader/upsert-secrets.sh | 3 + .../components/pvc/kustomization.yaml | 16 + .../components/pvc/renovate-pvc.yaml | 11 + apps/renovatebot/cronjob.yaml | 59 ++ apps/renovatebot/kustomization.yaml | 5 + apps/renovatebot/upsert-secret-renovate.sh | 30 + apps/renovatebot/upsert-secrets.sh | 3 + 
.../components/ha/kustomization.yaml | 25 + .../components/istio-proxy/kustomization.yaml | 41 ++ .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + apps/stirling-pdf/deployment.yaml | 110 ++++ apps/stirling-pdf/kustomization.yaml | 7 + apps/stirling-pdf/networkpolicy.yaml | 16 + apps/stirling-pdf/service.yaml | 11 + apps/stirling-pdf/upsert-secrets.sh | 3 + .../components/ha/kustomization.yaml | 25 + .../components/istio-proxy/kustomization.yaml | 41 ++ .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + apps/string-is/deployment.yaml | 57 ++ apps/string-is/kustomization.yaml | 7 + apps/string-is/networkpolicy.yaml | 16 + apps/string-is/service.yaml | 11 + apps/string-is/upsert-secrets.sh | 3 + apps/synapse/deployment.yaml | 82 +++ apps/synapse/kustomization.yaml | 6 + apps/synapse/service.yaml | 17 + .../istio/istio-virtualservice.yaml | 18 + .../taskd/components/istio/kustomization.yaml | 19 + apps/taskd/components/pvc/kustomization.yaml | 19 + apps/taskd/components/pvc/taskd-pvc.yaml | 11 + .../components/restic-pvc/kustomization.yaml | 67 +++ .../upsert-secret-taskd-restic-pvc.sh | 30 + .../components/tls/cert-certificate.yaml | 18 + apps/taskd/components/tls/cert-issuer.yaml | 29 + apps/taskd/components/tls/kustomization.yaml | 22 + apps/taskd/deployment.yaml | 82 +++ apps/taskd/kustomization.yaml | 11 + apps/taskd/networkpolicy.yaml | 16 + apps/taskd/service.yaml | 12 + apps/taskd/taskd.properties | 11 + apps/taskd/upsert-secrets.sh | 3 + .../istio-virtualservice.yaml | 19 + .../fileserver-istio/kustomization.yaml | 5 + .../fileserver/fileserver-deployment.yaml | 77 +++ .../fileserver/fileserver-service.yaml | 12 + .../components/fileserver/kustomization.yaml | 6 + .../metube-istio/istio-virtualservice.yaml | 19 + .../metube-istio/kustomization.yaml | 5 + apps/vcr/components/metube/kustomization.yaml | 6 + .../components/metube/metube-deployment.yaml | 83 +++ 
.../vcr/components/metube/metube-service.yaml | 12 + .../components/yt-dlp-pvc/kustomization.yaml | 15 + apps/vcr/components/yt-dlp-pvc/pvc.yaml | 11 + apps/vcr/kustomization.yaml | 5 + apps/vcr/yt-dlp-cronjob.yaml | 50 ++ apps/vector/agent.yaml | 28 + apps/vector/daemonset.yaml | 105 ++++ apps/vector/kustomization.yaml | 11 + apps/vector/networkpolicy.yaml | 51 ++ apps/vector/rbac.yaml | 41 ++ apps/vector/sa.yaml | 10 + .../components/database-mariadb/ca-bundle.crt | 31 + .../database-mariadb/kustomization.yaml | 43 ++ .../upsert-secret-vikunja-database-mariadb.sh | 24 + .../components/istio-proxy/kustomization.yaml | 41 ++ .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + .../components/redis/kustomization.yaml | 29 + .../components/redis/networkpolicy.yaml | 19 + .../components/redis/redis-deployment.yaml | 68 +++ .../components/redis/redis-service.yaml | 12 + apps/vikunja/deployment.yaml | 80 +++ apps/vikunja/kustomization.yaml | 14 + apps/vikunja/networkpolicy.yaml | 16 + apps/vikunja/service.yaml | 11 + apps/vikunja/upsert-secret-vikunja.sh | 22 + apps/vikunja/upsert-secrets.sh | 3 + apps/whoogle/components/ha/kustomization.yaml | 25 + .../components/istio-proxy/kustomization.yaml | 41 ++ .../istio/istio-virtualservice.yaml | 19 + .../components/istio/kustomization.yaml | 19 + apps/whoogle/deployment.yaml | 63 ++ apps/whoogle/kustomization.yaml | 7 + apps/whoogle/networkpolicy.yaml | 15 + apps/whoogle/service.yaml | 11 + apps/yaade/components/ha/kustomization.yaml | 25 + .../components/istio-proxy/kustomization.yaml | 41 ++ .../yaade/components/istio/kustomization.yaml | 5 + .../components/istio/virtualservice.yaml | 19 + apps/yaade/deployment.yaml | 74 +++ apps/yaade/kustomization.yaml | 6 + apps/yaade/service.yaml | 11 + .../common/acmevault/acmevault-config.yaml | 39 ++ clusters/common/acmevault/kustomization.yaml | 17 + clusters/common/aether/.taskrc | 35 ++ clusters/common/aether/aether-config.yaml | 33 ++ 
clusters/common/aether/kustomization.yaml | 32 ++ .../upsert-secret-aether-taskwarrior.sh | 1 + .../common/aether/upsert-secret-aether.sh | 1 + .../common/dyndns/server/kustomization.yaml | 12 + .../common/mariadb-cluster/configmap-ca.yaml | 76 +++ .../common/mariadb-cluster/kustomization.yaml | 75 +++ clusters/common/mariadb-cluster/upsert-ca.sh | 9 + .../mariadb-cluster/upsert-secret-mariadb.sh | 1 + .../upsert-secret-mysqld-exporter.sh | 1 + .../upsert-secret-restic-mariadb.sh | 1 + clusters/common/media/kustomization.yaml | 13 + .../common/media/lidarr/kustomization.yaml | 67 +++ .../common/media/lidarr/networkpolicy.yaml | 38 ++ .../common/media/prowlarr/kustomization.yaml | 67 +++ .../common/media/prowlarr/networkpolicy.yaml | 40 ++ .../common/media/radarr/kustomization.yaml | 67 +++ .../common/media/radarr/networkpolicy.yaml | 38 ++ .../common/media/sonarr/kustomization.yaml | 67 +++ .../common/media/sonarr/networkpolicy.yaml | 48 ++ .../renovatebot/github/kustomization.yaml | 39 ++ .../renovatebot/github/renovate.properties | 8 + .../github/upsert-secret-renovate.sh | 1 + .../renovatebot/gitlab/kustomization.yaml | 36 ++ .../renovatebot/gitlab/renovate.properties | 8 + .../gitlab/upsert-secret-renovate.sh | 1 + .../common/renovatebot/kustomization.yaml | 8 + clusters/common/renovatebot/namespace.yaml | 7 + clusters/common/taskd/configmap-ca.yaml | 42 ++ clusters/common/taskd/kustomization.yaml | 26 + clusters/common/taskd/upsert-ca.sh | 9 + clusters/common/taskd/upsert-secrets.sh | 3 + clusters/common/vcr/kustomization.yaml | 12 + .../sportschau-saturday/kustomization.yaml | 32 ++ .../vcr/sportschau-sunday/kustomization.yaml | 32 ++ .../cert-manager/clusterissuer.yaml | 26 + .../cert-manager/kustomization.yaml | 18 + .../sops-secret-route53-credentials.yaml | 29 + .../cert-manager/upsert-secrets.sh | 3 + .../ghostfolio/kustomization.yaml | 22 + .../rs.soeren.cloud/ghostfolio/namespace.yaml | 7 + .../ghostfolio/postgres-data-pv.yaml | 21 + 
.../upsert-secret-ghostfolio-postgres.sh | 1 + .../ghostfolio/upsert-secrets.sh | 3 + .../grafana/grafana.properties | 6 + .../grafana/kustomization.yaml | 26 + .../rs.soeren.cloud/grafana/namespace.yaml | 7 + .../grafana/sops-secret-grafana.yaml | 52 ++ .../upsert-secret-grafana-database-mariadb.sh | 1 + .../grafana/upsert-secret-grafana-oidc.sh | 1 + .../grafana/upsert-secret-grafana.sh | 1 + .../rs.soeren.cloud/grafana/upsert-secrets.sh | 3 + .../httpbin/kustomization.yaml | 18 + .../rs.soeren.cloud/httpbin/namespace.yaml | 7 + .../rs.soeren.cloud/infra/kustomization.yaml | 8 + .../infra/local-storageclass.yaml | 7 + .../rs.soeren.cloud/istio/certificate.yaml | 15 + clusters/rs.soeren.cloud/istio/gateway.yaml | 36 ++ .../jellyfin/kustomization.yaml | 31 + .../rs.soeren.cloud/jellyfin/namespace.yaml | 7 + .../rs.soeren.cloud/jellyfin/pv-config.yaml | 24 + .../jellyfin/sops-secret-grafana.yaml | 52 ++ .../minio-mirror/kustomization.yaml | 12 + .../minio-mirror/namespace.yaml | 7 + .../minio-mirror/upsert-secrets.sh | 3 + .../rs.soeren.cloud/minio/kustomization.yaml | 46 ++ clusters/rs.soeren.cloud/minio/minio-pv.yaml | 23 + clusters/rs.soeren.cloud/minio/namespace.yaml | 7 + .../minio/upsert-secret-minio.sh | 1 + .../monitoring/kustomization.yaml | 6 + .../rs.soeren.cloud/monitoring/namespace.yaml | 8 + .../victoriametrics/kustomization.yaml | 7 + .../victoriametrics/virtualservice.yaml | 19 + .../navidrome/kustomization.yaml | 37 ++ .../rs.soeren.cloud/navidrome/namespace.yaml | 7 + .../navidrome/navidrome-data-pv.yaml | 21 + .../rabbitmq/kustomization.yaml | 9 + .../rs.soeren.cloud/rabbitmq/namespace.yaml | 8 + .../rabbitmq-amqp-virtualservice.yaml | 19 + .../rabbitmq-management-virtualservice.yaml | 19 + .../stirling-pdf/kustomization.yaml | 18 + .../stirling-pdf/namespace.yaml | 8 + .../string-is/kustomization.yaml | 19 + .../rs.soeren.cloud/string-is/namespace.yaml | 8 + clusters/svc.dd.soeren.cloud/.sops.yaml | 5 + .../acmevault/kustomization.yaml | 17 + 
.../acmevault/namespace.yaml | 7 + .../actualbudget/actualbudget-pv.yaml | 21 + .../actualbudget/kustomization.yaml | 31 + .../actualbudget/namespace.yaml | 7 + .../aether/kustomization.yaml | 36 ++ .../svc.dd.soeren.cloud/aether/namespace.yaml | 7 + .../sops-secret-aether-taskwarrior.yaml | 52 ++ .../aether/sops-secret-aether.yaml | 60 ++ .../upsert-secret-aether-taskwarrior.sh | 1 + .../aether/upsert-secret-aether.sh | 1 + .../svc.dd.soeren.cloud/anki/anki-pv.yaml | 24 + .../anki/kustomization.yaml | 18 + .../svc.dd.soeren.cloud/anki/namespace.yaml | 7 + .../anki/sops-secret-anki.yaml | 52 ++ .../anki/upsert-secret-anki.sh | 1 + clusters/svc.dd.soeren.cloud/argocd/app.yaml | 20 + .../argocd/kustomization.yaml | 44 ++ .../svc.dd.soeren.cloud/argocd/namespace.yaml | 7 + .../bookstack/kustomization.yaml | 28 + .../bookstack/namespace.yaml | 7 + .../bookstack/sops-secret-bookstack-oidc.yaml | 53 ++ .../bookstack/sops-secret-bookstack.yaml | 54 ++ .../bookstack/upsert-secret-bookstack-oidc.sh | 1 + .../bookstack/upsert-secret-bookstack.sh | 1 + .../changedetection/changedetection-pv.yaml | 24 + .../changedetection/kustomization.yaml | 32 ++ .../changedetection/namespace.yaml | 7 + .../sops-secret-changedetection-oidc.yaml | 55 ++ .../upsert-secret-changedetection-oidc.sh | 1 + .../container-registry/kustomization.yaml | 9 + .../container-registry/namespace.yaml | 7 + .../device-stalker/config.yaml | 33 ++ .../device-stalker/kustomization.yaml | 13 + .../device-stalker/namespace.yaml | 7 + .../dyndns/client/kustomization.yaml | 31 + ...-secret-dyndns-client-aws-credentials.yaml | 53 ++ ...ps-secret-dyndns-client-aws-endpoints.yaml | 54 ++ .../sops-secret-dyndns-client-keypair.yaml | 52 ++ .../upsert-secret-dyndns-aws-credentials.sh | 1 + .../upsert-secret-dyndns-aws-endpoints.sh | 1 + .../client/upsert-secret-dyndns-keypair.sh | 1 + .../dyndns/kustomization.yaml | 8 + .../svc.dd.soeren.cloud/dyndns/namespace.yaml | 7 + .../dyndns/server/kustomization.yaml | 18 + 
...-secret-dyndns-server-aws-credentials.yaml | 53 ++ .../sops-secret-dyndns-server-aws-sqs.yaml | 52 ++ .../upsert-secret-dyndns-aws-credentials.sh | 1 + .../upsert-secret-dyndns-aws-sqs-url.sh | 1 + .../external-dns/kustomization.yaml | 26 + .../external-dns/namespace.yaml | 7 + .../sops-secret-route53-credentials.yaml | 53 ++ .../upsert-secret-external-dns.sh | 1 + .../gatus/kustomization.yaml | 18 + .../svc.dd.soeren.cloud/gatus/namespace.yaml | 7 + .../git-repo-backup/config.yaml | 17 + .../git-repo-backup/git-repo-backup-pv.yaml | 25 + .../git-repo-backup/kustomization.yaml | 9 + .../git-repo-backup/namespace.yaml | 5 + .../gitea/kustomization.yaml | 9 + .../svc.dd.soeren.cloud/gitea/namespace.yaml | 7 + .../grafana/grafana.properties | 6 + .../grafana/kustomization.yaml | 28 + .../grafana/namespace.yaml | 7 + .../sops-secret-grafana-database-mariadb.yaml | 53 ++ .../grafana/sops-secret-grafana-oidc.yaml | 53 ++ .../grafana/sops-secret-grafana.yaml | 52 ++ .../upsert-secret-grafana-database-mariadb.sh | 1 + .../grafana/upsert-secret-grafana-oidc.sh | 1 + .../grafana/upsert-secret-grafana.sh | 1 + .../hass/hass-networkpolicy.yaml | 22 + .../svc.dd.soeren.cloud/hass/hass-pv.yaml | 24 + .../hass/kustomization.yaml | 35 ++ .../svc.dd.soeren.cloud/hass/namespace.yaml | 7 + .../sops-secret-ghcr-docker-registry.yaml | 53 ++ .../hass/sops-secret-hass-secrets.yaml | 52 ++ .../hass/upsert-ghcr-secret.sh | 10 + clusters/svc.dd.soeren.cloud/hass/upsert.sh | 20 + .../hedgedoc/kustomization.yaml | 27 + .../hedgedoc/namespace.yaml | 7 + ...sops-secret-hedgedoc-database-mariadb.yaml | 53 ++ ...upsert-secret-hedgedoc-database-mariadb.sh | 1 + clusters/svc.dd.soeren.cloud/homer/config.yml | 256 +++++++++ .../homer/kustomization.yaml | 13 + .../svc.dd.soeren.cloud/homer/namespace.yaml | 7 + .../httpbin/kustomization.yaml | 18 + .../httpbin/namespace.yaml | 7 + .../svc.dd.soeren.cloud/immich/immich-pv.yaml | 21 + .../immich/kustomization.yaml | 27 + 
.../svc.dd.soeren.cloud/immich/namespace.yaml | 7 + .../immich/postgres-pv.yaml | 24 + .../immich/sops-secret-immich.yaml | 54 ++ .../sops-secret-restic-immich-data.yaml | 56 ++ .../sops-secret-restic-immich-postgres.yaml | 56 ++ .../upsert-secret-immich-restic-postgres.sh | 1 + .../immich/upsert-secret-immich-restic-pvc.sh | 1 + .../immich/upsert-secret-immich.sh | 1 + .../infra/storage/kustomization.yaml | 8 + .../infra/vault-auth/kustomization.yaml | 5 + .../istio/certificate.yaml | 15 + .../svc.dd.soeren.cloud/istio/gateway.yaml | 96 ++++ .../keycloak/keycloak.properties | 4 + .../keycloak/kustomization.yaml | 37 ++ .../keycloak/namespace.yaml | 7 + .../sops-secret-keycloak-db-mariadb.yaml | 53 ++ .../keycloak/sops-secret-keycloak.yaml | 53 ++ .../upsert-secret-keycloak-db-mariadb.sh | 1 + .../keycloak/upsert-secret-keycloak.sh | 1 + .../linkding/kustomization.yaml | 36 ++ .../linkding/namespace.yaml | 7 + .../linkding/postgres-pv.yaml | 24 + .../linkding/sops-secret-linkding.yaml | 55 ++ .../linkding/sops-secret-oauth2-proxy.yaml | 56 ++ .../upsert-secret-linkding-postgres.sh | 1 + .../upsert-secret-linkding-restic-postgres.sh | 1 + .../linkding/upsert-secret-linkding.sh | 1 + .../loki/kustomization.yaml | 21 + .../svc.dd.soeren.cloud/loki/loki-pv.yaml | 24 + .../svc.dd.soeren.cloud/loki/namespace.yaml | 7 + .../mariadb/kustomization.yaml | 66 +++ .../mariadb/mariadb-pv.yaml | 24 + .../mariadb/namespace.yaml | 7 + ...-secret-mariadb-galera-restic-mariadb.yaml | 57 ++ .../mariadb/sops-secret-mariadb-galera.yaml | 55 ++ .../mariadb/sops-secret-mysqld-exporter.yaml | 52 ++ .../mariadb/upsert-secret-mariadb.sh | 1 + .../mariadb/upsert-secret-mysqld-exporter.sh | 1 + .../mariadb/upsert-secret-restic-mariadb.sh | 1 + .../mealie/kustomization.yaml | 46 ++ .../svc.dd.soeren.cloud/mealie/mealie-pv.yaml | 24 + .../svc.dd.soeren.cloud/mealie/namespace.yaml | 8 + .../mealie/postgres-pv.yaml | 24 + .../mealie/sops-secret-mealie-postgres.yaml | 53 ++ 
.../sops-secret-mealie-restic-postgres.yaml | 56 ++ .../mealie/sops-secret-mealie.yaml | 52 ++ .../mealie/upsert-secret-mealie-oidc.sh | 1 + .../mealie/upsert-secret-mealie-postgres.sh | 1 + .../upsert-secret-mealie-restic-postgres.sh | 1 + .../mealie/upsert-secret-mealie-restic-pvc.sh | 1 + .../mealie/upsert-secret-mealie.sh | 1 + .../media/jellyfin/kustomization.yaml | 36 ++ .../media/jellyfin/pv.yaml | 21 + .../media/kustomization.yaml | 89 +++ .../media/lidarr/kustomization.yaml | 8 + .../upsert-secret-media-lidarr-postgres.sh | 1 + .../svc.dd.soeren.cloud/media/namespace.yaml | 7 + .../media/nas-media-pv.yaml | 28 + .../media/nas-media-pvc.yaml | 13 + .../media/postgres-pv.yaml | 24 + .../media/prowlarr/kustomization.yaml | 8 + .../upsert-secret-media-prowlarr-postgres.sh | 1 + .../media/radarr/kustomization.yaml | 8 + .../upsert-secret-media-radarr-postgres.sh | 1 + .../media/sonarr/kustomization.yaml | 8 + .../upsert-secret-media-sonarr-postgres.sh | 1 + ...sops-secret-media-components-postgres.yaml | 53 ++ ...t-media-components-reverse-proxy-oidc.yaml | 55 ++ .../sops-secret-media-lidarr-postgres.yaml | 53 ++ .../sops-secret-media-prowlarr-postgres.yaml | 53 ++ .../sops-secret-media-radarr-postgres.yaml | 53 ++ .../sops-secret-media-sonarr-postgres.yaml | 53 ++ .../media/upsert-secret-media-postgres.sh | 1 + .../upsert-secret-media-reverse-proxy-oidc.sh | 1 + .../metallb/advertisment.yaml | 9 + .../metallb/kustomization.yaml | 23 + .../svc.dd.soeren.cloud/metallb/pool.yaml | 9 + .../microbin/kustomization.yaml | 27 + .../microbin/microbin-pv.yaml | 26 + .../microbin/namespace.yaml | 7 + .../microbin/sops-secret-microbin.yaml | 53 ++ .../microbin/upsert-secret-microbin.sh | 1 + .../minio/kustomization.yaml | 68 +++ .../svc.dd.soeren.cloud/minio/minio-pv.yaml | 26 + .../svc.dd.soeren.cloud/minio/namespace.yaml | 7 + .../minio/upsert-secret-minio.sh | 1 + .../alertmanager-config-sops.yaml | 116 ++++ .../alertmanager/kustomization.yaml | 38 ++ 
.../sops-secret-alertmanager-config.yaml | 52 ++ .../upsert-secret-alertmanager-config.sh | 1 + .../monitoring/blackbox-exporter/config.yaml | 40 ++ .../blackbox-exporter/kustomization.yaml | 14 + .../monitoring/karma/karma.yaml | 67 +++ .../monitoring/karma/kustomization.yaml | 20 + .../monitoring/karma/networkpolicy.yaml | 60 ++ .../kube-state-metrics/kustomization.yaml | 8 + .../monitoring/kustomization.yaml | 33 ++ .../monitoring/namespace.yaml | 7 + .../monitoring/prometheus/kustomization.yaml | 12 + .../prometheus/prometheus-config-sops.yaml | 543 ++++++++++++++++++ ...s-secret-monitoring-prometheus-config.yaml | 52 ++ .../upsert-secret-prometheus-config.sh | 1 + .../monitoring/pushgateway/kustomization.yaml | 8 + .../monitoring/vmalert/kustomization.yaml | 20 + .../mosquitto/kustomization.yaml | 30 + .../mosquitto/namespace.yaml | 7 + .../nextcloud/kustomization.yaml | 27 + .../nextcloud/namespace.yaml | 7 + .../nextcloud/nextcloud.properties | 6 + .../svc.dd.soeren.cloud/nextcloud/pv.yaml | 24 + .../nextcloud/sops-secret-nextcloud.yaml | 55 ++ .../nextcloud/upsert-secret-nextcloud.sh | 1 + .../paperless-ngx/kustomization.yaml | 40 ++ .../paperless-ngx/namespace.yaml | 7 + .../paperless-ngx/pv-consumption.yaml | 24 + .../paperless-ngx/pv-storage.yaml | 24 + .../sops-secret-oauth2-proxy.yaml | 56 ++ .../paperless-ngx/sops-secret-paperless.yaml | 57 ++ .../paperless-ngx/sops-secret-restic.yaml | 56 ++ .../upsert-secret-paperless-ngx-oidc.sh | 1 + .../upsert-secret-paperless-ngx.sh | 1 + .../rabbitmq/20-cluster.conf | 2 + .../rabbitmq/kustomization.yaml | 52 ++ .../rabbitmq/namespace.yaml | 7 + .../radicale/config-cm.yaml | 50 ++ .../radicale/kustomization.yaml | 62 ++ .../radicale/namespace.yaml | 7 + clusters/svc.dd.soeren.cloud/radicale/pv.yaml | 24 + .../sops-secret-radicale-restic-pvc.yaml | 56 ++ .../radicale/sops-secret-radicale.yaml | 53 ++ .../upsert-secret-radicale-restic-pvc.sh | 1 + .../radicale/upsert-secret-radicale.sh | 1 + 
.../reloader/kustomization.yaml | 7 + .../reloader/namespace.yaml | 8 + .../renovatebot/kustomization.yaml | 28 + .../renovatebot/sops-secret-renovate.yaml | 54 ++ .../taskd/kustomization.yaml | 38 ++ .../svc.dd.soeren.cloud/taskd/namespace.yaml | 7 + clusters/svc.dd.soeren.cloud/taskd/pv.yaml | 24 + .../taskd/sops-secret-taskd-restic-pvc.yaml | 56 ++ .../taskd/upsert-secret-taskd-restic-pvc.sh | 1 + .../vcr/kustomization.yaml | 25 + .../svc.dd.soeren.cloud/vcr/namespace.yaml | 7 + clusters/svc.dd.soeren.cloud/vcr/pv.yaml | 24 + .../vector/kustomization.yaml | 12 + .../svc.dd.soeren.cloud/vector/namespace.yaml | 5 + .../svc.dd.soeren.cloud/vector/sinks.yaml | 18 + .../vikunja/kustomization.yaml | 30 + .../vikunja/namespace.yaml | 7 + .../sops-secret-vikunja-database-mariadb.yaml | 53 ++ .../upsert-secret-vikunja-database-mariadb.sh | 1 + .../vikunja/upsert-secret-vikunja.sh | 1 + .../whoogle/kustomization.yaml | 19 + .../whoogle/namespace.yaml | 7 + .../yaade/kustomization.yaml | 8 + .../svc.dd.soeren.cloud/yaade/namespace.yaml | 8 + clusters/svc.ez.soeren.cloud/.sops.yaml | 5 + .../acmevault/kustomization.yaml | 17 + .../acmevault/namespace.yaml | 7 + .../aether/kustomization.yaml | 36 ++ .../svc.ez.soeren.cloud/aether/namespace.yaml | 7 + .../aether/sops-secret-aether.yaml | 61 ++ .../aether/sops-secret-taskd-credentials.yaml | 53 ++ .../aether/upsert-secrets.sh | 3 + .../cert-manager/clusterissuer.yaml | 26 + .../cert-manager/kustomization.yaml | 19 + .../sops-secret-route53-credentials.yaml | 29 + .../cert-manager/upsert-secrets.sh | 21 + .../consul/kustomization.yaml | 18 + .../svc.ez.soeren.cloud/consul/namespace.yaml | 9 + .../container-registry/config.yaml | 9 + .../container-registry/kustomization.yaml | 19 + .../container-registry/namespace.yaml | 7 + .../container-registry/networkpolicy.yaml | 30 + .../device-stalker/config.yaml | 11 + .../device-stalker/kustomization.yaml | 13 + .../device-stalker/namespace.yaml | 7 + .../domain-exporter/config.yaml | 4 
+ .../domain-exporter/kustomization.yaml | 13 + .../domain-exporter/namespace.yaml | 7 + .../dyndns/dyndns-client/kustomization.yaml | 31 + ...-secret-dyndns-client-aws-credentials.yaml | 53 ++ ...ps-secret-dyndns-client-aws-endpoints.yaml | 54 ++ .../sops-secret-dyndns-client-keypair.yaml | 52 ++ .../upsert-secret-dyndns-aws-credentials.sh | 1 + .../upsert-secret-dyndns-aws-endpoints.sh | 1 + .../upsert-secret-dyndns-keypair.sh | 1 + .../dyndns/dyndns-server/kustomization.yaml | 18 + ...-secret-dyndns-server-aws-credentials.yaml | 53 ++ .../sops-secret-dyndns-server-aws-sqs.yaml | 52 ++ .../upsert-secret-dyndns-aws-credentials.sh | 1 + .../upsert-secret-dyndns-aws-sqs-url.sh | 1 + .../dyndns/kustomization.yaml | 8 + .../svc.ez.soeren.cloud/dyndns/namespace.yaml | 7 + .../external-dns/kustomization.yaml | 26 + .../external-dns/namespace.yaml | 7 + .../sops-secret-route53-credentials.yaml | 29 + .../upsert-secret-external-dns.sh | 1 + .../grafana/grafana.properties | 6 + .../grafana/kustomization.yaml | 28 + .../grafana/namespace.yaml | 9 + .../sops-secret-grafana-database-mariadb.yaml | 53 ++ .../grafana/sops-secret-grafana-oidc.yaml | 53 ++ .../grafana/sops-secret-grafana.yaml | 52 ++ .../upsert-secret-grafana-database-mariadb.sh | 1 + .../grafana/upsert-secret-grafana-oidc.sh | 1 + .../grafana/upsert-secret-grafana.sh | 1 + .../grafana/virtualservice.yaml | 19 + .../httpbin/kustomization.yaml | 18 + .../httpbin/namespace.yaml | 7 + .../imapfilter/kustomization.yaml | 7 + .../imapfilter/namespace.yaml | 7 + .../soeren/imapfilter-config-sops.lua | 34 ++ .../imapfilter/soeren/kustomization.yaml | 32 ++ .../soeren/sops-secret-imapfilter-config.yaml | 52 ++ .../istio/certificate.yaml | 15 + .../svc.ez.soeren.cloud/istio/gateway.yaml | 45 ++ .../keycloak/keycloak.properties | 4 + .../keycloak/kustomization.yaml | 36 ++ .../keycloak/namespace.yaml | 7 + .../sops-secret-keycloak-db-mariadb.yaml | 53 ++ .../keycloak/sops-secret-keycloak.yaml | 53 ++ 
.../upsert-secret-keycloak-db-mariadb.sh | 1 + .../keycloak/upsert-secret-keycloak.sh | 1 + ...p-istio-virtualservice-correct-domain.yaml | 40 ++ .../kyverno/kustomization.yaml | 7 + .../kyverno/namespace.yaml | 7 + .../loki/kustomization.yaml | 21 + .../svc.ez.soeren.cloud/loki/loki-pv.yaml | 24 + .../svc.ez.soeren.cloud/loki/namespace.yaml | 7 + .../metallb/advertisment.yaml | 9 + .../metallb/kustomization.yaml | 33 ++ .../svc.ez.soeren.cloud/metallb/pool.yaml | 9 + .../microbin/kustomization.yaml | 26 + .../microbin/microbin-pv.yaml | 26 + .../microbin/namespace.yaml | 7 + .../microbin/sops-secret-microbin.yaml | 32 ++ .../microbin/upsert-secret-microbin.sh | 1 + .../microbin/upsert-secrets.sh | 24 + .../alertmanager-config-sops.yaml | 116 ++++ .../alertmanager/kustomization.yaml | 35 ++ .../sops-secret-alertmanager-config.yaml | 52 ++ .../upsert-secret-alertmanager-config.sh | 1 + .../monitoring/blackbox-exporter/config.yaml | 40 ++ .../blackbox-exporter/kustomization.yaml | 14 + .../monitoring/karma/karma.yaml | 68 +++ .../monitoring/karma/kustomization.yaml | 20 + .../monitoring/karma/networkpolicy.yaml | 60 ++ .../kube-state-metrics/kustomization.yaml | 8 + .../monitoring/kustomization.yaml | 33 ++ .../monitoring/namespace.yaml | 7 + .../monitoring/prometheus/kustomization.yaml | 12 + .../prometheus/prometheus-config-sops.yaml | 449 +++++++++++++++ ...s-secret-monitoring-prometheus-config.yaml | 52 ++ .../upsert-secret-prometheus-config.sh | 1 + .../monitoring/prometheus/upsert-secrets.sh | 24 + .../monitoring/pushgateway/kustomization.yaml | 8 + .../monitoring/vmalert/kustomization.yaml | 20 + .../mosquitto/kustomization.yaml | 30 + .../mosquitto/namespace.yaml | 7 + .../rabbitmq/20-cluster.conf | 2 + .../rabbitmq/kustomization.yaml | 36 ++ .../rabbitmq/namespace.yaml | 7 + .../reloader/kustomization.yaml | 7 + .../reloader/namespace.yaml | 8 + .../renovatebot/kustomization.yaml | 28 + .../renovatebot/sops-secret-renovate.yaml | 30 + 
.../svc.ez.soeren.cloud/synapse/config.yaml | 11 + .../synapse/kustomization.yaml | 9 + .../synapse/namespace.yaml | 7 + .../synapse/virtualservice.yaml | 20 + .../vcr/kustomization.yaml | 25 + .../svc.ez.soeren.cloud/vcr/namespace.yaml | 7 + clusters/svc.ez.soeren.cloud/vcr/pv.yaml | 24 + .../vector/kustomization.yaml | 12 + .../svc.ez.soeren.cloud/vector/namespace.yaml | 5 + .../svc.ez.soeren.cloud/vector/sinks.yaml | 18 + clusters/svc.pt.soeren.cloud/.sops.yaml | 5 + .../acmevault/kustomization.yaml | 17 + .../acmevault/namespace.yaml | 7 + .../cert-manager/clusterissuer.yaml | 26 + .../cert-manager/kustomization.yaml | 19 + .../sops-secret-route53-credentials.yaml | 29 + .../cert-manager/upsert-secrets.sh | 21 + .../istio/certificate.yaml | 15 + .../svc.pt.soeren.cloud/istio/gateway.yaml | 27 + .../keycloak/keycloak.properties | 7 + .../keycloak/kustomization.yaml | 35 ++ .../keycloak/namespace.yaml | 7 + .../keycloak/sops-secret-keycloak.yaml | 32 ++ .../keycloak/upsert-secret-keycloak.sh | 1 + .../keycloak/upsert-secrets.sh | 28 + .../svc.pt.soeren.cloud/loki/configmap.yaml | 66 +++ .../loki/kustomization.yaml | 22 + .../svc.pt.soeren.cloud/loki/namespace.yaml | 7 + clusters/svc.pt.soeren.cloud/loki/pv.yaml | 21 + clusters/svc.pt.soeren.cloud/loki/pvc.yaml | 13 + .../loki/virtualservice.yaml | 19 + .../metallb/advertisment-pt.yaml | 9 + .../metallb/kustomization.yaml | 33 ++ .../svc.pt.soeren.cloud/metallb/pool-pt.yaml | 10 + .../microbin/kustomization.yaml | 32 ++ .../microbin/local-volume.yaml | 24 + .../microbin/microbin.properties | 211 +++++++ .../microbin/namespace.yaml | 7 + .../svc.pt.soeren.cloud/microbin/pvc.yaml | 13 + .../microbin/sops-secret-credentials.yaml | 32 ++ .../microbin/upsert-secret-microbin.sh | 1 + .../microbin/upsert-secrets.sh | 28 + .../microbin/virtualservice.yaml | 20 + .../reloader/kustomization.yaml | 7 + .../reloader/namespace.yaml | 8 + .../renovatebot/github/kustomization.yaml | 42 ++ 
.../renovatebot/github/renovate.properties | 8 + .../github/upsert-secret-renovate.sh | 1 + .../renovatebot/gitlab/kustomization.yaml | 39 ++ .../renovatebot/gitlab/renovate.properties | 8 + .../gitlab/upsert-secret-renovate.sh | 1 + .../renovatebot/kustomization.yaml | 9 + .../renovatebot/namespace.yaml | 7 + .../renovatebot/sops-secret-tokens.yaml | 30 + .../renovatebot/upsert-secrets.sh | 27 + .../vault-auth/kustomization.yaml | 6 + .../svc.pt.soeren.cloud/vector/configmap.yaml | 52 ++ .../vector/kustomization.yaml | 8 + .../svc.pt.soeren.cloud/vector/namespace.yaml | 5 + .../clusterissuer.yaml | 26 + .../kustomization.yaml | 14 + .../upsert-secret-cert-manager.sh | 23 + .../recursive-dns/kustomization.yaml | 14 + infra/cert-manager/kustomization.yaml | 17 + infra/cert-manager/upsert-secrets.sh | 3 + .../csi-smb/components/k0s/kustomization.yaml | 50 ++ infra/csi-smb/kustomization.yaml | 10 + .../components/aws/kustomization.yaml | 27 + .../aws/upsert-secret-external-dns.sh | 25 + .../components/common/kustomization.yaml | 23 + .../components/istio/kustomization.yaml | 23 + infra/external-dns/kustomization.yaml | 19 + infra/external-dns/upsert-secrets.sh | 3 + infra/external-secrets/vault.yaml | 16 + .../kustomization.yaml | 14 + infra/local-storageclass/kustomization.yaml | 5 + .../local-storageclass.yaml | 7 + infra/metallb/kustomization.yaml | 31 + infra/priority/kustomization.yaml | 14 + infra/priority/pc-00001-best-effort.yaml | 8 + infra/priority/pc-01000-dev-low-prio.yaml | 8 + infra/priority/pc-01500-dev-default-prio.yaml | 8 + infra/priority/pc-02000-dev-high-prio.yaml | 8 + infra/priority/pc-02500-default-prio.yaml | 8 + infra/priority/pc-03000-prod-low-prio.yaml | 8 + .../priority/pc-04000-prod-default-prio.yaml | 8 + infra/priority/pc-05000-prod-high-prio.yaml | 8 + infra/priority/pc-10000-batch-high-prio.yaml | 8 + infra/priority/pc-20000-system.yaml | 8 + infra/restic-mariadb/kustomization.yaml | 7 + .../restic-mariadb-backup-cronjob.yaml | 62 ++ 
.../restic-mariadb-networkpolicy.yaml | 13 + .../restic-mariadb-prune-cronjob.yaml | 69 +++ .../upsert-secret-restic-mariadb.sh | 30 + infra/restic-postgres/kustomization.yaml | 7 + .../restic-postgres-backup-cronjob.yaml | 72 +++ .../restic-postgres-networkpolicy.yaml | 13 + .../restic-postgres-prune-cronjob.yaml | 64 +++ .../upsert-secret-mealie-restic-postgres.sh | 30 + infra/restic-pvc/kustomization.yaml | 7 + .../restic-pvc/restic-pvc-backup-cronjob.yaml | 68 +++ .../restic-pvc/restic-pvc-networkpolicy.yaml | 13 + .../restic-pvc/restic-pvc-prune-cronjob.yaml | 62 ++ .../upsert-secret-radicale-restic-pvc.sh | 30 + infra/vault-auth/cluster-role-binding.yaml | 14 + infra/vault-auth/kustomization.yaml | 8 + infra/vault-auth/namespace.yaml | 5 + .../vault-auth/service-account-token-sec.yaml | 9 + infra/vault-auth/service-account.yaml | 6 + renovate.json | 53 ++ trivy.yaml | 18 + 1349 files changed, 34910 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/diagrams.yaml create mode 100644 .github/workflows/lint.yaml create mode 100644 .github/workflows/pr.yaml create mode 100644 .github/workflows/security-scanners.yaml create mode 100644 .gitignore create mode 100644 .kube-linter.yaml create mode 100644 .pre-commit-config.yaml create mode 100644 .trivyignore.yaml create mode 100644 .yamllint.yaml create mode 100644 Makefile create mode 100644 apps/acmevault/deployment.yaml create mode 100644 apps/acmevault/kustomization.yaml create mode 100644 apps/acmevault/networkpolicy.yaml create mode 100644 apps/actualbudget/components/istio-proxy/kustomization.yaml create mode 100644 apps/actualbudget/components/istio/istio-virtualservice.yaml create mode 100644 apps/actualbudget/components/istio/kustomization.yaml create mode 100644 apps/actualbudget/components/pvc/actualbudget-pvc.yaml create mode 100644 apps/actualbudget/components/pvc/kustomization.yaml create mode 100644 apps/actualbudget/deployment.yaml create mode 100644 
apps/actualbudget/kustomization.yaml create mode 100644 apps/actualbudget/networkpolicy.yaml create mode 100644 apps/actualbudget/service.yaml create mode 100644 apps/aether/components/istio/istio-virtualservice.yaml create mode 100644 apps/aether/components/istio/kustomization.yaml create mode 100644 apps/aether/components/taskwarrior/cert-certificate.yaml create mode 100644 apps/aether/components/taskwarrior/cert-issuer.yaml create mode 100644 apps/aether/components/taskwarrior/kustomization.yaml create mode 100755 apps/aether/components/taskwarrior/upsert-secret-aether-taskwarrior.sh create mode 100644 apps/aether/deployment.yaml create mode 100644 apps/aether/kustomization.yaml create mode 100644 apps/aether/networkpolicy.yaml create mode 100644 apps/aether/service.yaml create mode 100755 apps/aether/upsert-secret-aether.sh create mode 100755 apps/aether/upsert-secrets.sh create mode 100644 apps/anki/components/istio/istio-virtualservice.yaml create mode 100644 apps/anki/components/istio/kustomization.yaml create mode 100644 apps/anki/components/pvc/anki-pvc.yaml create mode 100644 apps/anki/components/pvc/kustomization.yaml create mode 100644 apps/anki/deployment.yaml create mode 100644 apps/anki/kustomization.yaml create mode 100644 apps/anki/networkpolicy.yaml create mode 100644 apps/anki/service.yaml create mode 100755 apps/anki/upsert-secret-anki.sh create mode 100755 apps/anki/upsert-secrets.sh create mode 100644 apps/argocd/components/istio/istio-virtualservice.yaml create mode 100644 apps/argocd/components/istio/kustomization.yaml create mode 100644 apps/argocd/kustomization.yaml create mode 100644 apps/bookstack/components/istio/istio-virtualservice.yaml create mode 100644 apps/bookstack/components/istio/kustomization.yaml create mode 100644 apps/bookstack/components/oidc/kustomization.yaml create mode 100755 apps/bookstack/components/oidc/upsert-secret-bookstack-oidc.sh create mode 100644 apps/bookstack/deployment.yaml create mode 100644 
apps/bookstack/kustomization.yaml create mode 100644 apps/bookstack/networkpolicy.yaml create mode 100644 apps/bookstack/service.yaml create mode 100755 apps/bookstack/upsert-secret-bookstack.sh create mode 100755 apps/bookstack/upsert-secrets.sh create mode 100644 apps/changedetection/components/istio/istio-virtualservice.yaml create mode 100644 apps/changedetection/components/istio/kustomization.yaml create mode 100644 apps/changedetection/components/oidc/kustomization.yaml create mode 100644 apps/changedetection/components/oidc/oauth2-proxy-deployment.yaml create mode 100644 apps/changedetection/components/oidc/oauth2-proxy.properties create mode 100755 apps/changedetection/components/oidc/upsert-secret-changedetection-oidc.sh create mode 100644 apps/changedetection/components/playwright/kustomization.yaml create mode 100644 apps/changedetection/components/playwright/playwright-deployment.yaml create mode 100644 apps/changedetection/components/playwright/playwright-networkpolicy.yaml create mode 100644 apps/changedetection/components/playwright/playwright-service.yaml create mode 100644 apps/changedetection/components/pvc/changedetection-pvc.yaml create mode 100644 apps/changedetection/components/pvc/kustomization.yaml create mode 100644 apps/changedetection/components/restic-pvc/kustomization.yaml create mode 100755 apps/changedetection/components/restic-pvc/upsert-secret-changedetection-restic-pvc.sh create mode 100644 apps/changedetection/deployment.yaml create mode 100644 apps/changedetection/kustomization.yaml create mode 100644 apps/changedetection/networkpolicy.yaml create mode 100644 apps/changedetection/service.yaml create mode 100755 apps/changedetection/upsert-secrets.sh create mode 100644 apps/consul/components/istio/istio-virtualservice.yaml create mode 100644 apps/consul/components/istio/kustomization.yaml create mode 100644 apps/consul/consul.hcl create mode 100644 apps/consul/kustomization.yaml create mode 100644 apps/consul/networkpolicy.yaml 
create mode 100644 apps/consul/service.yaml create mode 100644 apps/consul/sts.yaml create mode 100755 apps/consul/upsert-secret-bookstack.sh create mode 100755 apps/consul/upsert-secrets.sh create mode 100644 apps/container-registry/components/istio/istio-virtualservice.yaml create mode 100644 apps/container-registry/components/istio/kustomization.yaml create mode 100644 apps/container-registry/components/pvc/cr-pvc.yaml create mode 100644 apps/container-registry/components/pvc/kustomization.yaml create mode 100644 apps/container-registry/config.yml create mode 100644 apps/container-registry/deployment.yaml create mode 100644 apps/container-registry/kustomization.yaml create mode 100644 apps/container-registry/networkpolicy.yaml create mode 100644 apps/container-registry/service.yaml create mode 100755 apps/container-registry/upsert-secrets.sh create mode 100644 apps/device-stalker/components/custom-config/kustomization.yaml create mode 100644 apps/device-stalker/deployment.yaml create mode 100644 apps/device-stalker/kustomization.yaml create mode 100644 apps/domain-exporter/components/config/kustomization.yaml create mode 100644 apps/domain-exporter/deployment.yaml create mode 100644 apps/domain-exporter/kustomization.yaml create mode 100644 apps/domain-exporter/networkpolicy.yaml create mode 100644 apps/domain-exporter/service.yaml create mode 100755 apps/domain-exporter/upsert-secrets.sh create mode 100644 apps/dyndns/client/components/aws-credentials/kustomization.yaml create mode 100755 apps/dyndns/client/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh create mode 100644 apps/dyndns/client/components/aws-endpoints/kustomization.yaml create mode 100644 apps/dyndns/client/components/aws-endpoints/upsert-secret-dyndns-aws-endpoints.sh create mode 100644 apps/dyndns/client/components/keypair/kustomization.yaml create mode 100755 apps/dyndns/client/components/keypair/upsert-secret-dyndns-keypair.sh create mode 100644 
apps/dyndns/client/deployment.yaml create mode 100644 apps/dyndns/client/kustomization.yaml create mode 100644 apps/dyndns/client/networkpolicy.yaml create mode 100755 apps/dyndns/client/upsert-secrets.sh create mode 100644 apps/dyndns/server/components/aws-credentials/kustomization.yaml create mode 100755 apps/dyndns/server/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh create mode 100644 apps/dyndns/server/components/aws-sqs/kustomization.yaml create mode 100755 apps/dyndns/server/components/aws-sqs/upsert-secret-dyndns-aws-sqs-url.sh create mode 100644 apps/dyndns/server/deployment.yaml create mode 100644 apps/dyndns/server/kustomization.yaml create mode 100644 apps/dyndns/server/networkpolicy.yaml create mode 100755 apps/dyndns/server/upsert-secrets.sh create mode 100644 apps/firefly/firefly-deployment.yaml create mode 100644 apps/firefly/firefly-service.yaml create mode 100644 apps/firefly/kustomization.yaml create mode 100644 apps/firefly/networkpolicy.yaml create mode 100644 apps/firefly/redis-deployment.yaml create mode 100644 apps/firefly/redis-service.yaml create mode 100755 apps/firefly/upsert-secrets.sh create mode 100644 apps/gatus/components/istio/istio-virtualservice.yaml create mode 100644 apps/gatus/components/istio/kustomization.yaml create mode 100644 apps/gatus/components/postgres/kustomization.yaml create mode 100644 apps/gatus/components/postgres/postgres-deployment.yaml create mode 100644 apps/gatus/components/postgres/postgres-service.yaml create mode 100755 apps/gatus/components/postgres/upsert-secret-miniflux-postgres.sh create mode 100644 apps/gatus/deployment.yaml create mode 100644 apps/gatus/kustomization.yaml create mode 100644 apps/gatus/networkpolicy.yaml create mode 100644 apps/gatus/service.yaml create mode 100755 apps/gatus/upsert-secrets.sh create mode 100644 apps/ghostfolio/components/istio/istio-virtualservice.yaml create mode 100644 apps/ghostfolio/components/istio/kustomization.yaml create mode 100644 
apps/ghostfolio/components/postgres-pvc/kustomization.yaml create mode 100644 apps/ghostfolio/components/postgres-pvc/postgres-pvc.yaml create mode 100644 apps/ghostfolio/components/postgres/kustomization.yaml create mode 100644 apps/ghostfolio/components/postgres/postgres-deployment.yaml create mode 100644 apps/ghostfolio/components/postgres/postgres-networkpolicy.yaml create mode 100644 apps/ghostfolio/components/postgres/postgres-service.yaml create mode 100755 apps/ghostfolio/components/postgres/upsert-secret-ghostfolio-postgres.sh create mode 100644 apps/ghostfolio/components/redis/kustomization.yaml create mode 100644 apps/ghostfolio/components/redis/redis-deployment.yaml create mode 100644 apps/ghostfolio/components/redis/redis-networkpolicy.yaml create mode 100644 apps/ghostfolio/components/redis/redis-service.yaml create mode 100755 apps/ghostfolio/components/upsert-secret-ghostfolio.sh create mode 100644 apps/ghostfolio/deployment.yaml create mode 100644 apps/ghostfolio/kustomization.yaml create mode 100644 apps/ghostfolio/networkpolicy.yaml create mode 100644 apps/ghostfolio/service.yaml create mode 100755 apps/ghostfolio/upsert-secrets.sh create mode 100644 apps/git-repo-backup/components/pvc/git-repo-pvc.yaml create mode 100644 apps/git-repo-backup/components/pvc/kustomization.yaml create mode 100644 apps/git-repo-backup/cronjob.yaml create mode 100644 apps/git-repo-backup/kustomization.yaml create mode 100755 apps/git-repo-backup/upsert-secrets.sh create mode 100644 apps/gitea/components/istio-proxy/kustomization.yaml create mode 100644 apps/gitea/components/istio/istio-virtualservice.yaml create mode 100644 apps/gitea/components/istio/kustomization.yaml create mode 100644 apps/gitea/components/pvc/gitea-pvc.yaml create mode 100644 apps/gitea/components/pvc/kustomization.yaml create mode 100644 apps/gitea/deployment.yaml create mode 100644 apps/gitea/kustomization.yaml create mode 100644 apps/gitea/service.yaml create mode 100755 
apps/gitea/upsert-secrets.sh create mode 100644 apps/grafana/components/database-mariadb/kustomization.yaml create mode 100755 apps/grafana/components/database-mariadb/upsert-secret-grafana-database-mariadb.sh create mode 100644 apps/grafana/components/istio/istio-virtualservice.yaml create mode 100644 apps/grafana/components/istio/kustomization.yaml create mode 100644 apps/grafana/components/oidc/grafana.properties create mode 100644 apps/grafana/components/oidc/kustomization.yaml create mode 100755 apps/grafana/components/oidc/upsert-secret-grafana-oidc.sh create mode 100644 apps/grafana/deployment.yaml create mode 100644 apps/grafana/grafana.properties create mode 100644 apps/grafana/kustomization.yaml create mode 100644 apps/grafana/networkpolicy.yaml create mode 100644 apps/grafana/service.yaml create mode 100755 apps/grafana/upsert-secret-grafana.sh create mode 100755 apps/grafana/upsert-secrets.sh create mode 100644 apps/hass/components/config-secrets/kustomization.yaml create mode 100644 apps/hass/components/istio/istio-virtualservice.yaml create mode 100644 apps/hass/components/istio/kustomization.yaml create mode 100644 apps/hass/components/pvc/hass-pvc.yaml create mode 100644 apps/hass/components/pvc/kustomization.yaml create mode 100644 apps/hass/components/restic-pvc/kustomization.yaml create mode 100755 apps/hass/components/restic-pvc/upsert-secret-hass-restic-pvc.sh create mode 100644 apps/hass/deployment.yaml create mode 100644 apps/hass/kustomization.yaml create mode 100644 apps/hass/networkpolicy.yaml create mode 100644 apps/hass/service.yaml create mode 100644 apps/hedgedoc/components/database-mariadb/kustomization.yaml create mode 100755 apps/hedgedoc/components/database-mariadb/upsert-secret-hedgedoc-database-mariadb.sh create mode 100644 apps/hedgedoc/components/istio-proxy/kustomization.yaml create mode 100644 apps/hedgedoc/components/istio/istio-virtualservice.yaml create mode 100644 apps/hedgedoc/components/istio/kustomization.yaml create 
mode 100644 apps/hedgedoc/components/minio/kustomization.yaml create mode 100755 apps/hedgedoc/components/minio/upsert-secret-hedgedoc-minio.sh create mode 100644 apps/hedgedoc/deployment.yaml create mode 100644 apps/hedgedoc/kustomization.yaml create mode 100644 apps/hedgedoc/networkpolicy.yaml create mode 100644 apps/hedgedoc/service.yaml create mode 100644 apps/hermes/components/istio/istio-virtualservice.yaml create mode 100644 apps/hermes/components/istio/kustomization.yaml create mode 100644 apps/hermes/deployment.yaml create mode 100644 apps/hermes/kustomization.yaml create mode 100644 apps/hermes/networkpolicy.yaml create mode 100644 apps/hermes/service.yaml create mode 100644 apps/homer/components/istio/istio-virtualservice.yaml create mode 100644 apps/homer/components/istio/kustomization.yaml create mode 100644 apps/homer/deployment.yaml create mode 100644 apps/homer/kustomization.yaml create mode 100644 apps/homer/networkpolicy.yaml create mode 100644 apps/homer/service.yaml create mode 100644 apps/httpbin/components/istio/istio-virtualservice.yaml create mode 100644 apps/httpbin/components/istio/kustomization.yaml create mode 100644 apps/httpbin/components/oidc/kustomization.yaml create mode 100644 apps/httpbin/components/oidc/oauth2-proxy.properties create mode 100644 apps/httpbin/components/oidc/oauth2-proxy.yaml create mode 100755 apps/httpbin/components/oidc/upsert-secret-httpbin-oidc.sh create mode 100644 apps/httpbin/deployment.yaml create mode 100644 apps/httpbin/kustomization.yaml create mode 100644 apps/httpbin/networkpolicy.yaml create mode 100644 apps/httpbin/service.yaml create mode 100755 apps/httpbin/upsert-secrets.sh create mode 100644 apps/imapfilter/imapfilter.yaml create mode 100644 apps/imapfilter/kustomization.yaml create mode 100644 apps/imapfilter/networkpolicy.yaml create mode 100644 apps/immich/components/istio/istio-virtualservice.yaml create mode 100644 apps/immich/components/istio/kustomization.yaml create mode 100644 
apps/immich/components/pgvector/kustomization.yaml create mode 100644 apps/immich/components/pgvector/postgres-pvc.yaml create mode 100644 apps/immich/components/pgvector/postgres-service.yaml create mode 100644 apps/immich/components/pgvector/postgres-sts.yaml create mode 100644 apps/immich/components/pvc/kustomization.yaml create mode 100644 apps/immich/components/pvc/pvc.yaml create mode 100644 apps/immich/components/restic-postgres/kustomization.yaml create mode 100755 apps/immich/components/restic-postgres/upsert-secret-immich-restic-postgres.sh create mode 100644 apps/immich/components/restic-pvc/kustomization.yaml create mode 100755 apps/immich/components/restic-pvc/upsert-secret-immich-restic-pvc.sh create mode 100644 apps/immich/immich-machinelearning-deployment.yaml create mode 100644 apps/immich/immich-machinelearning-service.yaml create mode 100644 apps/immich/immich-server-deployment.yaml create mode 100644 apps/immich/immich-server-service.yaml create mode 100644 apps/immich/immich.properties create mode 100644 apps/immich/kustomization.yaml create mode 100644 apps/immich/redis-deployment.yaml create mode 100644 apps/immich/redis-service.yaml create mode 100755 apps/immich/upsert-secret-immich.sh create mode 100755 apps/immich/upsert-secrets.sh create mode 100644 apps/jellyfin/components/istio/istio-virtualservice.yaml create mode 100644 apps/jellyfin/components/istio/kustomization.yaml create mode 100644 apps/jellyfin/components/pvc-config/jellyfin-pvc.yaml create mode 100644 apps/jellyfin/components/pvc-config/kustomization.yaml create mode 100644 apps/jellyfin/components/storage-healthcheck/healthcheck.sh create mode 100644 apps/jellyfin/components/storage-healthcheck/kustomization.yaml create mode 100644 apps/jellyfin/kustomization.yaml create mode 100644 apps/jellyfin/service.yaml create mode 100644 apps/jellyfin/statefulset.yaml create mode 100644 apps/keycloak/components/db-mariadb/kustomization.yaml create mode 100755 
apps/keycloak/components/db-mariadb/upsert-secret-keycloak-db-mariadb.sh create mode 100644 apps/keycloak/components/istio-proxy/kustomization.yaml create mode 100644 apps/keycloak/components/istio/istio-virtualservice.yaml create mode 100644 apps/keycloak/components/istio/kustomization.yaml create mode 100644 apps/keycloak/deployment.yaml create mode 100644 apps/keycloak/keycloak.properties create mode 100644 apps/keycloak/kustomization.yaml create mode 100644 apps/keycloak/networkpolicy.yaml create mode 100644 apps/keycloak/service.yaml create mode 100755 apps/keycloak/upsert-secret-keycloak.sh create mode 100755 apps/keycloak/upsert-secrets.sh create mode 100644 apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-nowildcards.yaml create mode 100644 apps/kyverno/components/default-clusterpolicies/cp-require-labels.yaml create mode 100644 apps/kyverno/components/default-clusterpolicies/cp-require-pod-requests-limits.yaml create mode 100644 apps/kyverno/components/default-clusterpolicies/cp-require-ro-rootfs.yaml create mode 100644 apps/kyverno/components/default-clusterpolicies/kustomization.yaml create mode 100755 apps/kyverno/helm-fan-out.sh create mode 100644 apps/kyverno/kustomization.yaml create mode 100644 apps/linkding/components/istio/istio-virtualservice.yaml create mode 100644 apps/linkding/components/istio/kustomization.yaml create mode 100644 apps/linkding/components/oidc/kustomization.yaml create mode 100644 apps/linkding/components/oidc/linkding.properties create mode 100644 apps/linkding/components/oidc/oauth2-proxy.properties create mode 100644 apps/linkding/components/oidc/oauth2-proxy.yaml create mode 100644 apps/linkding/components/oidc/upsert-secert-oauth2-proxy.sh create mode 100644 apps/linkding/components/postgres-pvc/kustomization.yaml create mode 100644 apps/linkding/components/postgres-pvc/postgres-pvc.yaml create mode 100644 apps/linkding/components/postgres/kustomization.yaml create mode 100644 
apps/linkding/components/postgres/linkding.properties create mode 100644 apps/linkding/components/postgres/postgres-deployment.yaml create mode 100644 apps/linkding/components/postgres/postgres-networkpolicy.yaml create mode 100644 apps/linkding/components/postgres/postgres-service.yaml create mode 100755 apps/linkding/components/postgres/upsert-secret-linkding-postgres.sh create mode 100644 apps/linkding/components/restic-postgres/kustomization.yaml create mode 100755 apps/linkding/components/restic-postgres/upsert-secret-linkding-restic-postgres.sh create mode 100644 apps/linkding/deployment.yaml create mode 100644 apps/linkding/kustomization.yaml create mode 100644 apps/linkding/linkding.properties create mode 100644 apps/linkding/networkpolicy.yaml create mode 100644 apps/linkding/service.yaml create mode 100755 apps/linkding/upsert-secret-linkding.sh create mode 100755 apps/linkding/upsert-secrets.sh create mode 100644 apps/loki/components/istio/istio-virtualservice.yaml create mode 100644 apps/loki/components/istio/kustomization.yaml create mode 100644 apps/loki/components/monolith/kustomization.yaml create mode 100644 apps/loki/components/monolith/loki-config.yaml create mode 100644 apps/loki/components/pvc/kustomization.yaml create mode 100644 apps/loki/components/pvc/loki-pvc.yaml create mode 100644 apps/loki/deployment.yaml create mode 100644 apps/loki/kustomization.yaml create mode 100644 apps/loki/networkpolicy.yaml create mode 100644 apps/loki/service.yaml create mode 100644 apps/mariadb-galera/components/istio/istio-virtualservice.yaml create mode 100644 apps/mariadb-galera/components/istio/kustomization.yaml create mode 100644 apps/mariadb-galera/components/pvc/kustomization.yaml create mode 100644 apps/mariadb-galera/components/pvc/pvc.yaml create mode 100644 apps/mariadb-galera/components/restic-mariadb/kustomization.yaml create mode 100755 apps/mariadb-galera/components/restic-mariadb/upsert-secret-restic-mariadb.sh create mode 100644 
apps/mariadb-galera/components/tls-wsrep/cert-wsrep.yaml create mode 100644 apps/mariadb-galera/components/tls-wsrep/cm-sst-cnf.yaml create mode 100644 apps/mariadb-galera/components/tls-wsrep/issuer.yaml create mode 100644 apps/mariadb-galera/components/tls-wsrep/kustomization.yaml create mode 100644 apps/mariadb-galera/components/tls/cert-certificate.yaml create mode 100644 apps/mariadb-galera/components/tls/kustomization.yaml create mode 100644 apps/mariadb-galera/kustomization.yaml create mode 100644 apps/mariadb-galera/mariadb.properties create mode 100644 apps/mariadb-galera/service.yaml create mode 100644 apps/mariadb-galera/statefulset.yaml create mode 100755 apps/mariadb-galera/upsert-secret-mariadb.sh create mode 100644 apps/mariadb/service.yaml create mode 100644 apps/mariadb/statefulset.yaml create mode 100644 apps/mealie/components/istio/istio-virtualservice.yaml create mode 100644 apps/mealie/components/istio/kustomization.yaml create mode 100644 apps/mealie/components/mealie-pvc/kustomization.yaml create mode 100644 apps/mealie/components/mealie-pvc/mealie-pvc.yaml create mode 100644 apps/mealie/components/oidc/kustomization.yaml create mode 100755 apps/mealie/components/oidc/upsert-secret-mealie-oidc.sh create mode 100644 apps/mealie/components/postgres-pvc/kustomization.yaml create mode 100644 apps/mealie/components/postgres-pvc/postgres-pvc.yaml create mode 100644 apps/mealie/components/postgres/kustomization.yaml create mode 100644 apps/mealie/components/postgres/mealie.properties create mode 100644 apps/mealie/components/postgres/postgres-deployment.yaml create mode 100644 apps/mealie/components/postgres/postgres-service.yaml create mode 100755 apps/mealie/components/postgres/upsert-secret-mealie-postgres.sh create mode 100644 apps/mealie/components/restic-postgres/kustomization.yaml create mode 100755 apps/mealie/components/restic-postgres/upsert-secret-mealie-restic-postgres.sh create mode 100644 
apps/mealie/components/restic-pvc/kustomization.yaml create mode 100755 apps/mealie/components/restic-pvc/upsert-secret-mealie-restic-pvc.sh create mode 100644 apps/mealie/deployment.yaml create mode 100644 apps/mealie/kustomization.yaml create mode 100644 apps/mealie/mealie.properties create mode 100644 apps/mealie/networkpolicy.yaml create mode 100644 apps/mealie/service.yaml create mode 100755 apps/mealie/upsert-secret-mealie.sh create mode 100755 apps/mealie/upsert-secrets.sh create mode 100755 apps/media/build-radarr-apikey.sh create mode 100644 apps/media/components/postgres-pvc/kustomization.yaml create mode 100644 apps/media/components/postgres-pvc/postgres-pvc.yaml create mode 100644 apps/media/components/postgres/kustomization.yaml create mode 100644 apps/media/components/postgres/postgres-deployment.yaml create mode 100644 apps/media/components/postgres/postgres-service.yaml create mode 100755 apps/media/components/postgres/upsert-secret-media-postgres.sh create mode 100644 apps/media/components/reverse-proxy-istio/istio-virtualservice.yaml create mode 100644 apps/media/components/reverse-proxy-istio/kustomization.yaml create mode 100644 apps/media/components/reverse-proxy-oidc/kustomization.yaml create mode 100644 apps/media/components/reverse-proxy-oidc/oauth2-proxy.properties create mode 100644 apps/media/components/reverse-proxy-oidc/oauth2-proxy.yaml create mode 100755 apps/media/components/reverse-proxy-oidc/upsert-secret-media-reverse-proxy-oidc.sh create mode 100644 apps/media/components/reverse-proxy/kustomization.yaml create mode 100644 apps/media/components/reverse-proxy/nginx.conf create mode 100644 apps/media/components/reverse-proxy/reverse-proxy-deployment.yaml create mode 100644 apps/media/components/reverse-proxy/reverse-proxy-service.yaml create mode 100644 apps/media/lidarr/components/istio/istio-virtualservice.yaml create mode 100644 apps/media/lidarr/components/istio/kustomization.yaml create mode 100644 
apps/media/lidarr/components/postgres/kustomization.yaml create mode 100644 apps/media/lidarr/components/postgres/patch-initcontainer.yaml create mode 100755 apps/media/lidarr/components/postgres/upsert-secret-media-lidarr-postgres.sh create mode 100644 apps/media/lidarr/components/reverse-proxy/kustomization.yaml create mode 100644 apps/media/lidarr/deployment.yaml create mode 100644 apps/media/lidarr/kustomization.yaml create mode 100644 apps/media/lidarr/networkpolicy.yaml create mode 100644 apps/media/lidarr/service.yaml create mode 100644 apps/media/prowlarr/components/istio/istio-virtualservice.yaml create mode 100644 apps/media/prowlarr/components/istio/kustomization.yaml create mode 100644 apps/media/prowlarr/components/postgres/kustomization.yaml create mode 100644 apps/media/prowlarr/components/postgres/patch-initcontainer.yaml create mode 100755 apps/media/prowlarr/components/postgres/upsert-secret-media-prowlarr-postgres.sh create mode 100644 apps/media/prowlarr/components/reverse-proxy/kustomization.yaml create mode 100644 apps/media/prowlarr/deployment.yaml create mode 100644 apps/media/prowlarr/kustomization.yaml create mode 100644 apps/media/prowlarr/networkpolicy.yaml create mode 100644 apps/media/prowlarr/service.yaml create mode 100644 apps/media/radarr/components/istio/istio-virtualservice.yaml create mode 100644 apps/media/radarr/components/istio/kustomization.yaml create mode 100644 apps/media/radarr/components/postgres/kustomization.yaml create mode 100644 apps/media/radarr/components/postgres/patch-initcontainer.yaml create mode 100755 apps/media/radarr/components/postgres/upsert-secret-media-radarr-postgres.sh create mode 100644 apps/media/radarr/components/reverse-proxy/kustomization.yaml create mode 100644 apps/media/radarr/deployment.yaml create mode 100644 apps/media/radarr/kustomization.yaml create mode 100644 apps/media/radarr/networkpolicy.yaml create mode 100644 apps/media/radarr/service.yaml create mode 100644 
apps/media/sonarr/components/istio/istio-virtualservice.yaml create mode 100644 apps/media/sonarr/components/istio/kustomization.yaml create mode 100644 apps/media/sonarr/components/postgres/kustomization.yaml create mode 100644 apps/media/sonarr/components/postgres/patch-initcontainer.yaml create mode 100755 apps/media/sonarr/components/postgres/upsert-secret-media-sonarr-postgres.sh create mode 100644 apps/media/sonarr/components/reverse-proxy/kustomization.yaml create mode 100644 apps/media/sonarr/deployment.yaml create mode 100644 apps/media/sonarr/kustomization.yaml create mode 100644 apps/media/sonarr/networkpolicy.yaml create mode 100644 apps/media/sonarr/service.yaml create mode 100755 apps/media/upsert-secret-smb.sh create mode 100755 apps/media/upsert-secrets.sh create mode 100644 apps/microbin/components/istio-proxy/kustomization.yaml create mode 100644 apps/microbin/components/istio/istio-virtualservice.yaml create mode 100644 apps/microbin/components/istio/kustomization.yaml create mode 100644 apps/microbin/components/pvc/kustomization.yaml create mode 100644 apps/microbin/components/pvc/microbin-pvc.yaml create mode 100644 apps/microbin/components/restic-pvc/kustomization.yaml create mode 100755 apps/microbin/components/restic-pvc/upsert-secret-microbin-restic-pvc.sh create mode 100644 apps/microbin/deployment.yaml create mode 100644 apps/microbin/kustomization.yaml create mode 100644 apps/microbin/microbin.properties create mode 100644 apps/microbin/networkpolicy.yaml create mode 100644 apps/microbin/service.yaml create mode 100755 apps/microbin/upsert-secret-microbin.sh create mode 100755 apps/microbin/upsert-secrets.sh create mode 100644 apps/miniflux/components/istio/istio-virtualservice.yaml create mode 100644 apps/miniflux/components/istio/kustomization.yaml create mode 100644 apps/miniflux/components/oidc/kustomization.yaml create mode 100755 apps/miniflux/components/oidc/upsert-secret-miniflux-oidc.sh create mode 100644 
apps/miniflux/components/postgres-pvc/kustomization.yaml create mode 100644 apps/miniflux/components/postgres-pvc/postgres-pvc.yaml create mode 100644 apps/miniflux/components/postgres/kustomization.yaml create mode 100644 apps/miniflux/components/postgres/postgres-deployment.yaml create mode 100644 apps/miniflux/components/postgres/postgres-service.yaml create mode 100755 apps/miniflux/components/postgres/upsert-secret-miniflux-postgres.sh create mode 100644 apps/miniflux/deployment.yaml create mode 100644 apps/miniflux/kustomization.yaml create mode 100644 apps/miniflux/miniflux.properties create mode 100644 apps/miniflux/networkpolicy.yaml create mode 100644 apps/miniflux/service.yaml create mode 100755 apps/miniflux/upsert-secret-miniflux.sh create mode 100755 apps/miniflux/upsert-secrets.sh create mode 100644 apps/minio-mirror/cronjob.yaml create mode 100644 apps/minio-mirror/kustomization.yaml create mode 100644 apps/minio/components/istio/istio-destinationrule-console.yaml create mode 100644 apps/minio/components/istio/istio-destinationrule.yaml create mode 100644 apps/minio/components/istio/istio-virtualservice-console.yaml create mode 100644 apps/minio/components/istio/istio-virtualservice.yaml create mode 100644 apps/minio/components/istio/kustomization.yaml create mode 100644 apps/minio/components/istio/minio-certificate.yaml create mode 100644 apps/minio/components/pvc/kustomization.yaml create mode 100644 apps/minio/components/pvc/minio-pvc.yaml create mode 100644 apps/minio/deployment.yaml create mode 100644 apps/minio/kustomization.yaml create mode 100644 apps/minio/service.yaml create mode 100755 apps/minio/upsert-secret-minio.sh create mode 100755 apps/minio/upsert-secrets.sh create mode 100644 apps/monitoring/alertmanager/components/cluster-istio/istio-virtualservice.yaml create mode 100644 apps/monitoring/alertmanager/components/cluster-istio/kustomization.yaml create mode 100644 
apps/monitoring/alertmanager/components/cluster-tls/cluster-tls-config.yaml create mode 100644 apps/monitoring/alertmanager/components/cluster-tls/kustomization.yaml create mode 100644 apps/monitoring/alertmanager/components/cluster-tls/patch.yaml create mode 100644 apps/monitoring/alertmanager/components/config/kustomization.yaml create mode 100644 apps/monitoring/alertmanager/components/config/patch.yaml create mode 100755 apps/monitoring/alertmanager/components/config/upsert-secret-alertmanager-config.sh create mode 100644 apps/monitoring/alertmanager/components/istio/istio-virtualservice.yaml create mode 100644 apps/monitoring/alertmanager/components/istio/kustomization.yaml create mode 100644 apps/monitoring/alertmanager/components/reverse-proxy/kustomization.yaml create mode 100644 apps/monitoring/alertmanager/deployment.yaml create mode 100644 apps/monitoring/alertmanager/kustomization.yaml create mode 100644 apps/monitoring/alertmanager/networkpolicy.yaml create mode 100644 apps/monitoring/alertmanager/service.yaml create mode 100644 apps/monitoring/blackbox_exporter/components/custom-config/kustomization.yaml create mode 100644 apps/monitoring/blackbox_exporter/components/istio/istio-virtualservice.yaml create mode 100644 apps/monitoring/blackbox_exporter/components/istio/kustomization.yaml create mode 100644 apps/monitoring/blackbox_exporter/components/reverse-proxy/kustomization.yaml create mode 100644 apps/monitoring/blackbox_exporter/components/tls-client-cert/kustomization.yaml create mode 100644 apps/monitoring/blackbox_exporter/deployment.yaml create mode 100644 apps/monitoring/blackbox_exporter/kustomization.yaml create mode 100644 apps/monitoring/blackbox_exporter/networkpolicy.yaml create mode 100644 apps/monitoring/blackbox_exporter/service.yaml create mode 100644 apps/monitoring/components/reverse-proxy-istio/istio-virtualservice.yaml create mode 100644 apps/monitoring/components/reverse-proxy-istio/kustomization.yaml create mode 100644 
apps/monitoring/components/reverse-proxy-oidc/kustomization.yaml create mode 100644 apps/monitoring/components/reverse-proxy-oidc/oauth2-proxy.properties create mode 100644 apps/monitoring/components/reverse-proxy-oidc/oauth2-proxy.yaml create mode 100755 apps/monitoring/components/reverse-proxy-oidc/upsert-secret-monitoring-reverse-proxy-oidc.sh create mode 100644 apps/monitoring/components/reverse-proxy/kustomization.yaml create mode 100644 apps/monitoring/components/reverse-proxy/nginx.conf create mode 100644 apps/monitoring/components/reverse-proxy/reverse-proxy-deployment.yaml create mode 100644 apps/monitoring/components/reverse-proxy/reverse-proxy-service.yaml create mode 100644 apps/monitoring/components/tls-client-cert/certificate.yaml create mode 100644 apps/monitoring/components/tls-client-cert/issuer.yaml create mode 100644 apps/monitoring/components/tls-client-cert/kustomization.yaml create mode 100644 apps/monitoring/karma/components/istio/istio-virtualservice.yaml create mode 100644 apps/monitoring/karma/components/istio/kustomization.yaml create mode 100644 apps/monitoring/karma/components/reverse-proxy/kustomization.yaml create mode 100644 apps/monitoring/karma/deployment.yaml create mode 100644 apps/monitoring/karma/kustomization.yaml create mode 100644 apps/monitoring/karma/service.yaml create mode 100644 apps/monitoring/kube-state-metrics/components/rbac/cluster-role-binding.yaml create mode 100644 apps/monitoring/kube-state-metrics/components/rbac/cluster-role.yaml create mode 100644 apps/monitoring/kube-state-metrics/components/rbac/kustomization.yaml create mode 100644 apps/monitoring/kube-state-metrics/deployment.yaml create mode 100644 apps/monitoring/kube-state-metrics/kustomization.yaml create mode 100644 apps/monitoring/kube-state-metrics/networkpolicy.yaml create mode 100644 apps/monitoring/kube-state-metrics/service-account.yaml create mode 100644 apps/monitoring/kube-state-metrics/service.yaml create mode 100644 
apps/monitoring/namespace.yml create mode 100644 apps/monitoring/prometheus/components/config/kustomization.yaml create mode 100755 apps/monitoring/prometheus/components/config/upsert-secret-prometheus-config.sh create mode 100644 apps/monitoring/prometheus/components/istio/istio-virtualservice.yaml create mode 100644 apps/monitoring/prometheus/components/istio/kustomization.yaml create mode 100644 apps/monitoring/prometheus/components/oidc/deployment.yaml create mode 100644 apps/monitoring/prometheus/components/oidc/kustomization.yaml create mode 100644 apps/monitoring/prometheus/components/oidc/oauth2-proxy.properties create mode 100755 apps/monitoring/prometheus/components/oidc/upsert-secret-prometheus-oidc.sh create mode 100644 apps/monitoring/prometheus/components/rbac/clusterrole-binding.yaml create mode 100644 apps/monitoring/prometheus/components/rbac/clusterrole.yaml create mode 100644 apps/monitoring/prometheus/components/rbac/kustomization.yaml create mode 100644 apps/monitoring/prometheus/components/reverse-proxy/kustomization.yaml create mode 100644 apps/monitoring/prometheus/components/tls-client-cert/kustomization.yaml create mode 100644 apps/monitoring/prometheus/deployment.yaml create mode 100644 apps/monitoring/prometheus/kustomization.yaml create mode 100644 apps/monitoring/prometheus/networkpolicy.yaml create mode 100644 apps/monitoring/prometheus/service.yaml create mode 100644 apps/monitoring/prometheus/serviceaccount.yaml create mode 100644 apps/monitoring/pushgateway/components/istio/istio-virtualservice.yaml create mode 100644 apps/monitoring/pushgateway/components/istio/kustomization.yaml create mode 100644 apps/monitoring/pushgateway/components/reverse-proxy/kustomization.yaml create mode 100644 apps/monitoring/pushgateway/deployment.yaml create mode 100644 apps/monitoring/pushgateway/kustomization.yaml create mode 100644 apps/monitoring/pushgateway/networkpolicy.yaml create mode 100644 apps/monitoring/pushgateway/service.yaml create mode 
100755 apps/monitoring/upsert-secrets.sh create mode 100644 apps/monitoring/victoriametrics/components/istio/istio-virtualservice.yaml create mode 100644 apps/monitoring/victoriametrics/components/istio/kustomization.yaml create mode 100644 apps/monitoring/victoriametrics/deployment.yaml create mode 100644 apps/monitoring/victoriametrics/kustomization.yaml create mode 100644 apps/monitoring/victoriametrics/networkpolicy.yaml create mode 100644 apps/monitoring/victoriametrics/service.yaml create mode 100644 apps/monitoring/vmalert/components/initcontainer-seed-rules/kustomization.yaml create mode 100644 apps/monitoring/vmalert/components/initcontainer-seed-rules/patch-initcontainer.yaml create mode 100644 apps/monitoring/vmalert/components/istio/istio-virtualservice.yaml create mode 100644 apps/monitoring/vmalert/components/istio/kustomization.yaml create mode 100644 apps/monitoring/vmalert/components/tls-client-cert/kustomization.yaml create mode 100644 apps/monitoring/vmalert/deployment.yaml create mode 100644 apps/monitoring/vmalert/kustomization.yaml create mode 100644 apps/monitoring/vmalert/networkpolicy.yaml create mode 100644 apps/mosquitto/components/istio/istio-virtualservice.yaml create mode 100644 apps/mosquitto/components/istio/kustomization.yaml create mode 100644 apps/mosquitto/components/tls/certificate.yaml create mode 100644 apps/mosquitto/components/tls/configmap-ca.yaml create mode 100644 apps/mosquitto/components/tls/kustomization.yaml create mode 100644 apps/mosquitto/components/tls/mosquitto.conf create mode 100755 apps/mosquitto/components/tls/upsert-ca.sh create mode 100644 apps/mosquitto/deployment.yaml create mode 100644 apps/mosquitto/kustomization.yaml create mode 100644 apps/mosquitto/mosquitto.conf create mode 100644 apps/mosquitto/service.yaml create mode 100644 apps/mysqld-exporter/components/configfile/kustomization.yaml create mode 100755 apps/mysqld-exporter/components/configfile/upsert-secret-mysqld-exporter-configfile.sh create 
mode 100644 apps/mysqld-exporter/deployment.yaml create mode 100644 apps/mysqld-exporter/kustomization.yaml create mode 100755 apps/mysqld-exporter/upsert-secret-mysqld-exporter.sh create mode 100644 apps/navidrome/components/istio/istio-virtualservice.yaml create mode 100644 apps/navidrome/components/istio/kustomization.yaml create mode 100644 apps/navidrome/components/oidc/kustomization.yaml create mode 100644 apps/navidrome/components/pvc/kustomization.yaml create mode 100644 apps/navidrome/components/pvc/navidrome-data-pvc.yaml create mode 100644 apps/navidrome/components/restic-pvc/kustomization.yaml create mode 100755 apps/navidrome/components/restic-pvc/upsert-secret-navidrome-restic-pvc.sh create mode 100644 apps/navidrome/deployment.yaml create mode 100644 apps/navidrome/kustomization.yaml create mode 100644 apps/navidrome/networkpolicy.yaml create mode 100644 apps/navidrome/service.yaml create mode 100755 apps/navidrome/upsert-secrets.sh create mode 100644 apps/nextcloud/components/istio/istio-virtualservice.yaml create mode 100644 apps/nextcloud/components/istio/kustomization.yaml create mode 100644 apps/nextcloud/components/mariadb/kustomization.yaml create mode 100644 apps/nextcloud/components/mariadb/mariadb-service.yaml create mode 100644 apps/nextcloud/components/mariadb/mariadb-sts.yaml create mode 100644 apps/nextcloud/components/mariadb/nextcloud.properties create mode 100644 apps/nextcloud/components/pvc/kustomization.yaml create mode 100644 apps/nextcloud/components/pvc/pvc.yaml create mode 100644 apps/nextcloud/deployment.yaml create mode 100644 apps/nextcloud/kustomization.yaml create mode 100644 apps/nextcloud/nextcloud.properties create mode 100644 apps/nextcloud/nginx.conf create mode 100644 apps/nextcloud/service.yaml create mode 100755 apps/nextcloud/upsert-secret-nextcloud.sh create mode 100755 apps/nextcloud/upsert-secrets.sh create mode 100644 apps/onlyoffice/components/istio/istio-virtualservice.yaml create mode 100644 
apps/onlyoffice/components/istio/kustomization.yaml create mode 100644 apps/onlyoffice/components/mariadb/kustomization.yaml create mode 100644 apps/onlyoffice/components/mariadb/mariadb-service.yaml create mode 100644 apps/onlyoffice/components/mariadb/mariadb-sts.yaml create mode 100644 apps/onlyoffice/components/mariadb/onlyoffice.properties create mode 100755 apps/onlyoffice/components/mariadb/upsert-secret-onlyoffice-mariadb.sh create mode 100644 apps/onlyoffice/components/rabbitmq/00-rabbitmq.conf create mode 100644 apps/onlyoffice/components/rabbitmq/kustomization.yaml create mode 100644 apps/onlyoffice/components/rabbitmq/onlyoffice.properties create mode 100644 apps/onlyoffice/components/rabbitmq/rabbitmq-amqp-service.yaml create mode 100644 apps/onlyoffice/components/rabbitmq/statefulset.yaml create mode 100755 apps/onlyoffice/components/rabbitmq/upsert-secret-onlyoffice-mariadb.sh create mode 100644 apps/onlyoffice/components/redis/kustomization.yaml create mode 100644 apps/onlyoffice/components/redis/onlyoffice.properties create mode 100644 apps/onlyoffice/components/redis/redis-deployment.yaml create mode 100644 apps/onlyoffice/components/redis/redis-service.yaml create mode 100755 apps/onlyoffice/components/redis/upsert-secret-onlyoffice-mariadb.sh create mode 100644 apps/onlyoffice/kustomization.yaml create mode 100644 apps/onlyoffice/onlyoffice-deployment.yaml create mode 100644 apps/onlyoffice/onlyoffice-service.yaml create mode 100644 apps/onlyoffice/onlyoffice.properties create mode 100755 apps/onlyoffice/upsert-secrets.sh create mode 100644 apps/paperless-ngx/components/database-mariadb/kustomization.yaml create mode 100755 apps/paperless-ngx/components/database-mariadb/upsert-secret-paperless-ngx-database-mariadb.sh create mode 100644 apps/paperless-ngx/components/istio-proxy/kustomization.yaml create mode 100644 apps/paperless-ngx/components/istio/istio-virtualservice.yaml create mode 100644 
apps/paperless-ngx/components/istio/kustomization.yaml create mode 100644 apps/paperless-ngx/components/oidc/kustomization.yaml create mode 100644 apps/paperless-ngx/components/oidc/oauth2-proxy-deployment.yaml create mode 100644 apps/paperless-ngx/components/oidc/oauth2-proxy.properties create mode 100644 apps/paperless-ngx/components/oidc/paperless.properties create mode 100755 apps/paperless-ngx/components/oidc/upsert-secret-paperless-ngx-oidc.sh create mode 100644 apps/paperless-ngx/components/pvc/kustomization.yaml create mode 100644 apps/paperless-ngx/components/pvc/paperless-pvc-consumption.yaml create mode 100644 apps/paperless-ngx/components/pvc/paperless-pvc-storage.yaml create mode 100644 apps/paperless-ngx/components/restic-pvc/kustomization.yaml create mode 100755 apps/paperless-ngx/components/restic-pvc/upsert-secret-paperless-ngx-restic-pvc.sh create mode 100644 apps/paperless-ngx/components/tika/gotenberg-deployment.yaml create mode 100644 apps/paperless-ngx/components/tika/gotenberg-service.yaml create mode 100644 apps/paperless-ngx/components/tika/kustomization.yaml create mode 100644 apps/paperless-ngx/components/tika/paperless.properties create mode 100644 apps/paperless-ngx/components/tika/tika-deployment.yaml create mode 100644 apps/paperless-ngx/components/tika/tika-service.yaml create mode 100644 apps/paperless-ngx/kustomization.yaml create mode 100644 apps/paperless-ngx/networkpolicy.yaml create mode 100644 apps/paperless-ngx/paperless-ngx-cm-fixed-entrypoint-script.yaml create mode 100644 apps/paperless-ngx/paperless-ngx-deployment.yaml create mode 100644 apps/paperless-ngx/paperless-ngx-service.yaml create mode 100644 apps/paperless-ngx/paperless.properties create mode 100644 apps/paperless-ngx/redis-deployment.yaml create mode 100644 apps/paperless-ngx/redis-service.yaml create mode 100755 apps/paperless-ngx/upsert-secret-paperless-ngx.sh create mode 100755 apps/paperless-ngx/upsert-secrets.sh create mode 100644 
apps/pydio/deployment.yaml create mode 100644 apps/pydio/namespace.yaml create mode 100644 apps/pydio/pv.yaml create mode 100644 apps/pydio/pvc.yaml create mode 100644 apps/pydio/service.yaml create mode 100755 apps/pydio/upsert-secrets.sh create mode 100644 apps/pydio/virtualservice.yaml create mode 100644 apps/rabbitmq/00-rabbitmq.conf create mode 100644 apps/rabbitmq/components/cluster-tls/certificate.yaml create mode 100644 apps/rabbitmq/components/cluster-tls/inter_node_tls.config create mode 100644 apps/rabbitmq/components/cluster-tls/issuer.yaml create mode 100644 apps/rabbitmq/components/cluster-tls/kustomization.yaml create mode 100644 apps/rabbitmq/components/istio-proxy/kustomization.yaml create mode 100644 apps/rabbitmq/components/istio/istio-virtualservice.yaml create mode 100644 apps/rabbitmq/components/istio/kustomization.yaml create mode 100644 apps/rabbitmq/components/tls-server-cert/10-ssl.conf create mode 100644 apps/rabbitmq/components/tls-server-cert/cert-certificate.yaml create mode 100644 apps/rabbitmq/components/tls-server-cert/kustomization.yaml create mode 100644 apps/rabbitmq/kustomization.yaml create mode 100644 apps/rabbitmq/rabbitmq-amqp-service.yaml create mode 100644 apps/rabbitmq/rabbitmq-management-service.yaml create mode 100644 apps/rabbitmq/statefulset.yaml create mode 100755 apps/rabbitmq/upsert-secrets.sh create mode 100644 apps/radicale/components/istio-proxy/kustomization.yaml create mode 100644 apps/radicale/components/istio/istio-virtualservice.yaml create mode 100644 apps/radicale/components/istio/kustomization.yaml create mode 100644 apps/radicale/components/pvc/kustomization.yaml create mode 100644 apps/radicale/components/pvc/radicale-pvc.yaml create mode 100644 apps/radicale/components/restic-pvc/kustomization.yaml create mode 100755 apps/radicale/components/restic-pvc/upsert-secret-radicale-restic-pvc.sh create mode 100644 apps/radicale/deployment.yaml create mode 100644 apps/radicale/kustomization.yaml create mode 
100644 apps/radicale/networkpolicy.yaml create mode 100644 apps/radicale/service.yaml create mode 100755 apps/radicale/upsert-secret-radicale.sh create mode 100755 apps/radicale/upsert-secrets.sh create mode 100644 apps/reloader/components/rbac/clusterrole-binding.yaml create mode 100644 apps/reloader/components/rbac/clusterrole.yaml create mode 100644 apps/reloader/components/rbac/kustomization.yaml create mode 100644 apps/reloader/deployment.yaml create mode 100644 apps/reloader/kustomization.yaml create mode 100644 apps/reloader/networkpolicy.yaml create mode 100644 apps/reloader/serviceaccount.yaml create mode 100755 apps/reloader/upsert-secrets.sh create mode 100644 apps/renovatebot/components/pvc/kustomization.yaml create mode 100644 apps/renovatebot/components/pvc/renovate-pvc.yaml create mode 100644 apps/renovatebot/cronjob.yaml create mode 100644 apps/renovatebot/kustomization.yaml create mode 100755 apps/renovatebot/upsert-secret-renovate.sh create mode 100755 apps/renovatebot/upsert-secrets.sh create mode 100644 apps/stirling-pdf/components/ha/kustomization.yaml create mode 100644 apps/stirling-pdf/components/istio-proxy/kustomization.yaml create mode 100644 apps/stirling-pdf/components/istio/istio-virtualservice.yaml create mode 100644 apps/stirling-pdf/components/istio/kustomization.yaml create mode 100644 apps/stirling-pdf/deployment.yaml create mode 100644 apps/stirling-pdf/kustomization.yaml create mode 100644 apps/stirling-pdf/networkpolicy.yaml create mode 100644 apps/stirling-pdf/service.yaml create mode 100755 apps/stirling-pdf/upsert-secrets.sh create mode 100644 apps/string-is/components/ha/kustomization.yaml create mode 100644 apps/string-is/components/istio-proxy/kustomization.yaml create mode 100644 apps/string-is/components/istio/istio-virtualservice.yaml create mode 100644 apps/string-is/components/istio/kustomization.yaml create mode 100644 apps/string-is/deployment.yaml create mode 100644 apps/string-is/kustomization.yaml create mode 
100644 apps/string-is/networkpolicy.yaml create mode 100644 apps/string-is/service.yaml create mode 100755 apps/string-is/upsert-secrets.sh create mode 100644 apps/synapse/deployment.yaml create mode 100644 apps/synapse/kustomization.yaml create mode 100644 apps/synapse/service.yaml create mode 100644 apps/taskd/components/istio/istio-virtualservice.yaml create mode 100644 apps/taskd/components/istio/kustomization.yaml create mode 100644 apps/taskd/components/pvc/kustomization.yaml create mode 100644 apps/taskd/components/pvc/taskd-pvc.yaml create mode 100644 apps/taskd/components/restic-pvc/kustomization.yaml create mode 100755 apps/taskd/components/restic-pvc/upsert-secret-taskd-restic-pvc.sh create mode 100644 apps/taskd/components/tls/cert-certificate.yaml create mode 100644 apps/taskd/components/tls/cert-issuer.yaml create mode 100644 apps/taskd/components/tls/kustomization.yaml create mode 100644 apps/taskd/deployment.yaml create mode 100644 apps/taskd/kustomization.yaml create mode 100644 apps/taskd/networkpolicy.yaml create mode 100644 apps/taskd/service.yaml create mode 100644 apps/taskd/taskd.properties create mode 100755 apps/taskd/upsert-secrets.sh create mode 100644 apps/vcr/components/fileserver-istio/istio-virtualservice.yaml create mode 100644 apps/vcr/components/fileserver-istio/kustomization.yaml create mode 100644 apps/vcr/components/fileserver/fileserver-deployment.yaml create mode 100644 apps/vcr/components/fileserver/fileserver-service.yaml create mode 100644 apps/vcr/components/fileserver/kustomization.yaml create mode 100644 apps/vcr/components/metube-istio/istio-virtualservice.yaml create mode 100644 apps/vcr/components/metube-istio/kustomization.yaml create mode 100644 apps/vcr/components/metube/kustomization.yaml create mode 100644 apps/vcr/components/metube/metube-deployment.yaml create mode 100644 apps/vcr/components/metube/metube-service.yaml create mode 100644 apps/vcr/components/yt-dlp-pvc/kustomization.yaml create mode 100644 
apps/vcr/components/yt-dlp-pvc/pvc.yaml create mode 100644 apps/vcr/kustomization.yaml create mode 100644 apps/vcr/yt-dlp-cronjob.yaml create mode 100644 apps/vector/agent.yaml create mode 100644 apps/vector/daemonset.yaml create mode 100644 apps/vector/kustomization.yaml create mode 100644 apps/vector/networkpolicy.yaml create mode 100644 apps/vector/rbac.yaml create mode 100644 apps/vector/sa.yaml create mode 100644 apps/vikunja/components/database-mariadb/ca-bundle.crt create mode 100644 apps/vikunja/components/database-mariadb/kustomization.yaml create mode 100755 apps/vikunja/components/database-mariadb/upsert-secret-vikunja-database-mariadb.sh create mode 100644 apps/vikunja/components/istio-proxy/kustomization.yaml create mode 100644 apps/vikunja/components/istio/istio-virtualservice.yaml create mode 100644 apps/vikunja/components/istio/kustomization.yaml create mode 100644 apps/vikunja/components/redis/kustomization.yaml create mode 100644 apps/vikunja/components/redis/networkpolicy.yaml create mode 100644 apps/vikunja/components/redis/redis-deployment.yaml create mode 100644 apps/vikunja/components/redis/redis-service.yaml create mode 100644 apps/vikunja/deployment.yaml create mode 100644 apps/vikunja/kustomization.yaml create mode 100644 apps/vikunja/networkpolicy.yaml create mode 100644 apps/vikunja/service.yaml create mode 100755 apps/vikunja/upsert-secret-vikunja.sh create mode 100755 apps/vikunja/upsert-secrets.sh create mode 100644 apps/whoogle/components/ha/kustomization.yaml create mode 100644 apps/whoogle/components/istio-proxy/kustomization.yaml create mode 100644 apps/whoogle/components/istio/istio-virtualservice.yaml create mode 100644 apps/whoogle/components/istio/kustomization.yaml create mode 100644 apps/whoogle/deployment.yaml create mode 100644 apps/whoogle/kustomization.yaml create mode 100644 apps/whoogle/networkpolicy.yaml create mode 100644 apps/whoogle/service.yaml create mode 100644 apps/yaade/components/ha/kustomization.yaml create 
mode 100644 apps/yaade/components/istio-proxy/kustomization.yaml create mode 100644 apps/yaade/components/istio/kustomization.yaml create mode 100644 apps/yaade/components/istio/virtualservice.yaml create mode 100644 apps/yaade/deployment.yaml create mode 100644 apps/yaade/kustomization.yaml create mode 100644 apps/yaade/service.yaml create mode 100644 clusters/common/acmevault/acmevault-config.yaml create mode 100644 clusters/common/acmevault/kustomization.yaml create mode 100644 clusters/common/aether/.taskrc create mode 100644 clusters/common/aether/aether-config.yaml create mode 100644 clusters/common/aether/kustomization.yaml create mode 120000 clusters/common/aether/upsert-secret-aether-taskwarrior.sh create mode 120000 clusters/common/aether/upsert-secret-aether.sh create mode 100644 clusters/common/dyndns/server/kustomization.yaml create mode 100644 clusters/common/mariadb-cluster/configmap-ca.yaml create mode 100644 clusters/common/mariadb-cluster/kustomization.yaml create mode 100644 clusters/common/mariadb-cluster/upsert-ca.sh create mode 120000 clusters/common/mariadb-cluster/upsert-secret-mariadb.sh create mode 120000 clusters/common/mariadb-cluster/upsert-secret-mysqld-exporter.sh create mode 120000 clusters/common/mariadb-cluster/upsert-secret-restic-mariadb.sh create mode 100644 clusters/common/media/kustomization.yaml create mode 100644 clusters/common/media/lidarr/kustomization.yaml create mode 100644 clusters/common/media/lidarr/networkpolicy.yaml create mode 100644 clusters/common/media/prowlarr/kustomization.yaml create mode 100644 clusters/common/media/prowlarr/networkpolicy.yaml create mode 100644 clusters/common/media/radarr/kustomization.yaml create mode 100644 clusters/common/media/radarr/networkpolicy.yaml create mode 100644 clusters/common/media/sonarr/kustomization.yaml create mode 100644 clusters/common/media/sonarr/networkpolicy.yaml create mode 100644 clusters/common/renovatebot/github/kustomization.yaml create mode 100644 
clusters/common/renovatebot/github/renovate.properties create mode 120000 clusters/common/renovatebot/github/upsert-secret-renovate.sh create mode 100644 clusters/common/renovatebot/gitlab/kustomization.yaml create mode 100644 clusters/common/renovatebot/gitlab/renovate.properties create mode 120000 clusters/common/renovatebot/gitlab/upsert-secret-renovate.sh create mode 100644 clusters/common/renovatebot/kustomization.yaml create mode 100644 clusters/common/renovatebot/namespace.yaml create mode 100644 clusters/common/taskd/configmap-ca.yaml create mode 100644 clusters/common/taskd/kustomization.yaml create mode 100644 clusters/common/taskd/upsert-ca.sh create mode 100755 clusters/common/taskd/upsert-secrets.sh create mode 100644 clusters/common/vcr/kustomization.yaml create mode 100644 clusters/common/vcr/sportschau-saturday/kustomization.yaml create mode 100644 clusters/common/vcr/sportschau-sunday/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/cert-manager/clusterissuer.yaml create mode 100644 clusters/rs.soeren.cloud/cert-manager/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/cert-manager/sops-secret-route53-credentials.yaml create mode 100755 clusters/rs.soeren.cloud/cert-manager/upsert-secrets.sh create mode 100644 clusters/rs.soeren.cloud/ghostfolio/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/ghostfolio/namespace.yaml create mode 100644 clusters/rs.soeren.cloud/ghostfolio/postgres-data-pv.yaml create mode 120000 clusters/rs.soeren.cloud/ghostfolio/upsert-secret-ghostfolio-postgres.sh create mode 100755 clusters/rs.soeren.cloud/ghostfolio/upsert-secrets.sh create mode 100644 clusters/rs.soeren.cloud/grafana/grafana.properties create mode 100644 clusters/rs.soeren.cloud/grafana/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/grafana/namespace.yaml create mode 100644 clusters/rs.soeren.cloud/grafana/sops-secret-grafana.yaml create mode 120000 
clusters/rs.soeren.cloud/grafana/upsert-secret-grafana-database-mariadb.sh create mode 120000 clusters/rs.soeren.cloud/grafana/upsert-secret-grafana-oidc.sh create mode 120000 clusters/rs.soeren.cloud/grafana/upsert-secret-grafana.sh create mode 100755 clusters/rs.soeren.cloud/grafana/upsert-secrets.sh create mode 100644 clusters/rs.soeren.cloud/httpbin/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/httpbin/namespace.yaml create mode 100644 clusters/rs.soeren.cloud/infra/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/infra/local-storageclass.yaml create mode 100644 clusters/rs.soeren.cloud/istio/certificate.yaml create mode 100644 clusters/rs.soeren.cloud/istio/gateway.yaml create mode 100644 clusters/rs.soeren.cloud/jellyfin/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/jellyfin/namespace.yaml create mode 100644 clusters/rs.soeren.cloud/jellyfin/pv-config.yaml create mode 100644 clusters/rs.soeren.cloud/jellyfin/sops-secret-grafana.yaml create mode 100644 clusters/rs.soeren.cloud/minio-mirror/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/minio-mirror/namespace.yaml create mode 100755 clusters/rs.soeren.cloud/minio-mirror/upsert-secrets.sh create mode 100644 clusters/rs.soeren.cloud/minio/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/minio/minio-pv.yaml create mode 100644 clusters/rs.soeren.cloud/minio/namespace.yaml create mode 120000 clusters/rs.soeren.cloud/minio/upsert-secret-minio.sh create mode 100644 clusters/rs.soeren.cloud/monitoring/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/monitoring/namespace.yaml create mode 100644 clusters/rs.soeren.cloud/monitoring/victoriametrics/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/monitoring/victoriametrics/virtualservice.yaml create mode 100644 clusters/rs.soeren.cloud/navidrome/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/navidrome/namespace.yaml create mode 100644 
clusters/rs.soeren.cloud/navidrome/navidrome-data-pv.yaml create mode 100644 clusters/rs.soeren.cloud/rabbitmq/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/rabbitmq/namespace.yaml create mode 100644 clusters/rs.soeren.cloud/rabbitmq/rabbitmq-amqp-virtualservice.yaml create mode 100644 clusters/rs.soeren.cloud/rabbitmq/rabbitmq-management-virtualservice.yaml create mode 100644 clusters/rs.soeren.cloud/stirling-pdf/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/stirling-pdf/namespace.yaml create mode 100644 clusters/rs.soeren.cloud/string-is/kustomization.yaml create mode 100644 clusters/rs.soeren.cloud/string-is/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/.sops.yaml create mode 100644 clusters/svc.dd.soeren.cloud/acmevault/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/acmevault/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/actualbudget/actualbudget-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/actualbudget/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/actualbudget/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/aether/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/aether/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/aether/sops-secret-aether-taskwarrior.yaml create mode 100644 clusters/svc.dd.soeren.cloud/aether/sops-secret-aether.yaml create mode 120000 clusters/svc.dd.soeren.cloud/aether/upsert-secret-aether-taskwarrior.sh create mode 120000 clusters/svc.dd.soeren.cloud/aether/upsert-secret-aether.sh create mode 100644 clusters/svc.dd.soeren.cloud/anki/anki-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/anki/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/anki/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/anki/sops-secret-anki.yaml create mode 120000 clusters/svc.dd.soeren.cloud/anki/upsert-secret-anki.sh create mode 100644 
clusters/svc.dd.soeren.cloud/argocd/app.yaml create mode 100644 clusters/svc.dd.soeren.cloud/argocd/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/argocd/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/bookstack/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/bookstack/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/bookstack/sops-secret-bookstack-oidc.yaml create mode 100644 clusters/svc.dd.soeren.cloud/bookstack/sops-secret-bookstack.yaml create mode 120000 clusters/svc.dd.soeren.cloud/bookstack/upsert-secret-bookstack-oidc.sh create mode 120000 clusters/svc.dd.soeren.cloud/bookstack/upsert-secret-bookstack.sh create mode 100644 clusters/svc.dd.soeren.cloud/changedetection/changedetection-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/changedetection/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/changedetection/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/changedetection/sops-secret-changedetection-oidc.yaml create mode 120000 clusters/svc.dd.soeren.cloud/changedetection/upsert-secret-changedetection-oidc.sh create mode 100644 clusters/svc.dd.soeren.cloud/container-registry/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/container-registry/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/device-stalker/config.yaml create mode 100644 clusters/svc.dd.soeren.cloud/device-stalker/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/device-stalker/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/dyndns/client/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/dyndns/client/sops-secret-dyndns-client-aws-credentials.yaml create mode 100644 clusters/svc.dd.soeren.cloud/dyndns/client/sops-secret-dyndns-client-aws-endpoints.yaml create mode 100644 clusters/svc.dd.soeren.cloud/dyndns/client/sops-secret-dyndns-client-keypair.yaml create mode 120000 
clusters/svc.dd.soeren.cloud/dyndns/client/upsert-secret-dyndns-aws-credentials.sh create mode 120000 clusters/svc.dd.soeren.cloud/dyndns/client/upsert-secret-dyndns-aws-endpoints.sh create mode 120000 clusters/svc.dd.soeren.cloud/dyndns/client/upsert-secret-dyndns-keypair.sh create mode 100644 clusters/svc.dd.soeren.cloud/dyndns/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/dyndns/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/dyndns/server/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/dyndns/server/sops-secret-dyndns-server-aws-credentials.yaml create mode 100644 clusters/svc.dd.soeren.cloud/dyndns/server/sops-secret-dyndns-server-aws-sqs.yaml create mode 120000 clusters/svc.dd.soeren.cloud/dyndns/server/upsert-secret-dyndns-aws-credentials.sh create mode 120000 clusters/svc.dd.soeren.cloud/dyndns/server/upsert-secret-dyndns-aws-sqs-url.sh create mode 100644 clusters/svc.dd.soeren.cloud/external-dns/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/external-dns/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/external-dns/sops-secret-route53-credentials.yaml create mode 120000 clusters/svc.dd.soeren.cloud/external-dns/upsert-secret-external-dns.sh create mode 100644 clusters/svc.dd.soeren.cloud/gatus/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/gatus/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/git-repo-backup/config.yaml create mode 100644 clusters/svc.dd.soeren.cloud/git-repo-backup/git-repo-backup-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/git-repo-backup/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/git-repo-backup/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/gitea/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/gitea/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/grafana/grafana.properties create mode 100644 
clusters/svc.dd.soeren.cloud/grafana/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/grafana/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/grafana/sops-secret-grafana-database-mariadb.yaml create mode 100644 clusters/svc.dd.soeren.cloud/grafana/sops-secret-grafana-oidc.yaml create mode 100644 clusters/svc.dd.soeren.cloud/grafana/sops-secret-grafana.yaml create mode 120000 clusters/svc.dd.soeren.cloud/grafana/upsert-secret-grafana-database-mariadb.sh create mode 120000 clusters/svc.dd.soeren.cloud/grafana/upsert-secret-grafana-oidc.sh create mode 120000 clusters/svc.dd.soeren.cloud/grafana/upsert-secret-grafana.sh create mode 100644 clusters/svc.dd.soeren.cloud/hass/hass-networkpolicy.yaml create mode 100644 clusters/svc.dd.soeren.cloud/hass/hass-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/hass/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/hass/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/hass/sops-secret-ghcr-docker-registry.yaml create mode 100644 clusters/svc.dd.soeren.cloud/hass/sops-secret-hass-secrets.yaml create mode 100755 clusters/svc.dd.soeren.cloud/hass/upsert-ghcr-secret.sh create mode 100755 clusters/svc.dd.soeren.cloud/hass/upsert.sh create mode 100644 clusters/svc.dd.soeren.cloud/hedgedoc/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/hedgedoc/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/hedgedoc/sops-secret-hedgedoc-database-mariadb.yaml create mode 120000 clusters/svc.dd.soeren.cloud/hedgedoc/upsert-secret-hedgedoc-database-mariadb.sh create mode 100644 clusters/svc.dd.soeren.cloud/homer/config.yml create mode 100644 clusters/svc.dd.soeren.cloud/homer/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/homer/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/httpbin/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/httpbin/namespace.yaml create mode 100644 
clusters/svc.dd.soeren.cloud/immich/immich-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/immich/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/immich/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/immich/postgres-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/immich/sops-secret-immich.yaml create mode 100644 clusters/svc.dd.soeren.cloud/immich/sops-secret-restic-immich-data.yaml create mode 100644 clusters/svc.dd.soeren.cloud/immich/sops-secret-restic-immich-postgres.yaml create mode 120000 clusters/svc.dd.soeren.cloud/immich/upsert-secret-immich-restic-postgres.sh create mode 120000 clusters/svc.dd.soeren.cloud/immich/upsert-secret-immich-restic-pvc.sh create mode 120000 clusters/svc.dd.soeren.cloud/immich/upsert-secret-immich.sh create mode 100644 clusters/svc.dd.soeren.cloud/infra/storage/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/infra/vault-auth/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/istio/certificate.yaml create mode 100644 clusters/svc.dd.soeren.cloud/istio/gateway.yaml create mode 100644 clusters/svc.dd.soeren.cloud/keycloak/keycloak.properties create mode 100644 clusters/svc.dd.soeren.cloud/keycloak/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/keycloak/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/keycloak/sops-secret-keycloak-db-mariadb.yaml create mode 100644 clusters/svc.dd.soeren.cloud/keycloak/sops-secret-keycloak.yaml create mode 120000 clusters/svc.dd.soeren.cloud/keycloak/upsert-secret-keycloak-db-mariadb.sh create mode 120000 clusters/svc.dd.soeren.cloud/keycloak/upsert-secret-keycloak.sh create mode 100644 clusters/svc.dd.soeren.cloud/linkding/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/linkding/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/linkding/postgres-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/linkding/sops-secret-linkding.yaml create mode 
100644 clusters/svc.dd.soeren.cloud/linkding/sops-secret-oauth2-proxy.yaml create mode 120000 clusters/svc.dd.soeren.cloud/linkding/upsert-secret-linkding-postgres.sh create mode 120000 clusters/svc.dd.soeren.cloud/linkding/upsert-secret-linkding-restic-postgres.sh create mode 120000 clusters/svc.dd.soeren.cloud/linkding/upsert-secret-linkding.sh create mode 100644 clusters/svc.dd.soeren.cloud/loki/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/loki/loki-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/loki/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mariadb/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mariadb/mariadb-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mariadb/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mariadb/sops-secret-mariadb-galera-restic-mariadb.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mariadb/sops-secret-mariadb-galera.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mariadb/sops-secret-mysqld-exporter.yaml create mode 120000 clusters/svc.dd.soeren.cloud/mariadb/upsert-secret-mariadb.sh create mode 120000 clusters/svc.dd.soeren.cloud/mariadb/upsert-secret-mysqld-exporter.sh create mode 120000 clusters/svc.dd.soeren.cloud/mariadb/upsert-secret-restic-mariadb.sh create mode 100644 clusters/svc.dd.soeren.cloud/mealie/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mealie/mealie-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mealie/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mealie/postgres-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mealie/sops-secret-mealie-postgres.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mealie/sops-secret-mealie-restic-postgres.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mealie/sops-secret-mealie.yaml create mode 120000 clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-oidc.sh create mode 120000 
clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-postgres.sh create mode 120000 clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-restic-postgres.sh create mode 120000 clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-restic-pvc.sh create mode 120000 clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie.sh create mode 100644 clusters/svc.dd.soeren.cloud/media/jellyfin/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/media/jellyfin/pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/media/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/media/lidarr/kustomization.yaml create mode 120000 clusters/svc.dd.soeren.cloud/media/lidarr/upsert-secret-media-lidarr-postgres.sh create mode 100644 clusters/svc.dd.soeren.cloud/media/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/media/nas-media-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/media/nas-media-pvc.yaml create mode 100644 clusters/svc.dd.soeren.cloud/media/postgres-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/media/prowlarr/kustomization.yaml create mode 120000 clusters/svc.dd.soeren.cloud/media/prowlarr/upsert-secret-media-prowlarr-postgres.sh create mode 100644 clusters/svc.dd.soeren.cloud/media/radarr/kustomization.yaml create mode 120000 clusters/svc.dd.soeren.cloud/media/radarr/upsert-secret-media-radarr-postgres.sh create mode 100644 clusters/svc.dd.soeren.cloud/media/sonarr/kustomization.yaml create mode 120000 clusters/svc.dd.soeren.cloud/media/sonarr/upsert-secret-media-sonarr-postgres.sh create mode 100644 clusters/svc.dd.soeren.cloud/media/sops-secret-media-components-postgres.yaml create mode 100644 clusters/svc.dd.soeren.cloud/media/sops-secret-media-components-reverse-proxy-oidc.yaml create mode 100644 clusters/svc.dd.soeren.cloud/media/sops-secret-media-lidarr-postgres.yaml create mode 100644 clusters/svc.dd.soeren.cloud/media/sops-secret-media-prowlarr-postgres.yaml create mode 100644 
clusters/svc.dd.soeren.cloud/media/sops-secret-media-radarr-postgres.yaml create mode 100644 clusters/svc.dd.soeren.cloud/media/sops-secret-media-sonarr-postgres.yaml create mode 120000 clusters/svc.dd.soeren.cloud/media/upsert-secret-media-postgres.sh create mode 120000 clusters/svc.dd.soeren.cloud/media/upsert-secret-media-reverse-proxy-oidc.sh create mode 100644 clusters/svc.dd.soeren.cloud/metallb/advertisment.yaml create mode 100644 clusters/svc.dd.soeren.cloud/metallb/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/metallb/pool.yaml create mode 100644 clusters/svc.dd.soeren.cloud/microbin/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/microbin/microbin-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/microbin/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/microbin/sops-secret-microbin.yaml create mode 120000 clusters/svc.dd.soeren.cloud/microbin/upsert-secret-microbin.sh create mode 100644 clusters/svc.dd.soeren.cloud/minio/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/minio/minio-pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/minio/namespace.yaml create mode 120000 clusters/svc.dd.soeren.cloud/minio/upsert-secret-minio.sh create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/alertmanager/alertmanager-config-sops.yaml create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/alertmanager/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/alertmanager/sops-secret-alertmanager-config.yaml create mode 120000 clusters/svc.dd.soeren.cloud/monitoring/alertmanager/upsert-secret-alertmanager-config.sh create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/blackbox-exporter/config.yaml create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/blackbox-exporter/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/karma/karma.yaml create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/karma/kustomization.yaml 
create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/karma/networkpolicy.yaml create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/kube-state-metrics/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/prometheus/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/prometheus/prometheus-config-sops.yaml create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/prometheus/sops-secret-monitoring-prometheus-config.yaml create mode 120000 clusters/svc.dd.soeren.cloud/monitoring/prometheus/upsert-secret-prometheus-config.sh create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/pushgateway/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/monitoring/vmalert/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mosquitto/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/mosquitto/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/nextcloud/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/nextcloud/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/nextcloud/nextcloud.properties create mode 100644 clusters/svc.dd.soeren.cloud/nextcloud/pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/nextcloud/sops-secret-nextcloud.yaml create mode 120000 clusters/svc.dd.soeren.cloud/nextcloud/upsert-secret-nextcloud.sh create mode 100644 clusters/svc.dd.soeren.cloud/paperless-ngx/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/paperless-ngx/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/paperless-ngx/pv-consumption.yaml create mode 100644 clusters/svc.dd.soeren.cloud/paperless-ngx/pv-storage.yaml create mode 100644 clusters/svc.dd.soeren.cloud/paperless-ngx/sops-secret-oauth2-proxy.yaml create mode 100644 
clusters/svc.dd.soeren.cloud/paperless-ngx/sops-secret-paperless.yaml create mode 100644 clusters/svc.dd.soeren.cloud/paperless-ngx/sops-secret-restic.yaml create mode 120000 clusters/svc.dd.soeren.cloud/paperless-ngx/upsert-secret-paperless-ngx-oidc.sh create mode 120000 clusters/svc.dd.soeren.cloud/paperless-ngx/upsert-secret-paperless-ngx.sh create mode 100644 clusters/svc.dd.soeren.cloud/rabbitmq/20-cluster.conf create mode 100644 clusters/svc.dd.soeren.cloud/rabbitmq/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/rabbitmq/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/radicale/config-cm.yaml create mode 100644 clusters/svc.dd.soeren.cloud/radicale/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/radicale/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/radicale/pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/radicale/sops-secret-radicale-restic-pvc.yaml create mode 100644 clusters/svc.dd.soeren.cloud/radicale/sops-secret-radicale.yaml create mode 120000 clusters/svc.dd.soeren.cloud/radicale/upsert-secret-radicale-restic-pvc.sh create mode 120000 clusters/svc.dd.soeren.cloud/radicale/upsert-secret-radicale.sh create mode 100644 clusters/svc.dd.soeren.cloud/reloader/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/reloader/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/renovatebot/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/renovatebot/sops-secret-renovate.yaml create mode 100644 clusters/svc.dd.soeren.cloud/taskd/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/taskd/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/taskd/pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/taskd/sops-secret-taskd-restic-pvc.yaml create mode 120000 clusters/svc.dd.soeren.cloud/taskd/upsert-secret-taskd-restic-pvc.sh create mode 100644 clusters/svc.dd.soeren.cloud/vcr/kustomization.yaml create mode 100644 
clusters/svc.dd.soeren.cloud/vcr/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/vcr/pv.yaml create mode 100644 clusters/svc.dd.soeren.cloud/vector/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/vector/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/vector/sinks.yaml create mode 100644 clusters/svc.dd.soeren.cloud/vikunja/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/vikunja/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/vikunja/sops-secret-vikunja-database-mariadb.yaml create mode 120000 clusters/svc.dd.soeren.cloud/vikunja/upsert-secret-vikunja-database-mariadb.sh create mode 120000 clusters/svc.dd.soeren.cloud/vikunja/upsert-secret-vikunja.sh create mode 100644 clusters/svc.dd.soeren.cloud/whoogle/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/whoogle/namespace.yaml create mode 100644 clusters/svc.dd.soeren.cloud/yaade/kustomization.yaml create mode 100644 clusters/svc.dd.soeren.cloud/yaade/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/.sops.yaml create mode 100644 clusters/svc.ez.soeren.cloud/acmevault/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/acmevault/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/aether/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/aether/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/aether/sops-secret-aether.yaml create mode 100644 clusters/svc.ez.soeren.cloud/aether/sops-secret-taskd-credentials.yaml create mode 100755 clusters/svc.ez.soeren.cloud/aether/upsert-secrets.sh create mode 100644 clusters/svc.ez.soeren.cloud/cert-manager/clusterissuer.yaml create mode 100644 clusters/svc.ez.soeren.cloud/cert-manager/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/cert-manager/sops-secret-route53-credentials.yaml create mode 100755 clusters/svc.ez.soeren.cloud/cert-manager/upsert-secrets.sh create mode 100644 
clusters/svc.ez.soeren.cloud/consul/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/consul/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/container-registry/config.yaml create mode 100644 clusters/svc.ez.soeren.cloud/container-registry/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/container-registry/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/container-registry/networkpolicy.yaml create mode 100644 clusters/svc.ez.soeren.cloud/device-stalker/config.yaml create mode 100644 clusters/svc.ez.soeren.cloud/device-stalker/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/device-stalker/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/domain-exporter/config.yaml create mode 100644 clusters/svc.ez.soeren.cloud/domain-exporter/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/domain-exporter/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/sops-secret-dyndns-client-aws-credentials.yaml create mode 100644 clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/sops-secret-dyndns-client-aws-endpoints.yaml create mode 100644 clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/sops-secret-dyndns-client-keypair.yaml create mode 120000 clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/upsert-secret-dyndns-aws-credentials.sh create mode 120000 clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/upsert-secret-dyndns-aws-endpoints.sh create mode 120000 clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/upsert-secret-dyndns-keypair.sh create mode 100644 clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/sops-secret-dyndns-server-aws-credentials.yaml create mode 100644 clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/sops-secret-dyndns-server-aws-sqs.yaml create mode 
120000 clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/upsert-secret-dyndns-aws-credentials.sh create mode 120000 clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/upsert-secret-dyndns-aws-sqs-url.sh create mode 100644 clusters/svc.ez.soeren.cloud/dyndns/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/dyndns/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/external-dns/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/external-dns/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/external-dns/sops-secret-route53-credentials.yaml create mode 120000 clusters/svc.ez.soeren.cloud/external-dns/upsert-secret-external-dns.sh create mode 100644 clusters/svc.ez.soeren.cloud/grafana/grafana.properties create mode 100644 clusters/svc.ez.soeren.cloud/grafana/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/grafana/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/grafana/sops-secret-grafana-database-mariadb.yaml create mode 100644 clusters/svc.ez.soeren.cloud/grafana/sops-secret-grafana-oidc.yaml create mode 100644 clusters/svc.ez.soeren.cloud/grafana/sops-secret-grafana.yaml create mode 120000 clusters/svc.ez.soeren.cloud/grafana/upsert-secret-grafana-database-mariadb.sh create mode 120000 clusters/svc.ez.soeren.cloud/grafana/upsert-secret-grafana-oidc.sh create mode 120000 clusters/svc.ez.soeren.cloud/grafana/upsert-secret-grafana.sh create mode 100644 clusters/svc.ez.soeren.cloud/grafana/virtualservice.yaml create mode 100644 clusters/svc.ez.soeren.cloud/httpbin/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/httpbin/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/imapfilter/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/imapfilter/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/imapfilter/soeren/imapfilter-config-sops.lua create mode 100644 clusters/svc.ez.soeren.cloud/imapfilter/soeren/kustomization.yaml 
create mode 100644 clusters/svc.ez.soeren.cloud/imapfilter/soeren/sops-secret-imapfilter-config.yaml create mode 100644 clusters/svc.ez.soeren.cloud/istio/certificate.yaml create mode 100644 clusters/svc.ez.soeren.cloud/istio/gateway.yaml create mode 100644 clusters/svc.ez.soeren.cloud/keycloak/keycloak.properties create mode 100644 clusters/svc.ez.soeren.cloud/keycloak/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/keycloak/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/keycloak/sops-secret-keycloak-db-mariadb.yaml create mode 100644 clusters/svc.ez.soeren.cloud/keycloak/sops-secret-keycloak.yaml create mode 120000 clusters/svc.ez.soeren.cloud/keycloak/upsert-secret-keycloak-db-mariadb.sh create mode 120000 clusters/svc.ez.soeren.cloud/keycloak/upsert-secret-keycloak.sh create mode 100644 clusters/svc.ez.soeren.cloud/kyverno/cp-istio-virtualservice-correct-domain.yaml create mode 100644 clusters/svc.ez.soeren.cloud/kyverno/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/kyverno/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/loki/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/loki/loki-pv.yaml create mode 100644 clusters/svc.ez.soeren.cloud/loki/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/metallb/advertisment.yaml create mode 100644 clusters/svc.ez.soeren.cloud/metallb/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/metallb/pool.yaml create mode 100644 clusters/svc.ez.soeren.cloud/microbin/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/microbin/microbin-pv.yaml create mode 100644 clusters/svc.ez.soeren.cloud/microbin/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/microbin/sops-secret-microbin.yaml create mode 120000 clusters/svc.ez.soeren.cloud/microbin/upsert-secret-microbin.sh create mode 100755 clusters/svc.ez.soeren.cloud/microbin/upsert-secrets.sh create mode 100644 
clusters/svc.ez.soeren.cloud/monitoring/alertmanager/alertmanager-config-sops.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/alertmanager/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/alertmanager/sops-secret-alertmanager-config.yaml create mode 120000 clusters/svc.ez.soeren.cloud/monitoring/alertmanager/upsert-secret-alertmanager-config.sh create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/blackbox-exporter/config.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/blackbox-exporter/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/karma/karma.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/karma/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/karma/networkpolicy.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/kube-state-metrics/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/prometheus/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/prometheus/prometheus-config-sops.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/prometheus/sops-secret-monitoring-prometheus-config.yaml create mode 120000 clusters/svc.ez.soeren.cloud/monitoring/prometheus/upsert-secret-prometheus-config.sh create mode 100755 clusters/svc.ez.soeren.cloud/monitoring/prometheus/upsert-secrets.sh create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/pushgateway/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/monitoring/vmalert/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/mosquitto/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/mosquitto/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/rabbitmq/20-cluster.conf create mode 100644 
clusters/svc.ez.soeren.cloud/rabbitmq/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/rabbitmq/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/reloader/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/reloader/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/renovatebot/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/renovatebot/sops-secret-renovate.yaml create mode 100644 clusters/svc.ez.soeren.cloud/synapse/config.yaml create mode 100644 clusters/svc.ez.soeren.cloud/synapse/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/synapse/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/synapse/virtualservice.yaml create mode 100644 clusters/svc.ez.soeren.cloud/vcr/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/vcr/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/vcr/pv.yaml create mode 100644 clusters/svc.ez.soeren.cloud/vector/kustomization.yaml create mode 100644 clusters/svc.ez.soeren.cloud/vector/namespace.yaml create mode 100644 clusters/svc.ez.soeren.cloud/vector/sinks.yaml create mode 100644 clusters/svc.pt.soeren.cloud/.sops.yaml create mode 100644 clusters/svc.pt.soeren.cloud/acmevault/kustomization.yaml create mode 100644 clusters/svc.pt.soeren.cloud/acmevault/namespace.yaml create mode 100644 clusters/svc.pt.soeren.cloud/cert-manager/clusterissuer.yaml create mode 100644 clusters/svc.pt.soeren.cloud/cert-manager/kustomization.yaml create mode 100644 clusters/svc.pt.soeren.cloud/cert-manager/sops-secret-route53-credentials.yaml create mode 100755 clusters/svc.pt.soeren.cloud/cert-manager/upsert-secrets.sh create mode 100644 clusters/svc.pt.soeren.cloud/istio/certificate.yaml create mode 100644 clusters/svc.pt.soeren.cloud/istio/gateway.yaml create mode 100644 clusters/svc.pt.soeren.cloud/keycloak/keycloak.properties create mode 100644 clusters/svc.pt.soeren.cloud/keycloak/kustomization.yaml create mode 100644 
clusters/svc.pt.soeren.cloud/keycloak/namespace.yaml create mode 100644 clusters/svc.pt.soeren.cloud/keycloak/sops-secret-keycloak.yaml create mode 120000 clusters/svc.pt.soeren.cloud/keycloak/upsert-secret-keycloak.sh create mode 100755 clusters/svc.pt.soeren.cloud/keycloak/upsert-secrets.sh create mode 100644 clusters/svc.pt.soeren.cloud/loki/configmap.yaml create mode 100644 clusters/svc.pt.soeren.cloud/loki/kustomization.yaml create mode 100644 clusters/svc.pt.soeren.cloud/loki/namespace.yaml create mode 100644 clusters/svc.pt.soeren.cloud/loki/pv.yaml create mode 100644 clusters/svc.pt.soeren.cloud/loki/pvc.yaml create mode 100644 clusters/svc.pt.soeren.cloud/loki/virtualservice.yaml create mode 100644 clusters/svc.pt.soeren.cloud/metallb/advertisment-pt.yaml create mode 100644 clusters/svc.pt.soeren.cloud/metallb/kustomization.yaml create mode 100644 clusters/svc.pt.soeren.cloud/metallb/pool-pt.yaml create mode 100644 clusters/svc.pt.soeren.cloud/microbin/kustomization.yaml create mode 100644 clusters/svc.pt.soeren.cloud/microbin/local-volume.yaml create mode 100644 clusters/svc.pt.soeren.cloud/microbin/microbin.properties create mode 100644 clusters/svc.pt.soeren.cloud/microbin/namespace.yaml create mode 100644 clusters/svc.pt.soeren.cloud/microbin/pvc.yaml create mode 100644 clusters/svc.pt.soeren.cloud/microbin/sops-secret-credentials.yaml create mode 120000 clusters/svc.pt.soeren.cloud/microbin/upsert-secret-microbin.sh create mode 100755 clusters/svc.pt.soeren.cloud/microbin/upsert-secrets.sh create mode 100644 clusters/svc.pt.soeren.cloud/microbin/virtualservice.yaml create mode 100644 clusters/svc.pt.soeren.cloud/reloader/kustomization.yaml create mode 100644 clusters/svc.pt.soeren.cloud/reloader/namespace.yaml create mode 100644 clusters/svc.pt.soeren.cloud/renovatebot/github/kustomization.yaml create mode 100644 clusters/svc.pt.soeren.cloud/renovatebot/github/renovate.properties create mode 120000 
clusters/svc.pt.soeren.cloud/renovatebot/github/upsert-secret-renovate.sh create mode 100644 clusters/svc.pt.soeren.cloud/renovatebot/gitlab/kustomization.yaml create mode 100644 clusters/svc.pt.soeren.cloud/renovatebot/gitlab/renovate.properties create mode 120000 clusters/svc.pt.soeren.cloud/renovatebot/gitlab/upsert-secret-renovate.sh create mode 100644 clusters/svc.pt.soeren.cloud/renovatebot/kustomization.yaml create mode 100644 clusters/svc.pt.soeren.cloud/renovatebot/namespace.yaml create mode 100644 clusters/svc.pt.soeren.cloud/renovatebot/sops-secret-tokens.yaml create mode 100755 clusters/svc.pt.soeren.cloud/renovatebot/upsert-secrets.sh create mode 100644 clusters/svc.pt.soeren.cloud/vault-auth/kustomization.yaml create mode 100644 clusters/svc.pt.soeren.cloud/vector/configmap.yaml create mode 100644 clusters/svc.pt.soeren.cloud/vector/kustomization.yaml create mode 100644 clusters/svc.pt.soeren.cloud/vector/namespace.yaml create mode 100644 infra/cert-manager/components/letsencrypt-clusterissuer/clusterissuer.yaml create mode 100644 infra/cert-manager/components/letsencrypt-clusterissuer/kustomization.yaml create mode 100755 infra/cert-manager/components/letsencrypt-clusterissuer/upsert-secret-cert-manager.sh create mode 100644 infra/cert-manager/components/recursive-dns/kustomization.yaml create mode 100644 infra/cert-manager/kustomization.yaml create mode 100755 infra/cert-manager/upsert-secrets.sh create mode 100644 infra/csi-smb/components/k0s/kustomization.yaml create mode 100644 infra/csi-smb/kustomization.yaml create mode 100644 infra/external-dns/components/aws/kustomization.yaml create mode 100755 infra/external-dns/components/aws/upsert-secret-external-dns.sh create mode 100644 infra/external-dns/components/common/kustomization.yaml create mode 100644 infra/external-dns/components/istio/kustomization.yaml create mode 100644 infra/external-dns/kustomization.yaml create mode 100755 infra/external-dns/upsert-secrets.sh create mode 100644 
infra/external-secrets/vault.yaml create mode 100644 infra/local-storageclass/components/mark-default-storageclass/kustomization.yaml create mode 100644 infra/local-storageclass/kustomization.yaml create mode 100644 infra/local-storageclass/local-storageclass.yaml create mode 100644 infra/metallb/kustomization.yaml create mode 100644 infra/priority/kustomization.yaml create mode 100644 infra/priority/pc-00001-best-effort.yaml create mode 100644 infra/priority/pc-01000-dev-low-prio.yaml create mode 100644 infra/priority/pc-01500-dev-default-prio.yaml create mode 100644 infra/priority/pc-02000-dev-high-prio.yaml create mode 100644 infra/priority/pc-02500-default-prio.yaml create mode 100644 infra/priority/pc-03000-prod-low-prio.yaml create mode 100644 infra/priority/pc-04000-prod-default-prio.yaml create mode 100644 infra/priority/pc-05000-prod-high-prio.yaml create mode 100644 infra/priority/pc-10000-batch-high-prio.yaml create mode 100644 infra/priority/pc-20000-system.yaml create mode 100644 infra/restic-mariadb/kustomization.yaml create mode 100644 infra/restic-mariadb/restic-mariadb-backup-cronjob.yaml create mode 100644 infra/restic-mariadb/restic-mariadb-networkpolicy.yaml create mode 100644 infra/restic-mariadb/restic-mariadb-prune-cronjob.yaml create mode 100755 infra/restic-mariadb/upsert-secret-restic-mariadb.sh create mode 100644 infra/restic-postgres/kustomization.yaml create mode 100644 infra/restic-postgres/restic-postgres-backup-cronjob.yaml create mode 100644 infra/restic-postgres/restic-postgres-networkpolicy.yaml create mode 100644 infra/restic-postgres/restic-postgres-prune-cronjob.yaml create mode 100755 infra/restic-postgres/upsert-secret-mealie-restic-postgres.sh create mode 100644 infra/restic-pvc/kustomization.yaml create mode 100644 infra/restic-pvc/restic-pvc-backup-cronjob.yaml create mode 100644 infra/restic-pvc/restic-pvc-networkpolicy.yaml create mode 100644 infra/restic-pvc/restic-pvc-prune-cronjob.yaml create mode 100755 
infra/restic-pvc/upsert-secret-radicale-restic-pvc.sh create mode 100644 infra/vault-auth/cluster-role-binding.yaml create mode 100644 infra/vault-auth/kustomization.yaml create mode 100644 infra/vault-auth/namespace.yaml create mode 100644 infra/vault-auth/service-account-token-sec.yaml create mode 100644 infra/vault-auth/service-account.yaml create mode 100644 renovate.json create mode 100644 trivy.yaml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..a3b5772 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +--- +version: 2 +updates: + - package-ecosystem: "terraform" + directory: "/contrib/terraform/" + schedule: + interval: "daily" + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly diff --git a/.github/workflows/diagrams.yaml b/.github/workflows/diagrams.yaml new file mode 100644 index 0000000..e685fe8 --- /dev/null +++ b/.github/workflows/diagrams.yaml @@ -0,0 +1,36 @@ +--- +name: Render Diagrams + +on: + push: + paths: + - '**.d2' + +jobs: + render: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Set up D2 + run: | + curl -fsSL https://d2lang.com/install.sh | sh -s -- + + - name: Run make generate + run: make diagrams + + - name: Check for differences + run: | + if [[ -n $(git status --porcelain) ]]; then + echo "Changes in diagrams detected" + git status + git diff + git config --global user.name 'diagrambot' + git config --global user.email 'diagrambot@domain.tld' + git commit -am "Automated diagram" + git push + else + echo "No changes detected" + fi diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml new file mode 100644 index 0000000..5bef760 --- /dev/null +++ b/.github/workflows/lint.yaml 
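Review bot: The `terraform` entry points Dependabot at `directory: "/contrib/terraform/"`, but no `contrib/` path appears in the visible part of this commit's file list, and Dependabot reports a configuration error for an ecosystem whose directory does not exist — drop the entry or add it together with the Terraform code. The same file list adds a `renovate.json`; if Renovate is also configured for the `github-actions` manager, both bots will open duplicate PRs for the same workflow pins, so one of them should own that ecosystem. Dependabot can keep action pins current but cannot harden them: the workflows in this commit reference actions by floating tag and in one case by branch, whereas a `uses: owner/action@<sha> # vX.Y.Z` form is both immutable and still updated by Dependabot.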
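Review bot: The `Set up D2` step runs `curl -fsSL https://d2lang.com/install.sh | sh -s --`, executing an unpinned, unverified remote script on a runner that then commits and pushes to this repository with its token — a compromised installer or host becomes a commit here. Pin the tool to a release (the installer documents a `--version` flag, or fetch the release tarball and verify its published checksum) and add a top-level `permissions:` block so the job holds only `contents: write`. `actions/checkout@v3` is one major version behind the `@v4` used by the other workflows in this commit. Separately, `git commit -am` stages only tracked files, so a newly rendered diagram that `git status --porcelain` reports as untracked is detected but never committed; `git add -A` before the commit closes that gap.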
@@ -0,0 +1,30 @@ +--- +name: "lint" +on: + push: + branches: + - "master" + - "main" + pull_request: {} + workflow_dispatch: {} +jobs: + kube-linter: + runs-on: "ubuntu-latest" + steps: + - uses: "actions/checkout@v4" + - name: "Scan yamls" + id: "kube-lint-scan" + uses: "stackrox/kube-linter-action@v1" + with: + directory: "apps" + config: ".kube-linter.yaml" + yamllint: + runs-on: "ubuntu-latest" + steps: + - uses: "actions/checkout@v4" + - name: "Install yamllint" + run: | + pip install yamllint + - name: "Run yamllint" + run: | + yamllint . diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml new file mode 100644 index 0000000..c95cae2 --- /dev/null +++ b/.github/workflows/pr.yaml @@ -0,0 +1,29 @@ +--- +name: Pull Request Action +on: + push: + branches: + - updates +jobs: + create-pull-request: + runs-on: ubuntu-latest + steps: + - name: Create Pull Request + uses: actions/github-script@v7.0.1 + with: + script: | + try { + const { repo, owner } = context.repo; + const result = await github.rest.pulls.create({ + title: '[Auto-generated] Update Container Image', + owner, + repo, + head: '${{ github.ref_name }}', + base: 'main', + body: [ + '${{ github.event.head_commit.message }}' + ].join('\n') + }); + } catch(err) { + console.log(err); + } diff --git a/.github/workflows/security-scanners.yaml b/.github/workflows/security-scanners.yaml new file mode 100644 index 0000000..dbbb8ee --- /dev/null +++ b/.github/workflows/security-scanners.yaml 
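Review bot: The kube-linter job scans only `directory: "apps"`, so the `infra/` manifests this commit adds — `infra/vault-auth/cluster-role-binding.yaml` and the restic CronJobs among them — and everything under `clusters/` are never linted, although RBAC bindings and CronJob pod specs are exactly where kube-linter's checks matter. Point it at all three trees (one job per directory, or `directory: "."` after confirming kube-linter tolerates the kustomize `Component` and patch files). `stackrox/kube-linter-action@v1` and `pip install yamllint` are both unpinned; pin the action by SHA and the package by version, e.g. `pip install yamllint==<x.y.z>`. Add `permissions: contents: read` so the default token is read-only.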
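Review bot: `'${{ github.event.head_commit.message }}'` is expanded by the Actions templater directly into the JavaScript source of the `github-script` step, so a commit message containing a `'` followed by JavaScript executes with the job's `GITHUB_TOKEN` — the documented script-injection pattern. Pass the value through the environment instead: add `env: COMMIT_MSG: ${{ github.event.head_commit.message }}` to the step and use `body: process.env.COMMIT_MSG` in the script. The `catch(err) { console.log(err); }` also turns a failed `pulls.create` (missing permission, PR already open) into a green job; `core.setFailed(err.message)` keeps the failure visible. The job has no `permissions:` block; `pull-requests: write` plus `contents: read` is all it needs.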
@@ -0,0 +1,31 @@ +--- +name: "security-scanners" +on: + push: + branches: + - "master" + - "main" + pull_request: {} + workflow_dispatch: {} +jobs: + trivy: + name: "trivy" + runs-on: "ubuntu-latest" + steps: + - uses: "actions/checkout@v4" + - name: "Run Trivy vulnerability scanner in fs mode" + uses: "aquasecurity/trivy-action@master" + with: + scan-type: "fs" + scan-ref: "." + trivy-config: "trivy.yaml" + gitleaks: + name: "gitleaks" + runs-on: "ubuntu-latest" + steps: + - uses: "actions/checkout@v4" + with: + fetch-depth: 0 + - uses: "gitleaks/gitleaks-action@v2" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d0f19fa --- /dev/null +++ b/.gitignore @@ -0,0 +1,7 @@ +**/.terraform/* +*.tfstate +*.tfstate.* +*secret*.y*ml +!sops-*.y*ml +*.swp +/.idea diff --git a/.kube-linter.yaml b/.kube-linter.yaml new file mode 100644 index 0000000..b0cd400 --- /dev/null +++ b/.kube-linter.yaml @@ -0,0 +1,4 @@ +--- +checks: + exclude: + - "unset-cpu-requirements" diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..5f52758 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,7 @@ +--- +repos: + - repo: https://github.com/soerenschneider/pre-commit-hooks + rev: v1.5.1 + hooks: + - id: yamllint + - id: gitleaks diff --git a/.trivyignore.yaml b/.trivyignore.yaml new file mode 100644 index 0000000..e31e9d6 --- /dev/null +++ b/.trivyignore.yaml 
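Review bot: `aquasecurity/trivy-action@master` pins the scanner to a moving branch, so the code that runs against a full checkout of this repository changes without review and a broken or compromised upstream commit is picked up on the next run. Pin it to a release tag — or a commit SHA with a version comment — as `actions/checkout@v4` and `gitleaks/gitleaks-action@v2` already use tags (those two should move to SHA pins too). The job references `trivy-config: "trivy.yaml"`, which this commit adds but which is outside this view, so whether findings fail the build (`exit-code`) or are only reported cannot be confirmed here. A top-level `permissions: contents: read` would keep both jobs' tokens read-only.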
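Review bot: The `*secret*.y*ml` / `!sops-*.y*ml` pair treats the `sops-` filename prefix as proof that a file is encrypted, but sops decrypts in place (`sops -d -i`) without renaming, so a decrypted `sops-secret-*.yaml` is re-included and committed as plaintext; a credential file whose name lacks `secret`, or that is not YAML, is never matched at all. Keep the rules but label them as a convenience filter rather than a control, e.g. `# convenience only: a decrypted sops-*.yaml still matches the allow rule; gitleaks (pre-commit + CI) is the real guard`. The rules also only see the basename, so the `*-config-sops.yaml` files added elsewhere in this commit are neither ignored nor re-included by them and rely on gitleaks alone.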
@@ -0,0 +1,39 @@ +--- +misconfigurations: + - id: "AVD-KSV-0011" + - id: "AVD-KSV-0012" + paths: + - "apps/vector/daemonset.yaml" + - id: "AVD-KSV-0014" + paths: + - "apps/keycloak/deployment.yaml" + - id: "AVD-KSV-0020" + paths: + - "apps/vector/daemonset.yaml" + - "apps/**/postgres-deployment.yaml" + - "apps/immich/components/pgvector/postgres-sts.yaml" + - "apps/paperless-ngx/paperless-ngx-deployment.yaml" + - "apps/keycloak/deployment.yaml" # errors if not running as 1000 + - id: "AVD-KSV-0021" + paths: + - "apps/vector/daemonset.yaml" + - "apps/**/postgres-deployment.yaml" + - "apps/paperless-ngx/paperless-ngx-deployment.yaml" + - "apps/immich/components/pgvector/postgres-sts.yaml" + - "apps/keycloak/deployment.yaml" # errors if not running as 1000 + - id: "AVD-KSV-0023" + paths: + - "apps/vector/daemonset.yaml" + - id: "AVD-KSV-0048" + paths: + - "apps/reloader/components/rbac/clusterrole.yaml" + - id: "AVD-KSV-0041" + paths: + - "apps/reloader/components/rbac/clusterrole.yaml" + - id: "AVD-KSV-0109" + paths: + - "clusters/common/taskd/configmap-ca.yaml" + - id: "AVD-KSV-01010" + paths: + - "**/taskwarrior-configmap.yaml" # false positive + - "apps/mariadb-galera/components/tls-wsrep/cm-sst-cnf.yaml" # false positive diff --git a/.yamllint.yaml b/.yamllint.yaml new file mode 100644 index 0000000..3609754 --- /dev/null +++ b/.yamllint.yaml @@ -0,0 +1,6 @@ +--- +extends: default +rules: + line-length: disable +ignore: + - "*sops*.yaml" diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..92eb85e --- /dev/null +++ b/Makefile @@ -0,0 +1,10 @@ +.PHONY: diagrams +diagrams: + find diagrams -iname '*.d2' -print0 | xargs -0 -I {} d2 "{}" + +pre-commit-init: + pre-commit install + pre-commit install --hook-type commit-msg + +pre-commit-update: + pre-commit autoupdate diff --git a/apps/acmevault/deployment.yaml b/apps/acmevault/deployment.yaml new file mode 100644 index 0000000..0bc2285 --- /dev/null +++ b/apps/acmevault/deployment.yaml 
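Review bot: Every suppression here is open-ended and, apart from a few inline remarks, unjustified: `AVD-KSV-0011` is ignored repository-wide with no `paths:`, and the reloader ClusterRole exceptions for `AVD-KSV-0041`/`AVD-KSV-0048` silence the scanner on what — if reloader reads secret contents cluster-wide, as its purpose suggests — is the broadest privilege in the repo. Trivy's YAML ignore format supports a `statement:` and an `expired_at:` field per entry; add both, e.g. `statement: "reloader needs list/watch on secrets cluster-wide; its SA is otherwise unprivileged"` and `expired_at: 2025-03-31`, so each exception is auditable and is forced back onto the table. The `# false positive` remarks on `AVD-KSV-01010` should likewise move into `statement:` fields, which appear in scanner output, rather than living only in this file.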
@@ -0,0 +1,82 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: acmevault + labels: + app: acmevault + app.kubernetes.io/name: acmevault + app.kubernetes.io/instance: acmevault-prod + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: acmevault + template: + metadata: + labels: + app: acmevault + app.kubernetes.io/name: acmevault + app.kubernetes.io/instance: acmevault-prod + annotations: + prometheus.io/port: "9191" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + containers: + - name: acmevault + image: "ghcr.io/soerenschneider/acmevault:1.14.0" + imagePullPolicy: "IfNotPresent" + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + runAsNonRoot: true + runAsUser: 65535 + runAsGroup: 65535 + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + command: + - "/acmevault" + - "-config" + - "/config/acmevault-config.yaml" + ports: + - containerPort: 9191 + name: "metrics" + env: + - name: "AWS_REGION" + value: "us-east-1" + resources: + requests: + memory: "32Mi" + cpu: "5m" + limits: + memory: "128Mi" + volumeMounts: + - name: "config-volume" + mountPath: "/config" + volumes: + - name: "config-volume" + configMap: + name: "config" + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 10 + preference: + matchExpressions: + - key: "cpu_speed" + operator: "NotIn" + values: + - "fast" diff --git a/apps/acmevault/kustomization.yaml b/apps/acmevault/kustomization.yaml new file mode 100644 index 0000000..5aeecdf --- /dev/null +++ b/apps/acmevault/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "deployment.yaml" + - "networkpolicy.yaml" 
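Review bot: The image `ghcr.io/soerenschneider/acmevault:1.14.0` is pinned by tag only, while `actualbudget` in the same commit is pinned to an immutable `@sha256:` digest; a component that evidently talks to Vault and a DNS provider (egress to 8200 and 443, `AWS_REGION` set) is the one that most deserves the digest pin, and the repo's bots keep digests current. Nothing in the visible spec uses the Kubernetes API — configuration comes from a ConfigMap — so add `automountServiceAccountToken: false` to the pod spec to keep a projected token out of the container. The securityContext is solid (non-root, read-only rootfs, all caps dropped, RuntimeDefault seccomp). Nothing here shows how acmevault authenticates to Vault or Route53; a one-line comment above `volumes:` pointing at where those credentials come from would save the next reader a search.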
diff --git a/apps/acmevault/networkpolicy.yaml b/apps/acmevault/networkpolicy.yaml new file mode 100644 index 0000000..61e57f1 --- /dev/null +++ b/apps/acmevault/networkpolicy.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: acmevault +spec: + podSelector: + matchLabels: + app: acmevault + policyTypes: + - Egress + - Ingress + ingress: + - ports: + - protocol: TCP + port: metrics + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app: prometheus + egress: + - ports: + - port: 443 + protocol: TCP + - port: 8200 + protocol: TCP + - ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP diff --git a/apps/actualbudget/components/istio-proxy/kustomization.yaml b/apps/actualbudget/components/istio-proxy/kustomization.yaml new file mode 100644 index 0000000..c07d959 --- /dev/null +++ b/apps/actualbudget/components/istio-proxy/kustomization.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Namespace" + patch: |- + - op: add + path: "/metadata/labels/istio-injection" + value: "enabled" + - target: + kind: "NetworkPolicy" + patch: |- + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: istio-system + podSelector: {} + ports: + - port: 15012 + protocol: TCP + - port: 15014 + protocol: TCP 
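Review bot: The egress section has a rule allowing `port: 53` over TCP and UDP with no `to:` selector, which permits DNS to any address in or outside the cluster and makes the following kube-dns-scoped rule (`namespaceSelector: {}` plus `k8s-app: kube-dns`) redundant; delete the destination-less 53 rule so DNS is actually confined to CoreDNS and cannot serve as a resolver-bypass or exfiltration channel. The `443`/`8200` rule is likewise destination-less: 443 must stay open for ACME and Route53, but if Vault sits at a stable address give 8200 its own rule with a `to:` `ipBlock` (or `podSelector` if Vault runs in-cluster) so a compromised pod cannot reach arbitrary hosts on that port. The kube-dns rule itself lists only UDP 53; add `- port: 53` / `protocol: TCP` there, since large responses fall back to TCP.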
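Review bot: The second egress patch lets the sidecar reach every pod in `istio-system` (`podSelector: {}`) on 15012 and 15014, which is wider than the control plane it needs; select istiod by its workload label (upstream installs use `app: istiod` — verify against the installed chart) so gateways and other pods in that namespace stay unreachable. 15012 is istiod's xDS/CA port and is required; 15014 is istiod's monitoring/debug port, which the injected proxy does not ordinarily dial, so drop it unless a concrete need is known. If actualbudget's base NetworkPolicy (its body is outside this view) already carries a DNS rule, the first patch duplicates it; a `# kept so the component stands alone` comment would explain the overlap. The patches target every `kind: NetworkPolicy` in the overlay with no `name:`, which is fine for a single-policy app but deserves a comment saying so.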
diff --git a/apps/actualbudget/components/istio/istio-virtualservice.yaml b/apps/actualbudget/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..438d719 --- /dev/null +++ b/apps/actualbudget/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "actualbudget" +spec: + hosts: + - "actualbudget" + gateways: + - "istio-system/gateway" + http: + - match: + - uri: + prefix: "/" + route: + - destination: + host: "actualbudget" + port: + number: 80 diff --git a/apps/actualbudget/components/istio/kustomization.yaml b/apps/actualbudget/components/istio/kustomization.yaml new file mode 100644 index 0000000..0d74827 --- /dev/null +++ b/apps/actualbudget/components/istio/kustomization.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "istio-virtualservice.yaml" +patches: + - target: + kind: "NetworkPolicy" + name: "actualbudget" + patch: |- + - op: add + path: "/spec/ingress/-" + value: + ports: + - protocol: "TCP" + port: "actualbudget" + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/actualbudget/components/pvc/actualbudget-pvc.yaml b/apps/actualbudget/components/pvc/actualbudget-pvc.yaml new file mode 100644 index 0000000..19891cc --- /dev/null +++ b/apps/actualbudget/components/pvc/actualbudget-pvc.yaml @@ -0,0 +1,11 @@ +--- +kind: "PersistentVolumeClaim" +apiVersion: "v1" +metadata: + name: "actualbudget" +spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "1Gi" diff --git a/apps/actualbudget/components/pvc/kustomization.yaml b/apps/actualbudget/components/pvc/kustomization.yaml new file mode 100644 index 0000000..d2605bb --- /dev/null +++ b/apps/actualbudget/components/pvc/kustomization.yaml 
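Review bot: `apiVersion: "networking.istio.io/v1alpha3"` is the legacy Istio API; `v1beta1` (or `v1` on current releases — check the installed version) is the served one and avoids deprecation warnings at apply time. `hosts: - "actualbudget"` is a bare name rather than an FQDN, and the cluster overlays in this commit ship a Kyverno policy named `cp-istio-virtualservice-correct-domain`, which suggests the host is rewritten at admission; if so, a `# host is expanded to the cluster domain by Kyverno` comment here would stop the next reader from "fixing" it.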
@@ -0,0 +1,16 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "actualbudget-pvc.yaml" +patches: + - target: + kind: "Deployment" + name: "actualbudget" + patch: |- + - op: "replace" + path: "/spec/template/spec/volumes/0" + value: + name: "storage" + persistentVolumeClaim: + claimName: "actualbudget" diff --git a/apps/actualbudget/deployment.yaml b/apps/actualbudget/deployment.yaml new file mode 100644 index 0000000..c06d2a7 --- /dev/null +++ b/apps/actualbudget/deployment.yaml 
@@ -0,0 +1,71 @@ +--- +apiVersion: "apps/v1" +kind: "Deployment" +metadata: + name: "actualbudget" + labels: + app: "actualbudget" + app.kubernetes.io/name: "actualbudget" + app.kubernetes.io/instance: "actualbudget-prod" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: "actualbudget" + template: + metadata: + labels: + app: "actualbudget" + app.kubernetes.io/name: "actualbudget" + app.kubernetes.io/instance: "actualbudget-prod" + spec: + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "actualbudget" + image: "docker.io/actualbudget/actual-server:24.5.0-alpine@sha256:2474bdbcd6a3888b5c0f68216ad9490cb7f5183caf173eddf967b9e77ad1ba8a" + imagePullPolicy: "IfNotPresent" + securityContext: + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 65535 + runAsGroup: 65535 + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + env: + - name: "DEBUG" + value: "actual:config" + ports: + - containerPort: 5006 + name: "actualbudget" + readinessProbe: + httpGet: + port: "actualbudget" + path: "/health" + livenessProbe: + httpGet: + port: "actualbudget" + path: "/health" + resources: + requests: + memory: "128Mi" + cpu: "5m" + limits: + memory: "1Gi" + volumeMounts: + - name: "storage" + mountPath: "/data" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "1Gi" diff --git a/apps/actualbudget/kustomization.yaml b/apps/actualbudget/kustomization.yaml new file mode 100644 index 0000000..0ddf3ab --- /dev/null +++ b/apps/actualbudget/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "deployment.yaml" + - "service.yaml" + - "networkpolicy.yaml" diff --git a/apps/actualbudget/networkpolicy.yaml b/apps/actualbudget/networkpolicy.yaml new file mode 100644 index 0000000..75e8c85 
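Review bot: actualbudget/deployment.yaml does not set `automountServiceAccountToken: false` on the pod spec, so a Kubernetes API token is mounted into a workload that, from what is visible here, never talks to the API server; adding it under `template.spec` removes an unneeded credential from the container filesystem. The aether, anki and bookstack deployments in this commit have the same gap. Separately, `DEBUG: actual:config` is enabled on an instance labelled `actualbudget-prod`; whether that debug namespace prints sensitive configuration values is not visible here — confirm before making it the default.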
--- /dev/null +++ b/apps/actualbudget/networkpolicy.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: "networking.k8s.io/v1" +kind: "NetworkPolicy" +metadata: + name: "actualbudget" +spec: + podSelector: {} + egress: [] + ingress: [] diff --git a/apps/actualbudget/service.yaml b/apps/actualbudget/service.yaml new file mode 100644 index 0000000..cc7ba0c --- /dev/null +++ b/apps/actualbudget/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: "v1" +kind: "Service" +metadata: + name: "actualbudget" +spec: + ports: + - port: 80 + targetPort: "actualbudget" + selector: + app.kubernetes.io/name: "actualbudget" diff --git a/apps/aether/components/istio/istio-virtualservice.yaml b/apps/aether/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..14be31c --- /dev/null +++ b/apps/aether/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: aether +spec: + hosts: + - aether + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: aether + port: + number: 80 diff --git a/apps/aether/components/istio/kustomization.yaml b/apps/aether/components/istio/kustomization.yaml new file mode 100644 index 0000000..7510e39 --- /dev/null +++ b/apps/aether/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: "NetworkPolicy" + name: "aether" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/aether/components/taskwarrior/cert-certificate.yaml b/apps/aether/components/taskwarrior/cert-certificate.yaml new file mode 100644 index 0000000..e5ecf67 --- /dev/null +++ b/apps/aether/components/taskwarrior/cert-certificate.yaml 
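Review bot: actualbudget/networkpolicy.yaml omits `policyTypes`, and `egress: []` contains no rules, so Kubernetes derives `policyTypes: [Ingress]` only — the pod's egress is not isolated at all even though the empty list reads like a deny-all. Adding `policyTypes: [Ingress, Egress]`, as apps/anki/networkpolicy.yaml does, makes the empty `egress` actually deny; the istio-proxy component masks this today because the egress rules it appends make Egress implicit. bookstack/networkpolicy.yaml has the same omission.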
@@ -0,0 +1,19 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: aether +spec: + secretName: aether-cert + duration: 2160h + renewBefore: 360h + commonName: aether.svc.dd.soeren.cloud + dnsNames: + - aether.svc.dd.soeren.cloud + issuerRef: + name: vault-issuer + kind: Issuer + group: cert-manager.io + privateKey: + algorithm: RSA + size: 3072 diff --git a/apps/aether/components/taskwarrior/cert-issuer.yaml b/apps/aether/components/taskwarrior/cert-issuer.yaml new file mode 100644 index 0000000..759d4b2 --- /dev/null +++ b/apps/aether/components/taskwarrior/cert-issuer.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault-issuer +--- +apiVersion: v1 +kind: Secret +metadata: + name: vault-issuer-sa + annotations: + kubernetes.io/service-account.name: vault-issuer +type: kubernetes.io/service-account-token +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: vault-issuer +spec: + vault: + path: pki/im_task/sign/aether + server: https://vault.ha.soeren.cloud + auth: + kubernetes: + role: "aether" + mountPath: /v1/auth/svc.dd.soeren.cloud + secretRef: + name: vault-issuer-sa + key: token diff --git a/apps/aether/components/taskwarrior/kustomization.yaml b/apps/aether/components/taskwarrior/kustomization.yaml new file mode 100644 index 0000000..8057766 --- /dev/null +++ b/apps/aether/components/taskwarrior/kustomization.yaml 
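Review bot: cert-issuer.yaml creates a `kubernetes.io/service-account-token` Secret, i.e. a long-lived, non-expiring token persisted in the namespace, purely so the Vault Kubernetes auth can read it via `secretRef`. cert-manager's Vault issuer also accepts `auth.kubernetes.serviceAccountRef`, which has cert-manager request a short-lived bound token for the `vault-issuer` ServiceAccount itself and needs no stored credential; if the installed cert-manager version supports it, prefer that and drop the Secret. If the static token is kept, a comment stating why (e.g. cert-manager version) would stop the next reader from assuming it is an oversight.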
@@ -0,0 +1,84 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - cert-issuer.yaml + - cert-certificate.yaml +patches: + - target: + kind: Deployment + name: aether + patch: |- + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: config-task + mountPath: "/home/aether/.taskrc" + subPath: ".taskrc" + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: secret-taskd-credentials + mountPath: "/home/aether/.taskd_credentials" + subPath: "taskd_credentials" + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: task-data + mountPath: "/task-data" + - op: add + path: /spec/template/spec/volumes/- + value: + name: config-task + configMap: + name: taskrc + - op: add + path: /spec/template/spec/volumes/- + value: + name: secret-task-keypair + secret: + secretName: aether-cert + - op: add + path: "/spec/template/spec/volumes/-" + value: + name: "task-data" + emptyDir: + sizeLimit: "512Mi" + - op: "add" + path: "/spec/template/spec/volumes/-" + value: + name: "secret-taskd-credentials" + secret: + secretName: "aether-taskwarrior" + - op: "add" + path: "/spec/template/spec/containers/-" + value: + name: "task-sync" + image: "ghcr.io/soerenschneider/task-syncer:main-20240211152232" + imagePullPolicy: "IfNotPresent" + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + requests: + memory: 64Mi + cpu: 5m + limits: + cpu: 512m + memory: 256Mi + volumeMounts: + - name: config-task + mountPath: "/home/tasksyncer/.taskrc" + subPath: ".taskrc" + - name: secret-task-keypair + mountPath: "/certs" + - name: task-data + mountPath: "/task-data" + - name: secret-taskd-credentials + mountPath: "/home/tasksyncer/.taskd_credentials" + subPath: "taskd_credentials" 
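Review bot: The task-sync sidecar image `ghcr.io/soerenschneider/task-syncer:main-20240211152232` is referenced by tag only, whereas actualbudget pins `image@sha256:...`; a tag can be re-pushed, so pin the digest here for the same supply-chain guarantee. The aether, anki, bookstack and oauth2-proxy images in this commit are tag-only as well. The first three `volumeMounts` ops target `containers/0`, i.e. the aether container, so `.taskd_credentials` is mounted into aether as well as into task-sync; if only the syncer needs the server credential, the aether mount widens exposure for no benefit — confirm the aether process actually reads it.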
diff --git a/apps/aether/components/taskwarrior/upsert-secret-aether-taskwarrior.sh b/apps/aether/components/taskwarrior/upsert-secret-aether-taskwarrior.sh new file mode 100755 index 0000000..561b41e --- /dev/null +++ b/apps/aether/components/taskwarrior/upsert-secret-aether-taskwarrior.sh @@ -0,0 +1,21 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +SECRET_VALUE="$(pass show configs/task-taskserver)" +taskd_credentials="taskd.credentials=${SECRET_VALUE}" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=taskd_credentials="${taskd_credentials}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/aether/deployment.yaml b/apps/aether/deployment.yaml new file mode 100644 index 0000000..597407b --- /dev/null +++ b/apps/aether/deployment.yaml 
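Review bot: The credential is handed to kubectl as `--from-literal=taskd_credentials="${taskd_credentials}"`, which places it in the process command line where other local processes can read it for the lifetime of the call. `--from-file=taskd_credentials=<(printf '%s' "${taskd_credentials}")` keeps it out of argv; on a single-user workstation the exposure is small, but the pattern recurs in every upsert-secret script in this commit (aether, anki, bookstack, bookstack-oidc, changedetection-oidc). `sops -e ... -e` also passes `-e` twice; harmless, but one can go.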
@@ -0,0 +1,88 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: aether + labels: + app.kubernetes.io/name: aether + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: aether + strategy: + type: RollingUpdate + template: + metadata: + labels: + app: aether + app.kubernetes.io/name: aether + app.kubernetes.io/component: aether + app.kubernetes.io/part-of: aether + annotations: + prometheus.io/port: "9723" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 65532 + runAsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: aether + image: ghcr.io/soerenschneider/aether:1.0.0 + imagePullPolicy: IfNotPresent + command: + - "/aether" + - "-config" + - "/config/aether-config.yaml" + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + requests: + memory: 64Mi + cpu: 5m + limits: + memory: 256Mi + ports: + - containerPort: 8080 + name: aether + - containerPort: 9723 + name: metrics + envFrom: + - configMapRef: + name: aether-config + volumeMounts: + - name: config-volume + mountPath: "/config" + volumes: + - name: config-volume + configMap: + name: aether-config + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: location + whenUnsatisfiable: ScheduleAnyway + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 10 + preference: + matchExpressions: + - key: "cpu_speed" + operator: "NotIn" + values: + - "fast" diff --git a/apps/aether/kustomization.yaml b/apps/aether/kustomization.yaml new file mode 100644 index 0000000..3686d34 --- /dev/null +++ b/apps/aether/kustomization.yaml 
@@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml + - networkpolicy.yaml diff --git a/apps/aether/networkpolicy.yaml b/apps/aether/networkpolicy.yaml new file mode 100644 index 0000000..49bdccd --- /dev/null +++ b/apps/aether/networkpolicy.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: aether +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: aether + from: [] + - ports: + - protocol: TCP + port: metrics + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus diff --git a/apps/aether/service.yaml b/apps/aether/service.yaml new file mode 100644 index 0000000..21ac368 --- /dev/null +++ b/apps/aether/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: aether +spec: + ports: + - port: 80 + targetPort: aether + selector: + app.kubernetes.io/name: aether diff --git a/apps/aether/upsert-secret-aether.sh b/apps/aether/upsert-secret-aether.sh new file mode 100755 index 0000000..4fa60f7 --- /dev/null +++ b/apps/aether/upsert-secret-aether.sh 
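Review bot: In aether/networkpolicy.yaml the first ingress rule has `from: []`; an empty `from` list means "any source", so on its own this policy exposes the aether port to every pod in the cluster. The istio component appends the ingress gateway to `/spec/ingress/0/from/-`, which is what actually narrows it, so the base is fail-open if deployed without that component — the actualbudget base (`ingress: []`, component appends a full rule) fails closed instead and is the safer shape. `policyTypes` lists only Ingress, so egress stays unrestricted; aether needs outbound CalDAV, weather and SMTP, so that may be intentional, but an explicit egress rule set would document it.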
@@ -0,0 +1,40 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +CALDAV_USER="soeren" +CALDAV_PASSWORD="$(pass infra/selfhosted/dav/radicale/soeren)" + +CARDDAV_USER="${CALDAV_USER}" +CARDDAV_PASSWORD="${CALDAV_PASSWORD}" + +WEATHER_APIKEY="$(pass keys/apikeys/openweathermap | grep ^apikey | cut -d' ' -f2)" + +EMAIL_VALUES="$(pass email/send-only/aether)" +EMAIL_FROM=$(echo "${EMAIL_VALUES}" | grep ^EMAIL_FROM= | cut -d'=' -f2) +EMAIL_PASSWORD=$(echo "${EMAIL_VALUES}" | grep ^EMAIL_PASSWORD= | cut -d'=' -f2) +EMAIL_TO=$(echo "${EMAIL_VALUES}" | grep ^EMAIL_TO= | cut -d'=' -f2) +EMAIL_USERNAME=$(echo "${EMAIL_VALUES}" | grep ^EMAIL_USERNAME= | cut -d'=' -f2) + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=caldav_user="${CALDAV_USER}" \ + --from-literal=caldav_password="${CALDAV_PASSWORD}" \ + --from-literal=carddav_user="${CARDDAV_USER}" \ + --from-literal=carddav_password="${CARDDAV_PASSWORD}" \ + --from-literal=weather_apikey="${WEATHER_APIKEY}" \ + --from-literal=email_from="${EMAIL_FROM}" \ + --from-literal=email_password="${EMAIL_PASSWORD}" \ + --from-literal=email_to="${EMAIL_TO}" \ + --from-literal=email_username="${EMAIL_USERNAME}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/aether/upsert-secrets.sh b/apps/aether/upsert-secrets.sh new file mode 100755 index 0000000..48d2f38 --- /dev/null +++ b/apps/aether/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" \ No newline at end of file 
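Review bot: `cut -d'=' -f2` keeps only the second `=`-delimited field, so any value containing `=` (a password with an equals sign, or base64 padding) is truncated silently; use `cut -d'=' -f2-` so everything after the first `=` is kept. This affects EMAIL_PASSWORD here and the same extraction in apps/anki/upsert-secret-anki.sh (SYNC_USER1) and apps/bookstack/upsert-secret-bookstack.sh, where APP_KEY is a `base64:` value that commonly ends in `=`.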
diff --git a/apps/anki/components/istio/istio-virtualservice.yaml b/apps/anki/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..f671fee --- /dev/null +++ b/apps/anki/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: anki +spec: + hosts: + - anki + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: anki + port: + number: 80 diff --git a/apps/anki/components/istio/kustomization.yaml b/apps/anki/components/istio/kustomization.yaml new file mode 100644 index 0000000..51d4389 --- /dev/null +++ b/apps/anki/components/istio/kustomization.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "istio-virtualservice.yaml" +patches: + - target: + kind: "NetworkPolicy" + name: "anki" + patch: |- + - op: "add" + path: "/spec/ingress/-" + value: + ports: + - protocol: "TCP" + port: "anki" + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/anki/components/pvc/anki-pvc.yaml b/apps/anki/components/pvc/anki-pvc.yaml new file mode 100644 index 0000000..62b62b0 --- /dev/null +++ b/apps/anki/components/pvc/anki-pvc.yaml @@ -0,0 +1,12 @@ +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: anki + namespace: anki +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/apps/anki/components/pvc/kustomization.yaml b/apps/anki/components/pvc/kustomization.yaml new file mode 100644 index 0000000..e6a1fe8 --- /dev/null +++ b/apps/anki/components/pvc/kustomization.yaml 
@@ -0,0 +1,16 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - anki-pvc.yaml +patches: + - target: + kind: Deployment + name: anki + patch: |- + - op: replace + path: /spec/template/spec/volumes/0 + value: + name: storage + persistentVolumeClaim: + claimName: anki diff --git a/apps/anki/deployment.yaml b/apps/anki/deployment.yaml new file mode 100644 index 0000000..25cd89a --- /dev/null +++ b/apps/anki/deployment.yaml @@ -0,0 +1,68 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: anki + labels: + app.kubernetes.io/name: anki + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: anki + template: + metadata: + labels: + app: anki + app.kubernetes.io/name: anki + app.kubernetes.io/instance: anki-prod + app.kubernetes.io/component: sync-server + spec: + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + fsGroup: 65534 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: anki + image: ghcr.io/luckyturtledev/anki:24.06.2 + ports: + - containerPort: 8080 + name: anki + env: + - name: SNAFU_RAW_ERROR_MESSAGES + value: "1" + - name: SYNC_BASE + value: /data + envFrom: + - secretRef: + name: anki + optional: true + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 65534 + runAsGroup: 65534 + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + resources: + limits: + memory: "256Mi" + requests: + cpu: "5m" + memory: "32Mi" + volumeMounts: + - name: storage + mountPath: /data + volumes: + - name: storage + emptyDir: + sizeLimit: 1Gi diff --git a/apps/anki/kustomization.yaml b/apps/anki/kustomization.yaml new file mode 100644 index 0000000..3686d34 --- /dev/null +++ b/apps/anki/kustomization.yaml 
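Review bot: The anki container has no readiness, liveness or startup probe, unlike every other Deployment in this commit, so a hung sync server keeps receiving traffic from the Service; a `readinessProbe`/`livenessProbe` on port `anki` would bring it in line (the HTTP path the server answers is not visible here). `SNAFU_RAW_ERROR_MESSAGES: "1"` returns raw error text to clients — useful for debugging, questionable on an instance labelled `anki-prod`. The `secretRef` is `optional: true`, so if the `anki` Secret is missing the pod starts without SYNC_USER1 instead of failing at admission; confirm that is the intended failure mode.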
@@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml + - networkpolicy.yaml diff --git a/apps/anki/networkpolicy.yaml b/apps/anki/networkpolicy.yaml new file mode 100644 index 0000000..7fb1b25 --- /dev/null +++ b/apps/anki/networkpolicy.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: "anki" +spec: + podSelector: {} + policyTypes: + - "Egress" + - "Ingress" + egress: [] + ingress: [] diff --git a/apps/anki/service.yaml b/apps/anki/service.yaml new file mode 100644 index 0000000..e13a21f --- /dev/null +++ b/apps/anki/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: anki +spec: + ports: + - port: 80 + targetPort: anki + selector: + app.kubernetes.io/name: anki diff --git a/apps/anki/upsert-secret-anki.sh b/apps/anki/upsert-secret-anki.sh new file mode 100755 index 0000000..8c2959a --- /dev/null +++ b/apps/anki/upsert-secret-anki.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +SYNC_USER1="$(echo "$OUTPUT" | grep -e "^SYNC_USER1=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=SYNC_USER1="${SYNC_USER1}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/anki/upsert-secrets.sh b/apps/anki/upsert-secrets.sh new file mode 100755 index 0000000..48d2f38 --- /dev/null +++ b/apps/anki/upsert-secrets.sh 
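Review bot: `OUTPUT=$(pass ${K8S_PASS_PATH})` leaves the variable unquoted, so a path containing spaces or glob characters is word-split; `pass "${K8S_PASS_PATH}"` matches the quoting used everywhere else in the script. apps/bookstack/upsert-secret-bookstack.sh has the same line.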
@@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" \ No newline at end of file diff --git a/apps/argocd/components/istio/istio-virtualservice.yaml b/apps/argocd/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..cb0c4a9 --- /dev/null +++ b/apps/argocd/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "argocd" +spec: + hosts: + - "argocd" + gateways: + - "istio-system/gateway" + http: + - match: + - uri: + prefix: "/" + route: + - destination: + host: "argocd-server" + port: + number: 80 diff --git a/apps/argocd/components/istio/kustomization.yaml b/apps/argocd/components/istio/kustomization.yaml new file mode 100644 index 0000000..9b20062 --- /dev/null +++ b/apps/argocd/components/istio/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "istio-virtualservice.yaml" diff --git a/apps/argocd/kustomization.yaml b/apps/argocd/kustomization.yaml new file mode 100644 index 0000000..4db8b70 --- /dev/null +++ b/apps/argocd/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - https://raw.githubusercontent.com/argoproj/argo-cd/v2.11.3/manifests/install.yaml diff --git a/apps/bookstack/components/istio/istio-virtualservice.yaml b/apps/bookstack/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..2bdc460 --- /dev/null +++ b/apps/bookstack/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "bookstack" +spec: + hosts: + - "bookstack" + gateways: + - "istio-system/gateway" + http: + - match: + - uri: + prefix: "/" + route: + - destination: + host: "bookstack" + port: + number: 80 
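Review bot: apps/argocd/kustomization.yaml pulls `install.yaml` from raw.githubusercontent.com at the `v2.11.3` tag; git tags are mutable and the download is not integrity-checked, so the manifest that installs the cluster's deployment controller can change without any commit here. Referencing a commit SHA in the URL, or vendoring the manifest into the repo so that review and the security-scanners workflow actually see it, removes that trust in the remote tag.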
diff --git a/apps/bookstack/components/istio/kustomization.yaml b/apps/bookstack/components/istio/kustomization.yaml new file mode 100644 index 0000000..af8e9fe --- /dev/null +++ b/apps/bookstack/components/istio/kustomization.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "istio-virtualservice.yaml" +patches: + - target: + kind: "NetworkPolicy" + name: "bookstack" + patch: |- + - op: "add" + path: "/spec/ingress/-" + value: + ports: + - protocol: "TCP" + port: "bookstack" + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/bookstack/components/oidc/kustomization.yaml b/apps/bookstack/components/oidc/kustomization.yaml new file mode 100644 index 0000000..37325d9 --- /dev/null +++ b/apps/bookstack/components/oidc/kustomization.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +configMapGenerator: + - name: "bookstack-config" + behavior: "merge" + literals: + - "AUTH_METHOD=oidc" + - "AUTH_AUTO_INITIATE=false" + - "OIDC_ISSUER_DISCOVER=true" + - "OIDC_DISPLAY_NAME_CLAIMS=preferred_username" + - "OIDC_DUMP_USER_DETAILS=false" + - "OIDC_USER_TO_GROUPS=true" + - "OIDC_GROUPS_CLAIM=resource_access.bookstack.roles" +patches: + - target: + kind: "Deployment" + name: "bookstack" + patch: | + - op: "add" + path: "/spec/template/spec/containers/0/envFrom/-" + value: + secretRef: + name: "bookstack-oidc" diff --git a/apps/bookstack/components/oidc/upsert-secret-bookstack-oidc.sh b/apps/bookstack/components/oidc/upsert-secret-bookstack-oidc.sh new file mode 100755 index 0000000..1929512 --- /dev/null +++ b/apps/bookstack/components/oidc/upsert-secret-bookstack-oidc.sh 
@@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OIDC_CLIENT_ID="bookstack" +TF_VALUE=$(terraform -chdir=../../../../tf-keycloak output -json clients | jq -r '.["'"${OIDC_CLIENT_ID}"'"]') +OIDC_CLIENT_SECRET=$(echo "$TF_VALUE" | jq -r '.client_secret') + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=OIDC_CLIENT_ID="${OIDC_CLIENT_ID}" \ + --from-literal=OIDC_CLIENT_SECRET="${OIDC_CLIENT_SECRET}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/bookstack/deployment.yaml b/apps/bookstack/deployment.yaml new file mode 100644 index 0000000..d378456 --- /dev/null +++ b/apps/bookstack/deployment.yaml 
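Review bot: The jq filter is assembled by string interpolation, `'.["'"${OIDC_CLIENT_ID}"'"]'`; pass the name in as a variable instead, `jq -r --arg id "${OIDC_CLIENT_ID}" '.[$id]'`, so a client id containing quotes cannot alter the program. `terraform -chdir=../../../../tf-keycloak` is relative to the caller's working directory while the header resolves everything else from `git rev-parse --show-toplevel`; anchoring it the same way avoids a failure, or the wrong workspace, when the script is invoked from elsewhere. apps/changedetection/components/oidc/upsert-secret-changedetection-oidc.sh has both issues too.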
@@ -0,0 +1,124 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bookstack + labels: + app.kubernetes.io/name: bookstack + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: bookstack + template: + metadata: + labels: + app: bookstack + app.kubernetes.io/name: bookstack + app.kubernetes.io/instance: bookstack-prod + app.kubernetes.io/component: bookstack + spec: + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + fsGroup: 65534 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + initContainers: + # https://stackoverflow.com/questions/38483837/please-provide-a-valid-cache-path-error-in-laravel + - name: init + image: solidnerd/bookstack:24.5.2 + imagePullPolicy: IfNotPresent + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 65534 + runAsGroup: 65534 + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + resources: + limits: + memory: "256Mi" + requests: + cpu: "5m" + memory: "16Mi" + volumeMounts: + - mountPath: "/var/www/bookstack/storage/" + name: "storage" + command: + - "sh" + - "-c" + - "mkdir -v -p /var/www/bookstack/storage/framework/sessions /var/www/bookstack/storage/framework/views /var/www/bookstack/storage/framework/cache/data /var/www/bookstack/storage/uploads/images /var/www/bookstack/storage/uploads/files /var/www/bookstack/storage/logs" + containers: + - name: "bookstack" + image: "solidnerd/bookstack:24.5.2" + imagePullPolicy: "IfNotPresent" + ports: + - containerPort: 8080 + name: "bookstack" + envFrom: + - configMapRef: + name: "bookstack-config" + - secretRef: + name: "bookstack" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 65534 + runAsGroup: 65534 + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + livenessProbe: + httpGet: + path: "/status" + port: "bookstack" + 
initialDelaySeconds: 15 + readinessProbe: + httpGet: + path: "/status" + port: "bookstack" + initialDelaySeconds: 5 + startupProbe: + httpGet: + path: "/status" + port: bookstack + failureThreshold: 60 + periodSeconds: 10 + resources: + limits: + memory: "256Mi" + requests: + cpu: "5m" + memory: "32Mi" + volumeMounts: + - name: storage + mountPath: /var/www/bookstack/storage/ + - name: data + mountPath: /data + - name: run + mountPath: /var/run + - name: tmp + mountPath: /tmp + volumes: + - name: data + emptyDir: + sizeLimit: 1Gi + - name: storage + emptyDir: + sizeLimit: 1Gi + - name: tmp + emptyDir: + sizeLimit: 50M + - name: run + emptyDir: + sizeLimit: 5M diff --git a/apps/bookstack/kustomization.yaml b/apps/bookstack/kustomization.yaml new file mode 100644 index 0000000..9edd1ac --- /dev/null +++ b/apps/bookstack/kustomization.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml + - networkpolicy.yaml +configMapGenerator: + - name: bookstack-config + literals: + - DB_DATABASE=bookstack + - MYSQL_ATTR_SSL_CA=/etc/ssl/certs/ca-certificates.crt diff --git a/apps/bookstack/networkpolicy.yaml b/apps/bookstack/networkpolicy.yaml new file mode 100644 index 0000000..389fc33 --- /dev/null +++ b/apps/bookstack/networkpolicy.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: bookstack +spec: + podSelector: {} + egress: [] + ingress: [] diff --git a/apps/bookstack/service.yaml b/apps/bookstack/service.yaml new file mode 100644 index 0000000..21e6627 --- /dev/null +++ b/apps/bookstack/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: bookstack +spec: + ports: + - port: 80 + targetPort: bookstack + selector: + app.kubernetes.io/name: bookstack diff --git a/apps/bookstack/upsert-secret-bookstack.sh b/apps/bookstack/upsert-secret-bookstack.sh new file mode 100755 index 0000000..75dc869 --- /dev/null 
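Review bot: In bookstack/deployment.yaml the `storage` volume is an `emptyDir`, yet the init container creates `storage/uploads/images` and `storage/uploads/files` beneath it, so uploaded attachments live on ephemeral storage and are lost on every pod replacement; actualbudget and anki ship a `pvc` component that swaps the volume for a PersistentVolumeClaim, and none is visible for bookstack in this commit. The `tmp` and `run` volumes use decimal `50M`/`5M` while the rest of the file uses `Mi`; harmless, but worth aligning.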
+++ b/apps/bookstack/upsert-secret-bookstack.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +# php artisan key:generate +APP_KEY="$(echo "$OUTPUT" | grep -e "^APP_KEY=" | cut -d'=' -f2)" +DB_USERNAME="$(echo "$OUTPUT" | grep -e "^DB_USERNAME=" | cut -d'=' -f2)" +DB_PASSWORD="$(echo "$OUTPUT" | grep -e "^DB_PASSWORD=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=APP_KEY="${APP_KEY}" \ + --from-literal=DB_USERNAME="${DB_USERNAME}" \ + --from-literal=DB_PASSWORD="${DB_PASSWORD}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/bookstack/upsert-secrets.sh b/apps/bookstack/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/bookstack/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/changedetection/components/istio/istio-virtualservice.yaml b/apps/changedetection/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..c9f4ffe --- /dev/null +++ b/apps/changedetection/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "changedetection" +spec: + hosts: + - "changedetection" + gateways: + - "istio-system/gateway" + http: + - match: + - uri: + prefix: "/" + route: + - destination: + host: "changedetection" + port: + number: 80 
diff --git a/apps/changedetection/components/istio/kustomization.yaml b/apps/changedetection/components/istio/kustomization.yaml new file mode 100644 index 0000000..cb6f41f --- /dev/null +++ b/apps/changedetection/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "istio-virtualservice.yaml" +patches: + - target: + kind: "NetworkPolicy" + name: "changedetection" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/changedetection/components/oidc/kustomization.yaml b/apps/changedetection/components/oidc/kustomization.yaml new file mode 100644 index 0000000..a93e4a2 --- /dev/null +++ b/apps/changedetection/components/oidc/kustomization.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Deployment" + name: "changedetection" + path: "oauth2-proxy-deployment.yaml" + - target: + kind: "Service" + name: "changedetection" + patch: | + - op: "replace" + path: "/spec/ports/0/targetPort" + value: "oauth2-proxy" + - target: + kind: "NetworkPolicy" + name: "changedetection" + patch: |- + - op: replace + path: "/spec/ingress/0/ports" + value: + - protocol: "TCP" + port: "oauth2-proxy" +configMapGenerator: + - name: "oauth2-proxy" + options: + disableNameSuffixHash: true + envs: + - "oauth2-proxy.properties" diff --git a/apps/changedetection/components/oidc/oauth2-proxy-deployment.yaml b/apps/changedetection/components/oidc/oauth2-proxy-deployment.yaml new file mode 100644 index 0000000..9fb6e50 --- /dev/null +++ b/apps/changedetection/components/oidc/oauth2-proxy-deployment.yaml 
@@ -0,0 +1,43 @@
+---
+- op: "add"
+ path: "/spec/template/spec/containers/-"
+ value:
+ name: "oauth2-proxy"
+ image: "quay.io/oauth2-proxy/oauth2-proxy:v7.6.0"
+ envFrom:
+ - configMapRef:
+ name: "oauth2-proxy"
+ - secretRef:
+ name: "changedetection-oidc"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ runAsUser: 65532
+ runAsGroup: 65532
+ resources:
+ requests:
+ memory: "16Mi"
+ cpu: "5m"
+ limits:
+ memory: "64Mi"
+ livenessProbe:
+ httpGet:
+ path: "/ping"
+ port: "oauth2-proxy"
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: "/ping"
+ port: "oauth2-proxy"
+ initialDelaySeconds: 2
+ ports:
+ - containerPort: 4180
+ name: "oauth2-proxy"
diff --git a/apps/changedetection/components/oidc/oauth2-proxy.properties b/apps/changedetection/components/oidc/oauth2-proxy.properties
new file mode 100644
index 0000000..d577453
--- /dev/null
+++ b/apps/changedetection/components/oidc/oauth2-proxy.properties
@@ -0,0 +1,6 @@
+OAUTH2_PROXY_PROVIDER=keycloak-oidc
+OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
+OAUTH2_PROXY_UPSTREAMS=http://localhost:5000
+OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
+OAUTH2_PROXY_SILENCE_PING_LOGGING=true
+OAUTH2_PROXY_FOOTER=-
diff --git a/apps/changedetection/components/oidc/upsert-secret-changedetection-oidc.sh b/apps/changedetection/components/oidc/upsert-secret-changedetection-oidc.sh
new file mode 100755
index 0000000..dbe23f9
--- /dev/null
+++ b/apps/changedetection/components/oidc/upsert-secret-changedetection-oidc.sh
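Review bot: The `keycloak-oidc` provider needs an issuer URL (`OAUTH2_PROXY_OIDC_ISSUER_URL`) and a redirect URL to start, and neither this file nor the Secret built by upsert-secret-changedetection-oidc.sh sets them; unless a base or overlay outside this diff supplies them, the sidecar will refuse to start. If they are injected elsewhere, a comment at the top of this file naming where (e.g. `# issuer/redirect URLs come from <overlay>`) would make the split between ConfigMap and Secret settings legible. `OAUTH2_PROXY_UPSTREAMS=http://localhost:5000` targets the changedetection container in the same pod, which is the intended sidecar pattern; a short comment saying so would help since the port is only defined in deployment.yaml.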
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OAUTH2_PROXY_CLIENT_ID="changedetection"
+TF_VALUE=$(terraform -chdir=../../../../tf-keycloak output -json clients | jq -r '.["'"${OAUTH2_PROXY_CLIENT_ID}"'"]')
+OAUTH2_PROXY_CLIENT_SECRET=$(echo $TF_VALUE | jq -r '.client_secret')
+OAUTH2_PROXY_COOKIE_SECRET="$(openssl rand -base64 32 | tr -- '+/' '-_')"
+OAUTH2_PROXY_EMAIL_DOMAINS="*"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=OAUTH2_PROXY_COOKIE_SECRET="${OAUTH2_PROXY_COOKIE_SECRET}" \
+ --from-literal=OAUTH2_PROXY_CLIENT_ID="${OAUTH2_PROXY_CLIENT_ID}" \
+ --from-literal=OAUTH2_PROXY_CLIENT_SECRET="${OAUTH2_PROXY_CLIENT_SECRET}" \
+ --from-literal=OAUTH2_PROXY_EMAIL_DOMAINS="${OAUTH2_PROXY_EMAIL_DOMAINS}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/changedetection/components/playwright/kustomization.yaml b/apps/changedetection/components/playwright/kustomization.yaml
new file mode 100644
index 0000000..be400b1
--- /dev/null
+++ b/apps/changedetection/components/playwright/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - playwright-deployment.yaml
+ - playwright-networkpolicy.yaml
+ - playwright-service.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: changedetection
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: PLAYWRIGHT_DRIVER_URL
+ value: ws://playwright:3000/?stealth=1&--disable-web-security=true
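Review bot: `jq -r '.["…"]'` prints the literal string `null` when the client id is missing from the terraform output, and `.client_secret` on that yields `null` again with exit status 0, so under `set -e` the script carries on and commits an encrypted Secret whose OAUTH2_PROXY_CLIENT_SECRET is the four characters "null". Make jq fail on a null result and drop the unquoted `echo $TF_VALUE`: `TF_VALUE=$(terraform -chdir=../../../../tf-keycloak output -json clients | jq -er --arg id "$OAUTH2_PROXY_CLIENT_ID" '.[$id]')` and `OAUTH2_PROXY_CLIENT_SECRET=$(jq -er '.client_secret' <<<"$TF_VALUE")`. The same null-propagation applies to the `.id`/`.secret` lookups in apps/changedetection/components/restic-pvc/upsert-secret-changedetection-restic-pvc.sh. `OAUTH2_PROXY_EMAIL_DOMAINS="*"` authorizes every account that can authenticate at the Keycloak realm; if that realm is shared with other applications, confirm this is intended and consider narrowing authorization, and a comment on that line stating the decision would help.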
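Review bot: The `--disable-web-security=true` parameter in `PLAYWRIGHT_DRIVER_URL` turns off same-origin enforcement in the headless Chrome that renders arbitrary third-party watched pages, removing the browser's main isolation boundary between those pages and anything else the browser can reach. If a particular watch genuinely needs it, record which one in a comment above the `value:` line; otherwise use `value: ws://playwright:3000/?stealth=1`. The patch appends to `/spec/template/spec/containers/0/env/-`, which relies on the changedetection container being first and already having an `env` list — both hold in deployment.yaml, but a comment noting that dependency would be useful.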
diff --git a/apps/changedetection/components/playwright/playwright-deployment.yaml b/apps/changedetection/components/playwright/playwright-deployment.yaml
new file mode 100644
index 0000000..3b329c4
--- /dev/null
+++ b/apps/changedetection/components/playwright/playwright-deployment.yaml
@@ -0,0 +1,89 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: playwright
+ name: playwright
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: playwright
+ template:
+ metadata:
+ labels:
+ app: playwright
+ app.kubernetes.io/name: playwright
+ app.kubernetes.io/instance: playwright-prod
+ app.kubernetes.io/component: playwright
+ app.kubernetes.io/part-of: changedetection
+ spec:
+ securityContext:
+ runAsUser: 65532
+ runAsGroup: 65532
+ fsGroup: 65532
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - image: browserless/chrome:1.61.1-chrome-stable
+ imagePullPolicy: IfNotPresent
+ name: playwright
+ ports:
+ - containerPort: 3000
+ name: playwright
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ resources:
+ requests:
+ memory: "196Mi"
+ cpu: "10m"
+ limits:
+ memory: "768Mi"
+ env:
+ - name: PUID
+ value: "65532"
+ - name: GUID
+ value: "65532"
+ - name: DEFAULT_USER_DATA_DIR
+ value: /tmp/userdata
+ - name: DEFAULT_BLOCK_ADS
+ value: "true"
+ - name: MAX_CONCURRENT_SESSIONS
+ value: "15"
+ - name: XDG_CONFIG_HOME
+ value: /tmp/.chromium
+ - name: XDG_CACHE_HOME
+ value: /tmp/.chromium
+ volumeMounts:
+ - name: local
+ mountPath: /.local
+ - name: tmp
+ mountPath: /tmp
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 10
+ preference:
+ matchExpressions:
+ - key: cpu_speed
+ operator: In
+ values:
+ - fast
+ volumes:
+ - name: local
+ emptyDir:
+ sizeLimit: 2Gi
+ - name: tmp
+ emptyDir:
+ sizeLimit: 5Mi
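Review bot: `DEFAULT_USER_DATA_DIR`, `XDG_CONFIG_HOME` and `XDG_CACHE_HOME` all point under /tmp, yet the `tmp` emptyDir is capped at `sizeLimit: 5Mi` while `/.local` is allowed 2Gi; a Chrome profile plus cache will likely exceed 5Mi, at which point the kubelet evicts the pod. Either raise the tmp limit or move the three data directories under /.local, and add a comment next to the `tmp` volume stating what is expected to live there. `readOnlyRootFilesystem: true` with only /.local and /tmp writable is a good baseline; a comment noting that the browser image needs exactly these two writable paths would make future image upgrades easier to check.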
diff --git a/apps/changedetection/components/playwright/playwright-networkpolicy.yaml b/apps/changedetection/components/playwright/playwright-networkpolicy.yaml
new file mode 100644
index 0000000..549cf88
--- /dev/null
+++ b/apps/changedetection/components/playwright/playwright-networkpolicy.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: "playwright"
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "playwright"
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: "TCP"
+ port: "playwright"
+ from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "changedetection"
diff --git a/apps/changedetection/components/playwright/playwright-service.yaml b/apps/changedetection/components/playwright/playwright-service.yaml
new file mode 100644
index 0000000..3a62e2e
--- /dev/null
+++ b/apps/changedetection/components/playwright/playwright-service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: playwright
+spec:
+ ports:
+ - port: 3000
+ targetPort: playwright
+ selector:
+ app: playwright
diff --git a/apps/changedetection/components/pvc/changedetection-pvc.yaml b/apps/changedetection/components/pvc/changedetection-pvc.yaml
new file mode 100644
index 0000000..a52d1f4
--- /dev/null
+++ b/apps/changedetection/components/pvc/changedetection-pvc.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: changedetection
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/apps/changedetection/components/pvc/kustomization.yaml b/apps/changedetection/components/pvc/kustomization.yaml
new file mode 100644
index 0000000..22ddb25
--- /dev/null
+++ b/apps/changedetection/components/pvc/kustomization.yaml
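Review bot: `policyTypes` lists only `Ingress`, so the headless browser — whose whole job is fetching whatever URLs are configured as watches — keeps unrestricted egress to every cluster-internal Service and to the node network, which is a wider reach than a page-fetcher needs. Add `- Egress` to `policyTypes` with an `egress` rule that permits DNS and the external destinations the watches need while excluding cluster and node ranges via `ipBlock.except`; the same consideration applies to apps/changedetection/networkpolicy.yaml, since the changedetection container also fetches remote URLs. The ingress side is well scoped (only pods labelled `app.kubernetes.io/name: changedetection` on the named port), and a short comment saying the playwright Service is intentionally reachable from changedetection only would document that.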
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - changedetection-pvc.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: changedetection
+ patch: |
+ - op: replace
+ path: /spec/template/spec/volumes/0
+ value:
+ name: storage
+ persistentVolumeClaim:
+ claimName: changedetection
diff --git a/apps/changedetection/components/restic-pvc/kustomization.yaml b/apps/changedetection/components/restic-pvc/kustomization.yaml
new file mode 100644
index 0000000..d5d16ec
--- /dev/null
+++ b/apps/changedetection/components/restic-pvc/kustomization.yaml
@@ -0,0 +1,63 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - ../../../../infra/restic-pvc
+configMapGenerator:
+ - name: "changedetection-restic-pvc"
+ literals:
+ - "RETENTION_DAYS=7"
+ - "RETENTION_WEEKS=4"
+ - "RETENTION_MONTHS=6"
+ - "RESTIC_TARGETS=/data"
+ - "RESTIC_BACKUP_ID=changedetection"
+patches:
+ - target:
+ kind: "CronJob"
+ name: "restic-pvc-backup"
+ patch: |-
+ - op: "replace"
+ path: "/spec/schedule"
+ value: "5 6 * * *"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "changedetection"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsUser"
+ value: 65532
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsGroup"
+ value: 65532
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/fsGroup"
+ value: 65532
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsUser"
+ value: 65532
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsGroup"
+ value: 65532
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "changedetection-restic-pvc"
+ - secretRef:
+ name: "changedetection-restic-pvc"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/volumes/0/persistentVolumeClaim/claimName"
+ value: "changedetection"
+ - target:
+ kind: "CronJob"
+ name: "restic-pvc-prune"
+ patch: |-
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "changedetection"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "changedetection-restic-pvc"
+ - secretRef:
+ name: "changedetection-restic-pvc"
diff --git a/apps/changedetection/components/restic-pvc/upsert-secret-changedetection-restic-pvc.sh b/apps/changedetection/components/restic-pvc/upsert-secret-changedetection-restic-pvc.sh
new file mode 100755
index 0000000..18b7aa3
--- /dev/null
+++ b/apps/changedetection/components/restic-pvc/upsert-secret-changedetection-restic-pvc.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+BACKUP_ID="${K8S_APP_SUB}"
+S3_DIR="restic-${BACKUP_ID}"
+TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]')
+AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id')
+AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret')
+RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}"
+RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \
+ --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \
+ --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/changedetection/deployment.yaml b/apps/changedetection/deployment.yaml
new file mode 100644
index 0000000..ebd0114
--- /dev/null
+++ b/apps/changedetection/deployment.yaml
@@ -0,0 +1,80 @@
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+ labels:
+ app: "changedetection"
+ name: "changedetection"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: "changedetection"
+ template:
+ metadata:
+ labels:
+ app: "changedetection"
+ app.kubernetes.io/name: "changedetection"
+ app.kubernetes.io/instance: "changedetection-prod"
+ app.kubernetes.io/component: "changedetection"
+ app.kubernetes.io/part-of: "changedetection"
+ spec:
+ securityContext:
+ runAsUser: 65532
+ runAsGroup: 65532
+ fsGroup: 65532
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - image: "ghcr.io/dgtlmoon/changedetection.io:0.45.23"
+ imagePullPolicy: "IfNotPresent"
+ name: "changedetection"
+ ports:
+ - containerPort: 5000
+ name: "changedetection"
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ resources:
+ requests:
+ memory: "196Mi"
+ cpu: "10m"
+ limits:
+ memory: "384Mi"
+ env:
+ - name: "PUID"
+ value: "65532"
+ - name: "GUID"
+ value: "65532"
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/datastore"
+ - name: "tmp"
+ mountPath: "/tmp"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 10
+ preference:
+ matchExpressions:
+ - key: "cpu_speed"
+ operator: "NotIn"
+ values:
+ - "fast"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "200Mi"
+ - name: "tmp"
+ emptyDir:
+ sizeLimit: "5Mi"
diff --git a/apps/changedetection/kustomization.yaml b/apps/changedetection/kustomization.yaml
new file mode 100644
index 0000000..eb6025a
--- /dev/null
+++ b/apps/changedetection/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+resources:
+ - "service.yaml"
+ - "deployment.yaml"
+ - "networkpolicy.yaml"
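Review bot: The changedetection container defines no `livenessProbe` or `readinessProbe`, whereas the oauth2-proxy sidecar added by the oidc component probes `/ping`; once the oidc component points the Service at the sidecar, a hung application container keeps receiving traffic because the pod stays Ready. Add an httpGet readiness and liveness probe against the named `changedetection` port, mirroring the shape used for the sidecar and for domain-exporter. The env var `GUID` here and in playwright-deployment.yaml looks like a typo for `PGID`, the usual companion of `PUID`; since `runAsUser`/`runAsGroup` are already enforced by the securityContext, either correct the name or drop both variables, and leave a one-line comment on why they are kept if they are.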
diff --git a/apps/changedetection/networkpolicy.yaml b/apps/changedetection/networkpolicy.yaml
new file mode 100644
index 0000000..acec2c6
--- /dev/null
+++ b/apps/changedetection/networkpolicy.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+ name: "changedetection"
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "changedetection"
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: "TCP"
+ port: "changedetection"
+ from: []
diff --git a/apps/changedetection/service.yaml b/apps/changedetection/service.yaml
new file mode 100644
index 0000000..0065073
--- /dev/null
+++ b/apps/changedetection/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: "v1"
+kind: "Service"
+metadata:
+ name: "changedetection"
+spec:
+ ports:
+ - port: 80
+ targetPort: "changedetection"
+ selector:
+ app: "changedetection"
diff --git a/apps/changedetection/upsert-secrets.sh b/apps/changedetection/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/changedetection/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/consul/components/istio/istio-virtualservice.yaml b/apps/consul/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..66ca5c8
--- /dev/null
+++ b/apps/consul/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: "networking.istio.io/v1alpha3"
+kind: "VirtualService"
+metadata:
+ name: "consul"
+spec:
+ hosts:
+ - "consul"
+ gateways:
+ - "istio-system/gateway"
+ http:
+ - match:
+ - uri:
+ prefix: "/"
+ route:
+ - destination:
+ host: "consul"
+ port:
+ number: 80
diff --git a/apps/consul/components/istio/kustomization.yaml b/apps/consul/components/istio/kustomization.yaml
new file mode 100644
index 0000000..fc074c2
--- /dev/null
+++ b/apps/consul/components/istio/kustomization.yaml
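Review bot: `from: []` does not deny anything: in the NetworkPolicy API an empty or missing `from` list means the rule matches all sources, so this base policy allows ingress to the changedetection port from every pod in the cluster, and it only becomes source-restricted when the istio component appends a peer to `/spec/ingress/0/from/-`. If the base is meant to deny until a component opens it, write `ingress: []` as apps/consul/networkpolicy.yaml does and have the component `add` a complete rule at `/spec/ingress/-`, as consul's istio component already does. The same `from: []` pattern is used for the registry port in apps/container-registry/networkpolicy.yaml. Whichever is chosen, a comment on the `from:` line stating the intended default would prevent this being misread.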
@@ -0,0 +1,23 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+resources:
+ - "istio-virtualservice.yaml"
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "consul"
+ patch: |-
+ - op: "add"
+ path: "/spec/ingress/-"
+ value:
+ ports:
+ - protocol: "TCP"
+ port: "consul"
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/consul/consul.hcl b/apps/consul/consul.hcl
new file mode 100644
index 0000000..1cd818a
--- /dev/null
+++ b/apps/consul/consul.hcl
@@ -0,0 +1,10 @@
+datacenter = "dd"
+data_dir = "/consul"
+log_level = "INFO"
+node_name = "foobar"
+server = true
+client_addr = "0.0.0.0"
+ui_config{
+ enabled = true
+}
+bootstrap_expect = 1
diff --git a/apps/consul/kustomization.yaml b/apps/consul/kustomization.yaml
new file mode 100644
index 0000000..3c02ffe
--- /dev/null
+++ b/apps/consul/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - sts.yaml
+ - service.yaml
+ - networkpolicy.yaml
+configMapGenerator:
+ - name: consul-config
+ files:
+ - consul.hcl
diff --git a/apps/consul/networkpolicy.yaml b/apps/consul/networkpolicy.yaml
new file mode 100644
index 0000000..4dd07ce
--- /dev/null
+++ b/apps/consul/networkpolicy.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: consul
+spec:
+ podSelector: {}
+ ingress: []
diff --git a/apps/consul/service.yaml b/apps/consul/service.yaml
new file mode 100644
index 0000000..6fef2f0
--- /dev/null
+++ b/apps/consul/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: consul
+spec:
+ ports:
+ - port: 80
+ targetPort: consul
+ selector:
+ app.kubernetes.io/name: consul
diff --git a/apps/consul/sts.yaml b/apps/consul/sts.yaml
new file mode 100644
index 0000000..220ee90
--- /dev/null
+++ b/apps/consul/sts.yaml
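Review bot: There is no `acl` block, so this server runs with ACLs disabled (Consul's default), and the istio component in the same commit publishes its HTTP API and UI on port 80 through the gateway with nothing authenticating in front; every client that reaches that hostname can read and modify the KV store and service catalog. Add an `acl` block with `enabled = true` and `default_policy = "deny"` and bootstrap a management token, or put the oauth2-proxy sidecar pattern used for changedetection in front of it. `datacenter = "dd"` and `node_name = "foobar"` read like placeholders; confirm they are intended and add a comment if so, since `node_name` is persisted in the raft state.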
@@ -0,0 +1,91 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: consul
+ labels:
+ app.kubernetes.io/name: consul
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ serviceName: consul
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: consul
+ template:
+ metadata:
+ labels:
+ app: consul
+ app.kubernetes.io/name: consul
+ app.kubernetes.io/instance: consul-prod
+ app.kubernetes.io/component: consul
+ spec:
+ securityContext:
+ runAsUser: 15344
+ runAsGroup: 15344
+ fsGroup: 15344
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: "consul"
+ image: "hashicorp/consul:1.19.1"
+ imagePullPolicy: "IfNotPresent"
+ command:
+ - consul
+ - agent
+ - -config-file=/config/consul.hcl
+ ports:
+ - containerPort: 8500
+ name: "consul"
+ env:
+ - name: "CONSUL_DISABLE_PERM_MGMT"
+ value: ""
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 15344
+ runAsGroup: 15344
+ capabilities:
+ drop:
+ - "ALL"
+ seccompProfile:
+ type: "RuntimeDefault"
+ livenessProbe:
+ tcpSocket:
+ port: "consul"
+ initialDelaySeconds: 15
+ readinessProbe:
+ tcpSocket:
+ port: "consul"
+ initialDelaySeconds: 5
+ resources:
+ limits:
+ memory: "256Mi"
+ requests:
+ cpu: "5m"
+ memory: "32Mi"
+ volumeMounts:
+ - name: storage
+ mountPath: /consul
+ - name: run
+ mountPath: /var/run
+ - name: tmp
+ mountPath: /tmp
+ - name: config
+ mountPath: /config
+ readOnly: true
+ volumes:
+ - name: storage
+ emptyDir:
+ sizeLimit: 1Gi
+ - name: tmp
+ emptyDir:
+ sizeLimit: 50M
+ - name: run
+ emptyDir:
+ sizeLimit: 5M
+ - name: config
+ configMap:
+ name: consul-config
diff --git a/apps/consul/upsert-secret-bookstack.sh b/apps/consul/upsert-secret-bookstack.sh
new file mode 100755
index 0000000..75dc869
--- /dev/null
+++ b/apps/consul/upsert-secret-bookstack.sh
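Review bot: The `storage` volume mounted at /consul — the server's `data_dir` in consul.hcl, holding the raft log, KV data and any ACL tokens once ACLs are enabled — is an `emptyDir`, so all server state is discar each time the pod is rescheduled; a StatefulSet that is meant to persist state uses `volumeClaimTemplates`, or this repo's pvc-component pattern could be applied here. `CONSUL_DISABLE_PERM_MGMT` is set to the empty string; its effect with an empty value is unclear to me and the image entrypoint presumably tests for a non-empty value — confirm against the entrypoint and either give it a value or drop it, with a comment stating why it is there. `sizeLimit: 50M` and `5M` use decimal units while every other file in the commit uses `Mi`; align them for consistency.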
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+# php artisan key:generate
+APP_KEY="$(echo "$OUTPUT" | grep -e "^APP_KEY=" | cut -d'=' -f2)"
+DB_USERNAME="$(echo "$OUTPUT" | grep -e "^DB_USERNAME=" | cut -d'=' -f2)"
+DB_PASSWORD="$(echo "$OUTPUT" | grep -e "^DB_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=APP_KEY="${APP_KEY}" \
+ --from-literal=DB_USERNAME="${DB_USERNAME}" \
+ --from-literal=DB_PASSWORD="${DB_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/consul/upsert-secrets.sh b/apps/consul/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/consul/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/container-registry/components/istio/istio-virtualservice.yaml b/apps/container-registry/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..edf6421
--- /dev/null
+++ b/apps/container-registry/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: container-registry
+spec:
+ hosts:
+ - cr
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: container-registry
+ port:
+ number: 80
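Review bot: This file appears to be an unchanged copy of apps/bookstack/upsert-secret-bookstack.sh — Laravel `APP_KEY` comment, `DB_USERNAME`, `DB_PASSWORD` — dropped into the consul app directory, and nothing in consul.hcl or sts.yaml consumes such a Secret. When contrib/upsert-secrets.sh iterates the directory it will read bookstack-shaped keys from consul's pass path and write a meaningless sops file, so this looks like copy-paste residue; remove it or replace it with a consul-specific script (which, once ACLs are enabled, would be the natural place for the agent/management token). The `cut -d'=' -f2` truncation noted on the bookstack original applies here as well.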
diff --git a/apps/container-registry/components/istio/kustomization.yaml b/apps/container-registry/components/istio/kustomization.yaml
new file mode 100644
index 0000000..5b89eae
--- /dev/null
+++ b/apps/container-registry/components/istio/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "container-registry"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/container-registry/components/pvc/cr-pvc.yaml b/apps/container-registry/components/pvc/cr-pvc.yaml
new file mode 100644
index 0000000..90140fa
--- /dev/null
+++ b/apps/container-registry/components/pvc/cr-pvc.yaml
@@ -0,0 +1,11 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: container-registry
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 25Gi
diff --git a/apps/container-registry/components/pvc/kustomization.yaml b/apps/container-registry/components/pvc/kustomization.yaml
new file mode 100644
index 0000000..22ba92f
--- /dev/null
+++ b/apps/container-registry/components/pvc/kustomization.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - cr-pvc.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: container-registry
+ patch: |-
+ - op: replace
+ path: /spec/template/spec/volumes/0
+ value:
+ name: storage
+ persistentVolumeClaim:
+ claimName: container-registry
diff --git a/apps/container-registry/config.yml b/apps/container-registry/config.yml
new file mode 100644
index 0000000..acf551e
--- /dev/null
+++ b/apps/container-registry/config.yml
@@ -0,0 +1,14 @@
+---
+version: 0.1
+http:
+ addr: 0.0.0.0:5000
+ draintimeout: 60s
+ debug:
+ addr: 0.0.0.0:5001
+ prometheus:
+ enabled: true
+ path: /metrics
+storage:
+ filesystem:
+ rootdirectory: /var/lib/registry
+ maxthreads: 100
diff --git a/apps/container-registry/deployment.yaml b/apps/container-registry/deployment.yaml
new file mode 100644
index 0000000..cec84e5
--- /dev/null
+++ b/apps/container-registry/deployment.yaml
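Review bot: The registry config has no `auth` section, so the registry accepts unauthenticated pull and push; the istio component in this commit publishes it on host `cr` via the gateway and the registry port's NetworkPolicy rule uses `from: []`, so whoever can reach that hostname can push or overwrite images that this cluster later pulls. Unless an authenticating proxy sits in front of it at the gateway (nothing in this diff shows one), add an `auth` block (e.g. `htpasswd` with the file delivered through the existing `config-volume` mount) and restrict push separately from pull at the proxy. A comment at the top of this file recording where authentication is enforced would make the trust boundary explicit for the next reader.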
@@ -0,0 +1,82 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: container-registry
+ labels:
+ app.kubernetes.io/name: container-registry
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: container-registry
+ template:
+ metadata:
+ labels:
+ app: container-registry
+ app.kubernetes.io/name: container-registry
+ app.kubernetes.io/instance: container-registry-prod
+ app.kubernetes.io/component: registry
+ app.kubernetes.io/part-of: container-registry
+ annotations:
+ prometheus.io/port: "5001"
+ prometheus.io/scrape: "true"
+ spec:
+ securityContext:
+ runAsUser: 45454
+ runAsGroup: 45454
+ fsGroup: 45454
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: registry
+ image: registry:2.8.3
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 45454
+ runAsGroup: 45454
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ ports:
+ - containerPort: 5000
+ name: registry
+ - containerPort: 5001
+ name: debug
+ envFrom:
+ - configMapRef:
+ name: config
+ resources:
+ limits:
+ cpu: "1"
+ memory: 1Gi
+ requests:
+ cpu: "25m"
+ memory: 512Mi
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: debug
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: debug
+ volumeMounts:
+ - name: storage
+ mountPath: /var/lib/registry
+ - name: config-volume
+ mountPath: /etc/docker/registry
+ volumes:
+ - name: storage
+ emptyDir:
+ sizeLimit: 5Gi
+ - name: config-volume
+ configMap:
+ defaultMode: 420
+ name: config
diff --git a/apps/container-registry/kustomization.yaml b/apps/container-registry/kustomization.yaml
new file mode 100644
index 0000000..f9dfbc9
--- /dev/null
+++ b/apps/container-registry/kustomization.yaml
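Review bot: The `envFrom` block injects the `config` ConfigMap as environment variables, but that ConfigMap is generated from `files: [config.yml]`, so its only key is `config.yml` — not a valid environment variable name — and the kubelet skips it and emits an event on every start. The configuration is already delivered correctly through the `config-volume` mount at /etc/docker/registry, so drop the three `envFrom` lines. The metrics port 5001 is named `debug` here while networkpolicy.yaml refers to a named port `metrics`; a comment on the port explaining that 5001 serves both the debug endpoints and `/metrics` would help, and the name should be aligned with the policy.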
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+configMapGenerator:
+ - name: config
+ files:
+ - config.yml
diff --git a/apps/container-registry/networkpolicy.yaml b/apps/container-registry/networkpolicy.yaml
new file mode 100644
index 0000000..2922427
--- /dev/null
+++ b/apps/container-registry/networkpolicy.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: "container-registry"
+spec:
+ podSelector: {}
+ policyTypes:
+ - "Egress"
+ - "Ingress"
+ ingress:
+ - ports:
+ - protocol: "TCP"
+ port: "registry"
+ from: []
+ - ports:
+ - protocol: "TCP"
+ port: "metrics"
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "monitoring"
+ podSelector:
+ matchLabels:
+ app: "prometheus"
+ egress: []
diff --git a/apps/container-registry/service.yaml b/apps/container-registry/service.yaml
new file mode 100644
index 0000000..b012dc2
--- /dev/null
+++ b/apps/container-registry/service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: container-registry
+spec:
+ selector:
+ app.kubernetes.io/name: container-registry
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: registry
diff --git a/apps/container-registry/upsert-secrets.sh b/apps/container-registry/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/container-registry/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/device-stalker/components/custom-config/kustomization.yaml b/apps/device-stalker/components/custom-config/kustomization.yaml
new file mode 100644
index 0000000..f33016e
--- /dev/null
+++ b/apps/device-stalker/components/custom-config/kustomization.yaml
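Review bot: `resources` lists deployment.yaml and service.yaml but not networkpolicy.yaml, unlike apps/changedetection/kustomization.yaml and apps/domain-exporter/kustomization.yaml, so the registry is deployed with no NetworkPolicy at all even though one is committed next to it. It also leaves the istio component's patch targeting `NetworkPolicy/container-registry` without a resource to apply to, which kustomize reports as a missing patch target at build time. Add `- networkpolicy.yaml` to the list.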
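Review bot: The second ingress rule allows `port: "metrics"`, but deployment.yaml names port 5001 `debug`, so the named-port reference matches nothing and Prometheus scrapes of 5001 would be blocked as soon as this policy is applied; rename one side, e.g. `name: metrics` on the container port as device-stalker's deployment does. The Prometheus peer is selected with `app: "prometheus"` here but with `app.kubernetes.io/name: prometheus` in apps/domain-exporter/networkpolicy.yaml; at most one of these matches the real Prometheus pods, so align them. `egress: []` together with `Egress` in `policyTypes` and `podSelector: {}` denies all egress for every pod in the namespace, which is fine for a filesystem-backed registry but deserves a one-line comment so it is not "fixed" later.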
@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: Deployment
+ name: device-stalker
+ patch: |-
+ - op: add
+ path: "/spec/template/spec/containers/0/args/-"
+ value: "--config=/etc/config/config.yaml"
+ - op: add
+ path: "/spec/template/spec/containers/0/volumeMounts/-"
+ value:
+ name: "device-stalker-config-volume"
+ mountPath: "/etc/config/"
+ - op: add
+ path: "/spec/template/spec/volumes/-"
+ value:
+ name: device-stalker-config-volume
+ configMap:
+ defaultMode: 420
+ name: device-stalker-config
diff --git a/apps/device-stalker/deployment.yaml b/apps/device-stalker/deployment.yaml
new file mode 100644
index 0000000..7a3e52e
--- /dev/null
+++ b/apps/device-stalker/deployment.yaml
@@ -0,0 +1,80 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: device-stalker
+ labels:
+ app: device-stalker
+ annotations:
+ ignore-check.kube-linter.io/unsafe-sysctls: "device-stalker needs sysctl parameters to perform ICMP as non-root user"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: "device-stalker"
+ template:
+ metadata:
+ labels:
+ app: "device-stalker"
+ app.kubernetes.io/name: device-stalker
+ app.kubernetes.io/instance: device-stalker-prod
+ app.kubernetes.io/component: device-stalker
+ app.kubernetes.io/part-of: monitoring
+ annotations:
+ prometheus.io/port: "9224"
+ prometheus.io/scrape: "true"
+ spec:
+ securityContext:
+ runAsUser: 47454
+ runAsGroup: 47454
+ fsGroup: 47454
+ runAsNonRoot: true
+ sysctls:
+ - name: "net.ipv4.ping_group_range"
+ value: "0 2147483647"
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: "device-stalker"
+ image: "ghcr.io/soerenschneider/device-stalker:1.0.0"
+ imagePullPolicy: "IfNotPresent"
+ args: []
+ env:
+ - name: "DEVICE_STALKER_PINGER_PRIVILEGED"
+ value: "false"
+ - name: "DEVICE_STALKER_METRICS_ADDR"
+ value: "0.0.0.0:9224"
+ ports:
+ - containerPort: 9224
+ name: "metrics"
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 47454
+ runAsGroup: 47454
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ resources:
+ requests:
+ cpu: "5m"
+ memory: "32Mi"
+ limits:
+ cpu: "100m"
+ memory: "128Mi"
+ volumeMounts: []
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 10
+ preference:
+ matchExpressions:
+ - key: cpu_speed
+ operator: In
+ values:
+ - slow
+ volumes: []
diff --git a/apps/device-stalker/kustomization.yaml b/apps/device-stalker/kustomization.yaml
new file mode 100644
index 0000000..9d88b3a
--- /dev/null
+++ b/apps/device-stalker/kustomization.yaml
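Review bot: `net.ipv4.ping_group_range` is set to `0 2147483647`, granting unprivileged ICMP sockets to every group id in the pod's network namespace, while the pod runs solely as group 47454 and `DEVICE_STALKER_PINGER_PRIVILEGED="false"` indicates it relies on exactly that unprivileged socket type. `value: "47454 47454"` covers the need with least privilege and keeps the range in step with `runAsGroup`. The kube-linter ignore annotation already explains why the sysctl exists; a comment on the `sysctls` entry noting that the range must match `runAsGroup` would stop the two drifting apart.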
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
diff --git a/apps/domain-exporter/components/config/kustomization.yaml b/apps/domain-exporter/components/config/kustomization.yaml
new file mode 100644
index 0000000..669a714
--- /dev/null
+++ b/apps/domain-exporter/components/config/kustomization.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: Deployment
+ name: domain-exporter
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value:
+ "--config=/config.yaml"
+ - op: replace
+ path: /spec/template/spec/containers/0/volumeMounts
+ value:
+ - name: config
+ mountPath: /config.yaml
+ subPath: config.yaml
+ - op: replace
+ path: /spec/template/spec/volumes
+ value:
+ - name: config
+ configMap:
+ name: domain-exporter-config
diff --git a/apps/domain-exporter/deployment.yaml b/apps/domain-exporter/deployment.yaml
new file mode 100644
index 0000000..9f91798
--- /dev/null
+++ b/apps/domain-exporter/deployment.yaml
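Review bot: The two `op: replace` patches target `/spec/template/spec/containers/0/volumeMounts` and `/spec/template/spec/volumes`, but apps/domain-exporter/deployment.yaml declares neither key, and JSON Patch `replace` requires the target location to exist, so kustomize rejects the build whenever this component is enabled. Use `op: add` for both paths, or pre-declare `volumeMounts: []` and `volumes: []` in the deployment the way apps/device-stalker/deployment.yaml does for its custom-config component. A `subPath` mount of a ConfigMap does not pick up later ConfigMap edits, so the `reloader.stakater.com/auto` annotation on the deployment is what actually rolls the config in; a comment on the `subPath` line noting that dependency would be worth adding.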
@@ -0,0 +1,69 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: domain-exporter
+ labels:
+ app.kubernetes.io/name: domain-exporter
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: domain-exporter
+ template:
+ metadata:
+ labels:
+ app: domain-exporter
+ app.kubernetes.io/name: domain-exporter
+ app.kubernetes.io/instance: domain-exporter-prod
+ app.kubernetes.io/component: domain-exporter
+ annotations:
+ prometheus.io/port: "9222"
+ prometheus.io/scrape: "true"
+ spec:
+ securityContext:
+ runAsUser: 17238
+ runAsGroup: 17238
+ fsGroup: 17238
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: domain-exporter
+ image: caarlos0/domain_exporter:v1.23.0
+ imagePullPolicy: IfNotPresent
+ args:
+ - "--logFormat=json"
+ - "--cache=6h"
+ ports:
+ - containerPort: 9222
+ name: domain-exporter
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 17238
+ runAsGroup: 17238
+ capabilities:
+ drop:
+ - "ALL"
+ seccompProfile:
+ type: "RuntimeDefault"
+ livenessProbe:
+ httpGet:
+ path: "/"
+ port: "domain-exporter"
+ initialDelaySeconds: 5
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: "domain-exporter"
+ initialDelaySeconds: 1
+ resources:
+ limits:
+ memory: "256Mi"
+ requests:
+ cpu: "5m"
+ memory: "32Mi"
diff --git a/apps/domain-exporter/kustomization.yaml b/apps/domain-exporter/kustomization.yaml
new file mode 100644
index 0000000..3686d34
--- /dev/null
+++ b/apps/domain-exporter/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - networkpolicy.yaml
diff --git a/apps/domain-exporter/networkpolicy.yaml b/apps/domain-exporter/networkpolicy.yaml
new file mode 100644
index 0000000..b31c5e6
--- /dev/null
+++ b/apps/domain-exporter/networkpolicy.yaml
@@ -0,0 +1,20 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: domain-exporter +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: domain-exporter + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus diff --git a/apps/domain-exporter/service.yaml b/apps/domain-exporter/service.yaml new file mode 100644 index 0000000..cc1b757 --- /dev/null +++ b/apps/domain-exporter/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: domain-exporter +spec: + ports: + - port: 80 + targetPort: domain-exporter + selector: + app.kubernetes.io/name: domain-exporter diff --git a/apps/domain-exporter/upsert-secrets.sh b/apps/domain-exporter/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/domain-exporter/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/dyndns/client/components/aws-credentials/kustomization.yaml b/apps/dyndns/client/components/aws-credentials/kustomization.yaml new file mode 100644 index 0000000..2ae8742 --- /dev/null +++ b/apps/dyndns/client/components/aws-credentials/kustomization.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Deployment" + name: "dyndns-client" + patch: |- + - op: "add" + path: "/spec/template/spec/containers/0/envFrom/-" + value: + secretRef: + name: "dyndns-client-aws-credentials" diff --git a/apps/dyndns/client/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh b/apps/dyndns/client/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh new file mode 100755 index 0000000..163b2cf --- /dev/null +++ b/apps/dyndns/client/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh 
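Review bot: The `domain-exporter` NetworkPolicy sets `policyTypes: [Ingress]` only, so egress from every pod in the namespace (`podSelector: {}`) stays unrestricted, although an exporter that checks domain expiry presumably needs only kube-dns and outbound WHOIS/RDAP, not the rest of the cluster. Consider adding `Egress` to `policyTypes` with rules for DNS on 53/udp+tcp and for 43/tcp and 443/tcp to external ranges, in the egress-limited style the firefly policy in this patch uses for its database. `podSelector: {}` will also govern any pod later placed in this namespace; `matchLabels: app.kubernetes.io/name: domain-exporter` keeps the policy scoped to what it was written for.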
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+AWS_ACCESS_KEY_ID="$(echo "$OUTPUT" | grep -e "^AWS_ACCESS_KEY_ID=" | cut -d'=' -f2)"
+AWS_SECRET_ACCESS_KEY="$(echo "$OUTPUT" | grep -e "^AWS_SECRET_ACCESS_KEY=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/dyndns/client/components/aws-endpoints/kustomization.yaml b/apps/dyndns/client/components/aws-endpoints/kustomization.yaml
new file mode 100644
index 0000000..39c402f
--- /dev/null
+++ b/apps/dyndns/client/components/aws-endpoints/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+patches:
+ - target:
+ kind: "Deployment"
+ name: "dyndns-client"
+ patch: |-
+ - op: "add"
+ path: "/spec/template/spec/containers/0/envFrom/-"
+ value:
+ secretRef:
+ name: "dyndns-client-aws-endpoints"
diff --git a/apps/dyndns/client/components/aws-endpoints/upsert-secret-dyndns-aws-endpoints.sh b/apps/dyndns/client/components/aws-endpoints/upsert-secret-dyndns-aws-endpoints.sh
new file mode 100644
index 0000000..623f6c0
--- /dev/null
+++ b/apps/dyndns/client/components/aws-endpoints/upsert-secret-dyndns-aws-endpoints.sh
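Review bot: `cut -d'=' -f2` keeps only the text between the first and second `=`, so any value containing `=` is silently truncated before it is written into the secret; use `cut -d'=' -f2-` in both the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` lines (or `sed 's/^[^=]*=//'`). `pass ${K8S_PASS_PATH}` is unquoted under `set -u` — `pass "${K8S_PASS_PATH}"` avoids word-splitting — and `-e` is passed to `sops` twice, harmless but a leftover. Note also that `--from-literal` puts both AWS keys into kubectl's argv, visible via `ps` to any local user for as long as the command runs.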
@@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +# manually overriden +K8S_PASS_PATH="infra/dyndns/common/prod/aws-endpoints" + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +DYNDNS_SQS_QUEUE="$(echo "$OUTPUT" | grep -e "^DYNDNS_SQS_QUEUE=" | cut -d'=' -f2)" +DYNDNS_HTTP_RESOLVER_PREFERRED_URLS="$(echo "$OUTPUT" | grep -e "^DYNDNS_HTTP_RESOLVER_PREFERRED_URLS=" | cut -d'=' -f2)" +DYNDNS_HTTP_DISPATCHER_CONF="$(echo "$OUTPUT" | grep -e "^DYNDNS_HTTP_DISPATCHER_CONF=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=DYNDNS_SQS_QUEUE="${DYNDNS_SQS_QUEUE}" \ + --from-literal=DYNDNS_HTTP_RESOLVER_PREFERRED_URLS="${DYNDNS_HTTP_RESOLVER_PREFERRED_URLS}" \ + --from-literal=DYNDNS_HTTP_DISPATCHER_CONF="${DYNDNS_HTTP_DISPATCHER_CONF}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/dyndns/client/components/keypair/kustomization.yaml b/apps/dyndns/client/components/keypair/kustomization.yaml new file mode 100644 index 0000000..e374ad4 --- /dev/null +++ b/apps/dyndns/client/components/keypair/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Deployment" + name: "dyndns-client" + patch: |- + - op: "add" + path: "/spec/template/spec/volumes/-" + value: + name: "keypair" + secret: + secretName: "dyndns-client-keypair" + - op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "keypair" + mountPath: "/etc/dyndns/" 
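Review bot: This script is added with mode 100644 while its siblings `upsert-secret-dyndns-aws-credentials.sh` and `upsert-secret-dyndns-keypair.sh` are 100755, so if `contrib/upsert-secrets.sh` executes these files directly (not visible here) this one will be skipped or fail with a permission error; `chmod +x` it. The values it extracts — `DYNDNS_HTTP_RESOLVER_PREFERRED_URLS` and `DYNDNS_HTTP_DISPATCHER_CONF` — are URLs/config that can legitimately contain `=`, which `cut -d'=' -f2` truncates at the second `=`; use `cut -d'=' -f2-` for all three extractions. The `# manually overriden` comment would be clearer as `# manually overridden: all dyndns components share one pass entry`.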
diff --git a/apps/dyndns/client/components/keypair/upsert-secret-dyndns-keypair.sh b/apps/dyndns/client/components/keypair/upsert-secret-dyndns-keypair.sh
new file mode 100755
index 0000000..7671854
--- /dev/null
+++ b/apps/dyndns/client/components/keypair/upsert-secret-dyndns-keypair.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+SECRET_DATA=$(pass ${K8S_PASS_PATH})
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=keypair.json="${SECRET_DATA}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/dyndns/client/deployment.yaml b/apps/dyndns/client/deployment.yaml
new file mode 100644
index 0000000..92dcdde
--- /dev/null
+++ b/apps/dyndns/client/deployment.yaml
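Review bot: `--from-literal=keypair.json="${SECRET_DATA}"` places the whole dyndns private keypair into kubectl's command line, where it is readable by every local user through `ps` or `/proc/<pid>/cmdline` while the process runs, and would also appear in any `set -x` trace. Feed it through a file descriptor instead: `--from-file=keypair.json=<(pass "${K8S_PASS_PATH}")` and drop the `SECRET_DATA` variable. The same pattern applies to the other `upsert-secret-*.sh` scripts in this patch, but the keypair is the most sensitive value among them.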
@@ -0,0 +1,69 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "dyndns-client" + labels: + app: "dyndns-client" + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app: "dyndns-client" + strategy: {} + template: + metadata: + labels: + app: dyndns-client + app.kubernetes.io/name: dyndns + app.kubernetes.io/instance: dyndns + app.kubernetes.io/component: client + app.kubernetes.io/part-of: dyndns + annotations: + prometheus.io/port: "9191" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 41454 + runAsGroup: 41454 + fsGroup: 41454 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - image: "ghcr.io/soerenschneider/dyndns-client:1.19.0" + imagePullPolicy: "IfNotPresent" + name: "dyndns-client" + ports: + - containerPort: 9191 + name: "metrics" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 41454 + runAsGroup: 41454 + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + resources: + requests: + memory: "32Mi" + cpu: "10m" + limits: + memory: "64Mi" + env: + - name: "DYNDNS_CLIENT_ID" + valueFrom: + fieldRef: + fieldPath: "metadata.name" + envFrom: + - configMapRef: + name: "dyndns-client-config" + volumeMounts: [] + volumes: [] diff --git a/apps/dyndns/client/kustomization.yaml b/apps/dyndns/client/kustomization.yaml new file mode 100644 index 0000000..c0859b5 --- /dev/null +++ b/apps/dyndns/client/kustomization.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "deployment.yaml" + - "networkpolicy.yaml" +configMapGenerator: + - name: "dyndns-client-config" + literals: + - "DYNDNS_METRICS_LISTEN=:9191" + - "DYNDNS_KEYPAIR_PATH=/etc/dyndns/keypair.json" + - "DYNDNS_BROKERS=mqtt://mosquitto.mosquitto:1883" 
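Review bot: `DYNDNS_BROKERS=mqtt://mosquitto.mosquitto:1883` in the `dyndns-client-config` ConfigMap points the client at a plaintext MQTT endpoint, so update messages cross the cluster network unencrypted and, unless the broker enforces credentials and topic ACLs (not visible here), any pod that can reach `mosquitto` can publish or subscribe to the same topics. If the keypair component is used to sign messages that covers integrity but not confidentiality or replay; consider `mqtts://mosquitto.mosquitto:8883` with broker TLS, or a comment stating that the mosquitto namespace relies on Istio mTLS and its own NetworkPolicy. The Deployment itself is well hardened — `readOnlyRootFilesystem`, `ALL` capabilities dropped, `RuntimeDefault` seccomp at both levels.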
diff --git a/apps/dyndns/client/networkpolicy.yaml b/apps/dyndns/client/networkpolicy.yaml new file mode 100644 index 0000000..e0dfc81 --- /dev/null +++ b/apps/dyndns/client/networkpolicy.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: "networking.k8s.io/v1" +kind: "NetworkPolicy" +metadata: + name: "dyndns-client" +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: "dyndns" + app.kubernetes.io/component: "client" + ingress: + - ports: + - protocol: "TCP" + port: "metrics" + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "monitoring" + podSelector: + matchLabels: + app.kubernetes.io/name: "prometheus" diff --git a/apps/dyndns/client/upsert-secrets.sh b/apps/dyndns/client/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/dyndns/client/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/dyndns/server/components/aws-credentials/kustomization.yaml b/apps/dyndns/server/components/aws-credentials/kustomization.yaml new file mode 100644 index 0000000..01c05aa --- /dev/null +++ b/apps/dyndns/server/components/aws-credentials/kustomization.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Deployment" + name: "dyndns-server" + patch: |- + - op: "add" + path: "/spec/template/spec/containers/0/envFrom/-" + value: + secretRef: + name: "dyndns-server-aws-credentials" diff --git a/apps/dyndns/server/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh b/apps/dyndns/server/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh new file mode 100755 index 0000000..163b2cf --- /dev/null +++ b/apps/dyndns/server/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh 
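Review bot: The `dyndns-client` NetworkPolicy omits `policyTypes`, so it defaults to `[Ingress]` and the client's egress is unrestricted even though its destinations are few and known: the MQTT broker, kube-dns and the AWS API endpoints. Add `policyTypes: [Ingress, Egress]` with an egress rule to `namespaceSelector: kubernetes.io/metadata.name: mosquitto` on 1883/tcp, one for DNS, and one to `0.0.0.0/0` on 443/tcp excluding RFC1918 ranges, as the firefly policy in this patch already does for its database. The metrics ingress rule itself is correctly scoped to prometheus in `monitoring`.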
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +AWS_ACCESS_KEY_ID="$(echo "$OUTPUT" | grep -e "^AWS_ACCESS_KEY_ID=" | cut -d'=' -f2)" +AWS_SECRET_ACCESS_KEY="$(echo "$OUTPUT" | grep -e "^AWS_SECRET_ACCESS_KEY=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \ + --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/dyndns/server/components/aws-sqs/kustomization.yaml b/apps/dyndns/server/components/aws-sqs/kustomization.yaml new file mode 100644 index 0000000..8612687 --- /dev/null +++ b/apps/dyndns/server/components/aws-sqs/kustomization.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Deployment" + name: "dyndns-server" + patch: |- + - op: "add" + path: "/spec/template/spec/containers/0/envFrom/-" + value: + secretRef: + name: "dyndns-server-aws-sqs" diff --git a/apps/dyndns/server/components/aws-sqs/upsert-secret-dyndns-aws-sqs-url.sh b/apps/dyndns/server/components/aws-sqs/upsert-secret-dyndns-aws-sqs-url.sh new file mode 100755 index 0000000..c09fcbe --- /dev/null +++ b/apps/dyndns/server/components/aws-sqs/upsert-secret-dyndns-aws-sqs-url.sh 
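Review bot: This file is byte-identical to `apps/dyndns/client/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh` (both headers show blob `163b2cf`), so the `cut -d'=' -f2` truncation and the argv exposure of the AWS keys will have to be fixed in two places; move the extraction into `contrib/` and have both scripts call it. Separately, static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pairs injected via `envFrom` are long-lived; the IAM policy behind them should be limited to the dyndns hosted zone and the single SQS queue and the keys rotated on a schedule, which nothing in this repo can enforce but deserves a note in the script header.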
@@ -0,0 +1,25 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +# manually overriden +K8S_PASS_PATH="infra/dyndns/common/prod/aws-endpoints" + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +DYNDNS_SQS_QUEUE="$(echo "$OUTPUT" | grep -e "^DYNDNS_SQS_QUEUE=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=DYNDNS_SQS_QUEUE="${DYNDNS_SQS_QUEUE}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/dyndns/server/deployment.yaml b/apps/dyndns/server/deployment.yaml new file mode 100644 index 0000000..2a78e12 --- /dev/null +++ b/apps/dyndns/server/deployment.yaml 
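Review bot: If `DYNDNS_SQS_QUEUE` is missing from the pass entry, `grep` exits 1, `pipefail` propagates it and `set -e` aborts the script silently at the assignment, so the operator gets no indication of which key was absent. Wrap the extraction: `DYNDNS_SQS_QUEUE="$(grep -e "^DYNDNS_SQS_QUEUE=" <<<"$OUTPUT" | cut -d'=' -f2-)" || { echo "DYNDNS_SQS_QUEUE not found in ${K8S_PASS_PATH}" >&2; exit 1; }`. The script name `upsert-secret-dyndns-aws-sqs-url.sh` also differs from the component directory `aws-sqs` and the secret name `dyndns-server-aws-sqs`; if `contrib/variables.sh` derives `K8S_SECRET_NAME` from the filename (it is sourced but not visible here), confirm the generated name matches the `secretRef` in the component's kustomization.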
@@ -0,0 +1,68 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dyndns-server + labels: + app.kubernetes.io/name: dyndns + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app: dyndns-server + template: + metadata: + labels: + app: dyndns-server + app.kubernetes.io/name: dyndns + app.kubernetes.io/instance: dyndns + app.kubernetes.io/component: server + app.kubernetes.io/part-of: dyndns + annotations: + prometheus.io/port: "9191" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 51734 + runAsGroup: 51734 + fsGroup: 51734 + seccompProfile: + type: RuntimeDefault + containers: + - image: ghcr.io/soerenschneider/dyndns-server:1.19.0 + imagePullPolicy: IfNotPresent + name: dyndns-server + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 51734 + runAsGroup: 51734 + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + ports: + - containerPort: 9191 + name: metrics + resources: + requests: + memory: "32Mi" + cpu: "10m" + limits: + memory: "64Mi" + env: + - name: "DYNDNS_CLIENT_ID" + valueFrom: + fieldRef: + fieldPath: "metadata.name" + envFrom: + - configMapRef: + name: "dyndns-server-config" + - secretRef: + name: "dyndns-server-aws" + optional: true diff --git a/apps/dyndns/server/kustomization.yaml b/apps/dyndns/server/kustomization.yaml new file mode 100644 index 0000000..d4e481c --- /dev/null +++ b/apps/dyndns/server/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "deployment.yaml" + - "networkpolicy.yaml" +configMapGenerator: + - name: "dyndns-server-config" + literals: + - "DYNDNS_BROKERS=mqtt://mosquitto.mosquitto:1883" + - "DYNDNS_METRICS_LISTEN=:9191" diff --git a/apps/dyndns/server/networkpolicy.yaml b/apps/dyndns/server/networkpolicy.yaml new file mode 100644 index 0000000..a9b2ee9 
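Review bot: The server container's `envFrom` references `secretRef: dyndns-server-aws` with `optional: true`, but the components added in this patch generate `dyndns-server-aws-credentials` and `dyndns-server-aws-sqs` and no script here produces a secret named `dyndns-server-aws`; `optional: true` hides the dangling reference and the pod will silently start without those variables. Either drop the `- secretRef: name: "dyndns-server-aws"` entry or rename it to the secret that is actually created. The pod-level `securityContext` is also missing `runAsNonRoot: true` that the client Deployment sets; the container-level value covers the single container, but keeping both consistent avoids a lint exception later. `DYNDNS_CLIENT_ID` on the server looks copied from the client and may be unused — confirm.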
--- /dev/null +++ b/apps/dyndns/server/networkpolicy.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: "networking.k8s.io/v1" +kind: "NetworkPolicy" +metadata: + name: "dyndns-server" +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: "dyndns" + app.kubernetes.io/component: "server" + ingress: + - ports: + - protocol: "TCP" + port: "metrics" + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "monitoring" + podSelector: + matchLabels: + app.kubernetes.io/name: "prometheus" diff --git a/apps/dyndns/server/upsert-secrets.sh b/apps/dyndns/server/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/dyndns/server/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/firefly/firefly-deployment.yaml b/apps/firefly/firefly-deployment.yaml new file mode 100644 index 0000000..36de08f --- /dev/null +++ b/apps/firefly/firefly-deployment.yaml 
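Review bot: Like the client policy, the `dyndns-server` NetworkPolicy has no `policyTypes`, so only ingress is filtered and the server may open connections anywhere, although its only legitimate egress is the MQTT broker, kube-dns and AWS over 443. Add `policyTypes: [Ingress, Egress]` and an egress rule per destination; this is the component that holds AWS credentials, so limiting where they can be used from matters more here than for the client.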
@@ -0,0 +1,90 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: firefly + labels: + app.kubernetes.io/name: firefly + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: firefly + strategy: + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/name: firefly + app.kubernetes.io/instance: firefly-prod + app.kubernetes.io/component: server + app.kubernetes.io/part-of: firefly + annotations: + prometheus.io/port: "3000" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - image: fireflyiii/core:version-6.1.10 + imagePullPolicy: IfNotPresent + name: firefly + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 65535 + runAsGroup: 65535 + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + env: + - name: "DEFAULT_LANGUAGE" + value: en_US + - name: CACHE_DRIVER + value: redis + - name: SESSION_DRIVER + value: redis + - name: REDIS_HOST + value: redis + - name: REDIS_PORT + value: "6379" + resources: + requests: + memory: "196Mi" + cpu: "50m" + limits: + memory: "384Mi" + ports: + - containerPort: 8080 + name: firefly + volumeMounts: + - name: tmp + mountPath: /tmp + - name: var-www-html-storage + mountPath: /var/www/html/storage + - name: var-run + mountPath: /var/run + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: location + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: tmp + emptyDir: + sizeLimit: 50Mi + - name: var-www-html-storage + emptyDir: + sizeLimit: 50Mi + - name: var-run + emptyDir: + sizeLimit: 5Mi diff --git a/apps/firefly/firefly-service.yaml b/apps/firefly/firefly-service.yaml new file mode 100644 index 0000000..ad82541 --- /dev/null +++ b/apps/firefly/firefly-service.yaml 
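Review bot: `prometheus.io/port: "3000"` does not match the only declared `containerPort: 8080` (`firefly`), so either the scrape annotation is wrong or the metrics port is undeclared; align the two, `prometheus.io/port: "8080"`, or add port 3000 to `ports:`. The pod spec also carries no `APP_KEY`, `DB_*` or `TRUSTED_PROXIES` settings and no `envFrom`, even though the namespace policy opens egress to MySQL on 192.168.0.0/16 and an `upsert-secrets.sh` is added for this app; if these are meant to come from an overlay, a comment saying so would help, since Firefly III behind the Istio gateway without `TRUSTED_PROXIES` will presumably see the proxy IP rather than the client. `/var/www/html/storage` as a 50Mi `emptyDir` also means uploaded attachments vanish on restart — fine if intentional, worth a comment.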
@@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: firefly +spec: + ports: + - port: 80 + targetPort: firefly + selector: + app.kubernetes.io/name: firefly diff --git a/apps/firefly/kustomization.yaml b/apps/firefly/kustomization.yaml new file mode 100644 index 0000000..e1e76db --- /dev/null +++ b/apps/firefly/kustomization.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - networkpolicy.yaml + - firefly-deployment.yaml + - firefly-service.yaml + - redis-deployment.yaml + - redis-service.yaml diff --git a/apps/firefly/networkpolicy.yaml b/apps/firefly/networkpolicy.yaml new file mode 100644 index 0000000..561b701 --- /dev/null +++ b/apps/firefly/networkpolicy.yaml @@ -0,0 +1,57 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-namespace-traffic +spec: + podSelector: {} # Selects all pods in the same namespace + policyTypes: + - Egress + - Ingress + egress: + - to: + - podSelector: {} # Allows traffic to all pods in the same namespace + - to: + - ipBlock: + cidr: 192.168.0.0/16 + ports: + - port: 3306 + protocol: TCP + - port: 3307 + protocol: TCP + - to: + - namespaceSelector: + matchLabels: + networking/namespace: kube-system + podSelector: {} + ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + ingress: + - ports: + - protocol: TCP + port: redis + from: + - podSelector: + matchLabels: + app: firefly + - ports: + - protocol: TCP + port: firefly + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: istio-system + podSelector: + matchLabels: + istio: ingressgateway diff --git a/apps/firefly/redis-deployment.yaml b/apps/firefly/redis-deployment.yaml new file mode 100644 index 0000000..e92a66b --- /dev/null +++ b/apps/firefly/redis-deployment.yaml 
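Review bot: The redis ingress rule admits `podSelector: matchLabels: app: firefly`, but the firefly Deployment's pod template carries only `app.kubernetes.io/*` labels and no `app: firefly`, so firefly cannot reach its own cache/session store and the unauthenticated redis is simply unreachable; change the selector to `app.kubernetes.io/name: firefly`. The two DNS egress rules also overlap inconsistently: `networking/namespace: kube-system` is not a standard namespace label (the other rule correctly uses `k8s-app: kube-dns`), yet only that possibly non-matching rule permits 53/tcp, so truncated DNS answers will fail. Keep the `k8s-app: kube-dns` rule and add `port: 53 protocol: TCP` to it.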
@@ -0,0 +1,56 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis + labels: + app.kubernetes.io/name: redis +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: redis + template: + metadata: + labels: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: firefly-prod + app.kubernetes.io/component: cache + app.kubernetes.io/part-of: firefly + spec: + securityContext: + runAsUser: 11734 + runAsGroup: 11734 + fsGroup: 11734 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: redis + image: docker.io/library/redis:7.2.5-alpine + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 11734 + runAsGroup: 11734 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + ports: + - containerPort: 6379 + name: redis + resources: + requests: + memory: "48Mi" + cpu: "5m" + limits: + memory: "196Mi" + volumeMounts: + - name: redis-data + mountPath: /data + volumes: + - name: redis-data + emptyDir: {} diff --git a/apps/firefly/redis-service.yaml b/apps/firefly/redis-service.yaml new file mode 100644 index 0000000..cc056e2 --- /dev/null +++ b/apps/firefly/redis-service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: redis +spec: + ports: + - port: 6379 + targetPort: redis + selector: + app.kubernetes.io/name: redis diff --git a/apps/firefly/upsert-secrets.sh b/apps/firefly/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/firefly/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/gatus/components/istio/istio-virtualservice.yaml b/apps/gatus/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..4c5910a --- /dev/null +++ b/apps/gatus/components/istio/istio-virtualservice.yaml 
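Review bot: Redis runs with its stock configuration — no `requirepass`, default persistence — while serving as the firefly session store, so session tokens for the finance UI sit in plaintext, reachable by anything the NetworkPolicy lets through; that policy is the only barrier. Pass `args: ["redis-server", "--save", "", "--appendonly", "no"]` so sessions are not dumped to disk, and give `emptyDir: {}` a `sizeLimit` like the other volumes in this patch (`sizeLimit: 64Mi`). The container `securityContext` also omits `privileged: false`, which the firefly container sets explicitly.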
@@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: gatus +spec: + hosts: + - gatus + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: gatus + port: + number: 80 diff --git a/apps/gatus/components/istio/kustomization.yaml b/apps/gatus/components/istio/kustomization.yaml new file mode 100644 index 0000000..297bab3 --- /dev/null +++ b/apps/gatus/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: "NetworkPolicy" + name: "gatus" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/gatus/components/postgres/kustomization.yaml b/apps/gatus/components/postgres/kustomization.yaml new file mode 100644 index 0000000..6094d3e --- /dev/null +++ b/apps/gatus/components/postgres/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - postgres-deployment.yaml + - postgres-service.yaml +configMapGenerator: + - name: gatus-postgres + literals: + - "POSTGRES_DB=gatus" + - "PGDATA=/data/pgdata" diff --git a/apps/gatus/components/postgres/postgres-deployment.yaml b/apps/gatus/components/postgres/postgres-deployment.yaml new file mode 100644 index 0000000..0e2e5b6 --- /dev/null +++ b/apps/gatus/components/postgres/postgres-deployment.yaml 
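Review bot: The gatus VirtualService routes `prefix: /` from `istio-system/gateway` straight to the service with no `AuthorizationPolicy` or `RequestAuthentication` in this component, and the gatus dashboard lists every monitored internal endpoint and its status; unless the shared gateway enforces authentication (not visible here), this is an unauthenticated inventory of the internal services. Add an `AuthorizationPolicy` on the ingress gateway for host `gatus`, or enable gatus' built-in `security` block in its config, and say which in a comment. The NetworkPolicy patch path `/spec/ingress/0/from/-` assumes the base policy's first rule is the prometheus rule, which holds for the base in this patch but is fragile.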
@@ -0,0 +1,104 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: postgres +spec: + replicas: 1 + selector: + matchLabels: + app: postgres + template: + metadata: + labels: + app: postgres + app.kubernetes.io/name: postgres + app.kubernetes.io/component: database + app.kubernetes.io/instance: gatus-prod + app.kubernetes.io/part-of: gatus + spec: + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/part-of + operator: In + values: + - gatus + topologyKey: "kubernetes.io/hostname" + securityContext: + runAsUser: 999 + runAsGroup: 999 + fsGroup: 999 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: postgres + image: postgres:16.3 + securityContext: + runAsUser: 999 + runAsGroup: 999 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ALL] + lifecycle: + preStop: + exec: + command: + - "/usr/local/bin/pg_ctl stop -D /var/lib/postgresql/data -w -t 60 -m fast" + envFrom: + - configMapRef: + name: "gatus-postgres" + - secretRef: + name: "gatus-postgres" + ports: + - containerPort: 5432 + name: "postgres" + resources: + limits: + memory: "1Gi" + cpu: "500m" + requests: + memory: "256Mi" + cpu: "50m" + livenessProbe: + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U gatus + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U gatus + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: var-run + mountPath: /var/run + - name: storage + mountPath: /data + volumes: + - name: tmp + emptyDir: + sizeLimit: 5Mi + - name: var-run + emptyDir: + sizeLimit: 5Mi + - name: storage + persistentVolumeClaim: + claimName: gatus-postgres 
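Review bot: The `preStop` hook passes the whole `/usr/local/bin/pg_ctl stop -D /var/lib/postgresql/data -w -t 60 -m fast` string as a single `command` element, so the kubelet tries to exec a binary with that literal name, which does not exist — the hook fails every time and the database is stopped by SIGTERM instead. It also names `/var/lib/postgresql/data` while `PGDATA` is set to `/data/pgdata` in the `gatus-postgres` ConfigMap. Use `command: ["/bin/sh", "-c", "pg_ctl stop -D /data/pgdata -w -t 60 -m fast"]`. The `pg_isready -U gatus` probes hard-code a role while `POSTGRES_USER` comes from the secret; pg_isready does not authenticate so the probes still work, but a comment noting that would save a future reader the question.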
diff --git a/apps/gatus/components/postgres/postgres-service.yaml b/apps/gatus/components/postgres/postgres-service.yaml new file mode 100644 index 0000000..df8d662 --- /dev/null +++ b/apps/gatus/components/postgres/postgres-service.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: postgres +spec: + selector: + app: postgres + ports: + - protocol: TCP + port: 5432 + targetPort: 5432 + type: ClusterIP diff --git a/apps/gatus/components/postgres/upsert-secret-miniflux-postgres.sh b/apps/gatus/components/postgres/upsert-secret-miniflux-postgres.sh new file mode 100755 index 0000000..209544c --- /dev/null +++ b/apps/gatus/components/postgres/upsert-secret-miniflux-postgres.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" + +echo "Upserting app=${K8S_APP}, cluster=${K8S_CLUSTER_NAME}, pass path=${K8S_PASS_PATH}" + +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +POSTGRES_USER="$(echo "$OUTPUT" | grep -e "^POSTGRES_USER=" | cut -d'=' -f2)" +POSTGRES_PASSWORD="$(echo "$OUTPUT" | grep -e "^POSTGRES_PASSWORD=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=POSTGRES_USER="${POSTGRES_USER}" \ + --from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/gatus/deployment.yaml b/apps/gatus/deployment.yaml new file mode 100644 index 0000000..8341140 --- /dev/null +++ b/apps/gatus/deployment.yaml 
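Review bot: The script is named `upsert-secret-miniflux-postgres.sh` but lives in `apps/gatus/components/postgres` and feeds the `gatus-postgres` secret referenced by the Deployment; if `contrib/variables.sh` derives `K8S_SECRET_NAME` or `K8S_PASS_PATH` from the script name (it is sourced but not visible here), this will produce a `miniflux-postgres` secret and the gatus database will start without credentials. Rename it to `upsert-secret-gatus-postgres.sh`. As in the other scripts, use `cut -d'=' -f2-` so a password containing `=` is not truncated.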
@@ -0,0 +1,91 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gatus + labels: + app.kubernetes.io/name: gatus + annotations: + reloader.stakater.com/auto: "true" + ignore-check.kube-linter.io/unsafe-sysctls: "gatus needs sysctl parameters to perform ICMP as non-root user" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: gatus + strategy: + type: RollingUpdate + template: + metadata: + labels: + app: gatus + app.kubernetes.io/name: gatus + app.kubernetes.io/instance: gatus-prod + app.kubernetes.io/component: gatus + app.kubernetes.io/part-of: gatus + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 47234 + runAsGroup: 47234 + fsGroup: 47234 + runAsNonRoot: true + sysctls: + - name: "net.ipv4.ping_group_range" + value: "0 2147483647" + seccompProfile: + type: "RuntimeDefault" + containers: + - image: "twinproduction/gatus:v5.11.0" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + runAsUser: 47234 + runAsGroup: 47234 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + imagePullPolicy: IfNotPresent + name: gatus + resources: + requests: + memory: 196Mi + cpu: 20m + limits: + memory: 384Mi + ports: + - containerPort: 8080 + name: gatus + livenessProbe: + httpGet: + path: /health + port: gatus + initialDelaySeconds: 15 + timeoutSeconds: 5 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /health + port: gatus + initialDelaySeconds: 5 + startupProbe: + httpGet: + path: /health + port: gatus + failureThreshold: 60 + periodSeconds: 10 + volumeMounts: + - name: storage + mountPath: /var/lib/gatus + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: location + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: storage + emptyDir: {} diff --git a/apps/gatus/kustomization.yaml b/apps/gatus/kustomization.yaml new file mode 100644 index 0000000..3686d34 --- /dev/null 
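Review bot: `/var/lib/gatus` is an unbounded `emptyDir: {}`; if gatus keeps its default sqlite storage there, a growing results database consumes node disk with no eviction, unlike the bounded `emptyDir`s elsewhere in this patch. Set `emptyDir: sizeLimit: 256Mi`, or when the postgres component is in use, document that this directory is then unused. Nothing in this Deployment mounts a gatus config file, so the endpoint list must come from an overlay or the image default — a comment naming where it comes from would help the next reader.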
+++ b/apps/gatus/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml + - networkpolicy.yaml diff --git a/apps/gatus/networkpolicy.yaml b/apps/gatus/networkpolicy.yaml new file mode 100644 index 0000000..615fb93 --- /dev/null +++ b/apps/gatus/networkpolicy.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: "networking.k8s.io/v1" +kind: "NetworkPolicy" +metadata: + name: "gatus" +spec: + podSelector: {} + policyTypes: + - "Ingress" + ingress: + - ports: + - protocol: "TCP" + port: "gatus" + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "monitoring" + podSelector: + matchLabels: + app.kubernetes.io/name: "prometheus" diff --git a/apps/gatus/service.yaml b/apps/gatus/service.yaml new file mode 100644 index 0000000..0309b86 --- /dev/null +++ b/apps/gatus/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: gatus +spec: + ports: + - port: 80 + targetPort: gatus + selector: + app.kubernetes.io/name: gatus diff --git a/apps/gatus/upsert-secrets.sh b/apps/gatus/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/gatus/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/ghostfolio/components/istio/istio-virtualservice.yaml b/apps/ghostfolio/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..b944de3 --- /dev/null +++ b/apps/ghostfolio/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ghostfolio +spec: + hosts: + - ghostfolio + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: ghostfolio + port: + number: 80 
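Review bot: The gatus NetworkPolicy uses `podSelector: {}` with `policyTypes: [Ingress]` and admits only prometheus on port `gatus`, so if the postgres component from this patch is deployed into the same namespace its pod is selected too and gatus' connections to 5432 are denied — the postgres pod has no port named `gatus` and no rule lists gatus as a source, and unlike ghostfolio there is no separate `postgres` NetworkPolicy for gatus. Scope this policy with `podSelector: matchLabels: app.kubernetes.io/name: gatus`, and add a postgres policy in the component that allows ingress on `postgres` from gatus pods, mirroring `apps/ghostfolio/components/postgres/postgres-networkpolicy.yaml`.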
diff --git a/apps/ghostfolio/components/istio/kustomization.yaml b/apps/ghostfolio/components/istio/kustomization.yaml new file mode 100644 index 0000000..5e37d63 --- /dev/null +++ b/apps/ghostfolio/components/istio/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml diff --git a/apps/ghostfolio/components/postgres-pvc/kustomization.yaml b/apps/ghostfolio/components/postgres-pvc/kustomization.yaml new file mode 100644 index 0000000..86962ed --- /dev/null +++ b/apps/ghostfolio/components/postgres-pvc/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - postgres-pvc.yaml diff --git a/apps/ghostfolio/components/postgres-pvc/postgres-pvc.yaml b/apps/ghostfolio/components/postgres-pvc/postgres-pvc.yaml new file mode 100644 index 0000000..9ecd109 --- /dev/null +++ b/apps/ghostfolio/components/postgres-pvc/postgres-pvc.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: ghostfolio-postgres +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/apps/ghostfolio/components/postgres/kustomization.yaml b/apps/ghostfolio/components/postgres/kustomization.yaml new file mode 100644 index 0000000..b45abca --- /dev/null +++ b/apps/ghostfolio/components/postgres/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - postgres-deployment.yaml + - postgres-networkpolicy.yaml + - postgres-service.yaml diff --git a/apps/ghostfolio/components/postgres/postgres-deployment.yaml b/apps/ghostfolio/components/postgres/postgres-deployment.yaml new file mode 100644 index 0000000..605811e --- /dev/null +++ b/apps/ghostfolio/components/postgres/postgres-deployment.yaml 
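Review bot: The ghostfolio istio component only adds the VirtualService, whereas the gatus istio component in this patch also patches the app NetworkPolicy to admit `istio: ingressgateway` from `istio-system`; ghostfolio's base NetworkPolicy is outside this chunk, but if it restricts ingress the way the others do, enabling this component creates a route that the policy then blocks. Either add the same `patches:` block here or note in the kustomization why ghostfolio does not need it. The `ghostfolio-postgres` PVC with `ReadWriteOnce` matches the single-replica Deployment.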
@@ -0,0 +1,116 @@
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+ name: "postgres"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: "postgres"
+ template:
+ metadata:
+ labels:
+ app: "postgres"
+ app.kubernetes.io/name: "postgres"
+ app.kubernetes.io/instance: "ghostfolio-postgres-prod"
+ app.kubernetes.io/component: "database"
+ app.kubernetes.io/part-of: "ghostfolio"
+ spec:
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: "app"
+ operator: "In"
+ values:
+ - "ghostfolio"
+ topologyKey: "kubernetes.io/hostname"
+ securityContext:
+ runAsUser: 999
+ runAsGroup: 999
+ fsGroup: 999
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - name: "postgres"
+ image: "postgres:16.3"
+ securityContext:
+ runAsUser: 999
+ runAsGroup: 999
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/usr/local/bin/pg_ctl stop -D /var/lib/postgresql/data -w -t 60 -m fast"
+ env:
+ - name: "POSTGRES_DB"
+ value: "ghostfolio"
+ - name: "POSTGRES_USER"
+ valueFrom:
+ secretKeyRef:
+ name: "ghostfolio"
+ key: "POSTGRES_USER"
+ - name: "POSTGRES_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: "ghostfolio"
+ key: "POSTGRES_PASSWORD"
+ - name: "PGDATA"
+ value: "/data/pgdata"
+ ports:
+ - containerPort: 5432
+ name: "postgres"
+ resources:
+ limits:
+ memory: "1Gi"
+ cpu: "500m"
+ requests:
+ memory: "256Mi"
+ cpu: "50m"
+ livenessProbe:
+ exec:
+ command:
+ - "/bin/sh"
+ - "-c"
+ - "exec pg_isready -U ghostfolio"
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ readinessProbe:
+ exec:
+ command:
+ - "/bin/sh"
+ - "-c"
+ - "exec pg_isready -U ghostfolio"
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/data"
+ - name: "tmp"
+ mountPath: "/tmp"
+ - name: "var-run"
+ mountPath: "/var/run"
+ volumes:
+ - name: "storage"
+ persistentVolumeClaim:
+ claimName: "ghostfolio-postgres"
+ - name: "tmp"
+ emptyDir:
+ sizeLimit: "5Mi"
+ - name: "var-run"
+ emptyDir:
+ sizeLimit: "5Mi"
diff --git a/apps/ghostfolio/components/postgres/postgres-networkpolicy.yaml b/apps/ghostfolio/components/postgres/postgres-networkpolicy.yaml
new file mode 100644
index 0000000..456a42b
--- /dev/null
+++ b/apps/ghostfolio/components/postgres/postgres-networkpolicy.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+ name: "postgres"
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "postgres"
+ policyTypes:
+ - "Egress"
+ - "Ingress"
+ egress: []
+ ingress:
+ - ports:
+ - protocol: "TCP"
+ port: "postgres"
+ from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "ghostfolio"
diff --git a/apps/ghostfolio/components/postgres/postgres-service.yaml b/apps/ghostfolio/components/postgres/postgres-service.yaml
new file mode 100644
index 0000000..68913f3
--- /dev/null
+++ b/apps/ghostfolio/components/postgres/postgres-service.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: "v1"
+kind: "Service"
+metadata:
+ name: "postgres"
+spec:
+ selector:
+ app: "postgres"
+ ports:
+ - protocol: "TCP"
+ port: 5432
+ targetPort: "postgres"
+ type: "ClusterIP"
diff --git a/apps/ghostfolio/components/postgres/upsert-secret-ghostfolio-postgres.sh b/apps/ghostfolio/components/postgres/upsert-secret-ghostfolio-postgres.sh
new file mode 100755
index 0000000..3b84280
--- /dev/null
+++ b/apps/ghostfolio/components/postgres/upsert-secret-ghostfolio-postgres.sh
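Review bot: The preStop hook in postgres-deployment.yaml passes the entire `pg_ctl stop -D /var/lib/postgresql/data -w -t 60 -m fast` string as a single exec argv element, so the kubelet looks for an executable with that literal name and the hook never runs; the `-D` path also names `/var/lib/postgresql/data` while `PGDATA` is set to `/data/pgdata` a few lines below. Wrapping it the way the probes already do fixes both: `- "/bin/sh"`, `- "-c"`, `- "exec pg_ctl stop -D $PGDATA -w -t 60 -m fast"`. A failed preStop hook only surfaces as a FailedPreStopHook event and the pod still gets SIGTERM, so the defect is easy to miss in normal operation.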
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+POSTGRES_USER="$(echo "$OUTPUT" | grep -e "^POSTGRES_USER=" | cut -d'=' -f2)"
+POSTGRES_PASSWORD="$(echo "$OUTPUT" | grep -e "^POSTGRES_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=POSTGRES_USER="${POSTGRES_USER}" \
+ --from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/ghostfolio/components/redis/kustomization.yaml b/apps/ghostfolio/components/redis/kustomization.yaml
new file mode 100644
index 0000000..b7453da
--- /dev/null
+++ b/apps/ghostfolio/components/redis/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - redis-deployment.yaml
+ - redis-service.yaml
+ - redis-networkpolicy.yaml
diff --git a/apps/ghostfolio/components/redis/redis-deployment.yaml b/apps/ghostfolio/components/redis/redis-deployment.yaml
new file mode 100644
index 0000000..ea061cb
--- /dev/null
+++ b/apps/ghostfolio/components/redis/redis-deployment.yaml
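Review bot: `cut -d'=' -f2` keeps only the text between the first and second `=`, so any value that itself contains `=` (base64 padding at the end of a generated password, a connection URL with a query string) is silently truncated before it reaches the Secret; `-f2-` keeps the rest of the line: `POSTGRES_PASSWORD="$(echo "$OUTPUT" | grep -e "^POSTGRES_PASSWORD=" | cut -d'=' -f2-)"`. The same pattern appears in upsert-secret-ghostfolio.sh (where `DATABASE_URL` is the likely victim), upsert-secret-grafana-database-mariadb.sh and upsert-secret-grafana.sh. The `sops` invocation also passes `-e` twice; one is enough.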
@@ -0,0 +1,56 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: redis
+ labels:
+ app.kubernetes.io/name: redis
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: redis
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: redis
+ app.kubernetes.io/instance: ghostfolio-prod
+ app.kubernetes.io/component: cache
+ app.kubernetes.io/part-of: ghostfolio
+ spec:
+ securityContext:
+ runAsUser: 47274
+ runAsGroup: 47274
+ fsGroup: 47274
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: redis
+ image: docker.io/library/redis:7.2.5-alpine
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 47274
+ runAsGroup: 47274
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ ports:
+ - containerPort: 6379
+ name: redis
+ resources:
+ requests:
+ memory: "48Mi"
+ cpu: "5m"
+ limits:
+ memory: "196Mi"
+ volumeMounts:
+ - name: redis-data
+ mountPath: /data
+ volumes:
+ - name: redis-data
+ emptyDir: {}
diff --git a/apps/ghostfolio/components/redis/redis-networkpolicy.yaml b/apps/ghostfolio/components/redis/redis-networkpolicy.yaml
new file mode 100644
index 0000000..48d1082
--- /dev/null
+++ b/apps/ghostfolio/components/redis/redis-networkpolicy.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: "redis"
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "redis"
+ policyTypes:
+ - Egress
+ - Ingress
+ egress: []
+ ingress:
+ - ports:
+ - protocol: "TCP"
+ port: "redis"
+ from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "ghostfolio"
diff --git a/apps/ghostfolio/components/redis/redis-service.yaml b/apps/ghostfolio/components/redis/redis-service.yaml
new file mode 100644
index 0000000..cc056e2
--- /dev/null
+++ b/apps/ghostfolio/components/redis/redis-service.yaml
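Review bot: redis-deployment.yaml has no liveness or readiness probe and uses an unbounded `emptyDir: {}` for /data, whereas the sibling postgres deployment carries both probes and a `sizeLimit` on every emptyDir; a wedged redis therefore stays Ready and a growing keyspace competes with the node's ephemeral storage. A `sizeLimit` plus an exec probe running `redis-cli ping` would bring it in line. The image is also started with no authentication configured, so the accompanying NetworkPolicy is the only thing restricting who can talk to it — worth a `# access is controlled solely by redis-networkpolicy.yaml` comment on the container so that dependency survives later edits.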
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis
+spec:
+ ports:
+ - port: 6379
+ targetPort: redis
+ selector:
+ app.kubernetes.io/name: redis
diff --git a/apps/ghostfolio/components/upsert-secret-ghostfolio.sh b/apps/ghostfolio/components/upsert-secret-ghostfolio.sh
new file mode 100755
index 0000000..ad91c78
--- /dev/null
+++ b/apps/ghostfolio/components/upsert-secret-ghostfolio.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+DATABASE_URL="$(echo "$OUTPUT" | grep -e "^DATABASE_URL=" | cut -d'=' -f2)"
+JWT_SECRET_KEY="$(echo "$OUTPUT" | grep -e "^JWT_SECRET_KEY=" | cut -d'=' -f2)"
+SECRET_KEY="$(echo "$OUTPUT" | grep -e "^SECRET_KEY=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=DATABASE_URL="${DATABASE_URL}" \
+ --from-literal=JWT_SECRET_KEY="${JWT_SECRET_KEY}" \
+ --from-literal=SECRET_KEY="${SECRET_KEY}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/ghostfolio/deployment.yaml b/apps/ghostfolio/deployment.yaml
new file mode 100644
index 0000000..bfcadeb
--- /dev/null
+++ b/apps/ghostfolio/deployment.yaml
@@ -0,0 +1,82 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ghostfolio
+ labels:
+ app.kubernetes.io/name: ghostfolio
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ghostfolio
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: ghostfolio
+ app.kubernetes.io/name: ghostfolio
+ app.kubernetes.io/instance: ghostfolio-prod
+ app.kubernetes.io/component: server
+ app.kubernetes.io/part-of: ghostfolio
+ annotations:
+ prometheus.io/port: "3333"
+ prometheus.io/scrape: "true"
+ spec:
+ # do not create env variables that clash with ghostfolio's expected env vars
+ enableServiceLinks: false
+ securityContext:
+ runAsUser: 27712
+ runAsGroup: 27712
+ fsGroup: 27712
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - image: docker.io/ghostfolio/ghostfolio:2.91.0
+ imagePullPolicy: IfNotPresent
+ name: ghostfolio
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 27712
+ runAsGroup: 27712
+ privileged: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ env:
+ - name: NODE_ENV
+ value: prod
+ - name: REDIS_HOST
+ value: redis
+ - name: REDIS_PORT
+ value: "6379"
+ envFrom:
+ - secretRef:
+ name: ghostfolio
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "50m"
+ limits:
+ memory: "512Mi"
+ ports:
+ - containerPort: 3333
+ name: ghostfolio
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: location
+ whenUnsatisfiable: ScheduleAnyway
+ volumes:
+ - name: tmp
+ emptyDir:
+ sizeLimit: 1Gi
diff --git a/apps/ghostfolio/kustomization.yaml b/apps/ghostfolio/kustomization.yaml
new file mode 100644
index 0000000..3686d34
--- /dev/null
+++ b/apps/ghostfolio/kustomization.yaml
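Review bot: `NODE_ENV` is set to `prod` in deployment.yaml, but Node and NestJS tooling keys production behaviour (error detail, caching, logging) to the literal string `production`, so this most likely leaves the app running in a non-production mode; `value: production` is what ghostfolio's own compose examples use. The `topologySpreadConstraints` entry has no `labelSelector`, which as far as I can tell makes it match no pods and turns the constraint into a no-op — add `labelSelector: {matchLabels: {app.kubernetes.io/name: ghostfolio}}` if spreading is intended, or drop the block while `replicas` stays at 1.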
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - networkpolicy.yaml
diff --git a/apps/ghostfolio/networkpolicy.yaml b/apps/ghostfolio/networkpolicy.yaml
new file mode 100644
index 0000000..e65062a
--- /dev/null
+++ b/apps/ghostfolio/networkpolicy.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: "ghostfolio"
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "ghostfolio"
+ policyTypes:
+ - Egress
+ - Ingress
+ egress:
+ - to:
+ - podSelector: {}
+ ports:
+ - protocol: "TCP"
+ port: 5432
+ - protocol: "TCP"
+ port: 6379
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ ingress:
+ - ports:
+ - protocol: "TCP"
+ port: "ghostfolio"
+ from: []
diff --git a/apps/ghostfolio/service.yaml b/apps/ghostfolio/service.yaml
new file mode 100644
index 0000000..eb8a313
--- /dev/null
+++ b/apps/ghostfolio/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ghostfolio
+spec:
+ selector:
+ app.kubernetes.io/name: ghostfolio
+ ports:
+ - port: 80
+ targetPort: ghostfolio
diff --git a/apps/ghostfolio/upsert-secrets.sh b/apps/ghostfolio/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/ghostfolio/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/git-repo-backup/components/pvc/git-repo-pvc.yaml b/apps/git-repo-backup/components/pvc/git-repo-pvc.yaml
new file mode 100644
index 0000000..a91e972
--- /dev/null
+++ b/apps/git-repo-backup/components/pvc/git-repo-pvc.yaml
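Review bot: The ingress rule in networkpolicy.yaml ends with `from: []`, which Kubernetes treats exactly like an omitted `from` — the `ghostfolio` port is reachable from every pod in the cluster, not from nobody. The other apps in this commit append the istio ingressgateway to `/spec/ingress/0/from/-` from their istio component, but ghostfolio's istio component (components/istio/kustomization.yaml) carries only the VirtualService, so the open `from` is presumably what makes the gateway work today. Either list the `istio-system`/`istio: ingressgateway` selector here explicitly or add the same patch to the component, so the policy states the intended sources. Egress is limited to in-namespace pods on 5432/6379 plus kube-dns; if ghostfolio pulls market data from external providers, that traffic is currently dropped unless another component opens it.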
@@ -0,0 +1,12 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: git-repo-backup
+ namespace: git-repo-backup
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
diff --git a/apps/git-repo-backup/components/pvc/kustomization.yaml b/apps/git-repo-backup/components/pvc/kustomization.yaml
new file mode 100644
index 0000000..251329b
--- /dev/null
+++ b/apps/git-repo-backup/components/pvc/kustomization.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - git-repo-pvc.yaml
+patches:
+ - target:
+ kind: CronJob
+ name: git-repo-backup
+ patch: |-
+ - op: replace
+ path: /spec/jobTemplate/spec/template/spec/volumes/0
+ value:
+ name: storage
+ persistentVolumeClaim:
+ claimName: git-repo-backup
diff --git a/apps/git-repo-backup/cronjob.yaml b/apps/git-repo-backup/cronjob.yaml
new file mode 100644
index 0000000..5bbe58f
--- /dev/null
+++ b/apps/git-repo-backup/cronjob.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: git-repo-backup
+spec:
+ schedule: "@daily"
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ securityContext:
+ runAsUser: 27274
+ runAsGroup: 27274
+ fsGroup: 27274
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - image: ghcr.io/soerenschneider/git-repo-backup:1.3.5
+ name: git-repo-backup
+ args:
+ - "-c"
+ - "/conf/config.json"
+ - "-d"
+ - "/repos"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 27274
+ runAsGroup: 27274
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - name: config-volume
+ mountPath: "/conf"
+ - name: storage
+ mountPath: /repos/
+ resources:
+ requests:
+ memory: 196Mi
+ cpu: 10m
+ limits:
+ memory: 512Mi
+ restartPolicy: Never
+ volumes:
+ - name: storage
+ emptyDir:
+ sizeLimit: 5Gi
+ - name: config-volume
+ configMap:
+ name: config
diff --git a/apps/git-repo-backup/kustomization.yaml b/apps/git-repo-backup/kustomization.yaml
new file mode 100644
index 0000000..d536ce3
--- /dev/null
+++ b/apps/git-repo-backup/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - cronjob.yaml
diff --git a/apps/git-repo-backup/upsert-secrets.sh b/apps/git-repo-backup/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/git-repo-backup/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/gitea/components/istio-proxy/kustomization.yaml b/apps/gitea/components/istio-proxy/kustomization.yaml
new file mode 100644
index 0000000..9c0069e
--- /dev/null
+++ b/apps/gitea/components/istio-proxy/kustomization.yaml
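Review bot: git-repo-backup/kustomization.yaml lists only cronjob.yaml, so this namespace gets no NetworkPolicy while every other app in this commit ships one; a job that authenticates to remote git hosts is exactly the workload that should have `ingress: []` and an egress rule limited to kube-dns plus the hosts it clones from. The ConfigMap `config` mounted at /conf is not generated anywhere in this kustomization either — presumably applied separately, but a `# provided by <placeholder: where>` comment next to `configMap: name: config` would spare the next reader the search. Without `backoffLimit` or `activeDeadlineSeconds` a hung clone also holds the `concurrencyPolicy: Forbid` slot indefinitely.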
@@ -0,0 +1,41 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+patches:
+ - target:
+ kind: "Namespace"
+ patch: |-
+ - op: add
+ path: "/metadata/labels/istio-injection"
+ value: "enabled"
+ - target:
+ kind: "NetworkPolicy"
+ patch: |-
+ - op: add
+ path: "/spec/egress/-"
+ value:
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "kube-system"
+ podSelector:
+ matchLabels:
+ k8s-app: "kube-dns"
+ ports:
+ - port: 53
+ protocol: "UDP"
+ - port: 53
+ protocol: "TCP"
+ - op: add
+ path: "/spec/egress/-"
+ value:
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector: {}
+ ports:
+ - port: 15012
+ protocol: "TCP"
+ - port: 15014
+ protocol: "TCP"
diff --git a/apps/gitea/components/istio/istio-virtualservice.yaml b/apps/gitea/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..a10879a
--- /dev/null
+++ b/apps/gitea/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: gitea
+spec:
+ hosts:
+ - gitea
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: gitea
+ port:
+ number: 80
+ tcp:
+ - match:
+ - port: 22
+ route:
+ - destination:
+ host: gitea
+ port:
+ number: 2222
diff --git a/apps/gitea/components/istio/kustomization.yaml b/apps/gitea/components/istio/kustomization.yaml
new file mode 100644
index 0000000..5e37d63
--- /dev/null
+++ b/apps/gitea/components/istio/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
diff --git a/apps/gitea/components/pvc/gitea-pvc.yaml b/apps/gitea/components/pvc/gitea-pvc.yaml
new file mode 100644
index 0000000..2437c24
--- /dev/null
+++ b/apps/gitea/components/pvc/gitea-pvc.yaml
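Review bot: The `tcp` route in gitea's istio-virtualservice.yaml sends port 22 to `host: gitea` on `number: 2222`, but the `gitea` Service in service.yaml exposes only port 80; SSH is published by the separate `gitea-ssh` Service on port 22. The destination should read `host: gitea-ssh` with `number: 22` (or the `gitea` Service needs a 2222 port), otherwise the SSH route has no endpoint. A `tcp` match on port 22 also presumes the `istio-system/gateway` listens on 22, which is outside this commit and worth a comment on the match.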
@@ -0,0 +1,11 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: gitea
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 25Gi
diff --git a/apps/gitea/components/pvc/kustomization.yaml b/apps/gitea/components/pvc/kustomization.yaml
new file mode 100644
index 0000000..f1d80df
--- /dev/null
+++ b/apps/gitea/components/pvc/kustomization.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - gitea-pvc.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: gitea
+ patch: |-
+ - op: replace
+ path: /spec/template/spec/volumes/0
+ value:
+ name: storage
+ persistentVolumeClaim:
+ claimName: container-registry
diff --git a/apps/gitea/deployment.yaml b/apps/gitea/deployment.yaml
new file mode 100644
index 0000000..6d4cc6d
--- /dev/null
+++ b/apps/gitea/deployment.yaml
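Review bot: The patch in gitea/components/pvc/kustomization.yaml sets `claimName: container-registry`, but the PVC this same component creates in gitea-pvc.yaml is named `gitea`; this looks like a copy-paste leftover, and the deployment would either bind to an unrelated claim or stay Pending. It should be `claimName: gitea`.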
@@ -0,0 +1,88 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gitea
+ labels:
+ app.kubernetes.io/name: gitea
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: gitea
+ template:
+ metadata:
+ labels:
+ app: gitea
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea-prod
+ app.kubernetes.io/component: gitea
+ app.kubernetes.io/part-of: gitea
+ spec:
+ securityContext:
+ runAsUser: 32322
+ runAsGroup: 32322
+ fsGroup: 32322
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: gitea
+ image: gitea/gitea:1.21.11-rootless
+ ports:
+ - containerPort: 3000
+ name: gitea-http
+ - containerPort: 2222
+ name: gitea-ssh
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 32322
+ runAsGroup: 32322
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ env:
+ - name: USER_UID
+ value: "32322"
+ - name: USER_GID
+ value: "32322"
+ resources:
+ limits:
+ memory: "2Gi"
+ requests:
+ cpu: "50m"
+ memory: "256Mi"
+ livenessProbe:
+ httpGet:
+ path: /api/healthz
+ port: gitea-http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /api/healthz
+ port: gitea-http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumeMounts:
+ - name: storage
+ mountPath: /var/lib/gitea
+ - name: etc
+ mountPath: /etc/gitea
+ - name: tmp
+ mountPath: /tmp/gitea
+ volumes:
+ - name: storage
+ emptyDir:
+ sizeLimit: 5Gi
+ - name: etc
+ emptyDir:
+ sizeLimit: 500Mi
+ - name: tmp
+ emptyDir:
+ sizeLimit: 500Mi
diff --git a/apps/gitea/kustomization.yaml b/apps/gitea/kustomization.yaml
new file mode 100644
index 0000000..356c305
--- /dev/null
+++ b/apps/gitea/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
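Review bot: gitea ships no NetworkPolicy — kustomization.yaml lists only deployment.yaml and service.yaml — yet components/istio-proxy/kustomization.yaml patches `kind: "NetworkPolicy"` with egress rules, so that component cannot apply, and a service exposing HTTP and SSH with unrestricted network access is the odd one out among the apps in this commit. Add a networkpolicy.yaml (ingress on `gitea-http`/`gitea-ssh` from the gateway, egress to kube-dns) and list it in `resources`. In deployment.yaml the `/var/lib/gitea` volume is an `emptyDir`, so repositories vanish on every pod restart unless the pvc component is applied; a `# replaced by components/pvc` comment on that volume would make the dependency visible.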
diff --git a/apps/gitea/service.yaml b/apps/gitea/service.yaml
new file mode 100644
index 0000000..1f5667f
--- /dev/null
+++ b/apps/gitea/service.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea
+spec:
+ ports:
+ - port: 80
+ targetPort: gitea-http
+ selector:
+ app.kubernetes.io/name: gitea
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-ssh
+spec:
+ ports:
+ - port: 22
+ targetPort: gitea
+ selector:
+ app.kubernetes.io/name: gitea
diff --git a/apps/gitea/upsert-secrets.sh b/apps/gitea/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/gitea/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/grafana/components/database-mariadb/kustomization.yaml b/apps/grafana/components/database-mariadb/kustomization.yaml
new file mode 100644
index 0000000..02ca933
--- /dev/null
+++ b/apps/grafana/components/database-mariadb/kustomization.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+configMapGenerator:
+ - name: grafana-config
+ behavior: merge
+ literals:
+ - "GF_DATABASE_NAME=grafana"
+ - "GF_DATABASE_TYPE=mysql"
+ - "GF_DATABASE_SSL_MODE=true"
+ - "GF_DATABASE_CA_CERT_PATH=/etc/ssl/certs/ca-certificates.crt"
+patches:
+ - target:
+ kind: "Deployment"
+ name: "grafana"
+ patch: |-
+ - op: "add"
+ path: "/spec/template/spec/containers/0/envFrom/-"
+ value:
+ secretRef:
+ name: "grafana-database-mariadb"
diff --git a/apps/grafana/components/database-mariadb/upsert-secret-grafana-database-mariadb.sh b/apps/grafana/components/database-mariadb/upsert-secret-grafana-database-mariadb.sh
new file mode 100755
index 0000000..fab7ffa
--- /dev/null
+++ b/apps/grafana/components/database-mariadb/upsert-secret-grafana-database-mariadb.sh
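Review bot: The `gitea-ssh` Service in service.yaml uses `targetPort: gitea`, but the container ports declared in deployment.yaml are named `gitea-http` and `gitea-ssh` — there is no port named `gitea`, so the Service resolves to no endpoint and SSH is unreachable. It should be `targetPort: gitea-ssh`.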
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+GF_DATABASE_USER="$(echo "$OUTPUT" | grep -e "^GF_DATABASE_USER=" | cut -d'=' -f2)"
+GF_DATABASE_PASSWORD="$(echo "$OUTPUT" | grep -e "^GF_DATABASE_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=GF_DATABASE_USER="${GF_DATABASE_USER}" \
+ --from-literal=GF_DATABASE_PASSWORD="${GF_DATABASE_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/grafana/components/istio/istio-virtualservice.yaml b/apps/grafana/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..068f99e
--- /dev/null
+++ b/apps/grafana/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: grafana
+spec:
+ hosts:
+ - grafana
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: grafana
+ port:
+ number: 80
diff --git a/apps/grafana/components/istio/kustomization.yaml b/apps/grafana/components/istio/kustomization.yaml
new file mode 100644
index 0000000..edc5878
--- /dev/null
+++ b/apps/grafana/components/istio/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "grafana"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/grafana/components/oidc/grafana.properties b/apps/grafana/components/oidc/grafana.properties
new file mode 100644
index 0000000..e069497
--- /dev/null
+++ b/apps/grafana/components/oidc/grafana.properties
@@ -0,0 +1,7 @@
+GF_AUTH_GENERIC_OAUTH_ENABLED=true
+GF_AUTH_GENERIC_OAUTH_NAME=keycloak
+GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true
+GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile offline_access roles
+GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email
+GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=username
+GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'
\ No newline at end of file
diff --git a/apps/grafana/components/oidc/kustomization.yaml b/apps/grafana/components/oidc/kustomization.yaml
new file mode 100644
index 0000000..7559e79
--- /dev/null
+++ b/apps/grafana/components/oidc/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+configMapGenerator:
+ - name: grafana-config
+ behavior: merge
+ envs:
+ - grafana.properties
diff --git a/apps/grafana/components/oidc/upsert-secret-grafana-oidc.sh b/apps/grafana/components/oidc/upsert-secret-grafana-oidc.sh
new file mode 100755
index 0000000..807854c
--- /dev/null
+++ b/apps/grafana/components/oidc/upsert-secret-grafana-oidc.sh
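Review bot: The oidc grafana.properties enables generic OAuth with `GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true` but does not set `GF_AUTH_GENERIC_OAUTH_USE_PKCE=true`, so the authorization-code exchange runs without PKCE even though Grafana and Keycloak both support it at no cost. The role expression falls back to `'Viewer'` for any authenticated Keycloak user, so with sign-up enabled every account in the realm gets read access to Grafana; if that is intended, say so in a comment, otherwise set `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT=true` and drop the `|| 'Viewer'` tail. The auth, token and API URLs are absent from this file, so they must come from another merged config — a comment naming where would help the next reader.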
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+GF_AUTH_GENERIC_OAUTH_CLIENT_ID="grafana"
+TF_VALUE=$(terraform -chdir=../../../../tf-keycloak output -json clients | jq -r '.["'"${GF_AUTH_GENERIC_OAUTH_CLIENT_ID}"'"]')
+GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$(echo "$TF_VALUE" | jq -r '.client_secret')
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_ID="${GF_AUTH_GENERIC_OAUTH_CLIENT_ID}" \
+ --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="${GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/grafana/deployment.yaml b/apps/grafana/deployment.yaml
new file mode 100644
index 0000000..bf22ab2
--- /dev/null
+++ b/apps/grafana/deployment.yaml
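Review bot: upsert-secret-grafana-oidc.sh locates Terraform state with `-chdir=../../../../tf-keycloak`, a path relative to the caller's working directory, while every other upsert script in this commit anchors on `git rev-parse --show-toplevel`; if contrib/upsert-secrets.sh runs it from any other directory `terraform output` fails and, under `set -e`, no secret file is written. Anchoring it the same way — `-chdir="$(git rev-parse --show-toplevel)/../tf-keycloak"` — removes the cwd dependency and keeps the header comment's "copy this header" contract honest.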
@@ -0,0 +1,90 @@
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+ name: "grafana"
+ labels:
+ app.kubernetes.io/name: "grafana"
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: "grafana"
+ strategy:
+ type: "RollingUpdate"
+ template:
+ metadata:
+ labels:
+ app: "grafana"
+ app.kubernetes.io/name: "grafana"
+ app.kubernetes.io/instance: "grafana-prod"
+ app.kubernetes.io/component: "grafana"
+ app.kubernetes.io/part-of: "grafana"
+ annotations:
+ prometheus.io/port: "3000"
+ prometheus.io/scrape: "true"
+ spec:
+ securityContext:
+ runAsUser: 47242
+ runAsGroup: 47242
+ fsGroup: 47242
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - image: "grafana/grafana:11.1.0"
+ name: "grafana"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 47242
+ runAsGroup: 47242
+ runAsNonRoot: true
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ imagePullPolicy: "IfNotPresent"
+ envFrom:
+ - configMapRef:
+ name: "grafana-config"
+ - secretRef:
+ name: "grafana"
+ optional: true
+ resources:
+ requests:
+ memory: "196Mi"
+ cpu: "20m"
+ limits:
+ memory: "384Mi"
+ ports:
+ - containerPort: 3000
+ name: "grafana"
+ livenessProbe:
+ httpGet:
+ path: "/api/health"
+ port: "grafana"
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: "/api/health"
+ port: "grafana"
+ initialDelaySeconds: 5
+ startupProbe:
+ httpGet:
+ path: "/api/health"
+ port: "grafana"
+ failureThreshold: 60
+ periodSeconds: 10
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/var/lib/grafana"
+ volumes:
+ - name: "storage"
+ emptyDir: {}
diff --git a/apps/grafana/grafana.properties b/apps/grafana/grafana.properties
new file mode 100644
index 0000000..f06b67d
--- /dev/null
+++ b/apps/grafana/grafana.properties
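Review bot: The `grafana` Secret that carries `GF_SECURITY_ADMIN_PASSWORD` (see upsert-secret-grafana.sh) is referenced in deployment.yaml with `optional: true`, so a missing or not-yet-decrypted secret does not stop the pod — Grafana then starts with its built-in default admin credentials, and the istio component publishes that instance on the gateway. Dropping `optional: true` turns the same situation into a visible CreateContainerConfigError instead of a silently exposed default login. `/var/lib/grafana` is also an `emptyDir: {}`, which is fine when the mariadb component is applied but otherwise discards the sqlite database and dashboards on every restart; a comment on the volume stating that assumption would help.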
@@ -0,0 +1,9 @@
+GF_ANALYTICS_ENABLED=false
+GF_ANALYTICS_REPORTING_ENABLED=false
+GF_ANALYTICS_CHECK_FOR_UPDATES=false
+GF_ANALYTICS_CHECK_FOR_PLUGIN_UPDATES=false
+GF_ANALYTICS_FEEDBACK_LINKS_ENABLED=false
+
+GF_NEWS_NEWS_FEED_ENABLED=false
+GF_DATE_FORMATS_DEFAULT_TIMEZONE=Europe/Berlin
+GF_DATE_FORMATS_DEFAULT_WEEK_START=monday
\ No newline at end of file
diff --git a/apps/grafana/kustomization.yaml b/apps/grafana/kustomization.yaml
new file mode 100644
index 0000000..69f829d
--- /dev/null
+++ b/apps/grafana/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - networkpolicy.yaml
+configMapGenerator:
+ - name: grafana-config
+ envs:
+ - grafana.properties
diff --git a/apps/grafana/networkpolicy.yaml b/apps/grafana/networkpolicy.yaml
new file mode 100644
index 0000000..13b9e15
--- /dev/null
+++ b/apps/grafana/networkpolicy.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: grafana
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: grafana
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 192.168.0.0/16
+ ports:
+ - port: 3306
+ protocol: TCP
+ - port: 3307
+ protocol: TCP
+ - port: 443
+ protocol: TCP
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: loki
+ podSelector: {}
+ ports:
+ - port: 3100
+ protocol: TCP
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ networking/namespace: kube-system
+ podSelector: {}
+ ports:
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+ - to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: keycloak
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: keycloak
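Review bot: The egress rules in grafana/networkpolicy.yaml select namespaces by `name: loki`, `networking/namespace: kube-system` and `name: keycloak`, which are hand-applied labels, whereas every other policy in this commit uses the automatically maintained `kubernetes.io/metadata.name`; if those labels are not present the loki and keycloak rules silently match nothing and only the ipBlock rule carries traffic. The following rule (`namespaceSelector: {}` to `k8s-app: kube-dns` with no `ports`) already admits DNS in any namespace, making the kube-system rule redundant, and the keycloak rule has no `ports` either, so it allows every port on those pods. Switching the keys to `kubernetes.io/metadata.name` and adding `ports` to the last two rules keeps the policy both consistent and tight.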
diff --git a/apps/grafana/service.yaml b/apps/grafana/service.yaml
new file mode 100644
index 0000000..2464329
--- /dev/null
+++ b/apps/grafana/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: grafana
+spec:
+ ports:
+ - port: 80
+ targetPort: grafana
+ selector:
+ app.kubernetes.io/name: grafana
diff --git a/apps/grafana/upsert-secret-grafana.sh b/apps/grafana/upsert-secret-grafana.sh
new file mode 100755
index 0000000..e9d0dfb
--- /dev/null
+++ b/apps/grafana/upsert-secret-grafana.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+
+if [[ -f _override.sh ]]; then
+ source _override.sh
+fi
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+GF_SECURITY_ADMIN_PASSWORD="$(echo "$OUTPUT" | grep -e "^GF_SECURITY_ADMIN_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=GF_SECURITY_ADMIN_PASSWORD="${GF_SECURITY_ADMIN_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/grafana/upsert-secrets.sh b/apps/grafana/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/grafana/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/hass/components/config-secrets/kustomization.yaml b/apps/hass/components/config-secrets/kustomization.yaml
new file mode 100644
index 0000000..e9c9e17
--- /dev/null
+++ b/apps/hass/components/config-secrets/kustomization.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+patches:
+ - target:
+ kind: "Deployment"
+ name: "hass"
+ patch: |-
+ - op: "add"
+ path: "/spec/template/spec/volumes/-"
+ value:
+ name: "secrets"
+ secret:
+ secretName: "hass-secrets"
+ - op: "add"
+ path: "/spec/template/spec/containers/0/volumeMounts/-"
+ value:
+ name: "secrets"
+ mountPath: "/config/secrets.yaml"
+ subPath: "secrets.yaml"
diff --git a/apps/hass/components/istio/istio-virtualservice.yaml b/apps/hass/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..1b4b139
--- /dev/null
+++ b/apps/hass/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: hass
+spec:
+ hosts:
+ - hass
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: hass
+ port:
+ number: 80
diff --git a/apps/hass/components/istio/kustomization.yaml b/apps/hass/components/istio/kustomization.yaml
new file mode 100644
index 0000000..5744f60
--- /dev/null
+++ b/apps/hass/components/istio/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "hass"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/hass/components/pvc/hass-pvc.yaml b/apps/hass/components/pvc/hass-pvc.yaml
new file mode 100644
index 0000000..444352e
--- /dev/null
+++ b/apps/hass/components/pvc/hass-pvc.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolumeClaim"
+metadata:
+ name: "hass"
+spec:
+ accessModes:
+ - "ReadWriteMany"
+ resources:
+ requests:
+ storage: "3Gi"
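Review bot: Mounting the Secret at `/config/secrets.yaml` via `subPath` yields a one-time copy: Kubernetes does not propagate later changes to a Secret into subPath mounts, so a rotated secret only takes effect once the pod is recreated. The `reloader.stakater.com/auto` annotation on the hass Deployment presumably covers that by restarting on Secret change, but the dependency should be recorded next to the mount, e.g. `# subPath mounts are never updated in place; relies on reloader recreating the pod on Secret change`.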
diff --git a/apps/hass/components/pvc/kustomization.yaml b/apps/hass/components/pvc/kustomization.yaml
new file mode 100644
index 0000000..3d40d71
--- /dev/null
+++ b/apps/hass/components/pvc/kustomization.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+resources:
+ - "hass-pvc.yaml"
+patches:
+ - target:
+ kind: "Deployment"
+ name: "hass"
+ patch: |-
+ - op: "replace"
+ path: "/spec/template/spec/volumes/0"
+ value:
+ name: "config"
+ persistentVolumeClaim:
+ claimName: "hass"
diff --git a/apps/hass/components/restic-pvc/kustomization.yaml b/apps/hass/components/restic-pvc/kustomization.yaml
new file mode 100644
index 0000000..80e1290
--- /dev/null
+++ b/apps/hass/components/restic-pvc/kustomization.yaml
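Review bot: The `replace` on `/spec/template/spec/volumes/0` relies on `config` staying the first entry of the volume list in apps/hass/deployment.yaml; if that order changes (the config-secrets component appends, but a later edit could reorder), the PVC silently replaces the wrong volume and the config emptyDir survives. Either guard the assumption with a comment, `# index 0 == the "config" emptyDir in deployment.yaml; keep in sync`, or switch to a name-keyed strategic-merge patch that sets `emptyDir: null` alongside the `persistentVolumeClaim`.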
@@ -0,0 +1,63 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - ../../../../infra/restic-pvc
+configMapGenerator:
+ - name: "hass-restic-pvc"
+ literals:
+ - "RETENTION_DAYS=7"
+ - "RETENTION_WEEKS=4"
+ - "RETENTION_MONTHS=6"
+ - "RESTIC_TARGETS=/data"
+ - "RESTIC_BACKUP_ID=hass"
+patches:
+ - target:
+ kind: "CronJob"
+ name: "restic-pvc-backup"
+ patch: |-
+ - op: "replace"
+ path: "/spec/schedule"
+ value: "5 6 * * *"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "hass"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsUser"
+ value: 8123
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsGroup"
+ value: 8123
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/fsGroup"
+ value: 8123
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsUser"
+ value: 8123
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsGroup"
+ value: 8123
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "hass-restic-pvc"
+ - secretRef:
+ name: "hass-restic-pvc"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/volumes/0/persistentVolumeClaim/claimName"
+ value: "hass"
+ - target:
+ kind: "CronJob"
+ name: "restic-pvc-prune"
+ patch: |-
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "hass"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "hass-restic-pvc"
+ - secretRef:
+ name: "hass-restic-pvc"
diff --git a/apps/hass/components/restic-pvc/upsert-secret-hass-restic-pvc.sh b/apps/hass/components/restic-pvc/upsert-secret-hass-restic-pvc.sh
new file mode 100755
index 0000000..18b7aa3
--- /dev/null
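Review bot: The backup CronJob is patched to run as uid/gid 8123 (`runAsUser`, `runAsGroup`, `fsGroup` and the container-level pair), while the hass pod in apps/hass/deployment.yaml runs as 48123 with `fsGroup: 48123`, so the files on the `hass` PVC are owned by a different uid than the one restic reads them with. Whether that works depends on the directory mode bits and on whether the ReadWriteMany backend honours fsGroup, neither of which is visible here; aligning all five values on 48123 (or a comment explaining why 8123 is right) avoids a permission-denied backup that only shows up at 06:05. 8123 is Home Assistant's listening port rather than its uid, which suggests a copy-paste slip.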
+++ b/apps/hass/components/restic-pvc/upsert-secret-hass-restic-pvc.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+BACKUP_ID="${K8S_APP_SUB}"
+S3_DIR="restic-${BACKUP_ID}"
+TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]')
+AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id')
+AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret')
+RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}"
+RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \
+ --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \
+ --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/hass/deployment.yaml b/apps/hass/deployment.yaml
new file mode 100644
index 0000000..b1204b5
--- /dev/null
+++ b/apps/hass/deployment.yaml
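Review bot: `jq -r '.["'"${S3_DIR}"'"]'` prints `null` with exit status 0 when the key is missing from the terraform output, and the following `jq -r '.id'` / `jq -r '.secret'` then also yield `null`, so a typo in the backup id produces a sops-encrypted Secret whose AWS credentials are the literal string `null` rather than a failing script. `jq -er` (exit 1 on null/false) on all three lookups makes the missing key fatal under `set -e`; the httpbin oidc upsert script later in this commit has the same pattern around `client_secret`. `${BACKUP_ID}` in the `pass` call should also be quoted, as every other expansion in the script is.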
@@ -0,0 +1,81 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: hass
+ labels:
+ app.kubernetes.io/name: hass
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: hass
+ template:
+ metadata:
+ labels:
+ app: hass
+ app.kubernetes.io/name: hass
+ app.kubernetes.io/component: hass
+ app.kubernetes.io/part-of: hass
+ spec:
+ securityContext:
+ runAsUser: 48123
+ runAsGroup: 48123
+ fsGroup: 48123
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - image: "homeassistant/home-assistant:2024.5.4"
+ imagePullPolicy: "IfNotPresent"
+ command:
+ - "/usr/local/bin/hass"
+ - "--config=/config"
+ - "--log-file=/dev/null"
+ workingDir: "/config"
+ name: "hass"
+ ports:
+ - containerPort: 8123
+ name: "hass"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 48123
+ runAsGroup: 48123
+ privileged: false
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "50m"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: "/manifest.json"
+ port: "hass"
+ livenessProbe:
+ httpGet:
+ path: "/manifest.json"
+ port: "hass"
+ initialDelaySeconds: 10
+ periodSeconds: 3
+ volumeMounts:
+ - name: "config"
+ mountPath: "/config"
+ - name: "tmp"
+ mountPath: "/tmp"
+ volumes:
+ - name: "config"
+ emptyDir:
+ sizeLimit: "1Gi"
+ - name: "tmp"
+ emptyDir:
+ sizeLimit: "5Mi"
diff --git a/apps/hass/kustomization.yaml b/apps/hass/kustomization.yaml
new file mode 100644
index 0000000..6899093
--- /dev/null
+++ b/apps/hass/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - service.yaml
+ - deployment.yaml
diff --git a/apps/hass/networkpolicy.yaml b/apps/hass/networkpolicy.yaml
new file mode 100644
index 0000000..541f032
--- /dev/null
+++ b/apps/hass/networkpolicy.yaml
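Review bot: apps/hass/kustomization.yaml lists only `service.yaml` and `deployment.yaml`, so the NetworkPolicy in apps/hass/networkpolicy.yaml is never rendered and hass is the one app in this commit that ends up with no policy at all. The hass istio component also targets `kind: NetworkPolicy, name: hass` with a JSON patch, which kustomize will most likely reject at build time when no such resource exists. Add ` - networkpolicy.yaml` under `resources:`, matching the grafana, hedgedoc, hermes, homer and httpbin kustomizations.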
@@ -0,0 +1,20 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: "hass"
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: "hass"
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
diff --git a/apps/hass/service.yaml b/apps/hass/service.yaml
new file mode 100644
index 0000000..75f4be3
--- /dev/null
+++ b/apps/hass/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: hass
+spec:
+ ports:
+ - port: 80
+ targetPort: hass
+ selector:
+ app.kubernetes.io/name: hass
diff --git a/apps/hedgedoc/components/database-mariadb/kustomization.yaml b/apps/hedgedoc/components/database-mariadb/kustomization.yaml
new file mode 100644
index 0000000..71797be
--- /dev/null
+++ b/apps/hedgedoc/components/database-mariadb/kustomization.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+configMapGenerator:
+ - name: "hedgedoc-config"
+ behavior: "merge"
+ literals:
+ - "CMD_DB_DIALECT=mariadb"
+ - "CMD_DB_DATABASE=hedgedoc"
+ - "CMD_DB_PORT=3306"
+patches:
+ - target:
+ kind: "Deployment"
+ name: "hedgedoc"
+ patch: |-
+ - op: "add"
+ path: "/spec/template/spec/containers/0/envFrom/-"
+ value:
+ secretRef:
+ name: "hedgedoc-database-mariadb"
diff --git a/apps/hedgedoc/components/database-mariadb/upsert-secret-hedgedoc-database-mariadb.sh b/apps/hedgedoc/components/database-mariadb/upsert-secret-hedgedoc-database-mariadb.sh
new file mode 100755
index 0000000..b69dc75
--- /dev/null
+++ b/apps/hedgedoc/components/database-mariadb/upsert-secret-hedgedoc-database-mariadb.sh
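Review bot: `policyTypes` in apps/hass/networkpolicy.yaml lists only `Ingress`, so egress from the hass pod is unrestricted, whereas grafana, hedgedoc and hermes in this commit enumerate their egress destinations including DNS. Home Assistant does talk to many LAN devices and cloud integrations, so a full allow-list may be impractical, but that decision should be written down rather than implied by omission, e.g. `# Egress deliberately unrestricted: HA integrations reach arbitrary LAN and cloud endpoints`; listing DNS plus the known integration ranges would still be a tighter default.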
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+CMD_DB_USERNAME="$(echo "$OUTPUT" | grep -e "^CMD_DB_USERNAME=" | cut -d'=' -f2)"
+CMD_DB_PASSWORD="$(echo "$OUTPUT" | grep -e "^CMD_DB_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=CMD_DB_USERNAME="${CMD_DB_USERNAME}" \
+ --from-literal=CMD_DB_PASSWORD="${CMD_DB_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/hedgedoc/components/istio-proxy/kustomization.yaml b/apps/hedgedoc/components/istio-proxy/kustomization.yaml
new file mode 100644
index 0000000..9c0069e
--- /dev/null
+++ b/apps/hedgedoc/components/istio-proxy/kustomization.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+patches:
+ - target:
+ kind: "Namespace"
+ patch: |-
+ - op: add
+ path: "/metadata/labels/istio-injection"
+ value: "enabled"
+ - target:
+ kind: "NetworkPolicy"
+ patch: |-
+ - op: add
+ path: "/spec/egress/-"
+ value:
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "kube-system"
+ podSelector:
+ matchLabels:
+ k8s-app: "kube-dns"
+ ports:
+ - port: 53
+ protocol: "UDP"
+ - port: 53
+ protocol: "TCP"
+ - op: add
+ path: "/spec/egress/-"
+ value:
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector: {}
+ ports:
+ - port: 15012
+ protocol: "TCP"
+ - port: 15014
+ protocol: "TCP"
diff --git a/apps/hedgedoc/components/istio/istio-virtualservice.yaml b/apps/hedgedoc/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..c66480f
--- /dev/null
+++ b/apps/hedgedoc/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: "networking.istio.io/v1alpha3"
+kind: "VirtualService"
+metadata:
+ name: "hedgedoc"
+spec:
+ hosts:
+ - "hedgedoc"
+ gateways:
+ - "istio-system/gateway"
+ http:
+ - match:
+ - uri:
+ prefix: "/"
+ route:
+ - destination:
+ host: "hedgedoc"
+ port:
+ number: 80
diff --git a/apps/hedgedoc/components/istio/kustomization.yaml b/apps/hedgedoc/components/istio/kustomization.yaml
new file mode 100644
index 0000000..bdc2a34
--- /dev/null
+++ b/apps/hedgedoc/components/istio/kustomization.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+resources:
+ - "istio-virtualservice.yaml"
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "hedgedoc"
+ patch: |-
+ - op: "add"
+ path: "/spec/ingress/-"
+ value:
+ ports:
+ - protocol: "TCP"
+ port: "hedgedoc"
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/hedgedoc/components/minio/kustomization.yaml b/apps/hedgedoc/components/minio/kustomization.yaml
new file mode 100644
index 0000000..5fa51fe
--- /dev/null
+++ b/apps/hedgedoc/components/minio/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+configMapGenerator:
+ - name: "hedgedoc"
+ behavior: "merge"
+ literals:
+ - "CMD_IMAGE_UPLOAD_TYPE=minio"
+ - "CMD_MINIO_PORT=443"
+ - "CMD_MINIO_SECURE=true"
diff --git a/apps/hedgedoc/components/minio/upsert-secret-hedgedoc-minio.sh b/apps/hedgedoc/components/minio/upsert-secret-hedgedoc-minio.sh
new file mode 100755
index 0000000..463e16b
--- /dev/null
+++ b/apps/hedgedoc/components/minio/upsert-secret-hedgedoc-minio.sh
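Review bot: The configMapGenerator in apps/hedgedoc/components/minio/kustomization.yaml uses `name: "hedgedoc"` with `behavior: "merge"`, but the base generator in apps/hedgedoc/kustomization.yaml and the database-mariadb component both generate `hedgedoc-config`; a merge whose target generator does not exist is a kustomize build error, so this component cannot be enabled as written. Change it to `- name: "hedgedoc-config"`. No endpoint or bucket value is set here either, so presumably those come from the Secret produced by the sibling upsert script or another overlay — a one-line comment naming where would save the next reader a search.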
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+CMD_MINIO_ACCESS_KEY="$(echo "$OUTPUT" | grep -e "^CMD_MINIO_ACCESS_KEY=" | cut -d'=' -f2)"
+CMD_MINIO_SECRET_KEY="$(echo "$OUTPUT" | grep -e "^CMD_MINIO_SECRET_KEY=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=CMD_MINIO_ACCESS_KEY="${CMD_MINIO_ACCESS_KEY}" \
+ --from-literal=CMD_MINIO_SECRET_KEY="${CMD_MINIO_SECRET_KEY}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/hedgedoc/deployment.yaml b/apps/hedgedoc/deployment.yaml
new file mode 100644
index 0000000..ea7313e
--- /dev/null
+++ b/apps/hedgedoc/deployment.yaml
@@ -0,0 +1,68 @@
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+ name: "hedgedoc"
+ labels:
+ app.kubernetes.io/name: "hedgedoc"
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: "hedgedoc"
+ strategy:
+ type: "RollingUpdate"
+ template:
+ metadata:
+ labels:
+ app: "hedgedoc"
+ app.kubernetes.io/name: "hedgedoc"
+ app.kubernetes.io/component: "hedgedoc"
+ app.kubernetes.io/part-of: "hedgedoc"
+ spec:
+ securityContext:
+ runAsUser: 17248
+ runAsGroup: 17248
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - name: "hedgedoc"
+ image: "quay.io/hedgedoc/hedgedoc:1.9.9"
+ imagePullPolicy: "IfNotPresent"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 17248
+ runAsGroup: 17248
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ privileged: false
+ capabilities:
+ drop:
+ - "ALL"
+ env:
+ - name: "NODE_ENV"
+ value: "production"
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "5m"
+ limits:
+ memory: "768Mi"
+ ports:
+ - containerPort: 3000
+ name: "hedgedoc"
+ envFrom:
+ - configMapRef:
+ name: "hedgedoc-config"
+ volumeMounts:
+ - name: "config-volume"
+ mountPath: "/config"
+ volumes:
+ - name: "config-volume"
+ configMap:
+ name: "hedgedoc-config"
diff --git a/apps/hedgedoc/kustomization.yaml b/apps/hedgedoc/kustomization.yaml
new file mode 100644
index 0000000..7c2741a
--- /dev/null
+++ b/apps/hedgedoc/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+resources:
+ - "deployment.yaml"
+ - "service.yaml"
+ - "networkpolicy.yaml"
+configMapGenerator:
+ - name: "hedgedoc-config"
+ literals:
+ - "CMD_IMAGE_UPLOAD_TYPE=filesystem"
diff --git a/apps/hedgedoc/networkpolicy.yaml b/apps/hedgedoc/networkpolicy.yaml
new file mode 100644
index 0000000..41c8f19
--- /dev/null
+++ b/apps/hedgedoc/networkpolicy.yaml
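Review bot: The base kustomization sets `CMD_IMAGE_UPLOAD_TYPE=filesystem`, yet this container runs with `readOnlyRootFilesystem: true` and mounts only the read-only `hedgedoc-config` ConfigMap at `/config`, so uploads have nowhere writable to land (presumably HedgeDoc writes them under its install directory) and will fail unless the minio component is enabled. Either add an emptyDir or PVC for the upload directory or document that the base is only valid together with an upload component, e.g. `# no writable volume: base requires components/minio for uploads`. Unlike the hass and httpbin Deployments this one also has no readiness or liveness probe, so a wedged process keeps receiving traffic from the Service.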
@@ -0,0 +1,34 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: hedgedoc
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress: []
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - port: 3306
+ endPort: 3307
+ protocol: TCP
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ networking/namespace: kube-system
+ podSelector: {}
+ ports:
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+ - to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
diff --git a/apps/hedgedoc/service.yaml b/apps/hedgedoc/service.yaml
new file mode 100644
index 0000000..f177fe0
--- /dev/null
+++ b/apps/hedgedoc/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: "v1"
+kind: "Service"
+metadata:
+ name: "hedgedoc"
+spec:
+ ports:
+ - port: 80
+ targetPort: "hedgedoc"
+ selector:
+ app.kubernetes.io/name: "hedgedoc"
diff --git a/apps/hermes/components/istio/istio-virtualservice.yaml b/apps/hermes/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..ae75faa
--- /dev/null
+++ b/apps/hermes/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: hermes
+spec:
+ hosts:
+ - hermes
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: hermes
+ port:
+ number: 80
diff --git a/apps/hermes/components/istio/kustomization.yaml b/apps/hermes/components/istio/kustomization.yaml
new file mode 100644
index 0000000..c51ab94
--- /dev/null
+++ b/apps/hermes/components/istio/kustomization.yaml
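Review bot: The database egress rule in apps/hedgedoc/networkpolicy.yaml allows TCP 3306–3307 to `0.0.0.0/0`, i.e. any address on the internet, whereas the grafana policy in this commit scopes the same ports to `192.168.0.0/16`; the policy therefore does not stop a misconfigured or compromised hedgedoc pod from reaching an arbitrary MariaDB endpoint. Narrow the `ipBlock` to the database's network (`cidr: 192.168.0.0/16` if it is the same instance grafana uses) or, if the database runs in-cluster, select it by namespace and pod label. `ingress: []` together with `Ingress` in `policyTypes` correctly denies all ingress until the istio component appends the gateway rule.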
@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
+patches:
+ - target:
+ kind: NetworkPolicy
+ name: hermes
+ patch: |-
+ - op: "replace"
+ path: "/spec/ingress/-"
+ value:
+ ports:
+ - protocol: TCP
+ port: hermes
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: istio-system
+ podSelector:
+ matchLabels:
+ istio: ingressgateway
diff --git a/apps/hermes/deployment.yaml b/apps/hermes/deployment.yaml
new file mode 100644
index 0000000..15e4c43
--- /dev/null
+++ b/apps/hermes/deployment.yaml
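Review bot: The JSON patch uses `op: "replace"` with the append index `/spec/ingress/-`; RFC 6902 defines `-` only for `add`, and `replace` on an element that does not exist is an error, so this component will fail to build instead of adding the gateway rule. The hedgedoc and httpbin istio components use `add` for the same edit; change this line to `- op: "add"`.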
@@ -0,0 +1,74 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: hermes
+ labels:
+ app.kubernetes.io/name: hermes
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: hermes
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: hermes
+ app.kubernetes.io/name: hermes
+ app.kubernetes.io/component: hermes
+ app.kubernetes.io/part-of: hermes
+ annotations:
+ prometheus.io/port: "9223"
+ prometheus.io/scrape: "true"
+ spec:
+ securityContext:
+ runAsUser: 32325
+ runAsGroup: 32325
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: "hermes"
+ image: "ghcr.io/soerenschneider/hermes:1.0.1"
+ imagePullPolicy: "IfNotPresent"
+ command:
+ - "/hermes"
+ - "-config"
+ - "/config/hermes-config.yaml"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 32325
+ runAsGroup: 32325
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ privileged: false
+ capabilities:
+ drop:
+ - "ALL"
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "5m"
+ limits:
+ memory: "256Mi"
+ ports:
+ - containerPort: 8080
+ name: "hermes"
+ - containerPort: 9723
+ name: "metrics"
+ envFrom:
+ - configMapRef:
+ name: "hermes-config"
+ volumeMounts:
+ - name: "config-volume"
+ mountPath: "/config"
+ volumes:
+ - name: "config-volume"
+ configMap:
+ name: "hermes-config"
diff --git a/apps/hermes/kustomization.yaml b/apps/hermes/kustomization.yaml
new file mode 100644
index 0000000..3686d34
--- /dev/null
+++ b/apps/hermes/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - networkpolicy.yaml
diff --git a/apps/hermes/networkpolicy.yaml b/apps/hermes/networkpolicy.yaml
new file mode 100644
index 0000000..c5e2394
--- /dev/null
+++ b/apps/hermes/networkpolicy.yaml
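Review bot: The pod annotation `prometheus.io/port: "9223"` does not match the `metrics` containerPort `9723` declared further down in the same template, so annotation-driven scraping targets a port nothing listens on, and the hermes NetworkPolicy only admits Prometheus on the named `metrics` port anyway. One of the two is a transposition; presumably the annotation should read `prometheus.io/port: "9723"`.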
@@ -0,0 +1,45 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: hermes
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: metrics
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - port: 443
+ protocol: TCP
+ - port: 25
+ protocol: TCP
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ networking/namespace: kube-system
+ podSelector: {}
+ ports:
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+ - to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
diff --git a/apps/hermes/service.yaml b/apps/hermes/service.yaml
new file mode 100644
index 0000000..af3fe9b
--- /dev/null
+++ b/apps/hermes/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: hermes
+spec:
+ ports:
+ - port: 80
+ targetPort: hermes
+ selector:
+ app.kubernetes.io/name: hermes
diff --git a/apps/homer/components/istio/istio-virtualservice.yaml b/apps/homer/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..55a2751
--- /dev/null
+++ b/apps/homer/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: homer
+spec:
+ hosts:
+ - homer
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: homer
+ port:
+ number: 80
diff --git a/apps/homer/components/istio/kustomization.yaml b/apps/homer/components/istio/kustomization.yaml
new file mode 100644
index 0000000..5e37d63
--- /dev/null
+++ b/apps/homer/components/istio/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
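Review bot: Egress in apps/hermes/networkpolicy.yaml is open to `0.0.0.0/0` on TCP 25 and 443. If hermes delivers mail through a fixed relay, the SMTP rule should name that relay's `ipBlock` rather than the whole internet, and submission over 465/587 with TLS is preferable to cleartext port 25 where the relay supports it; if the upstream genuinely is not fixed, a comment recording why the wide rule is needed would help the next reviewer. The kube-system rule uses `networking/namespace` while the monitoring rule uses `kubernetes.io/metadata.name`; only the latter label is set automatically, so the former depends on manual namespace labelling.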
diff --git a/apps/homer/deployment.yaml b/apps/homer/deployment.yaml
new file mode 100644
index 0000000..0a28f75
--- /dev/null
+++ b/apps/homer/deployment.yaml
@@ -0,0 +1,65 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: homer
+ labels:
+ app.kubernetes.io/name: homer
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: homer
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: homer
+ app.kubernetes.io/name: homer
+ app.kubernetes.io/component: homer
+ app.kubernetes.io/part-of: homer
+ spec:
+ securityContext:
+ runAsUser: 34234
+ runAsGroup: 34234
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: homer
+ image: b4bz/homer:v23.10.1
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34234
+ runAsGroup: 34234
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: [ALL]
+ resources:
+ requests:
+ memory: 64Mi
+ cpu: 5m
+ limits:
+ memory: 256Mi
+ ports:
+ - containerPort: 8080
+ name: homer
+ volumeMounts:
+ - name: config-volume
+ mountPath: "/www/assets"
+ volumes:
+ - name: config-volume
+ configMap:
+ name: homer-config
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: location
+ whenUnsatisfiable: ScheduleAnyway
diff --git a/apps/homer/kustomization.yaml b/apps/homer/kustomization.yaml
new file mode 100644
index 0000000..3686d34
--- /dev/null
+++ b/apps/homer/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - networkpolicy.yaml
diff --git a/apps/homer/networkpolicy.yaml b/apps/homer/networkpolicy.yaml
new file mode 100644
index 0000000..391965a
--- /dev/null
+++ b/apps/homer/networkpolicy.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: homer
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: homer
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: istio-system
+ podSelector:
+ matchLabels:
+ istio: ingressgateway
+ - ports:
+ - protocol: TCP
+ port: metrics
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ egress: []
diff --git a/apps/homer/service.yaml b/apps/homer/service.yaml
new file mode 100644
index 0000000..b4237d4
--- /dev/null
+++ b/apps/homer/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: homer
+spec:
+ ports:
+ - port: 80
+ targetPort: homer
+ selector:
+ app.kubernetes.io/name: homer
diff --git a/apps/httpbin/components/istio/istio-virtualservice.yaml b/apps/httpbin/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..d1fdcfb
--- /dev/null
+++ b/apps/httpbin/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: httpbin
+spec:
+ hosts:
+ - httpbin
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: httpbin
+ port:
+ number: 80
diff --git a/apps/httpbin/components/istio/kustomization.yaml b/apps/httpbin/components/istio/kustomization.yaml
new file mode 100644
index 0000000..071af5d
--- /dev/null
+++ b/apps/httpbin/components/istio/kustomization.yaml
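Review bot: The second ingress rule in apps/homer/networkpolicy.yaml admits Prometheus on a named port `metrics`, but the homer Deployment declares only `containerPort: 8080` named `homer`; a named port that no container defines matches nothing, so the rule is dead and should be dropped (or the port added to the Deployment if homer really exposes metrics). The istio-ingressgateway rule is also baked into the base policy here, while every other app in this commit appends it from its `components/istio` kustomization; keeping the same placement preserves the base's "unreachable from the gateway until the component is enabled" default.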
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "httpbin"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/httpbin/components/oidc/kustomization.yaml b/apps/httpbin/components/oidc/kustomization.yaml
new file mode 100644
index 0000000..55fdb00
--- /dev/null
+++ b/apps/httpbin/components/oidc/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: "Deployment"
+ name: "httpbin"
+ path: "oauth2-proxy.yaml"
+ - target:
+ kind: "Service"
+ name: "httpbin"
+ patch: |
+ - op: "replace"
+ path: "/spec/ports/0/targetPort"
+ value: "oauth2-proxy"
+configMapGenerator:
+ - name: "oauth2-proxy"
+ envs:
+ - "oauth2-proxy.properties"
diff --git a/apps/httpbin/components/oidc/oauth2-proxy.properties b/apps/httpbin/components/oidc/oauth2-proxy.properties
new file mode 100644
index 0000000..59aeb37
--- /dev/null
+++ b/apps/httpbin/components/oidc/oauth2-proxy.properties
@@ -0,0 +1,8 @@
+OAUTH2_PROXY_PROVIDER=keycloak-oidc
+OAUTH2_PROXY_EMAIL_DOMAINS=*
+OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
+OAUTH2_PROXY_UPSTREAMS=http://localhost:8080
+OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
+OAUTH2_PROXY_SILENCE_PING_LOGGING=true
+OAUTH2_PROXY_FOOTER=-
+OAUTH2_PROXY_OIDC_ISSUER_URL=https://keycloak.svc.dd.soeren.cloud/realms/myrealm
diff --git a/apps/httpbin/components/oidc/oauth2-proxy.yaml b/apps/httpbin/components/oidc/oauth2-proxy.yaml
new file mode 100644
index 0000000..6ff1184
--- /dev/null
+++ b/apps/httpbin/components/oidc/oauth2-proxy.yaml
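Review bot: The Service patch in apps/httpbin/components/oidc/kustomization.yaml switches `targetPort` to `oauth2-proxy` (4180), but apps/httpbin/networkpolicy.yaml — and the istio component's patch of it — still admit TCP only on the `httpbin` port (8080); with both components enabled, the gateway's traffic to 4180 is dropped while the unauthenticated 8080 listener remains the only port the policy allows. This component should also patch the NetworkPolicy so that the ingress rule's port becomes `oauth2-proxy`, leaving the authenticating proxy as the only reachable port and the raw httpbin listener closed to the network.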
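Review bot: `OAU
TH2_PROXY_EMAIL_DOMAINS=*` authorises every account that can complete a login at the realm, so access control reduces to "has a Keycloak account"; if httpbin is meant for a subset of users, restrict with `OAUTH2_PROXY_ALLOWED_GROUPS` (or scope the Keycloak client) and state the intent in a comment. The same value is also written into the Secret by upsert-secret-httpbin-oidc.sh although it is not secret material and is already in this ConfigMap; keep it in one place so the two cannot drift apart.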
@@ -0,0 +1,42 @@
+---
+- op: add
+ path: /spec/template/spec/containers/-
+ value:
+ name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+ envFrom:
+ - configMapRef:
+ name: oauth2-proxy
+ - secretRef:
+ name: httpbin-components-oidc
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: [all]
+ runAsUser: 65532
+ runAsGroup: 65532
+ resources:
+ requests:
+ memory: "16Mi"
+ cpu: "5m"
+ limits:
+ memory: "64Mi"
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: oauth2-proxy
+ initialDelaySeconds: 4
+ timeoutSeconds: 2
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: oauth2-proxy
+ initialDelaySeconds: 2
+ ports:
+ - containerPort: 4180
+ name: oauth2-proxy
diff --git a/apps/httpbin/components/oidc/upsert-secret-httpbin-oidc.sh b/apps/httpbin/components/oidc/upsert-secret-httpbin-oidc.sh
new file mode 100755
index 0000000..9fb7699
--- /dev/null
+++ b/apps/httpbin/components/oidc/upsert-secret-httpbin-oidc.sh
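Review bot: `drop: [all]` is lowercase here while every other container in this commit uses `ALL`; Kubernetes hands capability names through to the container runtime and I would not rely on every runtime normalising case, so use `drop: [ALL]` for both consistency and certainty. The sidecar overrides the pod-level uid 45346 with 65532, which is fine, but a short comment such as `# 65532: nonroot uid of the distroless base image (verify against the oauth2-proxy image)` records why this container differs from the rest of the pod.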
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OAUTH2_PROXY_CLIENT_ID="httpbin"
+TF_VALUE=$(terraform -chdir=../../../../tf-keycloak output -json clients | jq -r '.["'"${OAUTH2_PROXY_CLIENT_ID}"'"]')
+OAUTH2_PROXY_CLIENT_SECRET=$(echo "$TF_VALUE" | jq -r '.client_secret')
+OAUTH2_PROXY_COOKIE_SECRET="$(openssl rand -base64 32 | tr -- '+/' '-_')"
+OAUTH2_PROXY_EMAIL_DOMAINS="*"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=OAUTH2_PROXY_COOKIE_SECRET="${OAUTH2_PROXY_COOKIE_SECRET}" \
+ --from-literal=OAUTH2_PROXY_CLIENT_ID="${OAUTH2_PROXY_CLIENT_ID}" \
+ --from-literal=OAUTH2_PROXY_CLIENT_SECRET="${OAUTH2_PROXY_CLIENT_SECRET}" \
+ --from-literal=OAUTH2_PROXY_EMAIL_DOMAINS="${OAUTH2_PROXY_EMAIL_DOMAINS}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/httpbin/deployment.yaml b/apps/httpbin/deployment.yaml
new file mode 100644
index 0000000..c55019e
--- /dev/null
+++ b/apps/httpbin/deployment.yaml
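Review bot: `OAUTH2_PROXY_COOKIE_SECRET` is freshly generated by `openssl rand` on every run, so re-running the upsert for any reason (after rotating the client secret, say) invalidates every existing session; if that is intended it deserves a comment, otherwise read the current value back from the sops file when one exists and only generate when absent. As in the restic upsert script, `jq -r '.client_secret'` yields the string `null` with exit 0 when the client is missing from the terraform output, so `jq -er` is the safer form under `set -e`.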
@@ -0,0 +1,65 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: httpbin + labels: + app.kubernetes.io/name: httpbin +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: httpbin + strategy: + type: RollingUpdate + template: + metadata: + labels: + app: httpbin + app.kubernetes.io/name: httpbin + app.kubernetes.io/component: httpbin + app.kubernetes.io/part-of: httpbin + spec: + securityContext: + runAsUser: 45346 + runAsGroup: 45346 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: httpbin + image: mccutchen/go-httpbin:v2.14.0 + imagePullPolicy: IfNotPresent + securityContext: + runAsNonRoot: true + runAsUser: 45346 + runAsGroup: 45346 + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + requests: + memory: 32Mi + cpu: 1m + limits: + memory: 256Mi + ports: + - containerPort: 8080 + name: httpbin + livenessProbe: + httpGet: + path: /status/200 + port: httpbin + readinessProbe: + httpGet: + path: /status/200 + port: httpbin + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: location + whenUnsatisfiable: ScheduleAnyway diff --git a/apps/httpbin/kustomization.yaml b/apps/httpbin/kustomization.yaml new file mode 100644 index 0000000..3686d34 --- /dev/null +++ b/apps/httpbin/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml + - networkpolicy.yaml diff --git a/apps/httpbin/networkpolicy.yaml b/apps/httpbin/networkpolicy.yaml new file mode 100644 index 0000000..cbab1b7 --- /dev/null +++ b/apps/httpbin/networkpolicy.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: httpbin +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + egress: [] + ingress: + - ports: + - protocol: TCP + port: httpbin + from: [] 
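Review bot: In the httpbin NetworkPolicy the ingress rule's `from: []` does not deny sources — an empty or omitted `from` matches every source — so port 8080 is reachable from any pod in the cluster. That matters because the oidc component in this commit puts an oauth2-proxy sidecar on 4180 in front of httpbin, and a direct connection to 8080 bypasses it entirely. Unless cluster-wide access is intended, name the allowed peer explicitly, e.g. `from: [{namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: istio-system}}, podSelector: {matchLabels: {istio: ingressgateway}}}]`, and when the proxy component is applied expose only its port rather than the app port.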
diff --git a/apps/httpbin/service.yaml b/apps/httpbin/service.yaml new file mode 100644 index 0000000..dbf19dc --- /dev/null +++ b/apps/httpbin/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: httpbin +spec: + ports: + - port: 80 + targetPort: httpbin + selector: + app.kubernetes.io/name: httpbin diff --git a/apps/httpbin/upsert-secrets.sh b/apps/httpbin/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/httpbin/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/imapfilter/imapfilter.yaml b/apps/imapfilter/imapfilter.yaml new file mode 100644 index 0000000..26a2a02 --- /dev/null +++ b/apps/imapfilter/imapfilter.yaml @@ -0,0 +1,55 @@ +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: "imapfilter" +spec: + timeZone: "Europe/Berlin" + schedule: "*/5 * * * *" + concurrencyPolicy: "Forbid" + jobTemplate: + spec: + backoffLimit: 0 + template: + spec: + restartPolicy: "Never" + securityContext: + runAsUser: 27701 + runAsGroup: 27701 + fsGroup: 27701 + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "imapfilter" + image: "ghcr.io/soerenschneider/imapfilter:main-20240403180046" + imagePullPolicy: "IfNotPresent" + workingDir: "/tmp" + args: [] + env: + - name: "HOME" + value: "/tmp" + securityContext: + runAsUser: 27701 + runAsGroup: 27701 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + resources: + requests: + memory: "64Mi" + cpu: "5m" + limits: + memory: "1Gi" + volumeMounts: + - name: "tmp" + mountPath: "/tmp" + volumes: + - name: "tmp" + emptyDir: {} diff --git a/apps/imapfilter/kustomization.yaml b/apps/imapfilter/kustomization.yaml new file mode 100644 index 0000000..40b5211 --- /dev/null 
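Review bot: The imapfilter CronJob mounts no Secret and sets no env beyond `HOME`, yet it has to log in to a mailbox every five minutes, so the IMAP credentials are presumably baked into `ghcr.io/soerenschneider/imapfilter:main-20240403180046` (its egress policy allows nothing else it could fetch them from); if so, the registry image is itself a credential and anyone who can pull it gets mailbox access. Inject them instead via `envFrom: [{secretRef: {name: imapfilter}}]` from a SOPS-managed Secret like the other apps in this commit, and add a comment on the container stating where its configuration comes from. The `main-…` tag is also not digest-pinned, so what runs on `IfNotPresent` depends on what each node has cached.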
+++ b/apps/imapfilter/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - imapfilter.yaml + - networkpolicy.yaml diff --git a/apps/imapfilter/networkpolicy.yaml b/apps/imapfilter/networkpolicy.yaml new file mode 100644 index 0000000..db026ab --- /dev/null +++ b/apps/imapfilter/networkpolicy.yaml @@ -0,0 +1,32 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: "imapfilter" +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + egress: + - ports: + - protocol: "TCP" + port: 143 + - protocol: "TCP" + port: 993 + to: + - ipBlock: + cidr: "0.0.0.0/0" + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "kube-system" + podSelector: + matchLabels: + k8s-app: "kube-dns" + ports: + - port: 53 + protocol: "UDP" + - port: 53 + protocol: "TCP" + ingress: [] diff --git a/apps/immich/components/istio/istio-virtualservice.yaml b/apps/immich/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..8657999 --- /dev/null +++ b/apps/immich/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: immich +spec: + hosts: + - immich.localhost + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: "immich-server" + port: + number: 80 diff --git a/apps/immich/components/istio/kustomization.yaml b/apps/immich/components/istio/kustomization.yaml new file mode 100644 index 0000000..9b20062 --- /dev/null +++ b/apps/immich/components/istio/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "istio-virtualservice.yaml" diff --git a/apps/immich/components/pgvector/kustomization.yaml b/apps/immich/components/pgvector/kustomization.yaml new file mode 100644 index 0000000..ab647f1 --- /dev/null 
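Review bot: The imapfilter egress rule opens TCP 143 (cleartext IMAP) to `0.0.0.0/0` alongside 993; if the filter is configured for implicit TLS only, dropping 143 removes any possibility of a plaintext fallback leaking the mailbox credentials, and if STARTTLS on 143 is really needed a comment should say so. The unrestricted `0.0.0.0/0` block also covers the pod, service and node CIDRs; if the mail server is external, add `except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]` to the `ipBlock` so a compromised job cannot reach in-cluster or LAN services on those ports.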
+++ b/apps/immich/components/pgvector/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - postgres-sts.yaml + - postgres-pvc.yaml + - postgres-service.yaml diff --git a/apps/immich/components/pgvector/postgres-pvc.yaml b/apps/immich/components/pgvector/postgres-pvc.yaml new file mode 100644 index 0000000..98bf10f --- /dev/null +++ b/apps/immich/components/pgvector/postgres-pvc.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: immich-postgres +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi diff --git a/apps/immich/components/pgvector/postgres-service.yaml b/apps/immich/components/pgvector/postgres-service.yaml new file mode 100644 index 0000000..df8d662 --- /dev/null +++ b/apps/immich/components/pgvector/postgres-service.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: postgres +spec: + selector: + app: postgres + ports: + - protocol: TCP + port: 5432 + targetPort: 5432 + type: ClusterIP diff --git a/apps/immich/components/pgvector/postgres-sts.yaml b/apps/immich/components/pgvector/postgres-sts.yaml new file mode 100644 index 0000000..493819d --- /dev/null +++ b/apps/immich/components/pgvector/postgres-sts.yaml 
@@ -0,0 +1,95 @@ +--- +apiVersion: apps/v1 +kind: "StatefulSet" +metadata: + name: "postgres" +spec: + serviceName: "postgres" + replicas: 1 + selector: + matchLabels: + app: "postgres" + template: + metadata: + labels: + app: "postgres" + spec: + securityContext: + runAsUser: 999 + runAsGroup: 999 + fsGroup: 999 + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "postgres" + image: "tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0" + securityContext: + runAsUser: 999 + runAsGroup: 999 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + lifecycle: + preStop: + exec: + command: + - "/usr/local/bin/pg_ctl stop -D /var/lib/postgresql/data -w -t 60 -m fast" + env: + - name: "POSTGRES_DB" + value: "immich" + - name: "POSTGRES_USER" + value: "immich" + - name: "POSTGRES_PASSWORD" + value: "immich" + - name: "PGDATA" + value: "/data/pgdata" + - name: "POSTGRES_INITDB_ARGS" + value: '--data-checksums' + ports: + - containerPort: 5432 + name: "postgres" + resources: + limits: + memory: "1Gi" + cpu: "500m" + requests: + memory: "256Mi" + cpu: "50m" + livenessProbe: + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U immich + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U immich + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: var-run + mountPath: /var/run + - name: storage + mountPath: /data + volumes: + - name: "tmp" + emptyDir: + sizeLimit: "512Mi" + - name: "var-run" + emptyDir: + sizeLimit: "50Mi" + - name: "storage" + persistentVolumeClaim: + claimName: "immich-postgres" diff --git a/apps/immich/components/pvc/kustomization.yaml b/apps/immich/components/pvc/kustomization.yaml new file mode 100644 index 0000000..cfa090e --- /dev/null 
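Review bot: `POSTGRES_PASSWORD` is the plaintext literal `immich` in the StatefulSet env, while the application side (the `immich` Secret written by upsert-secret-immich.sh, and the `immich-postgres` Secret the restic-postgres component in this commit reads via `secretKeyRef`) is SOPS-managed — so either those secrets also contain `immich`, defeating the encryption, or the app cannot connect. Source the DB password from that same Secret: `- name: POSTGRES_PASSWORD` / `valueFrom: {secretKeyRef: {name: immich-postgres, key: POSTGRES_PASSWORD}}`. The preStop hook is also broken as written: `command` has a single element holding the whole command line, which the exec handler treats as the path of one binary that does not exist, and its `-D /var/lib/postgresql/data` disagrees with `PGDATA=/data/pgdata`; use `command: ["pg_ctl", "stop", "-D", "/data/pgdata", "-w", "-t", "60", "-m", "fast"]`.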
+++ b/apps/immich/components/pvc/kustomization.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - "pvc.yaml" +patches: + - target: + kind: "Deployment" + name: "immich-server" + patch: |- + - op: "replace" + path: "/spec/template/spec/volumes/0" + value: + name: "storage" + persistentVolumeClaim: + claimName: "immich" + - target: + kind: "Deployment" + name: "immich-microservice" + patch: |- + - op: "replace" + path: "/spec/template/spec/volumes/0" + value: + name: "storage" + persistentVolumeClaim: + claimName: "immich" diff --git a/apps/immich/components/pvc/pvc.yaml b/apps/immich/components/pvc/pvc.yaml new file mode 100644 index 0000000..0ac8805 --- /dev/null +++ b/apps/immich/components/pvc/pvc.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: "v1" +kind: "PersistentVolumeClaim" +metadata: + name: "immich" +spec: + accessModes: + - "ReadWriteMany" + resources: + requests: + storage: "75Gi" diff --git a/apps/immich/components/restic-postgres/kustomization.yaml b/apps/immich/components/restic-postgres/kustomization.yaml new file mode 100644 index 0000000..9679eb9 --- /dev/null +++ b/apps/immich/components/restic-postgres/kustomization.yaml 
@@ -0,0 +1,53 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - ../../../../infra/restic-postgres +configMapGenerator: + - name: "immich-restic-postgres" + literals: + - "RETENTION_DAYS=7" + - "RETENTION_WEEKS=4" + - "RETENTION_MONTHS=6" + - "RESTIC_BACKUP_ID=immich-postgres" + - "POSTGRES_SERVER=postgres" +patches: + - target: + kind: "CronJob" + name: "restic-postgres-backup" + patch: |- + - op: "replace" + path: "/spec/schedule" + value: "5 6 * * *" + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "immich" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/env/0/valueFrom/configMapKeyRef/name" + value: "immich-restic-postgres" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/env/1/valueFrom/secretKeyRef/name" + value: "immich-postgres" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom" + value: + - configMapRef: + name: "immich-restic-postgres" + - secretRef: + name: "immich-restic-postgres" + - secretRef: + name: "immich-postgres" + - target: + kind: "CronJob" + name: "restic-postgres-prune" + patch: |- + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "immich" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom" + value: + - configMapRef: + name: "immich-restic-postgres" + - secretRef: + name: "immich-restic-postgres" diff --git a/apps/immich/components/restic-postgres/upsert-secret-immich-restic-postgres.sh b/apps/immich/components/restic-postgres/upsert-secret-immich-restic-postgres.sh new file mode 100755 index 0000000..381cfba --- /dev/null +++ b/apps/immich/components/restic-postgres/upsert-secret-immich-restic-postgres.sh 
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+BACKUP_ID=immich-postgres
+S3_DIR="restic-${BACKUP_ID}"
+TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]')
+AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id')
+AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret')
+RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}"
+RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \
+ --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/immich/components/restic-pvc/kustomization.yaml b/apps/immich/components/restic-pvc/kustomization.yaml
new file mode 100644
index 0000000..330a5cf
--- /dev/null
+++ b/apps/immich/components/restic-pvc/kustomization.yaml
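Review bot: The terraform lookups use `jq -r`, which prints `null` when the `restic-immich-postgres` key is absent and then again for `.id` and `.secret`, so under these `set` options the script would encrypt a backup Secret whose AWS credentials are the string `null` instead of failing. Switch all three to `jq -er`; with `-e` a null result exits non-zero and `set -e`/`pipefail` abort the assignment, e.g. `TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -er '.["'"${S3_DIR}"'"]')`. The same pattern is in the sibling restic-pvc and oidc scripts.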
@@ -0,0 +1,63 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - ../../../../infra/restic-pvc +configMapGenerator: + - name: "immich-restic-pvc" + literals: + - "RETENTION_DAYS=7" + - "RETENTION_WEEKS=4" + - "RETENTION_MONTHS=6" + - "RESTIC_TARGETS=/data" + - "RESTIC_BACKUP_ID=immich" +patches: + - target: + kind: "CronJob" + name: "restic-pvc-backup" + patch: |- + - op: "replace" + path: "/spec/schedule" + value: "5 6 * * *" + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "immich" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsUser" + value: 8123 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsGroup" + value: 8123 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/securityContext/fsGroup" + value: 8123 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsUser" + value: 8123 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsGroup" + value: 8123 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom" + value: + - configMapRef: + name: "immich-restic-pvc" + - secretRef: + name: "immich-restic-pvc" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/volumes/0/persistentVolumeClaim/claimName" + value: "immich" + - target: + kind: "CronJob" + name: "restic-pvc-prune" + patch: |- + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "immich" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom" + value: + - configMapRef: + name: "immich-restic-pvc" + - secretRef: + name: "immich-restic-pvc" diff --git a/apps/immich/components/restic-pvc/upsert-secret-immich-restic-pvc.sh b/apps/immich/components/restic-pvc/upsert-secret-immich-restic-pvc.sh new file mode 100755 index 0000000..18b7aa3 
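Review bot: The restic-pvc jobs are patched to run as UID/GID 8123 with `fsGroup: 8123`, but the `immich` PVC they back up is written by immich-server running as 25001 (`fsGroup: 25001`) and is `ReadWriteMany`, where fsGroup ownership changes are typically not applied by the storage driver; unless the files happen to be world-readable the backup job will hit permission errors and you silently end up without backups. Either run the backup with the same IDs (`value: 25001` for the five uid/gid/fsGroup patches) or add a comment explaining why 8123 is expected to have read access on this share.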
--- /dev/null
+++ b/apps/immich/components/restic-pvc/upsert-secret-immich-restic-pvc.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+BACKUP_ID="${K8S_APP_SUB}"
+S3_DIR="restic-${BACKUP_ID}"
+TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]')
+AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id')
+AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret')
+RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}"
+RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \
+ --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \
+ --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/immich/immich-machinelearning-deployment.yaml b/apps/immich/immich-machinelearning-deployment.yaml
new file mode 100644
index 0000000..ca79cf6
--- /dev/null
+++ b/apps/immich/immich-machinelearning-deployment.yaml
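Review bot: As in the restic-postgres script, `jq -r` on the terraform output yields the string `null` when `restic-${BACKUP_ID}` is absent and the script carries on, encrypting bogus AWS credentials; change the three `jq -r` calls to `jq -er` so a null result aborts under `set -e`. `BACKUP_ID="${K8S_APP_SUB}"` depends on a variable exported by `contrib/variables.sh`, which is outside this hunk; a one-line comment naming that source (`# K8S_APP_SUB is set by contrib/variables.sh from the component directory name`, if that is indeed how it is derived) would spare the next reader a detour.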
@@ -0,0 +1,110 @@ +--- +kind: "Deployment" +apiVersion: "apps/v1" +metadata: + name: "immich-machine-learning" + labels: + app: "immich-machine-learning" +spec: + selector: + matchLabels: + app: "immich-machine-learning" + template: + metadata: + labels: + app: "immich-machine-learning" + app.kubernetes.io/name: "immich-machine-learning" + app.kubernetes.io/component: "machine-learning" + app.kubernetes.io/instance: "immich-prod" + app.kubernetes.io/part-of: "immich" + spec: + securityContext: + runAsUser: 25001 + runAsGroup: 25001 + fsGroup: 25001 + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "immich-machine-learning" + image: "ghcr.io/immich-app/immich-machine-learning:v1.106.4" + securityContext: + runAsUser: 25001 + runAsGroup: 25001 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + privileged: false + capabilities: + drop: + - "ALL" + ports: + - containerPort: 3003 + name: "immich-ml" + env: + - name: "NODE_ENV" + value: "production" + - name: "MPLCONFIGDIR" + value: "/tmp/matplotlib" + livenessProbe: + failureThreshold: 3 + httpGet: + path: "/ping" + port: "immich-ml" + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: "/ping" + port: "immich-ml" + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + resources: + requests: + memory: "512Mi" + cpu: "100m" + limits: + memory: "6Gi" + cpu: "4" + volumeMounts: + - name: "storage" + mountPath: "/data" + - name: "cache" + mountPath: "/cache" + - name: "tmp" + mountPath: "/tmp" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "1Gi" + - name: "cache" + emptyDir: + sizeLimit: "1Gi" + - name: "tmp" + emptyDir: + sizeLimit: "5Gi" + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app.kubernetes.io/part-of" + operator: "In" 
+ values: + - "immich" + topologyKey: "kubernetes.io/hostname" + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 10 + preference: + matchExpressions: + - key: "cpu_speed" + operator: "In" + values: + - "fast" diff --git a/apps/immich/immich-machinelearning-service.yaml b/apps/immich/immich-machinelearning-service.yaml new file mode 100644 index 0000000..827ed09 --- /dev/null +++ b/apps/immich/immich-machinelearning-service.yaml @@ -0,0 +1,15 @@ +--- +kind: "Service" +apiVersion: "v1" +metadata: + name: "immich-machine-learning" + labels: + app: "immich-machine-learning" +spec: + type: "ClusterIP" + selector: + app: "immich-machine-learning" + ports: + - port: 3003 + targetPort: "immich-ml" + protocol: "TCP" diff --git a/apps/immich/immich-server-deployment.yaml b/apps/immich/immich-server-deployment.yaml new file mode 100644 index 0000000..0f368c4 --- /dev/null +++ b/apps/immich/immich-server-deployment.yaml 
@@ -0,0 +1,100 @@ +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: immich-server + labels: + app: immich-server +spec: + selector: + matchLabels: + app: immich-server + template: + metadata: + labels: + app: immich-server + app.kubernetes.io/name: immich-server + app.kubernetes.io/component: server + app.kubernetes.io/instance: immich-prod + app.kubernetes.io/part-of: immich + spec: + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app.kubernetes.io/part-of" + operator: "In" + values: + - "immich" + topologyKey: "kubernetes.io/hostname" + securityContext: + fsGroup: 25001 + runAsUser: 25001 + runAsGroup: 25001 + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "immich-server" + image: "ghcr.io/immich-app/immich-server:v1.106.4" + env: + - name: "NODE_ENV" + value: "production" + envFrom: + - configMapRef: + name: "immich" + - secretRef: + name: "immich" + optional: true + securityContext: + runAsUser: 25001 + runAsGroup: 25001 + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + ports: + - containerPort: 3001 + name: "immich-server" + livenessProbe: + failureThreshold: 3 + httpGet: + path: "/server-info/ping" + port: "immich-server" + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: "/server-info/ping" + port: "immich-server" + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + resources: + requests: + memory: "512Mi" + cpu: "50m" + limits: + memory: "2Gi" + cpu: "4" + volumeMounts: + - name: "storage" + mountPath: "/data" + - name: "geocoding-dump" + mountPath: "/usr/src/app/.reverse-geocoding-dump" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "1Gi" + - name: "geocoding-dump" + emptyDir: + sizeLimit: 
"1Gi" diff --git a/apps/immich/immich-server-service.yaml b/apps/immich/immich-server-service.yaml new file mode 100644 index 0000000..7dc51b9 --- /dev/null +++ b/apps/immich/immich-server-service.yaml @@ -0,0 +1,15 @@ +--- +kind: Service +apiVersion: v1 +metadata: + name: "immich-server" + labels: + app: "immich-server" +spec: + type: "ClusterIP" + selector: + app: "immich-server" + ports: + - port: 80 + targetPort: "immich-server" + protocol: TCP diff --git a/apps/immich/immich.properties b/apps/immich/immich.properties new file mode 100644 index 0000000..0f05144 --- /dev/null +++ b/apps/immich/immich.properties @@ -0,0 +1,8 @@ +UPLOAD_LOCATION=./library +TZ=Europe/Berlin +DB_HOSTNAME=postgres +DB_DATABASE_NAME=immich +DB_PORT=5432 +REDIS_HOSTNAME=redis +REDIS_PORT=6379 +IMMICH_MEDIA_LOCATION=/data \ No newline at end of file diff --git a/apps/immich/kustomization.yaml b/apps/immich/kustomization.yaml new file mode 100644 index 0000000..79be39d --- /dev/null +++ b/apps/immich/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - immich-server-deployment.yaml + - immich-server-service.yaml + - immich-machinelearning-deployment.yaml + - immich-machinelearning-service.yaml + - redis-deployment.yaml + - redis-service.yaml +configMapGenerator: + - name: immich + envs: + - immich.properties diff --git a/apps/immich/redis-deployment.yaml b/apps/immich/redis-deployment.yaml new file mode 100644 index 0000000..740f35c --- /dev/null +++ b/apps/immich/redis-deployment.yaml 
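Review bot: `secretRef: {name: immich, optional: true}` lets immich-server start without `DB_USERNAME`/`DB_PASSWORD` when the SOPS Secret has not been decrypted or applied, so the failure surfaces as a database authentication error at runtime instead of a clear `CreateContainerConfigError` on the pod. Since the app cannot work without it, drop `optional: true`. The container securityContext also omits `runAsNonRoot: true`; it is inherited from the pod-level securityContext so this is a consistency nit, but the other containers in this commit set it in both places. The Deployment starts on the previous line of the diff.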
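Review bot: apps/immich/kustomization.yaml lists no `networkpolicy.yaml`, unlike httpbin and imapfilter in this commit, so postgres (password `immich` in the StatefulSet env), redis (no authentication) and the machine-learning API are reachable from any pod in the cluster unless a namespace-level default-deny exists outside this change. Add a NetworkPolicy that limits ingress to postgres, redis and immich-machine-learning to pods labelled `app.kubernetes.io/part-of: immich`, limits the server's egress to those services plus DNS and the gateway, and list it under `resources:` here.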
@@ -0,0 +1,70 @@ +--- +apiVersion: "apps/v1" +kind: "Deployment" +metadata: + name: "redis" +spec: + replicas: 1 + selector: + matchLabels: + app: "redis" + component: "immich" + template: + metadata: + labels: + app: "redis" + component: "immich" + app.kubernetes.io/name: "redis" + app.kubernetes.io/component: "cache" + app.kubernetes.io/instance: "immich-prod" + app.kubernetes.io/part-of: "immich" + spec: + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app.kubernetes.io/part-of" + operator: "In" + values: + - "immich" + topologyKey: "kubernetes.io/hostname" + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "redis" + image: "docker.io/library/redis:7.2.5-alpine" + ports: + - containerPort: 6379 + name: "redis" + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + resources: + requests: + memory: "48Mi" + cpu: "15m" + limits: + memory: "196Mi" + volumeMounts: + - name: "storage" + mountPath: "/data" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "1Gi" diff --git a/apps/immich/redis-service.yaml b/apps/immich/redis-service.yaml new file mode 100644 index 0000000..e7d8218 --- /dev/null +++ b/apps/immich/redis-service.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: "v1" +kind: "Service" +metadata: + name: "redis" +spec: + selector: + app: "redis" + ports: + - protocol: "TCP" + port: 6379 + targetPort: "redis" diff --git a/apps/immich/upsert-secret-immich.sh b/apps/immich/upsert-secret-immich.sh new file mode 100755 index 0000000..120e199 --- /dev/null +++ b/apps/immich/upsert-secret-immich.sh 
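Review bot: Redis is started with no `--requirepass`/ACL and no config file, and the official `redis` image is, as far as I know, built with protected mode disabled, so any client that can reach port 6379 can run arbitrary commands (`CONFIG SET`, `FLUSHALL`, reading queued job payloads) against immich's queue. At minimum require a password, e.g. `args: ["--requirepass", "$(REDIS_PASSWORD)"]` with `REDIS_PASSWORD` taken from a Secret and the matching `REDIS_PASSWORD` added to the immich config, and confine ingress with a NetworkPolicy. A comment on the `emptyDir` for `/data` noting that persistence is intentionally disabled would also help, since the queue is lost on every restart.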
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+OUTPUT=$(pass ${PASS_PATH})
+
+DB_USERNAME="$(echo "$OUTPUT" | grep -e "^DB_USERNAME=" | cut -d'=' -f2)"
+DB_PASSWORD="$(echo "$OUTPUT" | grep -e "^DB_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=DB_USERNAME="${DB_USERNAME}" \
+ --from-literal=DB_PASSWORD="${DB_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/immich/upsert-secrets.sh b/apps/immich/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/immich/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/jellyfin/components/istio/istio-virtualservice.yaml b/apps/jellyfin/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..eaf2ae3
--- /dev/null
+++ b/apps/jellyfin/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: jellyfin
+spec:
+ hosts:
+ - jellyfin
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: jellyfin
+ port:
+ number: 80
diff --git a/apps/jellyfin/components/istio/kustomization.yaml b/apps/jellyfin/components/istio/kustomization.yaml
new file mode 100644
index 0000000..5e37d63
--- /dev/null
+++ b/apps/jellyfin/components/istio/kustomization.yaml
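Review bot: `cut -d'=' -f2` keeps only the text between the first and second `=`, so a `DB_PASSWORD` containing `=` (common in generated or base64-style passwords) is silently truncated before it is written to the Secret, and a missing key yields an empty value without any error. Use `cut -d'=' -f2-` (or `sed 's/^DB_PASSWORD=//'`) and fail fast with `[ -n "$DB_PASSWORD" ] || { echo "DB_PASSWORD missing in ${PASS_PATH}" >&2; exit 1; }`. `pass ${PASS_PATH}` should also be quoted, matching the other variable expansions in this file.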
@@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml diff --git a/apps/jellyfin/components/pvc-config/jellyfin-pvc.yaml b/apps/jellyfin/components/pvc-config/jellyfin-pvc.yaml new file mode 100644 index 0000000..9b151a3 --- /dev/null +++ b/apps/jellyfin/components/pvc-config/jellyfin-pvc.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: jellyfin-config +spec: + accessModes: + - ReadWriteOnce + volumeName: jellyfin-config + resources: + requests: + storage: 1Gi diff --git a/apps/jellyfin/components/pvc-config/kustomization.yaml b/apps/jellyfin/components/pvc-config/kustomization.yaml new file mode 100644 index 0000000..7f7483e --- /dev/null +++ b/apps/jellyfin/components/pvc-config/kustomization.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - jellyfin-pvc.yaml +patches: + - target: + kind: StatefulSet + name: jellyfin + patch: | + - op: replace + path: /spec/template/spec/volumes/0 + value: + name: config + persistentVolumeClaim: + claimName: jellyfin-config diff --git a/apps/jellyfin/components/storage-healthcheck/healthcheck.sh b/apps/jellyfin/components/storage-healthcheck/healthcheck.sh new file mode 100644 index 0000000..4ba834a --- /dev/null +++ b/apps/jellyfin/components/storage-healthcheck/healthcheck.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +curl -sf http://localhost:8096/health || exit 1 + +if [ -z "$(ls -A "/media")" ]; then + echo "Directory is empty. Exiting with failure." + exit 1 +fi diff --git a/apps/jellyfin/components/storage-healthcheck/kustomization.yaml b/apps/jellyfin/components/storage-healthcheck/kustomization.yaml new file mode 100644 index 0000000..7404d62 --- /dev/null +++ b/apps/jellyfin/components/storage-healthcheck/kustomization.yaml 
@@ -0,0 +1,34 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +configMapGenerator: + - name: healthcheck + files: + - healthcheck.sh +patches: + - target: + kind: StatefulSet + name: jellyfin + patch: | + + - op: add + path: /spec/template/spec/volumes/- + value: + name: healthcheck + configMap: + name: healthcheck + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: healthcheck + mountPath: /healthcheck.sh + subPath: "healthcheck.sh" + - op: replace + path: /spec/template/spec/containers/0/livenessProbe + value: + exec: + command: + - sh + - /healthcheck.sh + initialDelaySeconds: 15 + periodSeconds: 60 diff --git a/apps/jellyfin/kustomization.yaml b/apps/jellyfin/kustomization.yaml new file mode 100644 index 0000000..7ff9a18 --- /dev/null +++ b/apps/jellyfin/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - statefulset.yaml + - service.yaml diff --git a/apps/jellyfin/service.yaml b/apps/jellyfin/service.yaml new file mode 100644 index 0000000..46b762b --- /dev/null +++ b/apps/jellyfin/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: jellyfin +spec: + ports: + - port: 80 + targetPort: jellyfin + selector: + app: jellyfin diff --git a/apps/jellyfin/statefulset.yaml b/apps/jellyfin/statefulset.yaml new file mode 100644 index 0000000..bf20815 --- /dev/null +++ b/apps/jellyfin/statefulset.yaml 
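Review bot: The storage-healthcheck component replaces the liveness probe with a script that fails whenever `/media` is empty, but the base StatefulSet backs `media` with an `emptyDir`, so with this component applied and no media volume patched in, the kubelet would restart jellyfin every 60 seconds instead of surfacing a storage problem. A comment on the patch, e.g. `# only meaningful together with a component that replaces the media emptyDir; otherwise the probe always fails`, would prevent that misuse. Note also that a ConfigMap mounted via `subPath` is not updated in place, so edits to `healthcheck.sh` only take effect after a pod restart.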
@@ -0,0 +1,93 @@ +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: jellyfin + labels: + app.kubernetes.io/name: jellyfin + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: jellyfin + serviceName: jellyfin + template: + metadata: + labels: + app: jellyfin + app.kubernetes.io/name: jellyfin + app.kubernetes.io/instance: jellyfin-prod + app.kubernetes.io/component: jellyfin + app.kubernetes.io/part-of: jellyfin + spec: + securityContext: + runAsUser: 45538 + runAsGroup: 45538 + fsGroup: 45538 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - image: "jellyfin/jellyfin:10.9.11" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 45538 + runAsGroup: 45538 + privileged: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + imagePullPolicy: IfNotPresent + name: jellyfin + env: + - name: "COMPlus_EnableDiagnostics" + value: "0" + - name: "JELLYFIN_DATA_DIR" + value: "/config" + - name: "JELLYFIN_CACHE_DIR" + value: "/cache" + resources: + requests: + memory: 512Mi + cpu: 200m + limits: + memory: 2048Mi + ports: + - containerPort: 8096 + name: jellyfin + livenessProbe: + httpGet: + path: /health + port: jellyfin + initialDelaySeconds: 15 + timeoutSeconds: 5 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /health + port: jellyfin + initialDelaySeconds: 5 + volumeMounts: + - name: config + mountPath: /config + - name: cache + mountPath: /cache + - name: media + readOnly: true + mountPath: /media + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: location + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: config + emptyDir: {} + - name: cache + emptyDir: {} + - name: media + emptyDir: {} diff --git a/apps/keycloak/components/db-mariadb/kustomization.yaml b/apps/keycloak/components/db-mariadb/kustomization.yaml new file mode 100644 index 0000000..b874b5b 
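Review bot: The pod spec hardens the container well but does not set `automountServiceAccountToken: false`, so a projected service-account token is mounted under `/var/run/secrets/kubernetes.io/serviceaccount` although nothing in this manifest talks to the API server; the same applies to the keycloak, postgres and linkding pod specs in this patch. Add `automountServiceAccountToken: false` under the pod `spec:`. The `media` volume defaults to an empty `emptyDir` mounted read-only, so a deployment without a storage component serves nothing and, with the storage-healthcheck component, never passes liveness — if that is intended, a comment next to the volume such as `# placeholder, replaced by a storage component` would save the next reader a debugging session.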
--- /dev/null +++ b/apps/keycloak/components/db-mariadb/kustomization.yaml @@ -0,0 +1,40 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: "Deployment" + name: "keycloak" + patch: |- + - op: "add" + path: "/spec/template/spec/containers/0/envFrom/-" + value: + secretRef: + name: "keycloak-db-mariadb" + - target: + kind: "NetworkPolicy" + name: "keycloak" + patch: |- + - op: add + path: "/spec/egress/-" + value: + ports: + - protocol: "TCP" + port: 3306 + endPort: 3307 + to: + - ipBlock: + cidr: 192.168.0.0/16 + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" +configMapGenerator: + - name: "keycloak" + behavior: "merge" + literals: + - "KC_DB_URL_DATABASE=keycloak" + - "KC_DB_URL_PORT=3306" + - "KC_DB=mariadb" diff --git a/apps/keycloak/components/db-mariadb/upsert-secret-keycloak-db-mariadb.sh b/apps/keycloak/components/db-mariadb/upsert-secret-keycloak-db-mariadb.sh new file mode 100755 index 0000000..f8735d6 --- /dev/null +++ b/apps/keycloak/components/db-mariadb/upsert-secret-keycloak-db-mariadb.sh 
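Review bot: The egress peer added to the keycloak NetworkPolicy combines `ipBlock` with `namespaceSelector` and `podSelector` in a single list entry, which the API server rejects (`may not specify both ipBlock and another peer`), so this component cannot be applied as written. If the database lives in 192.168.0.0/16 the peer should be just `- ipBlock: {cidr: 192.168.0.0/16}` (ideally narrowed to the DB host's /32); the `istio: ingressgateway` selector looks copy-pasted from the ingress rule and should go, and `endPort: 3307` seems unintended for a single MariaDB port. The merged ConfigMap sets `KC_DB_URL_DATABASE` and `KC_DB_URL_PORT` but no `KC_DB_URL_HOST`, and the secret script supplies only username and password — presumably the host is configured elsewhere, worth confirming.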
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +KC_DB_USERNAME="$(echo "$OUTPUT" | grep -e "^KC_DB_USERNAME=" | cut -d'=' -f2)" +KC_DB_PASSWORD="$(echo "$OUTPUT" | grep -e "^KC_DB_PASSWORD=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=KC_DB_USERNAME="${KC_DB_USERNAME}" \ + --from-literal=KC_DB_PASSWORD="${KC_DB_PASSWORD}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/keycloak/components/istio-proxy/kustomization.yaml b/apps/keycloak/components/istio-proxy/kustomization.yaml new file mode 100644 index 0000000..0236d59 --- /dev/null +++ b/apps/keycloak/components/istio-proxy/kustomization.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Namespace" + patch: |- + - op: add + path: "/metadata/labels/istio-injection" + value: "enabled" + - target: + kind: "NetworkPolicy" + patch: |- + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: {} + ports: + - port: 15012 + protocol: "TCP" + - port: 15014 + protocol: "TCP" diff --git a/apps/keycloak/components/istio/istio-virtualservice.yaml b/apps/keycloak/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..213cf5b --- /dev/null +++ b/apps/keycloak/components/istio/istio-virtualservice.yaml 
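Review bot: `cut -d'=' -f2` keeps only the text between the first and second `=`, so a `KC_DB_PASSWORD` containing `=` (common in generated or base64-style passwords) is silently truncated before it reaches the Secret; use `-f2-` to keep the rest of the line, e.g. `KC_DB_PASSWORD="$(echo "$OUTPUT" | grep -e "^KC_DB_PASSWORD=" | cut -d'=' -f2-)"`. The same extraction pattern recurs in the other upsert scripts in this patch. `pass ${K8S_PASS_PATH}` should also be quoted so `set -u` semantics hold and the path is not word-split.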
@@ -0,0 +1,27 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: keycloak +spec: + hosts: + - keycloak + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: /metrics + route: + - destination: + host: nonexistent.svc.cluster.local + port: + number: 80 + - match: + - uri: + prefix: / + route: + - destination: + host: keycloak + port: + number: 80 diff --git a/apps/keycloak/components/istio/kustomization.yaml b/apps/keycloak/components/istio/kustomization.yaml new file mode 100644 index 0000000..1cf9fac --- /dev/null +++ b/apps/keycloak/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: "NetworkPolicy" + name: "keycloak" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/keycloak/deployment.yaml b/apps/keycloak/deployment.yaml new file mode 100644 index 0000000..33a3955 --- /dev/null +++ b/apps/keycloak/deployment.yaml 
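Review bot: The VirtualService sinks `/metrics` but routes everything else, including the admin console and admin REST API under `/admin/`, through the public gateway to keycloak. Keycloak's hardening guidance is to keep admin endpoints off the public hostname; if the console is only used from inside, add a match with `prefix: /admin` routed to the same `nonexistent.svc.cluster.local` sink ahead of the catch-all, or gate it with an Istio AuthorizationPolicy. With Keycloak 25 metrics are served on the management port (9000), which the Service does not expose, so the `/metrics` sink is likely no longer doing anything — verify against the running image before relying on it.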
@@ -0,0 +1,81 @@ +--- +apiVersion: "apps/v1" +kind: "Deployment" +metadata: + name: "keycloak" + labels: + app.kubernetes.io/name: "keycloak" + app.kubernetes.io/instance: "keycloak-prod" + app.kubernetes.io/component: "server" + annotations: + reloader.stakater.com/auto: "true" + ignore-check.kube-linter.io/no-read-only-root-fs: "TODO: Fix keycloak to allow readonly root fs" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: "keycloak" + template: + metadata: + labels: + app: "keycloak" + app.kubernetes.io/name: "keycloak" + app.kubernetes.io/instance: "keycloak-prod" + app.kubernetes.io/component: "server" + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "keycloak" + image: "quay.io/keycloak/keycloak:25.0.1" + args: ["start"] + securityContext: + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + envFrom: + - configMapRef: + name: "keycloak" + - secretRef: + name: "keycloak" + ports: + - name: "keycloak" + containerPort: 8080 + - name: "management" + containerPort: 9000 + resources: + requests: + memory: "512Mi" + cpu: "50m" + limits: + memory: "768Mi" + startupProbe: + httpGet: + path: "/health" + port: "management" + failureThreshold: 60 + periodSeconds: 10 + readinessProbe: + httpGet: + path: "/health" + port: "management" + initialDelaySeconds: 5 + livenessProbe: + httpGet: + path: "/health" + port: "management" diff --git a/apps/keycloak/keycloak.properties b/apps/keycloak/keycloak.properties new file mode 100644 index 0000000..c6468b4 --- /dev/null +++ b/apps/keycloak/keycloak.properties @@ -0,0 +1,3 @@ +KC_PROXY=edge +KC_HEALTH_ENABLED=true +KC_METRICS_ENABLED=true \ No newline at end of file 
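Review bot: `readOnlyRootFilesystem: false` is carried with a TODO annotation, but the kube-linter ignore does nothing for the Kyverno `require-ro-rootfs` ClusterPolicy added in this same patch, which is set to `Enforce` and does not exclude this namespace, so the keycloak pod is likely to be rejected at admission. Keycloak writes to `/opt/keycloak/data` and `/tmp`, and a plain `start` (no `--optimized`) also rebuilds into `/opt/keycloak/lib/quarkus`; mounting emptyDirs at those paths lets the root filesystem go read-only — verify the paths against the 25.0.1 image. The `prometheus.io/port: "8080"` annotation also looks stale, since in this version health and metrics live on the `management` port 9000 the probes already use.
```yaml
          securityContext:
            readOnlyRootFilesystem: true
            # … unchanged: remaining securityContext fields …
          volumeMounts:
            - name: "kc-data"
              mountPath: "/opt/keycloak/data"
            - name: "kc-quarkus"
              mountPath: "/opt/keycloak/lib/quarkus"
            - name: "tmp"
              mountPath: "/tmp"
      volumes:
        - name: "kc-data"
          emptyDir: {}
        - name: "kc-quarkus"
          emptyDir: {}
        - name: "tmp"
          emptyDir:
            sizeLimit: "64Mi"
```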
diff --git a/apps/keycloak/kustomization.yaml b/apps/keycloak/kustomization.yaml new file mode 100644 index 0000000..ac5d36d --- /dev/null +++ b/apps/keycloak/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - networkpolicy.yaml + - service.yaml +configMapGenerator: + - name: keycloak + envs: + - keycloak.properties diff --git a/apps/keycloak/networkpolicy.yaml b/apps/keycloak/networkpolicy.yaml new file mode 100644 index 0000000..9a32b4c --- /dev/null +++ b/apps/keycloak/networkpolicy.yaml @@ -0,0 +1,37 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: "keycloak" +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + networking/namespace: kube-system + podSelector: {} + ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: + - ports: + - protocol: "TCP" + port: "keycloak" + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "monitoring" + podSelector: + matchLabels: + app.kubernetes.io/name: "prometheus" diff --git a/apps/keycloak/service.yaml b/apps/keycloak/service.yaml new file mode 100644 index 0000000..5cf308f --- /dev/null +++ b/apps/keycloak/service.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: keycloak + labels: + app: keycloak +spec: + ports: + - name: http + port: 80 + targetPort: keycloak + selector: + app.kubernetes.io/name: keycloak diff --git a/apps/keycloak/upsert-secret-keycloak.sh b/apps/keycloak/upsert-secret-keycloak.sh new file mode 100755 index 0000000..6b5369c --- /dev/null +++ b/apps/keycloak/upsert-secret-keycloak.sh 
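Review bot: The second egress rule (`namespaceSelector: {}` with `k8s-app: kube-dns`) carries no `ports`, so it allows every port to any pod labelled `k8s-app: kube-dns` in any namespace — a label anyone with write access to some namespace can put on a pod. Add the same `ports:` list (53/TCP and 53/UDP) to that rule, or drop it if the first rule's `networking/namespace: kube-system` selector already covers CoreDNS. The policy's `podSelector: {}` applies to every pod in the namespace, which is fine while keycloak is alone but will silently govern any job or sidecar added later.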
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +KEYCLOAK_ADMIN="$(echo "$OUTPUT" | grep -e "^KEYCLOAK_ADMIN=" | cut -d'=' -f2)" +KEYCLOAK_ADMIN_PASSWORD="$(echo "$OUTPUT" | grep -e "^KEYCLOAK_ADMIN_PASSWORD=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=KEYCLOAK_ADMIN="${KEYCLOAK_ADMIN}" \ + --from-literal=KEYCLOAK_ADMIN_PASSWORD="${KEYCLOAK_ADMIN_PASSWORD}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/keycloak/upsert-secrets.sh b/apps/keycloak/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/keycloak/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-nowildcards.yaml b/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-nowildcards.yaml new file mode 100644 index 0000000..6a5f939 --- /dev/null +++ b/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-nowildcards.yaml 
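Review bot: `KEYCLOAK_ADMIN` and `KEYCLOAK_ADMIN_PASSWORD` are injected via `envFrom` on every start, but Keycloak only consumes them to bootstrap the first admin user; afterwards the password stays readable in the pod environment (`kubectl describe`, `exec`) for no benefit. Consider rotating the admin password in Keycloak after first boot and removing the secretRef, or performing the bootstrap from a one-shot Job. The `cut -d'=' -f2` extraction also truncates values containing `=`, as in the other upsert scripts; use `-f2-`.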
@@ -0,0 +1,45 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-virtual-service-wildcard + annotations: + policies.kyverno.io/title: Restrict Virtual Service Host with Wildcards + policies.kyverno.io/category: Istio + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.8.4 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/subject: VirtualService + policies.kyverno.io/description: >- + Virtual Services optionally accept a wildcard as an alternative + to precise matching. In some cases, this may be too permissive as it + would direct unintended traffic to the given resource. This + policy enforces that any Virtual Service host does not contain a wildcard + character and allows for more governance when a single mesh deployment + model is used. +spec: + validationFailureAction: Enforce + background: true + rules: + - name: block-virtual-service-wildcard + match: + any: + - resources: + kinds: + - VirtualService + preconditions: + all: + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: AnyIn + value: ["CREATE", "UPDATE"] + validate: + message: "Wildcards are not permitted as hosts." + foreach: + - list: "request.object.spec.hosts" + deny: + conditions: + any: + - key: "{{ contains(element, '*') }}" + operator: Equals + value: true diff --git a/apps/kyverno/components/default-clusterpolicies/cp-require-labels.yaml b/apps/kyverno/components/default-clusterpolicies/cp-require-labels.yaml new file mode 100644 index 0000000..b4c5905 --- /dev/null +++ b/apps/kyverno/components/default-clusterpolicies/cp-require-labels.yaml 
@@ -0,0 +1,40 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + policies.kyverno.io/title: Require Labels + policies.kyverno.io/category: Best Practices + policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod, Label + policies.kyverno.io/description: >- + Define and use labels that identify semantic attributes of your application or Deployment. + A common set of labels allows tools to work collaboratively, describing objects in a common manner that + all tools can understand. The recommended labels describe applications in a way that can be + queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value. +spec: + validationFailureAction: Enforce + background: true + rules: + - name: check-for-labels + match: + any: + - resources: + kinds: + - Pod + exclude: + any: + - resources: + namespaces: + - external-dns + - kube-system + - metallb-system + - flux-system + validate: + message: "The label `app.kubernetes.io/name` is required." + pattern: + metadata: + labels: + app.kubernetes.io/name: "?*" diff --git a/apps/kyverno/components/default-clusterpolicies/cp-require-pod-requests-limits.yaml b/apps/kyverno/components/default-clusterpolicies/cp-require-pod-requests-limits.yaml new file mode 100644 index 0000000..83c518d --- /dev/null +++ b/apps/kyverno/components/default-clusterpolicies/cp-require-pod-requests-limits.yaml 
@@ -0,0 +1,47 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-requests-limits + annotations: + policies.kyverno.io/title: Require Limits and Requests + policies.kyverno.io/category: Best Practices, EKS Best Practices + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/description: >- + As application workloads share cluster resources, it is important to limit resources + requested and consumed by each Pod. It is recommended to require resource requests and + limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified, + defaults will automatically be applied to each Pod based on the LimitRange configuration. + This policy validates that all containers have something specified for memory and CPU + requests and memory limits. +spec: + validationFailureAction: Enforce + background: true + rules: + - name: validate-resources + match: + any: + - resources: + kinds: + - Pod + exclude: + any: + - resources: + namespaces: + - kube-system + - external-dns + - cert-manager + - flux-system + validate: + message: "CPU and memory resource requests and limits are required." + pattern: + spec: + containers: + - resources: + requests: + memory: "?*" + cpu: "?*" + limits: + memory: "?*" diff --git a/apps/kyverno/components/default-clusterpolicies/cp-require-ro-rootfs.yaml b/apps/kyverno/components/default-clusterpolicies/cp-require-ro-rootfs.yaml new file mode 100644 index 0000000..cc89242 --- /dev/null +++ b/apps/kyverno/components/default-clusterpolicies/cp-require-ro-rootfs.yaml 
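Review bot: The pattern only inspects `spec.containers`, so init and ephemeral containers escape the requests/limits requirement; an init container without a memory limit can still exhaust a node during startup. Add an optional anchor beside `containers`, e.g. `=(initContainers): - resources: {requests: {memory: "?*", cpu: "?*"}, limits: {memory: "?*"}}`. The exclusion list here (`cert-manager`) differs from `require-labels` (`metallb-system`) — presumably intentional, but a single shared list would keep the policies from drifting.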
@@ -0,0 +1,42 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-ro-rootfs + annotations: + policies.kyverno.io/title: Require Read-Only Root Filesystem + policies.kyverno.io/category: Best Practices, EKS Best Practices, PSP Migration + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/description: >- + A read-only root file system helps to enforce an immutable infrastructure strategy; + the container only needs to write on the mounted volume that persists the state. + An immutable root filesystem can also prevent malicious binaries from writing to the + host system. This policy validates that containers define a securityContext + with `readOnlyRootFilesystem: true`. +spec: + validationFailureAction: Enforce + background: true + rules: + - name: validate-readOnlyRootFilesystem + match: + any: + - resources: + kinds: + - Pod + exclude: + any: + - resources: + namespaces: + - external-dns + - cert-manager + - kube-system + - flux-system + validate: + message: "Root filesystem must be read-only." + pattern: + spec: + containers: + - securityContext: + readOnlyRootFilesystem: true diff --git a/apps/kyverno/components/default-clusterpolicies/kustomization.yaml b/apps/kyverno/components/default-clusterpolicies/kustomization.yaml new file mode 100644 index 0000000..e9f7cfb --- /dev/null +++ b/apps/kyverno/components/default-clusterpolicies/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - cp-istio-virtualservice-nowildcards.yaml + - cp-require-labels.yaml + - cp-require-pod-requests-limits.yaml + - cp-require-ro-rootfs.yaml diff --git a/apps/kyverno/helm-fan-out.sh b/apps/kyverno/helm-fan-out.sh new file mode 100755 index 0000000..c98224d --- /dev/null +++ b/apps/kyverno/helm-fan-out.sh 
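Review bot: With `validationFailureAction: Enforce` and no exclusion for the keycloak namespace, this policy will reject the keycloak Deployment from this same patch, whose container sets `readOnlyRootFilesystem: false` and relies on a kube-linter ignore annotation that Kyverno does not honour. Either give keycloak emptyDirs for its writable paths before enabling this, or add a narrowly scoped exclusion by resource name rather than a whole namespace. As with the requests/limits policy, `initContainers` are not covered; an `=(initContainers): - securityContext: {readOnlyRootFilesystem: true}` anchor closes that gap.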
@@ -0,0 +1,27 @@ +#!/usr/bin/env bash +# Based on https://github.com/helm/helm/issues/4680#issuecomment-613201032 +# +# helm-fan-out + +if [ -z "$1" ]; then + echo "Please provide an output directory" + exit 1 +fi + +awk -vout="$1" -F": " ' + $0~/^# Source: / { + file=out"/"$2; + if (!(file in filemap)) { + filemap[file] = 1 + print "Creating "file; + system ("mkdir -p $(dirname "file")"); + print "---" >> file; + } + } + $0!~/^# Source: / { + if ($0!~/^---$/) { + if (file) { + print $0 >> file; + } + } + }' diff --git a/apps/kyverno/kustomization.yaml b/apps/kyverno/kustomization.yaml new file mode 100644 index 0000000..0129cb3 --- /dev/null +++ b/apps/kyverno/kustomization.yaml @@ -0,0 +1,3 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization diff --git a/apps/linkding/components/istio/istio-virtualservice.yaml b/apps/linkding/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..95bcda6 --- /dev/null +++ b/apps/linkding/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: linkding +spec: + hosts: + - linkding + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: linkding + port: + number: 80 diff --git a/apps/linkding/components/istio/kustomization.yaml b/apps/linkding/components/istio/kustomization.yaml new file mode 100644 index 0000000..8ed3c0e --- /dev/null +++ b/apps/linkding/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: "NetworkPolicy" + name: "linkding" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" 
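Review bot: The path taken from each `# Source:` line is interpolated unquoted into `system("mkdir -p $(dirname "file")")` and then used as an awk output file, so a chart whose template path contains shell metacharacters or `..` segments can run commands or write outside the output directory; for third-party charts that input is untrusted. Guard the value before using it, e.g. `if ($2 ~ /\.\./ || $2 !~ /^[A-Za-z0-9._\/-]+$/) { print "refusing unsafe source path: " $2 > "/dev/stderr"; exit 1 }`. The script also lacks `set -euo pipefail` and never checks that `$1` is a directory.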
diff --git a/apps/linkding/components/oidc/kustomization.yaml b/apps/linkding/components/oidc/kustomization.yaml new file mode 100644 index 0000000..8372092 --- /dev/null +++ b/apps/linkding/components/oidc/kustomization.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +configMapGenerator: + - name: linkding + behavior: merge + envs: + - linkding.properties + - name: oauth2-proxy + behavior: merge + envs: + - oauth2-proxy.properties +patches: + - target: + kind: "Deployment" + name: "linkding" + path: "oauth2-proxy.yaml" + - target: + kind: "Service" + name: "linkding" + patch: | + - op: "replace" + path: "/spec/ports/0/targetPort" + value: "oauth2-proxy" + - target: + kind: "Deployment" + name: "oauth2-proxy" + patch: |- + - op: add + path: /spec/template/spec/containers/0/env + value: + - name: LD_SUPERUSER_NAME + valueFrom: + secretKeyRef: + name: "linkding" + key: "LD_SUPERUSER_NAME" + - target: + kind: "NetworkPolicy" + name: "linkding" + patch: |- + - op: replace + path: "/spec/ingress/0/ports" + value: + - protocol: "TCP" + port: "oauth2-proxy" diff --git a/apps/linkding/components/oidc/linkding.properties b/apps/linkding/components/oidc/linkding.properties new file mode 100644 index 0000000..bbed50d --- /dev/null +++ b/apps/linkding/components/oidc/linkding.properties @@ -0,0 +1,2 @@ +LD_ENABLE_AUTH_PROXY=True +LD_AUTH_PROXY_USERNAME_HEADER=HTTP_X_FORWARDED_PREFERRED_USERNAME \ No newline at end of file diff --git a/apps/linkding/components/oidc/oauth2-proxy.properties b/apps/linkding/components/oidc/oauth2-proxy.properties new file mode 100644 index 0000000..ad687b4 --- /dev/null +++ b/apps/linkding/components/oidc/oauth2-proxy.properties 
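Review bot: The third patch targets a Deployment named `oauth2-proxy`, but oauth2-proxy is added as a sidecar to the `linkding` Deployment by `oauth2-proxy.yaml` and no such Deployment appears in this patch; unless one exists elsewhere kustomize fails on the unmatched target, and even if it matched, `LD_SUPERUSER_NAME` is a linkding setting, not an oauth2-proxy one. The target should be `name: "linkding"` with the env added to the linkding container. Note that `op: add` on `/spec/template/spec/containers/0/env` replaces the whole list when one already exists, so combining this with the postgres component, which adds `env` the same way, would drop `LD_DB_USER`/`LD_DB_PASSWORD`; appending with `/env/-` or using a strategic-merge patch avoids the clobber.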
@@ -0,0 +1,8 @@ +OAUTH2_PROXY_PROVIDER=keycloak-oidc +OAUTH2_PROXY_EMAIL_DOMAINS=* +OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180 +OAUTH2_PROXY_UPSTREAMS=http://localhost:9090 +OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256 +OAUTH2_PROXY_SILENCE_PING_LOGGING=true +OAUTH2_PROXY_FOOTER=- +OAUTH2_PROXY_SKIP_AUTH_ROUTES=^/api/ \ No newline at end of file diff --git a/apps/linkding/components/oidc/oauth2-proxy.yaml b/apps/linkding/components/oidc/oauth2-proxy.yaml new file mode 100644 index 0000000..1a7b5d6 --- /dev/null +++ b/apps/linkding/components/oidc/oauth2-proxy.yaml @@ -0,0 +1,42 @@ +--- +- op: add + path: /spec/template/spec/containers/- + value: + name: oauth2-proxy + image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 + envFrom: + - configMapRef: + name: oauth2-proxy + - secretRef: + name: oauth2-proxy + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [all] + runAsUser: 65532 + runAsGroup: 65532 + resources: + requests: + memory: "16Mi" + cpu: "5m" + limits: + memory: "64Mi" + livenessProbe: + httpGet: + path: /ping + port: oauth2-proxy + initialDelaySeconds: 4 + timeoutSeconds: 2 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /ping + port: oauth2-proxy + initialDelaySeconds: 2 + ports: + - containerPort: 4180 + name: oauth2-proxy diff --git a/apps/linkding/components/oidc/upsert-secert-oauth2-proxy.sh b/apps/linkding/components/oidc/upsert-secert-oauth2-proxy.sh new file mode 100644 index 0000000..213921a --- /dev/null +++ b/apps/linkding/components/oidc/upsert-secert-oauth2-proxy.sh 
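Review bot: `OAUTH2_PROXY_SKIP_AUTH_ROUTES=^/api/` forwards `/api/` requests to linkding unauthenticated while linkding runs with `LD_ENABLE_AUTH_PROXY=True` and trusts `X-Forwarded-Preferred-Username`; unless oauth2-proxy strips client-supplied identity headers on skipped routes (verify this for v7.6.0), any caller can set that header on an `/api/` request and act as an arbitrary user. Confirm the stripping behaviour, or make linkding's API rely solely on its token authentication, and keep the upstream port 9090 unreachable from outside the pod as the NetworkPolicy patch already does. In `oauth2-proxy.yaml`, `drop: [all]` should be `drop: ["ALL"]` — the runtime may accept the lowercase form, but Pod Security Admission and the other manifests in this patch use the uppercase literal.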
@@ -0,0 +1,27 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OAUTH2_PROXY_CLIENT_ID="${NAMESPACE}" +TF_VALUE=$(terraform -chdir=../../../../tf-keycloak output -json clients | jq -r '.["'"${OAUTH2_PROXY_CLIENT_ID}"'"]') +OAUTH2_PROXY_CLIENT_SECRET=$(echo "$TF_VALUE" | jq -r '.client_secret') +OAUTH2_PROXY_COOKIE_SECRET="$(openssl rand -base64 32 | tr -- '+/' '-_')" +OAUTH2_PROXY_EMAIL_DOMAINS="*" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=OAUTH2_PROXY_COOKIE_SECRET="${OAUTH2_PROXY_COOKIE_SECRET}" \ + --from-literal=OAUTH2_PROXY_CLIENT_ID="${OAUTH2_PROXY_CLIENT_ID}" \ + --from-literal=OAUTH2_PROXY_CLIENT_SECRET="${OAUTH2_PROXY_CLIENT_SECRET}" \ + --from-literal=OAUTH2_PROXY_EMAIL_DOMAINS="${OAUTH2_PROXY_EMAIL_DOMAINS}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/linkding/components/postgres-pvc/kustomization.yaml b/apps/linkding/components/postgres-pvc/kustomization.yaml new file mode 100644 index 0000000..5619251 --- /dev/null +++ b/apps/linkding/components/postgres-pvc/kustomization.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - postgres-pvc.yaml +patches: + - target: + kind: Deployment + name: postgres + patch: |- + - op: replace + path: "/spec/template/spec/volumes/0" + value: + name: storage + persistentVolumeClaim: + claimName: linkding-postgres diff --git a/apps/linkding/components/postgres-pvc/postgres-pvc.yaml b/apps/linkding/components/postgres-pvc/postgres-pvc.yaml new file mode 100644 index 0000000..a522e82 --- /dev/null 
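Review bot: With `set -eu`, `jq -r '.client_secret'` on a missing client still succeeds and yields the string `null`, so a misspelt `NAMESPACE` silently produces a Secret whose client secret is literally `null`. Fail early: `[ -n "$OAUTH2_PROXY_CLIENT_SECRET" ] && [ "$OAUTH2_PROXY_CLIENT_SECRET" != "null" ] || { echo "no client secret for ${OAUTH2_PROXY_CLIENT_ID}" >&2; exit 1; }`. The file is added with mode 100644 and named `upsert-secert-…` (sic), unlike its 100755 `upsert-secret-…` siblings, so a wrapper that globs for executable `upsert-secret-*.sh` files would presumably skip it. `terraform -chdir=../../../../tf-keycloak` also assumes the script runs from its own directory, whereas the shared header resolves paths from the git top level.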
+++ b/apps/linkding/components/postgres-pvc/postgres-pvc.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: linkding-postgres +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/apps/linkding/components/postgres/kustomization.yaml b/apps/linkding/components/postgres/kustomization.yaml new file mode 100644 index 0000000..3d39b64 --- /dev/null +++ b/apps/linkding/components/postgres/kustomization.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - postgres-deployment.yaml + - postgres-networkpolicy.yaml + - postgres-service.yaml +configMapGenerator: + - name: linkding + behavior: merge + envs: + - linkding.properties +patches: + - target: + kind: Deployment + name: linkding + patch: |- + - op: add + path: /spec/template/spec/containers/0/env + value: + - name: LD_DB_USER + valueFrom: + secretKeyRef: + name: linkding + key: POSTGRES_USER + - name: LD_DB_PASSWORD + valueFrom: + secretKeyRef: + name: linkding + key: POSTGRES_PASSWORD diff --git a/apps/linkding/components/postgres/linkding.properties b/apps/linkding/components/postgres/linkding.properties new file mode 100644 index 0000000..b3aa87e --- /dev/null +++ b/apps/linkding/components/postgres/linkding.properties @@ -0,0 +1,3 @@ +LD_DB_ENGINE=postgres +LD_DB_HOST=postgres +LD_DB_DATABASE=linkding diff --git a/apps/linkding/components/postgres/postgres-deployment.yaml b/apps/linkding/components/postgres/postgres-deployment.yaml new file mode 100644 index 0000000..4409436 --- /dev/null +++ b/apps/linkding/components/postgres/postgres-deployment.yaml 
@@ -0,0 +1,113 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: postgres +spec: + replicas: 1 + selector: + matchLabels: + app: postgres + template: + metadata: + labels: + app: postgres + app.kubernetes.io/name: postgres + app.kubernetes.io/instance: linkding-postgres-prod + app.kubernetes.io/component: postgres + app.kubernetes.io/part-of: linkding + spec: + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app.kubernetes.io/part-of" + operator: "In" + values: + - "linkding" + topologyKey: "kubernetes.io/hostname" + securityContext: + runAsUser: 999 + runAsGroup: 999 + fsGroup: 999 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: postgres + image: postgres:16.3 + securityContext: + runAsUser: 999 + runAsGroup: 999 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ALL] + lifecycle: + preStop: + exec: + command: + - "/usr/local/bin/pg_ctl stop -D /var/lib/postgresql/data -w -t 60 -m fast" + env: + - name: POSTGRES_DB + value: linkding + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: linkding + key: POSTGRES_USER + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: linkding + key: POSTGRES_PASSWORD + - name: PGDATA + value: /data/pgdata + ports: + - containerPort: 5432 + name: postgres + resources: + limits: + memory: "1Gi" + cpu: "500m" + requests: + memory: "256Mi" + cpu: "50m" + livenessProbe: + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U linkding + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U linkding + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: var-run + mountPath: /var/run + - name: storage + mountPath: /data + volumes: + - name: 
storage + emptyDir: {} + - name: tmp + emptyDir: + sizeLimit: 5Mi + - name: var-run + emptyDir: + sizeLimit: 5Mi diff --git a/apps/linkding/components/postgres/postgres-networkpolicy.yaml b/apps/linkding/components/postgres/postgres-networkpolicy.yaml new file mode 100644 index 0000000..1970090 --- /dev/null +++ b/apps/linkding/components/postgres/postgres-networkpolicy.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: "postgres" +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: "postgres" + policyTypes: + - Egress + - Ingress + egress: [] + ingress: + - ports: + - protocol: "TCP" + port: "postgres" + from: + - podSelector: + matchLabels: + app.kubernetes.io/name: "linkding" diff --git a/apps/linkding/components/postgres/postgres-service.yaml b/apps/linkding/components/postgres/postgres-service.yaml new file mode 100644 index 0000000..df8d662 --- /dev/null +++ b/apps/linkding/components/postgres/postgres-service.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: postgres +spec: + selector: + app: postgres + ports: + - protocol: TCP + port: 5432 + targetPort: 5432 + type: ClusterIP diff --git a/apps/linkding/components/postgres/upsert-secret-linkding-postgres.sh b/apps/linkding/components/postgres/upsert-secret-linkding-postgres.sh new file mode 100755 index 0000000..3b84280 --- /dev/null +++ b/apps/linkding/components/postgres/upsert-secret-linkding-postgres.sh 
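Review bot: The `preStop` hook passes the whole `pg_ctl stop -D /var/lib/postgresql/data …` string as a single `command` element, so the kubelet tries to exec a file with that literal name, the hook fails and the pod simply receives SIGTERM; the `-D` path also disagrees with `PGDATA=/data/pgdata`. Use an argv list with the right data directory, `command: ["pg_ctl", "stop", "-D", "/data/pgdata", "-w", "-t", "60", "-m", "fast"]`, or drop the hook and rely on PostgreSQL's own SIGTERM handling with an adequate `terminationGracePeriodSeconds`. The probes hard-code `-U linkding` while the actual role comes from the `linkding` Secret; `pg_isready` does not authenticate so this works, but a comment saying so would prevent a future "fix".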
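Review bot: Ingress to postgres is limited to pods labelled `app.kubernetes.io/name: linkding`, but the restic backup CronJob configured in this patch dumps from `POSTGRES_SERVER=postgres` and its pods are only given a `restic/name: linkding` label, so the dump will be blocked unless the `infra/restic-postgres` base (not visible here) carries a matching label. Add a second `from` entry for the backup pods, e.g. `- podSelector: {matchLabels: {restic/name: "linkding"}}`. `egress: []` together with `Egress` in `policyTypes` correctly denies all outbound traffic including DNS.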
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +POSTGRES_USER="$(echo "$OUTPUT" | grep -e "^POSTGRES_USER=" | cut -d'=' -f2)" +POSTGRES_PASSWORD="$(echo "$OUTPUT" | grep -e "^POSTGRES_PASSWORD=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=POSTGRES_USER="${POSTGRES_USER}" \ + --from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/linkding/components/restic-postgres/kustomization.yaml b/apps/linkding/components/restic-postgres/kustomization.yaml new file mode 100644 index 0000000..6a3bd05 --- /dev/null +++ b/apps/linkding/components/restic-postgres/kustomization.yaml 
@@ -0,0 +1,53 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - ../../../../infra/restic-postgres +configMapGenerator: + - name: "linkding-restic-postgres" + literals: + - "RETENTION_DAYS=7" + - "RETENTION_WEEKS=4" + - "RETENTION_MONTHS=6" + - "RESTIC_BACKUP_ID=linkding-postgres" + - "POSTGRES_SERVER=postgres" +patches: + - target: + kind: "CronJob" + name: "restic-postgres-backup" + patch: |- + - op: "replace" + path: "/spec/schedule" + value: "5 6 * * *" + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "linkding" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/env/0/valueFrom/configMapKeyRef/name" + value: "linkding-restic-postgres" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/env/1/valueFrom/secretKeyRef/name" + value: "linkding-postgres" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom" + value: + - configMapRef: + name: "linkding-restic-postgres" + - secretRef: + name: "linkding-restic-postgres" + - secretRef: + name: "linkding-postgres" + - target: + kind: "CronJob" + name: "restic-postgres-prune" + patch: |- + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "linkding" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom" + value: + - configMapRef: + name: "linkding-restic-postgres" + - secretRef: + name: "linkding-restic-postgres" diff --git a/apps/linkding/components/restic-postgres/upsert-secret-linkding-restic-postgres.sh b/apps/linkding/components/restic-postgres/upsert-secret-linkding-restic-postgres.sh new file mode 100755 index 0000000..18b7aa3 --- /dev/null +++ b/apps/linkding/components/restic-postgres/upsert-secret-linkding-restic-postgres.sh 
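Review bot: The backup and prune CronJobs share one `linkding-restic-postgres` Secret — the same AWS key pair and `RESTIC_PASSWORD` — and the backup job additionally receives the database credentials, so compromising either pod yields credentials that can both read and delete the entire backup history (`prune` requires delete rights). Consider a write/append-only key for the backup job, or S3 Object Lock / versioning on the bucket so that a malicious prune cannot irreversibly destroy recent snapshots; the IAM policy is not visible here, so this may already be covered. A comment on the `RETENTION_*` literals naming the `restic forget` policy they feed would also help the next reader.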
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+BACKUP_ID="${K8S_APP_SUB}"
+S3_DIR="restic-${BACKUP_ID}"
+TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]')
+AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id')
+AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret')
+RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}"
+RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \
+ --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \
+ --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/linkding/deployment.yaml b/apps/linkding/deployment.yaml
new file mode 100644
index 0000000..e2beaa1
--- /dev/null
+++ b/apps/linkding/deployment.yaml
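Review bot: When the `ids` output has no entry for `${S3_DIR}`, `jq -r` prints `null`, the follow-up `jq -r '.id'` and `'.secret'` calls print `null` as well, and the script encrypts a Secret whose AWS credentials are the literal string `null` without any error. A guard after the terraform line such as `[ "${TF_VALUE}" != "null" ] || { echo "no S3 credentials for ${S3_DIR}" >&2; exit 1; }` makes that failure visible. The `-chdir=../../../../tf-aws-s3-backups` path is relative to the caller's working directory, unlike the git-toplevel based `-chdir` the mealie oidc script in this commit uses for the same kind of lookup, which has the same unguarded `null` case.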
@@ -0,0 +1,101 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: linkding + labels: + app.kubernetes.io/name: linkding + app: linkding + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: linkding + strategy: + type: RollingUpdate + template: + metadata: + labels: + app: "linkding" + app.kubernetes.io/name: "linkding" + app.kubernetes.io/instance: "linkding-prod" + app.kubernetes.io/component: "linkding" + app.kubernetes.io/part-of: "linkding" + spec: + securityContext: + runAsUser: 32525 + runAsGroup: 32525 + fsGroup: 32525 + seccompProfile: + type: RuntimeDefault + containers: + - name: "linkding" + image: "sissbruecker/linkding:1.31.0" + imagePullPolicy: "IfNotPresent" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 32525 + runAsGroup: 32525 + privileged: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - ALL + resources: + requests: + memory: "196Mi" + cpu: 5m + limits: + memory: "384Mi" + ports: + - containerPort: 9090 + name: "linkding" + startupProbe: + httpGet: + path: "/health" + port: "linkding" + failureThreshold: 60 + periodSeconds: 10 + readinessProbe: + httpGet: + path: "/health" + port: "linkding" + initialDelaySeconds: 5 + livenessProbe: + httpGet: + path: "/health" + port: "linkding" + volumeMounts: + - name: "storage" + mountPath: "/etc/linkding/data" + - name: "tmp" + mountPath: "/tmp" + - mountPath: "/etc/linkding/secretkey.txt" + name: "django-secret-key" + subPath: "secretkey.txt" + readOnly: true + envFrom: + - configMapRef: + name: "linkding" + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: location + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: storage + emptyDir: + sizeLimit: 200Mi + - name: tmp + emptyDir: + sizeLimit: 5Mi + - name: django-secret-key + secret: + secretName: linkding + items: + - key: SECRET_KEY + path: secretkey.txt 
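Review bot: The bookmark data under `/etc/linkding/data` sits on a 200Mi emptyDir, so it is lost whenever the pod is rescheduled unless a pvc component replaces `volumes/0`; none is visible in this chunk, so worth confirming one exists. The secret written by upsert-secret-linkding.sh also carries `LD_SUPERUSER_NAME`, but only `SECRET_KEY` is consumed here via the `django-secret-key` volume, and `LD_HOST_DATA_DIR=/data/linkding` in linkding.properties looks like a compose host-path setting rather than something the container reads — presumably harmless, but verify it has any effect. The hardening itself (non-root UID, read-only root, dropped capabilities, RuntimeDefault seccomp) is consistent with the other workloads in the commit.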
diff --git a/apps/linkding/kustomization.yaml b/apps/linkding/kustomization.yaml new file mode 100644 index 0000000..84b1252 --- /dev/null +++ b/apps/linkding/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml + - networkpolicy.yaml +configMapGenerator: + - name: linkding + envs: + - linkding.properties diff --git a/apps/linkding/linkding.properties b/apps/linkding/linkding.properties new file mode 100644 index 0000000..fed156a --- /dev/null +++ b/apps/linkding/linkding.properties @@ -0,0 +1 @@ +LD_HOST_DATA_DIR=/data/linkding \ No newline at end of file diff --git a/apps/linkding/networkpolicy.yaml b/apps/linkding/networkpolicy.yaml new file mode 100644 index 0000000..df53030 --- /dev/null +++ b/apps/linkding/networkpolicy.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: linkding +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: "linkding" + policyTypes: + - Egress + - Ingress + ingress: + - ports: + - protocol: "TCP" + port: "linkding" + from: [] + egress: + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: "postgres" + ports: + - protocol: "TCP" + port: 5432 + - to: + - ipBlock: + cidr: "0.0.0.0/0" + except: + - "192.168.0.0/16" diff --git a/apps/linkding/service.yaml b/apps/linkding/service.yaml new file mode 100644 index 0000000..5413085 --- /dev/null +++ b/apps/linkding/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: linkding +spec: + ports: + - port: 80 + targetPort: linkding + selector: + app.kubernetes.io/name: linkding diff --git a/apps/linkding/upsert-secret-linkding.sh b/apps/linkding/upsert-secret-linkding.sh new file mode 100755 index 0000000..15290be --- /dev/null +++ b/apps/linkding/upsert-secret-linkding.sh 
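Review bot: `from: []` in the linkding NetworkPolicy ingress rule does not deny traffic — an empty or omitted `from` allows connections on the listed port from every source, so the linkding port is open to all namespaces as soon as this policy applies. If the intent is that only the istio component's JSON patch appends the gateway as the allowed peer, a comment such as `# from: [] allows any source; the istio component appends the gateway selector here` documents it; otherwise list the intended peers explicitly. On the egress side, `0.0.0.0/0` minus `192.168.0.0/16` also covers the cluster's pod and service ranges only if they lie outside that block, so confirm DNS and the postgres peer remain reachable with this policy in place.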
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+LD_SUPERUSER_NAME="$(echo "$OUTPUT" | grep -e "^SUPERUSER_NAME=" | cut -d'=' -f2)"
+SECRET_KEY="$(echo "$OUTPUT" | grep -e "^SECRET_KEY=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=LD_SUPERUSER_NAME="${LD_SUPERUSER_NAME}" \
+ --from-literal=SECRET_KEY="${SECRET_KEY}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/linkding/upsert-secrets.sh b/apps/linkding/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/linkding/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/loki/components/istio/istio-virtualservice.yaml b/apps/loki/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..12f0399
--- /dev/null
+++ b/apps/loki/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: loki
+spec:
+ hosts:
+ - loki
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: loki
+ port:
+ number: 3100
diff --git a/apps/loki/components/istio/kustomization.yaml b/apps/loki/components/istio/kustomization.yaml
new file mode 100644
index 0000000..5e37d63
--- /dev/null
+++ b/apps/loki/components/istio/kustomization.yaml
@@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml diff --git a/apps/loki/components/monolith/kustomization.yaml b/apps/loki/components/monolith/kustomization.yaml new file mode 100644 index 0000000..5bcb54b --- /dev/null +++ b/apps/loki/components/monolith/kustomization.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +configMapGenerator: + - name: loki-config + files: + - loki-config.yaml +patches: + - target: + kind: Deployment + name: loki + patch: |- + - op: add + path: "/spec/template/spec/containers/0/args/-" + value: "-config.file=/etc/loki/loki-config.yaml" diff --git a/apps/loki/components/monolith/loki-config.yaml b/apps/loki/components/monolith/loki-config.yaml new file mode 100644 index 0000000..1855f4e --- /dev/null +++ b/apps/loki/components/monolith/loki-config.yaml 
@@ -0,0 +1,58 @@ +--- +auth_enabled: true +query_scheduler: + max_outstanding_requests_per_tenant: 4096 +common: + compactor_address: 'loki' + path_prefix: /var/loki + replication_factor: 1 + storage: + filesystem: + chunks_directory: /var/loki/chunks + rules_directory: /var/loki/rules +frontend: + scheduler_address: "" + max_outstanding_per_tenant: 4096 +frontend_worker: + scheduler_address: "" +index_gateway: + mode: ring +limits_config: + max_query_parallelism: 32 + max_cache_freshness_per_query: 10m + reject_old_samples: true + reject_old_samples_max_age: 168h + split_queries_by_interval: 15m + retention_period: 744h + retention_stream: + - selector: '{namespace="dev"}' + priority: 1 + period: 24h +memberlist: + join_members: + - loki-memberlist +query_range: + parallelise_shardable_queries: true + align_queries_with_step: true +schema_config: + configs: + - from: "2023-01-05" + index: + period: 24h + prefix: index_ + object_store: filesystem + schema: v12 + store: tsdb +server: + grpc_listen_port: 9095 + http_listen_port: 3100 +storage_config: + hedging: + at: 250ms + max_per_second: 20 + up_to: 3 + tsdb_shipper: + active_index_directory: /var/loki/tsdb-index + cache_location: /var/loki/tsdb-cache +tracing: + enabled: false diff --git a/apps/loki/components/pvc/kustomization.yaml b/apps/loki/components/pvc/kustomization.yaml new file mode 100644 index 0000000..b3139b2 --- /dev/null +++ b/apps/loki/components/pvc/kustomization.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - loki-pvc.yaml +patches: + - target: + kind: Deployment + name: loki + patch: |- + - op: replace + path: /spec/template/spec/volumes/0 + value: + name: storage + persistentVolumeClaim: + claimName: loki diff --git a/apps/loki/components/pvc/loki-pvc.yaml b/apps/loki/components/pvc/loki-pvc.yaml new file mode 100644 index 0000000..2936a24 --- /dev/null +++ b/apps/loki/components/pvc/loki-pvc.yaml 
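Review bot: `retention_period: 744h` and the `retention_stream` entry in `limits_config` are, as far as I know, only enforced by the compactor, and this config has no `compactor:` section with `retention_enabled: true` (Loki 3.x also expects `delete_request_store` alongside it); without that, chunks under `/var/loki/chunks` keep accumulating past the 5Gi emptyDir or the 25Gi PVC. Worth checking against the Loki 3.0 retention documentation and adding the compactor block if retention is intended — `common.compactor_address: 'loki'` already points at this same pod, so the section stays self-contained. `auth_enabled: true` means every writer and reader must send a tenant header; the vector and grafana senders allowed by the NetworkPolicy later in this commit need to be configured for that, which is not visible here.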
@@ -0,0 +1,11 @@ +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: loki +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 25Gi diff --git a/apps/loki/deployment.yaml b/apps/loki/deployment.yaml new file mode 100644 index 0000000..f1ef9a5 --- /dev/null +++ b/apps/loki/deployment.yaml 
@@ -0,0 +1,98 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: loki + labels: + app.kubernetes.io/name: loki + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: loki + template: + metadata: + labels: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki-prod + app.kubernetes.io/component: loki + app.kubernetes.io/part-of: loki + annotations: + prometheus.io/port: "3100" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 10001 + runAsGroup: 10001 + fsGroup: 10001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: "loki" + image: "grafana/loki:3.0.0" + args: [] + ports: + - name: "loki" + containerPort: 3100 + protocol: "TCP" + - name: "grpc" + containerPort: 9095 + protocol: "TCP" + - name: "memberlist" + containerPort: 7946 + protocol: TCP + securityContext: + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + readinessProbe: + httpGet: + path: "/ready" + port: "loki" + initialDelaySeconds: 10 + timeoutSeconds: 1 + livenessProbe: + httpGet: + path: "/ready" + port: "loki" + initialDelaySeconds: 30 + timeoutSeconds: 1 + resources: + requests: + memory: "512Mi" + cpu: "50m" + limits: + memory: "1024Mi" + volumeMounts: + - name: "storage" + mountPath: "/var/loki" + - name: "loki-config" + mountPath: "/etc/loki" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "5Gi" + - name: "loki-config" + configMap: + name: "loki-config" + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 10 + preference: + matchExpressions: + - key: "cpu_speed" + operator: "In" + values: + - "fast" diff --git a/apps/loki/kustomization.yaml b/apps/loki/kustomization.yaml new file mode 100644 index 0000000..3686d34 --- /dev/null 
+++ b/apps/loki/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml + - networkpolicy.yaml diff --git a/apps/loki/networkpolicy.yaml b/apps/loki/networkpolicy.yaml new file mode 100644 index 0000000..652f988 --- /dev/null +++ b/apps/loki/networkpolicy.yaml @@ -0,0 +1,69 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: loki +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: loki + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: vector + podSelector: + matchLabels: + app.kubernetes.io/name: vector + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: grafana + podSelector: + matchLabels: + app.kubernetes.io/name: grafana + egress: + - to: + - ipBlock: + cidr: 192.168.0.0/16 + ports: + - port: 5432 + protocol: TCP + - to: + - ipBlock: + cidr: 192.168.0.0/16 + ports: + - port: 443 + protocol: TCP + - port: 80 + protocol: TCP + - to: + - namespaceSelector: + matchLabels: + networking/namespace: kube-system + podSelector: {} + ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + - to: + - namespaceSelector: + matchLabels: + name: keycloak + podSelector: + matchLabels: + app.kubernetes.io/name: keycloak diff --git a/apps/loki/service.yaml b/apps/loki/service.yaml new file mode 100644 index 0000000..03d871c --- /dev/null +++ b/apps/loki/service.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: "v1" +kind: "Service" +metadata: + name: "loki" +spec: + selector: + app.kubernetes.io/name: "loki" + ports: + - protocol: TCP + port: 3100 + targetPort: "loki" + type: ClusterIP 
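Review bot: `policyTypes` in the loki NetworkPolicy lists only `Ingress`, so the entire `egress:` section below it is ignored — the pods keep unrestricted egress and the 192.168.0.0/16, DNS and keycloak rules are dead configuration. Either add `- Egress` under `policyTypes` (and then verify the `networking/namespace: kube-system` and `name: keycloak` namespace labels actually exist, since the ingress rules in the same policy select namespaces by `kubernetes.io/metadata.name`), or drop the section so the file says what it enforces. `podSelector: {}` also applies the policy to every pod in the namespace rather than just loki, unlike the linkding policy in this commit which selects on `app.kubernetes.io/name`.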
diff --git a/apps/mariadb-galera/components/istio/istio-virtualservice.yaml b/apps/mariadb-galera/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..df3e2e4 --- /dev/null +++ b/apps/mariadb-galera/components/istio/istio-virtualservice.yaml @@ -0,0 +1,39 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "mariadb" +spec: + hosts: + - "mariadb" + gateways: + - "istio-system/gateway" + tcp: + - match: + - port: 3306 + route: + - destination: + host: "mariadb" + port: + number: 3306 + - match: + - port: 4567 + route: + - destination: + host: "mariadb" + port: + number: 4567 + - match: + - port: 4568 + route: + - destination: + host: "mariadb" + port: + number: 4568 + - match: + - port: 4444 + route: + - destination: + host: "mariadb" + port: + number: 4444 diff --git a/apps/mariadb-galera/components/istio/kustomization.yaml b/apps/mariadb-galera/components/istio/kustomization.yaml new file mode 100644 index 0000000..4a6670f --- /dev/null +++ b/apps/mariadb-galera/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: "NetworkPolicy" + name: "taskd" + patch: |- + - op: "add" + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/mariadb-galera/components/pvc/kustomization.yaml b/apps/mariadb-galera/components/pvc/kustomization.yaml new file mode 100644 index 0000000..15838ac --- /dev/null +++ b/apps/mariadb-galera/components/pvc/kustomization.yaml 
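Review bot: The NetworkPolicy patch in the mariadb-galera istio kustomization targets `name: "taskd"`, which looks copied from the taskwarrior component: the mariadb-galera kustomization in this commit only lists `statefulset.yaml` and `service.yaml`, so there is no NetworkPolicy named taskd and kustomize build fails on the unmatched patch target. The VirtualService also routes port 4567 to `mariadb`, but the mariadb-galera Service exposes only 3306, 4568 and 4444. Routing the Galera SST/IST ports (4444, 4568, 4567) through the shared istio-system gateway puts cluster-replication endpoints on the same edge as application routes; if those ports are only meant for in-cluster peers, keeping them off the gateway and reaching them through the Service is the smaller surface.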
@@ -0,0 +1,16 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - pvc.yaml +patches: + - target: + kind: Deployment + name: mariadb + patch: |- + - op: replace + path: /spec/template/spec/volumes/0 + value: + name: storage + persistentVolumeClaim: + claimName: mariadb diff --git a/apps/mariadb-galera/components/pvc/pvc.yaml b/apps/mariadb-galera/components/pvc/pvc.yaml new file mode 100644 index 0000000..15dfead --- /dev/null +++ b/apps/mariadb-galera/components/pvc/pvc.yaml @@ -0,0 +1,11 @@ +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: mariadb +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 25Gi diff --git a/apps/mariadb-galera/components/restic-mariadb/kustomization.yaml b/apps/mariadb-galera/components/restic-mariadb/kustomization.yaml new file mode 100644 index 0000000..54b847c --- /dev/null +++ b/apps/mariadb-galera/components/restic-mariadb/kustomization.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - ../../../../infra/restic-mariadb +patches: + - target: + kind: "CronJob" + name: "restic-mariadb-backup" + patch: |- + - op: "replace" + path: "/spec/schedule" + value: "5 6 * * *" + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "mariadb-cluster" + - target: + kind: "CronJob" + name: "restic-mariadb-prune" + patch: |- + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "mariadb-cluster" diff --git a/apps/mariadb-galera/components/restic-mariadb/upsert-secret-restic-mariadb.sh b/apps/mariadb-galera/components/restic-mariadb/upsert-secret-restic-mariadb.sh new file mode 100755 index 0000000..ec376aa --- /dev/null +++ b/apps/mariadb-galera/components/restic-mariadb/upsert-secret-restic-mariadb.sh 
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+BACKUP_ID="${K8S_APP_SUB}"
+S3_DIR="restic-${BACKUP_ID}"
+AWS_ACCESS_KEY_ID="$(echo "$OUTPUT" | grep -e "^AWS_ACCESS_KEY_ID=" | cut -d'=' -f2)"
+AWS_SECRET_ACCESS_KEY="$(echo "$OUTPUT" | grep -e "^AWS_SECRET_ACCESS_KEY=" | cut -d'=' -f2)"
+RESTIC_PASSWORD="$(echo "$OUTPUT" | grep -e "^RESTIC_PASSWORD=" | cut -d'=' -f2)"
+MARIADB_USER="$(echo "$OUTPUT" | grep -e "^MARIADB_USER=" | cut -d'=' -f2)"
+MARIADB_PASSWORD="$(echo "$OUTPUT" | grep -e "^MARIADB_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \
+ --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \
+ --from-literal=MARIADB_USER="${MARIADB_USER}" \
+ --from-literal=MARIADB_PASSWORD="${MARIADB_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/mariadb-galera/components/tls-wsrep/cert-wsrep.yaml b/apps/mariadb-galera/components/tls-wsrep/cert-wsrep.yaml
new file mode 100644
index 0000000..9d387e1
--- /dev/null
+++ b/apps/mariadb-galera/components/tls-wsrep/cert-wsrep.yaml
@@ -0,0 +1,18 @@ +--- +apiVersion: "cert-manager.io/v1" +kind: "Certificate" +metadata: + name: "mariadb-wsrep" +spec: + secretName: "mariadb-wsrep-cert" + duration: "2160h" + renewBefore: "360h" + commonName: "this is not a valid name" + dnsNames: [] + issuerRef: + name: "vault-issuer" + kind: "Issuer" + group: "cert-manager.io" + privateKey: + algorithm: "RSA" + size: 4096 diff --git a/apps/mariadb-galera/components/tls-wsrep/cm-sst-cnf.yaml b/apps/mariadb-galera/components/tls-wsrep/cm-sst-cnf.yaml new file mode 100644 index 0000000..2950850 --- /dev/null +++ b/apps/mariadb-galera/components/tls-wsrep/cm-sst-cnf.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: "v1" +kind: "ConfigMap" +metadata: + name: "mariadb-sst-conf" +data: + sst.cnf: | + [sst] + encrypt=4 + tkey=/tls/wsrep-tls.key + tcert=/tls/wsrep-tls.crt + tca=/tls/wsrep-ca.crt diff --git a/apps/mariadb-galera/components/tls-wsrep/issuer.yaml b/apps/mariadb-galera/components/tls-wsrep/issuer.yaml new file mode 100644 index 0000000..3584263 --- /dev/null +++ b/apps/mariadb-galera/components/tls-wsrep/issuer.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: "v1" +kind: "ServiceAccount" +metadata: + name: "vault-issuer" +--- +apiVersion: "v1" +kind: "Secret" +metadata: + name: "vault-issuer-sa" + annotations: + kubernetes.io/service-account.name: "vault-issuer" +type: "kubernetes.io/service-account-token" +--- +apiVersion: "cert-manager.io/v1" +kind: "Issuer" +metadata: + name: "vault-issuer" +spec: + vault: + path: "pki/im_srn/sign/mariadb" + server: "https://vault.ha.soeren.cloud" + auth: + kubernetes: + role: "mariadb" + mountPath: "/v1/auth/svc.dd.soeren.cloud" + secretRef: + name: "vault-issuer-sa" + key: "token" diff --git a/apps/mariadb-galera/components/tls-wsrep/kustomization.yaml b/apps/mariadb-galera/components/tls-wsrep/kustomization.yaml new file mode 100644 index 0000000..3ee0a27 --- /dev/null +++ b/apps/mariadb-galera/components/tls-wsrep/kustomization.yaml 
@@ -0,0 +1,42 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - cert-wsrep.yaml + - issuer.yaml + - cm-sst-cnf.yaml +patches: + - target: + kind: "StatefulSet" + name: "mariadb" + patch: |- + - op: "add" + path: "/spec/template/spec/volumes/-" + value: + name: "sst-conf" + configMap: + name: "mariadb-sst-conf" + - op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "sst-conf" + mountPath: "/opt/bitnami/mariadb/conf/bitnami/my_custom.cnf" + subPath: "sst.cnf" + - op: "add" + path: "/spec/template/spec/volumes/-" + value: + name: "wsrep-cert" + secret: + secretName: "mariadb-wsrep-cert" + - op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "wsrep-cert" + mountPath: "/tls/wsrep-tls.crt" + subPath: "tls.crt" + - op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "wsrep-cert" + mountPath: "/tls/wsrep-tls.key" + subPath: "tls.key" diff --git a/apps/mariadb-galera/components/tls/cert-certificate.yaml b/apps/mariadb-galera/components/tls/cert-certificate.yaml new file mode 100644 index 0000000..30058a4 --- /dev/null +++ b/apps/mariadb-galera/components/tls/cert-certificate.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: "cert-manager.io/v1" +kind: "Certificate" +metadata: + name: "mariadb" + annotations: + cert-manager.io/issuer-ca-secret-name: letsencrypt-ca +spec: + secretName: "mariadb-cert" + duration: "2160h" + renewBefore: "720h" + commonName: "this is not a valid name" + dnsNames: [] + issuerRef: + name: "letsencrypt-dns-prod" + kind: "ClusterIssuer" + group: "cert-manager.io" + privateKey: + algorithm: "RSA" + size: 4096 diff --git a/apps/mariadb-galera/components/tls/kustomization.yaml b/apps/mariadb-galera/components/tls/kustomization.yaml new file mode 100644 index 0000000..b151176 --- /dev/null +++ b/apps/mariadb-galera/components/tls/kustomization.yaml 
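Review bot: `sst.cnf` in the previous hunk points `tca` at `/tls/wsrep-ca.crt`, but this patch mounts only `tls.crt` and `tls.key` from the `mariadb-wsrep-cert` secret, so the CA file that `encrypt=4` needs to verify the peer is absent on the pod. cert-manager places `ca.crt` in the secret when the Vault issuer returns a chain, so a third subPath mount for it closes the gap. The tls component in the next hunk has the same omission: `MARIADB_TLS_CA_FILE=/tls/tls-ca.crt` has no matching mount from `mariadb-cert`.
```yaml
        # … unchanged: sst-conf volume/mount and wsrep-cert volume, tls.crt and tls.key mounts …
        - op: "add"
          path: "/spec/template/spec/containers/0/volumeMounts/-"
          value:
            name: "wsrep-cert"
            mountPath: "/tls/wsrep-ca.crt"
            subPath: "ca.crt"
```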
@@ -0,0 +1,36 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "cert-certificate.yaml" +configMapGenerator: + - name: "mariadb-galera" + behavior: "merge" + literals: + - "MARIADB_ENABLE_TLS=yes" + - "MARIADB_TLS_CERT_FILE=/tls/tls.crt" + - "MARIADB_TLS_KEY_FILE=/tls/tls.key" + - "MARIADB_TLS_CA_FILE=/tls/tls-ca.crt" +patches: + - target: + kind: "StatefulSet" + name: "mariadb" + patch: |- + - op: "add" + path: "/spec/template/spec/volumes/-" + value: + name: "cert" + secret: + secretName: "mariadb-cert" + - op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "cert" + mountPath: "/tls/tls.crt" + subPath: "tls.crt" + - op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "cert" + mountPath: "/tls/tls.key" + subPath: "tls.key" diff --git a/apps/mariadb-galera/kustomization.yaml b/apps/mariadb-galera/kustomization.yaml new file mode 100644 index 0000000..1eaadec --- /dev/null +++ b/apps/mariadb-galera/kustomization.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "statefulset.yaml" + - "service.yaml" +configMapGenerator: + - name: "mariadb-galera" + envs: + - "mariadb.properties" diff --git a/apps/mariadb-galera/mariadb.properties b/apps/mariadb-galera/mariadb.properties new file mode 100644 index 0000000..72de663 --- /dev/null +++ b/apps/mariadb-galera/mariadb.properties @@ -0,0 +1,4 @@ +MARIADB_GALERA_CLUSTER_NAME=prd +MARIADB_CHARACTER_SET=utf8mb4 +MARIADB_COLLATE=utf8mb4_unicode_520_ci +TZ=UTC diff --git a/apps/mariadb-galera/service.yaml b/apps/mariadb-galera/service.yaml new file mode 100644 index 0000000..166c81b --- /dev/null +++ b/apps/mariadb-galera/service.yaml 
@@ -0,0 +1,22 @@ +--- +apiVersion: "v1" +kind: "Service" +metadata: + name: "mariadb" +spec: + selector: + app: "mariadb" + ports: + - protocol: "TCP" + name: mariadb + port: 3306 + targetPort: "mariadb" + - protocol: "TCP" + name: iss + port: 4568 + targetPort: "iss" + - protocol: "TCP" + name: sst + port: 4444 + targetPort: "sst" + type: "ClusterIP" diff --git a/apps/mariadb-galera/statefulset.yaml b/apps/mariadb-galera/statefulset.yaml new file mode 100644 index 0000000..2b9c94b --- /dev/null +++ b/apps/mariadb-galera/statefulset.yaml 
@@ -0,0 +1,96 @@ +--- +apiVersion: "apps/v1" +kind: "StatefulSet" +metadata: + name: "mariadb" +spec: + serviceName: "mariadb" + replicas: 1 + selector: + matchLabels: + app: "mariadb" + template: + metadata: + labels: + app: "mariadb" + spec: + terminationGracePeriodSeconds: 180 + securityContext: + runAsUser: 45538 + runAsGroup: 45538 + fsGroup: 45538 + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "mariadb" + image: "bitnami/mariadb-galera:11.3.2" + envFrom: + - configMapRef: + name: "mariadb-galera" + - secretRef: + name: "mariadb-galera" + optional: true + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 45538 + runAsGroup: 45538 + privileged: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + ports: + - containerPort: 3306 + name: "mariadb" + - containerPort: 4567 + protocol: "TCP" + name: "replicate-tcp" + - containerPort: 4567 + protocol: "UDP" + name: "replicate-udp" + - containerPort: 4568 + name: "iss" + - containerPort: 4444 + name: "sst" + livenessProbe: + periodSeconds: 15 + timeoutSeconds: 3 + failureThreshold: 2 + tcpSocket: + port: "mariadb" + resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "50m" + memory: "256Mi" + volumeMounts: + - name: "storage" + mountPath: "/bitnami/mariadb" + - name: "tmp" + mountPath: "/tmp" + - name: "run" + mountPath: "/run/mysqld" + - name: "opt" + mountPath: "/opt/bitnami/mariadb/conf" + - name: "opt-tmp" + mountPath: "/opt/bitnami/mariadb/tmp" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "1Gi" + - name: "tmp" + emptyDir: + sizeLimit: "50Mi" + - name: "opt" + emptyDir: + sizeLimit: "50Mi" + - name: "opt-tmp" + emptyDir: {} + - name: "run" + emptyDir: + sizeLimit: "5Mi" diff --git a/apps/mariadb-galera/upsert-secret-mariadb.sh b/apps/mariadb-galera/upsert-secret-mariadb.sh new file mode 100755 index 0000000..d7b0ff0 --- /dev/null 
+++ b/apps/mariadb-galera/upsert-secret-mariadb.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+#OUTPUT=$(pass ${K8S_PASS_PATH})
+
+MARIADB_GALERA_MARIABACKUP_USER=backup
+MARIADB_GALERA_MARIABACKUP_PASSWORD=blablabla
+MARIADB_REPLICATION_USER=replication
+MARIADB_REPLICATION_PASSWORD=replication
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=MARIADB_GALERA_MARIABACKUP_USER="${MARIADB_GALERA_MARIABACKUP_USER}" \
+ --from-literal=MARIADB_GALERA_MARIABACKUP_PASSWORD="${MARIADB_GALERA_MARIABACKUP_PASSWORD}" \
+ --from-literal=MARIADB_REPLICATION_USER="${MARIADB_REPLICATION_USER}" \
+ --from-literal=MARIADB_REPLICATION_PASSWORD="${MARIADB_REPLICATION_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/mariadb/service.yaml b/apps/mariadb/service.yaml
new file mode 100644
index 0000000..9129672
--- /dev/null
+++ b/apps/mariadb/service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: "v1"
+kind: "Service"
+metadata:
+ name: "mariadb"
+spec:
+ selector:
+ app: "mariadb"
+ ports:
+ - protocol: "TCP"
+ port: 3306
+ targetPort: "mariadb"
diff --git a/apps/mariadb/statefulset.yaml b/apps/mariadb/statefulset.yaml
new file mode 100644
index 0000000..b1e9280
--- /dev/null
+++ b/apps/mariadb/statefulset.yaml
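Review bot: The `pass` lookup is commented out and the mariabackup and replication credentials are hard-coded (`blablabla`, `replication`); those literals are what gets encrypted into `${K8S_SECRET_FILE_NAME}` and deployed to the Galera StatefulSet, and they now sit in git history in clear text. Restore `OUTPUT=$(pass "${K8S_PASS_PATH}")` and derive the four values with the same grep/cut pattern the sibling scripts use (with `cut -d'=' -f2-` so values containing `=` survive), and treat the two accounts as needing rotation since the placeholder values have been committed. The `# Copy this header` block and `set -eu` are otherwise consistent with the other upsert scripts in this commit.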
@@ -0,0 +1,70 @@ +--- +apiVersion: apps/v1 +kind: "StatefulSet" +metadata: + name: "mariadb" +spec: + serviceName: "mariadb" + replicas: 1 + selector: + matchLabels: + app: "mariadb" + template: + metadata: + labels: + app: "mariadb" + spec: + securityContext: + runAsUser: 45538 + runAsGroup: 45538 + fsGroup: 45538 + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "mariadb" + image: "mariadb:11.4.2" + envFrom: + - configMapRef: + name: "mariadb" + - secretRef: + name: "mariadb" + optional: true + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 45538 + runAsGroup: 45538 + privileged: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + ports: + - containerPort: 3306 + name: "mariadb" + resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "50m" + memory: "256Mi" + volumeMounts: + - name: "storage" + mountPath: "/var/lib/mysql" + - name: "tmp" + mountPath: "/tmp" + - name: "run" + mountPath: "/run/mysqld" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "1Gi" + - name: "tmp" + emptyDir: + sizeLimit: "50Mi" + - name: "run" + emptyDir: + sizeLimit: "50Mi" diff --git a/apps/mealie/components/istio/istio-virtualservice.yaml b/apps/mealie/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..d5cb002 --- /dev/null +++ b/apps/mealie/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: mealie +spec: + hosts: + - mealie + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: mealie + port: + number: 80 diff --git a/apps/mealie/components/istio/kustomization.yaml b/apps/mealie/components/istio/kustomization.yaml new file mode 100644 index 0000000..6c9a372 --- /dev/null +++ b/apps/mealie/components/istio/kustomization.yaml 
@@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: "NetworkPolicy" + name: "mealie" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/mealie/components/mealie-pvc/kustomization.yaml b/apps/mealie/components/mealie-pvc/kustomization.yaml new file mode 100644 index 0000000..ab82dbb --- /dev/null +++ b/apps/mealie/components/mealie-pvc/kustomization.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "mealie-pvc.yaml" +patches: + - target: + kind: "Deployment" + name: "mealie" + patch: |- + - op: "replace" + path: "/spec/template/spec/volumes/0" + value: + name: "storage" + persistentVolumeClaim: + claimName: "mealie" diff --git a/apps/mealie/components/mealie-pvc/mealie-pvc.yaml b/apps/mealie/components/mealie-pvc/mealie-pvc.yaml new file mode 100644 index 0000000..175bd9a --- /dev/null +++ b/apps/mealie/components/mealie-pvc/mealie-pvc.yaml @@ -0,0 +1,11 @@ +--- +kind: "PersistentVolumeClaim" +apiVersion: "v1" +metadata: + name: "mealie" +spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "5Gi" diff --git a/apps/mealie/components/oidc/kustomization.yaml b/apps/mealie/components/oidc/kustomization.yaml new file mode 100644 index 0000000..179bc65 --- /dev/null +++ b/apps/mealie/components/oidc/kustomization.yaml 
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+configMapGenerator:
+ - name: "mealie-oidc" # TODO: https://github.com/kubernetes-sigs/kustomize/issues/4402
+ behavior: merge
+ literals:
+ - "OIDC_AUTH_ENABLED=true"
+ - "OIDC_CLIENT_ID=mealie"
+ - "OIDC_AUTO_REDIRECT=false"
+patches:
+ - target:
+ kind: "Deployment"
+ name: "mealie"
+ patch: |-
+ - op: "add"
+ path: "/spec/template/spec/containers/0/envFrom/-"
+ value:
+ configMapRef:
+ name: "mealie-oidc"
diff --git a/apps/mealie/components/oidc/upsert-secret-mealie-oidc.sh b/apps/mealie/components/oidc/upsert-secret-mealie-oidc.sh
new file mode 100755
index 0000000..e25a7ff
--- /dev/null
+++ b/apps/mealie/components/oidc/upsert-secret-mealie-oidc.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OIDC_CLIENT_ID=mealie
+TF_VALUE=$(terraform -chdir="$(git rev-parse --show-toplevel)/../tf-keycloak" output -json clients | jq -r '.["'"${OAUTH2_PROXY_CLIENT_ID}"'"]')
+OAUTH2_CLIENT_SECRET=$(echo "$TF_VALUE" | jq -r '.client_secret')
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=OIDC_CLIENT_ID="${OIDC_CLIENT_ID}" \
+ --from-literal=OAUTH2_CLIENT_SECRET="${OAUTH2_CLIENT_SECRET}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/mealie/components/postgres-pvc/kustomization.yaml b/apps/mealie/components/postgres-pvc/kustomization.yaml
new file mode 100644
index 0000000..0548724
--- /dev/null
+++ b/apps/mealie/components/postgres-pvc/kustomization.yaml
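Review bot: `configMapGenerator` declares `mealie-oidc` with `behavior: merge`, but no ConfigMap of that name exists in the base (the base kustomization at L251 only generates `mealie`), and kustomize refuses to merge into a resource that is not there; the TODO on that line may be the author hitting exactly this. Either generate it with `behavior: create` (the default) and keep the Deployment patch that adds the `mealie-oidc` configMapRef, or merge the three literals into the existing `mealie` ConfigMap the way the postgres component does (L243), in which case the patch is unnecessary. A one-line comment stating which variant is intended would make the TODO actionable.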
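Review bot: The `jq` lookup selects the client with `${OAUTH2_PROXY_CLIENT_ID}`, but this script only defines `OIDC_CLIENT_ID`; under `set -u` that aborts with an unbound-variable error unless `contrib/variables.sh` happens to export the former, and if it does the secret for the wrong client is fetched. The expression should read `jq -r '.["'"${OIDC_CLIENT_ID}"'"]'`. The secret key is also emitted as `OAUTH2_CLIENT_SECRET`, which does not match the `OIDC_*` naming the component's ConfigMap uses (Mealie reads the client secret from `OIDC_CLIENT_SECRET`, as far as I know), so the value would be ignored by the application even once the lookup works.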
@@ -0,0 +1,5 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+resources:
+ - "postgres-pvc.yaml"
diff --git a/apps/mealie/components/postgres-pvc/postgres-pvc.yaml b/apps/mealie/components/postgres-pvc/postgres-pvc.yaml
new file mode 100644
index 0000000..2c78182
--- /dev/null
+++ b/apps/mealie/components/postgres-pvc/postgres-pvc.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolumeClaim"
+metadata:
+ name: "mealie-postgres"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "1Gi"
diff --git a/apps/mealie/components/postgres/kustomization.yaml b/apps/mealie/components/postgres/kustomization.yaml
new file mode 100644
index 0000000..debca07
--- /dev/null
+++ b/apps/mealie/components/postgres/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - postgres-deployment.yaml
+ - postgres-service.yaml
+configMapGenerator:
+ - name: mealie
+ behavior: merge
+ literals:
+ - "DB_ENGINE=postgres"
+ - "POSTGRES_PORT=5432"
+ - "POSTGRES_SERVER=postgres"
+ - "POSTGRES_DB=mealie"
diff --git a/apps/mealie/components/postgres/mealie.properties b/apps/mealie/components/postgres/mealie.properties
new file mode 100644
index 0000000..e69de29
diff --git a/apps/mealie/components/postgres/postgres-deployment.yaml b/apps/mealie/components/postgres/postgres-deployment.yaml
new file mode 100644
index 0000000..754dc0a
--- /dev/null
+++ b/apps/mealie/components/postgres/postgres-deployment.yaml
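Review bot: This component switches Mealie to `DB_ENGINE=postgres` but supplies no database credentials to the application: the postgres Deployment (L244-245) reads `POSTGRES_USER`/`POSTGRES_PASSWORD` from Secret `mealie-postgres`, while the Mealie Deployment (L250) only references Secret `mealie`, which per `upsert-secret-mealie.sh` (L252) carries just `SECRET_KEY`. Unless the `mealie` secret is populated elsewhere, Mealie starts without credentials and cannot connect. A Deployment patch mirroring the oidc component would close the gap: `- op: "add"`, `path: "/spec/template/spec/containers/0/envFrom/-"`, `value: {secretRef: {name: "mealie-postgres"}}`. The empty `mealie.properties` added next to this kustomization is not referenced by it and can probably be dropped.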
@@ -0,0 +1,114 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: postgres
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: postgres
+ template:
+ metadata:
+ labels:
+ app: postgres
+ app.kubernetes.io/name: postgres
+ app.kubernetes.io/component: database
+ app.kubernetes.io/instance: mealie-prod
+ app.kubernetes.io/part-of: mealie
+ spec:
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: "app.kubernetes.io/part-of"
+ operator: "In"
+ values:
+ - "mealie"
+ topologyKey: "kubernetes.io/hostname"
+ securityContext:
+ runAsUser: 999
+ runAsGroup: 999
+ fsGroup: 999
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: postgres
+ image: postgres:16.3
+ securityContext:
+ runAsUser: 999
+ runAsGroup: 999
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: [ALL]
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/usr/local/bin/pg_ctl stop -D /var/lib/postgresql/data -w -t 60 -m fast"
+ env:
+ - name: "POSTGRES_DB"
+ value: "mealie"
+ - name: "POSTGRES_USER"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_USER"
+ name: "mealie-postgres"
+ - name: "POSTGRES_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_PASSWORD"
+ name: "mealie-postgres"
+ - name: "PGDATA"
+ value: "/data/pgdata"
+ ports:
+ - containerPort: 5432
+ name: "postgres"
+ resources:
+ limits:
+ memory: "1Gi"
+ cpu: "500m"
+ requests:
+ memory: "256Mi"
+ cpu: "50m"
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - exec pg_isready -U mealie
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ readinessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - exec pg_isready -U mealie
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: var-run
+ mountPath: /var/run
+ - name: storage
+ mountPath: /data
+ volumes:
+ - name: tmp
+ emptyDir:
+ sizeLimit: 5Mi
+ - name: var-run
+ emptyDir:
+ sizeLimit: 5Mi
+ - name: storage
+ persistentVolumeClaim:
+ claimName: mealie-postgres
diff --git a/apps/mealie/components/postgres/postgres-service.yaml b/apps/mealie/components/postgres/postgres-service.yaml
new file mode 100644
index 0000000..df8d662
--- /dev/null
+++ b/apps/mealie/components/postgres/postgres-service.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgres
+spec:
+ selector:
+ app: postgres
+ ports:
+ - protocol: TCP
+ port: 5432
+ targetPort: 5432
+ type: ClusterIP
diff --git a/apps/mealie/components/postgres/upsert-secret-mealie-postgres.sh b/apps/mealie/components/postgres/upsert-secret-mealie-postgres.sh
new file mode 100755
index 0000000..3b84280
--- /dev/null
+++ b/apps/mealie/components/postgres/upsert-secret-mealie-postgres.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+POSTGRES_USER="$(echo "$OUTPUT" | grep -e "^POSTGRES_USER=" | cut -d'=' -f2)"
+POSTGRES_PASSWORD="$(echo "$OUTPUT" | grep -e "^POSTGRES_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=POSTGRES_USER="${POSTGRES_USER}" \
+ --from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/mealie/components/restic-postgres/kustomization.yaml b/apps/mealie/components/restic-postgres/kustomization.yaml
new file mode 100644
index 0000000..c941cad
--- /dev/null
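Review bot: The `preStop` hook passes the whole `pg_ctl stop ...` command line as one `exec` argv element, so the kubelet tries to execute a file literally named `/usr/local/bin/pg_ctl stop -D ... -m fast`; the hook fails (an event is recorded, termination proceeds) and postgres never gets its fast shutdown. The path also points at `/var/lib/postgresql/data` while `PGDATA` is `/data/pgdata`. Split the arguments and use the real data directory, `command: ["pg_ctl", "stop", "-D", "/data/pgdata", "-w", "-t", "60", "-m", "fast"]`; the same hook is copied into the media postgres Deployment (L254). Note that `terminationGracePeriodSeconds` is left at its 30 s default while the hook waits up to 60 s, so the pod can be killed before `pg_ctl` returns.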
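Review bot: `cut -d'=' -f2` keeps only the text between the first and second `=`, so a password that contains `=` (common for base64-style generated secrets) is silently truncated before it reaches the cluster; `-f2-` keeps the remainder of the line. The same extraction is used in `upsert-secret-mealie.sh` (L252) and `upsert-secret-media-postgres.sh` (L255). `pass ${K8S_PASS_PATH}` should also be quoted, as the other expansions in this script are.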
+++ b/apps/mealie/components/restic-postgres/kustomization.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - ../../../../infra/restic-postgres
+configMapGenerator:
+ - name: "mealie-restic-postgres"
+ literals:
+ - "RETENTION_DAYS=7"
+ - "RETENTION_WEEKS=4"
+ - "RETENTION_MONTHS=6"
+ - "RESTIC_BACKUP_ID=mealie-postgres"
+ - "POSTGRES_SERVER=postgres"
+patches:
+ - target:
+ kind: "CronJob"
+ name: "restic-postgres-backup"
+ patch: |-
+ - op: "replace"
+ path: "/spec/schedule"
+ value: "5 6 * * *"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "mealie"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/env/0/valueFrom/configMapKeyRef/name"
+ value: "mealie-restic-postgres"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/env/1/valueFrom/secretKeyRef/name"
+ value: "mealie-postgres"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "mealie-restic-postgres"
+ - secretRef:
+ name: "mealie-restic-postgres"
+ - secretRef:
+ name: "mealie-postgres"
+ - target:
+ kind: "CronJob"
+ name: "restic-postgres-prune"
+ patch: |-
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "mealie"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "mealie-restic-postgres"
+ - secretRef:
+ name: "mealie-restic-postgres"
diff --git a/apps/mealie/components/restic-postgres/upsert-secret-mealie-restic-postgres.sh b/apps/mealie/components/restic-postgres/upsert-secret-mealie-restic-postgres.sh
new file mode 100755
index 0000000..584990f
--- /dev/null
+++ b/apps/mealie/components/restic-postgres/upsert-secret-mealie-restic-postgres.sh
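Review bot: The patches address fields of the shared `infra/restic-postgres` base by position (`env/0`, `env/1`, `containers/0`), so a reordering in that base makes the `replace` ops silently rewrite the wrong entry instead of failing. Prefixing each positional `replace` with a JSON-patch `test` op on the entry's `name` (for example `- op: "test"`, `path: ".../env/1/name"`, `value: "<NAME_EXPECTED_IN_BASE>"`, filled in from the base) turns that drift into a render-time error. The backup schedule `5 6 * * *` is shared with the restic-pvc CronJob (L248); if that overlap is intended, a comment saying so would stop the next reader from "fixing" it.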
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+BACKUP_ID="mealie-postgres"
+S3_DIR="restic-${BACKUP_ID}"
+TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]')
+AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id')
+AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret')
+RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}"
+RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \
+ --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \
+ --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/mealie/components/restic-pvc/kustomization.yaml b/apps/mealie/components/restic-pvc/kustomization.yaml
new file mode 100644
index 0000000..0b6ec99
--- /dev/null
+++ b/apps/mealie/components/restic-pvc/kustomization.yaml
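Review bot: When the `${S3_DIR}` key is absent from the terraform output, `jq -r` prints `null` and neither `set -e` nor `pipefail` notices, so the Secret is written with the literal string `null` as both AWS credentials and the backup CronJob fails later with an opaque authentication error. Guard the lookup before using it: `[[ -n "$TF_VALUE" && "$TF_VALUE" != "null" ]] || { echo "no terraform output for ${S3_DIR}" >&2; exit 1; }`. The same unguarded pattern is in the restic-pvc (L249), oidc (L242) and reverse-proxy-oidc (L258) scripts. `-chdir=../../../../tf-aws-s3-backups` is also resolved against the caller's working directory, unlike the `git rev-parse --show-toplevel` anchoring used for `variables.sh` a few lines above, so the script only works when run from its own directory.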
@@ -0,0 +1,66 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - ../../../../infra/restic-pvc
+configMapGenerator:
+ - name: "mealie-restic-pvc"
+ literals:
+ - "RETENTION_DAYS=7"
+ - "RETENTION_WEEKS=4"
+ - "RETENTION_MONTHS=6"
+ - "RESTIC_TARGETS=/app/data"
+ - "RESTIC_BACKUP_ID=mealie-data"
+patches:
+ - target:
+ kind: "CronJob"
+ name: "restic-pvc-backup"
+ patch: |-
+ - op: "replace"
+ path: "/spec/schedule"
+ value: "5 6 * * *"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "mealie"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsUser"
+ value: 911
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsGroup"
+ value: 911
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/fsGroup"
+ value: 911
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsUser"
+ value: 911
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsGroup"
+ value: 911
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "mealie-restic-pvc"
+ - secretRef:
+ name: "mealie-restic-pvc"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/volumes/0/persistentVolumeClaim/claimName"
+ value: "mealie"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/volumeMounts/0/mountPath"
+ value: "/app/data"
+ - target:
+ kind: "CronJob"
+ name: "restic-pvc-prune"
+ patch: |-
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "mealie"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "mealie-restic-pvc"
+ - secretRef:
+ name: "mealie-restic-pvc"
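Review bot: The backup job is patched to run as uid/gid 911 (five `securityContext` replacements), but the Mealie pod that writes the `mealie` PVC runs with `runAsUser`/`runAsGroup`/`fsGroup` 45911 (L250); unless Mealie leaves its files world-readable, the restic container gets permission errors under `/app/data` and the backup is silently incomplete. The ids should match the owning workload, i.e. `value: 45911` on those five ops. Worth confirming with a manual run of the CronJob and a `restic ls` of the resulting snapshot rather than discovering it at restore time.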
diff --git a/apps/mealie/components/restic-pvc/upsert-secret-mealie-restic-pvc.sh b/apps/mealie/components/restic-pvc/upsert-secret-mealie-restic-pvc.sh
new file mode 100755
index 0000000..18b7aa3
--- /dev/null
+++ b/apps/mealie/components/restic-pvc/upsert-secret-mealie-restic-pvc.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+BACKUP_ID="${K8S_APP_SUB}"
+S3_DIR="restic-${BACKUP_ID}"
+TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]')
+AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id')
+AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret')
+RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}"
+RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \
+ --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \
+ --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/mealie/deployment.yaml b/apps/mealie/deployment.yaml
new file mode 100644
index 0000000..d4023ce
--- /dev/null
+++ b/apps/mealie/deployment.yaml
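Review bot: `BACKUP_ID` is taken from `${K8S_APP_SUB}` here, while the sibling restic-postgres script hard-codes `mealie-postgres` and this component's ConfigMap sets `RESTIC_BACKUP_ID=mealie-data` (L248); because the Secret is listed after the ConfigMap in the CronJob's `envFrom`, the Secret's `RESTIC_BACKUP_ID` takes precedence, so if `K8S_APP_SUB` resolves to anything other than `mealie-data` the repository path, the `pass` entry and the id reported in backups all disagree. I cannot see `contrib/variables.sh`, so this may be intended; a comment such as `# K8S_APP_SUB resolves to <value> for this component — must equal RESTIC_BACKUP_ID in kustomization.yaml` would settle it, or simply hard-code `BACKUP_ID="mealie-data"` as the postgres script does.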
@@ -0,0 +1,98 @@
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+ name: "mealie"
+ labels:
+ app: "mealie"
+ app.kubernetes.io/instance: "mealie"
+spec:
+ revisionHistoryLimit: 3
+ replicas: 1
+ strategy:
+ type: "RollingUpdate"
+ selector:
+ matchLabels:
+ app: "mealie"
+ app.kubernetes.io/instance: "mealie-prod"
+ template:
+ metadata:
+ labels:
+ app: "mealie"
+ app.kubernetes.io/name: "mealie"
+ app.kubernetes.io/instance: "mealie-prod"
+ app.kubernetes.io/component: "mealie"
+ app.kubernetes.io/part-of: "mealie"
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 45911
+ runAsGroup: 45911
+ fsGroup: 45911
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - name: mealie
+ image: "ghcr.io/mealie-recipes/mealie:v1.8.0"
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: "TZ"
+ value: "Europe/Berlin"
+ - name: "ALLOW_SIGNUP"
+ value: "false"
+ ports:
+ - name: "mealie"
+ containerPort: 9000
+ protocol: "TCP"
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 45911
+ runAsGroup: 45911
+ readOnlyRootFilesystem: true
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ envFrom:
+ - secretRef:
+ name: "mealie"
+ optional: true
+ - configMapRef:
+ name: "mealie"
+ resources:
+ requests:
+ memory: "196Mi"
+ cpu: "20m"
+ limits:
+ memory: "768Mi"
+ livenessProbe:
+ tcpSocket:
+ port: 9000
+ initialDelaySeconds: 0
+ failureThreshold: 3
+ timeoutSeconds: 1
+ periodSeconds: 10
+ readinessProbe:
+ tcpSocket:
+ port: 9000
+ initialDelaySeconds: 0
+ failureThreshold: 3
+ timeoutSeconds: 1
+ periodSeconds: 10
+ startupProbe:
+ tcpSocket:
+ port: 9000
+ initialDelaySeconds: 0
+ failureThreshold: 30
+ timeoutSeconds: 1
+ periodSeconds: 5
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/app/data/"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "5Gi"
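Review bot: The `mealie` Secret — the only source of `SECRET_KEY` according to `upsert-secret-mealie.sh` (L252) — is referenced with `optional: true`, so a missing or mis-named sops secret does not block the rollout and the application comes up without its configured signing key; for a secret that protects sessions and tokens this should fail fast, i.e. `optional: false` or drop the field. `ALLOW_SIGNUP=false` is set both inline under `env` and via `mealie.properties` (L251); one of the two can go so there is a single place to change it. The `/app/data/` `emptyDir` is the default storage and the mealie-pvc component replaces it (L241); a comment on the volume saying that recipe data is ephemeral unless that component is enabled would help whoever deploys the base alone.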
diff --git a/apps/mealie/kustomization.yaml b/apps/mealie/kustomization.yaml
new file mode 100644
index 0000000..2b01a85
--- /dev/null
+++ b/apps/mealie/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+configMapGenerator:
+ - name: mealie
+ envs:
+ - mealie.properties
diff --git a/apps/mealie/mealie.properties b/apps/mealie/mealie.properties
new file mode 100644
index 0000000..85a8466
--- /dev/null
+++ b/apps/mealie/mealie.properties
@@ -0,0 +1 @@
+ALLOW_SIGNUP=false
\ No newline at end of file
diff --git a/apps/mealie/networkpolicy.yaml b/apps/mealie/networkpolicy.yaml
new file mode 100644
index 0000000..3711244
--- /dev/null
+++ b/apps/mealie/networkpolicy.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: "mealie"
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "mealie"
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: "mealie"
+ from: []
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 192.168.0.0/16
diff --git a/apps/mealie/service.yaml b/apps/mealie/service.yaml
new file mode 100644
index 0000000..0995630
--- /dev/null
+++ b/apps/mealie/service.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mealie
+ labels:
+ app: mealie
+spec:
+ type: ClusterIP
+ selector:
+ app: mealie
+ ports:
+ - port: 80
+ targetPort: mealie
diff --git a/apps/mealie/upsert-secret-mealie.sh b/apps/mealie/upsert-secret-mealie.sh
new file mode 100755
index 0000000..6bda797
--- /dev/null
+++ b/apps/mealie/upsert-secret-mealie.sh
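Review bot: `networkpolicy.yaml` is not listed under `resources`, so the NetworkPolicy added in this same commit is never rendered for the `mealie` app, and the istio component's patch targeting `NetworkPolicy/mealie` (L241) has nothing to match. Add `- networkpolicy.yaml` to the list. Since the policy is the only thing limiting who can reach the app on the `mealie` port, leaving it out silently removes that control.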
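Review bot: `from: []` does not mean "no sources": the NetworkPolicy API treats an empty or missing `from` as "match all sources", so this ingress rule opens the `mealie` port to every pod in the cluster and the istio component's append to `/spec/ingress/0/from/-` (L241) then adds nothing that was not already allowed. If the intent is deny-by-default until a component adds a peer, use a selector that cannot match, e.g. `from: [{podSelector: {matchLabels: {"placeholder/never-match": "true"}}}]` (constructed label), which still gives the JSON-patch `-` append a list to extend. The egress `except: 192.168.0.0/16` also needs checking against the cluster's pod and service CIDRs, because Mealie must reach the `postgres` Service (L245) and kube-dns in-cluster, and a `to` block without `ports` allows any port to everything else.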
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+SECRET_KEY="$(echo "$OUTPUT" | grep -e "^SECRET_KEY=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=SECRET_KEY="${SECRET_KEY}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/mealie/upsert-secrets.sh b/apps/mealie/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/mealie/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/media/build-radarr-apikey.sh b/apps/media/build-radarr-apikey.sh
new file mode 100755
index 0000000..3b517bb
--- /dev/null
+++ b/apps/media/build-radarr-apikey.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+echo "Enter radarr apikey"
+read -s APIKEY
+
+if [[ -z "${APIKEY}" ]]; then
+ echo "Empty apikey given"
+ exit 1
+fi
+
+set -o pipefail
+set -eu
+
+K8S_SECRET_NAME="radarr-apikey"
+K8S_SECRET_FILE_NAME="radarr-secret-apikey.yaml"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=apikey="${APIKEY}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/media/components/postgres-pvc/kustomization.yaml b/apps/media/components/postgres-pvc/kustomization.yaml
new file mode 100644
index 0000000..20c6e59
--- /dev/null
+++ b/apps/media/components/postgres-pvc/kustomization.yaml
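Review bot: `read -s APIKEY` without `-r` lets the shell interpret backslashes in the pasted key, so a key containing `\` is stored altered; use `read -rs APIKEY`. The script also hard-codes `K8S_SECRET_NAME`/`K8S_SECRET_FILE_NAME` and writes the sops file into the caller's working directory, unlike every other upsert script in this commit, which sources `contrib/variables.sh` and uses the shared header; adopting that header here keeps the secret file in a predictable place. Enabling `set -eu` only after the prompt is fine, but a comment saying it is deliberate (so an empty `read` is reported rather than aborting) would stop someone from "fixing" it.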
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - postgres-pvc.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: postgres
+ patch: |-
+ - op: replace
+ path: "/spec/template/spec/volumes/0"
+ value:
+ name: storage
+ persistentVolumeClaim:
+ claimName: media-postgres
diff --git a/apps/media/components/postgres-pvc/postgres-pvc.yaml b/apps/media/components/postgres-pvc/postgres-pvc.yaml
new file mode 100644
index 0000000..2756bd0
--- /dev/null
+++ b/apps/media/components/postgres-pvc/postgres-pvc.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: media-postgres
+spec:
+ accessModes:
+ - ReadWriteOnce
+ volumeName: media-postgres
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/apps/media/components/postgres/kustomization.yaml b/apps/media/components/postgres/kustomization.yaml
new file mode 100644
index 0000000..65d7a61
--- /dev/null
+++ b/apps/media/components/postgres/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - postgres-deployment.yaml
+ - postgres-service.yaml
diff --git a/apps/media/components/postgres/postgres-deployment.yaml b/apps/media/components/postgres/postgres-deployment.yaml
new file mode 100644
index 0000000..a7ec195
--- /dev/null
+++ b/apps/media/components/postgres/postgres-deployment.yaml
@@ -0,0 +1,108 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: postgres
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: postgres
+ template:
+ metadata:
+ labels:
+ app: postgres
+ spec:
+ securityContext:
+ runAsUser: 999
+ runAsGroup: 999
+ fsGroup: 999
+ runAsNonRoot: true
+ containers:
+ - name: postgres
+ image: postgres:16.3
+ securityContext:
+ runAsUser: 999
+ runAsGroup: 999
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: [ALL]
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - "/usr/local/bin/pg_ctl stop -D /var/lib/postgresql/data -w -t 60 -m fast"
+ env:
+ - name: "POSTGRES_USER"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_USER"
+ name: "media-components-postgres"
+ optional: true
+ - name: "POSTGRES_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_PASSWORD"
+ name: "media-components-postgres"
+ - name: "PGDATA"
+ value: "/data/pgdata"
+ ports:
+ - containerPort: 5432
+ name: "postgres"
+ resources:
+ limits:
+ memory: "1Gi"
+ cpu: "500m"
+ requests:
+ memory: "256Mi"
+ cpu: "50m"
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - exec pg_isready -U postgres
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ readinessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - exec pg_isready -U postgres
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/data"
+ - name: "tmp"
+ mountPath: "/tmp"
+ - name: "var-run"
+ mountPath: "/var/run"
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: "app.kubernetes.io/part-of"
+ operator: In
+ values:
+ - "media"
+ topologyKey: "kubernetes.io/hostname"
+ volumes:
+ - name: "storage"
+ emptyDir: {}
+ - name: "tmp"
+ emptyDir:
+ sizeLimit: "5Mi"
+ - name: "var-run"
+ emptyDir:
+ sizeLimit: "5Mi"
diff --git a/apps/media/components/postgres/postgres-service.yaml b/apps/media/components/postgres/postgres-service.yaml
new file mode 100644
index 0000000..df8d662
--- /dev/null
+++ b/apps/media/components/postgres/postgres-service.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgres
+spec:
+ selector:
+ app: postgres
+ ports:
+ - protocol: TCP
+ port: 5432
+ targetPort: 5432
+ type: ClusterIP
diff --git a/apps/media/components/postgres/upsert-secret-media-postgres.sh b/apps/media/components/postgres/upsert-secret-media-postgres.sh
new file mode 100755
index 0000000..3b84280
--- /dev/null
+++ b/apps/media/components/postgres/upsert-secret-media-postgres.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+POSTGRES_USER="$(echo "$OUTPUT" | grep -e "^POSTGRES_USER=" | cut -d'=' -f2)"
+POSTGRES_PASSWORD="$(echo "$OUTPUT" | grep -e "^POSTGRES_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=POSTGRES_USER="${POSTGRES_USER}" \
+ --from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/media/components/reverse-proxy-istio/istio-virtualservice.yaml b/apps/media/components/reverse-proxy-istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..035033e
--- /dev/null
+++ b/apps/media/components/reverse-proxy-istio/istio-virtualservice.yaml
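Review bot: The `storage` volume is `emptyDir: {}` with no `sizeLimit`, unlike every other emptyDir in this commit, so a runaway database can fill the node's ephemeral storage before the pod is evicted; the postgres-pvc component (L253) replaces it, but the base should still carry a limit such as `sizeLimit: "1Gi"`. The pod-level `securityContext` also omits `seccompProfile` that the mealie postgres Deployment (L244) sets; the container-level profile covers the main container, but adding it at pod level keeps the two manifests interchangeable. The `pg_isready -U postgres` probes assume the superuser name; with `POSTGRES_USER` supplied from a Secret that is `optional: true`, a comment stating that the probe user need not exist (pg_isready does not authenticate) would pre-empt the obvious question.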
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: media
+spec:
+ hosts:
+ - media
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: reverse-proxy
+ port:
+ number: 80
diff --git a/apps/media/components/reverse-proxy-istio/kustomization.yaml b/apps/media/components/reverse-proxy-istio/kustomization.yaml
new file mode 100644
index 0000000..5e37d63
--- /dev/null
+++ b/apps/media/components/reverse-proxy-istio/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
diff --git a/apps/media/components/reverse-proxy-oidc/kustomization.yaml b/apps/media/components/reverse-proxy-oidc/kustomization.yaml
new file mode 100644
index 0000000..3b1d1be
--- /dev/null
+++ b/apps/media/components/reverse-proxy-oidc/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+configMapGenerator:
+ - name: oauth2-proxy
+ envs:
+ - oauth2-proxy.properties
+patches:
+ - target:
+ kind: Deployment
+ name: reverse-proxy
+ path: oauth2-proxy.yaml
+ - target:
+ kind: Service
+ name: reverse-proxy
+ patch: |
+ - op: replace
+ path: /spec/ports/0/targetPort
+ value: "oauth2-proxy"
diff --git a/apps/media/components/reverse-proxy-oidc/oauth2-proxy.properties b/apps/media/components/reverse-proxy-oidc/oauth2-proxy.properties
new file mode 100644
index 0000000..c089047
--- /dev/null
+++ b/apps/media/components/reverse-proxy-oidc/oauth2-proxy.properties
@@ -0,0 +1,7 @@
+OAUTH2_PROXY_PROVIDER=keycloak-oidc
+OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
+OAUTH2_PROXY_UPSTREAMS=http://localhost:8080
+OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
+OAUTH2_PROXY_SILENCE_PING_LOGGING=true
+OAUTH2_PROXY_FOOTER=-
+OAUTH2_PROXY_OIDC_ISSUER_URL=https://keycloak.svc.dd.soeren.cloud/realms/myrealm
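Review bot: Repointing the Service's `targetPort` to `oauth2-proxy` only redirects traffic that arrives through the Service; the nginx container keeps listening on 8080 (`OAUTH2_PROXY_UPSTREAMS=http://localhost:8080`), so any in-cluster client that addresses the pod IP directly reaches the *arr interfaces with no authentication at all. If a NetworkPolicy for the media namespace exists outside this chunk, it should admit only port 4180 and only from the Istio gateway; if none exists, this component is a convenience rather than an access control until one is added. A comment on the Service patch stating that assumption, e.g. `# auth is only enforced for traffic via the Service; pod port 8080 must be closed by NetworkPolicy`, would keep that visible.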
diff --git a/apps/media/components/reverse-proxy-oidc/oauth2-proxy.yaml b/apps/media/components/reverse-proxy-oidc/oauth2-proxy.yaml
new file mode 100644
index 0000000..4adca2f
--- /dev/null
+++ b/apps/media/components/reverse-proxy-oidc/oauth2-proxy.yaml
@@ -0,0 +1,42 @@
+---
+- op: add
+ path: /spec/template/spec/containers/-
+ value:
+ name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+ envFrom:
+ - configMapRef:
+ name: oauth2-proxy
+ - secretRef:
+ name: media-components-reverse-proxy-oidc
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: [all]
+ runAsUser: 65532
+ runAsGroup: 65532
+ resources:
+ requests:
+ memory: "16Mi"
+ cpu: "5m"
+ limits:
+ memory: "64Mi"
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: oauth2-proxy
+ initialDelaySeconds: 4
+ timeoutSeconds: 2
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: oauth2-proxy
+ initialDelaySeconds: 2
+ ports:
+ - containerPort: 4180
+ name: oauth2-proxy
diff --git a/apps/media/components/reverse-proxy-oidc/upsert-secret-media-reverse-proxy-oidc.sh b/apps/media/components/reverse-proxy-oidc/upsert-secret-media-reverse-proxy-oidc.sh
new file mode 100755
index 0000000..4f3516f
--- /dev/null
+++ b/apps/media/components/reverse-proxy-oidc/upsert-secret-media-reverse-proxy-oidc.sh
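Review bot: `drop: [all]` is lowercase while every other manifest in this commit drops `"ALL"`; the Pod Security "restricted" checks and the usual linters compare against the literal uppercase value (case-sensitively, as far as I can tell), so this sidecar would be flagged as not dropping all capabilities even if the runtime accepts either spelling. Change it to `drop: ["ALL"]`. The container also omits `privileged: false`, which the sibling containers set explicitly; it is the default, so this is consistency only.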
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OAUTH2_PROXY_CLIENT_ID="media"
+TF_VALUE=$(terraform -chdir=../../../../tf-keycloak output -json clients | jq -r '.["'"${OAUTH2_PROXY_CLIENT_ID}"'"]')
+OAUTH2_PROXY_CLIENT_SECRET=$(echo "$TF_VALUE" | jq -r '.client_secret')
+OAUTH2_PROXY_COOKIE_SECRET="$(openssl rand -base64 32 | tr -- '+/' '-_')"
+OAUTH2_PROXY_EMAIL_DOMAINS="*"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=OAUTH2_PROXY_COOKIE_SECRET="${OAUTH2_PROXY_COOKIE_SECRET}" \
+ --from-literal=OAUTH2_PROXY_CLIENT_ID="${OAUTH2_PROXY_CLIENT_ID}" \
+ --from-literal=OAUTH2_PROXY_CLIENT_SECRET="${OAUTH2_PROXY_CLIENT_SECRET}" \
+ --from-literal=OAUTH2_PROXY_EMAIL_DOMAINS="${OAUTH2_PROXY_EMAIL_DOMAINS}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/media/components/reverse-proxy/kustomization.yaml b/apps/media/components/reverse-proxy/kustomization.yaml
new file mode 100644
index 0000000..3b970e0
--- /dev/null
+++ b/apps/media/components/reverse-proxy/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - reverse-proxy-deployment.yaml
+ - reverse-proxy-service.yaml
+configMapGenerator:
+ - name: nginx-config
+ files:
+ - nginx.conf
diff --git a/apps/media/components/reverse-proxy/nginx.conf b/apps/media/components/reverse-proxy/nginx.conf
new file mode 100644
index 0000000..a995bcd
--- /dev/null
+++ b/apps/media/components/reverse-proxy/nginx.conf
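Review bot: `OAUTH2_PROXY_EMAIL_DOMAINS="*"` admits every account that can authenticate against the Keycloak realm to the *arr administration interfaces; unless the realm is single-user, authorization should be narrowed to a group or role (oauth2-proxy supports `OAUTH2_PROXY_ALLOWED_GROUPS`) rather than stopping at authentication. `OAUTH2_PROXY_EMAIL_DOMAINS` and `OAUTH2_PROXY_CLIENT_ID` are not secrets and would be easier to review in `oauth2-proxy.properties` (L256) next to the other settings. A fresh `OAUTH2_PROXY_COOKIE_SECRET` is generated on every run, which invalidates all active sessions each time the secret is upserted — acceptable, but worth a comment such as `# regenerated on every run: all sessions are invalidated`. The `jq` lookup also yields the string `null` for an unknown client, which then becomes the client secret; guard it the same way as the restic scripts.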
@@ -0,0 +1,72 @@
+worker_processes 1;
+events {
+ worker_connections 1024;
+}
+http {
+ server {
+ listen 8080;
+
+ # security settings
+ server_tokens off;
+ client_body_buffer_size 1k;
+ client_header_buffer_size 1k;
+ client_max_body_size 1k;
+ large_client_header_buffers 2 1k;
+
+ location /sonarr {
+ proxy_pass http://sonarr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 1s;
+ proxy_read_timeout 3s;
+ proxy_redirect off;
+ }
+
+ location /radarr {
+ proxy_pass http://radarr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 1s;
+ proxy_read_timeout 3s;
+ proxy_redirect off;
+ }
+
+ location /prowlarr {
+ proxy_pass http://prowlarr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 1s;
+ proxy_read_timeout 3s;
+ proxy_redirect off;
+ }
+
+ location /lidarr {
+ proxy_pass http://lidarr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 1s;
+ proxy_read_timeout 3s;
+ proxy_redirect off;
+ }
+
+ location = /health {
+ access_log off;
+ add_header 'Content-Type' 'application/json';
+ return 200 '{"status":"UP"}';
+ }
+
+ # Add more location blocks for other services if needed
+ location / {
+ # Default behavior if no specific location matches
+ return 404;
+ }
+ }
+}
\ No newline at end of file
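Review bot: `client_max_body_size 1k;` is set at server level, so it applies to all four proxied locations and any request to the *arr APIs with a JSON body over 1 KiB (bulk edits, imports, indexer definitions) will get a 413 from this proxy before reaching the app; the 1k header/body buffers are reasonable hardening, but the body limit should be sized to real traffic (e.g. `client_max_body_size 1m;`) or scoped to the locations that need it. Also, `X-Forwarded-Proto $scheme` is always `http` here because nginx only listens on plaintext 8080; if TLS is terminated in front of it (the Istio gateway, judging by the sibling hunks), forward the incoming value with `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` so the apps do not emit http:// redirects. Note that `location /sonarr` without a trailing slash also matches paths such as `/sonarrfoo`, which is harmless only while nothing else is routed.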
diff --git a/apps/media/components/reverse-proxy/reverse-proxy-deployment.yaml b/apps/media/components/reverse-proxy/reverse-proxy-deployment.yaml
new file mode 100644
index 0000000..aaf362d
--- /dev/null
+++ b/apps/media/components/reverse-proxy/reverse-proxy-deployment.yaml
@@ -0,0 +1,90 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reverse-proxy
+ labels:
+ app.kubernetes.io/name: reverse-proxy
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reverse-proxy
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: reverse-proxy
+ app.kubernetes.io/instance: media-prod
+ app.kubernetes.io/component: reverse-proxy
+ app: reverse-proxy
+ spec:
+ securityContext:
+ runAsUser: 23453
+ runAsGroup: 23453
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: nginx
+ image: nginx:1.27.0-alpine
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ privileged: false
+ runAsUser: 23453
+ runAsGroup: 23453
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ livenessProbe:
+ httpGet:
+ port: nginx
+ path: "/health"
+ readinessProbe:
+ httpGet:
+ port: nginx
+ path: "/health"
+ resources:
+ requests:
+ cpu: 5m
+ memory: 16Mi
+ limits:
+ memory: 128Mi
+ ports:
+ - containerPort: 8080
+ name: nginx
+ volumeMounts:
+ - name: nginx-config
+ mountPath: /etc/nginx/nginx.conf
+ subPath: nginx.conf
+ - name: cache
+ mountPath: /var/cache/nginx
+ - name: run
+ mountPath: /var/run
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/part-of
+ operator: In
+ values:
+ - media
+ topologyKey: "kubernetes.io/hostname"
+ volumes:
+ - name: nginx-config
+ configMap:
+ name: nginx-config
+ - name: cache
+ emptyDir:
+ sizeLimit: 5Mi
+ - name: run
+ emptyDir:
+ sizeLimit: 5Mi
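Review bot: The `podAffinity` term selects `app.kubernetes.io/part-of: media`, but every pod this proxy fronts is labelled `app.kubernetes.io/part-of: arr` (the lidarr, prowlarr and radarr Deployments later in this diff), so the preference never matches and the proxy is placed without regard to the apps; the same mismatched term is repeated in those three Deployments. Either label the apps `media` or change the selector value to `arr`. It is only a `preferred` rule, so nothing breaks, but it reads as if co-location were in effect when it is not.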
diff --git a/apps/media/components/reverse-proxy/reverse-proxy-service.yaml b/apps/media/components/reverse-proxy/reverse-proxy-service.yaml
new file mode 100644
index 0000000..76a904d
--- /dev/null
+++ b/apps/media/components/reverse-proxy/reverse-proxy-service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: reverse-proxy
+spec:
+ selector:
+ app: reverse-proxy
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
diff --git a/apps/media/lidarr/components/istio/istio-virtualservice.yaml b/apps/media/lidarr/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..015f974
--- /dev/null
+++ b/apps/media/lidarr/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: "lidarr"
+spec:
+ hosts:
+ - "lidarr"
+ gateways:
+ - "istio-system/gateway"
+ http:
+ - match:
+ - uri:
+ prefix: "/"
+ route:
+ - destination:
+ host: "lidarr"
+ port:
+ number: 80
diff --git a/apps/media/lidarr/components/istio/kustomization.yaml b/apps/media/lidarr/components/istio/kustomization.yaml
new file mode 100644
index 0000000..ed0620a
--- /dev/null
+++ b/apps/media/lidarr/components/istio/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "lidarr"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/media/lidarr/components/postgres/kustomization.yaml b/apps/media/lidarr/components/postgres/kustomization.yaml
new file mode 100644
index 0000000..74759f4
--- /dev/null
+++ b/apps/media/lidarr/components/postgres/kustomization.yaml
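Review bot: `targetPort: 80` on the reverse-proxy Service does not match the nginx container, which listens on 8080 and exposes it as the named port `nginx` (and could not bind 80 as UID 23453 anyway), so connections through this Service will be refused. Change it to `targetPort: nginx` (or `8080`), the way the per-app Services in this diff already use named target ports.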
@@ -0,0 +1,38 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: Deployment
+ name: lidarr
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: LIDARR__POSTGRES_HOST
+ value: postgres
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: LIDARR__POSTGRES_MAIN_DB
+ value: lidarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: LIDARR__POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_USER
+ name: media-lidarr-postgres
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: LIDARR__POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: media-lidarr-postgres
+ - target:
+ kind: Deployment
+ name: lidarr
+ path: patch-initcontainer.yaml
diff --git a/apps/media/lidarr/components/postgres/patch-initcontainer.yaml b/apps/media/lidarr/components/postgres/patch-initcontainer.yaml
new file mode 100644
index 0000000..f33674f
--- /dev/null
+++ b/apps/media/lidarr/components/postgres/patch-initcontainer.yaml
@@ -0,0 +1,32 @@
+---
+- op: "replace"
+ path: "/spec/template/spec/initContainers"
+ value:
+ - name: "init"
+ image: "ghcr.io/onedr0p/postgres-init:16"
+ env:
+ - name: "INIT_POSTGRES_HOST"
+ value: "postgres"
+ - name: "INIT_POSTGRES_DBNAME"
+ value: "lidarr"
+ - name: "INIT_POSTGRES_SUPER_USER"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_USER"
+ name: "media-components-postgres"
+ optional: true
+ - name: "INIT_POSTGRES_SUPER_PASS"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_PASSWORD"
+ name: "media-components-postgres"
+ - name: "INIT_POSTGRES_USER"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_USER"
+ name: "media-lidarr-postgres"
+ - name: "INIT_POSTGRES_PASS"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_PASSWORD"
+ name: "media-lidarr-postgres"
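Review bot: `patch-initcontainer.yaml` uses `op: "replace"` on `/spec/template/spec/initContainers`, but the lidarr Deployment in this commit defines no `initContainers`; RFC 6902 `replace` requires the target to exist, so I would expect `kustomize build` to reject this component unless a base outside this diff adds the field — `op: "add"` behaves correctly in both cases. The `init` container also carries none of the hardening applied to the app container (no `securityContext`, no `resources`), so a restricted Pod Security namespace would reject the patched pod; mirror the main container's `securityContext` there. Both points apply equally to the prowlarr, radarr and sonarr components at L268, L274 and L279. Lastly, `optional: true` is set only on `INIT_POSTGRES_SUPER_USER` while the sibling `INIT_POSTGRES_SUPER_PASS` reference to the same secret is mandatory, which looks unintentional.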
diff --git a/apps/media/lidarr/components/postgres/upsert-secret-media-lidarr-postgres.sh b/apps/media/lidarr/components/postgres/upsert-secret-media-lidarr-postgres.sh
new file mode 100755
index 0000000..3b84280
--- /dev/null
+++ b/apps/media/lidarr/components/postgres/upsert-secret-media-lidarr-postgres.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+POSTGRES_USER="$(echo "$OUTPUT" | grep -e "^POSTGRES_USER=" | cut -d'=' -f2)"
+POSTGRES_PASSWORD="$(echo "$OUTPUT" | grep -e "^POSTGRES_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=POSTGRES_USER="${POSTGRES_USER}" \
+ --from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/media/lidarr/components/reverse-proxy/kustomization.yaml b/apps/media/lidarr/components/reverse-proxy/kustomization.yaml
new file mode 100644
index 0000000..eb152d7
--- /dev/null
+++ b/apps/media/lidarr/components/reverse-proxy/kustomization.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: Deployment
+ name: lidarr
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: "LIDARR__URL_BASE"
+ value: "/lidarr"
+ - target:
+ kind: NetworkPolicy
+ name: "lidarr"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "reverse-proxy"
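Review bot: `cut -d'=' -f2` keeps only the text between the first and second `=`, so a password containing `=` (base64 output routinely ends with one) is silently truncated before it is sealed into the Secret and the app then fails to authenticate; use `-f2-` to keep everything after the first delimiter: `POSTGRES_PASSWORD="$(echo "$OUTPUT" | grep -e "^POSTGRES_PASSWORD=" | cut -d'=' -f2-)"` (and the same for `POSTGRES_USER`). `${K8S_PASS_PATH}` on the `pass` line is the only unquoted expansion in the script and should be quoted like the rest. The prowlarr, radarr and sonarr copies of this script at L269, L275 and L280 are byte-identical (same blob index) and need the same fix.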
diff --git a/apps/media/lidarr/deployment.yaml b/apps/media/lidarr/deployment.yaml
new file mode 100644
index 0000000..ed953b3
--- /dev/null
+++ b/apps/media/lidarr/deployment.yaml
@@ -0,0 +1,111 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: lidarr
+ labels:
+ app: lidarr
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: lidarr
+ template:
+ metadata:
+ labels:
+ app: lidarr
+ app.kubernetes.io/name: lidarr
+ app.kubernetes.io/instance: media-prod
+ app.kubernetes.io/component: lidarr
+ app.kubernetes.io/part-of: arr
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 20568
+ runAsGroup: 20568
+ fsGroup: 20568
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - image: "ghcr.io/onedr0p/lidarr:2.2.5"
+ imagePullPolicy: "IfNotPresent"
+ name: "lidarr"
+ ports:
+ - containerPort: 8686
+ name: "lidarr"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 20568
+ runAsGroup: 20568
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "10m"
+ limits:
+ memory: "768Mi"
+ readinessProbe:
+ httpGet:
+ path: "/ping"
+ port: "lidarr"
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ livenessProbe:
+ httpGet:
+ path: "/ping"
+ port: "lidarr"
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ env:
+ - name: "COMPlus_EnableDiagnostics"
+ value: "0"
+ - name: "PUSHOVER_DEBUG"
+ value: "false"
+ - name: "TZ"
+ value: "Europe/Berlin"
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/config"
+ - name: "tmp"
+ mountPath: "/tmp"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 5
+ preference:
+ matchExpressions:
+ - key: "cpu_speed"
+ operator: "In"
+ values:
+ - "slow"
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: "app.kubernetes.io/part-of"
+ operator: "In"
+ values:
+ - "media"
+ topologyKey: "kubernetes.io/hostname"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "512Mi"
+ - name: "tmp"
+ emptyDir:
+ sizeLimit: "1Gi"
diff --git a/apps/media/lidarr/kustomization.yaml b/apps/media/lidarr/kustomization.yaml
new file mode 100644
index 0000000..521d11d
--- /dev/null
+++ b/apps/media/lidarr/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - networkpolicy.yaml
+ - service.yaml
diff --git a/apps/media/lidarr/networkpolicy.yaml b/apps/media/lidarr/networkpolicy.yaml
new file mode 100644
index 0000000..01a1dab
--- /dev/null
+++ b/apps/media/lidarr/networkpolicy.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: "lidarr"
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "lidarr"
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: "TCP"
+ port: "lidarr"
+ from: []
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "prowlarr"
+ ports:
+ - protocol: "TCP"
+ port: 9696
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 192.168.0.0/16
+ - to:
+ - ipBlock:
+ cidr: 192.168.200.5/32
+ ports:
+ - protocol: TCP
+ port: 9091
diff --git a/apps/media/lidarr/service.yaml b/apps/media/lidarr/service.yaml
new file mode 100644
index 0000000..4b75909
--- /dev/null
+++ b/apps/media/lidarr/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: lidarr
+spec:
+ ports:
+ - port: 80
+ targetPort: lidarr
+ selector:
+ app.kubernetes.io/name: lidarr
diff --git a/apps/media/prowlarr/components/istio/istio-virtualservice.yaml b/apps/media/prowlarr/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..cae05b0
--- /dev/null
+++ b/apps/media/prowlarr/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: "prowlarr"
+spec:
+ hosts:
+ - "prowlarr"
+ gateways:
+ - "istio-system/gateway"
+ http:
+ - match:
+ - uri:
+ prefix: "/"
+ route:
+ - destination:
+ host: "prowlarr"
+ port:
+ number: 80
diff --git a/apps/media/prowlarr/components/istio/kustomization.yaml b/apps/media/prowlarr/components/istio/kustomization.yaml
new file mode 100644
index 0000000..e7adb13
--- /dev/null
+++ b/apps/media/prowlarr/components/istio/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "prowlarr"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/media/prowlarr/components/postgres/kustomization.yaml b/apps/media/prowlarr/components/postgres/kustomization.yaml
new file mode 100644
index 0000000..a4e05d7
--- /dev/null
+++ b/apps/media/prowlarr/components/postgres/kustomization.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: Deployment
+ name: prowlarr
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: PROWLARR__POSTGRES_HOST
+ value: postgres
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: PROWLARR__POSTGRES_MAIN_DB
+ value: prowlarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: PROWLARR__POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_USER
+ name: media-prowlarr-postgres
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: PROWLARR__POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: media-prowlarr-postgres
+ - op: replace
+ path: /spec/template/spec/initContainers
+ value:
+ - target:
+ kind: Deployment
+ name: prowlarr
+ path: patch-initcontainer.yaml
diff --git a/apps/media/prowlarr/components/postgres/patch-initcontainer.yaml b/apps/media/prowlarr/components/postgres/patch-initcontainer.yaml
new file mode 100644
index 0000000..2b54963
--- /dev/null
+++ b/apps/media/prowlarr/components/postgres/patch-initcontainer.yaml
@@ -0,0 +1,32 @@
+---
+- op: replace
+ path: /spec/template/spec/initContainers
+ value:
+ - name: init
+ image: ghcr.io/onedr0p/postgres-init:16
+ env:
+ - name: INIT_POSTGRES_HOST
+ value: postgres
+ - name: INIT_POSTGRES_DBNAME
+ value: prowlarr
+ - name: "INIT_POSTGRES_SUPER_USER"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_USER"
+ name: "media-components-postgres"
+ optional: true
+ - name: INIT_POSTGRES_SUPER_PASS
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: media-components-postgres
+ - name: INIT_POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_USER
+ name: media-prowlarr-postgres
+ - name: INIT_POSTGRES_PASS
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: media-prowlarr-postgres
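Review bot: The inline prowlarr patch ends with `- op: replace` / `path: /spec/template/spec/initContainers` / `value:` with an empty value, i.e. it sets `initContainers` to null before the second patch (`patch-initcontainer.yaml`) replaces it again; this looks like a leftover from before the init container was split into its own file and is absent from the lidarr, radarr and sonarr siblings. Remove those three lines so the inline patch only adds environment variables. The `replace`-on-a-missing-path and unhardened-init-container points raised on the lidarr component apply here as well.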
diff --git a/apps/media/prowlarr/components/postgres/upsert-secret-media-prowlarr-postgres.sh b/apps/media/prowlarr/components/postgres/upsert-secret-media-prowlarr-postgres.sh
new file mode 100755
index 0000000..3b84280
--- /dev/null
+++ b/apps/media/prowlarr/components/postgres/upsert-secret-media-prowlarr-postgres.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+POSTGRES_USER="$(echo "$OUTPUT" | grep -e "^POSTGRES_USER=" | cut -d'=' -f2)"
+POSTGRES_PASSWORD="$(echo "$OUTPUT" | grep -e "^POSTGRES_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=POSTGRES_USER="${POSTGRES_USER}" \
+ --from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/media/prowlarr/components/reverse-proxy/kustomization.yaml b/apps/media/prowlarr/components/reverse-proxy/kustomization.yaml
new file mode 100644
index 0000000..6541af9
--- /dev/null
+++ b/apps/media/prowlarr/components/reverse-proxy/kustomization.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: Deployment
+ name: "prowlarr"
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: PROWLARR__URL_BASE
+ value: /prowlarr
+ - target:
+ kind: NetworkPolicy
+ name: "prowlarr"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "reverse-proxy"
diff --git a/apps/media/prowlarr/deployment.yaml b/apps/media/prowlarr/deployment.yaml
new file mode 100644
index 0000000..61a25ad
--- /dev/null
+++ b/apps/media/prowlarr/deployment.yaml
@@ -0,0 +1,111 @@
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+ name: "prowlarr"
+ labels:
+ app.kubernetes.io/name: "prowlarr"
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: "prowlarr"
+ strategy:
+ type: "Recreate"
+ template:
+ metadata:
+ labels:
+ app: "prowlarr"
+ app.kubernetes.io/name: "prowlarr"
+ app.kubernetes.io/instance: "media-prod"
+ app.kubernetes.io/component: "prowlarr"
+ app.kubernetes.io/part-of: "arr"
+ spec:
+ securityContext:
+ fsGroup: 20568
+ runAsUser: 20568
+ runAsGroup: 20568
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - image: "ghcr.io/onedr0p/prowlarr:1.17.2"
+ imagePullPolicy: "IfNotPresent"
+ name: "prowlarr"
+ ports:
+ - containerPort: 9696
+ name: "prowlarr"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 20568
+ runAsGroup: 20568
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ resources:
+ requests:
+ memory: "196Mi"
+ cpu: "10m"
+ limits:
+ memory: "384Mi"
+ readinessProbe:
+ httpGet:
+ path: "/ping"
+ port: "prowlarr"
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ livenessProbe:
+ httpGet:
+ path: "/ping"
+ port: "prowlarr"
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ env:
+ - name: "COMPlus_EnableDiagnostics"
+ value: "0"
+ - name: "TZ"
+ value: "UTC"
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/config"
+ - name: "tmp"
+ mountPath: "/tmp"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 5
+ preference:
+ matchExpressions:
+ - key: "cpu_speed"
+ operator: "In"
+ values:
+ - "slow"
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: "app.kubernetes.io/part-of"
+ operator: "In"
+ values:
+ - "media"
+ topologyKey: "kubernetes.io/hostname"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "512Mi"
+ - name: "tmp"
+ emptyDir:
+ sizeLimit: "1Gi"
diff --git a/apps/media/prowlarr/kustomization.yaml b/apps/media/prowlarr/kustomization.yaml
new file mode 100644
index 0000000..521d11d
--- /dev/null
+++ b/apps/media/prowlarr/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - networkpolicy.yaml
+ - service.yaml
diff --git a/apps/media/prowlarr/networkpolicy.yaml b/apps/media/prowlarr/networkpolicy.yaml
new file mode 100644
index 0000000..ef39242
--- /dev/null
+++ b/apps/media/prowlarr/networkpolicy.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: "prowlarr"
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "prowlarr"
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: prowlarr
+ from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/part-of: "arr"
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 192.168.0.0/16
+ - to:
+ - ipBlock:
+ cidr: 192.168.200.5/32
+ ports:
+ - protocol: TCP
+ port: 9091
diff --git a/apps/media/prowlarr/service.yaml b/apps/media/prowlarr/service.yaml
new file mode 100644
index 0000000..d7af19a
--- /dev/null
+++ b/apps/media/prowlarr/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: prowlarr
+spec:
+ ports:
+ - port: 80
+ targetPort: prowlarr
+ selector:
+ app.kubernetes.io/name: prowlarr
diff --git a/apps/media/radarr/components/istio/istio-virtualservice.yaml b/apps/media/radarr/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..e3356a0
--- /dev/null
+++ b/apps/media/radarr/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: "radarr"
+spec:
+ hosts:
+ - "radarr"
+ gateways:
+ - "istio-system/gateway"
+ http:
+ - match:
+ - uri:
+ prefix: "/"
+ route:
+ - destination:
+ host: "radarr"
+ port:
+ number: 80
diff --git a/apps/media/radarr/components/istio/kustomization.yaml b/apps/media/radarr/components/istio/kustomization.yaml
new file mode 100644
index 0000000..267e16e
--- /dev/null
+++ b/apps/media/radarr/components/istio/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "radarr"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/media/radarr/components/postgres/kustomization.yaml b/apps/media/radarr/components/postgres/kustomization.yaml
new file mode 100644
index 0000000..b95abcf
--- /dev/null
+++ b/apps/media/radarr/components/postgres/kustomization.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: Deployment
+ name: radarr
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: "RADARR__POSTGRES_MAIN_DB"
+ value: "radarr"
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: "RADARR__POSTGRES_USER"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_USER"
+ name: "media-radarr-postgres"
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: "RADARR__POSTGRES_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_PASSWORD"
+ name: "media-radarr-postgres"
+ - target:
+ kind: Deployment
+ name: radarr
+ path: patch-initcontainer.yaml
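Review bot: The radarr postgres patch sets `RADARR__POSTGRES_MAIN_DB`, `_USER` and `_PASSWORD` but, unlike the lidarr, prowlarr and sonarr components, never sets `RADARR__POSTGRES_HOST`, so radarr will fall back to whatever host the application defaults to rather than the `postgres` service its init container targets. Add the missing entry before the others, mirroring the siblings: `- op: add` / `path: /spec/template/spec/containers/0/env/-` / `value: {name: "RADARR__POSTGRES_HOST", value: "postgres"}`.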
diff --git a/apps/media/radarr/components/postgres/patch-initcontainer.yaml b/apps/media/radarr/components/postgres/patch-initcontainer.yaml
new file mode 100644
index 0000000..6ca3446
--- /dev/null
+++ b/apps/media/radarr/components/postgres/patch-initcontainer.yaml
@@ -0,0 +1,32 @@
+---
+- op: replace
+ path: /spec/template/spec/initContainers
+ value:
+ - name: "init"
+ image: "ghcr.io/onedr0p/postgres-init:16"
+ env:
+ - name: "INIT_POSTGRES_HOST"
+ value: "postgres"
+ - name: "INIT_POSTGRES_DBNAME"
+ value: "radarr"
+ - name: "INIT_POSTGRES_SUPER_USER"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_USER"
+ name: "media-components-postgres"
+ optional: true
+ - name: "INIT_POSTGRES_SUPER_PASS"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_PASSWORD"
+ name: "media-components-postgres"
+ - name: "INIT_POSTGRES_USER"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_USER"
+ name: "media-radarr-postgres"
+ - name: "INIT_POSTGRES_PASS"
+ valueFrom:
+ secretKeyRef:
+ key: "POSTGRES_PASSWORD"
+ name: "media-radarr-postgres"
diff --git a/apps/media/radarr/components/postgres/upsert-secret-media-radarr-postgres.sh b/apps/media/radarr/components/postgres/upsert-secret-media-radarr-postgres.sh
new file mode 100755
index 0000000..3b84280
--- /dev/null
+++ b/apps/media/radarr/components/postgres/upsert-secret-media-radarr-postgres.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+POSTGRES_USER="$(echo "$OUTPUT" | grep -e "^POSTGRES_USER=" | cut -d'=' -f2)"
+POSTGRES_PASSWORD="$(echo "$OUTPUT" | grep -e "^POSTGRES_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=POSTGRES_USER="${POSTGRES_USER}" \
+ --from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/media/radarr/components/reverse-proxy/kustomization.yaml b/apps/media/radarr/components/reverse-proxy/kustomization.yaml
new file mode 100644
index 0000000..9f4c0d0
--- /dev/null
+++ b/apps/media/radarr/components/reverse-proxy/kustomization.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: Deployment
+ name: "radarr"
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: "RADARR__URL_BASE"
+ value: "/radarr"
+ - target:
+ kind: NetworkPolicy
+ name: "radarr"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "reverse-proxy"
diff --git a/apps/media/radarr/deployment.yaml b/apps/media/radarr/deployment.yaml
new file mode 100644
index 0000000..0d1cd1b
--- /dev/null
+++ b/apps/media/radarr/deployment.yaml
@@ -0,0 +1,113 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: radarr
+ labels:
+ app: radarr
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: radarr
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: radarr
+ app.kubernetes.io/name: radarr
+ app.kubernetes.io/instance: media-prod
+ app.kubernetes.io/component: radarr
+ app.kubernetes.io/part-of: arr
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 20568
+ runAsGroup: 20568
+ fsGroup: 20568
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - image: "ghcr.io/onedr0p/radarr:5.4.6.8723"
+ imagePullPolicy: "IfNotPresent"
+ name: "radarr"
+ ports:
+ - containerPort: 7878
+ name: "radarr"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 20568
+ runAsGroup: 20568
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ privileged: false
+ capabilities:
+ drop:
+ - "ALL"
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "10m"
+ limits:
+ memory: "768Mi"
+ readinessProbe:
+ httpGet:
+ path: "/ping"
+ port: "radarr"
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ livenessProbe:
+ httpGet:
+ path: "/ping"
+ port: "radarr"
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ env:
+ - name: "COMPlus_EnableDiagnostics"
+ value: "0"
+ - name: "PUSHOVER_DEBUG"
+ value: "false"
+ - name: "TZ"
+ value: "Europe/Berlin"
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/config"
+ - name: "tmp"
+ mountPath: "/tmp"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 5
+ preference:
+ matchExpressions:
+ - key: "cpu_speed"
+ operator: "In"
+ values:
+ - "slow"
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: "app.kubernetes.io/part-of"
+ operator: "In"
+ values:
+ - "media"
+ topologyKey: "kubernetes.io/hostname"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "512Mi"
+ - name: "tmp"
+ emptyDir:
+ sizeLimit: "1Gi"
diff --git a/apps/media/radarr/kustomization.yaml b/apps/media/radarr/kustomization.yaml
new file mode 100644
index 0000000..521d11d
--- /dev/null
+++ b/apps/media/radarr/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - networkpolicy.yaml
+ - service.yaml
diff --git a/apps/media/radarr/networkpolicy.yaml b/apps/media/radarr/networkpolicy.yaml
new file mode 100644
index 0000000..de61019
--- /dev/null
+++ b/apps/media/radarr/networkpolicy.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: "radarr"
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "radarr"
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: "radarr"
+ from: []
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "prowlarr"
+ ports:
+ - protocol: "TCP"
+ port: 9696
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 192.168.0.0/16
+ - to:
+ - ipBlock:
+ cidr: 192.168.200.5/32
+ ports:
+ - protocol: TCP
+ port: 9091
diff --git a/apps/media/radarr/service.yaml b/apps/media/radarr/service.yaml
new file mode 100644
index 0000000..f1c1bf0
--- /dev/null
+++ b/apps/media/radarr/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: radarr
+spec:
+ ports:
+ - port: 80
+ targetPort: radarr
+ selector:
+ app.kubernetes.io/name: radarr
diff --git a/apps/media/sonarr/components/istio/istio-virtualservice.yaml b/apps/media/sonarr/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..88fb099
--- /dev/null
+++ b/apps/media/sonarr/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: "sonarr"
+spec:
+ hosts:
+ - "sonarr"
+ gateways:
+ - "istio-system/gateway"
+ http:
+ - match:
+ - uri:
+ prefix: "/"
+ route:
+ - destination:
+ host: "sonarr"
+ port:
+ number: 80
diff --git a/apps/media/sonarr/components/istio/kustomization.yaml b/apps/media/sonarr/components/istio/kustomization.yaml
new file mode 100644
index 0000000..fe2826e
--- /dev/null
+++ b/apps/media/sonarr/components/istio/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "sonarr"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/media/sonarr/components/postgres/kustomization.yaml b/apps/media/sonarr/components/postgres/kustomization.yaml
new file mode 100644
index 0000000..0243048
--- /dev/null
+++ b/apps/media/sonarr/components/postgres/kustomization.yaml
@@ -0,0 +1,38 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: sonarr + patch: |- + - op: add + path: /spec/template/spec/containers/0/env/- + value: + name: SONARR__POSTGRES_HOST + value: postgres + - op: add + path: /spec/template/spec/containers/0/env/- + value: + name: SONARR__POSTGRES_MAIN_DB + value: sonarr + - op: add + path: /spec/template/spec/containers/0/env/- + value: + name: SONARR__POSTGRES_USER + valueFrom: + secretKeyRef: + key: POSTGRES_USER + name: media-sonarr-postgres + - op: add + path: /spec/template/spec/containers/0/env/- + value: + name: SONARR__POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: POSTGRES_PASSWORD + name: media-sonarr-postgres + - target: + kind: Deployment + name: sonarr + path: patch-initcontainer.yaml diff --git a/apps/media/sonarr/components/postgres/patch-initcontainer.yaml b/apps/media/sonarr/components/postgres/patch-initcontainer.yaml new file mode 100644 index 0000000..400e70b --- /dev/null +++ b/apps/media/sonarr/components/postgres/patch-initcontainer.yaml @@ -0,0 +1,32 @@ +--- +- op: replace + path: /spec/template/spec/initContainers + value: + - name: "init" + image: "ghcr.io/onedr0p/postgres-init:16" + env: + - name: "INIT_POSTGRES_HOST" + value: "postgres" + - name: "INIT_POSTGRES_DBNAME" + value: "sonarr" + - name: "INIT_POSTGRES_SUPER_USER" + valueFrom: + secretKeyRef: + key: "POSTGRES_USER" + name: "media-components-postgres" + optional: true + - name: "INIT_POSTGRES_SUPER_PASS" + valueFrom: + secretKeyRef: + key: "POSTGRES_PASSWORD" + name: "media-components-postgres" + - name: "INIT_POSTGRES_USER" + valueFrom: + secretKeyRef: + key: "POSTGRES_USER" + name: "media-components-postgres" + - name: "INIT_POSTGRES_PASS" + valueFrom: + secretKeyRef: + key: "POSTGRES_PASSWORD" + name: "media-components-postgres" 
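Review bot: The credentials wired into sonarr and into its init container do not match. The env patch in components/postgres/kustomization.yaml sets `SONARR__POSTGRES_USER`/`SONARR__POSTGRES_PASSWORD` from secret `media-sonarr-postgres`, while patch-initcontainer.yaml takes `INIT_POSTGRES_USER`/`INIT_POSTGRES_PASS` (and the super-user pair) from `media-components-postgres`, so the role sonarr logs in with is never created by the init step and the init step effectively "creates" the super user as the app user. The app-user pair in the init container should reference `media-sonarr-postgres`, e.g. `name: "media-sonarr-postgres"` for both `INIT_POSTGRES_USER` and `INIT_POSTGRES_PASS`, keeping only the `SUPER_*` entries on `media-components-postgres`. Two smaller points: `optional: true` is set only on `INIT_POSTGRES_SUPER_USER`, which looks accidental, and `op: replace` on `/spec/template/spec/initContainers` will fail at render time if the base deployment.yaml (which declares no `initContainers`) is the target, so `op: add` is the safer choice. The init container also has no `securityContext`, `resources` or `imagePullPolicy`, unlike the hardened main container.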
diff --git a/apps/media/sonarr/components/postgres/upsert-secret-media-sonarr-postgres.sh b/apps/media/sonarr/components/postgres/upsert-secret-media-sonarr-postgres.sh new file mode 100755 index 0000000..3b84280 --- /dev/null +++ b/apps/media/sonarr/components/postgres/upsert-secret-media-sonarr-postgres.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +POSTGRES_USER="$(echo "$OUTPUT" | grep -e "^POSTGRES_USER=" | cut -d'=' -f2)" +POSTGRES_PASSWORD="$(echo "$OUTPUT" | grep -e "^POSTGRES_PASSWORD=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=POSTGRES_USER="${POSTGRES_USER}" \ + --from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/media/sonarr/components/reverse-proxy/kustomization.yaml b/apps/media/sonarr/components/reverse-proxy/kustomization.yaml new file mode 100644 index 0000000..956bf39 --- /dev/null +++ b/apps/media/sonarr/components/reverse-proxy/kustomization.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: "sonarr" + patch: |- + - op: add + path: /spec/template/spec/containers/0/env/- + value: + name: SONARR__URL_BASE + value: /sonarr + - target: + kind: NetworkPolicy + name: "sonarr" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + podSelector: + matchLabels: + app.kubernetes.io/name: "reverse-proxy" 
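Review bot: `cut -d'=' -f2` in upsert-secret-media-sonarr-postgres.sh silently truncates any value that itself contains `=`, which is common in generated passwords and base64-padded strings; use `cut -d'=' -f2-` so everything after the first `=` is kept. `pass ${K8S_PASS_PATH}` should be quoted (`pass "${K8S_PASS_PATH}"`), and `-e` is passed to sops twice, which is harmless but noise. Neither `grep` result is checked, so with `set -o pipefail` an absent key aborts the script with no message; consider `: "${POSTGRES_USER:?missing POSTGRES_USER in ${K8S_PASS_PATH}}"` before the kubectl call. The same `cut -f2` pattern appears in the other upsert-secret scripts in this commit.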
diff --git a/apps/media/sonarr/deployment.yaml b/apps/media/sonarr/deployment.yaml new file mode 100644 index 0000000..6136e60 --- /dev/null +++ b/apps/media/sonarr/deployment.yaml 
@@ -0,0 +1,113 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sonarr + labels: + app: sonarr + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app: sonarr + strategy: + type: Recreate + template: + metadata: + labels: + app: sonarr + app.kubernetes.io/name: sonarr + app.kubernetes.io/instance: media-prod + app.kubernetes.io/component: sonarr + app.kubernetes.io/part-of: arr + spec: + securityContext: + runAsNonRoot: true + runAsUser: 20568 + runAsGroup: 20568 + fsGroup: 20568 + seccompProfile: + type: RuntimeDefault + containers: + - image: "ghcr.io/onedr0p/sonarr:4.0.4.1491" + imagePullPolicy: "IfNotPresent" + name: "sonarr" + ports: + - containerPort: 8989 + name: "sonarr" + securityContext: + privileged: false + runAsNonRoot: true + runAsUser: 20568 + runAsGroup: 20568 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + resources: + requests: + memory: "128Mi" + cpu: "10m" + limits: + memory: "768Mi" + readinessProbe: + httpGet: + path: "/ping" + port: "sonarr" + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + livenessProbe: + httpGet: + path: "/ping" + port: "sonarr" + initialDelaySeconds: 15 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + env: + - name: "COMPlus_EnableDiagnostics" + value: "0" + - name: "PUSHOVER_DEBUG" + value: "false" + - name: "TZ" + value: "Europe/Berlin" + volumeMounts: + - name: "storage" + mountPath: "/config" + - name: "tmp" + mountPath: "/tmp" + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 5 + preference: + matchExpressions: + - key: "cpu_speed" + operator: "In" + values: + - "slow" + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app.kubernetes.io/part-of" + operator: "In" + 
values: + - "media" + topologyKey: "kubernetes.io/hostname" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "512Mi" + - name: "tmp" + emptyDir: + sizeLimit: "1Gi" diff --git a/apps/media/sonarr/kustomization.yaml b/apps/media/sonarr/kustomization.yaml new file mode 100644 index 0000000..521d11d --- /dev/null +++ b/apps/media/sonarr/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - networkpolicy.yaml + - service.yaml diff --git a/apps/media/sonarr/networkpolicy.yaml b/apps/media/sonarr/networkpolicy.yaml new file mode 100644 index 0000000..354f6bf --- /dev/null +++ b/apps/media/sonarr/networkpolicy.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: "sonarr" +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: "sonarr" + policyTypes: + - Egress + - Ingress + ingress: + - ports: + - protocol: TCP + port: "sonarr" + from: [] + egress: + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: "prowlarr" + ports: + - protocol: "TCP" + port: 9696 + - to: + - ipBlock: + cidr: 0.0.0.0/0 + except: + - 192.168.0.0/16 + - to: + - ipBlock: + cidr: 192.168.200.5/32 + ports: + - protocol: TCP + port: 9091 diff --git a/apps/media/sonarr/service.yaml b/apps/media/sonarr/service.yaml new file mode 100644 index 0000000..49ecafc --- /dev/null +++ b/apps/media/sonarr/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: sonarr +spec: + ports: + - port: 80 + targetPort: sonarr + selector: + app.kubernetes.io/name: sonarr diff --git a/apps/media/upsert-secret-smb.sh b/apps/media/upsert-secret-smb.sh new file mode 100755 index 0000000..864b2cb --- /dev/null +++ b/apps/media/upsert-secret-smb.sh 
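Review bot: The sonarr image in apps/media/sonarr/deployment.yaml is pinned by mutable tag (`ghcr.io/onedr0p/sonarr:4.0.4.1491`) together with `imagePullPolicy: "IfNotPresent"`, so a re-tagged upstream image would be picked up on a fresh node but not on one with a cached layer, and the running digest is not recorded anywhere; pin by digest (`image: "ghcr.io/onedr0p/sonarr:4.0.4.1491@sha256:…"`) so the security-scanner workflow and the cluster agree on what runs. The `/config` mount is a 512Mi `emptyDir`, so sonarr's config.xml (including its API key) is regenerated on every pod replacement unless the pvc component is enabled; that is fine if intentional, but worth a one-line comment on the volume (`# emptyDir by default; the pvc component swaps this for a PersistentVolumeClaim`). The pod-affinity term selects `app.kubernetes.io/part-of: media` while this pod labels itself `part-of: arr`, so the co-location preference appears not to apply to sibling arr pods.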
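Review bot: `from: []` in apps/media/sonarr/networkpolicy.yaml allows ingress from every source on the `sonarr` port, because an empty `from` in a NetworkPolicy ingress rule means "not restricted by source"; the base policy is therefore open until the istio or reverse-proxy component appends a peer to `/spec/ingress/0/from`. The catch-all egress entry (`cidr: 0.0.0.0/0`, `except: 192.168.0.0/16`, no `ports`) still permits any port to 10.0.0.0/8, 172.16.0.0/12 and 169.254.0.0/16; add those to the `except` list and, if possible, restrict the rule to `ports` 80/443.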
@@ -0,0 +1,27 @@ +#!/usr/bin/env bash + +set -o pipefail +set -eu + +CLUSTER_NAME="$(git rev-parse --show-prefix | awk -F'/' '{print $2}')" +NAMESPACE="$(basename $(pwd))" + +############################################################################## +############################################################################## + +K8S_SECRET_NAME="smbcreds" +K8S_SECRET_FILE_NAME="sops-secret-${K8S_SECRET_NAME}.yaml" + +K8S_PASS_PATH="infra/selfhosted/k8s/${CLUSTER_NAME}/media-${K8S_SECRET_NAME}" +OUTPUT=$(pass ${K8S_PASS_PATH}) + +SMB_USERNAME="$(echo "$OUTPUT" | grep -e "^SMB_USERNAME=" | cut -d'=' -f2)" +SMB_PASSWORD="$(echo "$OUTPUT" | grep -e "^SMB_PASSWORD=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=username="${SMB_USERNAME}" \ + --from-literal=password="${SMB_PASSWORD}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/media/upsert-secrets.sh b/apps/media/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/media/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/microbin/components/istio-proxy/kustomization.yaml b/apps/microbin/components/istio-proxy/kustomization.yaml new file mode 100644 index 0000000..f54e124 --- /dev/null +++ b/apps/microbin/components/istio-proxy/kustomization.yaml 
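Review bot: `CLUSTER_NAME` in apps/media/upsert-secret-smb.sh is taken from the second path component of `git rev-parse --show-prefix`, which for this file's location (`apps/media/`) appears to yield `media` rather than a cluster name, so `K8S_PASS_PATH` would become `infra/selfhosted/k8s/media/media-smbcreds`; the other scripts in this commit source `contrib/variables.sh` instead, and this one probably should too. `NAMESPACE="$(basename $(pwd))"` is unquoted inside the substitution and is never used afterwards. As in the sibling scripts, `cut -d'=' -f2` truncates an SMB password containing `=` — use `-f2-` — and `pass ${K8S_PASS_PATH}` should be quoted.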
@@ -0,0 +1,41 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: "Namespace" + patch: |- + - op: add + path: "/metadata/labels/istio-injection" + value: "enabled" + - target: + kind: "NetworkPolicy" + patch: |- + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: istio-system + podSelector: {} + ports: + - port: 15012 + protocol: TCP + - port: 15014 + protocol: TCP diff --git a/apps/microbin/components/istio/istio-virtualservice.yaml b/apps/microbin/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..5c41cf0 --- /dev/null +++ b/apps/microbin/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: microbin +spec: + hosts: + - microbin + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: microbin + port: + number: 80 diff --git a/apps/microbin/components/istio/kustomization.yaml b/apps/microbin/components/istio/kustomization.yaml new file mode 100644 index 0000000..cb8e4c9 --- /dev/null +++ b/apps/microbin/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: "NetworkPolicy" + name: "microbin" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" 
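Review bot: The istio-proxy component's second egress rule opens 15012/15014 to every pod in `istio-system` (`podSelector: {}`), including the ingress gateway and any addons deployed there; if istiod carries its default `app: istiod` label, narrowing to `podSelector: { matchLabels: { app: istiod } }` keeps the control-plane path and nothing else. The Namespace patch uses `op: add` on `/metadata/labels/istio-injection`, which fails at render time if the target Namespace manifest has no `labels` map at all — worth a comment on the patch noting that the namespace must declare `labels` (or use a strategic-merge patch). Both patches target by `kind` only, so they would also apply to any additional NetworkPolicy or Namespace added to this kustomization later.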
diff --git a/apps/microbin/components/pvc/kustomization.yaml b/apps/microbin/components/pvc/kustomization.yaml new file mode 100644 index 0000000..34b26bb --- /dev/null +++ b/apps/microbin/components/pvc/kustomization.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - microbin-pvc.yaml +patches: + - target: + kind: Deployment + name: microbin + patch: |- + - op: replace + path: /spec/template/spec/volumes/0 + value: + name: storage + persistentVolumeClaim: + claimName: microbin diff --git a/apps/microbin/components/pvc/microbin-pvc.yaml b/apps/microbin/components/pvc/microbin-pvc.yaml new file mode 100644 index 0000000..62a3680 --- /dev/null +++ b/apps/microbin/components/pvc/microbin-pvc.yaml @@ -0,0 +1,11 @@ +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: microbin +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi diff --git a/apps/microbin/components/restic-pvc/kustomization.yaml b/apps/microbin/components/restic-pvc/kustomization.yaml new file mode 100644 index 0000000..2570a6a --- /dev/null +++ b/apps/microbin/components/restic-pvc/kustomization.yaml 
@@ -0,0 +1,66 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - ../../../../infra/restic-pvc +configMapGenerator: + - name: "microbin-restic-pvc" + literals: + - "RETENTION_DAYS=7" + - "RETENTION_WEEKS=4" + - "RETENTION_MONTHS=6" + - "RESTIC_TARGETS=/app/microbin_data" + - "RESTIC_BACKUP_ID=microbin" +patches: + - target: + kind: "CronJob" + name: "restic-pvc-backup" + patch: |- + - op: "replace" + path: "/spec/schedule" + value: "5 6 * * *" + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "microbin" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsUser" + value: 911 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsGroup" + value: 911 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/securityContext/fsGroup" + value: 911 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsUser" + value: 911 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsGroup" + value: 911 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom" + value: + - configMapRef: + name: "microbin-restic-pvc" + - secretRef: + name: "microbin-restic-pvc" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/volumes/0/persistentVolumeClaim/claimName" + value: "microbin" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/volumeMounts/0/mountPath" + value: "/app/microbin_data" + - target: + kind: "CronJob" + name: "restic-pvc-prune" + patch: |- + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "microbin" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom" + value: + - configMapRef: + name: "microbin-restic-pvc" + - secretRef: + name: "microbin-restic-pvc" 
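Review bot: The restic-pvc component runs the backup and prune jobs as uid/gid 911 (`runAsUser`/`runAsGroup`/`fsGroup` patched to 911), while the microbin deployment in this same commit runs as 34525/34525 with `fsGroup: 34525`; the job mounts the same `microbin` claim, so depending on the volume driver it will either fail to read files owned by 34525 or, via `fsGroup`, re-own the data to gid 911 on each run and flip it back when microbin restarts. Align the patched values with the owning workload (`value: 34525` for all five uid/gid ops) or document why 911 is required by the restic image. The prune job gets the same `envFrom` (AWS keys and the restic password) as the backup job, which is expected, but the secret name `microbin-restic-pvc` is referenced before the component that generates it is visible here, so a comment pointing at upsert-secret-microbin-restic-pvc.sh would help.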
diff --git a/apps/microbin/components/restic-pvc/upsert-secret-microbin-restic-pvc.sh b/apps/microbin/components/restic-pvc/upsert-secret-microbin-restic-pvc.sh new file mode 100755 index 0000000..18b7aa3 --- /dev/null +++ b/apps/microbin/components/restic-pvc/upsert-secret-microbin-restic-pvc.sh @@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +BACKUP_ID="${K8S_APP_SUB}" +S3_DIR="restic-${BACKUP_ID}" +TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]') +AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id') +AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret') +RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}" +RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \ + --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \ + --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \ + --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \ + --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/microbin/deployment.yaml b/apps/microbin/deployment.yaml new file mode 100644 index 0000000..58b11ca --- /dev/null +++ b/apps/microbin/deployment.yaml 
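Review bot: In upsert-secret-microbin-restic-pvc.sh a missing key in the terraform `ids` map does not abort the script: `jq -r '.["…"]'` prints `null`, the following `jq -r '.id'` / `.secret` on that string print `null` again, and a sops secret with the literal AWS key `null` is written and committed. Guard the lookup, e.g. `[ "${TF_VALUE}" != "null" ] || { echo "no S3 credentials for ${S3_DIR}" >&2; exit 1; }`, before the kubectl call. The `-chdir=../../../../tf-aws-s3-backups` path is relative to the caller's working directory rather than anchored on `git rev-parse --show-toplevel` like the `source` line above it, so the script only works when run from its own directory; and `pass backups/restic/prod/${BACKUP_ID}` should quote the expansion.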
@@ -0,0 +1,67 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: microbin + labels: + app.kubernetes.io/name: microbin + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: microbin + template: + metadata: + labels: + app: microbin + app.kubernetes.io/name: microbin + app.kubernetes.io/instance: microbin-prod + app.kubernetes.io/component: microbin + app.kubernetes.io/part-of: microbin + spec: + securityContext: + runAsNonRoot: true + runAsUser: 34525 + runAsGroup: 34525 + fsGroup: 34525 + seccompProfile: + type: RuntimeDefault + containers: + - name: microbin + image: danielszabo99/microbin:2.0.4 + ports: + - containerPort: 8080 + name: microbin + securityContext: + runAsNonRoot: true + runAsUser: 34525 + runAsGroup: 34525 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + requests: + memory: "32Mi" + cpu: "10m" + limits: + memory: "128Mi" + volumeMounts: + - name: "storage" + mountPath: "/app/microbin_data" + envFrom: + - configMapRef: + name: "microbin-config" + - secretRef: + name: "microbin" + optional: true + volumes: + - name: "storage" + emptyDir: + sizeLimit: "1Gi" diff --git a/apps/microbin/kustomization.yaml b/apps/microbin/kustomization.yaml new file mode 100644 index 0000000..f5bf855 --- /dev/null +++ b/apps/microbin/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - networkpolicy.yaml + - deployment.yaml + - service.yaml +configMapGenerator: + - name: microbin-config + envs: + - microbin.properties diff --git a/apps/microbin/microbin.properties b/apps/microbin/microbin.properties new file mode 100644 index 0000000..5e15dbc --- /dev/null +++ b/apps/microbin/microbin.properties 
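Review bot: `secretRef: name: "microbin" optional: true` in apps/microbin/deployment.yaml makes the admin credentials optional, and the microbin.properties in this same commit leaves `MICROBIN_ADMIN_USERNAME`/`MICROBIN_ADMIN_PASSWORD` commented out with documented defaults of `admin` / `m1cr0b1n`; if the secret is ever missing the admin interface comes up with those defaults behind the gateway. Drop `optional: true` so the pod refuses to start without the secret, or set `MICROBIN_ADMIN_USERNAME`/`_PASSWORD` to empty in the properties so the admin UI is disabled by default. The image `danielszabo99/microbin:2.0.4` is a mutable tag from Docker Hub without a digest; consider `@sha256:…` pinning as for the other images. The 1Gi `emptyDir` for `/app/microbin_data` is also smaller than the upload limit configured in microbin.properties (see that hunk).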
@@ -0,0 +1,211 @@ +# Require username for HTTP Basic Authentication when +# visiting the service. If basic auth username is set but +# basic auth password is not, just leave the password field +# empty when logging in. You can also just go to +# https://username:password@yourserver.net or +# https://username@yourserver.net if password is not set +# instead of typing into the password +# Default value: unset +#MICROBIN_BASIC_AUTH_USERNAME= + +# Require password for HTTP Basic Authentication when +# visiting the service. Will not have any affect unless +# basic auth username is also set. If basic auth username is +# set but basic auth password is not, just leave the +# password field empty when logging in. You can also just go +# to https://username:password@yourserver.net or +# https://username@yourserver.net if password is not set +# instead of typing into the password prompt. +# Default value: unset +#MICROBIN_BASIC_AUTH_PASSWORD= + +# Enables administrator interface at yourserver.com/admin/ +# if set, disables it if unset. If admin username is set but +# admin password is not, just leave the password field empty +# when logging in. +# Default value: admin +#MICROBIN_ADMIN_USERNAME=admin + +# Enables administrator interface at yourserver.com/admin/ +# if set, disables it if unset. Will not have any affect +# unless admin username is also set. If admin username is +# set but admin password is not, just leave the password +# field empty when logging in. +# Default value: m1cr0b1n +#MICROBIN_ADMIN_PASSWORD=m1cr0b1n + +# Enables editable pastas. You will still be able to make +# finalised pastas but there will be an extra checkbox to +# make your new pasta editable from the pasta list or the +# pasta view page. +# Default value: true +MICROBIN_EDITABLE=true + +# Replaces the default footer text with your own. If you +# want to hide the footer, use the hide footer option instead. 
+# Note that you can also embed HTML here, so you may want to escape +# '<', '>' and so on. +#MICROBIN_FOOTER_TEXT= + +# Hides the navigation bar on every page. +# Default value: false +MICROBIN_HIDE_HEADER=false + +# Hides the footer on every page. +# Default value: false +MICROBIN_HIDE_FOOTER=true + +# Hides the MicroBin logo from the navigation bar on every +# page. +# Default value: false +MICROBIN_HIDE_LOGO=false + +# Disables the /pastalist endpoint, essentially making all +# pastas private. +# Default value: false +MICROBIN_NO_LISTING=false + +# Enables syntax highlighting support. When creating a new +# pasta, a new dropdown selector will be added where you can +# select your pasta's syntax, or just leave it empty for no +# highlighting. +MICROBIN_HIGHLIGHTSYNTAX=true + +# Sets the port for the server will be listening on. +# Default value: 8080 +MICROBIN_PORT=8080 + +# Sets the bind address for the server will be listening on. +# Both ipv4 and ipv6 are supported. Default value: 0.0.0.0". +MICROBIN_BIND=0.0.0.0 + +# Enables private pastas. Adds a new checkbox to make your +# pasta private, which then won't show up on the pastalist +# page. With the URL to your pasta, it will still be +# accessible. +# Default value: true +MICROBIN_PRIVATE=true + +# DEPRECATED: Will be removed soon. If you want to change styling (incl. removal), use custom CSS variable instead. +# Disables main CSS styling, just uses a few in-line +# stylings for the layout. With this option you will lose +# dark-mode support. +MICROBIN_PURE_HTML=false + +# Sets the name of the directory where MicroBin creates +# its database and stores attachments. +# Default value: microbin_data +MICROBIN_DATA_DIR=microbin_data + +# Enables storing pasta data (not attachments and files) in +# a JSON file instead of the SQLite database. +MICROBIN_JSON_DB=false + +# Add the given public path prefix to all urls. This allows +# you to host MicroBin behind a reverse proxy on a subpath. 
+# Note that MicroBin itself still expects all routes to be +# as without this option, and thus is unsuited if you are +# running MicroBin directly. Default value: unset. +MICROBIN_PUBLIC_PATH=https://bin.svc.dd.soeren.cloud + +# Sets a shortened path to use when the user copies URL from +# the application. This will also use shorter endpoints, +# such as /p/ instead if /pasta/. +#MICROBIN_SHORT_PATH: + +# The password required for uploading, if read-only mode is enabled +# Default value: unset +# MICROBIN_UPLOADER_PASSWORD= + +# If set to true, authentication required for uploading +# Default value: false +MICROBIN_READONLY=false + +# Enables showing read count on pasta pages. +MICROBIN_SHOW_READ_STATS=true + +# Adds your title of choice to the +# navigation bar. +#MICROBIN_TITLE= + +# Number of workers MicroBin is allowed to have. Increase +# this to the number of CPU cores you have if you want to go +# beast mode, but for personal use one worker is enough. +MICROBIN_THREADS=1 + +# Sets the garbage collector time limit. Pastas not accessed +# for N days are removed even if they are set to never +# expire. +MICROBIN_GC_DAYS=90 + +# Enables or disables the Burn after function +MICROBIN_ENABLE_BURN_AFTER=true + +# Sets the default burn after setting on the main screen. +MICROBIN_DEFAULT_BURN_AFTER=0 + +# Changes the maximum width of the UI from 720 pixels to +# 1080 pixels. +MICROBIN_WIDE=false + +# Enables generating QR codes for pastas. Requires +# the public path to also be set. +MICROBIN_QR=true + +# Toggles Never expiry settings for pastas. Default +MICROBIN_ETERNAL_PASTA=false + +# Enables Read-only uploads. These are unlisted and +# unencrypted, but can be viewed without password if you +# have the URL. Editing and removing requires password. +MICROBIN_ENABLE_READONLY=true + +# Sets the default expiry time setting on the main screen. +MICROBIN_DEFAULT_EXPIRY=24hour + +# Disables and hides the file upload option in the UI. 
+MICROBIN_NO_FILE_UPLOAD=false + +# Replaced the built-in water.css stylesheet with the URL +# you provide. Default value: unset. +#MICROBIN_CUSTOM_CSS= + +# Use short hash strings in the URLs instead of animal names +# to make URLs shorter. Does not change the underlying data +# stored, just how pastas are recalled. +MICROBIN_HASH_IDS=false + +# Enables server-side encryption. This will add private +# privacy level, where the user sends plain unencrypted data +# (still secure, because you use HTTPS, right?), but the +# server sees everything that the user submits, therefore +# the user does not have complete and absolute protection. +MICROBIN_ENCRYPTION_CLIENT_SIDE=true + +# Enables client-side encryption. This will add the secret +# privacy level where the user's browser encrypts all data +# with JavaScript before sending it over to MicroBin, which +# encrypt the data once again on server side. +MICROBIN_ENCRYPTION_SERVER_SIDE=true + +# Limit the maximum file size users can upload without +# encryption. +MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB=256 + +# Limit the maximum file size users can upload with +# encryption (more strain on your server than without +# encryption, so the limit should be lower. Secrets tend to +# be tiny files usually anyways.) +MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB=2048 + +# Disables the feature that checks for available updates +# when opening the admin screen. +MICROBIN_DISABLE_UPDATE_CHECKING=true + +# Disables telemetry if set to true. +# Telemetry includes your configuration and helps development. +# It does not include any sensitive data. +MICROBIN_DISABLE_TELEMETRY=true + +# Enables listing your server in the public MicroBin server list. +MICROBIN_LIST_SERVER=false diff --git a/apps/microbin/networkpolicy.yaml b/apps/microbin/networkpolicy.yaml new file mode 100644 index 0000000..4f89b70 --- /dev/null +++ b/apps/microbin/networkpolicy.yaml 
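Review bot: `MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB=2048` and `MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB=256` are accepted by an instance that, per this file, has no basic auth (`#MICROBIN_BASIC_AUTH_USERNAME=`), `MICROBIN_READONLY=false` and `MICROBIN_NO_FILE_UPLOAD=false`, while the deployment in this commit backs `/app/microbin_data` with a 1Gi `emptyDir`; a single anonymous 2 GB upload exceeds the `sizeLimit` and gets the pod evicted. Lower the limits below the volume size (e.g. `MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB=512`) or require `MICROBIN_UPLOADER_PASSWORD` via `MICROBIN_READONLY=true`. Separately, the comment blocks above `MICROBIN_ENCRYPTION_CLIENT_SIDE` and `MICROBIN_ENCRYPTION_SERVER_SIDE` are swapped (the client-side key is described as "Enables server-side encryption" and vice versa) — swap the two comment paragraphs so they match their keys.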
@@ -0,0 +1,22 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: microbin +spec: + podSelector: {} + policyTypes: + - Egress + - Ingress + ingress: + - ports: + - protocol: TCP + port: microbin + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app: prometheus + egress: [] diff --git a/apps/microbin/service.yaml b/apps/microbin/service.yaml new file mode 100644 index 0000000..e402802 --- /dev/null +++ b/apps/microbin/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: microbin +spec: + ports: + - port: 80 + targetPort: microbin + selector: + app.kubernetes.io/name: microbin diff --git a/apps/microbin/upsert-secret-microbin.sh b/apps/microbin/upsert-secret-microbin.sh new file mode 100755 index 0000000..931f153 --- /dev/null +++ b/apps/microbin/upsert-secret-microbin.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +MICROBIN_ADMIN="$(echo "$OUTPUT" | grep -e "^MICROBIN_ADMIN=" | cut -d'=' -f2)" +MICROBIN_ADMIN_PASS="$(echo "$OUTPUT" | grep -e "^MICROBIN_ADMIN_PASS=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=MICROBIN_ADMIN_USERNAME="${MICROBIN_ADMIN}" \ + --from-literal=MICROBIN_ADMIN_PASSWORD="${MICROBIN_ADMIN_PASS}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/microbin/upsert-secrets.sh b/apps/microbin/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/microbin/upsert-secrets.sh 
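Review bot: `cut -d'=' -f2` in apps/microbin/upsert-secret-microbin.sh drops everything after the first `=` in `MICROBIN_ADMIN_PASS`, so a generated admin password containing `=` is silently stored truncated and the login will not work; use `cut -d'=' -f2-`. The script also passes `-e` to sops twice and leaves `pass ${K8S_PASS_PATH}` unquoted. Because the deployment marks this secret `optional`, a script failure here is not surfaced at deploy time, so a `: "${MICROBIN_ADMIN_PASS:?}"` check before `kubectl create secret` is worth adding.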
@@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/miniflux/components/istio/istio-virtualservice.yaml b/apps/miniflux/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..d1cab89 --- /dev/null +++ b/apps/miniflux/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: miniflux +spec: + hosts: + - miniflux + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: miniflux + port: + number: 80 diff --git a/apps/miniflux/components/istio/kustomization.yaml b/apps/miniflux/components/istio/kustomization.yaml new file mode 100644 index 0000000..ca66d18 --- /dev/null +++ b/apps/miniflux/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: "NetworkPolicy" + name: "miniflux" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/miniflux/components/oidc/kustomization.yaml b/apps/miniflux/components/oidc/kustomization.yaml new file mode 100644 index 0000000..06e2c51 --- /dev/null +++ b/apps/miniflux/components/oidc/kustomization.yaml 
@@ -0,0 +1,21 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: miniflux + patch: |- + - op: add + path: /spec/template/spec/containers/0/envFrom/- + value: + secretMapRef: + name: miniflux-oidc +configMapGenerator: + - name: miniflux + behavior: merge + literals: + - OAUTH2_USER_CREATION=0 + - OAUTH2_PROVIDER=oidc + - OAUTH2_REDIRECT_URL=https://miniflux.svc.pt.soeren.cloud/oauth2/oidc/callback + - OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://keycloak.svc.pt.soeren.cloud/realms/myrealm diff --git a/apps/miniflux/components/oidc/upsert-secret-miniflux-oidc.sh b/apps/miniflux/components/oidc/upsert-secret-miniflux-oidc.sh new file mode 100755 index 0000000..0eadee9 --- /dev/null +++ b/apps/miniflux/components/oidc/upsert-secret-miniflux-oidc.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +TF_VALUE=$(terraform -chdir="$(git rev-parse --show-toplevel)/../tf-keycloak" output -json clients | jq -r '.["'"${OAUTH2_PROXY_CLIENT_ID}"'"]') +OAUTH2_CLIENT_ID=miniflux +OAUTH2_CLIENT_SECRET=$(echo "$TF_VALUE" | jq -r '.client_secret') + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=OAUTH2_CLIENT_ID="${OAUTH2_CLIENT_ID}" \ + --from-literal=OAUTH2_CLIENT_SECRET="${OAUTH2_CLIENT_SECRET}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/miniflux/components/postgres-pvc/kustomization.yaml b/apps/miniflux/components/postgres-pvc/kustomization.yaml new file mode 100644 index 0000000..86962ed --- /dev/null +++ b/apps/miniflux/components/postgres-pvc/kustomization.yaml 
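Review bot: `secretMapRef` in the oidc component's envFrom patch is not a valid `EnvFromSource` field — the API only knows `configMapRef` and `secretRef` — so the patched Deployment will be rejected at apply time and the OIDC client secret never reaches miniflux. Change the added value to `secretRef: name: miniflux-oidc`. With `OAUTH2_USER_CREATION=0` and the redirect URL pinned to `miniflux.svc.pt.soeren.cloud`, a one-line comment noting that users must pre-exist in miniflux would save the next reader a debugging round.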
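Review bot: upsert-secret-miniflux-oidc.sh looks up the Keycloak client secret under `${OAUTH2_PROXY_CLIENT_ID}` but then hard-codes `OAUTH2_CLIENT_ID=miniflux`, so the secret written may belong to a different client than the id stored next to it; with `set -u` the script also aborts if `OAUTH2_PROXY_CLIENT_ID` is not exported by contrib/variables.sh. Use one variable for both, e.g. `OAUTH2_CLIENT_ID=miniflux` followed by `jq -r '.["'"${OAUTH2_CLIENT_ID}"'"]'`. As in the restic script, a missing key yields the string `null` from jq and is committed as the client secret without error — add a `[ "${TF_VALUE}" != "null" ]` guard.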
@@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - postgres-pvc.yaml diff --git a/apps/miniflux/components/postgres-pvc/postgres-pvc.yaml b/apps/miniflux/components/postgres-pvc/postgres-pvc.yaml new file mode 100644 index 0000000..32475f6 --- /dev/null +++ b/apps/miniflux/components/postgres-pvc/postgres-pvc.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: mealie-postgres +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/apps/miniflux/components/postgres/kustomization.yaml b/apps/miniflux/components/postgres/kustomization.yaml new file mode 100644 index 0000000..65d7a61 --- /dev/null +++ b/apps/miniflux/components/postgres/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - postgres-deployment.yaml + - postgres-service.yaml diff --git a/apps/miniflux/components/postgres/postgres-deployment.yaml b/apps/miniflux/components/postgres/postgres-deployment.yaml new file mode 100644 index 0000000..2b6c60c --- /dev/null +++ b/apps/miniflux/components/postgres/postgres-deployment.yaml 
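Review bot: The PersistentVolumeClaim in apps/miniflux/components/postgres-pvc/postgres-pvc.yaml is named `mealie-postgres`, but the postgres Deployment added in this same commit references `claimName: miniflux-postgres`, so with both components enabled the database pod stays Pending on a missing claim and the stray `mealie-postgres` volume is provisioned unused. Rename the claim to `name: miniflux-postgres` (the name appears copied from another app's component).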
@@ -0,0 +1,108 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: postgres +spec: + replicas: 1 + selector: + matchLabels: + app: postgres + template: + metadata: + labels: + app: postgres + app.kubernetes.io/name: postgres + app.kubernetes.io/component: database + app.kubernetes.io/instance: miniflux-prod + app.kubernetes.io/part-of: miniflux + spec: + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app.kubernetes.io/part-of" + operator: "In" + values: + - "miniflux" + topologyKey: "kubernetes.io/hostname" + securityContext: + runAsUser: 999 + runAsGroup: 999 + fsGroup: 999 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: postgres + image: postgres:16.3 + securityContext: + runAsUser: 999 + runAsGroup: 999 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ALL] + lifecycle: + preStop: + exec: + command: + - "/usr/local/bin/pg_ctl stop -D /var/lib/postgresql/data -w -t 60 -m fast" + env: + - name: POSTGRES_DB + value: miniflux + - name: PGDATA + value: /data/pgdata + envFrom: + - secretRef: + name: miniflux-postgres + ports: + - containerPort: 5432 + name: postgres + resources: + limits: + memory: "1Gi" + cpu: "500m" + requests: + memory: "256Mi" + cpu: "50m" + livenessProbe: + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U miniflux + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U miniflux + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: var-run + mountPath: /var/run + - name: storage + mountPath: /data + volumes: + - name: tmp + emptyDir: + sizeLimit: 5Mi + - name: var-run + emptyDir: + sizeLimit: 5Mi + - name: storage + persistentVolumeClaim: + 
claimName: miniflux-postgres diff --git a/apps/miniflux/components/postgres/postgres-service.yaml b/apps/miniflux/components/postgres/postgres-service.yaml new file mode 100644 index 0000000..df8d662 --- /dev/null +++ b/apps/miniflux/components/postgres/postgres-service.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: postgres +spec: + selector: + app: postgres + ports: + - protocol: TCP + port: 5432 + targetPort: 5432 + type: ClusterIP diff --git a/apps/miniflux/components/postgres/upsert-secret-miniflux-postgres.sh b/apps/miniflux/components/postgres/upsert-secret-miniflux-postgres.sh new file mode 100755 index 0000000..209544c --- /dev/null +++ b/apps/miniflux/components/postgres/upsert-secret-miniflux-postgres.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" + +echo "Upserting app=${K8S_APP}, cluster=${K8S_CLUSTER_NAME}, pass path=${K8S_PASS_PATH}" + +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +POSTGRES_USER="$(echo "$OUTPUT" | grep -e "^POSTGRES_USER=" | cut -d'=' -f2)" +POSTGRES_PASSWORD="$(echo "$OUTPUT" | grep -e "^POSTGRES_PASSWORD=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=POSTGRES_USER="${POSTGRES_USER}" \ + --from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/miniflux/deployment.yaml b/apps/miniflux/deployment.yaml new file mode 100644 index 0000000..effb9fd --- /dev/null +++ b/apps/miniflux/deployment.yaml 
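Review bot: The `preStop` exec hook passes the whole command line as a single list element, so the kubelet tries to execute a file literally named `/usr/local/bin/pg_ctl stop -D ... -m fast` and the hook fails on every termination; the data directory it names (`/var/lib/postgresql/data`) also differs from the container's `PGDATA=/data/pgdata`. Split the command into separate list items and reference the env var so the two cannot drift, as below. With the hook broken, a shutdown relies on the container's own SIGTERM handling; an inconsistent `-D` would additionally stop the wrong instance path even once the split is fixed.
```yaml
        lifecycle:
          preStop:
            exec:
              command:
                - /usr/local/bin/pg_ctl
                - stop
                - -D
                - $(PGDATA)
                - -w
                - -t
                - "60"
                - -m
                - fast
# … unchanged: env, envFrom, ports, resources, probes, volumeMounts …
```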
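Review bot: `cut -d'=' -f2` truncates any password that itself contains `=` (common in generated or base64-derived values), so the secret would be written with a silently shortened `POSTGRES_PASSWORD`. Use `cut -d'=' -f2-` to keep everything after the first `=`. The same pattern appears in `apps/miniflux/upsert-secret-miniflux.sh` and `apps/minio/upsert-secret-minio.sh` in this commit. `pass ${K8S_PASS_PATH}` is also unquoted; `pass "${K8S_PASS_PATH}"` avoids word splitting if the path ever contains spaces.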
@@ -0,0 +1,94 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: miniflux + labels: + app.kubernetes.io/name: miniflux + app.kubernetes.io/instance: miniflux-prod + app.kubernetes.io/component: server + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: miniflux + template: + metadata: + labels: + app: "miniflux" + app.kubernetes.io/name: "miniflux" + app.kubernetes.io/instance: "miniflux-prod" + app.kubernetes.io/component: "miniflux" + app.kubernetes.io/part-of: "miniflux" + annotations: + prometheus.io/port: "3333" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + seccompProfile: + type: RuntimeDefault + containers: + - image: "miniflux/miniflux:2.1.3" + imagePullPolicy: "IfNotPresent" + name: "miniflux" + ports: + - containerPort: 3333 + name: "miniflux" + securityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + startupProbe: + httpGet: + path: "/healthcheck" + port: "miniflux" + failureThreshold: 60 + periodSeconds: 10 + readinessProbe: + httpGet: + path: "/healthcheck" + port: "miniflux" + initialDelaySeconds: 1 + timeoutSeconds: 10 + livenessProbe: + httpGet: + path: "/healthcheck" + port: "miniflux" + timeoutSeconds: 10 + initialDelaySeconds: 15 + resources: + requests: + memory: "48Mi" + cpu: "5m" + limits: + memory: "196Mi" + env: + - name: LISTEN_ADDR + value: ":3333" + - name: METRICS_ALLOWED_NETWORKS + value: "10.0.0.0/8" + - name: METRICS_COLLECTOR + value: "1" + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 20 + preference: + matchExpressions: + - key: cpu_speed + operator: NotIn + values: + - fast 
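Review bot: The container only defines three `env` entries and no `envFrom`, so neither the `miniflux` ConfigMap generated from `miniflux.properties` (`RUN_MIGRATIONS`, `CREATE_ADMIN`) nor the `miniflux` Secret written by `upsert-secret-miniflux.sh` (`ADMIN_USERNAME`, `ADMIN_PASSWORD`, `DATABASE_URL`) is ever injected into the Pod. Unless an overlay outside this commit adds it, the app starts without its database URL and the admin account is never created. Adding `envFrom:` / `  - configMapRef: {name: miniflux}` / `  - secretRef: {name: miniflux}` to the container would wire both in and also give the oidc component's `/envFrom/-` patch a list to append to.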
diff --git a/apps/miniflux/kustomization.yaml b/apps/miniflux/kustomization.yaml new file mode 100644 index 0000000..a73d637 --- /dev/null +++ b/apps/miniflux/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml + - networkpolicy.yaml +configMapGenerator: + - name: miniflux + files: + - miniflux.properties diff --git a/apps/miniflux/miniflux.properties b/apps/miniflux/miniflux.properties new file mode 100644 index 0000000..f8514e7 --- /dev/null +++ b/apps/miniflux/miniflux.properties @@ -0,0 +1,2 @@ +RUN_MIGRATIONS=1 +CREATE_ADMIN=1 diff --git a/apps/miniflux/networkpolicy.yaml b/apps/miniflux/networkpolicy.yaml new file mode 100644 index 0000000..4cadc6d --- /dev/null +++ b/apps/miniflux/networkpolicy.yaml @@ -0,0 +1,58 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: miniflux +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - ports: + - protocol: TCP + port: miniflux + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + egress: + - to: + - ipBlock: + cidr: 192.168.0.0/16 + ports: + - port: 5432 + protocol: TCP + - to: + - ipBlock: + cidr: 192.168.0.0/16 + ports: + - port: 443 + protocol: TCP + - port: 80 + protocol: TCP + - to: + - namespaceSelector: + matchLabels: + networking/namespace: kube-system + podSelector: {} + ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + - to: + - namespaceSelector: + matchLabels: + name: keycloak + podSelector: + matchLabels: + app.kubernetes.io/name: keycloak diff --git a/apps/miniflux/service.yaml b/apps/miniflux/service.yaml new file mode 100644 index 0000000..a8ad1c7 --- /dev/null +++ b/apps/miniflux/service.yaml 
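Review bot: `podSelector: {}` applies this policy to every Pod in the namespace, including the postgres Pod from the `postgres` component, yet the only ingress rule admits Prometheus to the `miniflux` port; nothing permits the miniflux Pod to reach postgres on 5432, and the egress rule for 5432 is written against the `192.168.0.0/16` ipBlock rather than the postgres Pod. Whether an in-namespace connection survives depends on whether the pod CIDR falls in that range and on the CNI's ipBlock handling, so this is fragile at best. Scoping the policy with `podSelector: matchLabels: app.kubernetes.io/name: miniflux` and adding an explicit egress `to: podSelector: matchLabels: app: postgres` on 5432 (with a matching ingress rule for postgres) makes the intent explicit. The keycloak rule also selects the namespace by a `name:` label while the others use `kubernetes.io/metadata.name`; if that custom label is not present the rule matches nothing.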
@@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: miniflux +spec: + ports: + - port: 80 + targetPort: miniflux + selector: + app.kubernetes.io/name: miniflux diff --git a/apps/miniflux/upsert-secret-miniflux.sh b/apps/miniflux/upsert-secret-miniflux.sh new file mode 100755 index 0000000..dd53b77 --- /dev/null +++ b/apps/miniflux/upsert-secret-miniflux.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +ADMIN_USERNAME="$(echo "$OUTPUT" | grep -e "^ADMIN_USERNAME=" | cut -d'=' -f2)" +ADMIN_PASSWORD="$(echo "$OUTPUT" | grep -e "^ADMIN_PASSWORD=" | cut -d'=' -f2)" + +DATABASE_URL= + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --namespace="${K8S_NAMESPACE}" \ + --from-literal=ADMIN_USERNAME="${ADMIN_USERNAME}" \ + --from-literal=ADMIN_PASSWORD="${ADMIN_PASSWORD}" \ + --from-literal=DATABASE_URL="${DATABASE_URL}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/miniflux/upsert-secrets.sh b/apps/miniflux/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/miniflux/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/minio-mirror/cronjob.yaml b/apps/minio-mirror/cronjob.yaml new file mode 100644 index 0000000..949194f --- /dev/null +++ b/apps/minio-mirror/cronjob.yaml 
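Review bot: `DATABASE_URL=` is left empty, so the generated secret carries a blank connection string and `set -u` never notices because the variable is defined. Either read it from the pass entry like the other values, `DATABASE_URL="$(echo "$OUTPUT" | grep -e "^DATABASE_URL=" | cut -d'=' -f2-)"`, or guard it with `: "${DATABASE_URL:?must be set}"` so the script refuses to write an unusable secret. This script is also the only one in the family that passes `--namespace="${K8S_NAMESPACE}"`; if the namespace is meant to be encoded in the secret manifest, the others should do the same, otherwise the flag is inconsistent.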
@@ -0,0 +1,67 @@ +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: minio-mirror +spec: + timeZone: Europe/Berlin + schedule: "0 */6 * * *" + concurrencyPolicy: Forbid + jobTemplate: + spec: + backoffLimit: 0 + template: + spec: + restartPolicy: Never + securityContext: + runAsUser: 45343 + runAsGroup: 45343 + fsGroup: 45343 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: minio-client + # renovate: datasource=github-releases depName=minio/minio versioning="regex:^RELEASE\\.(?\\d{4})-(?\\d{2})-(?\\d{2})" + image: quay.io/minio/minio:RELEASE.2024-06-13T22-53-53Z + imagePullPolicy: IfNotPresent + command: + - /bin/bash + - -c + args: + - | + set -eu + sleep 5 + mc alias set source "${SOURCE_SERVER}" "${SOURCE_USER}" "${SOURCE_PASSWORD}" + mc alias set dest "${DEST_SERVER}" "${DEST_USER}" "${DEST_PASSWORD}" + mc mirror source/restic-backups-dd dest/restic-backups-dd + envFrom: + - configMapRef: + name: minio-mirror + - secretRef: + name: minio-mirror + securityContext: + runAsUser: 45343 + runAsGroup: 45343 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + requests: + memory: "64Mi" + cpu: "5m" + limits: + memory: "1Gi" + volumeMounts: + - mountPath: /tmp + name: tmp + volumes: + - name: tmp + emptyDir: + sizeLimit: 64Mi diff --git a/apps/minio-mirror/kustomization.yaml b/apps/minio-mirror/kustomization.yaml new file mode 100644 index 0000000..d536ce3 --- /dev/null +++ b/apps/minio-mirror/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - cronjob.yaml diff --git a/apps/minio/components/istio/istio-destinationrule-console.yaml b/apps/minio/components/istio/istio-destinationrule-console.yaml new file mode 100644 index 0000000..f33221b --- /dev/null 
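Review bot: Both `mc alias set` lines put the access key and secret key on the command line, so they are visible in the container's process list and in any audit or crash output for the duration of the call. `mc` accepts credentials through the environment instead, e.g. `MC_HOST_source="https://${SOURCE_USER}:${SOURCE_PASSWORD}@host"`, which avoids the `alias set` step entirely; the exact URL form should be checked against the `mc` version in this image. Separately, `mc alias set` writes `~/.mc/config.json`; with `readOnlyRootFilesystem: true` and only `/tmp` writable, this likely fails for uid 45343 unless `HOME` or `MC_CONFIG_DIR` is pointed at `/tmp`. The `sleep 5` presumably waits for a sidecar; a comment saying so would help the next reader.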
+++ b/apps/minio/components/istio/istio-destinationrule-console.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: minio-console +spec: + host: minio-console.rs.soeren.cloud + trafficPolicy: + portLevelSettings: + - port: + number: 443 + loadBalancer: + simple: LEAST_CONN diff --git a/apps/minio/components/istio/istio-destinationrule.yaml b/apps/minio/components/istio/istio-destinationrule.yaml new file mode 100644 index 0000000..2155055 --- /dev/null +++ b/apps/minio/components/istio/istio-destinationrule.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: minio +spec: + host: minio.rs.soeren.cloud + trafficPolicy: + portLevelSettings: + - port: + number: 443 + loadBalancer: + simple: LEAST_CONN diff --git a/apps/minio/components/istio/istio-virtualservice-console.yaml b/apps/minio/components/istio/istio-virtualservice-console.yaml new file mode 100644 index 0000000..c93e08c --- /dev/null +++ b/apps/minio/components/istio/istio-virtualservice-console.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: minio-console +spec: + hosts: + - minio-console.rs.soeren.cloud + gateways: + - istio-system/gateway + tls: + - match: + - port: 443 + sniHosts: + - minio-console.rs.soeren.cloud + route: + - destination: + host: minio + port: + number: 9001 diff --git a/apps/minio/components/istio/istio-virtualservice.yaml b/apps/minio/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..4af9f41 --- /dev/null +++ b/apps/minio/components/istio/istio-virtualservice.yaml 
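Review bot: Both DestinationRules set `host` to the public FQDN (`minio.rs.soeren.cloud`, `minio-console.rs.soeren.cloud`), but a DestinationRule's host must name the destination service the VirtualService routes to, which here is `minio` on ports 9000/9001. As written the `LEAST_CONN` policy most likely matches no destination and is inert. Use `host: minio` and move the per-port settings to `number: 9000` and `number: 9001` respectively, or drop the rules if a single-replica backend does not need them.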
@@ -0,0 +1,20 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: minio +spec: + hosts: + - minio.rs.soeren.cloud + gateways: + - istio-system/gateway + tls: + - match: + - port: 443 + sniHosts: + - minio.rs.soeren.cloud + route: + - destination: + host: minio + port: + number: 9000 diff --git a/apps/minio/components/istio/kustomization.yaml b/apps/minio/components/istio/kustomization.yaml new file mode 100644 index 0000000..cd3ffec --- /dev/null +++ b/apps/minio/components/istio/kustomization.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-destinationrule.yaml + - istio-destinationrule-console.yaml + - istio-virtualservice.yaml + - istio-virtualservice-console.yaml + - minio-certificate.yaml +patches: + - target: + kind: Deployment + name: minio + patch: |- + - op: add + path: /spec/template/spec/containers/0/livenessProbe/httpGet/scheme + value: HTTPS + - op: add + path: /spec/template/spec/containers/0/readinessProbe/httpGet/scheme + value: HTTPS + - op: add + path: /spec/template/spec/volumes/- + value: + name: tls-volume + secret: + secretName: minio-cert + items: + - key: tls.crt + path: public.crt + - key: tls.key + path: private.key + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: tls-volume + mountPath: /tls + readOnly: true + - op: add + path: /spec/template/spec/containers/0/args + value: + - "--certs-dir" + - "/tls" diff --git a/apps/minio/components/istio/minio-certificate.yaml b/apps/minio/components/istio/minio-certificate.yaml new file mode 100644 index 0000000..178c1df --- /dev/null +++ b/apps/minio/components/istio/minio-certificate.yaml 
@@ -0,0 +1,16 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: minio +spec: + secretName: minio-cert + duration: 2160h + renewBefore: 360h + commonName: minio.rs.soeren.cloud + dnsNames: + - minio.rs.soeren.cloud + issuerRef: + name: letsencrypt-dns-prod + kind: ClusterIssuer + group: cert-manager.io diff --git a/apps/minio/components/pvc/kustomization.yaml b/apps/minio/components/pvc/kustomization.yaml new file mode 100644 index 0000000..9a4e720 --- /dev/null +++ b/apps/minio/components/pvc/kustomization.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - minio-pvc.yaml +patches: + - target: + kind: StatefulSet + name: minio + patch: |- + - op: replace + path: /spec/template/spec/volumes/0 + value: + name: storage + persistentVolumeClaim: + claimName: minio diff --git a/apps/minio/components/pvc/minio-pvc.yaml b/apps/minio/components/pvc/minio-pvc.yaml new file mode 100644 index 0000000..40f8a1f --- /dev/null +++ b/apps/minio/components/pvc/minio-pvc.yaml @@ -0,0 +1,11 @@ +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: minio +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi diff --git a/apps/minio/deployment.yaml b/apps/minio/deployment.yaml new file mode 100644 index 0000000..4063ee7 --- /dev/null +++ b/apps/minio/deployment.yaml 
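Review bot: `dnsNames` lists only `minio.rs.soeren.cloud`, but the console VirtualService in this commit passes TLS for `minio-console.rs.soeren.cloud` straight through to port 9001 of the same container, which serves this certificate. Browsers will reject the console endpoint with a name mismatch. Add `- minio-console.rs.soeren.cloud` to `dnsNames` (the SAN list is what clients check; `commonName` alone is not enough).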
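Review bot: The patch targets `kind: StatefulSet` / `name: minio`, but the minio workload in this commit is a Deployment, so kustomize either errors on an unmatched patch target or, if configured to tolerate it, leaves the `emptyDir` in place and the object store loses all data on every Pod restart. Change the target to `kind: Deployment` (or convert the workload), and consider a `replace` on `/spec/template/spec/volumes/0` only after confirming `storage` is still volume index 0 once other components have appended volumes.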
@@ -0,0 +1,113 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: minio + labels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-prod + app.kubernetes.io/component: server + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: minio + template: + metadata: + labels: + app: minio + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-prod + app.kubernetes.io/component: minio + app.kubernetes.io/part-of: minio + annotations: + prometheus.io/port_1: "9000" + prometheus.io/scrape_1: "true" + prometheus.io/path_1: "minio/v2/metrics/bucket" + prometheus.io/port_2: "9000" + prometheus.io/scrape_2: "true" + prometheus.io/path_2: "minio/v2/metrics/node" + spec: + securityContext: + runAsUser: 53731 + runAsGroup: 53731 + fsGroup: 53731 + seccompProfile: + type: RuntimeDefault + containers: + # renovate: datasource=github-releases depName=minio/minio versioning="regex:^RELEASE\\.(?\\d{4})-(?\\d{2})-(?\\d{2})" + - image: "quay.io/minio/minio:RELEASE.2024-06-13T22-53-53Z" + imagePullPolicy: IfNotPresent + name: minio + command: + - minio + - server + - --console-address=:9001 + ports: + - containerPort: 9000 + name: minio-api + - containerPort: 9001 + name: minio-console + securityContext: + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 53731 + runAsGroup: 53731 + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "100m" + memory: "512Mi" + livenessProbe: + httpGet: + path: "/minio/health/live" + port: "minio-api" + readinessProbe: + httpGet: + path: "/minio/health/ready" + port: "minio-api" + envFrom: + - configMapRef: + name: "minio-config" + - secretRef: + name: "minio-config" + optional: true + env: + - name: MINIO_PROMETHEUS_AUTH_TYPE + value: public + volumeMounts: + - name: storage + mountPath: 
/data + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - minio + topologyKey: location + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 20 + preference: + matchExpressions: + - key: "cpu_speed" + operator: "In" + values: + - "fast" + volumes: + - name: "storage" + emptyDir: {} diff --git a/apps/minio/kustomization.yaml b/apps/minio/kustomization.yaml new file mode 100644 index 0000000..dc591e4 --- /dev/null +++ b/apps/minio/kustomization.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml +configMapGenerator: + - name: minio-config + literals: + - MINIO_VOLUMES=/data diff --git a/apps/minio/service.yaml b/apps/minio/service.yaml new file mode 100644 index 0000000..e7a5594 --- /dev/null +++ b/apps/minio/service.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: minio +spec: + ports: + - port: 9000 + targetPort: minio-api + name: minio + - port: 9001 + targetPort: minio-console + name: minio-console + selector: + app.kubernetes.io/name: minio diff --git a/apps/minio/upsert-secret-minio.sh b/apps/minio/upsert-secret-minio.sh new file mode 100755 index 0000000..72b32fd --- /dev/null +++ b/apps/minio/upsert-secret-minio.sh 
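Review bot: The `minio-config` secret is marked `optional: true`; if the secret has not been applied the Pod still starts, and MinIO then falls back to its built-in default root credentials, so a missing secret silently yields an object store with well-known admin credentials behind the Istio passthrough. Drop `optional: true` so the Pod fails to schedule until the root credentials exist. Related hardening worth noting: `MINIO_PROMETHEUS_AUTH_TYPE=public` serves metrics without auth, and unlike the miniflux kustomization this one ships no NetworkPolicy, so both the API and the public metrics are reachable from any Pod in the cluster. The pod-level `securityContext` also lacks `runAsNonRoot: true` (the container sets it; adding it at pod level keeps the two consistent with the other deployments here).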
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +MINIO_ROOT_USER="$(echo "$OUTPUT" | grep -e "^MINIO_ROOT_USER=" | cut -d'=' -f2)" +MINIO_ROOT_PASSWORD="$(echo "$OUTPUT" | grep -e "^MINIO_ROOT_PASSWORD=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=MINIO_ROOT_USER="${MINIO_ROOT_USER}" \ + --from-literal=MINIO_ROOT_PASSWORD="${MINIO_ROOT_PASSWORD}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/minio/upsert-secrets.sh b/apps/minio/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/minio/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/monitoring/alertmanager/components/cluster-istio/istio-virtualservice.yaml b/apps/monitoring/alertmanager/components/cluster-istio/istio-virtualservice.yaml new file mode 100644 index 0000000..9456ab3 --- /dev/null +++ b/apps/monitoring/alertmanager/components/cluster-istio/istio-virtualservice.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "alertmanager-cluster" +spec: + hosts: + - "alertmanager" + gateways: + - "istio-system/gateway" + tcp: + - match: + - port: 9094 + route: + - destination: + host: "alertmanager" + port: + number: 9094 
diff --git a/apps/monitoring/alertmanager/components/cluster-istio/kustomization.yaml b/apps/monitoring/alertmanager/components/cluster-istio/kustomization.yaml new file mode 100644 index 0000000..6b9b521 --- /dev/null +++ b/apps/monitoring/alertmanager/components/cluster-istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: "NetworkPolicy" + name: "alertmanager" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/monitoring/alertmanager/components/cluster-tls/cluster-tls-config.yaml b/apps/monitoring/alertmanager/components/cluster-tls/cluster-tls-config.yaml new file mode 100644 index 0000000..2a0308c --- /dev/null +++ b/apps/monitoring/alertmanager/components/cluster-tls/cluster-tls-config.yaml @@ -0,0 +1,12 @@ +--- +tls_server_config: + cert_file: /tls/tls.crt + key_file: /tls/tls.key + client_auth_type: "RequireAndVerifyClientCert" + client_ca_file: /tls/ca.crt + +tls_client_config: + cert_file: /tls/tls.crt + key_file: /tls/tls.key + ca_file: /tls/ca.crt + insecure_skip_verify: true diff --git a/apps/monitoring/alertmanager/components/cluster-tls/kustomization.yaml b/apps/monitoring/alertmanager/components/cluster-tls/kustomization.yaml new file mode 100644 index 0000000..f1d83b0 --- /dev/null +++ b/apps/monitoring/alertmanager/components/cluster-tls/kustomization.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: alertmanager + path: patch.yaml + - target: + kind: Statefulset + name: alertmanager + path: patch.yaml +configMapGenerator: + - name: alertmanager-cluster-tls-config + files: + - cluster-tls-config.yaml 
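Review bot: The patch appends the istio ingress gateway to `/spec/ingress/0/from/-`, but in the alertmanager NetworkPolicy in this commit rule 0 is the 9093 API/UI rule while the cluster port exposed by this component's VirtualService is 9094, which is rule 1 and currently has no `from` at all. The effect is to hand the gateway access to the API rather than to the gossip port. Target `/spec/ingress/1/from/-` (or better, a dedicated rule keyed on `port: 9094`) and keep rule 0 restricted to karma, prometheus and vmalert.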
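Review bot: `tls_client_config` sets `insecure_skip_verify: true` even though `ca_file` is provided, so an alertmanager peer will accept any certificate on the gossip link; the server side demands a verified client cert, but the client side verifies nothing, which leaves the cluster mTLS one-directional and open to an on-path substitution of a peer. Set `insecure_skip_verify: false` and, if the peer addresses do not match the certificate SANs, add `server_name:` with the name the cert carries instead of disabling verification. Note the kustomization targets `kind: Statefulset` (lower-case s); kustomize target matching is exact as far as I know, so that patch would never apply to a `StatefulSet`.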
diff --git a/apps/monitoring/alertmanager/components/cluster-tls/patch.yaml b/apps/monitoring/alertmanager/components/cluster-tls/patch.yaml new file mode 100644 index 0000000..2b6ff63 --- /dev/null +++ b/apps/monitoring/alertmanager/components/cluster-tls/patch.yaml @@ -0,0 +1,28 @@ +--- +- op: "add" + path: "/spec/template/spec/volumes/-" + value: + name: "certs" + secret: + secretName: "prometheus-cert" +- op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "certs" + mountPath: "/tls" + readOnly: true +- op: "add" + path: "/spec/template/spec/volumes/-" + value: + name: "cluster-tls-config" + configMap: + name: "alertmanager-cluster-tls-config" +- op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "cluster-tls-config" + mountPath: "/etc/alertmanager/cluster-tls-config.yaml" + subPath: "cluster-tls-config.yaml" +- op: "add" + path: "/spec/template/spec/containers/0/args/-" + value: "--cluster.tls-config=/etc/alertmanager/cluster-tls-config.yaml" diff --git a/apps/monitoring/alertmanager/components/config/kustomization.yaml b/apps/monitoring/alertmanager/components/config/kustomization.yaml new file mode 100644 index 0000000..4c84f3f --- /dev/null +++ b/apps/monitoring/alertmanager/components/config/kustomization.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: alertmanager + patch: |- + - op: add + path: "/spec/template/spec/containers/0/args/-" + value: "--config.file=/etc/config/alertmanager.yaml" + - op: add + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "alertmanager-config" + readOnly: true + mountPath: "/etc/config/" + - op: add + path: "/spec/template/spec/volumes/-" + value: + name: "alertmanager-config" + secret: + defaultMode: 420 + secretName: alertmanager-config 
diff --git a/apps/monitoring/alertmanager/components/config/patch.yaml b/apps/monitoring/alertmanager/components/config/patch.yaml new file mode 100644 index 0000000..897ecec --- /dev/null +++ b/apps/monitoring/alertmanager/components/config/patch.yaml @@ -0,0 +1,17 @@ +--- +- op: add + path: "/spec/template/spec/containers/0/args/-" + value: "--config.file=/etc/config/alertmanager.yaml" +- op: add + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "alertmanager-config" + readOnly: true + mountPath: "/etc/config/" +- op: add + path: "/spec/template/spec/volumes/-" + value: + name: "alertmanager-config" + secret: + defaultMode: 420 + secretName: alertmanager-config diff --git a/apps/monitoring/alertmanager/components/config/upsert-secret-alertmanager-config.sh b/apps/monitoring/alertmanager/components/config/upsert-secret-alertmanager-config.sh new file mode 100755 index 0000000..f9e2159 --- /dev/null +++ b/apps/monitoring/alertmanager/components/config/upsert-secret-alertmanager-config.sh @@ -0,0 +1,19 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +sops -d alertmanager-config-sops.yaml | \ + kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-file=alertmanager.yaml=/dev/stdin \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/monitoring/alertmanager/components/istio/istio-virtualservice.yaml b/apps/monitoring/alertmanager/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..e720feb --- /dev/null +++ b/apps/monitoring/alertmanager/components/istio/istio-virtualservice.yaml 
@@ -0,0 +1,19 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "alertmanager" +spec: + hosts: + - "alertmanager" + gateways: + - "istio-system/gateway" + http: + - match: + - uri: + prefix: "/" + route: + - destination: + host: "alertmanager" + port: + number: 80 diff --git a/apps/monitoring/alertmanager/components/istio/kustomization.yaml b/apps/monitoring/alertmanager/components/istio/kustomization.yaml new file mode 100644 index 0000000..6b9b521 --- /dev/null +++ b/apps/monitoring/alertmanager/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: "NetworkPolicy" + name: "alertmanager" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/monitoring/alertmanager/components/reverse-proxy/kustomization.yaml b/apps/monitoring/alertmanager/components/reverse-proxy/kustomization.yaml new file mode 100644 index 0000000..bd2efd8 --- /dev/null +++ b/apps/monitoring/alertmanager/components/reverse-proxy/kustomization.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: alertmanager + patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--web.route-prefix=/" + - target: + kind: StatefulSet + name: alertmanager + patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--web.route-prefix=/" + - target: + kind: NetworkPolicy + name: "alertmanager" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "monitoring" + podSelector: + matchLabels: + app.kubernetes.io/name: "reverse-proxy" 
diff --git a/apps/monitoring/alertmanager/deployment.yaml b/apps/monitoring/alertmanager/deployment.yaml new file mode 100644 index 0000000..8d64c9a --- /dev/null +++ b/apps/monitoring/alertmanager/deployment.yaml 
@@ -0,0 +1,106 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: alertmanager + labels: + app.kubernetes.io/name: alertmanager + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: alertmanager + template: + metadata: + labels: + app: alertmanager + app.kubernetes.io/name: alertmanager + app.kubernetes.io/component: alertmanager + app.kubernetes.io/instance: alertmanager-prod + app.kubernetes.io/part-of: monitoring + annotations: + prometheus.io/port: "9093" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsNonRoot: true + runAsUser: 44443 + runAsGroup: 44443 + fsGroup: 44443 + seccompProfile: + type: RuntimeDefault + containers: + - name: alertmanager + image: quay.io/prometheus/alertmanager:v0.27.0 + imagePullPolicy: IfNotPresent + args: + - --storage.path=/data + - --log.level=info + securityContext: + runAsNonRoot: true + runAsUser: 44443 + runAsGroup: 44443 + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + ports: + - containerPort: 9093 + name: "alertmanager" + - containerPort: 9094 + name: "am-cluster" + livenessProbe: + failureThreshold: 10 + httpGet: + path: "/-/healthy" + port: "alertmanager" + successThreshold: 1 + timeoutSeconds: 3 + readinessProbe: + failureThreshold: 10 + httpGet: + path: "/-/ready" + port: "alertmanager" + initialDelaySeconds: 3 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + volumeMounts: + - name: "storage" + mountPath: "/data" + resources: + requests: + cpu: "10m" + memory: "50Mi" + limits: + memory: "96Mi" + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - alertmanager + topologyKey: location + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 5 
+ preference: + matchExpressions: + - key: cpu_speed + operator: In + values: + - slow + volumes: + - name: storage + emptyDir: + sizeLimit: 100Mi diff --git a/apps/monitoring/alertmanager/kustomization.yaml b/apps/monitoring/alertmanager/kustomization.yaml new file mode 100644 index 0000000..521d11d --- /dev/null +++ b/apps/monitoring/alertmanager/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - networkpolicy.yaml + - service.yaml diff --git a/apps/monitoring/alertmanager/networkpolicy.yaml b/apps/monitoring/alertmanager/networkpolicy.yaml new file mode 100644 index 0000000..d839b07 --- /dev/null +++ b/apps/monitoring/alertmanager/networkpolicy.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: alertmanager +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: 9093 + from: + - podSelector: + matchLabels: + app.kubernetes.io/name: "karma" + - podSelector: + matchLabels: + app.kubernetes.io/name: "prometheus" + - podSelector: + matchLabels: + app.kubernetes.io/name: "vmalert" + - ports: + - protocol: TCP + port: 9094 diff --git a/apps/monitoring/alertmanager/service.yaml b/apps/monitoring/alertmanager/service.yaml new file mode 100644 index 0000000..1285c55 --- /dev/null +++ b/apps/monitoring/alertmanager/service.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: "v1" +kind: "Service" +metadata: + name: "alertmanager" +spec: + ports: + - port: 80 + protocol: "TCP" + targetPort: "alertmanager" + name: "alertmanager" + - port: 9094 + protocol: "TCP" + targetPort: "am-cluster" + name: "am-cluster" + selector: + app.kubernetes.io/name: "alertmanager" 
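Review bot: The second ingress rule (`port: 9094`) has no `from`, so the cluster gossip port accepts connections from any Pod in any namespace; the cluster-tls component mitigates this only when it is applied, and the base manifest here ships without it. Restrict the rule to peers, e.g. `from:` / `  - podSelector:` / `      matchLabels: {app.kubernetes.io/name: alertmanager}`, and let the cluster-istio component append the gateway to that rule. `policyTypes` lists only `Ingress`, so egress is unrestricted; the miniflux policy in this commit shows the namespace already uses explicit egress rules, so a matching allow-list for DNS and the receivers would be consistent.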
diff --git a/apps/monitoring/blackbox_exporter/components/custom-config/kustomization.yaml b/apps/monitoring/blackbox_exporter/components/custom-config/kustomization.yaml new file mode 100644 index 0000000..5cbfde5 --- /dev/null +++ b/apps/monitoring/blackbox_exporter/components/custom-config/kustomization.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: blackbox-exporter + patch: |- + - op: add + path: "/spec/template/spec/containers/0/args/-" + value: "--config.file=/etc/config/config.yaml" + - op: add + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "blackbox-exporter-config-volume" + mountPath: "/etc/config/" + - op: add + path: "/spec/template/spec/volumes/-" + value: + name: blackbox-exporter-config-volume + configMap: + defaultMode: 420 + name: blackbox-exporter-config diff --git a/apps/monitoring/blackbox_exporter/components/istio/istio-virtualservice.yaml b/apps/monitoring/blackbox_exporter/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..bfc1e26 --- /dev/null +++ b/apps/monitoring/blackbox_exporter/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: blackbox-exporter +spec: + hosts: + - blackbox-exporter + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: blackbox-exporter + port: + number: 80 diff --git a/apps/monitoring/blackbox_exporter/components/istio/kustomization.yaml b/apps/monitoring/blackbox_exporter/components/istio/kustomization.yaml new file mode 100644 index 0000000..1e3eeb4 --- /dev/null +++ b/apps/monitoring/blackbox_exporter/components/istio/kustomization.yaml 
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "blackbox-exporter"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/monitoring/blackbox_exporter/components/reverse-proxy/kustomization.yaml b/apps/monitoring/blackbox_exporter/components/reverse-proxy/kustomization.yaml
new file mode 100644
index 0000000..692c9aa
--- /dev/null
+++ b/apps/monitoring/blackbox_exporter/components/reverse-proxy/kustomization.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: Deployment
+ name: blackbox-exporter
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--web.external-url=/blackbox-exporter"
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--web.route-prefix=/"
+ - target:
+ kind: "NetworkPolicy"
+ name: "blackbox-exporter"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "monitoring"
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "reverse-proxy"
diff --git a/apps/monitoring/blackbox_exporter/components/tls-client-cert/kustomization.yaml b/apps/monitoring/blackbox_exporter/components/tls-client-cert/kustomization.yaml
new file mode 100644
index 0000000..9934a20
--- /dev/null
+++ b/apps/monitoring/blackbox_exporter/components/tls-client-cert/kustomization.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: Deployment
+ name: blackbox-exporter
+ patch: |
+ - op: add
+ path: /spec/template/spec/volumes/-
+ value:
+ name: certs
+ secret:
+ secretName: prometheus-cert
+ - op: add
+ path: /spec/template/spec/containers/0/volumeMounts/-
+ value:
+ name: certs
+ mountPath: /certs
+ readOnly: true
diff --git a/apps/monitoring/blackbox_exporter/deployment.yaml b/apps/monitoring/blackbox_exporter/deployment.yaml
new file mode 100644
index 0000000..c84302f
--- /dev/null
+++ b/apps/monitoring/blackbox_exporter/deployment.yaml
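Review bot: This component mounts the Secret `prometheus-cert` into blackbox-exporter, and on this page that Secret is the output of the Certificate named `prometheus` (CN `prometheus.svc.soeren.cloud`) in apps/monitoring/components/tls-client-cert/certificate.yaml. If that is the intended source, blackbox-exporter presents Prometheus's client identity and shares its private key, so any target that authorizes on the client CN cannot tell the two apart and a rotation or compromise of the key affects both. Consider issuing a separate Certificate for blackbox-exporter from the same Issuer, e.g. `secretName: blackbox-exporter-cert`, and referencing that here.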
@@ -0,0 +1,100 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: blackbox-exporter
+ labels:
+ app: blackbox-exporter
+ annotations:
+ ignore-check.kube-linter.io/unsafe-sysctls: "Blackbox exporter needs sysctl parameters to perform ICMP as non-root user"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: "blackbox-exporter"
+ template:
+ metadata:
+ labels:
+ app: "blackbox-exporter"
+ app.kubernetes.io/name: blackbox-exporter
+ app.kubernetes.io/instance: blackbox-exporter-prod
+ app.kubernetes.io/component: blackbox-exporter
+ app.kubernetes.io/part-of: monitoring
+ annotations:
+ prometheus.io/port: "9115"
+ prometheus.io/scrape: "true"
+ spec:
+ securityContext:
+ runAsUser: 49172
+ runAsGroup: 49172
+ fsGroup: 49172
+ runAsNonRoot: true
+ sysctls:
+ - name: "net.ipv4.ping_group_range"
+ value: "0 2147483647"
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: "blackbox-exporter"
+ image: "docker.io/prom/blackbox-exporter:v0.25.0"
+ imagePullPolicy: "IfNotPresent"
+ args: []
+ ports:
+ - containerPort: 9115
+ name: "blackbox"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 49172
+ runAsGroup: 49172
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "64Mi"
+ limits:
+ memory: "128Mi"
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: "/-/healthy"
+ port: "blackbox"
+ scheme: "HTTP"
+ initialDelaySeconds: 30
+ periodSeconds: 15
+ successThreshold: 1
+ timeoutSeconds: 10
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: "/-/ready"
+ port: "blackbox"
+ scheme: "HTTP"
+ initialDelaySeconds: 0
+ successThreshold: 1
+ timeoutSeconds: 4
+ volumeMounts: []
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 50
+ preference:
+ matchExpressions:
+ - key: "location"
+ operator: "NotIn"
+ values:
+ - "ez"
+ - weight: 10
+ preference:
+ matchExpressions:
+ - key: "cpu_speed"
+ operator: "In"
+ values:
+ - "slow"
+ volumes: []
diff --git a/apps/monitoring/blackbox_exporter/kustomization.yaml b/apps/monitoring/blackbox_exporter/kustomization.yaml
new file mode 100644
index 0000000..3686d34
--- /dev/null
+++ b/apps/monitoring/blackbox_exporter/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - networkpolicy.yaml
diff --git a/apps/monitoring/blackbox_exporter/networkpolicy.yaml b/apps/monitoring/blackbox_exporter/networkpolicy.yaml
new file mode 100644
index 0000000..7c65dfc
--- /dev/null
+++ b/apps/monitoring/blackbox_exporter/networkpolicy.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: blackbox-exporter
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: blackbox-exporter
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: blackbox
+ from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "prometheus"
diff --git a/apps/monitoring/blackbox_exporter/service.yaml b/apps/monitoring/blackbox_exporter/service.yaml
new file mode 100644
index 0000000..c7513b7
--- /dev/null
+++ b/apps/monitoring/blackbox_exporter/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: "blackbox-exporter"
+spec:
+ selector:
+ app: "blackbox-exporter"
+ ports:
+ - port: 80
+ targetPort: "blackbox"
diff --git a/apps/monitoring/components/reverse-proxy-istio/istio-virtualservice.yaml b/apps/monitoring/components/reverse-proxy-istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..aa08d89
--- /dev/null
+++ b/apps/monitoring/components/reverse-proxy-istio/istio-virtualservice.yaml
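Review bot: The pod-level sysctl `net.ipv4.ping_group_range` is opened to every group id (`"0 2147483647"`) although the pod is pinned to gid 49172 by `runAsGroup`/`fsGroup`, so any process in the pod's network namespace gets unprivileged ICMP sockets regardless of its group. The annotation justifies the sysctl itself, but the range can be narrowed to exactly the exporter's group: `value: "49172 49172"`. This keeps the kube-linter waiver scoped to the minimum the exporter needs.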
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: monitoring-reverse-proxy
+spec:
+ hosts:
+ - monitoring
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: reverse-proxy
+ port:
+ number: 80
diff --git a/apps/monitoring/components/reverse-proxy-istio/kustomization.yaml b/apps/monitoring/components/reverse-proxy-istio/kustomization.yaml
new file mode 100644
index 0000000..5e37d63
--- /dev/null
+++ b/apps/monitoring/components/reverse-proxy-istio/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
diff --git a/apps/monitoring/components/reverse-proxy-oidc/kustomization.yaml b/apps/monitoring/components/reverse-proxy-oidc/kustomization.yaml
new file mode 100644
index 0000000..2a16aeb
--- /dev/null
+++ b/apps/monitoring/components/reverse-proxy-oidc/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+configMapGenerator:
+ - name: oauth2-proxy
+ envs:
+ - oauth2-proxy.properties
+patches:
+ - target:
+ kind: Deployment
+ name: reverse-proxy
+ path: oauth2-proxy.yaml
+ - target:
+ kind: Service
+ name: reverse-proxy
+ patch: |
+ - op: replace
+ path: /spec/ports/0/targetPort
+ value: 4180
diff --git a/apps/monitoring/components/reverse-proxy-oidc/oauth2-proxy.properties b/apps/monitoring/components/reverse-proxy-oidc/oauth2-proxy.properties
new file mode 100644
index 0000000..662f37a
--- /dev/null
+++ b/apps/monitoring/components/reverse-proxy-oidc/oauth2-proxy.properties
@@ -0,0 +1,6 @@
+OAUTH2_PROXY_PROVIDER=keycloak-oidc
+OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
+OAUTH2_PROXY_UPSTREAMS=http://localhost:8080
+OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
+OAUTH2_PROXY_SILENCE_PING_LOGGING=true
+OAUTH2_PROXY_FOOTER=-
diff --git a/apps/monitoring/components/reverse-proxy-oidc/oauth2-proxy.yaml b/apps/monitoring/components/reverse-proxy-oidc/oauth2-proxy.yaml
new file mode 100644
index 0000000..1a7b5d6
--- /dev/null
+++ b/apps/monitoring/components/reverse-proxy-oidc/oauth2-proxy.yaml
@@ -0,0 +1,42 @@
+---
+- op: add
+ path: /spec/template/spec/containers/-
+ value:
+ name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+ envFrom:
+ - configMapRef:
+ name: oauth2-proxy
+ - secretRef:
+ name: oauth2-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: [all]
+ runAsUser: 65532
+ runAsGroup: 65532
+ resources:
+ requests:
+ memory: "16Mi"
+ cpu: "5m"
+ limits:
+ memory: "64Mi"
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: oauth2-proxy
+ initialDelaySeconds: 4
+ timeoutSeconds: 2
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: oauth2-proxy
+ initialDelaySeconds: 2
+ ports:
+ - containerPort: 4180
+ name: oauth2-proxy
diff --git a/apps/monitoring/components/reverse-proxy-oidc/upsert-secret-monitoring-reverse-proxy-oidc.sh b/apps/monitoring/components/reverse-proxy-oidc/upsert-secret-monitoring-reverse-proxy-oidc.sh
new file mode 100755
index 0000000..5832255
--- /dev/null
+++ b/apps/monitoring/components/reverse-proxy-oidc/upsert-secret-monitoring-reverse-proxy-oidc.sh
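Review bot: The oauth2-proxy sidecar drops capabilities with `drop: [all]` in lowercase, while every other container in this commit (blackbox-exporter, reverse-proxy, karma, kube-state-metrics) uses the documented spelling `ALL`. Whether a lowercase `all` is honoured is runtime-dependent rather than guaranteed by the API, and the repository's kube-linter usage (visible via the `ignore-check.kube-linter.io` annotation on blackbox-exporter) may not recognise it as a full drop; use `drop: [ALL]`. The same lowercase value appears in the identical sidecar patch at apps/monitoring/prometheus/components/oidc/deployment.yaml at the end of this page.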
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OAUTH2_PROXY_CLIENT_ID="monitoring"
+TF_VALUE=$(terraform -chdir=../../../../../tf-keycloak output -json clients | jq -r '.["'"${OAUTH2_PROXY_CLIENT_ID}"'"]')
+OAUTH2_PROXY_CLIENT_SECRET=$(echo "$TF_VALUE" | jq -r '.client_secret')
+OAUTH2_PROXY_COOKIE_SECRET="$(openssl rand -base64 32 | tr -- '+/' '-_')"
+OAUTH2_PROXY_EMAIL_DOMAINS="*"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=OAUTH2_PROXY_COOKIE_SECRET="${OAUTH2_PROXY_COOKIE_SECRET}" \
+ --from-literal=OAUTH2_PROXY_CLIENT_ID="${OAUTH2_PROXY_CLIENT_ID}" \
+ --from-literal=OAUTH2_PROXY_CLIENT_SECRET="${OAUTH2_PROXY_CLIENT_SECRET}" \
+ --from-literal=OAUTH2_PROXY_EMAIL_DOMAINS="${OAUTH2_PROXY_EMAIL_DOMAINS}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/monitoring/components/reverse-proxy/kustomization.yaml b/apps/monitoring/components/reverse-proxy/kustomization.yaml
new file mode 100644
index 0000000..3b970e0
--- /dev/null
+++ b/apps/monitoring/components/reverse-proxy/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - reverse-proxy-deployment.yaml
+ - reverse-proxy-service.yaml
+configMapGenerator:
+ - name: nginx-config
+ files:
+ - nginx.conf
diff --git a/apps/monitoring/components/reverse-proxy/nginx.conf b/apps/monitoring/components/reverse-proxy/nginx.conf
new file mode 100644
index 0000000..69e516c
--- /dev/null
+++ b/apps/monitoring/components/reverse-proxy/nginx.conf
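Review bot: `OAUTH2_PROXY_CLIENT_SECRET` is never validated before it is sealed into the secret: if the Terraform `clients` output has no entry for `monitoring`, both `jq -r` calls print `null` and exit 0, so `set -eu` does not trip and the literal string `null` is committed as the client secret. Add a guard right after the assignment, `[ -n "$OAUTH2_PROXY_CLIENT_SECRET" ] && [ "$OAUTH2_PROXY_CLIENT_SECRET" != "null" ] || { echo "no client secret for ${OAUTH2_PROXY_CLIENT_ID}" >&2; exit 1; }`, and pass the id into jq as a variable instead of splicing it into the filter string, `jq -r --arg id "$OAUTH2_PROXY_CLIENT_ID" '.[$id].client_secret'`. `OAUTH2_PROXY_EMAIL_DOMAINS="*"` also admits every account the Keycloak realm can authenticate; if the realm serves more than this audience, narrow the domain or add an `OAUTH2_PROXY_ALLOWED_GROUPS` restriction.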
@@ -0,0 +1,100 @@
+ worker_processes 1;
+ events {
+ worker_connections 1024;
+ }
+
+ http {
+ server {
+ listen 8080;
+ absolute_redirect off;
+ port_in_redirect off;
+
+ # security settings
+ server_tokens off;
+ client_body_buffer_size 1k;
+ client_header_buffer_size 1k;
+ client_max_body_size 1k;
+ large_client_header_buffers 2 1k;
+
+ location /alertmanager {
+ rewrite ^(/alertmanager)$ $1/ permanent;
+ }
+
+ location /alertmanager/ {
+ proxy_pass http://alertmanager;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 1s;
+ proxy_read_timeout 3s;
+ rewrite ^/alertmanager/(.*)$ /$1 break;
+ }
+
+ location /blackbox-exporter {
+ rewrite ^(/blackbox-exporter)$ $1/ permanent;
+ }
+
+ location /blackbox-exporter/ {
+ proxy_pass http://blackbox-exporter;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 1s;
+ proxy_read_timeout 3s;
+ rewrite ^/blackbox-exporter/(.*)$ /$1 break;
+ }
+
+ location /prometheus {
+ rewrite ^(/prometheus)$ $1/ permanent;
+ }
+
+ location /prometheus/ {
+ proxy_pass http://prometheus;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 1s;
+ proxy_read_timeout 3s;
+ rewrite ^/prometheus/(.*)$ /$1 break;
+ }
+
+ location /karma {
+ proxy_pass http://karma;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 1s;
+ proxy_read_timeout 3s;
+ proxy_redirect off;
+ }
+
+ location /pushgateway {
+ rewrite ^(/pushgateway)$ $1/ permanent;
+ }
+
+ location /pushgateway/ {
+ proxy_pass http://pushgateway;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 1s;
+ proxy_read_timeout 3s;
+ rewrite ^/pushgateway/(.*)$ /$1 break;
+ }
+
+ location = /health {
+ access_log off;
+ add_header 'Content-Type' 'application/json';
+ return 200 '{"status":"UP"}';
+ }
+
+ location / {
+ return 404;
+ }
+ }
+ }
\ No newline at end of file
diff --git a/apps/monitoring/components/reverse-proxy/reverse-proxy-deployment.yaml b/apps/monitoring/components/reverse-proxy/reverse-proxy-deployment.yaml
new file mode 100644
index 0000000..78806f4
--- /dev/null
+++ b/apps/monitoring/components/reverse-proxy/reverse-proxy-deployment.yaml
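Review bot: Every proxied location sets `X-Forwarded-Proto $scheme`, but this server only listens on plain `8080` (TLS is terminated upstream by the Istio gateway in the reverse-proxy-istio component), so `$scheme` is always `http` and any upstream that builds absolute links or redirects from that header will emit `http://` URLs for what the user reached over HTTPS. If the gateway sets the header, forward its value instead, `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` in each location (or a `map` that falls back to `$scheme` when the incoming header is empty). The `/karma` location is also a bare prefix with no `/karma/` split like the other apps, so it matches `/karmaanything` as well; that is presumably intended because the karma reverse-proxy component sets `LISTEN_PREFIX=/karma`, but worth confirming.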
@@ -0,0 +1,79 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reverse-proxy
+ labels:
+ app.kubernetes.io/name: reverse-proxy
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reverse-proxy
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: reverse-proxy
+ app.kubernetes.io/instance: media-prod
+ app.kubernetes.io/component: reverse-proxy
+ app.kubernetes.io/part-of: monitoring
+ app: reverse-proxy
+ spec:
+ securityContext:
+ runAsUser: 23453
+ runAsGroup: 23453
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: nginx
+ image: nginx:1.27.0-alpine
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ privileged: false
+ runAsUser: 23453
+ runAsGroup: 23453
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ livenessProbe:
+ httpGet:
+ port: nginx
+ path: "/health"
+ readinessProbe:
+ httpGet:
+ port: nginx
+ path: "/health"
+ resources:
+ requests:
+ cpu: 5m
+ memory: 16Mi
+ limits:
+ memory: 128Mi
+ ports:
+ - containerPort: 8080
+ name: nginx
+ volumeMounts:
+ - name: nginx-config
+ mountPath: /etc/nginx/nginx.conf
+ subPath: nginx.conf
+ - name: cache
+ mountPath: /var/cache/nginx
+ - name: run
+ mountPath: /var/run
+ volumes:
+ - name: nginx-config
+ configMap:
+ name: nginx-config
+ - name: cache
+ emptyDir:
+ sizeLimit: 5Mi
+ - name: run
+ emptyDir:
+ sizeLimit: 5Mi
diff --git a/apps/monitoring/components/reverse-proxy/reverse-proxy-service.yaml b/apps/monitoring/components/reverse-proxy/reverse-proxy-service.yaml
new file mode 100644
index 0000000..aacbc3e
--- /dev/null
+++ b/apps/monitoring/components/reverse-proxy/reverse-proxy-service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: reverse-proxy
+spec:
+ selector:
+ app: reverse-proxy
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: nginx
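Review bot: The reverse-proxy pod ships with no NetworkPolicy — the component's kustomization on this page lists only the Deployment and Service — so when the reverse-proxy-oidc component moves the Service's targetPort to 4180, nginx on container port 8080 is still reachable directly on the pod IP by any workload that can route to it, which bypasses oauth2-proxy entirely unless a namespace-wide default-deny exists that this page does not show. Every other app in this commit gets a NetworkPolicy; add one selecting `app.kubernetes.io/name: reverse-proxy` that admits only TCP/4180 from the `istio-system` ingress gateway (the same selector pattern the blackbox-exporter istio component patches in), and nothing for 8080. Separately, `app.kubernetes.io/instance: media-prod` looks copied from another app, since the sibling pods here use `<app>-prod` and `part-of: monitoring`; `reverse-proxy-prod` would match the convention.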
diff --git a/apps/monitoring/components/tls-client-cert/certificate.yaml b/apps/monitoring/components/tls-client-cert/certificate.yaml
new file mode 100644
index 0000000..31e8056
--- /dev/null
+++ b/apps/monitoring/components/tls-client-cert/certificate.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: "cert-manager.io/v1"
+kind: "Certificate"
+metadata:
+ name: "prometheus"
+spec:
+ secretName: "prometheus-cert"
+ duration: "2160h"
+ renewBefore: "360h"
+ commonName: "prometheus.svc.soeren.cloud"
+ dnsNames:
+ - "prometheus.svc.soeren.cloud"
+ issuerRef:
+ name: "vault-issuer"
+ kind: "Issuer"
+ group: "cert-manager.io"
diff --git a/apps/monitoring/components/tls-client-cert/issuer.yaml b/apps/monitoring/components/tls-client-cert/issuer.yaml
new file mode 100644
index 0000000..a446deb
--- /dev/null
+++ b/apps/monitoring/components/tls-client-cert/issuer.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: "v1"
+kind: "ServiceAccount"
+metadata:
+ name: "vault-issuer"
+---
+apiVersion: "v1"
+kind: "Secret"
+metadata:
+ name: "vault-issuer-sa"
+ annotations:
+ kubernetes.io/service-account.name: "vault-issuer"
+type: "kubernetes.io/service-account-token"
+---
+apiVersion: "cert-manager.io/v1"
+kind: "Issuer"
+metadata:
+ name: "vault-issuer"
+spec:
+ vault:
+ path: "pki/im_srn/sign/certmanager"
+ server: "https://vault.ha.soeren.cloud"
+ auth:
+ kubernetes:
+ role: "certmanager"
+ mountPath: "/v1/auth/svc.dd.soeren.cloud"
+ secretRef:
+ name: "vault-issuer-sa"
+ key: "token"
diff --git a/apps/monitoring/components/tls-client-cert/kustomization.yaml b/apps/monitoring/components/tls-client-cert/kustomization.yaml
new file mode 100644
index 0000000..95e8db4
--- /dev/null
+++ b/apps/monitoring/components/tls-client-cert/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - certificate.yaml
+ - issuer.yaml
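Review bot: The Issuer authenticates to Vault with a long-lived `kubernetes.io/service-account-token` Secret (`vault-issuer-sa`), a credential that never expires and is readable by anything holding `get secrets` in the namespace — the broadest credential in this component, guarding a CA signing path. cert-manager's Vault Kubernetes auth also accepts `serviceAccountRef` under `auth.kubernetes`, which has cert-manager request a short-lived bound token for the named ServiceAccount; if the cert-manager version in use supports it, replace the `secretRef` with `serviceAccountRef: {name: vault-issuer}` and drop the Secret manifest. If the static token must stay, note in the file why, so the next reader does not assume it is an oversight.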
diff --git a/apps/monitoring/karma/components/istio/istio-virtualservice.yaml b/apps/monitoring/karma/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..1235059
--- /dev/null
+++ b/apps/monitoring/karma/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: karma
+spec:
+ hosts:
+ - karma
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: karma
+ port:
+ number: 80
diff --git a/apps/monitoring/karma/components/istio/kustomization.yaml b/apps/monitoring/karma/components/istio/kustomization.yaml
new file mode 100644
index 0000000..5e37d63
--- /dev/null
+++ b/apps/monitoring/karma/components/istio/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
diff --git a/apps/monitoring/karma/components/reverse-proxy/kustomization.yaml b/apps/monitoring/karma/components/reverse-proxy/kustomization.yaml
new file mode 100644
index 0000000..bc0c2f8
--- /dev/null
+++ b/apps/monitoring/karma/components/reverse-proxy/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: Deployment
+ name: karma
+ patch: |-
+ - op: replace
+ path: "/spec/template/spec/containers/0/readinessProbe/httpGet/path"
+ value: "/karma/health"
+ - op: replace
+ path: "/spec/template/spec/containers/0/livenessProbe/httpGet/path"
+ value: "/karma/health"
+ - op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: "LISTEN_PREFIX"
+ value: "/karma"
diff --git a/apps/monitoring/karma/deployment.yaml b/apps/monitoring/karma/deployment.yaml
new file mode 100644
index 0000000..443408e
--- /dev/null
+++ b/apps/monitoring/karma/deployment.yaml
@@ -0,0 +1,106 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: karma
+ labels:
+ app.kubernetes.io/name: karma
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: karma
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: karma
+ app.kubernetes.io/name: karma
+ app.kubernetes.io/instance: karma-prod
+ app.kubernetes.io/component: karma
+ app.kubernetes.io/part-of: monitoring
+ annotations:
+ prometheus.io/port: "8000"
+ prometheus.io/scrape: "true"
+ spec:
+ securityContext:
+ runAsUser: 65535
+ runAsGroup: 65535
+ fsGroup: 65535
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - image: ghcr.io/prymitive/karma:v0.120
+ imagePullPolicy: IfNotPresent
+ name: karma
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ privileged: false
+ runAsUser: 65535
+ runAsGroup: 65535
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ resources:
+ requests:
+ memory: 64Mi
+ cpu: 10m
+ limits:
+ memory: 256Mi
+ ports:
+ - containerPort: 8000
+ name: karma
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: karma
+ initialDelaySeconds: 120
+ timeoutSeconds: 5
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: health
+ port: karma
+ initialDelaySeconds: 1
+ env:
+ - name: CONFIG_FILE
+ value: /conf/karma.yaml
+ volumeMounts:
+ - name: config
+ mountPath: /conf
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: location
+ whenUnsatisfiable: ScheduleAnyway
+ volumes:
+ - name: config
+ configMap:
+ name: karma-config
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: "app.kubernetes.io/part-of"
+ operator: "In"
+ values:
+ - "monitoring"
+ topologyKey: "kubernetes.io/hostname"
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 20
+ preference:
+ matchExpressions:
+ - key: cpu_speed
+ operator: NotIn
+ values:
+ - fast
diff --git a/apps/monitoring/karma/kustomization.yaml b/apps/monitoring/karma/kustomization.yaml
new file mode 100644
index 0000000..356c305
--- /dev/null
+++ b/apps/monitoring/karma/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
diff --git a/apps/monitoring/karma/service.yaml b/apps/monitoring/karma/service.yaml
new file mode 100644
index 0000000..13d918e
--- /dev/null
+++ b/apps/monitoring/karma/service.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: karma
+ labels:
+ app: karma
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: karma
+ selector:
+ app.kubernetes.io/name: karma
diff --git a/apps/monitoring/kube-state-metrics/components/rbac/cluster-role-binding.yaml b/apps/monitoring/kube-state-metrics/components/rbac/cluster-role-binding.yaml
new file mode 100644
index 0000000..98297e8
--- /dev/null
+++ b/apps/monitoring/kube-state-metrics/components/rbac/cluster-role-binding.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: kube-state-metrics
+ name: kube-state-metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kube-state-metrics
+subjects:
+ - kind: ServiceAccount
+ name: kube-state-metrics
+ namespace: kube-system
diff --git a/apps/monitoring/kube-state-metrics/components/rbac/cluster-role.yaml b/apps/monitoring/kube-state-metrics/components/rbac/cluster-role.yaml
new file mode 100644
index 0000000..b55f5a8
--- /dev/null
+++ b/apps/monitoring/kube-state-metrics/components/rbac/cluster-role.yaml
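Review bot: The karma readiness probe uses `path: health` without a leading slash while the liveness probe right above it uses `/health`; the kubelet may normalise the missing slash, but the two probes are meant to hit the same endpoint and the karma reverse-proxy component on this page replaces both paths with `/karma/health`, so they should agree in the base manifest too: `path: /health`. If the probe is meant to differ, a comment saying why would stop the next reader from "fixing" it.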
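Review bot: The ClusterRoleBinding's subject is ServiceAccount `kube-state-metrics` in namespace `kube-system`, but the ServiceAccount this commit creates (apps/monitoring/kube-state-metrics/service-account.yaml) has no namespace of its own and the app is clearly placed in `monitoring` (namespace.yml, and the NetworkPolicy's `kubernetes.io/metadata.name: "monitoring"` selector). Unless the kustomization that includes this component sets `namespace: kube-system`, which this page does not show, the binding grants the ClusterRole to a ServiceAccount that does not exist and the one the Deployment actually uses (`serviceAccountName: "kube-state-metrics"`) gets no list/watch permissions. Change the subject to `namespace: monitoring`, or document why kube-system is intended.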
@@ -0,0 +1,120 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/version: 2.6.0
+ name: kube-state-metrics
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - nodes
+ - pods
+ - services
+ - serviceaccounts
+ - resourcequotas
+ - replicationcontrollers
+ - limitranges
+ - persistentvolumeclaims
+ - persistentvolumes
+ - namespaces
+ - endpoints
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ - daemonsets
+ - deployments
+ - replicasets
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ - volumeattachments
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ - ingresses
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - list
+ - watch
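Review bot: The ClusterRole carries `app.kubernetes.io/version: 2.6.0` while the Deployment on this page runs `kube-state-metrics:v2.12.0`, and this label is the only version marker in the RBAC component, so it will mislead anyone checking whether these rules match the deployed release. Either remove the label or set it to `2.12.0`, and keep it in step with the image tag on upgrades. The rules themselves are the upstream list/watch set with `create` limited to tokenreviews and subjectaccessreviews, and notably do not include secrets, which is the right scope for this exporter.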
diff --git a/apps/monitoring/kube-state-metrics/components/rbac/kustomization.yaml b/apps/monitoring/kube-state-metrics/components/rbac/kustomization.yaml
new file mode 100644
index 0000000..99cf22c
--- /dev/null
+++ b/apps/monitoring/kube-state-metrics/components/rbac/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - cluster-role.yaml
+ - cluster-role-binding.yaml
diff --git a/apps/monitoring/kube-state-metrics/deployment.yaml b/apps/monitoring/kube-state-metrics/deployment.yaml
new file mode 100644
index 0000000..e1fc6de
--- /dev/null
+++ b/apps/monitoring/kube-state-metrics/deployment.yaml
@@ -0,0 +1,85 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: kube-state-metrics
+ name: kube-state-metrics
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kube-state-metrics
+ template:
+ metadata:
+ labels:
+ app: kube-state-metrics
+ app.kubernetes.io/name: kube-state-metrics
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/instance: kube-state-metrics-prod
+ app.kubernetes.io/part-of: monitoring
+ annotations:
+ prometheus.io/port: "8080"
+ prometheus.io/scrape: "true"
+ spec:
+ automountServiceAccountToken: true
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - image: "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.12.0"
+ name: "kube-state-metrics"
+ ports:
+ - containerPort: 8080
+ name: "metrics"
+ - containerPort: 8081
+ name: "telemetry"
+ livenessProbe:
+ httpGet:
+ path: "/healthz"
+ port: 8080
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: 8081
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ resources:
+ requests:
+ cpu: 25m
+ memory: 32Mi
+ limits:
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ capabilities:
+ drop:
+ - "ALL"
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ nodeSelector:
+ kubernetes.io/os: linux
+ serviceAccountName: "kube-state-metrics"
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: "app.kubernetes.io/part-of"
+ operator: "In"
+ values:
+ - "monitoring"
+ topologyKey: "kubernetes.io/hostname"
diff --git a/apps/monitoring/kube-state-metrics/kustomization.yaml b/apps/monitoring/kube-state-metrics/kustomization.yaml
new file mode 100644
index 0000000..f7c05f4
--- /dev/null
+++ b/apps/monitoring/kube-state-metrics/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - service-account.yaml
+ - deployment.yaml
+ - service.yaml
+ - networkpolicy.yaml
diff --git a/apps/monitoring/kube-state-metrics/networkpolicy.yaml b/apps/monitoring/kube-state-metrics/networkpolicy.yaml
new file mode 100644
index 0000000..2f3b66f
--- /dev/null
+++ b/apps/monitoring/kube-state-metrics/networkpolicy.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+ name: "kube-state-metrics"
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: "kube-state-metrics"
+ policyTypes:
+ - "Ingress"
+ - "Egress"
+ ingress:
+ - ports:
+ - protocol: "TCP"
+ port: "metrics"
+ - protocol: "TCP"
+ port: "telemetry"
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "monitoring"
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "prometheus"
+ egress: []
diff --git a/apps/monitoring/kube-state-metrics/service-account.yaml b/apps/monitoring/kube-state-metrics/service-account.yaml
new file mode 100644
index 0000000..8f54427
--- /dev/null
+++ b/apps/monitoring/kube-state-metrics/service-account.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: kube-state-metrics
+ name: kube-state-metrics
diff --git a/apps/monitoring/kube-state-metrics/service.yaml b/apps/monitoring/kube-state-metrics/service.yaml
new file mode 100644
index 0000000..c4e2476
--- /dev/null
+++ b/apps/monitoring/kube-state-metrics/service.yaml
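Review bot: The kube-state-metrics NetworkPolicy selects `app.kubernetes.io/component: "kube-state-metrics"`, but the Deployment's pod template on this page labels the pod `app.kubernetes.io/component: exporter` (with `app.kubernetes.io/name: kube-state-metrics`), so the policy matches no pods and provides no restriction at all. Once the selector is corrected to `app.kubernetes.io/name: "kube-state-metrics"`, the `Egress` policy type combined with `egress: []` will deny all outbound traffic from the exporter, including to the kube-apiserver it must list/watch, so either drop `Egress` from `policyTypes` or add an egress rule that admits the API server endpoint and DNS. Worth testing the corrected policy against a live pod rather than trusting the manifest alone, since the current version silently does nothing.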
@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: exporter
+ app.kubernetes.io/name: kube-state-metrics
+ name: kube-state-metrics
+spec:
+ clusterIP: None
+ ports:
+ - name: http-metrics
+ port: 8080
+ targetPort: http-metrics
+ - name: telemetry
+ port: 8081
+ targetPort: telemetry
+ selector:
+ app.kubernetes.io/name: kube-state-metrics
diff --git a/apps/monitoring/namespace.yml b/apps/monitoring/namespace.yml
new file mode 100644
index 0000000..ff7ae1b
--- /dev/null
+++ b/apps/monitoring/namespace.yml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: monitoring
diff --git a/apps/monitoring/prometheus/components/config/kustomization.yaml b/apps/monitoring/prometheus/components/config/kustomization.yaml
new file mode 100644
index 0000000..c502847
--- /dev/null
+++ b/apps/monitoring/prometheus/components/config/kustomization.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+patches:
+ - target:
+ kind: "Deployment"
+ name: "prometheus"
+ patch: |-
+ - op: add
+ path: "/spec/template/spec/containers/0/args/-"
+ value: "--config.file=/etc/config/prometheus.yaml"
+ - op: add
+ path: "/spec/template/spec/containers/0/volumeMounts/-"
+ value:
+ name: "prometheus-config"
+ readOnly: true
+ mountPath: "/etc/config/"
+ - op: add
+ path: "/spec/template/spec/volumes/-"
+ value:
+ name: "prometheus-config"
+ secret:
+ defaultMode: 420
+ secretName: "monitoring-prometheus-config"
diff --git a/apps/monitoring/prometheus/components/config/upsert-secret-prometheus-config.sh b/apps/monitoring/prometheus/components/config/upsert-secret-prometheus-config.sh
new file mode 100755
index 0000000..c5d7652
--- /dev/null
+++ b/apps/monitoring/prometheus/components/config/upsert-secret-prometheus-config.sh
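Review bot: The first Service port uses `targetPort: http-metrics`, but the container in apps/monitoring/kube-state-metrics/deployment.yaml names its 8080 port `metrics` (and 8081 `telemetry`), so the named target resolves to nothing and the 8080 endpoint is never populated; only the telemetry port lines up. Use `targetPort: metrics`, or rename the container port to `http-metrics` so both sides and the `prometheus.io/port: "8080"` annotation stay consistent. The NetworkPolicy in the same directory also refers to the container port names, so whichever name is chosen should be used in all three files.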
@@ -0,0 +1,19 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +sops -d prometheus-config-sops.yaml | \ + kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-file=prometheus.yaml=/dev/stdin \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/monitoring/prometheus/components/istio/istio-virtualservice.yaml b/apps/monitoring/prometheus/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..7d73afb --- /dev/null +++ b/apps/monitoring/prometheus/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: prometheus +spec: + hosts: + - prometheus + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: prometheus + port: + number: 80 diff --git a/apps/monitoring/prometheus/components/istio/kustomization.yaml b/apps/monitoring/prometheus/components/istio/kustomization.yaml new file mode 100644 index 0000000..b14a00b --- /dev/null +++ b/apps/monitoring/prometheus/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: NetworkPolicy + name: prometheus + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: istio-system + podSelector: + matchLabels: + istio: ingressgateway 
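Review bot: Applied on its own, this component opens the `prometheus` NetworkPolicy to the Istio ingress gateway and publishes the UI on host `prometheus` with no authentication, so everyone who can reach the shared gateway gets the full query API. Either make the overlay require the `oidc` component whenever this one is used, or add an Istio `AuthorizationPolicy`/`RequestAuthentication` on this route; a one-line comment above `resources:` stating that dependency would already help. The VirtualService also uses `networking.istio.io/v1alpha3`; `v1beta1`/`v1` are the current schemas.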
diff --git a/apps/monitoring/prometheus/components/oidc/deployment.yaml b/apps/monitoring/prometheus/components/oidc/deployment.yaml new file mode 100644 index 0000000..18e06a0 --- /dev/null +++ b/apps/monitoring/prometheus/components/oidc/deployment.yaml @@ -0,0 +1,42 @@ +--- +- op: add + path: /spec/template/spec/containers/- + value: + name: oauth2-proxy + image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 + envFrom: + - configMapRef: + name: oauth2-proxy + - secretRef: + name: oauth2-proxy + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [all] + runAsUser: 65532 + runAsGroup: 65532 + resources: + requests: + memory: "16Mi" + cpu: "5m" + limits: + memory: "64Mi" + livenessProbe: + httpGet: + path: /ping + port: oauth2-proxy + initialDelaySeconds: 5 + timeoutSeconds: 5 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /ping + port: oauth2-proxy + initialDelaySeconds: 2 + ports: + - containerPort: 4180 + name: oauth2-proxy diff --git a/apps/monitoring/prometheus/components/oidc/kustomization.yaml b/apps/monitoring/prometheus/components/oidc/kustomization.yaml new file mode 100644 index 0000000..8ab33f8 --- /dev/null +++ b/apps/monitoring/prometheus/components/oidc/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: prometheus + path: deployment.yaml + - target: + kind: Service + name: prometheus + patch: | + - op: replace + path: /spec/ports/0/targetPort + value: 4180 +configMapGenerator: + - name: oauth2-proxy + envs: + - oauth2-proxy.properties diff --git a/apps/monitoring/prometheus/components/oidc/oauth2-proxy.properties b/apps/monitoring/prometheus/components/oidc/oauth2-proxy.properties new file mode 100644 index 0000000..fa9eba8 --- /dev/null +++ b/apps/monitoring/prometheus/components/oidc/oauth2-proxy.properties 
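Review bot: Switching the Service `targetPort` to 4180 sends gateway traffic to oauth2-proxy, but the `prometheus` NetworkPolicy later in this patch only admits the named port `prometheus` (9090), and the `istio`/`reverse-proxy` components add their sources to that same rule; with this component applied the gateway's connections to 4180 are dropped while 9090 stays reachable from the gateway and bypasses the proxy entirely. The component needs its own NetworkPolicy patch admitting port `oauth2-proxy` from the gateway, and the 9090 rule should then be limited to vmalert. A patch along these lines, added to the `patches:` list, closes the gap (it assumes the `istio` component stops adding the gateway to rule 0).

```yaml
  - target:
      kind: NetworkPolicy
      name: prometheus
    patch: |-
      - op: add
        path: /spec/ingress/-
        value:
          ports:
            - protocol: TCP
              port: oauth2-proxy
          from:
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: istio-system
              podSelector:
                matchLabels:
                  istio: ingressgateway
```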
@@ -0,0 +1,6 @@ +OAUTH2_PROXY_PROVIDER=keycloak-oidc +OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180 +OAUTH2_PROXY_UPSTREAMS=http://localhost:9090 +OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256 +OAUTH2_PROXY_SILENCE_PING_LOGGING=true +OAUTH2_PROXY_FOOTER=- diff --git a/apps/monitoring/prometheus/components/oidc/upsert-secret-prometheus-oidc.sh b/apps/monitoring/prometheus/components/oidc/upsert-secret-prometheus-oidc.sh new file mode 100755 index 0000000..1f9c704 --- /dev/null +++ b/apps/monitoring/prometheus/components/oidc/upsert-secret-prometheus-oidc.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash + +set -o pipefail +set -eu + +OAUTH2_PROXY_CLIENT_ID="prometheus" +TF_VALUE=$(terraform -chdir=../../../../../tf-keycloak output -json clients | jq -r '.["'"${OAUTH2_PROXY_CLIENT_ID}"'"]') +OAUTH2_PROXY_CLIENT_SECRET=$(echo "$TF_VALUE" | jq -r '.client_secret') +OAUTH2_PROXY_COOKIE_SECRET="$(openssl rand -base64 32 | tr -- '+/' '-_')" +OAUTH2_PROXY_EMAIL_DOMAINS="*" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=OAUTH2_PROXY_COOKIE_SECRET="${OAUTH2_PROXY_COOKIE_SECRET}" \ + --from-literal=OAUTH2_PROXY_CLIENT_ID="${OAUTH2_PROXY_CLIENT_ID}" \ + --from-literal=OAUTH2_PROXY_CLIENT_SECRET="${OAUTH2_PROXY_CLIENT_SECRET}" \ + --from-literal=OAUTH2_PROXY_EMAIL_DOMAINS="${OAUTH2_PROXY_EMAIL_DOMAINS}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/monitoring/prometheus/components/rbac/clusterrole-binding.yaml b/apps/monitoring/prometheus/components/rbac/clusterrole-binding.yaml new file mode 100644 index 0000000..dc03421 --- /dev/null +++ b/apps/monitoring/prometheus/components/rbac/clusterrole-binding.yaml 
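Review bot: Provider `keycloak-oidc` requires `OAUTH2_PROXY_OIDC_ISSUER_URL` (and a `OAUTH2_PROXY_REDIRECT_URL` matching the Istio host), and neither appears here nor in the secret built by `upsert-secret-prometheus-oidc.sh`, so oauth2-proxy refuses to start unless those are injected from somewhere outside this patch. Because the proxy sits behind the Istio gateway it should also set `OAUTH2_PROXY_REVERSE_PROXY=true` so it trusts `X-Forwarded-*` for the redirect scheme, while leaving `OAUTH2_PROXY_COOKIE_SECURE` at its default of `true`.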
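Review bot: `${K8S_SECRET_NAME}` and `${K8S_SECRET_FILE_NAME}` are expanded under `set -u`, but unlike `upsert-secret-prometheus-config.sh` earlier in this patch the script never sources `contrib/variables.sh`, so it aborts with an unbound-variable error unless the wrapper exports them; add the same `source "$(git rev-parse --show-toplevel)/contrib/variables.sh"` header. The client id is spliced into the jq program as source text (`'.["'"${OAUTH2_PROXY_CLIENT_ID}"'"]'`); pass it as data instead, `jq -r --arg id "${OAUTH2_PROXY_CLIENT_ID}" '.[$id].client_secret'`, which also removes the second jq call. `OAUTH2_PROXY_EMAIL_DOMAINS="*"` admits every account in the Keycloak realm; if the realm has more users than Prometheus admins, restrict with `OAUTH2_PROXY_ALLOWED_GROUPS` or a realm role.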
@@ -0,0 +1,13 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: prometheus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus +subjects: + - kind: ServiceAccount + name: prometheus + namespace: monitoring diff --git a/apps/monitoring/prometheus/components/rbac/clusterrole.yaml b/apps/monitoring/prometheus/components/rbac/clusterrole.yaml new file mode 100644 index 0000000..8011740 --- /dev/null +++ b/apps/monitoring/prometheus/components/rbac/clusterrole.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: prometheus +rules: + - apiGroups: [""] + resources: + - nodes + - services + - endpoints + - pods + verbs: ["get", "list", "watch"] + - apiGroups: + - extensions + resources: + - ingresses + verbs: ["get", "list", "watch"] + - nonResourceURLs: ["/metrics"] + verbs: ["get"] diff --git a/apps/monitoring/prometheus/components/rbac/kustomization.yaml b/apps/monitoring/prometheus/components/rbac/kustomization.yaml new file mode 100644 index 0000000..88dfb78 --- /dev/null +++ b/apps/monitoring/prometheus/components/rbac/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - clusterrole.yaml + - clusterrole-binding.yaml diff --git a/apps/monitoring/prometheus/components/reverse-proxy/kustomization.yaml b/apps/monitoring/prometheus/components/reverse-proxy/kustomization.yaml new file mode 100644 index 0000000..419773c --- /dev/null +++ b/apps/monitoring/prometheus/components/reverse-proxy/kustomization.yaml 
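Review bot: The `extensions` API group no longer serves `ingresses` (removed in Kubernetes 1.22), so the second rule grants nothing and Prometheus' ingress service discovery, if configured, will get forbidden errors; change it to `- apiGroups: ["networking.k8s.io"]`. If the scrape config does not use ingress SD, drop the rule rather than fix it — the ClusterRole already gives cluster-wide read on nodes, pods, services and endpoints, and every extra resource widens what a compromised Prometheus pod can enumerate. `nonResourceURLs: ["/metrics"]` is the right minimum for scraping the API server itself.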
@@ -0,0 +1,27 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: prometheus + patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--web.external-url=/prometheus" + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--web.route-prefix=/" + - target: + kind: NetworkPolicy + name: prometheus + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "monitoring" + podSelector: + matchLabels: + app.kubernetes.io/name: "reverse-proxy" diff --git a/apps/monitoring/prometheus/components/tls-client-cert/kustomization.yaml b/apps/monitoring/prometheus/components/tls-client-cert/kustomization.yaml new file mode 100644 index 0000000..41cd429 --- /dev/null +++ b/apps/monitoring/prometheus/components/tls-client-cert/kustomization.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: prometheus + patch: | + - op: add + path: /spec/template/spec/volumes/- + value: + name: certs + secret: + secretName: prometheus-cert + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: certs + mountPath: /certs + readOnly: true diff --git a/apps/monitoring/prometheus/deployment.yaml b/apps/monitoring/prometheus/deployment.yaml new file mode 100644 index 0000000..24f31cf --- /dev/null +++ b/apps/monitoring/prometheus/deployment.yaml 
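Review bot: The `prometheus-cert` secret is mounted at `/certs` without `defaultMode`, so `tls.key` lands as 0644 and is readable by any uid in the container; the Deployment runs as 65535 with `fsGroup: 65535`, so `defaultMode: 0440` is enough. Nothing in this component tells Prometheus about the certificate — presumably the scrape config from the `config` component references `/certs/tls.crt` and `/certs/tls.key` — so a comment such as `# scrape config (config component) expects the client cert under /certs` would make the coupling visible. The same `prometheus-cert` secret is reused by vmalert's `tls-client-cert` component later in this patch, so one client identity covers two workloads.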
@@ -0,0 +1,112 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: prometheus + namespace: monitoring + labels: + app.kubernetes.io/name: prometheus + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: prometheus + template: + metadata: + labels: + app: prometheus + app.kubernetes.io/name: prometheus + app.kubernetes.io/instance: prometheus-prod + app.kubernetes.io/component: prometheus + app.kubernetes.io/part-of: monitoring + spec: + serviceAccountName: prometheus + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: prometheus + image: quay.io/prometheus/prometheus:v2.52.0 + args: + - "--storage.tsdb.retention.time=24h" + - "--storage.tsdb.path=/prometheus/" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65535 + runAsGroup: 65535 + privileged: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + ports: + - containerPort: 9090 + name: prometheus + resources: + requests: + cpu: 50m + memory: 512Mi + limits: + memory: 1280Mi + livenessProbe: + failureThreshold: 3 + httpGet: + path: /-/healthy + port: prometheus + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 10 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /-/ready + port: prometheus + scheme: HTTP + initialDelaySeconds: 5 + successThreshold: 1 + timeoutSeconds: 4 + volumeMounts: + - name: storage + mountPath: /prometheus/ + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app.kubernetes.io/part-of" + operator: "In" + values: + - "monitoring" + topologyKey: "kubernetes.io/hostname" + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - 
weight: 50 + preference: + matchExpressions: + - key: location + operator: NotIn + values: + - ez + - weight: 10 + preference: + matchExpressions: + - key: cpu_speed + operator: NotIn + values: + - slow + volumes: + - name: storage + emptyDir: {} diff --git a/apps/monitoring/prometheus/kustomization.yaml b/apps/monitoring/prometheus/kustomization.yaml new file mode 100644 index 0000000..80c09e2 --- /dev/null +++ b/apps/monitoring/prometheus/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml + - serviceaccount.yaml + - networkpolicy.yaml diff --git a/apps/monitoring/prometheus/networkpolicy.yaml b/apps/monitoring/prometheus/networkpolicy.yaml new file mode 100644 index 0000000..16329c4 --- /dev/null +++ b/apps/monitoring/prometheus/networkpolicy.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: prometheus +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: prometheus + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: prometheus + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/name: vmalert diff --git a/apps/monitoring/prometheus/service.yaml b/apps/monitoring/prometheus/service.yaml new file mode 100644 index 0000000..c276dc4 --- /dev/null +++ b/apps/monitoring/prometheus/service.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: prometheus + namespace: monitoring +spec: + selector: + app: prometheus + ports: + - port: 80 + targetPort: prometheus diff --git a/apps/monitoring/prometheus/serviceaccount.yaml b/apps/monitoring/prometheus/serviceaccount.yaml new file mode 100644 index 0000000..d854a82 --- /dev/null +++ b/apps/monitoring/prometheus/serviceaccount.yaml 
@@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: prometheus + namespace: monitoring diff --git a/apps/monitoring/pushgateway/components/istio/istio-virtualservice.yaml b/apps/monitoring/pushgateway/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..2182f43 --- /dev/null +++ b/apps/monitoring/pushgateway/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: pushgateway +spec: + hosts: + - pushgateway + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: pushgateway + port: + number: 80 diff --git a/apps/monitoring/pushgateway/components/istio/kustomization.yaml b/apps/monitoring/pushgateway/components/istio/kustomization.yaml new file mode 100644 index 0000000..0d17621 --- /dev/null +++ b/apps/monitoring/pushgateway/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: "NetworkPolicy" + name: "pushgateway" + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/monitoring/pushgateway/components/reverse-proxy/kustomization.yaml b/apps/monitoring/pushgateway/components/reverse-proxy/kustomization.yaml new file mode 100644 index 0000000..5eb7867 --- /dev/null +++ b/apps/monitoring/pushgateway/components/reverse-proxy/kustomization.yaml 
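Review bot: The patch adds a source to `/spec/ingress/0/from/-` of NetworkPolicy `pushgateway`, but the base policy later in this patch is Egress-only with no `ingress` list, and the base `kustomization.yaml` does not include `networkpolicy.yaml` at all, so `kustomize build` fails with either "no matches for target" or an invalid JSON-pointer path. Once that is fixed, keep in mind that Pushgateway has no authentication: this VirtualService lets every client of the shared gateway push arbitrary series and thereby trigger or mask alerts. Put an Istio `AuthorizationPolicy` or the `oidc` sidecar pattern used for Prometheus in front of it, or keep Pushgateway cluster-internal.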
@@ -0,0 +1,27 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: pushgateway + patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--web.external-url=/pushgateway" + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--web.route-prefix=/" + - target: + kind: NetworkPolicy + name: pushgateway + patch: |- + - op: add + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "monitoring" + podSelector: + matchLabels: + istio: "reverse-proxy" diff --git a/apps/monitoring/pushgateway/deployment.yaml b/apps/monitoring/pushgateway/deployment.yaml new file mode 100644 index 0000000..27a89c4 --- /dev/null +++ b/apps/monitoring/pushgateway/deployment.yaml 
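Review bot: The NetworkPolicy patch selects the proxy with `istio: "reverse-proxy"`, whereas the equivalent Prometheus component selects `app.kubernetes.io/name: "reverse-proxy"`; both cannot match the same proxy pods, and the one that matches nothing silently blocks the route. It also patches `/spec/ingress/0/from/-` on a policy that, as defined later in this patch, has no `ingress` list. Align on `app.kubernetes.io/name: "reverse-proxy"` (or whatever label the proxy pods actually carry) and give the base policy an ingress rule to extend.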
@@ -0,0 +1,102 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pushgateway + labels: + app.kubernetes.io/name: pushgateway +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: pushgateway + template: + metadata: + labels: + app: pushgateway + app.kubernetes.io/name: pushgateway + app.kubernetes.io/component: pushgateway + app.kubernetes.io/instance: pushgateway-prod + app.kubernetes.io/part-of: monitoring + annotations: + prometheus.io/port: "9091" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: pushgateway + image: quay.io/prometheus/pushgateway:v1.9.0 + args: [] + ports: + - containerPort: 9091 + name: pushgateway + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65535 + runAsGroup: 65535 + privileged: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + requests: + cpu: 10m + memory: 64Mi + limits: + memory: 128Mi + livenessProbe: + failureThreshold: 3 + httpGet: + path: /-/healthy + port: pushgateway + scheme: HTTP + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 10 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /-/ready + port: pushgateway + scheme: HTTP + initialDelaySeconds: 5 + successThreshold: 1 + timeoutSeconds: 4 + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app.kubernetes.io/part-of" + operator: "In" + values: + - "monitoring" + topologyKey: "kubernetes.io/hostname" + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + preference: + matchExpressions: + - key: location + operator: NotIn + values: + - ez + - weight: 10 + preference: + matchExpressions: + - key: cpu_speed + operator: In + values: 
+ - slow diff --git a/apps/monitoring/pushgateway/kustomization.yaml b/apps/monitoring/pushgateway/kustomization.yaml new file mode 100644 index 0000000..356c305 --- /dev/null +++ b/apps/monitoring/pushgateway/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml diff --git a/apps/monitoring/pushgateway/networkpolicy.yaml b/apps/monitoring/pushgateway/networkpolicy.yaml new file mode 100644 index 0000000..ed75127 --- /dev/null +++ b/apps/monitoring/pushgateway/networkpolicy.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: pushgateway +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: pushgateway + policyTypes: + - Egress + egress: [] diff --git a/apps/monitoring/pushgateway/service.yaml b/apps/monitoring/pushgateway/service.yaml new file mode 100644 index 0000000..bfa300d --- /dev/null +++ b/apps/monitoring/pushgateway/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: pushgateway +spec: + selector: + app.kubernetes.io/name: pushgateway + ports: + - port: 80 + targetPort: pushgateway diff --git a/apps/monitoring/upsert-secrets.sh b/apps/monitoring/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/monitoring/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/monitoring/victoriametrics/components/istio/istio-virtualservice.yaml b/apps/monitoring/victoriametrics/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..2182f43 --- /dev/null +++ b/apps/monitoring/victoriametrics/components/istio/istio-virtualservice.yaml 
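Review bot: The pod sets neither `serviceAccountName` nor `automountServiceAccountToken: false`, so the `default` service account token is mounted into a container that is reachable from the gateway and never talks to the API server; add `automountServiceAccountToken: false` to the pod spec, as the kube-state-metrics ServiceAccount in this patch already does for its exporter. The `cpu_speed In slow` preference is the inverse of the other monitoring deployments — fine if intentional, but a comment like `# lightweight: prefer slow nodes to keep fast ones free` would stop the next reader from "fixing" it.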
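Review bot: `networkpolicy.yaml` is not listed in the pushgateway `kustomization.yaml` in this same hunk group, so this policy is never applied and Pushgateway runs with no network isolation; even once included, it is Egress-only and leaves ingress to 9091 open to every pod in the cluster. Add it to `resources` and give it an `Ingress` rule limited to the Prometheus scraper and the intended pushers, mirroring the `kube-state-metrics` policy at the start of this chunk. `egress: []` is appropriate here — Pushgateway initiates no connections.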
@@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: pushgateway +spec: + hosts: + - pushgateway + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: pushgateway + port: + number: 80 diff --git a/apps/monitoring/victoriametrics/components/istio/kustomization.yaml b/apps/monitoring/victoriametrics/components/istio/kustomization.yaml new file mode 100644 index 0000000..5e37d63 --- /dev/null +++ b/apps/monitoring/victoriametrics/components/istio/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml diff --git a/apps/monitoring/victoriametrics/deployment.yaml b/apps/monitoring/victoriametrics/deployment.yaml new file mode 100644 index 0000000..817568a --- /dev/null +++ b/apps/monitoring/victoriametrics/deployment.yaml 
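Review bot: This VirtualService is a verbatim copy of the Pushgateway one (identical blob `2182f43`): `metadata.name`, `hosts` and `destination.host` are all `pushgateway`, so enabling the `istio` component for victoriametrics creates a second `pushgateway` VirtualService in the `monitoring` namespace and never exposes VictoriaMetrics. Change all three to `victoriametrics`. Unlike the Prometheus and Pushgateway components, this one adds no NetworkPolicy patch for the gateway; that only works today because the victoriametrics NetworkPolicy later in this patch does not select these pods at all.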
@@ -0,0 +1,111 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: victoriametrics + namespace: monitoring + labels: + app: victoriametrics + app.kubernetes.io/name: victoriametrics + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app: victoriametrics + app.kubernetes.io/name: victoriametrics + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: victoriametrics + app.kubernetes.io/name: victoriametrics + app.kubernetes.io/instance: victoriametrics-prod + app.kubernetes.io/component: victoriametrics + app.kubernetes.io/part-of: monitoring + annotations: + prometheus.io/port: "8880" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 65532 + runAsGroup: 65532 + fsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: victoriametrics + image: victoriametrics/victoria-metrics:v1.101.0 + imagePullPolicy: IfNotPresent + args: + - "--storageDataPath=/storage" + - "--httpListenAddr=:8428" + - "--retentionPeriod=6" + ports: + - containerPort: 8428 + name: "victoriametrics" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 65532 + runAsGroup: 65532 + privileged: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + resources: + requests: + memory: "256Mi" + cpu: "10m" + limits: + memory: "512Mi" + livenessProbe: + httpGet: + path: "/-/healthy" + port: "victoriametrics" + readinessProbe: + httpGet: + path: "/-/ready" + port: "victoriametrics" + volumeMounts: + - name: "storage" + mountPath: "/storage" + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app.kubernetes.io/part-of" + operator: "In" + values: + - "monitoring" + topologyKey: "kubernetes.io/hostname" + nodeAffinity: + 
preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + preference: + matchExpressions: + - key: "location" + operator: "NotIn" + values: + - "ez" + - weight: 10 + preference: + matchExpressions: + - key: cpu_speed + operator: NotIn + values: + - slow + volumes: + - name: storage + emptyDir: {} diff --git a/apps/monitoring/victoriametrics/kustomization.yaml b/apps/monitoring/victoriametrics/kustomization.yaml new file mode 100644 index 0000000..521d11d --- /dev/null +++ b/apps/monitoring/victoriametrics/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - networkpolicy.yaml + - service.yaml diff --git a/apps/monitoring/victoriametrics/networkpolicy.yaml b/apps/monitoring/victoriametrics/networkpolicy.yaml new file mode 100644 index 0000000..c6da63c --- /dev/null +++ b/apps/monitoring/victoriametrics/networkpolicy.yaml 
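Review bot: The scrape annotation says `prometheus.io/port: "8880"` while the container listens on `--httpListenAddr=:8428` (port `victoriametrics`), so annotation-driven scraping hits a closed port; `8880` is vmalert's port and looks copy-pasted — set `prometheus.io/port: "8428"`. The pod also mounts the `default` service account token although VictoriaMetrics makes no Kubernetes API calls; add `automountServiceAccountToken: false` to the pod spec.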
@@ -0,0 +1,61 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: vmalert + namespace: monitoring +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: vmalert + policyTypes: + - Ingress + - Egress + ingress: + - ports: + - protocol: TCP + port: metrics + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + egress: + - to: + - ipBlock: + cidr: 192.168.0.0/16 + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + ports: + - port: 443 + protocol: TCP + - port: 80 + protocol: TCP + - port: 9093 + protocol: TCP + - to: + - namespaceSelector: + matchLabels: + networking/namespace: kube-system + podSelector: {} + ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: istio-system + podSelector: {} + ports: + - port: 15012 + protocol: TCP diff --git a/apps/monitoring/victoriametrics/service.yaml b/apps/monitoring/victoriametrics/service.yaml new file mode 100644 index 0000000..de34d47 --- /dev/null +++ b/apps/monitoring/victoriametrics/service.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: victoriametrics + namespace: monitoring +spec: + selector: + app: victoriametrics + ports: + - port: 80 + targetPort: victoriametrics diff --git a/apps/monitoring/vmalert/components/initcontainer-seed-rules/kustomization.yaml b/apps/monitoring/vmalert/components/initcontainer-seed-rules/kustomization.yaml new file mode 100644 index 0000000..a511765 --- /dev/null +++ b/apps/monitoring/vmalert/components/initcontainer-seed-rules/kustomization.yaml 
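Review bot: This file lives under `victoriametrics/` but declares NetworkPolicy `vmalert` with `podSelector` `app.kubernetes.io/component: vmalert`, so the VictoriaMetrics pods (`component: victoriametrics`) get no policy at all, and it collides with `apps/monitoring/vmalert/networkpolicy.yaml` later in this patch — same name, same namespace — so whichever is applied last silently replaces the other's rules. Rename it to `victoriametrics`, select `app.kubernetes.io/component: victoriametrics`, and admit port `victoriametrics` from vmalert and Prometheus rather than port `metrics`. The DNS egress rule uses the non-standard label `networking/namespace: kube-system` while every other selector in this patch uses `kubernetes.io/metadata.name`, and the third `to:` block (any namespace, `k8s-app: kube-dns`) has no `ports`, so it permits every port to CoreDNS.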
@@ -0,0 +1,23 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: vmalert + path: patch-initcontainer.yaml + - target: + kind: Deployment + name: vmalert + patch: |- + - op: "add" + path: "/spec/template/spec/volumes/-" + value: + name: "rules" + emptyDir: + sizeLimit: "100Mi" + - op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "rules" + mountPath: "/rules" diff --git a/apps/monitoring/vmalert/components/initcontainer-seed-rules/patch-initcontainer.yaml b/apps/monitoring/vmalert/components/initcontainer-seed-rules/patch-initcontainer.yaml new file mode 100644 index 0000000..0352dc8 --- /dev/null +++ b/apps/monitoring/vmalert/components/initcontainer-seed-rules/patch-initcontainer.yaml @@ -0,0 +1,28 @@ +--- +- op: "add" + path: "/spec/template/spec/initContainers" + value: + - name: "seed" + image: "ghcr.io/soerenschneider/alerting-rules:main-20240403210327" + imagePullPolicy: "IfNotPresent" + command: ["rsync", "-vr", "/rules/", "/rules-dest/"] + securityContext: + runAsUser: 65532 + runAsGroup: 65532 + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + resources: + requests: + memory: "16Mi" + cpu: "5m" + limits: + memory: "512Mi" + volumeMounts: + - name: "rules" + mountPath: "/rules-dest" diff --git a/apps/monitoring/vmalert/components/istio/istio-virtualservice.yaml b/apps/monitoring/vmalert/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..67e2eef --- /dev/null +++ b/apps/monitoring/vmalert/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: vmalert +spec: + hosts: + - vmalert + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: vmalert + port: + number: 80 
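Review bot: The seed container copies the rule set into the `rules` emptyDir, but nothing visible in this patch passes `-rule=/rules/...` to vmalert (the base deployment has no `args`, and the `tls-client-cert` component replaces the whole `args` list with TLS flags), so the seeded files go unused unless an overlay not shown here adds the flag. Because these rules decide which alerts fire, pin the image by digest rather than the `main-<timestamp>` tag pulled with `IfNotPresent`, e.g. `image: "ghcr.io/soerenschneider/alerting-rules@sha256:<digest>"`, so a re-tag cannot swap the rule set. The security context is tight; `rsync -vr` only needs the writable `/rules-dest` mount.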
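Review bot: The route targets Service `vmalert` on port 80, but the vmalert kustomization later in this patch lists only `deployment.yaml` and `networkpolicy.yaml` — no `service.yaml` — so this VirtualService points at nothing unless a Service comes from another overlay. If the intent is to expose vmalert's UI, both a Service and a NetworkPolicy patch admitting the ingress gateway on port `metrics` (as the Prometheus `istio` component does) are missing; the base vmalert NetworkPolicy admits only Prometheus.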
diff --git a/apps/monitoring/vmalert/components/istio/kustomization.yaml b/apps/monitoring/vmalert/components/istio/kustomization.yaml new file mode 100644 index 0000000..5e37d63 --- /dev/null +++ b/apps/monitoring/vmalert/components/istio/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml diff --git a/apps/monitoring/vmalert/components/tls-client-cert/kustomization.yaml b/apps/monitoring/vmalert/components/tls-client-cert/kustomization.yaml new file mode 100644 index 0000000..ef4f279 --- /dev/null +++ b/apps/monitoring/vmalert/components/tls-client-cert/kustomization.yaml @@ -0,0 +1,25 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: vmalert + patch: | + - op: add + path: /spec/template/spec/volumes/- + value: + name: certs + secret: + secretName: prometheus-cert + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: certs + mountPath: /certs + readOnly: true + - op: add + path: "/spec/template/spec/containers/0/args" + value: + - "-notifier.tlsCertFile=/etc/tls/tls.crt" + - "-notifier.tlsKeyFile=/etc/tls/tls.key" diff --git a/apps/monitoring/vmalert/deployment.yaml b/apps/monitoring/vmalert/deployment.yaml new file mode 100644 index 0000000..e96a56f --- /dev/null +++ b/apps/monitoring/vmalert/deployment.yaml 
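Review bot: The certificate secret is mounted at `/certs`, but the args point vmalert at `/etc/tls/tls.crt` and `/etc/tls/tls.key`, so notifier TLS fails at startup; change them to `-notifier.tlsCertFile=/certs/tls.crt` and `-notifier.tlsKeyFile=/certs/tls.key` (or mount at `/etc/tls`). `op: add` on `/spec/template/spec/containers/0/args` creates the list when absent but replaces it when present, so as soon as the base gains `-datasource.url`/`-notifier.url` this component drops them; declare `args: []` in the base (as it already does for `volumeMounts`/`volumes`) and append each flag with `/args/-`. The secret is `prometheus-cert`, the same client identity Prometheus uses; a dedicated `vmalert-cert` would let Alertmanager tell the two apart.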
@@ -0,0 +1,79 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vmalert + namespace: monitoring + labels: + app: vmalert + app.kubernetes.io/name: vmalert + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app: vmalert + app.kubernetes.io/name: vmalert + template: + metadata: + labels: + app: vmalert + app.kubernetes.io/name: vmalert + app.kubernetes.io/instance: vmalert-prod + app.kubernetes.io/component: vmalert + app.kubernetes.io/part-of: monitoring + annotations: + prometheus.io/port: "8880" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 65532 + runAsGroup: 65532 + fsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: vmalert + image: victoriametrics/vmalert:v1.101.0 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8880 + name: metrics + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 65532 + runAsGroup: 65532 + privileged: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + requests: + memory: "16Mi" + cpu: "10m" + limits: + memory: "256Mi" + livenessProbe: + httpGet: + path: /health + port: metrics + initialDelaySeconds: 15 + timeoutSeconds: 5 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /health + port: metrics + initialDelaySeconds: 5 + volumeMounts: [] + volumes: [] + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate diff --git a/apps/monitoring/vmalert/kustomization.yaml b/apps/monitoring/vmalert/kustomization.yaml new file mode 100644 index 0000000..47da746 --- /dev/null +++ b/apps/monitoring/vmalert/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - networkpolicy.yaml 
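Review bot: The container has no `args`, so vmalert starts without `-datasource.url`, `-notifier.url` or `-rule`, which it needs to evaluate and deliver anything; presumably an overlay supplies them, but the base should at least declare `args: []` the way it declares `volumeMounts: []` and `volumes: []`, so components can append with `/args/-` instead of replacing the list. The pod also mounts the `default` service account token although vmalert never calls the Kubernetes API; add `automountServiceAccountToken: false`.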
diff --git a/apps/monitoring/vmalert/networkpolicy.yaml b/apps/monitoring/vmalert/networkpolicy.yaml new file mode 100644 index 0000000..dbf6640 --- /dev/null +++ b/apps/monitoring/vmalert/networkpolicy.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: vmalert +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: vmalert + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: metrics + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus diff --git a/apps/mosquitto/components/istio/istio-virtualservice.yaml b/apps/mosquitto/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..48ea346 --- /dev/null +++ b/apps/mosquitto/components/istio/istio-virtualservice.yaml @@ -0,0 +1,25 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: mosquitto +spec: + hosts: + - mqtt + gateways: + - istio-system/gateway + tcp: + - match: + - port: 1883 + route: + - destination: + host: mosquitto + port: + number: 1883 + - match: + - port: 8883 + route: + - destination: + host: mosquitto + port: + number: 8883 diff --git a/apps/mosquitto/components/istio/kustomization.yaml b/apps/mosquitto/components/istio/kustomization.yaml new file mode 100644 index 0000000..5e37d63 --- /dev/null +++ b/apps/mosquitto/components/istio/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml diff --git a/apps/mosquitto/components/tls/certificate.yaml b/apps/mosquitto/components/tls/certificate.yaml new file mode 100644 index 0000000..bbd171d --- /dev/null +++ b/apps/mosquitto/components/tls/certificate.yaml 
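Review bot: Routing TCP port 1883 through the shared gateway exposes the plaintext MQTT listener, and `mosquitto.conf` at the end of this patch sets `allow_anonymous true` on it, so anyone who can reach the gateway can publish and subscribe to every topic unauthenticated and in the clear. Expose only 8883 through the gateway (drop the first `tcp` match) and keep 1883 cluster-internal, or require credentials on both listeners. A TCP route also needs matching `servers` on `istio-system/gateway`, which is not in this patch; confirm it does not already bind 1883 or 8883 for another service.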
@@ -0,0 +1,14 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: "mosquitto" +spec: + secretName: "mosquitto-cert" + commonName: "mqtt.svc.dd.soeren.cloud" + dnsNames: + - "mqtt.svc.dd.soeren.cloud" + issuerRef: + name: "letsencrypt-dns-prod" + kind: "ClusterIssuer" + group: "cert-manager.io" diff --git a/apps/mosquitto/components/tls/configmap-ca.yaml b/apps/mosquitto/components/tls/configmap-ca.yaml new file mode 100644 index 0000000..ad8dff6 --- /dev/null +++ b/apps/mosquitto/components/tls/configmap-ca.yaml 
@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+data:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIGAzCCA+ugAwIBAgIUX9iV01SIxHtrqREaEkmJL3T7UgowDQYJKoZIhvcNAQEL
+ BQAwKDENMAsGA1UEChMEc29yZzEXMBUGA1UEAxMOc3JuLmltIHJvb3QgY2EwHhcN
+ MjMxMjEwMTU0MDA5WhcNMjUxMjA5MTU0MDM5WjBWMRUwEwYDVQQKEwxzcm4uaW1w
+ ZXJpdW0xDTALBgNVBAsTBHNvcmcxLjAsBgNVBAMTJXNvZXJlbi5jbG91ZCBJbnRl
+ cm1lZGlhdGUgQ2VydGlmaWNhdGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+ AoICAQDWBL7D1iz1b+0Gy89J8y/SuHZ7JdZSDwHh0v8pK7qxaJ2qRT4z5HBk02Eb
+ gcWnmNVWx9AZZwD6uXSE+y1RDT46XQrP/B1iKaTAcozxeutqa0X7rxXi5TRgBJ+/
+ YORR/wTK7Qbq6gFUYIMNOG/h3LMinvBmcxjaE+tqbvGhZBVfSloIqN3l7ZJT2vIi
+ lK/nYQ8ZwKMCesHbwxE31AqSpM+JSjIAFfABBPauFAqNz2LFLeYELBkakdfbKjSL
+ pbrdzy3/VXOZ7qGXhyiNTCGN269MZMARnstrQSYwC5vHOGXKxQOKPTULgIEeII2/
+ 4wLxK+DqP38DxhcAyjjjTB1aoSYgc3vcMUYVEM3C25gL4D5IFX6Utc+i1CcSuiCN
+ 9wsK4ayM+C0mOk7EP0j9en5+jp2TD3MobRXEWJ/Mm/ElGImydNibZoKGmWJ0V+Du
+ K/3wHXZZHjywaPsEPfm1ZBz51GGhQDcJNsGT0joEae/8iplFIkISVjsJIQPV3zpn
+ EV7c8659bStAKe4v4XGZViCmNmyqZF/cjmBb1OpsIbngKuLn4GJIyhnbr6/EFdys
+ VYBejTeVpJwk45e4Rb6YViFrZ1rZvC1mvMrOKb++XjtkvON2TiyFmmcyM/N8/ZEg
+ QolY6YSXKL/lTmaa3klNoDC8vyhFheD0AkSE0+fzef/7lJsk1wIDAQABo4H2MIHz
+ MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR4m3/u
+ F7fC8W59iJ3/oAUUR4+GdDAfBgNVHSMEGDAWgBTP61UQZUx3Ebv5fRvAlqF0v70r
+ XTBMBggrBgEFBQcBAQRAMD4wPAYIKwYBBQUHMAKGMGh0dHBzOi8vdmF1bHQuaGEu
+ c29lcmVuLmNsb3VkL3YxL3BraV9yb290X3Nybi9jYTBCBgNVHR8EOzA5MDegNaAz
+ hjFodHRwczovL3ZhdWx0LmhhLnNvZXJlbi5jbG91ZC92MS9wa2lfcm9vdF9zcm4v
+ Y3JsMA0GCSqGSIb3DQEBCwUAA4ICAQAGVBDAVm6u0Db3mR7grJ75pcXHkeQHc1Xy
+ Mf9y8ZEEuUQaUxk/67t4zAybFJJ0MIqNIvLj8vo0XHZtvtefSuGxWdYM59ThHKnz
+ 4BXGIMwGxxYBPAbOJ8h0uXHdu76QVrfGdzN0ic0JKzLjFucUZVMpRWvaGLRsgrGC
+ 7bd2p66VBUrL9/S3rsU61PwKagYu1ko7CqRjAzQGeYLBkWbuH4DeZMiJUUyug7PA
+ cneiznbVLynQJ8W9q9Ms0+zbenlnw7VbOjv1IBiUVuce4fmubSPSGXo38F9KDfPL
+ EdEnDN0NnChtNE/a/BghzLeyCsRA0h+Q+wyRCv32Jb5FoTsDua/aWhn4dqCLViUx
+ 6JJ5VMAj3pBppuhf/PuJX/JucAD1QzZsEPIH0qoGX19zfiAEQcTwNfyoo7GXOyUR
+ l5kPeRdA30aBhVA09hyPBdHnWEskenRBr9O7ME17DLT55iOGs1vd0DBRIfcViQTu
+ tvOaEYl/8Wv7DcZdG2iT6PFGygsr3nXVISKZL/wBixWquTRJrejcNNbje3ZZtLdY
+ zaA/ZrCBShsNK1gBOp54PgcCPvQwLfn0kK4cZHQ3cKuflFiy50H6qAOwsQr191nE
+ H93/wTNMIyHg8DQjYa3NGBARaSv6s32TS4S7xIPHhCJLdwjIYi/e5oiYB16WLpoy
+ plaUXnCo4Q==
+ -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+ creationTimestamp: null
+ name: srn-ca
diff --git a/apps/mosquitto/components/tls/kustomization.yaml b/apps/mosquitto/components/tls/kustomization.yaml
new file mode 100644
index 0000000..5695de6
--- /dev/null
+++ b/apps/mosquitto/components/tls/kustomization.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - certificate.yaml
+ - configmap-ca.yaml
+configMapGenerator:
+ - name: mosquitto-config
+ behavior: replace
+ files:
+ - mosquitto.conf
+patches:
+ - target:
+ kind: "Deployment"
+ name: "mosquitto"
+ patch: |-
+ - op: "add"
+ path: "/spec/template/spec/containers/0/volumeMounts/-"
+ value:
+ name: "mosquitto-cert"
+ mountPath: "/tls"
+ - op: "add"
+ path: "/spec/template/spec/volumes/-"
+ value:
+ name: "mosquitto-cert"
+ secret:
+ secretName: "mosquitto-cert"
+ - op: "add"
+ path: "/spec/template/spec/containers/0/volumeMounts/-"
+ value:
+ name: "ca"
+ mountPath: "/ca"
+ - op: "add"
+ path: "/spec/template/spec/volumes/-"
+ value:
+ name: "ca"
+ configMap:
+ name: "srn-ca"
diff --git a/apps/mosquitto/components/tls/mosquitto.conf b/apps/mosquitto/components/tls/mosquitto.conf
new file mode 100644
index 0000000..0336fd4
--- /dev/null
+++ b/apps/mosquitto/components/tls/mosquitto.conf
@@ -0,0 +1,16 @@
+log_type error warning information
+per_listener_settings true
+
+listener 1883
+max_connections 768
+allow_anonymous true
+
+listener 8883
+tls_version tlsv1.3
+allow_anonymous true
+
+require_certificate false
+use_identity_as_username false
+cafile /ca/ca.crt
+certfile /tls/tls.crt
+keyfile /tls/tls.key
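Review bot: The intermediate CA pinned in `ca.crt` carries its own validity window in the DER (the visible run `MjMxMjEwMTU0MDA5WhcNMjUxMjA5MTU0MDM5Wj` appears to decode to notBefore 2023-12-10 and notAfter 2025-12-09), so this ConfigMap goes stale when the CA rolls, and nothing in the file records where it came from or how to refresh it. A header comment would save the next maintainer a hunt, e.g. `# Generated by upsert-ca.sh from ${VAULT_ADDR}/v1/pki/im_srn/ca/pem; re-run on CA rotation (current cert expires 2025-12-09)`. `creationTimestamp: null` is kubectl dry-run noise and can be dropped from the committed file.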
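Review bot: The 8883 listener keeps `allow_anonymous true`, so the tls component adds confidentiality but no authentication: any client that trusts the Let's Encrypt chain can publish and subscribe without credentials, and with `require_certificate false` and `use_identity_as_username false` the `cafile` mounted at /ca is not used to authenticate anyone. If anonymous access on the encrypted listener is deliberate, a comment saying so belongs next to it; otherwise set `allow_anonymous false` under `listener 8883` and add a `password_file`, or switch to `require_certificate true` plus `use_identity_as_username true` so the mounted CA actually does the authentication. Because `per_listener_settings true` is set, the five option lines after the blank line apply only to 8883, which is probably intended but worth a comment since the blank line makes them read as global.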
diff --git a/apps/mosquitto/components/tls/upsert-ca.sh b/apps/mosquitto/components/tls/upsert-ca.sh
new file mode 100755
index 0000000..61227e7
--- /dev/null
+++ b/apps/mosquitto/components/tls/upsert-ca.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+CONFIGMAP_NAME="srn-ca"
+CONFIGMAP_KEY="ca.crt"
+CONFIGMAP_FILE="configmap-ca.yaml"
+DEFAULT_PKI_URL="pki/im_srn"
+
+curl -s "${VAULT_ADDR}/v1/${DEFAULT_PKI_URL}/ca/pem" | \
+ kubectl create configmap "${CONFIGMAP_NAME}" --from-file="${CONFIGMAP_KEY}"=/dev/stdin --dry-run=client -o yaml > "${CONFIGMAP_FILE}"
diff --git a/apps/mosquitto/deployment.yaml b/apps/mosquitto/deployment.yaml
new file mode 100644
index 0000000..e8882e7
--- /dev/null
+++ b/apps/mosquitto/deployment.yaml
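Review bot: The script has no `set -euo pipefail` and calls `curl -s` without `-f`, so an unset `VAULT_ADDR`, an unreachable Vault or an HTTP error body is written straight into `configmap-ca.yaml` as the trusted CA and then committed; the other upsert scripts in this commit carry the `set -o pipefail` / `set -eu` header for exactly this reason. Use `set -euo pipefail` after the shebang and `curl -fsS "${VAULT_ADDR:?}/v1/${DEFAULT_PKI_URL}/ca/pem" | \`, and consider checking the fetched PEM with `openssl x509 -noout` before it is wrapped so only a parseable certificate reaches kubectl. A one-line header saying what the script produces (the `srn-ca` ConfigMap consumed by the tls component) would also help.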
@@ -0,0 +1,74 @@
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+ name: "mosquitto"
+ labels:
+ app.kubernetes.io/name: "mosquitto"
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: "mosquitto"
+ strategy:
+ type: "RollingUpdate"
+ template:
+ metadata:
+ labels:
+ app: "mosquitto"
+ app.kubernetes.io/name: "mosquitto"
+ app.kubernetes.io/component: "mosquitto"
+ app.kubernetes.io/instance: "mosquitto-prod"
+ app.kubernetes.io/part-of: "mosquitto"
+ spec:
+ securityContext:
+ runAsUser: 47272
+ runAsGroup: 47272
+ fsGroup: 47272
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - image: "eclipse-mosquitto:2.0.18"
+ name: "mosquitto"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 47272
+ runAsGroup: 47272
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ imagePullPolicy: "IfNotPresent"
+ resources:
+ requests:
+ memory: 32Mi
+ cpu: 10m
+ limits:
+ memory: 384Mi
+ ports:
+ - containerPort: 1883
+ name: "mosquitto"
+ - containerPort: 8883
+ name: "mosquitto-tls"
+ livenessProbe:
+ tcpSocket:
+ port: 1883
+ initialDelaySeconds: 5
+ readinessProbe:
+ tcpSocket:
+ port: 1883
+ initialDelaySeconds: 1
+ volumeMounts:
+ - name: "mosquitto-config"
+ mountPath: "/mosquitto/config"
+ volumes:
+ - name: "mosquitto-config"
+ configMap:
+ name: "mosquitto-config"
diff --git a/apps/mosquitto/kustomization.yaml b/apps/mosquitto/kustomization.yaml
new file mode 100644
index 0000000..df98402
--- /dev/null
+++ b/apps/mosquitto/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+configMapGenerator:
+ - name: mosquitto-config
+ files:
+ - mosquitto.conf
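Review bot: apps/mosquitto/kustomization.yaml ships no NetworkPolicy, while the other apps in this commit (navidrome, vmalert) restrict ingress to their intended callers; combined with `allow_anonymous true` in mosquitto.conf, every pod in the cluster can publish and subscribe on the broker. Add a `networkpolicy.yaml` under `resources:` with `podSelector` on `app.kubernetes.io/name: mosquitto` and `from` entries for the namespaces and pods that are meant to speak MQTT, and — if the istio component is used — an entry for the ingressgateway, as the navidrome istio component already does. If leaving the broker open in-cluster is intentional, a comment in the kustomization stating that would stop the next reviewer raising it again.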
diff --git a/apps/mosquitto/mosquitto.conf b/apps/mosquitto/mosquitto.conf
new file mode 100644
index 0000000..47596b4
--- /dev/null
+++ b/apps/mosquitto/mosquitto.conf
@@ -0,0 +1,9 @@
+log_type error warning information
+per_listener_settings true
+
+listener 1883
+max_connections 768
+allow_anonymous true
+
+require_certificate false
+use_identity_as_username false
diff --git a/apps/mosquitto/service.yaml b/apps/mosquitto/service.yaml
new file mode 100644
index 0000000..1b8b9b0
--- /dev/null
+++ b/apps/mosquitto/service.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mosquitto
+spec:
+ ports:
+ - port: 1883
+ name: mosquitto
+ targetPort: mosquitto
+ - port: 8883
+ name: mosquitto-tls
+ targetPort: mosquitto-tls
+ selector:
+ app.kubernetes.io/name: mosquitto
diff --git a/apps/mysqld-exporter/components/configfile/kustomization.yaml b/apps/mysqld-exporter/components/configfile/kustomization.yaml
new file mode 100644
index 0000000..1873495
--- /dev/null
+++ b/apps/mysqld-exporter/components/configfile/kustomization.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: Deployment
+ name: mysqld-exporter
+ patch: |-
+ - op: "add"
+ path: "/spec/template/spec/containers/0/args/-"
+ value: "--config.my-cnf=/conf/my.cnf"
+ - op: "add"
+ path: "/spec/template/spec/volumes/-"
+ value:
+ name: "conf"
+ secret:
+ secretName: "mysqld-exporter-config"
+ - op: "add"
+ path: "/spec/template/spec/containers/0/volumeMounts/-"
+ value:
+ name: "conf"
+ mountPath: "/conf"
+ readOnly: true
diff --git a/apps/mysqld-exporter/components/configfile/upsert-secret-mysqld-exporter-configfile.sh b/apps/mysqld-exporter/components/configfile/upsert-secret-mysqld-exporter-configfile.sh
new file mode 100755
index 0000000..d1d0112
--- /dev/null
+++ b/apps/mysqld-exporter/components/configfile/upsert-secret-mysqld-exporter-configfile.sh
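Review bot: The Service advertises `mosquitto-tls` on 8883, but the base apps/mosquitto/mosquitto.conf in this commit defines only `listener 1883`, so without the tls component the port is backed by nothing and a client connecting to 8883 is refused by the pod. Either keep the base Service (and the container ports in deployment.yaml, which show the same split) at 1883 and let the tls component add the 8883 port with a patch, or annotate the port, e.g. `# only served when components/tls is included`. The same applies to the `mosquitto-tls` containerPort in apps/mosquitto/deployment.yaml.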
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+sops -d mysqld-exporter-config-sops.cnf | \
+ kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-file=my.cnf=/dev/stdin \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/mysqld-exporter/deployment.yaml b/apps/mysqld-exporter/deployment.yaml
new file mode 100644
index 0000000..72f8526
--- /dev/null
+++ b/apps/mysqld-exporter/deployment.yaml
@@ -0,0 +1,60 @@
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+ name: "mysqld-exporter"
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: "mysqld-exporter"
+ template:
+ metadata:
+ labels:
+ app: "mysqld-exporter"
+ annotations:
+ prometheus.io/port: "9104"
+ prometheus.io/scrape: "true"
+ spec:
+ securityContext:
+ runAsUser: 40538
+ runAsGroup: 40538
+ fsGroup: 40538
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - name: "mysqld-exporter"
+ image: "prom/mysqld-exporter:v0.15.1"
+ args:
+ - "--mysqld.address=mariadb:3306"
+ env:
+ - name: "MYSQLD_EXPORTER_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: "mysqld-exporter"
+ key: "MYSQLD_EXPORTER_PASSWORD"
+ optional: true
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 40538
+ runAsGroup: 40538
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ ports:
+ - containerPort: 9104
+ name: "mysqld-exporter"
+ resources:
+ limits:
+ cpu: "100m"
+ memory: "256Mi"
+ requests:
+ cpu: "5m"
+ memory: "64Mi"
diff --git a/apps/mysqld-exporter/kustomization.yaml b/apps/mysqld-exporter/kustomization.yaml
new file mode 100644
index 0000000..9d88b3a
--- /dev/null
+++ b/apps/mysqld-exporter/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
diff --git a/apps/mysqld-exporter/upsert-secret-mysqld-exporter.sh b/apps/mysqld-exporter/upsert-secret-mysqld-exporter.sh
new file mode 100755
index 0000000..5ffc485
--- /dev/null
+++ b/apps/mysqld-exporter/upsert-secret-mysqld-exporter.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+MYSQLD_EXPORTER_PASSWORD="$(echo "$OUTPUT" | grep -e "^MYSQLD_EXPORTER_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=MYSQLD_EXPORTER_PASSWORD="${MYSQLD_EXPORTER_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/navidrome/components/istio/istio-virtualservice.yaml b/apps/navidrome/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..552021a
--- /dev/null
+++ b/apps/navidrome/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: navidrome
+spec:
+ hosts:
+ - navidrome
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: navidrome
+ port:
+ number: 80
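Review bot: `cut -d'=' -f2` keeps only the text between the first and second `=`, so a password that contains `=` (common for base64-style secrets) is silently truncated and the exporter is deployed with wrong credentials; use `cut -d'=' -f2-`, or `"${line#*=}"` on the grep result, to keep everything after the first `=`. `OUTPUT=$(pass ${K8S_PASS_PATH})` leaves the path unquoted, which `set -u` does not protect against if it ever contains whitespace; quote it as `"${K8S_PASS_PATH}"`. Passing the value with `--from-literal` exposes it briefly in the operator's process list, which is probably an accepted trade-off for a local script but is worth a one-line comment.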
diff --git a/apps/navidrome/components/istio/kustomization.yaml b/apps/navidrome/components/istio/kustomization.yaml
new file mode 100644
index 0000000..d8602fe
--- /dev/null
+++ b/apps/navidrome/components/istio/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "navidrome"
+ patch: |-
+ - op: add
+ path: "/spec/ingress/0/from/-"
+ value:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/navidrome/components/oidc/kustomization.yaml b/apps/navidrome/components/oidc/kustomization.yaml
new file mode 100644
index 0000000..71baf62
--- /dev/null
+++ b/apps/navidrome/components/oidc/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+configMapGenerator:
+ - name: navidrome
+ behavior: merge
+ literals:
+ - ND_REVERSEPROXYUSERHEADER=X-Forwarded-Preferred-Username
diff --git a/apps/navidrome/components/pvc/kustomization.yaml b/apps/navidrome/components/pvc/kustomization.yaml
new file mode 100644
index 0000000..bdb37da
--- /dev/null
+++ b/apps/navidrome/components/pvc/kustomization.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+resources:
+ - "navidrome-data-pvc.yaml"
+patches:
+ - target:
+ kind: "Deployment"
+ name: "navidrome"
+ patch: |-
+ - op: "replace"
+ path: "/spec/template/spec/volumes/0"
+ value:
+ name: "storage"
+ persistentVolumeClaim:
+ claimName: "navidrome"
diff --git a/apps/navidrome/components/pvc/navidrome-data-pvc.yaml b/apps/navidrome/components/pvc/navidrome-data-pvc.yaml
new file mode 100644
index 0000000..b8b4337
--- /dev/null
+++ b/apps/navidrome/components/pvc/navidrome-data-pvc.yaml
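Review bot: The pvc component sets `claimName: "navidrome"`, but the PVC it adds in navidrome-data-pvc.yaml is named `navidrome-data`, so the patched Deployment references a claim that does not exist and its pod stays Pending; the restic-pvc component in this commit also uses `claimName: "navidrome"`. The smallest fix is `name: navidrome` in navidrome-data-pvc.yaml (matching how apps/nextcloud/components/pvc names its claim); otherwise both claimName values need to become `navidrome-data`. Replacing `/spec/template/spec/volumes/0` by index also depends silently on `storage` staying the first volume in deployment.yaml — a comment noting that, or a strategic-merge patch keyed on the volume name, would make the coupling explicit.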
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: navidrome-data
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/apps/navidrome/components/restic-pvc/kustomization.yaml b/apps/navidrome/components/restic-pvc/kustomization.yaml
new file mode 100644
index 0000000..6fa4bbc
--- /dev/null
+++ b/apps/navidrome/components/restic-pvc/kustomization.yaml
@@ -0,0 +1,63 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - ../../../../infra/restic-pvc
+configMapGenerator:
+ - name: "navidrome-restic-pvc"
+ literals:
+ - "RETENTION_DAYS=7"
+ - "RETENTION_WEEKS=4"
+ - "RETENTION_MONTHS=6"
+ - "RESTIC_TARGETS=/data"
+ - "RESTIC_BACKUP_ID=navidrome"
+patches:
+ - target:
+ kind: "CronJob"
+ name: "restic-pvc-backup"
+ patch: |-
+ - op: "replace"
+ path: "/spec/schedule"
+ value: "5 6 * * *"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "navidrome"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsUser"
+ value: 65535
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsGroup"
+ value: 65535
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/fsGroup"
+ value: 65535
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsUser"
+ value: 65535
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsGroup"
+ value: 65535
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "navidrome-restic-pvc"
+ - secretRef:
+ name: "navidrome-restic-pvc"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/volumes/0/persistentVolumeClaim/claimName"
+ value: "navidrome"
+ - target:
+ kind: "CronJob"
+ name: "restic-pvc-prune"
+ patch: |-
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "navidrome"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "navidrome-restic-pvc"
+ - secretRef:
+ name: "navidrome-restic-pvc"
diff --git a/apps/navidrome/components/restic-pvc/upsert-secret-navidrome-restic-pvc.sh b/apps/navidrome/components/restic-pvc/upsert-secret-navidrome-restic-pvc.sh
new file mode 100755
index 0000000..18b7aa3
--- /dev/null
+++ b/apps/navidrome/components/restic-pvc/upsert-secret-navidrome-restic-pvc.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+BACKUP_ID="${K8S_APP_SUB}"
+S3_DIR="restic-${BACKUP_ID}"
+TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]')
+AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id')
+AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret')
+RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}"
+RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \
+ --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \
+ --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/navidrome/deployment.yaml b/apps/navidrome/deployment.yaml
new file mode 100644
index 0000000..cd5ccdb
--- /dev/null
+++ b/apps/navidrome/deployment.yaml
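Review bot: `jq -r` prints the literal string `null` and exits 0 when `ids` has no entry for `${S3_DIR}` or the entry lacks `id`/`secret`, so under `set -eu` the script still succeeds and commits an encrypted secret whose AWS credentials are the word `null`. Guard after the terraform call with `[ -n "${TF_VALUE}" ] && [ "${TF_VALUE}" != "null" ] || { echo "no S3 credentials for ${S3_DIR}" >&2; exit 1; }`, or use `jq -re` so a null result fails the pipeline, and prefer `jq -r --arg k "${S3_DIR}" '.[$k]'` over splicing the variable into the filter string. `pass backups/restic/prod/${BACKUP_ID}` is unquoted, and the file lacks a trailing newline.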
@@ -0,0 +1,86 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: navidrome
+ namespace: navidrome
+ labels:
+ app.kubernetes.io/name: navidrome
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: navidrome
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: navidrome
+ app.kubernetes.io/name: navidrome
+ app.kubernetes.io/component: navidrome
+ app.kubernetes.io/instance: navidrome-prod
+ app.kubernetes.io/part-of: navidrome
+ annotations:
+ prometheus.io/port: "4533"
+ prometheus.io/scrape: "true"
+ spec:
+ securityContext:
+ runAsUser: 65535
+ runAsGroup: 65535
+ fsGroup: 65535
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: navidrome
+ image: deluan/navidrome:0.52.5
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65535
+ runAsGroup: 65535
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ resources:
+ requests:
+ memory: 256Mi
+ cpu: 5m
+ limits:
+ memory: 512Mi
+ envFrom:
+ - configMapRef:
+ name: navidrome
+ ports:
+ - containerPort: 4533
+ name: "navidrome"
+ livenessProbe:
+ httpGet:
+ path: "/health"
+ port: "navidrome"
+ initialDelaySeconds: 15
+ timeoutSeconds: 5
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: "/health"
+ port: "navidrome"
+ initialDelaySeconds: 5
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/data"
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: location
+ whenUnsatisfiable: ScheduleAnyway
+ volumes:
+ - name: storage
+ emptyDir:
+ sizeLimit: 5Gi
diff --git a/apps/navidrome/kustomization.yaml b/apps/navidrome/kustomization.yaml
new file mode 100644
index 0000000..0422eee
--- /dev/null
+++ b/apps/navidrome/kustomization.yaml
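Review bot: The only volume mounted is `storage` at `/data`, while the generated config in apps/navidrome/kustomization.yaml sets `ND_MUSICFOLDER=/music`, so as written the container has no `/music` and navidrome scans an empty library; if the music volume is added by an overlay outside this commit, a comment on the volumeMounts saying so would stop the next reader chasing it. `topologySpreadConstraints` has no `labelSelector`, and I believe a constraint without one matches no pods and is a no-op; add `labelSelector: {matchLabels: {app.kubernetes.io/name: navidrome}}` if the spread is wanted. The pod-level securityContext omits the `runAsNonRoot: true` the container sets (apps/mosquitto/deployment.yaml sets it at both levels) — harmless here, but worth aligning.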
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+ - networkpolicy.yaml
+configMapGenerator:
+ - name: navidrome
+ literals:
+ - ND_MUSICFOLDER=/music
+ - ND_DATAFOLDER=/data
+ - ND_PROMETHEUS_ENABLED=true
+ - ND_REVERSEPROXYWHITELIST=10.0.0.0/8
diff --git a/apps/navidrome/networkpolicy.yaml b/apps/navidrome/networkpolicy.yaml
new file mode 100644
index 0000000..dd7176b
--- /dev/null
+++ b/apps/navidrome/networkpolicy.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: "navidrome"
+spec:
+ podSelector: {}
+ egress: []
+ ingress:
+ - ports:
+ - protocol: "TCP"
+ port: "navidrome"
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "monitoring"
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "prometheus"
diff --git a/apps/navidrome/service.yaml b/apps/navidrome/service.yaml
new file mode 100644
index 0000000..3532081
--- /dev/null
+++ b/apps/navidrome/service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: navidrome
+ namespace: navidrome
+spec:
+ ports:
+ - port: 80
+ targetPort: navidrome
+ selector:
+ app: navidrome
diff --git a/apps/navidrome/upsert-secrets.sh b/apps/navidrome/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/navidrome/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/nextcloud/components/istio/istio-virtualservice.yaml b/apps/nextcloud/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..77923d1
--- /dev/null
+++ b/apps/nextcloud/components/istio/istio-virtualservice.yaml
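Review bot: `ND_REVERSEPROXYWHITELIST=10.0.0.0/8` trusts the whole private range to set the proxy user header, and the oidc component in this commit turns that header (`X-Forwarded-Preferred-Username`) into a login, so any source inside 10/8 that can reach port 4533 can impersonate any navidrome user. What actually holds this together is the NetworkPolicy in this same run of hunks, which limits ingress to prometheus and (via the istio component) the ingressgateway; narrow the whitelist to the gateway's CIDR if it is stable, or at least put a comment on the literal saying the NetworkPolicy is the real control. In networkpolicy.yaml, `egress: []` with no explicit `policyTypes` leaves it to the defaulting rule whether egress is denied at all; write `policyTypes: ["Ingress", "Egress"]` if deny-all egress is intended (adding a DNS rule if the pod resolves names), or drop the `egress` key if not.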
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: nextcloud
+spec:
+ hosts:
+ - nextcloud
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: nextcloud
+ port:
+ number: 80
diff --git a/apps/nextcloud/components/istio/kustomization.yaml b/apps/nextcloud/components/istio/kustomization.yaml
new file mode 100644
index 0000000..5e37d63
--- /dev/null
+++ b/apps/nextcloud/components/istio/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
diff --git a/apps/nextcloud/components/mariadb/kustomization.yaml b/apps/nextcloud/components/mariadb/kustomization.yaml
new file mode 100644
index 0000000..d511e01
--- /dev/null
+++ b/apps/nextcloud/components/mariadb/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - mariadb-sts.yaml
+ - mariadb-service.yaml
+configMapGenerator:
+ - name: nextcloud-config
+ behavior: merge
+ envs:
+ - nextcloud.properties
diff --git a/apps/nextcloud/components/mariadb/mariadb-service.yaml b/apps/nextcloud/components/mariadb/mariadb-service.yaml
new file mode 100644
index 0000000..025d3c9
--- /dev/null
+++ b/apps/nextcloud/components/mariadb/mariadb-service.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mariadb
+spec:
+ selector:
+ app: mariadb
+ ports:
+ - protocol: TCP
+ port: 3306
+ targetPort: mariadb
+ type: ClusterIP
diff --git a/apps/nextcloud/components/mariadb/mariadb-sts.yaml b/apps/nextcloud/components/mariadb/mariadb-sts.yaml
new file mode 100644
index 0000000..b1e9280
--- /dev/null
+++ b/apps/nextcloud/components/mariadb/mariadb-sts.yaml
@@ -0,0 +1,70 @@
+---
+apiVersion: apps/v1
+kind: "StatefulSet"
+metadata:
+ name: "mariadb"
+spec:
+ serviceName: "mariadb"
+ replicas: 1
+ selector:
+ matchLabels:
+ app: "mariadb"
+ template:
+ metadata:
+ labels:
+ app: "mariadb"
+ spec:
+ securityContext:
+ runAsUser: 45538
+ runAsGroup: 45538
+ fsGroup: 45538
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - name: "mariadb"
+ image: "mariadb:11.4.2"
+ envFrom:
+ - configMapRef:
+ name: "mariadb"
+ - secretRef:
+ name: "mariadb"
+ optional: true
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 45538
+ runAsGroup: 45538
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ ports:
+ - containerPort: 3306
+ name: "mariadb"
+ resources:
+ limits:
+ cpu: "1"
+ memory: "1Gi"
+ requests:
+ cpu: "50m"
+ memory: "256Mi"
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/var/lib/mysql"
+ - name: "tmp"
+ mountPath: "/tmp"
+ - name: "run"
+ mountPath: "/run/mysqld"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "1Gi"
+ - name: "tmp"
+ emptyDir:
+ sizeLimit: "50Mi"
+ - name: "run"
+ emptyDir:
+ sizeLimit: "50Mi"
diff --git a/apps/nextcloud/components/mariadb/nextcloud.properties b/apps/nextcloud/components/mariadb/nextcloud.properties
new file mode 100644
index 0000000..c807b25
--- /dev/null
+++ b/apps/nextcloud/components/mariadb/nextcloud.properties
@@ -0,0 +1,8 @@
+NC_TRUSTED_DOMAINS=nextcloud.svc.ez.soeren.cloud
+MAIL_FROM_ADDRESS=nextcloud@soerensoerensen.de
+MAIL_DOMAIN=soerensoerensen.de
+SMTP_SECURE=ssl
+SMTP_PORT=465
+SMTP_AUTHTYPE=LOGIN
+MYSQL_HOST=mariadb
+MYSQL_DATABASE=nextcloud
diff --git a/apps/nextcloud/components/pvc/kustomization.yaml b/apps/nextcloud/components/pvc/kustomization.yaml
new file mode 100644
index 0000000..f6e7bd8
--- /dev/null
+++ b/apps/nextcloud/components/pvc/kustomization.yaml
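Review bot: The StatefulSet backs `/var/lib/mysql` with `emptyDir: sizeLimit: "1Gi"`, so the Nextcloud database is lost on every pod restart or reschedule; the pvc component in this commit patches only the `nextcloud` Deployment, not this StatefulSet. Use a `volumeClaimTemplates` entry named `storage` here (or a matching pvc component for mariadb), and if the emptyDir is deliberately a dev-only default, say so in a comment on the volume. Separately, the component's nextcloud.properties repeats all six keys of apps/nextcloud/nextcloud.properties; with `behavior: merge` only `MYSQL_HOST` and `MYSQL_DATABASE` are needed, and keeping the duplicates gives the mail settings two places to drift.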
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - pvc.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: nextcloud
+ patch: |-
+ - op: replace
+ path: /spec/template/spec/volumes/0
+ value:
+ name: storage
+ persistentVolumeClaim:
+ claimName: nextcloud
diff --git a/apps/nextcloud/components/pvc/pvc.yaml b/apps/nextcloud/components/pvc/pvc.yaml
new file mode 100644
index 0000000..ba64679
--- /dev/null
+++ b/apps/nextcloud/components/pvc/pvc.yaml
@@ -0,0 +1,11 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: nextcloud
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 25Gi
diff --git a/apps/nextcloud/deployment.yaml b/apps/nextcloud/deployment.yaml
new file mode 100644
index 0000000..41c1234
--- /dev/null
+++ b/apps/nextcloud/deployment.yaml
@@ -0,0 +1,174 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nextcloud
+ labels:
+ app: nextcloud
+ app.kubernetes.io/name: nextcloud
+ app.kubernetes.io/instance: nextcloud
+ app.kubernetes.io/component: app
+spec:
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app: nextcloud
+ app.kubernetes.io/name: nextcloud
+ app.kubernetes.io/instance: nextcloud
+ app.kubernetes.io/component: app
+ template:
+ metadata:
+ labels:
+ app: nextcloud
+ app.kubernetes.io/name: nextcloud
+ app.kubernetes.io/instance: nextcloud
+ app.kubernetes.io/component: app
+ spec:
+ securityContext:
+ runAsUser: 22473
+ runAsGroup: 22473
+ fsGroup: 22473
+ seccompProfile:
+ type: "RuntimeDefault"
+ initContainers:
+ - name: init
+ image: "nextcloud:29.0.1-fpm"
+ command: ["sh", "-c", "rsync -ar /usr/src/nextcloud/ /dest/html"]
+ volumeMounts:
+ - name: "shared-data"
+ mountPath: "/dest"
+ resources:
+ requests:
+ memory: "32Mi"
+ cpu: "15m"
+ limits:
+ memory: "128Mi"
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 22473
+ runAsGroup: 22473
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ containers:
+ - name: "nginx"
+ image: "nginx:1.27.0-alpine"
+ ports:
+ - containerPort: 8080
+ name: "nginx"
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 22473
+ runAsGroup: 22473
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ resources:
+ requests:
+ memory: "32Mi"
+ cpu: "15m"
+ limits:
+ memory: "128Mi"
+ volumeMounts:
+ - name: "nginx-config"
+ readOnly: true
+ mountPath: "/etc/nginx/nginx.conf"
+ subPath: "nginx.conf"
+ - name: "nginx-var-cache"
+ mountPath: "/var/cache/nginx"
+ - name: "nginx-var-run"
+ mountPath: "/var/run"
+ - name: "shared-data"
+ readOnly: true
+ mountPath: "/var/www"
+ - name: "nextcloud"
+ image: "nextcloud:29.0.1-fpm"
+ imagePullPolicy: "IfNotPresent"
+ envFrom:
+ - configMapRef:
+ name: "nextcloud-config"
+ - secretRef:
+ name: "nextcloud"
+ optional: true
+ ports:
+ - name: "nextcloud"
+ containerPort: 9000
+ protocol: "TCP"
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 22473
+ runAsGroup: 22473
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ livenessProbe:
+ httpGet:
+ path: "/status.php"
+ port: "nextcloud"
+ httpHeaders:
+ - name: "Host"
+ value: "nextcloud"
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: "/status.php"
+ port: "nextcloud"
+ httpHeaders:
+ - name: "Host"
+ value: "nextcloud"
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "50m"
+ limits:
+ memory: "1024Mi"
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/var/www/html"
+ - name: "tmp"
+ mountPath: "/tmp"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "5Gi"
+ - name: "tmp"
+ emptyDir:
+ sizeLimit: "1Gi"
+ - name: nginx-config
+ configMap:
+ name: nginx-config
+ - name: "nginx-var-cache"
+ emptyDir:
+ sizeLimit: "5Mi"
+ - name: "nginx-var-run"
+ emptyDir:
+ sizeLimit: "5Mi"
+ - name: "shared-data"
+ emptyDir:
+ sizeLimit: "5Gi"
diff --git a/apps/nextcloud/kustomization.yaml b/apps/nextcloud/kustomization.yaml
new file mode 100644
index 0000000..8eee4ae
--- /dev/null
+++ b/apps/nextcloud/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - service.yaml
+configMapGenerator:
+ - name: nextcloud-config
+ envs:
+ - nextcloud.properties
+ - name: nginx-config
+ files:
+ - nginx.conf
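Review bot: The nginx container serves its document root (`root /var/www/html` in the nginx.conf hunk further down) from the `shared-data` emptyDir that the init container fills, while the php-fpm `nextcloud` container mounts a different emptyDir, `storage`, at `/var/www/html` — and `storage` is the volume the pvc component swaps for the PVC. Unless the split is deliberate, the code tree nginx checks files against and the tree fpm executes and writes `config/`, `apps/` and user data into are separate copies that diverge as soon as Nextcloud installs or updates anything. The usual layout mounts one volume in both containers: give nginx `- name: "storage"`, `readOnly: true`, `mountPath: "/var/www/html"`, have the init container copy into that same volume, and drop `shared-data`; if two trees are intended, a comment on the `shared-data` volume explaining why is needed. I can only see part of nginx.conf, so the fastcgi side of this is inferred.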
diff --git a/apps/nextcloud/nextcloud.properties b/apps/nextcloud/nextcloud.properties
new file mode 100644
index 0000000..267bb10
--- /dev/null
+++ b/apps/nextcloud/nextcloud.properties
@@ -0,0 +1,6 @@
+NC_TRUSTED_DOMAINS=nextcloud.svc.ez.soeren.cloud
+MAIL_FROM_ADDRESS=nextcloud@soerensoerensen.de
+MAIL_DOMAIN=soerensoerensen.de
+SMTP_SECURE=ssl
+SMTP_PORT=465
+SMTP_AUTHTYPE=LOGIN
diff --git a/apps/nextcloud/nginx.conf b/apps/nextcloud/nginx.conf
new file mode 100644
index 0000000..c5e72a4
--- /dev/null
+++ b/apps/nextcloud/nginx.conf
@@ -0,0 +1,180 @@
+events {
+ worker_connections 1024;
+}
+
+http {
+ upstream php-handler {
+ server 127.0.0.1:9000;
+ #server unix:/run/php/php8.2-fpm.sock;
+ }
+
+ # Set the `immutable` cache control options only for assets with a cache busting `v` argument
+ map $arg_v $asset_immutable {
+ "" "";
+ default ", immutable";
+ }
+
+ server {
+ listen 8080;
+ listen [::]:8080;
+
+ # Path to the root of your installation
+ root /var/www/html;
+
+
+ # Prevent nginx HTTP Server Detection
+ server_tokens off;
+
+ # HSTS settings
+ # WARNING: Only add the preload option once you read about
+ # the consequences in https://hstspreload.org/. This option
+ # will add the domain to a hardcoded list that is shipped
+ # in all major browsers and getting removed from this list
+ # could take several months.
+ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+
+ # set max upload size and increase upload timeout:
+ client_max_body_size 512M;
+ client_body_timeout 300s;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ # Pagespeed is not supported by Nextcloud, so if your server is built
+ # with the `ngx_pagespeed` module, uncomment this line to disable it.
+ #pagespeed off;
+
+ # The settings allows you to optimize the HTTP2 bandwidth.
+ # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+ # for tuning hints
+ client_body_buffer_size 512k;
+
+ # HTTP response headers borrowed from Nextcloud `.htaccess`
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "noindex, nofollow" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ # Set .mjs and .wasm MIME types
+ # Either include it in the default mime.types list
+ # and include that list explicitly or add the file extension
+ # only for Nextcloud like below:
+ include mime.types;
+
+ # Specify how to handle directories -- specifying `/index.php$request_uri`
+ # here as the fallback means that Nginx always exhibits the desired behaviour
+ # when a client requests a path that corresponds to a directory that exists
+ # on the server. In particular, if that directory contains an index.php file,
+ # that file is correctly served; if it doesn't, then the request is passed to
+ # the front-end controller. This consistent behaviour means that we don't need
+ # to specify custom rules for certain paths (e.g. images and other assets,
+ # `/updater`, `/ocs-provider`), and thus
+ # `try_files $uri $uri/ /index.php$request_uri`
+ # always provides the desired behaviour.
+ index index.php index.html /index.php$request_uri;
+
+ # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+ location = / {
+ if ( $http_user_agent ~ ^DavClnt ) {
+ return 302 /remote.php/webdav/$is_args$args;
+ }
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Make a regex exception for `/.well-known` so that clients can still
+ # access it despite the existence of the regex rule
+ # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+ # for `/.well-known`.
+ location ^~ /.well-known {
+ # The rules in this block are an adaptation of the rules
+ # in `.htaccess` that concern `/.well-known`.
+
+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
+
+ location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+ location /.well-known/pki-validation { try_files $uri $uri/ =404; }
+
+ # Let Nextcloud's API for `/.well-known` URIs handle all other
+ # requests by passing them to the front-end controller.
+ return 301 /index.php$request_uri;
+ }
+
+ # Rules borrowed from `.htaccess` to hide certain paths from clients
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+
+ # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+ # which handle static assets (as seen below). If this block is not declared first,
+ # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+ # to the URI, resulting in a HTTP 500 error response.
+ location ~ \.php(?:$|/) {
+ # Required for legacy support
+ rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ set $path_info $fastcgi_path_info;
+
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $path_info;
+ fastcgi_param HTTPS on;
+
+ fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+ fastcgi_param front_controller_active true; # Enable pretty urls
+ fastcgi_pass php-handler;
+
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+
+ fastcgi_max_temp_file_size 0;
+ }
+
+ # Serve static files
+ location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+ try_files $uri /index.php$request_uri;
+ # HTTP response headers borrowed from Nextcloud `.htaccess`
+ add_header Cache-Control "public, max-age=15778463$asset_immutable";
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "noindex, nofollow" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ location ~ \.woff2?$ {
+ try_files $uri /index.php$request_uri;
+ expires 7d; # Cache-Control policy borrowed from `.htaccess`
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ # Rule borrowed from `.htaccess`
+ location /remote {
+ return 301 /remote.php$request_uri;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$request_uri;
+ }
+ }
+}
diff --git a/apps/nextcloud/service.yaml b/apps/nextcloud/service.yaml
new file mode 100644
index 0000000..e9e3e0c
--- /dev/null
+++ b/apps/nextcloud/service.yaml
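Review bot: `fastcgi_param HTTPS on;` in the `location ~ \.php(?:$|/)` block is unconditional while the server only listens on plain `8080`, so it is only correct when TLS is terminated in front of this pod (presumably the Istio gateway) and nothing can reach 8080 directly; that assumption is not written down anywhere in the file. Suggest a comment above it such as `# TLS is terminated upstream (mesh/gateway); reporting HTTPS to PHP makes Nextcloud emit https:// URLs. Port 8080 must not be exposed outside the pod network.` The HSTS header left commented out in the `server` block then has to be sent by the TLS terminator instead, which the existing HSTS comment could point at. The `X-XSS-Protection "1; mode=block"` lines (server block and the static-asset location) are carried over from the upstream .htaccess; current guidance is `add_header X-XSS-Protection "0" always;` since the legacy auditor was removed from browsers and `0` disables it where it still exists.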
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: nextcloud
+ labels:
+ app: nextcloud
+ app.kubernetes.io/name: nextcloud
+ app.kubernetes.io/instance: nextcloud
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: "nginx"
+ selector:
+ app: nextcloud
diff --git a/apps/nextcloud/upsert-secret-nextcloud.sh b/apps/nextcloud/upsert-secret-nextcloud.sh
new file mode 100755
index 0000000..866fc43
--- /dev/null
+++ b/apps/nextcloud/upsert-secret-nextcloud.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+MYSQL_USER="$(echo "$OUTPUT" | grep -e "^MYSQL_USER=" | cut -d'=' -f2)"
+MYSQL_PASSWORD="$(echo "$OUTPUT" | grep -e "^MYSQL_PASSWORD=" | cut -d'=' -f2)"
+NEXTCLOUD_ADMIN_USER="$(echo "$OUTPUT" | grep -e "^NEXTCLOUD_ADMIN_USER=" | cut -d'=' -f2)"
+NEXTCLOUD_ADMIN_PASSWORD="$(echo "$OUTPUT" | grep -e "^NEXTCLOUD_ADMIN_PASSWORD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=MYSQL_USER="${MYSQL_USER}" \
+ --from-literal=MYSQL_PASSWORD="${MYSQL_PASSWORD}" \
+ --from-literal=NEXTCLOUD_ADMIN_USER="${NEXTCLOUD_ADMIN_USER}" \
+ --from-literal=NEXTCLOUD_ADMIN_PASSWORD="${NEXTCLOUD_ADMIN_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/nextcloud/upsert-secrets.sh b/apps/nextcloud/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/nextcloud/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
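Review bot: `cut -d'=' -f2` in the four `grep ... | cut` lines of upsert-secret-nextcloud.sh keeps only the text up to the second `=`, so a password that itself contains `=` (base64-padded or generated values commonly do) is written into the secret silently truncated; `cut -d'=' -f2-` keeps everything after the first `=`. `OUTPUT=$(pass ${K8S_PASS_PATH})` leaves the path unquoted and therefore subject to word splitting; `OUTPUT=$(pass "${K8S_PASS_PATH}")` matches how the rest of the script quotes variables. The same `cut -f2` pattern recurs in upsert-secret-onlyoffice-mariadb.sh (mariadb/, rabbitmq/ and redis/ copies) and in upsert-secret-paperless-ngx-database-mariadb.sh in this patch. `sops -e ... -e` passes the encrypt flag twice, which is harmless but one should go.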
diff --git a/apps/onlyoffice/components/istio/istio-virtualservice.yaml b/apps/onlyoffice/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..e5d00f7
--- /dev/null
+++ b/apps/onlyoffice/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: onlyoffice
+spec:
+ hosts:
+ - onlyoffice
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: onlyoffice
+ port:
+ number: 80
diff --git a/apps/onlyoffice/components/istio/kustomization.yaml b/apps/onlyoffice/components/istio/kustomization.yaml
new file mode 100644
index 0000000..5e37d63
--- /dev/null
+++ b/apps/onlyoffice/components/istio/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
diff --git a/apps/onlyoffice/components/mariadb/kustomization.yaml b/apps/onlyoffice/components/mariadb/kustomization.yaml
new file mode 100644
index 0000000..950b668
--- /dev/null
+++ b/apps/onlyoffice/components/mariadb/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - mariadb-sts.yaml
+ - mariadb-service.yaml
+configMapGenerator:
+ - name: onlyoffice
+ behavior: merge
+ envs:
+ - onlyoffice.properties
diff --git a/apps/onlyoffice/components/mariadb/mariadb-service.yaml b/apps/onlyoffice/components/mariadb/mariadb-service.yaml
new file mode 100644
index 0000000..025d3c9
--- /dev/null
+++ b/apps/onlyoffice/components/mariadb/mariadb-service.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mariadb
+spec:
+ selector:
+ app: mariadb
+ ports:
+ - protocol: TCP
+ port: 3306
+ targetPort: mariadb
+ type: ClusterIP
diff --git a/apps/onlyoffice/components/mariadb/mariadb-sts.yaml b/apps/onlyoffice/components/mariadb/mariadb-sts.yaml
new file mode 100644
index 0000000..cca29ea
--- /dev/null
+++ b/apps/onlyoffice/components/mariadb/mariadb-sts.yaml
@@ -0,0 +1,101 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: mariadb
+spec:
+ serviceName: mariadb
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mariadb
+ template:
+ metadata:
+ labels:
+ app: "mariadb"
+ app.kubernetes.io/name: "mariadb"
+ app.kubernetes.io/component: "database"
+ app.kubernetes.io/instance: "onlyoffice-prod"
+ app.kubernetes.io/part-of: "onlyoffice"
+ spec:
+ securityContext:
+ runAsUser: 45538
+ runAsGroup: 45538
+ fsGroup: 45538
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - name: mariadb
+ image: mariadb:11.4.2
+ env:
+ - name: MYSQL_ROOT_PASSWORD
+ value: "onlyoffice"
+ - name: MYSQL_DATABASE
+ value: "onlyoffice"
+ - name: MYSQL_USER
+ value: "onlyoffice"
+ - name: MYSQL_PASSWORD
+ value: "onlyoffice"
+ ports:
+ - containerPort: 3306
+ name: mariadb
+ readinessProbe:
+ exec:
+ command:
+ - "healthcheck.sh"
+ - "--connect"
+ - "--innodb_initialized"
+ livenessProbe:
+ exec:
+ command:
+ - "healthcheck.sh"
+ - "--connect"
+ - "--innodb_initialized"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 45538
+ runAsGroup: 45538
+ privileged: false
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ resources:
+ limits:
+ cpu: "1"
+ memory: "1Gi"
+ requests:
+ cpu: "50m"
+ memory: "256Mi"
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/var/lib/mysql"
+ - name: "tmp"
+ mountPath: "/tmp"
+ - name: "run"
+ mountPath: "/run/mysqld"
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: "app.kubernetes.io/part-of"
+ operator: "In"
+ values:
+ - "onlyoffice"
+ topologyKey: "kubernetes.io/hostname"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "1Gi"
+ - name: "tmp"
+ emptyDir:
+ sizeLimit: "50Mi"
+ - name: "run"
+ emptyDir:
+ sizeLimit: "50Mi"
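Review bot: The database credentials are committed as plain literals in the `env` block of the `mariadb` container (`MYSQL_ROOT_PASSWORD`, `MYSQL_USER` and `MYSQL_PASSWORD` are all `"onlyoffice"`), while the sibling upsert-secret-onlyoffice-mariadb.sh in this component produces a sops-encrypted secret carrying `DB_USER`/`DB_PWD` that nothing in this StatefulSet consumes; the container should take user and password from that secret via `secretKeyRef`, and the root password from an additional key the script would have to emit, so the only copy of each lives in the encrypted secret. Independently, `storage` for `/var/lib/mysql` is an `emptyDir`, so every pod restart re-initialises the database from scratch; a `volumeClaimTemplates` entry is what a StatefulSet normally uses for this mount. The secret's name comes from `K8S_SECRET_NAME` in contrib/variables.sh, which is not in this diff, so it is a placeholder below.
```yaml
        env:
          - name: MYSQL_DATABASE
            value: "onlyoffice"
          - name: MYSQL_USER
            valueFrom:
              secretKeyRef:
                name: PLACEHOLDER_K8S_SECRET_NAME  # value of K8S_SECRET_NAME from contrib/variables.sh
                key: DB_USER
          - name: MYSQL_PASSWORD
            valueFrom:
              secretKeyRef:
                name: PLACEHOLDER_K8S_SECRET_NAME
                key: DB_PWD
          - name: MYSQL_ROOT_PASSWORD
            valueFrom:
              secretKeyRef:
                name: PLACEHOLDER_K8S_SECRET_NAME
                key: MYSQL_ROOT_PASSWORD  # not yet produced by upsert-secret-onlyoffice-mariadb.sh
        # … unchanged: ports, probes, securityContext, resources, volumeMounts …
```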
diff --git a/apps/onlyoffice/components/mariadb/onlyoffice.properties b/apps/onlyoffice/components/mariadb/onlyoffice.properties
new file mode 100644
index 0000000..1dd7760
--- /dev/null
+++ b/apps/onlyoffice/components/mariadb/onlyoffice.properties
@@ -0,0 +1,4 @@
+DB_TYPE=mariadb
+DB_HOST=mariadb
+DB_PORT=3306
+DB_NAME=onlyoffice
diff --git a/apps/onlyoffice/components/mariadb/upsert-secret-onlyoffice-mariadb.sh b/apps/onlyoffice/components/mariadb/upsert-secret-onlyoffice-mariadb.sh
new file mode 100755
index 0000000..03d349b
--- /dev/null
+++ b/apps/onlyoffice/components/mariadb/upsert-secret-onlyoffice-mariadb.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+DB_USER="$(echo "$OUTPUT" | grep -e "^DB_USER=" | cut -d'=' -f2)"
+DB_PWD="$(echo "$OUTPUT" | grep -e "^DB_PWD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=DB_USER="${DB_USER}" \
+ --from-literal=DB_PWD="${DB_PWD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/onlyoffice/components/rabbitmq/00-rabbitmq.conf b/apps/onlyoffice/components/rabbitmq/00-rabbitmq.conf
new file mode 100644
index 0000000..80aa4a2
--- /dev/null
+++ b/apps/onlyoffice/components/rabbitmq/00-rabbitmq.conf
@@ -0,0 +1,2 @@
+total_memory_available_override_value = 512Mb
+log.console = true
diff --git a/apps/onlyoffice/components/rabbitmq/kustomization.yaml b/apps/onlyoffice/components/rabbitmq/kustomization.yaml
new file mode 100644
index 0000000..dadb1d0
--- /dev/null
+++ b/apps/onlyoffice/components/rabbitmq/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - statefulset.yaml
+ - rabbitmq-amqp-service.yaml
+configMapGenerator:
+ - name: onlyoffice
+ behavior: merge
+ envs:
+ - onlyoffice.properties
+ - name: rabbitmq-conf
+ files:
+ - "00-rabbitmq.conf"
diff --git a/apps/onlyoffice/components/rabbitmq/onlyoffice.properties b/apps/onlyoffice/components/rabbitmq/onlyoffice.properties
new file mode 100644
index 0000000..b4a4b73
--- /dev/null
+++ b/apps/onlyoffice/components/rabbitmq/onlyoffice.properties
@@ -0,0 +1 @@
+AMQP_URI=amqp://guest:guest@rabbitmq/
diff --git a/apps/onlyoffice/components/rabbitmq/rabbitmq-amqp-service.yaml b/apps/onlyoffice/components/rabbitmq/rabbitmq-amqp-service.yaml
new file mode 100644
index 0000000..7156406
--- /dev/null
+++ b/apps/onlyoffice/components/rabbitmq/rabbitmq-amqp-service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: "v1"
+kind: "Service"
+metadata:
+ name: "rabbitmq"
+spec:
+ ports:
+ - port: 5672
+ targetPort: "amqp"
+ selector:
+ app.kubernetes.io/name: "rabbitmq"
diff --git a/apps/onlyoffice/components/rabbitmq/statefulset.yaml b/apps/onlyoffice/components/rabbitmq/statefulset.yaml
new file mode 100644
index 0000000..ab4751f
--- /dev/null
+++ b/apps/onlyoffice/components/rabbitmq/statefulset.yaml
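Review bot: `AMQP_URI=amqp://guest:guest@rabbitmq/` hands the broker's built-in default account to the document server through a plain ConfigMap, and RabbitMQ by default only accepts the `guest` user from loopback (`loopback_users`), so from another pod this URI is expected to be refused unless that restriction is lifted, which would in turn leave a well-known credential usable by anything on the network. Create a dedicated user instead (`default_user`/`default_pass` in rabbitmq.conf, or the image's `RABBITMQ_DEFAULT_USER`/`RABBITMQ_DEFAULT_PASS`) sourced from a secret on the rabbitmq StatefulSet, and move `AMQP_URI` into the onlyoffice secret rather than this properties file. 00-rabbitmq.conf in this patch does not touch `loopback_users`, so as committed I would expect the connection to fail rather than succeed.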
@@ -0,0 +1,94 @@
+---
+apiVersion: "apps/v1"
+kind: "StatefulSet"
+metadata:
+ name: "rabbitmq"
+ labels:
+ app.kubernetes.io/name: "rabbitmq"
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ serviceName: "rabbitmq"
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: "rabbitmq"
+ template:
+ metadata:
+ labels:
+ app: "rabbitmq"
+ app.kubernetes.io/name: "rabbitmq"
+ app.kubernetes.io/component: "rabbitmq"
+ app.kubernetes.io/instance: "rabbitmq-prod"
+ app.kubernetes.io/part-of: "rabbitmq"
+ annotations:
+ prometheus.io/port: "15692"
+ prometheus.io/scrape: "true"
+ spec:
+ securityContext:
+ runAsUser: 31812
+ runAsGroup: 31812
+ fsGroup: 31812
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - image: "docker.io/rabbitmq:3.13.3-management-alpine"
+ name: "rabbitmq"
+ env:
+ - name: "RABBITMQ_CONFIG_FILES"
+ value: "/etc/rabbitmq/conf.d"
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 31812
+ runAsGroup: 31812
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ ports:
+ - containerPort: 4369
+ name: "epmd"
+ - containerPort: 5671
+ name: "amqp-tls"
+ - containerPort: 5672
+ name: "amqp"
+ - containerPort: 25672
+ name: "dist"
+ - containerPort: 15672
+ name: "management"
+ - containerPort: 15692
+ name: "metrics"
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "50m"
+ limits:
+ memory: "2Gi"
+ livenessProbe:
+ periodSeconds: 15
+ timeoutSeconds: 3
+ failureThreshold: 2
+ tcpSocket:
+ port: 5672
+ readinessProbe:
+ periodSeconds: 5
+ timeoutSeconds: 3
+ failureThreshold: 6
+ tcpSocket:
+ port: 5672
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/var/lib/rabbitmq"
+ - name: "config"
+ mountPath: "/etc/rabbitmq/conf.d"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "1Gi"
+ - name: "config"
+ configMap:
+ name: "rabbitmq-conf"
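Review bot: The image is the `-management-alpine` variant and the container publishes `15672` (`management`), yet this component adds no NetworkPolicy, so the management UI is reachable from any pod that can route to the pod IP regardless of the `rabbitmq` Service only exposing 5672. If the UI is not needed, the plain `docker.io/rabbitmq:3.13.3-alpine` tag drops it entirely; otherwise bind it to loopback in 00-rabbitmq.conf with `management.tcp.ip = 127.0.0.1` or restrict 15672 with a NetworkPolicy. The `prometheus.io/port: "15692"` annotation assumes the `rabbitmq_prometheus` plugin is enabled, which I believe the management image does by default but 00-rabbitmq.conf does not show; a comment on the annotation stating that dependency would help. Also note `app.kubernetes.io/part-of: "rabbitmq"` here, whereas the mariadb and redis pods key their affinity on `part-of: onlyoffice`, so this pod is not co-located with them — intentional or a copy-paste slip.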
diff --git a/apps/onlyoffice/components/rabbitmq/upsert-secret-onlyoffice-mariadb.sh b/apps/onlyoffice/components/rabbitmq/upsert-secret-onlyoffice-mariadb.sh
new file mode 100755
index 0000000..03d349b
--- /dev/null
+++ b/apps/onlyoffice/components/rabbitmq/upsert-secret-onlyoffice-mariadb.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+DB_USER="$(echo "$OUTPUT" | grep -e "^DB_USER=" | cut -d'=' -f2)"
+DB_PWD="$(echo "$OUTPUT" | grep -e "^DB_PWD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=DB_USER="${DB_USER}" \
+ --from-literal=DB_PWD="${DB_PWD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/onlyoffice/components/redis/kustomization.yaml b/apps/onlyoffice/components/redis/kustomization.yaml
new file mode 100644
index 0000000..598e53a
--- /dev/null
+++ b/apps/onlyoffice/components/redis/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - redis-deployment.yaml
+ - redis-service.yaml
+configMapGenerator:
+ - name: onlyoffice
+ behavior: merge
+ envs:
+ - onlyoffice.properties
diff --git a/apps/onlyoffice/components/redis/onlyoffice.properties b/apps/onlyoffice/components/redis/onlyoffice.properties
new file mode 100644
index 0000000..c245c0c
--- /dev/null
+++ b/apps/onlyoffice/components/redis/onlyoffice.properties
@@ -0,0 +1,2 @@
+REDIS_SERVER_HOST=redis
+REDIS_SERVER_PORT=6379
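Review bot: This file is a byte-identical copy (same blob `03d349b`) of components/mariadb/upsert-secret-onlyoffice-mariadb.sh dropped under components/rabbitmq/, and the same copy appears a third time under components/redis/ later in this patch; each produces a `DB_USER`/`DB_PWD` secret that neither the rabbitmq nor the redis component references. Since all three resolve `K8S_SECRET_NAME` and `K8S_SECRET_FILE_NAME` from contrib/variables.sh (not in this diff), they presumably write the same secret file and silently overwrite one another depending on which directory runs last. Either drop the two copies or replace them with scripts that produce the credentials these components actually need (a dedicated AMQP user, a redis password).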
diff --git a/apps/onlyoffice/components/redis/redis-deployment.yaml b/apps/onlyoffice/components/redis/redis-deployment.yaml
new file mode 100644
index 0000000..6e46551
--- /dev/null
+++ b/apps/onlyoffice/components/redis/redis-deployment.yaml
@@ -0,0 +1,68 @@
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+ name: "redis"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: "redis"
+ template:
+ metadata:
+ labels:
+ app: "redis"
+ app.kubernetes.io/name: "redis"
+ app.kubernetes.io/component: "cache"
+ app.kubernetes.io/instance: "onlyoffice-prod"
+ app.kubernetes.io/part-of: "onlyoffice"
+ spec:
+ securityContext:
+ runAsUser: 65535
+ runAsGroup: 65535
+ fsGroup: 65535
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - name: "redis"
+ image: "docker.io/library/redis:7.2.5-alpine"
+ ports:
+ - containerPort: 6379
+ name: "redis"
+ securityContext:
+ runAsUser: 65535
+ runAsGroup: 65535
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ resources:
+ requests:
+ memory: "48Mi"
+ cpu: "5m"
+ limits:
+ memory: "196Mi"
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/data"
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: "app.kubernetes.io/part-of"
+ operator: "In"
+ values:
+ - "onlyoffice"
+ topologyKey: "kubernetes.io/hostname"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "1Gi"
diff --git a/apps/onlyoffice/components/redis/redis-service.yaml b/apps/onlyoffice/components/redis/redis-service.yaml
new file mode 100644
index 0000000..e7d8218
--- /dev/null
+++ b/apps/onlyoffice/components/redis/redis-service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: "v1"
+kind: "Service"
+metadata:
+ name: "redis"
+spec:
+ selector:
+ app: "redis"
+ ports:
+ - protocol: "TCP"
+ port: 6379
+ targetPort: "redis"
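Review bot: The `redis` container is started with no `args` and no config, so there is no `requirepass` or ACL, and as far as I know the official image ships with protected mode switched off, which leaves the cache readable and writable by any pod that can reach 6379; this component adds no NetworkPolicy and the `redis` Service selects the pod cluster-wide. At minimum add a NetworkPolicy limiting ingress on 6379 to the onlyoffice pods (`app.kubernetes.io/part-of: onlyoffice`, the label the affinity term already keys on); better, set a password via `args` (`--requirepass` referencing an env var populated from a secret) and configure the matching password on the document server side instead of only `REDIS_SERVER_HOST`/`REDIS_SERVER_PORT` in the ConfigMap. `/data` on an `emptyDir` is fine for a cache but deserves a one-line comment saying persistence is intentionally absent.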
diff --git a/apps/onlyoffice/components/redis/upsert-secret-onlyoffice-mariadb.sh b/apps/onlyoffice/components/redis/upsert-secret-onlyoffice-mariadb.sh
new file mode 100755
index 0000000..03d349b
--- /dev/null
+++ b/apps/onlyoffice/components/redis/upsert-secret-onlyoffice-mariadb.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+DB_USER="$(echo "$OUTPUT" | grep -e "^DB_USER=" | cut -d'=' -f2)"
+DB_PWD="$(echo "$OUTPUT" | grep -e "^DB_PWD=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=DB_USER="${DB_USER}" \
+ --from-literal=DB_PWD="${DB_PWD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
diff --git a/apps/onlyoffice/kustomization.yaml b/apps/onlyoffice/kustomization.yaml
new file mode 100644
index 0000000..d6c42ab
--- /dev/null
+++ b/apps/onlyoffice/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - onlyoffice-deployment.yaml
+ - onlyoffice-service.yaml
+configMapGenerator:
+ - name: onlyoffice
+ envs:
+ - onlyoffice.properties
diff --git a/apps/onlyoffice/onlyoffice-deployment.yaml b/apps/onlyoffice/onlyoffice-deployment.yaml
new file mode 100644
index 0000000..6342ac4
--- /dev/null
+++ b/apps/onlyoffice/onlyoffice-deployment.yaml
@@ -0,0 +1,106 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: onlyoffice
+ labels:
+ app: onlyoffice
+ app.kubernetes.io/name: onlyoffice
+ app.kubernetes.io/instance: onlyoffice
+ app.kubernetes.io/component: app
+spec:
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app: onlyoffice
+ app.kubernetes.io/name: "onlyoffice"
+ app.kubernetes.io/instance: "onlyoffice"
+ app.kubernetes.io/component: "app"
+ template:
+ metadata:
+ labels:
+ app: "onlyoffice"
+ app.kubernetes.io/part-of: "onlyoffice"
+ app.kubernetes.io/name: "onlyoffice"
+ app.kubernetes.io/instance: "onlyoffice"
+ app.kubernetes.io/component: "app"
+ spec:
+ securityContext:
+ runAsUser: 21473
+ runAsGroup: 21473
+ fsGroup: 21473
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - name: "onlyoffice"
+ image: "onlyoffice/documentserver:8.0.1"
+ imagePullPolicy: "IfNotPresent"
+ envFrom:
+ - configMapRef:
+ name: "onlyoffice"
+ - secretRef:
+ name: "onlyoffice"
+ optional: true
+ ports:
+ - name: "onlyoffice"
+ containerPort: 8080
+ protocol: "TCP"
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 21473
+ runAsGroup: 21473
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ livenessProbe:
+ httpGet:
+ path: "/status.php"
+ port: "onlyoffice"
+ httpHeaders:
+ - name: "Host"
+ value: "onlyoffice"
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: "/status.php"
+ port: "onlyoffice"
+ httpHeaders:
+ - name: "Host"
+ value: "onlyoffice"
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "50m"
+ limits:
+ memory: "1024Mi"
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/var/www/onlyoffice/Data"
+ - name: "var-run"
+ mountPath: "/var/run"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "5Gi"
+ - name: "var-logs"
+ emptyDir:
+ sizeLimit: "1Gi"
+ - name: "var-run"
+ emptyDir:
+ sizeLimit: "1Gi"
diff --git a/apps/onlyoffice/onlyoffice-service.yaml b/apps/onlyoffice/onlyoffice-service.yaml
new file mode 100644
index 0000000..033f50a
--- /dev/null
+++ b/apps/onlyoffice/onlyoffice-service.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: onlyoffice
+ labels:
+ app: onlyoffice
+ app.kubernetes.io/name: onlyoffice
+ app.kubernetes.io/instance: onlyoffice
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: "onlyoffice"
+ selector:
+ app: onlyoffice
diff --git a/apps/onlyoffice/onlyoffice.properties b/apps/onlyoffice/onlyoffice.properties
new file mode 100644
index 0000000..badc9bd
--- /dev/null
+++ b/apps/onlyoffice/onlyoffice.properties
@@ -0,0 +1 @@
+JWT_ENABLED=true
diff --git a/apps/onlyoffice/upsert-secrets.sh b/apps/onlyoffice/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/onlyoffice/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/paperless-ngx/components/database-mariadb/kustomization.yaml b/apps/paperless-ngx/components/database-mariadb/kustomization.yaml
new file mode 100644
index 0000000..cb25171
--- /dev/null
+++ b/apps/paperless-ngx/components/database-mariadb/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+configMapGenerator:
+ - name: paperless-config
+ behavior: merge
+ literals:
+ - PAPERLESS_DBENGINE=mariadb
+ - PAPERLESS_DBPORT=3306
+ - PAPERLESS_DBNAME=paperless
+ - PAPERLESS_DBSSLMODE=VERIFY_IDENTITY
diff --git a/apps/paperless-ngx/components/database-mariadb/upsert-secret-paperless-ngx-database-mariadb.sh b/apps/paperless-ngx/components/database-mariadb/upsert-secret-paperless-ngx-database-mariadb.sh
new file mode 100755
index 0000000..0da3092
--- /dev/null
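Review bot: Both probes in onlyoffice-deployment.yaml request `/status.php` with `Host: onlyoffice`, which is the Nextcloud probe carried over; the ONLYOFFICE document server does not serve that path (its health endpoint is `/healthcheck`), so as written the pod never becomes Ready and is restarted by the liveness probe — `path: "/healthcheck"` in both probes, without the `httpHeaders` block. The `var-logs` volume in the `volumes` list is never mounted by the container, and with `readOnlyRootFilesystem: true`, uid `21473` and `containerPort: 8080` (the stock image's nginx listens on 80, I believe) I doubt the `onlyoffice/documentserver:8.0.1` image starts at all under this spec; please confirm it has come up once with it, and either mount `var-logs` where the image writes logs or drop it. `JWT_ENABLED=true` in onlyoffice.properties depends on `JWT_SECRET` arriving from the `onlyoffice` secret, but that `secretRef` is `optional: true`, so a missing secret silently falls back to whatever the image does without one; making that secretRef non-optional is the safer default here.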
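Review bot: `PAPERLESS_DBSSLMODE=VERIFY_IDENTITY` in the database-mariadb component is the right mode, but it only works with a `PAPERLESS_DBHOST` to connect to and a CA the client can verify the server certificate against, and neither appears in this component (the upsert script beside it only supplies `PAPERLESS_DBUSER`/`PAPERLESS_DBPASS`); presumably the host and the CA (`PAPERLESS_DBSSLROOTCERT`, or the image's system trust store) are set elsewhere. A comment on the `PAPERLESS_DBSSLMODE` literal saying where host and CA come from would spare the next reader a failing startup, e.g. `# VERIFY_IDENTITY needs PAPERLESS_DBHOST and a trusted CA; both are supplied by <overlay name placeholder>`.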
+++ b/apps/paperless-ngx/components/database-mariadb/upsert-secret-paperless-ngx-database-mariadb.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+PAPERLESS_DBUSER="$(echo "$OUTPUT" | grep -e "^PAPERLESS_DBUSER=" | cut -d'=' -f2)"
+PAPERLESS_DBPASS="$(echo "$OUTPUT" | grep -e "^PAPERLESS_DBPASS=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=PAPERLESS_DBUSER="${PAPERLESS_DBUSER}" \
+ --from-literal=PAPERLESS_DBPASS="${PAPERLESS_DBPASS}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/paperless-ngx/components/istio-proxy/kustomization.yaml b/apps/paperless-ngx/components/istio-proxy/kustomization.yaml
new file mode 100644
index 0000000..d81b08d
--- /dev/null
+++ b/apps/paperless-ngx/components/istio-proxy/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+patches:
+ - target:
+ kind: "Namespace"
+ patch: |-
+ - op: add
+ path: "/metadata/labels/istio-injection"
+ value: "enabled"
diff --git a/apps/paperless-ngx/components/istio/istio-virtualservice.yaml b/apps/paperless-ngx/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..b24ff2e
--- /dev/null
+++ b/apps/paperless-ngx/components/istio/istio-virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: paperless-ngx
+spec:
+ hosts:
+ - paperless-ngx.local
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: paperless-ngx
+ port:
+ number: 80
diff --git a/apps/paperless-ngx/components/istio/kustomization.yaml b/apps/paperless-ngx/components/istio/kustomization.yaml
new file mode 100644
index 0000000..5e37d63
--- /dev/null
+++ b/apps/paperless-ngx/components/istio/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
diff --git a/apps/paperless-ngx/components/oidc/kustomization.yaml b/apps/paperless-ngx/components/oidc/kustomization.yaml
new file mode 100644
index 0000000..44e067c
--- /dev/null
+++ b/apps/paperless-ngx/components/oidc/kustomization.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+configMapGenerator:
+ - name: oauth2-proxy
+ behavior: merge # TODO: https://github.com/kubernetes-sigs/kustomize/issues/4402
+ envs:
+ - oauth2-proxy.properties
+ - name: paperless-config
+ behavior: merge
+ envs:
+ - paperless.properties
+patches:
+ - target:
+ kind: Deployment
+ name: paperless-ngx
+ path: oauth2-proxy-deployment.yaml
+ - target:
+ kind: Service
+ name: paperless-ngx
+ patch: |
+ - op: replace
+ path: /spec/ports/0/targetPort
+ value: 4180
+ - target:
+ kind: NetworkPolicy
+ patch: |-
+ - op: replace
+ path: /spec/ingress/0/ports/0/port
+ value: oauth2-proxy
diff --git a/apps/paperless-ngx/components/oidc/oauth2-proxy-deployment.yaml b/apps/paperless-ngx/components/oidc/oauth2-proxy-deployment.yaml
new file mode 100644
index 0000000..18e06a0
--- /dev/null
+++ b/apps/paperless-ngx/components/oidc/oauth2-proxy-deployment.yaml
@@ -0,0 +1,42 @@
+---
+- op: add
+ path: /spec/template/spec/containers/-
+ value:
+ name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+ envFrom:
+ - configMapRef:
+ name: oauth2-proxy
+ - secretRef:
+ name: oauth2-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: [all]
+ runAsUser: 65532
+ runAsGroup: 65532
+ resources:
+ requests:
+ memory: "16Mi"
+ cpu: "5m"
+ limits:
+ memory: "64Mi"
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: oauth2-proxy
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: oauth2-proxy
+ initialDelaySeconds: 2
+ ports:
+ - containerPort: 4180
+ name: oauth2-proxy
diff --git a/apps/paperless-ngx/components/oidc/oauth2-proxy.properties b/apps/paperless-ngx/components/oidc/oauth2-proxy.properties
new file mode 100644
index 0000000..79352d2
--- /dev/null
+++ b/apps/paperless-ngx/components/oidc/oauth2-proxy.properties
@@ -0,0 +1,7 @@
+OAUTH2_PROXY_PROVIDER=keycloak-oidc
+OAUTH2_PROXY_EMAIL_DOMAINS=*
+OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
+OAUTH2_PROXY_UPSTREAMS=http://localhost:8000
+OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
+OAUTH2_PROXY_SILENCE_PING_LOGGING=true
+OAUTH2_PROXY_FOOTER=-
diff --git a/apps/paperless-ngx/components/oidc/paperless.properties b/apps/paperless-ngx/components/oidc/paperless.properties
new file mode 100644
index 0000000..a8ce5c3
--- /dev/null
+++ b/apps/paperless-ngx/components/oidc/paperless.properties
@@ -0,0 +1,4 @@
+PAPERLESS_ENABLE_HTTP_REMOTE_USER=true
+PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=HTTP_X_FORWARDED_PREFERRED_USERNAME
+PAPERLESS_USE_X_FORWARD_HOST=true
+PAPERLESS_USE_X_FORWARD_PORT=true
\ No newline at end of file
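Review bot: `drop: [all]` spells the capability in lowercase while every other container in this commit writes `ALL`; I am not certain the lowercase form satisfies the Pod Security `restricted` check for dropping all capabilities, so `drop: ["ALL"]` keeps the sidecar on the same footing as its siblings. The rest of the container's securityContext matches the hardening used elsewhere in the diff.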
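Review bot: `OAUTH2_PROXY_EMAIL_DOMAINS=*` admits every account the Keycloak realm authenticates, so authorization for paperless lives entirely in Keycloak's client configuration and nothing on this side records that decision. A comment makes it visible: `# any authenticated realm user is admitted; restrict who may log in on the Keycloak client, not here`. The same key is also written into the oauth2-proxy Secret by upsert-secret-paperless-ngx-oidc.sh even though it is not sensitive; keeping it only in this file avoids the two copies drifting apart.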
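Review bot: `PAPERLESS_ENABLE_HTTP_REMOTE_USER=true` makes paperless log in whoever the `X-Forwarded-Preferred-Username` header names, so the setting is only safe while port 8000 is reachable exclusively through the oauth2-proxy container in the same pod. What enforces that here is the component's NetworkPolicy patch in kustomization.yaml switching the gateway ingress port to `oauth2-proxy`, and nothing in this file says so. Add `# trusts the username header unconditionally: safe only because the NetworkPolicy (patched in kustomization.yaml) admits gateway traffic to the oauth2-proxy port alone` so the dependency survives the next edit of either file.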
diff --git a/apps/paperless-ngx/components/oidc/upsert-secret-paperless-ngx-oidc.sh b/apps/paperless-ngx/components/oidc/upsert-secret-paperless-ngx-oidc.sh
new file mode 100755
index 0000000..d9dd309
--- /dev/null
+++ b/apps/paperless-ngx/components/oidc/upsert-secret-paperless-ngx-oidc.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OAUTH2_PROXY_CLIENT_ID="paperless-ngx"
+TF_VALUE=$(terraform -chdir=../../../../tf-keycloak output -json clients | jq -r '.["'"${OAUTH2_PROXY_CLIENT_ID}"'"]')
+OAUTH2_PROXY_CLIENT_SECRET=$(echo "$TF_VALUE" | jq -r '.client_secret')
+OAUTH2_PROXY_COOKIE_SECRET="$(openssl rand -base64 32 | tr -- '+/' '-_')"
+OAUTH2_PROXY_EMAIL_DOMAINS="*"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=OAUTH2_PROXY_COOKIE_SECRET="${OAUTH2_PROXY_COOKIE_SECRET}" \
+ --from-literal=OAUTH2_PROXY_CLIENT_ID="${OAUTH2_PROXY_CLIENT_ID}" \
+ --from-literal=OAUTH2_PROXY_CLIENT_SECRET="${OAUTH2_PROXY_CLIENT_SECRET}" \
+ --from-literal=OAUTH2_PROXY_EMAIL_DOMAINS="${OAUTH2_PROXY_EMAIL_DOMAINS}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/paperless-ngx/components/pvc/kustomization.yaml b/apps/paperless-ngx/components/pvc/kustomization.yaml
new file mode 100644
index 0000000..4263b94
--- /dev/null
+++ b/apps/paperless-ngx/components/pvc/kustomization.yaml
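Review bot: `jq -r '.client_secret'` prints the string `null` when the client is missing from the terraform output, and neither `set -e` nor `pipefail` notices, so the script would seal a Secret whose client secret is the literal `null`; guard it with `[ -n "$OAUTH2_PROXY_CLIENT_SECRET" ] && [ "$OAUTH2_PROXY_CLIENT_SECRET" != "null" ] || exit 1` (components/restic-pvc/upsert-secret-paperless-ngx-restic-pvc.sh has the same gap for `.id` and `.secret`). `terraform -chdir=../../../../tf-keycloak` is relative to the caller's working directory while the header above resolves everything from `git rev-parse --show-toplevel`; anchoring the path the same way keeps the script runnable from anywhere. OAUTH2_PROXY_COOKIE_SECRET is regenerated on every run, which signs out every existing session at each upsert — worth a comment if that is intended.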
@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - paperless-pvc-consumption.yaml
+ - paperless-pvc-storage.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: paperless-ngx
+ patch: |-
+ - op: replace
+ path: /spec/template/spec/volumes/0
+ value:
+ name: storage
+ persistentVolumeClaim:
+ claimName: paperless-ngx-storage
+ - op: replace
+ path: /spec/template/spec/volumes/1
+ value:
+ name: consumption
+ persistentVolumeClaim:
+ claimName: paperless-ngx-consumption
diff --git a/apps/paperless-ngx/components/pvc/paperless-pvc-consumption.yaml b/apps/paperless-ngx/components/pvc/paperless-pvc-consumption.yaml
new file mode 100644
index 0000000..af67700
--- /dev/null
+++ b/apps/paperless-ngx/components/pvc/paperless-pvc-consumption.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolumeClaim"
+metadata:
+ name: "paperless-ngx-consumption"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "512Mi"
diff --git a/apps/paperless-ngx/components/pvc/paperless-pvc-storage.yaml b/apps/paperless-ngx/components/pvc/paperless-pvc-storage.yaml
new file mode 100644
index 0000000..13c56d0
--- /dev/null
+++ b/apps/paperless-ngx/components/pvc/paperless-pvc-storage.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolumeClaim"
+metadata:
+ name: "paperless-ngx-storage"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "15Gi"
diff --git a/apps/paperless-ngx/components/restic-pvc/kustomization.yaml b/apps/paperless-ngx/components/restic-pvc/kustomization.yaml
new file mode 100644
index 0000000..2f5a525
--- /dev/null
+++ b/apps/paperless-ngx/components/restic-pvc/kustomization.yaml
@@ -0,0 +1,66 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - ../../../../infra/restic-pvc
+configMapGenerator:
+ - name: "paperless-ngx-restic-pvc"
+ literals:
+ - "RETENTION_DAYS=7"
+ - "RETENTION_WEEKS=4"
+ - "RETENTION_MONTHS=6"
+ - "RESTIC_TARGETS=/mnt/data"
+ - "RESTIC_BACKUP_ID=paperless-ngx"
+patches:
+ - target:
+ kind: "CronJob"
+ name: "restic-pvc-backup"
+ patch: |-
+ - op: "replace"
+ path: "/spec/schedule"
+ value: "5 6 * * *"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "paperless-ngx"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsUser"
+ value: 1000
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsGroup"
+ value: 1000
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/securityContext/fsGroup"
+ value: 1000
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsUser"
+ value: 1000
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsGroup"
+ value: 1000
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "paperless-ngx-restic-pvc"
+ - secretRef:
+ name: "paperless-ngx-restic-pvc"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/volumes/0/persistentVolumeClaim/claimName"
+ value: "paperless-ngx-storage"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/volumeMounts/0/mountPath"
+ value: "/mnt/data"
+ - target:
+ kind: "CronJob"
+ name: "restic-pvc-prune"
+ patch: |-
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "paperless-ngx"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "paperless-ngx-restic-pvc"
+ - secretRef:
+ name: "paperless-ngx-restic-pvc"
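Review bot: RESTIC_BACKUP_ID is defined twice for the backup and prune jobs — as the literal `RESTIC_BACKUP_ID=paperless-ngx` in this ConfigMap and again in the `paperless-ngx-restic-pvc` Secret written by upsert-secret-paperless-ngx-restic-pvc.sh from `K8S_APP_SUB` — and both reach the container through `envFrom`, where the later source takes precedence. If the two ever disagree the Secret silently wins; keeping the id only in the ConfigMap (it is not sensitive) removes the ambiguity. The backup job also mounts the same ReadWriteOnce `paperless-ngx-storage` claim the running Deployment uses, which presumably only schedules when both land on the same node — confirm the base CronJob in infra/restic-pvc accounts for that, since nothing in this patch pins it.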
diff --git a/apps/paperless-ngx/components/restic-pvc/upsert-secret-paperless-ngx-restic-pvc.sh b/apps/paperless-ngx/components/restic-pvc/upsert-secret-paperless-ngx-restic-pvc.sh
new file mode 100755
index 0000000..18b7aa3
--- /dev/null
+++ b/apps/paperless-ngx/components/restic-pvc/upsert-secret-paperless-ngx-restic-pvc.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+BACKUP_ID="${K8S_APP_SUB}"
+S3_DIR="restic-${BACKUP_ID}"
+TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]')
+AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id')
+AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret')
+RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}"
+RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \
+ --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \
+ --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/paperless-ngx/components/tika/gotenberg-deployment.yaml b/apps/paperless-ngx/components/tika/gotenberg-deployment.yaml
new file mode 100644
index 0000000..90f4911
--- /dev/null
+++ b/apps/paperless-ngx/components/tika/gotenberg-deployment.yaml
@@ -0,0 +1,80 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gotenberg
+ namespace: paperless-ngx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: gotenberg
+ template:
+ metadata:
+ labels:
+ app: gotenberg
+ app.kubernetes.io/name: gotenberg
+ app.kubernetes.io/component: gotenberg
+ app.kubernetes.io/instance: paperless-ngx-prod
+ app.kubernetes.io/part-of: paperless-ngx
+ annotations:
+ prometheus.io/port: "3000"
+ prometheus.io/scrape: "true"
+ spec:
+ securityContext:
+ runAsUser: 36543
+ runAsGroup: 36543
+ fsGroup: 36543
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: gotenberg
+ image: gotenberg/gotenberg:8.7.0
+ args:
+ - gotenberg
+ - "--log-level=warn"
+ ports:
+ - containerPort: 3000
+ name: gotenberg
+ securityContext:
+ privileged: false
+ runAsNonRoot: true
+ runAsUser: 36543
+ runAsGroup: 36543
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "25m"
+ limits:
+ memory: "256Mi"
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: gotenberg
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: gotenberg
+ initialDelaySeconds: 15
+ periodSeconds: 15
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/part-of
+ operator: In
+ values:
+ - paperless-ngx
+ topologyKey: kubernetes.io/hostname
diff --git a/apps/paperless-ngx/components/tika/gotenberg-service.yaml b/apps/paperless-ngx/components/tika/gotenberg-service.yaml
new file mode 100644
index 0000000..e6ba601
--- /dev/null
+++ b/apps/paperless-ngx/components/tika/gotenberg-service.yaml
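Review bot: gotenberg runs with `readOnlyRootFilesystem: true` but, unlike the tika Deployment beside it, gets no writable volume at all, so any conversion that needs scratch space (the Chromium and LibreOffice backends work through temp files, as far as I know) is likely to fail at runtime rather than at rollout. Mount an emptyDir at /tmp the way tika does; the size in the excerpt is a placeholder. The pod-level securityContext also omits the `runAsNonRoot: true` that tika sets at pod level — a consistency nit, since the container level has it.
```yaml
          # … unchanged: probes …
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      # … unchanged: affinity …
      volumes:
        - name: tmp
          emptyDir:
            sizeLimit: 256Mi  # placeholder size, tune to the largest document expected
```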
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: gotenberg
+ namespace: paperless-ngx
+spec:
+ selector:
+ app: gotenberg
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: gotenberg
diff --git a/apps/paperless-ngx/components/tika/kustomization.yaml b/apps/paperless-ngx/components/tika/kustomization.yaml
new file mode 100644
index 0000000..b389f03
--- /dev/null
+++ b/apps/paperless-ngx/components/tika/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - gotenberg-deployment.yaml
+ - gotenberg-service.yaml
+ - tika-deployment.yaml
+ - tika-service.yaml
+configMapGenerator:
+ - name: paperless-config
+ behavior: merge
+ envs:
+ - paperless.properties
diff --git a/apps/paperless-ngx/components/tika/paperless.properties b/apps/paperless-ngx/components/tika/paperless.properties
new file mode 100644
index 0000000..504bb21
--- /dev/null
+++ b/apps/paperless-ngx/components/tika/paperless.properties
@@ -0,0 +1,3 @@
+PAPERLESS_TIKA_ENABLED=true
+PAPERLESS_TIKA_ENDPOINT=http://tika
+PAPERLESS_TIKA_GOTENBERG_ENDPOINT=http://gotenberg
diff --git a/apps/paperless-ngx/components/tika/tika-deployment.yaml b/apps/paperless-ngx/components/tika/tika-deployment.yaml
new file mode 100644
index 0000000..40be03c
--- /dev/null
+++ b/apps/paperless-ngx/components/tika/tika-deployment.yaml
@@ -0,0 +1,86 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tika
+ namespace: paperless-ngx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tika
+ template:
+ metadata:
+ labels:
+ app: tika
+ app.kubernetes.io/name: tika
+ app.kubernetes.io/component: tika
+ app.kubernetes.io/instance: paperless-ngx-prod
+ app.kubernetes.io/part-of: paperless-ngx
+ spec:
+ securityContext:
+ runAsUser: 35002
+ runAsGroup: 35002
+ fsGroup: 35002
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: tika
+ image: apache/tika:2.9.2.1
+ ports:
+ - containerPort: 9998
+ name: tika
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 35002
+ runAsGroup: 35002
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "25m"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /
+ port: tika
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /
+ port: tika
+ initialDelaySeconds: 15
+ periodSeconds: 15
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/part-of
+ operator: In
+ values:
+ - paperless-ngx
+ topologyKey: kubernetes.io/hostname
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: location
+ whenUnsatisfiable: ScheduleAnyway
+ volumes:
+ - name: tmp
+ emptyDir:
+ sizeLimit: 50Mi
diff --git a/apps/paperless-ngx/components/tika/tika-service.yaml b/apps/paperless-ngx/components/tika/tika-service.yaml
new file mode 100644
index 0000000..ec6422b
--- /dev/null
+++ b/apps/paperless-ngx/components/tika/tika-service.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tika
+ namespace: paperless-ngx
+spec:
+ selector:
+ app: tika
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: tika
diff --git a/apps/paperless-ngx/kustomization.yaml b/apps/paperless-ngx/kustomization.yaml
new file mode 100644
index 0000000..2bee6e4
--- /dev/null
+++ b/apps/paperless-ngx/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - networkpolicy.yaml
+ - paperless-ngx-cm-fixed-entrypoint-script.yaml
+ - paperless-ngx-deployment.yaml
+ - paperless-ngx-service.yaml
+ - redis-service.yaml
+ - redis-deployment.yaml
+configMapGenerator:
+ - name: paperless-config
+ envs:
+ - paperless.properties
diff --git a/apps/paperless-ngx/networkpolicy.yaml b/apps/paperless-ngx/networkpolicy.yaml
new file mode 100644
index 0000000..07927ee
--- /dev/null
+++ b/apps/paperless-ngx/networkpolicy.yaml
@@ -0,0 +1,77 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: paperless-ngx
+spec:
+ podSelector: {} # Selects all pods in the same namespace
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: paperless-ngx
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: istio-system
+ podSelector:
+ matchLabels:
+ istio: ingressgateway
+ - ports:
+ - protocol: TCP
+ port: gotenberg
+ - protocol: TCP
+ port: redis
+ - protocol: TCP
+ port: tika
+ from:
+ - podSelector:
+ matchLabels:
+ app: paperless-ngx
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 192.168.0.0/16
+ ports:
+ - port: 3306
+ protocol: TCP
+ - port: 3307
+ protocol: TCP
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: keycloak
+ - ipBlock:
+ cidr: 192.168.65.0/24
+ - ipBlock:
+ cidr: 192.168.2.0/24
+ - ipBlock:
+ cidr: 192.168.73.0/24
+ ports:
+ - port: 443
+ protocol: TCP
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector: {}
+ ports:
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+ - to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: istio-system
+ podSelector: {}
+ ports:
+ - port: 15012
+ protocol: TCP
diff --git a/apps/paperless-ngx/paperless-ngx-cm-fixed-entrypoint-script.yaml b/apps/paperless-ngx/paperless-ngx-cm-fixed-entrypoint-script.yaml
new file mode 100644
index 0000000..99e10c4
--- /dev/null
+++ b/apps/paperless-ngx/paperless-ngx-cm-fixed-entrypoint-script.yaml
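Review bot: With `Egress` in `policyTypes`, nothing in this file lets the paperless-ngx pod reach redis (6379), tika (9998) or gotenberg (3000) in its own namespace: the egress rules cover 192.168.0.0/16 on 3306/3307 only, keycloak plus three /24s on 443, DNS, and istiod on 15012, and none of the paperless components in this commit add an in-namespace rule, so unless a CNI quirk admits pod IPs through the ipBlock (and the port filter would still block it) the three dependencies are unreachable from paperless. The second ingress rule already anticipates exactly that traffic, so the matching egress rule below is what is missing; verify against the CNI in use. Separately, the fourth egress rule (`namespaceSelector: {}` with `k8s-app: kube-dns`) has no `ports`, so it allows every port to kube-dns pods in any namespace while the rule above it already permits 53/TCP+UDP to kube-system — give it the same `ports` or drop it. The database rule's `192.168.0.0/16` is also far wider than a database host; narrowing it to the DB address or subnet costs nothing.
```yaml
  egress:
    # … unchanged: existing rules …
    - to:
        - podSelector:
            matchExpressions:
              - key: app
                operator: In
                values: [redis, tika, gotenberg]
      ports:
        - port: 6379
          protocol: TCP
        - port: 9998
          protocol: TCP
        - port: 3000
          protocol: TCP
```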
@@ -0,0 +1,20 @@
+---
+apiVersion: "v1"
+kind: "ConfigMap"
+metadata:
+ name: "entrypoint-script"
+data:
+ paperless_cmd.sh: |
+ #!/usr/bin/env bash
+ rootless_args=()
+ if [ "$(id -u)" == "$(id -u paperless)" ]; then
+ rootless_args=(
+ --user
+ paperless
+ --logfile
+ /tmp/supervisord.log
+ --pidfile
+ /tmp/supervisord.pid
+ )
+ fi
+ exec /usr/local/bin/supervisord -c /etc/supervisord.conf "${rootless_args[@]}"
diff --git a/apps/paperless-ngx/paperless-ngx-deployment.yaml b/apps/paperless-ngx/paperless-ngx-deployment.yaml
new file mode 100644
index 0000000..ae1dad9
--- /dev/null
+++ b/apps/paperless-ngx/paperless-ngx-deployment.yaml
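Review bot: The ConfigMap replaces the image's `paperless_cmd.sh` without saying why, and the file name (`cm-fixed-entrypoint-script`) hints at a workaround that a later image bump may make obsolete or quietly break, since the Deployment mounts it over `/usr/local/bin/paperless_cmd.sh` unconditionally. Presumably the point is that the container starts directly as the `paperless` UID on a read-only root filesystem, so supervisord has to be told to put its log and pid file in the `/tmp` emptyDir — confirm that and record it at the top of the script, e.g. `# replaces the image entrypoint: when already running as the paperless user, point supervisord's log/pid at /tmp (rootfs is read-only)`, together with the paperless-ngx version the script was copied from.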
@@ -0,0 +1,105 @@
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+ name: "paperless-ngx"
+ labels:
+ app: "paperless-ngx"
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: "paperless-ngx"
+ template:
+ metadata:
+ labels:
+ app: "paperless-ngx"
+ app.kubernetes.io/name: "paperless-ngx"
+ app.kubernetes.io/component: "paperless-ngx"
+ app.kubernetes.io/instance: "paperless-ngx-prod"
+ app.kubernetes.io/part-of: "paperless-ngx"
+ spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - name: "paperless-ngx"
+ image: "ghcr.io/paperless-ngx/paperless-ngx:2.10.2"
+ imagePullPolicy: "IfNotPresent"
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "50m"
+ limits:
+ memory: "1024Mi"
+ ports:
+ - containerPort: 8000
+ name: "paperless-ngx"
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ env:
+ - name: "USERMAP_UID"
+ value: "1000"
+ - name: "USERMAP_GID"
+ value: "1000"
+ envFrom:
+ - configMapRef:
+ name: "paperless-config"
+ - secretRef:
+ name: "paperless"
+ optional: true
+ livenessProbe:
+ httpGet:
+ path: "/"
+ port: "paperless-ngx"
+ initialDelaySeconds: 30
+ readinessProbe:
+ httpGet:
+ path: "/"
+ port: "paperless-ngx"
+ initialDelaySeconds: 5
+ startupProbe:
+ httpGet:
+ path: "/"
+ port: "paperless-ngx"
+ failureThreshold: 60
+ periodSeconds: 10
+ volumeMounts:
+ - name: "entrypoint"
+ mountPath: "/usr/local/bin/paperless_cmd.sh"
+ subPath: "paperless_cmd.sh"
+ - name: "storage"
+ mountPath: "/mnt/data"
+ - name: "consumption"
+ mountPath: "/mnt/consume"
+ - name: "tmp"
+ mountPath: "/tmp"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "5Gi"
+ - name: "consumption"
+ emptyDir:
+ sizeLimit: "512Mi"
+ - name: "tmp"
+ emptyDir:
+ sizeLimit: "5Mi"
+ - name: "entrypoint"
+ configMap:
+ name: "entrypoint-script"
+ defaultMode: 365
diff --git a/apps/paperless-ngx/paperless-ngx-service.yaml b/apps/paperless-ngx/paperless-ngx-service.yaml
new file mode 100644
index 0000000..c1dee45
--- /dev/null
+++ b/apps/paperless-ngx/paperless-ngx-service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: "v1"
+kind: "Service"
+metadata:
+ name: "paperless-ngx"
+spec:
+ ports:
+ - port: 80
+ targetPort: "paperless-ngx"
+ selector:
+ app: "paperless-ngx"
diff --git a/apps/paperless-ngx/paperless.properties b/apps/paperless-ngx/paperless.properties
new file mode 100644
index 0000000..bfcc318
--- /dev/null
+++ b/apps/paperless-ngx/paperless.properties
@@ -0,0 +1,9 @@
+PAPERLESS_REDIS=redis://redis:6379
+PAPERLESS_TIME_ZONE=Europe/Berlin
+PAPERLESS_CONSUMPTION_DIR=/mnt/consume
+PAPERLESS_DATA_DIR=/mnt/data/data
+PAPERLESS_MEDIA_ROOT=/mnt/data/media
+PAPERLESS_OCR_LANGUAGE=deu+eng
+PAPERLESS_TASK_WORKERS=2
+PAPERLESS_CONVERT_MEMORY_LIMIT=512
+PAPERLESS_ENABLE_UPDATE_CHECK=false
\ No newline at end of file
diff --git a/apps/paperless-ngx/redis-deployment.yaml b/apps/paperless-ngx/redis-deployment.yaml
new file mode 100644
index 0000000..b1dca88
--- /dev/null
+++ b/apps/paperless-ngx/redis-deployment.yaml
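Review bot: `optional: true` on the `paperless` secretRef lets the pod start when the Secret is absent or misnamed, and paperless-ngx then runs with whatever default it has for PAPERLESS_SECRET_KEY (as far as I know the setting carries a hard-coded fallback), so a missing Secret degrades silently to a publicly known Django secret instead of a failed rollout. Drop `optional: true`, or pull PAPERLESS_SECRET_KEY through an explicit `env` entry with a non-optional `secretKeyRef` so that at least that key is mandatory while the rest of the Secret stays optional. This Deployment hunk is split across two lines of the page; the `volumes` list above belongs to it.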
@@ -0,0 +1,68 @@
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+ name: "redis"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: "redis"
+ template:
+ metadata:
+ labels:
+ app: "redis"
+ app.kubernetes.io/name: "redis"
+ app.kubernetes.io/component: "cache"
+ app.kubernetes.io/instance: "paperless-ngx-prod"
+ app.kubernetes.io/part-of: "paperless-ngx"
+ spec:
+ securityContext:
+ runAsUser: 65535
+ runAsGroup: 65535
+ fsGroup: 65535
+ seccompProfile:
+ type: "RuntimeDefault"
+ containers:
+ - name: "redis"
+ image: "docker.io/library/redis:7.2.5-alpine"
+ ports:
+ - containerPort: 6379
+ name: "redis"
+ securityContext:
+ runAsUser: 65535
+ runAsGroup: 65535
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: "RuntimeDefault"
+ capabilities:
+ drop:
+ - "ALL"
+ resources:
+ requests:
+ memory: "48Mi"
+ cpu: "5m"
+ limits:
+ memory: "196Mi"
+ volumeMounts:
+ - name: "storage"
+ mountPath: "/data"
+ affinity:
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: "app.kubernetes.io/part-of"
+ operator: "In"
+ values:
+ - "paperless-ngx"
+ topologyKey: "kubernetes.io/hostname"
+ volumes:
+ - name: "storage"
+ emptyDir:
+ sizeLimit: "1Gi"
diff --git a/apps/paperless-ngx/redis-service.yaml b/apps/paperless-ngx/redis-service.yaml
new file mode 100644
index 0000000..d31f9f9
--- /dev/null
+++ b/apps/paperless-ngx/redis-service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: "v1"
+kind: "Service"
+metadata:
+ name: "redis"
+spec:
+ selector:
+ app: "redis"
+ ports:
+ - protocol: "TCP"
+ port: 6379
+ targetPort: 6379
diff --git a/apps/paperless-ngx/upsert-secret-paperless-ngx.sh b/apps/paperless-ngx/upsert-secret-paperless-ngx.sh
new file mode 100755
index 0000000..eceb46f
--- /dev/null
+++ b/apps/paperless-ngx/upsert-secret-paperless-ngx.sh
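Review bot: redis runs with its image defaults and no authentication (`PAPERLESS_REDIS=redis://redis:6379` in paperless.properties carries no password), so the only thing keeping other workloads out is the NetworkPolicy ingress rule that admits `app: paperless-ngx` pods to the `redis` port. That is a defensible choice for a single-tenant namespace, but it should be written next to the container so the policy is not loosened without anyone noticing: `# no AUTH configured: access relies on networkpolicy.yaml (ingress from app=paperless-ngx only)`. Data in the 1Gi emptyDir is gone whenever the pod is replaced, which is fine for a task broker but belongs in the same comment.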
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+OUTPUT=$(pass ${K8S_PASS_PATH})
+
+PAPERLESS_DBUSER="$(echo "$OUTPUT" | grep -e "^PAPERLESS_DBUSER=" | cut -d'=' -f2)"
+PAPERLESS_DBPASS="$(echo "$OUTPUT" | grep -e "^PAPERLESS_DBPASS=" | cut -d'=' -f2)"
+PAPERLESS_ADMIN_USER="$(echo "$OUTPUT" | grep -e "^PAPERLESS_ADMIN_USER=" | cut -d'=' -f2)"
+PAPERLESS_ADMIN_PASSWORD="$(echo "$OUTPUT" | grep -e "^PAPERLESS_ADMIN_PASSWORD=" | cut -d'=' -f2)"
+PAPERLESS_SECRET_KEY="$(echo "$OUTPUT" | grep -e "^PAPERLESS_SECRET_KEY=" | cut -d'=' -f2)"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=PAPERLESS_ADMIN_USER="${PAPERLESS_ADMIN_USER}" \
+ --from-literal=PAPERLESS_ADMIN_PASSWORD="${PAPERLESS_ADMIN_PASSWORD}" \
+ --from-literal=PAPERLESS_DBUSER="${PAPERLESS_DBUSER}" \
+ --from-literal=PAPERLESS_DBPASS="${PAPERLESS_DBPASS}" \
+ --from-literal=PAPERLESS_SECRET_KEY="${PAPERLESS_SECRET_KEY}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/paperless-ngx/upsert-secrets.sh b/apps/paperless-ngx/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/paperless-ngx/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/pydio/deployment.yaml b/apps/pydio/deployment.yaml
new file mode 100644
index 0000000..90852d9
--- /dev/null
+++ b/apps/pydio/deployment.yaml
@@ -0,0 +1,83 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pydio
+ labels:
+ app.kubernetes.io/name: pydio
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: pydio
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: pydio
+ app.kubernetes.io/instance: pydio-prod
+ app.kubernetes.io/component: pydio
+ app.kubernetes.io/part-of: pydio
+ annotations:
+ prometheus.io/port: "3100"
+ prometheus.io/scrape: "true"
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 10001
+ runAsGroup: 10001
+ fsGroup: 10001
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: pydio
+ image: pydio/cells:4.4.0
+ ports:
+ - name: pydio
+ containerPort: 8080
+ protocol: TCP
+ - name: grpc
+ containerPort: 33060
+ protocol: TCP
+ env:
+ - name: CELLS_GRPC_EXTERNAL
+ value: "33060"
+ - name: CELLS_LOG_LEVEL
+ value: production
+ - name: CELLS_WORKING_DIR
+ value: /data
+ - name: CELLS_SITE_EXTERNAL
+ value: https://pydio.svc.dd.soeren.cloud
+ - name: CELLS_SITE_NO_TLS
+ value: "1"
+ securityContext:
+ privileged: false
+ runAsNonRoot: true
+ runAsUser: 10001
+ runAsGroup: 10001
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "10m"
+ limits:
+ memory: "1024Mi"
+ volumeMounts:
+ - name: minio
+ mountPath: /.minio
+ - name: storage
+ mountPath: /data
+ volumes:
+ - name: storage
+ persistentVolumeClaim:
+ claimName: pydio
+ - name: minio
+ emptyDir:
+ sizeLimit: 5Mi
diff --git a/apps/pydio/namespace.yaml b/apps/pydio/namespace.yaml
new file mode 100644
index 0000000..463de11
--- /dev/null
+++ b/apps/pydio/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: pydio
+ labels:
+ name: pydio
diff --git a/apps/pydio/pv.yaml b/apps/pydio/pv.yaml
new file mode 100644
index 0000000..ab603a7
--- /dev/null
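Review bot: As far as this commit shows, apps/pydio ships no NetworkPolicy and no kustomization.yaml (its files run deployment → namespace → pv → pvc → service → upsert-secrets.sh → virtualservice), whereas paperless-ngx gets a policy for both directions; the pydio pod, which exposes 8080 and the gRPC port 33060, would be reachable from any pod in the cluster. If the policy lives elsewhere, a pointer in this Deployment would help; otherwise a policy modelled on the paperless one (gateway ingress only, egress limited to DNS and the dependencies pydio actually needs) belongs in the same directory. A smaller inconsistency: pvc.yaml sets `namespace: pydio` while this Deployment and the Service do not, so they only meet in the same namespace when the caller applies them with `-n pydio` or a kustomize namespace.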
+++ b/apps/pydio/pv.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: pydio
+spec:
+ accessModes:
+ - ReadWriteOnce
+ capacity:
+ storage: 50Gi
+ storageClassName: local-storage
+ local:
+ path: /mnt/k8s/pydio
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - k8s.dd.soeren.cloud
diff --git a/apps/pydio/pvc.yaml b/apps/pydio/pvc.yaml
new file mode 100644
index 0000000..96bba6d
--- /dev/null
+++ b/apps/pydio/pvc.yaml
@@ -0,0 +1,12 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: pydio
+ namespace: pydio
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 50Gi
diff --git a/apps/pydio/service.yaml b/apps/pydio/service.yaml
new file mode 100644
index 0000000..2748867
--- /dev/null
+++ b/apps/pydio/service.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: pydio
+spec:
+ selector:
+ app.kubernetes.io/name: pydio
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: pydio
+ type: ClusterIP
diff --git a/apps/pydio/upsert-secrets.sh b/apps/pydio/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/pydio/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/pydio/virtualservice.yaml b/apps/pydio/virtualservice.yaml
new file mode 100644
index 0000000..e7461f8
--- /dev/null
+++ b/apps/pydio/virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: pydio
+spec:
+ hosts:
+ - pydio.svc.dd.soeren.cloud
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: pydio
+ port:
+ number: 80
diff --git a/apps/rabbitmq/00-rabbitmq.conf b/apps/rabbitmq/00-rabbitmq.conf
new file mode 100644
index 0000000..047eafd
--- /dev/null
+++ b/apps/rabbitmq/00-rabbitmq.conf
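Review bot: pvc.yaml has no `storageClassName`, but the PersistentVolume it is meant to use declares `storageClassName: local-storage`; a claim without a class is either assigned the cluster's default StorageClass or treated as class `""`, and in both cases it does not match the local PV, so the claim stays Pending or binds to dynamically provisioned storage instead of /mnt/k8s/pydio. Add `storageClassName: local-storage` under `spec`, and optionally `volumeName: pydio` to pin the binding to that exact volume. The PV itself is node-pinned by hostname, so the Deployment will only ever schedule on `k8s.dd.soeren.cloud`; a comment on the PV saying so saves the next reader a surprise.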
@@ -0,0 +1,2 @@
+total_memory_available_override_value = 2GB
+log.console = true
diff --git a/apps/rabbitmq/components/cluster-tls/certificate.yaml b/apps/rabbitmq/components/cluster-tls/certificate.yaml
new file mode 100644
index 0000000..25597e6
--- /dev/null
+++ b/apps/rabbitmq/components/cluster-tls/certificate.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: "cert-manager.io/v1"
+kind: "Certificate"
+metadata:
+ name: "rabbitmq-cluster-tls"
+spec:
+ secretName: "rabbitmq-cluster-tls-cert"
+ duration: "2160h"
+ renewBefore: "360h"
+ commonName: "rabbitmq.svc.dd.soeren.cloud"
+ dnsNames:
+ - "rabbitmq.svc.dd.soeren.cloud"
+ issuerRef:
+ name: "vault-issuer"
+ kind: "Issuer"
+ group: "cert-manager.io"
+ privateKey:
+ algorithm: "RSA"
+ size: 3072
diff --git a/apps/rabbitmq/components/cluster-tls/inter_node_tls.config b/apps/rabbitmq/components/cluster-tls/inter_node_tls.config
new file mode 100644
index 0000000..320d35f
--- /dev/null
+++ b/apps/rabbitmq/components/cluster-tls/inter_node_tls.config
@@ -0,0 +1,17 @@
+[
+ {server, [
+ {cacertfile, "/tls-cluster/ca_certificate.pem"},
+ {certfile, "/tls-cluster/cert.pem"},
+ {keyfile, "/tls-cluster/server_key.pem"},
+ {secure_renegotiate, true},
+ {verify, verify_peer},
+ {fail_if_no_peer_cert, true}
+ ]},
+ {client, [
+ {cacertfile, "/tls-cluster/ca_certificate.pem"},
+ {certfile, "/tls-cluster/client_certificate.pem"},
+ {keyfile, "/tls-cluster/client_key.pem"},
+ {secure_renegotiate, true},
+ {verify, verify_peer}
+ ]}
+].
diff --git a/apps/rabbitmq/components/cluster-tls/issuer.yaml b/apps/rabbitmq/components/cluster-tls/issuer.yaml
new file mode 100644
index 0000000..c0aae71
--- /dev/null
+++ b/apps/rabbitmq/components/cluster-tls/issuer.yaml
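Review bot: inter_node_tls.config points at `/tls-cluster/ca_certificate.pem`, `cert.pem`, `server_key.pem`, `client_certificate.pem` and `client_key.pem`, but the `cluster-cert` volume the cluster-tls kustomization (next hunk) mounts at /tls-cluster is the cert-manager Secret `rabbitmq-cluster-tls-cert`, whose keys are `tls.crt`, `tls.key` and `ca.crt`; with no `items:` remapping on that volume none of the five files exist, and the distribution listener presumably refuses to start rather than falling back to plaintext. Either reference the cert-manager file names directly, as below, or add `items:` with `key`/`path` pairs to the Secret volume in kustomization.yaml. `ca.crt` is only populated when the issuer hands back the CA chain, which the Vault issuer does as far as I know — confirm on a live Secret. The same certificate then serves both the server and client side, which is fine for inter-node mutual TLS as long as the Certificate keeps its default usages (server and client auth).
```erlang
  {server, [
    {cacertfile, "/tls-cluster/ca.crt"},
    {certfile,   "/tls-cluster/tls.crt"},
    {keyfile,    "/tls-cluster/tls.key"},
    %% … unchanged: secure_renegotiate, verify, fail_if_no_peer_cert …
  ]},
  {client, [
    {cacertfile, "/tls-cluster/ca.crt"},
    {certfile,   "/tls-cluster/tls.crt"},
    {keyfile,    "/tls-cluster/tls.key"},
    %% … unchanged: secure_renegotiate, verify …
  ]}
```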
@@ -0,0 +1,29 @@ +--- +apiVersion: "v1" +kind: "ServiceAccount" +metadata: + name: "vault-issuer" +--- +apiVersion: "v1" +kind: "Secret" +metadata: + name: "vault-issuer-sa" + annotations: + kubernetes.io/service-account.name: "vault-issuer" +type: "kubernetes.io/service-account-token" +--- +apiVersion: "cert-manager.io/v1" +kind: "Issuer" +metadata: + name: "vault-issuer" +spec: + vault: + path: "pki/im_srn/sign/rabbitmq" + server: "https://vault.ha.soeren.cloud" + auth: + kubernetes: + role: "rabbitmq" + mountPath: "/v1/auth/svc.dd.soeren.cloud" + secretRef: + name: "vault-issuer-sa" + key: "token" diff --git a/apps/rabbitmq/components/cluster-tls/kustomization.yaml b/apps/rabbitmq/components/cluster-tls/kustomization.yaml new file mode 100644 index 0000000..7681649 --- /dev/null +++ b/apps/rabbitmq/components/cluster-tls/kustomization.yaml @@ -0,0 +1,38 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "certificate.yaml" + - "issuer.yaml" +patches: + - target: + kind: "StatefulSet" + name: "rabbitmq" + patch: |- + - op: "add" + path: "/spec/template/spec/volumes/-" + value: + name: "cluster-cert" + secret: + secretName: "rabbitmq-cluster-tls-cert" + - op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "cluster-cert" + mountPath: "/tls-cluster" + - op: "add" + path: "/spec/template/spec/volumes/-" + value: + name: "cluster-tls-conf" + configMap: + name: "rabbitmq-cluster-tls-conf" + - op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "cluster-tls-conf" + mountPath: "/etc/rabbitmq/inter_node_tls.config" + subPath: "inter_node_tls.config" +configMapGenerator: + - name: "rabbitmq-cluster-tls-conf" + files: + - "inter_node_tls.config" diff --git a/apps/rabbitmq/components/istio-proxy/kustomization.yaml b/apps/rabbitmq/components/istio-proxy/kustomization.yaml new file mode 100644 index 0000000..f54e124 --- /dev/null 
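Review bot: The Issuer authenticates to Vault with a hand-created `kubernetes.io/service-account-token` Secret (`vault-issuer-sa`), i.e. a legacy non-expiring token that persists in the namespace for as long as the Secret does and is never rotated. On cert-manager releases that support it, `spec.vault.auth.kubernetes.serviceAccountRef: {name: vault-issuer}` lets cert-manager request short-lived bound tokens for the `vault-issuer` ServiceAccount itself, so the static Secret and its `secretRef` can be removed entirely. If the legacy token has to stay, a comment on the Secret explaining why (and who rotates it) would make the trade-off visible to the next reader.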
+++ b/apps/rabbitmq/components/istio-proxy/kustomization.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: "Namespace" + patch: |- + - op: add + path: "/metadata/labels/istio-injection" + value: "enabled" + - target: + kind: "NetworkPolicy" + patch: |- + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: istio-system + podSelector: {} + ports: + - port: 15012 + protocol: TCP + - port: 15014 + protocol: TCP diff --git a/apps/rabbitmq/components/istio/istio-virtualservice.yaml b/apps/rabbitmq/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..4b1ed4a --- /dev/null +++ b/apps/rabbitmq/components/istio/istio-virtualservice.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "rabbitmq" +spec: + hosts: + - "rabbitmq" + gateways: + - "istio-system/gateway" + http: + - match: + - uri: + prefix: "/" + route: + - destination: + host: "rabbitmq-management" + port: + number: 80 + tcp: + - match: + - port: 5671 + route: + - destination: + host: "rabbitmq-amqp" + port: + number: 5671 diff --git a/apps/rabbitmq/components/istio/kustomization.yaml b/apps/rabbitmq/components/istio/kustomization.yaml new file mode 100644 index 0000000..e5d9e4e --- /dev/null +++ b/apps/rabbitmq/components/istio/kustomization.yaml 
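Review bot: This component is byte-identical (blob f54e124) to apps/radicale/components/istio-proxy/kustomization.yaml and apps/stirling-pdf/components/istio-proxy/kustomization.yaml later in this commit; the restic-pvc component already shows the pattern of referencing one shared definition (`../../../../infra/restic-pvc`), and doing the same here keeps the sidecar egress allow-list in a single place to audit and tighten. The second egress rule admits 15012/15014 to every pod in istio-system via `podSelector: {}`; if istiod carries its default `app: istiod` label, `podSelector: {matchLabels: {app: istiod}}` narrows that to the control plane only. Both patches select by `kind` alone, so they apply to every Namespace and NetworkPolicy in whichever kustomization includes the component — fine for these single-app overlays, but a one-line comment saying so would prevent surprises if the component is reused.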
@@ -0,0 +1,23 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+resources:
+ - "istio-virtualservice.yaml"
+patches:
+ - target:
+ kind: "NetworkPolicy"
+ name: "rabbitmq"
+ patch: |-
+ - op: "add"
+ path: "/spec/ingress/-"
+ value:
+ ports:
+ - protocol: "TCP"
+ port: "rabbitmq"
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "istio-system"
+ podSelector:
+ matchLabels:
+ istio: "ingressgateway"
diff --git a/apps/rabbitmq/components/tls-server-cert/10-ssl.conf b/apps/rabbitmq/components/tls-server-cert/10-ssl.conf
new file mode 100644
index 0000000..7ca7668
--- /dev/null
+++ b/apps/rabbitmq/components/tls-server-cert/10-ssl.conf
@@ -0,0 +1,4 @@
+listeners.ssl.default = 5671
+ssl_options.certfile = /tls/tls.crt
+ssl_options.keyfile = /tls/tls.key
+ssl_options.verify = verify_none
diff --git a/apps/rabbitmq/components/tls-server-cert/cert-certificate.yaml b/apps/rabbitmq/components/tls-server-cert/cert-certificate.yaml
new file mode 100644
index 0000000..e8718b5
--- /dev/null
+++ b/apps/rabbitmq/components/tls-server-cert/cert-certificate.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: "cert-manager.io/v1"
+kind: "Certificate"
+metadata:
+ name: "rabbitmq"
+spec:
+ secretName: "rabbitmq-cert"
+ duration: "2160h"
+ renewBefore: "360h"
+ commonName: "this is not a valid name"
+ dnsNames: []
+ issuerRef:
+ name: "letsencrypt-dns-prod"
+ kind: "ClusterIssuer"
+ group: "cert-manager.io"
+ privateKey:
+ algorithm: "RSA"
+ size: 4096
diff --git a/apps/rabbitmq/components/tls-server-cert/kustomization.yaml b/apps/rabbitmq/components/tls-server-cert/kustomization.yaml
new file mode 100644
index 0000000..395d482
--- /dev/null
+++ b/apps/rabbitmq/components/tls-server-cert/kustomization.yaml
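Review bot: The ingress rule added here opens named port `"rabbitmq"`, but the StatefulSet in apps/rabbitmq/statefulset.yaml names its container ports `epmd`, `amqp-tls`, `amqp`, `dist`, `management` and `metrics`; a NetworkPolicy port name that no pod port matches selects nothing, so traffic from the ingress gateway stays blocked. Given that the VirtualService in the previous hunk routes HTTP to `rabbitmq-management` and TCP 5671 to `rabbitmq-amqp`, the rule should list `port: "management"` and `port: "amqp-tls"` instead. Note also that apps/rabbitmq/kustomization.yaml in this commit includes no NetworkPolicy named `rabbitmq`, so unless an overlay adds one the patch target matches nothing.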
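Review bot: Adding the TLS listener on 5671 leaves the plaintext AMQP listener on 5672 enabled — the StatefulSet still exposes it and both probes connect to it — so clients can keep talking AMQP without TLS. If this component is meant to make the broker TLS-only, add `listeners.tcp = none` here and switch the liveness/readiness `tcpSocket` probes to 5671; otherwise a comment stating that 5672 is deliberately kept for in-cluster clients would stop the next reader from treating it as an oversight. `ssl_options.verify = verify_none` is appropriate for server-only TLS, but it deserves the same one-line comment (client certificates intentionally not requested).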
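Review bot: As written this Certificate cannot be issued: `commonName: "this is not a valid name"` together with `dnsNames: []` gives the `letsencrypt-dns-prod` ClusterIssuer no identifier it can validate, so the request stays failed and the `rabbitmq-cert` Secret that the tls-server-cert component mounts at `/tls` never appears. If an overlay is expected to patch in the real names, say so in a comment on `commonName` and consider dropping `commonName` altogether; the cluster-tls Certificate in this commit shows the intended shape (`dnsNames` populated, CN matching one of them).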
@@ -0,0 +1,26 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "cert-certificate.yaml" +patches: + - target: + kind: "StatefulSet" + name: "rabbitmq" + patch: |- + - op: "add" + path: "/spec/template/spec/volumes/-" + value: + name: "rabbitmq-cert" + secret: + secretName: "rabbitmq-cert" + - op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "rabbitmq-cert" + mountPath: "/tls" +configMapGenerator: + - name: "rabbitmq-conf" + behavior: "merge" + files: + - "10-ssl.conf" diff --git a/apps/rabbitmq/kustomization.yaml b/apps/rabbitmq/kustomization.yaml new file mode 100644 index 0000000..51eeb2b --- /dev/null +++ b/apps/rabbitmq/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "rabbitmq-management-service.yaml" + - "rabbitmq-amqp-service.yaml" + - "statefulset.yaml" +configMapGenerator: + - name: rabbitmq-conf + files: + - "00-rabbitmq.conf" diff --git a/apps/rabbitmq/rabbitmq-amqp-service.yaml b/apps/rabbitmq/rabbitmq-amqp-service.yaml new file mode 100644 index 0000000..f9b5a26 --- /dev/null +++ b/apps/rabbitmq/rabbitmq-amqp-service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: "v1" +kind: "Service" +metadata: + name: "rabbitmq-amqp" +spec: + ports: + - port: 5671 + targetPort: "amqp-tls" + selector: + app.kubernetes.io/name: "rabbitmq" diff --git a/apps/rabbitmq/rabbitmq-management-service.yaml b/apps/rabbitmq/rabbitmq-management-service.yaml new file mode 100644 index 0000000..2d328c9 --- /dev/null +++ b/apps/rabbitmq/rabbitmq-management-service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: rabbitmq-management +spec: + ports: + - port: 80 + targetPort: management + selector: + app.kubernetes.io/name: rabbitmq diff --git a/apps/rabbitmq/statefulset.yaml b/apps/rabbitmq/statefulset.yaml new file mode 100644 index 0000000..3da7bb9 --- /dev/null +++ b/apps/rabbitmq/statefulset.yaml 
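Review bot: apps/rabbitmq/kustomization.yaml lists only the two Services and the StatefulSet — there is no NetworkPolicy, unlike radicale and reloader in this commit, so the rabbitmq pods carry no ingress/egress restriction and the istio and istio-proxy components whose patches target `kind: NetworkPolicy` have nothing to patch (kustomize will either error or silently apply nothing, depending on version). There is also no headless Service named `rabbitmq`, although the StatefulSet sets `serviceName: "rabbitmq"`, so the per-pod DNS names the StatefulSet controller relies on will not resolve. Add a default-deny `networkpolicy.yaml` (the radicale one is a good template) and a `clusterIP: None` Service named `rabbitmq`, unless an overlay outside this diff supplies them — in which case a comment here naming that overlay would help.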
@@ -0,0 +1,94 @@ +--- +apiVersion: "apps/v1" +kind: "StatefulSet" +metadata: + name: "rabbitmq" + labels: + app.kubernetes.io/name: "rabbitmq" + annotations: + reloader.stakater.com/auto: "true" +spec: + serviceName: "rabbitmq" + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: "rabbitmq" + template: + metadata: + labels: + app: "rabbitmq" + app.kubernetes.io/name: "rabbitmq" + app.kubernetes.io/component: "rabbitmq" + app.kubernetes.io/instance: "rabbitmq-prod" + app.kubernetes.io/part-of: "rabbitmq" + annotations: + prometheus.io/port: "15692" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 31812 + runAsGroup: 31812 + fsGroup: 31812 + seccompProfile: + type: "RuntimeDefault" + containers: + - image: "docker.io/rabbitmq:3.13.3-management-alpine" + name: "rabbitmq" + env: + - name: "RABBITMQ_CONFIG_FILES" + value: "/etc/rabbitmq/conf.d" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 31812 + runAsGroup: 31812 + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + ports: + - containerPort: 4369 + name: "epmd" + - containerPort: 5671 + name: "amqp-tls" + - containerPort: 5672 + name: "amqp" + - containerPort: 25672 + name: "dist" + - containerPort: 15672 + name: "management" + - containerPort: 15692 + name: "metrics" + resources: + requests: + memory: "512Mi" + cpu: "50m" + limits: + memory: "2Gi" + livenessProbe: + periodSeconds: 15 + timeoutSeconds: 3 + failureThreshold: 2 + tcpSocket: + port: 5672 + readinessProbe: + periodSeconds: 5 + timeoutSeconds: 3 + failureThreshold: 6 + tcpSocket: + port: 5672 + volumeMounts: + - name: "storage" + mountPath: "/var/lib/rabbitmq" + - name: "config" + mountPath: "/etc/rabbitmq/conf.d" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "1Gi" + - name: "config" + configMap: + name: "rabbitmq-conf" 
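Review bot: `/var/lib/rabbitmq` is backed by an `emptyDir`, so the broker's database, definitions, users and (presumably) the Erlang cookie are discarded on every pod restart, which for a StatefulSet is almost always unintended; a `volumeClaimTemplates` entry, or a pvc component like the ones radicale and renovatebot receive in this commit, would make the node's identity and data survive. Both probes use `tcpSocket` on the plaintext port 5672, so the container reports healthy even in a configuration where only the TLS listener is supposed to be served. The pod does not set `automountServiceAccountToken: false`; RabbitMQ needs no Kubernetes API access, so the token mounted by default is unnecessary attack surface.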
diff --git a/apps/rabbitmq/upsert-secrets.sh b/apps/rabbitmq/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/rabbitmq/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/radicale/components/istio-proxy/kustomization.yaml b/apps/radicale/components/istio-proxy/kustomization.yaml new file mode 100644 index 0000000..f54e124 --- /dev/null +++ b/apps/radicale/components/istio-proxy/kustomization.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: "Namespace" + patch: |- + - op: add + path: "/metadata/labels/istio-injection" + value: "enabled" + - target: + kind: "NetworkPolicy" + patch: |- + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: istio-system + podSelector: {} + ports: + - port: 15012 + protocol: TCP + - port: 15014 + protocol: TCP diff --git a/apps/radicale/components/istio/istio-virtualservice.yaml b/apps/radicale/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..2b8753e --- /dev/null +++ b/apps/radicale/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: radicale +spec: + hosts: + - radicale + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: radicale + port: + number: 80 diff --git a/apps/radicale/components/istio/kustomization.yaml b/apps/radicale/components/istio/kustomization.yaml new file mode 100644 index 0000000..ca0e5d3 --- /dev/null 
+++ b/apps/radicale/components/istio/kustomization.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: NetworkPolicy + name: "radicale" + patch: |- + - op: "add" + path: "/spec/ingress/-" + value: + ports: + - protocol: "TCP" + port: "radicale" + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/radicale/components/pvc/kustomization.yaml b/apps/radicale/components/pvc/kustomization.yaml new file mode 100644 index 0000000..8ad5ec9 --- /dev/null +++ b/apps/radicale/components/pvc/kustomization.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - radicale-pvc.yaml +patches: + - target: + kind: Deployment + name: radicale + patch: |- + - op: replace + path: /spec/template/spec/volumes/0 + value: + name: storage + persistentVolumeClaim: + claimName: radicale diff --git a/apps/radicale/components/pvc/radicale-pvc.yaml b/apps/radicale/components/pvc/radicale-pvc.yaml new file mode 100644 index 0000000..d633faa --- /dev/null +++ b/apps/radicale/components/pvc/radicale-pvc.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: radicale +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 512Mi diff --git a/apps/radicale/components/restic-pvc/kustomization.yaml b/apps/radicale/components/restic-pvc/kustomization.yaml new file mode 100644 index 0000000..1514656 --- /dev/null +++ b/apps/radicale/components/restic-pvc/kustomization.yaml 
@@ -0,0 +1,64 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - ../../../../infra/restic-pvc +configMapGenerator: + - name: "radicale-restic-pvc" + behavior: merge # TODO: https://github.com/kubernetes-sigs/kustomize/issues/4402 + literals: + - "RETENTION_DAYS=7" + - "RETENTION_WEEKS=4" + - "RETENTION_MONTHS=6" + - "RESTIC_TARGETS=/data" + - "RESTIC_BACKUP_ID=radicale" +patches: + - target: + kind: "CronJob" + name: "restic-pvc-backup" + patch: |- + - op: "replace" + path: "/spec/schedule" + value: "5 6 * * *" + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "radicale" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsUser" + value: 65535 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsGroup" + value: 65535 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/securityContext/fsGroup" + value: 65535 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsUser" + value: 65535 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsGroup" + value: 65535 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom" + value: + - configMapRef: + name: "radicale-restic-pvc" + - secretRef: + name: "radicale-restic-pvc" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/volumes/0/persistentVolumeClaim/claimName" + value: "radicale" + - target: + kind: "CronJob" + name: "restic-pvc-prune" + patch: |- + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "radicale" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom" + value: + - configMapRef: + name: "radicale-restic-pvc" + - secretRef: + name: "radicale-restic-pvc" 
diff --git a/apps/radicale/components/restic-pvc/upsert-secret-radicale-restic-pvc.sh b/apps/radicale/components/restic-pvc/upsert-secret-radicale-restic-pvc.sh
new file mode 100755
index 0000000..18b7aa3
--- /dev/null
+++ b/apps/radicale/components/restic-pvc/upsert-secret-radicale-restic-pvc.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+BACKUP_ID="${K8S_APP_SUB}"
+S3_DIR="restic-${BACKUP_ID}"
+TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]')
+AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id')
+AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret')
+RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}"
+RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})"
+
+kubectl create secret generic "${K8S_SECRET_NAME}" \
+ --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
+ --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \
+ --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \
+ --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/apps/radicale/deployment.yaml b/apps/radicale/deployment.yaml
new file mode 100644
index 0000000..f3058cf
--- /dev/null
+++ b/apps/radicale/deployment.yaml
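Review bot: `TF_VALUE` is never checked before use: if the terraform `ids` output has no entry for `${S3_DIR}`, `jq -r` prints `null`, the two following lookups then yield the literal string `null`, and the script commits an encrypted Secret whose AWS credentials are the word `null`. Make the lookup fail loudly — `jq -re '.["'"${S3_DIR}"'"]'` exits non-zero on a null result, and with `set -e` plus `pipefail` that aborts the assignment — or add `[ "${TF_VALUE}" != "null" ] || { echo "no S3 credentials for ${S3_DIR}" >&2; exit 1; }` right after it. The `sops` invocation passes `-e` twice; one is enough.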
@@ -0,0 +1,63 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: radicale + labels: + app.kubernetes.io/name: radicale + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: radicale + template: + metadata: + labels: + app: radicale + app.kubernetes.io/name: radicale + app.kubernetes.io/component: radicale + app.kubernetes.io/instance: radicale-prod + app.kubernetes.io/part-of: radicale + spec: + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + seccompProfile: + type: RuntimeDefault + containers: + - image: "tomsquest/docker-radicale:3.2.1.0" + name: "radicale" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65535 + runAsGroup: 65535 + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + ports: + - containerPort: 5232 + name: "radicale" + env: + - name: "TAKE_FILE_OWNERSHIP" + value: "false" + resources: + requests: + memory: "32Mi" + cpu: "5m" + limits: + memory: "128Mi" + volumeMounts: + - name: "storage" + mountPath: "/data" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "1Gi" diff --git a/apps/radicale/kustomization.yaml b/apps/radicale/kustomization.yaml new file mode 100644 index 0000000..9a41d1a --- /dev/null +++ b/apps/radicale/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - service.yaml + - deployment.yaml + - networkpolicy.yaml diff --git a/apps/radicale/networkpolicy.yaml b/apps/radicale/networkpolicy.yaml new file mode 100644 index 0000000..99e776b --- /dev/null +++ b/apps/radicale/networkpolicy.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: radicale +spec: + podSelector: + matchLabels: + app: radicale + policyTypes: + - Egress + - Ingress + ingress: [] + egress: [] 
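Review bot: The radicale container defines no readinessProbe or livenessProbe, so the Service (and the VirtualService fronting it) routes to the pod the moment the container starts and a hung process is never restarted; the other long-running workloads in this commit (rabbitmq, reloader) carry both. Radicale serves HTTP on the `radicale` port, so `readinessProbe: {httpGet: {port: radicale, path: /}}` with a matching livenessProbe would do — assuming `/` is served without authentication, which should be confirmed. `TAKE_FILE_OWNERSHIP: "false"` together with `fsGroup: 65535` and all capabilities dropped is consistent, but a comment explaining that the image's chown step is disabled because the volume is already group-owned would help the next reader.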
diff --git a/apps/radicale/service.yaml b/apps/radicale/service.yaml new file mode 100644 index 0000000..0c8b769 --- /dev/null +++ b/apps/radicale/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: radicale +spec: + ports: + - port: 80 + targetPort: radicale + selector: + app.kubernetes.io/name: radicale diff --git a/apps/radicale/upsert-secret-radicale.sh b/apps/radicale/upsert-secret-radicale.sh new file mode 100755 index 0000000..094a2bd --- /dev/null +++ b/apps/radicale/upsert-secret-radicale.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +RADICALE_USERS="${OUTPUT}" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=RADICALE_USERS="${RADICALE_USERS}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/radicale/upsert-secrets.sh b/apps/radicale/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/radicale/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/reloader/components/rbac/clusterrole-binding.yaml b/apps/reloader/components/rbac/clusterrole-binding.yaml new file mode 100644 index 0000000..66e5cee --- /dev/null +++ b/apps/reloader/components/rbac/clusterrole-binding.yaml 
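Review bot: `OUTPUT=$(pass ${K8S_PASS_PATH})` leaves the variable unquoted, unlike `"${K8S_SECRET_NAME}"` a few lines later and every expansion in the restic script; quote it as `pass "${K8S_PASS_PATH}"` so a path with spaces or glob characters is passed intact. The intermediate `OUTPUT`/`RADICALE_USERS` copy adds nothing — `RADICALE_USERS="$(pass "${K8S_PASS_PATH}")"` is the whole step. As in the restic script, `sops` is given `-e` twice.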
@@ -0,0 +1,15 @@ +--- +apiVersion: "rbac.authorization.k8s.io/v1" +kind: "ClusterRoleBinding" +metadata: + labels: + app: "reloader" + name: "reloader-role-binding" +roleRef: + apiGroup: "rbac.authorization.k8s.io" + kind: "ClusterRole" + name: "reloader-role" +subjects: + - kind: "ServiceAccount" + name: "reloader" + namespace: "reloader" diff --git a/apps/reloader/components/rbac/clusterrole.yaml b/apps/reloader/components/rbac/clusterrole.yaml new file mode 100644 index 0000000..c23a97a --- /dev/null +++ b/apps/reloader/components/rbac/clusterrole.yaml @@ -0,0 +1,61 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: reloader-role + annotations: + app: "reloader" + labels: + app: reloader + release: "reloader" +rules: + - apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - list + - get + - watch + - apiGroups: + - "apps" + resources: + - deployments + - daemonsets + - statefulsets + verbs: + - list + - get + - update + - patch + - apiGroups: + - "extensions" + resources: + - deployments + - daemonsets + verbs: + - list + - get + - update + - patch + - apiGroups: + - "batch" + resources: + - cronjobs + verbs: + - list + - get + - apiGroups: + - "batch" + resources: + - jobs + verbs: + - create + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/apps/reloader/components/rbac/kustomization.yaml b/apps/reloader/components/rbac/kustomization.yaml new file mode 100644 index 0000000..2c2df50 --- /dev/null +++ b/apps/reloader/components/rbac/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "clusterrole.yaml" + - "clusterrole-binding.yaml" diff --git a/apps/reloader/deployment.yaml b/apps/reloader/deployment.yaml new file mode 100644 index 0000000..baa14b8 --- /dev/null +++ b/apps/reloader/deployment.yaml 
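Review bot: This ClusterRole grants `list`/`get`/`watch` on every Secret in the cluster, which is the most valuable read permission anyone who obtains the reloader pod's ServiceAccount token could hold; if Reloader only needs to watch a known set of namespaces, a Role plus RoleBinding per namespace (or this ClusterRole bound through namespaced RoleBindings) provides the same function without cluster-wide Secret read. The `extensions` rule for deployments/daemonsets refers to an API group that no longer serves those resources on supported Kubernetes versions and can be dropped. A short comment above `rules` stating why cluster scope is required, or which namespaces are meant to be watched, would make the grant reviewable later.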
@@ -0,0 +1,77 @@ +--- +apiVersion: "apps/v1" +kind: "Deployment" +metadata: + name: "reloader" + namespace: "reloader" + labels: + app: "reloader" +spec: + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app: "reloader" + template: + metadata: + labels: + app: "reloader" + app.kubernetes.io/name: "reloader" + app.kubernetes.io/component: "reloader" + app.kubernetes.io/instance: "reloader-prod" + app.kubernetes.io/part-of: "reloader" + annotations: + prometheus.io/port: "9090" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + seccompProfile: + type: "RuntimeDefault" + serviceAccountName: "reloader" + containers: + - image: "ghcr.io/stakater/reloader:v1.0.97" + imagePullPolicy: "IfNotPresent" + name: "reloader" + ports: + - name: "metrics" + containerPort: 9090 + livenessProbe: + httpGet: + path: "/live" + port: "metrics" + timeoutSeconds: 5 + failureThreshold: 5 + periodSeconds: 10 + successThreshold: 1 + initialDelaySeconds: 10 + readinessProbe: + httpGet: + path: "/live" + port: "metrics" + timeoutSeconds: 5 + failureThreshold: 5 + periodSeconds: 10 + successThreshold: 1 + initialDelaySeconds: 10 + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + resources: + requests: + memory: "32Mi" + cpu: "5m" + limits: + memory: "128Mi" + cpu: "20m" diff --git a/apps/reloader/kustomization.yaml b/apps/reloader/kustomization.yaml new file mode 100644 index 0000000..a0d46a0 --- /dev/null +++ b/apps/reloader/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "deployment.yaml" + - "serviceaccount.yaml" + - "networkpolicy.yaml" 
diff --git a/apps/reloader/networkpolicy.yaml b/apps/reloader/networkpolicy.yaml
new file mode 100644
index 0000000..eaac05c
--- /dev/null
+++ b/apps/reloader/networkpolicy.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+ name: "reloader"
+spec:
+ podSelector: {}
+ policyTypes:
+ - "Ingress"
+ - "Egress"
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: "monitoring"
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: "prometheus"
+ ports:
+ - protocol: "TCP"
+ port: "metrics"
+ egress: []
diff --git a/apps/reloader/serviceaccount.yaml b/apps/reloader/serviceaccount.yaml
new file mode 100644
index 0000000..c5f0ad9
--- /dev/null
+++ b/apps/reloader/serviceaccount.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: "v1"
+kind: "ServiceAccount"
+metadata:
+ name: "reloader"
+ namespace: "reloader"
+ labels:
+ app: "reloader"
diff --git a/apps/reloader/upsert-secrets.sh b/apps/reloader/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/reloader/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/renovatebot/components/pvc/kustomization.yaml b/apps/renovatebot/components/pvc/kustomization.yaml
new file mode 100644
index 0000000..acb1d51
--- /dev/null
+++ b/apps/renovatebot/components/pvc/kustomization.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - renovate-pvc.yaml
+patches:
+ - target:
+ kind: "CronJob"
+ name: "renovate-bot"
+ patch: |-
+ - op: replace
+ path: /spec/jobTemplate/spec/template/spec/volumes/0
+ value:
+ name: "storage"
+ persistentVolumeClaim:
+ claimName: "renovate-bot"
diff --git a/apps/renovatebot/components/pvc/renovate-pvc.yaml b/apps/renovatebot/components/pvc/renovate-pvc.yaml
new file mode 100644
index 0000000..aba8726
--- /dev/null
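Review bot: `egress: []` with `policyTypes: [Ingress, Egress]` denies all egress from every pod in the namespace (`podSelector: {}`), including reloader's connections to the Kubernetes API server through which it watches ConfigMaps and Secrets, so the controller cannot do its job once this policy applies. The API server is not a pod, so the egress rule needs an `ipBlock` for the API endpoint and its port (commonly 6443 — confirm for this cluster), plus DNS egress to kube-dns of the kind the istio-proxy components add. Unless an overlay outside this commit patches the egress list, reloader will start and then fail its watches; the ingress rule itself is tight and correct, only Prometheus in `monitoring` reaches the `metrics` port.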
+++ b/apps/renovatebot/components/pvc/renovate-pvc.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: "v1" +kind: "PersistentVolumeClaim" +metadata: + name: "renovate-bot" +spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "15Gi" diff --git a/apps/renovatebot/cronjob.yaml b/apps/renovatebot/cronjob.yaml new file mode 100644 index 0000000..a04db00 --- /dev/null +++ b/apps/renovatebot/cronjob.yaml @@ -0,0 +1,59 @@ +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: renovate-bot +spec: + schedule: "@daily" + concurrencyPolicy: Forbid + jobTemplate: + spec: + backoffLimit: 2 + activeDeadlineSeconds: 3600 + template: + metadata: + labels: + app: renovate + app.kubernetes.io/name: renovate + app.kubernetes.io/instance: renovate-prod + app.kubernetes.io/component: renovate + app.kubernetes.io/part-of: renovate + spec: + securityContext: + runAsNonRoot: true + runAsUser: 42145 + runAsGroup: 42145 + seccompProfile: + type: "RuntimeDefault" + containers: + - image: "renovate/renovate:37.409.1" + name: "renovate" + env: + - name: "RENOVATE_BASE_DIR" + value: "/storage" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + runAsNonRoot: true + runAsUser: 42145 + runAsGroup: 42145 + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + resources: + requests: + memory: "256Mi" + cpu: "75m" + limits: + memory: "2Gi" + volumeMounts: + - name: "storage" + mountPath: "/storage" + restartPolicy: Never + volumes: + - name: "storage" + emptyDir: + sizeLimit: 15Gi diff --git a/apps/renovatebot/kustomization.yaml b/apps/renovatebot/kustomization.yaml new file mode 100644 index 0000000..d536ce3 --- /dev/null +++ b/apps/renovatebot/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - cronjob.yaml 
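Review bot: The CronJob never references the Secret that apps/renovatebot/upsert-secret-renovate.sh produces (`gitlab-token`, `github-token`, `RENOVATE_HOST_RULES`): the container's `env` sets only `RENOVATE_BASE_DIR` and there is no `envFrom`/`secretKeyRef`, so renovate runs without credentials unless an overlay wires them in — if that is the plan, a comment on `env` saying so would help. apps/renovatebot/kustomization.yaml also includes no NetworkPolicy, whereas radicale and reloader in this commit ship a default-deny one; renovate needs outbound HTTPS to forges and registries, but an egress policy limited to 443 plus DNS still keeps a job holding forge tokens away from in-cluster services. `activeDeadlineSeconds: 3600` and `concurrencyPolicy: Forbid` are good choices for a job writing to a shared cache volume.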
diff --git a/apps/renovatebot/upsert-secret-renovate.sh b/apps/renovatebot/upsert-secret-renovate.sh
new file mode 100755
index 0000000..6d52409
--- /dev/null
+++ b/apps/renovatebot/upsert-secret-renovate.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+###########################################################
+# Copy this header
+###########################################################
+
+set -o pipefail
+set -eu
+
+source "$(git rev-parse --show-toplevel)/contrib/variables.sh"
+###########################################################
+
+SECRET_DATA=$(pass ${K8S_PASS_PATH})
+
+GITHUB_REGISTRY_USERNAME="$(echo "${SECRET_DATA}" | grep -e "^GITHUB_REGISTRY_USERNAME=" | cut -d'=' -f2)"
+GITHUB_REGISTRY_TOKEN="$(echo "${SECRET_DATA}" | grep -e "^GITHUB_REGISTRY_TOKEN=" | cut -d'=' -f2)"
+GITLAB_TOKEN="$(echo "${SECRET_DATA}" | grep -e "^GITLAB_TOKEN=" | cut -d'=' -f2)"
+GITHUB_TOKEN="$(echo "${SECRET_DATA}" | grep -e "^GITHUB_TOKEN=" | cut -d'=' -f2)"
+
+RENOVATE_HOST_RULES='[{"hostType": "docker","matchHost": "ghcr.io","username": "'"${GITHUB_REGISTRY_USERNAME}"'", "password": "'"${GITHUB_REGISTRY_TOKEN}"'"}]'
+
+kubectl create secret generic ${K8S_SECRET_NAME} \
+ --from-literal=gitlab-token="${GITLAB_TOKEN}" \
+ --from-literal=github-token="${GITHUB_TOKEN}" \
+ --from-literal=RENOVATE_HOST_RULES="${RENOVATE_HOST_RULES}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
+
diff --git a/apps/renovatebot/upsert-secrets.sh b/apps/renovatebot/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/renovatebot/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/stirling-pdf/components/ha/kustomization.yaml b/apps/stirling-pdf/components/ha/kustomization.yaml
new file mode 100644
index 0000000..561b8dd
--- /dev/null
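Review bot: `cut -d'=' -f2` truncates any token that itself contains `=` (common for base64-style tokens), and `RENOVATE_HOST_RULES` is assembled by splicing the username and token straight into a JSON string, so a `"` or `\` in either value produces invalid JSON that renovate will reject or parse differently than intended. Use `-f2-` to keep everything after the first `=`, build the host rule with `jq --arg` so the values are escaped, and quote `${K8S_SECRET_NAME}` and `${K8S_PASS_PATH}` as the restic script does. The `-e` flag to `sops` is given twice.
```bash
# … unchanged: header, set -eu, source variables.sh …
SECRET_DATA=$(pass "${K8S_PASS_PATH}")

# -f2- keeps everything after the first '=', so tokens containing '=' survive intact
GITHUB_REGISTRY_USERNAME="$(echo "${SECRET_DATA}" | grep -e "^GITHUB_REGISTRY_USERNAME=" | cut -d'=' -f2-)"
GITHUB_REGISTRY_TOKEN="$(echo "${SECRET_DATA}" | grep -e "^GITHUB_REGISTRY_TOKEN=" | cut -d'=' -f2-)"
GITLAB_TOKEN="$(echo "${SECRET_DATA}" | grep -e "^GITLAB_TOKEN=" | cut -d'=' -f2-)"
GITHUB_TOKEN="$(echo "${SECRET_DATA}" | grep -e "^GITHUB_TOKEN=" | cut -d'=' -f2-)"

# build the JSON with jq so quotes/backslashes in the credentials are escaped instead of breaking the document
RENOVATE_HOST_RULES="$(jq -cn --arg u "${GITHUB_REGISTRY_USERNAME}" --arg p "${GITHUB_REGISTRY_TOKEN}" \
  '[{hostType: "docker", matchHost: "ghcr.io", username: $u, password: $p}]')"

kubectl create secret generic "${K8S_SECRET_NAME}" \
  # … unchanged: --from-literal arguments and the sops pipeline …
```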
+++ b/apps/stirling-pdf/components/ha/kustomization.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+patches:
+ - target:
+ kind: "Deployment"
+ name: "stirling-pdf"
+ patch: |-
+ - op: "replace"
+ path: "/spec/replicas"
+ value: 3
+ - op: "/spec/topologySpreadConstraints"
+ value:
+ - maxSkew: 1
+ topologyKey: "region"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: "stirling-pdf"
+ - maxSkew: 1
+ topologyKey: "node"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: "stirling-pdf"
diff --git a/apps/stirling-pdf/components/istio-proxy/kustomization.yaml b/apps/stirling-pdf/components/istio-proxy/kustomization.yaml
new file mode 100644
index 0000000..f54e124
--- /dev/null
+++ b/apps/stirling-pdf/components/istio-proxy/kustomization.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+ kind: "Namespace"
+ patch: |-
+ - op: add
+ path: "/metadata/labels/istio-injection"
+ value: "enabled"
+ - target:
+ kind: "NetworkPolicy"
+ patch: |-
+ - op: add
+ path: "/spec/egress/-"
+ value:
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ - op: add
+ path: "/spec/egress/-"
+ value:
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: istio-system
+ podSelector: {}
+ ports:
+ - port: 15012
+ protocol: TCP
+ - port: 15014
+ protocol: TCP
diff --git a/apps/stirling-pdf/components/istio/istio-virtualservice.yaml b/apps/stirling-pdf/components/istio/istio-virtualservice.yaml
new file mode 100644
index 0000000..98837c4
--- /dev/null
+++ b/apps/stirling-pdf/components/istio/istio-virtualservice.yaml
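Review bot: The second operation in the ha patch is malformed: `- op: "/spec/topologySpreadConstraints"` puts the path where the operation belongs and has no `path` key, so kustomize rejects the JSON patch and the whole overlay fails to build; topologySpreadConstraints is also a pod-template field, so the path has to be under `/spec/template/spec`, not `/spec`. The fix is `- op: "add"` followed by `path: "/spec/template/spec/topologySpreadConstraints"` above the existing `value:`. `topologyKey: "region"` and `"node"` are not the standard `topology.kubernetes.io/region` / `kubernetes.io/hostname` labels; if these are custom node labels in this cluster, a comment saying so would stop someone "correcting" them, and if not, `DoNotSchedule` against a label no node carries may leave all three replicas Pending.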
@@ -0,0 +1,19 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "stirling-pdf" +spec: + hosts: + - "stirling-pdf" + gateways: + - "istio-system/gateway" + http: + - match: + - uri: + prefix: "/" + route: + - destination: + host: "stirling-pdf" + port: + number: 80 diff --git a/apps/stirling-pdf/components/istio/kustomization.yaml b/apps/stirling-pdf/components/istio/kustomization.yaml new file mode 100644 index 0000000..0b65dbc --- /dev/null +++ b/apps/stirling-pdf/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "istio-virtualservice.yaml" +patches: + - target: + kind: "NetworkPolicy" + name: "stirling-pdf" + patch: |- + - op: "add" + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/stirling-pdf/deployment.yaml b/apps/stirling-pdf/deployment.yaml new file mode 100644 index 0000000..d7265da --- /dev/null +++ b/apps/stirling-pdf/deployment.yaml 
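Review bot: This patch appends to `/spec/ingress/0/from/-`, which requires the stirling-pdf NetworkPolicy (not in this diff) to already have an `ingress[0]` entry with a `from` list; the rabbitmq and radicale istio components in this commit instead add a complete rule at `/spec/ingress/-` carrying both `from` and `ports`. If the policy's `ingress` is `[]` like radicale's, kustomize fails with a path error, and if `ingress[0]` exists the gateway inherits whatever `ports` that rule lists rather than being limited to the app port. Aligning on the `/spec/ingress/-` form with an explicit `ports: [{protocol: TCP, port: stirling-pdf}]` keeps the three components consistent and the allow-list explicit.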
@@ -0,0 +1,110 @@ +--- +apiVersion: "apps/v1" +kind: "Deployment" +metadata: + name: "stirling-pdf" + labels: + app.kubernetes.io/name: "stirling-pdf" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: "stirling-pdf" + template: + metadata: + labels: + app: "stirling-pdf" + app.kubernetes.io/name: "stirling-pdf" + app.kubernetes.io/component: "stirling-pdf" + app.kubernetes.io/instance: "stirling-pdf-prod" + app.kubernetes.io/part-of: "stirling-pdf" + spec: + securityContext: + runAsUser: 27452 + runAsGroup: 27452 + fsGroup: 27452 + seccompProfile: + type: "RuntimeDefault" + initContainers: + - name: "tesseract" + image: "frooodle/s-pdf:0.26.1" + command: + - "sh" + - "-c" + - "mkdir -p /usr/share/tessdata; cp -rn /usr/share/tessdata-original/* /usr/share/tessdata; if [ -d /usr/share/tesseract-ocr/4.00/tessdata ]; then cp -r /usr/share/tesseract-ocr/4.00/tessdata/* /usr/share/tessdata || true; fi; if [ -d /usr/share/tesseract-ocr/5/tessdata ]; then cp -r /usr/share/tesseract-ocr/5/tessdata/* /usr/share/tessdata || true; fi" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 27452 + runAsGroup: 27452 + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + resources: + requests: + memory: "256Mi" + cpu: "5m" + limits: + memory: "512Mi" + volumeMounts: + - mountPath: "/usr/share/tessdata" + name: "tessdata" + containers: + - image: "frooodle/s-pdf:0.26.1" + name: "stirling-pdf" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 27452 + runAsGroup: 27452 + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + command: + - "java" + - "-Dfile.encoding=UTF-8" + - "-jar" + - "/app.jar" + ports: + - containerPort: 8080 + name: "stirling-pdf" + readinessProbe: + httpGet: + port: "stirling-pdf" + path: "/actuator/health" + livenessProbe: 
+ httpGet: + port: "stirling-pdf" + path: "/actuator/health" + resources: + requests: + memory: "256Mi" + cpu: "5m" + limits: + memory: "512Mi" + volumeMounts: + - mountPath: "/usr/share/tessdata" + name: "tessdata" + - mountPath: "/logs" + name: "logs" + - mountPath: "/configs" + name: "configs" + - mountPath: "/tmp" + name: "tmp" + volumes: + - name: "tessdata" + emptyDir: {} + - name: "logs" + emptyDir: {} + - name: "configs" + emptyDir: {} + - name: "tmp" + emptyDir: {} diff --git a/apps/stirling-pdf/kustomization.yaml b/apps/stirling-pdf/kustomization.yaml new file mode 100644 index 0000000..9a41d1a --- /dev/null +++ b/apps/stirling-pdf/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - service.yaml + - deployment.yaml + - networkpolicy.yaml diff --git a/apps/stirling-pdf/networkpolicy.yaml b/apps/stirling-pdf/networkpolicy.yaml new file mode 100644 index 0000000..e047dc0 --- /dev/null +++ b/apps/stirling-pdf/networkpolicy.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: stirling-pdf +spec: + podSelector: {} + policyTypes: + - Egress + - Ingress + ingress: + - ports: + - protocol: "TCP" + port: "stirling-pdf" + from: [] + egress: [] diff --git a/apps/stirling-pdf/service.yaml b/apps/stirling-pdf/service.yaml new file mode 100644 index 0000000..6ef0c29 --- /dev/null +++ b/apps/stirling-pdf/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: stirling-pdf +spec: + ports: + - port: 80 + targetPort: stirling-pdf + selector: + app.kubernetes.io/name: stirling-pdf diff --git a/apps/stirling-pdf/upsert-secrets.sh b/apps/stirling-pdf/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/stirling-pdf/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" 
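Review bot: Nothing in the container spec turns on Stirling-PDF's login — the upstream image, as far as its documented options go, runs without authentication unless `DOCKER_ENABLE_SECURITY=true` and `SECURITY_ENABLELOGIN=true` are set — so once the istio component publishes the Service through `istio-system/gateway`, a service that accepts arbitrary uploaded documents is reachable by anyone the gateway admits unless the gateway enforces auth itself. If that is intended, a comment on the Deployment saying so would spare the next reader the question; otherwise add the two env vars and mount the login settings into the existing `/configs` emptyDir. Both probes target `/actuator/health` on the same port the gateway routes to, so whatever other actuator endpoints the build exposes are reachable on that path too — worth confirming against the image's settings.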
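Review bot: `from: []` on the single ingress rule of the stirling-pdf NetworkPolicy does not deny anything — in the NetworkPolicy API an empty or absent `from` means the rule matches all sources, so the base policy admits every pod in the cluster to port `stirling-pdf`; only `egress: []` (no rules at all) is a real deny. If the intent is deny-by-default with components adding peers, either make the base `ingress: []` and let the istio component `add` a complete rule (ports plus `from`) at `/spec/ingress/-`, or give the rule a `from` entry that cannot match, e.g. `from:` / `- podSelector:` / `matchLabels: {networking/never: "true"}`. The string-is and taskd policies in this commit use the same pattern.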
diff --git a/apps/string-is/components/ha/kustomization.yaml b/apps/string-is/components/ha/kustomization.yaml new file mode 100644 index 0000000..8ac85ab --- /dev/null +++ b/apps/string-is/components/ha/kustomization.yaml @@ -0,0 +1,25 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Deployment" + name: "string-is" + patch: |- + - op: "replace" + path: "/spec/replicas" + value: 3 + - op: "/spec/topologySpreadConstraints" + value: + - maxSkew: 1 + topologyKey: "region" + whenUnsatisfiable: "DoNotSchedule" + labelSelector: + matchLabels: + app.kubernetes.io/name: "string-is" + - maxSkew: 1 + topologyKey: "node" + whenUnsatisfiable: "DoNotSchedule" + labelSelector: + matchLabels: + app.kubernetes.io/name: "string-is" diff --git a/apps/string-is/components/istio-proxy/kustomization.yaml b/apps/string-is/components/istio-proxy/kustomization.yaml new file mode 100644 index 0000000..9c0069e --- /dev/null +++ b/apps/string-is/components/istio-proxy/kustomization.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Namespace" + patch: |- + - op: add + path: "/metadata/labels/istio-injection" + value: "enabled" + - target: + kind: "NetworkPolicy" + patch: |- + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "kube-system" + podSelector: + matchLabels: + k8s-app: "kube-dns" + ports: + - port: 53 + protocol: "UDP" + - port: 53 + protocol: "TCP" + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: {} + ports: + - port: 15012 + protocol: "TCP" + - port: 15014 + protocol: "TCP" diff --git a/apps/string-is/components/istio/istio-virtualservice.yaml b/apps/string-is/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..a5399ee --- /dev/null 
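Review bot: The string-is ha component carries the same broken JSON patch as stirling-pdf's: `- op: "/spec/topologySpreadConstraints"` has the pointer in `op` and no `path`, which kustomize rejects. Rewrite it as `- op: "add"` / `path: "/spec/topologySpreadConstraints"` / `value:` with the existing list, and double-check that `region` and `node` are labels the nodes really carry before using `DoNotSchedule`.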
+++ b/apps/string-is/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "string-is" +spec: + hosts: + - "string-is" + gateways: + - "istio-system/gateway" + http: + - match: + - uri: + prefix: "/" + route: + - destination: + host: "string-is" + port: + number: 80 diff --git a/apps/string-is/components/istio/kustomization.yaml b/apps/string-is/components/istio/kustomization.yaml new file mode 100644 index 0000000..779a624 --- /dev/null +++ b/apps/string-is/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "istio-virtualservice.yaml" +patches: + - target: + kind: "NetworkPolicy" + name: "string-is" + patch: |- + - op: "add" + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/string-is/deployment.yaml b/apps/string-is/deployment.yaml new file mode 100644 index 0000000..c60f6ff --- /dev/null +++ b/apps/string-is/deployment.yaml 
@@ -0,0 +1,57 @@ +--- +apiVersion: "apps/v1" +kind: "Deployment" +metadata: + name: "string-is" + labels: + app.kubernetes.io/name: "string-is" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: "string-is" + template: + metadata: + labels: + app: "string-is" + app.kubernetes.io/name: "string-is" + app.kubernetes.io/component: "string-is" + app.kubernetes.io/instance: "string-is-prod" + app.kubernetes.io/part-of: "string-is" + spec: + securityContext: + runAsUser: 27452 + runAsGroup: 27452 + fsGroup: 27452 + seccompProfile: + type: "RuntimeDefault" + containers: + - image: "daveperrett/string-is:v1.37.4" + name: "string-is" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 27452 + runAsGroup: 27452 + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + ports: + - containerPort: 3000 + name: "string-is" + readinessProbe: + tcpSocket: + port: "string-is" + livenessProbe: + tcpSocket: + port: "string-is" + resources: + requests: + memory: "32Mi" + cpu: "5m" + limits: + memory: "128Mi" diff --git a/apps/string-is/kustomization.yaml b/apps/string-is/kustomization.yaml new file mode 100644 index 0000000..9a41d1a --- /dev/null +++ b/apps/string-is/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - service.yaml + - deployment.yaml + - networkpolicy.yaml diff --git a/apps/string-is/networkpolicy.yaml b/apps/string-is/networkpolicy.yaml new file mode 100644 index 0000000..ef3b5ae --- /dev/null +++ b/apps/string-is/networkpolicy.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: "networking.k8s.io/v1" +kind: "NetworkPolicy" +metadata: + name: "string-is" +spec: + podSelector: {} + policyTypes: + - "Egress" + - "Ingress" + ingress: + - ports: + - protocol: "TCP" + port: "string-is" + from: [] + egress: [] 
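Review bot: In the string-is NetworkPolicy the ingress rule's `from: []` matches all sources rather than none — an empty `from` is "not restricted by source" in the API — so port `string-is` is open to every pod in the cluster even without the istio component. Use `ingress: []` in the base and have the istio component append a full rule at `/spec/ingress/-`, or put a never-matching `podSelector` into `from`, as suggested on the stirling-pdf policy.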
diff --git a/apps/string-is/service.yaml b/apps/string-is/service.yaml
new file mode 100644
index 0000000..1d2f9d7
--- /dev/null
+++ b/apps/string-is/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: string-is
+spec:
+ ports:
+ - port: 80
+ targetPort: string-is
+ selector:
+ app.kubernetes.io/name: string-is
diff --git a/apps/string-is/upsert-secrets.sh b/apps/string-is/upsert-secrets.sh
new file mode 100755
index 0000000..1bb3177
--- /dev/null
+++ b/apps/string-is/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh"
diff --git a/apps/synapse/deployment.yaml b/apps/synapse/deployment.yaml
new file mode 100644
index 0000000..8f5258e
--- /dev/null
+++ b/apps/synapse/deployment.yaml
@@ -0,0 +1,82 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: synapse +spec: + replicas: 1 + selector: + matchLabels: + app: synapse + template: + metadata: + labels: + app: synapse + app.kubernetes.io/name: synapse + app.kubernetes.io/instance: synapse-prod + app.kubernetes.io/component: synapse + app.kubernetes.io/part-of: synapse + spec: + securityContext: + runAsNonRoot: true + runAsUser: 33991 + runAsGroup: 33991 + fsGroup: 33991 + seccompProfile: + type: RuntimeDefault + containers: + - name: synapse + image: matrixdotorg/synapse:v1.105.0 + ports: + - containerPort: 8008 + name: http + - containerPort: 8443 + name: https + env: + - name: SYNAPSE_SERVER_NAME + value: "soeren.cloud" + - name: SYNAPSE_REPORT_STATS + value: "yes" + resources: + requests: + memory: "64Mi" + cpu: "5m" + limits: + memory: "384Mi" + livenessProbe: + httpGet: + path: /health + port: http + initialDelaySeconds: 15 + timeoutSeconds: 5 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /health + port: http + initialDelaySeconds: 2 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 33991 + runAsGroup: 33991 + privileged: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: synapse-data + mountPath: /data + - name: synapse-config + mountPath: /synapse/config + readOnly: true + volumes: + - name: synapse-data + emptyDir: + sizeLimit: 1G + - name: synapse-config + configMap: + name: synapse-config diff --git a/apps/synapse/kustomization.yaml b/apps/synapse/kustomization.yaml new file mode 100644 index 0000000..356c305 --- /dev/null +++ b/apps/synapse/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml diff --git a/apps/synapse/service.yaml b/apps/synapse/service.yaml new file mode 100644 index 0000000..587c5e4 --- /dev/null 
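Review bot: The ConfigMap is mounted at `/synapse/config`, but no `SYNAPSE_CONFIG_PATH`/`SYNAPSE_CONFIG_DIR` is set and, as far as the matrixdotorg image's documented defaults go, it reads `/data/homeserver.yaml` — so the mounted config appears to be ignored and the container starts from an empty `/data`. Because `/data` is an `emptyDir`, everything written there — the `soeren.cloud.signing.key` federation signing key and any SQLite database — is regenerated on every pod restart, and a rotating signing key breaks federation with servers that cached the old one; this needs a PVC (as taskd has via its pvc component) or at least the key mounted from a Secret. Suggest adding `- name: SYNAPSE_CONFIG_PATH` / `value: /synapse/config/homeserver.yaml` and a `# TODO: persistent /data, signing key is regenerated on restart` comment until storage exists. `SYNAPSE_REPORT_STATS=yes` sends usage statistics upstream; fine if deliberate, but a one-line comment would make that explicit.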
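Review bot: The synapse kustomization lists only `deployment.yaml` and `service.yaml` — unlike every other app in this commit there is no `networkpolicy.yaml`, so the namespace gets no default-deny and a federating server (outbound to arbitrary hosts, inbound on 8008/8448) runs with unrestricted ingress and egress. Add a policy in the same shape as the others: ingress to `http`/`https` only from the `istio-system` ingressgateway, egress to kube-dns on 53 and to the internet on 443/8448 for federation.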
+++ b/apps/synapse/service.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: synapse +spec: + selector: + app: synapse + ports: + - protocol: TCP + port: 8008 + targetPort: 8008 + name: http + - protocol: TCP + port: 8448 + targetPort: 8448 + name: https diff --git a/apps/taskd/components/istio/istio-virtualservice.yaml b/apps/taskd/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..4737102 --- /dev/null +++ b/apps/taskd/components/istio/istio-virtualservice.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "taskd" +spec: + hosts: + - "taskd" + gateways: + - "istio-system/gateway" + tcp: + - match: + - port: 53589 + route: + - destination: + host: "taskd" + port: + number: 53589 diff --git a/apps/taskd/components/istio/kustomization.yaml b/apps/taskd/components/istio/kustomization.yaml new file mode 100644 index 0000000..4a6670f --- /dev/null +++ b/apps/taskd/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml +patches: + - target: + kind: "NetworkPolicy" + name: "taskd" + patch: |- + - op: "add" + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/taskd/components/pvc/kustomization.yaml b/apps/taskd/components/pvc/kustomization.yaml new file mode 100644 index 0000000..b348435 --- /dev/null +++ b/apps/taskd/components/pvc/kustomization.yaml 
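Review bot: The Service's `https` port forwards to `targetPort: 8448`, but the Deployment declares `containerPort: 8443` under the name `https`, so one of the two is wrong and the Service either hits a port nothing listens on or the container port is mislabelled. Matrix federation uses 8448, so `- containerPort: 8448` in the Deployment (and `targetPort: https` here so the name, not a number, is the contract) keeps both in sync. Note that this only makes sense if the homeserver config actually defines a TLS listener on that port; the default generated config does not.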
@@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - taskd-pvc.yaml +patches: + - target: + kind: Deployment + name: taskd + patch: |- + - op: add + path: /spec/template/spec/priorityClassName + value: prod-default-prio + - op: replace + path: /spec/template/spec/volumes/0 + value: + name: storage + persistentVolumeClaim: + claimName: taskd diff --git a/apps/taskd/components/pvc/taskd-pvc.yaml b/apps/taskd/components/pvc/taskd-pvc.yaml new file mode 100644 index 0000000..332b5f6 --- /dev/null +++ b/apps/taskd/components/pvc/taskd-pvc.yaml @@ -0,0 +1,11 @@ +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: taskd +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/apps/taskd/components/restic-pvc/kustomization.yaml b/apps/taskd/components/restic-pvc/kustomization.yaml new file mode 100644 index 0000000..bc6dc88 --- /dev/null +++ b/apps/taskd/components/restic-pvc/kustomization.yaml 
@@ -0,0 +1,67 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - ../../../../infra/restic-pvc +configMapGenerator: + - name: "taskd-restic-pvc" + behavior: merge # TODO: https://github.com/kubernetes-sigs/kustomize/issues/4402 + literals: + - "RETENTION_DAYS=7" + - "RETENTION_WEEKS=4" + - "RETENTION_MONTHS=6" + - "RESTIC_TARGETS=/var/taskd" + - "RESTIC_BACKUP_ID=taskd" +patches: + - target: + kind: "CronJob" + name: "restic-pvc-backup" + patch: |- + - op: "replace" + path: "/spec/schedule" + value: "5 6 * * *" + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "taskd" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsUser" + value: 53589 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/securityContext/runAsGroup" + value: 53589 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/securityContext/fsGroup" + value: 53589 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsUser" + value: 53589 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/securityContext/runAsGroup" + value: 53589 + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom" + value: + - configMapRef: + name: "taskd-restic-pvc" + - secretRef: + name: "taskd-restic-pvc" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/volumes/0/persistentVolumeClaim/claimName" + value: "taskd" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/volumeMounts/0/mountPath" + value: "/var/taskd" + - target: + kind: "CronJob" + name: "restic-pvc-prune" + patch: |- + - op: "replace" + path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name" + value: "taskd" + - op: "replace" + path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom" + value: + - configMapRef: + name: "taskd-restic-pvc" + - secretRef: + name: 
"taskd-restic-pvc" diff --git a/apps/taskd/components/restic-pvc/upsert-secret-taskd-restic-pvc.sh b/apps/taskd/components/restic-pvc/upsert-secret-taskd-restic-pvc.sh new file mode 100755 index 0000000..18b7aa3 --- /dev/null +++ b/apps/taskd/components/restic-pvc/upsert-secret-taskd-restic-pvc.sh @@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +BACKUP_ID="${K8S_APP_SUB}" +S3_DIR="restic-${BACKUP_ID}" +TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]') +AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id') +AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret') +RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}" +RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \ + --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \ + --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \ + --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \ + --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/apps/taskd/components/tls/cert-certificate.yaml b/apps/taskd/components/tls/cert-certificate.yaml new file mode 100644 index 0000000..9ad6e67 --- /dev/null +++ b/apps/taskd/components/tls/cert-certificate.yaml 
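Review bot: The bucket id is spliced into the jq program by string concatenation (`'.["'"${S3_DIR}"'"]'`), and a missing key yields `null`, which then becomes the literal strings `null` for `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` in the sops-encrypted Secret without tripping `set -eu`. Use `--arg` and `-e` so a missing or null output aborts the script: `TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -re --arg k "${S3_DIR}" '.[$k]')`, `AWS_ACCESS_KEY_ID=$(jq -re '.id' <<<"${TF_VALUE}")`, `AWS_SECRET_ACCESS_KEY=$(jq -re '.secret' <<<"${TF_VALUE}")`. Also quote `"${BACKUP_ID}"` in the `pass` call, and the duplicated `-e` on the sops line is harmless but should go. Worth a comment that these are long-lived static IAM keys landing in-cluster, so their rotation depends on re-running this script.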
@@ -0,0 +1,18 @@ +--- +apiVersion: "cert-manager.io/v1" +kind: "Certificate" +metadata: + name: "taskd" +spec: + secretName: "taskd-cert" + duration: "2160h" + renewBefore: "360h" + commonName: "this is not a valid name" + dnsNames: [] + issuerRef: + name: "vault-issuer" + kind: "Issuer" + group: "cert-manager.io" + privateKey: + algorithm: "RSA" + size: 3072 diff --git a/apps/taskd/components/tls/cert-issuer.yaml b/apps/taskd/components/tls/cert-issuer.yaml new file mode 100644 index 0000000..27a676c --- /dev/null +++ b/apps/taskd/components/tls/cert-issuer.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault-issuer +--- +apiVersion: v1 +kind: Secret +metadata: + name: vault-issuer-sa + annotations: + kubernetes.io/service-account.name: vault-issuer +type: kubernetes.io/service-account-token +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: vault-issuer +spec: + vault: + path: pki/im_task/sign/taskd + server: https://vault.ha.soeren.cloud + auth: + kubernetes: + role: "taskd" + mountPath: /v1/auth/svc.dd.soeren.cloud + secretRef: + name: vault-issuer-sa + key: token diff --git a/apps/taskd/components/tls/kustomization.yaml b/apps/taskd/components/tls/kustomization.yaml new file mode 100644 index 0000000..4c45f3d --- /dev/null +++ b/apps/taskd/components/tls/kustomization.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - cert-certificate.yaml + - cert-issuer.yaml +patches: + - target: + kind: Deployment + name: taskd + patch: |- + - op: add + path: /spec/template/spec/volumes/- + value: + name: taskd-cert + secret: + secretName: taskd-cert + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: taskd-cert + mountPath: /pki diff --git a/apps/taskd/deployment.yaml b/apps/taskd/deployment.yaml new file mode 100644 index 0000000..e090d3c --- /dev/null +++ b/apps/taskd/deployment.yaml 
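Review bot: The Certificate asks for a server cert with `commonName: "this is not a valid name"` and `dnsNames: []`, i.e. no SAN at all; taskwarrior clients verify the server name unless configured with `taskd.trust=ignore hostname`, so unless the Vault role behind `pki/im_task/sign/taskd` injects the SAN server-side this certificate cannot pass hostname verification. Put the name clients connect to into `dnsNames` and drop the placeholder CN, or add a comment such as `# SAN is set by the Vault role; CN is a required placeholder` so the next reader knows it is deliberate.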
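Review bot: The Issuer authenticates to Vault with a hand-made `kubernetes.io/service-account-token` Secret (`vault-issuer-sa`), i.e. a non-expiring legacy token that sits in the namespace readable by anything with Secret get/list; recent cert-manager releases (1.12+) support `auth.kubernetes.serviceAccountRef: {name: vault-issuer}`, which requests short-lived bound tokens via TokenRequest, so the static Secret can be removed entirely. If the installed cert-manager is older, a comment noting why the long-lived token is needed and that the Vault role `taskd` should be bound to this namespace and service account name would help.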
@@ -0,0 +1,82 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: taskd + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app: taskd + template: + metadata: + labels: + app: taskd + app.kubernetes.io/name: taskd + app.kubernetes.io/instance: taskd-prod + app.kubernetes.io/component: taskd + app.kubernetes.io/part-of: taskd + spec: + securityContext: + runAsUser: 53589 + runAsGroup: 53589 + fsGroup: 53589 + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "taskd" + image: "ghcr.io/soerenschneider/taskd:main-20240211125633" + imagePullPolicy: "IfNotPresent" + workingDir: "/var/taskd" + command: + - "taskd" + - "server" + - "--data" + - "/var/taskd" + ports: + - containerPort: 53589 + name: "taskd" + resources: + requests: + memory: "32Mi" + cpu: "1m" + limits: + memory: "128Mi" + livenessProbe: + tcpSocket: + port: "taskd" + initialDelaySeconds: 15 + timeoutSeconds: 5 + failureThreshold: 5 + readinessProbe: + tcpSocket: + port: "taskd" + initialDelaySeconds: 2 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + runAsNonRoot: true + runAsUser: 53589 + runAsGroup: 53589 + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + volumeMounts: + - name: "storage" + mountPath: "/var/taskd" + - name: "config" + mountPath: "/var/taskd/config" + subPath: "taskd.properties" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "100Mi" + - name: "config" + configMap: + name: "taskd-config" diff --git a/apps/taskd/kustomization.yaml b/apps/taskd/kustomization.yaml new file mode 100644 index 0000000..f731209 --- /dev/null +++ b/apps/taskd/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "deployment.yaml" + - "service.yaml" + - "networkpolicy.yaml" +configMapGenerator: + - name: "taskd-config" + files: + - "taskd.properties" 
diff --git a/apps/taskd/networkpolicy.yaml b/apps/taskd/networkpolicy.yaml new file mode 100644 index 0000000..57cb453 --- /dev/null +++ b/apps/taskd/networkpolicy.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: "networking.k8s.io/v1" +kind: "NetworkPolicy" +metadata: + name: "taskd" +spec: + podSelector: {} + policyTypes: + - "Egress" + - "Ingress" + ingress: + - ports: + - protocol: "TCP" + port: "taskd" + from: [] + egress: [] diff --git a/apps/taskd/service.yaml b/apps/taskd/service.yaml new file mode 100644 index 0000000..da11485 --- /dev/null +++ b/apps/taskd/service.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: "v1" +kind: "Service" +metadata: + name: "taskd" +spec: + selector: + app: "taskd" + ports: + - protocol: "TCP" + port: 53589 + targetPort: "taskd" diff --git a/apps/taskd/taskd.properties b/apps/taskd/taskd.properties new file mode 100644 index 0000000..f1983cf --- /dev/null +++ b/apps/taskd/taskd.properties @@ -0,0 +1,11 @@ +confirmation=1 +ip.log=on +queue.size=100 +request.limit=1048576 +root=/var/taskd +server=0.0.0.0:53589 +#ciphers=SECURE256:-VERS-ALL:+VERS-TLS1.3 +trust=strict +ca.cert=/ca/ca.crt +server.cert=/pki/tls.crt +server.key=/pki/tls.key diff --git a/apps/taskd/upsert-secrets.sh b/apps/taskd/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/taskd/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/vcr/components/fileserver-istio/istio-virtualservice.yaml b/apps/vcr/components/fileserver-istio/istio-virtualservice.yaml new file mode 100644 index 0000000..030884a --- /dev/null +++ b/apps/vcr/components/fileserver-istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: vcr +spec: + hosts: + - vcr + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: vcr + port: + number: 80 
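Review bot: The taskd NetworkPolicy's ingress rule uses `from: []`, which matches all sources rather than none, so port `taskd` is open to every pod in the cluster regardless of the istio component. Make the base `ingress: []` and have the istio component append a complete rule at `/spec/ingress/-`, or use a never-matching `podSelector` in `from`, as noted on the stirling-pdf policy.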
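Review bot: `ca.cert=/ca/ca.crt` points at a path nothing in this commit mounts — the tls component only mounts the `taskd-cert` Secret at `/pki` — so with `trust=strict` the server has no CA bundle to verify client certificates against unless some component outside this commit supplies `/ca`. cert-manager writes the issuing CA into the same Secret as `ca.crt`, so `ca.cert=/pki/ca.crt` works if client certs are signed by that Vault CA; if a separate client CA is intended it needs its own volume and a comment saying where it comes from. The commented-out `#ciphers=SECURE256:-VERS-ALL:+VERS-TLS1.3` appears to intend TLS 1.3 only; while it stays commented, GnuTLS' default priority applies and older protocol versions remain negotiable.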
diff --git a/apps/vcr/components/fileserver-istio/kustomization.yaml b/apps/vcr/components/fileserver-istio/kustomization.yaml
new file mode 100644
index 0000000..5e37d63
--- /dev/null
+++ b/apps/vcr/components/fileserver-istio/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - istio-virtualservice.yaml
diff --git a/apps/vcr/components/fileserver/fileserver-deployment.yaml b/apps/vcr/components/fileserver/fileserver-deployment.yaml
new file mode 100644
index 0000000..96624f5
--- /dev/null
+++ b/apps/vcr/components/fileserver/fileserver-deployment.yaml
@@ -0,0 +1,77 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: aplos +spec: + replicas: 1 + selector: + matchLabels: + app: aplos + template: + metadata: + labels: + app: aplos + app.kubernetes.io/name: aplos + app.kubernetes.io/instance: aplos-prod + app.kubernetes.io/component: aplos + app.kubernetes.io/part-of: vcr + spec: + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: aplos + # TODO + image: ghcr.io/soerenschneider/aplos:main + imagePullPolicy: IfNotPresent + env: + - name: "APLOS_ADDR" + value: "0.0.0.0:8080" + - name: "APLOS_DIRECTORY" + value: "/data" + ports: + - containerPort: 8080 + name: "aplos" + resources: + requests: + memory: "64Mi" + cpu: "5m" + limits: + memory: "128Mi" + livenessProbe: + httpGet: + port: "aplos" + path: "/_health" + initialDelaySeconds: 2 + timeoutSeconds: 5 + failureThreshold: 5 + readinessProbe: + httpGet: + port: "aplos" + path: "/_health" + initialDelaySeconds: 1 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65535 + runAsGroup: 65535 + capabilities: + drop: + - "ALL" + seccompProfile: + type: "RuntimeDefault" + volumeMounts: + - name: "storage" + readOnly: true + mountPath: "/data" + volumes: + - name: "storage" + persistentVolumeClaim: + readOnly: true + claimName: "vcr" diff --git a/apps/vcr/components/fileserver/fileserver-service.yaml b/apps/vcr/components/fileserver/fileserver-service.yaml new file mode 100644 index 0000000..d4549c3 --- /dev/null +++ b/apps/vcr/components/fileserver/fileserver-service.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: vcr +spec: + selector: + app: aplos + ports: + - protocol: TCP + port: 80 + targetPort: aplos 
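Review bot: The aplos image is pinned to the mutable `main` tag (the `# TODO` acknowledges it), so every pod restart may pull different code and there is no record of what actually served files; the other Deployments in this commit use a version or `main-<timestamp>` tag, and a digest is the only immutable choice, e.g. `image: ghcr.io/soerenschneider/aplos:main-<timestamp>@sha256:<digest>`. Unlike its siblings this container also omits `privileged: false` — harmless (the default is false) but inconsistent with the pattern the repo's linters check, so add it.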
diff --git a/apps/vcr/components/fileserver/kustomization.yaml b/apps/vcr/components/fileserver/kustomization.yaml new file mode 100644 index 0000000..a18c239 --- /dev/null +++ b/apps/vcr/components/fileserver/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - fileserver-deployment.yaml + - fileserver-service.yaml diff --git a/apps/vcr/components/metube-istio/istio-virtualservice.yaml b/apps/vcr/components/metube-istio/istio-virtualservice.yaml new file mode 100644 index 0000000..fca5f9f --- /dev/null +++ b/apps/vcr/components/metube-istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: metube +spec: + hosts: + - metube + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: metube + port: + number: 80 diff --git a/apps/vcr/components/metube-istio/kustomization.yaml b/apps/vcr/components/metube-istio/kustomization.yaml new file mode 100644 index 0000000..5e37d63 --- /dev/null +++ b/apps/vcr/components/metube-istio/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml diff --git a/apps/vcr/components/metube/kustomization.yaml b/apps/vcr/components/metube/kustomization.yaml new file mode 100644 index 0000000..37886e2 --- /dev/null +++ b/apps/vcr/components/metube/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - metube-service.yaml + - metube-deployment.yaml diff --git a/apps/vcr/components/metube/metube-deployment.yaml b/apps/vcr/components/metube/metube-deployment.yaml new file mode 100644 index 0000000..9a85cdd --- /dev/null +++ b/apps/vcr/components/metube/metube-deployment.yaml 
@@ -0,0 +1,83 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: metube +spec: + replicas: 1 + selector: + matchLabels: + app: metube + template: + metadata: + labels: + app: metube + app.kubernetes.io/name: metube + app.kubernetes.io/instance: metube-prod + app.kubernetes.io/component: metube + app.kubernetes.io/part-of: vcr + spec: + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: metube + image: ghcr.io/alexta69/metube:2024-01-26 + imagePullPolicy: IfNotPresent + env: + - name: UID + value: "65535" + - name: GID + value: "65535" + - name: DOWNLOAD_DIR + value: /data/metube + - name: STATE_DIR + value: /data/metube/.metube + - name: TEMP_DIR + value: /data/metube/.tmp + ports: + - containerPort: 8081 + name: metube + resources: + requests: + memory: "64Mi" + cpu: "10m" + limits: + memory: "512Mi" + livenessProbe: + tcpSocket: + port: metube + initialDelaySeconds: 2 + timeoutSeconds: 5 + failureThreshold: 5 + readinessProbe: + tcpSocket: + port: metube + initialDelaySeconds: 1 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65535 + runAsGroup: 65535 + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: storage + mountPath: /data + - name: tmp + mountPath: /tmp + volumes: + - name: storage + persistentVolumeClaim: + claimName: vcr + - name: tmp + emptyDir: + sizeLimit: 5Gi diff --git a/apps/vcr/components/metube/metube-service.yaml b/apps/vcr/components/metube/metube-service.yaml new file mode 100644 index 0000000..044382a --- /dev/null +++ b/apps/vcr/components/metube/metube-service.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: metube +spec: + selector: + app: metube + ports: + - protocol: TCP + port: 80 + targetPort: metube 
diff --git a/apps/vcr/components/yt-dlp-pvc/kustomization.yaml b/apps/vcr/components/yt-dlp-pvc/kustomization.yaml new file mode 100644 index 0000000..851f43d --- /dev/null +++ b/apps/vcr/components/yt-dlp-pvc/kustomization.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - pvc.yaml +patches: + - target: + kind: CronJob + patch: |- + - op: replace + path: /spec/jobTemplate/spec/template/spec/volumes/0 + value: + name: storage + persistentVolumeClaim: + claimName: vcr diff --git a/apps/vcr/components/yt-dlp-pvc/pvc.yaml b/apps/vcr/components/yt-dlp-pvc/pvc.yaml new file mode 100644 index 0000000..2817582 --- /dev/null +++ b/apps/vcr/components/yt-dlp-pvc/pvc.yaml @@ -0,0 +1,11 @@ +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: vcr +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi diff --git a/apps/vcr/kustomization.yaml b/apps/vcr/kustomization.yaml new file mode 100644 index 0000000..ad3ad27 --- /dev/null +++ b/apps/vcr/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - yt-dlp-cronjob.yaml diff --git a/apps/vcr/yt-dlp-cronjob.yaml b/apps/vcr/yt-dlp-cronjob.yaml new file mode 100644 index 0000000..6d0b96f --- /dev/null +++ b/apps/vcr/yt-dlp-cronjob.yaml 
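Review bot: The vcr kustomization ships only the yt-dlp CronJob and, unlike every other app in this commit, no `networkpolicy.yaml`; the metube and aplos components add a download UI and a file server and publish both through the gateway, so nothing constrains ingress to those pods or egress from metube/yt-dlp (which fetch arbitrary user-supplied URLs from inside the cluster network). Add a default-deny policy with egress to kube-dns on 53 and to the internet on 443 for the downloaders, and ingress to `metube`/`aplos` only from the `istio-system` ingressgateway, matching the other apps.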
@@ -0,0 +1,50 @@ +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: yt-dlp +spec: + timeZone: Europe/Berlin + schedule: "0 18 * * SAT" + concurrencyPolicy: Forbid + jobTemplate: + spec: + backoffLimit: 0 + template: + spec: + restartPolicy: Never + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: yt-dlp + image: ghcr.io/soerenschneider/yt-dlp:2024.5.27 + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + requests: + memory: "64Mi" + cpu: "5m" + limits: + memory: "1Gi" + volumeMounts: + - name: storage + mountPath: /data + volumes: + - name: storage + emptyDir: {} diff --git a/apps/vector/agent.yaml b/apps/vector/agent.yaml new file mode 100644 index 0000000..811cdeb --- /dev/null +++ b/apps/vector/agent.yaml @@ -0,0 +1,28 @@ +--- +data_dir: /vector-data-dir +sources: + kubernetes_logs: + type: kubernetes_logs + host_metrics: + filesystem: + devices: + excludes: [binfmt_misc] + filesystems: + excludes: [binfmt_misc] + mountPoints: + excludes: ["*/proc/sys/fs/binfmt_misc"] + type: host_metrics + internal_metrics: + type: internal_metrics +transforms: + k8s: + type: remap + inputs: + - kubernetes_logs + source: | + if exists(.kubernetes.pod_labels."app.kubernetes.io/name") { + .app = .kubernetes.pod_labels."app.kubernetes.io/name" + } + if exists(.kubernetes.pod_labels."app.kubernetes.io/instance") { + .instance = .kubernetes.pod_labels."app.kubernetes.io/instance" + } diff --git a/apps/vector/daemonset.yaml b/apps/vector/daemonset.yaml new file mode 100644 index 0000000..779ba4d --- /dev/null +++ b/apps/vector/daemonset.yaml 
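Review bot: The Job sets `backoffLimit: 0` and `concurrencyPolicy: Forbid` but no `activeDeadlineSeconds`, so a single stalled download (network hang, rate limiting) keeps the Job alive indefinitely and blocks every subsequent weekly run. Add `activeDeadlineSeconds: 21600` (or whatever a full run needs) under `jobTemplate.spec`. With `readOnlyRootFilesystem: true` and only `/data` writable, also confirm the image points yt-dlp's temp and cache directories at `/data`; otherwise a small `emptyDir` on `/tmp` is needed, as the metube Deployment already does.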
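Review bot: `agent.yaml` declares sources and a `k8s` remap transform but no `sinks`, and the DaemonSet feeds `/etc/vector/` from a single ConfigMap, so as written Vector has nowhere to send anything and, as far as I recall, refuses to start on a sink-less config; presumably a Loki sink matching the `loki` egress rule in the NetworkPolicy was meant to live here. Either add the sink or a comment such as `# sinks are provided by a per-environment overlay` if they are merged in elsewhere. Note too that `kubernetes_logs` collects every container's stdout cluster-wide, so any pod that logs credentials ends up in the log store — worth a `filter`/`remap` step if that is a concern.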
@@ -0,0 +1,105 @@ +--- +apiVersion: "apps/v1" +kind: "DaemonSet" +metadata: + name: "vector" + labels: + app.kubernetes.io/name: "vector" + app.kubernetes.io/instance: "vector" + app.kubernetes.io/component: "Agent" + annotations: + ignore-check.kube-linter.io/run-as-non-root: "Vector needs to run as root in order not to heavily configure nodes" + reloader.stakater.com/auto: "true" +spec: + selector: + matchLabels: + app.kubernetes.io/name: "vector" + app.kubernetes.io/instance: "vector" + app.kubernetes.io/component: "Agent" + minReadySeconds: 0 + template: + metadata: + labels: + app: "vector" + app.kubernetes.io/name: "vector" + app.kubernetes.io/instance: "vector" + app.kubernetes.io/component: "Agent" + vector.dev/exclude: "true" + annotations: + prometheus.io/port: "9598" + prometheus.io/scrape: "true" + spec: + serviceAccountName: "vector" + dnsPolicy: "ClusterFirst" + securityContext: + runAsNonRoot: false + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "vector" + image: "timberio/vector:0.40.0-distroless-libc" + imagePullPolicy: "IfNotPresent" + args: + - "--config-dir" + - "/etc/vector/" + env: + - name: "VECTOR_SELF_NODE_NAME" + valueFrom: + fieldRef: + fieldPath: "spec.nodeName" + - name: "VECTOR_SELF_POD_NAME" + valueFrom: + fieldRef: + fieldPath: "metadata.name" + - name: "VECTOR_SELF_POD_NAMESPACE" + valueFrom: + fieldRef: + fieldPath: "metadata.namespace" + - name: "VECTOR_LOG" + value: "info" + ports: + - name: "metrics" + containerPort: 9598 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + capabilities: + drop: + - "ALL" + resources: + requests: + memory: "384Mi" + cpu: "25m" + limits: + cpu: "1" + memory: "768Mi" + volumeMounts: + - name: "data" + mountPath: "/vector-data-dir" + - name: "vector-config" + mountPath: "/etc/vector/" + readOnly: true + - mountPath: "/var/log/" + name: "var-log" + readOnly: true + - mountPath: "/var/lib" + name: "var-lib" + 
readOnly: true + terminationGracePeriodSeconds: 60 + volumes: + - name: "vector-config" + projected: + sources: + - configMap: + name: "vector" + - name: data + hostPath: + path: "/var/lib/vector" + - hostPath: + path: "/var/log/" + name: "var-log" + - hostPath: + path: "/var/lib/" + name: "var-lib" diff --git a/apps/vector/kustomization.yaml b/apps/vector/kustomization.yaml new file mode 100644 index 0000000..00e78ee --- /dev/null +++ b/apps/vector/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - daemonset.yaml + - rbac.yaml + - sa.yaml +configMapGenerator: + - name: vector-config + files: + - agent.yaml diff --git a/apps/vector/networkpolicy.yaml b/apps/vector/networkpolicy.yaml new file mode 100644 index 0000000..9c224af --- /dev/null +++ b/apps/vector/networkpolicy.yaml @@ -0,0 +1,51 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: vector +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - ports: + - protocol: TCP + port: metrics + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + egress: + - to: + - namespaceSelector: + matchLabels: + networking/namespace: kube-system + podSelector: {} + ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + - to: + - namespaceSelector: + matchLabels: + name: loki + podSelector: + matchLabels: + app.kubernetes.io/name: loki + ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + - port: 3100 + protocol: TCP diff --git a/apps/vector/rbac.yaml b/apps/vector/rbac.yaml new file mode 100644 index 0000000..9e0e3b4 --- /dev/null +++ b/apps/vector/rbac.yaml 
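Review bot: The `vector-config` projected volume references `configMap: name: "vector"`, but apps/vector/kustomization.yaml generates the ConfigMap as `vector-config` (with a hash suffix), so kustomize's name-reference rewriting will not touch this reference and the pod will wait on a ConfigMap `vector` that is never created. Change the projected source to `name: "vector-config"` (or rename the generator to `vector`), which also lets the `reloader.stakater.com/auto` annotation track the right object. Separately, the read-only hostPath mount of all of `/var/lib/` hands a container that already runs as root (`runAsNonRoot: false`) a view of every other pod's kubelet-managed data under `/var/lib/kubelet`, including materialised secret volumes; narrowing `var-lib` to the container-runtime directory Vector actually reads would limit what an agent compromise exposes. A comment on the volume stating which subdirectory is needed would help whoever tightens it.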
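Review bot: The egress section of apps/vector/networkpolicy.yaml allows only DNS and the loki namespace, yet the ClusterRole in apps/vector/rbac.yaml grants list/watch on pods, nodes and namespaces for the `kubernetes_logs` source, and no rule permits egress to the API server; unless the CNI exempts control-plane traffic, the source cannot connect. The namespace selectors also use ad-hoc keys (`networking/namespace: kube-system`, `name: loki`) while every other policy in this commit keys on `kubernetes.io/metadata.name`, which the API server sets automatically — the custom labels match only if someone applies them by hand. The second DNS rule (`namespaceSelector: {}` with `k8s-app: kube-dns` and no `ports`) additionally allows every port to kube-dns in any namespace and overlaps the first rule; one rule with `kubernetes.io/metadata.name: kube-system` and ports 53/UDP+TCP, as in the istio-proxy components, would be tighter.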
@@ -0,0 +1,41 @@ +--- +# This file has been generated by `helm template vector vector/vector` from vector/templates/rbac.yaml. Please re-run `make generate-kubernetes-manifests` rather than modifying this file manually. +# Permissions to use Kubernetes API. +# Requires that RBAC authorization is enabled. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vector + labels: + app.kubernetes.io/name: vector + app.kubernetes.io/instance: vector + app.kubernetes.io/component: Agent +rules: + - apiGroups: + - "" + resources: + - namespaces + - nodes + - pods + verbs: + - list + - watch +--- +# This file has been generated by `helm template vector vector/vector` from vector/templates/rbac.yaml. Please re-run `make generate-kubernetes-manifests` rather than modifying this file manually. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vector + labels: + app.kubernetes.io/name: vector + app.kubernetes.io/instance: vector + app.kubernetes.io/component: Agent + app.kubernetes.io/version: "0.34.1-distroless-libc" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: vector +subjects: + - kind: ServiceAccount + name: vector + namespace: vector diff --git a/apps/vector/sa.yaml b/apps/vector/sa.yaml new file mode 100644 index 0000000..4d8caab --- /dev/null +++ b/apps/vector/sa.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vector + labels: + app.kubernetes.io/name: vector + app.kubernetes.io/instance: vector + app.kubernetes.io/component: Agent +automountServiceAccountToken: true diff --git a/apps/vikunja/components/database-mariadb/ca-bundle.crt b/apps/vikunja/components/database-mariadb/ca-bundle.crt new file mode 100644 index 0000000..b85c803 --- /dev/null +++ b/apps/vikunja/components/database-mariadb/ca-bundle.crt 
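Review bot: The ClusterRoleBinding carries `app.kubernetes.io/version: "0.34.1-distroless-libc"` while apps/vector/daemonset.yaml pins `timberio/vector:0.40.0-distroless-libc`, and the header states the file is generated by `helm template` and must not be edited by hand, so the manifest is stale relative to the image it authorises. Whether the `make generate-kubernetes-manifests` target named in the header exists in this commit's Makefile is not visible here; either regenerate the file or drop the generated-file header and the version label so the next maintainer is not sent looking for a target that may not exist. The `list`/`watch` grant on `nodes`, `pods` and `namespaces` cluster-wide is the documented minimum for the agent; a comment naming the source that needs each resource would justify it for future RBAC reviews.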
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 +WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu +ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY +MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc +h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ +0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U +A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW +T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH +B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC +B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv +KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn +OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn +jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw +qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI +rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq +hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL +ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ +3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK +NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 +ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur +TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC +jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc +oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq +4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA +mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d +emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= +-----END CERTIFICATE----- 
diff --git a/apps/vikunja/components/database-mariadb/kustomization.yaml b/apps/vikunja/components/database-mariadb/kustomization.yaml new file mode 100644 index 0000000..a7ce4a1 --- /dev/null +++ b/apps/vikunja/components/database-mariadb/kustomization.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +configMapGenerator: + - name: "vikunja" + behavior: "merge" + literals: + - "VIKUNJA_DATABASE_TYPE=mysql" + - name: ca-bundle + files: + - ca-bundle.crt +patches: + - target: + kind: "Deployment" + name: "vikunja" + patch: |- + - op: "add" + path: "/spec/template/spec/containers/0/envFrom/-" + value: + secretRef: + name: "vikunja-database-mariadb" + - op: "add" + path: "/spec/template/spec/containers/0/volumeMounts/-" + value: + name: "ca-bundle" + mountPath: "/etc/ssl" + - op: "add" + path: "/spec/template/spec/volumes/-" + value: + name: "ca-bundle" + configMap: + name: "ca-bundle" + - target: + kind: "NetworkPolicy" + patch: |- + - op: add + path: "/spec/egress/-" + value: + ports: + - port: 3306 + protocol: "TCP" + - port: 3307 + protocol: "TCP" diff --git a/apps/vikunja/components/database-mariadb/upsert-secret-vikunja-database-mariadb.sh b/apps/vikunja/components/database-mariadb/upsert-secret-vikunja-database-mariadb.sh new file mode 100755 index 0000000..a3e7e5d --- /dev/null +++ b/apps/vikunja/components/database-mariadb/upsert-secret-vikunja-database-mariadb.sh 
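Review bot: The NetworkPolicy patch in this component adds an egress rule with `ports` 3306/3307 but no `to:` peer, which the NetworkPolicy API treats as "any destination", so the otherwise deny-all policy in apps/vikunja/networkpolicy.yaml now lets vikunja open MariaDB connections to every reachable host; add a `to:` with the database's namespace/pod selector or an `ipBlock` for the cluster address. The CA bundle is also mounted at `mountPath: "/etc/ssl"`, which replaces the whole directory in the image with a ConfigMap holding only ca-bundle.crt; what else the Vikunja image keeps under /etc/ssl is not visible here, but mounting under `/etc/ssl/certs/` or via `subPath: ca-bundle.crt` to a dedicated file avoids shadowing the distro store and openssl.cnf.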
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +VIKUNJA_DATABASE_USER="$(echo "$OUTPUT" | grep -e "^VIKUNJA_DATABASE_USER=" | cut -d'=' -f2)" +VIKUNJA_DATABASE_PASSWORD="$(echo "$OUTPUT" | grep -e "^VIKUNJA_DATABASE_PASSWORD=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=VIKUNJA_DATABASE_USER="${VIKUNJA_DATABASE_USER}" \ + --from-literal=VIKUNJA_DATABASE_PASSWORD="${VIKUNJA_DATABASE_PASSWORD}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/vikunja/components/istio-proxy/kustomization.yaml b/apps/vikunja/components/istio-proxy/kustomization.yaml new file mode 100644 index 0000000..f54e124 --- /dev/null +++ b/apps/vikunja/components/istio-proxy/kustomization.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: "Namespace" + patch: |- + - op: add + path: "/metadata/labels/istio-injection" + value: "enabled" + - target: + kind: "NetworkPolicy" + patch: |- + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: istio-system + podSelector: {} + ports: + - port: 15012 + protocol: TCP + - port: 15014 + protocol: TCP 
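Review bot: `cut -d'=' -f2` in the `VIKUNJA_DATABASE_USER` and `VIKUNJA_DATABASE_PASSWORD` assignments keeps only the second field, so a password that itself contains `=` is silently truncated before it reaches the secret; use `cut -d'=' -f2-` (or `${line#*=}`) in both. `OUTPUT=$(pass ${K8S_PASS_PATH})` leaves the variable unquoted, and `-e` is passed to sops twice; neither is harmful, but both read as copy-paste residue shared with apps/vikunja/upsert-secret-vikunja.sh, where the same `cut` bug recurs.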
diff --git a/apps/vikunja/components/istio/istio-virtualservice.yaml b/apps/vikunja/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..d077e91 --- /dev/null +++ b/apps/vikunja/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "vikunja" +spec: + hosts: + - "vikunja" + gateways: + - "istio-system/gateway" + http: + - match: + - uri: + prefix: "/" + route: + - destination: + host: "vikunja" + port: + number: 80 diff --git a/apps/vikunja/components/istio/kustomization.yaml b/apps/vikunja/components/istio/kustomization.yaml new file mode 100644 index 0000000..5eedf2a --- /dev/null +++ b/apps/vikunja/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "istio-virtualservice.yaml" +patches: + - target: + kind: "NetworkPolicy" + name: "vikunja" + patch: |- + - op: "add" + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" diff --git a/apps/vikunja/components/redis/kustomization.yaml b/apps/vikunja/components/redis/kustomization.yaml new file mode 100644 index 0000000..32291da --- /dev/null +++ b/apps/vikunja/components/redis/kustomization.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "redis-deployment.yaml" + - "redis-service.yaml" + - "networkpolicy.yaml" +configMapGenerator: + - name: "vikunja" + behavior: "merge" + literals: + - "VIKUNJA_REDIS_ENABLED=true" + - "VIKUNJA_REDIS_HOST=redis:6379" + - "VIKUNJA_CACHE_ENABLED=true" + - "VIKUNJA_CACHE_TYPE=redis" +patches: + - target: + kind: "NetworkPolicy" + patch: |- + - op: add + path: "/spec/egress/-" + value: + to: + - podSelector: + matchLabels: + k8s-app: "redis" + ports: + - port: "redis" + protocol: "TCP" 
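Review bot: The egress rule this redis component appends selects the cache with `k8s-app: "redis"`, but the redis pods in apps/vikunja/components/redis/redis-deployment.yaml carry `app: "redis"` and `app.kubernetes.io/name: "redis"`, not `k8s-app`; because the base policy in apps/vikunja/networkpolicy.yaml is deny-all egress, vikunja will be unable to reach redis at all. Change the selector to `app: "redis"`, the key the redis Service in this component already uses.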
diff --git a/apps/vikunja/components/redis/networkpolicy.yaml b/apps/vikunja/components/redis/networkpolicy.yaml new file mode 100644 index 0000000..fb26f5b --- /dev/null +++ b/apps/vikunja/components/redis/networkpolicy.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "networking.k8s.io/v1" +kind: "NetworkPolicy" +metadata: + name: "redis" +spec: + podSelector: {} + policyTypes: + - "Egress" + - "Ingress" + ingress: + - ports: + - protocol: "TCP" + port: "redis" + from: + - podSelector: + matchLabels: + app: "vikunja" + egress: [] diff --git a/apps/vikunja/components/redis/redis-deployment.yaml b/apps/vikunja/components/redis/redis-deployment.yaml new file mode 100644 index 0000000..ed6f48a --- /dev/null +++ b/apps/vikunja/components/redis/redis-deployment.yaml 
@@ -0,0 +1,68 @@ +--- +apiVersion: "apps/v1" +kind: "Deployment" +metadata: + name: "redis" +spec: + replicas: 1 + selector: + matchLabels: + app: "redis" + template: + metadata: + labels: + app: "redis" + app.kubernetes.io/name: "redis" + app.kubernetes.io/component: "cache" + app.kubernetes.io/instance: "vikunja-prod" + app.kubernetes.io/part-of: "vikunja" + spec: + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "redis" + image: "docker.io/library/redis:7.2.5-alpine" + ports: + - containerPort: 6379 + name: "redis" + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + resources: + requests: + memory: "48Mi" + cpu: "5m" + limits: + memory: "196Mi" + volumeMounts: + - name: "storage" + mountPath: "/data" + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: "app.kubernetes.io/part-of" + operator: "In" + values: + - "vikunja" + topologyKey: "kubernetes.io/hostname" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "1Gi" diff --git a/apps/vikunja/components/redis/redis-service.yaml b/apps/vikunja/components/redis/redis-service.yaml new file mode 100644 index 0000000..e7d8218 --- /dev/null +++ b/apps/vikunja/components/redis/redis-service.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: "v1" +kind: "Service" +metadata: + name: "redis" +spec: + selector: + app: "redis" + ports: + - protocol: "TCP" + port: 6379 + targetPort: "redis" diff --git a/apps/vikunja/deployment.yaml b/apps/vikunja/deployment.yaml new file mode 100644 index 0000000..1132560 --- /dev/null +++ b/apps/vikunja/deployment.yaml 
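Review bot: The redis container runs with the image defaults — no `command`/`args` and no config volume are present — so the instance is unauthenticated and is protected only by the NetworkPolicy in this component, which with `podSelector: {}` admits any pod in the namespace labelled `app: "vikunja"`. If that trust boundary is intended, a short comment on the Deployment saying so would help; otherwise pass `--requirepass` from a Secret and set `VIKUNJA_REDIS_PASSWORD` alongside the other `VIKUNJA_REDIS_*` literals. The memory limit `"196Mi"` also looks like a typo for `"192Mi"`.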
@@ -0,0 +1,80 @@ +--- +apiVersion: "apps/v1" +kind: "Deployment" +metadata: + name: "vikunja" + labels: + app.kubernetes.io/name: "vikunja" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: "vikunja" + template: + metadata: + labels: + app: "vikunja" + app.kubernetes.io/name: "vikunja" + app.kubernetes.io/component: "vikunja" + app.kubernetes.io/instance: "vikunja-prod" + app.kubernetes.io/part-of: "vikunja" + spec: + securityContext: + runAsUser: 17452 + runAsGroup: 17452 + fsGroup: 17452 + seccompProfile: + type: "RuntimeDefault" + containers: + - image: "vikunja/vikunja:unstable" + name: "vikunja" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 17452 + runAsGroup: 17452 + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + envFrom: + - configMapRef: + name: "vikunja" + - secretRef: + name: "vikunja" + optional: true + ports: + - containerPort: 3456 + name: "vikunja" + startupProbe: + httpGet: + path: "/health" + port: "vikunja" + failureThreshold: 30 + periodSeconds: 10 + readinessProbe: + httpGet: + path: "/health" + port: "vikunja" + livenessProbe: + httpGet: + path: "/health" + port: "vikunja" + failureThreshold: 2 + periodSeconds: 15 + resources: + requests: + memory: "32Mi" + cpu: "5m" + limits: + memory: "128Mi" + volumeMounts: + - mountPath: "/data" + name: "storage" + volumes: + - name: "storage" + emptyDir: + sizeLimit: "1Gi" diff --git a/apps/vikunja/kustomization.yaml b/apps/vikunja/kustomization.yaml new file mode 100644 index 0000000..b4c13a2 --- /dev/null +++ b/apps/vikunja/kustomization.yaml 
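Review bot: `image: "vikunja/vikunja:unstable"` is a floating tag with no `imagePullPolicy`, so which build runs depends on what the node has cached, and a pod restart can silently change the application; every other workload in this commit pins a release tag or a digest (e.g. apps/yaade/deployment.yaml). Pin a released tag or digest and set `imagePullPolicy: "IfNotPresent"` like the sibling manifests. The `secretRef: "vikunja"` is marked `optional: true`, so a missing JWT secret does not block startup; what Vikunja does without `VIKUNJA_SERVICE_JWTSECRET` is not visible here, but if the value is required, dropping `optional` makes the deploy fail loudly instead.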
@@ -0,0 +1,14 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "service.yaml" + - "deployment.yaml" + - "networkpolicy.yaml" +configMapGenerator: + - name: "vikunja" + literals: + - "VIKUNJA_SERVICE_ENABLELINKSHARING=true" + - "VIKUNJA_SERVICE_TIMEZONE=Europe/Berlin" + - "VIKUNJA_SENTRY_ENABLED=false" + - "VIKUNJA_FILES_BASEPATH=/data" diff --git a/apps/vikunja/networkpolicy.yaml b/apps/vikunja/networkpolicy.yaml new file mode 100644 index 0000000..93ffff3 --- /dev/null +++ b/apps/vikunja/networkpolicy.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: "networking.k8s.io/v1" +kind: "NetworkPolicy" +metadata: + name: "vikunja" +spec: + podSelector: {} + policyTypes: + - "Egress" + - "Ingress" + ingress: + - ports: + - protocol: "TCP" + port: "vikunja" + from: [] + egress: [] diff --git a/apps/vikunja/service.yaml b/apps/vikunja/service.yaml new file mode 100644 index 0000000..3fbca14 --- /dev/null +++ b/apps/vikunja/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: "v1" +kind: "Service" +metadata: + name: "vikunja" +spec: + ports: + - port: 80 + targetPort: "vikunja" + selector: + app.kubernetes.io/name: "vikunja" diff --git a/apps/vikunja/upsert-secret-vikunja.sh b/apps/vikunja/upsert-secret-vikunja.sh new file mode 100755 index 0000000..bf48d74 --- /dev/null +++ b/apps/vikunja/upsert-secret-vikunja.sh 
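Review bot: `from: []` in the ingress rule is an empty peer list, which the NetworkPolicy API treats as "match all sources", so on its own this policy admits traffic to port `vikunja` from any pod or address; it only becomes restrictive once the istio component (apps/vikunja/components/istio/kustomization.yaml) appends a peer at `/spec/ingress/0/from/-`. If that layering is intended, say so in the manifest, e.g. `# from: [] admits all sources; components append the allowed peers`; if not, seed the list with a peer that matches nothing. The same pattern appears in apps/whoogle/networkpolicy.yaml.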
@@ -0,0 +1,22 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +OUTPUT=$(pass ${K8S_PASS_PATH}) + +VIKUNJA_SERVICE_JWTSECRET="$(echo "$OUTPUT" | grep -e "^VIKUNJA_SERVICE_JWTSECRET=" | cut -d'=' -f2)" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=PAPERLESS_ADMIN_USER="${VIKUNJA_SERVICE_JWTSECRET}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/apps/vikunja/upsert-secrets.sh b/apps/vikunja/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/apps/vikunja/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/apps/whoogle/components/ha/kustomization.yaml b/apps/whoogle/components/ha/kustomization.yaml new file mode 100644 index 0000000..359745c --- /dev/null +++ b/apps/whoogle/components/ha/kustomization.yaml @@ -0,0 +1,25 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Deployment" + name: "whoogle" + patch: |- + - op: "replace" + path: "/spec/replicas" + value: 3 + - op: "/spec/topologySpreadConstraints" + value: + - maxSkew: 1 + topologyKey: "region" + whenUnsatisfiable: "DoNotSchedule" + labelSelector: + matchLabels: + app.kubernetes.io/name: "whoogle" + - maxSkew: 1 + topologyKey: "node" + whenUnsatisfiable: "DoNotSchedule" + labelSelector: + matchLabels: + app.kubernetes.io/name: "whoogle" diff --git a/apps/whoogle/components/istio-proxy/kustomization.yaml b/apps/whoogle/components/istio-proxy/kustomization.yaml new file mode 100644 index 0000000..a081624 
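Review bot: The secret is written under the key `PAPERLESS_ADMIN_USER` although the value is `VIKUNJA_SERVICE_JWTSECRET` — a leftover from another app's script — so the `secretRef: "vikunja"` in apps/vikunja/deployment.yaml never provides `VIKUNJA_SERVICE_JWTSECRET` to the container; change it to `--from-literal=VIKUNJA_SERVICE_JWTSECRET="${VIKUNJA_SERVICE_JWTSECRET}"`. As in the mariadb variant, `cut -d'=' -f2` truncates a secret containing `=`; use `-f2-`.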
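Review bot: The second operation of the whoogle ha JSON patch is malformed: `op: "/spec/topologySpreadConstraints"` puts the path in `op` and has no `path` key, so kustomize will reject the component, and even if it were ignored the spread constraints would never be applied; it should read `- op: "add"` / `path: "/spec/topologySpreadConstraints"` / `value: …`. apps/yaade/components/ha/kustomization.yaml carries the identical mistake. The `topologyKey` values `region` and `node` also differ from the `location` key used in apps/whoogle/deployment.yaml; confirm which node labels actually exist.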
--- /dev/null +++ b/apps/whoogle/components/istio-proxy/kustomization.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: "Namespace" + patch: |- + - op: "add" + path: "/metadata/labels/istio-injection" + value: "enabled" + - target: + kind: "NetworkPolicy" + patch: |- + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "kube-system" + podSelector: + matchLabels: + k8s-app: "kube-dns" + ports: + - port: 53 + protocol: "UDP" + - port: 53 + protocol: "TCP" + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: {} + ports: + - port: 15012 + protocol: "TCP" + - port: 15014 + protocol: "TCP" diff --git a/apps/whoogle/components/istio/istio-virtualservice.yaml b/apps/whoogle/components/istio/istio-virtualservice.yaml new file mode 100644 index 0000000..720d6bd --- /dev/null +++ b/apps/whoogle/components/istio/istio-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "networking.istio.io/v1alpha3" +kind: "VirtualService" +metadata: + name: "whoogle" +spec: + hosts: + - "whoogle" + gateways: + - "istio-system/gateway" + http: + - match: + - uri: + prefix: "/" + route: + - destination: + host: "whoogle" + port: + number: 80 diff --git a/apps/whoogle/components/istio/kustomization.yaml b/apps/whoogle/components/istio/kustomization.yaml new file mode 100644 index 0000000..9b41200 --- /dev/null +++ b/apps/whoogle/components/istio/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +resources: + - "istio-virtualservice.yaml" +patches: + - target: + kind: "NetworkPolicy" + name: "whoogle" + patch: |- + - op: "add" + path: "/spec/ingress/0/from/-" + value: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: + matchLabels: + istio: "ingressgateway" 
diff --git a/apps/whoogle/deployment.yaml b/apps/whoogle/deployment.yaml new file mode 100644 index 0000000..5eb5eec --- /dev/null +++ b/apps/whoogle/deployment.yaml @@ -0,0 +1,63 @@ +--- +apiVersion: "apps/v1" +kind: "Deployment" +metadata: + name: "whoogle" + labels: + app.kubernetes.io/name: "whoogle" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: "whoogle" + strategy: + type: "RollingUpdate" + template: + metadata: + labels: + app: "whoogle" + app.kubernetes.io/name: "whoogle" + app.kubernetes.io/component: "whoogle" + app.kubernetes.io/part-of: "whoogle" + spec: + securityContext: + runAsUser: 45346 + runAsGroup: 45346 + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + containers: + - name: "whoogle" + image: "ghcr.io/benbusby/whoogle-search:0.8.4" + imagePullPolicy: "IfNotPresent" + securityContext: + runAsUser: 45346 + runAsGroup: 45346 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + resources: + requests: + memory: "148Mi" + cpu: "10m" + limits: + memory: "256Mi" + ports: + - containerPort: 5000 + name: "whoogle" + volumeMounts: + - name: "tmp" + mountPath: "/whoogle/app/static/build/" + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: "location" + whenUnsatisfiable: "ScheduleAnyway" + volumes: + - name: "tmp" + emptyDir: + sizeLimit: "100Mi" diff --git a/apps/whoogle/kustomization.yaml b/apps/whoogle/kustomization.yaml new file mode 100644 index 0000000..0ddf3ab --- /dev/null +++ b/apps/whoogle/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "deployment.yaml" + - "service.yaml" + - "networkpolicy.yaml" diff --git a/apps/whoogle/networkpolicy.yaml b/apps/whoogle/networkpolicy.yaml new file mode 100644 index 0000000..34678eb --- /dev/null +++ b/apps/whoogle/networkpolicy.yaml 
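Review bot: The `topologySpreadConstraints` entry on the whoogle pod has no `labelSelector`, so as far as I can tell it counts no pods and the constraint is a no-op; add `labelSelector: { matchLabels: { app.kubernetes.io/name: "whoogle" } }` as the ha component's patch does. apps/yaade/deployment.yaml has the same omission. The container securityContext also omits `runAsNonRoot: true`; it is inherited from the pod-level context, but the vikunja and yaade containers state it explicitly, and repeating it keeps per-container linters such as kube-linter happy.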
@@ -0,0 +1,15 @@ +--- +apiVersion: "networking.k8s.io/v1" +kind: "NetworkPolicy" +metadata: + name: "whoogle" +spec: + podSelector: {} + policyTypes: + - "Ingress" + ingress: + - ports: + - protocol: "TCP" + port: "whoogle" + from: [] + egress: [] diff --git a/apps/whoogle/service.yaml b/apps/whoogle/service.yaml new file mode 100644 index 0000000..26b1058 --- /dev/null +++ b/apps/whoogle/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: "v1" +kind: "Service" +metadata: + name: "whoogle" +spec: + ports: + - port: 80 + targetPort: "whoogle" + selector: + app.kubernetes.io/name: "whoogle" diff --git a/apps/yaade/components/ha/kustomization.yaml b/apps/yaade/components/ha/kustomization.yaml new file mode 100644 index 0000000..70816a5 --- /dev/null +++ b/apps/yaade/components/ha/kustomization.yaml @@ -0,0 +1,25 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Deployment" + name: "yaade" + patch: |- + - op: "replace" + path: "/spec/replicas" + value: 3 + - op: "/spec/topologySpreadConstraints" + value: + - maxSkew: 1 + topologyKey: "region" + whenUnsatisfiable: "DoNotSchedule" + labelSelector: + matchLabels: + app.kubernetes.io/name: "yaade" + - maxSkew: 1 + topologyKey: "node" + whenUnsatisfiable: "DoNotSchedule" + labelSelector: + matchLabels: + app.kubernetes.io/name: "yaade" diff --git a/apps/yaade/components/istio-proxy/kustomization.yaml b/apps/yaade/components/istio-proxy/kustomization.yaml new file mode 100644 index 0000000..b8c0790 --- /dev/null +++ b/apps/yaade/components/istio-proxy/kustomization.yaml 
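Review bot: `policyTypes` lists only `Ingress`, so the `egress: []` entry has no effect and whoogle keeps unrestricted egress — plausibly intended, since it proxies upstream searches — whereas apps/vikunja/networkpolicy.yaml lists both types and denies egress. If unrestricted egress is deliberate, drop the misleading `egress: []` or annotate it, e.g. `# egress intentionally unrestricted: upstream search requests`; if not, add `Egress` to `policyTypes` with DNS and 443/TCP rules.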
@@ -0,0 +1,41 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Namespace" + patch: |- + - op: "add" + path: "/metadata/labels/istio-injection" + value: "enabled" + - target: + kind: "NetworkPolicy" + patch: |- + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "kube-system" + podSelector: + matchLabels: + k8s-app: "kube-dns" + ports: + - port: 53 + protocol: "UDP" + - port: 53 + protocol: "TCP" + - op: add + path: "/spec/egress/-" + value: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: "istio-system" + podSelector: {} + ports: + - port: 15012 + protocol: "TCP" + - port: 15014 + protocol: "TCP" diff --git a/apps/yaade/components/istio/kustomization.yaml b/apps/yaade/components/istio/kustomization.yaml new file mode 100644 index 0000000..5e37d63 --- /dev/null +++ b/apps/yaade/components/istio/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - istio-virtualservice.yaml diff --git a/apps/yaade/components/istio/virtualservice.yaml b/apps/yaade/components/istio/virtualservice.yaml new file mode 100644 index 0000000..4ca8225 --- /dev/null +++ b/apps/yaade/components/istio/virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: yaade +spec: + hosts: + - yaade.svc.dd.soeren.cloud + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: yaade.yaade.svc.cluster.local + port: + number: 80 diff --git a/apps/yaade/deployment.yaml b/apps/yaade/deployment.yaml new file mode 100644 index 0000000..7ee286c --- /dev/null +++ b/apps/yaade/deployment.yaml 
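Review bot: apps/yaade/components/istio/kustomization.yaml lists `istio-virtualservice.yaml`, but the file this commit adds is apps/yaade/components/istio/virtualservice.yaml, so `kustomize build` of any overlay that enables the component fails with a missing-file error. Rename the file to istio-virtualservice.yaml to match the vikunja and whoogle components, or fix the `resources` entry. The yaade VirtualService also uses an FQDN host and destination where its siblings use short names; aligning them keeps the components interchangeable.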
@@ -0,0 +1,74 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: yaade + labels: + app.kubernetes.io/name: yaade +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: yaade + strategy: + type: RollingUpdate + template: + metadata: + labels: + app: yaade + app.kubernetes.io/name: yaade + app.kubernetes.io/component: yaade + app.kubernetes.io/part-of: yaade + spec: + securityContext: + runAsUser: 45346 + runAsGroup: 45346 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: yaade + image: esperotech/yaade@sha256:63488cd72869c55eb64424670a12c6bcc5bfdc8788ee618b0f0f20dc2c36b2dc + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 45346 + runAsGroup: 45346 + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + env: + - name: YAADE_ADMIN_USERNAME + value: admin + - name: YAADE_PORT + value: "9339" + resources: + requests: + memory: 32Mi + cpu: 1m + limits: + memory: 256Mi + ports: + - containerPort: 9339 + name: yaade + volumeMounts: + - name: tmp + mountPath: /tmp + - name: storage + mountPath: /app/data + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: location + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: storage + emptyDir: + sizeLimit: 50Mi + - name: tmp + emptyDir: + sizeLimit: 10Mi diff --git a/apps/yaade/kustomization.yaml b/apps/yaade/kustomization.yaml new file mode 100644 index 0000000..356c305 --- /dev/null +++ b/apps/yaade/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - deployment.yaml + - service.yaml diff --git a/apps/yaade/service.yaml b/apps/yaade/service.yaml new file mode 100644 index 0000000..f17973d --- /dev/null +++ b/apps/yaade/service.yaml 
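Review bot: apps/yaade/kustomization.yaml includes only deployment.yaml and service.yaml — no NetworkPolicy — so yaade runs with unrestricted ingress and egress unlike vikunja and whoogle, and the yaade istio-proxy component (apps/yaade/components/istio-proxy/kustomization.yaml) patches `kind: "NetworkPolicy"`, which I expect kustomize to reject when that component is enabled and no such resource exists. Add a networkpolicy.yaml modelled on apps/whoogle/networkpolicy.yaml and list it here. The `YAADE_ADMIN_USERNAME: admin` value is fine in a ConfigMap-style env, but a comment noting where the matching admin password comes from (not visible in this hunk) would help the next reader.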
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: yaade
+spec:
+ ports:
+ - port: 80
+ targetPort: yaade
+ selector:
+ app.kubernetes.io/name: yaade
diff --git a/clusters/common/acmevault/acmevault-config.yaml b/clusters/common/acmevault/acmevault-config.yaml
new file mode 100644
index 0000000..6f594da
--- /dev/null
+++ b/clusters/common/acmevault/acmevault-config.yaml
@@ -0,0 +1,39 @@
+---
+acmeCustomDnsServers:
+ - 8.8.8.8
+ - 8.8.4.4
+acmeDnsProvider: route53
+domains:
+ - domain: nas.ez.soeren.cloud
+ sans: [nas.ha.soeren.cloud]
+ - domain: nas.dd.soeren.cloud
+ sans: [nas.ha.soeren.cloud]
+ - domain: nas.pt.soeren.cloud
+ sans: [nas.ha.soeren.cloud]
+ - domain: dbs.ez.soeren.cloud
+ sans: [dbs.ha.soeren.cloud]
+ - domain: dbs.dd.soeren.cloud
+ sans: [dbs.ha.soeren.cloud]
+ - domain: dbs.pt.soeren.cloud
+ sans: [dbs.ha.soeren.cloud]
+ - domain: sauron.ez.soeren.cloud
+ - domain: sauron.dd.soeren.cloud
+ - domain: sauron.pt.soeren.cloud
+ - domain: router.ez.soeren.cloud
+ sans: [nas-ha.ez.soeren.cloud]
+ - domain: router.dd.soeren.cloud
+ sans: [nas-ha.dd.soeren.cloud]
+ - domain: router.pt.soeren.cloud
+ sans: [nas-ha.pt.soeren.cloud]
+ - domain: vserver.ez.soeren.cloud
+ - domain: vserver.dd.soeren.cloud
+ - domain: vserver.pt.soeren.cloud
+email: acmevault@soerensoerensen.de
+metricsAddr: 0.0.0.0:9191
+intervalSeconds: 3660
+vault:
+ addr: https://vault.ha.soeren.cloud:443
+ authMethod: kubernetes
+ pathPrefix: prod
+ k8sRoleId: acmevault
+ k8sMountPath: svc.dd.soeren.cloud
diff --git a/clusters/common/acmevault/kustomization.yaml b/clusters/common/acmevault/kustomization.yaml
new file mode 100644
index 0000000..b5fcd37
--- /dev/null
+++ b/clusters/common/acmevault/kustomization.yaml
@@ -0,0 +1,17 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../apps/acmevault +configMapGenerator: + - name: config + files: + - acmevault-config.yaml +patches: + - target: + kind: Deployment + name: acmevault + patch: |- + - op: replace + path: /spec/replicas + value: 1 diff --git a/clusters/common/aether/.taskrc b/clusters/common/aether/.taskrc new file mode 100644 index 0000000..ab74b46 --- /dev/null +++ b/clusters/common/aether/.taskrc @@ -0,0 +1,35 @@ +include /home/tasksyncer/.taskd_credentials + +data.location=/task-data + +taskd.ca=/certs/ca.crt +taskd.certificate=/certs/tls.crt +taskd.key=/certs/tls.key +taskd.server=taskd.svc.dd.soeren.cloud:53589 +taskd.ciphers=SECURE256:-VERS-ALL:+VERS-TLS1.3 + +context.work=+rd or +work +context.private=-rd -work + +search.case.sensitive=no + +report.in.columns = id,description +report.in.description = Inbox +report.in.filter = status:pending limit:page (+in) +report.in.labels = ID,Description + +urgency.user.tag.inbox.coefficient=10 +urgency.user.tag.in.coefficient=10 +urgency.user.tag.someday.coefficient=-15 +urgency.user.tag.next.coefficient=3 +urgency.blocking.coefficient=2 +urgency.uda.priority.L.coefficient=-10 + +uda.reviewed.type=date +uda.reviewed.label=Reviewed + +report._reviewed.description=Tasksh review report. Adjust the filter to your needs. +report._reviewed.columns=uuid +report._reviewed.sort=reviewed+,modified+ +report._reviewed.filter=( reviewed.none: or reviewed.before:now-6days ) and ( +PENDING or +WAITING ) +news.version=2.6.0 \ No newline at end of file diff --git a/clusters/common/aether/aether-config.yaml b/clusters/common/aether/aether-config.yaml new file mode 100644 index 0000000..d40fe5d --- /dev/null +++ b/clusters/common/aether/aether-config.yaml 
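Review bot: `.taskrc` includes credentials from `/home/tasksyncer/.taskd_credentials`, while clusters/common/aether/aether-config.yaml points the taskwarrior datasource at `/home/aether/.taskrc`, so the two home directories disagree; whether the aether container provides `/home/tasksyncer` (the taskwarrior component is outside this view) should be confirmed, otherwise the include fails and taskd authentication has no credentials. A one-line comment above the `include` naming the volume that supplies the file would settle it. The file also lacks a trailing newline, as the diff marks.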
@@ -0,0 +1,33 @@
+---
+datasources:
+ - endpoint: https://radicale.svc.dd.soeren.cloud
+ password_file: "/etc/aether-secrets/caldav_password"
+ type: caldav
+ username: soeren
+ - endpoint: https://radicale.svc.dd.soeren.cloud
+ password_file: "/etc/aether-secrets/carddav_password"
+ type: carddav
+ username: soeren
+ - type: taskwarrior
+ taskrc_file: "/home/aether/.taskrc"
+ - apikey_file: "/etc/aether-secrets/weather_apikey"
+ latitude: '51.2277'
+ longitude: '6.7735'
+ type: weather
+ - cached: true
+ symbols:
+ - VGWL.DE
+ - 22UA.F
+ type: stocks
+ - apikey_file: "/etc/aether-secrets/weather_apikey"
+ latitude: '41.1579'
+ longitude: '-8.6291'
+ type: weather
+email:
+ at: 06:00
+ from_file: "/etc/aether-secrets/email_from"
+ host: smtp.strato.de:587
+ is_utc: true
+ password_file: "/etc/aether-secrets/email_password"
+ recipient_file: "/etc/aether-secrets/email_to"
+ username_file: "/etc/aether-secrets/email_username"
diff --git a/clusters/common/aether/kustomization.yaml b/clusters/common/aether/kustomization.yaml
new file mode 100644
index 0000000..9c3aa62
--- /dev/null
+++ b/clusters/common/aether/kustomization.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../apps/aether
+configMapGenerator:
+ - name: aether-config
+ files:
+ - aether-config.yaml
+ - name: taskrc
+ files:
+ - .taskrc
+patches:
+ - target:
+ kind: Deployment
+ name: aether
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/volumeMounts/-
+ value:
+ name: secrets
+ readOnly: true
+ mountPath: "/etc/aether-secrets"
+ - op: add
+ path: /spec/template/spec/volumes/-
+ value:
+ name: secrets
+ secret:
+ secretName: aether
+components:
+ - ../../../apps/aether/components/istio
+ - ../../../apps/aether/components/taskwarrior
diff --git a/clusters/common/aether/upsert-secret-aether-taskwarrior.sh b/clusters/common/aether/upsert-secret-aether-taskwarrior.sh
new file mode 120000
index 0000000..bbce13b
--- /dev/null
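Review bot: `host: smtp.strato.de:587` selects the submission port, but nothing in this file states whether TLS (STARTTLS) is required, so if the client silently falls back to plaintext on a failed upgrade the SMTP credentials read from `/etc/aether-secrets/email_password` would cross the network unencrypted. If aether exposes a setting to require TLS, set it explicitly here rather than relying on a default; I cannot see the config schema from this hunk. A comment such as `# 587 = submission; the client must enforce STARTTLS, verify this is not optional` documents the expectation for the next reader. The secret file paths all assume the `aether` Secret mount added by the kustomization in this same commit.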
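Review bot: The `secrets` volume mount is `readOnly: true`, but the Secret volume itself sets no `defaultMode`, so every file under /etc/aether-secrets is created world-readable (0644 default) inside the pod; adding `defaultMode: 0400` under `secret:` (or 0440 with a matching fsGroup) limits access to the owning uid. Setting it here in the overlay, next to `secretName: aether`, keeps the hardening with the mount it protects. The Deployment being patched is defined outside this hunk in apps/aether.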
+++ b/clusters/common/aether/upsert-secret-aether-taskwarrior.sh @@ -0,0 +1 @@ +../../../apps/aether/components/taskwarrior/upsert-secret-aether-taskwarrior.sh \ No newline at end of file diff --git a/clusters/common/aether/upsert-secret-aether.sh b/clusters/common/aether/upsert-secret-aether.sh new file mode 120000 index 0000000..cc5b78f --- /dev/null +++ b/clusters/common/aether/upsert-secret-aether.sh @@ -0,0 +1 @@ +../../../apps/aether/upsert-secret-aether.sh \ No newline at end of file diff --git a/clusters/common/dyndns/server/kustomization.yaml b/clusters/common/dyndns/server/kustomization.yaml new file mode 100644 index 0000000..9b3b5d9 --- /dev/null +++ b/clusters/common/dyndns/server/kustomization.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../../apps/dyndns/server +configMapGenerator: + - name: dyndns-server-config + behavior: merge + literals: + - "DYNDNS_HOSTED_ZONE_ID=Z08408432FPT8110RNMJ1" + - "DYNDNS_SQS_QUEUE=https://sqs.us-east-1.amazonaws.com/457894857334/dyndns-prod" + - 'DYNDNS_KNOWN_HOSTS={"dd.dc.soeren.cloud":["hU0+O/QDU4tViikho4wLeD+FsrZawh5nDBcKDSQp0uc=","omNT1ZBsWCmN8U0b6Hhws79VDbWHYpitjtD8tV5H/h8="],"ez.dc.soeren.cloud":["TApMohc2KZN+kEhv5XWA88qW5DyHxf3jInv78wx4RLE=","tlJlqk3F6rGZG6j1EN8mraBGjRsMDNlIB8/6cH7WqGo="],"pt.dc.soeren.cloud":["KwpqFiE0KmWCJdHV0MIefX9RiZW4fk3VPL/DdwLtilM=","RHUYdhUZjE1eDoq8viiKlbCZc40lpiNljWE9QLBxlgw="]}' diff --git a/clusters/common/mariadb-cluster/configmap-ca.yaml b/clusters/common/mariadb-cluster/configmap-ca.yaml new file mode 100644 index 0000000..5a6362c --- /dev/null +++ b/clusters/common/mariadb-cluster/configmap-ca.yaml 
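Review bot: `DYNDNS_KNOWN_HOSTS` packs base64 values that look like public verification keys into one long quoted literal, but nothing says what they are, and a single line is hard to review or rotate; consider moving it into a file referenced via `files:` with a header comment stating the key type and how a key is added or revoked (the key algorithm is not visible here, so document whatever the server actually expects). `behavior: merge` also requires the base in apps/dyndns/server to already generate a ConfigMap named `dyndns-server-config`; kustomize fails the build otherwise, which is worth a one-line comment above `behavior:`.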
@@ -0,0 +1,76 @@ +--- +apiVersion: v1 +data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIGAzCCA+ugAwIBAgIUX9iV01SIxHtrqREaEkmJL3T7UgowDQYJKoZIhvcNAQEL + BQAwKDENMAsGA1UEChMEc29yZzEXMBUGA1UEAxMOc3JuLmltIHJvb3QgY2EwHhcN + MjMxMjEwMTU0MDA5WhcNMjUxMjA5MTU0MDM5WjBWMRUwEwYDVQQKEwxzcm4uaW1w + ZXJpdW0xDTALBgNVBAsTBHNvcmcxLjAsBgNVBAMTJXNvZXJlbi5jbG91ZCBJbnRl + cm1lZGlhdGUgQ2VydGlmaWNhdGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK + AoICAQDWBL7D1iz1b+0Gy89J8y/SuHZ7JdZSDwHh0v8pK7qxaJ2qRT4z5HBk02Eb + gcWnmNVWx9AZZwD6uXSE+y1RDT46XQrP/B1iKaTAcozxeutqa0X7rxXi5TRgBJ+/ + YORR/wTK7Qbq6gFUYIMNOG/h3LMinvBmcxjaE+tqbvGhZBVfSloIqN3l7ZJT2vIi + lK/nYQ8ZwKMCesHbwxE31AqSpM+JSjIAFfABBPauFAqNz2LFLeYELBkakdfbKjSL + pbrdzy3/VXOZ7qGXhyiNTCGN269MZMARnstrQSYwC5vHOGXKxQOKPTULgIEeII2/ + 4wLxK+DqP38DxhcAyjjjTB1aoSYgc3vcMUYVEM3C25gL4D5IFX6Utc+i1CcSuiCN + 9wsK4ayM+C0mOk7EP0j9en5+jp2TD3MobRXEWJ/Mm/ElGImydNibZoKGmWJ0V+Du + K/3wHXZZHjywaPsEPfm1ZBz51GGhQDcJNsGT0joEae/8iplFIkISVjsJIQPV3zpn + EV7c8659bStAKe4v4XGZViCmNmyqZF/cjmBb1OpsIbngKuLn4GJIyhnbr6/EFdys + VYBejTeVpJwk45e4Rb6YViFrZ1rZvC1mvMrOKb++XjtkvON2TiyFmmcyM/N8/ZEg + QolY6YSXKL/lTmaa3klNoDC8vyhFheD0AkSE0+fzef/7lJsk1wIDAQABo4H2MIHz + MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR4m3/u + F7fC8W59iJ3/oAUUR4+GdDAfBgNVHSMEGDAWgBTP61UQZUx3Ebv5fRvAlqF0v70r + XTBMBggrBgEFBQcBAQRAMD4wPAYIKwYBBQUHMAKGMGh0dHBzOi8vdmF1bHQuaGEu + c29lcmVuLmNsb3VkL3YxL3BraV9yb290X3Nybi9jYTBCBgNVHR8EOzA5MDegNaAz + hjFodHRwczovL3ZhdWx0LmhhLnNvZXJlbi5jbG91ZC92MS9wa2lfcm9vdF9zcm4v + Y3JsMA0GCSqGSIb3DQEBCwUAA4ICAQAGVBDAVm6u0Db3mR7grJ75pcXHkeQHc1Xy + Mf9y8ZEEuUQaUxk/67t4zAybFJJ0MIqNIvLj8vo0XHZtvtefSuGxWdYM59ThHKnz + 4BXGIMwGxxYBPAbOJ8h0uXHdu76QVrfGdzN0ic0JKzLjFucUZVMpRWvaGLRsgrGC + 7bd2p66VBUrL9/S3rsU61PwKagYu1ko7CqRjAzQGeYLBkWbuH4DeZMiJUUyug7PA + cneiznbVLynQJ8W9q9Ms0+zbenlnw7VbOjv1IBiUVuce4fmubSPSGXo38F9KDfPL + EdEnDN0NnChtNE/a/BghzLeyCsRA0h+Q+wyRCv32Jb5FoTsDua/aWhn4dqCLViUx + 6JJ5VMAj3pBppuhf/PuJX/JucAD1QzZsEPIH0qoGX19zfiAEQcTwNfyoo7GXOyUR + 
l5kPeRdA30aBhVA09hyPBdHnWEskenRBr9O7ME17DLT55iOGs1vd0DBRIfcViQTu + tvOaEYl/8Wv7DcZdG2iT6PFGygsr3nXVISKZL/wBixWquTRJrejcNNbje3ZZtLdY + zaA/ZrCBShsNK1gBOp54PgcCPvQwLfn0kK4cZHQ3cKuflFiy50H6qAOwsQr191nE + H93/wTNMIyHg8DQjYa3NGBARaSv6s32TS4S7xIPHhCJLdwjIYi/e5oiYB16WLpoy + plaUXnCo4Q== + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIF1TCCA72gAwIBAgIUPmywCIVMRsWase49HzsCEIbN+kswDQYJKoZIhvcNAQEL + BQAwKDENMAsGA1UEChMEc29yZzEXMBUGA1UEAxMOc3JuLmltIHJvb3QgY2EwHhcN + MjMxMjEwMTUzOTU3WhcNMjYxMjA5MTU0MDE5WjAoMQ0wCwYDVQQKEwRzb3JnMRcw + FQYDVQQDEw5zcm4uaW0gcm9vdCBjYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC + AgoCggIBANcEbwKuPBVKL7xw17S0mWpPOe+iGZGDpz9WeigghxL3/8F4dq2Q+Qpa + vtdK/BoTtZPLqGnL6VNkCI+hqH9OYVR3RIYjQNLj/dajiCrcharXTfAUiBVMPfTA + so9UsZsrg3ssuMIasoIVRaU25HMbQA6eTA4MdJ+RQzIPDx1ZNuohDLQL5J3o+oDX + uzwEV/NU5nAUkOlWLj13+cCtRYDfaRad+LzEiOLVRzRUWNtoGQ6dZT7HoznezN1D + P6lAsR57VqDqUEGgwZkmps4GRr4tQHKgyrnTbhbN6SkMo4FfWF/t1yYCVINFZme0 + 9xKuRJzkCjMmZArKsNtTk4TmYEey2xb9Ii3cRz5uodRxdQfIxncv67b4eKgysiYV + 0fVZ9N+MaSSyx9LT9qbA38Lx+jM5gvnP+qGbH/Wbf1LWRKgdRqPwwNZ+ep0eTRwR + /PhynI26qdykvSXM6a15ecF5zhpwfBEnbe318/Mx6khq2z9C0gonmVLBMIq9Xt8f + BUUQ+28q81dMpDgmwLgOJ2n+/gqGLDzbyqm3QyJdjO8rMW0id4sYsWsL9bmRgBSJ + O5UliP3XG4Bj0HW76MAeexIlwEjZfY5vZZ/MRlPt8hrAf8rudBKejysrawoj96kS + 03HLKMimWu4Subajey0STUEOyIFvBGWbBWzG6zLA2Z31ZEApaCwXAgMBAAGjgfYw + gfMwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM/r + VRBlTHcRu/l9G8CWoXS/vStdMB8GA1UdIwQYMBaAFM/rVRBlTHcRu/l9G8CWoXS/ + vStdMEwGCCsGAQUFBwEBBEAwPjA8BggrBgEFBQcwAoYwaHR0cHM6Ly92YXVsdC5o + YS5zb2VyZW4uY2xvdWQvdjEvcGtpX3Jvb3Rfc3JuL2NhMEIGA1UdHwQ7MDkwN6A1 + oDOGMWh0dHBzOi8vdmF1bHQuaGEuc29lcmVuLmNsb3VkL3YxL3BraV9yb290X3Ny + bi9jcmwwDQYJKoZIhvcNAQELBQADggIBAIO44MZdkYp7zd1iRJ/paHnxdk2WZTrK + IctigOCzyEE6C9vvmY07VD2z9V7OzpWzvjYM4pe9CH9KqQuGHMpbK+VhDFckOKWG + iHE8y6U9i2gZ662TsyNbSOGpFxM/4R3z1Ss2A6Hv+gt+sUKA4iLLBBaKY0HiO4eL + jxcyYP/TNXBtTAolUrTIFfIDhnqJg4P3ymXlgJoAXN/00q47rSV8S7jEXHIGQvXr + 
liAsaXM20rWNJnUprCqr3000dJAmJKLoeqObmBsebeo82UNam2BNGFMCmxCC3pch + n0GAHX2yG+aqLOb8ZPCfEWqxFpy895C3H2qDx/Cpe5xRQzrxstuWhxWaSaGt0ppv + TC8oEkanv6VuygYoU+9r32NFPzq+oBBzDw27e9rpO683d4NJ0p+RZ/u5z2UpxWeo + CgSKFFrbgDTDtu7Uzopa3EKRMR1MDch02P4jqUnHtYfnUfMKCtwe4sYLiYY0EdVx + mxIzijk+qgjiJAK9kE5697sfq23jJjDKoFiTVkN9j2L7bZd6Mmbo3HA8+bDotHnG + 4zbS0VKM6ttBQE9wzKERlRRyLrzhzT85n6Nz1d8kePlkfbi3sNnjsz4MWp1A0FIG + kDYRT4O1I8WagNbY84mZlngCWnDdOm8vaYNmUhtBshS1CZaUAXrt0figsoxMijXB + OgPYYsxXD/Y+ + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: mariadb-ca diff --git a/clusters/common/mariadb-cluster/kustomization.yaml b/clusters/common/mariadb-cluster/kustomization.yaml new file mode 100644 index 0000000..97e66b1 --- /dev/null +++ b/clusters/common/mariadb-cluster/kustomization.yaml 
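Review bot: The CA bundle is committed as a static ConfigMap with no record of when it expires; decoding the validity fields of the two certificates suggests the intermediate ends in December 2025 and the root in December 2026, so nothing in this repo will warn before MariaDB TLS verification starts failing. Since clusters/common/mariadb-cluster/upsert-ca.sh regenerates this file, add a header comment such as `# generated by upsert-ca.sh from Vault pki/im_srn — re-run before the intermediate expires (check: openssl x509 -noout -enddate)`. clusters/common/taskd/configmap-ca.yaml has the same gap.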
@@ -0,0 +1,75 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+resources:
+ - "../../../apps/mariadb-galera"
+ - "configmap-ca.yaml"
+ - "../../../apps/mysqld-exporter"
+components:
+ - "../../../apps/mariadb-galera/components/istio"
+ - "../../../apps/mariadb-galera/components/restic-mariadb"
+ - "../../../apps/mariadb-galera/components/pvc"
+ - "../../../apps/mariadb-galera/components/tls"
+ - "../../../apps/mariadb-galera/components/tls-wsrep"
+configMapGenerator:
+ - name: "mariadb-galera-restic-mariadb"
+ literals:
+ - "RETENTION_DAYS=7"
+ - "RETENTION_WEEKS=4"
+ - "RETENTION_MONTHS=6"
+ - "RESTIC_BACKUP_ID=mariadb-cluster"
+ - "MARIADB_HOST=mariadb"
+patches:
+ - target:
+ kind: "StatefulSet"
+ name: "mariadb"
+ patch: |-
+ - op: "add"
+ path: "/spec/template/spec/volumes/-"
+ value:
+ name: "pki-ca"
+ configMap:
+ name: "mariadb-ca"
+ - op: "add"
+ path: "/spec/template/spec/containers/0/volumeMounts/-"
+ value:
+ name: "pki-ca"
+ mountPath: "/tls/tls-ca.crt"
+ subPath: "ca.crt"
+ - op: "add"
+ path: "/spec/template/spec/containers/0/volumeMounts/-"
+ value:
+ name: "pki-ca"
+ mountPath: "/tls/wsrep-ca.crt"
+ subPath: "ca.crt"
+ - target:
+ kind: "CronJob"
+ name: "restic-mariadb-backup"
+ patch: |-
+ - op: "replace"
+ path: "/spec/schedule"
+ value: "5 6 * * *"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "mariadb-cluster-prod"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "mariadb-galera-restic-mariadb"
+ - secretRef:
+ name: "mariadb-galera-restic-mariadb"
+ - target:
+ kind: "CronJob"
+ name: "restic-mariadb-prune"
+ patch: |-
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/metadata/labels/restic~1name"
+ value: "linkding"
+ - op: "replace"
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/envFrom"
+ value:
+ - configMapRef:
+ name: "mariadb-galera-restic-mariadb"
+ - secretRef:
+ name: "mariadb-galera-restic-mariadb"
diff --git a/clusters/common/mariadb-cluster/upsert-ca.sh b/clusters/common/mariadb-cluster/upsert-ca.sh
new file mode 100644
index 0000000..2184e8e
--- /dev/null
+++ b/clusters/common/mariadb-cluster/upsert-ca.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+CONFIGMAP_NAME="mariadb-ca"
+CONFIGMAP_KEY="ca.crt"
+CONFIGMAP_FILE="configmap-ca.yaml"
+DEFAULT_PKI_URL="pki/im_srn"
+
+curl -s "${VAULT_ADDR}/v1/${DEFAULT_PKI_URL}/ca_chain" | \
+ kubectl create configmap "${CONFIGMAP_NAME}" --from-file="${CONFIGMAP_KEY}"=/dev/stdin --dry-run=client -o yaml > "${CONFIGMAP_FILE}"
diff --git a/clusters/common/mariadb-cluster/upsert-secret-mariadb.sh b/clusters/common/mariadb-cluster/upsert-secret-mariadb.sh
new file mode 120000
index 0000000..fb0fecd
--- /dev/null
+++ b/clusters/common/mariadb-cluster/upsert-secret-mariadb.sh
@@ -0,0 +1 @@
+../../../apps/mariadb-galera/upsert-secret-mariadb.sh
\ No newline at end of file
diff --git a/clusters/common/mariadb-cluster/upsert-secret-mysqld-exporter.sh b/clusters/common/mariadb-cluster/upsert-secret-mysqld-exporter.sh
new file mode 120000
index 0000000..ca685de
--- /dev/null
+++ b/clusters/common/mariadb-cluster/upsert-secret-mysqld-exporter.sh
@@ -0,0 +1 @@
+../../../apps/mysqld-exporter/upsert-secret-mysqld-exporter.sh
\ No newline at end of file
diff --git a/clusters/common/mariadb-cluster/upsert-secret-restic-mariadb.sh b/clusters/common/mariadb-cluster/upsert-secret-restic-mariadb.sh
new file mode 120000
index 0000000..020af81
--- /dev/null
+++ b/clusters/common/mariadb-cluster/upsert-secret-restic-mariadb.sh
@@ -0,0 +1 @@
+../../../apps/mariadb-galera/components/restic-mariadb/upsert-secret-restic-mariadb.sh
\ No newline at end of file
diff --git a/clusters/common/media/kustomization.yaml b/clusters/common/media/kustomization.yaml
new file mode 100644
index 0000000..865d898
--- /dev/null
+++ b/clusters/common/media/kustomization.yaml
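Review bot: The `restic-mariadb-prune` patch sets the `restic/name` label to `"linkding"` while the paired backup CronJob uses `"mariadb-cluster-prod"`; this reads like a copy-paste leftover from another app and will attribute prune runs, metrics and any alerting keyed on that label to the wrong backup set. Change it to `value: "mariadb-cluster-prod"` so both jobs report under one name. The `envFrom` replacement is consistent between the two jobs, so this label is the only divergence.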
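Review bot: `curl -s` without `--fail` and no `set -euo pipefail` means a Vault error response, an unset `VAULT_ADDR`, or an empty body is still piped into `kubectl create configmap` and written to configmap-ca.yaml as the trust anchor; the failure is silent and only shows up later when MariaDB TLS verification breaks. The script should stop on HTTP errors and check that the body parses as a certificate before it overwrites the file, as sketched below (the `openssl x509` step validates at least the first certificate of the chain). clusters/common/taskd/upsert-ca.sh has the same shape and needs the same change. This file is also committed as 100644 while clusters/common/taskd/upsert-secrets.sh is 100755; either make it executable or note that it is meant to be run via `bash`.
```shell
#!/usr/bin/env bash
set -euo pipefail

# … unchanged: CONFIGMAP_NAME / CONFIGMAP_KEY / CONFIGMAP_FILE / DEFAULT_PKI_URL …

: "${VAULT_ADDR:?VAULT_ADDR must be set}"

chain="$(curl -fsS "${VAULT_ADDR}/v1/${DEFAULT_PKI_URL}/ca_chain")"
# refuse to write a trust anchor that is not a parseable certificate
printf '%s\n' "${chain}" | openssl x509 -noout >/dev/null

printf '%s\n' "${chain}" | \
  kubectl create configmap "${CONFIGMAP_NAME}" --from-file="${CONFIGMAP_KEY}"=/dev/stdin --dry-run=client -o yaml > "${CONFIGMAP_FILE}"
```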
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - lidarr
+ - prowlarr
+ - radarr
+ - sonarr
+ - ../../../apps/media/components/postgres/postgres-deployment.yaml
+ - ../../svc.dd.soeren.cloud/media/postgres-pv.yaml
+ - ../../../apps/media/components/postgres/postgres-pvc.yaml
+ - ../../../apps/media/components/postgres/postgres-service.yaml
+ - ../../../apps/media/components/reverse-proxy-istio/media-virtualservice.yaml
diff --git a/clusters/common/media/lidarr/kustomization.yaml b/clusters/common/media/lidarr/kustomization.yaml
new file mode 100644
index 0000000..73987ba
--- /dev/null
+++ b/clusters/common/media/lidarr/kustomization.yaml
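Review bot: This overlay sits under clusters/common but pulls `../../svc.dd.soeren.cloud/media/postgres-pv.yaml`, a PersistentVolume from one specific cluster's directory, so the "common" media stack is in fact bound to that cluster's storage and would fail to build — or bind the database to the wrong volume — if reused elsewhere. Either move the PV reference into a per-cluster overlay or make the coupling explicit with `# PV is cluster-specific: this overlay is only valid on svc.dd.soeren.cloud` next to that line.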
@@ -0,0 +1,67 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../apps/media/lidarr
+ - networkpolicy.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: lidarr
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: LIDARR__URL_BASE
+ value: /lidarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: LIDARR__POSTGRES_HOST
+ value: postgres
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: LIDARR__POSTGRES_MAIN_DB
+ value: lidarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: LIDARR__POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_USER
+ name: postgres-lidarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: LIDARR__POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: postgres-lidarr
+ - op: replace
+ path: /spec/template/spec/initContainers
+ value:
+ - name: init
+ image: ghcr.io/onedr0p/postgres-init:16
+ env:
+ - name: INIT_POSTGRES_HOST
+ value: postgres
+ - name: INIT_POSTGRES_DBNAME
+ value: lidarr
+ - name: INIT_POSTGRES_SUPER_PASS
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: postgres
+ - name: INIT_POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_USER
+ name: postgres-lidarr
+ - name: INIT_POSTGRES_PASS
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: postgres-lidarr
diff --git a/clusters/common/media/lidarr/networkpolicy.yaml b/clusters/common/media/lidarr/networkpolicy.yaml
new file mode 100644
index 0000000..2c79bf0
--- /dev/null
+++ b/clusters/common/media/lidarr/networkpolicy.yaml
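Review bot: The init container receives the Postgres superuser password (`INIT_POSTGRES_SUPER_PASS` from Secret `postgres`) but pulls `ghcr.io/onedr0p/postgres-init:16` by a mutable tag, so whatever that tag resolves to at pull time is handed database-admin credentials; pin it by digest, e.g. `image: ghcr.io/onedr0p/postgres-init:16@sha256:<digest-from-registry>` (placeholder), and let Renovate bump the digest. Also, this file and the prowlarr and radarr overlays use `op: replace` on `/spec/template/spec/initContainers` while sonarr's uses `op: add`; `replace` fails the kustomize build if the base Deployment has no `initContainers` field, so the four should agree on one form that matches the base in apps/media (outside this hunk). The same points apply to clusters/common/media/prowlarr, radarr and sonarr kustomization.yaml.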
@@ -0,0 +1,38 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: lidarr
+spec:
+ podSelector:
+ matchLabels:
+ app: lidarr
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: lidarr
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: media
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: istio-system
+ podSelector:
+ matchLabels:
+ istio: ingressgateway
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 192.168.200.5/32
+ ports:
+ - protocol: TCP
+ port: 9091
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 192.168.0.0/16
diff --git a/clusters/common/media/prowlarr/kustomization.yaml b/clusters/common/media/prowlarr/kustomization.yaml
new file mode 100644
index 0000000..1cdf6a6
--- /dev/null
+++ b/clusters/common/media/prowlarr/kustomization.yaml
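Review bot: The egress rule `0.0.0.0/0 except 192.168.0.0/16` makes in-cluster reachability depend on where the pod and service CIDRs happen to fall: if they are outside 192.168.0.0/16 the pod can reach every pod and service in the cluster (which is presumably how it currently reaches postgres and DNS), and if they are inside it, DNS and the postgres connection this overlay configures are silently blocked. Make the intent explicit with a dedicated DNS rule (UDP/TCP 53 to the cluster DNS pods) and a `podSelector` rule for the postgres pod in this namespace, and leave the wide rule for internet egress only. The same pattern is in clusters/common/media/prowlarr, radarr and sonarr networkpolicy.yaml.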
@@ -0,0 +1,67 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../apps/media/prowlarr
+ - networkpolicy.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: prowlarr
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: PROWLARR__URL_BASE
+ value: /prowlarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: PROWLARR__POSTGRES_HOST
+ value: postgres
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: PROWLARR__POSTGRES_MAIN_DB
+ value: prowlarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: PROWLARR__POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_USER
+ name: postgres-prowlarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: PROWLARR__POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: postgres-prowlarr
+ - op: replace
+ path: /spec/template/spec/initContainers
+ value:
+ - name: init
+ image: ghcr.io/onedr0p/postgres-init:16
+ env:
+ - name: INIT_POSTGRES_HOST
+ value: postgres
+ - name: INIT_POSTGRES_DBNAME
+ value: prowlarr
+ - name: INIT_POSTGRES_SUPER_PASS
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: postgres
+ - name: INIT_POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_USER
+ name: postgres-prowlarr
+ - name: INIT_POSTGRES_PASS
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: postgres-prowlarr
diff --git a/clusters/common/media/prowlarr/networkpolicy.yaml b/clusters/common/media/prowlarr/networkpolicy.yaml
new file mode 100644
index 0000000..56d004a
--- /dev/null
+++ b/clusters/common/media/prowlarr/networkpolicy.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: prowlarr
+spec:
+ podSelector:
+ matchLabels:
+ app: prowlarr
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: prowlarr
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: media
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: istio-system
+ podSelector:
+ matchLabels:
+ istio: ingressgateway
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 192.168.200.5/32
+ ports:
+ - protocol: TCP
+ port: 9091
+ - protocol: TCP
+ port: 443
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 192.168.0.0/16
diff --git a/clusters/common/media/radarr/kustomization.yaml b/clusters/common/media/radarr/kustomization.yaml
new file mode 100644
index 0000000..e6268a6
--- /dev/null
+++ b/clusters/common/media/radarr/kustomization.yaml
@@ -0,0 +1,67 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../apps/media/radarr
+ - networkpolicy.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: radarr
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: RADARR__URL_BASE
+ value: /radarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: RADARR__POSTGRES_HOST
+ value: postgres
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: RADARR__POSTGRES_MAIN_DB
+ value: radarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: RADARR__POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_USER
+ name: postgres-radarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: RADARR__POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: postgres-radarr
+ - op: replace
+ path: /spec/template/spec/initContainers
+ value:
+ - name: init
+ image: ghcr.io/onedr0p/postgres-init:16
+ env:
+ - name: INIT_POSTGRES_HOST
+ value: postgres
+ - name: INIT_POSTGRES_DBNAME
+ value: radarr
+ - name: INIT_POSTGRES_SUPER_PASS
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: postgres
+ - name: INIT_POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_USER
+ name: postgres-radarr
+ - name: INIT_POSTGRES_PASS
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: postgres-radarr
diff --git a/clusters/common/media/radarr/networkpolicy.yaml b/clusters/common/media/radarr/networkpolicy.yaml
new file mode 100644
index 0000000..a74d1f8
--- /dev/null
+++ b/clusters/common/media/radarr/networkpolicy.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: radarr
+spec:
+ podSelector:
+ matchLabels:
+ app: radarr
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: radarr
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: media
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: istio-system
+ podSelector:
+ matchLabels:
+ istio: ingressgateway
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 192.168.200.5/32
+ ports:
+ - protocol: TCP
+ port: 9091
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 192.168.0.0/16
diff --git a/clusters/common/media/sonarr/kustomization.yaml b/clusters/common/media/sonarr/kustomization.yaml
new file mode 100644
index 0000000..43bc864
--- /dev/null
+++ b/clusters/common/media/sonarr/kustomization.yaml
@@ -0,0 +1,67 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../apps/media/sonarr
+ - networkpolicy.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: sonarr
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: SONARR__URL_BASE
+ value: /sonarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: SONARR__POSTGRES_HOST
+ value: postgres
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: SONARR__POSTGRES_MAIN_DB
+ value: sonarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: SONARR__POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_USER
+ name: postgres-sonarr
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: SONARR__POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: postgres-sonarr
+ - op: add
+ path: /spec/template/spec/initContainers
+ value:
+ - name: init
+ image: ghcr.io/onedr0p/postgres-init:16
+ env:
+ - name: INIT_POSTGRES_HOST
+ value: postgres
+ - name: INIT_POSTGRES_DBNAME
+ value: sonarr
+ - name: INIT_POSTGRES_SUPER_PASS
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: postgres
+ - name: INIT_POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_USER
+ name: postgres-sonarr
+ - name: INIT_POSTGRES_PASS
+ valueFrom:
+ secretKeyRef:
+ key: POSTGRES_PASSWORD
+ name: postgres-sonarr
diff --git a/clusters/common/media/sonarr/networkpolicy.yaml b/clusters/common/media/sonarr/networkpolicy.yaml
new file mode 100644
index 0000000..e0c9744
--- /dev/null
+++ b/clusters/common/media/sonarr/networkpolicy.yaml
@@ -0,0 +1,48 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: sonarr
+spec:
+ podSelector:
+ matchLabels:
+ app: sonarr
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: sonarr
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: media
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: istio-system
+ podSelector:
+ matchLabels:
+ istio: ingressgateway
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 192.168.200.5/32
+ ports:
+ - protocol: TCP
+ port: 9091
+ - to:
+ - ipBlock:
+ cidr: 192.168.0.0/16
+ ports:
+ - protocol: TCP
+ port: 139
+ - protocol: TCP
+ port: 445
+ - protocol: UDP
+ port: 445
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 192.168.0.0/16
diff --git a/clusters/common/renovatebot/github/kustomization.yaml b/clusters/common/renovatebot/github/kustomization.yaml
new file mode 100644
index 0000000..ac010a6
--- /dev/null
+++ b/clusters/common/renovatebot/github/kustomization.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../apps/renovatebot
+patches:
+ - target:
+ kind: CronJob
+ name: renovate-bot
+ patch: |-
+ - op: replace
+ path: /metadata/name
+ value: "renovate-github"
+ - op: add
+ path: /spec/jobTemplate/spec/template/spec/containers/0/env
+ value:
+ - name: "RENOVATE_HOST_RULES"
+ valueFrom:
+ secretKeyRef:
+ name: tokens
+ key: "RENOVATE_HOST_RULES"
+ - op: add
+ path: /spec/jobTemplate/spec/template/spec/containers/0/env
+ value:
+ - name: "RENOVATE_TOKEN"
+ valueFrom:
+ secretKeyRef:
+ name: tokens
+ key: github-token
+ - op: add
+ path: /spec/jobTemplate/spec/template/spec/containers/0/envFrom
+ value:
+ - configMapRef:
+ name: renovate-github-config
+configMapGenerator:
+ - name: renovate-github-config
+ behavior: create
+ envs:
+ - renovate.properties
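Review bot: The SMB egress rule opens TCP 139/445 and UDP 445 to the whole 192.168.0.0/16 — the very range the following rule carves out of internet egress — so one file share turns into LAN-wide reachability from this pod; if the share is a single host, use its /32 the way the 9091 rule already does for 192.168.200.5. UDP 445 is not used by SMB (the protocol runs over TCP 445; legacy NetBIOS name/datagram services use UDP 137/138), so that entry most likely does nothing and can be dropped — confirm against the fileserver's actual listeners first.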
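Review bot: Both `op: add` patches target `/spec/jobTemplate/spec/template/spec/containers/0/env` (not `env/-`), and JSON Patch `add` on an existing object member replaces its value, so the second patch overwrites the first and `RENOVATE_HOST_RULES` never reaches the container. Merge the two entries into one list under a single `add`, as clusters/common/renovatebot/gitlab/kustomization.yaml already does for `RENOVATE_TOKEN` and `GITHUB_COM_TOKEN`, or append with `env/-` if the base CronJob already defines `env`. The base CronJob in apps/renovatebot is outside this hunk, so which form is correct depends on it.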
diff --git a/clusters/common/renovatebot/github/renovate.properties b/clusters/common/renovatebot/github/renovate.properties
new file mode 100644
index 0000000..136f856
--- /dev/null
+++ b/clusters/common/renovatebot/github/renovate.properties
@@ -0,0 +1,8 @@
+RENOVATE_ASSIGNEES=["soerenschneider"]
+RENOVATE_PLATFORM=github
+RENOVATE_REPOSITORIES=["soerenschneider/playbooks"]
+RENOVATE_AUTODISCOVER=false
+RENOVATE_PR_CONCURRENT_LIMIT=50
+RENOVATE_BRANCH_CONCURRENT_LIMIT=0
+RENOVATE_PR_HOURLY_LIMIT=0
+LOG_LEVEL=debug
diff --git a/clusters/common/renovatebot/github/upsert-secret-renovate.sh b/clusters/common/renovatebot/github/upsert-secret-renovate.sh
new file mode 120000
index 0000000..f64f15d
--- /dev/null
+++ b/clusters/common/renovatebot/github/upsert-secret-renovate.sh
@@ -0,0 +1 @@
+../../../../apps/renovatebot/upsert-secret-renovate.sh
\ No newline at end of file
diff --git a/clusters/common/renovatebot/gitlab/kustomization.yaml b/clusters/common/renovatebot/gitlab/kustomization.yaml
new file mode 100644
index 0000000..7ef5dee
--- /dev/null
+++ b/clusters/common/renovatebot/gitlab/kustomization.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../apps/renovatebot
+patches:
+ - target:
+ kind: CronJob
+ name: renovate-bot
+ patch: |-
+ - op: replace
+ path: /metadata/name
+ value: "renovate-gitlab"
+ - op: add
+ path: /spec/jobTemplate/spec/template/spec/containers/0/env
+ value:
+ - name: "RENOVATE_TOKEN"
+ valueFrom:
+ secretKeyRef:
+ name: tokens
+ key: gitlab-token
+ - name: "GITHUB_COM_TOKEN"
+ valueFrom:
+ secretKeyRef:
+ name: tokens
+ key: github-token
+ - op: add
+ path: /spec/jobTemplate/spec/template/spec/containers/0/envFrom
+ value:
+ - configMapRef:
+ name: renovate-gitlab-config
+configMapGenerator:
+ - name: renovate-gitlab-config
+ behavior: create
+ envs:
+ - renovate.properties
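Review bot: `LOG_LEVEL=debug` in a scheduled production job raises log volume and the amount of request and host-rule detail Renovate emits, while the gitlab variant in this same commit uses `info`; unless debug output is needed for an active investigation, align on `LOG_LEVEL=info`. `RENOVATE_REPOSITORIES` is also written as a JSON list here but as a bare string in clusters/common/renovatebot/gitlab/renovate.properties — Renovate appears to accept both, but picking one form keeps the two files diffable.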
diff --git a/clusters/common/renovatebot/gitlab/renovate.properties b/clusters/common/renovatebot/gitlab/renovate.properties
new file mode 100644
index 0000000..0a51230
--- /dev/null
+++ b/clusters/common/renovatebot/gitlab/renovate.properties
@@ -0,0 +1,8 @@
+RENOVATE_ASSIGNEES=["soerenschneider"]
+RENOVATE_PLATFORM=gitlab
+RENOVATE_REPOSITORIES=soerenschneider/playbooks
+RENOVATE_AUTODISCOVER=false
+RENOVATE_PR_CONCURRENT_LIMIT=50
+RENOVATE_BRANCH_CONCURRENT_LIMIT=0
+RENOVATE_PR_HOURLY_LIMIT=0
+LOG_LEVEL=info
diff --git a/clusters/common/renovatebot/gitlab/upsert-secret-renovate.sh b/clusters/common/renovatebot/gitlab/upsert-secret-renovate.sh
new file mode 120000
index 0000000..f64f15d
--- /dev/null
+++ b/clusters/common/renovatebot/gitlab/upsert-secret-renovate.sh
@@ -0,0 +1 @@
+../../../../apps/renovatebot/upsert-secret-renovate.sh
\ No newline at end of file
diff --git a/clusters/common/renovatebot/kustomization.yaml b/clusters/common/renovatebot/kustomization.yaml
new file mode 100644
index 0000000..ea53a0e
--- /dev/null
+++ b/clusters/common/renovatebot/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: renovate
+resources:
+ - github
+ - gitlab
+ - namespace.yaml
diff --git a/clusters/common/renovatebot/namespace.yaml b/clusters/common/renovatebot/namespace.yaml
new file mode 100644
index 0000000..35c46b2
--- /dev/null
+++ b/clusters/common/renovatebot/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: renovate
+ labels:
+ name: renovate
diff --git a/clusters/common/taskd/configmap-ca.yaml b/clusters/common/taskd/configmap-ca.yaml
new file mode 100644
index 0000000..8584ffd
--- /dev/null
+++ b/clusters/common/taskd/configmap-ca.yaml
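Review bot: The new `renovate` Namespace carries only a `name` label and no Pod Security Admission labels, so the renovate CronJobs — which hold GitHub and GitLab tokens — run under whatever the cluster default happens to be; add `pod-security.kubernetes.io/enforce: restricted` (plus the matching `warn` and `audit` labels) under `metadata.labels` if the renovate image runs under the restricted profile, otherwise `baseline`. Setting the level in the Namespace manifest keeps the policy next to the workload it governs and visible in review.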
@@ -0,0 +1,42 @@ +--- +apiVersion: v1 +data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIGBjCCA+6gAwIBAgIUNKqQxJc3nox3OE7QiNHkChxHrWAwDQYJKoZIhvcNAQEL + BQAwLTENMAsGA1UEChMEc29yZzEcMBoGA1UEAxMTdGFzay5zcm4uaW0gcm9vdCBj + YTAeFw0yMzEyMTAxNTQzNDdaFw0yNTEyMDkxNTQ0MTdaMFIxDTALBgNVBAoTBHNv + cmcxEjAQBgNVBAsTCXRhc2sgc29yZzEtMCsGA1UEAxMkdGFzay5zcm4uaW0gSW50 + ZXJtZWRpYXRlIENlcnRpZmljYXRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC + CgKCAgEAzPvboBfGZPMkzWF0ZIhuXflBQGbPC5HtqY4KfYYyJhQlvaiw0egVPQ02 + oMyiazZLI/xFFNGlPpxxj6UmaQka4Atx6hP5z2Fih/aAHUJEezrIvRqyiB5ymWB8 + Py+qt/x5O/Z/kyWGkp+xOMxHcH5q8USNchhCAjT9kehHMeY7pXc/d9TcHUMV3RWF + +IBAfjV3zpN7DjKjvIA5atITAky1SV1pRJtzPe7RP408TqgsVKXjREx6b8Y8nNBP + nAVxyPfohz6IIpsMrlDIsQMUYJd4vEYPb0ncC0bnBWsgtgLmqJE1/3Sdzr5kOInd + xNkVXiEobOFbaQeOmv0A3BXIf9UP0sto6Ek5pVv/HvogaKvcqb4A1oTJgpVo3mck + VXRbx1dd9X3rd9EHZKWGu4eYPCjDPo5+puEBZjivPim2q3/jfjtUD4tUalSXnyH4 + 3WemLxbj2v7A1jc5TQo6oLtp4cGTStzN1JHOPVkVC0LcfdS5TR5ngF77ZfogfpGZ + MtKoLdPCSy8fRKaBLQHi9lwwiPD8/XKkbbbqUp27X4FPvwpDjlwrra5VgXTo6DaO + /YUUUIrTvy76knk8NP9/exICx6KKbrcRzoCAERsN2cM3aHnmofn39ZNt/w6CZ16C + yZ8XjCOIH7+KCEnoMHWsGJ94qfAFJhEXKECJ71AgRSXkd+83ZCMCAwEAAaOB+DCB + 9TAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUfZh2 + W6nbASXJvmof6wTD8BOCH34wHwYDVR0jBBgwFoAUhQt0nTnvrMIxR7brMWdufS4P + bMMwTQYIKwYBBQUHAQEEQTA/MD0GCCsGAQUFBzAChjFodHRwczovL3ZhdWx0Lmhh + LnNvZXJlbi5jbG91ZC92MS9wa2lfcm9vdF90YXNrL2NhMEMGA1UdHwQ8MDowOKA2 + oDSGMmh0dHBzOi8vdmF1bHQuaGEuc29lcmVuLmNsb3VkL3YxL3BraV9yb290X3Rh + c2svY3JsMA0GCSqGSIb3DQEBCwUAA4ICAQANldXWNrJFqX+SJ80SkBEQxokY4TAo + hqZEk3Y0/AWN0agUoQ2/rCyePhhB7+xx06ah1s3JX37qSeLurrgLijf0DB1GlWEN + jFIW46Syy464UV0Nwt6k+wtJ8LjE1CA8jElCPw+k9tSnkrukVURelmrw7tSG0VXc + x7CXsD6FNj0lNKHqNorguiEGQaLKIPy8w82lina8qIv1/UajxSlg2qGMn86jUu5k + pib3ZmeUVIt4VI+7OzodYUt+L1h8q2iM/1Uozqak+rrKFRvrr/hC3cJa66B2B8rC + RwgkhA3t7akjAJV638QMQt1CWs90iy7nWm+W8rsnZSf5/ZZayNbrFIuj73DB/Aip + vpK+kNpRhXAVLPJZ3gkaO+JoShoKjMtxOJL61KJJpidkCtJ5hVqZKk3kYCPH8MTq + 
58cSd+a4LpshQmMqzjCzQhIp/GQ0/gUAQtp4M1EyQG9WY3Ze3db8zDr4E0CeIHD8 + vv0KM4X1TbfaglPJJ+8zR2ZYarJHb6uK2ZCXuKQpespszhkEvMNsFnmBRavJawSR + 5Hf2soV1xVPJv2qeHnZPfEqAezyToe5YAtvLX+Y7zV0Id+WD2w+5Ji4tNzMw/075 + glQScwRhajiAKhdvUNm7rGuJN5tG7565Dfz0GP+M2OGegwZC0WZRiRBSXFseBUwD + OqV496GvTYU8pw== + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: taskd-ca diff --git a/clusters/common/taskd/kustomization.yaml b/clusters/common/taskd/kustomization.yaml new file mode 100644 index 0000000..afd0986 --- /dev/null +++ b/clusters/common/taskd/kustomization.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: taskd +resources: + - ../../../apps/taskd + - configmap-ca.yaml +patches: + - target: + kind: Deployment + name: taskd + patch: |- + - op: add + path: /spec/template/spec/priorityClassName + value: prod-default-prio + - op: add + path: /spec/template/spec/volumes/- + value: + name: "taskd-ca" + configMap: + name: "taskd-ca" + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: "taskd-ca" + mountPath: "/ca" diff --git a/clusters/common/taskd/upsert-ca.sh b/clusters/common/taskd/upsert-ca.sh new file mode 100644 index 0000000..19b91cf --- /dev/null +++ b/clusters/common/taskd/upsert-ca.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +CONFIGMAP_NAME="taskd-ca" +CONFIGMAP_KEY="ca.crt" +CONFIGMAP_FILE="configmap-ca.yaml" +DEFAULT_PKI_URL="pki/im_task" + +curl -s "${VAULT_ADDR}/v1/${DEFAULT_PKI_URL}/ca/pem" | \ + kubectl create configmap "${CONFIGMAP_NAME}" --from-file="${CONFIGMAP_KEY}"=/dev/stdin --dry-run=client -o yaml > "${CONFIGMAP_FILE}" diff --git a/clusters/common/taskd/upsert-secrets.sh b/clusters/common/taskd/upsert-secrets.sh new file mode 100755 index 0000000..3d4d360 --- /dev/null +++ b/clusters/common/taskd/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash ../../../contrib/upsert-secrets.sh 
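Review bot: `bash ../../../contrib/upsert-secrets.sh` resolves relative to the caller's working directory rather than the script's own location, so invoking it from anywhere but clusters/common/taskd runs a different, or non-existent, path. Anchor it to the script: `bash "$(dirname "${BASH_SOURCE[0]}")/../../../contrib/upsert-secrets.sh"`. That also makes the wrapper safe to call from CI or a Makefile target.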
diff --git a/clusters/common/vcr/kustomization.yaml b/clusters/common/vcr/kustomization.yaml
new file mode 100644
index 0000000..04593a6
--- /dev/null
+++ b/clusters/common/vcr/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - sportschau-saturday
+ - sportschau-sunday
+components:
+ - ../../../apps/vcr/components/fileserver
+ - ../../../apps/vcr/components/fileserver-istio
+ - ../../../apps/vcr/components/metube
+ - ../../../apps/vcr/components/metube-istio
+ - ../../../apps/vcr/components/yt-dlp-pvc
diff --git a/clusters/common/vcr/sportschau-saturday/kustomization.yaml b/clusters/common/vcr/sportschau-saturday/kustomization.yaml
new file mode 100644
index 0000000..b058df5
--- /dev/null
+++ b/clusters/common/vcr/sportschau-saturday/kustomization.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../apps/vcr
+patches:
+ - target:
+ kind: CronJob
+ patch: |-
+ - op: replace
+ path: "/metadata/name"
+ value: "vcr-sportschau-saturday"
+ - op: replace
+ path: "/spec/timeZone"
+ value: "Europe/Berlin"
+ - op: replace
+ path: "/spec/schedule"
+ value: "0 18 * * SAT"
+ - op: replace
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/command"
+ value:
+ - timeout
+ - --preserve-status
+ - --kill-after=60s
+ - --signal=SIGINT
+ - 120m
+ - yt-dlp
+ - --merge-output-format=mp4
+ - --keep-video
+ - --output
+ - "/data/sportschau-%(epoch-3600>%Y%m%d-%H%M%S)s.%(ext)s"
+ - "https://www.ardmediathek.de/live/Y3JpZDovL2Rhc2Vyc3RlLmRlL2xpdmUvY2xpcC9hYmNhMDdhMy0zNDc2LTQ4NTEtYjE2Mi1mZGU4ZjY0NmQ0YzQ"
diff --git a/clusters/common/vcr/sportschau-sunday/kustomization.yaml b/clusters/common/vcr/sportschau-sunday/kustomization.yaml
new file mode 100644
index 0000000..7517a79
--- /dev/null
+++ b/clusters/common/vcr/sportschau-sunday/kustomization.yaml
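Review bot: The output template `%(epoch-3600>%Y%m%d-%H%M%S)s` hard-codes a one-hour offset to turn the UTC epoch into local time, but `timeZone: Europe/Berlin` is UTC+2 during summer time, so from late March to late October the filename timestamp is an hour off; the simplest fix is to drop the offset and keep UTC in the name, `"/data/sportschau-%(epoch>%Y%m%d-%H%M%S)s.%(ext)s"`, or use a yt-dlp local-time field if one is available in the pinned version. The patch target names only `kind: CronJob` with no `name`, so it rewrites every CronJob in apps/vcr — fine while the base holds exactly one, brittle once another is added. The same offset is in clusters/common/vcr/sportschau-sunday/kustomization.yaml.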
@@ -0,0 +1,32 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../../apps/vcr +patches: + - target: + kind: CronJob + patch: |- + - op: replace + path: "/metadata/name" + value: "vcr-sportschau-sunday" + - op: replace + path: "/spec/timeZone" + value: "Europe/Berlin" + - op: replace + path: "/spec/schedule" + value: "45 21 * * SUN" + - op: replace + path: "/spec/jobTemplate/spec/template/spec/containers/0/command" + value: + - timeout + - --preserve-status + - --kill-after=60s + - --signal=SIGINT + - 30m + - yt-dlp + - --merge-output-format=mp4 + - --keep-video + - --output + - "/data/sportschau-%(epoch-3600>%Y%m%d-%H%M%S)s.%(ext)s" + - "https://www.ardmediathek.de/live/Y3JpZDovL3dkci5kZS9CZWl0cmFnLTNkYTY2NGRlLTE4YzItNDY1MC1hNGZmLTRmNjQxNDcyMDcyYg" diff --git a/clusters/rs.soeren.cloud/cert-manager/clusterissuer.yaml b/clusters/rs.soeren.cloud/cert-manager/clusterissuer.yaml new file mode 100644 index 0000000..26304bd --- /dev/null +++ b/clusters/rs.soeren.cloud/cert-manager/clusterissuer.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-dns-prod + namespace: cert-manager +spec: + acme: + email: letsencrypt@soerensoerensen.de + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-account-key-route53 + solvers: + - selector: + dnsZones: + - "rs.soeren.cloud" + dns01: + route53: + region: us-east-1 + hostedZoneID: "Z00600761SSFS09T26LE4" + accessKeyIDSecretRef: + name: route53-credentials + key: access-key-id + secretAccessKeySecretRef: + name: route53-credentials + key: access-key-secret diff --git a/clusters/rs.soeren.cloud/cert-manager/kustomization.yaml b/clusters/rs.soeren.cloud/cert-manager/kustomization.yaml new file mode 100644 index 0000000..211341d --- /dev/null +++ b/clusters/rs.soeren.cloud/cert-manager/kustomization.yaml 
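Review bot: The route53 solver in clusterissuer.yaml authenticates with a long-lived static access key pair from the route53-credentials Secret, and nothing in this change shows what that IAM user is allowed to do, so a leaked key is worth whatever the policy grants. Restrict the policy to `route53:GetChange` on `*` plus `route53:ChangeResourceRecordSets` and `route53:ListResourceRecordSets` on `arn:aws:route53:::hostedzone/Z00600761SSFS09T26LE4` only, matching the `hostedZoneID` already pinned here, or add a `role:` the static user can do nothing but assume. Separately, `metadata.namespace: cert-manager` has no effect on a cluster-scoped ClusterIssuer; the secret references are resolved in cert-manager's cluster resource namespace regardless, so the line should be dropped rather than suggest otherwise.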
@@ -0,0 +1,18 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../infra/cert-manager + - clusterissuer.yaml +namespace: cert-manager +patches: + - target: + kind: Deployment + name: cert-manager + patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--dns01-recursive-nameservers-only" + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" diff --git a/clusters/rs.soeren.cloud/cert-manager/sops-secret-route53-credentials.yaml b/clusters/rs.soeren.cloud/cert-manager/sops-secret-route53-credentials.yaml new file mode 100644 index 0000000..58a8db2 --- /dev/null +++ b/clusters/rs.soeren.cloud/cert-manager/sops-secret-route53-credentials.yaml 
@@ -0,0 +1,29 @@ +--- +apiVersion: v1 +data: + access-key-id: ENC[AES256_GCM,data:Wk5e7lMBSW0IpETsZQpGmoOyFLRFsiV+bh+Jhw==,iv:SZRA9V7zZC5yobTm0iEU368hXxeICrDHwELQ+sbbZXE=,tag:yEP2wB6XkzVm/JEE40Rb9Q==,type:str] + access-key-secret: ENC[AES256_GCM,data:yHISrO51KGfYxrUnGF0hozLSgD/h/zmUbXQgCO4gxq+ULrjDKQcZahDRgX5tMcrze3D5uodILB8=,iv:j0AD9wCc55flB1Ht48xiMlSnvb4we7MwWRHnNjMioMU=,tag:Jf/21H8k+2DvVNBQpf3rsQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: route53-credentials +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1g67vnulzds6lsw4sqvvavxjn0kz0h6u2lnt5znu3yne0xhe6sgss0an4zu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCVnJjdTY4aXppK3JpcVRo + YzJubHpXME8vNkJFWExtZDV5SlErc25aNDFVClRjeCt3YW5wajZFc2pWN0RYTW52 + MVlVbEhKamU5OFRIL2ZQSC9veHAvQTgKLS0tIEJXdUtrRGVKQUdpVnE1YzAvME5t + R2Y1d05CWFFvLzJWaHBoOWFVN1NGcEUKYizOpLCS3BTrDT3OkTlp4ma13hUj4Lt4 + xl85l5lemac5bSaw0LHk6aytP7UegGJZsLX3gZlG+n3m+nFM8G9b/w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-25T05:43:59Z" + mac: ENC[AES256_GCM,data:YoNPBKhvMZG1ctsumuMFZD4LRDo51rDEm3TWiO+lxMkbG7SZ/C7IdBxNQFF7YEtq9/mU78+on8CKobFTrRvi9GGwhzxwYM8oED+ghBhg3vtsZ+eltJX2yM8LEI/3PT5msNafjPw08xaZs/hr0G9ZKLRvefRgp3wcFai/IobALTg=,iv:bEOAU30acKHhyzAcrDAMkoC9RtiSLmddtqDGqs+XsQs=,tag:rZtAQngaf8FxXxq/b7vI3Q==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/clusters/rs.soeren.cloud/cert-manager/upsert-secrets.sh b/clusters/rs.soeren.cloud/cert-manager/upsert-secrets.sh new file mode 100755 index 0000000..3d4d360 --- /dev/null +++ b/clusters/rs.soeren.cloud/cert-manager/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash ../../../contrib/upsert-secrets.sh diff --git a/clusters/rs.soeren.cloud/ghostfolio/kustomization.yaml b/clusters/rs.soeren.cloud/ghostfolio/kustomization.yaml new file mode 100644 index 0000000..2e511c2 --- /dev/null 
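Review bot: sops-secret-route53-credentials.yaml is encrypted to a single age recipient with `pgp: []` and `hc_vault: []`, whereas sops-secret-grafana.yaml in the same cluster tree also carries the PGP key 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 and the svc.dd .sops.yaml adds a Vault transit key as well; losing that one age key makes the AWS credentials unrecoverable, and the mismatch suggests this file predates the current creation rules. Run `sops updatekeys` on it so the recovery keys match the other secrets. The `lastmodified: "2023-08-25"` stamp also means these static AWS keys are over a year old at the time of this commit; rotating them while re-encrypting is cheap.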
+++ b/clusters/rs.soeren.cloud/ghostfolio/kustomization.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: ghostfolio +resources: + - ../../../apps/ghostfolio + - namespace.yaml + - postgres-data-pv.yaml + - sops-secret-ghostfolio.yaml +components: + - ../../../apps/ghostfolio/components/istio + - ../../../apps/ghostfolio/components/postgres + - ../../../apps/ghostfolio/components/redis +patches: + - target: + kind: VirtualService + name: ghostfolio + patch: | + - op: replace + path: /spec/hosts + value: + - ghostfolio.rs.soeren.cloud diff --git a/clusters/rs.soeren.cloud/ghostfolio/namespace.yaml b/clusters/rs.soeren.cloud/ghostfolio/namespace.yaml new file mode 100644 index 0000000..9717ddd --- /dev/null +++ b/clusters/rs.soeren.cloud/ghostfolio/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: ghostfolio + labels: + name: ghostfolio diff --git a/clusters/rs.soeren.cloud/ghostfolio/postgres-data-pv.yaml b/clusters/rs.soeren.cloud/ghostfolio/postgres-data-pv.yaml new file mode 100644 index 0000000..d7c57c8 --- /dev/null +++ b/clusters/rs.soeren.cloud/ghostfolio/postgres-data-pv.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: ghostfolio-postgres +spec: + accessModes: + - ReadWriteOnce + capacity: + storage: 1Gi + storageClassName: local-storage + local: + path: /srv/k8s/ghostfolio-postgres + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: + - rs.soeren.cloud diff --git a/clusters/rs.soeren.cloud/ghostfolio/upsert-secret-ghostfolio-postgres.sh b/clusters/rs.soeren.cloud/ghostfolio/upsert-secret-ghostfolio-postgres.sh new file mode 120000 index 0000000..77c9086 --- /dev/null +++ b/clusters/rs.soeren.cloud/ghostfolio/upsert-secret-ghostfolio-postgres.sh 
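Review bot: The ghostfolio-postgres PersistentVolume in postgres-data-pv.yaml has no `claimRef`, so any ReadWriteOnce PVC in any namespace that requests `local-storage` and at most 1Gi can bind this volume and read or overwrite the postgres data directory at /srv/k8s/ghostfolio-postgres. Pin it the way jellyfin/pv-config.yaml in this same commit does, `claimRef: {namespace: ghostfolio, name: <pvc name>}`, using the PVC name defined in apps/ghostfolio/components/postgres, which is not visible here. The same omission applies to minio-pv.yaml, navidrome-data-pv.yaml and the actualbudget PV further down in the commit.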
@@ -0,0 +1 @@ +../../../apps/ghostfolio/components/postgres/upsert-secret-ghostfolio-postgres.sh \ No newline at end of file diff --git a/clusters/rs.soeren.cloud/ghostfolio/upsert-secrets.sh b/clusters/rs.soeren.cloud/ghostfolio/upsert-secrets.sh new file mode 100755 index 0000000..3d4d360 --- /dev/null +++ b/clusters/rs.soeren.cloud/ghostfolio/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash ../../../contrib/upsert-secrets.sh diff --git a/clusters/rs.soeren.cloud/grafana/grafana.properties b/clusters/rs.soeren.cloud/grafana/grafana.properties new file mode 100644 index 0000000..90a14a7 --- /dev/null +++ b/clusters/rs.soeren.cloud/grafana/grafana.properties @@ -0,0 +1,6 @@ +GF_SERVER_ROOT_URL=https://grafana.rs.soeren.cloud +GF_DATABASE_HOST=dbs.dd.soeren.cloud:3306 +GF_DATABASE_SERVER_CERT_NAME=dbs.dd.soeren.cloud +GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://keycloak.svc.dd.soeren.cloud/realms/myrealm/protocol/openid-connect/auth +GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://keycloak.svc.dd.soeren.cloud/realms/myrealm/protocol/openid-connect/token +GF_AUTH_GENERIC_OAUTH_API_URL=https://keycloak.svc.dd.soeren.cloud/realms/myrealm/protocol/openid-connect/userinfo \ No newline at end of file diff --git a/clusters/rs.soeren.cloud/grafana/kustomization.yaml b/clusters/rs.soeren.cloud/grafana/kustomization.yaml new file mode 100644 index 0000000..b0d0c66 --- /dev/null +++ b/clusters/rs.soeren.cloud/grafana/kustomization.yaml 
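Review bot: `GF_DATABASE_SERVER_CERT_NAME=dbs.dd.soeren.cloud` in grafana.properties only takes effect when `GF_DATABASE_SSL_MODE` is set, and no ssl_mode appears in this file; unless the database-mariadb component (not visible here) sets it, Grafana connects to dbs.dd.soeren.cloud:3306 in plaintext, the certificate name is never checked, and GF_DATABASE_USER/GF_DATABASE_PASSWORD cross the network unencrypted. Add `GF_DATABASE_SSL_MODE=true` next to the cert name, or confirm the component already sets it. The file also lacks a trailing newline, which kustomize's envs loader tolerates but some editors and linters do not.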
@@ -0,0 +1,26 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: grafana +resources: + - ../../../apps/grafana + - namespace.yaml + - sops-secret-grafana.yaml +components: + - ../../../apps/grafana/components/istio + - ../../../apps/grafana/components/oidc + - ../../../apps/grafana/components/database-mariadb +patches: + - target: + kind: VirtualService + name: grafana + patch: |- + - op: replace + path: /spec/hosts + value: + - grafana.svc.dd.soeren.cloud +configMapGenerator: + - name: grafana-config + behavior: merge + envs: + - grafana.properties diff --git a/clusters/rs.soeren.cloud/grafana/namespace.yaml b/clusters/rs.soeren.cloud/grafana/namespace.yaml new file mode 100644 index 0000000..4dcea77 --- /dev/null +++ b/clusters/rs.soeren.cloud/grafana/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: grafana + labels: + name: grafana diff --git a/clusters/rs.soeren.cloud/grafana/sops-secret-grafana.yaml b/clusters/rs.soeren.cloud/grafana/sops-secret-grafana.yaml new file mode 100644 index 0000000..3fab879 --- /dev/null +++ b/clusters/rs.soeren.cloud/grafana/sops-secret-grafana.yaml 
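Review bot: The grafana VirtualService in the rs.soeren.cloud cluster is patched to the host `grafana.svc.dd.soeren.cloud`, while grafana.properties in the same directory sets `GF_SERVER_ROOT_URL=https://grafana.rs.soeren.cloud` and every sibling app plus the cluster's `*.rs.soeren.cloud` ingress-cert use the rs.soeren.cloud zone. Grafana derives its OAuth redirect_uri from root_url, so Keycloak logins will bounce to a host this gateway does not route, and the gateway's certificate would not match the svc.dd name in any case. This looks like a copy-paste from the svc.dd cluster; the patch value should be `- grafana.rs.soeren.cloud`.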
@@ -0,0 +1,52 @@ +--- +apiVersion: v1 +data: + GF_AUTH_GENERIC_OAUTH_CLIENT_ID: ENC[AES256_GCM,data:IL17FayWS0Zs7i9j,iv:NjMAphOEGDEJCZ1ipbxk4NAc2gIEaUQBmM1dyQkjsrU=,tag:r4Bbe5BgBKAFfPFML8hdZQ==,type:str] + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:wePdvI+SB/xbiLUQ2DqOJg4wsFfm9LX4mnCCSVFXG3rB/FvJGHFaT+h0Nqs=,iv:zE+bJHsx+rhQmcdj/t0eg4ubi/EzezcTyHrfexDzUR0=,tag:BWwNDPcEsed2m8mSrzSOIw==,type:str] + GF_DATABASE_PASSWORD: ENC[AES256_GCM,data:m4YRpYqpAIioR86Z,iv:basA+/jaYn7InDvV5fDaj+w7Hq6WG/3VL+t8y+wt4/Q=,tag:UBWoqLGbFLYOd6tD9ywPuQ==,type:str] + GF_DATABASE_USER: ENC[AES256_GCM,data:+zd0OIBVSe7OJDBY,iv:JhtguZ3cDHhxzXqLZoa/prW+Kmqludhj0QkWpm9gdmA=,tag:mOgkseSgFgaC+Cl4BeCt2A==,type:str] + GF_SECURITY_ADMIN_PASSWORD: ENC[AES256_GCM,data:ou5Wqee+7dxtbsoz,iv:2nDoT7GAo3MYb2cNY21LRVHYEAT+SfukYJx1L7DM5us=,tag:T6039IsOGRbN1thMAzAkKQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: grafana + namespace: grafana +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1g67vnulzds6lsw4sqvvavxjn0kz0h6u2lnt5znu3yne0xhe6sgss0an4zu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NmZPZVVEakJNWnJOakJW + MmwvNVpZZERDMEZiS2Uyc3ZibFl0eU4weUZFCmpEdDlNSU9LVHh0cThNaWhFYlMr + VjVhUllkMm1VUkx5ekZiZm1XK1VvbmMKLS0tIG9jQzVCdnFnTXU4dXBuNjZ4OWgv + MjRwempQUkVHMWdsR0ttZlZnTi96WlUK7Y4AjVjiCL+pFabBnTFsR8OaK9HT52S+ + o6iMzaPhBTDy5pGm8QBqcsMw4E9qPnv0mNU4mH5kev29mBwiEyguCw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-31T15:15:53Z" + mac: ENC[AES256_GCM,data:7+Mi8iHk9FWCw047l+sG3ncy1bqXzL3K8dkjayJE53sEVj89H4TIArM9dSZnBm8pU4QiAkQGYdQbpL5LSSUxiB4jgqV/rvrsiZvjbuSPFoyJ+BZb8+lG79fmX2wdts2kPnSc0FExMWn1jhMk53CtRSv44p+qV7U+9gTpBOrnI3Y=,iv:QnLl5XHgnpVFjG809rp6SETRe2rCEJgw42z96fUf7t8=,tag:V1yn0lxFkCSAGss224vOjw==,type:str] + pgp: + - created_at: "2023-12-31T15:15:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + hQIMA+/EGAve9YBkAQ//cn5L4SSNPTjQIxFwO7pLBj1vh6GTywMUO9LzKeMYZEKa + 
IZL8B6dgR2SGKKHbMeQFp6J5NpD0w2dMWedo2lze8RhutdLMOQKoeDQJJyM5/8ph + pI2k20tHpAVBQ+Gtb99dxJncAC85rB8Qs0CN5DQVar45zYkLf2RZ7r5r97mJDliO + 79/GEvI+GqKb8iCrDWyOH+UUFKfFm+NYd0hEXCSld7TXObGc1pEO6MpRhNF/fNi4 + SpUBtZWvc4rQ+HbZHuFEfva/qHgrIxak88M0yLGecQEvXbkkgKjmRW6RL4qtiEOs + 0vLdB+UqVuOSDcvYJwADgFm1YLuXfavWfgi2PdM9n/2PxpQTO/8GfmQZVZcO1GdL + xnPv4OEbhIyke5g5GdhIazJ7Dm6onN0KX1nWpLF5DbaN1OkfDSxcq/t2BVQDw1tn + w6EFdZQoqb1rdvCHJT6lv2KStMB/K5nWBpHkIPa9J6Bm064R4pwyL0xM8xJ6BoWg + HJdTVuCJwpUN08gFTfXztT3AJKUAVxLg5bo32rwgs/5XJD1EFVFlpZRUWX8RC3eQ + PaMN7mFbNhIFoiiDGGZlJA2LeNCAoCeW0x2/7XC1ZEQ8DDqfCGitrFZfIVN9l+Sj + nOJgIQqBWUTjCUXf0caVjbj9QKtEBhqJw1l3BInwCf3ewzca8cgjVyrBybm0nMzS + XgFp9+imjBWl0fW1PHdukOMblR/iWChIdYzWIYQou11e8Ply19JsmAMYyh+1VBrw + WvtiIhD4jbotHHyjs3WFqeB7Bl/ldy4QbbAJ4izFJCSaz7rRQZmjcIqsikbIqHc= + =T3Qm + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/rs.soeren.cloud/grafana/upsert-secret-grafana-database-mariadb.sh b/clusters/rs.soeren.cloud/grafana/upsert-secret-grafana-database-mariadb.sh new file mode 120000 index 0000000..8c7c8c5 --- /dev/null +++ b/clusters/rs.soeren.cloud/grafana/upsert-secret-grafana-database-mariadb.sh @@ -0,0 +1 @@ +../../../apps/grafana/components/database-mariadb/upsert-secret-grafana-database-mariadb.sh \ No newline at end of file diff --git a/clusters/rs.soeren.cloud/grafana/upsert-secret-grafana-oidc.sh b/clusters/rs.soeren.cloud/grafana/upsert-secret-grafana-oidc.sh new file mode 120000 index 0000000..6491a5e --- /dev/null +++ b/clusters/rs.soeren.cloud/grafana/upsert-secret-grafana-oidc.sh @@ -0,0 +1 @@ +../../../apps/grafana/components/oidc/upsert-secret-grafana-oidc.sh \ No newline at end of file diff --git a/clusters/rs.soeren.cloud/grafana/upsert-secret-grafana.sh b/clusters/rs.soeren.cloud/grafana/upsert-secret-grafana.sh new file mode 120000 index 0000000..5833c2b --- /dev/null 
+++ b/clusters/rs.soeren.cloud/grafana/upsert-secret-grafana.sh @@ -0,0 +1 @@ +../../../apps/grafana/upsert-secret-grafana.sh \ No newline at end of file diff --git a/clusters/rs.soeren.cloud/grafana/upsert-secrets.sh b/clusters/rs.soeren.cloud/grafana/upsert-secrets.sh new file mode 100755 index 0000000..3d4d360 --- /dev/null +++ b/clusters/rs.soeren.cloud/grafana/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash ../../../contrib/upsert-secrets.sh diff --git a/clusters/rs.soeren.cloud/httpbin/kustomization.yaml b/clusters/rs.soeren.cloud/httpbin/kustomization.yaml new file mode 100644 index 0000000..68c8e03 --- /dev/null +++ b/clusters/rs.soeren.cloud/httpbin/kustomization.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: httpbin +resources: + - ../../../apps/httpbin + - namespace.yaml +components: + - ../../../apps/httpbin/components/istio +patches: + - target: + kind: VirtualService + name: httpbin + patch: |- + - op: replace + path: "/spec/hosts" + value: + - "httpbin.rs.soeren.cloud" diff --git a/clusters/rs.soeren.cloud/httpbin/namespace.yaml b/clusters/rs.soeren.cloud/httpbin/namespace.yaml new file mode 100644 index 0000000..d1525ee --- /dev/null +++ b/clusters/rs.soeren.cloud/httpbin/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: httpbin + labels: + name: httpbin diff --git a/clusters/rs.soeren.cloud/infra/kustomization.yaml b/clusters/rs.soeren.cloud/infra/kustomization.yaml new file mode 100644 index 0000000..d59501e --- /dev/null +++ b/clusters/rs.soeren.cloud/infra/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../infra/priority + - ../../../infra/local-storageclass +components: + - ../../../infra/local-storageclass/components/mark-default-storageclass 
diff --git a/clusters/rs.soeren.cloud/infra/local-storageclass.yaml b/clusters/rs.soeren.cloud/infra/local-storageclass.yaml new file mode 100644 index 0000000..f9d1d6a --- /dev/null +++ b/clusters/rs.soeren.cloud/infra/local-storageclass.yaml @@ -0,0 +1,7 @@ +--- +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: local-storage +provisioner: kubernetes.io/no-provisioner +volumeBindingMode: WaitForFirstConsumer diff --git a/clusters/rs.soeren.cloud/istio/certificate.yaml b/clusters/rs.soeren.cloud/istio/certificate.yaml new file mode 100644 index 0000000..9010571 --- /dev/null +++ b/clusters/rs.soeren.cloud/istio/certificate.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ingress-cert + namespace: istio-system +spec: + secretName: ingress-cert + commonName: '*.rs.soeren.cloud' + dnsNames: + - '*.rs.soeren.cloud' + issuerRef: + name: letsencrypt-dns-prod + kind: ClusterIssuer + group: cert-manager.io diff --git a/clusters/rs.soeren.cloud/istio/gateway.yaml b/clusters/rs.soeren.cloud/istio/gateway.yaml new file mode 100644 index 0000000..ef801f6 --- /dev/null +++ b/clusters/rs.soeren.cloud/istio/gateway.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: gateway + namespace: istio-system +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + tls: + mode: SIMPLE + credentialName: ingress-cert + hosts: + - "*" + - port: + number: 443 + name: https-passthrough + protocol: HTTPS + tls: + mode: PASSTHROUGH + hosts: + - minio.rs.soeren.cloud + - minio-console.rs.soeren.cloud diff --git a/clusters/rs.soeren.cloud/jellyfin/kustomization.yaml b/clusters/rs.soeren.cloud/jellyfin/kustomization.yaml new file mode 100644 index 0000000..ceb7727 --- /dev/null 
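Review bot: In gateway.yaml the `https` server on port 443 answers for `*` in SIMPLE mode while `https-passthrough` on the same port claims minio.rs.soeren.cloud and minio-console.rs.soeren.cloud, so the two servers overlap on those SNI names; Istio usually prefers the more specific server name when building filter chains, but that is an assumption to confirm with `istioctl analyze` rather than rely on. Narrowing the SIMPLE server to `- "*.rs.soeren.cloud"` aligns it with the ingress-cert it presents and stops VirtualServices for foreign hosts (such as the grafana.svc.dd.soeren.cloud one elsewhere in this commit) from silently attaching. While here, set `minProtocolVersion: TLSV1_2` on the SIMPLE server instead of relying on the mesh default, and move off the deprecated `networking.istio.io/v1alpha3` to `v1beta1` or `v1`.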
+++ b/clusters/rs.soeren.cloud/jellyfin/kustomization.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: jellyfin +resources: + - ../../../apps/jellyfin + - namespace.yaml + - pv-config.yaml +components: + - ../../../apps/jellyfin/components/istio + - ../../../apps/jellyfin/components/pvc-config + - ../../../apps/jellyfin/components/storage-healthcheck +patches: + - target: + kind: VirtualService + name: jellyfin + patch: |- + - op: replace + path: /spec/hosts + value: + - jellyfin.rs.soeren.cloud + - target: + kind: StatefulSet + name: jellyfin + patch: |- + - op: replace + path: /spec/template/spec/volumes/2 + value: + name: media + hostPath: + path: /mnt/media diff --git a/clusters/rs.soeren.cloud/jellyfin/namespace.yaml b/clusters/rs.soeren.cloud/jellyfin/namespace.yaml new file mode 100644 index 0000000..552d54f --- /dev/null +++ b/clusters/rs.soeren.cloud/jellyfin/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: jellyfin + labels: + name: jellyfin diff --git a/clusters/rs.soeren.cloud/jellyfin/pv-config.yaml b/clusters/rs.soeren.cloud/jellyfin/pv-config.yaml new file mode 100644 index 0000000..d89de4d --- /dev/null +++ b/clusters/rs.soeren.cloud/jellyfin/pv-config.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: "v1" +kind: "PersistentVolume" +metadata: + name: "jellyfin-config" +spec: + accessModes: + - "ReadWriteOnce" + capacity: + storage: "1Gi" + storageClassName: "local-storage" + local: + path: "/mnt/k8s/jellyfin-config" + claimRef: + namespace: "jellyfin" + name: "jellyfin-config" + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: "kubernetes.io/hostname" + operator: "In" + values: + - "rs.soeren.cloud" diff --git a/clusters/rs.soeren.cloud/jellyfin/sops-secret-grafana.yaml b/clusters/rs.soeren.cloud/jellyfin/sops-secret-grafana.yaml new file mode 100644 index 0000000..3fab879 --- /dev/null 
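Review bot: The media hostPath patched into the jellyfin StatefulSet is declared without `type: Directory`, so if /mnt/media is not mounted on rs.soeren.cloud the kubelet silently creates an empty root-owned directory and jellyfin starts against it; the navidrome kustomization in this same commit sets `type: Directory` and mounts its share `readOnly: true`, and jellyfin should match. Whether the corresponding volumeMount in apps/jellyfin is read-only is not visible here; if it is not, add `readOnly: true` so a compromised jellyfin cannot write to the media share. Proposed volume value: `hostPath: {path: /mnt/media, type: Directory}`.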
+++ b/clusters/rs.soeren.cloud/jellyfin/sops-secret-grafana.yaml 
@@ -0,0 +1,52 @@ +--- +apiVersion: v1 +data: + GF_AUTH_GENERIC_OAUTH_CLIENT_ID: ENC[AES256_GCM,data:IL17FayWS0Zs7i9j,iv:NjMAphOEGDEJCZ1ipbxk4NAc2gIEaUQBmM1dyQkjsrU=,tag:r4Bbe5BgBKAFfPFML8hdZQ==,type:str] + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:wePdvI+SB/xbiLUQ2DqOJg4wsFfm9LX4mnCCSVFXG3rB/FvJGHFaT+h0Nqs=,iv:zE+bJHsx+rhQmcdj/t0eg4ubi/EzezcTyHrfexDzUR0=,tag:BWwNDPcEsed2m8mSrzSOIw==,type:str] + GF_DATABASE_PASSWORD: ENC[AES256_GCM,data:m4YRpYqpAIioR86Z,iv:basA+/jaYn7InDvV5fDaj+w7Hq6WG/3VL+t8y+wt4/Q=,tag:UBWoqLGbFLYOd6tD9ywPuQ==,type:str] + GF_DATABASE_USER: ENC[AES256_GCM,data:+zd0OIBVSe7OJDBY,iv:JhtguZ3cDHhxzXqLZoa/prW+Kmqludhj0QkWpm9gdmA=,tag:mOgkseSgFgaC+Cl4BeCt2A==,type:str] + GF_SECURITY_ADMIN_PASSWORD: ENC[AES256_GCM,data:ou5Wqee+7dxtbsoz,iv:2nDoT7GAo3MYb2cNY21LRVHYEAT+SfukYJx1L7DM5us=,tag:T6039IsOGRbN1thMAzAkKQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: grafana + namespace: grafana +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1g67vnulzds6lsw4sqvvavxjn0kz0h6u2lnt5znu3yne0xhe6sgss0an4zu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NmZPZVVEakJNWnJOakJW + MmwvNVpZZERDMEZiS2Uyc3ZibFl0eU4weUZFCmpEdDlNSU9LVHh0cThNaWhFYlMr + VjVhUllkMm1VUkx5ekZiZm1XK1VvbmMKLS0tIG9jQzVCdnFnTXU4dXBuNjZ4OWgv + MjRwempQUkVHMWdsR0ttZlZnTi96WlUK7Y4AjVjiCL+pFabBnTFsR8OaK9HT52S+ + o6iMzaPhBTDy5pGm8QBqcsMw4E9qPnv0mNU4mH5kev29mBwiEyguCw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-31T15:15:53Z" + mac: ENC[AES256_GCM,data:7+Mi8iHk9FWCw047l+sG3ncy1bqXzL3K8dkjayJE53sEVj89H4TIArM9dSZnBm8pU4QiAkQGYdQbpL5LSSUxiB4jgqV/rvrsiZvjbuSPFoyJ+BZb8+lG79fmX2wdts2kPnSc0FExMWn1jhMk53CtRSv44p+qV7U+9gTpBOrnI3Y=,iv:QnLl5XHgnpVFjG809rp6SETRe2rCEJgw42z96fUf7t8=,tag:V1yn0lxFkCSAGss224vOjw==,type:str] + pgp: + - created_at: "2023-12-31T15:15:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + hQIMA+/EGAve9YBkAQ//cn5L4SSNPTjQIxFwO7pLBj1vh6GTywMUO9LzKeMYZEKa + 
IZL8B6dgR2SGKKHbMeQFp6J5NpD0w2dMWedo2lze8RhutdLMOQKoeDQJJyM5/8ph + pI2k20tHpAVBQ+Gtb99dxJncAC85rB8Qs0CN5DQVar45zYkLf2RZ7r5r97mJDliO + 79/GEvI+GqKb8iCrDWyOH+UUFKfFm+NYd0hEXCSld7TXObGc1pEO6MpRhNF/fNi4 + SpUBtZWvc4rQ+HbZHuFEfva/qHgrIxak88M0yLGecQEvXbkkgKjmRW6RL4qtiEOs + 0vLdB+UqVuOSDcvYJwADgFm1YLuXfavWfgi2PdM9n/2PxpQTO/8GfmQZVZcO1GdL + xnPv4OEbhIyke5g5GdhIazJ7Dm6onN0KX1nWpLF5DbaN1OkfDSxcq/t2BVQDw1tn + w6EFdZQoqb1rdvCHJT6lv2KStMB/K5nWBpHkIPa9J6Bm064R4pwyL0xM8xJ6BoWg + HJdTVuCJwpUN08gFTfXztT3AJKUAVxLg5bo32rwgs/5XJD1EFVFlpZRUWX8RC3eQ + PaMN7mFbNhIFoiiDGGZlJA2LeNCAoCeW0x2/7XC1ZEQ8DDqfCGitrFZfIVN9l+Sj + nOJgIQqBWUTjCUXf0caVjbj9QKtEBhqJw1l3BInwCf3ewzca8cgjVyrBybm0nMzS + XgFp9+imjBWl0fW1PHdukOMblR/iWChIdYzWIYQou11e8Ply19JsmAMYyh+1VBrw + WvtiIhD4jbotHHyjs3WFqeB7Bl/ldy4QbbAJ4izFJCSaz7rRQZmjcIqsikbIqHc= + =T3Qm + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/rs.soeren.cloud/minio-mirror/kustomization.yaml b/clusters/rs.soeren.cloud/minio-mirror/kustomization.yaml new file mode 100644 index 0000000..2a8965d --- /dev/null +++ b/clusters/rs.soeren.cloud/minio-mirror/kustomization.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: minio-mirror +resources: + - ../../../apps/minio-mirror + - namespace.yaml +configMapGenerator: + - name: minio-mirror + literals: + - SOURCE_SERVER=https://minio.rs.soeren.cloud + - DEST_SERVER=https://s3.amazonaws.com diff --git a/clusters/rs.soeren.cloud/minio-mirror/namespace.yaml b/clusters/rs.soeren.cloud/minio-mirror/namespace.yaml new file mode 100644 index 0000000..08b7d4a --- /dev/null +++ b/clusters/rs.soeren.cloud/minio-mirror/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: minio-mirror + labels: + name: minio-mirror 
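Review bot: clusters/rs.soeren.cloud/jellyfin/sops-secret-grafana.yaml is a byte-identical copy (same blob 3fab879) of the grafana Secret, carrying the Grafana admin password, database password and OAuth client secret, dropped into the jellyfin directory where nothing references it; the jellyfin kustomization lists only the app base, namespace.yaml and pv-config.yaml. It is encrypted, but a second copy of credentials in an unrelated directory is exactly the file that gets forgotten when the real one is rotated or re-keyed, and if it were ever added to the jellyfin resources it would apply a grafana-namespaced Secret under a kustomization that sets `namespace: jellyfin`. Delete it from this commit.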
diff --git a/clusters/rs.soeren.cloud/minio-mirror/upsert-secrets.sh b/clusters/rs.soeren.cloud/minio-mirror/upsert-secrets.sh new file mode 100755 index 0000000..3d4d360 --- /dev/null +++ b/clusters/rs.soeren.cloud/minio-mirror/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash ../../../contrib/upsert-secrets.sh diff --git a/clusters/rs.soeren.cloud/minio/kustomization.yaml b/clusters/rs.soeren.cloud/minio/kustomization.yaml new file mode 100644 index 0000000..f595a05 --- /dev/null +++ b/clusters/rs.soeren.cloud/minio/kustomization.yaml @@ -0,0 +1,46 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: minio +resources: + - ../../../apps/minio + - namespace.yaml + - minio-pv.yaml +configMapGenerator: + - name: minio-config + behavior: merge + literals: + - MINIO_SERVER_URL=https://minio.rs.soeren.cloud + - MINIO_BROWSER_REDIRECT_URL=https://minio-console.rs.soeren.cloud +components: + - ../../../apps/minio/components/istio + - ../../../apps/minio/components/pvc +patches: + - target: + kind: VirtualService + name: minio + patch: |- + - op: replace + path: /spec/hosts + value: + - minio.rs.soeren.cloud + - target: + kind: VirtualService + name: minio-console + patch: |- + - op: replace + path: /spec/hosts + value: + - minio-console.rs.soeren.cloud + - target: + kind: Certificate + name: minio + patch: |- + - op: replace + path: /spec/commonName + value: minio.rs.soeren.cloud + - op: replace + path: /spec/dnsNames + value: + - minio.rs.soeren.cloud + - minio-console.rs.soeren.cloud diff --git a/clusters/rs.soeren.cloud/minio/minio-pv.yaml b/clusters/rs.soeren.cloud/minio/minio-pv.yaml new file mode 100644 index 0000000..f8558a2 --- /dev/null +++ b/clusters/rs.soeren.cloud/minio/minio-pv.yaml 
@@ -0,0 +1,23 @@ +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: minio +spec: + accessModes: + - ReadWriteOnce + capacity: + storage: 5Gi + volumeMode: Filesystem + storageClassName: local-storage + persistentVolumeReclaimPolicy: Retain + local: + path: /srv/k8s/minio + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: + - rs.soeren.cloud diff --git a/clusters/rs.soeren.cloud/minio/namespace.yaml b/clusters/rs.soeren.cloud/minio/namespace.yaml new file mode 100644 index 0000000..ff9928f --- /dev/null +++ b/clusters/rs.soeren.cloud/minio/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: minio + labels: + name: minio diff --git a/clusters/rs.soeren.cloud/minio/upsert-secret-minio.sh b/clusters/rs.soeren.cloud/minio/upsert-secret-minio.sh new file mode 120000 index 0000000..9dad31b --- /dev/null +++ b/clusters/rs.soeren.cloud/minio/upsert-secret-minio.sh @@ -0,0 +1 @@ +../../../apps/minio/upsert-secret-minio.sh \ No newline at end of file diff --git a/clusters/rs.soeren.cloud/monitoring/kustomization.yaml b/clusters/rs.soeren.cloud/monitoring/kustomization.yaml new file mode 100644 index 0000000..28c1ab5 --- /dev/null +++ b/clusters/rs.soeren.cloud/monitoring/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - victoriametrics diff --git a/clusters/rs.soeren.cloud/monitoring/namespace.yaml b/clusters/rs.soeren.cloud/monitoring/namespace.yaml new file mode 100644 index 0000000..7a2edb6 --- /dev/null +++ b/clusters/rs.soeren.cloud/monitoring/namespace.yaml @@ -0,0 +1,8 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: monitoring + labels: + name: monitoring + istio-injection: enabled 
diff --git a/clusters/rs.soeren.cloud/monitoring/victoriametrics/kustomization.yaml b/clusters/rs.soeren.cloud/monitoring/victoriametrics/kustomization.yaml new file mode 100644 index 0000000..ee187cc --- /dev/null +++ b/clusters/rs.soeren.cloud/monitoring/victoriametrics/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: monitoring +resources: + - ../../../../apps/monitoring/victoriametrics + - virtualservice.yaml diff --git a/clusters/rs.soeren.cloud/monitoring/victoriametrics/virtualservice.yaml b/clusters/rs.soeren.cloud/monitoring/victoriametrics/virtualservice.yaml new file mode 100644 index 0000000..a30effe --- /dev/null +++ b/clusters/rs.soeren.cloud/monitoring/victoriametrics/virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: victoriametrics +spec: + hosts: + - victoriametrics.rs.soeren.cloud + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: victoriametrics + port: + number: 80 diff --git a/clusters/rs.soeren.cloud/navidrome/kustomization.yaml b/clusters/rs.soeren.cloud/navidrome/kustomization.yaml new file mode 100644 index 0000000..51cca5d --- /dev/null +++ b/clusters/rs.soeren.cloud/navidrome/kustomization.yaml 
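Review bot: The victoriametrics VirtualService publishes victoriametrics.rs.soeren.cloud on the shared istio-system/gateway with a catch-all `prefix: /` route and no authentication in sight; VictoriaMetrics has no built-in auth, so unless an AuthorizationPolicy, vmauth or an OAuth proxy lives in apps/monitoring/victoriametrics (not visible here), every read, write and admin endpoint is reachable from the internet behind a valid certificate. Either gate it with an Istio AuthorizationPolicy on request principal or mTLS, or leave it off the public gateway and reach it over the cluster network. A one-line comment on the VirtualService stating which of those applies would save the next reader the same question.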
@@ -0,0 +1,37 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: navidrome +resources: + - ../../../apps/navidrome + - namespace.yaml + - navidrome-data-pv.yaml +components: + - ../../../apps/navidrome/components/pvc + - ../../../apps/navidrome/components/istio +patches: + - target: + kind: Deployment + name: navidrome + patch: |- + - op: add + path: /spec/template/spec/volumes/- + value: + name: navidrome-music + hostPath: + path: /srv/files/music + type: Directory + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: navidrome-music + readOnly: true + mountPath: /music + - target: + kind: VirtualService + name: navidrome + patch: |- + - op: replace + path: "/spec/hosts" + value: + - "navidrome.rs.soeren.cloud" diff --git a/clusters/rs.soeren.cloud/navidrome/namespace.yaml b/clusters/rs.soeren.cloud/navidrome/namespace.yaml new file mode 100644 index 0000000..f6a74b3 --- /dev/null +++ b/clusters/rs.soeren.cloud/navidrome/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: navidrome + labels: + name: navidrome diff --git a/clusters/rs.soeren.cloud/navidrome/navidrome-data-pv.yaml b/clusters/rs.soeren.cloud/navidrome/navidrome-data-pv.yaml new file mode 100644 index 0000000..e5c5a63 --- /dev/null +++ b/clusters/rs.soeren.cloud/navidrome/navidrome-data-pv.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: navidrome-data +spec: + accessModes: + - ReadWriteOnce + capacity: + storage: 1Gi + storageClassName: local-storage + local: + path: /srv/k8s/navidrome/data + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: + - rs.soeren.cloud diff --git a/clusters/rs.soeren.cloud/rabbitmq/kustomization.yaml b/clusters/rs.soeren.cloud/rabbitmq/kustomization.yaml new file mode 100644 index 0000000..b3d50a4 --- /dev/null 
+++ b/clusters/rs.soeren.cloud/rabbitmq/kustomization.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: rabbitmq +resources: + - ../../../apps/rabbitmq + - namespace.yaml + - rabbitmq-management-virtualservice.yaml + - rabbitmq-amqp-virtualservice.yaml diff --git a/clusters/rs.soeren.cloud/rabbitmq/namespace.yaml b/clusters/rs.soeren.cloud/rabbitmq/namespace.yaml new file mode 100644 index 0000000..a1e0038 --- /dev/null +++ b/clusters/rs.soeren.cloud/rabbitmq/namespace.yaml @@ -0,0 +1,8 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: rabbitmq + labels: + name: rabbitmq + istio-injection: enabled diff --git a/clusters/rs.soeren.cloud/rabbitmq/rabbitmq-amqp-virtualservice.yaml b/clusters/rs.soeren.cloud/rabbitmq/rabbitmq-amqp-virtualservice.yaml new file mode 100644 index 0000000..7c201bf --- /dev/null +++ b/clusters/rs.soeren.cloud/rabbitmq/rabbitmq-amqp-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: rabbitmq-amqp +spec: + hosts: + - rabbitmq-amqp.rs.soeren.cloud + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: rabbitmq-amqp + port: + number: 80 diff --git a/clusters/rs.soeren.cloud/rabbitmq/rabbitmq-management-virtualservice.yaml b/clusters/rs.soeren.cloud/rabbitmq/rabbitmq-management-virtualservice.yaml new file mode 100644 index 0000000..34e4c21 --- /dev/null +++ b/clusters/rs.soeren.cloud/rabbitmq/rabbitmq-management-virtualservice.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: rabbitmq-management +spec: + hosts: + - rabbitmq-management.rs.soeren.cloud + gateways: + - istio-system/gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: rabbitmq-management + port: + number: 80 
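Review bot: rabbitmq-amqp-virtualservice.yaml routes AMQP through an `http:` rule on the gateway's HTTPS server, but AMQP is not HTTP; after TLS termination the ingress gateway will try to parse the stream as HTTP/1.1 or h2 and reject the AMQP handshake, so this host cannot serve brokers' clients as written. Exposing AMQP needs a dedicated TCP or TLS-passthrough server port on the Gateway plus a `tcp:` route, e.g. `tcp: [{match: [{port: 5672}], route: [{destination: {host: rabbitmq-amqp, port: {number: 5672}}}]}]`, with the service port taken from apps/rabbitmq, which is not visible here. Whether AMQP and the sibling rabbitmq-management UI belong on the public gateway at all, with only RabbitMQ's password auth and no AuthorizationPolicy in front, deserves an explicit decision rather than a default.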
diff --git a/clusters/rs.soeren.cloud/stirling-pdf/kustomization.yaml b/clusters/rs.soeren.cloud/stirling-pdf/kustomization.yaml new file mode 100644 index 0000000..02c993f --- /dev/null +++ b/clusters/rs.soeren.cloud/stirling-pdf/kustomization.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: stirling-pdf +resources: + - ../../../apps/stirling-pdf + - namespace.yaml +components: + - ../../../apps/stirling-pdf/components/istio +patches: + - target: + kind: VirtualService + name: stirling-pdf + patch: |- + - op: replace + path: "/spec/hosts" + value: + - "stirling-pdf.rs.soeren.cloud" diff --git a/clusters/rs.soeren.cloud/stirling-pdf/namespace.yaml b/clusters/rs.soeren.cloud/stirling-pdf/namespace.yaml new file mode 100644 index 0000000..64774eb --- /dev/null +++ b/clusters/rs.soeren.cloud/stirling-pdf/namespace.yaml @@ -0,0 +1,8 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: stirling-pdf + labels: + name: stirling-pdf + istio-injection: enabled diff --git a/clusters/rs.soeren.cloud/string-is/kustomization.yaml b/clusters/rs.soeren.cloud/string-is/kustomization.yaml new file mode 100644 index 0000000..2673748 --- /dev/null +++ b/clusters/rs.soeren.cloud/string-is/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: string-is +resources: + - ../../../apps/string-is + - namespace.yaml +components: + - ../../../apps/string-is/components/istio + - ../../../apps/string-is/components/istio-proxy +patches: + - target: + kind: VirtualService + name: string-is + patch: |- + - op: replace + path: "/spec/hosts" + value: + - "string-is.rs.soeren.cloud" diff --git a/clusters/rs.soeren.cloud/string-is/namespace.yaml b/clusters/rs.soeren.cloud/string-is/namespace.yaml new file mode 100644 index 0000000..cffa2db --- /dev/null +++ b/clusters/rs.soeren.cloud/string-is/namespace.yaml 
@@ -0,0 +1,8 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: string-is + labels: + name: string-is + istio-injection: enabled diff --git a/clusters/svc.dd.soeren.cloud/.sops.yaml b/clusters/svc.dd.soeren.cloud/.sops.yaml new file mode 100644 index 0000000..7727350 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/.sops.yaml @@ -0,0 +1,5 @@ +--- +creation_rules: + - age: "age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes" + pgp: "875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637" + hc_vault_transit_uri: "https://vault.ha.soeren.cloud/v1/transit/sops_kubernetes/keys/svc-dd" diff --git a/clusters/svc.dd.soeren.cloud/acmevault/kustomization.yaml b/clusters/svc.dd.soeren.cloud/acmevault/kustomization.yaml new file mode 100644 index 0000000..8d2ed5f --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/acmevault/kustomization.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: acmevault +resources: + - namespace.yaml + - ../../common/acmevault +patches: + - target: + kind: Deployment + name: acmevault + patch: |- + - op: add + path: /spec/template/spec/containers/0/env/- + value: + name: ACMEVAULT_VAULT_K8S_MOUNT + value: svc.dd.soeren.cloud diff --git a/clusters/svc.dd.soeren.cloud/acmevault/namespace.yaml b/clusters/svc.dd.soeren.cloud/acmevault/namespace.yaml new file mode 100644 index 0000000..4b740e2 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/acmevault/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: acmevault + labels: + name: acmevault diff --git a/clusters/svc.dd.soeren.cloud/actualbudget/actualbudget-pv.yaml b/clusters/svc.dd.soeren.cloud/actualbudget/actualbudget-pv.yaml new file mode 100644 index 0000000..ed53357 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/actualbudget/actualbudget-pv.yaml 
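Review bot: The `creation_rules` entry in `.sops.yaml` lists the age, pgp and hc_vault keys but no `encrypted_regex`, while every Secret committed under `clusters/svc.dd.soeren.cloud/` carries `encrypted_regex: ^(data|stringData)$` in its sops metadata, so that convention currently lives only in the command line of whoever ran `sops`. A future `sops -e` that omits the flag encrypts `kind`, `metadata.name` and `apiVersion` as well, and kustomize can no longer parse the manifest; add `encrypted_regex: "^(data|stringData)$"` to the rule so the config enforces it. Separately, the `acmevault` Kustomization in this line pulls its base from `../../common/acmevault` (and `aether` below from `../../common/aether`) whereas the other overlays in this commit use `../../../apps/<name>`; confirm that `clusters/common/` exists, since it does not appear in the visible diffstat.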
@@ -0,0 +1,21 @@ +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: actualbudget +spec: + accessModes: + - ReadWriteOnce + capacity: + storage: 1Gi + storageClassName: local-storage + local: + path: /mnt/k8s/actualbudget + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: + - k8s.dd.soeren.cloud diff --git a/clusters/svc.dd.soeren.cloud/actualbudget/kustomization.yaml b/clusters/svc.dd.soeren.cloud/actualbudget/kustomization.yaml new file mode 100644 index 0000000..118ebfe --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/actualbudget/kustomization.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: actualbudget +resources: + - ../../../apps/actualbudget + - namespace.yaml + - actualbudget-pv.yaml +components: + - ../../../apps/actualbudget/components/pvc + - ../../../apps/actualbudget/components/istio + - ../../../apps/actualbudget/components/istio-proxy +patches: + - target: + kind: "Deployment" + name: "actualbudget" + patch: |- + - op: "replace" + path: "/spec/template/spec/volumes/0" + value: + name: "storage" + persistentVolumeClaim: + claimName: "actualbudget" + - target: + kind: "VirtualService" + name: "actualbudget" + patch: |- + - op: "replace" + path: "/spec/hosts" + value: + - "actualbudget.svc.dd.soeren.cloud" diff --git a/clusters/svc.dd.soeren.cloud/actualbudget/namespace.yaml b/clusters/svc.dd.soeren.cloud/actualbudget/namespace.yaml new file mode 100644 index 0000000..6cda8e5 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/actualbudget/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: actualbudget + labels: + name: actualbudget diff --git a/clusters/svc.dd.soeren.cloud/aether/kustomization.yaml b/clusters/svc.dd.soeren.cloud/aether/kustomization.yaml new file mode 100644 index 0000000..89dc95f --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/aether/kustomization.yaml 
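Review bot: The `actualbudget` PersistentVolume has no `claimRef`, unlike `anki-pv.yaml` and `changedetection-pv.yaml` in this same commit, which pin their volumes to a `namespace`/`name`. Without it, any `ReadWriteOnce` PVC requesting `local-storage` of up to 1Gi from any namespace on the cluster can be bound to this volume first, handing a foreign workload the data under `/mnt/k8s/actualbudget` on `k8s.dd.soeren.cloud`. Add `claimRef:` / `  namespace: actualbudget` / `  name: actualbudget` under `spec`, matching the other two PVs.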
@@ -0,0 +1,36 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: aether +resources: + - ../../common/aether + - namespace.yaml + - sops-secret-aether.yaml + - sops-secret-aether-taskwarrior.yaml +patches: + - target: + kind: VirtualService + name: aether + patch: |- + - op: replace + path: /spec/hosts + value: + - aether.svc.dd.soeren.cloud + - target: + kind: Issuer + name: vault-issuer + patch: |- + - op: replace + path: /spec/vault/auth/kubernetes/mountPath + value: /v1/auth/svc.dd.soeren.cloud + - target: + kind: Certificate + name: minio + patch: |- + - op: replace + path: /spec/commonName + value: aether.svc.dd.soeren.cloud + - op: replace + path: /spec/dnsNames + value: + - aether.svc.dd.soeren.cloud diff --git a/clusters/svc.dd.soeren.cloud/aether/namespace.yaml b/clusters/svc.dd.soeren.cloud/aether/namespace.yaml new file mode 100644 index 0000000..db1437e --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/aether/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: aether + labels: + name: aether diff --git a/clusters/svc.dd.soeren.cloud/aether/sops-secret-aether-taskwarrior.yaml b/clusters/svc.dd.soeren.cloud/aether/sops-secret-aether-taskwarrior.yaml new file mode 100644 index 0000000..49543ec --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/aether/sops-secret-aether-taskwarrior.yaml 
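Review bot: The third patch targets `kind: Certificate` with `name: minio`, while every other resource and patch in this Kustomization is named `aether` and the base `../../common/aether` is not visible here; if the Certificate in that base is not actually called `minio`, kustomize aborts with an unmatched patch target, and if it is, the name is surprising enough to warrant a one-line comment above the target explaining it. The Issuer patch rewriting `mountPath` to `/v1/auth/svc.dd.soeren.cloud` looks consistent with the `ACMEVAULT_VAULT_K8S_MOUNT` value used for this cluster above, so only the Certificate name needs confirming.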
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + taskd_credentials: ENC[AES256_GCM,data:JbYLeWSRnP9dkLDCzps8iJCL1cztGBg9Ay4Xl+bXV54aSTtrWGNpV9oWg6pnEDlm7FO0iRW/BLOh0iqMhkz2JSmHOd7LhrAOrB+ElVORoej4rwIySlk4vfJDIa8=,iv:tqidEnHc20mjHz9ZfLLk8X3qlaF/wZdRZzpwOyO+PGk=,tag:GbvaXkPCrkK4onTSg82d+g==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: aether-taskwarrior +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:36:57Z" + enc: vault:v1:l/hTVIjzUHxwCH7+X0BQTwu7UObnf4tjcDSEyWSxgahOHgqI5YJBHcoLmrdubvWiwiLu7e220LyJY81Z + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIQnVzdVU1ckQ4dldxSWdN + cjBFOWJoY3NGNitTc2hWMXZlQ3B0WjFvMUhNCnpJU1pNT1V1d1lYcTdhMkRrZWpv + N25YVjRDMWpGRDNMcHJOL3dVUjgzaEkKLS0tIHZVTjZNYWJ5QnhFUVZyeVhVdTZF + Q0RCTXNZUjBZOFhaL2VVN1VNZ3NNQ0UK9FwjrjCkVQzhSyBewpdEfr6fxnUoESCO + c6wCMF8qVTEvOlzUCwb+XARaa5ia+qiZqeXyj+Sbg35Vemi3BycSxg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T08:26:30Z" + mac: ENC[AES256_GCM,data:agzImf/6b3hzOIbfsukTwMAyGKSdDrjsCsI+U5DGrMf7JIuNwWR7hN/61zxpXa3z4kxYEpYJBpidQ73Hv8/3rGqknIrBW11S89V/h3jsLsiWDkizr4Dls/O0H6VJKUWw1rq+7uFpE8ti1ofG4Ki6AHEPhJroaOVkxVO+PuMVJjs=,iv:GLMXBQDvbZfZs8FlOdtKf95Qvkoudik4IP28lvnjdd8=,tag:inL8z9u7pQE8XDogbE2BRw==,type:str] + pgp: + - created_at: "2024-06-28T08:36:57Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAjyNwJ+NAG1lrEM7Ty5HewJ422LrO9dEP4PADiOBJq/Nq + VbZKN5i8XuV266gQkJMi1b4n/B2SKF+rPCP9oNvx8fTw/65x1kgnlLFM6MsXsZyW + sMEC9x0llymp2N2IXML0rByRum1PvSYZNExwqvLy4pW6iwm1iwM2z7WQrmnxbIDz + 45AH8JZ3EMc0oi29vMs3TxRjZCfUlV2UPoRizp221NesMGUZcpfdLGzHPDJbKZHl + 2MwNkgTsQZtyQcSOuqpRDomu3AWmYw3VISbxSBt0npH7AY0wrwWKKHx5KpE7hnLr + A8gv1XY0MqQMtOdSp/l/wbrLuNnHQIxqNT5EptBtXaii6mLCMKokGjH1+GhAhuf4 + 
alzC8qDdroKlij3Rx/Pevexiv0/9bQCWNUGrrfu3AJkW9zDz8Chpj/i2nMvVjS2S + ejUyRz7EpZFEknjP03IPLxG5LL/9xwebAKXRhnJqsKycKbA6WBXgNOTMVjqLvzqV + 0UpWIpYMYhYGlB5pFmRGFXk1IB+xf5OXCevlCUpJbbnJsFB8cvMLFm9pPKvOdsUw + ZjTc9eo+cMq5nqNAs5drMSYVS8b5phKw3Vy8gDe5xQviJ2VG3bHT7d7SR8nr9lSY + EJlNm+Bg4rOxa0QYhPtlWx1Defcyd0HPqstsVCNusXpPavVxit4brG7sVKBZ73PS + XAHjlRsBldVhKXlFHnTTeDNblB99drywTdKXtzrOP/ZXQQIZBMU4KhgHULPkeZiP + ZpAyxSEId8Pqc2SNVrpoE2cNi569C0knMjhOVWfvd3I3sHw2onpmPTL6FApm + =8Xtf + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/aether/sops-secret-aether.yaml b/clusters/svc.dd.soeren.cloud/aether/sops-secret-aether.yaml new file mode 100644 index 0000000..a0211ed --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/aether/sops-secret-aether.yaml 
@@ -0,0 +1,60 @@ +apiVersion: v1 +data: + caldav_password: ENC[AES256_GCM,data:MmuHywsRKOFDCfv4p7+GR7jGGnPfEz0x/7MEvMxJIp3EtmcO+8K85x24PDrbX5dtyYPpfFn5bslTtrRFHKdlSSTIAAY=,iv:RlfWzqoT4vBLcTzltW3ZTnsgdOsD9uZWNPSsj3QTkWs=,tag:EIhjwvqmSlMIQhhBUq90Qg==,type:str] + caldav_user: ENC[AES256_GCM,data:SIn/7Y+ZzzM=,iv:8Ex6Obw5ruzAfx1c9H96UoEIs+cji6a7EhYbfyTfuGs=,tag:SqcWRMo5YTrG31f3adz/bA==,type:str] + carddav_password: ENC[AES256_GCM,data:vff3JMSWsfKbQsReOTdNQIWv9XkNGarV6TLlFrhJimR/OG5olw/DjBK+2uExcdTdhF8BMZyIyfT5uArrc8hOZb48gKI=,iv:Hn7btj6Ui4k6BVAhxCR+QO20r0TdP2jEOZYr7OudGEw=,tag:ksKwp+IDquZxKgAczEga0g==,type:str] + carddav_user: ENC[AES256_GCM,data:947+93LnUJ0=,iv:g3zDQb0j1ws+SacRFaW0jiDFx4Hg5xP27CdN2W6LoI8=,tag:mOz1YeowQNKcmdLIX3XBiA==,type:str] + email_from: ENC[AES256_GCM,data:GssLjpUqAvIGarVKGbn0YytDldAJs8WswfxpBijgjBI=,iv:g85V0LpcZr5HzymAQMZZ8J+4Rh6/FqbAZkotarAiPHs=,tag:i0BfgFIjfKMH4KLtulwsFQ==,type:str] + email_password: ENC[AES256_GCM,data:sz8fK0eQKMdQ4L+Bql7iLPnIApHedlh3/f4OhFanxa++PaT4,iv:PAiNWRufehInMXS03Bll2tdCwrZsSJpws7bQxGrwOUg=,tag:YMbHlEZO76Cu1nERxrVyFA==,type:str] + email_to: ENC[AES256_GCM,data:Q1ArpkMhzIOGRDcckBUJdNEjjEeMGk92vJ6y0U8NgMs=,iv:M1pGKzqQqO/f4IWfOVAeSC5uxuIkX7Sz82yvhPfYuQA=,tag:yd5Gng9ojkONshcJSIjR3Q==,type:str] + email_username: ENC[AES256_GCM,data:1koBQBXCR9ZaT1LCQ6Uz6NMgGJ+iIOud4uBC/Bx/LIs=,iv:cCpECXZa1kU5ivWi/cuY9HSth/NwZxdmCBa+Fb2YMYU=,tag:Zjv+6Ia5hWq5rmH3M1DRTg==,type:str] + weather_apikey: ENC[AES256_GCM,data:692TTqwYdpk8mjAs+NNCkFUwYu9jZpi7VNinZHvXUrMjAc3Tih9zxdHbmog=,iv:U7fFmrI3lOEthLiw/vQ05ZAmxAOhh4ckNDrNALD8i3E=,tag:dc0WMoTtVH93h3TA4lHKpg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: aether +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:36:58Z" + enc: vault:v1:VxDiVj/NgVjpKtM3pEnx59r5IlV5LnzL26dlheJ4A+HReR8zVmVr5RKsQsmveBI+qWcs4HXH2yjCYaQd + age: + - recipient: 
age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0OXNJd1RGMEtkL1RQZ2pa + Y2tNby9QRTBNd0owSXNxa1JWY25DK2ZUcTBrCnNRQjF4YWxjK1BCdEpLemJFaExv + NEFuWkNIMDN1VTRzU0N5ZG5EbElzaDQKLS0tIG1pa3FxaVhaUmdMalV0UkhUT0lv + L1laMjQ4RmVuL1RqWEsxL2FKbjlGZTgKbOiPpLTznj6mq83pbzYFEAjuqc3NBbo/ + sZNb4zgmNlc8V8pTSHALpAKxSehuvku71BzrIYx44/FEwxy/XVj3xg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T08:33:28Z" + mac: ENC[AES256_GCM,data:2yJVNDDzYff3HtRDK7TvEJ/X2HBLyR9Q01p6tVMpqU1kbJRZzkDo/257+KALhApdJ/L0OboeT6lK/mLOw8zfox+SfWvPAIZAm+NkqkPPaU/iWn6Fb5YSCMEcNnlH+GVod+pVnEEgLKVT78cbG8mKlGJbSC4OMULMaV+S+mnYeA4=,iv:J57sCe7Z0bhJcNKhkQEx2vFnUYIQAzxB0sQ+zpAasSY=,tag:XNZOZXIuHsJogJp35zlsDw==,type:str] + pgp: + - created_at: "2024-06-28T08:36:58Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/9FKYcroeWqbuvMPon+0a7b/2UZbo8hg8PV+vVG5fCDb7Q + USVcNkFvGa1MW3EpUjejyeUaoQly8f2dH+uF/1TexnyeYdhU94kTb33Yt8mvPX0X + tioN7sfZrOzFa1VrmnXjT1KJpFA33dHHnIaYabwUdEIqFN3OtDxmWfEYUHEZxGEE + Jm4ehd74DLjBUtt2wUPRTUZQODWTkEy7nn7oRwb3k1Ko2tuKFI6b02uapKi4QV9r + deM1b82cz4VB3Pqx6rXrhIgDkJdYDH8HjhxKv3dsnpc4smsTxNIuCAmwa54kM3CR + MoeYuDfpJ9LEpusxdnZZBnr3/5tqcRhzMeumRZXLfkMjrQK1+ZcVgdar/7RIockN + o33UfEM0OhfoYfJJpzA0ZZe7qcS31lTJ1Epb17n36FW45SRmt7ub0RsrzkdHECPp + V9YMtFgFsRu49jDmzA+dPQzPy3AMO5iuXN5+HLKU2IkQf+DqxcnDpTq7jX1+E34f + J3tO6zaRbF/C9OwsB05FTTUcevUhq+rC4ZgWzfT4yIXzKHy45EDcRlu86vNf92LI + msTEcQYiirjof9PK5yw/HnLgsP/CYJMArPDcxFhbPpfxoRKE4f1QrkFPWY+TU2uB + qd+od+p11MMxsGXSqcdam0MhAuN7T89PaCT63uBRsnpk9ETk1W/8vqfIjhF71zPS + XAG0y8E/6qkqvskdQGu0CsUeJ9j9RmlfFYRUlw/lYolY5Zz+6f1J6eZicq4ShgST + mj4iL70AxyM3MLi6ne3GeX6tCUY8C1KWV3Ll/9Jd5tR3TEv4XqbH9nzLxo+T + =85pO + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 
diff --git a/clusters/svc.dd.soeren.cloud/aether/upsert-secret-aether-taskwarrior.sh b/clusters/svc.dd.soeren.cloud/aether/upsert-secret-aether-taskwarrior.sh new file mode 120000 index 0000000..9562d54 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/aether/upsert-secret-aether-taskwarrior.sh @@ -0,0 +1 @@ +../../common/aether/upsert-secret-aether-taskwarrior.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/aether/upsert-secret-aether.sh b/clusters/svc.dd.soeren.cloud/aether/upsert-secret-aether.sh new file mode 120000 index 0000000..e24acb7 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/aether/upsert-secret-aether.sh @@ -0,0 +1 @@ +../../common/aether/upsert-secret-aether.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/anki/anki-pv.yaml b/clusters/svc.dd.soeren.cloud/anki/anki-pv.yaml new file mode 100644 index 0000000..e423763 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/anki/anki-pv.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: "v1" +kind: "PersistentVolume" +metadata: + name: "anki" +spec: + accessModes: + - "ReadWriteOnce" + capacity: + storage: "1Gi" + storageClassName: "local-storage" + local: + path: "/mnt/k8s/anki" + claimRef: + namespace: "anki" + name: "anki" + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: "kubernetes.io/hostname" + operator: "In" + values: + - "k8s.dd.soeren.cloud" diff --git a/clusters/svc.dd.soeren.cloud/anki/kustomization.yaml b/clusters/svc.dd.soeren.cloud/anki/kustomization.yaml new file mode 100644 index 0000000..9604031 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/anki/kustomization.yaml 
@@ -0,0 +1,18 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +namespace: "anki" +resources: + - "../../../apps/anki" + - "namespace.yaml" + - "anki-pv.yaml" + - "sops-secret-anki.yaml" +patches: + - target: + kind: "VirtualService" + name: "anki" + patch: |- + - op: "replace" + path: "/spec/hosts" + value: + - "anki.svc.dd.soeren.cloud" diff --git a/clusters/svc.dd.soeren.cloud/anki/namespace.yaml b/clusters/svc.dd.soeren.cloud/anki/namespace.yaml new file mode 100644 index 0000000..7d06723 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/anki/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: anki + labels: + name: anki diff --git a/clusters/svc.dd.soeren.cloud/anki/sops-secret-anki.yaml b/clusters/svc.dd.soeren.cloud/anki/sops-secret-anki.yaml new file mode 100644 index 0000000..1df4bb7 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/anki/sops-secret-anki.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + SYNC_USER1: ENC[AES256_GCM,data:Dz7nLTxV50IGbCvzuOr9GRz4EfzDQg3haidktyZNfcsMtjUjpJ0jrZQaTbI=,iv:wINYeRARy1zmVNPP/93RVObuQSxVckVCw+kG7fIoI9s=,tag:/SzIkkCBnPApOLVg9s0zKA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: anki +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:14Z" + enc: vault:v1:erltzha938cUfJAAD/WBN39dWtzcn2ASD9YOS3zGuQlgBzUa3HuT13KdiYJzwhHjO10TgFksireIzDyu + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0akhzc09CakR0MHlwd1Rn + b3JNVFBWM01aeXNVQjRPWGlMMml4SHhFd1ZVClZQVGdwaC9sanh4dW4rNGgrWlhV + VkRTTWMyRmVQd0tlUStJY0NjblNKTEUKLS0tIEdRZkhYcDBHaEdhd09Rc201b2li + NEhYL3EwZ2tNZlNUOStyalRXbit1dWsKKMK/J7DzzH1Ymuh39q+xxR43hbXjsfDV + 8K+bbugQBo0ufHfrFtkSvbDDNByxTSRTrNyNTrRFbprbd79xuFOIKA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:48Z" + mac: ENC[AES256_GCM,data:Y4SgOKqKy2IHq2wFmOzZAIUKeal5jrSTApRIgmY0qGXD9qBv1uznA2NTrYmclPJ7ixN3doA3MFAh6Q8txv3E88kyGLyP4YMOrDSc+i0UO+vVPBxL2GHnIJ4kax5SrkqkP/Iw/4x1FP8DcIdwtRnk7ta9ehvC5oA5bAjDv8OFdfo=,iv:IsrmisubkhyW9LTQ12NeA9wry2b4RtSOfIzrbb0hioU=,tag:9G7IYsfRLq6ZUBhJfwmImQ==,type:str] + pgp: + - created_at: "2024-06-28T08:37:14Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAgU8oJJ0Qv6xkE8uVtCLLej9VbpSbLRjk/f8ku3xXNjjL + 20JCv6DQSEHpfDaEwrHV0/QOpGYCWPnDX2RN7NFbuhI6xU8kgdE7ucIWScZWO97v + qQ6r5a3JNpgxRbJzpD8Z8FxLBvHdo23BUBb4w1e5/IRdWtKf9BWsMdh393j3wnSq + Ncwuvm7UTJmpLgLTJcqDPhzuZjBpPz+xgGzi7TKjraLFCPMLykw4DWQH0jPptbsz + 1CVJ94UNdzcIi7oDzqrVo91f1x9qtgTH3xej8Xtav868RmfMA3PoIvxrdFrhMKK0 + pLQDg8MwdqAO3EPDMqxsMUiEqzce2IQtlYtnjaqjoDAW2Hgvdmns0Fpo6ykR+UMy + RxQyIcsJhE5JN3CAy7NbDBgfNBzi90Wt/XOBjkGCjiqqWsQir5Jf1d1UzGFeQFFW + 
DzmASJF8xlaWWU+RSt6ie7b5rWuAdVjJEngGBQVL5Vl3RFc9GP4JvQ06eUKyMoTx + gJgwIocO1xFPxZ9OVLIYTBAiSpQbfhneLIRIu5cfgRMQl9Ngo6cmIiKaWQ031NqI + NvuTUTit9/p0ZhE9+XXkubHUSD/8HoAXGcMMM7pdGzlCZWyh6M9EtXLDAg/d/+rp + Dw9o1ZJSjfmwWl/QE68CVyId+e4p8aE3OsaV0lJGuOHpwOXnkGpqFf5oJz3jpCrS + XAHDf2jb2fh694uo4wQoS5jtpaN5JhJpCqtam3w4YP/SwhP+k/vMJ3b9v/EH/Xwd + DR6qlcaFVmx8pEM9Hx9qvyvZBeCw5ienSUTAYiAAp+aKNP064Q50/JZdIcmD + =ZIri + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/anki/upsert-secret-anki.sh b/clusters/svc.dd.soeren.cloud/anki/upsert-secret-anki.sh new file mode 120000 index 0000000..996c3dd --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/anki/upsert-secret-anki.sh @@ -0,0 +1 @@ +../../../apps/anki/upsert-secret-anki.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/argocd/app.yaml b/clusters/svc.dd.soeren.cloud/argocd/app.yaml new file mode 100644 index 0000000..c89faec --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/argocd/app.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: repo + namespace: argocd +spec: + project: default + source: + repoURL: "git@github.com:soerenschneider/k8s-gitops.git" + path: clusters/svc.dd.soeren.cloud + targetRevision: main + directory: + recurse: true + destination: + server: https://kubernetes.default.svc +syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/clusters/svc.dd.soeren.cloud/argocd/kustomization.yaml b/clusters/svc.dd.soeren.cloud/argocd/kustomization.yaml new file mode 100644 index 0000000..83a3a85 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/argocd/kustomization.yaml 
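Review bot: In `argocd/app.yaml` the `syncPolicy` block is at column 0 (`+syncPolicy:` has no indentation after the marker, whereas `+ destination:` does), which makes it a sibling of `spec` instead of a child, so the Application CRD drops or rejects it and `automated`, `prune: true` and `selfHeal: true` never take effect — the app would only sync manually. Indent the block two spaces so it sits under `spec:` next to `destination:`. Since `prune: true` is combined with `directory.recurse: true` over the whole `clusters/svc.dd.soeren.cloud` tree, a comment above `syncPolicy` noting that removing any manifest from git (including this Application's own namespace resources) deletes it from the cluster would be worth adding once the indentation is fixed.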
@@ -0,0 +1,44 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +namespace: "argocd" +resources: + - "../../../apps/argocd" + - "namespace.yaml" +components: + - "../../../apps/argocd/components/istio" +patches: + - target: + kind: VirtualService + name: argocd + patch: |- + - op: replace + path: /spec/hosts + value: + - argocd.svc.dd.soeren.cloud + - target: + kind: Deployment + name: argocd-server + patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: argocd-server + spec: + template: + spec: + containers: + - name: argocd-server + args: + - /usr/local/bin/argocd-server + - --insecure + env: + - name: ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT + value: "0" + resources: + requests: + memory: "64Mi" + cpu: "5m" + limits: + memory: "1Gi" + cpu: "1" diff --git a/clusters/svc.dd.soeren.cloud/argocd/namespace.yaml b/clusters/svc.dd.soeren.cloud/argocd/namespace.yaml new file mode 100644 index 0000000..9d6c62f --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/argocd/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: argocd + labels: + name: argocd diff --git a/clusters/svc.dd.soeren.cloud/bookstack/kustomization.yaml b/clusters/svc.dd.soeren.cloud/bookstack/kustomization.yaml new file mode 100644 index 0000000..bda00d6 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/bookstack/kustomization.yaml 
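Review bot: The argocd-server patch sets `ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT` to `"0"`, which disables the server's cap on concurrent login requests and with it the built-in throttle on credential guessing against the local login endpoint; neither that nor `--insecure`, which makes argocd-server listen over plain HTTP, is explained in the hunk. If the expectation is that the Istio gateway terminates TLS and the login path is rate-limited elsewhere, say so with a comment above each line; otherwise keep the default count and let the gateway talk to the server's TLS listener. Note also that `args` in a strategic-merge patch is replaced wholesale, so any flag set on the container in `../../../apps/argocd` is dropped by this patch, which is easy to miss when the base changes later.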
@@ -0,0 +1,28 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: bookstack +resources: + - ../../../apps/bookstack + - namespace.yaml + - sops-secret-bookstack.yaml + - sops-secret-bookstack-oidc.yaml +components: + - ../../../apps/bookstack/components/istio + - ../../../apps/bookstack/components/oidc +patches: + - target: + kind: VirtualService + name: bookstack + patch: | + - op: replace + path: /spec/hosts + value: + - bookstack.svc.dd.soeren.cloud +configMapGenerator: + - name: bookstack-config + behavior: merge + literals: + - APP_URL=https://bookstack.svc.dd.soeren.cloud + - DB_HOST=dbs.dd.soeren.cloud:3306 + - OIDC_ISSUER=https://keycloak.svc.dd.soeren.cloud/realms/myrealm diff --git a/clusters/svc.dd.soeren.cloud/bookstack/namespace.yaml b/clusters/svc.dd.soeren.cloud/bookstack/namespace.yaml new file mode 100644 index 0000000..be8b6f7 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/bookstack/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: bookstack + labels: + name: bookstack diff --git a/clusters/svc.dd.soeren.cloud/bookstack/sops-secret-bookstack-oidc.yaml b/clusters/svc.dd.soeren.cloud/bookstack/sops-secret-bookstack-oidc.yaml new file mode 100644 index 0000000..071e3a1 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/bookstack/sops-secret-bookstack-oidc.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + OIDC_CLIENT_ID: ENC[AES256_GCM,data:BuWmvaDx/fMIJ56N,iv:U5Hesvs9iOpvfjilYdt18g29wtPVXN9sCuyXdm4ymRQ=,tag:rhB+jdNmvd2JlI3mtoPo/w==,type:str] + OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:CQcWuwF3fh5Psse5gVsCoHff++W1s4+PmidUoa6uvspbkWMo/aotP3tX1QM=,iv:iShmpfDjVd5NcNITg0/DtB+YLegmMq9kHGn0cRdTVz4=,tag:b2SWW4uQlyXwRsox0kCdaQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: bookstack-oidc +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:13Z" + enc: vault:v1:VjY+8TgTodaniXz5K8BX/+ofDnJ738bY7l5UT2jlv2Qv0vdLMqkSOJ4xTyqW9jliIDRNG6L4lVrON4sL + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraHRXTGJQSWl5ZGkySG5z + RVBlWW1razc2TTVrbGpoSVhxUno1NVZZK1dBClZZeFZiWFlabk5aR3FKYmlSNWpR + dGxOUkdqaHMzQStwMHRDUGR1MkxVbncKLS0tIDVEbEREUlhzdXNQWklNNHdmVDJE + REJZVFQ5YUxZMUV1SnR4MVFER2xYMXMKT6W7fyQXcTbD0o2SkG4tXJmeonJXXFEB + +ymuO5X5MDqxNFLYA/3TOMjVddhxzO1cnVmicmXFGuhUZB4UK6TgEA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:47Z" + mac: ENC[AES256_GCM,data:MdGfDLX4rQZmtTiIfxusIGDieOamVbte+xTcJNigenj5OxCvyQYoQfVmUvRN5QU7TVyISDg4O5MRTZK72FDOw+lcjMwbr8P7mG+yiihSnRQMHQYaeCw9dAtDLBqP3CSez39ht+67s1PWEFDmQhEh0/pRGf+CGuLP90EHU3y78Jk=,iv:SpaeAkd/QFGECvkxdIJCtKBeHnJg35Im9ovfHf+jq+s=,tag:9ptJ4L2r6P0eYNeiumFcNA==,type:str] + pgp: + - created_at: "2024-06-28T08:37:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//ZrC7BibossXXVtsjrERdD8BchSKBZjTeFZ+amtCmsafH + T3DEA9wi0zh7aYjyt6TYs4enT6IkOP4vK1tN1n+pa0apk5ogbJBo61Kpl6xNRDIq + CO9OuEHeROJGMAzQJmHw9geg54RkFBEOp7xxsQ30BD+Zfxa/P2TNRjx6NUwHiX1D + f+5X2yQiZ9xSVOx1bXgNkuqYlQrDg2v5EsN/vcHLsuHBok2FyqrLckf49mb+dEbJ + zu4Wi9VsKgqwcIoJNm+L2J4Gw8+G0PwZ9OSOW5Iz3flOQV2mdHvsw+zqFP1gkCOD + 
wepC8qE1E9ICisXfimVmOigGdgdeT/e8mIcgLrDaSxksB9v4XcURxkPmYzaAxR/1 + z7N4pJM8HNcMDXVZ/sMXWfB+lXBZLmpdgQd1ZGQ4cyBGAxYkVmFN3l4epNbzTnGG + 56g+uoGBq8PYFhMnEBzVJb6hs8gU2qnM/JHca1HlTl8B/tnYOeYS1RKQjqAujeCK + 0WnSLJ/CbCi7Sy7gx7yFvwTctvN27A8VY2ihD1bDQnv0mmk0TI3JoB5cgROcQCgs + b0QHe2vbJvHhY+LPMixfECnDxffzTel14yAzJbgZxTZSApweH3ReXGZgBThnkBqo + QaX2DFfxIdAKXdLHajKE2fApnqXMqO/99M0CcrL80W7N1QeDJfDymZnzBBG8bpvS + XgEr4xGwki0QXkwzRsmn9jD7NH+LT3pxKxxgL/KtXciX1fjHwWiKcYRqWdExpUgD + LT3GbImKMNh6CmbE+P1UZxIeLOp2EpJ1g3zfdk5IgBkjFGh4b0nr2TFmkGe89dU= + =s1i+ + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/bookstack/sops-secret-bookstack.yaml b/clusters/svc.dd.soeren.cloud/bookstack/sops-secret-bookstack.yaml new file mode 100644 index 0000000..f354af1 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/bookstack/sops-secret-bookstack.yaml 
@@ -0,0 +1,54 @@ +apiVersion: v1 +data: + APP_KEY: ENC[AES256_GCM,data:wO9zAlCYLeEP/FwcvowcX81pLSAnSFmy+fNMSO4rQxAbbDVlSSjrSTPMN/Y+UKyEBuAa5aiZgDoyaHeC16nmXDy/9Zk=,iv:/tW3zCNbcrIa6K1JcssKidlQB296pjKS9OuAiUXS740=,tag:wzbx2mhvzFq7JhE7K8ZqYw==,type:str] + DB_PASSWORD: ENC[AES256_GCM,data:yv4F5H7T1XrI0M0z,iv:24gFvZHmu33CrdNHs94pIrP88otUKPkqYPBYHP7zTWU=,tag:kRF9gBAiSR0EuVWyEpcUPQ==,type:str] + DB_USERNAME: ENC[AES256_GCM,data:aRq6CMTV0/jUcIwG,iv:59jNf+lJZND3hYzXyhqPHR2vONm0/oMyiDB8ZWpQkhk=,tag:AV0ZQXBS+VuNlxLIIFLbgA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: bookstack +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:12Z" + enc: vault:v1:16BFIFrK0P1r3JL1DSdI+1UqDycAq6e66l1C4kDCyvaOBDQg6GSTtzssl8vU9vMtiyeBqFsihrxYvWnb + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ZzlIMjNVMlZJVm5oVFVB + LzhidmN3MkNoZ2FGY2k0QXFOWGl5M204MmgwClNSdGtHNFZzREV0SVdsS3dXWmdl + OE8yZTZNUzdzSjZoQ2phejNjT1p0QXcKLS0tIFNYNHZzWWRTb3R3WXhNeURhdjh2 + bWkyNkNvelFsUFp6a3Z6eW1TS1FnTVEK02VRUfvjYBpNaHW8rFbHGccqaguAKq05 + m3SW1ys6ZABujnJQICRqHLsvr2JVIi4ixdv7qq5XwKE1cPa8MZqBHQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:47Z" + mac: ENC[AES256_GCM,data:0wjrPPPMA9bzx79O6OhNHP2IjMbm9nNSa2cP0d9EI4F3WPFwhR0+rw4CVUivQY8t09e2u6OYpSNkcfTSEwH0YyyCsciAbuxytEpEbD3H0aosTpTHfWPqQ4XtLvQ/WiBfibWuo+o4LcP2yAqvKjIgyR5Xyr6LAbEAtQwlZpsAMKQ=,iv:dfysWmxkMVA9zEYGuvT6ZlcfaxSkZuzKcfYI2fwhVf4=,tag:x8ZGCB2O11qR2j4FGX3Qcw==,type:str] + pgp: + - created_at: "2024-06-28T08:37:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/9F3Vt0IfjVs7MQdAsAOxru/xdhyLsfKOK5Yo66fN4T4GS + EhxD2/WHfsQEYTKvWM6R7bOBW1QojPHPIaa9o6iKG8Ut8AEGrhLiXHObYdCBo7VZ + 
SoiVPiBn/VUP8j/qNDM9fXidhk4kjv4gLUxwUkkQtm9Gd1QPvTrHDCvrDkVCdmkQ + BXU/a13i7inhDoqbtN0DKApKD5WthGFqUhwh3LIYwIN+5Qt6MfC+hO7WDUUi2lU9 + kdmBGvtzxTUzQ/2eNLyUre5Vx7+0VijMzLW0GaIW3qy+PdJuIB4n1pLwCJYLbCOW + F8Ggy8Tt2OudSV1bR94Eu9GBPiwBRjEaHcOjh+I5uZXJTyELrWyGP/CwjW681NZj + BaAY5JVONOyg/4S25Wj4l9mJaKfm2xEK6aJmoy0eHY7Nhv+ryakjzT9jUMu02FIm + gf4hgb2F5Pw2tKyCXvZkS68VU8qVI9iN082Hjfz6BcowmGmkqvCdIp2GY19g6wX2 + xIwDEf12Pyn0Pzu/Rhbt9oVAN0X8evvrd6hv1RhM8RONwuj/Iux8alxNcKVCWECD + vBxn9gvtygAJ7HrZXfRj9oQGQ3YIKriqb19A0Ai5Bpn6QHC5U6lv9RTJoZvvGJYs + tYvcIin2SK+8JMNjoi7VYaA7fgRyCe82bJ9i/Pd7vu0u9Dl5hOwVFd2BFwWFt57S + XgHjBRMIwfxW1cUhF0B3kXgIf1fNdv/d8T0hIDLj/hyJQ2q/6zhxGW93DANC5Q7t + lMqV8RCXV3ks2AGWTXOw2hiFRgazYlNXDkOwfiagK6J6Jwn8I187ZCySnA5GaN0= + =2WIt + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/bookstack/upsert-secret-bookstack-oidc.sh b/clusters/svc.dd.soeren.cloud/bookstack/upsert-secret-bookstack-oidc.sh new file mode 120000 index 0000000..ec852ab --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/bookstack/upsert-secret-bookstack-oidc.sh @@ -0,0 +1 @@ +../../../apps/bookstack/components/oidc/upsert-secret-bookstack-oidc.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/bookstack/upsert-secret-bookstack.sh b/clusters/svc.dd.soeren.cloud/bookstack/upsert-secret-bookstack.sh new file mode 120000 index 0000000..6e64814 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/bookstack/upsert-secret-bookstack.sh @@ -0,0 +1 @@ +../../../apps/bookstack/upsert-secret-bookstack.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/changedetection/changedetection-pv.yaml b/clusters/svc.dd.soeren.cloud/changedetection/changedetection-pv.yaml new file mode 100644 index 0000000..2bfd189 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/changedetection/changedetection-pv.yaml 
@@ -0,0 +1,24 @@ +--- +apiVersion: "v1" +kind: "PersistentVolume" +metadata: + name: "changedetection" +spec: + accessModes: + - "ReadWriteOnce" + capacity: + storage: "1Gi" + storageClassName: "local-storage" + local: + path: "/mnt/k8s/changedetection" + claimRef: + namespace: "changedetection" + name: "changedetection" + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: "kubernetes.io/hostname" + operator: "In" + values: + - "k8s.dd.soeren.cloud" diff --git a/clusters/svc.dd.soeren.cloud/changedetection/kustomization.yaml b/clusters/svc.dd.soeren.cloud/changedetection/kustomization.yaml new file mode 100644 index 0000000..08797e6 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/changedetection/kustomization.yaml @@ -0,0 +1,32 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: changedetection +resources: + - ../../../apps/changedetection + - changedetection-pv.yaml + - namespace.yaml + - sops-secret-changedetection-oidc.yaml +components: + - ../../../apps/changedetection/components/oidc + - ../../../apps/changedetection/components/istio + - ../../../apps/changedetection/components/playwright + - ../../../apps/changedetection/components/pvc +patches: + - target: + kind: Deployment + name: changedetection + patch: | + - op: add + path: /spec/template/spec/containers/0/env/- + value: + name: BASE_URL + value: https://changedetection.svc.dd.soeren.cloud + - target: + kind: VirtualService + name: changedetection + patch: | + - op: replace + path: /spec/hosts + value: + - changedetection.svc.dd.soeren.cloud diff --git a/clusters/svc.dd.soeren.cloud/changedetection/namespace.yaml b/clusters/svc.dd.soeren.cloud/changedetection/namespace.yaml new file mode 100644 index 0000000..d71ed4e --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/changedetection/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: changedetection + labels: + name: changedetection 
diff --git a/clusters/svc.dd.soeren.cloud/changedetection/sops-secret-changedetection-oidc.yaml b/clusters/svc.dd.soeren.cloud/changedetection/sops-secret-changedetection-oidc.yaml new file mode 100644 index 0000000..6f14a3a --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/changedetection/sops-secret-changedetection-oidc.yaml 
@@ -0,0 +1,55 @@ +apiVersion: v1 +data: + OAUTH2_PROXY_CLIENT_ID: ENC[AES256_GCM,data:SGlm00vZq8sPAWqZ11NVehFGDkc=,iv:HDA659u0ve4ycpA0cTUajgWbjYgg3u5f9AN5ThJ1qus=,tag:2rF2bozTp23+SqOgVSof2g==,type:str] + OAUTH2_PROXY_CLIENT_SECRET: ENC[AES256_GCM,data:bjp0/AsIakH+4V0CScS5iDHSFSn5tIUlORnlsF/SJJ+zACWWWEJ+onK2oTQ=,iv:NXsKhjoLNUByjpt8t4Ze3Ck1IPl7UslDmI5jYedygc8=,tag:FFLeyV9rUMNhCFDV6cEjAQ==,type:str] + OAUTH2_PROXY_COOKIE_SECRET: ENC[AES256_GCM,data:Ifkwv7DpXYVYlghNtSaN3ybeICQaaieuBsjdGrXb29MwtCdWkByHEafbDtovK4RkPVbptKoLaiRkIMPz,iv:TGnw6I6duN626wRNhbKC21Dd+a0KRr2W8iDHXJI3m6k=,tag:XfteGLfmtuKAWHFwNlSvww==,type:str] + OAUTH2_PROXY_EMAIL_DOMAINS: ENC[AES256_GCM,data:CwQ9Lw==,iv:R4RsAlJJxHq9/yPWv053dxw8huHQhhQYuVoW39xrf3Y=,tag:r/7s7Xvh5Gl9CNldhvw3dQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: changedetection-oidc +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:27Z" + enc: vault:v1:1ul2n1XUYmnLh1oYGkoBzn9DKXGQ7GhA50D6iE+qE6zmhvNpJ5sVmkG9Y80N30p5jJqx221ggwiiiick + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUnBKK2l1azFTeGhwbUJa + UllWUG9Xc0phaDN1RjBITjRvNnZPK3ZGMmxjCklpeEQ5V0NlQnN3LytnWndhSmxO + cU8ySjdFaVhrWUtTRUsveERqV0Y0bjQKLS0tIGtuK1JxTGx6WDJSQWVhc25BM2lW + VmVlQWx5Yk55ODh3dkZKbVFkbkNLYUkKUiqw3pc6qgGDmkNpqhQ01zWqW5mPTjrF + 9UQfXSEo46b8XeyBqa6myNygzAVwz/MPMDbpNzgWRCrA8kreRLMtkQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:20:59Z" + mac: ENC[AES256_GCM,data:BsIN4OMo1iEVJHJTQuWFrIfv455z6PWRPQlo6ygiAaSzvuiuw1jv+8ZCETBsaYRiz6JEm4F73IECZY+XoNbv/F2cyCa6lrQOXcVxOULBUUe6tfuhlM3VTm7drf+cUaN7qCgQdKGw4Kl34iQf+leE7ThgEwL70ohYstfaKgH3qbY=,iv:C1TTp3XOFOauPRktUin2tFVhTDeZ3vehip1lP44Ud2A=,tag:Cgmyj4tVD86J8DOiOuWfHA==,type:str] + pgp: + - created_at: 
"2024-06-28T08:37:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//U+9M47PN8hSk81NLmK7xc/Dapa2LhEbY8pYFIOf/3IV7 + xWG6epjoxcUhtp/BtBpThzhPs1JlwOho83STgrXSvuL+pXEsjpYmq9EKj3N30qHR + 9TO50dQk/amW1d6HLFmS52pwdTgMa3dase23Td1tl3V/4w+8FQbK/iwZcCJdGwQk + 2IhHVGnwtXvDPV4q0XyfBDBtMGjAfzBGPussb1K14xeA1VBy+WlpBel+DXMRiQ0o + 9R6gp1c8urP/juNFqbhKfO83scknWqLR8okl4RR6zc44bZ11FfJVyUP1uyYcnShQ + ThMR2ZVPfyKilhX410bRLTnFsutonOMKwW3BVsS6pehrt2yRZoln+nK+x0pzIJxl + 5IhAOBTmnMGLV4qf8I7mNXauQGaMjrZ91W5Ycv7iuKY2RBgNRZgaCTsjWNSLaCEc + IAOI+vi2ghPb+RKc2TdOSe5M8eoA7ya0eFPEhVhct1pkqbzyBmscPRrbfgjURY3k + 18IE4k36uiQgmr6FuaI0wyd83TqFmAitAPbRd6+YcD0FKfUQthkt10c/GBoVXslY + 3NQi5MXAMBWy+JWS2HxtlIJ7z/iV4RE2L8ziyDvk8ELEmW/9AW0vpXTQErd9fgY7 + T8p/RWERawaNdSL9AchwZQ3nZpu0EYyvdO3mahakbfMQGbodN5m4219yfNCRB3fS + XAHj8IlB9VKNWcCLdra4dM9W7dWIGycQ1ylNCXEgnuNc8SqXfPibOn0SEGuLUwic + Q9fe4q8tAXZ7Grgeldsfua59VDzD1ZOzjlO8qHEeIWiSwNDUl72KUj435beG + =vNbM + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/changedetection/upsert-secret-changedetection-oidc.sh b/clusters/svc.dd.soeren.cloud/changedetection/upsert-secret-changedetection-oidc.sh new file mode 120000 index 0000000..7185831 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/changedetection/upsert-secret-changedetection-oidc.sh @@ -0,0 +1 @@ +../../../apps/changedetection/components/oidc/upsert-secret-changedetection-oidc.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/container-registry/kustomization.yaml b/clusters/svc.dd.soeren.cloud/container-registry/kustomization.yaml new file mode 100644 index 0000000..17c260e --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/container-registry/kustomization.yaml 
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: container-registry
+resources:
+ - ../../../apps/container-registry
+ - namespace.yaml
+components:
+ - ../../../apps/container-registry/components/istio
diff --git a/clusters/svc.dd.soeren.cloud/container-registry/namespace.yaml b/clusters/svc.dd.soeren.cloud/container-registry/namespace.yaml
new file mode 100644
index 0000000..3f451d7
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/container-registry/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: container-registry
+ labels:
+ name: container-registry
diff --git a/clusters/svc.dd.soeren.cloud/device-stalker/config.yaml b/clusters/svc.dd.soeren.cloud/device-stalker/config.yaml
new file mode 100644
index 0000000..c1a2536
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/device-stalker/config.yaml
@@ -0,0 +1,33 @@
+---
+devices:
+ - name: "ines_phone"
+ target: "icmp://ines-phone.dd.soeren.cloud"
+ - name: "soeren_phone"
+ target: "icmp://soeren-phone.dd.soeren.cloud"
+ - name: "soeren_tablet"
+ target: "icmp://soeren-tablet.dd.soeren.cloud"
+ - name: "soeren_notebook"
+ target: "icmp://soeren-notebook.dd.soeren.cloud"
+ - name: "soeren_notebook_work"
+ target: "icmp://soeren-notebook-work.dd.soeren.cloud"
+ - name: "soeren_desktop"
+ target: "icmp://soeren-desktop.dd.soeren.cloud"
+ - name: "ps5"
+ target: "icmp://ps5.dd.soeren.cloud"
+ - name: "tv_livingroom"
+ target: "tcp://tv.dd.soeren.cloud:36669"
+ - name: "firetv_livingroom"
+ target: "icmp://firetv-livingroom.dd.soeren.cloud"
+ - name: "tv_bedroom"
+ target: "icmp://firetv-bedroom.dd.soeren.cloud"
+ - name: "mpd_bedroom"
+ target: "icmp://mpd-bedroom.dd.soeren.cloud"
+ - name: "mpd_livingroom"
+ target: "icmp://mpd-livingroom.dd.soeren.cloud"
+ - name: "mpd_office"
+ target: "icmp://mpd-office.dd.soeren.cloud"
+mqtt:
+ broker: "tcp://mosquitto.mosquitto:1883"
+ client_id: "device_stalker_k8s_dd"
+ default_topic: "dd/device_state/%s"
+ random_client_id_suffix: true
diff --git a/clusters/svc.dd.soeren.cloud/device-stalker/kustomization.yaml b/clusters/svc.dd.soeren.cloud/device-stalker/kustomization.yaml
new file mode 100644
index 0000000..e26a7d8
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/device-stalker/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: device-stalker
+resources:
+ - ../../../apps/device-stalker
+ - namespace.yaml
+components:
+ - ../../../apps/device-stalker/components/custom-config
+configMapGenerator:
+ - name: device-stalker-config
+ files:
+ - config.yaml
diff --git a/clusters/svc.dd.soeren.cloud/device-stalker/namespace.yaml b/clusters/svc.dd.soeren.cloud/device-stalker/namespace.yaml
new file mode 100644
index 0000000..da2b1b4
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/device-stalker/namespace.yaml
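Review bot: The `mqtt.broker` entry is a plaintext `tcp://` URL and no credential or TLS fields appear anywhere in this config, so either the base manifests supply authentication to mosquitto or the broker accepts anonymous publishers; the file does not say which. Because the `dd/device_state/%s` topics presumably feed automations, the integrity of what gets published there matters, so confirm that the mosquitto listener requires auth or that a NetworkPolicy restricts who can reach it, and record the answer above the `mqtt:` block, e.g. `# TODO(review): document how this client authenticates to mosquitto (anonymous in-cluster vs credentials from the base)`.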
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: device-stalker
+ labels:
+ name: device-stalker
diff --git a/clusters/svc.dd.soeren.cloud/dyndns/client/kustomization.yaml b/clusters/svc.dd.soeren.cloud/dyndns/client/kustomization.yaml
new file mode 100644
index 0000000..e5cac1c
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/dyndns/client/kustomization.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../apps/dyndns/client
+ - sops-secret-dyndns-client-aws-credentials.yaml
+ - sops-secret-dyndns-client-aws-endpoints.yaml
+ - sops-secret-dyndns-client-keypair.yaml
+components:
+ - ../../../../apps/dyndns/client/components/aws-credentials
+ - ../../../../apps/dyndns/client/components/aws-endpoints
+ - ../../../../apps/dyndns/client/components/keypair
+patches:
+ - target:
+ kind: Deployment
+ name: dyndns-client
+ patch: |-
+ - op: add
+ path: /spec/template/spec/priorityClassName
+ value: prod-high-prio
+ - op: replace
+ path: /spec/template/spec/volumes
+ value:
+ - name: keypair
+ secret:
+ secretName: dyndns-client-keypair
+configMapGenerator:
+ - name: dyndns-client-config
+ behavior: merge
+ literals:
+ - "DYNDNS_HOST=dd.dc.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/dyndns/client/sops-secret-dyndns-client-aws-credentials.yaml b/clusters/svc.dd.soeren.cloud/dyndns/client/sops-secret-dyndns-client-aws-credentials.yaml
new file mode 100644
index 0000000..8ccac56
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/dyndns/client/sops-secret-dyndns-client-aws-credentials.yaml
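Review bot: The second operation in the dyndns-client Deployment patch uses `op: replace` on `/spec/template/spec/volumes`, which discards every volume the base `../../../../apps/dyndns/client` and the `aws-*`/`keypair` components declare and keeps only `keypair`; any volumeMount in the base that points at a dropped volume will then fail validation at apply time. If the intent is only to point the existing keypair volume at this cluster's secret, a narrower patch such as `- op: replace` / `path: /spec/template/spec/volumes/0/secret/secretName` / `value: dyndns-client-keypair` (index to be confirmed against the base) leaves the other volumes intact. The `DYNDNS_HOST=dd.dc.soeren.cloud` literal also differs from the `*.dd.soeren.cloud` naming used everywhere else in this commit; if `dc` is deliberate, a one-line comment above it would stop it being "corrected" later.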
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:ZOArb5rsMugExg4Zvq72z1TVqdGRG7fzX9VLaw==,iv:/eXWAbfODRbJkWkA52+ueuv+Ej1yqfqT+THGxLJA9EY=,tag:tPN7P1uLw0mjboAeQ2sQeg==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:7ZB9GrzCqvOk+3UlnUmIwwi1IjlQfV/B8T2E2Y6wooGe/hIhA1svXbBTCM+VuCHW6URED25xR2g=,iv:lhgSAdsCOQHAyazdW+0SVIX6PPWkPe9nL+kba3PYczU=,tag:2XMT/QXFdXnQPCOucYFWfQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: dyndns-client-aws-credentials +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:21Z" + enc: vault:v1:LZI/WrMLhUy40Z/UflDpbBodLlI+rfggTXexnbiwIu6L17Q/u23MwF5xeLdkeH4MUOnca/2wlQsE+JmA + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5K0pPYUZOelhPQ2w3dDB0 + bG9KTmJickQ5WHVVc0hYbmE1K3laWmhsVWo4CjNYTGFsNXp6UmFQWloxNlB2TE1T + bm1tN0QzeVpTRjZFWmFXOGNuRXNSSkEKLS0tIDN5elBkUXNybC81MmJsd1R5bjFm + elBSellEWGFGbnhHWVl2d2hzOXFKdkkKreXxoIvd+TdFBWJ7X5awBoxzWwbiqoyV + t3MK5oKojtUt4uNXD3iFUrEI6sDFMW5xyCzSJ2JBS7IA7NWCp41udA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:31Z" + mac: ENC[AES256_GCM,data:a09lLldxM1Gxh+ZGP/SQWSJEfZ5EvMmznqScBXAtjUGDj1e9RayEsesDC+wowVfht4mXh55ha80Fw3U34xpsm+eIxs1/2VtTiQ/NK0Eya2hwFGDCXl4eYSifzmLIecegMN2KXKDr4AngAx2K+Gix5xx6ZxSU7nzYjtYzAytan18=,iv:XxRzlhjDDZn871URsnvkID67XU1dKJVFs+jou0h/KkM=,tag:vO21NA5UejqXveENDeMaFw==,type:str] + pgp: + - created_at: "2024-06-28T08:37:21Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/9EOpaTMnq3QaeH4nqsEt9PyKfxj5EHTKYC0GhadE/lPrD + /pHPsFi4IPwgDJ651FxOQJgWCSMsEqRVnxys9NiQpQws5QBjfpuc4HWx5iTUN1/s + Z2kr3w/SESagSZI9oy8xKDDWmymg6umt6IgUHBbnWCENqQEWvU0LKOp2XEg+K9MS + rxOWjr0nvvnJ1r7q5hK/arQPRZShCF3bH3PqgNMz2cy8Gj5H9+Vo0j1+3Z9z/bld + 
WfJ+ghg2qcAWJizy4wAcdhUYLUndcNKQUeOM7s5sCVgZvglEcVEOyEnEjMNDmeT3 + 44fGKB+oQ5AWygXrfFIh8xln5dGXqobaOGWg4TfbppQ3Gimz+iqxn+nW+ZFAf/Wh + OCMcWOQUU3NQOdlSBJoWi5yh3vfXQrCVDdhfRPIFPtEiNFHU70CcsUMwkDgrLvoy + 1HuckepGjQWpT4znxfba3vunvbAKm6v1+3yaCmXgT/wAgjn94uI5xA2n3CA40Xn3 + jofHpQJ6lI9MDQUdKpnEHTXcuR44mxzbSWPZnyFxvbojEbKfUuqKeVBgpoHP44TA + f0X907YBgpfGbYH4etO/9tligsecr/Ut8s8QvFMJDNL3A9yI4NG9sfCv9dNSsd/Z + t5lo6c3V52UEKlVPnN4xA0Nr6eRPlOPldfapLAEMVuzVwMgbIXuqomiffTSoDE7S + XAHQuBzqIAhLnCFnFAhlWeUqbneYf+xf9gNpai4VOgwNoRKRqAGZS9nBSnON9kir + Pko9Iz2dUya9td93tNB8C176fBcglB4TZGyGUNm+p2/lZnbOhGGiluG/cobf + =NE0F + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/dyndns/client/sops-secret-dyndns-client-aws-endpoints.yaml b/clusters/svc.dd.soeren.cloud/dyndns/client/sops-secret-dyndns-client-aws-endpoints.yaml new file mode 100644 index 0000000..17465e7 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/dyndns/client/sops-secret-dyndns-client-aws-endpoints.yaml 
@@ -0,0 +1,54 @@ +apiVersion: v1 +data: + DYNDNS_HTTP_DISPATCHER_CONF: ENC[AES256_GCM,data:ir1jOhMs/msz30FAvB1D/5wdaQd9jqrVYj8TutnOQSEZuGPwT83/eR8gcpIHtGz9WgeJwY2qu0xTtzH6zU8L81yW26fvCu7IWPtnW4a32nEmel2xWDKk57XrdjgBERT/PqGz/G9gYY0=,iv:mOaj1kjc1IseX8/50wFGQma0jWf7/5Gewny5MEg7Bwk=,tag:CLAEX92UaxhUrIaviYlhVA==,type:str] + DYNDNS_HTTP_RESOLVER_PREFERRED_URLS: ENC[AES256_GCM,data:lt9JRJ+Z/CwFvJ2sBUtX8zV0yJIJ+ww9SWQP5deOVNo4+p8SATJwz8Kq7BZIphVWF2GlRkPzlmaA1nk0DLyUoLOC1SZ2ObVmN5RldvN/HNO6CwXMi7AexJmlDSwVBb40Ya4zEK1zGF7igWC6Fd6MSZ+zkLMolq2ap5W1obJfgrHCac/H6EkGFyrjhRB3EjFH9D+KKVby5WiGH4BbQqr2EZB9I3JhNj/+VEWtU8p4fS9TonnZ1F/f80/oPp7mfiYQYPryXQ==,iv:9iw7MFwccQrD2QnSIcG8mKzHj/b/oTORBtk7vhShDyM=,tag:j8cIfsZZANCpqgGDptjp2g==,type:str] + DYNDNS_SQS_QUEUE: ENC[AES256_GCM,data:jYe2vbvEojz58+ZdBC+122x09Hf7D5xWQSTaHcZJNsWb5uYxgJVdAhtoDY+jl11LaMgBC1Yje3gBTQsJa3jPqX5C32+7lIDZfP7KZRcBspo=,iv:+Tiw0PYrRogvVRYp1ubf4Ggp2WsBbQhvaGFCP3mGLTA=,tag:tEEZP9AwW8HGgFuXK3prtg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: dyndns-client-aws-endpoints +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:19Z" + enc: vault:v1:IIZuZIpy9IXM1en5yE74gHfpTnvyGusbFkzvfwAC9Yc9NScjw29TzYdkHXRa3AZsS7VLh9Sp1mEbP8x6 + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNnAwdnBrTmFhOEhVVGp0 + T05kYW0wY0VMYTFpL3JPNG0xeWp2dEw3akJNCjRTdGpGWlRrOCtHU3B6Y0lZNVkw + bWFKY0tLbEtpNFRHMklrY1JvWlVSM2MKLS0tIGJvOFZSSkdKUnRqemhwY2ZRM0I5 + RGZ6K3loL0JGLzYvZDBQRmVsTDVNL28KDW5It4lkbFfTm8oMIQwGYVK/pSivCv5a + qdUEcY+FgntH3MRAjIUlKZpnl0WSm0ngO3bMvQaiq+V2S2GY0KtsVg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:54Z" + mac: 
ENC[AES256_GCM,data:UzCUvGSdamnXmPLCmLmcYY/HzPoEuZZp84sgiCKGcBG7bl171YuSXqBWRShdydZ7OFuI5+GqPfoQjkUqmUpXhZJPkYmDsZuIymFoSOOawbrt4OrMwYI2mqnUT5Z437AANB7BqKY1SqMrLdaQg4Chz75uHWGfmmAv4wVMeqBhKb4=,iv:r0zNbVpLkZ5pfv+iUmJfa3Tee3tqCDqHGSms8vdZzqw=,tag:rln+wbEfpTfQONIleA1eyw==,type:str] + pgp: + - created_at: "2024-06-28T08:37:19Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQILA+/EGAve9YBkAQ/1FrdN2Q2F1yPBxTYYS+Ky6URrCcst9V2+/vSNLkaBVNSS + A/MyRwArg44lLytzs1H3kjBEmZpU2N0DCRkjFfTeM6C6c0abWrDBBLzQ9+ZYW+qi + cY8itm5SFI4OIqUSh7cBSoPUDoAVwE1cmFFRNbAnVJBuoIIsykU1K6dwnqiE/g4u + vCOc9u5ZEyqKXaDe//xXwOO2tr3RSXloJ0RQg/Bcito39ArLXRarj37CM0WN+Qcl + ymqYSeNazWrVr79tK0lLWekQ3BNIICYABdbu8XAmMCIB9Gjszsc+abeNqUfpU5Nh + yu+ExJpE7YDZoDIkiIIRf8EcamkYX68XtsGOzLbHzHJsHXHbZwifOzMD1HUWUWbk + 8XwBLKrKyXzx3wIfWIF6Y4W6B5sSRcjbvdg6xMuY43fhthv7bB6IhcsbkGfK/kDX + 4w3PGrlL7u9B493jWDUQQ1wRRSF8OkQy1iDBQhXhWAQDX4e54hvs/VNfsUNB0Lrp + IDb7xgVhILkgEMJiEW8HLUGG8FsKItXsRVSpMOsGwOMrzmIjFv0j78OovDgrcD6Y + uoBbQzgujMgNXm7Ro9wCJAER8VJpP7KQbA6nn+xKNN2l9RhO8Sh4xfBsiK/AYSLc + ljOX4DY/cWmjiCnKkHUA+xgptSwUCL8TLcJaoCncYULgFJQXeFS0K4PCenQe3NJe + ASJ38K6oASzCliXzqVrMRMW2Q7KxWdOgvXEWcJkHIlHsiZjwu/eB46bj7v51cVYj + jQii7hVtPddy7B+Uskd9zQBjUM/3ob1dFMFs9e3F4Vz/6WP+qNmalvovBafQHw== + =cZlx + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/dyndns/client/sops-secret-dyndns-client-keypair.yaml b/clusters/svc.dd.soeren.cloud/dyndns/client/sops-secret-dyndns-client-keypair.yaml new file mode 100644 index 0000000..aaa4455 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/dyndns/client/sops-secret-dyndns-client-keypair.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + keypair.json: ENC[AES256_GCM,data:qjJjbsFu9TJaj4/U4yWhCg6Etvgzelk+KG7xb2fuu5P1h559NRtzeohotuRGwuobZUQnkSYg/8xhEowg+8zyC2tDGindSyAplrRhA+ScEIfZINBVAeRI9o290av8siJCw8J1nGP6dGoCLrjffTo457MS/Rjhfe64EACLrwWiTWyoO1ZOlMK+uhNBvNDDelpHKxSQdmHFOXdKqtsXyKbchtlWIKx8mXjAQPwDsaGvvynqIx5dh3cSL5Od263+otJW+48RQPXH271ZIwbT9Z/vt4WcOYGmpn060j1Qp6FtioQ=,iv:1IczCkDDtdq6p+0/NjMTJgtQxk5+SVNONTWpVqFkYbs=,tag:RRQIUJwLrUc3XnCHgATozA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: dyndns-client-keypair +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:21Z" + enc: vault:v1:fb57K0+AoVnUJOcHP5kuZK/w1S058ATF6ojhLsPgQmS+LjiSRoR8Zd8AOZdeZIB6Eqaf+1X9edBu0M++ + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLTTFDVXV3M2tlVVZHT3Bq + QU1HN0FUMzJpSkhsRXVzRWxjb0Y1WVMxZUJ3CmxseEU0NnNDTXppU040QUt1WlM4 + clI3Y1FnV256Z01CdVBtdml4T0FRQTAKLS0tIFZZSytvZ3hzM2hpUGkwL2J6NEZR + RFp4bDBvSktMVlE1UkNLZXVUSDdONFEKj26LJocNSvJDZ+bf+rczoOMns7BD2VOO + uMTq9xlCN+NUxGDuqJT01budlTgDn4TRPcC+7x5D6whWI5nlyS+XfA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:29Z" + mac: ENC[AES256_GCM,data:JjpSnJqN8FYDqwYTc8MqGzl8OFx43nZDVpg3uvOVhEqSDfmrwFUjvDEFIspK5iFFSdxQwj6IXlWrKYryAd2aOxiFp4K+pVBW0MPZDu1QfKaxprU0kjhQfyzvczr0iNa30PjRXCgKOM0BVeLOst7EYJW0fJHRFOonAwMgmzDHfhY=,iv:NxX1IKj8H1Lx0gI6SSc1TwZYVQC5NDdBwqs/uKcrIec=,tag:SGf6/oWumy6yMWdO+QtdqQ==,type:str] + pgp: + - created_at: "2024-06-28T08:37:21Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/8CSMBK5xSz8nRpOZKaqddD/59+pQkWZDG6u+o1a7eJg53 + ACSNUtPbEbnSGSB4PcQ9ojm85puSgDU0zmm+YDadG/nDx21b3okrqHmmQ2pxXbhw + 9R/8WaM6Sx6l6f5Xl7dScgujPDSm3Wv+YEUssNCldsXcmnXtcsCtMoeMpGvPwfkq + 
DqxDpALv2z6vyXzDlOc9Y5CEjlTVsgsqD9v1AxU0+PwNyQ+/vAdxFkwxajIW+YyF + v7ZrqK76glDwLY8XsckJjAgJzKO+tzkG5e+y1zyXV2kz0TLfkNE5RlwgyxLkHdEI + xneev8rLtGpb+Nikm9eV28qBSA1whIFEefbQErQlsxF198Dlv0byOB57Lw4adchk + iVf2DWjAgBOYk+0PKG7X2oYx8L7wwP2xHxN/nvSohBrUYCBZ0I4QeqA/2wBtZqLZ + b8sRgVWsCpb8yVVtDbfFs6egd/Nx9lKIPMtnQEfw+oRH90JZcNOSdOxHk+NGDad7 + VHQpSxq5HB334xZ4MTQU3+HdaCE6QL+oonuuaBfSj1i1ouDoQ2HTpuPwZQxaZ4DS + 4HQnpCFPdrbn4jojZgNi0095rjZz6erSZYlkMAke/paKZNDeQBTu375kINEN2eM8 + jdMXVpeX6AlKiWlc9E3xuUg9tdOLh5qdgBBjwJj+q0HzQ+0mXvD//J4ecbtot8TS + XAGD0p9s5jv5AytWjnQ4MwpFisCL6tTudO7SgtQQwomOhf/yoIOAGdSGRZu9x++m + cfbXlHxRiWHsi/UGTvSxO6MkX94+gszHgBpjKYOvpsIQh4DD0ecvf38NAl10 + =GK98 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/dyndns/client/upsert-secret-dyndns-aws-credentials.sh b/clusters/svc.dd.soeren.cloud/dyndns/client/upsert-secret-dyndns-aws-credentials.sh new file mode 120000 index 0000000..f2ab471 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/dyndns/client/upsert-secret-dyndns-aws-credentials.sh @@ -0,0 +1 @@ +../../../../apps/dyndns/client/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/dyndns/client/upsert-secret-dyndns-aws-endpoints.sh b/clusters/svc.dd.soeren.cloud/dyndns/client/upsert-secret-dyndns-aws-endpoints.sh new file mode 120000 index 0000000..a7dc739 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/dyndns/client/upsert-secret-dyndns-aws-endpoints.sh @@ -0,0 +1 @@ +../../../../apps/dyndns/client/components/aws-endpoints/upsert-secret-dyndns-aws-endpoints.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/dyndns/client/upsert-secret-dyndns-keypair.sh b/clusters/svc.dd.soeren.cloud/dyndns/client/upsert-secret-dyndns-keypair.sh new file mode 120000 index 0000000..698dca5 --- /dev/null 
+++ b/clusters/svc.dd.soeren.cloud/dyndns/client/upsert-secret-dyndns-keypair.sh
@@ -0,0 +1 @@
+../../../../apps/dyndns/client/components/keypair/upsert-secret-dyndns-keypair.sh
\ No newline at end of file
diff --git a/clusters/svc.dd.soeren.cloud/dyndns/kustomization.yaml b/clusters/svc.dd.soeren.cloud/dyndns/kustomization.yaml
new file mode 100644
index 0000000..c1d74e0
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/dyndns/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: dyndns
+resources:
+ - namespace.yaml
+ - client
+ - server
diff --git a/clusters/svc.dd.soeren.cloud/dyndns/namespace.yaml b/clusters/svc.dd.soeren.cloud/dyndns/namespace.yaml
new file mode 100644
index 0000000..d266f22
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/dyndns/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: dyndns
+ labels:
+ name: dyndns
diff --git a/clusters/svc.dd.soeren.cloud/dyndns/server/kustomization.yaml b/clusters/svc.dd.soeren.cloud/dyndns/server/kustomization.yaml
new file mode 100644
index 0000000..1c4c228
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/dyndns/server/kustomization.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../common/dyndns/server
+ - sops-secret-dyndns-server-aws-sqs.yaml
+ - sops-secret-dyndns-server-aws-credentials.yaml
+components:
+ - ../../../../apps/dyndns/server/components/aws-sqs
+ - ../../../../apps/dyndns/server/components/aws-credentials
+patches:
+ - target:
+ kind: Deployment
+ name: dyndns-server
+ patch: |-
+ - op: add
+ path: /spec/template/spec/priorityClassName
+ value: prod-default-prio
diff --git a/clusters/svc.dd.soeren.cloud/dyndns/server/sops-secret-dyndns-server-aws-credentials.yaml b/clusters/svc.dd.soeren.cloud/dyndns/server/sops-secret-dyndns-server-aws-credentials.yaml
new file mode 100644
index 0000000..bd15322
--- /dev/null
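Review bot: In the dyndns server kustomization the base resource is `../../../common/dyndns/server` (three levels up, i.e. under `clusters/`), while the two components in the same file and the sibling client kustomization resolve four levels up into `apps/dyndns/...`; one of the two depths is likely wrong, and `kustomize build` will stop with a missing-directory error on whichever path does not exist. If a `clusters/common` tree is intended, a short comment above that resource line saying so would keep it from being "fixed" to match the others.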
+++ b/clusters/svc.dd.soeren.cloud/dyndns/server/sops-secret-dyndns-server-aws-credentials.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:93imWoDjVAMpzVq62vmzqPh3xTDXETBLcLJIxg==,iv:ezV6XQaBS8LvqVUK4BbWg6srbReq8uAyxIMp82ShXYA=,tag:gl4aavmh2MmkbI/7ajXZ0Q==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:3lVd3Yl/aYuB6liA1qYmQLRQ1OEqt5a0yQxiVnVSfcNz3MPGQ0NxJU4tzLWr8/mfNiU2KPaVW4Q=,iv:CHaQ9GuS6PFs9KzVBYJVKQdi/aTwH5Oz2AUG4+gdcPk=,tag:68CaOGf8ii/g0um5h91Lgg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: dyndns-server-aws-credentials +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:17Z" + enc: vault:v1:DlKmDPm0Lg7Nb8/+44/PtOy+wuo7cnuQpgGN8mJnralxi1CYPZLowyMaym3bUr7ftP3avWS8D8FmcEvP + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZCtTY2JlOWJrK1c5VlZp + UFBjcldDYkltRm0yWmJxWmVMUE51Y0lqTlZZCjl0Q2JYeU9CUHEzZnpkeHpaaTlN + NVo2bll5RzRpQ0xCV1RSU1h4SHdHelEKLS0tIGorVzlZbEtPNVlPT0FIbEdFbzI1 + RWRNOWF2ckNPcHB5YnZVdzZJcW1aeTgK+KO2X0okJSt96DMM4xFprKickBs8Db5t + P3eJGW+32j8KzmtQqIIfEQZ1evuP72QGmiFCut7gdGulXhfLn77T5g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:53Z" + mac: ENC[AES256_GCM,data:0G1swY2/CPKqce+XnkEjoYdl4Y8sm88Y0/iFU4T5F1NgO4ZL/JFj1G4xVWvWMXLiZ/sxxlop6q0UuC9HOVb8h7ZD5zzf6vG4Ka73V73Rz/EYcqoMemNlGjX0dLHPhgsHItWWVkAz5rK592SJMn+V7hnn8zgzUrpobFW8b/4FzNY=,iv:EI3j8EhPIjqD92FGEshm1o7xl89/PwKOAlSRQl70QHM=,tag:ukoU/3GuA2MtJPfcE/CqgQ==,type:str] + pgp: + - created_at: "2024-06-28T08:37:17Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAApWAPx3fIS1xB5DsnVNsIBz9A926EJ9pENn1SjrobIMhP + OC6wWy1OeVa42SRDH9RNhJ3qV88u6gEHN0w6Kaq8boy6OoQRJEJUdtRvVD9EGqI1 + Gatf68VcMhRt/A5DA5nDUaLsIk9YuyXLoMO8Q3u9c6qWNM486RoAC38bd5XSFtlW + +++e2PpF6fztOGRdDPhJ8Yd73jn8jSvkWTKUfL+wRRtq2qs5Uqqpklc1tm7+1zSm + 
BYYg6VQ9yAzJT0jKcTOysB74eTLjQ0PyFcruGrNBQmkr1ApKENrjZa+NZV/mWB32 + Cm20K4u9Gswo6v2cv+zPF9E68uMkX/UTCVLh9MmljlCKYLIiFHxY9eeI8l+XlEv+ + IFSXNvEEPa9rIneEHS9zzT7Ioq876c6hzBj+4Y1tAmzYg9zsbdL52iNrzpXvK12N + pi4AaKkSZgDj2RrSzTb5xnLDzLDKnT8MqHKv7hyfoZ2l8uUuBRSbgu2bX6/ga4Tv + G4285qHunxrD5fYUA4cQ6qGSvyq1FVAh3nxEJH9A924TD5Yk7sdfc5zI0Mva9o8l + p7+uzASDoU9RacKJB0sd+fR1oCr0/M9zBGStqSWyAj1PqYtcp2dqmnULIjzo5FVV + ZfDYZ2oN9T/Fd2Ilj+Tgv/+/LXjsqe39KvIBAo03fNbsQvY2D0w6MUtSJr+8o4/S + XgEMlX9foA0+rEcqt07VFuwDt+Io6v1PcdkDATU4KvFy6eCnLP6vgDpjlN2iraNY + jzG1kMwf8cgnD3XdE5prl3uy4+EJyH6AczOD0qo9KsayD+1xI/9sH5pqshHzd4Y= + =iLzz + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/dyndns/server/sops-secret-dyndns-server-aws-sqs.yaml b/clusters/svc.dd.soeren.cloud/dyndns/server/sops-secret-dyndns-server-aws-sqs.yaml new file mode 100644 index 0000000..d11b2d2 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/dyndns/server/sops-secret-dyndns-server-aws-sqs.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + DYNDNS_SQS_QUEUE: ENC[AES256_GCM,data:VZKL572NVAp3kTK79BbzXDa+imybk4rHZy9ajTgQrqBT7tkE+mwPLBHCkix53Tp5aBGtE9O6oDu/d4oJepDYWP+GSO2b8NEQmmUkVYF+hjA=,iv:3TexIV1GKMk1hIb/MHozwj0pNDOkio8+XbSp3rtgqG8=,tag:FpCdLmBcVVbcZNPDqMP/vw==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: dyndns-server-aws-sqs +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:18Z" + enc: vault:v1:MQFH5vE7HMKf99As+rlREHrZF6MPw0G4v1fmMycHE7SWZ4gf7Ylqeb3OHBYVOOmnBU+qffeH5+1hvRsG + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKUEFnbDUrVXo1SUJGSEhV + MlVaU0cxYU55QkNPeFFjVGo0cExzS1ZEK0cwCno4eHZaZ3kySE5jdTBkRkwyd3JX + Qm9tNll6Q08zVmpVU05BanFpV25YNHcKLS0tIHlJR2JLbWUxd1l4dDAwdUJETmdE + STFEMGFJeFErdWRNc2F0VHFodUp5OGsK4n9C6BUKh5eyMTBzLXxNdWeZS/EmHeSi + 3u3cweS5h/jqWske4ftF/guQ5VhzXLUIdZtp22XgvlC8XYqoWKEOnA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:53Z" + mac: ENC[AES256_GCM,data:t/kIzwy5uYX6sExJuiaUK5ALH14enRRlUpzCIWypR5lXJhcmF39fit/Qsll+5vyZ5aUBZCeYIyEVK6cRcoXaT3p7WycUWAvNjjmaUTiKn/jo4JNgv3AVCif7t0W9TzAAwJlrwy6Tk8As4Z/Jw11ELLlHFtOGSY6z03XT+CfolnQ=,iv:bu+QLLzmH2Ca6LhI0EHSLNsDTl+kZ+ZK9JXgJcWgonU=,tag:oqrPa4XPh6h+XMMJ0AfVjw==,type:str] + pgp: + - created_at: "2024-06-28T08:37:18Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/+NosYBEk+kNJw1CM2yqs3c0MtRXfnWOAQbp11E+oW1AAf + Nc9u9mXGseGT4TFhb+HTHHxdP0dxA5MOrtDVM6avgwH6uDRijC5EeS3dBy2S4NZ+ + 4Jvexx6DyxNEzSONbNYqBy7ryD80dOVu+cslAa/Ftk3mwKr3+nQ36gys752q+OxA + kyFJ7bGyyNQyf9ry9awlsqOJsqVRUwi5RqsxnKc3lQFpMENdHB4VYDksjJGKn8cj + 2z7GR/gVECCHVdDompSJrFaox7o2WOZnc5H3K+ECIaOAOAkeguzbrglBfs3MU3Rb + aXBRQVR9Y0yxhlCAcHZxI4PvjcU8/HHfO3PGunoVnQge5WbiLOidxRBZDVPHlryR + 
rgZvVJh4ZEhYL8d/mOCl+a1LiisGseJi9m1EwS/gSYBR932QSFeN3zx7BQMHSZya + ldwStRYBWXg5io9G+woguU0IfOzbcC65xfWLr3/H77C8vSDRE6Zb8zchDZc0hqzT + CiQDNKThP1b6chMsbab62E0LRQfI03NgJqn6iVkVXbXPlzZI2opTC6ar3PpgPBsN + BRlSdbx7SWw8Nbjmb6jbFa6g3AYsAsEpT0YJ4PkCSQ2atJBo9VcrXptpA1Q02PZU + pdMAGoRLYt4SQcuIdtbQ20whlIbq0oaeAVFxXxQZotEXDwFmaYFQTIk7Mg0VoAbS + XgEJ0eY2cRos6q6NNmUJVECsU7TW20ssaRAVclNtnpz/QgMU64tz7YknNWti3k1R + ouXo1+KxTggVgHZdugrLxZcsSwXPapoUrveCSQvEo3A8GehDI3ax30hhylLBsMw= + =p3aa + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/dyndns/server/upsert-secret-dyndns-aws-credentials.sh b/clusters/svc.dd.soeren.cloud/dyndns/server/upsert-secret-dyndns-aws-credentials.sh new file mode 120000 index 0000000..1fd71d5 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/dyndns/server/upsert-secret-dyndns-aws-credentials.sh @@ -0,0 +1 @@ +../../../../apps/dyndns/server/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/dyndns/server/upsert-secret-dyndns-aws-sqs-url.sh b/clusters/svc.dd.soeren.cloud/dyndns/server/upsert-secret-dyndns-aws-sqs-url.sh new file mode 120000 index 0000000..3506305 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/dyndns/server/upsert-secret-dyndns-aws-sqs-url.sh @@ -0,0 +1 @@ +../../../../apps/dyndns/server/components/aws-sqs/upsert-secret-dyndns-aws-sqs-url.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/external-dns/kustomization.yaml b/clusters/svc.dd.soeren.cloud/external-dns/kustomization.yaml new file mode 100644 index 0000000..367b41e --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/external-dns/kustomization.yaml 
@@ -0,0 +1,26 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: external-dns
+resources:
+ - ../../../infra/external-dns
+ - namespace.yaml
+ - sops-secret-route53-credentials.yaml
+components:
+ - ../../../infra/external-dns/components/istio
+ - ../../../infra/external-dns/components/common
+ - ../../../infra/external-dns/components/aws
+patches:
+ - target:
+ kind: Deployment
+ name: external-dns
+ patch: |-
+ - op: "add"
+ path: "/spec/template/spec/priorityClassName"
+ value: "system"
+ - op: "add"
+ path: "/spec/template/spec/containers/0/args/-"
+ value: "--zone-id-filter=Z04750743ET6H1ZBQ5JJT"
+ - op: "add"
+ path: "/spec/template/spec/containers/0/args/-"
+ value: "--domain-filter=svc.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/external-dns/namespace.yaml b/clusters/svc.dd.soeren.cloud/external-dns/namespace.yaml
new file mode 100644
index 0000000..0809309
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/external-dns/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: external-dns
+ labels:
+ name: external-dns
diff --git a/clusters/svc.dd.soeren.cloud/external-dns/sops-secret-route53-credentials.yaml b/clusters/svc.dd.soeren.cloud/external-dns/sops-secret-route53-credentials.yaml
new file mode 100644
index 0000000..50bb8a7
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/external-dns/sops-secret-route53-credentials.yaml
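Review bot: `priorityClassName: "system"` is not one of the two built-in PriorityClass names (`system-cluster-critical`, `system-node-critical`), so unless a custom PriorityClass called `system` exists in this cluster the external-dns pods will be rejected at admission. The other Deployment patches in this commit use `prod-high-prio`/`prod-default-prio`; either reuse one of those or add a comment naming where `system` is defined. Separately, `--zone-id-filter`/`--domain-filter` only scope what external-dns itself touches and do not bound the static key pair in `sops-secret-route53-credentials.yaml`, so the IAM policy behind those keys should be limited to hosted zone `Z04750743ET6H1ZBQ5JJT` as well.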
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + access-key-id: ENC[AES256_GCM,data:huMqE83I2YPYwJlk/9rAhuLbsUbiX0YCKo4S3A==,iv:fZnn3VbUlfCh/iowVXNQ6Y5X7/aSUHaepi8CFFdJvt8=,tag:FROQJ9hneSi1m3i+w3rS9g==,type:str] + access-key-secret: ENC[AES256_GCM,data:d+Sa+jgifIyJ23rAqMqpe4rHsTC6Q4d5xzSVz0XOxrJNp9OmAo/sJIygNn8bH0xJ/HbFQNzN5vg=,iv:PAwXN0MHQqAGSODboaGWWq9I3rTxbPTVzrYnHycUbh4=,tag:kMoESmZvtun/kUZtWpD0Rw==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: route53-credentials +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T07:32:39Z" + enc: vault:v1:qqDn0x5ED0dQ6lMHNxZgvBr+seolPFTtx9rLB4EkBpqEBvt6OKwfWAgO93kFyXBI7pSVFMHzB3yOZJ4N + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaGJwT3piTnFQNzJJR01m + S1oydzY0TXpBd2VNdFZ3R05XUVhpQUJMWm5ZCnVMbEVQb2d1RW0zZHJpQVhYUDhY + OHdGMDhRb0l0YVdqeXpRbnZvazJQTlEKLS0tIHR2TTk1RjBQSDc2L21sb0lSYlFu + eHRFeVpVOVJ6QW84Zk5DRFNnYm5hTWsK2ktNb3X0mmc3dPzRBbk4aYeRA5hiofJZ + wpBw+r6SwMU3zN3M9/XnE+DnnBb+VWD979vx2BF7KK045EVe7Gw4sg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:32:40Z" + mac: ENC[AES256_GCM,data:2mrCyXA4TbIEJHoA2Uv/hdMHUcnSmG3DNelk+gQfkfMOSvFu7tdqrjYPcekt2l/s5AlmPf5ykVgSrNG6ZNyjPgLs3K3EyM4kv6kXsDo20sZrA7XPYDRNesoCv83ubl2rH+25+JJjHXDlyh6qUuNWs9rCujHl12YunpCkHQcvqjI=,iv:M1F2z5ll/AZ6PTUHJub/oT6guPDsHZBUa6JWx8hwsGo=,tag:tm369Pr8rCbAiCZOYtlVPQ==,type:str] + pgp: + - created_at: "2024-06-28T07:32:39Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//SPznEH+pHhTv7gHwzhe5XOQUJORqUYrdUx9GCrvfjOe7 + CAL44RwZfnx7QAbcnV6vFqnIn+boNKpTFKpdG/xf3GklsQ1xamOFZRZdhp1pYxF4 + 6vjn7aaHs7Z91Ff7OYqAWRDsjWNQV0YrFfGFmK4xIsI0pMwDYQEeqd4Q9R0KVKzv + LtPvzsRXiRbaUmf1sYb1gC2Azt3lbqLJ1LrshQ1JmdA1ycwprc8qkUCklg/4JgwT + 
F3uhynRz2YZ3VZPZRP2K7M/KdiGKrrXq4RsHjuul1c/KivYa/mM7PUgQpbYRy2sG + vERSZAxLgFT13JplhKyOYXSJovKQ2LGIyhI2m7ofPPz5yMpCXTIlnCEkwVZOGk24 + DH6z9G/8zQkXjvGGBeYAaoSYYFCksK4hPiSgQc0Sl9GyzEIyH1tIpYCjHWUM/wwU + bjJcRDMh/uTgx8smAOP/R2uV4hnhef7lTlrv/4LVItHUGietZaiHZsp14pivo/ck + dPCpDmH/JvRMws2v6b0aH6Iibtpl8MAKx1jc3D+ljwj9TGRadQX0e89DiGGkRkq3 + 3vt6jBqwG/x4w0FOSV9JU0ZSYcHK0hwXyNfoOjzkwpMoN5XPL0zRppv/8XlftEy0 + 1IMTSeCMV9QOaWM3tW8TjGmmfYd4Fp+2DRTDrN/pv93Nfe3sY1f19k0Ddu5ojorS + XAE0SeoQBYgKxmEfve3LvEoycNsUKoTk5b8BP2IKOYWZqsfc7fOx/zNOnvH1bVrx + 89IT2C2qVg2k289lgAepeF/Kdg96jiEouCproJSB/sHbzm+BArC6u1UoQoZx + =lBv4 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/external-dns/upsert-secret-external-dns.sh b/clusters/svc.dd.soeren.cloud/external-dns/upsert-secret-external-dns.sh new file mode 120000 index 0000000..a2591e9 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/external-dns/upsert-secret-external-dns.sh @@ -0,0 +1 @@ +../../../infra/external-dns/components/aws/upsert-secret-external-dns.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/gatus/kustomization.yaml b/clusters/svc.dd.soeren.cloud/gatus/kustomization.yaml new file mode 100644 index 0000000..4c97710 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/gatus/kustomization.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +namespace: "gatus" +resources: + - "../../../apps/gatus" + - "namespace.yaml" +components: + - "../../../apps/gatus/components/istio" +patches: + - target: + kind: "VirtualService" + name: "gatus" + patch: |- + - op: replace + path: "/spec/hosts" + value: + - "gatus.svc.dd.soeren.cloud" diff --git a/clusters/svc.dd.soeren.cloud/gatus/namespace.yaml b/clusters/svc.dd.soeren.cloud/gatus/namespace.yaml new file mode 100644 index 0000000..97be0be --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/gatus/namespace.yaml 
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: gatus
+  labels:
+    name: gatus
diff --git a/clusters/svc.dd.soeren.cloud/git-repo-backup/config.yaml b/clusters/svc.dd.soeren.cloud/git-repo-backup/config.yaml
new file mode 100644
index 0000000..e5a0d4f
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/git-repo-backup/config.yaml
@@ -0,0 +1,17 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: config
+data:
+  config.json: |
+    [
+      {
+        "service": "github",
+        "username": "soerenschneider"
+      },
+      {
+        "service": "gitlab",
+        "username": "soerenschneider"
+      }
+    ]
diff --git a/clusters/svc.dd.soeren.cloud/git-repo-backup/git-repo-backup-pv.yaml b/clusters/svc.dd.soeren.cloud/git-repo-backup/git-repo-backup-pv.yaml
new file mode 100644
index 0000000..dc55abf
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/git-repo-backup/git-repo-backup-pv.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+  name: "git-repo-backup"
+spec:
+  accessModes:
+    - "ReadWriteOnce"
+  capacity:
+    storage: "5Gi"
+  volumeMode: "Filesystem"
+  storageClassName: "local-storage"
+  claimRef:
+    namespace: "git-repo-backup"
+    name: "git-repo-backup"
+  local:
+    path: "/mnt/k8s/git-repo-backup"
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: "kubernetes.io/hostname"
+              operator: "In"
+              values:
+                - "k8s.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/git-repo-backup/kustomization.yaml b/clusters/svc.dd.soeren.cloud/git-repo-backup/kustomization.yaml
new file mode 100644
index 0000000..3292797
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/git-repo-backup/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: git-repo-backup
+resources:
+  - ../../../apps/git-repo-backup
+  - namespace.yaml
+  - git-repo-backup-pv.yaml
+  - config.yaml
diff --git a/clusters/svc.dd.soeren.cloud/git-repo-backup/namespace.yaml b/clusters/svc.dd.soeren.cloud/git-repo-backup/namespace.yaml
new file mode 100644
index 0000000..a378eed
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/git-repo-backup/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: git-repo-backup
diff --git a/clusters/svc.dd.soeren.cloud/gitea/kustomization.yaml b/clusters/svc.dd.soeren.cloud/gitea/kustomization.yaml
new file mode 100644
index 0000000..be73126
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/gitea/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gitea
+resources:
+  - ../../../apps/gitea
+  - namespace.yaml
+components:
+  - ../../../apps/gitea/components/istio
diff --git a/clusters/svc.dd.soeren.cloud/gitea/namespace.yaml b/clusters/svc.dd.soeren.cloud/gitea/namespace.yaml
new file mode 100644
index 0000000..086d6fd
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/gitea/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: gitea
+  labels:
+    name: gitea
diff --git a/clusters/svc.dd.soeren.cloud/grafana/grafana.properties b/clusters/svc.dd.soeren.cloud/grafana/grafana.properties
new file mode 100644
index 0000000..68346db
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/grafana/grafana.properties
@@ -0,0 +1,6 @@
+GF_SERVER_ROOT_URL=https://grafana.svc.dd.soeren.cloud
+GF_DATABASE_HOST=dbs.dd.soeren.cloud:3306
+GF_DATABASE_SERVER_CERT_NAME=dbs.dd.soeren.cloud
+GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://keycloak.svc.dd.soeren.cloud/realms/myrealm/protocol/openid-connect/auth
+GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://keycloak.svc.dd.soeren.cloud/realms/myrealm/protocol/openid-connect/token
+GF_AUTH_GENERIC_OAUTH_API_URL=https://keycloak.svc.dd.soeren.cloud/realms/myrealm/protocol/openid-connect/userinfo
\ No newline at end of file
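Review bot: GF_DATABASE_SERVER_CERT_NAME on the third line of grafana.properties only has an effect once Grafana's database TLS mode is enabled, and nothing in this file sets GF_DATABASE_SSL_MODE; unless ../../../apps/grafana/components/database-mariadb supplies it, the connection to dbs.dd.soeren.cloud:3306 runs without TLS and the credentials from sops-secret-grafana-database-mariadb.yaml cross the network in the clear despite the cert name. Either add `GF_DATABASE_SSL_MODE=true` here next to the cert name, or add a one-line comment naming the component that sets it so the pairing is visible in the overlay. The file also ends without a newline, which the patch records and which some env-file parsers handle inconsistently.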
diff --git a/clusters/svc.dd.soeren.cloud/grafana/kustomization.yaml b/clusters/svc.dd.soeren.cloud/grafana/kustomization.yaml
new file mode 100644
index 0000000..4cf3d25
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/grafana/kustomization.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: grafana
+resources:
+  - ../../../apps/grafana
+  - namespace.yaml
+  - sops-secret-grafana.yaml
+  - sops-secret-grafana-database-mariadb.yaml
+  - sops-secret-grafana-oidc.yaml
+components:
+  - ../../../apps/grafana/components/istio
+  - ../../../apps/grafana/components/oidc
+  - ../../../apps/grafana/components/database-mariadb
+patches:
+  - target:
+      kind: VirtualService
+      name: grafana
+    patch: |-
+      - op: replace
+        path: /spec/hosts
+        value:
+          - grafana.svc.dd.soeren.cloud
+configMapGenerator:
+  - name: grafana-config
+    behavior: merge
+    envs:
+      - grafana.properties
diff --git a/clusters/svc.dd.soeren.cloud/grafana/namespace.yaml b/clusters/svc.dd.soeren.cloud/grafana/namespace.yaml
new file mode 100644
index 0000000..4dcea77
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/grafana/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: grafana
+  labels:
+    name: grafana
diff --git a/clusters/svc.dd.soeren.cloud/grafana/sops-secret-grafana-database-mariadb.yaml b/clusters/svc.dd.soeren.cloud/grafana/sops-secret-grafana-database-mariadb.yaml
new file mode 100644
index 0000000..bd51976
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/grafana/sops-secret-grafana-database-mariadb.yaml
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + GF_DATABASE_PASSWORD: ENC[AES256_GCM,data:wFe7hukSKYotJHzv,iv:PcK4ypKzANJZIwkSL+YqzNiq9yuD3LKqn23lpmUzyic=,tag:5Hk2n1zua2AM3VEC3D7RFA==,type:str] + GF_DATABASE_USER: ENC[AES256_GCM,data:7syT6nBv0+QXxsJl,iv:8roQTs68wwLpXoGrJovDjtla/LGrPBB3O9FXeb6+EuY=,tag:i+Od7o9LUIcdoEvVq98pTQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: grafana-database-mariadb +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:15Z" + enc: vault:v1:U3oEbH2Ve+D8Oi/VApHlfE7UqxNzZ61KQZxOiM7++7lvLaZ/kKjbKFy5IAetZvgTrH4LAusGe2BAdw6S + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYd04vZllIa1hsWDBKSHla + cWlSdFdpWURabW1ZOGg3a1dyMTdPbXkwcGx3CmRHd2lZbGFqZ3NSNkVZL1ZPblpZ + TklJMHVCdDNXcVFBeUxkNXBaOWRSQk0KLS0tIC9qU1pza09GUWFGcHl2VVBzbjhP + M2Fmd0JqcXdnZ0sraU8rTlluNll1c0kKLBoPNEKAuFyA5q9xtKHPfyFocvG9nFDC + 4GeljnGagmhhJuw4f6hf2ZIwXN8XmO4pv8vB+bHCzCt7HQknW9wf1Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:49Z" + mac: ENC[AES256_GCM,data:d6EiJ2cpZ+pY9ER3wvYejesxerquEYBAYQnkdjpXOrC1T/oq2S1hXe1yHOyD/c2qJJp+ruy80vtcTXFWIU8zNFnhnhUdqHcQTioq1uLXceF8TQBsLMxEhHg7qxgu/G41ffgULvMJ3T51O2tripmbbuk2KYoP1orPZqNS+Z9jwDE=,iv:cGkRe6mgDiOA+M3/hPcPtapfiOLU+HCJxEAmKFz+dlk=,tag:AYq+Nvy/uiFJKTdBHN20jw==,type:str] + pgp: + - created_at: "2024-06-28T08:37:15Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//Rt5S11V6W/sASjwKqZv2PUutRfwB26q8jgAflSIWpRob + 03LBgW/X2S5dTG6yyua9TI2BkNcU+GjlkgBmCzjstMgSGqGilU1rC0C68hi402dc + L8r2ocORQa/HkQGDgin5tcW1+w/a4BvvkWzvu6Mp7V3zWlm0g7nnMB1pe220cUZ0 + Z2C1k1u2vJCMS+sjiKYleI+bpVQSUM9/gTsLW0R/moOnQvkQgiKtn47jtBTAJeb1 + ix0r1XukV7a7MsnBl5kuBLIe8erpIkqzn7kRWXnikZVT4tMe49dkusI2TdXQjttk + 
sQcdHrnZOuHNhR/V+aZrFW9la7jWgk4MhFdZgVdnkio4Q/TQH3XJqe9nS42AygZA + 5X8QedNHlGUBLw2GuI5j5RIaYO8p2UkECVfe++EMXDik9G/euwGjmeIAuf9ObcnO + 6QuNeMbiLvUocd6bDnK+9xXdyme1ZaF9/JojIk/gsWDvwS2T2d6YL8NsV+sreB3W + SjFdYTsD+70XRPgsWnSjxpAhs5ciqnkuX5mFTeE01m6ZLK3vL991QLSOGSsVcwIJ + M7Hn+ShAAqGhTYcRngsRAV9Tr+qKRAc/tcq2r4IKKNdMK+pkxTVwYBXfLlFeriLg + Nu0tkIjth9jjAksL8qJamdJrg9+dKK0h/LPr/jSBPHz+g4KpsNIPj3mqO+2Tc8fS + XgFkLccWFae1twlUNzwxxVA4s30aU8PQAw8etBgYUUOO18mltp2Mxvbsbz6lPTeC + MWQT/lLtgJrfcnDeY5BQ7qxS8JoNlYELvBcEHJGcX4cgmrktJCIEEf4fcBDfZEc= + =CAL7 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/grafana/sops-secret-grafana-oidc.yaml b/clusters/svc.dd.soeren.cloud/grafana/sops-secret-grafana-oidc.yaml new file mode 100644 index 0000000..628564c --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/grafana/sops-secret-grafana-oidc.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + GF_AUTH_GENERIC_OAUTH_CLIENT_ID: ENC[AES256_GCM,data:VgzN7jgpvKnWUbAj,iv:wpsnPZAvT0k3pU1Q2AxWyJnJNyzNRloBq1AA4s6iKNM=,tag:BPLo6TWU9ukAkpFOW4CnCg==,type:str] + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:64m+yAsK7CMI4kMx0IzaB3z9wD2pYImGOnngXqRZZnccG7pPTKV/BWzFlNc=,iv:Rq4WNZHkuAMEVIA1bSToVRyb5MZi+fheqvDldzN0200=,tag:/jfSlg/4tLkNN9+emC9UpA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: grafana-oidc +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T13:32:53Z" + enc: vault:v1:VbmcIRgQdnaBAH7iFBbkYIbrS+3Z0HWnPpeWFEcA5vmfyLw6QzyjeswZAW0EFG3/VSQw9V7vG+aUmbhO + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnSjRIQjQ5UnE0U3NxdDhV + MmNCOU0yeWhSNWh5Zmh0SmxLQ09NN093THgwCkdoWVZGNjA5R2NlL2l4bGJMWlZh + ajMyK0YwbGloM0FweTl5YXVEYXlhSFUKLS0tIDRkVXVBS3oyaHZ4V2VzYWRnRWdX + dkd1N3Z0NmpZWXZseXZCT25haDl5dlkKIA4xDAfGLElRrLfErdTm5iNPg/+suv/t + 7AJT83eaJQ+g3eoNOE/BrviGI7MJMh3KEHzunrYOCs8PF7mk8K/XNQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T13:32:54Z" + mac: ENC[AES256_GCM,data:DPr6DXWDhQy67Sos5w3Fd0xxv1E5tz8m+/cfu9Wvc3V92cluYfQzgiDs5+tDulYUFpLcquu/GZvhatgeEJ+m8GUuQJqTw1UBKE6Lj8/4lvxlZHUlXhp2E6uJVN7SUDLhdEpDfhjPcQLC8Uj7nK2bG8MoNdf7mfYyGFMEi+HuJZw=,iv:Uf/v5UMkxsEegxAjlArFeBsYErlpaRO7CmzXF1SPFxg=,tag:TyJ020tMN9k/rHBW5S5+gA==,type:str] + pgp: + - created_at: "2024-06-28T13:32:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/+Mz05lQJbixglpbCfJ1x1rCghBMt3DL+Vl7mA3w/QzURZ + OHrq+YWlPhfnKcWzj4z58BpRiMUabEvjnhNsPK50EY8lxsMq1mOIYaXLh71x744d + mcRxjT/RAtwv1N6u1u1UVQ5Cwk1JhNt2qi1yjWHdKc9OwRObSofkmQXNGIhwy1dB + NooCZ4fuTbrDawv29t14+m21uQIVXsXTgaCq+OjJ6YNZ30tEsNXAjd2m29CugkAE + 
fhGlCtn8rxdMR1h0jvQ2tgH4llXLYa4mIwLjjpelwIChe+h3fD4Yq9ZgrjlACVUX + JHO4okw14wE/G7ON6nTh3AUuE8XHaKoykAAcGwMO1LYGWEDrHPmez+07J2XYRZuW + X4ztWwJXJVPfyFgxJIXGD8n0L0FUzuUynKmEmXdPUn1+N2Jh9mWOyjN7j645CxW2 + bkqG28FI977EtHQNJJNJTxFxCAscPBcJOXSgj0yO3vHTjsjJ/IhOtaCsRp+MikCe + 4rGjYBrX2+eeBC0fmMwH7CeVnriQbN2zWf508GtVUy2BMoHW5TNfbwSwv4YxaBh7 + v1aqp6sMg2R69LmozafLvaz1paohlVKFELmDzqfbVYOpANX2fyWFUsbiT/XVFzDe + c2zkwiIdsZZSe51uoBDJm3opIHKEf5iwjopyfGJP+cDRrxz9JU41RWzC/jpNlJTS + XgFxXqt7VgBXlqZhaer1cnFMOlMhEUxh/GVUYMNSwUMlSdwkSi3UR6az8WM3Td3R + a/wPxfGSApdAJqxyFPINhH5xNGLAIk3qG3yicn3+5dz7yicVF1W6dW8h8ycUgFY= + =v+CB + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/grafana/sops-secret-grafana.yaml b/clusters/svc.dd.soeren.cloud/grafana/sops-secret-grafana.yaml new file mode 100644 index 0000000..db4ea5d --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/grafana/sops-secret-grafana.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + GF_SECURITY_ADMIN_PASSWORD: ENC[AES256_GCM,data:ursMtLRnAlqHMgrF5gxkNVGS47uEs1BXL3HiIgYAFB9eNn/QMsXcc1WY4NsJKUD8EA17nJMZW96+GmoJilMVuFjrlxU=,iv:j8Kl5W5thKaMbQa9g/2nfPUXBIMvpTneBUV8OGowISs=,tag:IyxO2mCHay+9b5qlVpX0Pg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: grafana +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:14Z" + enc: vault:v1:l/4PhCTm1ZmppEa2FYeeq/B8IRtTL1NO9esnY4snLmsJeMFUQFRo9r8EmVtXGmV9vGp02AwAjdZM1yKx + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSmt0VE1oRytMVVRRV1FU + dWpOSjlrSnlPaVFqU2JDeUIyNmk1a2h0WHhFCjhwbkhKeW1RQ2gxYnIvMFc2VUtn + ejd4cmJreXkydjVabnJueEllU3IrOFkKLS0tIDRRWEx5Q3lVaE1QU0VpSEdLN2Ir + RUZtcFFzMjJhM3NoSW1uSlFOSGhib3cKSJfR4vDULbLrWPEbbXgN3Isf9RKmUPi1 + Pt/jLBeMhV7VGkD0gX+1P5hlUNeJrfF5LBHYfnrzqR2Wdw4ZFp4Uig== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:48Z" + mac: ENC[AES256_GCM,data:0vKq8mQiBBli9NKym1h++ilNwJ2mV11WDYi/jSOVUFUr5Fijk3GKL+J0KMj9t7Ef90zGfmwLnuSkjUbozHTRmdbFipMCP0Nf7PGgAxIBVu9PCfmWSB69UMSlp1B1dJYkNczhXxcTDRBDua2GBR+1xqAt8ERk4b8FTxAwHKnQMDI=,iv:Dm3fcDFIGSyfUcuCIJuwwcds7bVAMiwUZ9DwHmD0t1U=,tag:rtaIxgjydKaX2SavZzorSw==,type:str] + pgp: + - created_at: "2024-06-28T08:37:14Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/+NQAzNl9GVyoOd8e14HBqnBy07cvFWfCVoUaeKb55Gj5V + 1yMBLgfoKNss3ljN+hbBrI0uz7wSuirnALdDYpxLrrz5IhmfECLtqdYb2jf4G8Bn + gRhqLiRgvaBPkoywOMaiEEy7jV7GDogufYlgGn4JSvrUuB8Th9ZXeOzdQzPZo84q + +khJxrqa1wDi3X/6Lb/92sARk20hHu9vbYxVA4k6/4L19Basex8QvUtez1JjHWOe + XrqsfoHdfTFjWZl8upTmCn1GeC4smLUgW+j88TsKr8AEOmOjRtdKpUCEj4DhcZX0 + kKV0NL6kdJRpqbA2rARcus/uPfObSt2CtYYPQxG0scKIBKd8SJ6EdiD2u+vu/xye + 
UTp2fEs+KehbidTL1FsbKv+5TPHuzmYrW4jc2AptQ0jOJZ9iZcE8++Uw4lxzynii + 93Vyu01pI67r5LpAz6SeycKlD42YWf7FGpCKT/leAGV3sSEAB0HIQ/q9B6b8dvsi + kTVEkH2d4Ia2ZKztBh/tqR1QA887EqoRJHmRPFMsy0GFwqH1qfRJZukrW04hINv+ + e6xGSQsLVKzAb1YeBk0an0WGqajMCQdhxfrWaChjN6MzZyWkSP3n+ZEiCnV1tlaI + o7ZrZSQPiMvnIW37ywCo7kpLqq6qLGGoMqyGfDSsA5LYzz7U+Ut0ZxJUVrTVrmnS + XAFmFMYS2ELmrhlvdbXUyK/1IqpqFLm+UHxelSn6asyhYx5H1yjn226rBnpqi16m + RnJeKmTwhTVMZKf7BqdWiCkmLE+mHPsOMQXLYw1RmTk30VkABXIRLoj9B2Ic + =4pvD + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/grafana/upsert-secret-grafana-database-mariadb.sh b/clusters/svc.dd.soeren.cloud/grafana/upsert-secret-grafana-database-mariadb.sh new file mode 120000 index 0000000..8c7c8c5 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/grafana/upsert-secret-grafana-database-mariadb.sh @@ -0,0 +1 @@ +../../../apps/grafana/components/database-mariadb/upsert-secret-grafana-database-mariadb.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/grafana/upsert-secret-grafana-oidc.sh b/clusters/svc.dd.soeren.cloud/grafana/upsert-secret-grafana-oidc.sh new file mode 120000 index 0000000..6491a5e --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/grafana/upsert-secret-grafana-oidc.sh @@ -0,0 +1 @@ +../../../apps/grafana/components/oidc/upsert-secret-grafana-oidc.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/grafana/upsert-secret-grafana.sh b/clusters/svc.dd.soeren.cloud/grafana/upsert-secret-grafana.sh new file mode 120000 index 0000000..5833c2b --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/grafana/upsert-secret-grafana.sh @@ -0,0 +1 @@ +../../../apps/grafana/upsert-secret-grafana.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/hass/hass-networkpolicy.yaml b/clusters/svc.dd.soeren.cloud/hass/hass-networkpolicy.yaml new file mode 100644 index 0000000..6ac2414 --- /dev/null 
+++ b/clusters/svc.dd.soeren.cloud/hass/hass-networkpolicy.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: hass
+spec:
+  podSelector:
+    matchLabels:
+      app: hass
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: hass
+      from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app: prometheus
diff --git a/clusters/svc.dd.soeren.cloud/hass/hass-pv.yaml b/clusters/svc.dd.soeren.cloud/hass/hass-pv.yaml
new file mode 100644
index 0000000..c3575b8
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/hass/hass-pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+  name: "hass"
+spec:
+  accessModes:
+    - "ReadWriteMany"
+  capacity:
+    storage: "3Gi"
+  storageClassName: "local-storage"
+  local:
+    path: "/mnt/k8s/hass"
+  claimRef:
+    namespace: "hass"
+    name: "hass"
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: "kubernetes.io/hostname"
+              operator: "In"
+              values:
+                - "k8s.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/hass/kustomization.yaml b/clusters/svc.dd.soeren.cloud/hass/kustomization.yaml
new file mode 100644
index 0000000..b5a7cf3
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/hass/kustomization.yaml
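Review bot: The single ingress rule in hass-networkpolicy.yaml admits only `app: prometheus` pods from the monitoring namespace on the named port `hass`, yet the hass kustomization in this same commit enables ../../../apps/hass/components/istio and patches a VirtualService for hass.svc.dd.soeren.cloud, so traffic from the Istio ingress gateway will be dropped by this policy unless another NetworkPolicy in apps/hass or that component allows it — worth confirming, because the policy fails closed and the symptom will look like a gateway outage. The named port also only matches if the hass container actually declares a port named `hass`; with a numeric-only port declaration the rule selects nothing and even Prometheus is blocked. A comment above `ingress:` stating that this policy is scrape-only and naming where gateway ingress is permitted would make the split intentional rather than accidental.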
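Review bot: hass-pv.yaml declares `- "ReadWriteMany"` for a local volume pinned to a single node, while git-repo-backup-pv.yaml in the same commit uses `- "ReadWriteOnce"` and also sets `volumeMode: "Filesystem"`. The scheduler only binds a claim to a PV whose access modes cover what the claim requests, so if the claim in ../../../apps/hass/components/pvc asks for ReadWriteOnce this pre-bound claimRef may never satisfy it and the pod stays Pending; RWX on a node-local path also cannot deliver what the mode promises. Aligning on `- "ReadWriteOnce"` and adding `volumeMode: "Filesystem"` keeps the two static PVs consistent, or a comment should record why hass needs RWX.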
@@ -0,0 +1,35 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: hass
+resources:
+  - ../../../apps/hass
+  - namespace.yaml
+  - hass-pv.yaml
+  - hass-networkpolicy.yaml
+  - sops-secret-ghcr-docker-registry.yaml
+  - sops-secret-hass-secrets.yaml
+components:
+  - ../../../apps/hass/components/config-secrets
+  - ../../../apps/hass/components/istio
+  - ../../../apps/hass/components/pvc
+patches:
+  - target:
+      kind: "Deployment"
+      name: "hass"
+    patch: |-
+      - op: "add"
+        path: "/spec/template/spec/priorityClassName"
+        value: "prod-default-prio"
+      - op: "add"
+        path: "/spec/template/spec/imagePullSecrets"
+        value:
+          - name: "ghcr-login-secret"
+  - target:
+      kind: "VirtualService"
+      name: "hass"
+    patch: |-
+      - op: "replace"
+        path: "/spec/hosts"
+        value:
+          - "hass.svc.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/hass/namespace.yaml b/clusters/svc.dd.soeren.cloud/hass/namespace.yaml
new file mode 100644
index 0000000..e02aac5
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/hass/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: hass
+  labels:
+    name: hass
diff --git a/clusters/svc.dd.soeren.cloud/hass/sops-secret-ghcr-docker-registry.yaml b/clusters/svc.dd.soeren.cloud/hass/sops-secret-ghcr-docker-registry.yaml
new file mode 100644
index 0000000..dab3f96
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/hass/sops-secret-ghcr-docker-registry.yaml
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + .dockerconfigjson: ENC[AES256_GCM,data:iQ+M3xuxdrmNwaqkWzqMtRwPq3VsDSXRn6zBv1FhT4boYQono9a0X3c7gejJNFPJV05THPVNHZ8B6FM4GYmevcJ1yEHrs1++fOL67CRgdbAHy7WZVMDjK1DmdnaHouQ/uXEDwf8Hl0ciNtOyOMs2c3Pr5yno8Ojq7I2cW2hc2sxDrJyLhsZhqwPXuAGPhVSljs/bJngTX4ApXYwJhqqBh0B5D8p5rAxlWIMBe4x50PD7nxfYF2/H5yhysDSniw4lbVF2AbSXom15tN3287kfcCtZsdfDk07MF6s2aTERivpXGhIONBx0BN6avYOwp6DF/u1U40ELXmX121pDRSHvMnyQXqgqHP3rPveX791In73dZ5RYVL3CwPxliVAVoIAS,iv:J8kvZ+13/fE7pczi7pcmyk352yWoM4sE6dSb2e7cTc4=,tag:wRwFE2kHI79+YFDG7Mu3Kg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: ghcr-login-secret +type: kubernetes.io/dockerconfigjson +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:52:41Z" + enc: vault:v1:dEmXUvdafXgwXdU4eUgH4GhCQI2+Httv1xtAeJo+VT8/4PDxRP/+0G4aGXLkq8mJyVt8h2KjkGD5OksR + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SXhqeVZ1OU5aVW10ekNW + OUFhMVRJYWtSTDdtSUNrYnh5Z0VFc3JaWXlBCmtTMkN6Z2h1cUJBbnozYzZmbWor + dit1UkxRRDR0eEtyZGxsTk1MeDk3dlUKLS0tIFo1dDRpQnc4akErcENkNU0wRWVi + ZGRBaDgramowWkZVbVFvM2FTTWtpSU0Ku3/f+fzq3rxLgygAG79F7QgUBn0hYEMX + JTGCPZf5I6x6DZnh2odY7TeEpBdDCwrydskm7U+VotQuRQGb2GDHnw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T08:52:42Z" + mac: ENC[AES256_GCM,data:pUn3t7E2LJX8BYqlXCYSKW4PSr6tgT6SUbH0Ve8LJp8bnou0rD8M+e0unuP0favMAqBSnAvVzkp2vtUfANMf7G4dPFiChnzD97/CxvUUqDWYY7uqLmY5uYkruVEHgcheH8rhKJ4skKE7e/MqylYGPAg/kWI5Z1YePS7GQxphf9U=,iv:lpQ45H9w5JJSS883+e8hjKLg/g3oMfZdF34a1Er8elw=,tag:iQ43YfQhrhrPfiZw8VgTIg==,type:str] + pgp: + - created_at: "2024-06-28T08:52:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/6Axn7jbO5tE7HI+cjZTAiQ35IK/n/bQP9A4h548lzOHTZ + 
eO7onrsHIgdcQi+BBN8dWAV3VbcH0AfPcd32CiqMUZooDspUsijEexBWzB1eHB1Q + wnbO3OvKjPGe8565TqUti872bFNIg/dU7KQA1nvKhsEXF6uOVMQx9a4ittJlnp0w + y/z85GgIIGPlI26GxHCLlQ+2I/jnnxFh85d5xpB8KgwRACK3g8MCU4klFpR4BFIB + 7Ms+/Be263kET6uEAyrlfcEZ76UgTcAjkvrnGIC0HuruTgEZq3+mBwcfhY1ANKtX + +rmvq1s3RYSEOABCwQawDhj2G3WpHS78wTS+cb8hJdulehTBPujQ9ZwXzG8Ng4l5 + ZC82DTpnVqD0VSRx8IYO80NiC5gTW6YMPG+bsGHsTbwNFGMRtCFfCGrT/6ifZTUU + O+/h6QA3iXeu/ycBmIqz6vEvAD05ctOVzOoN8fJxHVBSkvdoEfg5wRLwlZlrNsRb + xrTCCLvJcEBg25VxNJXxDSdN1uXBAHoKJzaZ84XAS6ynxgTwtR4o7fCnJNaDik79 + AJnb/RFt+hY2CQeDMSga4fxFKxqYhCKMlftOuIU+rGDktsUvRpY/g10ZPwBqi7YM + /Bn1/DlZICoZulhGPlcIzQxgCNe+NP959TQzPqK8U5znypx3bq9LlUyNkjma5VTS + XAGZyajpXj0v4UxKgI6a1+zK654TvmunHUawQHMc8Nxs4tQk6nEDykht7XaP+ifR + BopD+FiFn0ajJH6ppm0TiKh6W7l+/UNsxCH/EtSAazI9Jig+Pf3pU5JrcGHz + =JLu6 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/hass/sops-secret-hass-secrets.yaml b/clusters/svc.dd.soeren.cloud/hass/sops-secret-hass-secrets.yaml new file mode 100644 index 0000000..628fc48 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/hass/sops-secret-hass-secrets.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + secrets.yaml: ENC[AES256_GCM,data:UXSln6yUpKL5ljOptrwh+zKS/IkgfWZDF9j9ERSJ1THAqzrB/XOHqVFQ2f3eKtKTHOKId7NwVDNK6FGoDV+r6Qs+oXqDLbeEvJ3Zprp4fKJ4q2OIzhbffN8ENevBGpQ1aYq+fi4TDSXU0iwcxOzEpp8YU4b8hRtVfcBlOABAbePXYjunfCOvJblcGIJLA9J33N2alFRUlPQaUafY9s+VAoHaiVpbwgzRRRI1PD97hw72i6e4Pxdxxhr0wBMb+w1XN+t4/l5WorWZV3302xAhbSGTRCq5hLwGWCVz6o0YfShkeGTwP7vfGGIZQyZVzwMYU0dBSBHillozSupoVENLYZsKLD5w1irGTF55tpmz1EHDNdDfwN9nqmUQcft4p5dur6jYWaRHdJnkjFJVZMKF/mm5UI3EcKo2z0u1X/4awpNWiEcwFHYRdaV66/DI7X5RZWce1nlGo9+aa5Rz6ahCfMpCplMlWhjAhcCF3Wzv0vdMweYxkH4JJii3K9xTW8+lw9cMk08KDemyGhHqf1w2cql1Gys=,iv:jP4UIicAU6wmrA4RRjjWrC7bYnRjUG7f58Tp38FSJbk=,tag:vGe5dB9EyWRBBf0TIvgoGQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: hass-secrets +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:09Z" + enc: vault:v1:8YzfEP9U1iIsj6F43LFfBLRihl2qpwQZo5VYG4yUOzib8NNyU0jpimsrwhBrGysdHD5tc0LoFUQsUF/M + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc2lDRndpZFpmSWdtSXNF + eHpFbW9mU1hpNmY3SVVKV0xhSnFyQ2pXOUNFCnNuRGptTzdqdnMxZFFPNkMvNVkz + eU1jZk51SENUeVAvM0pRY2ZVSVJRVHcKLS0tIGhBQWdaNFQ5YytKNHJDbkZNcmVh + eUhvWENJYk5hbUxDa01OelVwQ2ZPYkUKj1kAvgjgp0BYc7J+zE6/jY/tyLwiiNoM + r+prfegwJUr7x5gI6KnYVryRbBZJZrk9e8CtDRFC0N4P8nF4JHz/YQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:44Z" + mac: ENC[AES256_GCM,data:OS0VG48ZCjU/sBmCiA3aVG/dOZz750mcWd5k1+Z45gIR6QqnxFKQ05zwao3CQ/FSHOIxmq9nrJLzFYIYAc08bUlECXV+UPmaj0CKKO2T+DwPd/3a+rLf6y1Hyt3Qhh2y5096+BdHLG96GVfzOrQutrtJOr8GlCgl2G+wuwQcGgA=,iv:Zfv5wlSaNBYHm09dgonypwhFuBkDLqzARd9gMLn+bVs=,tag:uniSgK2Ls4Rquo+DvOX4HA==,type:str] + pgp: + - created_at: "2024-06-28T08:37:09Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMA+/EGAve9YBkAQ//coQYA9YG1qxAS8q/mknnZK0u1I86jYxTTazn8D95pSgr + F9ZoUjBbiJTcuJcdeYRYohga5172jIDiuyl9caayU5n+uyhdAHHUIFKwPOkhrvvr + vYcHpz9IaB0HtRWioFjKR7EXSnqPqh6hqMG5AXIOo/IQS25E1dRLIUodADTmgiGO + O1oM0zCtiYdJ9IUPa9VCJj5vykVrwDLRTJHORVfsSO458F9qnXCkBtdRkt/VBZm6 + GZk/qdTrq2dcLRcsxUtueT40n2LX2cRfSsoyEEw6H1zWVlR83nCHH58J2wsaxcEo + cq2oLNLBHDmi7f6pgxRB+zdaXn3zQYw2WBW6IqoVaLaMox8VOOIqUKXGoSio7Fdv + GnejbIz5NuXe3zTf7ic6N2HNk2xkRvIKcYfvcLDpO404f+zhmbCbzzAeLohLKg4G + kRx5mMTM3Bk//Xs/Ax6epV6pv8kJuypdcagTRaLgYXLbUr+Fsnx/m5kgyfZc4Jyi + b8/zsNZDsOoxS7u7pt3Ud1chpviyr2P0CX+LlhjCru+ybsQBCoK7J5XZ/9iKDMVE + Ndw2mT2Pgp5Zo7vUcHzr9Z9zpTWyNM+RiBaWe4j83C9kmsd1eV5s//on51d0d4Yx + Yjc2M9QVi6YadDYcmebczsclOeDiOo7zFobaIGw7me8sA6MJ/sq+1Fcgyez7q8fS + XgFgpmwM5EnpX8ML1wZlXir/AWG1nDtpfjMqKIvb/U7Ae0s2t7i4f9qRS2opCdVU + uqqTD1pP8aC3elvo77DnnLEFMkmAQB06i51ASzFpzx2zGyfWuBDybqjUXJvzsTQ= + =8x4Y + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/hass/upsert-ghcr-secret.sh b/clusters/svc.dd.soeren.cloud/hass/upsert-ghcr-secret.sh new file mode 100755 index 0000000..9e4e2c1 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/hass/upsert-ghcr-secret.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +K8S_SECRET_NAME="ghcr-login-secret" +K8S_SECRET_FILE_NAME="sops-secret-ghcr-docker-registry.yaml" +SECRET="" + +kubectl create secret docker-registry ghcr-login-secret --docker-server=ghcr.io --docker-username=soerenschneider --docker-password="${SECRET}" --docker-email=my@email.tld --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/clusters/svc.dd.soeren.cloud/hass/upsert.sh b/clusters/svc.dd.soeren.cloud/hass/upsert.sh new file mode 100755 index 0000000..54df6ed --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/hass/upsert.sh 
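Review bot: upsert-ghcr-secret.sh hard-codes `SECRET=""` and pipes that empty password straight into the encrypted manifest, so as committed it either produces an unusable ghcr-login-secret or invites pasting the token into a tracked file; the neighbouring upsert.sh already reads the token from stdin, which is the pattern to keep. `K8S_SECRET_NAME` is defined but the kubectl call repeats the literal name, there is no `set -euo pipefail` so a failing kubectl still lets sops encrypt whatever reaches it, and `-e` is passed to sops twice. A tightened version is below; the `--docker-email` placeholder is left exactly as in the original.

```shell
#!/usr/bin/env bash
set -euo pipefail

K8S_SECRET_NAME="ghcr-login-secret"
K8S_SECRET_FILE_NAME="sops-secret-ghcr-docker-registry.yaml"

# Take the token from stdin so it is never stored in the script (and never committed).
read -r -s SECRET
if [[ -z "${SECRET}" ]]; then
  echo "supply token" >&2
  exit 1
fi

kubectl create secret docker-registry "${K8S_SECRET_NAME}" \
  --docker-server=ghcr.io --docker-username=soerenschneider \
  --docker-password="${SECRET}" --docker-email=my@email.tld \
  --dry-run=client -o yaml |
  sops -e --input-type=yaml --output-type=yaml \
    --encrypted-regex '^(data|stringData)$' \
    --output "${K8S_SECRET_FILE_NAME}" /dev/stdin
```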
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+SECRET_FILE_NAME="sops-ghcr-docker-registry.yaml"
+
+set -eu
+
+read token
+
+if [[ -z "${token}" ]]; then
+  echo supply token
+  exit 1
+fi
+
+kubectl create secret docker-registry ghcr-login-secret \
+  --docker-server=https://ghcr.io \
+  --docker-username=soerenschneider \
+  --docker-password="${token}" \
+  -o yaml --dry-run=client |
+  sops -e --input-type=yaml --output-type=yaml -e \
+  --output "${SECRET_FILE_NAME}" /dev/stdin
diff --git a/clusters/svc.dd.soeren.cloud/hedgedoc/kustomization.yaml b/clusters/svc.dd.soeren.cloud/hedgedoc/kustomization.yaml
new file mode 100644
index 0000000..b8ada84
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/hedgedoc/kustomization.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+namespace: "hedgedoc"
+resources:
+  - "../../../apps/hedgedoc"
+  - "namespace.yaml"
+components:
+  - ../../../apps/hedgedoc/components/istio
+  - ../../../apps/hedgedoc/components/istio-proxy
+  - ../../../apps/hedgedoc/components/database-mariadb
+configMapGenerator:
+  - name: hedgedoc-config
+    behavior: merge
+    literals:
+      - CMD_DB_HOST=dbs.dd.soeren.cloud
+      - CMD_DB_DATABASE=hedgedoc_prod
+      - CMD_DOMAIN=hedgedoc.svc.dd.soeren.cloud
+patches:
+  - target:
+      kind: "VirtualService"
+      name: "hedgedoc"
+    patch: |-
+      - op: "add"
+        path: "/spec/hosts"
+        value:
+          - "hedgedoc.svc.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/hedgedoc/namespace.yaml b/clusters/svc.dd.soeren.cloud/hedgedoc/namespace.yaml
new file mode 100644
index 0000000..aaf5325
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/hedgedoc/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: "Namespace"
+apiVersion: "v1"
+metadata:
+  name: "hedgedoc"
+  labels:
+    name: "hedgedoc"
diff --git a/clusters/svc.dd.soeren.cloud/hedgedoc/sops-secret-hedgedoc-database-mariadb.yaml b/clusters/svc.dd.soeren.cloud/hedgedoc/sops-secret-hedgedoc-database-mariadb.yaml
new file mode 100644
index 0000000..e019cfc
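Review bot: upsert.sh writes its output to `sops-ghcr-docker-registry.yaml`, but the hass kustomization in this commit lists `sops-secret-ghcr-docker-registry.yaml` — the name the sibling upsert-ghcr-secret.sh writes — so running this script yields a file nothing consumes while the referenced one stays stale. The sops call also omits `--encrypted-regex '^(data|stringData)$'`; unless a repository `.sops.yaml` supplies it, every value including apiVersion, kind and metadata is encrypted and the output is no longer a manifest kubectl can apply, whereas the committed sops-secret-*.yaml files all record `encrypted_regex: ^(data|stringData)$`. `read token` echoes the token to the terminal and interprets backslashes; `read -r -s token` avoids both. The duplicate `-e` on the sops line and the `https://` prefix on `--docker-server` (the sibling uses bare `ghcr.io`) look like leftovers worth aligning.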
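Review bot: The VirtualService patch in hedgedoc/kustomization.yaml uses `op: "add"` on `/spec/hosts`, whereas the gatus, grafana and hass overlays in this commit use `replace`. JSON Patch `add` on an existing member overwrites it, so the result is the same when the base already carries hosts, but `add` also succeeds silently on a base that has drifted and lost the field, where `replace` would fail loudly; `op: "replace"` keeps the overlays consistent and surfaces such drift. The same file quotes its resources but not its components, a cosmetic inconsistency worth settling one way.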
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/hedgedoc/sops-secret-hedgedoc-database-mariadb.yaml
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + CMD_DB_PASSWORD: ENC[AES256_GCM,data:2klKwWR/cvL1to76AN/fID8tbaQCXNub6cvRMaS/c0faLDw1EbPGC8JSMpEHrtU8dA+z3lk/lq58kE9F6ukziw==,iv:Lm2Ke8bV2UKognbgZAOqvd4cEM8uIspHyxMl+6DwfmE=,tag:UXDpDi6mHL+QP2XYXInG3w==,type:str] + CMD_DB_USERNAME: ENC[AES256_GCM,data:yhM7QH6wxXrlXRHA6Go35eDLExg=,iv:YuOOMc61xUDEcZHEua3ZZYMBRv+qaDykX8SekOz8vI8=,tag:vCfNnFIfdLRjRY6J7BXj1Q==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: hedgedoc-database-mariadb +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:22Z" + enc: vault:v1:ikvxoQAs2e/TARN9pvS7Z4opW0WdroUiMSJcEdniOIBXgUSgAt03QtyJgumV8/FOk/LJ35LDKZWxGw9V + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMzdHWENrMzZrOHAxaXBa + YU9FTHhzaTV2YlcyZGdxOW94WHdJazFVRlJjCjhjandleFNoOWJnQW5rWkpJNGd1 + K0dLVzVVd05Cd2hHLzloWUduUGVRRkkKLS0tIG9UVzVLVEdQcDRjenhpSkp1dFRo + SkFDczdESUlCNnNNSzFKYWFaTkxtZGcKwtU6/csac0Sk6t67+OlyaSJ5axRf9Xuc + iHJTj/jKj+GYnDKewKUdJvTwW2/BN3i3eY0BBiP9RjH1/keZGqICVg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:31Z" + mac: ENC[AES256_GCM,data:3PqT1AVDN1QIhmbSefO1V2QK0b+LDGi9m1sitGzZe3SIByLnSjhVi9xMcbrKd/k9sRtIgk8qs4VOWP7zhj38cHITRVQY64EOjuxZa0OKplmh3CNwdfHwGRIc8dbEX9FYMU04MUfMeQuKs758oGH00i8HZlatSd4CBXrRZKHSwSg=,iv:1RgiqTeemrnh0lj9Xp5m/GxhdzZIdheBndpqPzWRrgs=,tag:haDUGgVEOXAEnSsOIF9vpg==,type:str] + pgp: + - created_at: "2024-06-28T08:37:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/7B2ce/OPgqLiXCIyDE7BbxwIuPPIZUgXt34deha2fGQH0 + 8K/J+gWhld2o5U2A3vtEB00kNRNt5RP8Tc4oemXb6lvcKserHGlCSf2glUFtwUa1 + JyaEiruZGBso4ceYaXHpsTRq4yBdFJXrg9GiU247zpIM7fCv0WwLiDKFgWUumqsA + 2SK4ZzF3b76uulMmSrgFlnG1MkkzzZ/pLNd6X+VR1TCi8IUbQKNgqiFWgc3ounYZ + 
N18RRdkYicd/Ux0oA6+XigqvfySfQvbzA+LTb5zwNbGMGvFqdlxnA2f2gXho0pGd + ynjrIxnEm3gyEhAt7Ncu18vLX93XJJ8C1QRsldVKVKBICvBuEEhmjIogsqaYzt4P + F5dOBE7X96YNbBhMwQq5i3fpPAWimMa5NyiHTBXapysMOMgbHQNuz4WqvZ2+8SMt + UcvopXfB9jCs4aSmGQl/MsB05bK1rLD07HMCi6agehLS3L1D8H2tCc/zzVbofUU2 + Ca7PIMBLfxDUmPROt4jXV63273v8zVHbnldhZ/vQTh3di7+qaIplCBnMNUQkm9MA + oHVvunpC80LGV8B+SH7vPhoRNuQ+flIa+TJvF4dDF5MHnFWgaLw82lNBVQcM37ur + BULfkmgoRS5psQHIBrtrwseduNr9uiDCumqCCgXtPyhEcU8jC/KrS5KE2IWo8JTS + XgFzC7w/aThRoO5HRfK6LDGpMC2MP22ya7Ya+vHyl3IqjjxeMBQUXpYUqg2RFRtI + acB4MHIjptJGwHdNH8Y5SnEWF8ZqpY1RJ1LpMa/FDKgq1iOjzu1R3yF45l+SNUQ= + =TaOr + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/hedgedoc/upsert-secret-hedgedoc-database-mariadb.sh b/clusters/svc.dd.soeren.cloud/hedgedoc/upsert-secret-hedgedoc-database-mariadb.sh new file mode 120000 index 0000000..f6e6336 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/hedgedoc/upsert-secret-hedgedoc-database-mariadb.sh @@ -0,0 +1 @@ +../../../apps/hedgedoc/components/database-mariadb/upsert-secret-hedgedoc-database-mariadb.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/homer/config.yml b/clusters/svc.dd.soeren.cloud/homer/config.yml new file mode 100644 index 0000000..068b965 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/homer/config.yml 
@@ -0,0 +1,256 @@ +--- +title: "App dashboard" +subtitle: "Homer" +logo: "assets/logo.png" +header: false # Set to false to hide the header +footer: "" +columns: "3" # "auto" or number (must be a factor of 12: 1, 2, 3, 4, 6, 12) +connectivityCheck: true # whether you want to display a message when the apps are not accessible anymore (VPN disconnected for example). +# You should set it to true when using an authentication proxy, it also reloads the page when a redirection is detected when checking connectivity. + +# Optional: Proxy / hosting option +proxy: + useCredentials: false # send cookies & authorization headers when fetching service specific data. Set to `true` if you use an authentication proxy. Can be overrided on service level. + +# Set the default layout and color scheme +defaults: + layout: columns # Either 'columns', or 'list' + colorTheme: auto # One of 'auto', 'light', or 'dark' + +# Optional theming +theme: default # 'default' or one of the themes available in 'src/assets/themes'. + +# Optional custom stylesheet +# Will load custom CSS files. Especially useful for custom icon sets. +# stylesheet: +# - "assets/custom.css" + +# Here is the exhaustive list of customization parameters +# However all value are optional and will fallback to default if not set. +# if you want to change only some of the colors, feel free to remove all unused key. 
+colors: + light: + highlight-primary: "#3367d6" + highlight-secondary: "#4285f4" + highlight-hover: "#5a95f5" + background: "#f5f5f5" + card-background: "#ffffff" + text: "#363636" + text-header: "#424242" + text-title: "#303030" + text-subtitle: "#424242" + card-shadow: rgba(0, 0, 0, 0.1) + link: "#3273dc" + link-hover: "#363636" + background-image: "assets/your/light/bg.png" + dark: + highlight-primary: "#3367d6" + highlight-secondary: "#4285f4" + highlight-hover: "#5a95f5" + background: "#131313" + card-background: "#2b2b2b" + text: "#eaeaea" + text-header: "#ffffff" + text-title: "#fafafa" + text-subtitle: "#f5f5f5" + card-shadow: rgba(0, 0, 0, 0.4) + link: "#3273dc" + link-hover: "#ffdd57" + background-image: "assets/your/dark/bg.png" + +links: [] + +# Services +# First level array represents a group. +# Leave only a "items" key if not using group (group name, icon & tagstyle are optional, section separation will not be displayed). +services: + - name: "Application" + icon: "fa-solid fa-rocket" + items: + - name: "Whoogle" + logo: "assets/tools/sample.png" + # Alternatively a fa icon can be provided: + icon: "fab fa-vault" + tag: "vault" + keywords: "self selfhosted hosted vault security" + url: "https://whoogle.svc.dd.soeren.cloud" + target: "_blank" + - name: "Pastebin" + logo: "assets/tools/sample.png" + # Alternatively a fa icon can be provided: + icon: "fab fa-vault" + tag: "vault" + keywords: "self selfhosted hosted vault security" + url: "https://bin.svc.dd.soeren.cloud" + target: "_blank" + - name: "Changedetection" + logo: "assets/tools/sample.png" + # Alternatively a fa icon can be provided: + icon: "fab fa-vault" + tag: "vault" + keywords: "self selfhosted hosted vault security" + url: "https://changedetection.svc.dd.soeren.cloud" + target: "_blank" + - name: "Mealie" + logo: "assets/tools/sample.png" + # Alternatively a fa icon can be provided: + icon: "fab fa-vault" + tag: "vault" + keywords: "self selfhosted hosted recipe rezept cook" + url: 
"https://mealie.svc.dd.soeren.cloud" + target: "_blank" + + - name: "Development" + icon: "fas fa-code-branch" + items: + - name: "Gitea" + logo: "assets/tools/sample.png" + # Alternatively a fa icon can be provided: + icon: "fab fa-vault" + tag: "vault" + keywords: "self selfhosted hosted vault security" + url: "https://gitea.svc.dd.soeren.cloud" + target: "_blank" + - name: "Yaade" + logo: "assets/tools/sample.png" + # Alternatively a fa icon can be provided: + icon: "fab fa-vault" + tag: "vault" + keywords: "self selfhosted hosted vault security" + url: "https://yaade.svc.dd.soeren.cloud" + target: "_blank" + - name: "httpbin" + logo: "assets/tools/sample.png" + # Alternatively a fa icon can be provided: + icon: "fab fa-vault" + tag: "vault" + keywords: "self selfhosted hosted vault security" + url: "https://httpbin.svc.dd.soeren.cloud" + target: "_blank" + - name: "string-is" + logo: "assets/tools/sample.png" + # Alternatively a fa icon can be provided: + icon: "fab fa-vault" + tag: "vault" + keywords: "self selfhosted hosted string strings conversion" + url: "https://string-is.rs.soeren.cloud" + target: "_blank" + + - name: "Security" + icon: "fa-solid fa-shield" + items: + - name: "Vault" + logo: "assets/tools/sample.png" + icon: "fab fa-vault" + tag: "vault" + keywords: "self selfhosted hosted vault security" + url: "https://vault.ha.soeren.cloud" + target: "_blank" + + - name: "PIM" + icon: "fa-regular fa-calendar" + items: + - name: "aether" + tag: "other" + url: "https://aether.svc.dd.soeren.cloud" + target: "_blank" + - name: "Linkding" + tag: "other" + url: "https://linkding.svc.dd.soeren.cloud" + target: "_blank" + - name: "Paperless-NGX" + tag: "other" + url: "https://paperless-ngx.svc.dd.soeren.cloud" + target: "_blank" + - name: "Wiki" + tag: "other" + url: "https://wiki.svc.dd.soeren.cloud" + target: "_blank" + + - name: "NAS" + icon: "fa-solid fa-file" + items: + - name: "Syncthing" + tag: "other" + url: "https://nas.dd.soeren.cloud/syncthing" + 
target: "_blank" + + - name: "Media" + icon: "fa-solid fa-film" + items: + - name: "Navidrome" + tag: "other" + url: "https://navidrome.svc.dd.soeren.cloud" + target: "_blank" + - name: "Immich" + tag: "other" + url: "https://immich.svc.dd.soeren.cloud" + target: "_blank" + - name: "Jellyfin" + tag: "other" + url: "https://jellyfin.svc.dd.soeren.cloud" + target: "_blank" + - name: "VCR" + tag: "other" + url: "https://vcr.svc.dd.soeren.cloud" + target: "_blank" + + - name: "Downloads" + icon: "fa-solid fa-download" + items: + - name: "Transmission" + tag: "other" + url: "https://swiss.soeren.cloud" + target: "_blank" + - name: "Radarr" + tag: "other" + url: "https://media.svc.dd.soeren.cloud/radarr" + target: "_blank" + - name: "Sonarr" + tag: "other" + url: "https://media.svc.dd.soeren.cloud/sonarr" + target: "_blank" + - name: "Prolwarr" + tag: "other" + url: "https://media.svc.dd.soeren.cloud/prowlarr" + target: "_blank" + + - name: "Home Automation" + icon: "fa-solid fa-wand-magic" + items: + - name: "Home Assistant" + tag: "other" + url: "https://hass.svc.dd.soeren.cloud" + target: "_blank" + - name: "Vacuum Cleaner" + tag: "other" + url: "https://vacuum.dd.soeren.cloud" + target: "_blank" + + - name: "Monitoring" + icon: "fas fa-heartbeat" + items: + - name: "Grafana" + tag: "other" + url: "https://rs.soeren.cloud/grafana" + target: "_blank" + - name: "Karma" + tag: "other" + url: "https://karma.svc.dd.soeren.cloud" + target: "_blank" + - name: "Prometheus" + tag: "other" + url: "https://prometheus.svc.dd.soeren.cloud" + target: "_blank" + - name: "Alertmanager" + tag: "other" + url: "https://alertmanager.svc.dd.soeren.cloud" + target: "_blank" + - name: "Blackbox Exporter" + tag: "other" + url: "https://blackbox-exporter.svc.dd.soeren.cloud" + target: "_blank" + - name: "Pushgateway" + tag: "other" + url: "https://pushgateway.svc.dd.soeren.cloud" + target: "_blank" 
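Review bot: The Downloads entry `name: "Prolwarr"` misspells the application that its URL `https://media.svc.dd.soeren.cloud/prowlarr` points to; it should read `name: "Prowlarr"`. Separately, the Whoogle, Pastebin, Changedetection, Gitea, Yaade and httpbin entries all carry a copy-pasted `tag: "vault"` and `keywords: "self selfhosted hosted vault security"` from the Vault entry, so a dashboard search for "vault" surfaces six unrelated apps; give each its own tag and keywords or drop the placeholder ones.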
diff --git a/clusters/svc.dd.soeren.cloud/homer/kustomization.yaml b/clusters/svc.dd.soeren.cloud/homer/kustomization.yaml
new file mode 100644
index 0000000..13589c6
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/homer/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: homer
+resources:
+ - ../../../apps/homer
+ - namespace.yaml
+components:
+ - ../../../apps/homer/components/istio
+configMapGenerator:
+ - name: homer-config
+ files:
+ - config.yml
diff --git a/clusters/svc.dd.soeren.cloud/homer/namespace.yaml b/clusters/svc.dd.soeren.cloud/homer/namespace.yaml
new file mode 100644
index 0000000..5ceee68
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/homer/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: homer
+ labels:
+ name: homer
diff --git a/clusters/svc.dd.soeren.cloud/httpbin/kustomization.yaml b/clusters/svc.dd.soeren.cloud/httpbin/kustomization.yaml
new file mode 100644
index 0000000..ea3cf9f
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/httpbin/kustomization.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: httpbin
+resources:
+ - ../../../apps/httpbin
+ - namespace.yaml
+components:
+ - ../../../apps/httpbin/components/istio
+patches:
+ - target:
+ kind: VirtualService
+ name: httpbin
+ patch: |-
+ - op: replace
+ path: "/spec/hosts"
+ value:
+ - "httpbin.svc.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/httpbin/namespace.yaml b/clusters/svc.dd.soeren.cloud/httpbin/namespace.yaml
new file mode 100644
index 0000000..d1525ee
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/httpbin/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: httpbin
+ labels:
+ name: httpbin
diff --git a/clusters/svc.dd.soeren.cloud/immich/immich-pv.yaml b/clusters/svc.dd.soeren.cloud/immich/immich-pv.yaml
new file mode 100644
index 0000000..27f1c49
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/immich/immich-pv.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: immich
+spec:
+ accessModes:
+ - ReadWriteMany
+ capacity:
+ storage: 75Gi
+ storageClassName: local-storage
+ local:
+ path: /mnt/k8s/immich/immich
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - k8s.dd.soeren.cloud
diff --git a/clusters/svc.dd.soeren.cloud/immich/kustomization.yaml b/clusters/svc.dd.soeren.cloud/immich/kustomization.yaml
new file mode 100644
index 0000000..226637a
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/immich/kustomization.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: immich
+resources:
+ - ../../../apps/immich
+ - namespace.yaml
+ - immich-pv.yaml
+ - postgres-pv.yaml
+ - sops-secret-immich.yaml
+ - sops-secret-restic-immich-data.yaml
+ - sops-secret-restic-immich-postgres.yaml
+components:
+ - ../../../apps/immich/components/restic-postgres
+ - ../../../apps/immich/components/restic-pvc
+ - ../../../apps/immich/components/istio
+ - ../../../apps/immich/components/pvc
+ - ../../../apps/immich/components/pgvector
+patches:
+ - target:
+ kind: VirtualService
+ name: immich
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - immich.svc.dd.soeren.cloud
diff --git a/clusters/svc.dd.soeren.cloud/immich/namespace.yaml b/clusters/svc.dd.soeren.cloud/immich/namespace.yaml
new file mode 100644
index 0000000..343a49b
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/immich/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: immich
+ labels:
+ name: immich
diff --git a/clusters/svc.dd.soeren.cloud/immich/postgres-pv.yaml b/clusters/svc.dd.soeren.cloud/immich/postgres-pv.yaml
new file mode 100644
index 0000000..99048bd
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/immich/postgres-pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: immich-postgres
+spec:
+ accessModes:
+ - ReadWriteOnce
+ capacity:
+ storage: 10Gi
+ storageClassName: local-storage
+ claimRef:
+ namespace: immich
+ name: immich-postgres
+ local:
+ path: /mnt/k8s/immich/postgres
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - k8s.dd.soeren.cloud
diff --git a/clusters/svc.dd.soeren.cloud/immich/sops-secret-immich.yaml b/clusters/svc.dd.soeren.cloud/immich/sops-secret-immich.yaml
new file mode 100644
index 0000000..50c174d
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/immich/sops-secret-immich.yaml
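Review bot: The `immich` PersistentVolume in this hunk has no `claimRef`, while `immich-postgres` in the following hunk pins itself with one, so this volume is matched on storageClassName, capacity and accessModes only and a 75Gi ReadWriteMany claim on `local-storage` from any other namespace could bind to `/mnt/k8s/immich/immich` first. Pin it the same way, `claimRef: {namespace: immich, name: <immich-pvc-name>}`, using the PVC name defined by the `pvc` component (not visible in this diff). A one-line comment on `accessModes` noting that ReadWriteMany on a `local` volume only holds because every consumer is scheduled to `k8s.dd.soeren.cloud` would also help the next reader.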
@@ -0,0 +1,54 @@ +apiVersion: v1 +data: + DB_PASSWORD: ENC[AES256_GCM,data:cWQlIn5sOhA=,iv:HUbT9yiL1Obm1dRHMo8eLgb9ywTb4fu8U43cbgvvZRY=,tag:edhOM0ZHRT3emGesvzspDQ==,type:str] + DB_USERNAME: ENC[AES256_GCM,data:95iBUmmK414=,iv:AYRirysicWT4KIzZDb1B9q6g1EhVSlvE3CnU/GpQghc=,tag:4z9EBfGS+22Eln/oBHy5AQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: immich + namespace: immich +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:11Z" + enc: vault:v1:CFMBfTMQwn4laYw+q0emkD43KtEl2g7jeAHj7pKthFyAFXZGJjN94u4CzclJfh0dHcucp8nU5EMt+jBa + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbGNnb1RzekRzcHh2bzJL + MEg0Mm1aV1EzNVZJZWtjaTdrcWR0MXJGM1FVCmtQWmROMDJraE9rdDVjMjZzUENk + cStMeFVhNWxzNnlFbi9GdkNmMTY5M1UKLS0tIGxzUjVXd0hPdk54L2QwT2ZPNEFI + NmhtVmRYbzFWUmtwNnl4cUtQRzVKRFUKArz5V+upi/JTJ586g6VduUdyVDlBIvEs + y+ihUQjVJshNMxPJA4fTgwsb2oAk3hegkJLyDRbCVmik8ynOjsx7Ow== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:45Z" + mac: ENC[AES256_GCM,data:n9nL+j8257k01lB+Qi7nlsCiRfdMA+yZC9klRZWCPTBXZ3HvE5WszmtJzVa1e2O/FdiOMVhgX/TSigC65dI5zI8+C5+9WaJ8N2wmhj62l1FfhD73O9xPYaijcjbGB+IJTnvY8dbnzfTkTzJD+ItzMRyb+wjtqAI7C3OVccHIE44=,iv:ERCtQIHb+YSDHKIaA/fvfIfjE8mZE2A9j2ZE5eKKzhc=,tag:qerYtlFStcoJT8p1Rr25VA==,type:str] + pgp: + - created_at: "2024-06-28T08:37:11Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/+L+H9RKlpQhtk7DaW98krVXeqZAIsRPv4HymKsP/rc9Ib + TmDKOxCdJ2bd3NkzjpNPdcMYAGe8wqJzGClnF9jzLlDn67+WQdf5rrEE+6kgzbsC + bBoM0Z2IxDp2OWUXbeqCJUQNFOD6JnC78GiW0mnCEknKCbt3C1l8/ZZs3zZ9DHFC + tu0II/1mgZlQ9bqROHd5w5gR/1gL5BnnbU9U+z5fxNO+56+2x2vobUQlHmHyKYEx + 30Pv7r+mtUWBt9V3Cu7IYYyURy6pSeEfsLBXNIeZDpXrOOzgsUcVfoQUoxv1YmJs + 
k1hWUynJM0SaGwj6BP1ZVN+6/x4OMpQylrM70xNcOAhd/uScqiKdvMtWNIL4/YwL + o1FAgB8ScMfC14rLePl/lYIr8h+r053TIeQ8T7ud6RCr/EnJxC7agfqn0WuTO0Xv + ccrhxhNQfwMWbx+9zIQMz7fZBKywlMzD+cPZcAgf/7/LOAhl1BuooWURGdndnH+3 + CyEleGM6Dldb00Gfcpv4Z2+ufMxdq/trizkXCRHQGJkeSqC245N0UbRum/nj5Cva + thzxMICHmk8caz3xniRIx2G/nJEuKnrbAYbzsLMQJz721+IdpiqtPH6btomeKXJ+ + MxEUDR9sNXcf6p9qptrLSi7z56HcIkozNYmsKD+x7HI0/diiKqaXjRAA9bJ2Gs/S + XgEatk3auQv3MDVIFdo6JM2h1Jp+vlpNhdoosSP5LxR75jTtJx/BuziTaAerr3IS + LBnTboG+UzleOx7uRbqbefhSmav2wWksUQmXGrl9YGdBQN172peUP8rnQtvD7Dc= + =1+7F + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/immich/sops-secret-restic-immich-data.yaml b/clusters/svc.dd.soeren.cloud/immich/sops-secret-restic-immich-data.yaml new file mode 100644 index 0000000..99f288b --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/immich/sops-secret-restic-immich-data.yaml 
@@ -0,0 +1,56 @@ +apiVersion: v1 +data: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:inFI62pe600fQbN1lZTedcACJmOZ0vmiTp28WQ==,iv:a04CjyK3lGNQqxzdpNqm2/yQ522+vL2cTsUs9FqteHA=,tag:4fJ5FlwNOup+ViPLA3m7PA==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:Zhiu9h216z7/MBrrOMwlKgHtxHQW3qObTfVefkrr+agjBfADXfz7JwOICn05WZt2ciyQEaidXjg=,iv:MNcPnvzXKlvL7mS3PieQuaKgPda+wl8AoqZZK6be4T4=,tag:pELEMW3yMwqMUPyxz5h4gQ==,type:str] + RESTIC_PASSWORD: ENC[AES256_GCM,data:c9vhNu+/vKrcCjcQN1gwXe7gBPgYPWex9tY8WJMrjN2U9YABFZ52Xx7b1tBy/vAV6GYNP0j6pSaD4MEj5Ve9+k02xjc=,iv:2gQT26oJWCYxYkuwOeV9N6mj5hpvy9oLi9AwP+yfVCc=,tag:ZVGlVwLhBl8+cVQbXJnwmA==,type:str] + RESTIC_REPOSITORY: ENC[AES256_GCM,data:7pg1n082n9wZwYyNfawdj8+v708s2bKlSBOiTYNHgo/NJiyLN5gmy1ymHRGRzMtMpc57mGFKIiKk4hy+zhWI/jaFTg00VvcNJJzmLog9KtY7RI6l,iv:SOW43CfUR2ewfBKwe1UjsQ8NOM3oXdewyO31FQhZTNw=,tag:bPNUs6SDB0Zn0ThWluElaw==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: restic-immich-data + namespace: immich +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:11Z" + enc: vault:v1:xAEB70jklqObVNYeLyQ8cKN+mz1UC3UAO/MiY85tzPA927WDMAwCSSUWpi39hY0adSHrfM+TmJTO+hUz + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3SFZIUTF2S3dhK2NTdDFx + Qk1JeC9GWFNhWURYenptS3pNQVhKOXJWMkJFCjB1STFzd3A5VVE4REdmRFNQRDRY + dXRSUmIrUGFwYXJwRXdUK2RnNnNoZU0KLS0tIHNmZkVDQi8vOE9WM3lYc1V4aGNS + T2tzcXBmUFROaTlaMldCKzdDSEQ2NUkKtMwx2jnFpelixO7XFZviFNahTXDJu3CX + hgAPXsr2N9wOX6Kte1AXgqp/no6A70gnLEGQALHgxOvVtnmCB+2tkg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:45Z" + mac: 
ENC[AES256_GCM,data:9ZLEKTQ90RyD/+XVkbjTuDCfM6PHAKZrWegTdLTbHmwe9BflkNjxudHIBUgL6VoSXYijEjJA9VVgUvP9SSuJxKd+i9zPNP0XGpfnTmgKtfE3hv4yCK7Mi0gMRko3spccRYsOyKv7i3Qn7nQiXk66gkGVV/hfynedySWS18J1TBg=,iv:r0lrOe6BIgjsa8+2TPxb1ER1mQ+Njnu13aK3ru+v81w=,tag:lgqHqVkg+dcNoRG0qNuXfw==,type:str] + pgp: + - created_at: "2024-06-28T08:37:11Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAjgiyQKcfFQpIbsnAjnqEjVsI8fHuNJjoaunhLTGbrq7O + fWIY2eMtLnIQGyHFxBymSUCXFJYpeISvM6ga61WUpOhiTxrkPPys57kADst4I9nn + 0W3xWb3/wZUHXB9UWn0PR70zj72vVCn3jmkX5mv3E7GupZHr2ie5cKlMt/DdY2uz + qQSmMPJi2RZ6kI7TtYDGcsDncPgVzf1sQrkedXY6fnr5EQHCQN4+z/ezs33dDbbt + jFN2kn/YD4ypQkzHCYd7MqQOKA8NpETE9GOi0ZKkq8bXcaJpn702w8nmTNUXPpcY + KMaHLEExuA7j52YYrrm2eU5IbhKGO8MpoKY1IbhR48byiCoX+ZZ8Zzh74W9j00Hv + bo/yJr0Jer9ZAJ6f8XGlcQ0jDrwuED+AAhzY2FNIoJFJxVNjWoUTYVCoeDDkxAaR + Rm3xthrQt3iI5jg07VuvxtwwGsy4HGhHIzXUoWwl+nlyLM8dj6fB8+VxPT7yRxVm + otk6LAQVAh8czZm8oN1Ieyo+2w25OzmK3cs/u4AQ8/6g1dQVlMW5tlG3lP5ii8YS + +EFN+MDh9Z4LFnVQnGFQ8rXogrdkun4SbmOUSj9+QUdAWIWEbUezwVFTy0kqrE4C + j9tK+AzmamcXJ94COFo/njbbCFT11ZP1XS0DqnIxJogqH71al+ytWdrWh6P8gqDS + XAG0f5pl1Vkok5QqfzoQZhet7Ma93qg+aeLdsgv6XIfWqizFNy483fTZhQk9C4T+ + vFBdhZ4J1vHPxP+xKwG5mR7yIK+Sw4xBakWY6IHI7yoBiEUarPN6d6zpJrSO + =y3A9 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/immich/sops-secret-restic-immich-postgres.yaml b/clusters/svc.dd.soeren.cloud/immich/sops-secret-restic-immich-postgres.yaml new file mode 100644 index 0000000..18f444d --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/immich/sops-secret-restic-immich-postgres.yaml 
@@ -0,0 +1,56 @@ +apiVersion: v1 +data: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:biVYUl455AACFIKXJAzK01NltKrg8iw2HEMvEA==,iv:tntlesE7UOeJmkBIg3EuUMENJ394/ndu49r19+vKoqE=,tag:U0EWU0gsVHcPX7hfB/GZAQ==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:SEkxH+L9ML5m54WElCf2AnAJDCVpdb0x9MfUN6tkKx/3Fum6VFLo+bQeCS2s+x4XOT/WzLMXpQk=,iv:BkRb91IqBfl2YaphCckp2vKglMaq3SWDQsBWFQLZENM=,tag:8/FjBMNA3UyYNRLpAJe/Gg==,type:str] + RESTIC_PASSWORD: ENC[AES256_GCM,data:uABb2VhE0tqdk/E/WFEV75MbOoHwozheNC2iLLHRQmrNPwDHRYRpuq8KDQ8w/OuOlq+K04tOm6OofvMGnDHwN6UBklg=,iv:NxSDnQ0lMekN0WwKUnjlhHWObaubB0alhcC/IBeDwfA=,tag:NRxBcx/hpSsOFwGwjNoHDw==,type:str] + RESTIC_REPOSITORY: ENC[AES256_GCM,data:ThjNeY+uPghoMDK0Pz8Z3UyjL+nbivX/dIenVcA6k+AmJn3qVfuBPQyaqCiXpohc2NInVFosM7Ru0DaA14qRrs5LVMVD4imEILZxr4O5dIvKttTzvBitQQ==,iv:ST8NRr4eJLBWYHEiC90P6yh1UbTJoPF4KtR+33Ye9/4=,tag:kiQgEijo/CshFkxIHMDwxg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: restic-immich-postgres + namespace: immich +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:10Z" + enc: vault:v1:ZWN496JkfEHA9k6GUgVyiHQSbBUJmgpBhqrRydlcUBS5BC0X0NB13vnsmfgaBgTRDN06CU/pVjUlb7yZ + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZUFNzdFZxSXkzNDJtWndI + NkxTOWwxYmRiUnlkc2RnM3dkRDY0NWhYb1MwCm00N3pscHdGU0s4Q2xLZjNZVEl4 + UWNkSWh5ajdnei9GMlpleEc2N3V0c00KLS0tIG5MNlZsUXUxVGcrUG1KMHhXWXFZ + RnpVTUxtaE9NS0ZlamlmTkNyM2xZYXMKx3FLupzoHj4BsbTMz8YyX0llNRRdGHsd + bi18w8M91WlzttGbn9aJmDC+PDC2epKZTnL3yyIVOgcWGVe8yB585w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:44Z" + mac: 
ENC[AES256_GCM,data:JDFpZ/DQ7CiWRjkFio50PP5BVgxYeVRzFGfyoOB2M8N1WvJZPRWBwyy9hESaxLzKyi9OKZPU4TDctAZ3F/5AhdqSWSHyvL0Q7nA9chzMQtCl6x8bCCDWj4mrm2jKM8id70VOiGuGHaWwFk/C+Wdi2U6iJRy9vzZUkP0BdjKNxC0=,iv:kjAUyogi1uNeNEVCnWqrnGD3HstZav5O7AMDxAlQUcg=,tag:Dm5j4dLeOK+e/4f91laoqQ==,type:str] + pgp: + - created_at: "2024-06-28T08:37:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//QhB6qrciEFPqZ5tqAIYz3xLP5Nt31lEC2CjxVwo/NTIb + wPpKa58ecSPVehyFrjYNDr0G/pEOy1K1vMxbRMmKRLxOFEA2iCqX1Bc//PEA7liT + dv2HZgA6kt8B/YMp3nPSi2uRC2/MMNOId1o8zejw3WsJR63+b31AbRr5KGOxpxYx + ubKzp4zFKKnyUnr5J8FnaroYRSDXtERmsjMvmnftsc61H2PcjL00c1S8HXGXJg4b + 89VTwlp0IiJBvPKnXUbfbSSyFhs4JpG9n1DxTbA3WueavQD8nvY0plIc5M4BoTQn + FvOmmSftb0ivEiNo89Ii1PXKz1ieWq6eN/Nww2jIc4MLAvBw/7wBjI/1Lc85otLQ + GVW9aILyrJMIOjOptbsguAhjbwXteQdGHHcB5suBQtJcZWI+I7c7jllLl0i2cYgX + TxSwYvSDUSxE2+DWzGJt9FMMGH2afn+0v/4nlnuG2ErXqpfKBtl4dwjB+E55KjDt + XDp3gdAGMtwtnYuTW0YiTcLFyNBasby0ViLc8DeABhYyyPUDgxNRbwacajzCqOSs + JJEMUB8/v23dXHRF/rez1ZryFIHtx/rBCD2u/Yh331u3013j6vnJyd1zrlvO7bfm + p1bAaQk9VJcdhKPMrVzM42Zjxk4VvtwYAzTaUOVAE3q4VaRLsCbo4CWoq6GL/ofS + XgGSSkrn00F4H7Sm1zYhe5b4Z6ZPE9aiU3e5YwqsUNFV6L9/S+wOLSviZGMSA3ng + ExAyzhbQOZkM5zQkfKCj0DVFkFz5AesnMGZsnpsQ3YJRxrFlnMb7CdHmk2sqQOY= + =XmXz + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/immich/upsert-secret-immich-restic-postgres.sh b/clusters/svc.dd.soeren.cloud/immich/upsert-secret-immich-restic-postgres.sh new file mode 120000 index 0000000..c9c1537 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/immich/upsert-secret-immich-restic-postgres.sh @@ -0,0 +1 @@ +../../../apps/immich/components/restic-postgres/upsert-secret-immich-restic-postgres.sh \ No newline at end of file 
diff --git a/clusters/svc.dd.soeren.cloud/immich/upsert-secret-immich-restic-pvc.sh b/clusters/svc.dd.soeren.cloud/immich/upsert-secret-immich-restic-pvc.sh
new file mode 120000
index 0000000..973a743
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/immich/upsert-secret-immich-restic-pvc.sh
@@ -0,0 +1 @@
+../../../apps/immich/components/restic-pvc/upsert-secret-immich-restic-pvc.sh
\ No newline at end of file
diff --git a/clusters/svc.dd.soeren.cloud/immich/upsert-secret-immich.sh b/clusters/svc.dd.soeren.cloud/immich/upsert-secret-immich.sh
new file mode 120000
index 0000000..d382a19
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/immich/upsert-secret-immich.sh
@@ -0,0 +1 @@
+../../../apps/immich/upsert-secret-immich.sh
\ No newline at end of file
diff --git a/clusters/svc.dd.soeren.cloud/infra/storage/kustomization.yaml b/clusters/svc.dd.soeren.cloud/infra/storage/kustomization.yaml
new file mode 100644
index 0000000..20c9e34
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/infra/storage/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../infra/local-storageclass
+ - ../../../../infra/priority
+components:
+ - ../../../../infra/local-storageclass/components/mark-default-storageclass
diff --git a/clusters/svc.dd.soeren.cloud/infra/vault-auth/kustomization.yaml b/clusters/svc.dd.soeren.cloud/infra/vault-auth/kustomization.yaml
new file mode 100644
index 0000000..b07ccd9
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/infra/vault-auth/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../infra/vault-auth
diff --git a/clusters/svc.dd.soeren.cloud/istio/certificate.yaml b/clusters/svc.dd.soeren.cloud/istio/certificate.yaml
new file mode 100644
index 0000000..d69e2bb
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/istio/certificate.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ingress-cert
+ namespace: istio-system
+spec:
+ secretName: ingress-cert
+ commonName: '*.svc.dd.soeren.cloud'
+ dnsNames:
+ - '*.svc.dd.soeren.cloud'
+ issuerRef:
+ name: letsencrypt-dns-prod
+ kind: ClusterIssuer
+ group: cert-manager.io
diff --git a/clusters/svc.dd.soeren.cloud/istio/gateway.yaml b/clusters/svc.dd.soeren.cloud/istio/gateway.yaml
new file mode 100644
index 0000000..56dd163
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/istio/gateway.yaml
@@ -0,0 +1,96 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: gateway
+ namespace: istio-system
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 22
+ name: ssh
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+ tls:
+ httpsRedirect: true
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: ingress-cert
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: https-passthrough
+ protocol: HTTPS
+ tls:
+ mode: PASSTHROUGH
+ hosts:
+ - minio.svc.dd.soeren.cloud
+ - minio-console.svc.dd.soeren.cloud
+ - port:
+ number: 1883
+ name: mqtt
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 8883
+ name: mqtt-tls
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 53589
+ name: taskd
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 3306
+ name: "mariadb"
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 4567
+ name: "replicate-tcp"
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 4568
+ name: "iss"
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 4444
+ name: "sst"
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 5671
+ name: "amqp-tls"
+ protocol: TCP
+ hosts:
+ - "*"
+ - port:
+ number: 9094
+ name: "am-cluster"
+ protocol: TCP
+ hosts:
+ - "*"
diff --git a/clusters/svc.dd.soeren.cloud/keycloak/keycloak.properties b/clusters/svc.dd.soeren.cloud/keycloak/keycloak.properties
new file mode 100644
index 0000000..3fc27c5
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/keycloak/keycloak.properties
@@ -0,0 +1,4 @@
+KC_HOSTNAME=keycloak.svc.dd.soeren.cloud
+KC_DB_URL_HOST=dbs.dd.soeren.cloud
+KC_DB_URL_PROPERTIES=?sslMode=verify-full
+KC_TRANSACTION_XA_ENABLED=false
diff --git a/clusters/svc.dd.soeren.cloud/keycloak/kustomization.yaml b/clusters/svc.dd.soeren.cloud/keycloak/kustomization.yaml
new file mode 100644
index 0000000..5de69fb
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/keycloak/kustomization.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: keycloak
+resources:
+ - ../../../apps/keycloak
+ - namespace.yaml
+ - sops-secret-keycloak.yaml
+components:
+ - ../../../apps/keycloak/components/istio
+ - ../../../apps/keycloak/components/istio-proxy
+ - ../../../apps/keycloak/components/db-mariadb
+patches:
+ - target:
+ kind: Deployment
+ name: keycloak
+ patch: |-
+ - op: add
+ path: /spec/template/spec/priorityClassName
+ value: prod-high-prio
+ - op: replace
+ path: /spec/template/spec/containers/0/args
+ value:
+ - start
+ - target:
+ kind: VirtualService
+ name: keycloak
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - keycloak.svc.dd.soeren.cloud
+configMapGenerator:
+ - name: keycloak
+ behavior: merge
+ envs:
+ - keycloak.properties
diff --git a/clusters/svc.dd.soeren.cloud/keycloak/namespace.yaml b/clusters/svc.dd.soeren.cloud/keycloak/namespace.yaml
new file mode 100644
index 0000000..c2d675a
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/keycloak/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: keycloak
+ labels:
+ name: keycloak
diff --git a/clusters/svc.dd.soeren.cloud/keycloak/sops-secret-keycloak-db-mariadb.yaml b/clusters/svc.dd.soeren.cloud/keycloak/sops-secret-keycloak-db-mariadb.yaml
new file mode 100644
index 0000000..5203010
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/keycloak/sops-secret-keycloak-db-mariadb.yaml
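Review bot: The plain `protocol: TCP` servers in the Gateway (22, 1883, 53589, 3306, 4567, 4568, 4444, 9094) are all bound with `hosts: "*"` and no `tls:` block, so the ingress gateway forwards those byte streams without terminating TLS or authenticating the client; whatever the matching VirtualServices route 3306 and the 4567/4568/4444 replication ports to must therefore enforce its own TLS and credentials, and the ingress Service should not expose them further than the network that needs them. Nothing in this file records that intent, so a comment on the `servers:` list such as `# TCP servers below are opaque passthrough: no TLS or auth at the gateway, backends must enforce both` would prevent a later reader from assuming the gateway protects them. Minor style: the `name:` values switch from unquoted (`ssh`, `mqtt`) to quoted (`"mariadb"`, `"sst"`) halfway through the list, and `networking.istio.io/v1alpha3` could be moved to the `v1` API if the installed Istio supports it.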
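Review bot: The keycloak kustomization lists `sops-secret-keycloak.yaml` under `resources:` but not `sops-secret-keycloak-db-mariadb.yaml`, which the next hunk adds to the same directory and which holds `KC_DB_USERNAME`/`KC_DB_PASSWORD`; if kustomize is the path that renders these secrets (the immich kustomization earlier in the diff lists all three of its sops files), the `db-mariadb` component will reference a Secret that is never applied. Either add `- sops-secret-keycloak-db-mariadb.yaml` to `resources:` or, if the upsert symlink applies it out of band, say so in a comment next to `resources:`. In keycloak.properties, `KC_DB_URL_PROPERTIES=?sslMode=verify-full` is the right choice and deserves a one-line comment that it requires the MariaDB server certificate to chain to a CA the Keycloak container trusts and to match `dbs.dd.soeren.cloud`, since a trust-store mismatch will surface only as a startup failure.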
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + KC_DB_PASSWORD: ENC[AES256_GCM,data:KGtwUaQ/YnsiBYeE8tfjkZnUdcK7XBOh,iv:lY09skNS3//jzF8LeLVh1dZSbV3l0JNdAYFneV3/8hc=,tag:DeRTyy3XMTqt002n7QRf2g==,type:str] + KC_DB_USERNAME: ENC[AES256_GCM,data:g/1uBgxFp2DsHGhH,iv:QCkYrGPkZZP6ZuMlvOkagsT4sA12e6ZTpi07cL8anzU=,tag:DXswGonsqfAc0+wBDZ1bkg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: keycloak-db-mariadb +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:26Z" + enc: vault:v1:80xN8W9VrdyEmzov5r0P4f7YGVA6yfTnAO3SkmWva/e9dOc593eU60oJLNS209P2ARPdIdcc3OutL6B2 + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBScXljUjdLVEwyWlFsU2pT + MEl4OWZkaE5zUDQwL01zdk4wVE9VRWFxNWhzClpCaS9MSHFqYUhNdjNaVVlzLy9Q + WCtTTCtIUnhWMFY3NjlsNzRHNVFCTTgKLS0tIFVVSjdnblFVZlJpY203WXByQVVs + YWp2aFFCbUdPMDNKTmRwZTk2SkRJc0UKiWaDmV/lhjEm7oBP9Cd/pY49hJT0y8Uc + qbwEcnCjUlRosCGlkhx+TeSWlXwjZ4+2nwlATglUolCzQFxupFneuA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:35Z" + mac: ENC[AES256_GCM,data:FKI3S/gMfIsCSgohMyFcEgTHISCODbYkv0ZrV//lluiHLBqh3sJIZReN3QWTPqqDy+J+drfXMQOiW+2VAUiarulg9X/9Ah4j+Xw4+U90lYDSmTXRGe/jOgYTRtBSiDpOuUfNufBpkN2w2mN91/a5VkerF2jATc9hboC+Kve30yc=,iv:80YUdlzaFeb/Gl2zKuNWxOnpP/dYGDHgC+vOEwSav6Q=,tag:my4MTgq3n7C+2ucb68POGA==,type:str] + pgp: + - created_at: "2024-06-28T08:37:26Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//Qp6vK5vnqsngWsb9jQ3Yh7f4vp+eVcD/C9LRPUJLeLF+ + WfvG5NGr4WXBVZ8oovqHbJai3aCZ2RoC7RbyJv5cWLx1yPMLTWRA+qDyuXrTA9+y + hd82qm/mXxCp2+zIDso+zHJo2sJceF8WVRrgFEO7ql2pu+uTFEFVYietgYkltJFG + ncCmlqZd+YzzvcZ2Bl9N3v0bq0A5HPki/N0mjH4BeMq2wjODPG8E66we/MgMFO1g + NrBRzTZyLiMjua+SyNk5LX8g0f5WGqO/PlmtnRdbiq8lyX+pcyflaCbaOC4UNJgF + 
O9RrKs2v2T8eRLv9V23S7DP1Nvv4ckr2C/Fo/SsE9aHAFDeq9NdkB829y8NRCzsG + 6TfKZrPmUg738UlTTTzlwavl/6UeXm7Jgcl3t87Z8dphdlNU0FEOeqzWsitj9Hjb + QnWpkPiw6ThgkCEZkM1v8IU8QvmFpu22W12pCp9h0mXT0ucC1s9KEysw/8FiLEKs + B+tEla/GYEsTC99l6ztAZBInVa5CyEVtNHV/AswO40se2VmlstwjqUQAeM2c35Ke + Tuv56/pWolHipwKha/dp56b0hAoXSh7Ong/KBZrPORjoNp6tyz+SPI0MQvEHnkYB + RUiUsVzZbi6Wwsqv95A/78+ekqwNBg7riFFjM0Fe7Jlj/SUx49RqQVw3ByECCufS + XgHzi3z6okNE7gWhppeM4bIblUsxP/EAqHKVdJX3nUnO49BR6AVvovSahADl2lX3 + GiLzMLhyyoh7baLjKuUqWXWO7iZbSOD9+MFMwqy4i8o2spXYdMp0RRwru/nVwHA= + =78tC + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/keycloak/sops-secret-keycloak.yaml b/clusters/svc.dd.soeren.cloud/keycloak/sops-secret-keycloak.yaml new file mode 100644 index 0000000..a85c758 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/keycloak/sops-secret-keycloak.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + KEYCLOAK_ADMIN: ENC[AES256_GCM,data:bmbB0EkQUMw=,iv:wYQX3s0/4lPkmvPnFPapfnPSfdScs/1RxJHCfOeQWT8=,tag:N6CnhCf3b4i4cEsQtjAQQQ==,type:str] + KEYCLOAK_ADMIN_PASSWORD: ENC[AES256_GCM,data:6dJbgCtGH8YOVCWLXZpBjA6/SBdmV/wjE+TgDFKLY0MLCvrFL3BQqpuKltF4a/l/wsEsYnaXG8JwDeMUBXEQgTKgaNw=,iv:D9Y+qW6ncNOp6mx08PzTA8yTobQWDq9Wgyq5ZyoEG7A=,tag:PH/qUHqJRQCe0jQOOyGZUA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: keycloak +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:26Z" + enc: vault:v1:iR62rbLLJpOrkCWo0QaslEcSw9nTGM/9PQHWB82UxbfgwAyvmPlbmx02W2uKmYbECAdwyNRm44IFNeQB + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MndYYWhWTXhHVXdwQlNP + eHZGVHpoRjFkM05abTA4c3pCR3o2SWwrd3pZCmN2TXVGUmFsVm1xRUtqTU5ZODhT + VnZueDBkTXhGSlJnalBONnowWHAxVXMKLS0tIEVJdmVkN1gyaGNPSEV5c25QbXdN + Wnp5NFVueXE5M2RCVDVVcUtIYUxCUUkK1TE+wlx+hO8DqcN6+hTcOZZ+eHpJy+2M + PNd3ugh+FUaMj83wy6gKoodDmQG0OBCZ0MG86oYnzOtpQNCNWdIYCw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:20:58Z" + mac: ENC[AES256_GCM,data:hGkMfmDegVAHNHLbCRaB4Rdwf4w8bhY6Mbsz4iyGX05wz7YnDY9mEZzjNCVBJA1TCOY8DUWV12c/+lWQLm3azgQWeQx7HlT5sfNCYyquLAzTYwsxvxFHeqTMFvp51rUiY8kHZ7GjLvK5PTzHJPr41reCbEvRClAJU9/cWziPzR0=,iv:dij81iCZNU/FobluWidaur8hvYNVJyivQqeSZP+A6cM=,tag:jC/EZ6wI6xoTZMcmrgf2FQ==,type:str] + pgp: + - created_at: "2024-06-28T08:37:26Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//ULKhdw/O8qD+/9MBD63Etxp/pTjp+s2xKQRgZphPX6e7 + hHDouQip7o+kVF1ASsTt+yvJEBcATLEBDRAQ9m6UvpEDVY6IrNichWucG/c24MtP + IodODbPMjL4NH8e3mW41XF9F7JnZktfma0L1F94zFSMt8DtI8y3yEH79gAZKdjuU + c9tr2t4BDQEsUMOcfkFBGa9oTDy6cPgz1JR5+SjL4kRs/izp81Gd9Bc4ow12jPmY + 
Z1OYMJxIksdVkC0qer205SAxfo0v0HoijwR/mx0RDC7yEVKl4IzqXG+ES8VI7x3K + v6Z4vZ4Uht5ms4kvxohPewAbsHlYo2CImUfRdiUeVqw7xBGSR0Lf17PpKlf6OgVj + eVbk8ort8Q20voZ+i1tuG0slk7BN/QIyhHEQEXpSH4+/bhyq0EABs68Od2AqmpB/ + PlK7H0MEun3uZ0aCBnsxuB53mI9LZCMnQqSXK0NBIBaPoamNQTBEF11VhgZWwAGM + k6F7fnRsMQlw+Gogi5jCVmLul8tuSUZVyLKf3eVvqFYkIP2fLtOh53VONnV5yN/D + jpDX4K34Z2NO4ZLBAMPRfy8kxwhEWTqNqEx2n9hTFIkP5EEz45Fn2FxbF8WKqvRf + GEUwuo18Qcy8Z7gwNHe9CjZmCTp6u0cL+a6b/VfnPKzebt6zLo++C2w7UnfknDnS + XAFRnmYa7bfgkXt808+Y7VKGWCXGWpwsDz8+ZBKwusudoE2c0O+c/h7NC6g4FVuO + 5gRZDvycyCQLFPqCsQ9wc5YzKAUVVys+biN8YnVjgqUIQm4TmW7eM/B4OT2C + =dMvb + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/keycloak/upsert-secret-keycloak-db-mariadb.sh b/clusters/svc.dd.soeren.cloud/keycloak/upsert-secret-keycloak-db-mariadb.sh new file mode 120000 index 0000000..2e88029 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/keycloak/upsert-secret-keycloak-db-mariadb.sh @@ -0,0 +1 @@ +../../../apps/keycloak/components/db-mariadb/upsert-secret-keycloak-db-mariadb.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/keycloak/upsert-secret-keycloak.sh b/clusters/svc.dd.soeren.cloud/keycloak/upsert-secret-keycloak.sh new file mode 120000 index 0000000..b3cbf6d --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/keycloak/upsert-secret-keycloak.sh @@ -0,0 +1 @@ +../../../apps/keycloak/upsert-secret-keycloak.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/linkding/kustomization.yaml b/clusters/svc.dd.soeren.cloud/linkding/kustomization.yaml new file mode 100644 index 0000000..c81bb91 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/linkding/kustomization.yaml 
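Review bot: `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` are Keycloak's bootstrap-admin variables, which as far as I know are only used to create the initial admin on an empty master realm, yet this Secret keeps the bootstrap password in etcd and in the pod environment for the lifetime of the deployment (the Deployment consuming it is not in this hunk). Treat it as one-shot: create a named admin through the console after first start, then rotate or drop the bootstrap values, and record that intent next to the upsert script, e.g. `# bootstrap admin only; rotate/remove after the first successful start`. If the image is Keycloak 26 or newer the variables have also been renamed to `KC_BOOTSTRAP_ADMIN_USERNAME`/`KC_BOOTSTRAP_ADMIN_PASSWORD`; the image tag is outside this diff.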
@@ -0,0 +1,36 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: linkding
+resources:
+ - ../../../apps/linkding
+ - namespace.yaml
+ - postgres-pv.yaml
+ - sops-secret-linkding.yaml
+ - sops-secret-oauth2-proxy.yaml
+components:
+ - ../../../apps/linkding/components/istio
+ - ../../../apps/linkding/components/oidc
+ - ../../../apps/linkding/components/postgres
+ - ../../../apps/linkding/components/postgres-pvc
+ - ../../../apps/linkding/components/restic-postgres
+configMapGenerator:
+ - name: oauth2-proxy # TODO: https://github.com/kubernetes-sigs/kustomize/issues/4402
+ literals:
+ - OAUTH2_PROXY_OIDC_ISSUER_URL=https://keycloak.svc.dd.soeren.cloud/realms/myrealm
+patches:
+ - target:
+ kind: Deployment
+ name: linkding
+ patch: |-
+ - op: add
+ path: /spec/template/spec/priorityClassName
+ value: prod-low-prio
+ - target:
+ kind: VirtualService
+ name: linkding
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - linkding.svc.dd.soeren.cloud
diff --git a/clusters/svc.dd.soeren.cloud/linkding/namespace.yaml b/clusters/svc.dd.soeren.cloud/linkding/namespace.yaml
new file mode 100644
index 0000000..a4a9259
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/linkding/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: linkding
+ labels:
+ name: linkding
diff --git a/clusters/svc.dd.soeren.cloud/linkding/postgres-pv.yaml b/clusters/svc.dd.soeren.cloud/linkding/postgres-pv.yaml
new file mode 100644
index 0000000..cc245d0
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/linkding/postgres-pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+ name: "linkding-postgres"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ capacity:
+ storage: "1Gi"
+ storageClassName: "local-storage"
+ local:
+ path: "/mnt/k8s/linkding-postgres"
+ claimRef:
+ namespace: "linkding"
+ name: "linkding-postgres"
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/hostname"
+ operator: "In"
+ values:
+ - "k8s.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/linkding/sops-secret-linkding.yaml b/clusters/svc.dd.soeren.cloud/linkding/sops-secret-linkding.yaml
new file mode 100644
index 0000000..f604b97
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/linkding/sops-secret-linkding.yaml
@@ -0,0 +1,55 @@ +apiVersion: v1 +data: + LD_SUPERUSER_NAME: ENC[AES256_GCM,data:DnUP2bMRIIg=,iv:9rVGekEafNzvZMYnWJqFfl/onrsN7tv4fTEHd2apc3M=,tag:n3UakPkjlojAVDGol4Tz9g==,type:str] + POSTGRES_PASSWORD: ENC[AES256_GCM,data:sU76Oh38w2SovdAd/yHd6xvO+/d2wKSMuITRABJxKDeMtgPdV/tqeKa6RCbawvwaOF00+7i5oMhFxa+atZl9etFtLK4=,iv:/BzyMCsFhIzp4r8uA5BTchxINvt6ldYUtExh1vTKre8=,tag:8LudUftJphiKtKOTu61PMg==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:FbcSirmz/MCN5tVT,iv:NMHxETpvgZcVhPK7rIBTEZqG7w2VVq59xCQYvTJ1Xtk=,tag:SwjN15x5wo5xYcKNUd7e3A==,type:str] + SECRET_KEY: ENC[AES256_GCM,data:VCzIwti13baHNZdEa9xVpbW0JVdr2/cRAH5WnJsvxIG0UgZage96U+IS+FO5oOX8HC6xpgQlPqial6fsVnk4KzZ89eM=,iv:WPLiDjBrJnVv0VEjwmBsYga78ON1lGoHherEbqR7oQM=,tag:jBb7QmKX4R955smslBYQ0Q==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: linkding +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:29Z" + enc: vault:v1:VJc9DT2tBNFXdk8O1ZJBwdghtHMlM7I32jPmG4swNSiWJROJmXEw20iof815A0+lE8U9/MkpsJK7kL6a + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhV3lwRDEwUEkzV0EvTVkz + cWkzREsvVjlBTzQ4MmdrbkIzdnJxbjNrajI0CnE0ZDJnTkpnRzREcVhUd2hzQ2kx + VFhBaWFSYVMvWHF6dG1xUDdPZDVXWkEKLS0tIFN2Nk8vblhybFNTQXpNU2VJRTZ1 + YmwxY2I3MHRWZVZFMFhWN3d2SjdlQm8KOHPyYMhp6Xr3Q3nOJx31T/S16Mn1BCAr + 6l9Eibgghdx43aHIMbI70HS+SZksvLdqNudORf/XVRTxhHYFDB62VQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:02Z" + mac: ENC[AES256_GCM,data:T7w08aq0DwZFHk5LBlOM7mi9MnULI+c+nAXRUt20LsHqiKpAoXu6M6pSJKMcLkGGCb7lob/vn/AZjvR/4nOjDii269xj4ocKAPTrRMKAKfJMdlAqn/qrYygjvFzWmpM7O2paIvk3bS9HihayQD1kfAD4ImC97MUm7ZC+VD8m2/0=,iv:0GZQde+i8EVHEpaXaM4cNw7TgCVrKfdeeqZAiNMcyp0=,tag:6yWS+e/fHegVHi/ECW7nLw==,type:str] + pgp: + - created_at: "2024-06-28T08:37:29Z" + enc: |- 
+ -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAkzOWvEPeGVoJbiJPJZoJZbz7fJp/s0refhab7qT41Zy0 + RQ8XZSSd9n97KU95wOI3hzDDCx/93yiX/vk5KeJRcTgJpBsuUfIHpf945+8adE51 + IhaO+65xR4awd4eu0Ax6XZ9HkR53rNXPicAS8G+vagq/L4agb5LBSNBspclDVU4J + AMpHvpNxw3YvpUM3F5v1GH2dttzQiCULr4ccbl02TXnsiPE5imn4jAAkkfV/3qSO + RjBf+/UCUZj5y1TS7WJwoKJWRRSr7YcP1AQlsisYC1Z5Lzd7FTLblEgGo0rr5CZD + W3xRfHD1aqlxOf/M+4fiu0oQxGUJhk/ku9rds6lAAbv/r9jfAdCk4RTzSiHm0BLn + Il07yi6Rn0tlOX/S02TftE/LWOSQSEfyjN8QJNYTMPOqqETcQjof1nHH7PozfK8r + zyijyXkn7u5G4rKSZVrtAkRBp8utJhDcWhstsg7Vv02uHmlcEx5dSRYoRFlj808H + IMNWAUJ3Y3gdyf2sMZSn37P9yF4wR0C2mr7OfZZqR9TWZRkW1bUuFPkpDihFuGHT + 0G2gKhi9tYFlcQHYALHCcfK22aza0B/w9yytM//RNeRpC8kxRrlf6cAPa7sMOhVz + kSZz6oObiMcXiuxy0kGSR6asa4IcJyT1KBiLoYbuP/JGDaS5xm324TMqhNrB407S + XgF/kVzLrv/tWfNbhSphYt3OXMAHRT1gAYw8V0L+0kXhq2a15cWRyXYVWzbsH7X+ + dzuoHc/H6dg3PN6lsYcOvyoj6cqr7qcRKAefSY7kfhwz7sN7vnt5fWOoOC5TUn8= + =VciY + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/linkding/sops-secret-oauth2-proxy.yaml b/clusters/svc.dd.soeren.cloud/linkding/sops-secret-oauth2-proxy.yaml new file mode 100644 index 0000000..fee2583 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/linkding/sops-secret-oauth2-proxy.yaml 
@@ -0,0 +1,56 @@ +apiVersion: v1 +data: + OAUTH2_PROXY_CLIENT_ID: ENC[AES256_GCM,data:+mnZEEvoyExyyJ0Z,iv:XZWgXtXj6lihwREuEVv8W6tx1jdJuaI7Zn8H527zohA=,tag:93q2aCew9CnF0rY9mO8VTw==,type:str] + OAUTH2_PROXY_CLIENT_SECRET: ENC[AES256_GCM,data:80eApwwGQDAlAs7Lo6D7z52bbxM1k7quCS935M3Zp82B5q0n2PSnMBldb3E=,iv:2jlYdSTvUXQkiL72a1UEcnZLaQ/pS7POOO8CWc/lPsY=,tag:koU0CeHojlnewTqnZdK2MQ==,type:str] + OAUTH2_PROXY_COOKIE_SECRET: ENC[AES256_GCM,data:5jAUwdmE6NM2pxbLDrhqciLB8G71Jxef4IIVUitQwphqGb3hkpNDmHrZSQBZ4Fl6Lqt4BdrwtFGRGZap,iv:Uys7JqLK59RCR5SPLIfvpv2Nd9++jgto/2ItURhKfms=,tag:7vojvqRt8XlyEJb/teXxKQ==,type:str] + OAUTH2_PROXY_EMAIL_DOMAINS: ENC[AES256_GCM,data:kagvjw==,iv:J1C4JCK8qjtmqgq4Yq/swuIb6tLYrDqISY/Jw691KC0=,tag:CL1kywQMM5kqYa0dMTQNNw==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: oauth2-proxy + namespace: linkding +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:30Z" + enc: vault:v1:Du661pmMmfasS3tYCu//1sKvUqlVVOovN7DFRCpyI39gAKh2lfGx1KKHVnFmRyNJxzmJWsVr4HBGum0Z + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMYmYzQ2ZNNFJUTUpoQVI4 + LzRrcFZHSC91aGIwbEtnRGI4cWFOd0xFeUcwCmJJcGZQcFI0QStZRlZhalJ4bi81 + KytISWtrcXFGT3RjSWVJRGFHUzFkMVEKLS0tIEJsbmVMZGF3RDhaaVJXQTFCUHVM + S2svTjNPcjNuN2J5ZnJKaDBYRlJBeFkKcPJ7XL1EmL2b+il45T6qbs2Tz4KdCyN1 + cjj3kMYQZXJn3cUPJB9JTLta+kjQU9FCHdQt6LfG+3gmNi7Kl1/TtA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:02Z" + mac: ENC[AES256_GCM,data:9VZRgnWnyeRpxLBN0W0r+UyMKO6n6qrQofsIUzSC92OccmtdVqaBg8bUBB6fD2n0t0ge6K2TGHd6ix7kUSjSMDR1hQSFdO00e7o6tPy2EI+fBWy5Q/gz5F2HKFLyPhqU5vnlK1pbblNPD1TN/xMm7hAXWPWVKKwi9Ih84D0uv7Y=,iv:KXmUahzAwP/b2OxMH6iC0mnW3IlikV1FaW7x3etlGsg=,tag:hqEuoiFAHDJ8y7VDezOizw==,type:str] + pgp: + - created_at: 
"2024-06-28T08:37:30Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//UMAbE7Xz+Moy3ZkmyptvJizrOdXNskodhCK9DmC7aPHi + rzXeZeLvcGa6iuGhv0fov8859E392GHlvEYTXw/rme7YUaPXOI3n6BYWUG5A89v+ + p6xy97Yl7gUVpH9vibDzaEVtCrRPc5YQK1D9SHy0dnA6yv+bPuhfDb4RxEwUfm2w + qTIsEsCpxcfc+yrYJCH/4sAwfKXFHbIc4evrAI1arzwz6NxtHROEVGwniOzaHBYi + 2IdjcjiiMFMHLj/gL5RQFhS/P/0pYheY0FgG4tBFQ/lP6H0wXn72Ht3jmwlB1+jH + zx+VOZEjG9uW0rbH9LZkXrURvyYugYinkJACAYpxPOeFqkiQVkPZa0WrYKfZZWqG + VZNcdKAy0yv0pXJs1WKYm27KRDiUCvUBQXjqz1myNDa0OnRbXx/YLCrCySFQ6SqX + mA1QXHbzR5A8rjo+JuA1zTZe38E9LhyCE4oaLdCbP6cAZgwrR1cfXYXmM2nTjhq4 + r+eDWz/ykUpVpdQVb2Sh7jkdYUg8ovTFjHc5xHLQ/uN4Fq7SiWKtgD/8KrEG1O+a + nx/Kr/7751H+AjKvD7W4LhAmnqUYEp/tlpFOjQkuxXKMkcmU17wqNpwt/9/5EItW + 4pGbs65bFE9KyrnuRvy32bU5fJ7OY6xXvqgWs9OCjdFGauwRYi5tQ2F5w+0k9IXS + XAHWN6KNXSiLflcWhh5H13lH74QoFQz+kijWvhet/mxYWPixOFxYa/MdUhKLoait + i/nV9MI6Yuupoj7B3h5i0MtHDi0fdMCBmFbuk5YIs35nNSj6apr0x14ylYy+ + =VxVe + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/linkding/upsert-secret-linkding-postgres.sh b/clusters/svc.dd.soeren.cloud/linkding/upsert-secret-linkding-postgres.sh new file mode 120000 index 0000000..857e757 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/linkding/upsert-secret-linkding-postgres.sh @@ -0,0 +1 @@ +../../../apps/linkding/components/postgres/upsert-secret-linkding-postgres.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/linkding/upsert-secret-linkding-restic-postgres.sh b/clusters/svc.dd.soeren.cloud/linkding/upsert-secret-linkding-restic-postgres.sh new file mode 120000 index 0000000..ff933b9 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/linkding/upsert-secret-linkding-restic-postgres.sh @@ -0,0 +1 @@ +../../../apps/linkding/components/restic-postgres/upsert-secret-linkding-restic-postgres.sh \ No newline at end of file 
diff --git a/clusters/svc.dd.soeren.cloud/linkding/upsert-secret-linkding.sh b/clusters/svc.dd.soeren.cloud/linkding/upsert-secret-linkding.sh
new file mode 120000
index 0000000..bc54f11
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/linkding/upsert-secret-linkding.sh
@@ -0,0 +1 @@
+../../../apps/linkding/upsert-secret-linkding.sh
\ No newline at end of file
diff --git a/clusters/svc.dd.soeren.cloud/loki/kustomization.yaml b/clusters/svc.dd.soeren.cloud/loki/kustomization.yaml
new file mode 100644
index 0000000..310e960
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/loki/kustomization.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: loki
+resources:
+ - ../../../apps/loki
+ - loki-pv.yaml
+ - namespace.yaml
+components:
+ - ../../../apps/loki/components/istio
+ - ../../../apps/loki/components/monolith
+ - ../../../apps/loki/components/pvc
+patches:
+ - target:
+ kind: VirtualService
+ name: loki
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - "loki.svc.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/loki/loki-pv.yaml b/clusters/svc.dd.soeren.cloud/loki/loki-pv.yaml
new file mode 100644
index 0000000..9612646
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/loki/loki-pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+ name: "loki"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ capacity:
+ storage: "50Gi"
+ storageClassName: "local-storage"
+ local:
+ path: "/mnt/k8s/loki"
+ claimRef:
+ namespace: "loki"
+ name: "loki"
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/hostname"
+ operator: "In"
+ values:
+ - "k8s.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/loki/namespace.yaml b/clusters/svc.dd.soeren.cloud/loki/namespace.yaml
new file mode 100644
index 0000000..efaa030
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/loki/namespace.yaml
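Review bot: The VirtualService patch publishes Loki at `loki.svc.dd.soeren.cloud`, but unlike the linkding and mealie kustomizations in this commit there is no oidc/auth component here, and Loki does no authentication of its own, so anyone who can reach the gateway can run LogQL queries over everything ingested — unless an Istio AuthorizationPolicy/RequestAuthentication in `apps/loki/components/istio` or elsewhere covers it, which is outside this hunk. Either add an auth component in front of the host or state the control next to the patch, e.g. `# loki has no auth; access is restricted by <policy/NetworkPolicy name>`, so the exposure is deliberate rather than accidental.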
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: loki
+ labels:
+ name: loki
diff --git a/clusters/svc.dd.soeren.cloud/mariadb/kustomization.yaml b/clusters/svc.dd.soeren.cloud/mariadb/kustomization.yaml
new file mode 100644
index 0000000..2c7e622
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/mariadb/kustomization.yaml
@@ -0,0 +1,66 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+namespace: "mariadb-galera"
+resources:
+ - "../../common/mariadb-cluster"
+ - "mariadb-pv.yaml"
+ - "namespace.yaml"
+configMapGenerator:
+ - name: "mariadb-galera-restic-mariadb"
+ behavior: "merge"
+ literals:
+ - RESTIC_REPOSITORY=s3:https://minio.svc.dd.soeren.cloud/mariadb-cluster-prod-dd
+ - name: "mariadb-galera"
+ behavior: "merge"
+ literals:
+ - MARIADB_GALERA_CLUSTER_ADDRESS=gcomm://dbs.dd.soeren.cloud:4567,dbs.ez.soeren.cloud:4567,dbs.pt.soeren.cloud:4567
+ - MARIADB_EXTRA_FLAGS=--require_secure_transport=1 --wsrep_node_incoming_address=192.168.65.250 --wsrep_sst_receive_address=192.168.65.250 --wsrep_node_address=192.168.65.250 --wsrep_provider_options=socket.ssl=yes;socket.ssl_ca=/tls/wsrep-ca.crt;socket.ssl_cert=/tls/wsrep-tls.crt;socket.ssl_key=/tls/wsrep-tls.key;ist.recv_addr=mariadb.svc.dd.soeren.cloud:4568;ist.recv_bind=0.0.0.0:4568;
+patches:
+ - target:
+ kind: "Deployment"
+ name: "mysqld-exporter"
+ patch: |-
+ - op: "add"
+ path: "/spec/template/spec/containers/0/args/-"
+ value: "--mysqld.username=exporter"
+ - op: "add"
+ path: "/spec/template/spec/containers/0/args/-"
+ value: "--tls.insecure-skip-verify"
+ - target:
+ kind: "VirtualService"
+ name: "mariadb"
+ patch: |-
+ - op: "replace"
+ path: "/spec/hosts"
+ value:
+ - "mariadb.svc.dd.soeren.cloud"
+ - target:
+ kind: "Certificate"
+ name: "mariadb"
+ patch: |-
+ - op: "replace"
+ path: "/spec/commonName"
+ value: "mariadb.svc.dd.soeren.cloud"
+ - op: "replace"
+ path: "/spec/dnsNames"
+ value:
+ - "mariadb.svc.dd.soeren.cloud"
+ - target:
+ kind: "Certificate"
+ name: "mariadb-wsrep"
+ patch: |-
+ - op: "replace"
+ path: "/spec/commonName"
+ value: "mariadb.svc.dd.soeren.cloud"
+ - op: "replace"
+ path: "/spec/dnsNames"
+ value:
+ - "mariadb.svc.soeren.cloud"
+ - target:
+ kind: "Issuer"
+ name: "vault-issuer"
+ patch: |-
+ - op: "replace"
+ path: "/spec/vault/auth/kubernetes/mountPath"
+ value: "/v1/auth/svc.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/mariadb/mariadb-pv.yaml b/clusters/svc.dd.soeren.cloud/mariadb/mariadb-pv.yaml
new file mode 100644
index 0000000..b5ae29a
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/mariadb/mariadb-pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+ name: "mariadb"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ capacity:
+ storage: "50Gi"
+ storageClassName: "local-storage"
+ local:
+ path: "/mnt/k8s/mariadb"
+ claimRef:
+ namespace: "mariadb"
+ name: "mariadb"
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/hostname"
+ operator: "In"
+ values:
+ - "k8s.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/mariadb/namespace.yaml b/clusters/svc.dd.soeren.cloud/mariadb/namespace.yaml
new file mode 100644
index 0000000..23f38e9
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/mariadb/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: mariadb-galera
+ labels:
+ name: mariadb-galera
diff --git a/clusters/svc.dd.soeren.cloud/mariadb/sops-secret-mariadb-galera-restic-mariadb.yaml b/clusters/svc.dd.soeren.cloud/mariadb/sops-secret-mariadb-galera-restic-mariadb.yaml
new file mode 100644
index 0000000..c5017c4
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/mariadb/sops-secret-mariadb-galera-restic-mariadb.yaml
@@ -0,0 +1,57 @@ +apiVersion: v1 +data: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:MdqgxmtTITfvr4/g1zI8MQ==,iv:kZFCpGdaE/sgJppASHFTe4bFNNo48PzCO3X/ZZ/7xeg=,tag:QUYoG/+/e0QKYuXpUHkxkg==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:ybKSlRGmKA34WbdDq667rQ==,iv:Y7sd4eNSUbjLYMbS2MhjbCkK4X2wO9bsGh+3Hhl7NJc=,tag:77F7OFtKEC9AQGCY3/xXgg==,type:str] + MARIADB_PASSWORD: ENC[AES256_GCM,data:9LvS02042+BtCjucfk3B/ey4bgM5PvkanUrj05njtRFq2j8lCSeE988778w=,iv:AXy7HrgrHAqyV273tXkCHB7eekgI0Lh87DUuxq4zgdE=,tag:Vw3FjPPWwZSzPLfVKFtyQw==,type:str] + MARIADB_USER: ENC[AES256_GCM,data:T7HqMGFYeA0=,iv:5wsc8mTK25KFFzJSGS/sfrqZDrKoxdp1juocw6JsEII=,tag:ggXGFv9biZjg3w2fXihPEg==,type:str] + RESTIC_BACKUP_ID: ENC[AES256_GCM,data:dueJz3gCHxox+YNdyApv0w==,iv:0coPiU3XDvuLpuTTQus+CRJm7LIMSMWeVtBRajBcOyY=,tag:xD1aT2lFnc50IKIgNcKrsQ==,type:str] + RESTIC_PASSWORD: ENC[AES256_GCM,data:Nbr6KOTCSvd3ZXWm2Xd73+SyM9o=,iv:9pSdY9A7B0ShSRq96/aAgce0xXbkxx3gVyrrGowPY4k=,tag:svsIzOggoA0pT20U8uIpQg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: mariadb-galera-restic-mariadb +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:07Z" + enc: vault:v1:xgmgfpG/u5zu9lQjM3pnJPoaZ0q9ZGwI+hCrWdZEaifhVUJ+MZwX1DDsJKaW3F3zyBF6Bb6dDrRlrWkb + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCcmNlSTBtWXVIcWFZU0xL + OWREMGpCeVBVdWhhOWxRZjhXRFlhTUUyaHg0CjFIa3hlSFhPOTM2dWViTkptN1Fq + UmpMZDhNRnlZeEkzL3RZbkpPT2phVW8KLS0tIGpUN2NvbWp1OXhjTERYMk01bVJU + WjVCNml1R0c1aWN4alZOY01MVUxZbUEKi3HlmT9Pa7SG+ZvnGuZYkPyIPn4A/bSI + McbPI9ICU/GiEmsHRyaIta9+NWn1eCWAlCRxqHD2tI/QEm53KFOYoQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:42Z" + mac: 
ENC[AES256_GCM,data:OAKH4kqUHzXKqwVGWMs3ZOTMcTBQMnPmdMH8T66m8uOyLHCAsnyXTxZScAQQFk/h8Ad+5hexhKP9xtHdggT7NciS+bHG+DaKU2GFnpokBmaVl9NnVqSsjqZ4j67yHJyKHojnC6YtF3OaDhBkxlv3vP2SgLxPqdAVyh5kYKI+t4c=,iv:SkEChps7W7zZMFAMO/WMtZQgnLtQjjDUbdM0xWVE0Qg=,tag:ILoM5r+VesS4hy03RWxgBA==,type:str] + pgp: + - created_at: "2024-06-28T08:37:07Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/+LXPSAK2CU7slUIZYQMo0HITjjKq5TXf+3uj2OYzIYbVL + 16b5DKownJfiK4zBd1NCIpFdvCB/S13WqLh5fdBS1wwVmJORWCR+a0e4t9Wmx3/P + U7U4MEOJtDOpnENxIXEURZy1MQVXSkNKnsV0Q3qvGOpdCsChVgQ+XliCiM75cKVd + nMyUhSXIclC+mJ3u+DYf3F8deL0uqSjnCMbTWMk82CGp54/ww8ENgDDT7Lqt2CSv + 2GbOkjr4UwVfaZTIa+03qbY9Py+AlM72CxMxp9fBS9GCvZ91X8sjJgfLhxVpetpI + HkATYsb1S2Iwv5jk44qJ/lUD7v30ftB4iDJJ3d4S5mgnTIiUJvMdw0lkeuFxsByG + fRH5JfsgTz9XwX3msacOL7EJP2zf9CA/qrlh2MwKd38g8GUY9SmikefdbEmV7ygH + 1ztHocMsgUkuysekPlQQBpmr/5kWc99HRYdIAY6GIqDaJY9BLiPZUM//ry2S/irU + 0UdohXG10YY/SpbdPvm7nqm2U+Cp5NEgPboSMemLxRIzjsiN91eVmjOzq26+vPlC + HTjvnKSK96RbgYajWEfkY2wkiN5IM9b1Sbndhk7gqa5hYvgLgO44TZEONk29BBwV + raHGqGoj5vmBDaX3KTxdeetgQWa3skYAOAuSX29LuOX8n7ZjtGoms4O54Ad/jyvS + XAFpHd3Q1UJEVeEBakQXHCWI948BvmjC233uK5Rg7gsmoav88dKDusXNcYK6oWc7 + XheZeCOu9wVcA0CAKYEgrjiXhB0FXXuYYkL0v0CDJKrEKfRxC6YBCwQ2HOKE + =/lsT + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/mariadb/sops-secret-mariadb-galera.yaml b/clusters/svc.dd.soeren.cloud/mariadb/sops-secret-mariadb-galera.yaml new file mode 100644 index 0000000..138cbb2 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mariadb/sops-secret-mariadb-galera.yaml 
@@ -0,0 +1,55 @@ +apiVersion: v1 +data: + MARIADB_GALERA_MARIABACKUP_PASSWORD: ENC[AES256_GCM,data:CYanWargflJX5nEt,iv:OroudSJ53gguMDu+wM40eND26ilD4inEOTRWBH6/YnY=,tag:Ed5cYvuMzmGTck8hgsbqcg==,type:str] + MARIADB_GALERA_MARIABACKUP_USER: ENC[AES256_GCM,data:6LER1/SIqUs=,iv:YRUA+rpHEuJU3rlpsHsW2mVU7lKtF8H7dyM5NqydhHo=,tag:nasaurSYsZjenPtg9Jc05g==,type:str] + MARIADB_REPLICATION_PASSWORD: ENC[AES256_GCM,data:g++sstYP5tgcBr0JEaOOlw==,iv:mmQqf1tkzyaECwmMaQ64JHzzveRgnutWXNOw/1UnAHM=,tag:Ckrs58A2D0qhnQjzryx9EQ==,type:str] + MARIADB_REPLICATION_USER: ENC[AES256_GCM,data:QptpNVc2m8APEUi2EV3gbw==,iv:laHc5uOWUyl/49/7DUuByoreu8FT+QrSuY/r5Nraehk=,tag:IptjeoYTxJAOdA1y1iP/2w==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: mariadb-galera +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:06Z" + enc: vault:v1:WXv6m+1x3snDRwuaGJQhMX9e/gQVzaME48LPzr9zxUHG/Mo5z1/HuwdCo+6vjr5bkDP8EwO/XALS0mdl + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaOWVXS21QWWw4ZE1idDFY + a05DVmQzWmZ2c3lVeFFzZnluT016R0wrRW5FCmE5dG1SQXlBdzBVRnZhMDViTlRJ + clArbHk2WFp3NkhhZjF3S3hIR2ZhblkKLS0tIFFaWm1LaWFpNjZyZjNVWWtYOFkz + bFdxcEtVMEVRNVVMSlVhWldkcXRxV1EKljD2/egM9BlMu1uT9VJEBgpbsEtdUOd8 + Ecv4xs8fOGplQfNt98xyT48z0fKoro+7SHMHeZtHUHEPh2gz9a3uPg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:41Z" + mac: ENC[AES256_GCM,data:EU3YRJqvuUaFaU4HhuyUqHC60MSRAUQ0jMyEKR/ZHJRfvqgg5/dqwyajZ3qWA9Sj9eVlUSPO9QFRc/l87LIqV1E5ekHZzCu9SAd9i8iRqK1q2ZU8bnhyeEa7X9HdGe3qNgWE5FB/ILjnU0dnMaXgkoryVWJ3wf+FYYHTnqPAENc=,iv:O+SxkbTD68JrXNQOm+seiOlcdcfYXm7tmKZU4YaCeq0=,tag:SP9hKxg4lCPIef0DfK44Wg==,type:str] + pgp: + - created_at: "2024-06-28T08:37:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMA+/EGAve9YBkAQ//dNZ3F/nNy0pzUuaP0NdNxz5txL1OWWDgSqw+NSp4mJE7 + J6/2ipJ9gI7r5mn4xAHA3o5vb/xKEbkkDS7rrD9Q/QduQFxc+f+pJxLIj5pbktiE + y+CHoGO6/tTGHry9AYIkpM8OmIYg6qQH5mh5hKk54e+lmlJd6yGuHluOGFhmdmCp + 9ewNJ6PKacYT22glgVVpil64oFsNedA/+qDdgB6JN1VFJ0vxF2dmtGkvdLctYxVE + Kv+q8P2J63aYqwCW6cjZ1pzZylbCtZR2ciLoBQv3InJy4fsnL6gIzilSOuoQJAKs + 3uOMhN/SXvn4VY9V8R7kAN8Ze0gt6AaWjX5pQcrciU/3Su45cLLafQ5k/KV+9Jq4 + KtByz66JcqIx9qsdDl9Bmt2grwTq4hE8SAUlfL2KKzVBOCfstHFHYvYT68/+jA1g + XE6TrwVKXbBSRhM6eqoHWvNTygIZe0M0CJbICAcZoyf2nW/uUUy5q4bOeUhVo0g7 + coBcdpHMJhVtsNYLNeCXJ4xrJBfoQ43xMXfUDMXJPekLMSLN/paIikcfQ0wtRDj8 + cslmUkc/uQfb2R2NWZi/GAUkoS8TZYqQwaTlbwgf/WCn1dKZ2J8pDVVCtczoXK8I + eM8PySunqKPyTshukjg4RQhAj9Cyah0+j+v6FHcEHK1xxn7FhwMO9r/56w4sBLnS + XgELdYfGaKoFagmYcpX6pO6v8wNA/3psL570L4PVL64bXlXY0oFpSHTOS0wXTTcO + 0aT5O4j95MlhtiEQdxZnx7XDqdnyuHKWxnckJA+GBTwvVpmwMI7Qq5GjQ8241Mo= + =M77i + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/mariadb/sops-secret-mysqld-exporter.yaml b/clusters/svc.dd.soeren.cloud/mariadb/sops-secret-mysqld-exporter.yaml new file mode 100644 index 0000000..33cf9e9 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mariadb/sops-secret-mysqld-exporter.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + MYSQLD_EXPORTER_PASSWORD: ENC[AES256_GCM,data:tag0uDOfvGrrJhxFY3px5bLeQq7NC/UUtVbWIf1YrENrTRTmtUtra4CJQ1E=,iv:LgkvxiHrw/s73pj1MD6Imri4OYmqYipec0QFTvelRi8=,tag:nbGdKjSaTacDRMluB1onUg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: mysqld-exporter +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:07Z" + enc: vault:v1:rtWOrbuRCWVnjvJOiPz89YBaLvk5pJh4WSAfcFSFMiKxswmi/6j4du+eYTlyHqtRGCyOf1lVBIDtUGBn + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVDRlR1RQTFhyWktiSUZM + UjFON2RQZDd0UHByZWlKSUxSNTVwUFN3LzNrClBTNDNBMGFTemdieU43T0FucXZt + RVhkaTdWZWFsRjNmY1N5aGIxUGd5M1kKLS0tIDhPbGhiaFA4SWZ6Y1Y0QVBpaXcv + MEZ4WnpsTHN6ZmVoNEJTaisrV2R5NGcK+ZQJOKLEDGUcb49qoqQ5YClT5n4ZUNkw + aWkBikZqMUeAsaBldaKebykgqiJhIj8LARy7n+19viaU6cnNWN63pw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:41Z" + mac: ENC[AES256_GCM,data:/WU6HnXSeFbVD5Ky7TzeI6tC2sgPTnp1CLzvOrts77l8NEDG4Eig5nCT6+q9SSl4rscGHQGWqEIgmsRshRTz88mZAS9TjPOsrhCdnDp1BAovGLDyc4VBAdWeAAcouMX2dokjRvOLV39x2Mp1KiJhklUUc3S+GtIFEGORmVuV9Oc=,iv:gXjWAO2kie8zkDXSblS62HfeEy1pYIB6gDqb0qv3mbg=,tag:iu63JixX+pWW71TXiR+78Q==,type:str] + pgp: + - created_at: "2024-06-28T08:37:07Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//RBjuHGLRMtx+b70pG+Yb3r8Hfa5quGpBtE+PFvfMmhYu + aJWVQz5yVhf1vzifcuwGp0G+BgLa47HPsnxT1tBmGx++aEIlCLpB4QKTTiJjUy4H + JLrx1T1mh4iDGo73sbQALqqHcTcJarjUjl/VNSAc0i5I9SlQNWXkUrgvJ8OlHzmZ + XLIPhXnsc7M1n8OgPm+U5PcprK+oLCOg7IHBgJ53awZ+7LHIhbnCKM86zluel0yc + Y/FWJDI3dbpD9KTssegcR2g69dpneBZ1OP1AXJ50xO0H4jdmJOcMmpVqsSLOGJ2u + nwX4ZgelxfBzekUOZvB64elNZ8h5rQhmp6h2EJetjg9CSe/12QjdCGNgpQ21bz6O + YRckH5zzD9lzDVkb5/+ogNj6KAgPYHkBNbtjid8jqBNgtAQnf2AyU07ZhPrAGRag + 
X2g2+YiDTFdn8gOGKyFbhGVcudYhRi0vAvoIhBScpbHl2e112nB/nxcXE+et0LOG + uK+eqE1jGlW+36lUT7zCL4tthlFxgn1ivqLMczvqzi6o2WdOyTIseOHx6XsUFZhn + Bo/CqxpZ6dzg1xRfo3lAvpvW0cIPQdd34SWmF+IYxBdHaLD0HZILl7zEmktI9bFZ + T7DTuCermb25M8/WIa1XpAMHXyfPwdF9qB98avKO55OKJuTokOErXz+BPEFEXFXS + XAHm5+0mX6/jis6hgX9w0IqchTl6Hc0D5iC7tyLachJyVdqUem/eBmFzSrtjh2NI + cXH12PXkRVcSLfhC685VMWoJsZfWg7rMyuUUbIPOJScYCE8Na8jOHnMFZL5k + =4IPJ + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/mariadb/upsert-secret-mariadb.sh b/clusters/svc.dd.soeren.cloud/mariadb/upsert-secret-mariadb.sh new file mode 120000 index 0000000..7b41478 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mariadb/upsert-secret-mariadb.sh @@ -0,0 +1 @@ +../../common/mariadb-cluster/upsert-secret-mariadb.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/mariadb/upsert-secret-mysqld-exporter.sh b/clusters/svc.dd.soeren.cloud/mariadb/upsert-secret-mysqld-exporter.sh new file mode 120000 index 0000000..aa2a869 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mariadb/upsert-secret-mysqld-exporter.sh @@ -0,0 +1 @@ +../../common/mariadb-cluster/upsert-secret-mysqld-exporter.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/mariadb/upsert-secret-restic-mariadb.sh b/clusters/svc.dd.soeren.cloud/mariadb/upsert-secret-restic-mariadb.sh new file mode 120000 index 0000000..adba826 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mariadb/upsert-secret-restic-mariadb.sh @@ -0,0 +1 @@ +../../common/mariadb-cluster/upsert-secret-restic-mariadb.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/mealie/kustomization.yaml b/clusters/svc.dd.soeren.cloud/mealie/kustomization.yaml new file mode 100644 index 0000000..b7e792f --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mealie/kustomization.yaml 
@@ -0,0 +1,46 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mealie
+resources:
+ - ../../../apps/mealie
+ - namespace.yaml
+ - mealie-pv.yaml
+ - postgres-pv.yaml
+ - sops-secret-mealie.yaml
+ - sops-secret-mealie-postgres.yaml
+components:
+ - ../../../apps/mealie/components/mealie-pvc
+ - ../../../apps/mealie/components/oidc
+ - ../../../apps/mealie/components/istio
+ - ../../../apps/mealie/components/restic-pvc
+ - ../../../apps/mealie/components/restic-postgres
+ - ../../../apps/mealie/components/postgres
+ - ../../../apps/mealie/components/postgres-pvc
+patches:
+ - target:
+ kind: Deployment
+ name: mealie
+ patch: |-
+ - op: add
+ path: /spec/template/spec/priorityClassName
+ value: prod-low-prio
+ - target:
+ kind: VirtualService
+ name: mealie
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - mealie.svc.dd.soeren.cloud
+configMapGenerator:
+ - name: "mealie"
+ behavior: "merge"
+ literals:
+ - "BASE_URL=https://mealie.svc.dd.soeren.cloud"
+ - name: "mealie-oidc" # TODO: https://github.com/kubernetes-sigs/kustomize/issues/4402
+ literals:
+ - "OIDC_CONFIGURATION_URL=https://keycloak.svc.dd.soeren.cloud/realms/myrealm/.well-known/openid-configuration"
+ - "OIDC_USER_GROUP=mealie_user"
+ - "OIDC_ADMIN_GROUP=mealie_admin"
+ - "OIDC_PROVIDER_NAME=keycloak"
diff --git a/clusters/svc.dd.soeren.cloud/mealie/mealie-pv.yaml b/clusters/svc.dd.soeren.cloud/mealie/mealie-pv.yaml
new file mode 100644
index 0000000..c0a2f0f
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/mealie/mealie-pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+ name: "mealie"
+spec:
+ capacity:
+ storage: "5Gi"
+ accessModes:
+ - "ReadWriteOnce"
+ storageClassName: "local-storage"
+ claimRef:
+ namespace: "mealie"
+ name: "mealie"
+ local:
+ path: "/mnt/k8s/mealie/data"
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - k8s.dd.soeren.cloud
diff --git a/clusters/svc.dd.soeren.cloud/mealie/namespace.yaml b/clusters/svc.dd.soeren.cloud/mealie/namespace.yaml
new file mode 100644
index 0000000..f0a902d
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/mealie/namespace.yaml
@@ -0,0 +1,8 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: mealie
+ labels:
+ name: mealie
+ istio-injection: enabled
diff --git a/clusters/svc.dd.soeren.cloud/mealie/postgres-pv.yaml b/clusters/svc.dd.soeren.cloud/mealie/postgres-pv.yaml
new file mode 100644
index 0000000..25b22a9
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/mealie/postgres-pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+ name: "mealie-postgres"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ capacity:
+ storage: "1Gi"
+ storageClassName: "local-storage"
+ local:
+ path: "/mnt/k8s/mealie/postgres"
+ claimRef:
+ namespace: "mealie"
+ name: "mealie-postgres"
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/hostname"
+ operator: "In"
+ values:
+ - "k8s.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/mealie/sops-secret-mealie-postgres.yaml b/clusters/svc.dd.soeren.cloud/mealie/sops-secret-mealie-postgres.yaml
new file mode 100644
index 0000000..96f8d6c
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/mealie/sops-secret-mealie-postgres.yaml
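Review bot: The mealie namespace is the only one in this commit labelled `istio-injection: enabled`; the linkding, loki and mariadb-galera namespaces created alongside it carry only `name:`. Sidecar injection decides whether mesh mTLS and any AuthorizationPolicy actually apply to a workload, so the apps behind the same gateway end up with different security postures without anything in the manifests saying why (the linkding istio component may inject per-pod instead, but that is outside this diff). If the asymmetry is intentional, record it on the label, e.g. `istio-injection: enabled # mealie talks to postgres/keycloak over the mesh; others inject per-workload`; otherwise apply the label uniformly.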
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + POSTGRES_PASSWORD: ENC[AES256_GCM,data:AWUpKb+dmCoeCG5u9nV8uzKKDFCbAfQxoNi1KZjdxyI27v4zVnWiOL8anBStiC/DWLoQ9+GsDRu/sfQArr8Ls2FqGMw=,iv://erOWjkzGKFdrby0JU97M7EPnguxWyg7roXB5Yf7hU=,tag:iHxZ8HQpDNDq1c3I3Ldh6Q==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:BrPx8qZLCiU=,iv:F0tMM0MTtkhBeRFh+aDRxMeHr6+t8urOMUGUH/nUkvY=,tag:fVEUdBskkfjyioezvv04yA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: mealie-postgres +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:23Z" + enc: vault:v1:EGnYdt03mlewg4ryRXxXr6pwlWBdHQDRxfC/E17pXxg7RFzU7P+b0SRGd+CzxU5/r3gCDBPutHigF6iz + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvVWVzVnVxTW1NQ3RYUysz + ZjEveXFzbWorT3FURFBrcGU5cEd2ak9mRlZZCnNmaHZLeGRZalYyeno3ZzluWjNk + dzlOeUdUN05ua2N6TVZFZVBkb2V2ejgKLS0tIEFPRFhQQ2xraEhtSmRaUWlQeTNM + bzc2QUtxSTc1Q0ZyUEIvVUIwZC9ia0EKTaBpLs96wOn+5Qmj9v6eTb/QM9VNwp21 + yrfR0IEWWMZUx/KkMzrjP7dmOHamuEuKTQJPr2diajofqD/uI0sS7w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:32Z" + mac: ENC[AES256_GCM,data:F+ph8mrb56YGdyG52V5icW3I6lwp66wir8OmbbRrHFQO3anlLGXcRC2/4H8XjeQbQ9DjfiMo2OEzGBCiVBeNygxvBmg1fgOuZ7BVqNoPC95+976N8yESSCWGmF6I73rRkMgm4cLURqnMhYDmja9w3tyHI5o+uCujw3EQWyZ7S7s=,iv:TgcFQo883Oeu5uER5XGUAOsOG1o2gsttOppWEq9c4A8=,tag:cDvBA21+iuEkilKxgFYgWg==,type:str] + pgp: + - created_at: "2024-06-28T08:37:23Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//Utex4u3aTK2hiQ9z4AgR2Zk+rmr5BYB2XwP4GG4qD+ho + Q/K7qYYmpvE27qY6PdIVmC+qtHt/fkUOETKJ+v3LUX347N8Vqaacs+eTSb8qKVDJ + MVEEqv96qCJUWr/2e7flWiajRZY/P7bUYJNk4Z+9oRZGVZsQMCql90x9LgW/IR0/ + DVMYgjrVPU7LOMaQcJ6XXl4zhlxXje+P+hFil+Hc+JtmxHbwEWcM9W5hQuGjMGZH + 
kKFx1L+FDQnVqdeHZu3h2hUpOs3oQZ0DMxJ+Cx4bxpBNIUlW3fZoiK0xKk60KLqr + w4xf8I3slgfj0oX+N/xQadJZNlMA6iYSi7paadwvAYqOa7QStS6wRwXxwxt5VIzE + VuWWvcE8/dezockPoYADwa1COih9qCVqqyK3phC3AkC2Pv7Kpf0UQuzgzOLd0Lnu + 3+4jKvmKcBknb1JLTyaFv7XwZrB2RG62ZZx2jNWr5NpQgMlfRCWKc6ZloX8/BPvC + Bl/4Gk+GdxMvJtg4nGB+Kk173WACQlz3WNKk8e+apPa5RIAQAcQOdlADHuzhCTAP + kqJp/AYot/PLJfk70TfMqL4qlVAkOM3PnRbfQG9p7uJAcwdLIAe7u22KRQLGQ4Mw + hH2RP3+pQX6d4EnJ9CEE1ISTvFdfyEsW3gIV8+FIjIe0VpXLhJzeO+AGbNG5He3S + XgFCZFK9sYKfU+RyC8n0MX8Q42yizb2q2kghM5iBT00+EdJqSS5ngioH/souzD9E + +tC0zYmdASEbrogKkHL+sUBYcsSf9RM5RvwWCwGcFPdBvn0k330UZzgPaWGdqIU= + =qwps + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/mealie/sops-secret-mealie-restic-postgres.yaml b/clusters/svc.dd.soeren.cloud/mealie/sops-secret-mealie-restic-postgres.yaml new file mode 100644 index 0000000..c6d07f3 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mealie/sops-secret-mealie-restic-postgres.yaml 
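Review bot: Every sops-encrypted Secret in this commit lists the Vault transit key, the age recipient and the PGP key as sibling master keys with no `shamir_threshold`, so any single one of the three decrypts the data key; this applies equally to the restic-postgres, mealie, media-components-postgres, reverse-proxy-oidc, lidarr and prowlarr secret hunks that follow. That is fine if the age and PGP keys are intended as break-glass copies, but it means those offline keys carry the same blast radius as the Vault key, and the same recipient and fingerprint are reused for all of them. A short note in the repository stating where those keys are held would help, and key groups with a `shamir_threshold` would tighten this if they are not meant to decrypt alone. `encrypted_regex: ^(data|stringData)$` correctly leaves only metadata in clear.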
@@ -0,0 +1,56 @@ +apiVersion: v1 +data: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:Vtluk4Wuzk1grkgFb8uFDqo/8A1g234qxVI+FA==,iv:/MkX3AhGnlPOHekA4JFkyq+/Dj9sdbRnuECQxVGNU/4=,tag:GckNjJA0J2raZhtIdAp7mA==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:p99P6c+musjfWBSt7+bcG4xOWtn8Lij+E7ni+lQSIkLUI2DYXMdSIbYlcaNotSm0TmCFG3c13zw=,iv:Dz/qcPfGgLGA4CW+cd5yHvK9ZFsPW281yYvfYecGaDU=,tag:fmdA/15oDSAK1b2Asp1deQ==,type:str] + RESTIC_BACKUP_ID: ENC[AES256_GCM,data:WtvaQuSuIFJ/ckCrZpqNhfsOuyE=,iv:E+5CDwUSiwhelk0ERVmKDOacWKvR/9VP2deHcMbdqFA=,tag:jmlWw8nJCkYAmdpXyf8TDA==,type:str] + RESTIC_PASSWORD: ENC[AES256_GCM,data:ZeKF7gfUa+eajKFrUCrxIWe8dfSlYUmR9TicczR8PUOi9uY5GWVxroRSbSl2npNSXoVjvWak/YU4h+yMwNAjddUxWDM=,iv:5pdU8JNr0rGYIZi1ZexbqtZ6EBDoRSZzEkd1E6XPMF0=,tag:8E4YLMcom825MUy7WppqGg==,type:str] + RESTIC_REPOSITORY: ENC[AES256_GCM,data:yJdrgwW43uQdNxO+OZeyhf9qFamoDxZPeBPiAu1RdJP5IjAuZoFGHned+BDBFaoKbwZztM9vFzGEX1LszsqvcJHzA5A5lLZfRJKwUTzL4fJqEJM/Zbphjg==,iv:PNzmZKw14FMqYE3cWzkdJ5ZA1SGnPlGHuVn1XZUX6gE=,tag:PYiO0xX8vHeBYo838FYOgA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: mealie-restic-postgres +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:23Z" + enc: vault:v1:q1Uk1H1KyIv9oG8ssCiLyy3E1IktK+gYZMO5YReTQXN5M2mNDb01yJ7DftSAwSlTW16aajf21cJcnod1 + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXU2MydHRnajcram0wbkti + RVJoYlNCTlBYdm1jblo3ZE5ZNHk5OW80c1Q0CmplYUYzQlFRbGhNajJnSmVzWHl2 + ZjBHeWhIaXBmMWxhRHR5YjY4SUgvSWMKLS0tIFg3MWpjbjdCU29zbGkyVzd1TVRK + c21CTXRqT1pFUmxQeVZpL21RWncwelkKuol1vwJdleeOL7ulwyf7dG5CeZFE6VSY + HLrgcaBHqIP5/jbN76yprTqLjDDCYkic9oQtU3frm5DhH30Jj7sBHQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:32Z" + mac: 
ENC[AES256_GCM,data:PDgaiO1VPR4wWsUtUrwUYr5NiqMI9Xasj36Xc9QVGhOv8+aFJMCGaNs0W/8OiNAPm7FulwxN76YCMyp3p09OZmFiQ85iXtLwivNute+s2dXcKeSaklRvJrbZnciKIwrxLpCDLZZN8T4nlP42JnSfWz6raE+IllOkmJ0GiU6IykU=,iv:yacLVy5jhxcx4+JqbDD4Ufr2aD63PhyuN75OeIYoAAA=,tag:rnikfHwQE4po21PkWFoKSg==,type:str] + pgp: + - created_at: "2024-06-28T08:37:23Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/9ESjEnWeGMXW76DglVVRfDtv21WtcRjmQiXfmjJEfll5r + MYrRC+tWjGgXKfuHWBxR3ZTKoLx5BAaQmIQ/p+A3dhVOmxc2GURwYNNxWaydJGZv + Unpt6pNS6YT9gL62xfSrGmjg+NW3aP4Ml2xU2DF6TjyqlkN5KnYyzjngKJsnLYZS + nO6IcGCNsFhOgVaxeZSHcAcmDmj+coYp60Igej5rYkm3AxV4L1NfUtAApthI/1zw + pS+Vw6GMiBvx3Q9LpVj7zKe0t88fWwPnf63M8xG4PJe3SqJtuI1XhzzpLZYUOCPN + U48WO0hhfzSskRk1YCnJDMtODUWv1JiQ2iGvn6Z5ZXe7EHXKPvvqFHaQKbnuWvvS + AvAm0VovnbWGahI0k/kPRiqJKYuFS1HDjWkPiB6Rl0EuIU4ZadFM5di7mAD2Cj45 + 71pid1pj2PJOAY+poe4h5Gz9e1fxB/+RxL4QOFlwCOu2/O8OHEsz+KpGkbotM41G + dPCcSMKmYX1qIg32vXXKK1ZJ36UsPUjnbgOMKW0ZprjW7OSEFbrcQAKkS/swbGVe + tALFkbTBLymOE1PhvGBCiG1buvlZnHLb9y4gFHfIVg+FcbiuHh0pHX/T4G3UV7xs + s3vhPeWL4hScuusSqNALSRGh6mQlT0qd6zbC2N3zMfJfjqxILsrGMPXpCxgwLHzS + XgEw/azRk6Q7E2fXI8AmoYQeAgrAWNBhLJ3o9v0gN9lgFxqitR31DW0LEy8pMXCu + o8foALSFTPz2JPj0h1yBqSSadfrFCV7lMSOabd/e5uHCwMzSsKLQljzZfknpxI0= + =FH8E + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/mealie/sops-secret-mealie.yaml b/clusters/svc.dd.soeren.cloud/mealie/sops-secret-mealie.yaml new file mode 100644 index 0000000..b949666 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mealie/sops-secret-mealie.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + SECRET_KEY: ENC[AES256_GCM,data:4C6qCDqtTIJ277dNcAWK3bWTfccNIroA0zxMveU6I+juigRHxXCcBBRUZEdFXRk/4hE4kc0oEPwX/iuxttjz54EHChObyAKpOzyTMEHmNcJl3et55adtB6fBax6ap2Ia6Hnl+Q==,iv:eeNt+H9j4VGqJB4k3BvIPlz30gOA4VWQRl9pI4zyDu8=,tag:DBy/daCLWgAQSnUFgVhHmQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: mealie +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:24Z" + enc: vault:v1:mWPFvfEw/VrJfEAxgwNo57KHf+As9lJt3WM0/dXZtGLhvdmfR3qSO9y6wmqDlt/OR5OVcQs8bW5XUfNO + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXWEdsdFNGMVhpajBVbFRK + SGxCNFJwVmJoRDdOOGVhWTd3VmUvT3pqdzJzCkRsVklXRlBzL21YZzNBa0E1eTFM + NS9WWjlGRzBYYi9pejc2aFF6bEJjMG8KLS0tIDR0dkhBMUlXY3ptc3dXeEk5c2hr + V1VWZnVPY1RFR09YeGcva1FLeXJyaFUKXZst3TRsCZP5ZrFcS/byS3ejbfyJVQ0o + UwafaW+cLwR6qIFopAroMFkNWDqnM0JKuu5FXnjXissI/P9cAuvQtw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:33Z" + mac: ENC[AES256_GCM,data:xytLwBONu/8Ig43H/ZMCwD9xEqsmVCNF0dLzZ+XszWc1Cub8Yw6QxW2yW5m59mjD47g/ypFi67F/R9uaFi7VQ6LpEQ+Ma46H0znmcvncGx6a2o6vKFfTJOGd3MLu+L6wP0yNZRDSvWgq5qFJcDqTdVVFhwx6eM0mS7KX5q+y6F4=,iv:cHbrch8etjfDeOYWvUgQhhX+7o/LztRo384T7+fHGXI=,tag:1srwV/hHsySNrnNc02X+8w==,type:str] + pgp: + - created_at: "2024-06-28T08:37:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAksrEfvpBuVAIqB8Qz+Ye9lFIIAWc2oREFCFaEmCN8Dak + p5v5quzOI03Lbne/ngIKZjEC6cQmyAQlGm9wQP9Hcm/18/XLgJ1EGi/8z0/SoHJH + qVUrH9XJZJp0T2L5SySiaU3l5c4AJ9elyGHv0bcQZDkNWKdlTlWhWR5ogxMsFT8r + qLGIhPTWuhcOgLIVGV5vq18lRcrHtFVMNMoSqeF20XUYePJJuvNMMhbzealoOlUZ + 76iEcoHsPpW+XP2x9XUfCJaOQRcXOdQIC9Ug7e02qa8Z+Xnn81+CUle4sISVpIQ6 + v4k1zj9c1+dLzE5TYtppcvUSfpNyr+i7OhRhbcO1WSG9oYcuIF8/56WjGe33eHn0 + 
mfBrlug5vOLh8YhMPKjjGOzablRuDw9Mwoi7zN1HDJlsGMJa/bgmqTPWxLEfV1U7 + cRnFZtinCo25v0EIbGIrgfqerAAgkeVwuCI8RyJ2l+2N5HJVpGdjw5iCNzfg78yK + tpSojemMYdu7+vkl4MH3mOS3spihHCck2hQLDzRrNmmLXOyFrT3rwUxb7RqVpoO5 + kTKznsC6tIUHWm/oZg9toa+0OxsIm73nMSSWI2MHCoW8X7BCZ/UUlbis8ewvhoIy + pfEBGiVlLje1hA4HmieMxMBmZ/tZwr4f8zSBuYiRAy9DZHJk/wdnEjCtTM71VAXS + XAFv18GX0CFyrAKwjQ/II6nXbyfEKRligLNmH3NpqLxMwqbU4IjzoYfeLEfss6XR + P2PH0xS8jqKQdquK1bEIoFPKX17pGnWtzHTvyHU6VRk/uHb1fe7tdMr1X2/u + =Ox7f + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-oidc.sh b/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-oidc.sh new file mode 120000 index 0000000..5068fbd --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-oidc.sh @@ -0,0 +1 @@ +../../../apps/mealie/components/oidc/upsert-secret-mealie-oidc.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-postgres.sh b/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-postgres.sh new file mode 120000 index 0000000..2b0f377 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-postgres.sh @@ -0,0 +1 @@ +../../../apps/mealie/components/postgres/upsert-secret-mealie-postgres.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-restic-postgres.sh b/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-restic-postgres.sh new file mode 120000 index 0000000..58a8eff --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-restic-postgres.sh @@ -0,0 +1 @@ +../../../apps/mealie/components/restic-postgres/upsert-secret-mealie-restic-postgres.sh \ No newline at end of file 
diff --git a/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-restic-pvc.sh b/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-restic-pvc.sh new file mode 120000 index 0000000..de0805d --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie-restic-pvc.sh @@ -0,0 +1 @@ +../../../apps/mealie/components/restic-pvc/upsert-secret-mealie-restic-pvc.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie.sh b/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie.sh new file mode 120000 index 0000000..812ca2d --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/mealie/upsert-secret-mealie.sh @@ -0,0 +1 @@ +../../../apps/mealie/upsert-secret-mealie.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/media/jellyfin/kustomization.yaml b/clusters/svc.dd.soeren.cloud/media/jellyfin/kustomization.yaml new file mode 100644 index 0000000..6e41c60 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/jellyfin/kustomization.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: jellyfin +resources: + - ../../common/jellyfin + - pv.yaml + - sops-secret-smbcreds.yaml + - nas-media-minio-pv.yaml + - nas-media-microbin-minio-pvc.yaml +patches: + - target: + kind: Deployment + name: jellyfin + patch: |- + - op: replace + path: /spec/template/spec/volumes/2 + value: + name: media + persistentVolumeClaim: + claimName: jellyfin-nas + - target: + kind: PersistentVolumeClaim + name: jellyfin + patch: | + - op: replace + path: /spec/storageClassName + value: local-storage + - target: + kind: VirtualService + name: jellyfin + patch: | + - op: replace + path: /spec/hosts + value: + - jellyfin.svc.dd.soeren.cloud diff --git a/clusters/svc.dd.soeren.cloud/media/jellyfin/pv.yaml b/clusters/svc.dd.soeren.cloud/media/jellyfin/pv.yaml new file mode 100644 index 0000000..f1217f3 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/jellyfin/pv.yaml 
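Review bot: The jellyfin Deployment patch replaces `/spec/template/spec/volumes/2` by position, which silently targets a different volume if the base in `../../common/jellyfin` ever reorders its list; JSON patch cannot address the entry by name, so either document the expected volume next to the index or switch to a strategic-merge patch keyed on `name: media`. The resource names `nas-media-minio-pv.yaml` and `nas-media-microbin-minio-pvc.yaml` read like a paste from another app, while the patch binds `claimName: jellyfin-nas`; confirm those files actually define a PVC named `jellyfin-nas` in this namespace, since they are not in this part of the diff.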
@@ -0,0 +1,21 @@ +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: jellyfin +spec: + accessModes: + - ReadWriteOnce + capacity: + storage: 5Gi + storageClassName: local-storage + local: + path: /mnt/k8s/jellyfin + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: + - k8s.dd.soeren.cloud diff --git a/clusters/svc.dd.soeren.cloud/media/kustomization.yaml b/clusters/svc.dd.soeren.cloud/media/kustomization.yaml new file mode 100644 index 0000000..aae419b --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/kustomization.yaml 
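Review bot: This PersistentVolume has no `claimRef`, unlike `mealie-pv.yaml` and `postgres-pv.yaml` in the same commit, so any PVC in any namespace requesting `local-storage` and at most 5Gi could bind the `/mnt/k8s/jellyfin` path before the `jellyfin` claim does. Add `claimRef:` with `namespace: jellyfin` and `name: jellyfin` under `spec:` to reserve it. The reclaim policy is left at its default, which for a manually created PV is `Retain`, so deleting the claim will not remove the host directory.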
@@ -0,0 +1,89 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: media +resources: + - lidarr + - prowlarr + - radarr + - sonarr + - namespace.yaml + - nas-media-pv.yaml + - nas-media-pvc.yaml + - postgres-pv.yaml + - sops-secret-media-components-postgres.yaml + - sops-secret-media-components-reverse-proxy-oidc.yaml + - sops-secret-media-lidarr-postgres.yaml + - sops-secret-media-prowlarr-postgres.yaml + - sops-secret-media-radarr-postgres.yaml + - sops-secret-media-sonarr-postgres.yaml +components: + - ../../../apps/media/components/postgres + - ../../../apps/media/components/postgres-pvc + - ../../../apps/media/components/reverse-proxy + - ../../../apps/media/components/reverse-proxy-istio + - ../../../apps/media/components/reverse-proxy-oidc +patches: + - target: + kind: Deployment + name: lidarr + patch: |- + - op: add + path: /spec/template/spec/volumes/- + value: + name: media + persistentVolumeClaim: + claimName: media-nas + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: media + mountPath: /media + - target: + kind: Deployment + name: prowlarr + patch: |- + - op: add + path: /spec/template/spec/priorityClassName + value: prod-default-prio + - target: + kind: Deployment + name: sonarr + patch: |- + - op: add + path: /spec/template/spec/priorityClassName + value: prod-default-prio + - op: add + path: /spec/template/spec/volumes/- + value: + name: media + persistentVolumeClaim: + claimName: media-nas + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: media + mountPath: /media + - target: + kind: Deployment + name: radarr + patch: |- + - op: add + path: /spec/template/spec/volumes/- + value: + name: media + persistentVolumeClaim: + claimName: media-nas + - op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + name: media + mountPath: /media + - target: + kind: VirtualService + name: media + patch: |- + - op: replace + path: /spec/hosts + 
value: + - media.svc.dd.soeren.cloud diff --git a/clusters/svc.dd.soeren.cloud/media/lidarr/kustomization.yaml b/clusters/svc.dd.soeren.cloud/media/lidarr/kustomization.yaml new file mode 100644 index 0000000..2678fb9 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/lidarr/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../../apps/media/lidarr +components: + - ../../../../apps/media/lidarr/components/postgres + - ../../../../apps/media/lidarr/components/reverse-proxy diff --git a/clusters/svc.dd.soeren.cloud/media/lidarr/upsert-secret-media-lidarr-postgres.sh b/clusters/svc.dd.soeren.cloud/media/lidarr/upsert-secret-media-lidarr-postgres.sh new file mode 120000 index 0000000..84eba80 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/lidarr/upsert-secret-media-lidarr-postgres.sh @@ -0,0 +1 @@ +../../../../apps/media/lidarr/components/postgres/upsert-secret-media-lidarr-postgres.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/media/namespace.yaml b/clusters/svc.dd.soeren.cloud/media/namespace.yaml new file mode 100644 index 0000000..6a13a7e --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: media + labels: + name: media diff --git a/clusters/svc.dd.soeren.cloud/media/nas-media-pv.yaml b/clusters/svc.dd.soeren.cloud/media/nas-media-pv.yaml new file mode 100644 index 0000000..ecc01fa --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/nas-media-pv.yaml 
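Review bot: Only `prowlarr` and `sonarr` receive `priorityClassName: prod-default-prio` in the Deployment patches; `lidarr` and `radarr` get the volume patch but no priority class, which looks like an omission rather than intent given the four apps are otherwise treated alike. The `media` volume and volumeMount `add` operations are also copied three times verbatim; a single patch whose `target` selects those Deployments by label would remove the drift risk. Each `add` to `/spec/template/spec/containers/0/volumeMounts/-` assumes the base container already declares a `volumeMounts` list, which lies outside this diff, so a kustomize build failure there would be the first sign if it does not.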
@@ -0,0 +1,28 @@ +--- +apiVersion: "v1" +kind: "PersistentVolume" +metadata: + annotations: + pv.kubernetes.io/provisioned-by: "smb-csi.csi.k8s.io" + name: "media-nas" +spec: + capacity: + storage: "100Gi" + accessModes: + - "ReadOnlyMany" + persistentVolumeReclaimPolicy: "Retain" + storageClassName: "smb-csi" + mountOptions: + - ro + - dir_mode=0555 + - file_mode=0555 + csi: + driver: smb.csi.k8s.io + # volumeHandle format: {smb-csi-server-address}#{sub-dir-name}#{share-name} + # make sure this value is unique for every share in the cluster + volumeHandle: nas.dd.soeren.cloud/media## + volumeAttributes: + source: //nas.dd.soeren.cloud/media + nodeStageSecretRef: + name: smbcreds + namespace: media diff --git a/clusters/svc.dd.soeren.cloud/media/nas-media-pvc.yaml b/clusters/svc.dd.soeren.cloud/media/nas-media-pvc.yaml new file mode 100644 index 0000000..4d23fc1 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/nas-media-pvc.yaml @@ -0,0 +1,13 @@ +--- +kind: "PersistentVolumeClaim" +apiVersion: "v1" +metadata: + name: "media-nas" +spec: + accessModes: + - "ReadOnlyMany" + resources: + requests: + storage: "10Gi" + volumeName: "media-nas" + storageClassName: "smb-csi" diff --git a/clusters/svc.dd.soeren.cloud/media/postgres-pv.yaml b/clusters/svc.dd.soeren.cloud/media/postgres-pv.yaml new file mode 100644 index 0000000..2b89e1d --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/postgres-pv.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: "v1" +kind: "PersistentVolume" +metadata: + name: "media-postgres" +spec: + accessModes: + - "ReadWriteOnce" + capacity: + storage: "1Gi" + storageClassName: "local-storage" + local: + path: "/mnt/k8s/media-postgres" + claimRef: + namespace: "media" + name: "media-postgres" + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: "kubernetes.io/hostname" + operator: "In" + values: + - "k8s.dd.soeren.cloud" 
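Review bot: `nodeStageSecretRef` points at Secret `smbcreds` in namespace `media`, but the `media` kustomization's `resources:` in this commit contains no smbcreds sops file (the only `sops-secret-smbcreds.yaml` referenced is in the `jellyfin` kustomization, which renders into namespace `jellyfin`), so staging this volume may fail unless that Secret is created out of band. The comment above `volumeHandle` gives the format `{server}#{sub-dir}#{share}`, yet the value `nas.dd.soeren.cloud/media##` puts the share in the server field and leaves the other two empty; either update the comment or use something like `nas.dd.soeren.cloud##media` so the two agree. `ReadOnlyMany` together with `ro`, `dir_mode=0555` and `file_mode=0555` is the right shape for a shared library mount.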
diff --git a/clusters/svc.dd.soeren.cloud/media/prowlarr/kustomization.yaml b/clusters/svc.dd.soeren.cloud/media/prowlarr/kustomization.yaml new file mode 100644 index 0000000..4663333 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/prowlarr/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../../apps/media/prowlarr +components: + - ../../../../apps/media/prowlarr/components/postgres + - ../../../../apps/media/prowlarr/components/reverse-proxy diff --git a/clusters/svc.dd.soeren.cloud/media/prowlarr/upsert-secret-media-prowlarr-postgres.sh b/clusters/svc.dd.soeren.cloud/media/prowlarr/upsert-secret-media-prowlarr-postgres.sh new file mode 120000 index 0000000..0c5d857 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/prowlarr/upsert-secret-media-prowlarr-postgres.sh @@ -0,0 +1 @@ +../../../../apps/media/prowlarr/components/postgres/upsert-secret-media-prowlarr-postgres.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/media/radarr/kustomization.yaml b/clusters/svc.dd.soeren.cloud/media/radarr/kustomization.yaml new file mode 100644 index 0000000..0cc63b3 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/radarr/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../../apps/media/radarr +components: + - ../../../../apps/media/radarr/components/postgres + - ../../../../apps/media/radarr/components/reverse-proxy diff --git a/clusters/svc.dd.soeren.cloud/media/radarr/upsert-secret-media-radarr-postgres.sh b/clusters/svc.dd.soeren.cloud/media/radarr/upsert-secret-media-radarr-postgres.sh new file mode 120000 index 0000000..d1b2291 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/radarr/upsert-secret-media-radarr-postgres.sh @@ -0,0 +1 @@ +../../../../apps/media/radarr/components/postgres/upsert-secret-media-radarr-postgres.sh \ No newline at end of file 
diff --git a/clusters/svc.dd.soeren.cloud/media/sonarr/kustomization.yaml b/clusters/svc.dd.soeren.cloud/media/sonarr/kustomization.yaml new file mode 100644 index 0000000..95ba552 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/sonarr/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../../apps/media/sonarr +components: + - ../../../../apps/media/sonarr/components/postgres + - ../../../../apps/media/sonarr/components/reverse-proxy diff --git a/clusters/svc.dd.soeren.cloud/media/sonarr/upsert-secret-media-sonarr-postgres.sh b/clusters/svc.dd.soeren.cloud/media/sonarr/upsert-secret-media-sonarr-postgres.sh new file mode 120000 index 0000000..89f36fc --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/sonarr/upsert-secret-media-sonarr-postgres.sh @@ -0,0 +1 @@ +../../../../apps/media/sonarr/components/postgres/upsert-secret-media-sonarr-postgres.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/media/sops-secret-media-components-postgres.yaml b/clusters/svc.dd.soeren.cloud/media/sops-secret-media-components-postgres.yaml new file mode 100644 index 0000000..edc685d --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/sops-secret-media-components-postgres.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + POSTGRES_PASSWORD: ENC[AES256_GCM,data:aPR9K1M0iMsH5lhcSar7AkefYlem2KHH9EwgeNOCqCB1lNJLvYAvRg==,iv:ZcHDxuSZNRFpptwaevvMYY1hjTfs7MWlrj6C8GAMjkA=,tag:1mvxHCIpLJgNL5WzABlgzg==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:nf2mc6NxYtLjsjZ5,iv:M1ojpcHY95/vz/zKkuIMTGJDav6znRVPt2TZYoLL8HQ=,tag:siKfqxDFgeAHRm4ZUKC+Wg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: media-components-postgres +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:32Z" + enc: vault:v1:CylZ1932hGmR1VlaBqlt9GHC9LQ7/sn8k8m9ZPIAZBBFl3VTEeZwXrxq9mVfjimeIIWLswqlAGYYY43P + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRmhDRkhuT0s2c2dxWXIy + dWUrM1FYUE9QWGExYmJDTXh3M3l5NnlpTndVCkNXSURYSCtoUWdBUlhCMkFQZm5j + ek9LaWJqSDFBMDI0Q29JQlo3QWFUQmcKLS0tIGZSMU1JNTRkMHlnQ2R5ekhHck9K + UlhjOFcxUUZoOTRXbGVRQTRlQmZoWm8KASYV7czlNitxg1Vf3snu0IDfQU0D0kaA + v4XYXW1h1FoimRX9mt7/D9cXOR427Jr3CiNW4PygBYofLKr7UglA0A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:04Z" + mac: ENC[AES256_GCM,data:kWRldR1XGANKw1a6GY9WUYwIDgnj2XfWhfph47yBUmwsON4ie8f2B9NyJZbMbgNin1VATy2IqOR009c3oAHqb8geQTIde2o+uDFkd0I1PyX879oTZmWgkusAx8WkWP/Iw/fMSDXGdmBQsXhmqJQd+6Yd/i3Uw21fszK0HDTVoy8=,iv:GViieV6OozIL8EiHGFsoC2kukXke/afqkgPFN3G18aE=,tag:AToSFNlFqbP3pG64T1BzmA==,type:str] + pgp: + - created_at: "2024-06-28T08:37:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//Q50KH7Qmb9ELq1/d/yMzyVdkg8l3lj0pjrfjtFzubWBZ + d2O08qFUZT3wGMLEKQzeM5ay9bHBMyBskTpuVq3d49IouuTipdUKfD6vfogpUtj+ + giTXNAf3FugZm4bo0oljp0olBrTxlukKw98wnFgbYziJmF8+Ugz9KevovV69KSno + uo1tRAgdQnDwnHZFOxkwlgZuCFAwSgzUFL4Er4TZrB/ymL9vSSPPyB/aeUbv81VI + lA+fd8GHCvJvQrHvlBcp5fUgKuisRKWK0MCsMITYKFpknJFvvo+hvKapaiP+6Din + 
V0bO4uVnaXTmen70VKbW167TEawm6eZET4RneN8e3cCjhjE83HoU0QFB2/m+lTTI + Nkp67pwwXRG8sSJ0DarbvicdNdcR4QSE0ynp+fjBogPDhW62e/IJ/RzbY7lP8L1p + KAsxWcSQEfo8omX+uT9VeKZiDnz8Tpwl6Hdgy3+z7suYbSm9+3N/OB/Fse2f4hX0 + YNlo2wVeK9tstsRvftOnHrLVpbqNR8xPVgXHCRAtKhJegh4v6sTXAJ+4lc+c21Tl + 4vL45UjsREoCXCwYD5pYWhRxdGfD84kEHuvaKq+qZxvQSkvxPov42wkgdIOD3rKf + uaeHt92mw3RuR7C4geE82PIkXQDcWdgqcMszyvCNEDHF3KFnoat507o5CGSANFDS + XAEWVazMgck38E5G7fWpvGnibt31eOMsQyuJwoXCeqoqWvzhDdeMM0V8m0IpsAtS + c0xmqU+1O8TtengtNB1JHUqrt1GIsG2OFAHpPGHtoXp4/t+ZvICiOoVhu+ta + =nMDM + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/media/sops-secret-media-components-reverse-proxy-oidc.yaml b/clusters/svc.dd.soeren.cloud/media/sops-secret-media-components-reverse-proxy-oidc.yaml new file mode 100644 index 0000000..1f67ff2 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/sops-secret-media-components-reverse-proxy-oidc.yaml 
@@ -0,0 +1,55 @@ +apiVersion: v1 +data: + OAUTH2_PROXY_CLIENT_ID: ENC[AES256_GCM,data:VnLZS36sE6g=,iv:zHDrY02PijH8yBYj0cyk7TWnQs4/eA1fhafUxEVggUA=,tag:nxzUMK3s8gAQZngIZp8aQg==,type:str] + OAUTH2_PROXY_CLIENT_SECRET: ENC[AES256_GCM,data:zkV7gwgC6mkceK0F2HKKE0oe5BVO58SwWKMyO0IvqsXCT5L9wAnwIQy1y5s=,iv:HKR40HRfnuiuLZfRpTAE/RISfg6NSJFt7swCvKsrByQ=,tag:8HdMWKCRMGW0h3hehRkPdw==,type:str] + OAUTH2_PROXY_COOKIE_SECRET: ENC[AES256_GCM,data:Id4sgBsDCjHJ6N4EwZhPhoAdp4FQc/8kO0HKARfdlXNhaxFLbwBRP8BvG0awxLpAy8SZ3/rpPDj1lENr,iv:6D8Er1MLcYxDVJyoSTngGOmK0+CcuN1FHYPQ3GGfxP0=,tag:2YALjL1c/rRUlUDNPJxT1Q==,type:str] + OAUTH2_PROXY_EMAIL_DOMAINS: ENC[AES256_GCM,data:+rmKVA==,iv:6mEodJ3vaIdCSZ6/spmjk+Phbk4+wWwgq398Bw2Ce6s=,tag:uSfYNA+a98Rr1h983hzI+g==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: media-components-reverse-proxy-oidc +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:31Z" + enc: vault:v1:syeMEDoJWX6Txuu1kaLW7x83f4i1SQEfWUEiFDqo3dMdSXJx1yLvgLztExiWOi5bnSK88MtkBys8c1eT + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBialF5cGJIUmhRcktVbVFQ + S21NdFJyNkl1Z1ZpYmNZQUVMSisxdHUreldrCkdlWGhoWUMxSlVpUVNaNGhLRVMw + QVFBNHpVeGxRUm1wQjY3a3BUYnAwTVUKLS0tIFhyRHhON2RzOGExV1BjcFd1bkdH + VkVnNlM1a2FMc2p6RmQ1WklLRXlWbFEK0MAgKs3dVrlGLozWpry+q0sfCZBRu9Up + 7KQncqTUWwwPVVuWVAOwnRTwo/fAeG+7FshZS4T5BziI0xisNulUrw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:03Z" + mac: ENC[AES256_GCM,data:Xly6FbOAUK2JYCPlBena//TWsYciYIg1DJUjs13sUxZkDblUvCU2To+LPOkpz+gQjHK5cKDn4dZqCrJ04jRlBj7dl2qlIR8wqB9mRWdeVUPo2g5bsp2obWVlzBXTlZkxDffY4yyqoK+yq1AjpljlsKQig9yoATjN/mS8P/fFgoo=,iv:bD/p7yHREpSKy9NdrM0d/lf46E6EshtON5zt6Qk6ti8=,tag:zK/f4TL6xX/ksGFtL5JU6Q==,type:str] + pgp: + - created_at: 
"2024-06-28T08:37:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//bjj6tMZIIKD8PRqysTbBy19fUzaG9fTUBZvLJLePKXDk + ltsGswnO6ks07tjuIXaiWUgRGPwzJuIK7ZOaUlSptpSYTGzw54/s1xKH1Y+1Ej/S + wh8jEG9py1J9W1Kg7hRFJTcTcodxHgdgpyGzetGYNp/PSIEZK9HqKboPY07LwMv4 + G/1EHiFK9xoeTjbc52tmUAG9S8sXknyt7rYT1bFmzNgOzQlsB0hIYtbzwr4knHgS + k6HljeHHXDeT28zlCAq6dO5bHBiqgPu7j68Pwojr5LwQP/G/CV3L9NwG95Nt04E5 + UJfBTvdVug9vwEusDHuVud8zLOZgN82plcMbltYfMyMA7MXDdpvYOAQWuF1g/VgA + rhQZGHKhYNUfnWPgE3CzTKjcl0yvrF4DST5j+6WF9C8MjRkBUxyxc/a60HB/iqpt + RmEDJjKyVa5Pbw2+ZZHqggDa/WdPxNzS0Yy4nGd7ryfjEhklymn1SZ0ZI5oWTFHD + FqkDO6phHfcTRnnZnMUJX1VG8JMwsbCcOlWFcjxH+oO/WmUf6zIMW8JyRuhHt/P0 + poZ7dBztlOWzPBVe3PNk9vd5XfopBjUuFMq1pPxBHa+BAEmLwi4iqgL1ImF4621Z + NgTyT6r9kSELgcl47yfDeILg/I0tnxoBnMBaJwQWB04lQcRtaJLenhR62MouspnS + XAHX1Ux/TOKVUj081sAr9lhXyMZXjoj4Tl2sG5kH3pr8uNrQa7ac5rqKiTlbrj/j + HKWir9+91hPCs3rVEVLB0lg8VRUMYiT9zzq2cVBgDeSj7VrYFS4uP/RMKazz + =zuhv + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/media/sops-secret-media-lidarr-postgres.yaml b/clusters/svc.dd.soeren.cloud/media/sops-secret-media-lidarr-postgres.yaml new file mode 100644 index 0000000..90c3f70 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/sops-secret-media-lidarr-postgres.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + POSTGRES_PASSWORD: ENC[AES256_GCM,data:vsduf7X5r1T/u8R5SHhutUsH+YriTFDggYpbzKobx6u7CAUvcrHQxw==,iv:xJWxOgI1cnNzigr0DdfS9cDlw0jYRySDDylh4lOXMiA=,tag:ut5DfuayX6vQa8Zlmx3o/w==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:0ybYih+Cue0=,iv:GSbfiIObiQd0f0+eWUj8grRh9B2iuKreXIpe4ngeruQ=,tag:r8dFkzx+23xNsK6+TbhkWA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: media-lidarr-postgres +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:33Z" + enc: vault:v1:xBS6Zbafen44Bhip9IUbmOIbAss7bPlWr3MjMZ10AYwjjhdxXFYtttCTXncOVVOkNkXG96+nT7kmb+zX + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRFdWNWUyNk1LeUhtOE5F + aXhzNDRUc21aQjZXMXVJdWl3a1BMdkdqR3hvCmJ2SEpLb1pFTHE0ak1sU1NaQUtQ + TVdUNWh3OEd4ZXhIRStZMU5nbXdKUTAKLS0tIGVOT2x6Y09MV1BkdjFCV3EzMW4w + QzhTeG1aVk40YWd5VEFsTVFKYStzY1UKWG3PVRkSSZEdXn7vofa0OiwSxLMbvknj + GVbMhEGICdumTmnfYfVE7yR+p6x4A9GZdkjZZ8CMPQObY4mx1jbwrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:05Z" + mac: ENC[AES256_GCM,data:mmw+cF8v37IfHAyB/DGQc13jj42Y/cu/YarvSIde1+tJJGXKfGvCb9XCunc95xH510tDHONsnIggWrjUwuyis51gZ19JW31snBCUJaXjz740ux7HzE48JUErkz82eKEb1ZJbc6lx12VVWH2my3sBKP+7KSiEYkK25eP+cvMACTM=,iv:e4TBzmwY4XMfFV0egENd+QOkmnQNE3/ac+6AH9EkJNI=,tag:e6rHAurVWSm69L/aGDt53g==,type:str] + pgp: + - created_at: "2024-06-28T08:37:33Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/7Bm+iwHLUAxJe6ZWzulwrYu7DlV17uMcOEXyy/TGpH2+E + CUNVeJi5g/TrqjipdyI27HfBHmlOo2+9G/G5wvUBCePdLOEeHWcY20IwJy72nBCp + tGFAxhKt3ueYurJa/7/qU+JajFrL6WzlZzwXRNLWhRclRLlTeenB9sQPHxD2xOIs + SXAv7fjrkEsqVk7vfiXE5y6aXj44OHoKkjQ2cmEYEmL4wOgKwYGwbFZoQbejs4n+ + SYyMOECqa2jBGM430aqV4sSZoxLj2WO8c7PbU0uPVO5HsB4sq/2MYZRBFQ9+a8uz + 
3jSfEZ9GB1nNaabTBL+f4hxfj/hi5Lejtilmf3ha1mo1b97Xyeoimv/2JLzLE0KR + K0j6dtBDm0QqWf1SFbrbsl/pWeIYXf+Mobwc+uFCbiD8mf6NpDlG/ji45Fz5gAI3 + aDhhRA7++yGT90YxXKfRPbYhE1WUyaIef/48icPC8jczn9pdw0CPhpxbslGLHORc + 05AYUjcJ0Jb+6zUHzYnZ61f2Ql09SuB0Kp39t0Gku9TWDS6UiyuJtAIoWUFZm0j5 + uitVTaU9l5KdejWx7P/nxFnZhne8TtbjwYU2h7zMERmQmo80/f1i+ZTY1l9O/HKa + p086nencSxHIHpxnw20B+SEn1AAQi7nLe8SmDiGDJGx/67DVb3pJJ/2C2+zkzMHS + XgHspi81Y5C50D6N/eUmCVXCIKZAjNmy62aV3NsDQ8UBcf/i3m8u4lBItuzj/ZIM + 4Zq4BZg4yPsbplAHudZdrYkpRscw7GXYnQiZga82Qk6D9RBeYqQ/gNYWm71s0c8= + =6edb + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/media/sops-secret-media-prowlarr-postgres.yaml b/clusters/svc.dd.soeren.cloud/media/sops-secret-media-prowlarr-postgres.yaml new file mode 100644 index 0000000..36b92b7 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/sops-secret-media-prowlarr-postgres.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + POSTGRES_PASSWORD: ENC[AES256_GCM,data:Ri9yd+fxHgOenVVewEl9X685jzHBxIwmKuPeX2PPWkqa3x8tjvOIew==,iv:BOMcDP8lkV9cMR8D6OgNn2ndB+zI+BXaBZIbhu0EHkQ=,tag:Drp+lZ2XkH7POlP2cL+yzA==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:2DzY2vU8SWc1Eud1,iv:iVj2rN20qtb14Y7S+W0jFs+1xqUYi7ujHgBlySiqPPE=,tag:0fv1sOD3aCpNsvbw3Lhx/g==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: media-prowlarr-postgres +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:31Z" + enc: vault:v1:Ogl+b7bnLSaFVWGxs+A9+MRI4ZfRhEHpBqwD77lkg0nYucp7ZFYCACjkubjAWu7i+L6vM6PnEvh0SXOi + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLY2c0ckRielFScVI2WDRn + YXVGMkt6Sm13U3lVS2JOTERHS3VXbi9EbGhVCkVsZmhwTXppUTJrS0xsVjRxYzU1 + SUwxZ0UraHNYSVRpdncxalJwNi92QWMKLS0tIDVWVXRxbjNheGVyMkxFakQ1VTY2 + YkROM0tqbi9XUG1EMTdlMTVOdXZFU1UKW5y4HxJ866/Bsd+OUcaIeRTtwhbWgqGd + MbXEp3bklwSK8/cXpUoj/bIdBmyoUSEsXZYCwdWJfCSr512MwVcVwQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:03Z" + mac: ENC[AES256_GCM,data:Wcqpx6APBEnrtWvfXirIHucT98NlOADa3ltJTtgBp/Z83kkfwGOdtCvMFyAYihM0k7mkMyBVrrMULccf9Qx11kRRadKcv4YvQPHTdQVNHtM3/d9FMEF/k16euc+APebElj+Qxo1wRn3L+I/JFSJDKS5ClBDtIj8vE7UwQSyWji0=,iv:vyuX0+SuSTLhlR/ZpVzSpW0aRLakzWRR6s/djPOjugQ=,tag:p+nITfCALs1AUAtCXfny7w==,type:str] + pgp: + - created_at: "2024-06-28T08:37:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/9HHIx9/oMksZaBrTCduEa7MaGAv1WESNNsdNDqBC+0UxS + Lpa2tByecmz3rKkw/uw4bxceqGZ/RRpS5ceChyGbr1sXCTpwZpei3W2oGqqk0cNc + Qhw0qZMlH9nxMIq3cIqh+5PqCi0/Fp5x/fb50nYZZKgnt1t2ilXYetIoQMmD8ysS + wQWv+MFpJl3Yq1/ygITXyugTNq4Gqb3g+ZMh2Lfje4FjiKjmQ8Izjixfq+JqW673 + 4H3KPN+6AfPzYJdxnGHh6cczB5D3Nl8VLR0Jx4NfJKUSrqkLD3ODVD5fE/19J91r + 
ub40dzxaMBofooszM0ysjKGrkGW7f7SfRvZOhRVHHzMi9O0FebZ3H+OmGtKnK3V8 + 7zJse37mpKIrL4gLmIwrxlDyHsbewnCHIu9XvI4FTqZ3vPpmajptl99C061lR5m3 + nljnWlH+yGeeMZXGQ63OuldpoBf74dXVIIYeqIAJIDhLheuXTsJoQ58dvOOsZI0s + El7hoAelI4WStz6PW60hyu+zqlcq/2znBBomiQpC3YTVkjuQTKlZq61l9yXVtCOW + HcMtqHQa1S38U0BR9TDsFZptbQDLAm1Ar7QVyjW+GGNIytzhmIp28qpEd2ymHqKK + uzlqEe1i3UwlmAeN3K5gKbcEMydTHjziu4v5BqNOt/nkYLQDvcNqSm83bSKaaWLS + XgGiAyRAuPAfrX5B4gT1+6zep5ALX0zVPCxqhr/Y+Ouo3sIEThvX+chhoPtGTiTA + I5WaE00yi1iVYrQPNO07dqUUwKG+Rh366Cg/0Rp4SCrg8zcDoMQcnGBu0LNhf08= + =pTlt + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/media/sops-secret-media-radarr-postgres.yaml b/clusters/svc.dd.soeren.cloud/media/sops-secret-media-radarr-postgres.yaml new file mode 100644 index 0000000..603d5e9 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/sops-secret-media-radarr-postgres.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + POSTGRES_PASSWORD: ENC[AES256_GCM,data:mxHRZmHtcSy1uAnuGiu0O/+Zp5/Cn6kqA68DjiXKqZED/jdPlN3f6Q==,iv:ffSBn0uztfHTc9C81zMm6QmoZHA1NDJnc95c9IzJC0M=,tag:f4j4MrrX6uRrNK40+aTn/A==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:EvXzIiHmCbs=,iv:7/eVj3pQBAkNYFxf6COHg28ttqP5qDKxrXXk+IGmTpM=,tag:dj2/d5b2y1a3Jr+8ms8eEw==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: media-radarr-postgres +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:33Z" + enc: vault:v1:ZfFwYKhyjC79BBLArbBFrv8rmB83snkIngVRlWiEbH8KI8Ti6e9to43KKFy1JmlOQxz2gd5cRtSnU12e + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNWoyNEZwbDdhaTlnM0Yy + cUpCSHo5MG96YjIyUjZaS2xZc1p1SmZseWlZCjYrWm1IdG1LMDZuZWhYeG1BVEtp + Zzl6NnRhcVE2d0IvczJteVNRL3QwcTQKLS0tIEE5WGlQaU9IdUtDZkRYZ2RhTkVF + aXNKUm1qQ1VsbUc0d1BjeDFya2R3TGsK/XmZTalWEVAtDzAwN5YX+J5yqgzDa0x6 + CuDKdOx4WqffAnnyc6qeBKJlRZurWlJ49K0fcJ9P0PaZdPPNUoOU3A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:05Z" + mac: ENC[AES256_GCM,data:gY04qLaFMZAetKLIwY8rFSPLAkT3RrfXZal4gX99dRBTsZuFHk9C02tAAxmWlascQKBQbZR70DtKQUIIDUbrmKAsPvXm/+V9B8Dv4tYwxA7BEparECbDElJoX/MlYRiz90579gJsKlKoqh3V/G2UASIOjQetqcZFWEdePka8NVw=,iv:CWWbKNrYzRZsgAR1Uqa8AhLz0IshG3nuCbD5L8s0E3s=,tag:cmmstWwJqCfkY5ukk7O36A==,type:str] + pgp: + - created_at: "2024-06-28T08:37:33Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAowxW/dqtrAu/ntLiv92scH8KAjBPwWCxCdTTUwJsA/cT + 6+dIE8PqGJuBNg4GudIaCbdTUS3eL2aOMBulXayzfV4Nt9oYxdFXuPrg9XcII6XB + piIKMogp5m/kxvde2XbNkqg1BPyMHZZOLku42n4Ol3YxqyJ1gvuaDDJI9suGem/Z + yafbdJpKK5LtO3WsRGK56SRoBgzjPS8lxjNe+gblR0xxFuP5IujIToKaqBqb3PvF + 6UZ5oBoUR3S2r1utIabyV72ertZL9AVhATOr2Kod1B0Zl723r5cS4kAJcbesuSos + 
EuAzVoElnZncDZxrimRhaFimLRqPcIio9Y/mC9Mhkfmc8/Gl3amqTiCQ1BL/qU9S + k1HqJ+oCjjd5IB/mIoV7V8AUv3meYDmZJfEi8fM1GpybPdYbb3AKnC6nCfqJlJv8 + bDuIEMidqzEcBqyvj8AnQLZcb13nTDv68eStJMUHlgtQ+ydqm5dEiiqaMy3JGMAp + QBe95PgC7Vvxjpfefp9h34Wpq6B7yg5KBkv3VgHnoLUQhxhyGw5ehMg+M2CPQrnR + ueeuDspcrKzAHu8K9AKIZJEKldJWPWGm7ZH9NHSrvVcrVKQW941m+/iyk4uc7JBh + o7bmYPHbTmZdT3CuDe0U5FrdDYQZ/x/Jse2bl9MB7PA59V77Q7jBh5EGeyFq3f/S + XgHsstom/n2CYN97Cfvbu8mkAH/qfpBat0pbEUdv56K/hlNtO78lDoAk9kWZBgWR + wZFluVjR4EViwI5UkscODvnSgXmC91UD1tWR9q4CiDQAuXXsDdXWrBf+wbXJqaE= + =TqiG + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/media/sops-secret-media-sonarr-postgres.yaml b/clusters/svc.dd.soeren.cloud/media/sops-secret-media-sonarr-postgres.yaml new file mode 100644 index 0000000..83254a6 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/sops-secret-media-sonarr-postgres.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + POSTGRES_PASSWORD: ENC[AES256_GCM,data:9e/FE7UgNEpi4QMP7FkdGStZWKBbG3Qx+k19KCkJd7DjHU6WalR4wg==,iv:IaK3NkxazZgOWX65G4umb+n4ALa9BMU5ewcj3yBklYI=,tag:YVFP7Ewb4iLxvrvriM7gqQ==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:LA2aAX5uHsI=,iv:JIBzEmFzt3SsrAgvW8VWfHFodLn1eNEuo1elxMC4JZU=,tag:c3K+pbeXciclh2gcBfnjDg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: media-sonarr-postgres +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:34Z" + enc: vault:v1:0SwweJ75p/qneDZ1LqslMyfqCBwIbScNWl3/smGbBlEX12Z9y8glvMTVTWl50CN8kQOyqiwrofLCvBKX + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOY1VyZERYQkZ0TmRDSk8z + Y2tJbUY1WXVvWFo0TC9meTdnT0lxdERnZDBJCm52cThOemNGeUhXR2FuUWY2ck1F + bmRaM0J1eW82SWtnTUxwVWZNYkxmNjAKLS0tIEF3OXBDSStZbUlnbTZHS1JsVWM1 + dUR3STNYZW5oK1dlVG1HTXFtV091NUkKKGWAG3F9iiyjpKlyZkKtWTuL0MbkCL3r + +DXoBekWrreYbmtCDvBCC9/o+1jOcsmnYOWCNxbXWpHmVu2uZM8pGw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:06Z" + mac: ENC[AES256_GCM,data:NHt+0nIpZo5pP9Ds0Sy+yOnMNYkLnoG6dsRm/qxQVgyVopHJUr57hlc4L7E3+THclzdpn93WqLzKul883tHnaVKOasD8OqJ3Y6VB+fkUVb4KmCt3v3EwwCSlry/RtzuE1fO1M+yUfoIeTBp/9KQU+6p3m5ufDOUDjrv3fwZJBlE=,iv:cQVUDCV9TKN88el3P/pd2jfa51Ve/PEyrQoWAaq5E7Y=,tag:pwtVx9D5EnPe5wwpwZhmAg==,type:str] + pgp: + - created_at: "2024-06-28T08:37:34Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//ewGPy5AIkrCAlY+25GJUwVJkWJEcrarcaVlT0/cA0LYo + 1btybJRMTqpKwPd/Xv0TyF/xCDxZpdkb9o6kSadQU7gqwVs6L2v9m+zf9NlKM8fi + RVPB83ZdkfEAsxdLAbFcPvOiR1Mai2+vKGKhWTPSNtTs4bKpym7xt5pdge190Lep + gd599NGpHw47ePHX/CpwTS6zai+/FwJI9Yz1ylNZJVDohjyrdun3+J/8eI8CndGP + VpUajLQhfJDpvrW21im0m45pYrJlVKbrPUrWLIYzNDwFzHjKP84TKDALvj7yS8St + 
L5APFkYMny4SBUhv+HOqWrt3TzK6G3yND0gaDpVc5cT++l8N7Brzos8wV0ws7zym + n0cfKFnUS2jgFagEbRQw16NprkM0rZyKT3wpe8WKRF+Bqa3CyW7WLNpkT3QmR4YZ + fnc+fnAcbLhvXbOUPm4XpqONZGiQgRVvQg8mJiOygU9NcAY/ythKHNbbVq0NCyj1 + bmSzVTQ7av+ybs7Zb4MEb0qEwr3Bqwl8ZMjXloRwMvE02lFJOtRhS3NUhVCYN4vV + ArmdGf4CkcFtrIZJgv2ORNDOYfP+7uHlo1cSRXKARm52NNKlkBL17Bh3FGhFN5gM + ZgTC4MWWT3C9yNSYn1PQJe1/mMsdnpw851Adi2T/YlYkktibjKcBr0glNRFQfWvS + XgH+AcQ5mzaOg6UMdQcad7Ul0jcjd+yOyFHQecXZ7vDyWQ2cxPglDdYVOwii/hpZ + djcj+DUZ3gxFQ0yNAzl6ZrYssuTBJn1yRuHgp6qdFr3Fa4t/dOjCGIP4MDb5buQ= + =dGF3 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/media/upsert-secret-media-postgres.sh b/clusters/svc.dd.soeren.cloud/media/upsert-secret-media-postgres.sh new file mode 120000 index 0000000..c48a335 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/upsert-secret-media-postgres.sh @@ -0,0 +1 @@ +../../../apps/media/components/postgres/upsert-secret-media-postgres.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/media/upsert-secret-media-reverse-proxy-oidc.sh b/clusters/svc.dd.soeren.cloud/media/upsert-secret-media-reverse-proxy-oidc.sh new file mode 120000 index 0000000..84fcefb --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/media/upsert-secret-media-reverse-proxy-oidc.sh @@ -0,0 +1 @@ +../../../apps/media/components/reverse-proxy-oidc/upsert-secret-media-reverse-proxy-oidc.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/metallb/advertisment.yaml b/clusters/svc.dd.soeren.cloud/metallb/advertisment.yaml new file mode 100644 index 0000000..af92905 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/metallb/advertisment.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: dd + namespace: metallb-system +spec: + ipAddressPools: + - dd 
diff --git a/clusters/svc.dd.soeren.cloud/metallb/kustomization.yaml b/clusters/svc.dd.soeren.cloud/metallb/kustomization.yaml new file mode 100644 index 0000000..45b6cb0 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/metallb/kustomization.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: metallb-system +resources: + - ../../../infra/metallb + - advertisment.yaml + - pool.yaml +patches: + - target: + kind: Deployment + name: controller + patch: |- + - op: add + path: /spec/template/spec/priorityClassName + value: system + - target: + kind: DaemonSet + name: speaker + patch: |- + - op: add + path: /spec/template/spec/priorityClassName + value: system diff --git a/clusters/svc.dd.soeren.cloud/metallb/pool.yaml b/clusters/svc.dd.soeren.cloud/metallb/pool.yaml new file mode 100644 index 0000000..52d1aa0 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/metallb/pool.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: dd + namespace: metallb-system +spec: + addresses: + - 192.168.65.250/32 diff --git a/clusters/svc.dd.soeren.cloud/microbin/kustomization.yaml b/clusters/svc.dd.soeren.cloud/microbin/kustomization.yaml new file mode 100644 index 0000000..869ed7f --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/microbin/kustomization.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: microbin +resources: + - namespace.yaml + - microbin-pv.yaml + - sops-secret-microbin.yaml + - ../../../apps/microbin +components: + - ../../../apps/microbin/components/istio + - ../../../apps/microbin/components/istio-proxy + - ../../../apps/microbin/components/pvc +patches: + - target: + kind: VirtualService + name: microbin + patch: |- + - op: replace + path: /spec/hosts + value: + - bin.svc.dd.soeren.cloud +configMapGenerator: + - name: microbin-config + behavior: merge + literals: + - MICROBIN_PUBLIC_PATH=https://bin.svc.dd.soeren.cloud 
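Review bot: Both JSON patches set `priorityClassName: system`, which is not one of the two built-in PriorityClasses (`system-cluster-critical`, `system-node-critical`); unless `../../../infra/metallb` or something else applied to this cluster defines a PriorityClass named `system`, the `controller` Deployment and `speaker` DaemonSet pods will be rejected at admission with "no PriorityClass with name system was found" and MetalLB will not come up, taking the `192.168.65.250` pool address with it. If such a class does exist in the base, a one-line comment above `patches:` naming where it is defined (`# PriorityClass "system" is created by infra/priorityclasses`) would save the next reader the search; if it does not, `system-cluster-critical` is the usual choice for a load-balancer controller. Consider also pinning the patch target with `namespace: metallb-system` so a same-named Deployment elsewhere is never matched.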
diff --git a/clusters/svc.dd.soeren.cloud/microbin/microbin-pv.yaml b/clusters/svc.dd.soeren.cloud/microbin/microbin-pv.yaml new file mode 100644 index 0000000..b8f58d8 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/microbin/microbin-pv.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: "v1" +kind: "PersistentVolume" +metadata: + name: "microbin" +spec: + accessModes: + - "ReadWriteOnce" + capacity: + storage: "5Gi" + volumeMode: "Filesystem" + storageClassName: "local-storage" + persistentVolumeReclaimPolicy: "Retain" + claimRef: + namespace: "microbin" + name: "microbin" + local: + path: "/mnt/k8s/microbin" + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: "kubernetes.io/hostname" + operator: "In" + values: + - "k8s.dd.soeren.cloud" diff --git a/clusters/svc.dd.soeren.cloud/microbin/namespace.yaml b/clusters/svc.dd.soeren.cloud/microbin/namespace.yaml new file mode 100644 index 0000000..bb62edb --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/microbin/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: microbin + labels: + name: microbin diff --git a/clusters/svc.dd.soeren.cloud/microbin/sops-secret-microbin.yaml b/clusters/svc.dd.soeren.cloud/microbin/sops-secret-microbin.yaml new file mode 100644 index 0000000..52fa4dc --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/microbin/sops-secret-microbin.yaml 
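Review bot: The `microbin` Namespace carries only a `name` label and no `pod-security.kubernetes.io/enforce` (or `audit`/`warn`) label, so nothing in this manifest pins a Pod Security Standard for the pods that land in it; for a single-container paste service with its own PVC, `restricted` is likely achievable. Suggest adding `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` under `metadata.labels` so violations surface without blocking, then tightening once the deployment passes. The `minio` Namespace further down in this patch has the same shape and would benefit from the same labels.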
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + MICROBIN_ADMIN_PASSWORD: ENC[AES256_GCM,data:wVVmD2b8nRLlad3hJuFGwziQqTcLeL1k7IGqOP0kd1kotrN31fSJkw==,iv:bzk2DreEcTZ52Zn2ueo1RqAXVVOi2nvOlxP2mTOMlUs=,tag:t2DStRzIk2+VYISA5g1G0w==,type:str] + MICROBIN_ADMIN_USERNAME: ENC[AES256_GCM,data:uCUreUV2abI=,iv:lXBAWMc5PrIrBmw0pQWklglpWu/htvnxK/lryVM7CBY=,tag:r1PiE5ZlJTCSzBKIG4JSRg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: microbin +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:16Z" + enc: vault:v1:a3dx0w5Io6aW97yT0f+GOIKyKjOSTrzs04lfUNNomxsljfVIo3NMBGMxOeYXgkept+N6R3QpOeTkne5b + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNnlDYmF6d1REWjlvRjhU + QndxaHBWQXp3NkVRSmlnV1VQK1pFSWpGVlZRCjVjMVNwVEJiNEdQS3FQVHRxT2Nq + Y09KeldBRXd5RXhVQ3ByWGZwTlZpdHMKLS0tIFVzbjhucVhyaUxsVnZHVXI1d0xP + SEpTenUySmFlQU1NeDJaQ29RSlhTTXMKUITa0uIAwnXYhk4+sFKEn6/9fJFE4gvF + 5AH6ojMuakLPef1VurtKscQvtFJrahe/jCIHgyYuqqD9Vp4kZgS1Mw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:51Z" + mac: ENC[AES256_GCM,data:2r/bapYSOxK2GXeR87D6WQdWgHoZGY/HSaAa324g76C2zmWgvqBcxSSeW23fhEfwW0WN5KId33aw1B5Wa+Dcuu8L1QchtnGJ8SacZ1cHptfe3WwyWcfeOZtkhEroVmTNQJoKSui/khSR7n3YJyoADfki96XcV0RIPfGBt0c37b8=,iv:K9UuJaG5gX/PPpZrGC/6O67IMLp4vb4VRviQzo3X+0k=,tag:pp9xxLuKF46rqA7nk+H0BQ==,type:str] + pgp: + - created_at: "2024-06-28T08:37:16Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAhNITiAN8lPLCu9g47yoNHmiufh8gf2xSaz0wkrw+AIw8 + n4ySUrm4jT2lEAJ8UQ+j/3FH9Hb1Yc6Av+5mQaiqFPKR3+ZOh8frK/5d3hTq5/y4 + 7UM2Whw/dwmdpFIK0dtpZp89Z2smV/7xn/wFSW2qfjmMrSMFPKX59lMkp0etO3h8 + BZgCv/lwnRMoogrNKATJK4Mi4efi4KrZaUmdST+44b/ZgvyC7/xWFDP2PEs4DL1n + +1neJ5FcHNCQbmB/Q/6vP2xmNR6sKgVZB+9NLpCL4zmxNnnGfwUlFbbaH+7Sh8zl + 
B+LNFkEpCtWzPxcXNL8fq8DPdIR0VUKQdzoWZ9fdux3ng+ihxWaWX/3NJhELWa6D + NYY/4F4u1nT/V0XabU4WymX/MzJMIpZhbhhGaV8+4A4FVUG9HjfeF5dYWmkNnlEw + 832rULuYWasUcIGVcL7vT1rDm0+hVBv//q3HHBipXlI/rQoJFcE+SFlp7UMemNx6 + CbUOq383vlUMRtes50C7H89/NgaViMG9Ey/7mVEjk5qtPdVENB4C8i4ewZXs6udt + +itbKPI1IGPOrYIbGDY+bMS5fL8XDzw2k46w3Hg3b2d+fH7sl3CZczNj236qa6oC + 3NaZH0Is0qG3hq/qrpHzocGv6eZJvxUFhBtnolCTqbSVQgP4afiQJMdEhlAc+VPS + XAFNKBE6Dt8Gxj5ov3n3KGJB815LNpkIKTa8031F34Eqc6grXmGSvIOOkLfvK8Ae + /GvwPRihdyv/yHPrSKunkqlckuzPdGYmxH39qylvGhl1ccboCUmb50gwnvcY + =vNM+ + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/microbin/upsert-secret-microbin.sh b/clusters/svc.dd.soeren.cloud/microbin/upsert-secret-microbin.sh new file mode 120000 index 0000000..9a62a6a --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/microbin/upsert-secret-microbin.sh @@ -0,0 +1 @@ +../../../apps/microbin/upsert-secret-microbin.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/minio/kustomization.yaml b/clusters/svc.dd.soeren.cloud/minio/kustomization.yaml new file mode 100644 index 0000000..8bdaa0f --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/minio/kustomization.yaml 
@@ -0,0 +1,68 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: minio +resources: + - ../../../apps/minio + - namespace.yaml + - minio-pv.yaml +components: + - ../../../apps/minio/components/istio + - ../../../apps/minio/components/pvc +configMapGenerator: + - name: minio-config + behavior: merge + literals: + - MINIO_SERVER_URL=https://minio.svc.dd.soeren.cloud + - MINIO_BROWSER_REDIRECT_URL=https://minio-console.svc.dd.soeren.cloud +patches: + - target: + kind: DestinationRule + name: minio + patch: |- + - op: replace + path: /spec/host + value: minio.svc.dd.soeren.cloud + - target: + kind: DestinationRule + name: minio-console + patch: |- + - op: replace + path: /spec/host + value: minio-console.svc.dd.soeren.cloud + - target: + kind: VirtualService + name: minio + patch: |- + - op: replace + path: /spec/hosts + value: + - minio.svc.dd.soeren.cloud + - op: replace + path: /spec/tls/0/match/0/sniHosts + value: + - minio.svc.dd.soeren.cloud + - target: + kind: VirtualService + name: minio-console + patch: |- + - op: replace + path: /spec/hosts + value: + - minio-console.svc.dd.soeren.cloud + - op: replace + path: /spec/tls/0/match/0/sniHosts + value: + - minio-console.svc.dd.soeren.cloud + - target: + kind: Certificate + name: minio + patch: |- + - op: replace + path: /spec/commonName + value: minio.svc.dd.soeren.cloud + - op: replace + path: /spec/dnsNames + value: + - minio.svc.dd.soeren.cloud + - minio-console.svc.dd.soeren.cloud diff --git a/clusters/svc.dd.soeren.cloud/minio/minio-pv.yaml b/clusters/svc.dd.soeren.cloud/minio/minio-pv.yaml new file mode 100644 index 0000000..6132cab --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/minio/minio-pv.yaml 
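Review bot: `minio.svc.dd.soeren.cloud` and `minio-console.svc.dd.soeren.cloud` are each spelled out in four separate JSON6902 patches (DestinationRule `host`, VirtualService `hosts` and `sniHosts`, Certificate `commonName`/`dnsNames`), so a future host change has to hit every one or the SNI match, the DestinationRule and the issued certificate silently drift apart. A kustomize `replacements:` block sourcing both names from the `minio-config` ConfigMap literals already declared here would keep each hostname in one place. Worth a short comment on the VirtualService patch noting that these are TLS passthrough (`/spec/tls/0/match/0/sniHosts`) routes, so the cert-manager Certificate patched below is the one MinIO itself serves and its `dnsNames` must cover both hosts.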
@@ -0,0 +1,26 @@ +--- +apiVersion: "v1" +kind: "PersistentVolume" +metadata: + name: "minio" +spec: + accessModes: + - "ReadWriteOnce" + capacity: + storage: "5Gi" + volumeMode: "Filesystem" + storageClassName: "local-storage" + persistentVolumeReclaimPolicy: "Retain" + local: + path: "/srv/k8s/minio" + claimRef: + namespace: "minio" + name: "minio" + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: "kubernetes.io/hostname" + operator: "In" + values: + - "k8s.dd.soeren.cloud" diff --git a/clusters/svc.dd.soeren.cloud/minio/namespace.yaml b/clusters/svc.dd.soeren.cloud/minio/namespace.yaml new file mode 100644 index 0000000..ff9928f --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/minio/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: minio + labels: + name: minio diff --git a/clusters/svc.dd.soeren.cloud/minio/upsert-secret-minio.sh b/clusters/svc.dd.soeren.cloud/minio/upsert-secret-minio.sh new file mode 120000 index 0000000..9dad31b --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/minio/upsert-secret-minio.sh @@ -0,0 +1 @@ +../../../apps/minio/upsert-secret-minio.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/monitoring/alertmanager/alertmanager-config-sops.yaml b/clusters/svc.dd.soeren.cloud/monitoring/alertmanager/alertmanager-config-sops.yaml new file mode 100644 index 0000000..3adae53 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/monitoring/alertmanager/alertmanager-config-sops.yaml 
@@ -0,0 +1,116 @@ +--- +global: + resolve_timeout: ENC[AES256_GCM,data:AlM=,iv:hr74lWCzsJ3epq2vaeravGF52OMtbf9AFWcx1vH4Oqo=,tag:7ANDm7MOS0yICNVZKRPGtA==,type:str] + smtp_from: ENC[AES256_GCM,data:stid++JITfnSX6yPDzYlpha4rYwTjXOR0uM03vQ4tQ==,iv:0reEi+qEIfGpvsA0ufZELNSGjemdvEtOyuQtxj+fr4w=,tag:podQcEGbE++ceT9r4R3Naw==,type:str] + smtp_smarthost: ENC[AES256_GCM,data:bwOsdb4f4qVoUxb2vMXr6BH5,iv:AiTkie82lgoSLXkCTAAlPsLLoj0qMxLczJ/FDSkqQEo=,tag:Pvx3BvOQhYE36E6Aq/jU6Q==,type:str] + smtp_auth_username: ENC[AES256_GCM,data:1dqM4MniB4Jha6DJfqKrjG09fgzklkpGfAUzmbAVOQ==,iv:mtDp34gAAUwuVXBUU6kNXAMyQLEI7V6LHtG+3XbjQ14=,tag:lB4qBI2x6UBFJ/kEQ1i09Q==,type:str] + smtp_auth_password: ENC[AES256_GCM,data:IThvwWm6PwVMyv5+5VkIxmuG6r0nDlDVdTXR0zk4,iv:2GTVEV/avNsKPxQjkTt+ktBMEERWXN0HQx5bXd6RclY=,tag:0M3anzzBleVn9RR0drmnWw==,type:str] +templates: + - ENC[AES256_GCM,data:dJ/hNjpaESDAdbIpY2lSL2X0zz8zYbzzuRpoIX7cTg/HnA==,iv:6tX3AG1nntgXorVtekQRQf5rOqRocPGnIICwIY68i/k=,tag:B7DPKnAbA7CoinMmfkJIuQ==,type:str] +receivers: + - name: ENC[AES256_GCM,data:FbwbtFYx0/g=,iv:HA0o4fSHvsG7lNryQvl2wtxzNZD8B6kp3beHld+w3O4=,tag:hJ+RYvrrHDgLossBfVUGDg==,type:str] + telegram_configs: + - api_url: ENC[AES256_GCM,data:sMDCne3xZXd7UTMeBAeEMC3yn7eMP+VQ,iv:aH+F8JGkSgzSLC/eNvdbor7lziMlmBBpPo6wP2Q0b+U=,tag:mLDb+7Kx3qwTCUSNZavilg==,type:str] + bot_token: ENC[AES256_GCM,data:+ABjyccSfFyguo5EeWTPPHdsEKYNEBxbCQx3H8BrpPTPbN+Uhzxw19Dp/f8kcQ==,iv:zEP23wjHZRjWvDN7pokx/EOMw3te//Bu391rcPwa3vg=,tag:JzrMjqywAnfyssi9GJE/VA==,type:str] + chat_id: ENC[AES256_GCM,data:9Ksh3VG1odV5,iv:JnReArGKntoYCstegPD8rO3TxNLEe1bKJ+NPss+jRBA=,tag:QDcjVea0cRuvukbF3XqUVw==,type:int] + parse_mode: ENC[AES256_GCM,data:55veZQ==,iv:7FXPKzicv97QV4Yd2odJcQpDD5gd8aVEiBJFkYYw9Rk=,tag:wQu9rdKR+M+E7GK6n6++bQ==,type:str] + send_resolved: ENC[AES256_GCM,data:/tDk1nE=,iv:BUdq/U45N74ZQRLBiydsLwrjaFjNTiUilJVpykpaAaE=,tag:KiFEu1kprF8Wuo+fl67cpg==,type:bool] + - email_configs: + - send_resolved: 
ENC[AES256_GCM,data:/inqT64=,iv:1wgC6wDyInqjk5DGEaF7ayWQtZXsentgDSc7vY+DLV8=,tag:Pp3+AONHlq7bamlj5BLOpA==,type:bool] + to: ENC[AES256_GCM,data:5JTi+QnedFUmXTYAokzvY3wcsHnkJeEViw==,iv:5T9wywh8LHQgZLuKhO0ZKGZcu7ACcrgKnq222EyliPM=,tag:eZgxgJDv3RDPFB4Z6Jj9cA==,type:str] + name: ENC[AES256_GCM,data:tLk6hCs=,iv:8HlXZVLtW6Ihr3yz56a5iGVJJNi/0Rwnq9Az/e90rhw=,tag:xbfV01yIIZIYXBH2JAYnwQ==,type:str] + - name: ENC[AES256_GCM,data:JrJaVxjsbhH6,iv:m4FFUFAKFbGR3trx/Jlejr+8JXb53xPeAsR0QNhyqJU=,tag:+gTQa5Ma78Hd4ndx4HBMIg==,type:str] + - name: ENC[AES256_GCM,data:83MqCPJY7Q==,iv:QLvnC80XDH0zDAs71sQRIAO04VAiL4PQEqguu9Vqn/4=,tag:9Re4o9v8fk5qsfr3Kp0uFg==,type:str] + webhook_configs: + - url: ENC[AES256_GCM,data:2OWfnecA/EP2Twv3d8iNLYtwF6FkF2FPMH9CQ5kZg6fv5vRQRHvwHpzyXn95KSCDteZpNY62FBMtUJybcRIq,iv:JXXzCpEd8BqMu7oBPpZ/87/VlG+gDtyQhZj25h2qkJM=,tag:wtfFYI6uNDDQ5YMrpSEn4g==,type:str] +inhibit_rules: + - source_matchers: + - ENC[AES256_GCM,data:djv9lE0Ci9sP2sIdegt7,iv:HOkRhksdZl7q++R7PXbx03eC9aVe2feHi48Ka66M9Tk=,tag:Rjjtws5n8WUd8gduOKFeEQ==,type:str] + target_matchers: + - ENC[AES256_GCM,data:g92GFXbsyOLU5WJoEg==,iv:YmCoqCdOaYEF8Up6O8S6Zp1VhChrMYwFrpE9lLNYs30=,tag:gkFbONXoScC21/tP2xGYCg==,type:str] + - source_matchers: + - ENC[AES256_GCM,data:uSJQMJCyGY2H9qBsB3TK,iv:pOgbaJOhKBDZqk2IBzE1XPe8fTejJikcdHsUS86BX1o=,tag:i3bXEmFaQ4J206rk6SLWgA==,type:str] + target_matchers: + - ENC[AES256_GCM,data:SuCYw0gVD7OURMt9KSW005ZNn8+BKk0=,iv:bdvRRvUUTqFjAe6B2kUeCdc7KoLTK9usBuxG3GRVBgQ=,tag:Ik8M8+3Ts9pwDQS2m7E8Ig==,type:str] +route: + group_by: + - ENC[AES256_GCM,data:6KnYkEjLCCCv,iv:/LynE/Vi3LWtG8PCKE8gWaoniNImROr31t8llHEzLTg=,tag:SW7aO022GSijhk0VjDfQqw==,type:str] + group_interval: ENC[AES256_GCM,data:VY0=,iv:blRjylnCm5Aqb4YengWmi+VXNCqdtfjWBicuDXVZEDM=,tag:QHvCNdGU9UA7gP1ddfM0Xw==,type:str] + group_wait: ENC[AES256_GCM,data:bfQ=,iv:pMyAN4AbP16dW6sfqhij0JD5yMPGQs9ycZdxTqOy1Ao=,tag:ksDqTYqaeNHuNa4P5OUNWw==,type:str] + receiver: 
ENC[AES256_GCM,data:OmyvC7D5pfg=,iv:ObdQGaCZ4HttsDSBfPTGptnVEy16vzPFTVdgKR3vLGw=,tag:UVmcsFIyDweTcnaoyt/9WQ==,type:str] + repeat_interval: ENC[AES256_GCM,data:q+PA,iv:MMPgm3VDLbmllnvsuY8LuJkEW5hjbBFsDCI1we2c5x4=,tag:HqEfI7SwDQvAjvKP5vV54A==,type:str] + routes: + - group_interval: ENC[AES256_GCM,data:E3c=,iv:y/rbmnXZKY2chbpMsK9yG8dQRDWz1WYqeAkDzc2KwLg=,tag:SPNTIDcGqqP0hUGHgtiuSg==,type:str] + group_wait: ENC[AES256_GCM,data:F6U=,iv:zcKJxVi4vJ0k0+b9pQPVu8IQUkCNRdgvz/yisr0GYvs=,tag:577FM2zPx9a7cPlz23rGpg==,type:str] + matchers: + - ENC[AES256_GCM,data:8ZfcXxI1t9JxgU6kmZ5LP7o=,iv:BxFlzEbv1075Iq0jOnj4zK0iFQtPv5IFFgkEL0Ik/E0=,tag:2YUGxUlKcp6xk+6H0JlCSQ==,type:str] + receiver: ENC[AES256_GCM,data:0FdPIYSHmg==,iv:RGQWLbmfFoltVOJxovG6SIz3ELmTGxd740WH4vpzynA=,tag:GkRhjNARLBgvg2lIlari+w==,type:str] + repeat_interval: ENC[AES256_GCM,data:z14=,iv:jYlQ65fo3q9lJQbZZMNsfGBSxQDQN9msdmrWtfOUHLs=,tag:5eKc7i8QzmVh+jdw10QnRw==,type:str] + - group_interval: ENC[AES256_GCM,data:pueY,iv:Ff437jePmM6reoPVRZmEbFnQPHTZj+G00mlnX+fLRDY=,tag:2wnRLV5n/Kc8i/Rku2VK5g==,type:str] + group_wait: ENC[AES256_GCM,data:/SHW,iv:QaVN9mH9dmN+MwWx6D80jvaq+QBH2qRmjo5znu7w/EA=,tag:RjzKdQ/Yip8XHal9zKwEnA==,type:str] + matchers: + - ENC[AES256_GCM,data:dSdhkQ9T2It17vm2XemDZ0OpBk0=,iv:ogT3WCi0MxfR/nkyoopnVwuOAwErpBHhKohN+UClGEE=,tag:GkQznoq+6d4TX3B6gUvh6Q==,type:str] + receiver: ENC[AES256_GCM,data:3ZdMqkc=,iv:VnGXnyNQo+/8Oif9425MsppWD2xjxcn2ppV3HxGiZF0=,tag:soKsN5v5N28oeQrrPL29Hg==,type:str] + repeat_interval: ENC[AES256_GCM,data:H/LRmw==,iv:8/7Ol9owX+jlDxQEfY1SopYmLSxN8NivuOznlAfRYBU=,tag:AYb+256XS/pFGAqrJcXWow==,type:str] + - continue: ENC[AES256_GCM,data:egFnuw==,iv:SYYz60k+9N67zfVb04UgajRmd6uY60CX8WP2dp8D330=,tag:Y0Pqv5rJpiEWyVBitDsCKw==,type:bool] + group_interval: ENC[AES256_GCM,data:CV0=,iv:ZvR3RYxBgln7idnlMDoENuRm+ns/ZHD2ZqK7A8W2H5o=,tag:unblZgCpk4MhnQ0hU6IgmQ==,type:str] + group_wait: ENC[AES256_GCM,data:zYw=,iv:bNYNs217M4q/BJDAISlSIN9JDT2O1mA6wizx6prOEes=,tag:o1tmef2G6XrFgAxFgB7ikw==,type:str] + 
matchers: + - ENC[AES256_GCM,data:TAqpeHesoh8IJT+hMovgUZ3sG2A0E0cPD1Gs0w==,iv:s0vKznlj+5gUrcxZB/rH0UMvhcdzr8fOJzhfYDD9lkg=,tag:Ef7NuxRTuKJjParaSZQaLw==,type:str] + receiver: ENC[AES256_GCM,data:1bGeIc0=,iv:CuaOHtN28+WcNXlsbVWTDb4ydgV8XPmmF5ZA/EtAYrU=,tag:O5QH+fQTvC+9bHgfObIozA==,type:str] + repeat_interval: ENC[AES256_GCM,data:9wsCYg==,iv:UElhU7lmjPIjv96okkCy0+nOzuOuCwiTPdlJK6TRDJk=,tag:Q2/jgFDqkk/aTkQ55VcN+A==,type:str] + - continue: ENC[AES256_GCM,data:LlNkiw==,iv:U0Gw1NDbCG+4ACXuunYBuZwDyRdpj4pnKNMSrPf4e7Q=,tag:3yPAFIwr0RGYF3+LzvahPQ==,type:bool] + group_interval: ENC[AES256_GCM,data:U2e6,iv:uQXFE7I2h5m0jHNv83wQz+eFtg+LAaU/K/hkG+92p6Y=,tag:PygcstgpP6Ppzp8dqQMn5w==,type:str] + group_wait: ENC[AES256_GCM,data:MLq/,iv:bYGg93ie87QKCdTQ2cYgzSbF3w2Rq53UIlNGmsp3nQs=,tag:xay1LDuFkt9qXtsGezIbXg==,type:str] + matchers: + - ENC[AES256_GCM,data:pBFVGAc+OsFBJlrYXYOr+npY,iv:gU6b0n1ILmIR6YxxkX24ripm6WeEdLOKMFcsz1RojC0=,tag:UkPE1PkNsvYvM3r+jQMmrA==,type:str] + receiver: ENC[AES256_GCM,data:0QsoP11xu7o=,iv:dKp+V3tCbIQ201Ee9wLEm7gldd/Cnx9tz8vM0qFO0lI=,tag:dR6xlhtjWrW9Tg2+qAgpPA==,type:str] + repeat_interval: ENC[AES256_GCM,data:l7lQwg==,iv:rGd0jcOOmzTb4Yemwy6xZkJbER8GmJ05GLwD6Qqm4Yw=,tag:UbdscYiMOIrO6vlF56zmeQ==,type:str] + - continue: ENC[AES256_GCM,data:ZMjomAU=,iv:uKtcTk43xV13rOhjPagZfg2gZDJ/E9OpxvuhfEpjX0k=,tag:XTDYKtUV/dW+cbM8iuhKwA==,type:bool] + matchers: + - ENC[AES256_GCM,data:fxAudV8bIUDjqVvvPXhcbazhbOzt,iv:K1Xn0+QadBeBGUNj1ZZl4FWi4dmvBQUKyX/of4Lmmqg=,tag:5fN7BxkV6/hi62pKYJDNYA==,type:str] + receiver: ENC[AES256_GCM,data:myKmSK6crKY=,iv:vljs2bpCd01EW/F3igDgawfdoEVuA6IkmDkgOQLJpCg=,tag:iSTnmDXxktORvb3yW+Nw6Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-03-29T20:12:30Z" + enc: vault:v1:vfawpF+OafS0tOsqs7YH1Wz7I6OnGqN7hH5LqdHW3GjOLLrSZvFscE071TWZ14ntg/6tmtkQbMPz58q6 + age: + - recipient: 
age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdEplemduOEQxdVROWFBF + cWpNcCtRbEsvaUU0cHJpdzdIK0VEeHk0WmlNCkNMb2VsaEtyb2lkMWIvZEJMQWxD + anJ4d3JrZ1ZNYXZ6R0pYK1IrRSsvK0EKLS0tIGU0ZzNtcmpmc29mbkw5WXZwRVV2 + RGs2VlRNN0s3MHNWc2EzUjFHa25mZWsKopYp3KQBcSehl3NY+du4pC4MQGZ4uKFr + 985AhZuT2mK2Zpb8o7MjvjsIoBMq6yfBJqZDyxlJ9Wkv6JrqVsVULw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-29T20:12:30Z" + mac: ENC[AES256_GCM,data:1FZlJ7OtIDLdE2Pr2020yZccaey68QB2t9cdJEonFe0Pq7A6I0vrI+PWT3ZMJhsF5Yqw2+OSw0wX4Z2pdWcKISq1Y5QHNo7cO0zRQ/9JAoxvFR8vPgLj8KK7LhleRUaQyjobUi89u5y8UO8hrRIOs4TzeOlIF8xeCIt92XxmKZM=,iv:hz5FFyvEHO8yPrqlK5Nn0/v6vQnhqaTVS6z/ZFN1duo=,tag:pHUFTHALxSyEyaDQPdEZSg==,type:str] + pgp: + - created_at: "2024-03-29T20:12:30Z" + enc: |- + -----BEGIN PGP MESSAGE----- + hQIMA+/EGAve9YBkAQ//enNWaREnfG13oHRnIXZJ0+jsQVXj0iEg18iVkO0cJOVn + So5vvKtsIQCif0aROeNHRHnMTSVqRIGGl0ixv4uG3UYL11CF4CKLDRXvhXYWaAEI + 4zC4hnWBajYx5PQhn1C4YHpYzzbSzQ00+vgGyhem/K9Tq6p9LWRn7+uJM4zqOY6u + 4AxxHfuNhBy9NtMik/qBx1muum5riF6VdMQ5IBFOGUtDE7HBHmBTduOWFOS56dWZ + lL6F7SGBW0ann5xzRWwNKcJPmBC9qgOdvt0/qnE8tx6RuK7uGbjdx+/+DTfM4Dq3 + 3HCdflxUd7EdmIw7REsUo/9RO/qZw4q+EAh9zW/ALQeWTT3o/27OFQE4h+/K1pLf + n/9taSLxyzRqi10NJPxkdCu47hZfopxY2uY0K22jgtDD0FiccD7y0PDjYquv9Cx/ + LUWIVSjokjsGikrCi+r6rZKmUEzRBVP5QXL+UbnNPrXIhy3rBmnGOmZZymCSLzxu + oE2Fjt8GB919EIhGlRQnji9GD75OiXmMPk34/fO1ZuYM3a3u5Wc9hutyUEJDy7nt + 2TrkT+wYdGVnjgdOwZKo8NNe+eJhOhyayxH/fW3hI/Q5kEuTNeFBmTHH7hKFgdq9 + ZneiDJhlMfNbdYtlRc8It8N9JRiEOnmeXb4nxQ3zPulnJv6FjXWAy6IWN5XODD3S + XAErDTRAtj6o3VAhH6OyVUdQDrH+jQmiv052rXI9PRh0wk5MBD69SreF9heEmNpP + 1fqHQH9VXdqI6mjrwub9GkYO2z2achcIC4+mPhDv0TuCUT4OsZhZMna3Gp1d + =oV3A + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + unencrypted_suffix: _unencrypted + version: 3.8.1 
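Review bot: This file sits under `clusters/svc.dd.soeren.cloud/` but is encrypted to the Vault transit key `svc-ez` and age recipient `age1yp99…3rzl`, whereas every other SOPS file in this directory uses `svc-dd` and `age16r9…etes`; if the per-cluster transit keys exist so that one cluster's decryptor cannot read another cluster's secrets, this file crosses that boundary in both directions (dd cannot decrypt it with its own key, ez can). It also holds the same Alertmanager config, including `smtp_auth_password`, the Telegram `bot_token` and a webhook `url`, that `sops-secret-alertmanager-config.yaml` ships to the cluster, so there are two encrypted copies to keep in sync. Re-encrypting with `sops updatekeys` under the dd creation rule, and checking why `.sops.yaml` matched the ez rule for this path (the name does not follow the `sops-secret-*.yaml` pattern the sibling files use), would close this; the `lastmodified` of 2024-03-29 against 2024-06-28 elsewhere suggests it was copied over from the ez cluster tree.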
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/alertmanager/kustomization.yaml b/clusters/svc.dd.soeren.cloud/monitoring/alertmanager/kustomization.yaml new file mode 100644 index 0000000..3065145 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/monitoring/alertmanager/kustomization.yaml @@ -0,0 +1,38 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: monitoring +resources: + - ../../../../apps/monitoring/alertmanager + - sops-secret-alertmanager-config.yaml +components: + - ../../../../apps/monitoring/alertmanager/components/config + - ../../../../apps/monitoring/alertmanager/components/reverse-proxy + - ../../../../apps/monitoring/alertmanager/components/cluster-istio + - ../../../../apps/monitoring/alertmanager/components/cluster-tls +patches: + - target: + kind: Deployment + name: alertmanager + patch: |- + # alertmanager does not accept relative URLs here + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--web.external-url=https://monitoring.svc.dd.soeren.cloud/alertmanager" + - op: "add" + path: /spec/template/spec/containers/0/args/- + value: "--cluster.advertise-address=192.168.65.250:9094" + - op: "add" + path: /spec/template/spec/containers/0/args/- + value: "--cluster.peer=alertmanager.svc.ez.soeren.cloud:9094" + - op: "add" + path: /spec/template/spec/containers/0/args/- + value: "--cluster.peer=alertmanager.svc.pt.soeren.cloud:9094" + - target: + kind: "VirtualService" + name: "alertmanager-cluster" + patch: |- + - op: "replace" + path: "/spec/hosts" + value: + - "alertmanager.svc.dd.soeren.cloud" diff --git a/clusters/svc.dd.soeren.cloud/monitoring/alertmanager/sops-secret-alertmanager-config.yaml b/clusters/svc.dd.soeren.cloud/monitoring/alertmanager/sops-secret-alertmanager-config.yaml new file mode 100644 index 0000000..ca3ae6f --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/monitoring/alertmanager/sops-secret-alertmanager-config.yaml 
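Review bot: The added `--cluster.peer` and `--cluster.advertise-address` flags join this Alertmanager to a cross-site memberlist cluster on port 9094, and nothing in this hunk passes `--cluster.tls-config`; unless the `cluster-tls` component in the base supplies it, the gossip is plaintext and unauthenticated, so any host that can reach `192.168.65.250:9094` (the MetalLB pool address declared in this same patch) can join the cluster and replicate silences and notification-log state. Please confirm the component wires `--cluster.tls-config=` and add a one-line comment beside the peer flags saying where the gossip TLS/mTLS comes from (`# gossip TLS is injected by components/cluster-tls`). Note too that the `# alertmanager does not accept relative URLs here` comment lives inside the JSON6902 patch string and applies only to the `--web.external-url` op, not to the three `--cluster.*` ops that follow it; moving the cluster flags into their own `patches:` entry would make that boundary obvious.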
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + alertmanager.yaml: ENC[AES256_GCM,data:WjmcwsqsMWupq2W7fIIEDpsh61eUR8L/sbDPiQfI4lKcLUhqYPrTBFaVr7iQXrF9xZUknqZAszku7w1peMIB6dvDNweZ3Oli8b5uzcQkNliSLAS1MyM8YIYueDQ2ItEpZiyiLC3J8gerzedGuB3RhOVKe5NXqxF6RwyBdGN9GVZFLntfv+B5HL3qvIquFeSCsrub9Wza687EHb9aNdEug/KrqRWVjrF/Z3SkihSKgz1gZa9HYyBcvo1RlvgfjwspU1IvlvLmgjcEnWIVptTmGKhLEbs8WJPcnxiEuuWq7mjqJfggn4mwD1kzZJ0mfnz+fhZIJ3PsLx7/uKbvPK4VkP6wBxozAsdftDu/T+DPEbcw7ANfkBkvAtsJz61t1JKoi6CGuu2/qgegojLFrb27CK9O6cpCs0Lqr5FrPnRT95cSB+1Scr5PNemG7mwnyvcftHw0/Q6LhwgobJMb6O5kJGc6r9Zf1PeGwYkr6Ud0RIsH7twyqKW+wgBSsJpl15GI18f5utSKMGlZtz7dv7VtI+CN9LiC+IoX5T2ryCgzTcabz6brQhljkKd10l68QKNZ7oaOb19kI/RQraGfG0WM9uMwfdmVV1UfGY2itEzTy69OL1hQ/uKVkRvNFO2GO2Zucp4GPAyE8eus+YoXeUZLqkyJoYqu7IOJjXfcJIRVjdrFXDy/besUuHmWoWcBrmFhEYnx4c9VmzNR+HUb4tIVry+beglg5R37DWsFsA9R2YgORYMi3Uu2oBd51Y1rLf+ycCmE6vi/LvkcIBwQs0v3cMIp2OU6zR8l0ks9q9i5hn0NoFcL8zTomZUMtI7nynQBoup+ehVmsaN3yHTA0COnt3GPQqphlwws+lJSURpn7JACetPmjPos9vK4p5K3mUa+Gty5Pvc6ZmCk/MiQz57osBE3DAEe4s264TNmTmtsP1tm/KI7eUdG86RJpFRKnCJa9nhIJUo4c+gPF/VRzj63BsloyKNJUm7JJUyOWJhL9oTr7pJM1QeW8Il+u6iA2wXdSqGGYLLQwgs9W1XoZOAaiFfZdwZv2CYgz06wdJaMQBvAeu0Pnh82GeeJR9cwHwbgvadviJRlw4nNEinKOVwByK9H42LeYhT+8Id7SyAgcxF6y3ChtQYnRPyHZB0IwtRXQ22eXS2MkO9rBuxPcoFvy3bB1GEtygrjffLA/vy4MS/dnlwFRtRGBVqnfQWOUW1j/MxEPCSy76GlpeExhuyCNxcE4mK1qUXPVsX/nIZPQtHz4Bj73TAADXKAwBcwu1KzIxqVnbIY11zueV+r+ffjwZcfL8VEpNWCPOhHEZWML3gnkButmffl4x8igFWiLchjWjaz8z2uWikPalzkwseT0uP/hH0vyKR+WaWf5fvO3/Y5usZCIGWWkeU3y4Ktx3bNtKQiRekZNxO7AZ0Vr0azXnAxtcnwzb6PyZM2D4CPrfNoCLpNLxkm9nh+yJAZZ4M1c/bcdt4EMiRAp4TRumydrrOOi9zNnXL7bs7iKaqhoQLNJTmJUiw6RtpemZP1ThXhkx8gGSjy2NEjVGYcXg/rpv4A/uu6HVkYTakn1X8jEugSQ/BnIzryeLQYvUF/Q9370lI3cqezxj5/AHFMb5yNHvzLsjzhllnnXuNtFJyRuE+8wXVYBpkSY3sdSHJFYS4Em8O4G2xqiP+jkzNTI7/j2lsmnNaTXQGrMxEUEPUvAR9KeWEEZtulbPspB9W7MBRFJpRyRDAnreBSS1PW9WrGK4HRFAZAZvmhE6oos4fxByoXxvDoMjGgsZhb1WKevBx9tZlm2zLnZDD5NUrogT3pr7RccrU1rerSCVCR37AAL1+rSguD3bj40p1vPsa8PdatMDXyKnHaxJJ27rGui/p6+bG2W0XD2z5Dpc6RiJYeXbDlM3md4qxr1VH8P4L9oi5
TCVWeh1JDeksDqnZHor77Svpl9VpA3zpMadQ8zX5GPlu4d5/S+rM+NkQA9dvcgc3vuSOLGdfQEvaWc1By591TLtH0wMcDYHUqS4p+OgF/Pc9n5QpXjO1n+70qVsgYQiw62uII13+JvR8cBaezpja0XBNp0QbVnXFV/2EjbVAnxV3G+hUbB5nvgDyIrVRcLxMByc0S8W1OxxA2azYnqo23WBEYkYI1n1CElrI/fD28sbDLLiYOs4TdzHXn7BCO0zGuQHaXfcvZG2q9PPs1J/w0vyaeX/PldoZWBDbaFMAk9rWlDnw8lDGqyFsN61wAz5gYm3qCny2I6aigB02+ZK+qsdY1X24MtlpmB66SuNf3enPi4Zo5IrH73X1iRaGtPZ3tiUwuxfHTMMPUpPBY/k5aMid5vnSuTQGf2zpAwInm8Myqg/KXQ+WWdW+3QQGhqn/AoFY6vAoilcEpRTDpEH+arwXdN7gPuP7JxzCMuaYJjXBnn7PitpwA3Mk3XY/qr/QJ1A64SNIEtaIvfINpg9L0DPNzysnvWcerPGzwdEsZnrVhs+yVk9CyHV+m3PNysVl+RfP0veau8J1vEmGpr+HpDGfLb8F8At7ergZt91xUkEKSRy+q2dHqp3rnOt+RPCXAV+QT5dVET9RKbt6af31QF2lYUD2KW3SJ+WnrAnFXbkxcepWCrY29E/yk2TiQg6NYFVeRGPsEjPIyxq5AkAiqn+6rsHIfcf2W2zIcPiAAd6+6oz712F2dMVT9qsMtrz2OAu6O89GYsmQm0RnS7TsdXp6V8up+Y7u+Al72Kcfe3nds+AplewuCGzXsHGye+AlJZ3fE9rT4XUtlja3E4ycS3mzHcsasgQTqKUs89f+/CPbTb3p11bUPPUQT6zEzHFy5USNWs+8G6IAS7loSNELLWCqVeLauZ6/1sgmjyMvaY6tYFvtTJDdPW4jBLpka4i4Syo15rgQLOOjtzpFheAjQ7OpKIzLCtdPH4iNiW93ewfULLGyacFkNWy/2uFlDsq60mgNXl4zzx13Bs+0BhYjACT9ugKt082NE8tg92XC54Venys+M14MGnYRVTZ769E2GaRx2rpV3kwQtmdG7qWGxkuJ8YDs0LnkLH2eTVpU3ICNGHzvoXz4Ss62HuN3jexlf24JzEYWppcuypmFx3g8FuN4bJH1af3uSOp1ftj/5rlMQNwjAunUDy5D//EbAXUeutwuHT4wqaN+bv96IwHM9NOLPVnaYYkXM6v9QqC45a0Qm81L+aqLGcXFHG+v3iRxUERoEK0+Hl1b4CMAtvzZCfErShLrl1Yukj7gNw7xZSxN50OkQjUoE2MnmkXyvJRxSyyaKl31EUxb3+oemPh5LVyiuhD3C5z+tKVvC7n74csAiMvrJf1T36fic2vwaOztDFnQMBc1b6uMCFUuhxgWweoacNdADqdOr3FJlnbWuVUrYqY+4E273nSR6Ui8oSdPrM26CSPdFpbJHQIcR96L/DH/ENkD7CH+uSU/4sgS+5nbC3RMH7AA6pjnK2vc19k4FlD78S51G2EOuwmDyogFt0n4FDl4hFhHaUwvxl76i+f5rNJNOG3hvXCGJxHnbyEC2p6OKgRz24HX7cQ8G,iv:TD64rE5QjEn+6aVSzwoATvYZTjxGI/pgr/iH+xxv+0A=,tag:68G6LC5tpYYG9T92/lqNLA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: alertmanager-config +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:24Z" + enc: 
vault:v1:Gf7LzB3iUwDRZ1QGdTFMVxpqeeShUtl1p88xvnpSH6qG9n6NZKuMPdDEPkikGDeMHhsWlGyBLBkVvXxi + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQUNzVDROM0FRUU9pWUR4 + UlZFbHkvOEdjOTFkbnNaVUYyQzRRV1l3T1d3CjVZTWtxcVpIeEluK0lDeVpVWmlO + N0JnVlp6RmlsQnNUZjdPVXNrOU1FWHcKLS0tIEVpd2ZqT0hmRmU0N2Y0V003ejBE + OXRQb3BCaWt5dXlKNUxMVnNEVVNvZWcKMM1E9oxir2g9RwkBMpJ1tnFFBYWQO0dv + VAH54kGkbgMCUDnB7d/oVasROP3iemfiDJO8R8yHF6QNHhH/IZ7/0w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:34Z" + mac: ENC[AES256_GCM,data:F3xE0zK4UPv/BcBDhSkddWyuuapj6brp9CFsxeIZxqjs4UICsGcYbzAYhcyBSTkmEQ3dJ9DLif3ilZhfXIxsrXuC6u+DskQkQc8vmImEoYX/6wgf0i8WUIchYCD4ChLTP1NiZPIuv/NsBPx8ioFvZt35uzpQwmpgbNGGCkIA6DE=,iv:gdYP3M3PFmNJave4bH+bz1hJTWtq8id/tZTQ9/vU4aI=,tag:7CTMRtR1YxjHP2qFi4lnBw==,type:str] + pgp: + - created_at: "2024-06-28T08:37:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAsV4a7rfcP3aLnl0770A1pxV28f0DUIUwBnobhjhHiRNn + U5Gvj0jlF4idSqgokzwn3M8inOgqedtJjunQQmpM3YSiCYpBoW9Drn+Tnc/ViH8F + ArhJdt0rqTMAvxf8/zHfCTXs+gRJggK0Vn4AEOBjr5LLQEfAvqn3rhyG+4xQ6Zei + kUNAe3g6R6Ze6nlYiCtR30Do19vm29eMVan96T0KOiUIf+wzTTiXV8MEm+ENF7wi + b9urZr2I94wrBrgn0QrR601PpyFFGcq9KVRLQcn9lmxSf2D3F1Faxu6diiu4Ifzx + 5R7UimhwESi7XNMuKNbJaNy3CaSiACwym/w54XCgZoMZiTdJCa7A/HDYw2Q7LSeH + MxU4NpP4WU18HCCmR6dzEwx2zqN4v7mWmVcZmSY+9foY9nwVQVPYD9Am+oGvouPu + Qc+aijiWJgse5yr5SI/3jNZ/QimD2IRQSZzAQl4k/roP+OXexrekCRhzlUJagnQR + NH37VRg26WAHj1mT+b5JjrfSql7VLZTQuqmjxiYqdwXpjLJd2ijj2YyCScY3m3yi + VbKfcCB/yLM1FVtqiXqeDX0eYyQjucte9yfLxH8rM34C74x8xbsWsDTmenX6WpPn + v/D+8QZuxCmtmKs9JtpLfD3qFWfYG7nugsLjsMEeBWU02MTDXqk6rT66ldQzqc7S + XgHmWUi6KqF9WFfor1ATOL/LK7MyAfPsooekCop20RjGvzljVDmby2gPeeSzYaFO + QV4hnuVhHnlghw8FSEAwYmfWC5jCL1yrdoeFl1SU8gddkoXkrUXntUSfBRnl1L0= + =ewzr + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + 
version: 3.8.1
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/alertmanager/upsert-secret-alertmanager-config.sh b/clusters/svc.dd.soeren.cloud/monitoring/alertmanager/upsert-secret-alertmanager-config.sh
new file mode 120000
index 0000000..dab3321
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/alertmanager/upsert-secret-alertmanager-config.sh
@@ -0,0 +1 @@
+../../../../apps/monitoring/alertmanager/components/config/upsert-secret-alertmanager-config.sh
\ No newline at end of file
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/blackbox-exporter/config.yaml b/clusters/svc.dd.soeren.cloud/monitoring/blackbox-exporter/config.yaml
new file mode 100644
index 0000000..417814f
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/blackbox-exporter/config.yaml
@@ -0,0 +1,40 @@
+---
+modules:
+ dns_soerenschneider:
+ dns:
+ query_name: router.ez.soeren.cloud
+ query_type: A
+ validate_answer_rrs:
+ fail_if_not_matches_regexp:
+ - "router.ez.soeren.cloud.\t.*\tIN\tA\t.*192\\.168\\.2\\.3"
+ prober: dns
+ http:
+ http:
+ tls_config:
+ cert_file: /certs/tls.crt
+ key_file: /certs/tls.key
+ valid_status_codes:
+ - 200
+ - 204
+ - 301
+ - 302
+ - 403
+ - 404
+ prober: http
+ timeout: 5s
+ http_2xx:
+ prober: http
+ timeout: 5s
+ icmp:
+ icmp:
+ preferred_ip_protocol: ip4
+ prober: icmp
+ timeout: 2s
+ tcp_cert:
+ prober: tcp
+ tcp:
+ tls: true
+ timeout: 2s
+ tcp_connect:
+ prober: tcp
+ timeout: 2s
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/blackbox-exporter/kustomization.yaml b/clusters/svc.dd.soeren.cloud/monitoring/blackbox-exporter/kustomization.yaml
new file mode 100644
index 0000000..c2d5b75
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/blackbox-exporter/kustomization.yaml
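Review bot: The `http` module accepts `403` and `404` in `valid_status_codes`, so a target whose reverse proxy is denying or mis-routing the request still probes as up; if the intent is only "TLS handshake and any HTTP answer", say so in a comment above the list, otherwise drop those two codes. The same module's `tls_config` loads a client certificate from `/certs/tls.crt`, and that identity is offered to any probed server that requests one, so the module should only be pointed at internal endpoints that expect it — I'd add `# internal mTLS endpoints only: the client cert is presented to any target that asks for one` above `tls_config` and use `http_2xx` for everything else. The `tcp_cert` module keeps default verification (no `tls_config`), which is the right choice for certificate-expiry probes.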
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - ../../../../apps/monitoring/blackbox_exporter
+components:
+ - ../../../../apps/monitoring/blackbox_exporter/components/custom-config
+ - ../../../../apps/monitoring/blackbox_exporter/components/reverse-proxy
+ - ../../../../apps/monitoring/blackbox_exporter/components/tls-client-cert
+configMapGenerator:
+ - name: blackbox-exporter-config
+ files:
+ - config.yaml
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/karma/karma.yaml b/clusters/svc.dd.soeren.cloud/monitoring/karma/karma.yaml
new file mode 100644
index 0000000..f1e753b
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/karma/karma.yaml
@@ -0,0 +1,67 @@
+---
+alertmanager:
+ interval: 60s
+ servers:
+ - name: local
+ uri: http://alertmanager
+ timeout: 10s
+ proxy: true
+ readonly: false
+ headers:
+ X-Auth-Test: some-token-or-other-string
+annotations:
+ default:
+ hidden: false
+ hidden:
+ - help
+ visible: []
+custom:
+ css: /custom.css
+ js: /custom.js
+debug: false
+filters:
+ default:
+ - "@receiver=by-cluster-service"
+karma:
+ name: karma-prod
+labels:
+ color:
+ static:
+ - job
+ unique:
+ - cluster
+ - instance
+ - "@receiver"
+ keep: []
+ strip: []
+listen:
+ address: "0.0.0.0"
+ port: 8000
+ cors:
+ allowedOrigins:
+ - https://example.com
+log:
+ config: false
+ level: info
+silences:
+ comments:
+ linkDetect:
+ rules:
+ - regex: "(DEVOPS-[0-9]+)"
+ uriTemplate: https://jira.example.com/browse/$1
+receivers:
+ keep: []
+ strip: []
+silenceForm:
+ strip:
+ labels:
+ - job
+ defaultAlertmanagers:
+ - local
+ui:
+ refresh: 30s
+ hideFiltersWhenIdle: true
+ colorTitlebar: false
+ minimalGroupWidth: 420
+ alertsPerGroup: 5
+ collapseGroups: collapsedOnMobile
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/karma/kustomization.yaml b/clusters/svc.dd.soeren.cloud/monitoring/karma/kustomization.yaml
new file mode 100644
index 0000000..0309f0a
--- /dev/null
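Review bot: Several values in karma.yaml read like leftovers from the upstream example config rather than settings for this deployment: `X-Auth-Test: some-token-or-other-string` is sent as a header on every request karma proxies to Alertmanager, `cors.allowedOrigins` is `https://example.com`, and the silence link-detect rule points at `https://jira.example.com/browse/$1`. Because the instance is named `karma-prod` and `proxy: true` with `readonly: false` lets anyone who reaches the UI create silences through karma, the config should carry only intended settings; I'd delete the `headers:` block and either remove the `cors:` and `linkDetect` entries or fill in the real origin and tracker URL. A short header comment naming which upstream example the file was derived from would make future diffs against it easier to audit.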
+++ b/clusters/svc.dd.soeren.cloud/monitoring/karma/kustomization.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - ../../../../apps/monitoring/karma
+components:
+ - ../../../../apps/monitoring/karma/components/reverse-proxy
+patches:
+ - target:
+ kind: Deployment
+ name: karma
+ patch: |-
+ - op: add
+ path: /spec/template/spec/priorityClassName
+ value: prod-low-prio
+configMapGenerator:
+ - name: karma-config
+ files:
+ - karma.yaml
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/karma/networkpolicy.yaml b/clusters/svc.dd.soeren.cloud/monitoring/karma/networkpolicy.yaml
new file mode 100644
index 0000000..6ea6732
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/karma/networkpolicy.yaml
@@ -0,0 +1,60 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: karma
+spec:
+ podSelector:
+ matchLabels:
+ app: karma
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: karma
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: istio-system
+ podSelector:
+ matchLabels:
+ istio: ingressgateway
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app: prometheus
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app: prometheus
+ - to:
+ - ipBlock:
+ cidr: 10.0.0.0/8
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 443
+ - protocol: TCP
+ port: 9093
+ - to:
+ - ipBlock:
+ cidr: 192.168.0.0/16
+ ports:
+ - protocol: TCP
+ port: 9093
+ - protocol: TCP
+ port: 443
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 192.168.0.0/16
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/kube-state-metrics/kustomization.yaml b/clusters/svc.dd.soeren.cloud/monitoring/kube-state-metrics/kustomization.yaml
new file mode 100644
index 0000000..d6fd40e
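Review bot: The final egress rule in networkpolicy.yaml, `cidr: 0.0.0.0/0` with `except: [192.168.0.0/16]` and no `ports:`, allows every port to every destination outside 192.168/16, which makes the two preceding rules moot — the `10.0.0.0/8` limit to 80/443/9093 and the prometheus pod selector are both already covered by the catch-all, so the policy is effectively "block 192.168/16 except 443 and 9093". If the intent is internet egress only, add `- 10.0.0.0/8` (and the cluster pod and service CIDRs, which I cannot see here) to `except` and constrain the rule to `ports: [{protocol: TCP, port: 443}]`; DNS then needs an explicit rule (UDP and TCP 53 to kube-dns) because the catch-all currently covers it implicitly. Karma reaches `http://alertmanager` in the same namespace (karma.yaml), so an egress peer selecting the alertmanager pods would also be required once the catch-all is narrowed.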
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/kube-state-metrics/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - ../../../../apps/monitoring/kube-state-metrics
+components:
+ - ../../../../apps/monitoring/kube-state-metrics/components/rbac
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/kustomization.yaml b/clusters/svc.dd.soeren.cloud/monitoring/kustomization.yaml
new file mode 100644
index 0000000..7a18792
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/kustomization.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - namespace.yaml
+ - alertmanager
+ - blackbox-exporter
+ - karma
+ - kube-state-metrics
+ - prometheus
+ - pushgateway
+ - vmalert
+components:
+ - ../../../apps/monitoring/components/tls-client-cert
+ - ../../../apps/monitoring/components/reverse-proxy
+ - ../../../apps/monitoring/components/reverse-proxy-istio
+patches:
+ - target:
+ kind: VirtualService
+ name: monitoring-reverse-proxy
+ patch: |-
+ - op: "replace"
+ path: "/spec/hosts"
+ value:
+ - "monitoring.svc.dd.soeren.cloud"
+ - target:
+ kind: Issuer
+ name: vault-issuer
+ patch: |-
+ - op: "replace"
+ path: "/spec/vault/auth/kubernetes/mountPath"
+ value: "/v1/auth/svc.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/namespace.yaml b/clusters/svc.dd.soeren.cloud/monitoring/namespace.yaml
new file mode 100644
index 0000000..cb3be8a
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: monitoring
+ labels:
+ name: monitoring
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/prometheus/kustomization.yaml b/clusters/svc.dd.soeren.cloud/monitoring/prometheus/kustomization.yaml
new file mode 100644
index 0000000..ac21482
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/prometheus/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - ../../../../apps/monitoring/prometheus
+ - sops-secret-monitoring-prometheus-config.yaml
+components:
+ - ../../../../apps/monitoring/prometheus/components/config
+ - ../../../../apps/monitoring/prometheus/components/rbac
+ - ../../../../apps/monitoring/prometheus/components/reverse-proxy
+ - ../../../../apps/monitoring/prometheus/components/tls-client-cert
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/prometheus/prometheus-config-sops.yaml b/clusters/svc.dd.soeren.cloud/monitoring/prometheus/prometheus-config-sops.yaml
new file mode 100644
index 0000000..fde4eda
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/prometheus/prometheus-config-sops.yaml
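Review bot: `resources:` lists `sops-secret-monitoring-prometheus-config.yaml`, but the file this part of the patch adds beside it is `prometheus-config-sops.yaml`, a SOPS-encrypted Prometheus config rather than a Secret manifest; unless the listed file is created elsewhere in the commit (I do not see it in this section), `kustomize build` fails on the missing resource. The alertmanager directory commits the rendered `sops-secret-alertmanager-config.yaml` and references that, so the two directories follow different patterns. Either add the generated Secret here as well or drop the line and let the `components/config` component consume `prometheus-config-sops.yaml`, and add a one-line comment such as `# prometheus-config-sops.yaml is the source of truth; the Secret is derived from it by the upsert script` so the two files do not drift.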
@@ -0,0 +1,543 @@ +--- +global: + scrape_interval: ENC[AES256_GCM,data:R4gO,iv:B/DjsscWDrL0h1kPYSAPdLa3UD6E0Za6sI6938AZnH8=,tag:cra3hsphxeFTQM+t5TZlug==,type:str] + evaluation_interval: ENC[AES256_GCM,data:P06y,iv:kxVSw0Bm0H7YzVwGNpheiCiJIMI9Nq3z2hyBvauMlfQ=,tag:jigPL5LYbXF8i1fvmlUz6g==,type:str] + external_labels: + cluster: ENC[AES256_GCM,data:E12muHph7eeO4iRyivByite8UQ==,iv:2zL4sCmh/D5Z0AL0XVi8vNfP0qcCr9uP7P2gg50eIXY=,tag:hQONmHbvdKD+FRi3S0wlJQ==,type:str] + location: ENC[AES256_GCM,data:abw=,iv:BWJsKYh4F1s97dGqneAqV9G6AT49jHMIULhF5IdKlsE=,tag:C49rP1J0D+AJON015gWD2Q==,type:str] + datacenter: ENC[AES256_GCM,data:2zQ=,iv:89LdIBzWxonNWN0IvThgsffwaclbm3vAEGcrcPp08EY=,tag:8mAzu4CPgk2s8c8NnKE1AQ==,type:str] +rule_files: + - ENC[AES256_GCM,data:bSKNZYLzovQZanruRoXaQXItKTnexPBzlF0MwbQ=,iv:p+Nq/7EZESEIatjCH24XVWlUgDp7NNEaVz7TXTT9rAY=,tag:uLz46d+8us+i0tBnh274tw==,type:str] +alerting: + alertmanagers: + - scheme: ENC[AES256_GCM,data:3tt5Mw==,iv:Woq3OZnNoPYuWo8nPt6OKITg+FDS6MwL5zbxYB3gOcg=,tag:zKAywnTFYiRzhN/WAOe7Cg==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:1+YUg0QagjR9Wnj8,iv:qqV5GcRd6M4gNbinrBkxbyDwP5lxqbYCid4FV1MgdjU=,tag:7XQ0z2WB7U3b1NzUc+v9Og==,type:str] +remote_write: + - url: ENC[AES256_GCM,data:gHQIA1hlrIXEzKM06ktlhNo7ae8MMcAPUzS8iA2Zxsa+dpNxUnfr1t2ZJJI+hOt5rB3YtQ==,iv:kv92SZjjwFIzfEO60xwUEnX+BIondkPsCacnDM2JU28=,tag:zjb6z7twx5qhlR3q25Y5hw==,type:str] +scrape_configs: + - job_name: ENC[AES256_GCM,data:2ecXXTg1+YOCV0R+Yg==,iv:goqwLz0WImW8m/hIkjaGZx5cD6X/MnuqbE+tpRLmP14=,tag:Pymie78DBwBkQyKXJUudLg==,type:str] + kubernetes_sd_configs: + - role: ENC[AES256_GCM,data:vSz172LwUA65,iv:pZvMxP7uP+VWr6Imc73GjzGKLJ1KeBS5xpKE0ELfDPk=,tag:lC6VKvx8/Gc1dwNUEF9fHQ==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:uoOzZLQdVADxqQaimlgn/LHtPavNQZ+eXdqnbAuX9m4=,iv:AXAdXwCnR8Gh7o1YjZUTWaCJPWdO9hxu/tv7U+TXujo=,tag:XmUH0p+P+DAzX+wdvgPrkQ==,type:str] + regex: 
ENC[AES256_GCM,data:RYhY2alRHlAewjiJkA==,iv:fUh5jDpf9eKKwjKy+sRH2hbaNIa2VdjoshN/Pg1hjFU=,tag:+9xhZQbYgx9Hx2tVVy75vg==,type:str] + action: ENC[AES256_GCM,data:y3hGTQ==,iv:8q5/9uCUHubajU+SY7OI0nEwwkY5+gOc/aSVQvMdyGc=,tag:Agx8/S81ZmyN0XhuZYSmLA==,type:str] + - job_name: ENC[AES256_GCM,data:SH99ZTxgnJHLyfOM9AQq15kfhiUv,iv:08Mr0Stebl1Q8hclojOwDNvQlrmQUMCaD8tpKBYVl7g=,tag:sd8IvYScwAIiyVhkXgKRTg==,type:str] + kubernetes_sd_configs: + - role: ENC[AES256_GCM,data:vSz172LwUA65,iv:pZvMxP7uP+VWr6Imc73GjzGKLJ1KeBS5xpKE0ELfDPk=,tag:lC6VKvx8/Gc1dwNUEF9fHQ==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + ca_file: ENC[AES256_GCM,data:7/fYBF7Du/OnocQOWBJ41rHhLB17XWK3QW0CLwGBQr6GGRpfw+AuetRzHEJQ5qCLChJsCg==,iv:mdD465/m7b4mGv9fsCptgnng0iSTit1faICUWyTmvbc=,tag:BOzm3RYarogUC9X9zclrrw==,type:str] + bearer_token_file: ENC[AES256_GCM,data:ys5N8ych67GK9yqN8gz9sVbZtwpccnOPs8PbZMrwkFVSviuu7e10iICk1eDAUUIht68e,iv:iPrbt7JpVWjrr8iUmI2NlqXg19iMe4Xduo11S8leyFA=,tag:VrFR8Zufj0Pxt7qm6IL41Q==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:+yarztwjN/i2uC14RyCW4ERIwrA1Wq0XM2mU,iv:Ji5w08ITlWYbn+d85kkYYv5oU2Sr6rafdkX+KSfqRco=,tag:FJg0ZIpT08NPvatpEP86vA==,type:str] + - ENC[AES256_GCM,data:VfNPvwVlY1DUS24ZanGhniIS+CWfNZm2/ozbYMr0,iv:wk49Tg/hlCvL8L6BQeBfARB524ypSDsKLj148dlR00M=,tag:ohLqJGjhUVu8/utne1kY8A==,type:str] + - ENC[AES256_GCM,data:XL6LchJW2vFbKo0LgLeeelVJHOpoJzmt1HnpIJV0DVwgRKlT,iv:Z55TFuhzNB/WQ71OWdAXkz7zez4Q7/aF3lQljLS9A1s=,tag:JpvgfShytEp3zQK+SLHMzQ==,type:str] + action: ENC[AES256_GCM,data:y3hGTQ==,iv:8q5/9uCUHubajU+SY7OI0nEwwkY5+gOc/aSVQvMdyGc=,tag:Agx8/S81ZmyN0XhuZYSmLA==,type:str] + regex: ENC[AES256_GCM,data:qgdXtc+v0EousZFIWdj/5DEcgsyMx3Yb,iv:RYpE9p9mOig3q1vlnciPncTWD5Vf205TJ2RIUlwNOOw=,tag:W8MgcnEZpGSM6rgXtDSTaw==,type:str] + - job_name: 
ENC[AES256_GCM,data:TzYzyTGJb6YmhAfvxA/h9w==,iv:SFR/NvTBaMp2MJFtN6D2XeQ5yMrmSl3WTYeZws4sRLE=,tag:9zF4OU9ABWWmIvLwpOOkIQ==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + ca_file: ENC[AES256_GCM,data:7/fYBF7Du/OnocQOWBJ41rHhLB17XWK3QW0CLwGBQr6GGRpfw+AuetRzHEJQ5qCLChJsCg==,iv:mdD465/m7b4mGv9fsCptgnng0iSTit1faICUWyTmvbc=,tag:BOzm3RYarogUC9X9zclrrw==,type:str] + bearer_token_file: ENC[AES256_GCM,data:ys5N8ych67GK9yqN8gz9sVbZtwpccnOPs8PbZMrwkFVSviuu7e10iICk1eDAUUIht68e,iv:iPrbt7JpVWjrr8iUmI2NlqXg19iMe4Xduo11S8leyFA=,tag:VrFR8Zufj0Pxt7qm6IL41Q==,type:str] + kubernetes_sd_configs: + - role: ENC[AES256_GCM,data:GgrXgA==,iv:8Ci9Kqrq6woXHfqyxu7XGv/nv1UDSmA10OKgYUs8dIY=,tag:G+9mnJM4V1QYklATmfvRWg==,type:str] + relabel_configs: + - action: ENC[AES256_GCM,data:u6Eabrqu/aI=,iv:uFIVfnWOjL600wx7AAKuSRUASBHYHsG9NJqKcaynbLc=,tag:B1N9Q6qfMQIuTt9ka6uGVg==,type:str] + regex: ENC[AES256_GCM,data:bmTMcoGqFS7dROeU7c+n01pBecSBYNq/sr0ilGVexQCa,iv:9aZ9brU7lUC5x6loJFRS3lGQQDZS2qTqp9VlvQaES/Q=,tag:LPdAEDprBxb5MSdQhGAk7A==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:4crN0yXNrRLQ4zhZJcT7DOJpW/uLl6ba5pw=,iv:nFaz6lIvrXHxgonrBsBzL6PqTigBcinJuiMtYI7MdO8=,tag:rMTqvqAzA0wqtqrlxnZ/bg==,type:str] + - source_labels: + - ENC[AES256_GCM,data:mau+29HrlrT4K2CNDb99mXWnd4iWJWuXjS7u,iv:4+n1vMwPEcXn1RlgkpzyemROHxeccOfz/4PZtRMEFv8=,tag:nXAlEXktMdLci7b49kh8/g==,type:str] + regex: ENC[AES256_GCM,data:gXWNMA==,iv:ptvr3WkaliWUF45veDTDuHQ/sVcZX47wTOzLNaSaTLk=,tag:g+z2H6Yc6bpWEKMDhphfuQ==,type:str] + target_label: ENC[AES256_GCM,data:vG5VbEphBB9xKxWnTfVtIQ==,iv:bFfFLXpAbyoXntdym9VifqHurEPkhI20q0O8s+9M4S0=,tag:vtc/nCLZi+qMMcuuxmIUNg==,type:str] + replacement: 
ENC[AES256_GCM,data:4C83t50FR+R+CQ7g47LCWsT6bk/d80jSKjYsBZe8xeQ=,iv:Fz2z/YNBVq9aAWmKbZSibVT/BkX5xEUrI6jLFIjd1hA=,tag:A1NR1rWDasDmHTGdjfYq3A==,type:str] + - job_name: ENC[AES256_GCM,data:z+DlObOG9T7ZQ6sIRNYc,iv:CHpgkT1+E/M1XSvzXiqxqhWUDd84AS/LBRDvZ6SW644=,tag:T+416h2AdDgZbbwdHkVbMw==,type:str] + kubernetes_sd_configs: + - role: ENC[AES256_GCM,data:pxJf,iv:xV4ocAH5VCesyCfSp/qklJgEtXg/scKoOnLVEd2MiV8=,tag:S5iYMfKqidO3pzaymYolLA==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:oq0kXVCkKT3L118XqCmKRFax9G/9L6voL/r/EDgzzsnLBIGlLYCjKS9k5GOiiSoFd4ivMkI=,iv:+q1Na0dh/CFfdwF1nM/nwyM5ik7h2hiW3JG4ztCMjjc=,tag:ynOVIvpv1YPj5qK0YheeIg==,type:str] + action: ENC[AES256_GCM,data:y3hGTQ==,iv:8q5/9uCUHubajU+SY7OI0nEwwkY5+gOc/aSVQvMdyGc=,tag:Agx8/S81ZmyN0XhuZYSmLA==,type:str] + regex: ENC[AES256_GCM,data:Vb2jNg==,iv:4OCucBuFyWsEc1Cb5yej4Zn1l7M5QRSrJRskcJsQoKE=,tag:HoxCXLZNPR6LIxrABnxq9w==,type:bool] + - source_labels: + - ENC[AES256_GCM,data:GE8Jm2mtYE0re9ZJ/R7AtWJlt0NtsvJcDGEmlcN1Cbb7aOIrYsf/RxijveQbLGhIDXD3,iv:Qvzt8JfsT18S2Vof4tseeYZiXlKhwn9qJWtebyL9Fj8=,tag:bWRh4uxyFjvIQhseQrdP6w==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:vG5VbEphBB9xKxWnTfVtIQ==,iv:bFfFLXpAbyoXntdym9VifqHurEPkhI20q0O8s+9M4S0=,tag:vtc/nCLZi+qMMcuuxmIUNg==,type:str] + regex: ENC[AES256_GCM,data:gXWNMA==,iv:ptvr3WkaliWUF45veDTDuHQ/sVcZX47wTOzLNaSaTLk=,tag:g+z2H6Yc6bpWEKMDhphfuQ==,type:str] + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + - ENC[AES256_GCM,data:qNo6CW78pfomyTxGJBqyenbjJdzddGW4ySp+NyJcNhi3LzOaduMR2o4mKPyhxOLdZ9/W,iv:mlvtsNRlew3z5s1Ou0I/r5GLtKHtmCH2jqRWSekpHM4=,tag:CvW+Pvm4npo4exEULXPEcw==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + regex: 
ENC[AES256_GCM,data:0JSaJYzFEtDeTMc1Hwampez8COIc8Q==,iv:WioomXOPzwgKpe4E7X4hD17v6IKrVJgKEnwwr31fG98=,tag:VXZotDEd0f3wSfF3qPbD2w==,type:str] + replacement: ENC[AES256_GCM,data:ruuRTcc=,iv:bGNRkmzIw24YUH6ni99u4jpvM3yos1tbSJJdCWiz/kE=,tag:NaKO8dy03l2wjVzxg4qDdA==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + - action: ENC[AES256_GCM,data:u6Eabrqu/aI=,iv:uFIVfnWOjL600wx7AAKuSRUASBHYHsG9NJqKcaynbLc=,tag:B1N9Q6qfMQIuTt9ka6uGVg==,type:str] + regex: ENC[AES256_GCM,data:qwIlYDt6es3A1D2d1FPENx9b0mS0oFuTUJvrNbHWmek=,iv:CdDCbUCq3MpapvzXR3O4vr2gZrOzljY2fcWiv3bb31Q=,tag:hXfCQsRXPU4NCPZZm/5o6A==,type:str] + - source_labels: + - ENC[AES256_GCM,data:+yarztwjN/i2uC14RyCW4ERIwrA1Wq0XM2mU,iv:Ji5w08ITlWYbn+d85kkYYv5oU2Sr6rafdkX+KSfqRco=,tag:FJg0ZIpT08NPvatpEP86vA==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:0SDXBZzozDl4w4JfERkbH/f6/HE=,iv:CD9dAc5DUh93Z2+K07abClV6EqNdtz+bvdoT6E3XONQ=,tag:6mbBbEwdgWpcfvPPeHAGJg==,type:str] + - source_labels: + - ENC[AES256_GCM,data:95TMq/yzEfVgx+F8qelMug8HpyNE8k4+/mI=,iv:S1hef3OWWN4SR0oj2rXwbSc52h2w24QuN8tgeKBKMik=,tag:WgjeTuc0kub9XxdydV//XQ==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:vjmUk5/g23MjyrgZMrlNasVqnQ==,iv:ICureH+HvzlbWVD7hear4xy7JYCAp1VXaPmh3LabbXY=,tag:DNvv4qECGvvrHFFGssUMWQ==,type:str] + - job_name: ENC[AES256_GCM,data:jKjq+pvreAPTmjhgutGYWuf9kA==,iv:s0f6JIu414S0bZMVU5KmXNnXKFvKEVuSEBmxE2pBdQo=,tag:HAxUEwK/x9qGPc3kTicARg==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + ca_file: 
ENC[AES256_GCM,data:7/fYBF7Du/OnocQOWBJ41rHhLB17XWK3QW0CLwGBQr6GGRpfw+AuetRzHEJQ5qCLChJsCg==,iv:mdD465/m7b4mGv9fsCptgnng0iSTit1faICUWyTmvbc=,tag:BOzm3RYarogUC9X9zclrrw==,type:str] + bearer_token_file: ENC[AES256_GCM,data:ys5N8ych67GK9yqN8gz9sVbZtwpccnOPs8PbZMrwkFVSviuu7e10iICk1eDAUUIht68e,iv:iPrbt7JpVWjrr8iUmI2NlqXg19iMe4Xduo11S8leyFA=,tag:VrFR8Zufj0Pxt7qm6IL41Q==,type:str] + kubernetes_sd_configs: + - role: ENC[AES256_GCM,data:GgrXgA==,iv:8Ci9Kqrq6woXHfqyxu7XGv/nv1UDSmA10OKgYUs8dIY=,tag:G+9mnJM4V1QYklATmfvRWg==,type:str] + relabel_configs: + - action: ENC[AES256_GCM,data:u6Eabrqu/aI=,iv:uFIVfnWOjL600wx7AAKuSRUASBHYHsG9NJqKcaynbLc=,tag:B1N9Q6qfMQIuTt9ka6uGVg==,type:str] + regex: ENC[AES256_GCM,data:bmTMcoGqFS7dROeU7c+n01pBecSBYNq/sr0ilGVexQCa,iv:9aZ9brU7lUC5x6loJFRS3lGQQDZS2qTqp9VlvQaES/Q=,tag:LPdAEDprBxb5MSdQhGAk7A==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:4crN0yXNrRLQ4zhZJcT7DOJpW/uLl6ba5pw=,iv:nFaz6lIvrXHxgonrBsBzL6PqTigBcinJuiMtYI7MdO8=,tag:rMTqvqAzA0wqtqrlxnZ/bg==,type:str] + - source_labels: + - ENC[AES256_GCM,data:mau+29HrlrT4K2CNDb99mXWnd4iWJWuXjS7u,iv:4+n1vMwPEcXn1RlgkpzyemROHxeccOfz/4PZtRMEFv8=,tag:nXAlEXktMdLci7b49kh8/g==,type:str] + regex: ENC[AES256_GCM,data:gXWNMA==,iv:ptvr3WkaliWUF45veDTDuHQ/sVcZX47wTOzLNaSaTLk=,tag:g+z2H6Yc6bpWEKMDhphfuQ==,type:str] + target_label: ENC[AES256_GCM,data:vG5VbEphBB9xKxWnTfVtIQ==,iv:bFfFLXpAbyoXntdym9VifqHurEPkhI20q0O8s+9M4S0=,tag:vtc/nCLZi+qMMcuuxmIUNg==,type:str] + replacement: ENC[AES256_GCM,data:6o/HgKMUr7U9dqkxlXIW/xWMCxuhmlcQLMg7JYagZGSQphTOcEvG6t0=,iv:3asosDA6Ta/7TVQ0KOqn2Ul7n0sCAIJUXVpIYnCzMZU=,tag:a0RMt66ypYAaMAOsUtDq2w==,type:str] + - job_name: ENC[AES256_GCM,data:vmkb4qjQbOlaPvpyCyLx34fT7byJo4ptBE0AMw==,iv:GnbNjnCRw8QGJO4vd7ive4B4hyg25/0CONQi09QbAFs=,tag:uDm38R43Un3aDGQa+TZShw==,type:str] + kubernetes_sd_configs: + - role: 
ENC[AES256_GCM,data:vSz172LwUA65,iv:pZvMxP7uP+VWr6Imc73GjzGKLJ1KeBS5xpKE0ELfDPk=,tag:lC6VKvx8/Gc1dwNUEF9fHQ==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:PC8UtrsLATDAfEVumLLY5acZLGbrDs+kLbilSiicSuTcnOgjkOV/9H3D00vTqsy0g0X4hNhjcun4,iv:oO5lZB9s3IZSxNHaG3t4xXWNSYrEj5SjRZAbmEgll1M=,tag:Qbb8wedR+rw3TGNZFQCqoQ==,type:str] + action: ENC[AES256_GCM,data:y3hGTQ==,iv:8q5/9uCUHubajU+SY7OI0nEwwkY5+gOc/aSVQvMdyGc=,tag:Agx8/S81ZmyN0XhuZYSmLA==,type:str] + regex: ENC[AES256_GCM,data:Vb2jNg==,iv:4OCucBuFyWsEc1Cb5yej4Zn1l7M5QRSrJRskcJsQoKE=,tag:HoxCXLZNPR6LIxrABnxq9w==,type:bool] + - source_labels: + - ENC[AES256_GCM,data:fbZjPo/lBK3/14rqQ6kwvU8UYM950vwLYXLvf8eZVHvnXyurtzJgGfBMPHGbl7HKr6plE10xXDhb,iv:WfhjEu4aAsb1O4kfU6jYmZt0zwz3o+HtzzL+Z+lBGA4=,tag:s0GRu5os/qaM5KJ/OkdJQg==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:AbgkST6JoEDigQ==,iv:yAq86qHfUhIuBW794deSBoCBdYKmzgylDGXR3StSxuw=,tag:+lP443iZYK0tTac0NC8DeA==,type:str] + regex: ENC[AES256_GCM,data:3HgkjXf7wiM=,iv:mllkhX2pfh9RAHShr4me3BLGA2n8tn0AoenJJ2WW06s=,tag:w6hoB7TVogbPHfqZvZcERQ==,type:str] + - source_labels: + - ENC[AES256_GCM,data:uGsDouaDOXktckrjyoDO5c9krTzvCBtgaiRsLeK7+ITzWagMm8/rVcYOSw9ABPWA+cLl+c1KRg==,iv:34ArJcjO3oyD9VAIx7W+sihGNCBHKENRN5mRQF8YYN8=,tag:/C3xtjsGld1MEL3qGOCapQ==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:vG5VbEphBB9xKxWnTfVtIQ==,iv:bFfFLXpAbyoXntdym9VifqHurEPkhI20q0O8s+9M4S0=,tag:vtc/nCLZi+qMMcuuxmIUNg==,type:str] + regex: ENC[AES256_GCM,data:gXWNMA==,iv:ptvr3WkaliWUF45veDTDuHQ/sVcZX47wTOzLNaSaTLk=,tag:g+z2H6Yc6bpWEKMDhphfuQ==,type:str] + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + - 
ENC[AES256_GCM,data:nHaBTl/ChCZ6UeYVvhEYCeA+q/zru4hTfzk7CUAL8VQeo8vEw3mrm92mDH9ooWuElyugLfnpqw==,iv:3b44G6MRpW2Vf3fLiRa8hSaWSnMTOmBj5nxvdFsO22I=,tag:43gbxE5Iv1rsuzg5bxmqnw==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + regex: ENC[AES256_GCM,data:0JSaJYzFEtDeTMc1Hwampez8COIc8Q==,iv:WioomXOPzwgKpe4E7X4hD17v6IKrVJgKEnwwr31fG98=,tag:VXZotDEd0f3wSfF3qPbD2w==,type:str] + replacement: ENC[AES256_GCM,data:ruuRTcc=,iv:bGNRkmzIw24YUH6ni99u4jpvM3yos1tbSJJdCWiz/kE=,tag:NaKO8dy03l2wjVzxg4qDdA==,type:str] + - action: ENC[AES256_GCM,data:u6Eabrqu/aI=,iv:uFIVfnWOjL600wx7AAKuSRUASBHYHsG9NJqKcaynbLc=,tag:B1N9Q6qfMQIuTt9ka6uGVg==,type:str] + regex: ENC[AES256_GCM,data:Su+lOYuMMjOhOgCr3edJzslNXlJAnaHz2fMp7dy6NX/gm/IA,iv:H2afk6rYIB3/I/QbvGZKZIR4uMfbFBK4VFecprskKuQ=,tag:nUbbnYpayfvnbhdczhoK/g==,type:str] + - source_labels: + - ENC[AES256_GCM,data:+yarztwjN/i2uC14RyCW4ERIwrA1Wq0XM2mU,iv:Ji5w08ITlWYbn+d85kkYYv5oU2Sr6rafdkX+KSfqRco=,tag:FJg0ZIpT08NPvatpEP86vA==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:0SDXBZzozDl4w4JfERkbH/f6/HE=,iv:CD9dAc5DUh93Z2+K07abClV6EqNdtz+bvdoT6E3XONQ=,tag:6mbBbEwdgWpcfvPPeHAGJg==,type:str] + - source_labels: + - ENC[AES256_GCM,data:VfNPvwVlY1DUS24ZanGhniIS+CWfNZm2/ozbYMr0,iv:wk49Tg/hlCvL8L6BQeBfARB524ypSDsKLj148dlR00M=,tag:ohLqJGjhUVu8/utne1kY8A==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:1icwb60d7JXeIoXzFkDf,iv:3rUDyaMKJI21PbToYE0oQjgbClV7/yxoFh2Itdp8evc=,tag:5RunYusWepi1GHMzCvH4Qg==,type:str] + - job_name: 
ENC[AES256_GCM,data:Y/wBSJoP4Q==,iv:813+YrJ94bnis5aNDtVb9I6IF6MIbnyaCxDCK2h3bf8=,tag:SFQXjRrXnwTMLLEqJmWBng==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:Ju6nJnfj59QgSEas0G0kNUHe5LOV70LJIvoeLofITMSMag==,iv:Rw8x9W8d2FhzPYUSwfDrPTBkOizAqB99hxD9yhpxYW0=,tag:isaylNHtg1G1r0RiyV1jjA==,type:str] + - job_name: ENC[AES256_GCM,data:z59i/ZBOOoHNSWfR8w==,iv:NjWo6WOZc/TeX34X7fcHNjWWw03wq0kzbzjsYt7UtvQ=,tag:nVfI6qGjmkhyvWqVmZfMRw==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:Sbnifk/1sOieG8Wp/iVRA09qOS4Y5QfpfwpqYdWm,iv:UrvQzigzqkNSEn3/pcPJig57fLl2zUQgxKs5G6vrwmI=,tag:8fIFOd0tZk1bea+wWzG2LA==,type:str] + - job_name: ENC[AES256_GCM,data:1MfgqwMqI1E3PtmwSTXVCJx3zlM=,iv:6pqhWAJ5Ruaee4iYNZjWc1bcZ/rzmMKdMBv0S4seSL8=,tag:icikY+bLQRzCbEUicaDL9Q==,type:str] + metrics_path: ENC[AES256_GCM,data:0pqEfE16ySpfcaQHsbYHi9V9s/6w,iv:5/3frlvRCh+Y/NW42MkEonUbI1YRHrsEnSBE+rtjvhU=,tag:3nMjtc04VF+EnffAmfTUaw==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:eDHbAtQbQ31TFj5UIznKkmxkNYEA4w==,iv:UjKQv54ggnlXVg3Au7RN2BY4I0QJX5Ijl4QLS3LEqWE=,tag:trHEpOdIBFKpy3UslDEXLQ==,type:str] + - ENC[AES256_GCM,data:QNlfvxNdv7TJL34Wef+MIFSjLlDANQ==,iv:I2cI7JoHOT0d+vzWPPYkbpYglWXqU1GceeC3vcNqug0=,tag:mN46vzhvTPWx+BBrJbdyGw==,type:str] + - ENC[AES256_GCM,data:A8pxyM1JSvHKmVPc4SccVLGusUHSmA==,iv:QEQULJwg7HtFA+3xbY30XM0AfIzAgH18Rk2JHx+TVj4=,tag:3UmHAgguycxKuzlhLpv0bg==,type:str] + - ENC[AES256_GCM,data:a3pD7cTKMIT/pSHGjQdTGYJa4hYba9U/HfYK,iv:YaxQ8/e4FZk0gPbLR+XnxvfIw1Jz4A20PuXhBBd5Vsw=,tag:8e6y6f2/38M/RFEdmYSMzQ==,type:str] + - job_name: 
ENC[AES256_GCM,data:FrmWxtCQtHbJ3/2xXn8znq+uNdsJVj0=,iv:V0moh6Omuxin6WRP/gnpkP9JnAAP9KvnDef1QyFQRU0=,tag:bLbG186XU07JK8aImjRN6Q==,type:str] + scheme: ENC[AES256_GCM,data:hGkr6w==,iv:1fECXl9glV+3+YSMPrOnOwY9DO8S5FmWlQfVKnqSziw=,tag:QoqPabKXx4VOciVtfiZieg==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:TyUsicefu6/XcJFRv0NOrqNsKxkEyV7ErSpE,iv:B/38YGlT4cbNKYASO5MlT2k4ftWl5fgIMRVl0dhNVtk=,tag:jMd8hyHu1TQCf4k10P8sRA==,type:str] + - job_name: ENC[AES256_GCM,data:DoLOuj2he9tuj74bMv07YMGd,iv:pjcpIB7z3Vn68lCc0+lf7QpMKW4RbbVJCW03kamS5Ds=,tag:S6nzKlIpDju6ii9zehOrLQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + metrics_path: ENC[AES256_GCM,data:Uuqppevs078t8UVYPuR2Vfigqg==,iv:jbgVLpdCmw2hrEvoyky4atON9niGQobUyyTSuEl+2QQ=,tag:OcyjjUV6yf9/DYenPndPjA==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:eDHbAtQbQ31TFj5UIznKkmxkNYEA4w==,iv:UjKQv54ggnlXVg3Au7RN2BY4I0QJX5Ijl4QLS3LEqWE=,tag:trHEpOdIBFKpy3UslDEXLQ==,type:str] + - ENC[AES256_GCM,data:QNlfvxNdv7TJL34Wef+MIFSjLlDANQ==,iv:I2cI7JoHOT0d+vzWPPYkbpYglWXqU1GceeC3vcNqug0=,tag:mN46vzhvTPWx+BBrJbdyGw==,type:str] + - ENC[AES256_GCM,data:A8pxyM1JSvHKmVPc4SccVLGusUHSmA==,iv:QEQULJwg7HtFA+3xbY30XM0AfIzAgH18Rk2JHx+TVj4=,tag:3UmHAgguycxKuzlhLpv0bg==,type:str] + - job_name: ENC[AES256_GCM,data:QmesbCgZ,iv:bCR/9EOVjudNLOvnO8DotRPABGTEN68ht5ak989QGBQ=,tag:qSTa6x0S7tXVk2/M8YnmtA==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:qUzmShB4n7IgQ7nnlIo4t99phfIPB6mBkui3,iv:TPl8xHaRF5bWFXoBkyaQh3Vus0bj7Dc/Im3f04CIHDo=,tag:5PfDb6ceC5u0mGRjRkkAdA==,type:str] + - job_name: 
ENC[AES256_GCM,data:Elj5,iv:1xpa1MtaZ30akeyhMmhGc0e+ygWZhKYFBEE3+0pMBrI=,tag:KE0pgn4n0RxCMbo7O9DtLw==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:HHKE5Zu/9oUshpfzCEV0p2oxBzfikvHF1IPhkn9sog==,iv:Zj+78ktgUU7F4I8VTETj/BZo/nb5YdaZ7UhWGAGkQ5A=,tag:B3wVPyi9+X+fqmk5XLondA==,type:str] + - job_name: ENC[AES256_GCM,data:8B2a,iv:Rj2ONDAverlWxbPGPp7CE4+I+NGNR4q9YEjABzc6eKY=,tag:c2SstqCyH3DMyFWIa+CsUQ==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:Bl87YfsQ0wXqTuE5Xd6Pzz0vzWGyGJ1TENk9gRDv+g==,iv:RBq+hDPccXDNoRtCaOEyGG/1eOoT7dlBD7DJU7taUM0=,tag:wXZuuMHh95JZXDFUjOyr/A==,type:str] + - job_name: ENC[AES256_GCM,data:LlGNmw==,iv:nXbWiWku10X5ipyINYMEKf/AR4yPlkuDo+xCBD8uuM4=,tag:3Nv0rCVdeJ2Cj/a/H6S6hg==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:jhN4pWlwI6f6QdvLeU7CbzBxLB12jp2qmGR8n0dXZ/Q=,iv:6xqgxmsaFiT7vK/NBSXSdqacPyz2ts3VZpkWeeKD2iw=,tag:DZfS/Gw7YKU724VtOsqREg==,type:str] + - job_name: ENC[AES256_GCM,data:TADSmtfiPg==,iv:72m0nEW1Z9Z+3CWj8dKnHc/ePxOLoTZMyLun2bH8jT4=,tag:WfIHH6amYLOqxmF6pmBPMw==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:In+9V5tZgG/nPHtrrrEE9vUYGlsQZ3e5mw5c+akQs/2Kp1c=,iv:BVjYB+ORDiB6X+eRA1QqJbe7ZymUFs2D3xbddtbEsfA=,tag:egQuThSUuVXpi0pdk5UhAQ==,type:str] + - job_name: ENC[AES256_GCM,data:3vcrEIl5ZA==,iv:tGGrpMTlL/cclhjW5SMpmsUHkO44eiFTiDyzHlqmUxE=,tag:x8Dw1Cp1+x1Nuk0AZghywA==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:PW5z0BHVQZ6JWZytlepU0sYTQLk1anEYRCsdP8tjSMLVmkQ=,iv:wk6ExDV4kAdA+RBRAE2uIetSBm5nt7t8DrG7IlSCk0Y=,tag:99koWPtrr4HRguVwueGSdg==,type:str] + - job_name: ENC[AES256_GCM,data:1vKkyRRGokVGghPPojQ=,iv:GlrIYGDAZRzBbJ7uh5FmvpK03DbehtlueEwv/yw0Hxg=,tag:Th0xeZ3CsmOAJ0k0DxQirA==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:rm/i2ys8uj3g67dBia2xvxlaACA0ja1S0+oEKNI+El3D6gd9XqVPUg==,iv:PoBE7w2I8maWxR6+gL9byerDgkEta2fQNL1Tvp1NYq0=,tag:zlu2b1s/eJcg+Tb7TQ6sOA==,type:str] + - 
ENC[AES256_GCM,data:y5EdeC0sN+has1nKILOI/OCl/Y/wT8DpW32UcCciJDhXH/Iv5OuBht6g,iv:wtG0jby3+w2vy3Gx0XbyECDos1Uuv/5ztKEgbxPFSLQ=,tag:QmzhV5MWdnnwl5iwGWAFzQ==,type:str] + - job_name: ENC[AES256_GCM,data:qfH6,iv:yk4sDww6/dl+29YJYRFcBpYiIwW3W1UePereXmzdiQ0=,tag:1tipWbeMPah8Dv04DgQqFA==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:jhuSSmKOQ3Nh5AORn0SwCO19YAZtvYw/Wx/sG4iZBw==,iv:p8jy5ueLajMSut2uQc/hDE0yqID/CoAUliua7i8Xj9U=,tag:9OAbmo4NSvnS6itqB+231Q==,type:str] + - job_name: ENC[AES256_GCM,data:k9/EAw==,iv:ge59fUTEhLbtbROvTgFWysvwIUSiZJI0NWUbAQWxwho=,tag:/aTZhRXfDNDMtCxnBfvyAw==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:6P/98rlps929VGQK4v2RY3XFpw5HxZk0k/o/+8odTq8=,iv:dq/qhXVtN/sQEHEbnrpkLikWmvcgVKZRAwu4APvAEvo=,tag:IO4tScf6mcSiNaEEVj4CyQ==,type:str] + - job_name: ENC[AES256_GCM,data:sA97Y3kaBg==,iv:YVTswLDA1pCsdOpZI9C/84RpDaCxTzwt4fwmVlNAdYw=,tag:JeS035lr3TVGUS+pDF182A==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:4zUBmfoRyq9klmwUkGzEv7HeC1e2jX1Vkg5S8nxTXSDSW4A=,iv:d6UbWrwY5n/qtM4mV4YPA8RiTywAas3MXIpEcz2dazM=,tag:Oj6oE5IjqPToR7UGT69P8w==,type:str] + - job_name: ENC[AES256_GCM,data:ovZ6BjvmtA==,iv:uh+Y1AwrGRQs0DF6heRmYXjrqo2ckxXFsgTYhumRm2w=,tag:kFxZ7rj8AwlRQm5wxeFAcg==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: 
ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:JwQvNOCyQsgpPUAseJ+FWTtic/kyttY7KkXpU4FoM4Q=,iv:5VyLB3W7OS0E5QPpMIBrI2zsVM6h1kCS1F++i2mdnSY=,tag:+lAkUcf2lf4drtqYCxDp2g==,type:str] + - job_name: ENC[AES256_GCM,data:5+HHUQ==,iv:6czc3svxwgsIHKC/HE3LLJ21gxuP1RJoInFPoYtksac=,tag:o51aA7NbOOSqAZIOWoDijA==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:l9FEd8zaUJhOJutIap0oRCaohebJHv4T2ijBpTdAc2U=,iv:JSBkcM0iWirgUM6iFFF7OUb1dw1FraVBF4HPrHtnhAY=,tag:Bv16HFU5t9XIFSeRyBRBKQ==,type:str] + - job_name: ENC[AES256_GCM,data:ppmyiimL4A==,iv:iYkIg55xAW9kcEIXY95GaZL3f7gMcv/6RRmO3BKgVOY=,tag:l/CQxh1tCNBZ4I82Qn6uQQ==,type:str] + metrics_path: ENC[AES256_GCM,data:bl6NieOKEyvBsee4NNj7,iv:yZOtsvinl3wCEubUYJmDml1/HHcm/A7YhxNKRwxJUWE=,tag:Qc9MBy5Hi2DqNEAWyaa+4g==,type:str] + authorization: + credentials: ENC[AES256_GCM,data:qYtKrcACN35hn0t0Ra/LJXKx4IZDhZPJ6/kt0BPx0sBHFgki3YBNw2xrxHb1C9xn7vzhCOPiNKQa6aa+lIoDo8em2ztAe8TIUhtYbLnZCB7GgBFumt4vXclK6FZC4m4VgfwgFoMPerFA6s92NYQukNrdeTsKamTc0BXcKdVrLXapsJSRP/LOfwUP51CLN8tA96D3fBQFfFnVkIjDrQVnk52FRt1l1PEVS0kz7giZfSgqNEEDx2RT,iv:JpP7IUNo9JkFHSZAdNool7jEkFpCIWx1GsaNlsoLo1A=,tag:0uRJMw3TPR/UPQnJtn4C0w==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + static_configs: + - targets: + - 
ENC[AES256_GCM,data:Ys3mPz3f07th+FWql7z7QvmygPs=,iv:9RubolFo1aOUc9L5uPmH8UKNEgmziufHXdedI+mkATo=,tag:xvARkOx6n/9t0BU4GEA2TA==,type:str] + - job_name: ENC[AES256_GCM,data:sOe1OLYFp2yV,iv:4qJfHfSTecpPyjOBhRGGcpRR/tPSH/s+S4pYAcvLLwU=,tag:4/yq65gR0EX8s5AhrVztVQ==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:XEnhDOg7eXtd0mmOgKNkC20hIegv3efaGeqcg96AsaOgYruL5g==,iv:3mQBeip+SqsMD2NJSt1OcsFUb6yVpEOs/qsoO48Nvvc=,tag:WyYOipY/F35wEuyTr7v/mQ==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + - job_name: ENC[AES256_GCM,data:0nS7BtvD,iv:vHrfOS4HSQ2VmDsy5AUye8K0TwyLpMlxurS37+stUj0=,tag:ZCctve2LtIOQXzagZjJbKQ==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:2nJdpDi2V2NhnVHxEUL/1LltdemkNl+ROKaQnQMTEUOFFw==,iv:jOVute2avgnQcOpTd8ZmevDfwuPqMnO8e3ukgl6+fdg=,tag:L5JH3sIpAA5u9my0GkmIKA==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + - job_name: ENC[AES256_GCM,data:9Tn78qkG0Es9,iv:fS+Eed+RPjy5ZoQrvNJp6EaHo9ZEoMPn5rcMdic11CM=,tag:22C7GuzXOc0vYMRi5fcm9g==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:u6qTxLz4VuKtBN+1u57aWiQ3hthS1XwtyKXQKB/ivyXHtckArViDgJG8yjo=,iv:rtXqqSU056tEiTLPZtoToKNec2jXGQgX2h8bp30x92U=,tag:s4SBrViNbbdPugdr2HxqCg==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + - job_name: 
ENC[AES256_GCM,data:1BGRGvR46/IAmb0iBg==,iv:350g2DOtBgegPUCbJuKXhDiMzNYMtJ6/FcVfGKKydYk=,tag:mwVXQj7n4X65iVw+6NFhLA==,type:str] + metrics_path: ENC[AES256_GCM,data:QHGtOudDIjMcyrkGGJ9A,iv:balEaS7vRmVj2sa78KAtWDMHeeW10/59TsnCp8khwLs=,tag:RSPPzRUNRb43ewJv9v6ubg==,type:str] + params: + format: + - ENC[AES256_GCM,data:QdqCseN6OczAIA==,iv:IzbScNcUy6zcmOZ5eUv/ozQYH4Y9JoszziZmotKA2to=,tag:hmhoLGaZKoCyjRxPIvdAJg==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + authorization: + credentials_file: ENC[AES256_GCM,data:wkHZyo/xX+L4L+b6XB0LhENjHL5bsVXaHzjjUH0lG7my,iv:7O0/P2aYw8kTJ1PNCqg1CWY86qDZPwijbQveDgFMhFY=,tag:U1k0QksSysVlhCS9WtboOw==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:XgGpdE7MhBSoU6dVFLNFO5rvaBsT5cvafx4=,iv:cAYE3x/+/9L4RplnYEzy8YzfiYxTTpGN3rx5Csp0/GY=,tag:c38izjxpbZ/AKfY9NABCVg==,type:str] + - job_name: ENC[AES256_GCM,data:b32YNxZNXFzD,iv:8BRVprRBh5tkpzt/82ZfthuI0sYsHem8+HD+/jcUfFw=,tag:po96F16o2U56MXmJ8kCLGQ==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:pbTPzizuvII+Q0FrKLp/7f/CzbmqlOMMOWrRgzw9wpEg,iv:LeTanTIYr2Vc8sRjndBL4U6YVsCivoRL48orjrprOyY=,tag:RZW1sPJX3ofmLsvlpOuJHQ==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + - job_name: ENC[AES256_GCM,data:5eB1og==,iv:1LYPVh0SPbNPIySVw/w6fp3R9JWwwjjmBa5lFJuDcaY=,tag:TL2bza0q/l76DEpe5c6yhw==,type:str] + scheme: 
ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:IwlEyDZqufQoz9bfwf/dj8JoywCo8V9lg3YLQwSdEFg=,iv:UKcXnNghPdjGlU9HzpDyVY58vataPihNAD3lQAJhjco=,tag:3IPhyXPJE/lu2m4VmuPT8g==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + - job_name: ENC[AES256_GCM,data:L5Ry,iv:0EBJvrfOFQcnkypRLRHk3+kcqxS4N/JbkucgGJ4fT0c=,tag:W0tCtEHbFSDUUVAXzOVm4g==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:BENx7OJ9hmqZPGl0b7jciAc8x6nS+BiLj21+v6CxWg==,iv:8mONcZI/xKZAy0egbAnd8DqxtjOYoiAx1uVT1EQR2SQ=,tag:xsFJR5jf8tbJgZwSfPx4gg==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + - job_name: ENC[AES256_GCM,data:q3QYeZq3RBk=,iv:Xd5rJZvsdU4jSM1bI3D8YYQzVl92oYhvAiPOMqiAKFE=,tag:WS3a+GSzvWdZAe3djQaudw==,type:str] + metrics_path: ENC[AES256_GCM,data:8aAhCNyNrQzDBHRO5ucDNvA=,iv:QudvMW3B8IIabSYPf6TBr58zdVjq7ev1oSeTlRaBea4=,tag:3NSdo3ggqdy+SI2ZX4uxvg==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] 
+ static_configs: + - targets: + - ENC[AES256_GCM,data:eDHbAtQbQ31TFj5UIznKkmxkNYEA4w==,iv:UjKQv54ggnlXVg3Au7RN2BY4I0QJX5Ijl4QLS3LEqWE=,tag:trHEpOdIBFKpy3UslDEXLQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + - job_name: ENC[AES256_GCM,data:H+zSgeZ05zK3uCp2uFcTN/4=,iv:/YFrq8t367bLrNKOplHzqjuJE3iePYoNSsAUNNsXWII=,tag:8K1R6NJvDD5/qNWOmtqRuw==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:kyg9gA==,iv:nJtIlTAFr9KSTu7urY4xrTqKW0h8C6bAhppR3FOkDvY=,tag:ututR3M9Jf/lCBTslDbYew==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:Yfg8NOYOIgL5pQ88jg==,iv:XFa/+nIG+eXpKQknZK2iwj57hadSoyB3xbXtxjHun/Y=,tag:C1T6PmkBRr42PHAs1iwD/w==,type:str] + - 
ENC[AES256_GCM,data:uAu8TjBcWoaHlvc8dg==,iv:3wBLBXn4reGTGpj6WCorGu3XT4o6zyyBWGgxmnCA4mY=,tag:QwVv2plUGXC3Sa3FpsvDBQ==,type:str] + - ENC[AES256_GCM,data:bFhcJ0X6Cfcf+p1bZg==,iv:2iGi09kyKqGPL6EC1VJvBb/yFTjz4xj4Tip3GC+OEa0=,tag:oKdNd0GWEGzUpRxxbyFa/w==,type:str] + - ENC[AES256_GCM,data:N8QIDJAQ/e5YGEdZ3w==,iv:6QXI3RR0CiqZIpt2Cjf8IljCqJQyNBiBao/ISz1mqsI=,tag:eI08r26dioh52YDEhO1Dmg==,type:str] + - ENC[AES256_GCM,data:U4Hoj/mpw2AnYjJvnw==,iv:9feYvYLRzrC5QaYMydFnRAL4fIDHDsFXFqOfnPrJSvI=,tag:rupUfZV/Iu/+BqKe0ybNfQ==,type:str] + - job_name: ENC[AES256_GCM,data:0rz6ngVaYt+Yox79nIEWNVvjcJsu7g==,iv:7wflYizTtL73Xm15WSd27o0GeP33yiJlhZuoNvndfOY=,tag:qdsFmvMhJ1lx+jN406emBQ==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:kyg9gA==,iv:nJtIlTAFr9KSTu7urY4xrTqKW0h8C6bAhppR3FOkDvY=,tag:ututR3M9Jf/lCBTslDbYew==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:7u+3/7IJYw==,iv:goZmfOQqSC0VLMgDNz/zbvgighCqjtqMHq3se0FRpDw=,tag:A5MPGEQiriovAxnRP0omAA==,type:str] + - 
ENC[AES256_GCM,data:cEW+FOOmKQ==,iv:8uftFysowgw538eWERoURMmOXB3ZvB47I9XjkCd2HM0=,tag:85y6gsyn1B2YUW036MbH3g==,type:str] + - ENC[AES256_GCM,data:aKHV2pNVEw==,iv:tpwBwJkzbKGfwnx3TL3lXTdM4wcjsAtOKSYnhXk2hzA=,tag:VmrjaR1jCn/A0+DqDp/kDg==,type:str] + - ENC[AES256_GCM,data:RolFJAz7gA==,iv:heFu2AYTfcHoB/VntY/+n2bsd9T1YePDov0xIIJ2mAk=,tag:OIYj4tSDBrV7kMXqPMVBjQ==,type:str] + - job_name: ENC[AES256_GCM,data:yLbGQ+eitUauKcBr4w==,iv:/4WlIvg8+EKU/HBi2orjBUxtil+tFd7rR7ItjtjZi/Y=,tag:cooFL4LYE8qKowbm9MOoMA==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:kyg9gA==,iv:nJtIlTAFr9KSTu7urY4xrTqKW0h8C6bAhppR3FOkDvY=,tag:ututR3M9Jf/lCBTslDbYew==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:mTquiceTJYdq/OBJWNCbgnR69t5lTpF1lBpkNHulwBjpqe2eeZ7i/hg=,iv:KdHt4J+/2NL/Q+tBE2CgCB4vwC7nb5bxiBgKyvfITLw=,tag:2hJL5cL6CLkrfVICxfl4qA==,type:str] + - job_name: 
ENC[AES256_GCM,data:rlikZC6BtPSfKMjT,iv:PCBHb0w12sF3YztZXVw3kknzA83f8mNwI/eOB2MD3jw=,tag:1bJ6Sqhp2gVfIxJX9qs68Q==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:E3LaJQ2UOB5ysTJ5ALiNIG53NQ==,iv:yI13Kj3yqtV/r+A5N56u2LcZGPlGRZdHWRAig/oJDO4=,tag:aXJt5ThQUPSRpxnTlMKHmQ==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:LKDKgB9NgneKVdU=,iv:8tu505WmtAkt6yKVcfP7cvh27k0Jcm4RyGgtB4f65Bs=,tag:m9ZIrL/Mq3Eaa69VN1pVhQ==,type:str] + - ENC[AES256_GCM,data:JuRJ6VuZWkzP051v,iv:iEWQys/sbQ7GlbHF1aKiEhlgtNtjCqOcgRdHAX86kVk=,tag:4ZNWTEcZIU9VeJrvyeyXzQ==,type:str] + - ENC[AES256_GCM,data:FKOTCSdsNaWoOCLM,iv:axb0bkR/NBisJlhOHooWrHcfdgVy1YIPfH02auz3Cjw=,tag:F0YfEMPaBO/dEIILo+LCag==,type:str] + - ENC[AES256_GCM,data:Yfg8NOYOIgL5pQ88jg==,iv:XFa/+nIG+eXpKQknZK2iwj57hadSoyB3xbXtxjHun/Y=,tag:C1T6PmkBRr42PHAs1iwD/w==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + - job_name: ENC[AES256_GCM,data:LYsuU7ZjxVgtzXVznQ==,iv:etvhvy1uRf5bsCfiMLmnkVUVnrOtyPDKbAoApDeIXo8=,tag:gwpjgDYyfZrvRgyPIOPLFg==,type:str] + 
metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:KZhAkA==,iv:ZIbv01rRQrhzMPtImMn+j8hhD0RQW9SpeaZsnMJD7GU=,tag:0GzefOG82/DtV/K7CbnevA==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:mRMOxO9wXDJQ3+7AAHQFdt7UJILyIs1rBp+2dO/bJR5tSeyMRfxC5wQ=,iv:M/4pQ1JU4W0I6P8u6Pi9HObGArglu2cdZj3UgV6rX00=,tag:ri2zWvH2zBJK/upczigWgw==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + - job_name: ENC[AES256_GCM,data:RhUECR0+6QtlPyywZYw=,iv:GG/KIt4NIRZ7KPAqzZOlzDzAxPCF1Rp1n3hX2+LbgBA=,tag:h1vFvIGbu4RSsISeAJBg+g==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:KZhAkA==,iv:ZIbv01rRQrhzMPtImMn+j8hhD0RQW9SpeaZsnMJD7GU=,tag:0GzefOG82/DtV/K7CbnevA==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: 
ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:LGeaIRTCCpVz1yOeyR107KD1IBpnMJ8I4swTe5kK2VLty/JkJE8m+rl9,iv:w43VYGN3l/vlOC+0XmpvUUtvBL9kctwqmb2k3wvFj3M=,tag:Vjv38Y6Xr6LvrmCNYuIRwA==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + replacement: ENC[AES256_GCM,data:vpHUJfGucZfQggI=,iv:o46duT7mJ/7ffY7xLpkpxqrrSg2PVkykYdLRpI5FJEM=,tag:6fgE3dCQsA3eMSWnvpc+RA==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + - job_name: ENC[AES256_GCM,data:hqDAAz0t5AIMPsARxmQM7w==,iv:3WhX+UBzLTPbjowqYqB1DSHojmIabhnuqasVBqyBSn0=,tag:sO68bxt7cMHPufxsf5+WCA==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:sIkfGDzQcmw=,iv:A+y2MgfebWJLwN+OHZ1BXbAsFn4DS8Vu4bamc3armOI=,tag:jLrLAPWldFcLBsf5ctVSfQ==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:P8GNZ9G3SRr0O0OuHQf/rj+g9+DBPzyxUAHLfUP2aeZJGTq99WywnlKLpQM=,iv:P1XC0SgZAb4xPJL8bxIs71qbYdor7qEY67VqWqhcGBc=,tag:8JWUlMRVikNJwJlziqELZA==,type:str] + relabel_configs: + - 
source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + - job_name: ENC[AES256_GCM,data:tX6i3oD5gGAygYtXm+Rani0=,iv:ujsZgo97eWfpxn0pi6UiAlZHnVxOFXQiE2mh8ROLXSE=,tag:c/7aKQRt2Ad/xhARulAMgQ==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:sIkfGDzQcmw=,iv:A+y2MgfebWJLwN+OHZ1BXbAsFn4DS8Vu4bamc3armOI=,tag:jLrLAPWldFcLBsf5ctVSfQ==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:f7rC5qhC55ixvcNNHyWTKpMKqaL2CRhZjIAKUY08zD5jklg0z6zB/2QuKWCk,iv:909sAvFhQ8X13Ss+S47UR/GBEChP50UznL7RTfn9rUc=,tag:jGE/+KWH+/sKN38e+/t2Ig==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + replacement: ENC[AES256_GCM,data:vpHUJfGucZfQggI=,iv:o46duT7mJ/7ffY7xLpkpxqrrSg2PVkykYdLRpI5FJEM=,tag:6fgE3dCQsA3eMSWnvpc+RA==,type:str] + - source_labels: + - 
ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + - job_name: ENC[AES256_GCM,data:zSUKZnvBUcsFRGlw,iv:U7Tx0M5LO3yRkfOpB8+F3yo6JUN8C62nEQkc3m1pKfY=,tag:CtjJHqucszTJlTwb5SZGZw==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:GVptjZJjmumYlrmhiICnjmlj1Zj/ci7LcF/XI/wg6WwmZkUOS4QK6A==,iv:n+uVlW+nfaD0jVG/fl/6aep8XQVVa7VIRSgBJPCE8cY=,tag:77Z/DbpntVysUxqf1fQo2Q==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:/eIs0+c1ZDS+b9Y=,iv:9/mthGPz9MF/EKD4ztsZQP9j1s8VC3PFjPhhq1zdflY=,tag:O96rt7j4fI/9XtGNP2db0A==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - replacement: 
ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + - job_name: ENC[AES256_GCM,data:YnDm0NrIDyH95iAVLeRW6VM=,iv:R51cIb/UE6OR8cQzIlQU1cZv7V+Zer5+koaQxTOH64U=,tag:OiCr5A9EId9fJLUCZsUAgg==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:KSS8vvXJyxuKQphXE/hsYVF0JkNDiwxECKUXSSD2L3mT2+y16H7Jn8ZFvtox,iv:5GwtQlkZLpIaqWV83mmKPe7lQ7bPY0H2i84EcuvppEU=,tag:DYT0WRp2x/H076ehRH4G6Q==,type:str] + - ENC[AES256_GCM,data:2yGrx/lUGL0jAh+b7PQuJ59QLX0LXwXGs9PDOvG6ulOuP5akUIkfoxba,iv:29bwuoGAYYaxm0zgUhywxA/r5di+lI70DW+MShnUmeM=,tag:2N0avPX6nYeTIxJW3FfEKw==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:jOSJtuip9Hk=,iv:rIDgsRjF1tlBtLmbimb5VukQ1zy4ubJRQlYEmnuC6eI=,tag:pVmE9FbpsV4s7QjXZFDHTw==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + target_label: 
ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-02-19T07:12:12Z" + enc: vault:v1:BdfAPwNF8ik9QIQtT0bemyJTqKcbZ55CdZ43FClWPGHkRxnsFSS8saXzzVf2vedpCbA3KqNGgyd0zTfn + age: + - recipient: age1g67vnulzds6lsw4sqvvavxjn0kz0h6u2lnt5znu3yne0xhe6sgss0an4zu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1OTJEMkhnYk5Za1g5Sk80 + QS9XYlZoeG5iTWkzeUkxZTNyZlhjN2wrWFJZCjFUZUM1d1RSSGw2RFhhT0JCa2pO + UnJxZXNCL3JIc3ZyQVRjZTA1aEV5blUKLS0tIEhET2JtaTNrWEtESWNaMmo4NkNL + SmxJSWZaanRRMmp2M1NqVUpTcGswMVEK5JcwGLxoSf+1RE6ioI4edt/zF9tM7sdd + /7ILRTWM/9dkngS7v/zkdqJS/e8GBKdP7ocWfwuiRZcyuNB2KmHadQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-10T18:05:57Z" + mac: ENC[AES256_GCM,data:ROfZXCVxP+KzJe+NRmF9xDxUqtY/m2gpkQLiH87u7UvVoz8qrg1FbpUaZfz2R8L6swTJ1rdpQ4/3m8qWbXaJE9heZyK7EqcJD0M6hLI8jP4d6FGsXzU1VRQtNmLBM2S8K3LmsmuDVhLsCM8Dw7MpzQ4EE5aBcHfmFr0M6X3HGu8=,iv:dyIOGuBZNbOakDhkCdP95fP+iyqJfr8mWBXjE7cE7Lk=,tag:NqkKLmHWjs8FMTeARl0/Og==,type:str] + pgp: + - created_at: "2024-02-19T07:12:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + hQIMA+/EGAve9YBkAQ//Z1StUXPL0peypoo798FttVsle03JqGFm0GLq4cAK+fnY + ysCvh24MoDKGkqmyXZek8ncB/Bk9WOMMmsy9EiLjJhWLZoynq2gc07CfEaKpffos + DzkonKz0mLmVlnOHcbmKrFlg4g5ZVxtkokGLjRJY/gmcQmjyhJxvpwPxSOAk1ZU2 + IPnWM0RVSSWdYgRIN9wwvgeynld0F0JGdbhv0iBaGjSPXj5XG8YhF5BennJc4AHP + oAg3bf5qfi/v0pQF/A6R7yJ87v9tTkJsEytAZKRAt7gSJndh2paaxjMNsfA3KOYe + gxZ8NTMA2mTB9kCeX+XMDSOD4ppIObsVexvjQzzx7ui6P/KhSdB6/GE080Iyhx6m + TeYuTiJVI6qn1efxZJuPn7plOJMhzFopVFWG4b70y4Vu6ibtPBeqCxR5aCbcZKtJ + OU5dGmDSS+dw3HVwIXoDplF4JK8DR0Yt6xE9x0fpJNuxCk+if8SVqKDGjWncj0kt + USZwc/jVqjJLR3uC8tVlmF6FdFUxy7KIM+QdTw2DTeSHmgOxtHLf5HuRN/MofrTy + BIcIL01J6B/T4uOb+Td+ULRRtyDQOaZdf4/dk6GijNgcMAZDPNsQxBXpdmGPvIpZ + 
So3QEJE9k6r1uM+en1SuXGGFgTMvbgb0K+LA2mxD7iOUzYSbJElZeby0aaE5u1zS + UQEWKGAHflh3zu36DYYx9AISjBW2yTgwgUwzccJxKX9ajqJRMuFjhOcOddfIX3mZ + I9NTf2I3qmLgqb2YclerdKIclbJCDIJcDUzIcmsTubb9lw== + =j1Ij + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + unencrypted_suffix: _unencrypted + version: 3.8.1
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/prometheus/sops-secret-monitoring-prometheus-config.yaml b/clusters/svc.dd.soeren.cloud/monitoring/prometheus/sops-secret-monitoring-prometheus-config.yaml
new file mode 100644
index 0000000..55019da
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/prometheus/sops-secret-monitoring-prometheus-config.yaml
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + prometheus.yaml: ENC[AES256_GCM,data:dzW8eLEzYlSgX2YjMxJJprWfYTAJ/QsEDbNGjGYeh7dm45JOnY6xO5p0zNpkFT5Gei/WYdpdnlAa2rLLyUZBYrmFc+gLlyXlBK0hQN/BseZBQ45ytLbmhD3KX7jTXECDiDkkbp75pBqosalqR3Bqg3f6SlnsPgHKhg3LH9inlIKHbzgZ7LeY33Cry7HiDMV4aBoMrlj0pDH1MMLuhJFT+9BkWmRbQCfluWA0nOYGvtUWm/Y0pS20Ng69U7nCk1uUvC2tPKkRJ75hrvKFIrYqyhEUnnfs9fkV7KVOCt38YoOvlFKe2Oi49yDewYPeS4mkztD23ZSy/lKFaEnueFcvv6GcuLMfum8z1AhOuUm+7NWCJ85Ncu62YwofmSOOzRek3y8WzG6Tbyz/XJ4is2xS4Dw1XKOI9Ej4yZCYriTwobd0K0HsKBG4gf1QmtW0x2mBmrskDxQAVmPwr98a+kNsoDE+670unPaujZF0AJGKEkieWOj9KIsQh1tpMlnvEvbmkNU0GjXHFtMbSaF/IdObse+xYv7AUG2Znur0Z+RNx4eM/0mDs52HFQQlvTP0oaXjTf6kwgHo95dxAefVVLD2nFSubXSpDIeo4Ps4cax64LI/mlVewtHSBNfPMbp4wppEtDrOeyRFraVhnk50wfM8ey2Nuj218zjAHoojDai2kY9RH2lCImHtVC6z4H0pcTi7jHmErOM7nqEAVzlInSFdEbhZxnON03fw5G0o8E6ylg+4HcfLxqzl5ENxG9wVi37cn4KfTJpixozGZkjSNbTFAyC3LwebBaKCqVMdvX3D/I5/b5pug2nQMq3v/x/5/54+Tp5kZqZ1Br8/kxJyPuL7V2Ze3Qi1B1b0eR3bEQUgS2tfZ5NTtpokyRAMYeRTJGfI76PAh41oHT542AilAcCJhKGSVakW1Br6qYFagtvm8gxFVOyh701X5FSgqH9CJO2QDwfmblp1Bo4+FeCbenzmybGi63ru6AKc/XFThvlRCnNaqZrpygcN4V5EkGD1kXbnzxUW6y40C85OHuMNLZJJCYVjeBCXPX4IuTc/n3BGl3KRkXl/LITcTyu7KLWi+1Yt/NJQfoOo/Dl59EL508qsqJXhrOzAIzgXTN+xtFIKF6QEHfIaO5SzBRWWgorqsOAM8+q0PBL1PhyLOTbOjzMr6mGiocWh5wzLVk4ogOBSLr+SpftH1XwvsSa3RHRL5/oak7I2u/SDBKB2dnanCTPXxJaUzCYXF70/D36DfzfTJOU5+65HhNAyUEKcrUboI8O9FZH+ocSgL3aKHeNVao2zrhhe6/qShyiWZqh6AMOhFYuU4/2mkpCloHsY+85xYEsJ9YtByXmuz5JVRCdz8/Z7g8jGCVDFrz+SVFtmUf362pb0Ony9qXtuNHrlE6mf0jzNEpFaatRyR53sn+OsyG9jFHcGYldzRsaEhByWkPhu7VyrrjOyvhYLoR6+nxwKUWetJTlyjvDUhLudEj3Cly/MvIdRvabLD2auDvt5SLAWk+1D26LZmEQePARQtjrjGjGKPDYMs//f+O7nyeBtH8oUmNhJKguBWPNkA28p02Nw1NRj1kMZTv8Q8uP8/ayKQq4bnN+7DRrWOIEOiRufKTnDawdfBxAvUU8fiws91+IkEDkRrN7Rt5wsrd4Qfla7XPe9HhlKi4hYBvt8bFQyEdqdkgygIP3sDA6uKWUzst4FyRld7wpI8/6nnSYa+8IK8xioPD+UOB95isgrlAzftTeNLBnHuN8Zlrsavv3TO0n6Y8pm+/KtRCagmj3G0+cwi6tCWYUjw5rHI4sOyLTPFwK87AAsjU7peQBMVs3pnwiYnv8Jr9RxJW3A/Tjk6E9lSOQ8MdnMADFZilN1iE+kI7KEEVjhOI3jqwHgokAZ4VgVu8H7bsciz1D8O7SOERurZH81L
wyFj+sUaCnhLaxzqMd2XW43ukURTAKjEs+HHLtU1LTQqdmzXq5BE1mbPJZjEhb4MAd9bF9xAMhcpGkCyGD2gaeqGcsjuJHRLVe6BNsLTXObcYVcJ7i8xfkWa3qJ+3DSK6DsVPCslJCmiYb/3tkaBc2Rdqr5o9aTGR+YlL6gLcKgumytCSw98IUYMtqNi2r8J0NuiJUD/h4G6yA7inMHIPCO9VhstL0RkXnM3r5+3AL1MyQYEOq8Spg+tND/oATj9vGQYPrSjREHeDOykLVFr8ijFRr0pcX0egUNyj1UMs7zzCMNh0kzbCAvdYwdCRy7qAvO9C6P1NC162xQoq6XdmnmuIvTBf8vDP8gTDcZomp0WJEl53wW/UsptpV5DqbXEELasm4SzeoJGJdlTGzvhxin1kajV3wXMRsC+Z0tal4P926y6k9B+SPFepJULBPUGQlJJqfECP/RyukSxyITQkfl8n8PmnTkqnRWnioi3nz6+MAOEvlmzVuONZqUVwcQ5nCxivdtj5i3T/lo71q8DJoEESFBTo6CyUIoLABYeTlLTvwN1ysZ/sLCBz6/otVjwn9pavrMWeSNwdXyExHxe+isbIU2pzzbDiWZ90uVIu12+hfYN15ScSL9+R/fNkMcjmQC8SxxmhqMCZ3/GJgnmltnYxlPdOoO/BuhmbLvxPTkT0pEPAT4cwue+X2ZK2P35W8DOzZvB2PH7pRrLzvmHEITy4Zi5q4c6fWP1XfNet2VvoQZ6oRaILHo2y5h4ET+j36DCbXM4vBjIDCZ3fntksZPFfRcMfCO3mk7hSydAuTFioB549S5qilaxnHYJcn38d9FLyTSIrrgWqwKTplW+TuQ/3hnKjtwVMa6HOZkR+0v4Dr0zWU9FsRw2Cwqai62jlDLnt0RpW8RCHcJpc0btldTbJzKtOp2V5BFQAgDxTnlqnaWJfJxWmQ4OGhwRWv+Rle/QYbPCKcWjJZ29ZbzuQihuHu3X5HYJstKBA6o8UAl65zhDK+FtHhrbejrVzQpQLXlTrbRQEQp71CJ7o5ZjdJ+OqssZs3JcYQdvhj84+Q06jgEkkRUo4t/q8Bbvbi6uWtl9x+eNkdCLCK+aV+2PDCl+viMwa6n+GEmn2wcxJEJwM3aAZjZ+sIqL8qoxO03cgk98YsBoTewW336EbcMhRELYV3JOdiyK52iEPBkk7d6TuSYZusAMMr8ylG9J6hSRhepTpPEsFJhZq7NoY61XuVDAqiZ3294Moj5YA3bglAFTBM7UCFTuXi2VvxsTnAt9p6tnslFsNcy+Fy9JL8iw41JXm2BoQ/Yf/4nyTAFxoZImzMi7RaTmLc2QxFX1pPrJM+FK3QQ17d35GR0YTqBQ5sxqKaPgB/MS4pd1vy9heKrH2jFQX54xU+16njp+vdg8EBB5jQotk7vUH70dUEGNLbgdCtMXfXtv+Hq5rZC5EuQ6uYIvAmNzFXCj5w9yaDOzCTo82aJq4hMAq/b5a9OEDeBzNkaH5WwArvpG3WxDX1kl/IiclMgfTrJNgPiJAdVlpIXGW3UzQonAr4jJYp4GEsun53JiQ8zNthz3NgMC43ATuwsCkyBMSYFcNIVHg+BFObmPF8hseO5jJ8nbxM8aD1zZ408j71IVs1V3sbGnZcrAcKyg1+IQTT4sS4ElamEH029HUDqxg57gzMKc+KzcRq8vQWIZ/QS4Qxa136UQf/Uun39pJBMSNt8KDYVzbRbeixURIU857JtvhSGnwFfz61U4VnhXBRkcOhs4N2H+Y/rU1IdgLv3YgLNMsOGV7pmTL5kosBdizGMNSW1cYqOskJFs3U93os9+8iarAfVJcgmo1zeOly6HBax8V0mkVpMaIyePwdHlCytppesGkXstmqeS2ZztxG2sUidD8D8aAUMhwlj7HopR7lBYzqjXxK87Xb4FIYSBCrBXuOKPtks3nsBhbrCF/v9vxcZG8ljub71+dr6KWn81h13hHfqhnbekQoFcDjTblGC0ZNTr
Pn1qkPoE/oBwidam6pLH++ulbVpjVBxg2GQy/zcCBfNvBYV8S5gOi7QbmYRmafV0Z6BxuOvlF5AQkVEKSB+X8E2Yj9RH5V4PMJWzQm2Z2I/XNix33ZWwv/jxPYbWQPM0cLnk39cIVCQn6fFz8ymsPOFr1Zq3dcJ+7tjhZDnXDHubxtMDhn7tBLqzfEBkjLbvgdK5Gy/iJP4DrXtnoR8ncCGTpf0E6phyUF5e1OQ0X2b/h/jhg8NtNP+NN3pOOoLJiCbuzUfjcmPB/Gp3zpDrZX5vPH4PZbmme01Jh8jX8dyrd9bIyvgqF28FHhWygOATloNkei8P7pqv3MxBsNGAIMXiQJ5Vb43IYdJ1PIPdSBsQm59sts8+kuEuDDED4LKDJGbIYbQTWmBO+I6AHPo6oC0CjoBU2Y2x0/8BA6lV0zCFqITFGoAGwt73LrjhlQDk6gvFonjIVIJF5H0bcM203MNePK0Vn6v7wFQK7+3QnKiQ/yjG99xgKZI2e9OsTOsHj3weGf2qDgsXCkGpGCwDFTIDbNuDiy1BL5PTNqGJWP9G/x4rdCyCWid+nmP1b7MX6i8Bpc0zmeSsrnFOIG24GGY/cSp/kaHaISunk83Zk319oIxPiNzv/sd7OhNpqyLqRpmh/wGrylGOx8etUYn0YQT9Yywd1VXFVhs4WXURoFMXhwgh1YJFxSMU40P2iCk8voFBvP7WAq/UhT+oGBLSVvJtVTf42mVNqeh6H5IKsBpkNSLW4pVeedeCvK3qTL+9xasFwuUNXrZu2qTgcyXZQw943BfGPz64Mh7YQOZP8pN4Vll3jgF1gwaS2lo7Am+mpkvmWQy75XJKNXTP/8GBG5zDNvDKN2wZIt4q1Kd/0QKuYBX6H+vx5PnmLlVa/nFxHtq+Uq3BTR6R7PQMIAiY/aavXybRTsZGdDrYGWKuRaYojyf/3hs9n68MB9f7gmE3kutTO2LYNJZFBcroJB7LVsf0SjB6OkXBz69S69aO8eSd3GOeeF+NpDYQF9qE9Q2Xezgth4upHXHIxYp3XltUfCmJzgUmIaAXQUJLp5IRFB69KyXakNk+J+gm57waz6phy00aT6uIUfgmfflkcjRew+Kc38sGKb9UCKPGRIN0t+UIeXS2RJFfVot48CXJzxuEShA5kbLNVcjxr7TavRVNhIat5HUxv/kRoqbdtssZAMVPErIQEkWp1t1J0hDjb6JHmATsNa6Q2UBtT9bTB5i92txWlyL/WTuq2z3Xzuq47RMEaChhlf1GmH8rL0688wJLYTOo0lrRsaDZI4so66XZco+vEcDr/EW8+ek7Fs+GWBvtfwLe61op7PhyV+y4KsE/K67+TSRtIjPK7Ld5o4phhSOrghTF6/byJqUd+R65Fo8fqaSYv2iPjVPgHR4ERKFqGq3GZ4lcLOzgfneEOC4+0RdHG9PO1n332kL3w4viMByfCURxNHYcip2zcsGJhN6+6dAPksuZyvpUzfwxvFAVTGDg1/EHsekhmouN4eZpZtOjSYj+3yEuVs3l17qmx51LaAlMXegl7CqV3s6HEB3dRGa1UHuXUL/PZdpfSfdbkLeEF9WCFBC130MrZykgFVyjxO0XowzsXebcb+PDjIJPmq/9SZ1AGHGR+g89EPd08vggNGMgXu/OVPCKb1lLAzpTsIQlQPxSqeezqNDhunLh/TyEhzGugKngwHKeca6HQiX6jmD2JM5BU32WioxzcF6mExdJa00LjqTV008NB6Xrybnz8O8vdxnf8XcYmotJg7SkRiSdlX+dsHsVmtZd2yeqgb0tpCdE8lffnky49sbcM6QKENOYma2YFumwK/PSIHHG4mqe/E0P6vtMHzduJp2FeK9Vy6C8HPonqQNNzsp30sHPRyMVifJizsjYIP3MeXNzlRnJRdLtunBDOGGMlbOCLCd4pQPgYUloPY/KPAN/K+lttSUXsReDTGD8fb5opCf4cAXFQF3ans3K6+6dd6UZX/bKDLBdxbFBVBSC
8YWQFNuls7PvtMPBAXt5OIp5h6yYuMUdjtHlgcNMvRYM5lytLpNEsn3DeI79xcLamMub8icmLmn0oZfVdpML21vFXgu7NBw+J/pJAfwQTozYgd3Mbgmdr9NuNcdW2viicXox195OqywL0AYSysE0+6syeSK++Q9Ttu06q6nQSh5HkGp54WwY+p4hBKmwOL7GrxN/oOIIXKG9UAxN/3/sKu6kkTyV05Ie2vqBEDcPufSZsL6MGuxUIA50lEiYQAYl+3KvkvNluyXipB3rqBpDgvQY0fJNtFYD6Svx3KIWCW3uI4TYw4fQBeUo/i6KOdRD+QFcxNuOnqQdwxsnC2djpCPqLyXSPJN+cpG0ThPx/uFYq+56rbt68Qurj/D3aVmKpDbSTViPRdTDnSzJeZTVkzkXMedzJrdcrPTS0ifM3S6mWgofSQyKqBbjqQdj4BBE89Mq0Ug54j1W2QI1xOTWuXhPGOL5Q2Hv1VCWW/6tM4ofPuQShDt4JW1a8hxRWDjMKVwernuO32r+4nt+p5+Vzh81xil+6VJiiEwDGRi8X4wLhZPwNG4rF6IqLZ1kvWLTYvEY57wZWvFSxyWrXge9UiHHUC1CrPig9MV8VweTXxd0LheVGoXiNbjlsF4LlSpwICyCBQDRb+uVr8IduhKCRaG+c7R/7WSJlDdxIoHh/uJt8LiNn9tevv/bdhLBrJ4by1TcArRtlN4/fw6gOzgJG3EyVFrrOxiKmlzUFNHpMoW3BWJnbWieKAhZKZR9n/izXgTPWvfNi5tUPEiN5mgZEt8d34XGUpSTB8Xx8s1xNIOFatH6S/rzPBQgYY4HyI5GVW5R2H6okh/oGuSaE/T5teDM9RHGTFbpcERIETUjp9lJn5FON6QgTtjxWgEYShz+THv5OXWSL+t4CYW/5w6LRYpbbjEhRsQ8xmbZHWhVgrxYKW4S+o+euFiSXYeEcM+JvqIfk1/o3z8U3TzXZy0ALTTsNUcu/VGGHiXsrjm2ptmeF4+FrfCkGoNx96w5TCJKKpkbcosTpPYqg9URowUqFZAOEBoZ7eEKxWsCtwtR9kd5eMRCw4TEGc9rpfortKHdA9kXjYADlGTDo56AZsoYGL7dFcjPyMoB6xH0WJfdsxg3OYuxepQIWeZq4RmZch1zWer3OBJMLFR4BXqObVi+cRCNdvOvgS8whqCzBjrMPISl0RU9sxyvm3Wzu+F4nd3xmbGAENwe5bhMqs/iSzZBxD1OBnCek2X3qT9RyU8EIgpIRXA9WfxQd34rROB7SBNQBjIi2+UgTO4QqrPBW8yThoceWKzgKOr2+4brMBq/9P8phP3agmlANeHmHlrABNwpggBeghCN/9SmHcODAIs/GNYCSjSQOliIsWR4xNotQRoK9N7rIyiAzN3KQ8kpncH62CF2F/z5AP09dOrwEfYtPTCUy6B39mDY12+zEe+cnl3kZ7JDP1xThuOObVF5Jn/CC0G4ehFrHLXT1rPPoyO8NzIe0trsYWsmKvgrbDWUsky+gHIYr5K6r99XGlAIap2Dbyky0RwbT5jrrPmK5v5eQGjosg2gg51dxUQs9XsplOo/8sKj3e7BK5TVClzlXmVfAMBY0/8Zk3te9PajopCyV9Z8Jzc/sE4cX862EzpIsQwS5v6YYcJeDHYL4Y72IWn2DkGsivRicMJd1HdrRTZ1SVijkW+iprtwewxMtC9rbM8pcGjY+9i4PKKW9my9u3HGFTok1aWBrPucFVwEbW+o2+2tDoP86Bu/Prl7KMSD5cHOwv3GDbAnZEDY5m/3Gophzjxp6sLYnVSQMxW2Kx0V/znrpPP1vTsQZ9+9v+5u5SsSdePKv6j1H+GwYG7XXtpRmiCE+uMkauw/oCgiauUncPzd0UEAvdrrTDsChnrZ9vBJPAQkpyU9/yzbasSl5buzcyME0+6eyTJO489bTY65As/KqhYfRZYJVJ7jmg7Zs1eAGfaJextRi3it/0Y1Iaws78fGEKJvfPuWp0BI
B1SKWIKdD0I15Zmc4CQG2oBU0DL6p01kOnUCQVJM26OJSoNpq6jSIb9gio4ZvYnOkK9qvy8palHKfcPbKFcNOogouyXrxK5Ho2hQnEjaSSxUFiyVkLAwf6NKVpeVkmYFi537U+fArVWz3MNQpnx+mFOaoxiLGGIa1cl2DJipaZqhGPddBDSPTwAgvZqVK75QGW3TlPFsTi3RllRMDey53dSJk7XbUTLFCY0E0is2aLVqg9d6nW8Ip1t9vdUNyNvA0J32bBvWti9hvFe7LjmpsAM6m3TjzOCTwMLzMmp3MQM4NdgThbDKD/K4lWgDh8GA15ArcrQs6F+OcntCk7wKeFP6d+VwnSWfjsF5rmxLIqwltpoBSer5to6BmUxzC9XB06OV2uu3C7lYiRe2rqO9sS7SoH8vm4AelbhrHA9OAXIRvQgt4SkObJ3FghwwXoJas0I3XzO1C0il4H13C/nUEsbjHDVltOCOkUdXAZoizQ3wkuwRiWes0NNtZ3pp7yxMVrPo53qhHpZpy+4vN+ZRqirbS5CsQneBau1iS9DSb4nYxHfWq/0PP4Fc9h5v0Zy9SfjFqv8dPutP/ZIKG+yaXmAK/imf/iAxzbXRQPbTFnTgXTOSouZYjpm3rNRz/ekbbfyoThInzwf5Pm5u9wng1MOS/d8R/XfSfJXxjEHyKamxuzp2vsatnxVQ3EdeYub3vO/NgXzo8l2sxmfdMBUoRPsSpxGjaEFng0w8AOKNkOm7MUY4zAvlnRz0nqVSp9u2knjX8Ma2dyZYV32vmR4y6XiYGKaHrO44RihLGda8u44acVvDgRHQ7QiVK3xaYmOvy6J5Z1ZhB8sZ2T+RwwTP0vyxM4k/dGVKJZQEF92y5SYKu2cIsacmH0ylbJIs3MT0alqpJHAUEGh/OS0mT6xZ2yRDw7EdPiwhV/6r2bHeW8MxlCPBLHFCh5yojUBjhGf+FFFyiYiqShe6ufN8tLvhppUYWsGiX8prwOireIF5vUcvLqInAc3nop0N7DNkLa8WE5JwEr2ReKSUCGsjW/WBTEwMjlu+fY6yROTSMpid+770zObvKd/TXFz9l9pmwlH1CGr9SUnw3W8UN9vfldchN8SbAwApN4yCF5B6IXxCqUen4Cn9cd2/meCudtkS9lLPc1GeGoz2zhU+1LiFMMt2DB/ZUGkZ4hdidaZ5sRhNJFO727uONh3jCxbXgK32CsyhyYzNlmCp8z/Eg3HC4kns8n29kP72eituygEVz8qSv/2ipkmisezjgjKwfU4LKZjFOxtCghYvAfd2in1PSNEDDFYfsbG0QQLMJ1iy3f4xew8qKXPhLuJ3im5BMbAWq/VuI7QhamI+urdiLJCuUsAmxYSFK4HoOW0h64dG1glDCt9fHKLpSMosKWtDFy994ImYL1V7mTph8gUVPaEwQJeeGjihIETDZEKnd65JUgfZBk854Su4AcsoNPsoMKJ4ekYy2g0YsDpeeX5TK3pj4wp3GvdWCbABhjar/tHzHiYyQNs8FX9TfNYNd70EpjQ9JxTyeu4MZJkrhA5R2BjgskuUs19B3hn8hnaXSAHue8WRZAg9bzvdtglsFf4pFnnxCSvnGXtVBOvtXAPki4XP7SXyXpjsEF8cDTdef8SP6cXfb3qsEY4FMr0yg4gToCXOlftPSNRb/fbnGcIKxepNIyppU7TUXD74tC48yLqVg8I91ZP597W62Lf03NHyEkioeY2gn7MlP9VKbRDcGM9kdmN1tO7wal/GDRhLKGC8e5ywu6dizc2z+rL4HPaml9lfvFMS7TIfgyIrCYg2V/dn/OIZsksPSogusSeYNO2JWEwhyVaNPZ67R3rWDb+rBg5N08WMlaXpmfxBMLd6slSMbDIuCBRwEenITyOR7jXM11eifONbLBldJneXT+ZCrc/CJFP7ivXeLjUAPwDVjaLxQRY0H6qTO3ZdNVJnRHhKKPm0VdOWzj4zUSLH/k5Vz3YGcPbfSGydNk9xsu7eHpw6
fK9WjkFFWQY+hXzb/i1yqiSEx57tA+P6KahumS3IH4dPfyDrpqzZcPt5yhY94JGKXOa7C3++McUCxKgj795+bb6jdyVqKZ4RguKEx2c/7anr73EmDHeGwrZl9vgi40cHi9C1gZFFam7IAR36mjjIPBSVd4enRkvEupZLB49uvgk//90eim4S8FsaKjJpAZ+npHiHOvIKen4uolM9Pcon7Wqpk7dOORHSjVSQ+5jQbsAeGgUaav6AgU14m7abPxCPaxmYVhy+SzTBaMLRGZoJHk4N2ApVy4rOSTf/sBZWvmi00buCdeT1aU+acImxY9EBo8pjeoSx79P57HUQ/T2PRce3oK+d1zl8lKBDGbm5y4g8OG9sKnyUBfHUvAJA9liWJ0NauwFf7XV++7MOo9BJU6CxZ5vYGwmljQCGJN8dKzrnAmH4U0FHsCPAunwsGf4EpffvhyqfCalfE89aduYmKyQSUoGDf/5kPOqlqKrmtke59IXIwaHUYEtZJtPgTbeV/0knK5PDMwHGpTj4LFVUPCBsk+HAPHI97ubs13Vt0SsoZ/iXz34OEN7GCXSIdbG0aIiON3Z0ecgIfsLmATm/tMiSka0qqcw/5cM1S7uU5uP9nbeqeViL7GBIv2rwazZC7HD1RRoYHrBEPybablYLl8UU0CT1gJXpCmOqrdw9KlxlD/Son1nJxdCeW9XGOBli6nt8MhzEUe8JfIgmseauV8LM8Szfnjchn1Zkr562C9EucdIBf3eoMPhXpTLfLVy+R0231AZGNX26KkDKR47uznZrw5bnTqt2j7SyByH+igN+uSYTBG88TlNBW6qqSolKNlDto+o9XLnxtSJg0t5MGZRxpXH5Spo+xk9tf5LY+1rvPoX7xBRufz/ll91gRx8E4llF3msYS6MM/IKiqujeKpYMPnPCguqS/acP3DLBkyl7aZY90vl/nKIPhagrubAPUNgkOQlhmRzlZHFph2HuJjUSa8WViTzPOkDcLfpXzmkS/MVoKoY8NNoWOqdPW14GB/HRQFX7YO9WbU/UXyeLF8jAAdbLczB+mSETxJoMzWHgBjPy11EBy6sxJx3CbCxhDkK2VxXgC0yYRtAHBzqpTj7JlmR/AWbJpy9kQCt+j2enQyeII3UC5+yK3e2ryDFlknHC2wWBv5UiC7SZ7O+p2caiLdGiDZaa40EsxJOvl2i2rSTSW6sbq9ne+wtn2Q5jU+LN7decATWTfBLiNHchP5CXSzLt6ox1nizCwPNc/h/AjNsZhZcZH8VgutNuE4r56o/oQDtXsCMmpcECJO4Mnl2luKHj+EnQvWJ0eLXUaVKDvQE43dDKxP2IpJux13KjkZhF63UiQSksUtjhvZOQpIkq+UvaLWYnYp4TI0XsT1+FtXAtwzSYeVjKBpD0XyI96++XdXfq2Qc5IKG3L37rtXR0pKY9MXLZCzp6/TvjF0/R+F76PUahNRIJmrMzIEcgneluRyz97hQf2y+r44Gf8FVy56JLSvR2r3bYlJ3Jb73iE3qK7luQbTtTxunbtZOf2YEm0awKH3vWhbD2iOlR5qSVPInp9u7AIiMO9khJlC6LoCqLRdK7u+FrBY75XeFVqaZ34yyt1Q5M18VFx/zNjxkMx66OilE7QtKtfjyK8RFljJFW1Zme23sy0cnxo8U58V72FlyoUYHmqrGxKO4/T1PcT1taa+PlywUx7Y33DV6i+39Isg2g3U7SxPema491SgRR4mieo0LW6aBhHaGuj9AkB87FQnrk3FLyoJOeGRpJ6OTVSCPkK8E2ICozrnGbb4Ly83IhmIcCix9ow4CY9qY1IugT+uRwR8sOMxSHAECeRxYoBpTBFUVvJjXtfu9LsFEuemljbif6YieHnKeQuW+T93D2G+ZuNxwCc3ckaEX8BJJIbuGsKgF6qzgIGQjgd7IK5KopibP+A2qKT1/uSg7c5++86MdPhq8nU760kMkBhDl5Aof6Ke+Ak4nXb572vcC6M2OV5FPtQwzr
WW78+0hPn7I2wV5AejXWk3kdFZ5luZUjNi4lr4Q2hNeiH/NI2RfuzKn2yh8rdyc31ssUuowjdqQkwHpKO7DqDObOfshkHUfwJF+S06npO8IGtITFwZ6S8CODXbCmZQ8Sb0587SegmNhaGDq6ahAHuAFVtQ0tj1vuXro+cWCd4LtCfz+8uD7+pQf44ZAKCgm/ck0I9ZaNbdSHBzP2wh29bCfGu0NdD0JvbZzLEnSRO0T6fy5LDUoekpp/qEsAF63dhY3GYp1p0iqzpbosOI6KPyv/mFDy774vhTWZZXqr9+t77HCCBxPAMKRqN6OIbp7u33q/ceaUDj3t4Dh47DQweYKMRBUZ9mpEKVeh4GLzOak1dI97TAxW59BJHCRbZhqzqoUn8Cb7toHop506MiFH2layFAgV/0O4q9gOykqunB4TzwScz3RAjxRxFDhyhNTerF+/seJSJcPKoUWnicPW9eTnnoe4nAVMoBnWktm6Fxn2M68WFa65sTg4Mc680iUBx7PWQ5QDDw8BestD2Hv1cq9hheSOfMXejGEBOlKF35/GvRtyl2LlZce/Kc3raA66YXRiRCmnkeGO7GiVkuMn91R6k6ON6DLvytQMIkJBWrlGKPafKhZHFHvBmw7NPOcZ+plaaF50Y4erMM57sEG2gBmwwu0Pm+ogDc/WXrBXdVsAqofqLYMgnRC9l5NZ3PsgM/5Rswy1zA2bJvK4z54kao7ykf2WSnC/kmJXWIUMm78ZlUqNltZQ81ekzXtJzkpOOOYwUYsW9omqfRk7yFieFgyHZ5ImJBaDEyQPj/0u1Y65OcdbslhCjNfCewxG77jGk1TXIgxIAPYy7cnfADvY5CEL+XQ4q3whDhS5Jb05xolo7ViFpx0OFHdULywY2v4KxNbic3E/6zybyRfSu6NnvjivxidzcfH/o6DWclEdJxkfCCh2kRkD8r+S+UBxhWKXaqV4df9BEcVLjwUtPV0RHMmga+kxuGOtr1aN5FzI1cqDXdGq5+SIoFQ6gXX/y0gJS5/uG/6H5Sw6YM1XGFTMvtZiRDVxepFpy0tdp+2vV4beA4RzQcYMXvT7Z0dU4jTgvuqjwBxF5uFqUCkPh8LoZfUEBBf/dEPKqy7eL8+W+JuGuM6rrQiK7sFPnn0A/SdzRhea0mwFz7GlCHTSbHCe0PuWiKwA4ZX12THOQ5LCx6V4CIz7nCVua1RPU34/dumTXd99aII5AwQWt3zzb/a+x+RV/E7qRNZJ87zlZkSYM3nc7rdwLLpWCWlXP3P9CDeaHNPaSuLLSOOE6ZYoiWjw4Bl61DKqox0EbfjHNiwpwq4gPSmFEbi0B1EvmYLWBnrfF82RgMcw8DLltADaWRCxon8QTOl3tlxez8t1K31ww1nfgup90W5x6SHFC/U9JgD+hXzh6EVsFMoey8KH8XJnyoljgIh6wIsxjZgxmz+X7Mu7Agz8QrrGpjhBs5H2LoECUAfeej8m8obyJpsIDsDXmLh+uMlbvgvczq2H6GML0onVn7x19jeJWkT4U49E5fmFcEqilkm+2W2Ioyk9fsOfBa7rUUNtIXXk+v78RsmAyzHu0ziPwriyEgNsuDOWAwvtoGwo8RKcrmyw8ZQ/OxzKn2wByziK+RebMplDnd6Moe5y0+HY2CfVgu4jh8fyetwtfXx6VuDYLM6lzZsfHl/0jZxn+2CISppImfgnmSdO0wn71Vs2NgMr6SNnDT2ub39ZMAdfmTkeEl8F6+XFQse6WsXDyCpdglgw/qowW7HhzGYh4IW1KhWTt1mCPmt2spBUsaF7ZMSePJJYCqyk8VfZOo409IJNi+kOTISwEkXN6BbmYt/PZ33xbdH8hwli4frb+QPUwbvvulO6ZdBO1derHboIkh7DqPJwkwrjzPRPhXC30D1ctRLPaKC3dCHwJawYAHYeQ4NegND58hTW7uE0VXCdSOn4D9KB3GlDCYepsoscHomsXkeZwhoDWZ5dmpbQY98auPTBFxnK6tnS
v0/ICOiDaII8qbCsdw1tGxkAikEv2M+qLbidN8Le4olqsHLECSMx12TywJGMHSVgrBVW2Rez9l5M0igrye6UpGY7yZHuH+YyCbHBs+m4EOVbrLyln7fCPmDt/Za+GHPsgAD1sfCDjkK/CWXDNxMc6oh95kbBrfvzt4zAHxJqEuDfgIN70It/qOyzd71B0AcZ3r/tBYjnQ/fdEbbi3qggYAm4430ZIA40bemml6+0WBqNBJeH+Z7AqTaC4uNgHt268IVmqx56a8d8+KAvxeuA++qhhJPrZKtNEckpnEUXvNpP4L0tZiUx2lIyhlStzMlAlywR42M4pn5zvdG62nFKH/Q1mmh0/GiJikWRK5mA++ywqQTL0WxJsrsUT5J1F4zRZ0DHehOiuKznRF3WU17UJ5fg01ISkSdtHbwPjYaOqyMXUOp8kvOAJ5C9nCHHyQG9c5OGpGBPslb0lQXJToFpsmwxpJ2bAm87y2aXf+4/bSPCHvM2yzpk21A23Izy+nAiIwNo+0c2/8ZtX43F3cWZiKdJ5daphKs+CsXKlyExBWAnt4d46OWpAQxFRyvOp5YWS+6jE7VINMRXyVCr7fqDO/wdlmhFhP+0hOxiTKQd/xqhskud1IXrfTGfjBkU3OrXfvsJ4oUABmQoIwjDLLQ0IB+jsgCHUePm/920DkglNU7pHqL+h9crJJN1PdDXm/vBF0vDMeFDXOyXImvr1alNX4U1Bo1HRKTlh4m8FYXj1whg5eYTTtAtUZ79Gz0o0F+Uj37x3Bq8bWpXb9P+khfKgir3SX99RMpI+KAomSntgeA7uF10K8K3SVXNrvxFzmNmGjtSir2FrASGLOPqwRG0l0qmIvgL9/i0bW/+kTI+v8OX9N4BT/htL7s2/V0LIxPnljvEQk2pSV3wB8OIEoIG6K2oz2VnvLdXCuomLnFPgGTgyGRTbsBcxV1TU8MFS9aPJDYbEZnErJAiLJiZWxR8c8ey2WAlJ6L76RR20MDZVd5zL/Qjguq8B8N6f2EkEesUdis04eXK5KKpSM3ARGVhZp5cbozkgZmbO+hxbqfEyl0aROy1z0yV18N/pbsrMeMciJIkxdJhFvBm0uaEYwTfxRYivzWak/mU6hcSP61LAoUbff1OK6V5gckNVjpFL89hEicdp6rQgHgik5S8eMg6syJvXmvm0mHMxxgUXvOoJAZVkUmLEMFZG1D57RzHCZo2m4T3IxlCaIX+Sl0SesNOmRGWtvhRbD37z9vS+x1IFTZ6KLO3oUaSo6CQ8Ug5CWZOwpiPvqxR9rh5b1XTTqAdq/dotRtxXBn8v0Ihv3JNd9UNpXZ+1fq9GkIbgGHuk5slztbUW4DAv1vHYHRc+hc3CqvYzRY/xhp6RuErqKK/eO+p5+Mtlx5QG3yx+MYYERqRVoXP5uAxvko/SWfjsmvpOyE+PHM+8XpKt1QIeeauHMbF4OSK3OOWBifdqTv/UecYLNAiYd/ZAZNtaB4EoiOUfEQKK+BTaMr0L84MD5N/IPueikPXgFGEgq+00UpxXqvbOqH7B1RZdo1KOKkVrbX4korzz9+8SrgrwJJPM+E2dwDUVMdtR6txJYvZRzZ/bQEy3sPtiHng2t2RNwW9qeYqE7Jq3kFDAjfkj+5EPzSG5h2V21bCAsw4s2Dd19UtFNxpVgsFId548IY3g5ZL3vVtY65+EpeUwXoSjy+tKTiL2Jqk/xST3xOskhrOuH6ROdVc1WBW7W/IrCd9QWnEEsXcCd0IzApOKOmsxwsY3/QXu96VA7ZTKOy8y+kuGdHuc7prU5DKzKtqM7Z/dTpDpB7xG3X0W3yq2JqFGl8hiXLa61PWowumWxUo6ZRv8y+iqq3rLKKTh71xOa0xrRf7rZAu4NoY4J9YvwUeQJ5ROksX6waGJRNagMSDwHVd7kHfd06VU81hfwiNiGTPh618PvJkKvMSD1fa3L4BrA3SuFznzTNn7Z9J6lBY9ZJjMTnmgrqfwTwEYaCwSJjgIntr
n8CZNMIWDjMMeBoy2E+r/UY6mmHkH0SaTRtluYTnlwq37gz2BwB+/WfYmhzp7/ATqZz8BzU9m6yQvXJ0P9rFb6UxFwcX83RO2uqedUsfNVhYYFNnVwKE6MiL+eMcEvIl67mklGnbJlcHZdczKBTuVUXQ6ds1Ik3q4R2/bRWD5aN6FQ5jE3aflD4+YQQErRP3eSDQU233Ir9WxjWLJt3UqZGc19Ma2QFCYwnbf0k9pT9aPp4yjadbFJXpUpRCXx+6vqMViXSuc6PgAGG+8l3814IUm+sVH1A5Al6OL2lQemmc3tIol3M/vTByHjZSZ3VmLTGzXb7Vrr90eN8sgk2IV4Oy2q7XKD+Qc/U4kFCv1J51xqnPPCxandV015e2YSEvaWBaaWy/2scu9alk3zEV+DmL/w7TRYhcaQideX0vGyghwNfYVQ09QVVLcP70fPP/CdlEpHzHwRlUO2HXHcx3C3AG6Qae0RgG6IwGwNtE2YukPO4kaqza7JmI/aywRMSPmAKI94u1DATzGyeejHZI6d66Pexdd9GTq4fCbrzzyFLnKrhj4SbLFgvJp4LrdNkTkQKT3U7sXRLbuou8DUK47/knO06JcckUFnMzCIDo+u747scsLCyPbsUAE0+A8PzQORUGW2C7R4ElhyIgy43iM5uP2y4prKSBsTGlqYvvoshMbJlKF/w0XtPCCHDkbiHchWn7f67qnw4vLZdTO6bZ5w4UE+I6SE0J3bByKEFUnysK3wdxZ0Y1Nx3FbkuqQh+x0fQATh7kH9Q44+N9wZmWxPxahTe5YiOhA04Dvwt8hc7ly9FxFdtO1Ht9RR2s0D7eZiDuvHTilp7IfOqTgIImPPAeZAyCtUv80JyLhF/p6deeJRdGz0kUzEwkMbpgGA2hq9ZZya7IPpvGVj5HXPqlsF/d4M44z/yI6hu/vCLIKsZv6bcmyxBMC3Ql3JxZvoA1bwPW7FVS93eVNf51KiQq7K2GHdX2ARMPg+O4sb9XphWAFs27GAlw6ynIcW15E32v+7UUUYeAc0DKRbe/qbS77cjCxmyFkeEOD15/XGB27ZzMBfOCOOybc6QBMmZs+VNLLc6evlkhntaH5jcSlFRb3mkvHzhww5NBsGFS1Fv2UuyvyxB4lr4AjR35GL1/H9oDeoMC/CwwKUzpwwz3LVsBy6UdI10vm4sfwzFYIBwMhEPVSRUipcoUK+qMaRSqIN4UfrWr7rxfluMqfqVuKpgVdGT9zWF2Fsr+peRXzUCmAkozSO91iwOirI4VDPzGk1t5PtBuM6jIpmekg6GyU/fRyzQXozOFKDP3GjcjzIbD8j6TOWAGB2JZUBa0Gl9hVR61F3ad7eYzuhufGweXsrkIlyYlDpikKlI9hG4ClTQkR2bBQzww/sjBNq3KmFlWJIQXcKZ+a1HzttJmBncSQqYWDf0Q6n4Gu0FFRSfKE0RnurdOLLPt5/cCr3VYmDRCpNNSctq+hd3/zaLlqIYRBUTtH+1dzVv0Wh9uB2PvzqGr6m+hd8tDGramgm1H8266NJXzn4qp5kwVAd7044mQ1MZ1h/l6PmKF1FHcxVxsyqCSq0Tsad5g0QCUt5/806PuJdDGAGzHudk+PfqdBjLQNdcWvAnleSO/LSJeQ+ZHhFlaio1bt8jnOmf7RCrE3/zu27egJBKO68Ln12hM76rvGWJYM5ow1Yf0afONJAA+zMS6JGuNLl8xPKSatHFOL1YGUI9bXpZnJMJZ9WQiscsOnkq35xcVdyGq2NJbvjUqfysHbGy38Uj6iogBovFWb3VjB74QDI39yEUr52bMpqPS8yI0Nhm8Ny3SA6JekszZHJ+DGMWbvSmqKlIqX2WYo6KOCaADYRR9NUvXw0YMNLFN4iIx0a1geKjlaQ2vpmF0BiHbEAhv6VzTJ0gjwYfr4WZuKkNPKcJH6oOJrupJTadRsjkXluShgwwpYkaw9s+rwNPMMEw+Q17IioaKIncDrruhPdQjMUZKl89fHSY7+KLf
R67eWvmEcxZxDGWEk+YkDVGdDHoiwnVR1ztjWs/6PEC0yUu8Lvp7ONwVfKxzI1k2uAWkth1gWxsp+Yj1HEOpCAu+5OViWQHfrL8SfpsMuHp96MvHrIm54D1807cwF3Hp/TM5Xy4ASLtJgZdUmavse1jQrFc1yk6zErP/vEHZXx8l4dW9qM4eH6B4iWUt1L+DgYXrtyv9o/ShvdzaALIugdyiolBpDKssSH0Baujx1Jyl7G2DtCnmDdk+nbbzJ/BOfZg+LxbydtuwUTSGJoyhWWi7mWX+yumg9qVCd+x0BcDZmcZsjJpjPU9UX2YDOmu+EdNxTMtcC+VwCeBh8Vk7JGDQYpduExV7/U7L7h21zofHEqej9pJngUjSOhkpLHPxi5G8qxZu+N/3VZ6eIuBPGRKPVKMVARFOaSAq+lH4m0ofzxtbmQo/FEr/SWEBZD6jscY4Q6vLAS7APl4b9OF5q7/BcSr50UQA/OtK95ibx9Pgb9YgEPdcadBMl/UbJ6KfauxPYBqHMex8X+XaBNq4XgT+QMOGzrD9fZj5qwtxhEJXzbyZbWGqFGYxqk1vrd0ktp8wl0eDRCXR3ZNPfu/iLb7YlVtJ6wwoPZm0ftBld73JZQCWkYKUAzrL0CFsccdPhEq0ycURTjUGlAI2NEXywzuzdjqgtTxtmapQ0wGCzkwpXyS0YOKWJAsIQ0HrQpOwUagmqNh15vCNdJaSUzDIlJyJ4lsSubhC5dkW4DPjgF75NleOHNHWN/Pf5oPykvVskuMKum8y6XueoxSeegpZPTN2iOqOl6m8q9h11bTVMDaZpVWyb5hDnGF4P6ulcQk81AyFYok74R8pSpgb8OnWqiC3nQkuHAFtN0NzUH9N9ou2LAatbv780jcXntkPhPXehoI7X7QZp4Muw/DhrxdfAw+7PzRseOWS0I2HUchNuuOMQMr6b0GBzxuPGR8p2SS2/rXLfb7Q9834fGtM9VB8TkRD3S0FCUHM2a9box1iZZeq+k+9KIhlUqcheou8iltyUVXRc4/KrIR1NX30Jauf8zlfdgao8Wsg3ltqOPt6nrzVsFer0adDnP0Kei1ydDh8ms0dZy/Fr3sDKd3xCIW+jNFM+bk8TRiNi9Ylrn2PSIPmBdocpKvndZa6sRP4/6vb2O7vp6pFUb67fuZssmTnOS80REZ3Akd1tD5InE6X4vezxNxHTKUBXPvgpVQ3ZXP2Q8pZAkn8OaLNb2D1TbD12nbpJoecAn+b40goyFFLvkCiFhBX/nO/qEgsaGByxMRRJzToY/oEEtQDelxqDTMTglbRFAmdOkoNLdt9aLA8JYRH7X9ihT9RRkayHJg1dc4F/aNX4DJ8w3ixEwwfcPaS0aDWtaRqGdST46Vgh0fWNJDjg5qhgVhLaFRfOcJjl/nuUZOy/0CWp80yKVec1N781XhlkV3pbnCpbUEV43Z5RG65dZw+eVDRxeZH2dSJ0TVuwaL5/XU9P0baNxthr12DB2hcH6qETqZE56aSsIE7TIFG52IIRJFocbSLCOA0h6hy8Wyq5nZmOAkTq5r8R4WMP8dwE2jE3sIiCvsuGZZ4deVX0Brk4+/SXnEpwx5sn/nI4xrPM9jIMDLpjArZLnRciRmIDtVXUnUQ+Wi/Xzbmjcye1F83onA5Sk33j/4Qo3NBdRWYoQIFmQMH1qe5PXy3qoeXGmHYFtAMVKT5Hjb4+tccq0/QOSDpBun6sLDj1zeSVp9iO4G7SKX/DAcXrl78OBWfbZZYlAB0v0AiS23cFKNlcXP72PucxJ6YqaJ1qA4mBdJJWecEQcONnnYhePTeQWOkc1jrWAeQEiGtvg8hLQmbvU0I4a18T1SL6sJ0C4jkIPkHcux9oFJdi7Dn1b2e3nsWOMFugsci6tV0VzR4OgI24nh5KJ/UKn1Ce5B51L137Hbz7yWNeahsVuajI+weByuRdCiHmetHlnACHWiW1e1LkBE3r2fFuDtzmUSFg4hMEAuuX0C1z9AGjnKP
aYdSu1+1v2YwvUSbVYUEGUeezZub5KLGSeouLm0b1XiyUVNn789g9dBFcYjRe7Iex1pmFJPkT754ruYAITifzJnb6cVcR+T0PllZ8bZO3/lNMmZWFQxD8fJSu9Rh0etWvixE1s+/whA2H2HAvVHYxjz1f//sSS8F4j2KeJD1ygoQeoCOnYcob6JSUAg2WGT3CqGoy/N2rjpbnUjGgoX5jpUHQ9A3t2tTg1Pb5fuis100c4EXqYs21YklJA+Vkd/lDYr9HBQbyV97WuyLPmLqrM19o31CFgaxqVGBOrJ2FIbp9AOx2oblf8kQJqmeOjmcvuUvh51vf0WZU+/LzbpCPHP7MNtbTR58SSLL3ncCWXz8mfqyHe1/G7yLOkC0VHyc1FkTa09l/CCwffJ0vp0ExfpH6po7c8QckqQ7mUHlyZzKBkMgmG9ODQn4ONCgTFH48Wja73MILKltr0ZP/dPzXjwzvKVzg6Aj65zXZYvKoB7tsfgIZlM5rlJeD48eBptunwchbVj8U55dPrhs+ziCQSN9Z5xMaIrSWcTLIyyRzDuK3Zn3ZQ8Smp1tW2/AefTuHFzVUr+Y4360Z0GxToeLCvnjMNKEoV1I+i2cHLMfK9A5lBayfE6pnH9OClXn8UZ11PIiOjmkRKYOl10Xj7zn3bKpZrx5cjv3RpNVIG2da1iQ35b6tZdC9FP6Az/86xueM+j8Kv3e1U+7RAQDoB8kCjPrFZg2V2nBbrQ2nU3jT5s937Qq3oA2gOL55s/d2pSzsWgbgyy922nweKE64F9CFa665QUydGDD/eUKy76m13dIwhMRsAXHgH/Q0fUljiUvnNMT6KiTe50yJp0EwC0vvDjmj1iTo/OUqnXdbLtsLom5QKhTjIJM5oi7nN21HP7r8joo0RGyMt4ku6wKbozk/PtB6bWreyIFq296nPLZkP6kO0BL/eROz08/kRI7SZkkqRkTvHWfBLZ+L6H1ReEvYNG8YfHPC63ajGHvGC1BlSioEeosXcUIt6m8f6x9QVMEvYjkswzXcWQqS0EElrKrkq9bJx8JI3S8sZ2rTF68Qjui8G05GYwUaMlx9v1kdcyt999jHY1d3PXi4d6LRBVqSAyjFCoEHf+ElMktZFUgR5+m0Ui82ji2/8s2f/fjGA+t96EJpSiW0MbcXX1KqYPsaU/1cxhPajA0oTsc5AhkDHodJixpc2MGB7vf6ZBw4LhbT1QLEDJJFuTD7KtNWSwMN8KyWsIDJ1CQ4h+NFAQOM9H1m9+YtaN2i3jevOv4mUPYYHIfeYr5Y3xKhh2ksu/KE0/7TFWlQJfAp4LnuNOp0USPfttJ5n3AO/hSdsVakFBi0+LFr4pSMHAaM3be6ZRe1wvUj8+FUC8iYdXRZ1h7VT1HdSgwHkfZeXve4KZdfOucFRV56hra0mT7gsrctEvy43OAUsgYFYM+i5UU54Qi9BcaRTkBMH5TW7au4hq9bqJarz7w7LjQrscDXIuCbfC73/w50POXWkLW/wiMJz1yljPQIgAt7DSDAWK9qXb6ztdi52Gdf/SR5jO7+LXQJcSznbxobFMV9HrhjMBtTF65nyJgHaBCKmTkVF3mX1F2HfVZvZIdLNzH5W0e2HYZzRBxXIMyWRsLaFVZA28nsidx6ho3t2ePxLUAcjPWHKSf4D/5ZphkxFxmtgCAkFFk6d87x1b8MGnywaBO1eVn0JS06pnCYRiHbUxHhXDFkrPlwMdeIRsxc6BE1qP3Hri3VZWCjyYdJetlrmDY/bs1z7g1jcUXwDDohw+UrciPnT5se3So/kwQlvTYulOHimNVn3Le5wu0rQvKPp+0AgKb5PrT4C6o3Mzdop7IxDSIflowQ8Pbq0a1mB2eDELCAdDfJBSUcU/DeYC/mBFkTKA/ehnaw+AyJ65yB16KFwTlMLkCaPybAJYhRXho93ji51eIJUYYm0YcmnAp3WDhAe7ZFOvzmfpfvSSqwS9e1SQal8ttDuHeKyxkreGM6Xj2ZWof
yul/0SUohF/9ruBQtKlcuYC6tKUT0HI+VOwvm6ZoYJ7TOe1B+5WBdtu/BhZfk/yyZ1ncSnKmNxTzQZIkEXwWZd9xWLX0e+q4PZjjgTY9zy+u6bNrur92QjW5ASF0ZnXrSZs9aRZDrcGR/FFet0Yr8qkrfl2gb3WS7kugsKI1oyq9U63dJkZUZgkuXHuZnDO2UkedGNIq2x8533gu0+jhpv8RbuUuDtHzOpcYU3P91Q3KwOO++Z/8M4Mw9q6DUZjTwN7tWz39hqm7qDx34QHKalPWmCZAHDjTpaQSnId3ZN0GBT/YXnV0Ac0OSZNlHDIw7wMnprRjuzVemmLW+mNffJNKbQOUMXbhvZIiGautUwqUcm16BP0FlTw675sgCGa++u5WsLn7yDZ+LW2X844rp04573G3+c/CummQdz5B2DuTVzgnVnZlsF3A1mLTOZATiD3yQIfJe1qB8Db19fDnIRBlvmc0VgUdsJFmV5ND2Q2P8V6/N3QkcZkiK7210wey9wzZnDfrMtPXTRliCnysHOnzJGfJirCluh8Yh3sA3tAthdMNgvpM6wqlXY+DL++q7+4BkkooFact9IGp9XIGH7z+jb2fOMcufpB3pkNvzheNy1/nvbbVbbdSi7AND2Z1se0j5Tlgfpx1X8Z0Y5oJWd7IbCElNlLpJ7QDNzx3pj1SGBJWnei/4D2Dcj+2cZFakZSN4QaVbrgORkeACFrUvwSIo1Krz9TdleXHAr3f+omjTLMFopwA4IuoUo7KiKeOnL7/ouEccuq+ddJ/H7ftM0n0EKEZCOYKgtC34XJ8jJm4GSkLlsq7AoXkrM4horpeQR1sHrOwdiQgrfNZvZVuwdMAdFlTZm64rYHQRDrBs1Kw1O7R9QK7uFDkRmNsrO1d05DaRfpRDXyM0PSeeXmdNbIYeYvs+JXuOZP8LtVC21/Z5atc4Jj2+U3abucdbDpxL7zyab81W5C6WrCttL5maIce7GotpF5rVx2dT/a8muimyvt12f1Gi3A7pq5hNmuoIlOu5tHUnec33wuKdTTIJBKG+RxK6BvZSrDjo3cZ5OlikoCi14Dd5iKG/u8APdsow4umbsn6tGMEWy+YDQmq0majQVdEbW9c45u2Oyr7zz/nuqvz6I0iTWWAyZSYSzrSb7paM/oa2r0MTBSdH1C6K23SGwMDnGLVD0ubU0kRiouEbNjnh8IfYdshhYnpwJIpVzWvDl3Rd/KdlR1BWkjBzVvKpXvRIxaecxrMrI4wci7CRNvZN7/eN+sOPfjKrL+2W+rC0Fn+oHpIHMuTq4UqRMJliqGSFNcSuRq90Vhp2EZ+3msIg5byxkNoCvT0HfOQgDdHAmaeSuHv0gTFyrxh2DheWcNnfJqXP/3omnpHyk5RC8CETrM/ya+6zhOkcWLg9qlzyMZd1maUXZ8Dn/KOT+dgRCTw76eys4fDWXtBn0FckJ2e2KfM6ryWdbd99U8YcAfHoWO1IpUpJavFXBgPcNSpDUVc6SpToHl0s9GqGo4VvE45O9OLy/XmWrDS6UDgtxgbmd2sQHO+l28d7KGl3z/Xp/O9512G6BtlkQUT05s9eweP3QD9eCYS9Z/Nq/vUnueJJY52SC/NJnoq+prlPw4wuxutuEegnrpwOSWW2XW+jwuB/wCJuxpRHPp3/FY9SSMKJM03r5NQcFlCYIzXHVcs97AwY1LLaimrawJCga2sIjUUsKCVXNrX2qTa3XNLQfZ01T/Iv7QLmSVhyQ4SKVPxHvYk/fD7bdOj9D/saK/4Mjwp02vxpQnNTSQHMJUvrW8FmflbVyrBoEtkGN7sjJSAzMPyf5VpQAc7ZpwYOpkWWLry0Ab9qJDNAPljbafOaIrbbWeifareJ/MaZiplruXIV99AndgyMlOo/voNC9U/PYtLWWrvOlctX8epdOXxxqQI7uL2X2a4aZ439o1xirLng679nJdqv7ZHObTqtUaI8ZOiolO9UJfUxKWwH2UntK4xDI8+U7JLg4Rs
NnUs/nLMCnOGN9dMggEZN6vHejTaeIwogdrGCSjZgD2P6mqKM7dhJlTXd6/fj3/lZoEOqzrrP11NfPT8YxEE7hsvDL5oDWQx89cOm1JsywudTbHDiBnBk2eT5qFojaEwL/f0Ls7oYWiA2b/7IPezhneF5y392n80gqaZSkilk8lKo/fFkOfcA993NcNBOKgXUJWXaZe84WM/5sLR9q+VvHpL1MX4u+AatskWuHSQdbH7e9bfGeGzCBpnv9wq/Vn4gRjV7YqQispQU0Zx88ZqcYEs/3zsb2fxA5MjKZTYkRLLwWPPiTmjrSWUAP6LJAHP+IYfIohu6yVz44+aaF6xrloN5vnnJJw0CUOqmM4a0ktOCWLTOOWCfW40EbkUy+6+N/v7J1dKVx1DMSG10mLv4y7AY9Y+0jYkFJbi2XXRFhK8jWqp2jxNmV7hBQb/yHlulxkmNbL12msXMWTYqdUCP1m5UtusW2mi7CLjdsA3zWitRXwFiTZMqCJp9E6e2iPfKcGJQ1JS/Wef8HdY8KzfxM7e+abCSQJOXnh3MGKKLWgLAIjvew7TirWFnrGADmUq+hWXfg9zILQelBS5gzUhADsZduwFcpVgUHfEaLOdE55EuY52Z1aC6t67gaxB2pEm9qNCO81n2Ee+TqOOOqClH2J14DIU6IjAF8z4uaSuMWKOTy95pCCsnB8zCOEgtzaUq9ewWQMk3IV5H0Vse9g8KrpG/C9w3rQ1KnzLSzcmf2kl8PMJnyF56H14rMreYqoNyyepyPEC33Ow104a4B4FoeoppbUF6CuiePOJUHNUnEVHFd2lbBJy4Jnw+w1ADugso6LU5pMdcKgjU9dZlAYnXFC4dKfclDfAIZnOsqcF9xYaNx4tF1pm1SSaZ5b6/NozAPlnpfgEJOy00a0ubwEEzUC8A8grHc5cOHitbEv7puvGRao7u0qU1BVvoVnllX/VukTTgL4E3GnW1NGxjkHIIsOPoM5XeD5LnFmLF6RWpcbX1E5OHr3AvijqtQF8j6K/sZAXBmBsezRSdFScHRZ334ciL6W5eY2lAdXOqSibac349NDm13DkMVob7FgzHo4I/uE1XrEv8BxqHB0sj6TQzIE3/UOH5wVYyoYXUXkUOmpcSGUir79FNyFMt1P182zLDeqMXb7X4YF/qHPPx0JJuCThFpJU5tqZpvJBvu4ZtkJtvptv6N/vS434ecOsXGCqIcCg5zJzEWEwnQ8vHgtW8U7y4R48KRar2fU2gWd12nLiyUp5GqomG5qd6TaEp3l9AHskJrfviQ0cDJm8L3UXWi/t72U+SdMGsGvfnkH5Ah96vfGFAQPOl5gbyN7gRrfDriduJNfiJ9OijFWbQYqcuVwGNKnXVp07j4M/HDEYt77bJ9MWPZsT95irOFb8p9MNR8xfwY65DCjrvMlzpnVDXWN1kciUQFy7yi0/G4TQujXzllJgRHkTW8AeUmNgeDBZkduVLS+3ZaINpngOwkRbLh7NZz8T40dQroghNIF28WG1ZmioIUcpKjUuSxYTk8L8/Lzpb4Abql6f2sGNMx3KUxlB/2Nl8q5YA+/KxFdId6x/Q/Hzwj75F8lJoOAMLhoXl1Rs2ru+cMCv/N3DwfS5EIIQzH2xsb715J7FbGnJkdRhFosiXJjtmJCmaZvCz61EgpiclRZo/yc0wx5sRMnlsLGS7x64Bx4kb0grPSnpPexfUB/OrMwhCj/a0RbGHQ30w5gy8tzMmf4z8H2N6njfvaFSJ8t9N38bm2ivrijHerwir6sfsGU+M+u/Y6ApWfllIvOc+HUhyl9XSNa58BQBJM2FkJH1Fs/vcGSjg8iht1ICLbvhxG6kOdcKTMvP63WTdyxfHfA+XjKI/LkvFivNQFau2aeIyOwAWElbTvTHaUC6TlgBYNfSkhSFQ+TX7OAjaWD4TC17mX+lOZJAT5CelhCLxTLhm9z01Ml2lJkqD92rZrVHt47gtyEOLiBEuf/bNBG+nSG6Kl6N1XYn
W4HSJwPs57jxTJdVlQVy1P3pOMIdwAoX9at4SRBywYuzh2/e5627A7kAySwbVcj7FxrdqNrzgcHMme/HtlEx2qZKKXgHgsA9rfMEgOs8jQuEJUDYpNLj9HISBmbDHIBPGqITTx8oSzB8uxk0IH7b7SbUx5kOoFQH9DKo6g7lSw/+OU1wA4ifjBldql9XGFs3p7viyP59ybaRhIEx8Fd6zA7dhMveL1RelHo5YuAt41PcuG7+n/00X5KcpR+d6usdx8JIE9IlXpu6BJJGU6sfyliaXggufpYHl4hMvY+alj0RtR/x7Zewt7657oU9yNdI6X/RiBnqF9M2W8n/PISw3j1QUV2f8J6pHDwNCenPAY4wMPylBWDIkOCXLr0z3+KRRM9NtpoMm+rOZ18DdZJ1cmJ1Gh90tZBFxpl13l/YwOjANxkXBpvIMtXBbfnYcAm++NzHDadH1J7C46kPeo8VGFQu6TqgPz0dQkbXpRLN9RqG7kQNShJJ1x6AbA3Vv5Cj3ORRlJlnCy8Bww7EpMQLAZ+vWlAeKgsWkJ7+qgwOgnpMKRfzVCvjOBfrOR1yNowFX/0lvIh44AJOAj6BJXx/PA2ceub/bNLGDzouk7pAuK0kFdGKMaexLE5kuLWARa+vFZ+33ikVnkH0ZgleoUX33m9xRLSoZXf1AkeXON9nSPK4MbzDuFSzKyAFuDN9mgYtkmcnMap8yM2apjS0jCS/zqJNJYvnRJkr+and+RBxu9IodQphP3RIUIOMOaZ8DXa8xHQn8pY/pwqBeiJStIJy+zEDF535Nyt/zF033PuuXtNQLWpF68FOjOoyo1z9Qze//OfbMv47ecmJ6YMCxbiZLNL70A8LENR,iv:EibOl+427H7pQSAHKttZLjkw8+O9Ws6Clssqfmp3kfo=,tag:ppJ5soDMoX0c6Ovu9Umv1Q==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: monitoring-prometheus-config +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:25Z" + enc: vault:v1:HNjhct3QO/ysmTAiMFui0X2OiWxw9xHPJBkri7X+1xdR66OES7CA7OtomZNEb3lanp81tn/j29Lgxkle + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3V1ZBdTRocFZLdEVhNGVZ + L0NId1YzdlVVL3dIL1BoMEVydDI0UHN0MkRFCmVacmN5bTZ0dUtGZUVmUFR3ZEZE + Z1BWQUgxMVV2NktnU2RXdnJYSjlpc1UKLS0tIDlITDdRUlRBdGxEaHVpNTFKYnQ1 + UVlnQldWZzkwQ1RHMVR1V1ExQjhNR1EKFl8hQn5P3QcRCbuITHdSXJzrT6cNGFDz + tBo4osLCsjEasn2PVBVBS8BmFA7PFELpSrg8Pjuk+fHMbRdCeDVBwQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:34Z" + mac: 
ENC[AES256_GCM,data:uwdJRlZi4FmvMxNwt/1gfTWoEZrUitf7Oi35WEH09Yx3TzAbekuvwvP1KY8LFa9b30uTNIU1n3R++9PbUxF/49myjhZm6T0YZTRlRFZawhB+l8tjWxKOpiPzmWKKTt1Qn+wv62jXOZgmddoehLY6na+XCZ0vZP0uLPa5jxyaz1c=,iv:SvPtpu4QmqczTee2FuUrtRNERI0xdRldGelWIvHf7Bc=,tag:C9QXcuwKLC0v4DYwSPS8HA==,type:str] + pgp: + - created_at: "2024-06-28T08:37:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/+OTgmzck20Q04tXqvn2j9CkZdxLifhunAfxSvUCsFqTDb + oULErt34LNri23T7PMnjv2MSL3o4y3skLIOQHzn+bXTpeQAG6tBNa5BRR0bwLM26 + rkLUMiTwvAKRU6d6G0lHdcgxxz1PbalXLq5AxzAtIEhnyfW4eGQ2pe6STuzPGFEJ + lqL8Um5PagDbNMtqY0BYkdZcnj2HSXNMAIMA7azKfZi1uCJYdcY6egyukJ+nTrpr + DBaSJ90+GT6GJ8ZPamyDWF3Eyy1tYXHLu7qvjqHBDQGiK64W4NxVd7EH1JYnvLJs + 9AQiYWywbbfHsKmJeeHG2wq/i8IbYi+6zLIcBp1pILLiyOJ7YC+Fu4HO9btdnmyP + mJ83PV4KQ/2+1Jinvkx9kPmYG5R+RI7q/Tl1U/qzIrl/8XCB1WWlCTlySsdHSmNO + 28FV7ZqiVDrGrnK6Tfz+9Go7H7vPB0QFGQNZWVlNw9OHDfjbMK1wegJsbjYjLUPJ + dEZvyIQHfryi4vBO4DzaFFZk5m+Ll/lI9t9ZRRWsP3ci/LHwv1MI96/uh3VQsiEV + fccj3ALkMIRu/fsb/s769zVQmLjYqIvp42gPEooN8eoStPXZJqkvEDMjeVVvAuSX + yupCeRn/SGAAoXhFkNM5RUOq5oPrCpVVtnUvZOO0x2ox0RShOaEEPk9k6y5qZmPS + XAE5eLe1ZqefrQkeW4wjMDxdUb0cMqxra6ob0YVvuvdJBUjTrNS7HZw+WkHCEl49 + gP277WyC/rssEchSES5a+eK7SW61MAqCk7O5S9FYY2AEcIKSJKmxTJ5YHw8G + =JSud + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/monitoring/prometheus/upsert-secret-prometheus-config.sh b/clusters/svc.dd.soeren.cloud/monitoring/prometheus/upsert-secret-prometheus-config.sh new file mode 120000 index 0000000..fc600b7 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/monitoring/prometheus/upsert-secret-prometheus-config.sh @@ -0,0 +1 @@ +../../../../apps/monitoring/prometheus/components/config/upsert-secret-prometheus-config.sh \ No newline at end of file 
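Review bot: The entire Prometheus configuration is stored as the single encrypted key `prometheus.yaml` in Secret `monitoring-prometheus-config`, so every scrape-target or rule change to it is opaque in review and anyone who can decrypt the Secret for one credential gets the whole config. If the config contains only a few credentials, consider keeping the non-sensitive part in a ConfigMap and referencing secrets from it via file-based options (e.g. `basic_auth.password_file` / `authorization.credentials_file`) mounted from this Secret; that is an inference, since the plaintext is not visible here. Also note this file uses `encrypted_regex: ^(data|stringData)$` while the preceding secret file ends with `unencrypted_suffix: _unencrypted`, so the two files may differ in which top-level fields stay plaintext; standardizing on one sops rule for all `sops-secret-*.yaml` files makes the plaintext surface predictable.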
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/pushgateway/kustomization.yaml b/clusters/svc.dd.soeren.cloud/monitoring/pushgateway/kustomization.yaml
new file mode 100644
index 0000000..ded268c
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/pushgateway/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - ../../../../apps/monitoring/pushgateway
+components:
+ - ../../../../apps/monitoring/pushgateway/components/reverse-proxy
diff --git a/clusters/svc.dd.soeren.cloud/monitoring/vmalert/kustomization.yaml b/clusters/svc.dd.soeren.cloud/monitoring/vmalert/kustomization.yaml
new file mode 100644
index 0000000..5bceaa3
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/monitoring/vmalert/kustomization.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - ../../../../apps/monitoring/vmalert
+components:
+ - ../../../../apps/monitoring/vmalert/components/tls-client-cert
+ - ../../../../apps/monitoring/vmalert/components/initcontainer-seed-rules
+patches:
+ - target:
+ kind: Deployment
+ name: vmalert
+ patch: |
+ - op: add
+ path: "/spec/template/spec/containers/0/args"
+ value:
+ - "-notifier.url=http://alertmanager"
+ - "-datasource.url=http://prometheus"
+ - "-rule=/rules/*.rules"
diff --git a/clusters/svc.dd.soeren.cloud/mosquitto/kustomization.yaml b/clusters/svc.dd.soeren.cloud/mosquitto/kustomization.yaml
new file mode 100644
index 0000000..b1fc8f0
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/mosquitto/kustomization.yaml
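Review bot: The vmalert patch uses `op: add` on `/spec/template/spec/containers/0/args`, and per JSON Patch an `add` to an existing member replaces its whole value, so any `args` the base Deployment already sets (for example from the `tls-client-cert` or `initcontainer-seed-rules` components) are silently dropped rather than extended; the base is not visible here, so this needs checking. If the base defines `args`, append with `path: "/spec/template/spec/containers/0/args/-"` per flag, or use a strategic-merge patch keyed on the container name instead of the positional index `0`, which breaks as soon as container order changes. It is also worth confirming that `-notifier.url=http://alertmanager` and `-datasource.url=http://prometheus` are intentionally plain HTTP while a TLS client-cert component is included, and documenting what that cert is for, e.g. `# tls-client-cert: used for <target>, datasource/notifier stay in-cluster HTTP`.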
@@ -0,0 +1,30 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mosquitto
+resources:
+ - ../../../apps/mosquitto
+ - namespace.yaml
+components:
+ - ../../../apps/mosquitto/components/istio
+ - ../../../apps/mosquitto/components/tls
+patches:
+ - target:
+ kind: Certificate
+ name: mosquitto
+ patch: |-
+ - op: "add"
+ path: "/spec/commonName"
+ value: "mqtt.svc.dd.soeren.cloud"
+ - op: "add"
+ path: "/spec/dnsNames"
+ value:
+ - "mqtt.svc.dd.soeren.cloud"
+ - target:
+ kind: VirtualService
+ name: mosquitto
+ patch: |-
+ - op: "add"
+ path: "/spec/hosts"
+ value:
+ - "mqtt.svc.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/mosquitto/namespace.yaml b/clusters/svc.dd.soeren.cloud/mosquitto/namespace.yaml
new file mode 100644
index 0000000..e63491b
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/mosquitto/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: mosquitto
+ labels:
+ name: mosquitto
diff --git a/clusters/svc.dd.soeren.cloud/nextcloud/kustomization.yaml b/clusters/svc.dd.soeren.cloud/nextcloud/kustomization.yaml
new file mode 100644
index 0000000..922cbf4
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/nextcloud/kustomization.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: nextcloud
+resources:
+ - ../../../apps/nextcloud
+ - sops-secret-nextcloud.yaml
+ - namespace.yaml
+ - pv.yaml
+components:
+ - ../../../apps/nextcloud/components/mariadb
+ - ../../../apps/nextcloud/components/istio
+ - ../../../apps/nextcloud/components/pvc
+configMapGenerator:
+ - name: nextcloud-config
+ behavior: merge
+ envs:
+ - nextcloud.properties
+patches:
+ - target:
+ kind: VirtualService
+ name: nextcloud
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - "nextcloud.svc.dd.soeren.cloud"
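Review bot: The mosquitto Certificate patch sets `/spec/commonName` and `/spec/dnsNames` with `op: "add"`, whereas the rabbitmq overlay in this commit patches the same Certificate fields with `op: "replace"`; `add` silently overwrites a value the base already carries, while `replace` fails the build when the base lacks the field, so the two overlays react differently to a change in the shared base. Using `replace` here as well (`- op: "replace"` on both operations) keeps the convention uniform across clusters. Whether the base Certificate pre-populates these fields cannot be seen from this diff.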
diff --git a/clusters/svc.dd.soeren.cloud/nextcloud/namespace.yaml b/clusters/svc.dd.soeren.cloud/nextcloud/namespace.yaml
new file mode 100644
index 0000000..98bc51c
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/nextcloud/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: nextcloud
+ labels:
+ name: nextcloud
diff --git a/clusters/svc.dd.soeren.cloud/nextcloud/nextcloud.properties b/clusters/svc.dd.soeren.cloud/nextcloud/nextcloud.properties
new file mode 100644
index 0000000..267bb10
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/nextcloud/nextcloud.properties
@@ -0,0 +1,6 @@
+NC_TRUSTED_DOMAINS=nextcloud.svc.ez.soeren.cloud
+MAIL_FROM_ADDRESS=nextcloud@soerensoerensen.de
+MAIL_DOMAIN=soerensoerensen.de
+SMTP_SECURE=ssl
+SMTP_PORT=465
+SMTP_AUTHTYPE=LOGIN
diff --git a/clusters/svc.dd.soeren.cloud/nextcloud/pv.yaml b/clusters/svc.dd.soeren.cloud/nextcloud/pv.yaml
new file mode 100644
index 0000000..c5b7e07
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/nextcloud/pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+ name: "nextcloud"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ capacity:
+ storage: "50Gi"
+ storageClassName: "local-storage"
+ local:
+ path: "/mnt/k8s/nextcloud"
+ claimRef:
+ namespace: "nextcloud"
+ name: "nextcloud"
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/hostname"
+ operator: "In"
+ values:
+ - "k8s.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/nextcloud/sops-secret-nextcloud.yaml b/clusters/svc.dd.soeren.cloud/nextcloud/sops-secret-nextcloud.yaml
new file mode 100644
index 0000000..9a25a96
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/nextcloud/sops-secret-nextcloud.yaml
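Review bot: `NC_TRUSTED_DOMAINS=nextcloud.svc.ez.soeren.cloud` in nextcloud.properties names the ez cluster, while this overlay's VirtualService patch routes `nextcloud.svc.dd.soeren.cloud`, so Nextcloud's Host-header check will refuse requests arriving under the dd name unless the base configuration adds it elsewhere (the base is outside this diff). The line should read `NC_TRUSTED_DOMAINS=nextcloud.svc.dd.soeren.cloud`, or cover both names if serving under both is intended. Keeping this list exact matters because the usual workaround for an "untrusted domain" error is to loosen the check instead of correcting the entry.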
@@ -0,0 +1,55 @@ +apiVersion: v1 +data: + MYSQL_PASSWORD: ENC[AES256_GCM,data:PrZJlWbxXKI1IpxZ,iv:GqrVSTEnsMcpfDIBo532+k0TFWDVOUJ9Gkqweq/wuuU=,tag:Va18ToD7GM4KGYybf0nJXg==,type:str] + MYSQL_USER: ENC[AES256_GCM,data:A5WE+xtxpNC36+lW,iv:c8LkFsZpvtI7ID8xtjzwWxsOhe7Wntkwfhw0mI68LoE=,tag:u1m3+J3Fkb3JMRRp/AHy9A==,type:str] + NEXTCLOUD_ADMIN_PASSWORD: ENC[AES256_GCM,data:EghyASrhySSxXfxwmR7LnQ==,iv:sX/g7mqPj7I2rQoeVWhthVE63uZo4EjGl7P4yIULnTA=,tag:5/sTsJky4ScSEVjsU7MR4g==,type:str] + NEXTCLOUD_ADMIN_USER: ENC[AES256_GCM,data:DlrAyTKg3KI=,iv:fN5+iU9ia8byt161+pKY9TQhwghwY0uRI0J03rzjt1U=,tag:H1SJ5+cUSEDE1E9D6W6zkw==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: nextcloud +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:06Z" + enc: vault:v1:1diL3BsHfVFs5VuUwbKUanrQjdG/oq7s1sPPNY19uFOqyVnQ67R/L/dWeMBTdkf6DS3cKWyiUWmeeGCT + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeEZwV0F1THM4T1lOU3dI + K3N4cWNtbFpWTENBVUdHaTVobDVvdzlqMEhjCmo2bk1GdFRUME9ha1lZRTk2WTFL + dUYvWk5OSU8rVkMra05oa1ZuaUt5OTgKLS0tIGxBS1FEMytTSTlvQUZ2ZU1JZnl1 + UTJKeG1NMUZVNUU2eVRtM1RaVUF2TkEKVjaEy+kEX53ytDwhT01x/jqVQpc7KUhi + AwzbMtK3YmBo80Ws3zCOdjF3olAfcmQSjZ/BX0K+7CbbHdCJvrbLoA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:40Z" + mac: ENC[AES256_GCM,data:QGcmMbDKB2mKbswhp4+oJ4GwyiodfG1cakkrZqgzrXNMjPNjMoz0oNtmkNDu0YWpQPE7BOuJpmwaVW7iYIVAL6v2QCKpKHa8PM6EdnrGkNN21cEn4xl6nJPWePuEH3ebquvO1Y7OEzLa1rP84VFY2Ohlxzc5hybcrNWof+31lnI=,iv:l9O/r2Dd+clPwUa/4TqrOrqZb7BcK0eYkQ4PCqMQp/I=,tag:JxWupYQHIpnpB591rIqJEg==,type:str] + pgp: + - created_at: "2024-06-28T08:37:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//ZwZYLsP7h+bsN8BKN9LCo6r1nf4zA0VNwqfjnO25N38K + 
dvA/s2Q7y+WhryQ148dnAqIvBuXWCroomYHTPFiWOHtCN/3mBAdSfmOpqUBQBIyy + H1zchIVp1gOXSUYesypvNemBSesfcRnd1esQFkPUSz8+Pm1gsY6vNHdSQeBTHw41 + bYZYkszSZJRMPCi06Aq7UshNu1cez+Zl+zsqzV1Q9hAkFMPTrLb20SmurUDd7+yn + KAQYXG2pweICWLO8ysXnsYkySJuC5pCJeZr5WE0JM++piqtsoZpsKua+NNtM9oq9 + GaLtPU9aHtz8e5HRyu93rBKTCCPWOP2Dv+GtpMP2ypZXL0xPve43vAr64Whc0MZj + gE0UZB0W2HCDNMtsnBWt3CfXhtVxJ2+tYiaN4qV/5uEhju0l9z4QE+/66zZqWqwF + 598//e2K+8rqUosuKi2XOkh7pBEWdtqbzUiCTeL2IzPO9ZnviI8ll072M4S5yOwy + VwjR3XjAgGRmcIuy5TcLwXrmBvEEAdxgQltPQfX/hfvFrz4Ff4rv6SuZOqyln1Sj + Zwedt7jkcyEVkuIIEBlW0tW9T8+lSJO+oI4yN40vDXQwsVuyEv3AWpMo/1ZFw+os + YqYv7gmmZmFQgmniUsNMyDc3gS5wcL4IU+xxffzCnEKSt0Bih5nYx4SV2B19RhzS + XgGm7jFFlqq/E9WWeCa9thuFGLaveglHQu5PfjQkZ7m4u0+yCsYr0ap8QnBHHTsU + tYrIdN+NOPwk2TRCxsY3oqO3Hk45ZeonWm83+XSIX0utiGpAu7xfW/XL00ruhjc= + =pQ9/ + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/nextcloud/upsert-secret-nextcloud.sh b/clusters/svc.dd.soeren.cloud/nextcloud/upsert-secret-nextcloud.sh new file mode 120000 index 0000000..addfff9 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/nextcloud/upsert-secret-nextcloud.sh @@ -0,0 +1 @@ +../../../apps/nextcloud/upsert-secret-nextcloud.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/paperless-ngx/kustomization.yaml b/clusters/svc.dd.soeren.cloud/paperless-ngx/kustomization.yaml new file mode 100644 index 0000000..330a84c --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/paperless-ngx/kustomization.yaml 
@@ -0,0 +1,40 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: paperless-ngx
+resources:
+ - ../../../apps/paperless-ngx
+ - namespace.yaml
+ - pv-consumption.yaml
+ - pv-storage.yaml
+ - sops-secret-paperless.yaml
+ - sops-secret-oauth2-proxy.yaml
+ - sops-secret-restic.yaml
+components:
+ - ../../../apps/paperless-ngx/components/istio
+ - ../../../apps/paperless-ngx/components/istio-proxy
+ - ../../../apps/paperless-ngx/components/pvc
+ - ../../../apps/paperless-ngx/components/oidc
+ - ../../../apps/paperless-ngx/components/tika
+ - ../../../apps/paperless-ngx/components/database-mariadb
+patches:
+ - target:
+ kind: VirtualService
+ name: paperless-ngx
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - paperless-ngx.svc.dd.soeren.cloud
+configMapGenerator:
+ - name: paperless-config
+ behavior: merge
+ literals:
+ - PAPERLESS_URL=https://paperless-ngx.svc.dd.soeren.cloud
+ - PAPERLESS_CORS_ALLOWED_HOSTS=https://paperless-ngx.svc.dd.soeren.cloud
+ - PAPERLESS_DBHOST=dbs.dd.soeren.cloud
+ - name: oauth2-proxy # TODO: https://github.com/kubernetes-sigs/kustomize/issues/4402
+ literals:
+ - OAUTH2_PROXY_OIDC_ISSUER_URL=https://keycloak.svc.dd.soeren.cloud/realms/myrealm
+ - OAUTH2_PROXY_CLIENT_ID=paperless-ngx
+ - OAUTH2_PROXY_EMAIL_DOMAINS=*
diff --git a/clusters/svc.dd.soeren.cloud/paperless-ngx/namespace.yaml b/clusters/svc.dd.soeren.cloud/paperless-ngx/namespace.yaml
new file mode 100644
index 0000000..4470fe9
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/paperless-ngx/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: "Namespace"
+apiVersion: "v1"
+metadata:
+ name: "paperless-ngx"
+ labels:
+ name: "paperless-ngx"
diff --git a/clusters/svc.dd.soeren.cloud/paperless-ngx/pv-consumption.yaml b/clusters/svc.dd.soeren.cloud/paperless-ngx/pv-consumption.yaml
new file mode 100644
index 0000000..61953d0
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/paperless-ngx/pv-consumption.yaml
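Review bot: `OAUTH2_PROXY_EMAIL_DOMAINS=*` in the oauth2-proxy configMapGenerator means every account the Keycloak realm authenticates becomes an authorized paperless user, so authorization rests entirely on how the `paperless-ngx` client is scoped inside Keycloak; a comment on that line, `# any realm user is accepted here; restrict membership on the Keycloak client`, makes the decision auditable. The same two keys, `OAUTH2_PROXY_CLIENT_ID` and `OAUTH2_PROXY_EMAIL_DOMAINS`, also appear in sops-secret-oauth2-proxy.yaml in this commit, so which value the container sees depends on env ordering in the base Deployment (outside this diff); keeping each key in exactly one place removes that ambiguity. The same duplication pattern is worth checking in the other overlays that carry both a generator and a sops secret.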
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+ name: "paperless-ngx-consumption"
+spec:
+ capacity:
+ storage: "1Gi"
+ accessModes:
+ - "ReadWriteOnce"
+ storageClassName: "local-storage"
+ local:
+ path: "/mnt/k8s/paperless-ngx/consumption"
+ claimRef:
+ namespace: "paperless-ngx"
+ name: "paperless-ngx-consumption"
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/hostname"
+ operator: "In"
+ values:
+ - "k8s.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/paperless-ngx/pv-storage.yaml b/clusters/svc.dd.soeren.cloud/paperless-ngx/pv-storage.yaml
new file mode 100644
index 0000000..0217ac4
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/paperless-ngx/pv-storage.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+ name: "paperless-ngx-storage"
+spec:
+ capacity:
+ storage: "15Gi"
+ accessModes:
+ - "ReadWriteOnce"
+ storageClassName: "local-storage"
+ local:
+ path: "/mnt/k8s/paperless-ngx/data"
+ claimRef:
+ namespace: "paperless-ngx"
+ name: "paperless-ngx-storage"
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/hostname"
+ operator: "In"
+ values:
+ - "k8s.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/paperless-ngx/sops-secret-oauth2-proxy.yaml b/clusters/svc.dd.soeren.cloud/paperless-ngx/sops-secret-oauth2-proxy.yaml
new file mode 100644
index 0000000..8940dee
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/paperless-ngx/sops-secret-oauth2-proxy.yaml
@@ -0,0 +1,56 @@ +apiVersion: v1 +data: + OAUTH2_PROXY_CLIENT_ID: ENC[AES256_GCM,data:tnNGJOSSGoq9/yC3KksM/8ulHCI=,iv:mhruxppM+yR7UJBer13vfVc4twsHMkxvJl+ht+YxQqo=,tag:Tc5feqnPe2dpEG5Vr0yr6g==,type:str] + OAUTH2_PROXY_CLIENT_SECRET: ENC[AES256_GCM,data:n+rWG5jkj6EOo9NkXUaxs//vHjFuqKG5QgqQnUnvmdTjscNcFQmO0iFxYd8=,iv:mih5NGnUkbfZns4eKRXWFUO8mk6D8q2cesnYjsiSAxI=,tag:zSGHTkEomt4YAjjKhf2wWw==,type:str] + OAUTH2_PROXY_COOKIE_SECRET: ENC[AES256_GCM,data:srGHrsvJ9ISzNTnRPdoQfuKp/5GEGjqBo+q1D8xZ+IJGWIDEgocdKIxZJM9vqr4bcdLrzBeX6MYm0RbH,iv:LJCCArSUvonus/uLzWkxFrynf6VeFfTy5HmTxxoauww=,tag:/sCIXwUFoo4McYe6TVNJJw==,type:str] + OAUTH2_PROXY_EMAIL_DOMAINS: ENC[AES256_GCM,data:9OIyhQ==,iv:uxvg8bGMfT6t0cS1S2ule/HczBfqQ4PrQG0AdLra9C8=,tag:e+c7UQhocMZqY+z0EkCnRw==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: oauth2-proxy + namespace: paperless-ngx +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:29Z" + enc: vault:v1:a9DavTHdAfstMs6btBZcZ/q6QWqOiQ0XumSH3Dh2jtTkGMq+fEpyPtQC1wEXQNzYHv6hAtZUnTuZ1Kuu + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUWkpvT3k4ME5LT3crMXll + QlBoNnNmbGhHUm5GRUJvSWxIc0xMNjVUcmp3Ck8yVXpXbnM4U1k3anhEa2JzT3dj + VHcybkxZdGgzWnNqTkp1NnBRWGVuejgKLS0tIHloMDRrcERoSG9nSTd2UHdiZzNw + d3d4OEM2bG81NFEvSysrUFYrNGQ4S1UKG6N+KVpOIwKrPzKLRByhCGW9ZwxfzNWj + EGSDXa3TRzy6LqM1nbKMVx8ZFVbdIfwue9gL+BCa6X3qdSzdS2tqCA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:01Z" + mac: ENC[AES256_GCM,data:/Z5ULFmOnDzhzM4HQDak84W27G+WKre5NRx8uubQydHwWzNjUbk8MI9GNmZyz2M8smGqlvD+fd15yBtMpqMuz/RXla3EDozvyWEY6K8zyC0GXKv8efn0sqiiODnuNtQqdoMv/QakVcpybqy4Ynr4Drd9zXtCsemd3yy0bZuGApw=,iv:bKolRzf3086iiWvU28R7Y5cTFP+F6cTrJMWIKqdQPio=,tag:VZ+3yb18c2WgoUm66UVCAA==,type:str] + pgp: + - 
created_at: "2024-06-28T08:37:29Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAjBoyWakw/2n+LL42+N33buk9BCun/jsk/T3xWMzEQbbF + Jh7gqfATL/smSKdZcouwjsZOS3FDQMSXZXh562qqUs+9Q78X/U9kjKCEW8AV5KDA + wbuHOirzKfsQBDj3ZYKy2lYHNnYpFNMtp6LZEAW5iDiErn4Sov21RkkprXMElZXq + FxMf+pzfw1ukCiUVvN7oTFP/jlU+I1egdHj1+sE88Pzrvuf6Yf/4/kiGFLbSf8fW + 2n0xLH/1WMMnV30LHb31IVh/zPdlESGxf3FJ9bUNk9KzakRHoQBTNiBu7SjJbGAd + BTiATV9Rq8M2A9eXG/JuOCqim+QBt8T2g+7Dto2z9w9xAQE1YTmgt1rvmhJ68e9N + ZfR3aXthfKvJY52BpMqMI2O7wu8559D6BhRwWnoK0g9PkxtZVlh+DElgEEfduf/o + mq2c0NFEP6T3n2J+HAa+VKHA+nt1aKaTRcs2Ti3gZ9rLzUSEl3q2qBR8bazhqWn/ + 1+mwkSDB4jOrsTalC/kK3E6tvz+cHvlYdevvEUQGl2/3rXEgrim4BE8aJvEnm8Wb + oX3it1FtLVwaXQKD3j9jGLIl4f4zDhGASRe1kZsqajIXgndk4Dvz2Uc+HR4srnVb + BamINl6eGqdwheSnnZWWG5mNLH/W3fee23JZZ824VO7HxsDzZ+5LuhgLib3QUlnS + XgHCmUFbXruMa9FPB++LDmz9dfmy6H4i4DlqGiqfQdX1r3IJxWESK+v5cfmw8fib + hzQUV/UuhY0wsC5iFgFxFYRhxuqRBQVOcssLfMm7/cHC7LHGqFgZ/VbV2HqqITE= + =e0VB + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/paperless-ngx/sops-secret-paperless.yaml b/clusters/svc.dd.soeren.cloud/paperless-ngx/sops-secret-paperless.yaml new file mode 100644 index 0000000..8bb1387 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/paperless-ngx/sops-secret-paperless.yaml 
@@ -0,0 +1,57 @@ +apiVersion: v1 +data: + PAPERLESS_ADMIN_PASSWORD: ENC[AES256_GCM,data:DUsiqHOrYNqYUtV0cBQdfZWhfnaO/M14vQ+CNJ57Zq2kcQTyX7jCNQ==,iv:776gV153WZHizAR/Gw1gQ3DBC0pRiBo5+BhiFIY2t2M=,tag:87f7CKo+eEPHa15EKwSh6w==,type:str] + PAPERLESS_ADMIN_USER: ENC[AES256_GCM,data:hqbxmlNA/lU=,iv:c+EH2L+SiHIs6fkPPa0uEU0SBxklzCX8cqdR8DfgTpw=,tag:VrW2WW71yCTky651q4+OIA==,type:str] + PAPERLESS_DBPASS: ENC[AES256_GCM,data:HK3rHZbltf4rU31k,iv:SNk+eiqIeo5VeOexTPorrTTNdaf+xRDEUxXYtfZmEW4=,tag:jVg7kt29mzQrG97i5WF4LA==,type:str] + PAPERLESS_DBUSER: ENC[AES256_GCM,data:YFgOB2DV32fEcMUo,iv:n38nfzsP7IB5hSs9H6TMnHuf9Nzv25DnUFONRIP9lEc=,tag:2eQpHeR4WREiHbuc7XVJTQ==,type:str] + PAPERLESS_SECRET_KEY: ENC[AES256_GCM,data:7Fw3QortD5cw9cIiAiy4W/2R5cwRQRS0MK7LhfqRePZNsvgt6JFJoFbKf9o495DPtqjX0lAgbB4GAu1q,iv:XuT9hW9HjwagGUirSWMpL1UcZCCyyDkyJswRir4zloQ=,tag:WtcLtKFBelpgh8dm6epsWA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: paperless + namespace: paperless-ngx +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:28Z" + enc: vault:v1:PFJb6TUVq/nEcw42hCHKMwnmDBvfv/WGSUu1QFFr7GNhqP/TPLEJ0had45ADp2vPNgRP8324rEGySz0v + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYVU2V0dzM0ZhaWUyTFpV + SkwzZUJCY0RlU3VVT3JJbDlCZWYrRGpyczI4CkFUSHRZZm0wM0k1aGpLcE1USG41 + bXJMWEI2c2xPbk8xNE56UkFLb1BwZHcKLS0tIFF3amMrbXFPVVZHTWVTZkNKQmIx + VElKY21PTVRncXdOYTBra0FKK2tpcGcKAI+lU9dAM3dDYLgyzvGQyBu5U2mnT5HC + hgj1RXqvOIcJEzLNSDB52wfTlY4f6kUx79Wtf+wIPQXLZRu5FQcJrQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:00Z" + mac: 
ENC[AES256_GCM,data:Eij/coLXUTJmkQWoJCnjgemWMl2owu0NY3fcLrph+RtWZzKDBJEEM7xjth+SUSHk3L1f8VoayKrFrSQf589qC6xBlnQkjdp7Tw9YawznqJHx9e8m+VN6mRpjsD0hNHwy9IJlUrXad7uYgIJaiUZ0UnuMYolqV7fA7ON/V2+j5wg=,iv:AWbms15WtXWJV1Ud+gnX+h0klpwCIbpkxXm7k22ljPY=,tag:mTiPjmI8PdvqRgN/g7CrRw==,type:str] + pgp: + - created_at: "2024-06-28T08:37:28Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//S59QiFvjbKL8enEaPLbdx9k2+f/+E+VzPi3u39zEUgMQ + eoqttsbdaccnBR6Mj7xvK57zgwpV9VoJjp+FfudWQfXKijBdPre0NDLjuYIhx9Ec + imU1c+v51cem1j4wjrVHXXFtQaDAp8GBLMYqjSAb7g8iJRbRsystxKSCWPoA/yQ7 + szuWK1nTo7XF5Gla7UNIl3temwWTi+S4Wriiv969fOnK1MeGNbg1TAQna8cdDLQL + 7OFdTJJxRq9MCI9REy6Cf5vKRnilrWiX+YK9hLZ6TvXE2T8SUvVZBH/WjS5pu75/ + 72Eu0wVsN2o3IzzO143/QnGDqM1TofnQfJDWm9pJ+MA3H7jElwM4m1yg3kTbsjtx + fKkESq5S0TURMxPWBH+7ublSctolH7attWzDgRPyB0NZttCk06DGrioeZsexGYyY + kl4/hoGtdOAPQG7HCF1vN1eLS4njU9oBMJpcv1DytwUADPzcq8x0Mi0he50u7SBy + 3JrUYxaY33HQAnQSQEjxY2qAIh0Zv+np9rsHOGvxGt97FPdLD+6MPc+JYtqHbRRd + P3Hxv8todg2CQkoAroA6PMfWpQ5Gzz/eKhAH4deXX4CWNu9rI4f3svmqve5qpHkR + uRQ3FyNCJgSZRGIMXOnQRZhKZGAn4Buf6D/EDV/RMy1nKS2+wrZSURocaFT1ZNvS + XgGfKkydqZr3YjtG4pd4sLx4EF+bMzlNJEGz9aEmnPrPK57QaE2haIUZOBOHklwj + Q1mVJqKNIeD8gpyaUppO+bmVG6F7YE65ry0KILEoHDMXY+hz5WIUmvs5raBp8l8= + =kwfm + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/paperless-ngx/sops-secret-restic.yaml b/clusters/svc.dd.soeren.cloud/paperless-ngx/sops-secret-restic.yaml new file mode 100644 index 0000000..8a5c44f --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/paperless-ngx/sops-secret-restic.yaml 
@@ -0,0 +1,56 @@ +apiVersion: v1 +data: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:6JbTOXNpp/DmB846EYsAiNaiLTJjIrxp909u1Q==,iv:kHaIAWYv4ytVS3jJ00L8xJGcFKj0Toasr68+jDRdrYs=,tag:3bEM9NN9+0CjonsqiZ6Ing==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:EbHiD/VN3O1vXakvcGKlwJWiu87JPzeasFPGb0DXsbYvppTqPoY0Jniud8Ee1dX0LB7L4BtyjkY=,iv:3Dw36+uwybT8VObPTymf05aufYKDyvx+eqgoxGYonao=,tag:QmMeZMX5iboctoNGwo18yA==,type:str] + RESTIC_PASSWORD: ENC[AES256_GCM,data:oJ3h9Ddn8k9tQa8AG4m8HHh4967lKqi4jZ2r4XsDF3AQ45Y+Pfb9lEuV5PJMB/cN3U25UDCmFzyH1UWDNrF+q9FecBk=,iv:0Uqh1xzg34Y3sdAHdc1qejKHqsTifKzca/JZUhGkVto=,tag:JmJIFFbSm8EwKF8OoSj6Tg==,type:str] + RESTIC_REPOSITORY: ENC[AES256_GCM,data:D451acJaW+7P3snAdz1O/pfzlLn9spBCjnGlU0PGdHdhRrrzpFKS30moSBQS7d6d3u79D/PaoJ9b5XTLOy7QAW+nHIF8TTHCPu7AFBx3kHYExMvz0a8wTQ==,iv:cWdAsqIROjKhlQVyrf1ElGypfL1SfsJZOQ3KKlcqd+c=,tag:Gb5VnfhTcY+gj67z7o+MrA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: restic + namespace: paperless-ngx +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:28Z" + enc: vault:v1:voj9jgjLfw4Ffg1sGSliHXcCAwcbwoE3TmeW9hrxcPKY/xd8ycnq53A8DQ4dfd+X42TX5WiQBggJvyY5 + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTUpJa1FzWFdZT3JrZGtL + aHp6dGRXeUxJaXlNbDk2eS85bms2UlVBczNnCldsemVpYm41ZnJOYng0dnJjRnV0 + ODdGTlpBUGJla2UwQ0c5UnJTaHM0RDQKLS0tIE1UWVBPdHZSZkkxTFNGeUZybE9X + WncwTVRuVlZONWxvQkNSMmVkTUdCelUKinJXblofLaFq6lztc7Pg/xKjte7wCB8x + tPjBPj5ml/8+JJ4MwJhPSaQ1JhcLXxorrs4Ii7DV+cEE9VnSI4pSOw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:21:00Z" + mac: 
ENC[AES256_GCM,data:t7SiwEH7cKDfGk58V6jH6YFokjL8Za1EJz8v9q11MganjS5i2fX4AM4qucdN4MuujD2Xow4jOx2BptuEVrHcCbXcyp9Ay76hENTYMGVQZi5AF80QcrebIr/tK9oOGPuvy+ZYegkTAauuzL1s6U4C859h5CnIAtZ9NUlOvVyN+Uk=,iv:uEk7ISyZZnsCWPFL07G0nIiy/Kxey+RIXygMdh8YY8I=,tag:NfOSjItmAwd58YE1/0w2JQ==,type:str] + pgp: + - created_at: "2024-06-28T08:37:28Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/7BCIUf2VHM7Jrz6cgDzTvR72OTTPadM7y4UPnJF9YZrtt + NSlirnqhuQGu/HEpgP3qVySCMnMKwBMcqNvEY0NdKXZLDC9q7Fimyhc6NdDlZW+z + wigeJvxnGtPGCGGp8hiF9frEzmMI+ANLtZkZ0NPUql2y72RYLjjjhQILbfYweTGi + Q+H18N7k1Huxz/i41kB4G4s1YB7tl2+SgRK6PgCUIvovlTYQX9EPsJBjn3bmf6wL + +4JKKIdEw65s9GFLKotRjVrqYafbUV8/lJJBPvq0MDMKFll/1ccUQ97STooYTAfb + 4RLQRTN2TplxAOTfqAJ5y6ybhgiQ3fVZ5rZ8kwj6KU/b74MjvI6/IIqHkJIo+a5O + vkNjjJ9G6etlL8e2jaJvreTcNHcboB+wTYpKQ8LNFoi+NtGlTHx82m7k6egKcuX9 + 2gA1rgO32oS+cDalH/rFdiILZB4M+Z3jE7LasV3bDsaDU3up+uwo1MIChXLJJ4uh + Kq34rhvJzyG8HoWHFpE00fVznydauQBt2NrN4lVrk5nl1lWZgR2jb0pJQTI/Nzmy + roPgj9tI9df4hPP4s9FWP/80qdNtQJymSQLbXpMShtMRpD1UT8Jj/1uWF8M3lgUh + DF1hNYCTlnQFIDTkJyxi7yyFuTihlgT3X90bsnS2fXa8pw+Z+NHT7wFwvxl7QkvS + XgHHxoL3xEc3mYE/DIy0+TWnZIEgEjAetf9Fvem6yohV1WE+2zjWpJBU3W89otWU + HmkIEEqGzCdDu+d28zgU1qz6CZv/uNPEZo59X8q/YeCdjCn+eEIdauxOSnT+Vl4= + =PjV0 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/paperless-ngx/upsert-secret-paperless-ngx-oidc.sh b/clusters/svc.dd.soeren.cloud/paperless-ngx/upsert-secret-paperless-ngx-oidc.sh new file mode 120000 index 0000000..d75affe --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/paperless-ngx/upsert-secret-paperless-ngx-oidc.sh @@ -0,0 +1 @@ +../../../apps/paperless-ngx/components/oidc/upsert-secret-paperless-ngx-oidc.sh \ No newline at end of file 
diff --git a/clusters/svc.dd.soeren.cloud/paperless-ngx/upsert-secret-paperless-ngx.sh b/clusters/svc.dd.soeren.cloud/paperless-ngx/upsert-secret-paperless-ngx.sh
new file mode 120000
index 0000000..f8d1022
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/paperless-ngx/upsert-secret-paperless-ngx.sh
@@ -0,0 +1 @@
+../../../apps/paperless-ngx/upsert-secret-paperless-ngx.sh
\ No newline at end of file
diff --git a/clusters/svc.dd.soeren.cloud/rabbitmq/20-cluster.conf b/clusters/svc.dd.soeren.cloud/rabbitmq/20-cluster.conf
new file mode 100644
index 0000000..5461969
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/rabbitmq/20-cluster.conf
@@ -0,0 +1,2 @@
+cluster_formation.peer_discovery_backend = classic_config
+cluster_formation.classic_config.nodes.1 = rabbit@rabbitmq.svc.ez.soeren.cloud
diff --git a/clusters/svc.dd.soeren.cloud/rabbitmq/kustomization.yaml b/clusters/svc.dd.soeren.cloud/rabbitmq/kustomization.yaml
new file mode 100644
index 0000000..91cdf35
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/rabbitmq/kustomization.yaml
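Review bot: `cluster_formation.classic_config.nodes.1 = rabbit@rabbitmq.svc.ez.soeren.cloud` lists a peer in the ez domain inside the dd overlay, and the only RabbitMQ host this overlay establishes elsewhere is `rabbitmq.svc.dd.soeren.cloud`; this looks like the same ez/dd carry-over as `NC_TRUSTED_DOMAINS` in nextcloud.properties in this commit. If joining the ez broker from dd is intended, a comment such as `# intentional cross-site peer: dd joins the ez cluster` keeps the next reader from "correcting" it; if not, the entry should name the dd node. A peer that cannot be reached would presumably show up as repeated peer-discovery failures at startup, so the mistake is noisy but not fatal, which is exactly the kind of thing that lingers.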
@@ -0,0 +1,52 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+namespace: "rabbitmq"
+resources:
+ - "../../../apps/rabbitmq"
+ - "namespace.yaml"
+components:
+ - "../../../apps/rabbitmq/components/istio"
+ - "../../../apps/rabbitmq/components/istio-proxy"
+ - "../../../apps/rabbitmq/components/tls-server-cert"
+ - "../../../apps/rabbitmq/components/cluster-tls"
+patches:
+ - target:
+ kind: "StatefulSet"
+ name: "rabbitmq"
+ patch: |-
+ - op: "add"
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: "RABBITMQ_USE_LONGNAME"
+ value: "true"
+ - target:
+ kind: "VirtualService"
+ name: "rabbitmq"
+ patch: |-
+ - op: "replace"
+ path: "/spec/hosts"
+ value:
+ - "rabbitmq.svc.dd.soeren.cloud"
+ - target:
+ kind: "Certificate"
+ name: "rabbitmq"
+ patch: |-
+ - op: "replace"
+ path: "/spec/commonName"
+ value: "rabbitmq.svc.dd.soeren.cloud"
+ - op: "replace"
+ path: "/spec/dnsNames"
+ value:
+ - "rabbitmq.svc.dd.soeren.cloud"
+ - target:
+ kind: "Certificate"
+ name: "rabbitmq-cluster-tls"
+ patch: |-
+ - op: "replace"
+ path: "/spec/commonName"
+ value: "rabbitmq.svc.dd.soeren.cloud"
+ - op: "replace"
+ path: "/spec/dnsNames"
+ value:
+ - "rabbitmq.svc.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/rabbitmq/namespace.yaml b/clusters/svc.dd.soeren.cloud/rabbitmq/namespace.yaml
new file mode 100644
index 0000000..ec56aeb
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/rabbitmq/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: "Namespace"
+apiVersion: "v1"
+metadata:
+ name: "rabbitmq"
+ labels:
+ name: "rabbitmq"
diff --git a/clusters/svc.dd.soeren.cloud/radicale/config-cm.yaml b/clusters/svc.dd.soeren.cloud/radicale/config-cm.yaml
new file mode 100644
index 0000000..144b994
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/radicale/config-cm.yaml
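Review bot: The `rabbitmq-cluster-tls` Certificate is patched so that both `commonName` and `dnsNames` carry only the public name `rabbitmq.svc.dd.soeren.cloud`, while the same overlay sets `RABBITMQ_USE_LONGNAME=true` and 20-cluster.conf addresses the peer by a different host; if the cluster-tls component (outside this diff) enables hostname verification for inter-node connections, the certificate would have to cover the names nodes actually use to reach each other, not just the ingress name. Either add those names to `dnsNames` alongside the public one, or leave a comment on the patch noting that peer verification is not hostname-based. The public `rabbitmq` Certificate patch is fine as written for the VirtualService host it matches.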
@@ -0,0 +1,50 @@
+---
+apiVersion: v1
+data:
+ config: |+
+ # -*- mode: conf -*-
+ # vim:ft=cfg
+ [server]
+ # CalDAV server hostnames separated by a comma
+ # IPv4 syntax: address:port
+ # IPv6 syntax: [address]:port
+ # For example: 0.0.0.0:9999, [::]:9999
+ #hosts = localhost:5232
+ hosts = 0.0.0.0:5232
+ [encoding]
+ # Encoding for responding requests
+ request = utf-8
+ # Encoding for storing local collections
+ stock = utf-8
+ [auth]
+ # bcrypt requires the installation of radicale[bcrypt].
+ htpasswd_encryption = bcrypt
+ # Incorrect authentication delay (seconds)
+ delay = 2
+ # Message displayed in the client when a password is needed
+ #realm = Radicale - Password Required
+ [rights]
+ # File for rights management from_file
+ #file = /etc/radicale/rights
+ [storage]
+ type = multifilesystem
+ # Folder for storing local collections, created if not present
+ filesystem_folder = /data/collections
+ # Delete sync token that are older (seconds)
+ #max_sync_token_age = 2592000
+ # Command that is run after changes to storage
+ # Example: ([ -d .git ] || git init) && git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)
+ #hook =
+ [web]
+ # Web interface backend
+ type = internal
+ [logging]
+ level = info
+ # Don't include passwords in logs
+ mask_passwords = True
+ [headers]
+ # Additional HTTP headers
+ #Access-Control-Allow-Origin = *
+kind: ConfigMap
+metadata:
+ name: radicale
diff --git a/clusters/svc.dd.soeren.cloud/radicale/kustomization.yaml b/clusters/svc.dd.soeren.cloud/radicale/kustomization.yaml
new file mode 100644
index 0000000..0c99b38
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/radicale/kustomization.yaml
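Review bot: The `[auth]` section of the embedded Radicale config sets `htpasswd_encryption = bcrypt` but never sets `type`, so unless the base Deployment passes the auth backend on the command line (the base is outside this diff) Radicale runs with whatever its built-in default backend is and the bcrypt setting, along with the users file the kustomization mounts at `/etc/radicale/users`, is inert. Stating it explicitly, `type = htpasswd` and `htpasswd_filename = /etc/radicale/users`, makes the ConfigMap self-describing and independent of image defaults. Likewise `[rights]` only carries a commented-out `file`, leaving the rights backend at its default; a `type = owner_only` line, or whichever policy is intended, documents that choice where the next reader will look for it.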
@@ -0,0 +1,62 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: radicale
+resources:
+ - ../../../apps/radicale
+ - namespace.yaml
+ - pv.yaml
+ - config-cm.yaml
+ - sops-secret-radicale.yaml
+ - sops-secret-radicale-restic-pvc.yaml
+components:
+ - ../../../apps/radicale/components/istio
+ - ../../../apps/radicale/components/istio-proxy
+ - ../../../apps/radicale/components/pvc
+ - ../../../apps/radicale/components/restic-pvc
+patches:
+ - target:
+ kind: VirtualService
+ name: radicale
+ patch: |-
+ - op: "replace"
+ path: "/spec/hosts"
+ value:
+ - "radicale.svc.dd.soeren.cloud"
+ - target:
+ kind: Deployment
+ name: radicale
+ patch: |-
+ - op: add
+ path: /spec/template/spec/priorityClassName
+ value: prod-default-prio
+ - op: add
+ path: /spec/template/spec/containers/0/volumeMounts/-
+ value:
+ name: config
+ mountPath: /config
+ - op: add
+ path: /spec/template/spec/volumes/-
+ value:
+ name: config
+ configMap:
+ name: radicale
+ - op: add
+ path: /spec/template/spec/containers/0/volumeMounts/-
+ value:
+ name: users
+ mountPath: /etc/radicale/users
+ subPath: users
+ - op: add
+ path: /spec/template/spec/volumes/-
+ value:
+ name: users
+ secret:
+ secretName: radicale
+ items:
+ - key: RADICALE_USERS
+ path: users
+configMapGenerator:
+ - name: radicale-restic-pvc # TODO: https://github.com/kubernetes-sigs/kustomize/issues/4402
+ literals:
+ - RESTIC_HOSTNAME=svc.dd.soeren.cloud
diff --git a/clusters/svc.dd.soeren.cloud/radicale/namespace.yaml b/clusters/svc.dd.soeren.cloud/radicale/namespace.yaml
new file mode 100644
index 0000000..d5eef3c
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/radicale/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: radicale
+ labels:
+ name: radicale
diff --git a/clusters/svc.dd.soeren.cloud/radicale/pv.yaml b/clusters/svc.dd.soeren.cloud/radicale/pv.yaml
new file mode 100644
index 0000000..626324e
--- /dev/null
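Review bot: The users file is mounted with `subPath: users` from the `radicale` Secret, and Kubernetes does not refresh subPath-mounted files when the Secret changes, so a rotated `RADICALE_USERS` only takes effect once the pod is recreated and the running instance keeps accepting the old credentials until then. Unless the base Deployment carries a Reloader annotation (reloader is deployed in this commit, but the base is outside this diff), either add a comment on the mount, `# subPath: secret rotation requires a pod restart`, or mount the Secret as a directory and point `htpasswd_filename` at the projected file so updates propagate without a restart. The `config` ConfigMap mount at `/config` has no subPath and does not share the problem.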
+++ b/clusters/svc.dd.soeren.cloud/radicale/pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+ name: "radicale"
+spec:
+ accessModes:
+ - "ReadWriteMany"
+ capacity:
+ storage: "512Mi"
+ storageClassName: "local-storage"
+ local:
+ path: "/mnt/k8s/radicale"
+ claimRef:
+ namespace: "radicale"
+ name: "radicale"
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/hostname"
+ operator: "In"
+ values:
+ - "k8s.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/radicale/sops-secret-radicale-restic-pvc.yaml b/clusters/svc.dd.soeren.cloud/radicale/sops-secret-radicale-restic-pvc.yaml
new file mode 100644
index 0000000..d573a10
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/radicale/sops-secret-radicale-restic-pvc.yaml
@@ -0,0 +1,56 @@ +apiVersion: v1 +data: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:+1YHCLVkY8DRWe/gGnOjB4/ihO+j8ZC5bgvhag==,iv:5ueHjAcMbZDh4p5unrTO18brDs+tgcub2j5/Gm0t+mA=,tag:5uvvlMiFEqKYie3WkhPr/w==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:GnGjSqnSd+dJ87818zPYPeim2iIjUX96WpY98fdBNmjAIV39W0pwH7zMdKoMqdKT6Kao0Yzjqe4=,iv:ynBJaVKPR943nlIV/AGrrnGy1t64vhrZEeIiJRkUids=,tag:2TEGwwcOZfdc33N+qM8fRA==,type:str] + RESTIC_BACKUP_ID: ENC[AES256_GCM,data:y21CDER4B+JHPTIf,iv:KsC+4Hwr66g4R8LdrkxaZmkKkJ28Ge0ov48/oISFTjg=,tag:F5bqQDXjlrKPHu5paJvtaA==,type:str] + RESTIC_PASSWORD: ENC[AES256_GCM,data:9Rbq5DESX50yqW5qqBLwlhU+Hc4CJwhg5gUsSDEiGycNq53uNV2vsQQM1ZY2r3gjKHznw/WxeVpTzNP9iEYNjPN59fI=,iv:sAhggwY5iedCuSjG4ODtKR3swE8K4nIrXbABMGw3F2g=,tag:JkoA5S3ubHa2jT3mmVYCMA==,type:str] + RESTIC_REPOSITORY: ENC[AES256_GCM,data:TGkPEN/xDlGNJBNvXx3ctt+AkpWvF4kQGWz84p6zmZ9uwLk/3WFFEvkvFQI8JiwY3wC0lx1hsFLQ3IkcI1Zuhu2kCsB70k/fLmwHqT2szRg=,iv:XCbBcoNIYwvSC63H5Yzk76G28i47glQ0CF1e3lcpNDU=,tag:7bs3RLBLiFWElC4wJrpXPQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: radicale-restic-pvc +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:08Z" + enc: vault:v1:ZBU2ql5fIHC6fXpLCD40PjoO6smWNYK9vFg/QKa+w61KiUpvIqNjesLvoET0iEMi3hM9UpPApN1UKDB8 + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDb1VtdkZyMDNDa2RhVWhK + c2hMbzFFUXRiQ1h0Zy9TbjJBMVQycG54MkZNClZSWWNnSW5GNXJGN2dIMFlzeGtq + eSs3d1g0RERCSDYzTlpBNnNXeHNUdm8KLS0tIHlsYWdlWlB0eDVjYWVldEUrMktD + N3RNQUtORnVGeW1pZ3Y2Y1Ria3VUaXcKJsdT1DwNpYGLcgsTxV8vDiXsG288Xjuv + vNLFZ6geVyl7MFNbFuNllF1QbkwaMIfv80UqJg8WgNbJKJx6CScj5Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:42Z" + mac: 
ENC[AES256_GCM,data:lqCqDcEon76sMwry794nk+jxHNQpSMYYkx8cjI1uxOiVVAAeiZZPjp9mmTTePrJ2HxyYuOCh7mk/bZ8NZV0v3QrgPjt6X9XaHA7sFpQ8SDNsS2vxbPG1C1AdVb9GXCgOvpy0iEEv2WpxUzlXdczlOgyqrOGuigxJd6qc0c3lujQ=,iv:1GqozK6Hkl3Fg9nPoRk0b1mgMfOAyY+SZ7SWGMETync=,tag:EZTR6+dOnIBMJ+UXL7gu7A==,type:str] + pgp: + - created_at: "2024-06-28T08:37:08Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAh5cH0yocfI0z2MpG7WlBFEyijJuOO6YER2gPfq6QTs5J + D5l1zVqmzu+oL33oA9kcXvRfaHr0/ivf73U2kGp71noxzYj0NKs1pjUUK+nS0KBv + 6RNKSDoXAirsf3N5uN2Gjv27ZoYX2oIrXnJFf4rfuWHR1MTxeGOk/IEpUzKUUNfS + On1lC+f8We8uneA5AOY2XAJGzn4+fMdSk5IB+oUEZLXw+pVlVR0pANnmQZp5uJN1 + 6PgmmduniR+bw8bsSpa1Fxs97CEzeM8xqmbGkjDkBmJ20AiAwrxxknVxvh3lb7/D + 1QdMkFE0zprvqwN6FLhlqGhD5DqTTYoRAbFzGkmD3zdq0SJRnrm/tTjjD5AIKqKw + QzAEBjmIPgb4iE9RsCfHnd1LxttkR+HusPzyxk6TCjdJFPugPd6GJu1xAjz/3l87 + CIuF/uP6DpIIKoTz0SVecsC0a1N1FRQhDBabjZoNjgZ14w2BKexPwIna1Uj/4O7N + mY4oOApr+Scm9AD0ohVj/bUvt8uA8ychUBFpQ4zrggMLAvKVkqnYEMaQoHxhjgYu + EoM+iHhZw+VnT98h7Teg6M0GJPPGRnAR8xUTLYf3Ku9NVJbe9tA/ku5dsSasBmG+ + +AlFvnmyg2SdAqC/b3EWwm2VUGOB58TOwfCOYtprAfIdYUL3pfPKNqZHILqShDHS + XAF8LiCsu/fXGG5nZEmpgA2tM+rA+D1HNrfU5H4YZehNTJVe3tzHLHPvcaZkwtNW + NutpXTB1j++HudKZwoUKDgNPYtD8mYJsM3XKBXpBwT5N9pqXSriBdY3e84Gy + =rbXt + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/radicale/sops-secret-radicale.yaml b/clusters/svc.dd.soeren.cloud/radicale/sops-secret-radicale.yaml new file mode 100644 index 0000000..d157cd6 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/radicale/sops-secret-radicale.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + RADICALE_USERS: ENC[AES256_GCM,data:Ri468E9Gh+eDlUkhM5YNLGHWjXDTer/731cYpFprkBdkBp5GAPSBR5g8Zo8cOzd+IGiKO4g2se4YRzEfhWwpXSSOOxPu0HDom0o4G6Iq7AQsgnBzpjUpKuWBsK8=,iv:Q4g9uL6Kkwtm/wF51MwfM59H0Sn/7+g4t5qG5TcWYMY=,tag:+VrEhIfLKcyqaFs2xffi+A==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: radicale + namespace: radicale +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:09Z" + enc: vault:v1:c0UfYJLwgywM3HNRJ5OLY9R8zPH9S+QRFsiub/kA0PGA3W0RmNhufIvySoL4phVVw1CdTG9B48Hp7qOU + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyYTFvaHBpMnk3OXNMeitq + eS95MXV6YVoxd1dQYXhoQmY1bkFab2liL0NnClVHRkVnNVY0Q0R2MzFqWHo1TDdI + aWN5VzBqSE9uYVhFa2hzaFprMHVteG8KLS0tIFZYZ0FtTEh2dmZzTGVFcWtkS3Jm + dDIwdTVMYitPN1pUZ0R5TEdqeDNYaWMKkFoCe+D3WeRpgmT1HKloejicyjp9mF9U + C8C3gzDWVH0spIGZrCJxMhUTBWIYdFm0IhN+V1cigF8DRzfQCHaOFA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:43Z" + mac: ENC[AES256_GCM,data:5ICx6bgwZ11Y+bUs0N11DX6BDnKkdcReTUGhrD9pnap7sCX8YJFAppFX62ghq7CKshYD5xoFgNMdSm/9juXW5PxKhEU1YXWMTy4yQXbsNfc4/FN/+WoxGk27f0Zki9bPYL918zwcggLLmAUyIocerVE8H1kuPAq9DuJhhbJkIbQ=,iv:OIKznX+QgQ44LJ2LzGnf/bZcIb38780EE1TB7iS5fiw=,tag:xtsNjYD1BwASvq405To1Dw==,type:str] + pgp: + - created_at: "2024-06-28T08:37:09Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//a9iXc8EJzjGaqwc0LG28+OB2Khq+6+TQLHxWJP5F8i4g + jBfx7bb1iRp8ws0UULlypa34FGWFFm0QFnX7yXCOT/FIxj9c8Gs8LUFzvTBUJoHS + agJJnsheuP8ZZxjnA8hcelpue0hLTPMRc3cQ0lH6n5Jf+7+NkCuEF4mFjle7RoQ4 + JmnXZFPyVAApZstefyDdEh3wb1nK3MvEmQyVn3+GVMLe6R/n5kWcL18zIp6PVNI+ + oUmOw2pjs8y+lS3NahYpO3wfBveU3qJLM2ChsEioBz6aWjqqFsRjGIjt7PaJvAyM + JRI6xv78kQSxvOSdl4INGN1NxkFfdVILO9GC++A9e8fW7P9IZ5swWDAibXTQDeNH + 
kKZJ0+stYKTeCqEwtkZ1RrGLsaZeGrTXQojTk9u8bAC8Vi1vMOBWbVjF65DUsURA + RRk1f1yR4IYXbGhwl4Wj1BoWIhKSBuA/Dw2lbRCij5oSH3LDoShSGKQnX3LkTH7U + VjIyrXCI/kzxpJYCEWgtulE70vMoiqkbs3zKGiL+QjV0HoboAOv8TTZGyHlcVHsm + s+IkYwXFEWBU0ot/mjTaB99JJ+F5qGz70K5e40CHd5pz18XoJirsnvafQ6yWI91y + wRD001plVOccJ4mH328Nz5h3uQLfJkUOlImrW7BAbXL2OZlTB0SA9nmghx2z6jjS + XAG1ojmdkOTKjyOPT57j1SR3v2Iv/NlRcpAG/s70moVE8Vx13gH78nVKQXN/Jekn + Ok58sxjAUC7sHWaUzEB+Qrx27XgyIpOn+p4tA1ldvWbZb6v99WgzADl9IYB5 + =j3C5 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/radicale/upsert-secret-radicale-restic-pvc.sh b/clusters/svc.dd.soeren.cloud/radicale/upsert-secret-radicale-restic-pvc.sh new file mode 120000 index 0000000..3514ce5 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/radicale/upsert-secret-radicale-restic-pvc.sh @@ -0,0 +1 @@ +../../../apps/radicale/components/restic-pvc/upsert-secret-radicale-restic-pvc.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/radicale/upsert-secret-radicale.sh b/clusters/svc.dd.soeren.cloud/radicale/upsert-secret-radicale.sh new file mode 120000 index 0000000..5967fc9 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/radicale/upsert-secret-radicale.sh @@ -0,0 +1 @@ +../../../apps/radicale/upsert-secret-radicale.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/reloader/kustomization.yaml b/clusters/svc.dd.soeren.cloud/reloader/kustomization.yaml new file mode 100644 index 0000000..7c04773 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/reloader/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: reloader +resources: + - ../../../apps/reloader + - namespace.yaml diff --git a/clusters/svc.dd.soeren.cloud/reloader/namespace.yaml b/clusters/svc.dd.soeren.cloud/reloader/namespace.yaml new file mode 100644 index 0000000..0ea8932 --- /dev/null 
+++ b/clusters/svc.dd.soeren.cloud/reloader/namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ creationTimestamp: null
+ name: reloader
+spec: {}
+status: {}
diff --git a/clusters/svc.dd.soeren.cloud/renovatebot/kustomization.yaml b/clusters/svc.dd.soeren.cloud/renovatebot/kustomization.yaml
new file mode 100644
index 0000000..744a27c
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/renovatebot/kustomization.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: renovate
+resources:
+ - ../../common/renovatebot
+ - sops-secret-renovate.yaml
+patches:
+ - target:
+ kind: CronJob
+ name: renovate-github
+ patch: |-
+ - op: add
+ path: /spec/timeZone
+ value: "Europe/Berlin"
+ - op: replace
+ path: /spec/schedule
+ value: "0 1 * * *"
+ - target:
+ kind: CronJob
+ name: renovate-gitlab
+ patch: |-
+ - op: add
+ path: /spec/timeZone
+ value: "Europe/Berlin"
+ - op: replace
+ path: /spec/schedule
+ value: "0 10 * * *"
diff --git a/clusters/svc.dd.soeren.cloud/renovatebot/sops-secret-renovate.yaml b/clusters/svc.dd.soeren.cloud/renovatebot/sops-secret-renovate.yaml
new file mode 100644
index 0000000..cc5936e
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/renovatebot/sops-secret-renovate.yaml
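Review bot: The renovatebot kustomization sets `namespace: renovate` but, unlike the reloader kustomization at the start of this line, lists no `namespace.yaml` under `resources:`; if `../../common/renovatebot` does not create the `renovate` Namespace, the two CronJobs and the `tokens` Secret from `sops-secret-renovate.yaml` have nowhere to land and the apply fails. The directory is named `renovatebot` while the namespace is `renovate`, which makes the omission easy to miss. If the Namespace is intentionally created elsewhere, a one-line comment such as `# the renovate Namespace is created by ../../common/renovatebot` saves the next reader the lookup.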
@@ -0,0 +1,54 @@ +apiVersion: v1 +data: + RENOVATE_HOST_RULES: ENC[AES256_GCM,data:nr+xnHIXgJ1HS22m+cVJIUH8HtqG3y3/wmmmNfM/rQZrw/gN0qVUkVIIO0Av6sW3CWU8sRL/94+TjMQ50lotuLhaAv8TD2/YNZyZA6SB9O9TKkb4tXnZuOIgNrsC2wDFm1PI6z4/8nynR6VJwz7+ahGdnbHW3WxlsVtvSKFmY3foYePGj5EoAkauu3S/lCNmqIdSLWbEhrrs46oE7c8D8UM67onoIiIqJMfmnYp/9H5oJIN8,iv:7i89dlrpsVHA5eKzeQLSPmzB19qVI/N8SMazv39ocQo=,tag:Zdf3C49e8porsPEKIWQXrg==,type:str] + github-token: ENC[AES256_GCM,data:tnRVSzZq3s6AEt2w/3dAogk5bjE+k8q5EdGvuCoBogFfD0XiZ/ZgK4YigOBGy/nt/E9WR+ubC5A=,iv:sVPDCetT8FstGx4Kk0OW6BQ5bp2l7bop006sGTJKi9Y=,tag:Brjnt71+wzQ5AutK67fe2g==,type:str] + gitlab-token: ENC[AES256_GCM,data:3m1o56G6hP3rqTXdd0WCHUlPpOjbjyRPXOSbJjGJW0fbPB+P,iv:0GIdy10ViDIRLbfPGqx4vPWl8bwqG2Xt7Z94IUMVD1o=,tag:hmptIdjV3tgBxnar4Ar/zg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: tokens +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:16Z" + enc: vault:v1:eKzcnS8Hl9ewOu4VNnw/NE1g8AQ5g/960jTPuiZ38/XUYHLZQJKS04sg1Hf9wDQz2umMzaIvw0i54Elo + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4ZGo0eEpxRlhSdm9PR21x + R0xwTlJYckRQdlh3K0lVWXFNblRpQXVIUzNVCkliTG4xV1IzWjZsS2V6T0Jjcnp1 + S0ZkWmNtQ2JZdDJSVmJyRnEySlpxVE0KLS0tIGZFa1V3b1ppWHR4YWNyZ3lJOTl3 + UDEya2ozMjhKMUJRb2ljY0Z5OVdtY1EKLilWslSBwt7A2OUIwjGFVDf/HyruhB18 + iuyy/x2D5U/FjynuX1PMjyVKtIMBZ8QM6K12/CM7Iy0WZZ1neGavlQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:52Z" + mac: ENC[AES256_GCM,data:eSi4qqYt+Oi68muZgapCFC841XxfmVEQJVOknWPCOnXGAdYXBfJyqHL9g5cKw+hiCCZUo5RnBm+tSufWWBZuGAirxLeqElTsNy+D1GJGFmvc+jPDuyBou2t5ZkoUX+JSmqTavxnurtt+UXW3DGjROTQNoKayQJBaNwREuZTVcRQ=,iv:Gb/7FqA7XzmZlxVAbUmH1LUOUzbZjviDpkZIZyiwec0=,tag:UUt/Hvnln6lzg2pnu/hP7g==,type:str] + pgp: + - created_at: 
"2024-06-28T08:37:16Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/9F8e4C94+kw+sRQ+nN8et7sWTiUEELD9JKCmD85EsV5OC + aXq5SuY8JYWHG1+3szgI9vg5fNlAjrlKXS9VRBG+EBr5oO3LNuOM2HJgpipM86US + C0oHBuu5F4NiRPW0rIlcc6qkvfbf3eENGtkxCD5zLzhtG47+WOaSrv9i9zTaYXWm + D3OSZc1Iy0XyyVl8kSYmjol2zqcP9KM1Z+l7xr3mJjlrszjoozgNjQQwbX8XpQml + 6f60N2+AvqtpUBs7bWlJI8lHg1fjc42QogXhJRDyB3ZzCkdl/hwgRgb5RW9T/HWo + k9WpXG/G9zdaVzmYwWd7qEsvML0NT3FdAteaUOAtzaq+kVC5ttjqUjIq4qShqr4S + bqjwFnAPVFVqyGB75RJYHzeEb5nWMsJqKRwTThTkqMaCfvA61GAk0HOfEbw6XeqU + fvi4qx/rXEaVgNaDmlvcQkY7AiWnTtnaW+0uaPozFK1eO2ATv0N21uNu9mzaaMFN + FLQkobJcaBbpyZGJDCQODYN8tklaqCwZ8HAF5EU8atZX5zUui4aCmM5jBz/PIwsM + mIgnQv4Salq1yXu3MwebCC9wcte4EISbtqCmS+EDCjiwog3X2duk6WY4xs8YwRUQ + hVD7x9GqkeDw5ajZE+pVKoVmccucRck1arp0KqDhVgdZGOs+3undSZ4Q0Lfp/RrS + XgEFN0PURWEILVRfSlPKy4idwacRBVsVLlegvZ+OQf4m6nICBpgvPXGehoNKuXJ8 + 2v9EdvqhQRLJAwNvUKJlxL9XMwNARjLHlyacmgARpMFh9GPcQBAzfHP6w2T3BPE= + =3d7B + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/taskd/kustomization.yaml b/clusters/svc.dd.soeren.cloud/taskd/kustomization.yaml new file mode 100644 index 0000000..f9e42dd --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/taskd/kustomization.yaml 
@@ -0,0 +1,38 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: taskd
+resources:
+ - ../../common/taskd
+ - namespace.yaml
+ - pv.yaml
+ - sops-secret-taskd-restic-pvc.yaml
+components:
+ - ../../../apps/taskd/components/pvc
+ - ../../../apps/taskd/components/tls
+ - ../../../apps/taskd/components/istio
+ - ../../../apps/taskd/components/restic-pvc
+configMapGenerator:
+ - name: taskd-restic-pvc # TODO: https://github.com/kubernetes-sigs/kustomize/issues/4402
+ literals:
+ - RESTIC_HOSTNAME=svc.dd.soeren.cloud
+patches:
+ - target:
+ kind: "Certificate"
+ name: "taskd"
+ patch: |-
+ - op: "replace"
+ path: "/spec/commonName"
+ value: "taskd.svc.dd.soeren.cloud"
+ - op: "replace"
+ path: "/spec/dnsNames"
+ value:
+ - "taskd.svc.dd.soeren.cloud"
+ - target:
+ kind: "VirtualService"
+ name: "taskd"
+ patch: |-
+ - op: "replace"
+ path: "/spec/hosts"
+ value:
+ - "taskd.svc.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/taskd/namespace.yaml b/clusters/svc.dd.soeren.cloud/taskd/namespace.yaml
new file mode 100644
index 0000000..d97c146
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/taskd/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: taskd
+ labels:
+ name: taskd
diff --git a/clusters/svc.dd.soeren.cloud/taskd/pv.yaml b/clusters/svc.dd.soeren.cloud/taskd/pv.yaml
new file mode 100644
index 0000000..4e46d7a
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/taskd/pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+ name: "taskd"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ capacity:
+ storage: "1Gi"
+ storageClassName: "local-storage"
+ local:
+ path: "/mnt/k8s/taskd"
+ claimRef:
+ namespace: "taskd"
+ name: "taskd"
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/hostname"
+ operator: "In"
+ values:
+ - "k8s.dd.soeren.cloud"
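Review bot: The `# TODO` on the `taskd-restic-pvc` configMapGenerator cites kustomize issue 4402 but not what the issue forces; presumably it is the reason the generator lives in this cluster overlay rather than in the `restic-pvc` component it belongs to, and the comment should say so, e.g. `# TODO: move into apps/taskd/components/restic-pvc once kustomize#4402 is resolved`. Separately, the `pv.yaml` hunk on this line sets no `persistentVolumeReclaimPolicy`; a PV created directly like this defaults to `Retain`, which is what you want for a host path holding taskd data, but stating `persistentVolumeReclaimPolicy: Retain` explicitly documents that the data is meant to outlive the claim.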
diff --git a/clusters/svc.dd.soeren.cloud/taskd/sops-secret-taskd-restic-pvc.yaml b/clusters/svc.dd.soeren.cloud/taskd/sops-secret-taskd-restic-pvc.yaml
new file mode 100644
index 0000000..d9a7f00
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/taskd/sops-secret-taskd-restic-pvc.yaml
@@ -0,0 +1,56 @@ +apiVersion: v1 +data: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:8P8casf7D+VlajR5VHyQ8ryfcOr1ZWbGqHbLIw==,iv:7VknPN1CyeuH9937NHE9zuwnSBv3xCVklTkEG8ZAy0A=,tag:JhHX8LYdADeix2XPsTANWA==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:D0tyHcZAgkgY3gGOwPEeuy8zvUgR54v2rrNCzTZpw54dcHKlYvfflUO+v1lGK31/7iNXC8jQuGM=,iv:prrpFss61TTWagy8koPTuFq/Ntqe5H7QZvVjKazqvAc=,tag:9ANapoPRDhC8Ee/eR/Z75w==,type:str] + RESTIC_BACKUP_ID: ENC[AES256_GCM,data:qpqskrE8tDw=,iv:01Xh4CLIOcKCH+KtZUAHF7lUzQdONNYsP0sZlLoqHGE=,tag:rQFncDhcm8kHvXk3C1uc9A==,type:str] + RESTIC_PASSWORD: ENC[AES256_GCM,data:KbXZmBRQSs99Xce+b5Lm1E/AF9IwQyYtuiZtdV9OYgkhn96zFzYgncFfOArmYOMxZK13GDnXSq4=,iv:OOBIvz1nUSzrZJp14qudRdb3lrgFh8RlrFyf19uAjrc=,tag:6cwaXkL/pUAGjiDzore7qg==,type:str] + RESTIC_REPOSITORY: ENC[AES256_GCM,data:FVw2g/gjP+QHl/rOCRotwKX/3uo7y2DlgpFzG2sqSicJdVoQjVSxziynE2B5CrJJ6OT9cxKeGptRz8RV14vtCxoX2c9xxjr7xG0+wg==,iv:qYQEEIj3Pt5Gv/vEneyy1404/XJGPS/NCKvhotJB2Tw=,tag:SIC5Fo87K7+z64niuPwjBw==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: taskd-restic-pvc +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:17Z" + enc: vault:v1:d6MdqSE76RLKZ7dfv0CWlSpqad51FuOf7chaFJex9qifWeBRVh/TMdBIlHOnrIhczowmGXFn7MDKOtDY + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaKzFiSTh6MTdUbzhPUWJ1 + SWN4eU9qTkhBbWVvcGtyeE9mK2RuSGhjQkQ4CjVQS3RSbUtyc0V6KzUvWm5KVzZm + NkpFdmxVUU02OVhsZUtpOFA2TWllQzQKLS0tIG5pU3FhUDdCZ0tSMFRTaFNIMlIw + dmhLcjVJSjY2ZjUzUXBZQVQ4RXFldUkKudGrXRpMjBb1FryAwI+wIU4gohXT5qle + Dpl45bvHIYxyl+e9RH3vUuLotBUn7eXDnA6ZfZOfWIMpZKhgQN4d9g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:52Z" + mac: 
ENC[AES256_GCM,data:wcmW3WD2YeqqSLl+M4bOGftMLEL/8kdJbXBY2kFrvVsEyRMI15FmaNLArU98RsK/hTEAWyN6hP4VtK8sPXPP70aZEjWQk88mZEc/H/+yHe7odaNtS6EZ21CphsFQQ1RdlbcXVS2FhJR2bf8Qg44MZ0Rp3VK8fSIYvTWyYSslJP8=,iv:/7IzQVic7Ra3oBFj14VlBDzJpTwh3znkq624nGw5ha8=,tag:7W0MRv2HRb//OzhmRRYPBw==,type:str] + pgp: + - created_at: "2024-06-28T08:37:17Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//dQtPTLKHsGe/O0ZnO6/EMvJJjyYjRSlO+AP4YkP5uTCS + hKQoNbvw/bDM5VhkUMVq467aBGCscov0PbxuWyNj2YAfYnAfbvtN8MnP/h1SsAXo + wx3nSm4F6arLrFny3PZXI0GDe/Vu0FduqDgVGJzc9Lt7RX7BIs2TZHeTgHzzo1ED + pBLXgNgR/kAuXUrTxtYW5/z9JCap0cPQu7oHUVE7N5tkOvtzdULOCv0Fi6eQZ6/r + PLcgfhiWKSb5HMlwMbi7VGw8voU+7Wqn+mBZ0XY0EPuD+1vCVKxsVz4GFXZMsCLb + /tQUVR3r5IPubRAtcdQJBWjMDFL2+D42islkrgGffXvCVCGVxZ+RmP+CgzU+FQ7b + eCpI+u9R9Nw5b4AocYpLeUZg3rV7TrG2peHNg/vLAMkVxMzHhuz/5dW8Y/5cgHfi + thdlpYxKY9vPbZQPVoTcxspRo/YC2sC33JYm5Zd7gZF8Ctp3jdP6oWXsBU7iZJQf + yPk/L+YD0ADxg3oxu+mTLcqrSSri2nPieuj0WyBzaKmRiLJSFFtvfp/dL088osEV + C4pp1nO4qSJYZucFgUa3a7alt+7rOWtyQSY1e6icmRvlvtnId94EM4Fksvma3nu7 + 96YGHZ5wUpXBawnVIhhPWmvCa4oy5NrnbqsyM5o+ARbrv6PMCGQl7lZ04lo3JvfS + XgFAsMbSMLtvqFoS5qDhHgAEiJm1+oLn6Lw0QQe0w5dlgmNLg2npUEZncIUGxsk3 + sr+wczTWLVFs60dwnkE/hiFJWYFHNgKr17YUHFASbKNahp2NOGaEPQPZKCL5140= + =vOi5 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/taskd/upsert-secret-taskd-restic-pvc.sh b/clusters/svc.dd.soeren.cloud/taskd/upsert-secret-taskd-restic-pvc.sh new file mode 120000 index 0000000..c47eaee --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/taskd/upsert-secret-taskd-restic-pvc.sh @@ -0,0 +1 @@ +../../../apps/taskd/components/restic-pvc/upsert-secret-taskd-restic-pvc.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/vcr/kustomization.yaml b/clusters/svc.dd.soeren.cloud/vcr/kustomization.yaml new file mode 100644 index 0000000..f7897af --- /dev/null 
+++ b/clusters/svc.dd.soeren.cloud/vcr/kustomization.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: vcr
+resources:
+ - pv.yaml
+ - namespace.yaml
+ - ../../common/vcr
+patches:
+ - target:
+ kind: "VirtualService"
+ name: "vcr"
+ patch: |-
+ - op: "replace"
+ path: "/spec/hosts"
+ value:
+ - "vcr.svc.dd.soeren.cloud"
+ - target:
+ kind: "VirtualService"
+ name: "metube"
+ patch: |-
+ - op: "replace"
+ path: "/spec/hosts"
+ value:
+ - "metube.svc.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/vcr/namespace.yaml b/clusters/svc.dd.soeren.cloud/vcr/namespace.yaml
new file mode 100644
index 0000000..9042687
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/vcr/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: vcr
+ labels:
+ name: vcr
diff --git a/clusters/svc.dd.soeren.cloud/vcr/pv.yaml b/clusters/svc.dd.soeren.cloud/vcr/pv.yaml
new file mode 100644
index 0000000..2b0ae02
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/vcr/pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+ name: "vcr"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ capacity:
+ storage: "10Gi"
+ storageClassName: "local-storage"
+ claimRef:
+ namespace: "vcr"
+ name: "vcr"
+ local:
+ path: "/mnt/k8s/vcr"
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/hostname"
+ operator: "In"
+ values:
+ - "k8s.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/vector/kustomization.yaml b/clusters/svc.dd.soeren.cloud/vector/kustomization.yaml
new file mode 100644
index 0000000..61fcc0d
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/vector/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: vector
+resources:
+ - ../../../apps/vector
+ - namespace.yaml
+configMapGenerator:
+ - name: vector-config
+ behavior: merge
+ files:
+ - sinks.yaml
diff --git a/clusters/svc.dd.soeren.cloud/vector/namespace.yaml b/clusters/svc.dd.soeren.cloud/vector/namespace.yaml
new file mode 100644
index 0000000..99acb20
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/vector/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vector
diff --git a/clusters/svc.dd.soeren.cloud/vector/sinks.yaml b/clusters/svc.dd.soeren.cloud/vector/sinks.yaml
new file mode 100644
index 0000000..050607d
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/vector/sinks.yaml
@@ -0,0 +1,18 @@
+---
+sinks:
+ prom_exporter:
+ type: "prometheus_exporter"
+ inputs: ["host_metrics", "internal_metrics"]
+ address: "0.0.0.0:9090"
+ loki:
+ type: "loki"
+ inputs: ["k8s"]
+ encoding:
+ codec: "json"
+ endpoint: "http://loki.loki:3100"
+ out_of_order_action: "accept"
+ tenant_id: "soeren"
+ labels:
+ datacenter: "dd"
+ cluster: "svc.dd.soeren.cloud"
+ app: "{{ .app }}"
diff --git a/clusters/svc.dd.soeren.cloud/vikunja/kustomization.yaml b/clusters/svc.dd.soeren.cloud/vikunja/kustomization.yaml
new file mode 100644
index 0000000..089d928
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/vikunja/kustomization.yaml
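Review bot: The `prom_exporter` sink binds `0.0.0.0:9090` and the `loki` sink ships every `k8s` log line over plain `http://loki.loki:3100`; a wildcard bind is normal inside a pod, but it means any workload that can reach the vector pod can read host and internal metrics unless a NetworkPolicy (none in this hunk; the vector app base is outside this chunk) or a mesh policy restricts it. The Loki hop carries pod logs, which routinely contain more than their authors intended, and `tenant_id: "soeren"` is only a routing header, not authentication, so confirm that this path is covered by mesh mTLS or an in-cluster TLS listener. A short comment on the `endpoint:` line recording which of those applies, e.g. `# plain HTTP: in-mesh traffic, mTLS enforced by Istio`, would make the decision reviewable.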
@@ -0,0 +1,30 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+namespace: "vikunja"
+resources:
+ - "namespace.yaml"
+ - "../../../apps/vikunja"
+ - sops-secret-vikunja-database-mariadb.yaml
+components:
+ - "../../../apps/vikunja/components/istio"
+ - "../../../apps/vikunja/components/istio-proxy"
+ - "../../../apps/vikunja/components/database-mariadb"
+ - "../../../apps/vikunja/components/redis"
+patches:
+ - target:
+ kind: "VirtualService"
+ name: "vikunja"
+ patch: |-
+ - op: "replace"
+ path: "/spec/hosts"
+ value:
+ - "vikunja.svc.dd.soeren.cloud"
+configMapGenerator:
+ - name: vikunja
+ behavior: merge
+ literals:
+ - "VIKUNJA_SERVICE_PUBLICURL=https://vikunja.svc.dd.soeren.cloud"
+ - "VIKUNJA_DATABASE_HOST=dbs.dd.soeren.cloud:3306"
+ - "VIKUNJA_DATABASE_DATABASE=vikunja_prod"
+ - "VIKUNJA_DATABASE_TLS=skip-verify" # TODO
diff --git a/clusters/svc.dd.soeren.cloud/vikunja/namespace.yaml b/clusters/svc.dd.soeren.cloud/vikunja/namespace.yaml
new file mode 100644
index 0000000..e6ddbb5
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/vikunja/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: "Namespace"
+apiVersion: "v1"
+metadata:
+ name: "vikunja"
+ labels:
+ name: "vikunja"
diff --git a/clusters/svc.dd.soeren.cloud/vikunja/sops-secret-vikunja-database-mariadb.yaml b/clusters/svc.dd.soeren.cloud/vikunja/sops-secret-vikunja-database-mariadb.yaml
new file mode 100644
index 0000000..40b1ecf
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/vikunja/sops-secret-vikunja-database-mariadb.yaml
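Review bot: `VIKUNJA_DATABASE_TLS=skip-verify` disables server-certificate verification for the off-cluster database at `dbs.dd.soeren.cloud:3306`, so the user and password from `sops-secret-vikunja-database-mariadb.yaml` are handed to whatever endpoint answers that name, and the bare `# TODO` records neither why nor until when. Once the database CA is trusted inside the container, change the literal to `"VIKUNJA_DATABASE_TLS=true"`; until then, make the TODO carry the reason and the exit condition, e.g. `# TODO(security): cert verification disabled — switch to true once the DB CA is trusted by the container`, so the gap stays visible to the next reviewer.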
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + VIKUNJA_DATABASE_PASSWORD: ENC[AES256_GCM,data:Gwa8lOtCi0pX43euzhedhkf8AEI0t0KeAIczZNaSYTU4mhmu5hphjjvM4w56J3RfISTBXvcaCWFVq2ExtoyUrw==,iv:fl5ts+SuCWFC2AoKCjOdYyBfVjpGVKymIXP9uGv4nCI=,tag:NKJgRn/EI2qcA8KbQzybqA==,type:str] + VIKUNJA_DATABASE_USER: ENC[AES256_GCM,data:LFezweC6aAxtlMmslltemw==,iv:1Zl7BiAMszh0iM2BTcGczwK/U33k4/YpnKIf9tUtVss=,tag:u15T8p8cVFYURia0u83rJQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: vikunja-database-mariadb +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-06-28T08:37:12Z" + enc: vault:v1:JlfjtRvF4zESxvlo+laTlSWhDB59N2tAkpfuDgm+QyoBcdhvhYX6wMTO0uVRX1q0eVyCisvKfwrmOwT6 + age: + - recipient: age16r9mm6m7559ukcaf9ceher6slnexwahfdtxdre3p9tcttfmqn92q8xetes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiNDRTelpSeGk0TlVzQ2dN + VUlyL3E3d1lrUlBZcmJ4QWNjOUJ2N1plR1ZBClEvOVQ5U0IrRUFlNkZkdU5KY2tQ + bHNsZE5vQXU1YTZSdDZvRVBtdkV6VmcKLS0tIGFrMGdVMjdXY3owVGEwc2pHdzhN + VjhxTzVEVHFtaTVKc1hYdjVCT3NwNUkKETELTFLrEdcF+Gs/cWrdDbcmw34lTZT3 + INWmvOv33F+NZKxKinbg4vu1+Hxuk09ykbXyLeN+huhVf4/n2H+s7A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T07:24:46Z" + mac: ENC[AES256_GCM,data:lLUUJtKy+9WtBX9gIetzYlDV55FpDNHXy1FD+9gAsmfFC5UeJR2LnmHMgo7O86hz+ZtbaFz4uzH/BnCyo60S6+FImNjjgUK/xM2hSU5C36vI3DbXL2N1N8jLvJKf0QEKfwSAfCR/xUFDwx3/31YJvF7VxtAAkrLzyJp1UN4HJA8=,iv:qZJfQR+swZIIjkbUeqXBxEGjB7lZR2CC2BKsSkI0qa8=,tag:5OlZ/Ile7d2WG1zyWIlQTA==,type:str] + pgp: + - created_at: "2024-06-28T08:37:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/+JUz0Jl5j2RhB19sycQIh4VcroZl+3+49YbQMqqbOnpFl + pXlLtudM/ydfzH1y7kzhGuyOLRyW902mzMv7FKOQ6qRoLy/SMfOVmZSpWhdOSfr2 + ruAoYiF1ThEzXxIk6yYLmWIQAAiR9aW/63uJp/RnMyqo8oJKWy1Ly0Ca9jncXuZj + Iv/n3no3GdNXYzbJuidg3JR1wKkzCX6G8stQdql/r9uw8JGIsh8ro8ZXs8+flxik + 
+hxOenK7wq8Zhjfom+VGgUK/IGJWxKbc6E8BSM3XyN5pQYoaZprtva+FT1V4w4zH + 7nFUjnq89KeYdZoUuDSYpqxOAYykkKVOn9G48jcpDoiBnQwhaE3tKHF4fykNb1J+ + 57zsFeYMI3wMzJhIlZ52gSg6HGAS6JCifaDfvrhkzvBcsqJJJHak7r3N0+LPrEPY + M+T42zvzyBq3i4JT83muDhzkUWKH2ZQOHXJF4I/kyWx25cDHfae6DWNWit8ZwZWj + 6dMqzA+Kd9N7HKzjqIdFCx8jHJya/C+TsLXA8uEKch9n3BHlIWbmyPYEWQpnGa+3 + e6kB44Qdhg15nobifM0Z/m5EW/JdCNDPfrErIxltg8a+v3/u6oJV+QdOtA4SK2K9 + dIah2bd6MfOeq1KGKNpwK4gXNwE93jNnYKI6E5nIgLAL4H73Hn/5RPju8IJcHWPS + XAGtbSUEPpbuftALeojCpHroCeuPxEO+/Pbvg8zQykPKbAm2uFtfPMldv9ZaNtGu + xkZGZJ66olohOcPvvJu8yqlYfUDZ+G21JXcfmyRZIbzu7rJjuc+GxAXeKYXV + =Bjwg + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.dd.soeren.cloud/vikunja/upsert-secret-vikunja-database-mariadb.sh b/clusters/svc.dd.soeren.cloud/vikunja/upsert-secret-vikunja-database-mariadb.sh new file mode 120000 index 0000000..3f93e98 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/vikunja/upsert-secret-vikunja-database-mariadb.sh @@ -0,0 +1 @@ +../../../apps/vikunja/components/database-mariadb/upsert-secret-vikunja-database-mariadb.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/vikunja/upsert-secret-vikunja.sh b/clusters/svc.dd.soeren.cloud/vikunja/upsert-secret-vikunja.sh new file mode 120000 index 0000000..1bfd956 --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/vikunja/upsert-secret-vikunja.sh @@ -0,0 +1 @@ +../../../apps/vikunja/upsert-secret-vikunja.sh \ No newline at end of file diff --git a/clusters/svc.dd.soeren.cloud/whoogle/kustomization.yaml b/clusters/svc.dd.soeren.cloud/whoogle/kustomization.yaml new file mode 100644 index 0000000..7a683ad --- /dev/null +++ b/clusters/svc.dd.soeren.cloud/whoogle/kustomization.yaml 
@@ -0,0 +1,19 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+namespace: "whoogle"
+resources:
+ - "namespace.yaml"
+ - "../../../apps/whoogle"
+components:
+ - "../../../apps/whoogle/components/istio"
+ - "../../../apps/whoogle/components/istio-proxy"
+patches:
+ - target:
+ kind: "VirtualService"
+ name: "whoogle"
+ patch: |-
+ - op: "replace"
+ path: "/spec/hosts"
+ value:
+ - "whoogle.svc.dd.soeren.cloud"
diff --git a/clusters/svc.dd.soeren.cloud/whoogle/namespace.yaml b/clusters/svc.dd.soeren.cloud/whoogle/namespace.yaml
new file mode 100644
index 0000000..0083145
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/whoogle/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: "Namespace"
+apiVersion: "v1"
+metadata:
+ name: "whoogle"
+ labels:
+ name: "whoogle"
diff --git a/clusters/svc.dd.soeren.cloud/yaade/kustomization.yaml b/clusters/svc.dd.soeren.cloud/yaade/kustomization.yaml
new file mode 100644
index 0000000..acbc101
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/yaade/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: yaade
+resources:
+ - namespace.yaml
+ - ../../../apps/yaade
+ - ../../../apps/yaade/components/istio/virtualservice.yaml
diff --git a/clusters/svc.dd.soeren.cloud/yaade/namespace.yaml b/clusters/svc.dd.soeren.cloud/yaade/namespace.yaml
new file mode 100644
index 0000000..d3e1a10
--- /dev/null
+++ b/clusters/svc.dd.soeren.cloud/yaade/namespace.yaml
@@ -0,0 +1,8 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: yaade
+ labels:
+ name: yaade
+ istio-injection: enabled
diff --git a/clusters/svc.ez.soeren.cloud/.sops.yaml b/clusters/svc.ez.soeren.cloud/.sops.yaml
new file mode 100644
index 0000000..00f66db
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/.sops.yaml
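Review bot: The yaade kustomization pulls `../../../apps/yaade/components/istio/virtualservice.yaml` in as a plain resource and applies no `/spec/hosts` patch, whereas the whoogle overlay on the same line goes through `components:` and replaces the host; so whatever `hosts` value the app file carries is what this cluster serves, and if that is a placeholder the route will not match this cluster's hostname. Either add the same VirtualService patch the other overlays use or put a comment on that resource line saying the app file already carries the cluster-specific host. The `istio-injection: enabled` label on the yaade Namespace is also the only one in this set — the other overlays appear to rely on an `istio-proxy` component instead — so a comment on why yaade uses namespace-wide injection would help the next reader.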
@@ -0,0 +1,5 @@
+---
+creation_rules:
+ - age: "age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl"
+ pgp: "875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637"
+ hc_vault_transit_uri: "https://vault.ha.soeren.cloud/v1/transit/sops_kubernetes/keys/svc-ez"
diff --git a/clusters/svc.ez.soeren.cloud/acmevault/kustomization.yaml b/clusters/svc.ez.soeren.cloud/acmevault/kustomization.yaml
new file mode 100644
index 0000000..6997461
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/acmevault/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: acmevault
+resources:
+ - namespace.yaml
+ - ../../common/acmevault
+patches:
+ - target:
+ kind: Deployment
+ name: acmevault
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: ACMEVAULT_VAULT_K8S_MOUNT
+ value: svc.ez.soeren.cloud
diff --git a/clusters/svc.ez.soeren.cloud/acmevault/namespace.yaml b/clusters/svc.ez.soeren.cloud/acmevault/namespace.yaml
new file mode 100644
index 0000000..4b740e2
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/acmevault/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: acmevault
+ labels:
+ name: acmevault
diff --git a/clusters/svc.ez.soeren.cloud/aether/kustomization.yaml b/clusters/svc.ez.soeren.cloud/aether/kustomization.yaml
new file mode 100644
index 0000000..c385cda
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/aether/kustomization.yaml
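Review bot: The `.sops.yaml` creation rule lists `age`, `pgp` and `hc_vault_transit_uri` in one rule, which sops treats as a single key group: any one of the three keys alone decrypts every secret under `svc.ez.soeren.cloud`, with no `shamir_threshold` involved. If the Vault transit key is meant to be the controlled path for cluster-side decryption, the age and PGP keys are equally powerful offline copies and need the same custody, or the three should move into `key_groups` with a threshold. The rule also has no `encrypted_regex`, yet every committed Secret on this page carries `encrypted_regex: ^(data|stringData)$`, so that setting must have been passed on the command line; adding `encrypted_regex: ^(data|stringData)$` to the rule makes a plain `sops` re-encrypt produce the same result and stops a forgotten flag from leaving `metadata` encrypted or, worse, `data` in the clear.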
@@ -0,0 +1,36 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: aether
+resources:
+ - ../../common/aether
+ - namespace.yaml
+ - sops-secret-aether.yaml
+ - sops-secret-taskd-credentials.yaml
+patches:
+ - target:
+ kind: VirtualService
+ name: aether
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - aether.svc.ez.soeren.cloud
+ - target:
+ kind: Issuer
+ name: vault-issuer
+ patch: |-
+ - op: replace
+ path: /spec/vault/auth/kubernetes/mountPath
+ value: /v1/auth/svc.ez.soeren.cloud
+ - target:
+ kind: Certificate
+ name: minio
+ patch: |-
+ - op: replace
+ path: /spec/commonName
+ value: aether.svc.ez.soeren.cloud
+ - op: replace
+ path: /spec/dnsNames
+ value:
+ - aether.svc.ez.soeren.cloud
diff --git a/clusters/svc.ez.soeren.cloud/aether/namespace.yaml b/clusters/svc.ez.soeren.cloud/aether/namespace.yaml
new file mode 100644
index 0000000..db1437e
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/aether/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: aether
+ labels:
+ name: aether
diff --git a/clusters/svc.ez.soeren.cloud/aether/sops-secret-aether.yaml b/clusters/svc.ez.soeren.cloud/aether/sops-secret-aether.yaml
new file mode 100644
index 0000000..d1545ca
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/aether/sops-secret-aether.yaml
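Review bot: The third patch in the aether kustomization targets `kind: Certificate` / `name: minio` but writes `aether.svc.ez.soeren.cloud` into `commonName` and `dnsNames`; the taskd overlay on this page patches a Certificate named after its app, so either the aether base really names its Certificate `minio` or this block was copied from another overlay and the target never matches. Kustomize rejects a patch whose target matches no resource, so a wrong name would surface at build time rather than silently, but a name that does match while the hostname belongs to a different service would not. If `minio` is correct, a comment on the target, `# the aether base names its TLS Certificate "minio"`, would stop the next reader from "fixing" it.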
@@ -0,0 +1,61 @@ +--- +apiVersion: v1 +data: + caldav_password: ENC[AES256_GCM,data:Buja2MCWd/bS+IX0WhC5CC8ydfScxaW9o8MzuxUEjI31Di/CaJoAo5eqC4HizZrdNJ1tsXZlPpwrAojNKw73YSLLaqY=,iv:ZUt4oepC+8DSNazxXdhqS/Y2csQctgIhIFToyK8PcdQ=,tag:ZpDshDx6kbVqsI4QgBq5Aw==,type:str] + caldav_user: ENC[AES256_GCM,data:lSkpJcQO1Wo=,iv:WezXyEx1Q5slNKusOq5Oyqb4W1rkoBs1YrAdewmRF40=,tag:+xMaFWyl5wMuqAnqbDT+iw==,type:str] + carddav_password: ENC[AES256_GCM,data:liwkWPCMmfX+4SA6gMlcgVyGsd5c4wHGY0EqoYmHeZgDAixRRkpwTgyE+Bw4Z3wHRDmNE4XH3zz4KA/9WQ0HNifDyNU=,iv:djlvHJXDj4NtyYgBoPx9Nj5TrAu3EdgjEWIJLda6sSQ=,tag:bKTrDr0cfBSnI4jrEK4HaQ==,type:str] + carddav_user: ENC[AES256_GCM,data:nbf6OoU3Z3E=,iv:9fjiY0AO9rmE/q83bv41Is3jMlOA99U48sUCZU5dfoY=,tag:0RNNtRD/bDaunR+BP+TnBQ==,type:str] + email_from: ENC[AES256_GCM,data:RTsd0vHHzoO0FM/CjOdAwNC/DlvSlMGrja7Av54nYls=,iv:i8M2BVTfAv+WlLO9mT3gBUZ36RtMQgMFYL92V2o690A=,tag:vFHiLlVTjM04A1XH7k/Rlg==,type:str] + email_password: ENC[AES256_GCM,data:QMBHgMiOBektMnqAdcheMKdP4gO0mXfg0dOWCdzJAiEOn6Zv,iv:TCg7j2S13U6XSdps2dwMI1fOfxU16cVBHjLYFtTn4IQ=,tag:4XMHX/Qkzg6pOD84o6WGXQ==,type:str] + email_to: ENC[AES256_GCM,data:mBsS2Mt2HMxHStnz3t7aZAQjOT34pjG/op8R8FrC8Nc=,iv:H4UlVcToOsThGZ3qbSfnNaO2fXSBTkrg2VBuVoVu1Bg=,tag:fEMK3nyBplwHlO32YTcdpg==,type:str] + email_username: ENC[AES256_GCM,data:gdvw6OdSXL6OZ2IXlTPab7XXEEw/8+3nQ3a1zqEDKt8=,iv:HBCqRWMosNn1Wnnr73avXvb5J5Gnltowu+C5Xm9rUHU=,tag:syBN44F/jczm/fs6DOWZVA==,type:str] + weather_apikey: ENC[AES256_GCM,data:BY2GPzIe9oFLGwu79amWRb9jBClAeTb3Z1tJXsVlVWhQGkjB0yN0fGN4BFY=,iv:bQ8jbrZp028/yKZsYwR/RGBOszVWDLJwOtb33QJEBLE=,tag:umyB5O/Uz5G7EefVWGeuuA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: aether + namespace: aether +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-03-31T12:29:10Z" + enc: vault:v1:86H53LwoC4XYwvLAGzRlW8EbrcjlV9jiXhtize6cdmck0SzL/cQnS9LDj6twpZ2OkxH1sQgTzW4NnX/5 
+ age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MGVGYnRaZTNDNlNoTklR + L1RYdWd3OWk2TnU2a3lwSTFTMnpBcGo0aTIwCmNGYmd2clZqNjVoTFhteDZQTWFp + MTFjQ3hvUjVGL0NUSEpLeUhqODBZQkkKLS0tIHNoUjBYTnpsUm54NWt1MGg3ekNP + cENZRzY0TFZ6SkhKb1VFMlhMT045R0kKpC2dGWAx7Eizu4YYwk/9cNQZ4wf0kM0q + u2J9UBzY12ALF2SQ+LlDZz11DgMPqmii5i8BeNjOQi4yEGPZTeAMXQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-31T12:29:10Z" + mac: ENC[AES256_GCM,data:BKCm7KoVXgaZ/keSFQlEhlmrv1ixaLScNm2lG+ToXDRAKM+mnrqd7xpfCy2xZrxaNhxvtVdpLtuaRAMgVGrEqo4p1OVljujYSy3RVtM2RRVEDOxFIQzGIRz9L7cdeXjGq1nKC/H1VXXBmpGQm3nMiN0iRWQoFgDIQi7EuE/2JKw=,iv:vSFwv75YneSMw+oNV/yNHmoBiPH97FrVWmfcfohDO8c=,tag:VewNiXf2OmzC10/I7F0nAg==,type:str] + pgp: + - created_at: "2024-03-31T12:29:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + hQIMA+/EGAve9YBkAQ/+JYzks7rv0RYbqzNhWvZ8MwVN2TkYXp2x0h2R9vLeKnIk + GR/aCSSN5yk4HNIF0KLvIp90G86q4YDUm3uydqqc3y+HYZBr3diaK4zmlr09oxc0 + wdDz0CubwqZq/5YZnj4Y4WhKpaurAjWuKpwOvyzEzxEBvVYfs015gsLAYAUTk0My + CQanVBsY51sU1I9l13J4cnN4E6zXMxTtBOV/yietUwhyD6NHj+Je9IcRzDtkSKur + Wzum4AjL9xnEKuKfES6ImNdDABfxHb0N3k7D9p3Ru/rwNjgQJd8CtaOlt+c7h7ba + W8nRhE6DqJqH7wDgXpt6+bVqTGJuMlh7ZT/nq0Jty/KnETtWf9jBnxJclb9d1ltD + wkZUT9nGP6mrL3+Edrubo7vc3q0CoZfLDu0HVbhKg9ZGL+n06uiz1JTF5/s+ptPl + CSOzx4L5JMLiNyykvARQjfCht/2HaWH9XNK5wxVdush665VB6TYm6EmIrXaoiL40 + Ir2eAZeCNRAXiJf/A8nvNGp2qX9GK8MgDzKl2nj36AKscKmYXCEbouK9oN5zGftx + w6xxNFfG7oElPPkDTR61Yqb9ESBrMCEfz7LQAgLmuI5raUDA67cFeSULK8ilyUY5 + Q+gWxAeynxlFDtcuHLFffV4L0v9D2yOghUWAr/dRh2I7y0Hge2LBlGodhdr42JjS + XAGL9RJnmQ1JtSAXib8QqMi7He/IiWNsX1h/csuMCx24UgNWmZ431u8MLU7FWpyA + Dp4O3kvJOFBPWbDyrylc2XjNGp1/a+3Ekzxgm8MnLgq0JgD2dtARoNYXq7H6 + =2kl5 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 
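Review bot: The `aether` Secret bundles caldav, carddav, e-mail and weather-API credentials in one object, so any workload, ServiceAccount or person that can read it (or decrypt this file) gets all of them, and a leak of one means rotating the lot. If a single aether pod consumes every key, that is a reasonable trade-off; a comment naming the consumer, `# consumed only by the aether Deployment`, would record the decision. Otherwise split per consumer, as `taskd-credentials` in the next hunk already is.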
diff --git a/clusters/svc.ez.soeren.cloud/aether/sops-secret-taskd-credentials.yaml b/clusters/svc.ez.soeren.cloud/aether/sops-secret-taskd-credentials.yaml
new file mode 100644
index 0000000..18e40d6
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/aether/sops-secret-taskd-credentials.yaml
@@ -0,0 +1,53 @@ +--- +apiVersion: v1 +data: + taskd_credentials: ENC[AES256_GCM,data:1AlSF7quUzjJ3O8+R9bW84pJhhFnbF/vQkiOgeDlX79gA4DfCaEDR7LA9xvm/rTTvUuBxDlYHXbDekaksfB7Sepy2UpDULBEZRz3dc+RbQ526NPFGT+1mlgIq88=,iv:06HN7bAjWM+ciPgzerahJFjS0XgRXmqCu9ooGSflMkY=,tag:oum/BR4uzTRdlXb8lArh0w==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: taskd-credentials + namespace: aether +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-03-31T12:29:17Z" + enc: vault:v1:XDbjavvFXrYNeEZsQarV4/x6pD8if8Cm3krD8ROkeWLTBbCsgUVTTgc2N3dH5fOmomtF9k/zXPdgCAjJ + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjOWhZQ0R6VVcxdWRoWnNO + b1dGNm1sUW5WMDZ2L2VjbG10d1o2RE5rMlFvCnpndVZmTC84Q3J2N3IzNWYvc0tq + ZGVBNmVMdVZIMUZUM2M0WE5ISDAvM2sKLS0tIElYRVRKU2lNYjlscnk1Ym1VYklo + RDdNN0NUL3hsUHlZVXJDbWtQL2lDRlkKBUsmxfKoQ7H/dZgjhqTszJsTk70cnZmh + w72l142BBfFlfTF7Km9qDKdyyczLvk1peZYl+7OQlMzCiHLIHlRUvA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-31T12:29:18Z" + mac: ENC[AES256_GCM,data:RYmh4vLM+7P7ymPXKONUhHMTSaO3D5wWNjiScKNuuOOwwMOhZfSOtzQRn1WnvMiCg9wkg1N2WSzjcth2V5/9DfOyImlhD/XBnUYhFe2gxxFb8VMux+SvppLxvEUzB+JJaS/2d8lsUmm606R520wBMr2jCMwWystuC/PfFxInqBE=,iv:FGcXAyTWWXc0NSImuXkwz+qzE/0Z2UM7Ga40tzXmqrs=,tag:9tbCc8V9WvDHJ0HakhP++Q==,type:str] + pgp: + - created_at: "2024-03-31T12:29:17Z" + enc: |- + -----BEGIN PGP MESSAGE----- + hQIMA+/EGAve9YBkAQ//RpBp1cshy+JIYYoZcPEvuE4y+/wq1DsiLJY7BpLwDnSb + qfabyCAinxvsrJIQOrBCPtglajQOM6QsOfq3V07V3kBOClhY+l7ByASLymFH8lgx + vEyJ3bupmXJdOrs99D+6kIBCUv6a5JQ//N843jChvNxQi/j7In8TRJ4EFmh9yb2f + 08ipPUBdZEfRPhoKbJ34kVM/ZvpH+GtvH5VRKrmPi767yZ4w2x4V1w2tBxe4E276 + ncTpapJI7drCJeYzw1ItvrcoUpycmcc3g1VPM8MaU144e1eVJ6VXjFhCtTtGJNVX + 
sBquixSAf0cbc6L2Okc2ql7hB/DHjZliVaZKOT4RMphX0zYtBtPT3VqIDBcGRwvY
+ QfaE1wyoqnhODvEh6KTT7NWnfpkz/rF81LIHgTgTH+AYQER3S+YBz+vTeSWlEVyM
+ IdVRIZvioNRJIGTPM443fzfe30HMuKdI0KHklEuthtwvdCxxDNbLaknW3UCSdveW
+ k8Y9nHVZFU82D+1JH0hh19o/459w1R4s3fBywGgPo9V3Q7XiGHs1cRQMbHWLLcQ/
+ woJ61GID5367KI4/WNckXupbruj7h21y0dyjG68BOIw1CfA4wnBzZ5eZX7xrMdi4
+ jrpD69wQK9iuioWzrJSMa0mizsMYOq/A+zaCKugbiXrkJhGtcVR/ZYTYqfwnSGDS
+ XAHnniGwVSh/KdNMIHliEfEiTCngqendVzkwdDXd1kW+3tH1EsVPrngv1F8HJGEV
+ zkiR3CcUIN8+nWHQbIdvBUz2FOzDR/61PzbhOqGewerIfnErFLNDxFJ56Cmp
+ =+9S1
+ -----END PGP MESSAGE-----
+ fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/clusters/svc.ez.soeren.cloud/aether/upsert-secrets.sh b/clusters/svc.ez.soeren.cloud/aether/upsert-secrets.sh
new file mode 100755
index 0000000..3d4d360
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/aether/upsert-secrets.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+bash ../../../contrib/upsert-secrets.sh
diff --git a/clusters/svc.ez.soeren.cloud/cert-manager/clusterissuer.yaml b/clusters/svc.ez.soeren.cloud/cert-manager/clusterissuer.yaml
new file mode 100644
index 0000000..4d8ad06
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/cert-manager/clusterissuer.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-dns-prod
+ namespace: cert-manager
+spec:
+ acme:
+ email: letsencrypt@soerensoerensen.de
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-account-key-route53
+ solvers:
+ - selector:
+ dnsZones:
+ - "svc.ez.soeren.cloud"
+ dns01:
+ route53:
+ region: us-east-1
+ hostedZoneID: "Z00955223PRL0JAAO3BHR"
+ accessKeyIDSecretRef:
+ name: route53-credentials
+ key: access-key-id
+ secretAccessKeySecretRef:
+ name: route53-credentials
+ key: access-key-secret
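Review bot: `namespace: cert-manager` under `metadata` of the ClusterIssuer is meaningless for a cluster-scoped resource and, next to the `namespace: cert-manager` the sibling kustomization sets, invites the reading that the issuer is namespace-isolated; drop that line. What does matter is that `route53-credentials` and `letsencrypt-account-key-route53` are looked up in cert-manager's cluster resource namespace, so the Secret must be created in `cert-manager`, which the kustomization's namespace field appears to guarantee. The solver is pinned to one zone via `selector.dnsZones` and `hostedZoneID`, which is good; since it relies on long-lived static keys, a comment such as `# IAM policy behind route53-credentials should be limited to this hosted zone` would make the scoping get checked whenever the keys are rotated (the policy itself is outside this diff).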
diff --git a/clusters/svc.ez.soeren.cloud/cert-manager/kustomization.yaml b/clusters/svc.ez.soeren.cloud/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..29ce29b
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/cert-manager/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../infra/cert-manager
+ - clusterissuer.yaml
+ - sops-secret-route53-credentials.yaml
+namespace: cert-manager
+patches:
+ - target:
+ kind: Deployment
+ name: cert-manager
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--dns01-recursive-nameservers-only"
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
diff --git a/clusters/svc.ez.soeren.cloud/cert-manager/sops-secret-route53-credentials.yaml b/clusters/svc.ez.soeren.cloud/cert-manager/sops-secret-route53-credentials.yaml
new file mode 100644
index 0000000..98df8b5
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/cert-manager/sops-secret-route53-credentials.yaml
@@ -0,0 +1,29 @@ +--- +apiVersion: v1 +data: + access-key-id: ENC[AES256_GCM,data:yqMotgsxb9lOOnT3C+9sQTBqQ2wcNIlLVw1WDw==,iv:dHV5r/4D/899kB5+3lWExJ3GwWNLNAPuo13b6l2Yavs=,tag:YvGWlG1+vW06fxzNQMsl5Q==,type:str] + access-key-secret: ENC[AES256_GCM,data:gD41bWUGlxaFFIY7igPc+4bM62yOS0+iVlhfLxE1jt2L5bxLyK5TP9XpCw6UJRie7n2As2+plpg=,iv:4c8RMFmf0jjNq9Y5E1BfeIjyXlZknYcLUOdKNrpINXo=,tag:Ks8TvpXkp61XLxjtsOeaXw==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: route53-credentials +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXRGZCVTVqS0lzbVFWQzlD + U1RhYzh0WktyKzR5SzlXNGtKbXZQVHZsR1hZCm5VN2NSNHlpdDlyWE41YmVVS1BZ + c1RYaktEeGh4ZHcyVjhkSWhKbEt3Q1EKLS0tIFo5UGF5N1FjckwvcGsrbnJIbkFk + U3VETkV4aFkyTHlFR1RDT1NlYWw3MjQK4RekftLaUBgpoD7aJ6dJmpxQ5/7cH0cT + okj0Cbd3ik0dC77wwI4h4vaheOt8alxPlEydLJSDcQGfsd543aWaHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-22T14:45:46Z" + mac: ENC[AES256_GCM,data:UObthg0kfs2D9klCWrWfOs69r5bpVV+O45xC1isoEu1nhdxXV0A2ZJpFTxb7BFKCKwQrNyFJwBfLUVXIgfr3yzEBH/D1zTEHwpQmiBjAO59iFKEiE7M0DlQZnw5Uo8XGx1nx5921yImbPMo2/AK7UhoNfU5YXeUrMBNAh7/6I+c=,iv:hN+lO5cqcDpRtITctITRNCD5gmTZHeabXBha01C3K4c=,tag:/86qeMTeliCp2Ogtpr0cTw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/cert-manager/upsert-secrets.sh b/clusters/svc.ez.soeren.cloud/cert-manager/upsert-secrets.sh new file mode 100755 index 0000000..ad6759f --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/cert-manager/upsert-secrets.sh 
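Review bot: This secret is encrypted to the age recipient only — `hc_vault: []` and `pgp: []` — whereas every other sops file in this chunk (sops-secret-taskd-credentials.yaml, the dyndns client and server secrets) carries both an `hc_vault` entry against `transit/sops_kubernetes` and a `pgp` entry for fingerprint 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637. With a single key group, loss or rotation of that age key makes the Route53 credentials unrecoverable from git, and any decryption path that relies on Vault will fail for this one file. Its `lastmodified` of 2023-12-22 is older than the others' 2024 stamps, so it likely predates the current key configuration; re-encrypting it with the same key groups (e.g. `sops updatekeys` against the repository's sops creation rules, which are not visible here) would bring it in line.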
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -eu
+
+CLUSTER_NAME="$(git rev-parse --show-prefix | awk -F'/' '{print $2}')"
+SECRET_NAME="route53-credentials"
+SECRET_FILE_NAME="sops-secret-route53-credentials.yaml"
+echo "Upserting secret ${SECRET_NAME} for cluster ${CLUSTER_NAME}"
+
+TF_VALUE=$(terraform -chdir=../../../contrib/terraform/route53-credentials output -json cert-manager | jq -r '.["cert-manager-'${CLUSTER_NAME}'"]')
+AWS_SECRET_ACCESS_KEY=$(echo $TF_VALUE |jq -r '.access_key_secret')
+AWS_ACCESS_KEY_ID=$(echo $TF_VALUE |jq -r '.access_key_id')
+
+kubectl create secret generic "${SECRET_NAME}" \
+ --from-literal=access-key-secret="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=access-key-id="${AWS_ACCESS_KEY_ID}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${SECRET_FILE_NAME}" /dev/stdin
diff --git a/clusters/svc.ez.soeren.cloud/consul/kustomization.yaml b/clusters/svc.ez.soeren.cloud/consul/kustomization.yaml
new file mode 100644
index 0000000..f5c2fbf
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/consul/kustomization.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: consul
+resources:
+ - ../../../apps/consul
+ - namespace.yaml
+components:
+ - ../../../apps/consul/components/istio
+patches:
+ - target:
+ kind: VirtualService
+ name: consul
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - consul.svc.ez.soeren.cloud
diff --git a/clusters/svc.ez.soeren.cloud/consul/namespace.yaml b/clusters/svc.ez.soeren.cloud/consul/namespace.yaml
new file mode 100644
index 0000000..68020ae
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/consul/namespace.yaml
@@ -0,0 +1,9 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: consul
+ labels:
+ name: consul
+ pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/enforce-version: latest
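Review bot: The `TF_VALUE` line splices `${CLUSTER_NAME}` into the jq program text (`'.["cert-manager-'${CLUSTER_NAME}'"]'`), and when the terraform output has no entry for that cluster `jq -r` prints `null`, so the two following assignments produce `null` strings and a secret with `access-key-id: null` gets encrypted and committed instead of the script failing under `set -eu`/`pipefail`. Passing the key with `--arg`, using `jq -e` so a missing value is a non-zero exit, and feeding the JSON through a here-string instead of the unquoted `echo $TF_VALUE` closes that; the duplicated `-e` on the `sops` invocation is harmless but should go. Both this script and the three-line `aether/upsert-secrets.sh` wrapper earlier in the chunk only work when run from their own directory (`git rev-parse --show-prefix` and the `../../../` paths depend on it); a `cd "$(dirname "${BASH_SOURCE[0]}")"` after the `set` lines would make that explicit.
```shell
# … unchanged: shebang, set -o pipefail, set -eu, CLUSTER_NAME / SECRET_NAME / SECRET_FILE_NAME, echo …
TF_VALUE="$(terraform -chdir=../../../contrib/terraform/route53-credentials output -json cert-manager \
  | jq -re --arg cluster "cert-manager-${CLUSTER_NAME}" '.[$cluster] // empty')"
[[ -n "${TF_VALUE}" ]] || { echo "no route53 credentials in terraform output for ${CLUSTER_NAME}" >&2; exit 1; }
AWS_SECRET_ACCESS_KEY="$(jq -re '.access_key_secret' <<<"${TF_VALUE}")"
AWS_ACCESS_KEY_ID="$(jq -re '.access_key_id' <<<"${TF_VALUE}")"
# … unchanged: kubectl create secret … | sops -e … (with the second -e removed) …
```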
diff --git a/clusters/svc.ez.soeren.cloud/container-registry/config.yaml b/clusters/svc.ez.soeren.cloud/container-registry/config.yaml
new file mode 100644
index 0000000..54f75c9
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/container-registry/config.yaml
@@ -0,0 +1,9 @@
+---
+http:
+ addr: localhost:5000
+ draintimeout: 60s
+ debug:
+ addr: localhost:5001
+ prometheus:
+ enabled: true
+ path: /metrics
diff --git a/clusters/svc.ez.soeren.cloud/container-registry/kustomization.yaml b/clusters/svc.ez.soeren.cloud/container-registry/kustomization.yaml
new file mode 100644
index 0000000..475838c
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/container-registry/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: container-registry
+resources:
+ - ../../../apps/container-registry
+ - namespace.yaml
+ - networkpolicy.yaml
+components:
+ - ../../../apps/container-registry/components/istio
+patches:
+ - target:
+ kind: VirtualService
+ name: container-registry
+ patch: |-
+ - op: replace
+ path: "/spec/hosts"
+ value:
+ - "cr.svc.ez.soeren.cloud"
diff --git a/clusters/svc.ez.soeren.cloud/container-registry/namespace.yaml b/clusters/svc.ez.soeren.cloud/container-registry/namespace.yaml
new file mode 100644
index 0000000..3f451d7
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/container-registry/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: container-registry
+ labels:
+ name: container-registry
diff --git a/clusters/svc.ez.soeren.cloud/container-registry/networkpolicy.yaml b/clusters/svc.ez.soeren.cloud/container-registry/networkpolicy.yaml
new file mode 100644
index 0000000..14e4c40
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/container-registry/networkpolicy.yaml
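Review bot: The container-registry Namespace carries no `pod-security.kubernetes.io/enforce` label, while the consul Namespace in the preceding hunk enforces `baseline`; the device-stalker and domain-exporter Namespaces later in this chunk are missing it as well. Without the label each of these namespaces falls back to whatever cluster-wide Pod Security Admission default is configured, which is not visible here, so workloads in them are not held to the same bar as consul. Adding `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/enforce-version: latest` to all three keeps the cluster on one baseline; whether `restricted` would also pass depends on the pod specs under `apps/`, which are outside this chunk.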
@@ -0,0 +1,30 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: container-registry
+spec:
+ podSelector:
+ matchLabels:
+ app: container-registry
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: registry
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: istio-system
+ podSelector:
+ matchLabels:
+ istio: ingressgateway
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ podSelector:
+ matchLabels:
+ app: prometheus
+ egress:
diff --git a/clusters/svc.ez.soeren.cloud/device-stalker/config.yaml b/clusters/svc.ez.soeren.cloud/device-stalker/config.yaml
new file mode 100644
index 0000000..556817a
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/device-stalker/config.yaml
@@ -0,0 +1,11 @@
+---
+devices:
+ - name: "ines_phone"
+ target: "icmp://ines-phone.ez.soeren.cloud"
+ - name: "soeren_phone"
+ target: "icmp://soeren-phone.ez.soeren.cloud"
+mqtt:
+ broker: "tcp://mosquitto.mosquitto:1883"
+ client_id: "device_stalker_ez"
+ default_topic: "ez/device_state/%s"
+ random_client_id_suffix: true
diff --git a/clusters/svc.ez.soeren.cloud/device-stalker/kustomization.yaml b/clusters/svc.ez.soeren.cloud/device-stalker/kustomization.yaml
new file mode 100644
index 0000000..e26a7d8
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/device-stalker/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: device-stalker
+resources:
+ - ../../../apps/device-stalker
+ - namespace.yaml
+components:
+ - ../../../apps/device-stalker/components/custom-config
+configMapGenerator:
+ - name: device-stalker-config
+ files:
+ - config.yaml
diff --git a/clusters/svc.ez.soeren.cloud/device-stalker/namespace.yaml b/clusters/svc.ez.soeren.cloud/device-stalker/namespace.yaml
new file mode 100644
index 0000000..da2b1b4
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/device-stalker/namespace.yaml
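Review bot: `egress:` is the last line of the NetworkPolicy and is left empty while `Egress` is listed under `policyTypes`, which denies every outbound connection from the registry pods, DNS included; that is a sound default for a registry backed by local storage, but it will silently break any remote storage backend or upstream mirror, so state the intent with a comment such as `# egress: deliberately empty — the registry needs no outbound connections` or add the rules needed. The prometheus `from` entry only opens port `registry`, yet config.yaml in the previous hunk serves `/metrics` on the separate debug listener `localhost:5001`, so unless the named port `registry` maps to 5001 (the Service is outside this chunk) the scrape is blocked by this policy. Both listeners also bind `localhost`, so they are reachable only from inside the pod's network namespace; recent Istio sidecars forward inbound traffic to the pod IP rather than to loopback by default, so confirm the deployment under `apps/container-registry` is configured so that the sidecar can actually deliver to 127.0.0.1, and note that a scrape from the prometheus pod can never reach a loopback-bound 5001 regardless of what the NetworkPolicy allows.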
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: device-stalker
+ labels:
+ name: device-stalker
diff --git a/clusters/svc.ez.soeren.cloud/domain-exporter/config.yaml b/clusters/svc.ez.soeren.cloud/domain-exporter/config.yaml
new file mode 100644
index 0000000..29e0f19
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/domain-exporter/config.yaml
@@ -0,0 +1,4 @@
+---
+domains:
+ - soerenschneider.com
+ - soeren.cloud
diff --git a/clusters/svc.ez.soeren.cloud/domain-exporter/kustomization.yaml b/clusters/svc.ez.soeren.cloud/domain-exporter/kustomization.yaml
new file mode 100644
index 0000000..a699fe1
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/domain-exporter/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: domain-exporter
+resources:
+ - ../../../apps/domain-exporter
+ - namespace.yaml
+components:
+ - ../../../apps/domain-exporter/components/config
+configMapGenerator:
+ - name: domain-exporter-config
+ files:
+ - config.yaml
diff --git a/clusters/svc.ez.soeren.cloud/domain-exporter/namespace.yaml b/clusters/svc.ez.soeren.cloud/domain-exporter/namespace.yaml
new file mode 100644
index 0000000..9ac9821
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/domain-exporter/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: domain-exporter
+ labels:
+ name: domain-exporter
diff --git a/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/kustomization.yaml b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/kustomization.yaml
new file mode 100644
index 0000000..0e43ac9
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/kustomization.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../apps/dyndns/client
+ - sops-secret-dyndns-client-aws-credentials.yaml
+ - sops-secret-dyndns-client-aws-endpoints.yaml
+ - sops-secret-dyndns-client-keypair.yaml
+components:
+ - ../../../../apps/dyndns/client/components/aws-credentials
+ - ../../../../apps/dyndns/client/components/aws-endpoints
+ - ../../../../apps/dyndns/client/components/keypair
+patches:
+ - target:
+ kind: Deployment
+ name: dyndns-client
+ patch: |-
+ - op: add
+ path: /spec/template/spec/priorityClassName
+ value: prod-high-prio
+ - op: replace
+ path: /spec/template/spec/volumes
+ value:
+ - name: keypair
+ secret:
+ secretName: dyndns-client-keypair
+configMapGenerator:
+ - name: dyndns-client-config
+ behavior: merge
+ literals:
+ - "DYNDNS_HOST=ez.dc.soeren.cloud"
diff --git a/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/sops-secret-dyndns-client-aws-credentials.yaml b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/sops-secret-dyndns-client-aws-credentials.yaml
new file mode 100644
index 0000000..1245f86
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/sops-secret-dyndns-client-aws-credentials.yaml
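Review bot: The second JSON patch uses `op: replace` on `/spec/template/spec/volumes`, which fails the kustomize build if the base Deployment defines no `volumes` key at all and otherwise throws away every volume the base does define, not just the one being overridden. If the goal is only to mount the `dyndns-client-keypair` secret, `op: add` with `path: /spec/template/spec/volumes/-` (or a strategic-merge patch on the volume by name) is the narrower form. The base under `../../../../apps/dyndns/client` is outside this chunk, so which of the two situations applies cannot be confirmed here; a one-line comment above the patch saying why the full volume list is replaced would spare the next reader the lookup.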
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:UMvzPoIM3QrntFYjRp9yJZ+FW3HscR7DVIHBuQ==,iv:ctRlbYB8Gxj9yn1c3dK29YqT0mXzovFUPzGZ/He+8jA=,tag:YzSQUe2p+cVL6XGIrzcWBw==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:2HElaIPaq326FQsQ3WG1g70pFMv2W1bmuJLyUJsbX+ukw7o3PRwc+T6oEmt24ADt5q3A3WyqeY4=,iv:NPNnQO1dxJBvwVodpeT8aClpOPFgC/m7C3gqcBEE8Cc=,tag:Wqsy0V21MfTC85/f82Smhg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: dyndns-client-aws-credentials +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-06-28T12:57:22Z" + enc: vault:v1:1KW95BX1lS3zIWlWWCU7cTkf96w2rI3ol9zmzdEetvLARxElg9NT9Kpb/6xTemRBzmusDQR3UJosVvLl + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiOVQyNzgySElDK2l0NFY5 + M0tXV1F5eFZnYmxETGs1akhRZ25PZDBhOFZRClVZUGpUaXhaN050c1BxYm01dDY3 + cyt1TDQ3clN1eHR3WjV4RlRTRkxncXMKLS0tIHNWbmkvMEdWdklXWmp1SUpsSWEx + dE0vS0YxRkd3UXd1azFoa2xyUURXdTgK5Tz/fedUwCohsmSATPAwSr1V4tCZn+U/ + 6fglOERPZFjIq2Wf/nz4YIjcZyzbEm3GL6Gd0SRjx4iwYkK3P6c1QQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T12:57:22Z" + mac: ENC[AES256_GCM,data:nrm6B8DjynOcdOYhzsStFBGFNl21ZpK1BRaDWRBPkBAWgCWmEIzX3sh9Yg0ChM7JHujAFMr5JbZGEmLWk8GquMTYnlSq6DvZPhuxPuipP/jZxTuEnXkiFRfOf99Ijc5Cp0ZjUlVEje4ZKRepyQv3lMJhYOoBFD+sRsstuT11y3Y=,iv:j4R/34MYU4x0LWK+YZ2WQAPj2PywmNNZzipk5lKhj3U=,tag:e2hg1ex5Krt8iUKdH7/mcw==,type:str] + pgp: + - created_at: "2024-06-28T12:57:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/7BrRhncUzGjoHYEOsYOoZy2ss2qP+vJ4qHm1tjzoPcMP8 + iealvahbqcantxvm2qEKC2ov10RiHgghYQGbKreSHT+8YDEVrbWJ3KSI/cYrJB1U + aeep0nMG6DzZld20cAl1cU/M1B86MfVf+mcO6c9qOn9vRB8Oz/I9+7YXf6/JLJX0 + +CRZkmmAdfZsvxL+vZm8Y52JraayFHJwFgd7Z8k7Cj89KghaOVSKbeUBMr3WrUON + 
+Sjrzk+Z2ErtMSmEKweodN6mNvM6UnkHPaMuYKjE6GoCHHS0/UumsBk79aywtody + sJ+eo4tNJxdzhkinHqSyNn9QvEko0uyTDAGapibkC/qnXTduO2SNLcXTXS3bpXFD + RFzVAlpz/JcBiY8kHddyio/OKFNJ6K4g/IuFr1gr1ZULKS8rEcca9CxJmjq+yxdE + MfYViWL7DthYuWqdMWQQtY0JLtNp0CtHn6ffueKxcwxq0+eAuo2XAOOpkMUIhs67 + rEHklEXMeuC57r96hTzsHB49bwcOLa2XJk957JF2pu2Q+thFkIsJ3ptklf+LUyfb + kk3WkJoFnl49nxcE4ybujrQMZxiza2FzgVShKvAs0asPQG5/3dXiS7kOll7A8NnZ + ufWE+k+dxPXtjHb0hXoZ1mqFLA3fZSillRWQg6pQ+2tPL97PxKnDpgknUzai08/S + XgGc6XYn1QmmfpckCv/c/nPnTGQk6NVEiCU+78RO8qxJ94RIjkHWD8ouoKP2qGsE + UEPf0mLSVqUlKfFwNx2WvYeVed+tTkHcBeXEgO3K3ZVksxz3idPzTjynB0E/erA= + =rJC7 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/sops-secret-dyndns-client-aws-endpoints.yaml b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/sops-secret-dyndns-client-aws-endpoints.yaml new file mode 100644 index 0000000..3e2f459 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/sops-secret-dyndns-client-aws-endpoints.yaml 
@@ -0,0 +1,54 @@ +apiVersion: v1 +data: + DYNDNS_HTTP_DISPATCHER_CONF: ENC[AES256_GCM,data:8mhSeOPpBD8nTIhC+468D7l2Caq5urOYm+i1H09ICjPBkFOZik0uB7ARSPGVo3z0xfKMPKjex0D2QC1Um5UCOBnYv1OSTr5ZrHWWiADBW4x1bOLpUVg7MYZn8jp4HjLfh518C3/Em2A=,iv:rkhS1QC6+l8P1A/O7bNOo++0vBG87+PYrI4pwY6HdqM=,tag:McUZo3ObTLdS5BpbqTywsQ==,type:str] + DYNDNS_HTTP_RESOLVER_PREFERRED_URLS: ENC[AES256_GCM,data:ta17JSuVLgxtM7clFPhRb9Puxyw6MqtVNSxzUc7+YyYNIRVWkWpegQIt3GBt78pdsL81bzH1cK4752/6KsMbzkbYC6HOqwyxGr6jvenmCQkXUTme1jcdzpoqNaQAa6g1F5flDAnH0uXgkTkNyU5ibaU7e043G9VXhybdChpCBtEPyvjDKl38Yk0ozDVSIiO35PNxY00KzwdaUqJNCk+RrFDErM0/BIFCj+wDDww/pnNxIEzqk6B/tGzM6jNNNNJpOu74gw==,iv:wSo1ERPZnLND3i1SnLeN0LI35cAjSEJm47tUG9x2On4=,tag:jewJIBySdMPnxFre1hV2cQ==,type:str] + DYNDNS_SQS_QUEUE: ENC[AES256_GCM,data:0KC3KNDjShYDeM0yukkeMV9f+RrcTbPUaM86CtWsGHEf234GPdEbUC5k6K4TdCN3PHsADh5mUPqEyRWaGnR3vp4OXyJjQ3tAMb4oyvaUJbo=,iv:CIPOCKxMMESOqzlOm5zV8edVT4kz7NiRIHL+/V2bBVs=,tag:oBUHr2lMHTsfr0bAaLm0cQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: dyndns-client-aws-endpoints +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-06-28T12:57:27Z" + enc: vault:v1:lH2BChhOL+Zr+iG0ZaHr8ofJmwCjd9puOSYOCYal8EYCj+VoaSPjpWFKULHqzf+xYAvWdFfJsUidul5a + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMkFQTmhGVHNweE9iUXVG + RG5YcUVYNkVJTVNLSGNCVmpEbndKekUveUVrCjFRSi8yWEwzOFY2SjFrOTNsRUJv + akVpYm1yVk02YVVCQVBVU1ljcE1jMGsKLS0tIC9TMVE5Zy9HV1UxRHlwR0JwSksy + MnVPZE9CaWU0MDBYTzVMemdHREkzYUUKA0/jNuCz+B/E5xE7xKvkgCQqrxNoNDr4 + rmZNFV9iIUYAfLyV0M4gNzEK3RI8Cw1kYfnI7I4GFirl+RxK9KeqcA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T12:57:28Z" + mac: 
ENC[AES256_GCM,data:skDLkXPNhj4v+liHqw1wS7arwCBc2bUEKwS5BR4SIQEPA6gWB7r/2ibtjEGgztYU2+i/BztiJ9iBTOvxMKAQVTOm2nn0WZu7baZvyASGy7AQCKrcUTHc9XKD+JInHQpyxQUUaUZPsqS452jlwFRk5kCO1BhRhKP2Z9egS+x4xxw=,iv:ujwJlrUZsvDDXL370mHZdtJaZoRDYMd6ookfZIysoog=,tag:ed6Jcu/U4mnHYSKOONC98A==,type:str] + pgp: + - created_at: "2024-06-28T12:57:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//c2matM38h8MEjnBpP8uC7y3mhN3YX5YK+m/fm8pqqafl + 52A4UBEbVgIZtuooh1PmYjpyjSMPJbD7PQRXuZFhpyLG+lvJp+1dQaMzNsALWz9S + EFAthqROZ9N1+37TpABquC/wLux6Tpjs13Rfhx5OZCuT5ZJbVQAPIyHEI9VYHHw9 + FY7ZwKVuwn1HdciU/UoVImulrCbes406vu2QU4u4Y7YoHkvRIZelGrhLd5fZMj7N + 4ieepq8mm9nTTZnqEzsSWludyJgeo4zPEakvlY2WPFdH+19h1NEQIeCh6A73byAc + naz9IFPlOv7akekV3FEapofZLz+CBsBjEvBgFWpYFzqETPpx3F6Z+BkWdbB/I2TZ + GFMO6r92oH+srxBY6RQnmF+YHsbB6l+RzUPctrzm5KCj2Ljfg/gdwsEmzKzHcv6L + Xpi78WnMEpO8up+X+iP0NMW15mh3ZDHxqL7LSeEpuD8/Z/+EQrwSfCiu0qCPyaMt + 7WdVEWXmaiU1e0UppS2hGxQyPfnhyzii0/Tz2I7XZo4QpjbtYEI8aifSueT0BQn6 + VqpzO6nmmluaXMYCt+D81g72e7myl442+Q4oowrWo5O6HOTcqwR23yfF9gIIWeKt + 2GGtPU3wLefDjEaiEWE5+ifFasiBrWNGc91+ORMrciqK1pxuleUASBXSyPqyEY7S + XgEVsJoukVlEDPZfebodFzy5XjVzdGcRBDwhbMXkRaqagObn3B3OvdSwkG+ozp74 + qDxbJXt0SaKvBLcAYsPVYz4qKSZoD3mc20fZV82m6HIujMTE18/k9SvMq1miP8o= + =qP13 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/sops-secret-dyndns-client-keypair.yaml b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/sops-secret-dyndns-client-keypair.yaml new file mode 100644 index 0000000..432ed6f --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/sops-secret-dyndns-client-keypair.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + keypair.json: ENC[AES256_GCM,data:JWHyShaFrBE1YEmKeheUqQHgb0oX0NacQ0E/kWdnrzP7LD2XtiWv0fzNxZlbxKZFZqEkpsUyOu5v1MThnZ+4HlNQkDoTDTum0OZMt3GyfmBa20JRRj9GV+NfOczpPL3phCVOcezbmWRtTvhx4s5j7pmsuPWfdUk09e91xZReYtbyfaPL6LhrenTI7EH/3opGxVDcc8sPYILy/8lF+mkHtiB8mqU1FAxNC4Y5jpz5lW5ixC+OEPDgVL6hYfH34O7qEATPz8Q3+sGal+IXaMFIB9ORVfI4KsjSyCSciqEWl4Y=,iv:m2FqA+VU6wWQyGpMMfFMokMtzf7xDuYN+QHh6Ksy1FQ=,tag:TjDYOobHQjAqbB28kUD4GA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: dyndns-client-keypair +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-06-28T12:58:37Z" + enc: vault:v1:jZRCWf/lFJtvS+b0ZYtODVXwKnrvAxAJqASM6gFfYKMBnXzPPc58e5N717VGfk1UB+YyzbEJjAOa6t6G + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwdWFmU1JFakFqK3RFOXMz + MS9RbEw5MldhOXJDS3ZlaVI0d3F4LzRpSmtBClFqTEY2NEhsQnpmZWFXYUdWUkNR + S2crZUxRa2FpZys5ZVlKeTNhZ3pvOTAKLS0tIHR2QkRVNFl0V1ExQldRbkdxbHEz + alJrbk5scjlmR0U5REJCdGtGdFVqem8K5bPcOilV7cPn2qJMt5oe5vC1pMdUrJiT + Kmwv+iofET4EAM8VtYxHIbE3t+zn+fm4n2iu+rrEHv9b9KEFtNRj2g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T12:58:37Z" + mac: ENC[AES256_GCM,data:jmX0eoJHhttj1aIXnaH5O3Rl+5cYstBDv3+GKw6KsxHN5v0248JwGsFI3JASKOSeX9BqHhAF36yq2Deb3GCeMsq80dF1ChtHDeTAjbnL9tdys83RoZhS25fbySwt82OeY1RnS5KEnqV5wiz/Ao+HuKL7ySwaIrrkSWcuqept2Ao=,iv:smB/oquiGfv7NmYLSTVc8nNMOWryGV+JcFPTDHG9FQQ=,tag:ys+szK39WdJCTVWLbfJY1A==,type:str] + pgp: + - created_at: "2024-06-28T12:58:37Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAkl/9o+tfqhIszWcpL+KK6Bv7/tRCAfs7xoMCajqCNfGu + /nsoZISkRo7SqS1MS8wJ7yBnRlSdDFL+sOeJZ+Kq4Tqsn33nS50O5m8zDCvKSDgv + 7AguYM87RNmKGxUwJD/9nPud78wVosmQmdBPE7wgpPC155Yz3M3hOsPyf3QyzpZY + 
zvXSK/aj5129ATgKwvn409FN9Snflzgg/6n+ugI9UrA+BIeUm9C9jEUtV35gIHkv + m7vVpsiWbwxxP/dvoEW+Du/DMFoyhc7V/wgwp8KPIjdsKzYAE+ZSNqjZuZy0COpa + No06K5ps/yZFROxMol4zeQXTguIAvAectoSPtjBFQEevHxRlT5bySVYPQflagoZS + +LLwyUGQj6k1Ww6vWlfMX5pdJrVDD9DxRTWp/RENx6kJ8SHF/ximSi0ZMI0LLCxN + a1+FRzhDZPjf/vHDZ92N/ZDTbu/GAYN82PLMOaTd30ouQZl5NjTSFx5t4bKXXT+h + xvTYkTdAboAZDWoQXNjriopSEoM5+Gfm14BkAwNa4yaR0n0bWghIlhczReBGdoCV + RZD7BbCku3PC41DtXV6TQ0/73TjEBOukSwdxQwvUsWOfkIKRSNhxi+fD9vwXq8SN + GXsFJM8l8p9BPVIFexjwKvbL7yHsSia56sU3teOofOmduCsDxX0OnbW8956mohjS + XgFKoStl3pFjoBanupbd6rufHfXlSvR7MMat588ujFH9LoVleXLbD3Dfk91SUNQZ + q213eswHchH8B6wvS4+nAcUG2geWg9wSAgqfID7jzKdUHZffUeOXlOxXNKwd2GM= + =tiUC + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/upsert-secret-dyndns-aws-credentials.sh b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/upsert-secret-dyndns-aws-credentials.sh new file mode 120000 index 0000000..f2ab471 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/upsert-secret-dyndns-aws-credentials.sh @@ -0,0 +1 @@ +../../../../apps/dyndns/client/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/upsert-secret-dyndns-aws-endpoints.sh b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/upsert-secret-dyndns-aws-endpoints.sh new file mode 120000 index 0000000..a7dc739 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/upsert-secret-dyndns-aws-endpoints.sh @@ -0,0 +1 @@ +../../../../apps/dyndns/client/components/aws-endpoints/upsert-secret-dyndns-aws-endpoints.sh \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/upsert-secret-dyndns-keypair.sh b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/upsert-secret-dyndns-keypair.sh new file mode 120000 index 0000000..698dca5 
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-client/upsert-secret-dyndns-keypair.sh
@@ -0,0 +1 @@
+../../../../apps/dyndns/client/components/keypair/upsert-secret-dyndns-keypair.sh
\ No newline at end of file
diff --git a/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/kustomization.yaml b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/kustomization.yaml
new file mode 100644
index 0000000..1c4c228
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/kustomization.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../common/dyndns/server
+ - sops-secret-dyndns-server-aws-sqs.yaml
+ - sops-secret-dyndns-server-aws-credentials.yaml
+components:
+ - ../../../../apps/dyndns/server/components/aws-sqs
+ - ../../../../apps/dyndns/server/components/aws-credentials
+patches:
+ - target:
+ kind: Deployment
+ name: dyndns-server
+ patch: |-
+ - op: add
+ path: /spec/template/spec/priorityClassName
+ value: prod-default-prio
diff --git a/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/sops-secret-dyndns-server-aws-credentials.yaml b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/sops-secret-dyndns-server-aws-credentials.yaml
new file mode 100644
index 0000000..2f9be8b
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/sops-secret-dyndns-server-aws-credentials.yaml
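Review bot: The first `resources` entry points at `../../../common/dyndns/server`, one directory level shallower than the `components` entries two lines below (`../../../../apps/dyndns/server/...`); from `clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/` that resolves to `clusters/common/dyndns/server`, whereas the client kustomization earlier in this chunk takes its base from `../../../../apps/dyndns/client`. Unless a `clusters/common` tree exists (it is not visible in this chunk or in the part of the diffstat shown), the build fails with a missing-path error and the server Deployment the patch targets never exists; the likely intent is `- ../../../../apps/dyndns/server`.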
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:Xr90K3nB8Zxw2oLWsVoVuuuNBXo5w3+h6QB8VQ==,iv:+aMlngggrcMl4iftkA/Bokj2DlA1cq7PTE1mz963sgw=,tag:yM5ahmvDCvq2b0jNQbH27w==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:YEksluI7AcDgexyNYWiOM3inoZmvvUOFPEjUFQygi8RpHeoIJFF8DyoKlewJuSaD5R7M3xlJeVw=,iv:J55cGclX4jU9tkS0TnwmXsSMUnCZaCAOPIUPRW6R0JY=,tag:6/+7Me7rUO8+SkqPejJvSQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: dyndns-server-aws-credentials +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-06-28T13:08:25Z" + enc: vault:v1:/5rBAPrDprPpdYe02rfZ08R8ScBubxMnRm/jijoYOMOXMQ+ZGMMmPUXiYdrjJpU5NTo47bdXM81VGpaG + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodG5XdDF3Yk9lZ0ZJYlA5 + L0svb1Q4WUZ2T09rY2hCTFBMU0xyR0pqb1hrCkR5NDlyd1duM2ZyT1BUeUpkZHRv + VzJwbjF0L3BHQTE0MDhCNFZ2eXVEU2sKLS0tIFc2ajBSTDN4WEorTmxaWlpqVW9S + L3NBSVBvYjhkbTNzckZpb0twMHcySmMKyEE2ZeI+V9vdZgoGfeacWO9FRcARkxMZ + HWUy4gHvyHyXLfLfbhEpyL2aoKNra+JbzrnRivXwmQcIbf9/OzO15g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T13:08:25Z" + mac: ENC[AES256_GCM,data:E93c197zEuAgozpC+ADQH+50BISwD11RR1U6qrdUfWm/W6HlEQr1Aklxdhws/7sgKRn4+uNLcDRY4gqEPbbe5qmB7bcFia/cHrUbryekR0AuOSYN602k2mvAyh0jvLsUveLFLLRk4ll1BBjiWOs9XnGGogoQ/CoUw0cNgy8RjVI=,iv:zaCjzDOZwUmVP/+d2nuDAWPEdTRT+zWV0C3AOuMzDW4=,tag:55dndu7dlc791kDGhzpPmw==,type:str] + pgp: + - created_at: "2024-06-28T13:08:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAlZfM6A0qw45yq8DeVab7s8Q9bfnYhJ3w5tbk0h3+hEHL + sqGOIQ7yEBfmFw/lKmb9OTsVAmhmZdBA32PS3wIw6I7GgD4/oU8vdjFY9b/cUx33 + 5ZbJ1QcHS0aajX49d/0RzIMD95DRoXJfhOdgzV/SfxXk2Fb6tJZbeAk7P26FhLKl + y7lRkEAVsZhpsiMfc8ytgYQZkZAAn7oULIfnb7NuiZfQ/414vAmIHP6FyZCEsqua + 
fy0QHB5W3cC8H7pNdBAXLUGLOLISHvU4GXViA8+qGdaJ/t6z5nL/DHiPx2GQf5NL + riY3nFbDeEtDoMQvDFEJSCaiyIetVheBaL5YtWsykNLCHbp5O8+foLto2jsIrSqw + dY0G3YwPId86F5815lbb3Yjk2fd1re3TweuLjkN6bOoKgVcvh04GW5oxZZevNGPo + ygRmvWnjoSqbXb+9jq2XOshCJgbrLF2YC3wZrLH/BPqdJ40dKHWWsrpSM1wdkFZk + W5BV2QF2e2yHkieGkzy3bjU7BMhc0YxE8oK8hAgGKD30my9vi4tLWXxtkSJtMfn1 + pKGlyuLDlA4RW+YWNq2isEu9ovVglJF73688sFxQi+dyVYQNXVMlzR0E1p11R7LE + /E/mimp0aWpJ4Zb4IThDo4rRxQ5DKLsJv+Twm3G8PNz6N6xqEXlJ6jq58Moa7oXS + XgGq/KyymLIxelRz/dgN8DxA0zTBoNGHG6W1CcmB6A5gHvR4aS/D3cZW7QjFw66r + vKfaZfyKHvnZj1TZieiRffoKYgN6fVNPbn5A96thsdnT0gvsaMujXlW2WDN4axA= + =P6lZ + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/sops-secret-dyndns-server-aws-sqs.yaml b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/sops-secret-dyndns-server-aws-sqs.yaml new file mode 100644 index 0000000..96f644d --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/sops-secret-dyndns-server-aws-sqs.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + DYNDNS_SQS_QUEUE: ENC[AES256_GCM,data:ZLEmtCiegTTn8FpgZDAqUsgO3Nbm6UI2eQSBTPodGtsq3Lo0abLPGDcqnAUO4YgvC6JQrMNdw7lKjhZYYQ2L3GEI3EieQP0jSz1IVmUIl3k=,iv:i8L1fW6FOf+/502P4jGl1sESq9wqKkzQ+Ff6ZlZASvI=,tag:gAiy30MpTBApV0PCNY8/0w==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: dyndns-server-aws-sqs +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-06-28T13:07:24Z" + enc: vault:v1:cxq9P9dMejS6J6wBuBshMxI4N3ZcCerhxkWBjLyyoWyuAZRMrBCuvt8NuUQdqZ4ulM1bXmng5slx5X+K + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMUQ2RzVqWnByVzgvb25q + bVJRNHV5MGViZTg5dUJrOFRLWWc1NjR0VWowClZKZ09IS1U3d3hDZUdWaXhoc2Fj + NzI1TlJsU3dXNFI3V2hyZ3h1a1NucEUKLS0tIDRtVVZpTFlFVkNLeE1rbHdlN0Ex + aDN0aWw1TTV4TGxoU1dLU0dpcVQ2QkkK8pmQopynEyaoUXQhqEKGkmiMvuPW6bAd + XJW3OLRe9yO+9x6+E46Td88lB0qYZk5g/bfPk/0jyOvdEaVNcQtguw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T13:07:24Z" + mac: ENC[AES256_GCM,data:RX2erHJgMGpM5COtAoL3EQywkk66bXKhxpanhbwD9aB+umFJ8+8IGJadDy3QCcmYQWh8HQnZv39RxOXKfOLN9eQFpctiLFhXwKumOPRSztsaAX37R1wHX/Nr9xJLi+4iFCDSCZf9FW2RtqxPR6DkZVEwcEHGTzv9K+Dl9uGNTJI=,iv:GgZTeZNr9zpZvC4NuIATJYR1b+bmMjZd2Xk1vJ8ENyE=,tag:hTaC1qLHXX1/fcRBICxn6A==,type:str] + pgp: + - created_at: "2024-06-28T13:07:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ//UnbkvAc439Gt/yeHFugbZ8ZgE/SD34Oxpcln6zx2Y0U8 + 6F7DQ93Qf2KNpFjvLCdPZUlT5Z8UZMREIXX60LcybwhS3QOBUF3MdNvvivqypxM4 + YpCvQdp9CY4+xmhNuaI6aOWS/l3km6MqSOwB2UiwRzMDj2OlsiodaI03WH2qHaHc + TOaguTLPAJNxsZQyzgP4fQvtLw/qGjFKn9tjBw2J1MDOQG4OuxZhNiF07crSybOA + QDBVjr+5V5vRnN2ewfgzAsrjO8FZdbYbsuf1rjfZBkghuaoGB/THv0iCZh4kZM8U + P+mY/A+LQmfIoTNAuvZwpn09qQy/DBC4AKoIfiYJK94J6OhpiIa0jQmvXUQuoYto + 
ndlg4QUDg2PbrEzjuVYDJJFKDnhKkG0SERUkqZySqIYcdFquxizMhZWfv0LAdVyW + rW3DN39yaHUrBBNf9zQ2ZAc9l+DSHQHaRAeVpsZFo0xlgT8RuZ2ok3xD1RnNfRmd + REdbp4LUnFVAv/l6kAlA4+Z2ucrbDlF9mGVBmjFZqupTG0OvOmuC92N93aoTSi/E + NVBes9Q1JgJq36a25W5plj7QXMIyahtw1kn2QFxQEeACSIzH9NVKftFYmTlwHgCg + +D5XveVwYCW7KDrGo0e0kGiFsLh9HsNNEqwwASz7M0OPq4yjwynlIxfBKtV7+X7S + XgH2B9kONaNHfTIECAYR/9ZLizECV8/guu7BxOCeaHfiJgRqQdjuM4hRHT37D25y + 85BBdMVzaC8JPeKzO7QwsblWNYujxXggJpJzQ78qlGkk76+GNH4j3+WTxC5SLzI= + =q5B3 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/upsert-secret-dyndns-aws-credentials.sh b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/upsert-secret-dyndns-aws-credentials.sh new file mode 120000 index 0000000..1fd71d5 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/upsert-secret-dyndns-aws-credentials.sh @@ -0,0 +1 @@ +../../../../apps/dyndns/server/components/aws-credentials/upsert-secret-dyndns-aws-credentials.sh \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/upsert-secret-dyndns-aws-sqs-url.sh b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/upsert-secret-dyndns-aws-sqs-url.sh new file mode 120000 index 0000000..3506305 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/dyndns/dyndns-server/upsert-secret-dyndns-aws-sqs-url.sh @@ -0,0 +1 @@ +../../../../apps/dyndns/server/components/aws-sqs/upsert-secret-dyndns-aws-sqs-url.sh \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/dyndns/kustomization.yaml b/clusters/svc.ez.soeren.cloud/dyndns/kustomization.yaml new file mode 100644 index 0000000..9cf0a11 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/dyndns/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: dyndns +resources: + - namespace.yaml + - dyndns-client + - dyndns-server 
diff --git a/clusters/svc.ez.soeren.cloud/dyndns/namespace.yaml b/clusters/svc.ez.soeren.cloud/dyndns/namespace.yaml
new file mode 100644
index 0000000..d266f22
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/dyndns/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: dyndns
+ labels:
+ name: dyndns
diff --git a/clusters/svc.ez.soeren.cloud/external-dns/kustomization.yaml b/clusters/svc.ez.soeren.cloud/external-dns/kustomization.yaml
new file mode 100644
index 0000000..b385b02
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/external-dns/kustomization.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: external-dns
+resources:
+ - ../../../infra/external-dns
+ - namespace.yaml
+ - sops-secret-route53-credentials.yaml
+components:
+ - ../../../infra/external-dns/components/istio
+ - ../../../infra/external-dns/components/common
+ - ../../../infra/external-dns/components/aws
+patches:
+ - target:
+ kind: Deployment
+ name: external-dns
+ patch: |-
+ - op: "add"
+ path: "/spec/template/spec/priorityClassName"
+ value: "system"
+ - op: "add"
+ path: "/spec/template/spec/containers/0/args/-"
+ value: "--zone-id-filter=Z00955223PRL0JAAO3BHR"
+ - op: "add"
+ path: "/spec/template/spec/containers/0/args/-"
+ value: "--domain-filter=svc.ez.soeren.cloud"
diff --git a/clusters/svc.ez.soeren.cloud/external-dns/namespace.yaml b/clusters/svc.ez.soeren.cloud/external-dns/namespace.yaml
new file mode 100644
index 0000000..0809309
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/external-dns/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: external-dns
+ labels:
+ name: external-dns
diff --git a/clusters/svc.ez.soeren.cloud/external-dns/sops-secret-route53-credentials.yaml b/clusters/svc.ez.soeren.cloud/external-dns/sops-secret-route53-credentials.yaml
new file mode 100644
index 0000000..cb7d842
--- /dev/null
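Review bot: This Namespace carries no Pod Security Admission labels, and the same applies to the `external-dns`, `httpbin`, `imapfilter` and `keycloak` namespaces added on this page, while `grafana/namespace.yaml` sets `pod-security.kubernetes.io/enforce: baseline`. The workloads in these namespaces run with whatever the cluster-wide PSA default is, which this commit does not show, so the enforcement level differs per namespace for no documented reason. Add the same two labels (`pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/enforce-version: latest`) to each namespace, or a one-line comment on the ones that intentionally stay unlabelled; note that `enforce-version: latest` tracks the API server's current profile and may tighten silently on an upgrade.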
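Review bot: The first patch op sets `priorityClassName` to `"system"`, which must name an existing PriorityClass; Kubernetes only ships `system-cluster-critical` and `system-node-critical`, and the keycloak kustomization on this page uses `prod-high-prio`. If no PriorityClass literally named `system` exists in this cluster, the external-dns pods are rejected at admission and Route53 records stop being reconciled without the kustomize build itself failing. Confirm the class name or align it with the other workloads, e.g. `value: "prod-high-prio"`.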
+++ b/clusters/svc.ez.soeren.cloud/external-dns/sops-secret-route53-credentials.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: v1 +data: + access-key-id: ENC[AES256_GCM,data:0vFHWf/cECW2I1M10pS2swJV690E9wCTUTTpsQ==,iv:joF/cIYErSgA+kqg8iyQPYabU21MD8nEySBnBQP3G9U=,tag:fYPAHQNB/zdpHBwa4YYS3g==,type:str] + access-key-secret: ENC[AES256_GCM,data:PEvMM54EouBSbkY0vIPHage4rYPQXfXk/B/3WXBgLnwetZ2MfI7gWV2EA5ZxKC++IUTB/dAFQcY=,iv:w0IReKlP2hFRO+I9JvLLxTEwPhDMLaalMv2+EGoWjhs=,tag:ZVMn6/ffhmpvaTAnttE9GQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: route53-credentials +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrYzVmSWNHRVhRMTRLQklD + TEM2NW9pcHozN1p0OVBjZ3hZbU9ZRE9RZ2t3CmlWMkpnK3AzdEhvTlFjQURQelB4 + UTJwbmJzYzlrcVpORXZMTWlqa2pVVVEKLS0tIEZlRG93b0xiM3JZZC9TWFFWUGp3 + UW9BY0FjTVYrRm90RlBGdUhnSk9sWDQKtjKB2JNPLHAnHYo3hSQs8NlN7aQlsROY + 2n0TU8PjmSvYM92xjgHCFdAFdb6cGMErzLyfHiPq5KD3D3arCUI7vA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-22T14:45:34Z" + mac: ENC[AES256_GCM,data:glr6Z/+EmcEMYWaEyCdjexVgk2u6Y8Vgez7H4Pe2YIOx60+KiJFZtruOpHcTDh1B+fsXjWlGuE/nybOvY9xix9NLSBdmk8fowevKs8ll0qsu5t9isuhtP2BdqRVS2ikQ6L3LsYI9cr60p5MjiTS2gCQc5jluB+/+i79sYFU0fe0=,iv:54KhQYOmlWPahW3FdKMUzaGEDh5ODCNgSc/Wi3cKrto=,tag:qoK48durlCLHxfBd7reanA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/external-dns/upsert-secret-external-dns.sh b/clusters/svc.ez.soeren.cloud/external-dns/upsert-secret-external-dns.sh new file mode 120000 index 0000000..a2591e9 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/external-dns/upsert-secret-external-dns.sh @@ -0,0 +1 @@ +../../../infra/external-dns/components/aws/upsert-secret-external-dns.sh \ No newline at end of file 
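Review bot: `hc_vault: []` and `pgp: []` leave this Secret encrypted to the single age recipient only, whereas every other sops file on this page (the dyndns, grafana, keycloak and imapfilter secrets) also carries a Vault transit key group (`svc-ez`) and the PGP key `875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637`. Its `lastmodified: "2023-12-22T14:45:34Z"` predates the others by months, which suggests it was created under an older rule set and never re-keyed. Any decryption path that relies on Vault or PGP cannot read these Route53 credentials, and losing the age key makes them unrecoverable from git. Run `sops updatekeys` on this file so its key groups match the rest of the repository.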
diff --git a/clusters/svc.ez.soeren.cloud/grafana/grafana.properties b/clusters/svc.ez.soeren.cloud/grafana/grafana.properties
new file mode 100644
index 0000000..87c7881
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/grafana/grafana.properties
@@ -0,0 +1,6 @@
+GF_SERVER_ROOT_URL=https://grafana.svc.ez.soeren.cloud
+GF_DATABASE_HOST=dbs.ez.soeren.cloud:3306
+GF_DATABASE_SERVER_CERT_NAME=dbs.ez.soeren.cloud
+GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://keycloak.svc.ez.soeren.cloud/realms/myrealm/protocol/openid-connect/auth
+GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://keycloak.svc.ez.soeren.cloud/realms/myrealm/protocol/openid-connect/token
+GF_AUTH_GENERIC_OAUTH_API_URL=https://keycloak.svc.ez.soeren.cloud/realms/myrealm/protocol/openid-connect/userinfo
\ No newline at end of file
diff --git a/clusters/svc.ez.soeren.cloud/grafana/kustomization.yaml b/clusters/svc.ez.soeren.cloud/grafana/kustomization.yaml
new file mode 100644
index 0000000..14b9ef3
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/grafana/kustomization.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: grafana
+resources:
+ - ../../../apps/grafana
+ - namespace.yaml
+ - sops-secret-grafana.yaml
+ - sops-secret-grafana-database-mariadb.yaml
+ - sops-secret-grafana-oidc.yaml
+components:
+ - ../../../apps/grafana/components/istio
+ - ../../../apps/grafana/components/oidc
+ - ../../../apps/grafana/components/database-mariadb
+patches:
+ - target:
+ kind: VirtualService
+ name: grafana
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - grafana.svc.ez.soeren.cloud
+configMapGenerator:
+ - name: grafana-config
+ behavior: merge
+ envs:
+ - grafana.properties
diff --git a/clusters/svc.ez.soeren.cloud/grafana/namespace.yaml b/clusters/svc.ez.soeren.cloud/grafana/namespace.yaml
new file mode 100644
index 0000000..d99bccc
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/grafana/namespace.yaml
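Review bot: `GF_DATABASE_SERVER_CERT_NAME=dbs.ez.soeren.cloud` is only honoured once the MySQL connection is told to use TLS, and no `GF_DATABASE_SSL_MODE` appears in this file. Unless the base `grafana-config` ConfigMap this merges into (outside the page) sets it, the pinned certificate name has no effect and the connection to `dbs.ez.soeren.cloud:3306` can be established in plaintext. The keycloak properties on this page enforce `?sslMode=verify-full` for the same database host; the equivalent here is adding `GF_DATABASE_SSL_MODE=true` next to the cert name.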
@@ -0,0 +1,9 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: grafana
+ labels:
+ name: grafana
+ pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/enforce-version: latest
diff --git a/clusters/svc.ez.soeren.cloud/grafana/sops-secret-grafana-database-mariadb.yaml b/clusters/svc.ez.soeren.cloud/grafana/sops-secret-grafana-database-mariadb.yaml
new file mode 100644
index 0000000..95f6408
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/grafana/sops-secret-grafana-database-mariadb.yaml
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + GF_DATABASE_PASSWORD: ENC[AES256_GCM,data:sFm5VKC+ffU4Srn7,iv:Yd0Gj2w2NVBwmwGfEOJgeTfrVcgxK3Tl88xXwC+W1MQ=,tag:WHX3gP+U6Uegw8AHNJlbAA==,type:str] + GF_DATABASE_USER: ENC[AES256_GCM,data:lwRLz+Q2Hqsmrhez,iv:4UqR/X/bkx+czJcef7Icy4flGB2ivlQ4GBjjmUl1B1U=,tag:4P/QhpAltmO9SCJcggVQPA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: grafana-database-mariadb +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-06-28T13:26:44Z" + enc: vault:v1:3Zn/kLMFO15XnBLpGYIRCIjq4s7bj34z60M5MfWtx9t6z8WH7RVkQL1IzoPGIe+AccmRQCM6IfrYqO67 + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjOUtWTGM4YnNaWmJuRlU0 + MzZLanBpbnpCdlR2cW1OdkQ4YitWdjl5NWpVCnRJbG5DdjVmVG1JU0l2czl4K2Vk + N1hWVjRPTnBZOExibHpuVkVGTDhoVDAKLS0tIFB6NVQ3UE1RMG5CdmtMTCt6dDJm + YVlISWFONit1b2VIOEt6MnpnM0J5WE0KLwlOBxMaKdaGivfgdRl3sjEa7NmI1ruE + rIxA1ewPsNeutNWoXc0tOuxafAP5SYLivJ342TF0i0ke5udCCywp6Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T13:26:44Z" + mac: ENC[AES256_GCM,data:tHotHOgm8Z8600VuiHCs6oXFDvUDAG2lHjVK2IwaHqbQ1NumsZy5zVb2uc1s64WkKvdSpMAudKgZG45LrheYJQcTptynEw7yb15/Xpa0ZN6WA/mYWnJUx762yOdfKoDl6vKoz1bgjBCgyw2hnzHeZOe+0tljVdnERFsPJPs/oMQ=,iv:6B4RpZk853ktIxAxXEldOT7LvssfcgiJw1hLU0W7Nkg=,tag:ut1adIcjLhGqEgw4kQ+/oQ==,type:str] + pgp: + - created_at: "2024-06-28T13:26:44Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/9Glx3XWcdHvm7r6tzQL6mV21I0Giu/fghe79SBB9z8ozM + 0L6ikLaZfy0xgKVxb5Dwlo2QIdZKK6ZWRNn/WPJPodgxIUOR4C883VyJ/LY5E+VD + JZLtCcJei1GqCTCRbmb8dD/YiRd6cMGuc4FZMNbzzP9UloA8vtLD2u0bn+ehGxo3 + k2DtdLJz26LBz27TnTPL+Jsf/nWQYJyMEN64u0awxFmNOWs5O6oqahLIbHhPO+rG + BN6OSBZwvyEfr91X5KFX2On3w2E6NtZ26n+SU9+IigB1Oa/duowTbCXl0YHmDTLm + 
j+iBP77ItfsPaEYQ3jY3RouZuBZJMT/GlMBMKM/dhHIDocax9wyMNO+O9TXnghFx + ULHaKUJ+7ZW73MdYBdxkCBs35zaGS8W7q6uw5u+KCeYHq0K4ZJ4lPXiGFg5KGvBF + W4wRJ6zKKUdKCktaa3bFPmS74gfadaIRnZx82+kwqXGdGlhRKQNydfni3dEDw4Qm + sp1QBbZqI3W8Q1jZpv+nILv2tkDXKloDgNOxBD8aI3djjT3zjHOSVAoylsOYf28J + 06g3relyVNBC9zATy7eO04CR0UnBvNb9PnCx1q8EH2b/GErjDIwiIe2rB1DnrJD6 + ByYL3raix00qSpGOl982p9hP77wbYqsskOMLiCOk41XCTzgBxsIvWIo31/VFK2TS + XgGrXtqo52PYdwDQ0GTPtIG390Ign/kD2KfmJoXdZDSxaApo6OKkm+ul6djL4eOz + uAPdws7eowphWKNCrt1Byz1tp9+g0ZY/+WKfFA7VPdJ9gbCpsT5+7sGIw+nkDlU= + =EJVR + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/grafana/sops-secret-grafana-oidc.yaml b/clusters/svc.ez.soeren.cloud/grafana/sops-secret-grafana-oidc.yaml new file mode 100644 index 0000000..ad33250 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/grafana/sops-secret-grafana-oidc.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + GF_AUTH_GENERIC_OAUTH_CLIENT_ID: ENC[AES256_GCM,data:s8j8WqyBtLecv9GV,iv:o1d8A//wWJR79H7hi6QfetTwsbHxgQeR8oWJKF4KbAg=,tag:we7vc2wmXGNhXD3vYCwWBw==,type:str] + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:ZY40/Sk5W4ELu4NdOdxY+Hhnpta+nByl3GlY+Wjt8t/5/E8V4uswB5NrQck=,iv:WG5O4TzWePsnfLkopp43gkLa6ElBSzD8OschxSNdO2k=,tag:mllPMS7ADo7QihJUbzfgmg==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: grafana-oidc +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-06-28T13:26:09Z" + enc: vault:v1:lHFTKi0vSf+UJpccy971urB8KNh9dSg98CFd9TSSXYRgDMPDdxuNieGtMeLtWAmamnLNyHUaWmjYLNG8 + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSEU0bDR4TFc3NFZsQnAr + WWxjN1pGRHhoakZiOEJ6by9NMFBTTTI5Y2dnClNUenpOcGNmUkxndUhMZWlrdnpK + cWZyK0JpTEh4bGovSlNqMGY5QWVhem8KLS0tIFduTlJCZzFGYVBYSGcyc2U5UEtD + aUVkblJqMVg2QXEvNWNzaGRneTBuTUUKloZ7gwXxVImuFkgQcc21yvGb4TNQ/BOO + mvraL4j6CFrIB9889ZV3PROtjR2ZujdYWaEWLNqfFU2jspVT6DY/PQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T13:26:12Z" + mac: ENC[AES256_GCM,data:IKY5vV0C1u6Xu8aEB+4abwxto8o0aMYkj51rUSfpa2/rbViKjPsTs9IL/GjG9lQJzFa7Vg1Wrkg7X6i7tV+G1DPVj1eRc5dXT42k1URJXI8VTv9HgaCDYke8DS4jQlA/5kIiB8B3bua/TqLJf4eH0ifkvzDV3Q0JoDq9J8CAs9M=,iv:hOLrjqKuLqBeUVAHIZIo7P+wjWCB6co7j6l134uxuBE=,tag:NHI9hsdX+y4xg/4S+WFUxg==,type:str] + pgp: + - created_at: "2024-06-28T13:26:09Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/+Ioxx8EDyDieNZHqEtzVG9imHSKLcRTuS1N8iI3tRizub + xqfZw+myKyrzB0hWtpFOCNpa0duCmwIb9nt1ByqPZk7ZMQIg/Y27L/1lAAgUFsaN + ZpCaOaPZFcLj3mwJOJn8VJqtPTj18H0XVON+7+E4Ig64xP5uxCnejliXuzm1HNrW + 7trqG9iDPWSPe3ZfuZp/o6mD/Mkx1rDied0gM49knuPJS/1ecy5QjkggHL5CdikN + 
4h9KT+aUSTdMQAOD2iGK9ck8QuFkoW8E2izO3tptJgr3KvDCYhY5jmVfTe4L/4D4 + iOLGd43mHNQUuPRed5BBAk35fGvCykZtUL/Do2l2KPvfKUTMkCxCsYNmgrCR/S3V + qEQpbAozyda0kvKzUZrfV8h6amBXVRXzwbtZPxLMlGdS+tVZ2SqRMWPpVF8uXOPT + xZXPhbFvmmLiWYiObtlBA/zJDMWY9SVcBnWTRDnmY5//TTIU5JNcpRj7XlkhRgbq + F8UnS1cU7lcrAV3E7Wp2IrblX3adYuCivsav2zJM+dN9S414DX/cnXphVrtDjIzN + HvvQOvKXxRG1ARkuQWl7ZaMlWKWqMKHDhr6zn7Z6R+HLaB6riahuJbN3a2hd6TW/ + APu9sD9TIQa3iecL3Ys1hZtzzUp+GFbLo7WoLXQpkr3gCrLarp4mkABD0PcxpKvS + XgG1HDMxprZ9zSQKsIOm62N8S3yDX8t7OkxhtIxF5Szfskc/cC6qlMk+7taCY1/S + JRl41RCQMmB5cLMJREJuaFb8JoLfC6YtZsvg7mc3gjik2K8NWc+xikCf9UCmveU= + =cYqM + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/grafana/sops-secret-grafana.yaml b/clusters/svc.ez.soeren.cloud/grafana/sops-secret-grafana.yaml new file mode 100644 index 0000000..65fa915 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/grafana/sops-secret-grafana.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + GF_SECURITY_ADMIN_PASSWORD: ENC[AES256_GCM,data:L/Y5cMUJAjlf/tUEXKUDACpAGnELm434eiV86pk/1NnnP8LNi1f3P6c6+vh4VUrIHrcXRL/j3XfeyZIk4994Qm0XyC4=,iv:obHwBdRDhFpwIE2xQMHVyDujllO1h/m+MW2RK8itIx8=,tag:jjP609xbi9fmyH8XcaeZQQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: grafana +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-06-28T13:27:12Z" + enc: vault:v1:I7doSLZdYkffw/e8z6C41CWsrKFTBznXYAPe11Tv65k+jeTdXiZgK3MalrvysESokhDyigutgt7MW6rx + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAza3dUZktIdXRHTDVETDdK + cGZzWlQ5L1dhMFIvYmUyekVaM3FiVnRVcHlBCmVuc3QwVW5sdS83SFQrUDZoV2FF + emxVZmcwTTB3M3g1N0Y2SE1xWjdWbGsKLS0tIHFYaG1TYkpEbzYzdHkySENiRFNH + b1ZzUmJhU01QMDRQWC9rVDUyYk9na1EKizeRDxmo0R7qZAeXvWyC/fmr6mboC8y0 + qx6arZgYxd1uEhynIwmxwDLzCQqqteZpOcqDiGw9Uehq4JuvTaduWg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-28T13:27:13Z" + mac: ENC[AES256_GCM,data:SrPesHO3JarEOKpGlr66WUbsamnLKAz7RvJznDuhdFB70s9WA3rzfci/2v+gfEqax6zelhYJ3t8GTAtHwkKcGIU/nq/ZOMBLb+nIgdBb2+64aoc6tC/MvPiBTFomqH3Wjxos0035egnN2hwe9hsIULb6WkmWN/ya41RnYQtJ+c0=,iv:cm1K0GEp5W0c9Kyx4d5fOXabgbP9dHJuvLu/A3CJLXU=,tag:xEzTMR+RERxBbuxeYlHd+w==,type:str] + pgp: + - created_at: "2024-06-28T13:27:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/9FMb09cqxlxzTlIq/TsFvobCM/wH1HOcM7usgE6n/5yZD + o6ewDhoamDK2gB7opjOLQsE0KpWFzXwFa0Q6eBhS47WlaRNW1CBkZOD9MeIltdQu + QZ72FM13f5F/r2NGxK61yNq6czMHdq8w7WFUaFj82Y2STcWl9XeVS0CvwnCqaTb3 + UFKnM/+wL8L8PeUQ7SjnuhlgNbYVIbZ7mgHXhQ4qrIVcfI0Xub32h8zPNxlCQ8Y9 + wY8+ErZY4F2t9WmIgrwLyOsxI6+C/QjL//wPZ/S9b6kRqP1ATf2qsqYblBQQ3aR3 + wK2qNBGpchHHoZDTl0rPZ7/gJDZYBHqNNkXgjXUQfprKTelBD+HwtPWuKE2Cu3IX + 
0fGqma1qrnC0ARXZ1Vg1X4qfswrH+zotlaFoqdMx6D22gB9m5RG+h3xsdiekwJEv + u0lPSumHDUa1Y1NK3x1KrQWBmAh8cWLEsD6ljiFGrh4BLy5Q4BhUPnVTl3Dgcet3 + EeE0jGD8mm7N50SnAJNDCZKqCUSJJ2pXo3GDSCGEf9+Be1t/2QfWI0KHPbcve24Q + +oeIXIPOMOkD7TP6WG5GEcQveiwmcbxgLfqzfxx2OSdjfCOxR08fGLsRJKlrpWOn + baqacizlABBI2FjW+tndLTlJFMOo30hrXs80CUU2mzH4LUn/pU0RkAeeBQoHsVPS + XgH33SspHCyii+43cWKVIj8HOXuiT3Y0Aavqj7CPedJfsM/H3d2lL7K0v1KaDkaw + zdMUA59dvmHI7j5HMnq27JAT0cinA1cDwqEh+uTOqyDdsLh48UuE3Ci6kom8ESw= + =RtE+ + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/grafana/upsert-secret-grafana-database-mariadb.sh b/clusters/svc.ez.soeren.cloud/grafana/upsert-secret-grafana-database-mariadb.sh new file mode 120000 index 0000000..8c7c8c5 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/grafana/upsert-secret-grafana-database-mariadb.sh @@ -0,0 +1 @@ +../../../apps/grafana/components/database-mariadb/upsert-secret-grafana-database-mariadb.sh \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/grafana/upsert-secret-grafana-oidc.sh b/clusters/svc.ez.soeren.cloud/grafana/upsert-secret-grafana-oidc.sh new file mode 120000 index 0000000..6491a5e --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/grafana/upsert-secret-grafana-oidc.sh @@ -0,0 +1 @@ +../../../apps/grafana/components/oidc/upsert-secret-grafana-oidc.sh \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/grafana/upsert-secret-grafana.sh b/clusters/svc.ez.soeren.cloud/grafana/upsert-secret-grafana.sh new file mode 120000 index 0000000..5833c2b --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/grafana/upsert-secret-grafana.sh @@ -0,0 +1 @@ +../../../apps/grafana/upsert-secret-grafana.sh \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/grafana/virtualservice.yaml b/clusters/svc.ez.soeren.cloud/grafana/virtualservice.yaml new file mode 100644 index 0000000..b244d10 --- /dev/null 
+++ b/clusters/svc.ez.soeren.cloud/grafana/virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: grafana
+spec:
+ hosts:
+ - grafana.svc.ez.soeren.cloud
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: grafana.grafana.svc.cluster.local
+ port:
+ number: 80
diff --git a/clusters/svc.ez.soeren.cloud/httpbin/kustomization.yaml b/clusters/svc.ez.soeren.cloud/httpbin/kustomization.yaml
new file mode 100644
index 0000000..f7e08bb
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/httpbin/kustomization.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: httpbin
+resources:
+ - ../../../apps/httpbin
+ - namespace.yaml
+components:
+ - ../../../apps/httpbin/components/istio
+patches:
+ - target:
+ kind: VirtualService
+ name: httpbin
+ patch: |-
+ - op: replace
+ path: "/spec/hosts"
+ value:
+ - "httpbin.svc.ez.soeren.cloud"
diff --git a/clusters/svc.ez.soeren.cloud/httpbin/namespace.yaml b/clusters/svc.ez.soeren.cloud/httpbin/namespace.yaml
new file mode 100644
index 0000000..d1525ee
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/httpbin/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: httpbin
+ labels:
+ name: httpbin
diff --git a/clusters/svc.ez.soeren.cloud/imapfilter/kustomization.yaml b/clusters/svc.ez.soeren.cloud/imapfilter/kustomization.yaml
new file mode 100644
index 0000000..20f13ae
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/imapfilter/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: imapfilter
+resources:
+ - soeren
+ - namespace.yaml
diff --git a/clusters/svc.ez.soeren.cloud/imapfilter/namespace.yaml b/clusters/svc.ez.soeren.cloud/imapfilter/namespace.yaml
new file mode 100644
index 0000000..7c5c1b7
--- /dev/null
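Review bot: This standalone VirtualService is not listed under `resources` in `clusters/svc.ez.soeren.cloud/grafana/kustomization.yaml` on this page, which instead patches the VirtualService supplied by `apps/grafana/components/istio` to the same host `grafana.svc.ez.soeren.cloud`. As committed it is either dead or applied out of band, leaving two definitions of VirtualService `grafana` (gateway, route target, port) to keep in sync, and a later edit to one of them would silently not reach the running config. Either delete this file or add it to `resources` and drop the `/spec/hosts` patch, and say in a one-line comment which one is authoritative.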
+++ b/clusters/svc.ez.soeren.cloud/imapfilter/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: imapfilter
+ labels:
+ name: imapfilter
diff --git a/clusters/svc.ez.soeren.cloud/imapfilter/soeren/imapfilter-config-sops.lua b/clusters/svc.ez.soeren.cloud/imapfilter/soeren/imapfilter-config-sops.lua
new file mode 100644
index 0000000..4e52961
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/imapfilter/soeren/imapfilter-config-sops.lua
@@ -0,0 +1,34 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:zAOec/WyHsOKtSR19OKtuGsiC/Oov8ptURCzrtrb4hQ=,tag:y/xumX3MvMkGaq0SonArkA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": [ + { + "vault_address": "https://vault.ha.soeren.cloud", + "engine_path": "transit/sops_kubernetes", + "key_name": "svc-ez", + "created_at": "2024-04-02T16:30:38Z", + "enc": "vault:v1:bvslIu3AGCk/1WQCUBE0ZZd/dDVA1ytar1dZGkRiEAutoGB7rPWTzU8qIgEsJ3JdBu6A/Ta2TZ8Mj/YX" + } + ], + "age": [ + { + "recipient": "age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU1lmR1VhL2ZQNE1yYWRv\nQlE3M1oyTFpvbStRMkI1Ym9UZzdSZ3phb1NVClVOL1paeGlhVVRicndLZ0diZ3Ir\nWmkvVXlxQnl2RVFFWWFweVVOQ3hLMjAKLS0tIGZrdkZwQktjb3I5cFVBRkVFOG82\nUmFEYXBnZ1pYRlRabzk4U1Z3SzM0YzQKX5qQ/3DWBedbrazZ/n/feHl/fDAchGsV\nq8jyP0hWweycFEniF18PRbVty7MNFM1jxPR57DetsHtOcEuLqgm4AA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-04-02T16:49:01Z", + "mac": "ENC[AES256_GCM,data:YnTu1fyuiO5uxtueVw9iufgJlOjcSWxDkbRmrovk/EIvfFXPeIZaz+YCvxQmTdHvq8Y22UX2r2OyMSZtUD+xFs3wkYWfWm0xqdj7cDpTD1nXvYGKi2DF6jA0xfDnz88wOZLXMs8389KwijjQ9HNcNhsFShckLZcJRANMn8n+8kc=,iv:/FvP32eiQmFHqc3UXdCZLsf9cj7DYWYDEhKJ2czr1Ds=,tag:3VuLX5JGG1svVVOlaVS5Vg==,type:str]", + "pgp": [ + { + "created_at": "2024-04-02T16:30:38Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA+/EGAve9YBkAQ//aNEkLFoG4DS7Takf0vwW3ygid7oJv9Bck9ZYwV7ZprXo\nctdYq57sC+hzIpPHCK6O79pZglL90REws9bSjcVdFQ0bgj4OLVA7IGSScFXyPbEC\n/vmgd5/BA5r32GA05C+S/xU9yl/lHrpmPe2Xj+WfuY1622aFplkru3a8+LP8ItqA\n5Rzwo5jqspo3v2xGiFZGlvgCgvUPIDjEmYmq/TkJ5KmQDB8UzTiD6Wb3kCmJ6ogO\nO6EcQsp3/eS8Qkbbcs+zm5NVCVa5jn/VBZqVb3YczpctiI+wRUSWjA8mZanW8+qm\n+EB3R1Jo5vnHzmuNInrAfdeonkOswwrvm6wnSoLA60SBbeP2erTBLoq5SpKvFNaB\nE1k4VjdK5Jo1pR9K1yA89XP5M8tH8z/z/AYLb5MipnqGnrAL4N2N6v9aFg1e0HSj\nTS2yUXusuken3PXJdIBWQXpSmwbpNgRB7m527Rrg6G7wZqGpfeJMIkowoEY5/RC8\nQS3kE/+vXevWcwWA5+OdDqSA5aKWZHsiYe7edqOwy37KqTajWVMAjyUDv7irFrT6\no6clHr30enhArhPNA2CtzCcDJn4uOzAkNovF3mFiSo/51jPPGgSkoBh8thzsl8X0\nd0vUUaibzdG4vj0W/n/PGcNGx2G/bcwQdU9HbiKwSYQFR19vBCpVTKz57JU4OI7S\nXgGrlpHJB3/5tvsCGn5/PKFVE/ZfpQmgKPCdZuZhBvccAGBBfj2bs7g4wNb8RJvY\nLBvfFihp5EoFgZCM1QT1VGzhnYcoJeUCnJ8t5KvXc/qoszDPhICIuUpgjtAZ4g0=\n=W01/\n-----END PGP MESSAGE-----", + "fp": "875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/imapfilter/soeren/kustomization.yaml b/clusters/svc.ez.soeren.cloud/imapfilter/soeren/kustomization.yaml new file mode 100644 index 0000000..0aeac6e --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/imapfilter/soeren/kustomization.yaml 
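Review bot: `imapfilter-config-sops.lua` is a sops JSON document (note `unencrypted_suffix` and the `"data"` key) carrying a `.lua` extension, and it is not referenced by the `soeren` kustomization on this page, whose `resources` list only `../../../../apps/imapfilter`. Its timestamps (`created_at` 16:30, `lastmodified` 16:49:01) sit just before the `sops-secret-imapfilter-config.yaml` Secret next to it (`created_at` 16:49:08), so it looks like the intermediate encrypted copy of the same `config.lua` that was then wrapped into the Secret — worth confirming. If so it is a second ciphertext of the same mail-filter config that has to be re-keyed and rotated in step with the Secret but is never deployed; remove it, or add a short comment next to it explaining why both copies are kept.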
@@ -0,0 +1,32 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../apps/imapfilter
+patches:
+ - target:
+ kind: CronJob
+ patch: |-
+ - op: replace
+ path: "/metadata/name"
+ value: "imapfilter-soerensoerensen"
+ - op: replace
+ path: "/spec/schedule"
+ value: "0 2 * * *"
+ - op: replace
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/args"
+ value:
+ - "-c"
+ - "/config/config.lua"
+ - op: add
+ path: "/spec/jobTemplate/spec/template/spec/containers/0/volumeMounts/-"
+ value:
+ name: "imapfilter-config"
+ mountPath: "/config"
+ readOnly: true
+ - op: add
+ path: "/spec/jobTemplate/spec/template/spec/volumes/-"
+ value:
+ name: "imapfilter-config"
+ secret:
+ secretName: "imapfilter-config"
diff --git a/clusters/svc.ez.soeren.cloud/imapfilter/soeren/sops-secret-imapfilter-config.yaml b/clusters/svc.ez.soeren.cloud/imapfilter/soeren/sops-secret-imapfilter-config.yaml
new file mode 100644
index 0000000..39635be
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/imapfilter/soeren/sops-secret-imapfilter-config.yaml
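Review bot: The last patch op mounts a volume with `secretName: "imapfilter-config"`, but `resources` lists only `../../../../apps/imapfilter`; the Secret of that name, `sops-secret-imapfilter-config.yaml`, which this commit adds in the same directory, is never included in the build. Unless it is applied by some other path not visible here, the rendered CronJob references a Secret that does not exist and its pods will hang in ContainerCreating at the 02:00 schedule rather than fail loudly at build time. Add `- sops-secret-imapfilter-config.yaml` under `resources`.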
@@ -0,0 +1,52 @@ +--- +apiVersion: v1 +data: + config.lua: ENC[AES256_GCM,data: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,iv:Lj23BcoSuHNruc5LJC8ENxa3Kacz6ysNMfgAn0LCGtQ=,tag:8E1K3x8KSf2M+sVgEMWjuQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: imapfilter-config +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-04-02T16:49:08Z" + enc: vault:v1:UB9l4DN7+ZNBW++PPgz3oVyEGWqCF7CjzmZ0rgblzSfA9LEydRx6xrhxcWGN0L+Dzvd2ZKK/SBStsXTJ + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByS09QcTVFU2JzSlRWZmF6 + elQzQ3NnbFI2dTc1aFBSSUJEejJteXRVcm1nCmhLUjltMWhXZDYvVnorSUVPV2ta + TnhrTVl6eTlIWEF4ZTFmbG5zeGJjWGMKLS0tIGZnOUV0NlkrbjFZQWczRTFwRFo5 + MmZ5b0Y4WGRna3hCRGZsam4rWmZiSEkKJ7GcpTiCBD6Q4U+UkNU4Atql0QlVHm2v + DZQiq5NDqYGexx4zdHL3r9IaJKqowmG7Q6Hzoun0PmGt+ZDWr6WoIQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-02T16:49:09Z" + mac: ENC[AES256_GCM,data:ICDMPPRxT33wK0zcGj8dHf6ucOdUJodPD5/qhGyDxWeSPUTp9v2pJWKjQgUOLFj9LGciLWHNHCOBe+uc1jfqjcxhaKOQAVOMQAAG55IGiI11NjhWzkkHXP0F4uakJHxhjmTzeNp5txB5VPevH0k9qj7ihfQ8jRnXL17L46oVkrI=,iv:ZTGEuGkmEk3UJu93WDTEgIlwacWymbwGUTkiw/dL+pE=,tag:fBoijF4AvA9e/GBkjCLUzQ==,type:str] + pgp: + - created_at: "2024-04-02T16:49:08Z" + enc: |- + -----BEGIN PGP MESSAGE----- + hQIMA+/EGAve9YBkAQ/+PEeVoLI/RNZP7QrbGlahw+SK+zBVh/o+Uz7gTwGz/v4m + TiUQZygV+VsaZWW0wCg/9HMGCb962oXO9igcyaOwGVYDC3KWLxDpJClDaLJAzzfe + T6K5WJmGJN/Ffd6ywWpglD4u0jMrOST9PU7ZkpQCV7EdvyhCvCQcZ82crxQg176V + Racp/17As0CsjleNHij8+yQf52Ama43qrN/XyFtcMK37M9FzkVnLCSLAGtJZWqnU + MV86hpamUlzFiBsFPU8AIASbRIxLsfEfq0vKcJDuxKU4sbkeZyHZqg1dzdYAycrw + oBkgOuhsGS4yOYmCtEWkLjZIIeD0tofxJv70YJIP6OQ+duthjmClGGWxeY3R6fzY + 6VTWiDRAV11epY+gykw7M4T/hNOgAxmdYI67OIV3JwFRJtJ+PRU8HX/UmfW8n3Z+ + 
3s3mOUSeLXzTUJZ0ll6/tNa197YBAEf1u1TuIQtPv/K7kEv3zD26NFQM1YNqMZx4 + AI2Ny10IZ/SyCXKaWxRKCRzMqvUtFsqWeTOx1GytO0FdQqmAVw0GE+nmW+IC59+y + oMPaCP92dmmIxMVLCSjjju1VOZERLqJCYsFSB9q420HXVPE63inX9LA0Te2MDF9t + TZBAZr59iumXczTVpRBF4E0A3TpA8DbmS81c99t6NGOA8aoCrXDTjXY8QFuYrKPS + XgF9iX8JavJJ89sMgHItSeTknUTvzUordoQabk6fT6ZTgPeu1Mslr3AM+7RC6hx0 + VjEbclvSNSTtB9HYsxpooZ6NtxOZNOEJiPlMZvmSTQkcLbG1xA6xEquUCn1ju3o= + =Mqbq + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/istio/certificate.yaml b/clusters/svc.ez.soeren.cloud/istio/certificate.yaml new file mode 100644 index 0000000..e8fc4e9 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/istio/certificate.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ingress-cert + namespace: istio-system +spec: + secretName: ingress-cert + commonName: '*.svc.ez.soeren.cloud' + dnsNames: + - '*.svc.ez.soeren.cloud' + issuerRef: + name: letsencrypt-dns-prod + kind: ClusterIssuer + group: cert-manager.io diff --git a/clusters/svc.ez.soeren.cloud/istio/gateway.yaml b/clusters/svc.ez.soeren.cloud/istio/gateway.yaml new file mode 100644 index 0000000..9dca3eb --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/istio/gateway.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: gateway + namespace: istio-system +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + tls: + mode: SIMPLE + credentialName: ingress-cert + hosts: + - "*" + - port: + number: 5671 + name: "amqp-tls" + protocol: TCP + hosts: + - "*" + - port: + number: 8883 + name: "mqtt-tls" + protocol: TCP + hosts: + - "*" + - port: + number: 9094 + name: "am-cluster" + protocol: TCP + hosts: + - "*" 
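Review bot: Every server in the Gateway binds `hosts: ["*"]`, which lets a VirtualService in any namespace attach to the ingress gateway for any host name, while the Certificate in the same commit only covers `*.svc.ez.soeren.cloud`. Narrowing the HTTP and HTTPS servers to `hosts: ["*/*.svc.ez.soeren.cloud"]` matches the served certificate and prevents an unrelated namespace from claiming arbitrary host names on the shared gateway; the namespace prefix also documents who may bind. The three `protocol: TCP` servers (5671, 8883, 9094) are named `*-tls` but are plain L4 passthrough with no host restriction, so the gateway can neither inspect SNI nor log which backend a connection was for — presumably the backends terminate TLS themselves, which a one-line comment on each server should state.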
diff --git a/clusters/svc.ez.soeren.cloud/keycloak/keycloak.properties b/clusters/svc.ez.soeren.cloud/keycloak/keycloak.properties
new file mode 100644
index 0000000..d4dc697
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/keycloak/keycloak.properties
@@ -0,0 +1,4 @@
+KC_HOSTNAME=keycloak.svc.ez.soeren.cloud
+KC_DB_URL_HOST=dbs.ez.soeren.cloud
+KC_DB_URL_PROPERTIES=?sslMode=verify-full
+KC_TRANSACTION_XA_ENABLED=false
diff --git a/clusters/svc.ez.soeren.cloud/keycloak/kustomization.yaml b/clusters/svc.ez.soeren.cloud/keycloak/kustomization.yaml
new file mode 100644
index 0000000..8b980be
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/keycloak/kustomization.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: keycloak
+resources:
+ - ../../../apps/keycloak
+ - namespace.yaml
+ - sops-secret-keycloak.yaml
+components:
+ - ../../../apps/keycloak/components/istio
+ - ../../../apps/keycloak/components/db-mariadb
+patches:
+ - target:
+ kind: Deployment
+ name: keycloak
+ patch: |-
+ - op: add
+ path: /spec/template/spec/priorityClassName
+ value: prod-high-prio
+ - op: replace
+ path: /spec/template/spec/containers/0/args
+ value:
+ - start
+ - target:
+ kind: VirtualService
+ name: keycloak
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - keycloak.svc.ez.soeren.cloud
+configMapGenerator:
+ - name: keycloak
+ behavior: merge
+ envs:
+ - keycloak.properties
diff --git a/clusters/svc.ez.soeren.cloud/keycloak/namespace.yaml b/clusters/svc.ez.soeren.cloud/keycloak/namespace.yaml
new file mode 100644
index 0000000..c2d675a
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/keycloak/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: keycloak
+ labels:
+ name: keycloak
diff --git a/clusters/svc.ez.soeren.cloud/keycloak/sops-secret-keycloak-db-mariadb.yaml b/clusters/svc.ez.soeren.cloud/keycloak/sops-secret-keycloak-db-mariadb.yaml
new file mode 100644
index 0000000..6770228
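Review bot: `resources` in the keycloak kustomization lists `sops-secret-keycloak.yaml` but not `sops-secret-keycloak-db-mariadb.yaml`, which this same commit adds to the directory with `name: keycloak-db-mariadb` and the `KC_DB_PASSWORD`/`KC_DB_USERNAME` keys, even though the `db-mariadb` component is enabled. Presumably that component is what consumes the Secret (its definition is outside this page); if so, the Keycloak Deployment will reference a Secret that the build never renders and the pods will not start. Add `- sops-secret-keycloak-db-mariadb.yaml` under `resources`, matching how the grafana kustomization on this page lists its `-database-mariadb` Secret.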
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/keycloak/sops-secret-keycloak-db-mariadb.yaml
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + KC_DB_PASSWORD: ENC[AES256_GCM,data:jLRXxGwNT08SB5FUciolUNhQvyUVrawZ,iv:nxLwQcdOPkvM/Z2rreC8nmIj4XRWacrEGSLNTVK6FfQ=,tag:aGNZzVdqMUnP0kJHDEw3Ag==,type:str] + KC_DB_USERNAME: ENC[AES256_GCM,data:p+yiGijuxNHTId8n,iv:PINuEX4QyDQbn0/I+GqGw5CSYIfqEectMOT1kzH+e1Y=,tag:kYM91T64bX9kg6CP2EhOIQ==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: keycloak-db-mariadb +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-04-20T15:30:26Z" + enc: vault:v1:X+pNdlt/Z2A+6yMalbAMrz113t19ychnfmWl9aHgsoycd58KC3KFdlC6Q742xjRoeuGTjUUoU/4+QLDh + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTjI5TWlMcE5WQXhMVjha + RlEwVThqT2ZrUzYrRVlTVm94Q1lmYml4cm5JCitrd3hlYUx4QnFIc0VnU2ZHdVNx + T3dLdHdrTHUzRTJZMWNzTFVRL1RPQ0kKLS0tIHhQNWtNN1A2YnkwM256bTdtWUlz + cUNxdWVkSlM4Q21WV1F0bC9tU3ZiOTQKx2CggEBgXu/HMwj+M58amvwgAbz3Uu/V + oVLuRCSG5ewg97eHWe+wZVINDN35q6q/iCd93OVk+19D+bBVnmW/2w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-20T15:30:27Z" + mac: ENC[AES256_GCM,data:F3UkeVKunADhpolRDObbwN2reulh3fy9TzVQa5+zMOmtUK5vV2An0z2zegiChHucWSbgzIvvKWGX7kiDl3MSAgrYcKhdSMzA9vvuJ7HiQVRFmCWvKl0fKckYowiIEJ/ZFAA+LCHZXqoEYnM5dggmMot6xg6bOnQypxctYKdp6qY=,iv:xAVSo8IBjoYvg+PZsqiR6KgQ0BCilmE6UU466h+vE6A=,tag:XakdPd0faHvWoic6jSQhkQ==,type:str] + pgp: + - created_at: "2024-04-20T15:30:26Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/+NYLf07V47BYpIJUM4qPg65hbq66mv0Szbz7YkfodkKr9 + g25jsk9wdqh6T09abJXDxwD0fv9Np7uvyppaHpjNTDtQvD0ob0Oiben1Jrhpprnp + WG3EF4miEHTtLT+S6yPAwesVqTVthadkkiOjLRvVilgcrkFYls2ZNixi+7gY5Z0Q + 6Gkzj85QBzXAhOglWuSPckp9KKI/IZXa/mq6LYBnwwFVPhgLqKz4LzGaRAe7FZt6 + uyzjqXUWyMyyOyOv3gJNa6w1mJkNshhf42UmoYWuVcXmqBIIxhMPxyWfEuNTLNRP + 
Vz1rqRtROll2cAePaekl6A63EHCKub/kdibhPGHOeG6EdHNgJLRrhRmSFV15obkB + EkumeOD3AYDLUKFnoKJ09SdPvl5bRZAZCECmUCRX+CM3Oa28SQC6LbHAjjzHpuMt + DD3PSmVh5peXyczJDSQXf7DlZtXUVqTKSKKcSTQTJPNXhtkWoGe38YtrLP1cBiA1 + c23B/EPzfsY1KDWLR//yBUhuAZvqjJqy4UhJyAGeQLnZwwKr6j79vpe3Nsp1pJGy + DvohGb3cq6iDCLSbB5FdUf6jXh87sReRKtjWEAIFm0lzR5Oot5KPs0CivJOusJqI + ki3kJcfDLNTkfEI4RjnkyYYzcbAT0vxh4uGB7Et+/wmp6GRku7MSmQX/2CytuV7S + XgH9aOG08VynKGSbRAgM4ScM4PGhAvktgIgOZrqERloHXGZoMfXRwY5Cy527ATCq + g+f+4HQJznZcVlBvLH0vYCXNWWOzdm5hm1oQll4pLxgLW3ca5Q46f5zO7GBdHwg= + =uTM7 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/keycloak/sops-secret-keycloak.yaml b/clusters/svc.ez.soeren.cloud/keycloak/sops-secret-keycloak.yaml new file mode 100644 index 0000000..1f8d204 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/keycloak/sops-secret-keycloak.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +data: + KEYCLOAK_ADMIN: ENC[AES256_GCM,data:tp21euNNwoY=,iv:fPJFBwSP+HOIJkZjFWMd2CcahodOp485IQB9SMeDDHE=,tag:0+UH8DGjMyh2s+Zo8GjhEQ==,type:str] + KEYCLOAK_ADMIN_PASSWORD: ENC[AES256_GCM,data:KhN+RzslMFt1wsg4R+2XnbRzfzsMW1lXUedREUQD5OLiI+4t7lyoAJBp8Jm412eOwTJV7w3q6GDTpJr38/f9bzhRbcA=,iv:5ALHkIuHl6FR46n8ol5gI+PZbfh0zcQEt1cdflaad90=,tag:sjyJWPX6PQ5BSUIBWRmc3w==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: keycloak +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-04-20T15:32:00Z" + enc: vault:v1:ZTjYYEnAq1xLz6crpFawjXianNNUYVYh33RVZSmXa+PRwmzW0pi6J/6vRAlcjUAL9Rggldcmg9viBNoZ + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1V1M1VWFTRHZiS09WaEsz + MmVtRytmd3JxUGxyMlFLaytqWWdjMUFXZlV3Ckl3cnV1eDNzYzJwUkY5UC9WMnRZ + M1ZCbm9IREJWUExzRzNHYnZvNnZ6eDgKLS0tIHZQWXM4UjhyK3ZYOW9odlJvM1lU + VXhWRXRMeU5Gc3YwY2ljay9tU1VuN00KGO57mS9lDoqDds63rcDpN2UsPZKFzxgp + IXelXZg67RuqrKEAFwXf4et+Vv1XrcNgfPKicV6RO6YE+ixMcbT7qw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-20T15:32:00Z" + mac: ENC[AES256_GCM,data:mSeALcExnT2HMUUsVlFZLLreRLZ+SlkopK/D5Z+7XotgYWlnoymCJsuH0ZQagUSOeDp7cR/JWvCjJv2qFslPYWuREMN9ORZ5zpcGcfOasZMXs+iZCeOgjQDVM/cwHXvw+eXcIsJ1Ln53ijPDWxpk7ceuz2oRu3j5+EA8uaJScxo=,iv:zj4hvJ/HCEgXEq0e30T/sem8n4QSWSGCWNNEEA+1sr0=,tag:G+TULRsYZ3yocRMIvW+yQw==,type:str] + pgp: + - created_at: "2024-04-20T15:32:00Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkARAAjb1+c615Oir/2F1c640elWYHsYhtadTMao79/bt9IMfJ + Z13m6c9UGR5Y0Y4tWk8BqLu0jJvmrNQGY+c/UywgJlC7kxS0sGO5SC9pkXmiiT3M + vWBhLeGjKj7POS/h0Rtbe0tN+x/RBTTVmBpuREO2idGhj+gIgW8DoIvSS0OivaU6 + pG+4ntL63/F9s+O5Szm44oXrROSs9KA+N1LS+P8MCLnk/+e6M7q+IZHLz4SD/QsN + 
XVzki5TKCIOyaanHk8HrNTumTv1weVPt2kcAmtMzLRnFBQs+zUTVreNuronSjUGQ + r2JxgJhv5yPtouZ77jxdsUJDF9D57hgoLn/BgeoNN7JXUmVuGcoz0yldXrSuvCSP + oPsQDHHYFDMcOBHYyB00pVDiSYvP0BKPdxi+sR0OA/UxgnQbHbLeXUGU+1qni8X+ + Yl4SRNEEcA0YV62bb/fZBiQDhkshRVedl+fs5PLtAm+PK9qbBaAmHYbVQ2s2O4Yy + smOixDp+t5YsNjjNkysH/e/ekrgQSfYipXmc5QrmuVUy97l8ROvMf9Sax1OfU9Ri + WauDtZRprXXZjeaqeHHjAxXEd924hfFOe+hBhc8EuYyfnlKjgQBEdR4Rfqq138l7 + r1vjGsbzBRXy4KmP5Fa2yRw+Iw4C5W4deCrlRluyMQRS5VDnzPxQ4zqxkdo8AwXS + XgGJueLeGWzfPvSJqtLn9t8abL7C9Kj/Q4FnNSDxjPalLQ4zw4ID9eecqF3vcEIY + NzG3yQqYopT8PQJPEfN1QPDdrA9TNX3foVay6aLviJIQp2SSdhwvTtc5S0eCF0g= + =4B26 + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/keycloak/upsert-secret-keycloak-db-mariadb.sh b/clusters/svc.ez.soeren.cloud/keycloak/upsert-secret-keycloak-db-mariadb.sh new file mode 120000 index 0000000..2e88029 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/keycloak/upsert-secret-keycloak-db-mariadb.sh @@ -0,0 +1 @@ +../../../apps/keycloak/components/db-mariadb/upsert-secret-keycloak-db-mariadb.sh \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/keycloak/upsert-secret-keycloak.sh b/clusters/svc.ez.soeren.cloud/keycloak/upsert-secret-keycloak.sh new file mode 120000 index 0000000..b3cbf6d --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/keycloak/upsert-secret-keycloak.sh @@ -0,0 +1 @@ +../../../apps/keycloak/upsert-secret-keycloak.sh \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/kyverno/cp-istio-virtualservice-correct-domain.yaml b/clusters/svc.ez.soeren.cloud/kyverno/cp-istio-virtualservice-correct-domain.yaml new file mode 100644 index 0000000..865ac3c --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/kyverno/cp-istio-virtualservice-correct-domain.yaml 
@@ -0,0 +1,40 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-virtual-service-domain
+ annotations:
+ policies.kyverno.io/title: Restrict Virtual Service Host with Wildcards
+ policies.kyverno.io/category: Istio
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.8.4
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/subject: VirtualService
+ policies.kyverno.io/description: >-
+ Virtual Services optionally accept a wildcard as an alternative
+ to precise matching. In some cases, this may be too permissive as it
+ would direct unintended traffic to the given resource. This
+ policy enforces that any Virtual Service host does not contain a wildcard
+ character and allows for more governance when a single mesh deployment
+ model is used.
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: block-virtual-service-wildcard
+ match:
+ any:
+ - resources:
+ kinds:
+ - VirtualService
+ validate:
+ message: "Only VirtualService objects for the correct domain are allowed."
+ foreach:
+ - list: "request.object.spec.hosts"
+ deny:
+ conditions:
+ any:
+ - key: "{{element}}"
+ operator: NotEquals
+ value: "*.ez.soeren.cloud"
diff --git a/clusters/svc.ez.soeren.cloud/kyverno/kustomization.yaml b/clusters/svc.ez.soeren.cloud/kyverno/kustomization.yaml
new file mode 100644
index 0000000..332a08b
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/kyverno/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kyverno
+resources:
+ # - ../../../apps/kyverno
+ - cp-istio-virtualservice-correct-domain.yaml
diff --git a/clusters/svc.ez.soeren.cloud/kyverno/namespace.yaml b/clusters/svc.ez.soeren.cloud/kyverno/namespace.yaml
new file mode 100644
index 0000000..eb9f399
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/kyverno/namespace.yaml
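Review bot: The rule `block-virtual-service-wildcard` does not block wildcards: Kyverno treats `*` in the value of an `Equals`/`NotEquals` condition as a glob, so `NotEquals "*.ez.soeren.cloud"` only denies hosts outside the domain, while a host written literally as `*.ez.soeren.cloud` or `*.svc.ez.soeren.cloud` matches the glob and is allowed — exactly what the title and description say the policy prevents. Either rename the rule and rewrite the annotations to describe a domain restriction, or keep the annotations and add a second condition under `any:` that rejects wildcard hosts, e.g. `- key: "{{ contains(element, '*') }}"`, `operator: Equals`, `value: true`. Separately, `namespace.yaml` is added next to the kustomization but is not listed in its `resources:`, so the `kyverno` namespace is never created by this overlay.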
@@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: kyverno + labels: + name: kyverno diff --git a/clusters/svc.ez.soeren.cloud/loki/kustomization.yaml b/clusters/svc.ez.soeren.cloud/loki/kustomization.yaml new file mode 100644 index 0000000..441c1c9 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/loki/kustomization.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: loki +resources: + - ../../../apps/loki + - loki-pv.yaml + - namespace.yaml +components: + - ../../../apps/loki/components/istio + - ../../../apps/loki/components/monolith + - ../../../apps/loki/components/pvc +patches: + - target: + kind: "VirtualService" + name: "loki" + patch: |- + - op: "replace" + path: "/spec/hosts" + value: + - "loki.svc.ez.soeren.cloud" diff --git a/clusters/svc.ez.soeren.cloud/loki/loki-pv.yaml b/clusters/svc.ez.soeren.cloud/loki/loki-pv.yaml new file mode 100644 index 0000000..0b6ff1e --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/loki/loki-pv.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: "v1" +kind: "PersistentVolume" +metadata: + name: "loki" +spec: + accessModes: + - "ReadWriteOnce" + capacity: + storage: "50Gi" + storageClassName: "local-storage" + local: + path: "/mnt/k8s/loki" + claimRef: + namespace: "loki" + name: "loki" + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: "kubernetes.io/hostname" + operator: "In" + values: + - "k8s.ez.soeren.cloud" diff --git a/clusters/svc.ez.soeren.cloud/loki/namespace.yaml b/clusters/svc.ez.soeren.cloud/loki/namespace.yaml new file mode 100644 index 0000000..efaa030 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/loki/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: loki + labels: + name: loki diff --git a/clusters/svc.ez.soeren.cloud/metallb/advertisment.yaml b/clusters/svc.ez.soeren.cloud/metallb/advertisment.yaml new file mode 100644 index 0000000..1785373 --- /dev/null 
+++ b/clusters/svc.ez.soeren.cloud/metallb/advertisment.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: ez + namespace: metallb-system +spec: + ipAddressPools: + - ez diff --git a/clusters/svc.ez.soeren.cloud/metallb/kustomization.yaml b/clusters/svc.ez.soeren.cloud/metallb/kustomization.yaml new file mode 100644 index 0000000..00fb956 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/metallb/kustomization.yaml @@ -0,0 +1,33 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: metallb-system +resources: + - ../../../infra/metallb + - advertisment.yaml + - pool.yaml +patches: + - target: + kind: DaemonSet + name: speaker + patch: |- + - op: add + path: /spec/template/spec/containers/0/resources + value: + requests: + memory: 32M + cpu: 10m + limits: + memory: 128M + - target: + kind: Deployment + name: controller + patch: |- + - op: add + path: /spec/template/spec/containers/0/resources + value: + requests: + memory: 32M + cpu: 50m + limits: + memory: 128M diff --git a/clusters/svc.ez.soeren.cloud/metallb/pool.yaml b/clusters/svc.ez.soeren.cloud/metallb/pool.yaml new file mode 100644 index 0000000..0f5acb4 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/metallb/pool.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: ez + namespace: metallb-system +spec: + addresses: + - 192.168.2.253/32 diff --git a/clusters/svc.ez.soeren.cloud/microbin/kustomization.yaml b/clusters/svc.ez.soeren.cloud/microbin/kustomization.yaml new file mode 100644 index 0000000..a9c1052 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/microbin/kustomization.yaml 
@@ -0,0 +1,26 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: microbin +resources: + - namespace.yaml + - microbin-pv.yaml + - sops-secret-microbin.yaml + - ../../../apps/microbin +components: + - ../../../apps/microbin/components/istio + - ../../../apps/microbin/components/pvc +patches: + - target: + kind: VirtualService + name: microbin + patch: |- + - op: replace + path: /spec/hosts + value: + - bin.svc.ez.soeren.cloud +configMapGenerator: + - name: microbin-config + behavior: merge + literals: + - MICROBIN_PUBLIC_PATH=https://bin.svc.ez.soeren.cloud diff --git a/clusters/svc.ez.soeren.cloud/microbin/microbin-pv.yaml b/clusters/svc.ez.soeren.cloud/microbin/microbin-pv.yaml new file mode 100644 index 0000000..74c2541 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/microbin/microbin-pv.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: "v1" +kind: "PersistentVolume" +metadata: + name: "microbin" +spec: + accessModes: + - "ReadWriteOnce" + capacity: + storage: "5Gi" + volumeMode: "Filesystem" + storageClassName: "local-storage" + persistentVolumeReclaimPolicy: "Retain" + claimRef: + namespace: "microbin" + name: "microbin" + local: + path: "/mnt/k8s/microbin" + nodeAffinity: + required: + nodeSelectorTerms: + - matchExpressions: + - key: "kubernetes.io/hostname" + operator: "In" + values: + - "k8s.ez.soeren.cloud" diff --git a/clusters/svc.ez.soeren.cloud/microbin/namespace.yaml b/clusters/svc.ez.soeren.cloud/microbin/namespace.yaml new file mode 100644 index 0000000..bb62edb --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/microbin/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: microbin + labels: + name: microbin diff --git a/clusters/svc.ez.soeren.cloud/microbin/sops-secret-microbin.yaml b/clusters/svc.ez.soeren.cloud/microbin/sops-secret-microbin.yaml new file mode 100644 index 0000000..cdf3b8c --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/microbin/sops-secret-microbin.yaml 
@@ -0,0 +1,32 @@ +--- +apiVersion: v1 +data: + MICROBIN_ADMIN_PASSWORD: ENC[AES256_GCM,data:+zfpSrY8blA=,iv:sccsI2zr4VcMOAj/VIuo7JA5PyrKMpHEWCwu6O+3OLg=,tag:GsJfC5ZFyU+iXYuSto3nNA==,type:str] + MICROBIN_ADMIN_USERNAME: ENC[AES256_GCM,data:yeDlCG0cBTw=,iv:6tobXVK8rAd7vAqf24XkykuRMHBuV2ZPXBA9euFR5I0=,tag:GUsDcWSOXP3JYFGYR5+Yug==,type:str] + MICROBIN_BASIC_AUTH_PASSWORD: "" + MICROBIN_BASIC_AUTH_USERNAME: "" +kind: Secret +metadata: + creationTimestamp: null + name: microbin + namespace: microbin +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUM0Q0RDVyRnllSExmUnVT + ZlNGd2FVRHRmOC84TmpuRGhpcFl3Q1pMbDBJCklISmROdGZYS1paVzJvdEExV3d5 + cGJnM3VRUlBMWlhUSFpYeis3bHpHRzAKLS0tIHZjbVEvM2dRVm1FTXg4SWIrSzQw + RmtTejZKcEd0UFk2L1BKOUhrQ1ZVRncK912QasYqBWGFKCAHFX18FqaJ11LatXD4 + lRZDV6Y0gjNn6dqNaDqy7len5kGw3Awa5ZhAiuBtb9n4UeZwtMqAaA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-30T23:43:51Z" + mac: ENC[AES256_GCM,data:XXPBZRVKSvKlSV9fph7TWqBTTQk9lIS8oaPvkqP4dz4oilGGl8Cy5xjbbISc3oS7HhqRGDmKAawrwtSlYFnhPHnKzRrFFwTzecjudUDYBzK5hDEfpv5oW5eRRStRS4scZaqXbeorxqpdEc93VO6EuuxclZwp12G8nd+1K4TwvUM=,iv:scKMxctnJXi08ACxWu+7JRde8d8/NE8E6yMHcl44kdg=,tag:N/DZtvtwuo6PrpKCvdpleA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/microbin/upsert-secret-microbin.sh b/clusters/svc.ez.soeren.cloud/microbin/upsert-secret-microbin.sh new file mode 120000 index 0000000..9a62a6a --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/microbin/upsert-secret-microbin.sh @@ -0,0 +1 @@ +../../../apps/microbin/upsert-secret-microbin.sh \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/microbin/upsert-secrets.sh b/clusters/svc.ez.soeren.cloud/microbin/upsert-secrets.sh new file mode 100755 index 0000000..e1e5a8c --- /dev/null 
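Review bot: This Secret is encrypted to the age recipient only (`hc_vault: []`, `pgp: []`), whereas every other SOPS secret in this commit is additionally wrapped by the Vault transit key `svc-ez` and the PGP key `875FB36D…`. Its `lastmodified` of 2023-12-30 suggests it predates the current key set, so a loss or rotation of the age key would make this one file undecryptable while the others remain recoverable; run `sops updatekeys` against the repo's `.sops.yaml` so key handling is uniform. `MICROBIN_BASIC_AUTH_USERNAME`/`MICROBIN_BASIC_AUTH_PASSWORD` are also committed as empty plaintext `""` inside `data:`, which is harmless but should be confirmed as intentional (basic auth disabled).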
+++ b/clusters/svc.ez.soeren.cloud/microbin/upsert-secrets.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -eu
+
+SECRET_NAME="microbin"
+SECRET_FILE_NAME="sops-secret-credentials.yaml"
+NAMESPACE=microbin
+echo "Upserting secret ${SECRET_NAME}"
+
+
+PASS_PREFIX="k8s/prd/microbin"
+
+MICROBIN_ADMIN=soeren
+MICROBIN_ADMIN_PASS=secret
+
+kubectl create secret generic "${SECRET_NAME}" \
+ --namespace="${NAMESPACE}" \
+ --from-literal=MICROBIN_ADMIN_USERNAME="${MICROBIN_ADMIN}" \
+ --from-literal=MICROBIN_ADMIN_PASSWORD="${MICROBIN_ADMIN_PASS}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${SECRET_FILE_NAME}" /dev/stdin
diff --git a/clusters/svc.ez.soeren.cloud/monitoring/alertmanager/alertmanager-config-sops.yaml b/clusters/svc.ez.soeren.cloud/monitoring/alertmanager/alertmanager-config-sops.yaml
new file mode 100644
index 0000000..3adae53
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/monitoring/alertmanager/alertmanager-config-sops.yaml
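Review bot: `MICROBIN_ADMIN_PASS=secret` hard-codes the admin password in a committed script, and `PASS_PREFIX="k8s/prd/microbin"` is assigned but never used, which looks like the password-store lookup was dropped; if the committed `sops-secret-microbin.yaml` was ever produced with this value the admin password should be rotated now. Presumably the intent is something like `MICROBIN_ADMIN_PASS="$(pass show "${PASS_PREFIX}/admin_password")"` (the exact entry name is a guess). Two further defects: `SECRET_FILE_NAME="sops-secret-credentials.yaml"` does not match `sops-secret-microbin.yaml`, the file the microbin kustomization actually lists under `resources:`, so the output would be orphaned, and `-e` is passed to `sops` twice. Use `SECRET_FILE_NAME="sops-secret-microbin.yaml"` and drop the duplicate `-e`.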
@@ -0,0 +1,116 @@ +--- +global: + resolve_timeout: ENC[AES256_GCM,data:AlM=,iv:hr74lWCzsJ3epq2vaeravGF52OMtbf9AFWcx1vH4Oqo=,tag:7ANDm7MOS0yICNVZKRPGtA==,type:str] + smtp_from: ENC[AES256_GCM,data:stid++JITfnSX6yPDzYlpha4rYwTjXOR0uM03vQ4tQ==,iv:0reEi+qEIfGpvsA0ufZELNSGjemdvEtOyuQtxj+fr4w=,tag:podQcEGbE++ceT9r4R3Naw==,type:str] + smtp_smarthost: ENC[AES256_GCM,data:bwOsdb4f4qVoUxb2vMXr6BH5,iv:AiTkie82lgoSLXkCTAAlPsLLoj0qMxLczJ/FDSkqQEo=,tag:Pvx3BvOQhYE36E6Aq/jU6Q==,type:str] + smtp_auth_username: ENC[AES256_GCM,data:1dqM4MniB4Jha6DJfqKrjG09fgzklkpGfAUzmbAVOQ==,iv:mtDp34gAAUwuVXBUU6kNXAMyQLEI7V6LHtG+3XbjQ14=,tag:lB4qBI2x6UBFJ/kEQ1i09Q==,type:str] + smtp_auth_password: ENC[AES256_GCM,data:IThvwWm6PwVMyv5+5VkIxmuG6r0nDlDVdTXR0zk4,iv:2GTVEV/avNsKPxQjkTt+ktBMEERWXN0HQx5bXd6RclY=,tag:0M3anzzBleVn9RR0drmnWw==,type:str] +templates: + - ENC[AES256_GCM,data:dJ/hNjpaESDAdbIpY2lSL2X0zz8zYbzzuRpoIX7cTg/HnA==,iv:6tX3AG1nntgXorVtekQRQf5rOqRocPGnIICwIY68i/k=,tag:B7DPKnAbA7CoinMmfkJIuQ==,type:str] +receivers: + - name: ENC[AES256_GCM,data:FbwbtFYx0/g=,iv:HA0o4fSHvsG7lNryQvl2wtxzNZD8B6kp3beHld+w3O4=,tag:hJ+RYvrrHDgLossBfVUGDg==,type:str] + telegram_configs: + - api_url: ENC[AES256_GCM,data:sMDCne3xZXd7UTMeBAeEMC3yn7eMP+VQ,iv:aH+F8JGkSgzSLC/eNvdbor7lziMlmBBpPo6wP2Q0b+U=,tag:mLDb+7Kx3qwTCUSNZavilg==,type:str] + bot_token: ENC[AES256_GCM,data:+ABjyccSfFyguo5EeWTPPHdsEKYNEBxbCQx3H8BrpPTPbN+Uhzxw19Dp/f8kcQ==,iv:zEP23wjHZRjWvDN7pokx/EOMw3te//Bu391rcPwa3vg=,tag:JzrMjqywAnfyssi9GJE/VA==,type:str] + chat_id: ENC[AES256_GCM,data:9Ksh3VG1odV5,iv:JnReArGKntoYCstegPD8rO3TxNLEe1bKJ+NPss+jRBA=,tag:QDcjVea0cRuvukbF3XqUVw==,type:int] + parse_mode: ENC[AES256_GCM,data:55veZQ==,iv:7FXPKzicv97QV4Yd2odJcQpDD5gd8aVEiBJFkYYw9Rk=,tag:wQu9rdKR+M+E7GK6n6++bQ==,type:str] + send_resolved: ENC[AES256_GCM,data:/tDk1nE=,iv:BUdq/U45N74ZQRLBiydsLwrjaFjNTiUilJVpykpaAaE=,tag:KiFEu1kprF8Wuo+fl67cpg==,type:bool] + - email_configs: + - send_resolved: 
ENC[AES256_GCM,data:/inqT64=,iv:1wgC6wDyInqjk5DGEaF7ayWQtZXsentgDSc7vY+DLV8=,tag:Pp3+AONHlq7bamlj5BLOpA==,type:bool] + to: ENC[AES256_GCM,data:5JTi+QnedFUmXTYAokzvY3wcsHnkJeEViw==,iv:5T9wywh8LHQgZLuKhO0ZKGZcu7ACcrgKnq222EyliPM=,tag:eZgxgJDv3RDPFB4Z6Jj9cA==,type:str] + name: ENC[AES256_GCM,data:tLk6hCs=,iv:8HlXZVLtW6Ihr3yz56a5iGVJJNi/0Rwnq9Az/e90rhw=,tag:xbfV01yIIZIYXBH2JAYnwQ==,type:str] + - name: ENC[AES256_GCM,data:JrJaVxjsbhH6,iv:m4FFUFAKFbGR3trx/Jlejr+8JXb53xPeAsR0QNhyqJU=,tag:+gTQa5Ma78Hd4ndx4HBMIg==,type:str] + - name: ENC[AES256_GCM,data:83MqCPJY7Q==,iv:QLvnC80XDH0zDAs71sQRIAO04VAiL4PQEqguu9Vqn/4=,tag:9Re4o9v8fk5qsfr3Kp0uFg==,type:str] + webhook_configs: + - url: ENC[AES256_GCM,data:2OWfnecA/EP2Twv3d8iNLYtwF6FkF2FPMH9CQ5kZg6fv5vRQRHvwHpzyXn95KSCDteZpNY62FBMtUJybcRIq,iv:JXXzCpEd8BqMu7oBPpZ/87/VlG+gDtyQhZj25h2qkJM=,tag:wtfFYI6uNDDQ5YMrpSEn4g==,type:str] +inhibit_rules: + - source_matchers: + - ENC[AES256_GCM,data:djv9lE0Ci9sP2sIdegt7,iv:HOkRhksdZl7q++R7PXbx03eC9aVe2feHi48Ka66M9Tk=,tag:Rjjtws5n8WUd8gduOKFeEQ==,type:str] + target_matchers: + - ENC[AES256_GCM,data:g92GFXbsyOLU5WJoEg==,iv:YmCoqCdOaYEF8Up6O8S6Zp1VhChrMYwFrpE9lLNYs30=,tag:gkFbONXoScC21/tP2xGYCg==,type:str] + - source_matchers: + - ENC[AES256_GCM,data:uSJQMJCyGY2H9qBsB3TK,iv:pOgbaJOhKBDZqk2IBzE1XPe8fTejJikcdHsUS86BX1o=,tag:i3bXEmFaQ4J206rk6SLWgA==,type:str] + target_matchers: + - ENC[AES256_GCM,data:SuCYw0gVD7OURMt9KSW005ZNn8+BKk0=,iv:bdvRRvUUTqFjAe6B2kUeCdc7KoLTK9usBuxG3GRVBgQ=,tag:Ik8M8+3Ts9pwDQS2m7E8Ig==,type:str] +route: + group_by: + - ENC[AES256_GCM,data:6KnYkEjLCCCv,iv:/LynE/Vi3LWtG8PCKE8gWaoniNImROr31t8llHEzLTg=,tag:SW7aO022GSijhk0VjDfQqw==,type:str] + group_interval: ENC[AES256_GCM,data:VY0=,iv:blRjylnCm5Aqb4YengWmi+VXNCqdtfjWBicuDXVZEDM=,tag:QHvCNdGU9UA7gP1ddfM0Xw==,type:str] + group_wait: ENC[AES256_GCM,data:bfQ=,iv:pMyAN4AbP16dW6sfqhij0JD5yMPGQs9ycZdxTqOy1Ao=,tag:ksDqTYqaeNHuNa4P5OUNWw==,type:str] + receiver: 
ENC[AES256_GCM,data:OmyvC7D5pfg=,iv:ObdQGaCZ4HttsDSBfPTGptnVEy16vzPFTVdgKR3vLGw=,tag:UVmcsFIyDweTcnaoyt/9WQ==,type:str] + repeat_interval: ENC[AES256_GCM,data:q+PA,iv:MMPgm3VDLbmllnvsuY8LuJkEW5hjbBFsDCI1we2c5x4=,tag:HqEfI7SwDQvAjvKP5vV54A==,type:str] + routes: + - group_interval: ENC[AES256_GCM,data:E3c=,iv:y/rbmnXZKY2chbpMsK9yG8dQRDWz1WYqeAkDzc2KwLg=,tag:SPNTIDcGqqP0hUGHgtiuSg==,type:str] + group_wait: ENC[AES256_GCM,data:F6U=,iv:zcKJxVi4vJ0k0+b9pQPVu8IQUkCNRdgvz/yisr0GYvs=,tag:577FM2zPx9a7cPlz23rGpg==,type:str] + matchers: + - ENC[AES256_GCM,data:8ZfcXxI1t9JxgU6kmZ5LP7o=,iv:BxFlzEbv1075Iq0jOnj4zK0iFQtPv5IFFgkEL0Ik/E0=,tag:2YUGxUlKcp6xk+6H0JlCSQ==,type:str] + receiver: ENC[AES256_GCM,data:0FdPIYSHmg==,iv:RGQWLbmfFoltVOJxovG6SIz3ELmTGxd740WH4vpzynA=,tag:GkRhjNARLBgvg2lIlari+w==,type:str] + repeat_interval: ENC[AES256_GCM,data:z14=,iv:jYlQ65fo3q9lJQbZZMNsfGBSxQDQN9msdmrWtfOUHLs=,tag:5eKc7i8QzmVh+jdw10QnRw==,type:str] + - group_interval: ENC[AES256_GCM,data:pueY,iv:Ff437jePmM6reoPVRZmEbFnQPHTZj+G00mlnX+fLRDY=,tag:2wnRLV5n/Kc8i/Rku2VK5g==,type:str] + group_wait: ENC[AES256_GCM,data:/SHW,iv:QaVN9mH9dmN+MwWx6D80jvaq+QBH2qRmjo5znu7w/EA=,tag:RjzKdQ/Yip8XHal9zKwEnA==,type:str] + matchers: + - ENC[AES256_GCM,data:dSdhkQ9T2It17vm2XemDZ0OpBk0=,iv:ogT3WCi0MxfR/nkyoopnVwuOAwErpBHhKohN+UClGEE=,tag:GkQznoq+6d4TX3B6gUvh6Q==,type:str] + receiver: ENC[AES256_GCM,data:3ZdMqkc=,iv:VnGXnyNQo+/8Oif9425MsppWD2xjxcn2ppV3HxGiZF0=,tag:soKsN5v5N28oeQrrPL29Hg==,type:str] + repeat_interval: ENC[AES256_GCM,data:H/LRmw==,iv:8/7Ol9owX+jlDxQEfY1SopYmLSxN8NivuOznlAfRYBU=,tag:AYb+256XS/pFGAqrJcXWow==,type:str] + - continue: ENC[AES256_GCM,data:egFnuw==,iv:SYYz60k+9N67zfVb04UgajRmd6uY60CX8WP2dp8D330=,tag:Y0Pqv5rJpiEWyVBitDsCKw==,type:bool] + group_interval: ENC[AES256_GCM,data:CV0=,iv:ZvR3RYxBgln7idnlMDoENuRm+ns/ZHD2ZqK7A8W2H5o=,tag:unblZgCpk4MhnQ0hU6IgmQ==,type:str] + group_wait: ENC[AES256_GCM,data:zYw=,iv:bNYNs217M4q/BJDAISlSIN9JDT2O1mA6wizx6prOEes=,tag:o1tmef2G6XrFgAxFgB7ikw==,type:str] + 
matchers: + - ENC[AES256_GCM,data:TAqpeHesoh8IJT+hMovgUZ3sG2A0E0cPD1Gs0w==,iv:s0vKznlj+5gUrcxZB/rH0UMvhcdzr8fOJzhfYDD9lkg=,tag:Ef7NuxRTuKJjParaSZQaLw==,type:str] + receiver: ENC[AES256_GCM,data:1bGeIc0=,iv:CuaOHtN28+WcNXlsbVWTDb4ydgV8XPmmF5ZA/EtAYrU=,tag:O5QH+fQTvC+9bHgfObIozA==,type:str] + repeat_interval: ENC[AES256_GCM,data:9wsCYg==,iv:UElhU7lmjPIjv96okkCy0+nOzuOuCwiTPdlJK6TRDJk=,tag:Q2/jgFDqkk/aTkQ55VcN+A==,type:str] + - continue: ENC[AES256_GCM,data:LlNkiw==,iv:U0Gw1NDbCG+4ACXuunYBuZwDyRdpj4pnKNMSrPf4e7Q=,tag:3yPAFIwr0RGYF3+LzvahPQ==,type:bool] + group_interval: ENC[AES256_GCM,data:U2e6,iv:uQXFE7I2h5m0jHNv83wQz+eFtg+LAaU/K/hkG+92p6Y=,tag:PygcstgpP6Ppzp8dqQMn5w==,type:str] + group_wait: ENC[AES256_GCM,data:MLq/,iv:bYGg93ie87QKCdTQ2cYgzSbF3w2Rq53UIlNGmsp3nQs=,tag:xay1LDuFkt9qXtsGezIbXg==,type:str] + matchers: + - ENC[AES256_GCM,data:pBFVGAc+OsFBJlrYXYOr+npY,iv:gU6b0n1ILmIR6YxxkX24ripm6WeEdLOKMFcsz1RojC0=,tag:UkPE1PkNsvYvM3r+jQMmrA==,type:str] + receiver: ENC[AES256_GCM,data:0QsoP11xu7o=,iv:dKp+V3tCbIQ201Ee9wLEm7gldd/Cnx9tz8vM0qFO0lI=,tag:dR6xlhtjWrW9Tg2+qAgpPA==,type:str] + repeat_interval: ENC[AES256_GCM,data:l7lQwg==,iv:rGd0jcOOmzTb4Yemwy6xZkJbER8GmJ05GLwD6Qqm4Yw=,tag:UbdscYiMOIrO6vlF56zmeQ==,type:str] + - continue: ENC[AES256_GCM,data:ZMjomAU=,iv:uKtcTk43xV13rOhjPagZfg2gZDJ/E9OpxvuhfEpjX0k=,tag:XTDYKtUV/dW+cbM8iuhKwA==,type:bool] + matchers: + - ENC[AES256_GCM,data:fxAudV8bIUDjqVvvPXhcbazhbOzt,iv:K1Xn0+QadBeBGUNj1ZZl4FWi4dmvBQUKyX/of4Lmmqg=,tag:5fN7BxkV6/hi62pKYJDNYA==,type:str] + receiver: ENC[AES256_GCM,data:myKmSK6crKY=,iv:vljs2bpCd01EW/F3igDgawfdoEVuA6IkmDkgOQLJpCg=,tag:iSTnmDXxktORvb3yW+Nw6Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-03-29T20:12:30Z" + enc: vault:v1:vfawpF+OafS0tOsqs7YH1Wz7I6OnGqN7hH5LqdHW3GjOLLrSZvFscE071TWZ14ntg/6tmtkQbMPz58q6 + age: + - recipient: 
age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdEplemduOEQxdVROWFBF + cWpNcCtRbEsvaUU0cHJpdzdIK0VEeHk0WmlNCkNMb2VsaEtyb2lkMWIvZEJMQWxD + anJ4d3JrZ1ZNYXZ6R0pYK1IrRSsvK0EKLS0tIGU0ZzNtcmpmc29mbkw5WXZwRVV2 + RGs2VlRNN0s3MHNWc2EzUjFHa25mZWsKopYp3KQBcSehl3NY+du4pC4MQGZ4uKFr + 985AhZuT2mK2Zpb8o7MjvjsIoBMq6yfBJqZDyxlJ9Wkv6JrqVsVULw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-29T20:12:30Z" + mac: ENC[AES256_GCM,data:1FZlJ7OtIDLdE2Pr2020yZccaey68QB2t9cdJEonFe0Pq7A6I0vrI+PWT3ZMJhsF5Yqw2+OSw0wX4Z2pdWcKISq1Y5QHNo7cO0zRQ/9JAoxvFR8vPgLj8KK7LhleRUaQyjobUi89u5y8UO8hrRIOs4TzeOlIF8xeCIt92XxmKZM=,iv:hz5FFyvEHO8yPrqlK5Nn0/v6vQnhqaTVS6z/ZFN1duo=,tag:pHUFTHALxSyEyaDQPdEZSg==,type:str] + pgp: + - created_at: "2024-03-29T20:12:30Z" + enc: |- + -----BEGIN PGP MESSAGE----- + hQIMA+/EGAve9YBkAQ//enNWaREnfG13oHRnIXZJ0+jsQVXj0iEg18iVkO0cJOVn + So5vvKtsIQCif0aROeNHRHnMTSVqRIGGl0ixv4uG3UYL11CF4CKLDRXvhXYWaAEI + 4zC4hnWBajYx5PQhn1C4YHpYzzbSzQ00+vgGyhem/K9Tq6p9LWRn7+uJM4zqOY6u + 4AxxHfuNhBy9NtMik/qBx1muum5riF6VdMQ5IBFOGUtDE7HBHmBTduOWFOS56dWZ + lL6F7SGBW0ann5xzRWwNKcJPmBC9qgOdvt0/qnE8tx6RuK7uGbjdx+/+DTfM4Dq3 + 3HCdflxUd7EdmIw7REsUo/9RO/qZw4q+EAh9zW/ALQeWTT3o/27OFQE4h+/K1pLf + n/9taSLxyzRqi10NJPxkdCu47hZfopxY2uY0K22jgtDD0FiccD7y0PDjYquv9Cx/ + LUWIVSjokjsGikrCi+r6rZKmUEzRBVP5QXL+UbnNPrXIhy3rBmnGOmZZymCSLzxu + oE2Fjt8GB919EIhGlRQnji9GD75OiXmMPk34/fO1ZuYM3a3u5Wc9hutyUEJDy7nt + 2TrkT+wYdGVnjgdOwZKo8NNe+eJhOhyayxH/fW3hI/Q5kEuTNeFBmTHH7hKFgdq9 + ZneiDJhlMfNbdYtlRc8It8N9JRiEOnmeXb4nxQ3zPulnJv6FjXWAy6IWN5XODD3S + XAErDTRAtj6o3VAhH6OyVUdQDrH+jQmiv052rXI9PRh0wk5MBD69SreF9heEmNpP + 1fqHQH9VXdqI6mjrwub9GkYO2z2achcIC4+mPhDv0TuCUT4OsZhZMna3Gp1d + =oV3A + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + unencrypted_suffix: _unencrypted + version: 3.8.1 
diff --git a/clusters/svc.ez.soeren.cloud/monitoring/alertmanager/kustomization.yaml b/clusters/svc.ez.soeren.cloud/monitoring/alertmanager/kustomization.yaml
new file mode 100644
index 0000000..3b35546
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/monitoring/alertmanager/kustomization.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - ../../../../apps/monitoring/alertmanager
+ - sops-secret-alertmanager-config.yaml
+components:
+ - ../../../../apps/monitoring/alertmanager/components/config
+ - ../../../../apps/monitoring/alertmanager/components/reverse-proxy
+ - ../../../../apps/monitoring/alertmanager/components/cluster-istio
+ - ../../../../apps/monitoring/alertmanager/components/cluster-tls
+patches:
+ - target:
+ kind: "Deployment"
+ name: "alertmanager"
+ patch: |-
+ # alertmanager does not accept relative URLs here
+ - op: "add"
+ path: /spec/template/spec/containers/0/args/-
+ value: "--web.external-url=https://monitoring.svc.ez.soeren.cloud/alertmanager"
+ - op: "add"
+ path: /spec/template/spec/containers/0/args/-
+ value: "--cluster.advertise-address=192.168.2.253:9094"
+ - op: "add"
+ path: /spec/template/spec/containers/0/args/-
+ value: "--cluster.peer=alertmanager.svc.dd.soeren.cloud:9094"
+ - target:
+ kind: "VirtualService"
+ name: "alertmanager-cluster"
+ patch: |-
+ - op: "replace"
+ path: "/spec/hosts"
+ value:
+ - "alertmanager.svc.ez.soeren.cloud"
diff --git a/clusters/svc.ez.soeren.cloud/monitoring/alertmanager/sops-secret-alertmanager-config.yaml b/clusters/svc.ez.soeren.cloud/monitoring/alertmanager/sops-secret-alertmanager-config.yaml
new file mode 100644
index 0000000..d04f959
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/monitoring/alertmanager/sops-secret-alertmanager-config.yaml
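Review bot: The Deployment patch peers this Alertmanager with `alertmanager.svc.dd.soeren.cloud:9094` and advertises `192.168.2.253:9094`, the MetalLB pool address from `metallb/pool.yaml`, so the memberlist gossip crosses the network between two clusters; Alertmanager gossip is plaintext and unauthenticated unless `--cluster.tls-config` is supplied, and any host that can reach 9094 could join the ring and read or inject alerts and silences. The `cluster-tls` component is included and presumably adds that flag and the certificates, but no `--cluster.tls-config=` arg is visible in this patch, so please confirm it lands in the rendered args. If it does not, append a fourth `op: "add"` entry with `value: "--cluster.tls-config=/etc/alertmanager/cluster-tls.yaml"` (path per the component) and keep 9094 reachable only from the peer's address.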
@@ -0,0 +1,52 @@ +--- +apiVersion: v1 +data: + alertmanager.yaml: ENC[AES256_GCM,data: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,iv:cJY81LCtO6qRsp9JCMg+dyWDKCPHt98iNiLLIrjAbFQ=,tag:UAGioaTWo2M7kVj4+XEyiw==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: alertmanager-config +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-03-30T11:12:37Z" + enc: vault:v1:04Nqr5PiL9pMn9paCgRaJvGpvIU5AOaAEMS1atdDYw7b+WRa+KQQVBQn0UT6aTMo+nep6MTBdS/lroTR + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbWRIcGI1WWU1UGVTd2dY + UDZhdnZjM0lOTFNhVE9LdmV4UmNXbFFHMHdNCk5FQWh2cHUrTTh3RmE5dW5OWVNh + K3pZQzFRMU5IWHpWRVNQcVlFeHZ4WlUKLS0tIEhBQUJzMVNnck51VWNQNFFGWkVR + dkU3eXRlak0rbVpMVjR4Mkl1d0RqUGMKcE039hwg0DdiVnBdXOUf2JV/TEhALSiT + VBylYhK3q4r+TB1ISvRodVggf7sd5wxT5TKD5Hp1jmzGEtXCHlOMFg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-30T11:12:38Z" + mac: ENC[AES256_GCM,data:VCbKcoFxS9jl91QTCC22vjjoBZ6Wa5doy2vzItbxETELIW6b8Zu+zarqgbeQSVaO0/59fznXDfbs3y7QP9RW4h/IdOXmKJ1X66mpHyq5G5+n09Ajs6jF111L76ZCTk7Xh7w4b1+LBx1zJfl9KY8wk3XPc39q8wLgTYVlkjH/pYs=,iv:IB7ERTGSKGdbD5sqCQe5Br7d0njdwJZ/fofCIbTP630=,tag:U+CwAB59PhccKY07CZ8jqw==,type:str] + pgp: + - created_at: "2024-03-30T11:12:37Z" + enc: |- + -----BEGIN PGP MESSAGE----- + hQIMA+/EGAve9YBkARAApMD9ioiQK9QobxN9z2kRa0Y19K+8jt7Jg0FOFoguaQRJ + Hyur0iD7ftTuF5ShczGB7mF3a1rLsjLNdmHSTQwPJj7P67CytGPrZ8UD0MSO51l+ + xsiJsUxtWjJ/VLGR1dGfPWljjkHKVfslbcil8wm/yUXVRtP9D1uwcMW21lROBU2Y + n9BBZ8BY7eqwGR2pOX+MGAg3Qcfl3efc2bfZ3b9qIVzh614jqhl6DlRNqtN/JPEo + rsbVVb/IyIP2PXRLPp47AlwCCVtIjlc3EbVwItNPAwEv0TZeIC8GGw7a90pXuG5x + MKja/L7yh1To5HfPJJMRErFYwgaUyIGFwMF6nZwuIUtxZHnbFfj8IbIpAEYaCMqi + wsV0uULhdaVvZvm0vrGFL4SbwcuJ8b6zo8CpQ8zmVWCM+t/vfXHfraAw/FdbnQtY + 
TDRODh6Dgc/NSyHpnT30fRCIOrQ4LTJNU0QDpldWQy/S+LgxVdholERVQ2Ed0i93 + de6nxYBTZWN+HW+iSscEJ3xW3rrUgWYyYcmoa33YMxP7KaD7P34+NMUYM9DmXhtC + TFiTwwIgoI5FEPXTHewznZwshb+sosTIp7jPQuemqe+CZr7DPCABaZTkpz6XYcO6 + 4ADQ2hak0BbyC0QAGsOvii3Y+hybZMxUIRT69qkB6L2sWo/pWaju+h7nxDudSNzS + XgEq0qocpr8MHl5gK3nN8uxrJnOWKZJYeJvV4t9o8HERR5j+CfMwcz00FojOdyVC + kie4URCVJcQwHtl481tLUbxZLO2ORd5bGbFvnITnZQctxAffXi/dMwaQyhwgvLk= + =E3hl + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/monitoring/alertmanager/upsert-secret-alertmanager-config.sh b/clusters/svc.ez.soeren.cloud/monitoring/alertmanager/upsert-secret-alertmanager-config.sh new file mode 120000 index 0000000..dab3321 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/alertmanager/upsert-secret-alertmanager-config.sh @@ -0,0 +1 @@ +../../../../apps/monitoring/alertmanager/components/config/upsert-secret-alertmanager-config.sh \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/monitoring/blackbox-exporter/config.yaml b/clusters/svc.ez.soeren.cloud/monitoring/blackbox-exporter/config.yaml new file mode 100644 index 0000000..417814f --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/blackbox-exporter/config.yaml @@ -0,0 +1,40 @@ +--- +modules: + dns_soerenschneider: + dns: + query_name: router.ez.soeren.cloud + query_type: A + validate_answer_rrs: + fail_if_not_matches_regexp: + - "router.ez.soeren.cloud.\t.*\tIN\tA\t.*192\\.168\\.2\\.3" + prober: dns + http: + http: + tls_config: + cert_file: /certs/tls.crt + key_file: /certs/tls.key + valid_status_codes: + - 200 + - 204 + - 301 + - 302 + - 403 + - 404 + prober: http + timeout: 5s + http_2xx: + prober: http + timeout: 5s + icmp: + icmp: + preferred_ip_protocol: ip4 + prober: icmp + timeout: 2s + tcp_cert: + prober: tcp + tcp: + tls: true + timeout: 2s + tcp_connect: + prober: tcp + timeout: 2s 
diff --git a/clusters/svc.ez.soeren.cloud/monitoring/blackbox-exporter/kustomization.yaml b/clusters/svc.ez.soeren.cloud/monitoring/blackbox-exporter/kustomization.yaml new file mode 100644 index 0000000..c2d5b75 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/blackbox-exporter/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: monitoring +resources: + - ../../../../apps/monitoring/blackbox_exporter +components: + - ../../../../apps/monitoring/blackbox_exporter/components/custom-config + - ../../../../apps/monitoring/blackbox_exporter/components/reverse-proxy + - ../../../../apps/monitoring/blackbox_exporter/components/tls-client-cert +configMapGenerator: + - name: blackbox-exporter-config + files: + - config.yaml diff --git a/clusters/svc.ez.soeren.cloud/monitoring/karma/karma.yaml b/clusters/svc.ez.soeren.cloud/monitoring/karma/karma.yaml new file mode 100644 index 0000000..c14d045 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/karma/karma.yaml 
@@ -0,0 +1,68 @@ +--- +alertmanager: + interval: 60s + servers: + - name: local + uri: http://alertmanager:9093 + timeout: 10s + proxy: true + readonly: false + headers: + X-Auth-Test: some-token-or-other-string +annotations: + default: + hidden: false + hidden: + - help + visible: [] +custom: + css: /custom.css + js: /custom.js +debug: false +filters: + default: + - "@receiver=by-cluster-service" +karma: + name: karma-prod +labels: + color: + static: + - job + unique: + - cluster + - instance + - "@receiver" + keep: [] + strip: [] +listen: + address: "0.0.0.0" + port: 8000 + prefix: /karma + cors: + allowedOrigins: + - https://example.com +log: + config: false + level: info +silences: + comments: + linkDetect: + rules: + - regex: "(DEVOPS-[0-9]+)" + uriTemplate: https://jira.example.com/browse/$1 +receivers: + keep: [] + strip: [] +silenceForm: + strip: + labels: + - job + defaultAlertmanagers: + - local +ui: + refresh: 30s + hideFiltersWhenIdle: true + colorTitlebar: false + minimalGroupWidth: 420 + alertsPerGroup: 5 + collapseGroups: collapsedOnMobile diff --git a/clusters/svc.ez.soeren.cloud/monitoring/karma/kustomization.yaml b/clusters/svc.ez.soeren.cloud/monitoring/karma/kustomization.yaml new file mode 100644 index 0000000..0309f0a --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/karma/kustomization.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: monitoring +resources: + - ../../../../apps/monitoring/karma +components: + - ../../../../apps/monitoring/karma/components/reverse-proxy +patches: + - target: + kind: Deployment + name: karma + patch: |- + - op: add + path: /spec/template/spec/priorityClassName + value: prod-low-prio +configMapGenerator: + - name: karma-config + files: + - karma.yaml diff --git a/clusters/svc.ez.soeren.cloud/monitoring/karma/networkpolicy.yaml b/clusters/svc.ez.soeren.cloud/monitoring/karma/networkpolicy.yaml new file mode 100644 index 0000000..6ea6732 
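Review bot: `headers: X-Auth-Test: some-token-or-other-string` under `alertmanager.servers`, together with `cors.allowedOrigins: https://example.com` and `uriTemplate: https://jira.example.com/browse/$1`, read like values carried over from the upstream karma example configuration rather than settings for this cluster. If the header is a real credential it does not belong in a plain `configMapGenerator` input while the rest of this repository keeps secrets sops-encrypted (`encrypted_regex: ^(data|stringData)$`); if it is a placeholder, the whole `headers:` block should go so the deployment does not ship a token-shaped string that nobody can account for later. The `silences.comments.linkDetect` and `cors` entries should likewise be set to this installation's values or removed. `filters.default: ["@receiver=by-cluster-service"]` also hides every alert routed to other receivers by default, which may be intentional but deserves a comment such as `# only the by-cluster-service receiver is shown by default; other receivers are reachable via the filter bar`.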
--- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/karma/networkpolicy.yaml @@ -0,0 +1,60 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: karma +spec: + podSelector: + matchLabels: + app: karma + policyTypes: + - Egress + - Ingress + ingress: + - ports: + - protocol: TCP + port: karma + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: istio-system + podSelector: + matchLabels: + istio: ingressgateway + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app: prometheus + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + podSelector: + matchLabels: + app: prometheus + - to: + - ipBlock: + cidr: 10.0.0.0/8 + ports: + - protocol: TCP + port: 80 + - protocol: TCP + port: 443 + - protocol: TCP + port: 9093 + - to: + - ipBlock: + cidr: 192.168.0.0/16 + ports: + - protocol: TCP + port: 9093 + - protocol: TCP + port: 443 + - to: + - ipBlock: + cidr: 0.0.0.0/0 + except: + - 192.168.0.0/16 diff --git a/clusters/svc.ez.soeren.cloud/monitoring/kube-state-metrics/kustomization.yaml b/clusters/svc.ez.soeren.cloud/monitoring/kube-state-metrics/kustomization.yaml new file mode 100644 index 0000000..d6fd40e --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/kube-state-metrics/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: monitoring +resources: + - ../../../../apps/monitoring/kube-state-metrics +components: + - ../../../../apps/monitoring/kube-state-metrics/components/rbac diff --git a/clusters/svc.ez.soeren.cloud/monitoring/kustomization.yaml b/clusters/svc.ez.soeren.cloud/monitoring/kustomization.yaml new file mode 100644 index 0000000..468eec2 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/kustomization.yaml 
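Review bot: The final egress rule in `karma/networkpolicy.yaml` (`cidr: 0.0.0.0/0` with only `192.168.0.0/16` excepted and no `ports:`) lets the karma pod reach any port on any destination outside 192.168/16, and because NetworkPolicy rules are additive it also renders the preceding port-restricted `10.0.0.0/8` rule ineffective — including cluster-internal addresses if the pod or service CIDR lives in 10/8. If that rule exists so karma can follow external links (the config points at a Jira URL), limit it to the port that needs (HTTPS), add `10.0.0.0/8` to `except` so the explicit 10/8 rule is what governs that range, and give DNS its own rule, as sketched below. The `k8s-app: kube-dns` selector matches the default CoreDNS/kube-dns deployment; adjust it if this cluster labels its resolver differently. The ingress side admitting only the istio ingress gateway and prometheus looks right as far as visible.
```yaml
  egress:
    # … unchanged: prometheus, 10.0.0.0/8 and 192.168.0.0/16 rules …
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 192.168.0.0/16
              - 10.0.0.0/8
      ports:
        - protocol: TCP
          port: 443
```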
@@ -0,0 +1,33 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: monitoring +resources: + - namespace.yaml + - alertmanager + - blackbox-exporter + - karma + - kube-state-metrics + - prometheus + - pushgateway + - vmalert +components: + - ../../../apps/monitoring/components/tls-client-cert + - ../../../apps/monitoring/components/reverse-proxy + - ../../../apps/monitoring/components/reverse-proxy-istio +patches: + - target: + kind: VirtualService + name: monitoring-reverse-proxy + patch: |- + - op: replace + path: "/spec/hosts" + value: + - "monitoring.svc.ez.soeren.cloud" + - target: + kind: Issuer + name: vault-issuer + patch: |- + - op: replace + path: "/spec/vault/auth/kubernetes/mountPath" + value: "/v1/auth/svc.ez.soeren.cloud" diff --git a/clusters/svc.ez.soeren.cloud/monitoring/namespace.yaml b/clusters/svc.ez.soeren.cloud/monitoring/namespace.yaml new file mode 100644 index 0000000..cb3be8a --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/namespace.yaml @@ -0,0 +1,7 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: monitoring + labels: + name: monitoring diff --git a/clusters/svc.ez.soeren.cloud/monitoring/prometheus/kustomization.yaml b/clusters/svc.ez.soeren.cloud/monitoring/prometheus/kustomization.yaml new file mode 100644 index 0000000..ac21482 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/prometheus/kustomization.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: monitoring +resources: + - ../../../../apps/monitoring/prometheus + - sops-secret-monitoring-prometheus-config.yaml +components: + - ../../../../apps/monitoring/prometheus/components/config + - ../../../../apps/monitoring/prometheus/components/rbac + - ../../../../apps/monitoring/prometheus/components/reverse-proxy + - ../../../../apps/monitoring/prometheus/components/tls-client-cert 
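Review bot: `namespace.yaml` creates the `monitoring` namespace with only a `name` label and no Pod Security Admission labels, so nothing at the namespace level constrains what the workloads assembled in `monitoring/kustomization.yaml` may request. The components listed there (alertmanager, blackbox-exporter, karma, kube-state-metrics, prometheus, pushgateway, vmalert) do not obviously need host namespaces or privileged containers, so `pod-security.kubernetes.io/enforce: baseline` together with `pod-security.kubernetes.io/warn: restricted` would surface drift without blocking the rollout; tightening to `enforce: restricted` can follow once the deployments are confirmed to pass, bearing in mind that the blackbox `icmp` module may need the unprivileged-ICMP sysctl or an explicit capability under `restricted`. Add the labels next to the existing `name: monitoring` label.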
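Review bot: `resources` in `prometheus/kustomization.yaml` lists `sops-secret-monitoring-prometheus-config.yaml`, but the only new file this patch adds beside it in this chunk is `prometheus-config-sops.yaml`, whose content is an encrypted Prometheus configuration rather than a Kubernetes `Secret` manifest. Unless that Secret manifest is created elsewhere in the patch (the diffstat is not fully visible here), `kustomize build` fails on the missing resource; and if the sops file was meant to be the referenced resource, it would need to be wrapped as a `Secret` with `data`/`stringData` so the repository's `encrypted_regex: ^(data|stringData)$` rule applies instead of every scalar being encrypted. Please confirm the file name and add a comment above the `resources` entry, e.g. `# Secret generated from prometheus-config-sops.yaml; see upsert-secrets.sh`, describing how it is produced.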
diff --git a/clusters/svc.ez.soeren.cloud/monitoring/prometheus/prometheus-config-sops.yaml b/clusters/svc.ez.soeren.cloud/monitoring/prometheus/prometheus-config-sops.yaml new file mode 100644 index 0000000..b0a9271 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/prometheus/prometheus-config-sops.yaml 
@@ -0,0 +1,449 @@ +global: + scrape_interval: ENC[AES256_GCM,data:R4gO,iv:B/DjsscWDrL0h1kPYSAPdLa3UD6E0Za6sI6938AZnH8=,tag:cra3hsphxeFTQM+t5TZlug==,type:str] + evaluation_interval: ENC[AES256_GCM,data:P06y,iv:kxVSw0Bm0H7YzVwGNpheiCiJIMI9Nq3z2hyBvauMlfQ=,tag:jigPL5LYbXF8i1fvmlUz6g==,type:str] + external_labels: + cluster: ENC[AES256_GCM,data:E12muHph7eeO4iRyivByite8UQ==,iv:2zL4sCmh/D5Z0AL0XVi8vNfP0qcCr9uP7P2gg50eIXY=,tag:hQONmHbvdKD+FRi3S0wlJQ==,type:str] + location: ENC[AES256_GCM,data:abw=,iv:BWJsKYh4F1s97dGqneAqV9G6AT49jHMIULhF5IdKlsE=,tag:C49rP1J0D+AJON015gWD2Q==,type:str] + datacenter: ENC[AES256_GCM,data:2zQ=,iv:89LdIBzWxonNWN0IvThgsffwaclbm3vAEGcrcPp08EY=,tag:8mAzu4CPgk2s8c8NnKE1AQ==,type:str] +rule_files: + - ENC[AES256_GCM,data:bSKNZYLzovQZanruRoXaQXItKTnexPBzlF0MwbQ=,iv:p+Nq/7EZESEIatjCH24XVWlUgDp7NNEaVz7TXTT9rAY=,tag:uLz46d+8us+i0tBnh274tw==,type:str] +alerting: + alertmanagers: + - scheme: ENC[AES256_GCM,data:3tt5Mw==,iv:Woq3OZnNoPYuWo8nPt6OKITg+FDS6MwL5zbxYB3gOcg=,tag:zKAywnTFYiRzhN/WAOe7Cg==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:1+YUg0QagjR9Wnj8,iv:qqV5GcRd6M4gNbinrBkxbyDwP5lxqbYCid4FV1MgdjU=,tag:7XQ0z2WB7U3b1NzUc+v9Og==,type:str] +remote_write: + - url: ENC[AES256_GCM,data:gHQIA1hlrIXEzKM06ktlhNo7ae8MMcAPUzS8iA2Zxsa+dpNxUnfr1t2ZJJI+hOt5rB3YtQ==,iv:kv92SZjjwFIzfEO60xwUEnX+BIondkPsCacnDM2JU28=,tag:zjb6z7twx5qhlR3q25Y5hw==,type:str] +scrape_configs: + - job_name: ENC[AES256_GCM,data:2ecXXTg1+YOCV0R+Yg==,iv:goqwLz0WImW8m/hIkjaGZx5cD6X/MnuqbE+tpRLmP14=,tag:Pymie78DBwBkQyKXJUudLg==,type:str] + kubernetes_sd_configs: + - role: ENC[AES256_GCM,data:vSz172LwUA65,iv:pZvMxP7uP+VWr6Imc73GjzGKLJ1KeBS5xpKE0ELfDPk=,tag:lC6VKvx8/Gc1dwNUEF9fHQ==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:uoOzZLQdVADxqQaimlgn/LHtPavNQZ+eXdqnbAuX9m4=,iv:AXAdXwCnR8Gh7o1YjZUTWaCJPWdO9hxu/tv7U+TXujo=,tag:XmUH0p+P+DAzX+wdvgPrkQ==,type:str] + regex: 
ENC[AES256_GCM,data:RYhY2alRHlAewjiJkA==,iv:fUh5jDpf9eKKwjKy+sRH2hbaNIa2VdjoshN/Pg1hjFU=,tag:+9xhZQbYgx9Hx2tVVy75vg==,type:str] + action: ENC[AES256_GCM,data:y3hGTQ==,iv:8q5/9uCUHubajU+SY7OI0nEwwkY5+gOc/aSVQvMdyGc=,tag:Agx8/S81ZmyN0XhuZYSmLA==,type:str] + - job_name: ENC[AES256_GCM,data:SH99ZTxgnJHLyfOM9AQq15kfhiUv,iv:08Mr0Stebl1Q8hclojOwDNvQlrmQUMCaD8tpKBYVl7g=,tag:sd8IvYScwAIiyVhkXgKRTg==,type:str] + kubernetes_sd_configs: + - role: ENC[AES256_GCM,data:vSz172LwUA65,iv:pZvMxP7uP+VWr6Imc73GjzGKLJ1KeBS5xpKE0ELfDPk=,tag:lC6VKvx8/Gc1dwNUEF9fHQ==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + ca_file: ENC[AES256_GCM,data:7/fYBF7Du/OnocQOWBJ41rHhLB17XWK3QW0CLwGBQr6GGRpfw+AuetRzHEJQ5qCLChJsCg==,iv:mdD465/m7b4mGv9fsCptgnng0iSTit1faICUWyTmvbc=,tag:BOzm3RYarogUC9X9zclrrw==,type:str] + bearer_token_file: ENC[AES256_GCM,data:ys5N8ych67GK9yqN8gz9sVbZtwpccnOPs8PbZMrwkFVSviuu7e10iICk1eDAUUIht68e,iv:iPrbt7JpVWjrr8iUmI2NlqXg19iMe4Xduo11S8leyFA=,tag:VrFR8Zufj0Pxt7qm6IL41Q==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:+yarztwjN/i2uC14RyCW4ERIwrA1Wq0XM2mU,iv:Ji5w08ITlWYbn+d85kkYYv5oU2Sr6rafdkX+KSfqRco=,tag:FJg0ZIpT08NPvatpEP86vA==,type:str] + - ENC[AES256_GCM,data:VfNPvwVlY1DUS24ZanGhniIS+CWfNZm2/ozbYMr0,iv:wk49Tg/hlCvL8L6BQeBfARB524ypSDsKLj148dlR00M=,tag:ohLqJGjhUVu8/utne1kY8A==,type:str] + - ENC[AES256_GCM,data:XL6LchJW2vFbKo0LgLeeelVJHOpoJzmt1HnpIJV0DVwgRKlT,iv:Z55TFuhzNB/WQ71OWdAXkz7zez4Q7/aF3lQljLS9A1s=,tag:JpvgfShytEp3zQK+SLHMzQ==,type:str] + action: ENC[AES256_GCM,data:y3hGTQ==,iv:8q5/9uCUHubajU+SY7OI0nEwwkY5+gOc/aSVQvMdyGc=,tag:Agx8/S81ZmyN0XhuZYSmLA==,type:str] + regex: ENC[AES256_GCM,data:qgdXtc+v0EousZFIWdj/5DEcgsyMx3Yb,iv:RYpE9p9mOig3q1vlnciPncTWD5Vf205TJ2RIUlwNOOw=,tag:W8MgcnEZpGSM6rgXtDSTaw==,type:str] + - job_name: 
ENC[AES256_GCM,data:TzYzyTGJb6YmhAfvxA/h9w==,iv:SFR/NvTBaMp2MJFtN6D2XeQ5yMrmSl3WTYeZws4sRLE=,tag:9zF4OU9ABWWmIvLwpOOkIQ==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + ca_file: ENC[AES256_GCM,data:7/fYBF7Du/OnocQOWBJ41rHhLB17XWK3QW0CLwGBQr6GGRpfw+AuetRzHEJQ5qCLChJsCg==,iv:mdD465/m7b4mGv9fsCptgnng0iSTit1faICUWyTmvbc=,tag:BOzm3RYarogUC9X9zclrrw==,type:str] + bearer_token_file: ENC[AES256_GCM,data:ys5N8ych67GK9yqN8gz9sVbZtwpccnOPs8PbZMrwkFVSviuu7e10iICk1eDAUUIht68e,iv:iPrbt7JpVWjrr8iUmI2NlqXg19iMe4Xduo11S8leyFA=,tag:VrFR8Zufj0Pxt7qm6IL41Q==,type:str] + kubernetes_sd_configs: + - role: ENC[AES256_GCM,data:GgrXgA==,iv:8Ci9Kqrq6woXHfqyxu7XGv/nv1UDSmA10OKgYUs8dIY=,tag:G+9mnJM4V1QYklATmfvRWg==,type:str] + relabel_configs: + - action: ENC[AES256_GCM,data:u6Eabrqu/aI=,iv:uFIVfnWOjL600wx7AAKuSRUASBHYHsG9NJqKcaynbLc=,tag:B1N9Q6qfMQIuTt9ka6uGVg==,type:str] + regex: ENC[AES256_GCM,data:bmTMcoGqFS7dROeU7c+n01pBecSBYNq/sr0ilGVexQCa,iv:9aZ9brU7lUC5x6loJFRS3lGQQDZS2qTqp9VlvQaES/Q=,tag:LPdAEDprBxb5MSdQhGAk7A==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:4crN0yXNrRLQ4zhZJcT7DOJpW/uLl6ba5pw=,iv:nFaz6lIvrXHxgonrBsBzL6PqTigBcinJuiMtYI7MdO8=,tag:rMTqvqAzA0wqtqrlxnZ/bg==,type:str] + - source_labels: + - ENC[AES256_GCM,data:mau+29HrlrT4K2CNDb99mXWnd4iWJWuXjS7u,iv:4+n1vMwPEcXn1RlgkpzyemROHxeccOfz/4PZtRMEFv8=,tag:nXAlEXktMdLci7b49kh8/g==,type:str] + regex: ENC[AES256_GCM,data:gXWNMA==,iv:ptvr3WkaliWUF45veDTDuHQ/sVcZX47wTOzLNaSaTLk=,tag:g+z2H6Yc6bpWEKMDhphfuQ==,type:str] + target_label: ENC[AES256_GCM,data:vG5VbEphBB9xKxWnTfVtIQ==,iv:bFfFLXpAbyoXntdym9VifqHurEPkhI20q0O8s+9M4S0=,tag:vtc/nCLZi+qMMcuuxmIUNg==,type:str] + replacement: 
ENC[AES256_GCM,data:4C83t50FR+R+CQ7g47LCWsT6bk/d80jSKjYsBZe8xeQ=,iv:Fz2z/YNBVq9aAWmKbZSibVT/BkX5xEUrI6jLFIjd1hA=,tag:A1NR1rWDasDmHTGdjfYq3A==,type:str] + - job_name: ENC[AES256_GCM,data:z+DlObOG9T7ZQ6sIRNYc,iv:CHpgkT1+E/M1XSvzXiqxqhWUDd84AS/LBRDvZ6SW644=,tag:T+416h2AdDgZbbwdHkVbMw==,type:str] + kubernetes_sd_configs: + - role: ENC[AES256_GCM,data:pxJf,iv:xV4ocAH5VCesyCfSp/qklJgEtXg/scKoOnLVEd2MiV8=,tag:S5iYMfKqidO3pzaymYolLA==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:oq0kXVCkKT3L118XqCmKRFax9G/9L6voL/r/EDgzzsnLBIGlLYCjKS9k5GOiiSoFd4ivMkI=,iv:+q1Na0dh/CFfdwF1nM/nwyM5ik7h2hiW3JG4ztCMjjc=,tag:ynOVIvpv1YPj5qK0YheeIg==,type:str] + action: ENC[AES256_GCM,data:y3hGTQ==,iv:8q5/9uCUHubajU+SY7OI0nEwwkY5+gOc/aSVQvMdyGc=,tag:Agx8/S81ZmyN0XhuZYSmLA==,type:str] + regex: ENC[AES256_GCM,data:Vb2jNg==,iv:4OCucBuFyWsEc1Cb5yej4Zn1l7M5QRSrJRskcJsQoKE=,tag:HoxCXLZNPR6LIxrABnxq9w==,type:bool] + - source_labels: + - ENC[AES256_GCM,data:GE8Jm2mtYE0re9ZJ/R7AtWJlt0NtsvJcDGEmlcN1Cbb7aOIrYsf/RxijveQbLGhIDXD3,iv:Qvzt8JfsT18S2Vof4tseeYZiXlKhwn9qJWtebyL9Fj8=,tag:bWRh4uxyFjvIQhseQrdP6w==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:vG5VbEphBB9xKxWnTfVtIQ==,iv:bFfFLXpAbyoXntdym9VifqHurEPkhI20q0O8s+9M4S0=,tag:vtc/nCLZi+qMMcuuxmIUNg==,type:str] + regex: ENC[AES256_GCM,data:gXWNMA==,iv:ptvr3WkaliWUF45veDTDuHQ/sVcZX47wTOzLNaSaTLk=,tag:g+z2H6Yc6bpWEKMDhphfuQ==,type:str] + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + - ENC[AES256_GCM,data:qNo6CW78pfomyTxGJBqyenbjJdzddGW4ySp+NyJcNhi3LzOaduMR2o4mKPyhxOLdZ9/W,iv:mlvtsNRlew3z5s1Ou0I/r5GLtKHtmCH2jqRWSekpHM4=,tag:CvW+Pvm4npo4exEULXPEcw==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + regex: 
ENC[AES256_GCM,data:0JSaJYzFEtDeTMc1Hwampez8COIc8Q==,iv:WioomXOPzwgKpe4E7X4hD17v6IKrVJgKEnwwr31fG98=,tag:VXZotDEd0f3wSfF3qPbD2w==,type:str] + replacement: ENC[AES256_GCM,data:ruuRTcc=,iv:bGNRkmzIw24YUH6ni99u4jpvM3yos1tbSJJdCWiz/kE=,tag:NaKO8dy03l2wjVzxg4qDdA==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + - action: ENC[AES256_GCM,data:u6Eabrqu/aI=,iv:uFIVfnWOjL600wx7AAKuSRUASBHYHsG9NJqKcaynbLc=,tag:B1N9Q6qfMQIuTt9ka6uGVg==,type:str] + regex: ENC[AES256_GCM,data:qwIlYDt6es3A1D2d1FPENx9b0mS0oFuTUJvrNbHWmek=,iv:CdDCbUCq3MpapvzXR3O4vr2gZrOzljY2fcWiv3bb31Q=,tag:hXfCQsRXPU4NCPZZm/5o6A==,type:str] + - source_labels: + - ENC[AES256_GCM,data:+yarztwjN/i2uC14RyCW4ERIwrA1Wq0XM2mU,iv:Ji5w08ITlWYbn+d85kkYYv5oU2Sr6rafdkX+KSfqRco=,tag:FJg0ZIpT08NPvatpEP86vA==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:0SDXBZzozDl4w4JfERkbH/f6/HE=,iv:CD9dAc5DUh93Z2+K07abClV6EqNdtz+bvdoT6E3XONQ=,tag:6mbBbEwdgWpcfvPPeHAGJg==,type:str] + - source_labels: + - ENC[AES256_GCM,data:95TMq/yzEfVgx+F8qelMug8HpyNE8k4+/mI=,iv:S1hef3OWWN4SR0oj2rXwbSc52h2w24QuN8tgeKBKMik=,tag:WgjeTuc0kub9XxdydV//XQ==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:vjmUk5/g23MjyrgZMrlNasVqnQ==,iv:ICureH+HvzlbWVD7hear4xy7JYCAp1VXaPmh3LabbXY=,tag:DNvv4qECGvvrHFFGssUMWQ==,type:str] + - job_name: ENC[AES256_GCM,data:jKjq+pvreAPTmjhgutGYWuf9kA==,iv:s0f6JIu414S0bZMVU5KmXNnXKFvKEVuSEBmxE2pBdQo=,tag:HAxUEwK/x9qGPc3kTicARg==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + ca_file: 
ENC[AES256_GCM,data:7/fYBF7Du/OnocQOWBJ41rHhLB17XWK3QW0CLwGBQr6GGRpfw+AuetRzHEJQ5qCLChJsCg==,iv:mdD465/m7b4mGv9fsCptgnng0iSTit1faICUWyTmvbc=,tag:BOzm3RYarogUC9X9zclrrw==,type:str] + bearer_token_file: ENC[AES256_GCM,data:ys5N8ych67GK9yqN8gz9sVbZtwpccnOPs8PbZMrwkFVSviuu7e10iICk1eDAUUIht68e,iv:iPrbt7JpVWjrr8iUmI2NlqXg19iMe4Xduo11S8leyFA=,tag:VrFR8Zufj0Pxt7qm6IL41Q==,type:str] + kubernetes_sd_configs: + - role: ENC[AES256_GCM,data:GgrXgA==,iv:8Ci9Kqrq6woXHfqyxu7XGv/nv1UDSmA10OKgYUs8dIY=,tag:G+9mnJM4V1QYklATmfvRWg==,type:str] + relabel_configs: + - action: ENC[AES256_GCM,data:u6Eabrqu/aI=,iv:uFIVfnWOjL600wx7AAKuSRUASBHYHsG9NJqKcaynbLc=,tag:B1N9Q6qfMQIuTt9ka6uGVg==,type:str] + regex: ENC[AES256_GCM,data:bmTMcoGqFS7dROeU7c+n01pBecSBYNq/sr0ilGVexQCa,iv:9aZ9brU7lUC5x6loJFRS3lGQQDZS2qTqp9VlvQaES/Q=,tag:LPdAEDprBxb5MSdQhGAk7A==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:4crN0yXNrRLQ4zhZJcT7DOJpW/uLl6ba5pw=,iv:nFaz6lIvrXHxgonrBsBzL6PqTigBcinJuiMtYI7MdO8=,tag:rMTqvqAzA0wqtqrlxnZ/bg==,type:str] + - source_labels: + - ENC[AES256_GCM,data:mau+29HrlrT4K2CNDb99mXWnd4iWJWuXjS7u,iv:4+n1vMwPEcXn1RlgkpzyemROHxeccOfz/4PZtRMEFv8=,tag:nXAlEXktMdLci7b49kh8/g==,type:str] + regex: ENC[AES256_GCM,data:gXWNMA==,iv:ptvr3WkaliWUF45veDTDuHQ/sVcZX47wTOzLNaSaTLk=,tag:g+z2H6Yc6bpWEKMDhphfuQ==,type:str] + target_label: ENC[AES256_GCM,data:vG5VbEphBB9xKxWnTfVtIQ==,iv:bFfFLXpAbyoXntdym9VifqHurEPkhI20q0O8s+9M4S0=,tag:vtc/nCLZi+qMMcuuxmIUNg==,type:str] + replacement: ENC[AES256_GCM,data:6o/HgKMUr7U9dqkxlXIW/xWMCxuhmlcQLMg7JYagZGSQphTOcEvG6t0=,iv:3asosDA6Ta/7TVQ0KOqn2Ul7n0sCAIJUXVpIYnCzMZU=,tag:a0RMt66ypYAaMAOsUtDq2w==,type:str] + - job_name: ENC[AES256_GCM,data:vmkb4qjQbOlaPvpyCyLx34fT7byJo4ptBE0AMw==,iv:GnbNjnCRw8QGJO4vd7ive4B4hyg25/0CONQi09QbAFs=,tag:uDm38R43Un3aDGQa+TZShw==,type:str] + kubernetes_sd_configs: + - role: 
ENC[AES256_GCM,data:vSz172LwUA65,iv:pZvMxP7uP+VWr6Imc73GjzGKLJ1KeBS5xpKE0ELfDPk=,tag:lC6VKvx8/Gc1dwNUEF9fHQ==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:PC8UtrsLATDAfEVumLLY5acZLGbrDs+kLbilSiicSuTcnOgjkOV/9H3D00vTqsy0g0X4hNhjcun4,iv:oO5lZB9s3IZSxNHaG3t4xXWNSYrEj5SjRZAbmEgll1M=,tag:Qbb8wedR+rw3TGNZFQCqoQ==,type:str] + action: ENC[AES256_GCM,data:y3hGTQ==,iv:8q5/9uCUHubajU+SY7OI0nEwwkY5+gOc/aSVQvMdyGc=,tag:Agx8/S81ZmyN0XhuZYSmLA==,type:str] + regex: ENC[AES256_GCM,data:Vb2jNg==,iv:4OCucBuFyWsEc1Cb5yej4Zn1l7M5QRSrJRskcJsQoKE=,tag:HoxCXLZNPR6LIxrABnxq9w==,type:bool] + - source_labels: + - ENC[AES256_GCM,data:fbZjPo/lBK3/14rqQ6kwvU8UYM950vwLYXLvf8eZVHvnXyurtzJgGfBMPHGbl7HKr6plE10xXDhb,iv:WfhjEu4aAsb1O4kfU6jYmZt0zwz3o+HtzzL+Z+lBGA4=,tag:s0GRu5os/qaM5KJ/OkdJQg==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:AbgkST6JoEDigQ==,iv:yAq86qHfUhIuBW794deSBoCBdYKmzgylDGXR3StSxuw=,tag:+lP443iZYK0tTac0NC8DeA==,type:str] + regex: ENC[AES256_GCM,data:3HgkjXf7wiM=,iv:mllkhX2pfh9RAHShr4me3BLGA2n8tn0AoenJJ2WW06s=,tag:w6hoB7TVogbPHfqZvZcERQ==,type:str] + - source_labels: + - ENC[AES256_GCM,data:uGsDouaDOXktckrjyoDO5c9krTzvCBtgaiRsLeK7+ITzWagMm8/rVcYOSw9ABPWA+cLl+c1KRg==,iv:34ArJcjO3oyD9VAIx7W+sihGNCBHKENRN5mRQF8YYN8=,tag:/C3xtjsGld1MEL3qGOCapQ==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:vG5VbEphBB9xKxWnTfVtIQ==,iv:bFfFLXpAbyoXntdym9VifqHurEPkhI20q0O8s+9M4S0=,tag:vtc/nCLZi+qMMcuuxmIUNg==,type:str] + regex: ENC[AES256_GCM,data:gXWNMA==,iv:ptvr3WkaliWUF45veDTDuHQ/sVcZX47wTOzLNaSaTLk=,tag:g+z2H6Yc6bpWEKMDhphfuQ==,type:str] + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + - 
ENC[AES256_GCM,data:nHaBTl/ChCZ6UeYVvhEYCeA+q/zru4hTfzk7CUAL8VQeo8vEw3mrm92mDH9ooWuElyugLfnpqw==,iv:3b44G6MRpW2Vf3fLiRa8hSaWSnMTOmBj5nxvdFsO22I=,tag:43gbxE5Iv1rsuzg5bxmqnw==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + regex: ENC[AES256_GCM,data:0JSaJYzFEtDeTMc1Hwampez8COIc8Q==,iv:WioomXOPzwgKpe4E7X4hD17v6IKrVJgKEnwwr31fG98=,tag:VXZotDEd0f3wSfF3qPbD2w==,type:str] + replacement: ENC[AES256_GCM,data:ruuRTcc=,iv:bGNRkmzIw24YUH6ni99u4jpvM3yos1tbSJJdCWiz/kE=,tag:NaKO8dy03l2wjVzxg4qDdA==,type:str] + - action: ENC[AES256_GCM,data:u6Eabrqu/aI=,iv:uFIVfnWOjL600wx7AAKuSRUASBHYHsG9NJqKcaynbLc=,tag:B1N9Q6qfMQIuTt9ka6uGVg==,type:str] + regex: ENC[AES256_GCM,data:Su+lOYuMMjOhOgCr3edJzslNXlJAnaHz2fMp7dy6NX/gm/IA,iv:H2afk6rYIB3/I/QbvGZKZIR4uMfbFBK4VFecprskKuQ=,tag:nUbbnYpayfvnbhdczhoK/g==,type:str] + - source_labels: + - ENC[AES256_GCM,data:+yarztwjN/i2uC14RyCW4ERIwrA1Wq0XM2mU,iv:Ji5w08ITlWYbn+d85kkYYv5oU2Sr6rafdkX+KSfqRco=,tag:FJg0ZIpT08NPvatpEP86vA==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:0SDXBZzozDl4w4JfERkbH/f6/HE=,iv:CD9dAc5DUh93Z2+K07abClV6EqNdtz+bvdoT6E3XONQ=,tag:6mbBbEwdgWpcfvPPeHAGJg==,type:str] + - source_labels: + - ENC[AES256_GCM,data:VfNPvwVlY1DUS24ZanGhniIS+CWfNZm2/ozbYMr0,iv:wk49Tg/hlCvL8L6BQeBfARB524ypSDsKLj148dlR00M=,tag:ohLqJGjhUVu8/utne1kY8A==,type:str] + action: ENC[AES256_GCM,data:s+qnujAQHQ==,iv:pzyKckQDcdE8Ti4p9ID7Fd11TGlEIX98pzTLnvklhho=,tag:ILqU3uhR5kr0ewds5V7mCg==,type:str] + target_label: ENC[AES256_GCM,data:1icwb60d7JXeIoXzFkDf,iv:3rUDyaMKJI21PbToYE0oQjgbClV7/yxoFh2Itdp8evc=,tag:5RunYusWepi1GHMzCvH4Qg==,type:str] + - job_name: 
ENC[AES256_GCM,data:Y/wBSJoP4Q==,iv:813+YrJ94bnis5aNDtVb9I6IF6MIbnyaCxDCK2h3bf8=,tag:SFQXjRrXnwTMLLEqJmWBng==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:jH6OV7bWO7IqqOdr0eMpFwuKhpeenc8JNW6GCU0Okm791Q==,iv:nJM8EsEpgXFDiHNvSQDeXi5pUV8jfVtwGaHEJeYP7dw=,tag:SObreFiPw9RkyWZTHPhR+g==,type:str] + - job_name: ENC[AES256_GCM,data:z59i/ZBOOoHNSWfR8w==,iv:NjWo6WOZc/TeX34X7fcHNjWWw03wq0kzbzjsYt7UtvQ=,tag:nVfI6qGjmkhyvWqVmZfMRw==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:zLhwmmDoBjn8HxtS8itLCAy5B8o/QuB4IwmGiXPG,iv:VUl5QVOhGsJYTzWyhSp9L72IRV+gGvUaW/lOMYB52hE=,tag:x5QJqcuL/3W6TGmD1H73Fw==,type:str] + - job_name: ENC[AES256_GCM,data:1vKkyRRGokVGghPPojQ=,iv:GlrIYGDAZRzBbJ7uh5FmvpK03DbehtlueEwv/yw0Hxg=,tag:Th0xeZ3CsmOAJ0k0DxQirA==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:a+/eeg+wORov6A5QxuKSJ7zU+1mzlCAwtwz78J4n26yE6q6TAP09HQ==,iv:HtbaLmn0mBBN7sQpyQpMRP9MtBxVPJDCSquy4PdkH38=,tag:FyMOVn7UkctI5Shjr1DvDA==,type:str] + - ENC[AES256_GCM,data:LijmMJPenthunpO9ucOJzPSR2+EWx0N2LMNtT7nEsi7ZJo2hhrMcB2kL,iv:cQlg8L+mAWzMJ+zrWTZmN4gEConkiZCu4mrbmLDWj1w=,tag:ZPeLpUGK4rF8enyYw2dBRQ==,type:str] + - job_name: ENC[AES256_GCM,data:sA97Y3kaBg==,iv:YVTswLDA1pCsdOpZI9C/84RpDaCxTzwt4fwmVlNAdYw=,tag:JeS035lr3TVGUS+pDF182A==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:RTy1/MA900Lef7oLsM7mcDUSnpsvvcJtLlC1eZ9hyYLBGTs=,iv:N7mvlx1p6pOcaG/jab1FysjYpCagHV2rsykJj54OMCk=,tag:kFeJxKvBkXOsc1yIZmXz5w==,type:str] + - job_name: ENC[AES256_GCM,data:1BGRGvR46/IAmb0iBg==,iv:350g2DOtBgegPUCbJuKXhDiMzNYMtJ6/FcVfGKKydYk=,tag:mwVXQj7n4X65iVw+6NFhLA==,type:str] + metrics_path: ENC[AES256_GCM,data:QHGtOudDIjMcyrkGGJ9A,iv:balEaS7vRmVj2sa78KAtWDMHeeW10/59TsnCp8khwLs=,tag:RSPPzRUNRb43ewJv9v6ubg==,type:str] + params: + format: + - ENC[AES256_GCM,data:QdqCseN6OczAIA==,iv:IzbScNcUy6zcmOZ5eUv/ozQYH4Y9JoszziZmotKA2to=,tag:hmhoLGaZKoCyjRxPIvdAJg==,type:str] + scheme: 
ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + authorization: + credentials_file: ENC[AES256_GCM,data:wkHZyo/xX+L4L+b6XB0LhENjHL5bsVXaHzjjUH0lG7my,iv:7O0/P2aYw8kTJ1PNCqg1CWY86qDZPwijbQveDgFMhFY=,tag:U1k0QksSysVlhCS9WtboOw==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:vEgC66sV0fQd1DRbJKyi2Msbv0s8pV0qtMQ=,iv:UfUdVnezeuKJSLQG0Z9J1ZCRm4dut30gcCupuFlFrHM=,tag:udMqaMovFngse/ZKWdIdOg==,type:str] + - job_name: ENC[AES256_GCM,data:b32YNxZNXFzD,iv:8BRVprRBh5tkpzt/82ZfthuI0sYsHem8+HD+/jcUfFw=,tag:po96F16o2U56MXmJ8kCLGQ==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:Q/v+JFN+Y/FVeMej++3s/KLepgAViA3MB7u10X+gYx1w,iv:J/be3bXecSj4Y1Q+u5lN1iIPrGfgTRldxgBdVLhSvbg=,tag:c9plQ4iIu2ZY0kgtKALgNQ==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + - job_name: ENC[AES256_GCM,data:Z9+9tyOkw9A=,iv:fHgxszY2JPMhDFY/GE9c8QkOd29JIsawNEJ2Glz8Ajc=,tag:Y6OdDGJ9KB33p26M25Fp4w==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:wWqL0nYvY9tiaz5wFOWQFhJDTtRFniKCfnFYD0kiJn6qOIvs,iv:RKF52gkCLCI10dDIkPUjPsKg1GdHzlb53TFGDvjxl7Q=,tag:qkTU2/uMO4yxxIt0jNFQsA==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + - job_name: ENC[AES256_GCM,data:1JmNiLdExQ==,iv:IdBIZN6C9LLeliU5+DXiRuj0+J2uuL5F9R/3zUN/91I=,tag:UM2kfjSsd6GiJz4F2J1Uzg==,type:str] + scheme: 
ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:se0TB9ZwJBws5IuvRjca+Ukl35OaSBNCvI3NdEB2EkOBJ/s=,iv:mwIstvvjxl8NFuFzm2qke+j78kyQUmn4lbPimGK1a+U=,tag:cvpnU8NfIGgqkVbjiXTYpQ==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + - job_name: ENC[AES256_GCM,data:5eB1og==,iv:1LYPVh0SPbNPIySVw/w6fp3R9JWwwjjmBa5lFJuDcaY=,tag:TL2bza0q/l76DEpe5c6yhw==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:PaZXnWfxjCgcgvINeCyRZQDoZCX3kP4N3dqKmY7bi5Q=,iv:m/M3SUyeoqRoyhTvrel5feK7xvGw5qiElqT0wjEfIUU=,tag:NWH1Hw6kz2+rLEnzOabODg==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + - job_name: ENC[AES256_GCM,data:xISD,iv:LERc1Lp9HFjxTsPA4h2gJTzTpPsJJ9up2VwkQKhpxrE=,tag:4AGwq2ZTU1LSDhPTPsktxQ==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: 
ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:w7Lkt+yCOzNEFfb58UHdrEaTwPAQrBDIbeoMhwbmlw==,iv:PI43Z58k9FYbo4cqOmZ4jcoK3h74O5BS6ajjAs7AQaU=,tag:tmTn7B26WuLTjj0oa6H+zw==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + - job_name: ENC[AES256_GCM,data:L5Ry,iv:0EBJvrfOFQcnkypRLRHk3+kcqxS4N/JbkucgGJ4fT0c=,tag:W0tCtEHbFSDUUVAXzOVm4g==,type:str] + scheme: ENC[AES256_GCM,data:U+6jR/Y=,iv:yO3miu3Wq/iRHAhOJxC+QEYAwVNal/XQAchUG3eOeuw=,tag:SBr947r7MY8PX2qS9oyxsQ==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:SnJgk1rP2do6r52PrdMCfrFTlWvOEyT6HiRlXJ0jqQ==,iv:bbt3mx1PWv9XNlr033DyL4gpHOhq2yzh57MDC90c7vo=,tag:bKLOpmT0jY4/PlErxkZlbw==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + - job_name: ENC[AES256_GCM,data:H+zSgeZ05zK3uCp2uFcTN/4=,iv:/YFrq8t367bLrNKOplHzqjuJE3iePYoNSsAUNNsXWII=,tag:8K1R6NJvDD5/qNWOmtqRuw==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:kyg9gA==,iv:nJtIlTAFr9KSTu7urY4xrTqKW0h8C6bAhppR3FOkDvY=,tag:ututR3M9Jf/lCBTslDbYew==,type:str] + relabel_configs: + - source_labels: + - 
ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:Yfg8NOYOIgL5pQ88jg==,iv:XFa/+nIG+eXpKQknZK2iwj57hadSoyB3xbXtxjHun/Y=,tag:C1T6PmkBRr42PHAs1iwD/w==,type:str] + - ENC[AES256_GCM,data:uAu8TjBcWoaHlvc8dg==,iv:3wBLBXn4reGTGpj6WCorGu3XT4o6zyyBWGgxmnCA4mY=,tag:QwVv2plUGXC3Sa3FpsvDBQ==,type:str] + - ENC[AES256_GCM,data:bFhcJ0X6Cfcf+p1bZg==,iv:2iGi09kyKqGPL6EC1VJvBb/yFTjz4xj4Tip3GC+OEa0=,tag:oKdNd0GWEGzUpRxxbyFa/w==,type:str] + - ENC[AES256_GCM,data:N8QIDJAQ/e5YGEdZ3w==,iv:6QXI3RR0CiqZIpt2Cjf8IljCqJQyNBiBao/ISz1mqsI=,tag:eI08r26dioh52YDEhO1Dmg==,type:str] + - ENC[AES256_GCM,data:U4Hoj/mpw2AnYjJvnw==,iv:9feYvYLRzrC5QaYMydFnRAL4fIDHDsFXFqOfnPrJSvI=,tag:rupUfZV/Iu/+BqKe0ybNfQ==,type:str] + - job_name: ENC[AES256_GCM,data:0rz6ngVaYt+Yox79nIEWNVvjcJsu7g==,iv:7wflYizTtL73Xm15WSd27o0GeP33yiJlhZuoNvndfOY=,tag:qdsFmvMhJ1lx+jN406emBQ==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:kyg9gA==,iv:nJtIlTAFr9KSTu7urY4xrTqKW0h8C6bAhppR3FOkDvY=,tag:ututR3M9Jf/lCBTslDbYew==,type:str] + relabel_configs: + - 
source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:7u+3/7IJYw==,iv:goZmfOQqSC0VLMgDNz/zbvgighCqjtqMHq3se0FRpDw=,tag:A5MPGEQiriovAxnRP0omAA==,type:str] + - ENC[AES256_GCM,data:cEW+FOOmKQ==,iv:8uftFysowgw538eWERoURMmOXB3ZvB47I9XjkCd2HM0=,tag:85y6gsyn1B2YUW036MbH3g==,type:str] + - ENC[AES256_GCM,data:aKHV2pNVEw==,iv:tpwBwJkzbKGfwnx3TL3lXTdM4wcjsAtOKSYnhXk2hzA=,tag:VmrjaR1jCn/A0+DqDp/kDg==,type:str] + - ENC[AES256_GCM,data:RolFJAz7gA==,iv:heFu2AYTfcHoB/VntY/+n2bsd9T1YePDov0xIIJ2mAk=,tag:OIYj4tSDBrV7kMXqPMVBjQ==,type:str] + - job_name: ENC[AES256_GCM,data:yLbGQ+eitUauKcBr4w==,iv:/4WlIvg8+EKU/HBi2orjBUxtil+tFd7rR7ItjtjZi/Y=,tag:cooFL4LYE8qKowbm9MOoMA==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:kyg9gA==,iv:nJtIlTAFr9KSTu7urY4xrTqKW0h8C6bAhppR3FOkDvY=,tag:ututR3M9Jf/lCBTslDbYew==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: 
ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:WQ50q1P+zeiNLn4GYepbvCpVPZeALXHcku3OURCXpp2mhbuMfsLgLeo=,iv:YLE7kIss84lDugfcvzYqCZ/Tggi0AhC8fTubr2uYkRA=,tag:qIWAYtcyWW5sNPkBvFU2Kw==,type:str] + - job_name: ENC[AES256_GCM,data:rlikZC6BtPSfKMjT,iv:PCBHb0w12sF3YztZXVw3kknzA83f8mNwI/eOB2MD3jw=,tag:1bJ6Sqhp2gVfIxJX9qs68Q==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:E3LaJQ2UOB5ysTJ5ALiNIG53NQ==,iv:yI13Kj3yqtV/r+A5N56u2LcZGPlGRZdHWRAig/oJDO4=,tag:aXJt5ThQUPSRpxnTlMKHmQ==,type:str] + static_configs: + - targets: + - ENC[AES256_GCM,data:LKDKgB9NgneKVdU=,iv:8tu505WmtAkt6yKVcfP7cvh27k0Jcm4RyGgtB4f65Bs=,tag:m9ZIrL/Mq3Eaa69VN1pVhQ==,type:str] + - ENC[AES256_GCM,data:JuRJ6VuZWkzP051v,iv:iEWQys/sbQ7GlbHF1aKiEhlgtNtjCqOcgRdHAX86kVk=,tag:4ZNWTEcZIU9VeJrvyeyXzQ==,type:str] + - ENC[AES256_GCM,data:FKOTCSdsNaWoOCLM,iv:axb0bkR/NBisJlhOHooWrHcfdgVy1YIPfH02auz3Cjw=,tag:F0YfEMPaBO/dEIILo+LCag==,type:str] + - ENC[AES256_GCM,data:Yfg8NOYOIgL5pQ88jg==,iv:XFa/+nIG+eXpKQknZK2iwj57hadSoyB3xbXtxjHun/Y=,tag:C1T6PmkBRr42PHAs1iwD/w==,type:str] + relabel_configs: + - source_labels: + - 
ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + - job_name: ENC[AES256_GCM,data:LYsuU7ZjxVgtzXVznQ==,iv:etvhvy1uRf5bsCfiMLmnkVUVnrOtyPDKbAoApDeIXo8=,tag:gwpjgDYyfZrvRgyPIOPLFg==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:KZhAkA==,iv:ZIbv01rRQrhzMPtImMn+j8hhD0RQW9SpeaZsnMJD7GU=,tag:0GzefOG82/DtV/K7CbnevA==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:KAp2BWhlgVsF/roajkXgaDkyR4IWVEHNU2w3AfAzUyKS5HYxit2wivo=,iv:7FVV4tYWou1xMLQAaPeusBXnZeXRRmlS7Cm1ss3RPNo=,tag:FWq+hORK1i99E1C9vcf/SA==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: 
ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + - job_name: ENC[AES256_GCM,data:RhUECR0+6QtlPyywZYw=,iv:GG/KIt4NIRZ7KPAqzZOlzDzAxPCF1Rp1n3hX2+LbgBA=,tag:h1vFvIGbu4RSsISeAJBg+g==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:KZhAkA==,iv:ZIbv01rRQrhzMPtImMn+j8hhD0RQW9SpeaZsnMJD7GU=,tag:0GzefOG82/DtV/K7CbnevA==,type:str] + tls_config: + cert_file: ENC[AES256_GCM,data:C+jCpIONvtYIKZrhfNE=,iv:e7hSgpeZ3qeUAuD2eaWwy7ZDiM7JiZx5XZvRDOO252o=,tag:anR7SkSzhkNEs9+SWO5teA==,type:str] + key_file: ENC[AES256_GCM,data:N6ElPDt/xPkO2UPalPo=,iv:o6/6WWTh6UiKu5LXZF56mGJOf721/sz4BnODOex8Ry4=,tag:wIb+WAx+8hwTbrvZkwKD5g==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:eMFwa857Q3tV1heE2X8bGe+QPUrqXEs/YZx16j3NbkOn+EWmZwNdOlrm,iv:ncUtO91G+Q1Uz39wYfz/n3IpMtXvbTAm+2O76QjVyhA=,tag:YaEH7XUQw9CmxcS9e/q6lg==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + replacement: ENC[AES256_GCM,data:vpHUJfGucZfQggI=,iv:o46duT7mJ/7ffY7xLpkpxqrrSg2PVkykYdLRpI5FJEM=,tag:6fgE3dCQsA3eMSWnvpc+RA==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: 
ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + - job_name: ENC[AES256_GCM,data:hqDAAz0t5AIMPsARxmQM7w==,iv:3WhX+UBzLTPbjowqYqB1DSHojmIabhnuqasVBqyBSn0=,tag:sO68bxt7cMHPufxsf5+WCA==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:sIkfGDzQcmw=,iv:A+y2MgfebWJLwN+OHZ1BXbAsFn4DS8Vu4bamc3armOI=,tag:jLrLAPWldFcLBsf5ctVSfQ==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:uLtgVaslKkzqsVrtEgA9Dk/86sju8BQGnQp9OKhUoF1dxsXTQbl+aXtHpZs=,iv:VPuaybkEZfXuO/nf4+Itw/mytYQYrdUGFJluIii+pXY=,tag:vocrVN+RaOZ0jw/MAvhqCw==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + - job_name: 
ENC[AES256_GCM,data:tX6i3oD5gGAygYtXm+Rani0=,iv:ujsZgo97eWfpxn0pi6UiAlZHnVxOFXQiE2mh8ROLXSE=,tag:c/7aKQRt2Ad/xhARulAMgQ==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:sIkfGDzQcmw=,iv:A+y2MgfebWJLwN+OHZ1BXbAsFn4DS8Vu4bamc3armOI=,tag:jLrLAPWldFcLBsf5ctVSfQ==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:eBU7LsXwli5Xig84wxpjTXpJEhz6va/LsGErA5NFOv8856nOXWdTJp9A6BpF,iv:rBPh+H6SQ/M0bnnLagjfvKBuaHiOZW17im4J47tncYQ=,tag:haYBp6dKd/AgRuJ3KcDFIQ==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + replacement: ENC[AES256_GCM,data:vpHUJfGucZfQggI=,iv:o46duT7mJ/7ffY7xLpkpxqrrSg2PVkykYdLRpI5FJEM=,tag:6fgE3dCQsA3eMSWnvpc+RA==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + - job_name: ENC[AES256_GCM,data:zSUKZnvBUcsFRGlw,iv:U7Tx0M5LO3yRkfOpB8+F3yo6JUN8C62nEQkc3m1pKfY=,tag:CtjJHqucszTJlTwb5SZGZw==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:DpnozEoYDhMJEKRio8QsGn+YYplfuI0PXtCSWaxf59ZAjxjPOdeFCQ==,iv:s2jjhsKnclh+VzA89jrPDuETfATdvazH8LYTTUG8RUQ=,tag:eymo4AFvCKkfHy7fKlRrgw==,type:str] + refresh_interval: 
ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + metrics_path: ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:/eIs0+c1ZDS+b9Y=,iv:9/mthGPz9MF/EKD4ztsZQP9j1s8VC3PFjPhhq1zdflY=,tag:O96rt7j4fI/9XtGNP2db0A==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] + - job_name: ENC[AES256_GCM,data:YnDm0NrIDyH95iAVLeRW6VM=,iv:R51cIb/UE6OR8cQzIlQU1cZv7V+Zer5+koaQxTOH64U=,tag:OiCr5A9EId9fJLUCZsUAgg==,type:str] + dns_sd_configs: + - names: + - ENC[AES256_GCM,data:cOhCVQcqe/R4+obqNT8tnsdlva/HY8PcUS/bRc/VReQEY7jWgiJAslYWrJqf,iv:Of49opLy4xI9bJHjKpRmUvU4PpO2Rw5SWvwpYn22maU=,tag:1KdInBSo5oS9fodHKnPCJQ==,type:str] + - ENC[AES256_GCM,data:2yGrx/lUGL0jAh+b7PQuJ59QLX0LXwXGs9PDOvG6ulOuP5akUIkfoxba,iv:29bwuoGAYYaxm0zgUhywxA/r5di+lI70DW+MShnUmeM=,tag:2N0avPX6nYeTIxJW3FfEKw==,type:str] + refresh_interval: ENC[AES256_GCM,data:2IU=,iv:d32bklxd/2krdiLmmxaAiwoPumJ6eQLHN24zQVWjd24=,tag:UeZlJX7Y+hK5sQm27P5kMg==,type:str] + metrics_path: 
ENC[AES256_GCM,data:8h9QZRJ+,iv:ymPHSYlMnk8iI6fLkCEcp6V1SJUOOFJXrlIy7h5ikXU=,tag:hGyesnmRdH0EjNh/PORDTg==,type:str] + params: + module: + - ENC[AES256_GCM,data:jOSJtuip9Hk=,iv:rIDgsRjF1tlBtLmbimb5VukQ1zy4ubJRQlYEmnuC6eI=,tag:pVmE9FbpsV4s7QjXZFDHTw==,type:str] + relabel_configs: + - source_labels: + - ENC[AES256_GCM,data:i96Uy/Vb15XYOxs=,iv:90RGMeiWksSOADUyO0x4g6s3hLML31z8RseE6+Is0U0=,tag:38OaUlVidLaKMIe19ibTHw==,type:str] + target_label: ENC[AES256_GCM,data:e2XAldOnfVeRfKDnnbY=,iv:DqlrZorri3CUpJIClLN+pckNaeSaDat3rrbO4UlJSd0=,tag:usVqz3BpAbYc3USBXbqMpw==,type:str] + - source_labels: + - ENC[AES256_GCM,data:rHjn0scu3McDGv6GMRk=,iv:Riad/CnBH/MmzLQRFxbF7RjgV9BXfoAB852eZeSQYEc=,tag:rgCSFEiSppx1yBhpWRIb+g==,type:str] + target_label: ENC[AES256_GCM,data:FKcMSAddf7w=,iv:zxreFGFIShXdvTNM0AXF1hAgo7mC5ABgNbcZuIQTlBM=,tag:aFoP0oX2+E+t49XwNiiJEQ==,type:str] + - replacement: ENC[AES256_GCM,data:jfKd/VQZa75tPwHfqCGw5TrICIU=,iv:7khdJ7T1ohkEuYHgVW3tFnHBA0IPPYIaYAYQGCCuEyQ=,tag:YEYugq+2gYVvApJoiq+tWQ==,type:str] + target_label: ENC[AES256_GCM,data:mxSmYrrZS62vEA4=,iv:M5UBTU6ikBL7KxqTK4U2pBOSVlP9XqGruAvgq11uGlw=,tag:0zFNGoUHMdApKgfPQ4H1Qg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-dd + created_at: "2024-02-19T07:12:12Z" + enc: vault:v1:BdfAPwNF8ik9QIQtT0bemyJTqKcbZ55CdZ43FClWPGHkRxnsFSS8saXzzVf2vedpCbA3KqNGgyd0zTfn + age: + - recipient: age1g67vnulzds6lsw4sqvvavxjn0kz0h6u2lnt5znu3yne0xhe6sgss0an4zu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1OTJEMkhnYk5Za1g5Sk80 + QS9XYlZoeG5iTWkzeUkxZTNyZlhjN2wrWFJZCjFUZUM1d1RSSGw2RFhhT0JCa2pO + UnJxZXNCL3JIc3ZyQVRjZTA1aEV5blUKLS0tIEhET2JtaTNrWEtESWNaMmo4NkNL + SmxJSWZaanRRMmp2M1NqVUpTcGswMVEK5JcwGLxoSf+1RE6ioI4edt/zF9tM7sdd + /7ILRTWM/9dkngS7v/zkdqJS/e8GBKdP7ocWfwuiRZcyuNB2KmHadQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-11T11:20:10Z" + mac: 
ENC[AES256_GCM,data:Gr/0AKo4sdTP6SdrfU0MHN+Aa0CmdkrIO7mR6i59ImGlQ2IbSpZTEbaLVu0ifrvboJmGxoyMn+ogGtEb1pZ+8NfvxfyK+bXTyV1d0tWZAxIN3NkpBQcJs2+8Xa8fC+Zu0DzadEdIAZKX0Pwz+Vozve7gMRI9CmLNDTEsjglFoog=,iv:fin0dq8cu5zHJbhqcbSVxZ7120T/CRC0bvuV/9dknjM=,tag:Tgg1igoCc7EepuCRGcVuyQ==,type:str] + pgp: + - created_at: "2024-02-19T07:12:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + hQIMA+/EGAve9YBkAQ//Z1StUXPL0peypoo798FttVsle03JqGFm0GLq4cAK+fnY + ysCvh24MoDKGkqmyXZek8ncB/Bk9WOMMmsy9EiLjJhWLZoynq2gc07CfEaKpffos + DzkonKz0mLmVlnOHcbmKrFlg4g5ZVxtkokGLjRJY/gmcQmjyhJxvpwPxSOAk1ZU2 + IPnWM0RVSSWdYgRIN9wwvgeynld0F0JGdbhv0iBaGjSPXj5XG8YhF5BennJc4AHP + oAg3bf5qfi/v0pQF/A6R7yJ87v9tTkJsEytAZKRAt7gSJndh2paaxjMNsfA3KOYe + gxZ8NTMA2mTB9kCeX+XMDSOD4ppIObsVexvjQzzx7ui6P/KhSdB6/GE080Iyhx6m + TeYuTiJVI6qn1efxZJuPn7plOJMhzFopVFWG4b70y4Vu6ibtPBeqCxR5aCbcZKtJ + OU5dGmDSS+dw3HVwIXoDplF4JK8DR0Yt6xE9x0fpJNuxCk+if8SVqKDGjWncj0kt + USZwc/jVqjJLR3uC8tVlmF6FdFUxy7KIM+QdTw2DTeSHmgOxtHLf5HuRN/MofrTy + BIcIL01J6B/T4uOb+Td+ULRRtyDQOaZdf4/dk6GijNgcMAZDPNsQxBXpdmGPvIpZ + So3QEJE9k6r1uM+en1SuXGGFgTMvbgb0K+LA2mxD7iOUzYSbJElZeby0aaE5u1zS + UQEWKGAHflh3zu36DYYx9AISjBW2yTgwgUwzccJxKX9ajqJRMuFjhOcOddfIX3mZ + I9NTf2I3qmLgqb2YclerdKIclbJCDIJcDUzIcmsTubb9lw== + =j1Ij + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/clusters/svc.ez.soeren.cloud/monitoring/prometheus/sops-secret-monitoring-prometheus-config.yaml b/clusters/svc.ez.soeren.cloud/monitoring/prometheus/sops-secret-monitoring-prometheus-config.yaml new file mode 100644 index 0000000..3a1d4e0 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/prometheus/sops-secret-monitoring-prometheus-config.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +data: + prometheus.yaml: ENC[AES256_GCM,data:OW8ymltJ7ToWlHewUX6gicZpmGzgsfg8oWF31hBLlMY9mfVvUVRxc8mgqpr4ZGy/NfkBjQ2IuZnjUVgXo9SfHOzHgo/EdhRjYTLG0wSVzuX+1HqjDWWq746G+PG9Y6qCB18XO7KePVk4NlcagFdiYSKmBsnXGqUPqg4ur/I4nfH1AmEVMRLBgNq/bg6y0rLHcEaRe03xGYVG1NLkI3EBwhI5MDfaXRAtvyx2g5XWN3mt/CoYVZftkrji3bLQmu49Q8j05Rxnzaya9wR8Zhp/qf/ENgFcakHs5oZuB4tShrzXAIZ4bDI4ZQTdO97ghzRf4CVDTPsAHK+MuTAbIAP2FCktJJVFtY7CaDtPB26uZd7kepZZP3xJZ2rEw9MCJDwCfQDXFqsTQblBpKrglm5rVHne5wVOLUm5G3QyCEOjOqEEy9QEin3Cd2Ww5J0jvq0i0vbTk00Fe9ypPAEQd2ykJxJtH7CTKjcvylLuVRfCPO5vBFX6RqNUK5rDzgtlWtKmnAvR+Xw4gN/ctM4M80MnahofOmyXPhqPhVDoRzMwvD56RVHBKipf8ocYfAH/UMvFpefODwGVdSle7MOiyMAXjSREXjj1aP6bF3Jx2vIGNckiiv348/AmvZt8uC2KpiK5v96jTnEG8xbn9NOFRkzsbarSTHH79E2ZL23DSTculSImIrOEMf84qArnKi6R2LzIrqZ2/tPvJKpI64mHFYSXFd8cX658A7hH1ld2eztCAlOPg4+4HrDJjclic93qv4rqSJxqyecaHW7hLrkqkuH2o5C2G6KFlrlxPf4aOQBgp6Ph4slLXtD/fIhmSNcYhwvqSBZvPu8jzAQPIJ3Rtdlquvli+fb5U7jt6wb6rsJCOC1OVOo7RABiWavFkkZ+FAD6+1/El2Yn08X2PQkLZFYdoQ6lBMTfbDd5Kcd21TogvK4rrpaypgzgcl8vQ9oo+MMJhnctseqG610vDq5fFFSgaBUfNPkqOVohrRE41B7KGj2kVjt3PFN7Kvlku+RDM/3deSlwJjVHFj6gTO9U9h3a1pRWh5ZMdX8+/lMZ66AeJTzqlVD9FAQpCn9GzWpoUv2dAjNPim96v1asq6nBTsmME61spimjTm/w2BeC60Xf3pfUJKVGG7MmfDzCCIsq5HzW4CuknpkMBTRQgwQTiJOeaXploylASGBaD5jymqYP8eqr0gFfKxEn8+/W+Clv5nuqb/6ep0BlwohpnjRpT087qCVK6FCqa5MWR9/olerDM0kbLGZP23cqZRdaL7Do0lhEcMA5OlUeaiScf08jUzXW2wjjJTxrWe/L5ozusP6qTEx3TVDGXyrHyxxWqvByXkNaoGr25IgcZaEgUZKLCANHNfvLf/Kgpe+xNGVUQnwmPxEz7Di0pgcWyha94kFwwkWpob5zr3ybN+Jq8kOyaSooQbxwoMMoYQNdk5+b1q3aV72LodwKWXo1LjNQGtfasJ9vDyLinuVsUsji7BZjfuQyRPzRufj1AxJwm4OohKSUycpgwj/IBXFOicGmSL+rzR/e5R/lwwaD0jHU/r7crbgatL5TLs7Os5Vf04CStfj51/t1Gn3lvXo33JAPKS625vfrNmKl21dxk2HKz7qMqrfGRxlsF7wf5td7i7IrFQGuNB0ptMYSYpZqsZPMMCyvsRjuohbE//Dv2r/O5WwZUPiUY+vAtK4m6sRT5+zhoP2u8U5JOY29nzearUwqvqPq/xcAoDmihXCFCiUKcjCRMgsd5d8HR4obgle7dBZqmwvk3JCRcGMoQWI8lyHOlig9jQGgEbf0OV/D/TAjXd2U0L/peBiyNovOGlsyxhk6/aaAjW/KYnaWkUfO/v3q9fPK4TQu9+Vp/2qaPCkyhmsmBVd+X1AvZkFO9BrzybyLm7KXnLkPpwqPQA22dZcXmxdhuW5Ww
xqsM2FTP+QMSgfN78iCBy8xQoi8WlhsNYZmy9XSmoDnTskHtSygLFxHgfAUObMh9/EhiSY7j4EwJlz/BCrBiAYJjJAhNd0NMdmXFuwGiXN2pPMGkhf4i5M1D4tLSfo0s3Mir2OTAcfWbrkZnLIt7pAgReAuoA10dhn4wyaribPmTKk/OlrDHWnzyamoJT5zZeyI5f0GcGlIi9buoJQcUuhIf+XVR7wnVlpEKRwDHLqLG6fAXLWYTvdu/cimTkvtPM+I8fH/izRWOee3kiB8M2sdtsw334B3Mzs4eIBqhZny9en70GftTfaaKGY7nLz6IsRfi08KbJVLJHY+D9pyB6D2cMncunfJFiVicDu7bizGjdWN0omzGZUKMI+OCtQ1lOWm8pI8LviXcfplF7gFWNCia7JpsvuxUdlsMlK4V83QN8DiyD3w7bPyDY5aCYlwmqJS+jVKsNqNBBHGEXMrBLMN7lg3NIRtTwIM6jsrjT5n+V7qfMWyL7N+Q0Mis7zgfZ0NrxlTcZ8MAttA1bZ0FimHlgn8WAh+zm4liowLG7BxpQZ6GwZPjuyTzYN6WJkg50Q96yIul6WAUFfwBMkS+sayWelQxtmXE4B/72Vria5FSaPyQC6MBhJT0LoPerHwTAsAR2UBl5zFcAIxk927qJb7N8UNXISRTG4eVeWj5il2/tjxMuM4v8xYvgrgArhhTwKV0Rtg9RXEZL0LvikCh3UzPtYaLEUH2upgXuvlqceuTETHkXOKRu5j5i0YwfWZmFa7YeBataU0QnbWtXAo8SSFSyHVC//UJRkgiJ7Sk9ADz+OKyF29JtnspK+SWi8L/yA9WIY3CsLepnbLDpU3sfOieXdBLx/RvpbrfjiOfgPJu8GK3MT4IVTkYXrvYqsVF1lNyIPrzdE5YrwVCbiycp4sFyN6H6zR1+7L+/1RhOPTYkqArRcKItqFFYr7eD5QnCXxE+JPtUcbzlAe3oXYrrKGAR3t61ktuSVdVqWXUX7CwqBajaAdKChfiuyeNNmW6B/4dsnVP01y6UcR1zcy/nP5/jfGmPESDPrTAAvxpsf3BaDcgen1NNddkhC+nz0P/IJN2mne9F+fBzs04f2QPlDhdDxE0YZbvwXwxbZj0A40mdDjyXIDt7nmpF5dXUcQ4kF0EMAXa29GT32elyJ1To+t/45CVFhSh7yRVfdzrAgS1lk2d+ik6n+bR8vsghFhqfjTfNUXLRcyUjl0FSw5aB6ORktQIJPzkkpiFCnUU8pxtoZVM9mbb4RwV/g81OJMvRRAETbpq8Oz4UU5kQrFtD+4X5n9/gaVZ2MDoexDQwRlqGZ4sDigreTG6fiSkNlEDnY4sJfLoVVt2ZMGn3ey/hx4y13Pii9A80FrG41UybrHuJmU/SGns+E3FxHMw1mcSMuCu8Ivj2qO4PtbZlDGUqWw3MT1/pDbfC7dpMQmDdVH9yWgIy5rRTHrY0ExPPdJTOChPTii5BGKRmUWSQbVs99bYu+AHZ7WSw9eYJN/klaFVQP3MWD3GKMq5FUiLqOUD3QL9srfdFrQ+i5kEM8ut1aVwDFpVqUqkiDaw2lm97M5FhVuWKtAFqav+hnK+8V4dPd4iA8Vjl5wlEip+xz+nG0nKycDxaYDdhMTHeOk96aqiNfJ2i5SPX5SAopAh2N+SSR5rIoFR7X0faCkCATFiE2XJhqr/LXDBsa0JTGZ2AkrQZQOxTTG3jIs/YdBJr0mH/LaMPq9wtBWMvEoLQiFNSNDwIRIgeVcF2OBHaluXFENGuO2wumJ9fLpvXSFWPMqEbiXc+s5yqxxTbd2pvmYPW3Ico1EZaFQUYCl2iowrLwytIzd5xlotIY87t9HJjZMtphGhrgZZDXBoG2DojZ+frMfGKljn/pSm1wuz1Rn7tGvytW75mfMa1SyOPht0Q0fOU/xVq3fpaETtusVyBzDedZw58/aAFkyxt1BWSi6fw1oTZTbAbjMiIeN+5uKi3x16DsJl+XYfEfdxvOTu
HUvI6tdoYnDaDBEY9Lfo8UXTBR9+7fJ91hb6oYnSBvtMCCDusZg/Weft7iCYrsHpvFjpzYpsH2eZghGRDnTg87KDAvcxnXyeQ8WZg3oNyeuKdx6m3A3pacixUF154kFJFdkvh3ml7FgmtQBfp4Y0V01/E9YtD9tr+U3bNMIztMmxSbkLWLZ6ksoXIyjYvL/6nUXTvCTTS+JMw3HMMGR8B5o+esJsoEsZBTEaNHaODVcHp6nbpUcH4lyruplg5SXqr4NS4avrrZHdgyIuESHtYdlg9epQmZupyV4JCtxhMzEdSsAhdaRiz1xqe5AW1EXELZKL16DU8n34NffIMIXNSjXQOCurJzO4fuzwWr6BjXEqHriG2yitVOK86C6tYWLpj30jeZtDOygYRP3iBNIX0K5Xouue1tMJWInmizcjmx/iARmGSp15dGI1zYxB88mLPLbodlfjfD2ski4CF0o80PQWVGnHMYBXidF0ywL3cxmDcWnClKlZQXfjt9mTMXH+8OhXnfxPtqeMqdDw0Q8b/dRw8pSwBpsy3RQU0XjtLEJP8xZvA0CY67ePOTcIFHrGYWSRKrXYSTaT5DtsmfcOHry5f3yxlE7/9XzPmtvqK2+7V/mzaXpsK6hZBHsmhVjKLUY7MjUPcvd1yWiNlKWVYR+XvldgUENHxieZG0nbIUm+0bBlv0PP6BMPcJLqE1Rszt0NjJBnrCt2693UZTBNVMNwd+hoZoo1sYj87qiRmJuIIBnC0pouFGUAbJs2K+jKYyikLFwQtRK+US3oHDoOw1FZfroXM4fa+K59u/t9hfndyaBdDuSmhtGVlLDIJBl/MdQKthzRUfKB25Z9buYQIIeYVvDeO6EqHx1CFT1z5qADpydkhWGXxrHFRSbWWISU3jUzVMU2MhxPF6b8hYkOMkMY/LKzLLtGXKUXhLe8GboFEboS+VwUbqADvQWbvifY/8yN+Ud3htVGFvkByCmqxsALn0F0U3Fz6nivjE+CtGbg/Qpbi3HBjeQW1MWI2R+FHtMkv6wFprsn1kQ8g0+vpP87blnKKkyauKh8cEytMOBehrrT/3Wk0mzSy+EsMQkwIw6B/+wVjsfvrZT7s+vMzp9ReZGKuG4pigGNvm8Y1soWzlsxH1p8rw3WBfPBBFSRmRcZAMUMACMcenD04CyVxgP45g27lxj0DMpWjgt8epgD9Q6mLREUM+44cunEOKrN/eAufsykwchfiWbvVnbHouU/3ekUMIcg8WcZoLnF7SFEpOvOUo0ZsBWqzRx4WCue7fZ1WRcRn8dvrrsXppVqeAjQb2k239wuQ1pYSg0E8BXUMlA31QvHBIeryEwbG3mHTzB98p+3GekD7i0OPhYGPTrxWetDkTWB4oxqGmalIFKS2VyQLzUNbmdBXxKwRGh+MUtx4WmSPYnQJuNw0NCpJrvq0z8hgcHMKhtVrMufV9/PURlkZ48WrKG3Y1FIAKvzYn6mr3YEvEfhQAwX0eSUSrILjFA0QmUptnMeaFYgx+d936Mf9sqTmTZhtPWVJXQmhiPK1yG9IqnRRnadn9HfBwMLOPuubBt+b16oondBHHY5hv0eZhNZFfbCxoGZzgV8ropzmlY1poRvE8RL+8aul7ZRoItgjGu7t6V3wKoH9GI35x4x8UsJnVERkUCGpjfKaNP47JqMUb003dqjUSinUtx0qtKXJoTDnZMGHtVfQ2M9AbbHapvLjeZw0vMMl6zMS9hzsaWe1ZWV57KEM56q4+qDIbtcXZcSIn5yoNWizmE4ve+h2DBqGQQR+U98kRpWmTfTaBLkIz13+Q2pxMlYFJQGMrkXk79NItyZT+poZvm9rU3y9uPmSwEXrSFRwOpDRl1l05aVm1P+qXa23IBkFRy0RjlrA0PSPtcMevtWZtGACigMcyMBjE8N0rq9kmoablH0fBHPId/pxd7DAAg58/VjLH7YxC0v1UWHl5Agbxc9Wc8JKQgu6p6Lcaie/sAKDgfT8XRFlrFlz1Rg
2t4bf0pqUOeO9Ek6764+a5VqAWk639+gOXSgX/B4P1rnnSx3HLtL4cHbLo7EwpKOx0ZGwHaohSk/Nnr39SRhUcOEbjxfdHsXp19ELRMFENjCTYHlQoXukDiX+25PIoX7WtdqteLhLOO7KWiwO/X3W+zFRZmJeZ10Fj2fh6co9EKPe6ihuvVSNLl/Osnm6qLx8/w/ZAMs49t+pgkWErcGw0KUbhi5UVSLQ6h3RyCC/oI9CYS7HaUkOJWhRqv9z8Jib8gQwPV5jiPqw4yQSCMxNr9UhEQFcVc6W4057tPPQ1pxIdnXgSPiZLy+hC7y/Lm+2tVb2uOiaJQxonDB+OIriSiXuHR4xDFtd+NjFPXC/xZGZU5PpNJaWILz1rr6iB1tCw8WwwXlR0JZ+5VAQlxdBPaHGcfuz0Xlmoebxh+SBfnLvnmpyLKlg6dx5eer343eva7Lr4m+uYwrSOuMOgEDkQUPA1TXggDcNoGvpp4abj6IPyExFVKM9jTms8SXvnNXz7pj1Nhn+tJa1YD6irX2zlObji+jwVcGpl2r8m9bzOIvpgnux1x6XPFEKj+2NWaHXYkq//lYd5R0BrDbQsyRYkxD/VqxRwH/bQ3WRut9Qft6gxv1XmXiaAfp0nXOcMuwgzuL72RNlwwBBi0LbmpgJbE1bz4qcGMPxMaIKq4Fyh+LdYWN3BKGfjDqXOJRPQLK6rrtJX2cU6ONyCI1Y3wtktocb7a4G4pafCWQjAvPtSLWLBZa0LjWVj3Z/uKKU0xLE/ROX4xGvuWIB+SrdkTbZO2ghe5AZl5bh/zZNVxrDus/RaPip8/QmV3tQVrFLG4OfrwFiFHxEbvvWPoXSDfevPg48ZhAMEW49RQrp93TU48a8Vow1MgbHY5aQzhenHJBfWQfZ3GI3n7MNdzBS+ioplol6f7Ql/c1WBX+u3T9y957DqD8izQj7anfGOTHrwO+y5Ar8lY1jsu0OtMPyHNgD4wVWFn9ma2dK0suwQ0z7X+VzyAGKRsPeS9kpDWIc77KnDJyicZ3465uo2zpdPy686cJ9kZsdGkqzjJ3HObnuIMA54BfH7JXrXT4JKUZH1GWUDbacYZOYXS+ErhfNbVdLcgZPXwtYD8iJi1PY/BqtJo85c7rkyCxidQFqSe2AhZ9L3D1alKWc4a0PZ1ZvHtf960B1+m4ZQvs+AnDuHVt2epvNIINhzhXehq5JP1wDaUfhib1/fpnH6AUUzlMPLb7pXA8faDDTMCtujWAnNOQcuT2z7I3xLBA4yCI8nsKcfUu9dKAU5/k2DMZiAcuNgMKn4X8ghm7SLFHKxUmYUlYiztibxE6pcnlKV3ANJqutl3gdTVSBewgFa4fbDP2uBDhRbegGj+4HEPlLr+6BTSTXfJnZf63YGfquwLZmuSreiVEXnclH2FMJguGYTg6KywiEGtqQZGblJqira6SDjf5RzTs5vePhQDgJ1uf6CVsdmoTf3H8E+10VoJMMDVuxZ/9UjRskYpyn/3X3n7lidwdR6nCV2iU1sru71fcXb/AmXSKpbbguHBucq/3OCXvAyMlUmiet6EL1J5j9BWWFobEWkpK1I8X66MVxvDB2faEL5M6XsQlf57VixvDJe7zeAywZnLb3vymEgZdzrpaLRq+Igd51IwjH3OMbmhTMQkWTrLGlXmMYg8XmE43jYIKfXRoYbH2oiwzVp4+Sanku8/v/LibywWgTW3Bd6cOS6I5kqpjtVZzxaYPk3epLP29UnxEOeJkXLHCnKWDhPjWtaZb8iwpUxXdXlbQqgx+JDUx2IgBKsoNvlKPRndbEq9cpF9Qd55otG+ZU6iq8ZKSmB6QPYr6+D2yf/DW99q9svJfMK44CFJ9MBE6s7k1mrAp/xW2HhTwnxNYiLXAUIjRgIWtnkI/6+zNPlk0Dr0UI59C1MhUwS9foBeZZZHyzTqLaVLUceCU2C3Cd8HQk1II8U6B8+TfUE/Kl2tqqKSRgMJt4Fxedq8x+MD5OXwInGda
w6i4MWBVpiDmdcJgfmaJE0DWq5cZ7IG6qmi4O97o6I04T2dJD31xr2HUtvlgWdHoBTcFNhBZCLhU06X5kpsxUCYZk3qXHPCyMwYzW9P4t/ir5cGAq+w0wKdzuM4cMZygLAInob90f2oHPd2PByd8eDPTrBjAv+Egc8NPE1XdufpbPiLDEGlV+9GZedwHQn+KPs7cyY6BzYOEDdTgnVAUG7y0kRng7+T86MPuIEjZMxrzTaxlVzVY0HdQWev9xZnAfFu/nq7Ij4vEHlFn7Vjov8gpATQW6HCyBHWGDbgJ8FK0h55C0nfJU0JdCS5XFrj9pvMe7Z3j9Py2eujalh8wKVygSF2EGRXAjHPJyJ8zwWE5xz5HXQ+AGqs5XGkvormr/kDh+LgpY33nUoGGz/5XEo8JzKyNl5+vaJcwp4hFIUsbkMxYp0SVsOgDug829RNmOuMqQU7naqivKFYUyybJyOsjfX7K9KDyim9wTy+uV1p2XJqnuo3A6L4QF6xhYYC9QW4EROWnKSBo5Y9JZ09ENfTVIa1nePQ3F4q7iVLztlqP4QZSSEuL114pVlMhguFjPKDFMHRa4KiRInUlixhDpdlC1ihnGnH4MEn4T3K7hr/yG/P0kjElbjL9E9zcDPNYt6D3hF4e4+/rhLMt8GzrUMYayCt5/gt8wTdwxNGz2d6Lj0EfNz/k0+EKe5kj6E/ZfJ4aI55vPJkNoi+/YKsgY/qjxiKDA2e9mJ95Ok8pvx24vQTe/VV20O4RreUtJ0PlsqayhUmmDwb3VXeg4hJS4/TJXd2tGRRGQT02jWCln1sco9pgBOI8wS+uuF2LPITlRyZ5Zp1R0NP6Y9zq0B98vlNwSwLNGzXRlm3IOnFoVSq572qyXF8G/z0Op06YIuzir+j7YrOObh/O7OV4vEyDcp07Zyx5CNuWkU8vcwRKzSmd5/jH6EBD/4iIVPDemYxFfOR9GiGPZu7hxcSgoNhpEkZxJTJ56COHacFVH+Wqg2IWviuvKp1D5LBHBHxvSZhYuTVQwzQ2pY9czW+LHdRSRav5UZh4qeSMYlVz0Sa+EdmNWFu/xqfekMrYujzLkuh3bXQZfbmAcPyV746Na/qZK7C92uh7fNtjqtBMaDXZQLEeIlyP5iLAU/MzEBuAMb+xw4vKUl1MpHAN4mRi6uXjhiLX7/eOBaI5sKHiYQi8y1Cs9JmF4dE3jk7HpaGTy8t9y04iXnlQ2VH/lG3C5rJiBr0yQDMQskrfZBPnAGlE42zLfBLi/vncCzjbftftCVOUaO+74mJrND6zgCoWJ4tXH+Icn5UAsb6oJstbOhDbes6TLZsgJyeeO38U7+vWLyQX2WLRCx5X0ndxD2rn0SIVweyXlAEMU3f60qLINrV4soeulP0JL7AUoDzSv4FH/n2zWkLjxiJV7rsY57B0aaQTpF+GtSFJq4YzlXJkJ/2yKMws/+igYN+TQwZHYRTJYM5VaoMvJA54QlKU3XUl9QaS0oDTZEz6BtmptVrW2+c6Sx1g/E3v34yOsSxixABj9QAvd7zDeZ8on32QhVbgURmevAfrbUvse5b6DdYB7cuJ+Q8Fo02ZIGOyEE/u3r0xA+z/fElwQN2UiYWfr4cWAfzLF/KiZQ+EJN5lCkRTM88/Zehc0LdHpmwj4G5+1qKgfxJw9mjUvifSmy+4DD4/XDBqbK7O9wWaz6FJGNaWNFopPXUy6eMjSTSn380IDzaTExS9+9LSyZVu27BucaIdSvr7jf/ZRT1LGo4rDVkLDo6oOY/GxMuR/gTQUBdyETYEcMl3x1qWKbTscYN0Hl9pmS5tQ+wl3p1MEdUo2nXuOILp4ujAgurf3p75zqGIvYLcBdXb68LQ4TNvprOvRzO3YGpq9C/PHFuQB6HFyIq86Uc6IbV6xvq8O3fAUxY620e1fEw6VZrxYs1JjjorD7p+HedGmyUpnQW4h0NXOGaCOxBckHMmP0G+ovb4Y4ccgemPt8FPWy0t10f8TlQiBM/v
Jc7Z5rWyQgGrNzzLhflZKp0m/PpZ4bunO6TVCOWM+dyTC8ntp8G3+BvMMT1UPez5xq8ov1JNwkaH1mSoZrhurRWLyKo713+rWOvhRAIcnzBhuA13lK7apBtIeJtc9GDpo1Gj4Wm9L2w8tuIsFer6ePxNm7caqXia4GZsg8nXpWp5GxBU/zwSaY8vjOGFwYgHLBlgoa4/Hh/5RAs2ahg4kdh5+fp5h1hMFsyGyFx4iV4taz6dp+GyopfFTB7YOUIR1V0ufZU0l02/P07a7W1WhBMizuJMMHmEssSeA1Btw6p6ExD18h5UynxRgoGLiCc+6HrYcccM65pazswDB9Bsb7hHkuIWYXs0sZbmVGDacvIkLSqQvYYC2XISJd5D5hakymG0SOt39+Ezf+A90WCBqtJxqpjYTd4x9QpH8tL7k+Vei2tfsbcvGdpdjTVx0B/0/cw/OLgtOW/kgftXCTWrP5ngJwuhA1mTS8VMRSadlRc0wKbpowvtAOOfikHK67l5l4U+gtx4fkwXjNCDcxzf9nJsqT7EWDKqWH7F+z1bcAj+uFkrYPA6yn5XJBaGIYCFozUEFsLOW6UwudQqXFIvR2slBEPMUo09lzU5jeUD46fOtK/7VqkLMuXUhBL9TrW5VIgKHiuplxwegcClKkf8fkpc49IOZlFDzAnvWoDv00IPUbeNa8nuTEmekV87rcCophOLp2fALOKm2/xnJjIih78Dj6Pju2hafpeFfEJCxza3mOhPKl+VP8h6unRHJFt+O4C4zWBlwlxzyb4JM+YmscDxViCQd9VXTCb9z3twkRkyRFu0ctuHRzBeTu+dIhAVcQdebkrXxB9lrseJNImkff+JkTgIfQQcncYxsKsMAyKVxdM/iPy70qlYa4/dciqoBbiX9Nw5mVmBNwQY0g21MusNTg5F81pVCrenZu8UqiJKhUKTBvJ3YMUV7LKbk2nCFipoM7nY+wbyWLJgKDNoBzW6tOpqmeh0Ygm/i4D463lIPjkaG3IMxspB5TnPrWgJykcoCTdt6y8jgYQBbTSAAqq0WvJSDLQkeMAqeE/Pqs4cOMc5oe6pkQB5tkhEn10HSlgmmQLe5gtUb3R06MbGKIKadva4C482kGU8GUI/Tdkkw+BBIaVT8K+Or9cI8mQJUoZG3M+003+xRKDgkMgOizkgmvoFPKXMSpPxyB5WkDAERM0evyao+mC4NQjkjmuUY7RV1baEgRaFsyDsWc3eW8/+KVvutfSJ8oa7FEhEoFtKZjcjeYfinL3YniPXCguCjHg8MDG5L03g3daKjj2WmaAVLAhJPQx25KHFPjawiibltWEOHcn3lxxSWP4JrLCn2d7UOE0ZJnVUSWMvVtW+6Q2OAZaBJMfaCDNi3Bx5Ayy1MeCxLwwNx7jRff0MmJoyyTn0ZhHuoFTjBsBNy3zu0E7dHe6JMTWLYzfz1+MnvuloyRRmBRzIGytfE/aBRjxBG+vVtukYmfua3wILYXUflpexYF8vGHPq1eoGhIA5E7EwLnuoVfJoNF+aatWNZz7Rupf+SEr/ylOXx4UthAtvGoQ48jWjahY68Uw8bGwrd/6xrEO6cX0GkqEenGRxFUvJXnd+HV1GAe4qb3zCncP7zTJ8ZltumnVALENf/Sq0tQnqwmFgzk6hfdkkersinb6+nK2XKAe7eSAIPl3H8iF/JNfvV+9YCeOahhCB5ScRQUJvC6HYy5ks4CwBZHW51KDR53p+NpwBl+Nk3hANxx2JSRwf/ec411IslqXFiCydW8xf/42/KFAj4OK0MOnqMNm314TCYTfb9j2pi75CpCCQtoe4aAAuFxpRvFgJmBiv4j1RWsPjk89aNDiuXQxY4d5MZz/TS9iYfO+dttLp+VIDU/mMYAxmILE6OUGx2HPsoDYp9ENRSiYAgof3BU7zMCfnsMw/7IJY0ri77JREE9cOw80OrZkcZqG0xJuvqESyHzhftNe8mSfZ078BxwFWrfnBm5a9lCYelpoZLUTg
PF4XAVqP9iP5jqyjyFfhnK6dRgVoTAWH7NEyJ+r/7n9N268a8NVrn/3VFwxFZkFGc8nGQekYq1c1l0vswSfwb/IsSUrrn4ToYh8DnocYgt5m6dBdR76yHKYRXF4Wvx1NsPqhgtO7zfpsniZ73dhi5q+12/eX/b+ka/la8x8cHjb3SLnl+wUbpUEZQ/qZPmYL7nKgVZDeEehaGxYi2Ab0FQgzQN8544dzpBVWj3rJ/HQTnf3iCBw9PDToiByf6uVhSlqRTxINHpQel2bCPSCiq6lSwZmcbT7z6tEl4dMSwPsGdP87Gf04jsGuNzjSurNzEOUm8ndF095umP+cqBcetCRCKMdAX9Ojsufg7jqQ5vF6D7+LdwlcRGADQYrkJ+lELG8tIqYtXK5rbIqly5gapXKtAGrAQoVQxPzS9I5YxiovOsBnoOIhxSaw2tX4CLD+LiYwuVXLldWNUvwOmSZf9Fihuh9Rs2xkV+fQSTz86Da+vWo8f1JP2jL/fl817Kd7aZUhULYidHYhW2xuIcDrEARjhU6+j9Nwxl7wcTv6gFXAIAgcRa8tDlYjY6iwW7ypae6lLitZwJQoH6M2Wa6KqMBAz+qaDTwOTYH93LM4QrBO5tZohVzUJHEgFpqDlol4kUW4xvheonSXhvy1CrSSC7N2dqgL5WCP3Z6xJoA4/gQ4kbUj8ZKnUDXtuHA2ajzZsetjS1wbJJJ6l4ofX04UU2kH9Cjr5shlo5a2pJXQ2ory4CIBstQJvWapJUtNW62MkiJ2prpG4JKQWIE6DR716pRvg+M4ot0ARI9zreys5EV27Zk0phQiTY0DflLr1Ga+mmAVR66IHo3xYpWlmlvYSSqlJ8lBswCWcBPtfNGTdNgPBedRwpTVhkW+BovlAQroZia7DUTS911rmeF4brRmSbeI7zFdb3HVtEaSX2ubCqU7FgtzCCJ0SCqeENa7OOr8hbpigGdKXpnF2EDvBqI+25wFICaFSwr58sCMXHRzNaZSeiGX9La1tmRzo5VQqH+HjMM3C6ZEAwnlnQOC2ACreM+IsKXXjpAIInE5jD8z0cS56P57KP9u94IBUIfxhS/Wc7q2UIHV/oEs3LvmjUY7tMfhdy3cgo5Y+8tofPplI+LmCV2HxX3nN4LI4TomH3Phc90rBNgZbW2d5G4n9jKISdbUMgVyqcQTUruJV7/ECweJXSsDjKpfJpIRyh8czRD+I3Oug9tDUPDDzvIfRup88pUrxYkObRmUkzdvdp5WaM3AQU1/7KTzQsk7KaBE5uPlTUodTvgQqPcpv3CMaYXSW1mWFcfd8i5kGNccH92DdfqZfKN9sgXfq+R8wmj7peGQyyVethWMULBPULOZilusvV3MGaLm2YUmB1JrZiwcJG0v9pdVjY+WWAmsbGY7525ppqOHc3WZwf4/qufLYM6jkWAYflYPvhR7kTENZJNfBcUKgo8BfHBIcjeZBRYeLNOqyqDWcRnAwp5oamHDuvL+0Elthg0Qt/SmwZIVMAbKRPMB9mmckmm6ltskBWAhjqbaU58ZsznTjGKdic8m6CMs2trjdkULW2JOxV2WtyVt7E1lPdQhUt6gDR0tLeyQG7Sq1W+uIEBwmIy/yCZhgeMj4qnSt6tYBqbvGwGgV+B4hpSsNjcz5drbwUZpC5rEgw4xQhAExWjEwKZ8TUcoVRDL3UPYLwHgcLYYmNeQpdNRTA+mZmg46EMI721clQpfign6qvbFoLTaiQL7orOsPwVJkCt2qceI5ZlmyoHuKbaTu9FUaGFYal1d/mCbc5f5gF7fhzcXPMP35TSFXsqzUICOCpN3mKhrrz9gY0NMlM9LR3NB9FavICi4O0CBeodi7r/nt8+H/uZ7i11ut4+4pcBFyYyx4Xxlbta87Wj+rX9LY9aVi2M8h4Tyc7+cGAMpK4Ol0TTFUgw0N6lZ/KJkhOFYnrzacHcHWwlRUM9LHGHPXRL5cH4TAc2hVkka8ApD51shskc4/l9bY6+zWw1u
c83HKMrMq6jv9Q8L38ZnfbrbNjgfl4hIQgmZ6wVlkPAITSE75aw7AQYeENX0dJkWqyjX4fcj5FqnuE506t9NTZxTfmYG+jZiIN1TcqhUFcPY/W2L51FNBw91lZE4ocn2qRqRMFMPeRohfLknhsdj9EP5lpO32kSfzthqumvfXlbO1tWN60szO3rDMmiraxbKdjgBf9gAJWEqijzLKq6qPkbCUVkCxIa54rMIgCe6cHWhUHtrCMld18njoHgWRsyzSJofuu+WuA/KlQWrtiHHjlANTNn7N9BfXKSghTEzG982KOlW6jwW6WXEGi5jK8BiwyCj3ksfYeGmAo1Tq+47NsHXLILVuX8/8SrT9H+bSGB00ZLVLJijEzUA/C+FZgQY3WBjkL2j5SFbKJmqDByr5psczTvnAM+rPwGFr6muIaoR684iOiGzYME2xh+xA/4uR1qQqP2x52/itcC9eNOKKoSr5tf0Ab15f2ituRx9EQfBAeCi/ETIwYDqxG7SvC0NdlwVLqdj9vPC4jm9Hr6HEv7JT398sQPW8OfiqG2HH05FvgRz06MHbjV0lJukBxvqvUY/D6xslevPvu2/b6+WxWdY4IF1EbnZaDEczyhTGJ9YYZIFlFwRm0DFy1aG7feomsJtaAhkImWxyBmd3zdTFS/11Pooeaa0tGqWPCggOH7oFNR8PVmOQaA4tbN1zVx4CohoqcVK+WWzydoE5vXy+lL/u3G0gNFemzW8bbvo5FpOhDDyDNGg9yBESBdZcqYYp8VA99t8xZjJ1pTSedYnRb2BRMbfvfl/i2yU0iAVQ9se8yEgtHut+ML7R8vaKWTvYdjujkPwX6qLA8A69bMgg9W9IizDHDhjDYAgYvbk1gKGhzGm7vdShx4rKlkMczzoScmF5Yqe/9moCkWgCQjentFv7COxIaChW9tiFN3v5SXWXMesAvQVztJ6M6NVnu7OJcjP2K29RMhkmC5j2MqpcZEgid9uonMe+svQypQntB+dYDbMW0lKu+JWAJvrSBhem7ma/oI1gMGCVsKjAirRHTNyJ3mcahtW7e+CVgwiv2zla0AWYYfEBlDyPXIL0tXTckym/xRCDqFEjyYFYAaq++0FfEJX95KPh70XYQN9mOVfHg/d+RkGTEnI65hF7t3qtWY4+7k8Agi/qWx+Xn1DFjHXGyW0OYCFBs8dGJirzZgPPAxLsKX6Jjls8LAVuEG9wjK0DiZhJ4PNHu/PspmnmlyV7FPLsnMh0dwsfn05JFS1gMLKLG84qgGSZJ4AEfysfvBaoGvp685QzkfMW0wAmvLxT8CoXh1lomzJb5jHnTi63/bi8Qs80wqVxF5kWQXkiRtR8RGzCmGWXmI3wigBb6vvFHPIBiTrTDB0yBm4OpVFf96XJ3qmyroIlJhaAFn8NgJc/OsShHhULl2fDwGY87FgYHbt6flQvifCjAYJ4VIUiVES74jKo7puNK3Y09Xbysturh65L1rd3huUS0vHAQsUFNIJm2S2mDstCKfhh9epydke5amsDKUfCgLECYKX2aGsqf7Scf4Az8v9VJWGTAnqmCMVwutGP4alyAYrjfe7eHTPJFYeQ9j3TTjSZXkyRApdPQSWilDOaebaYp9sglrsa5KGo/hNZ0opdSlCudcUSkzh1doUp0ngG7Zm06l1IokRu0la9FwRV0gvsEPlYkt8CBM3bR5vaj++xGJ42sbVUhZfZXxNBExaJT2+vCckCuCrHhVAB45iq5wNuLuMRqiSAee4TaMON1UKyuiAT7S3FrYTih6E0CQKFYW4vLmtLU93rsz4i5PcPBJLEtHLsHZuszadhrDuc1xVukki/M1psc01E/JhiHDp6r4OsjVN/FiGormv9WOLRNoXzye9/8VveFN6Yqd0Hktoi2rQRBx8zedSVzpPt/1dXFRCchHhg6gHVmwSSozECJlMq6zkffgJ80moWVWGRaK1hqANB3LiAFZPex+BQp9hHWzXBvlQ23khLb0s4skypEgr
8La0PmLHUvOF1YBcrffw5b0ln3sUhZikUmQpaz27vn1ghISgul/GGRtwqT2c+6vdxtM6VITIOAB3eB2QZ9dJurJMbc+KTvhFUUJPQt2lrb1oL2xsq/b8XxyObwcxcd/KrMre5uGHC5kxQJ3V6vGUmfmslj6wVrHhIyorXIykX2aqV2BRLBgNFU6BvrqgqbgcI7xRGK14dBv9vpXo7EsGvo9KfxYVM/B+KEi//bAX267dG1GyCnVD1sXKqOXRSq2xTWv1FHsKl8wTLQLwzE8octhr0Ni/diLJrDpSH2c/pfoykwJJi+jc0UDC42ct5T7HzXY882P+7zfCoLXrJScwlOqCfC532zwJ8qx1vF7GqxR7Yzlxie/66Uv8lLtmbQ0s/+nb/C2k0VJmGTEgr8Bqf85LPb/njnCtUbqgy4zCIWAEsQx5P1E1d39throSo9QxnRG443dDh8wgUQrdwyBTgWTk+mME6VnLprMmogLh1Wt52X7yT3Prr/VSH9HUGJ2vigD0XEMCk/F2Dghi+eTZ55n9w4DLWkIoYKYAII0UHh4zlI3lgkUkXUjYWFZalu/PyUnjPDDzqwagkWiFxOLBLDqZ75yjwHbXIcvvxPlJ6+cONuJ+pCbgQ+hzNotPhgVNUVt0aGPppcmKaCH0NlYVZlrSPXkQkfEtvvIPohAjoP7B2U7nIGv3Rddi2RteArp7ZLDrXVRyazCMvNCU0DmD99hxtOpBeXI0nKq9i8AvQGGWE4jxgKg2qqHa4VMkNMmrc8ynoAZpEv8WGRvqNZLsGHsonjF/zS7wjIzyHox46MyaJs+oQxBQRVDwpC2DLRB6WqNLIA7Nb2egAsMOoH48su8zMs9I+Ed+uFRdiRsXRU2To7ndCYmH37VA0u/TVKdAIiAjbXf6IIX9d948NOFrRo6OQJ3ElkcCezYI1DfTeG4rjQMkpKjvzSj8eaVNUbGIZDmiXoTGS0Wa87zdC7tPAKkr3KfwCCO97zS6LAFn4gNg2p7AIrguV1XGN6UURjSPkZ36HOWwNXLres+ANpuu2u+jK35J13fJBa1YtuuqBOWITG/ADluTCcRE+clo8wGHhpnIycGBuF8nTd0jGUcpfCi5BWkxX588yWNVA+II3ustr6HSr9Ds4t6cTeZKJP40C4g3npQjsvOELrTolXIbuPaATOXCgHWeHX4pZKPb8dYVKBXVKV7kaWYBPB5Cp0q0dPoHm/LCjFqelX+dn1PneMaNwzKTeH4kY87+hrWc/4fgVDA6VkGMxy3zh/djBhdeo7re3MHyukGfIOm31/T9Qbb26RYUDKSnZrsWfljjTwtgThfwuRaR/9EVJMvVZMHRXRXu455m+yWjaBFReSORdYjCcz3Zx0i5C1GZ50ug02j3vJHTdAVcaZQj8cEwWU6C6aDvQS4qX1zz90ClvMfpqsZ9yLdRucXABPoWgPT3rLwJh9P6auuuvBl9rLn6TQTeNEqDxCf9Vrcc7Jpg8piGlYvm0WPQFHrXxnivTKXdtXxPgKb2JXs/Eo37lXM1IX1wWIzf62EJe/Wmd7wvJqAKFAQeM/2BJHSkt9NlJsQTNpWoJp+ZhL8IRr7BvU0pMavFD1a6kYHI2CSfJ3wwKIWg8qvAR0PdnsskwvOXP6fV6QgwJvU5bUWfHCTpHXRic4y3uA5r9Fthrc9xhpsn3yElstUznYJlagYO9jbMbDcCzOJmhQMGObgAUx4TvIFfTAgAr6kv6Mybeg1SFjNPB8eMnknmoVcLzCyB22pp6TzIuoZLK8B7GkTJ89zatrqx0b+0flGCjGnUdwKPci/WQgrICz+hstLCJGMdAtNsFaxCVGwy0o5yXZWYfbh+y83pvnJdtXHiUXxRlyP1TQQOZQUem90Y86Wm5E7XpaLhZONtU3AXv2/LFO4fi0RJV96woAfxXZfTfuRVGk2wCyCDFjD6K+a9wGL+16JBGfcKIncoUKpWOomt8iDzQZoCU1B4P9ZnNLHruBzzMtf9aQD3
BNGjwsIbwB0LuM6opI9/nwgU3Fbt/cZqerPYCV6WxFAF81UHFMoquH+TZHxDuqa4NldMvy2SxnDkf+51JTCHMaolZwjJlaNONT3zUDwoDNyBrkizjvkVFUiv485scgeUYS4jPOr14FmSV1lXjJbAJ8tzc7RcAU/krIUlUs137Yi9zEyVYUOa+sH++z7mlUVOobu0a3/NTcYTCVF/alCuGoWPBfGR4N26KOZnGLHBWLf5VS9nkzQHV7L04ttiITUmiiqbc9SvqSsAEjhf1sF2CsCWurRGLIO6/o5PUlcocn+N7v29Po6rXP+ibymamHYnz+Fym5rJwEGWzlXIT2Jmp1JVN8pITmBX4khC8wm/t50YxfKPcVgHQnCRA+8cfTY8LCm2qUmUFZPG3JTsAPdIdw5ipqMZQPHtWNavAYwORjj7Zo9u6JSDS7MuMqCwzUpSPGdujbJncFDvtUT+RBGDPcBJiyIWZh8rj3IGdHf/HYzU3oTLNOAUCMqTQWgBqYBZc8881XfYUFe43uSKoXklW4T9kZDivuMYd4pvnAOQVvv1g/cuVYvLUpsAfeofqoYgK+HoBRANxa4m4hV0bcxM73PNryYwe86zEV3Anx38qxZzSUrC/vwjLPQpRaTEnGBq7CicKyGs4/iSBXJcrBm6LmCUVN6xINEFughq/o7WUKTFFo8z9ylWUsKjYCGNbFpL2RVUlSg6UW0OMgGCDA06gSkp+DXeZRF/i8Vje4jFN2Xx5c/cAzTMYqnkKMAEbAUXIx2m4MSQp5eqOs2s3DJamTE5aCmWBXRKao1/tr+ypajbH7FDQFcjwegOrQVPllDVDzvsEWEVaXIDdzdCxQeTGniGV4pkXIiVWd1Piv4TIkXEqRSVwIlINjfy3FFrM26sbt6b/GceHTayWqRlo0z1JFO0BO/bkpBPrdz/PYjbg9E4z/m1DaeQCTj4zaCPqNjaskWmCYlfP0VITFQD4Wx4v3UjUPMy5Vfff33FiTXTXk7qvZQ5kpAbOwW28nWU1cSnc3jfzJ6Aa53mNXi1nngu+jjf+8nxTdRkkEI9xJHwmKhT3oVoRDiBq5t7mVNmrFFf6bAI19k+NJwzd/b8dR9nUvt4ecad9UaYpbArJV7aQCUBWKU84xa3vT+2KvmG43Wb+PbMBojIrPzJsTew4QAHip1Ojybb4fOXPkbj5CgvZqLmtBaFcSfoO5AVlvQDfQgZRbFbbI78FIH8fsbNRQrjWJDM5gin2Ha4pNj3cOmdf2tDSalJ29H6EgDYnTrMY7CapjGMndv/usb8Ze/5063WlB97DYLGvfga6X1faY69IJCS/sv+p38mUH6gbwg6/D+ZayhJPfm8qQFXYxDeXIu5hCzJy4wEuyeIgFTXzOmBebxHE956SsV/wXVwlZ1p3+UMBqBE08LFUx4jz0vtXbn7TyXR6yDQI83uZOaDcnPrMGfYwdaWTeOWrySTCZKAAgP/H7zmgSWB3p0o4Igr3NXyzPn/B0d8957AQDwGKgqZt/8Qk2+wBleA/gj2R7OLIPgFKW3VIDe4nMaEg8ulOwx4X9M0cq7H9WB+XSoshFu6I4neDwTC9dn0zYFr0IRylO1au4TTzj1Ge2MRMz4AWe9VdpdoBU5l4ddkbSecSzg9yT3GbgV3L4mC7o+o/XLHRwRbbQjibgxmpDHd4tZ/yWItklAOWj9znYbh3xln0PhX+QcaGWpKRixwPr7uI3lvA9Tqwsr/y4PbUq44JiAJlPOiYMjNH/b2fQ7SrcjO9FQMYW7866czkyEQMBrTyHz9cnTXdBQDImHqCpCHfHTqjWys946eYLiXqgDc6aNFWC5TKue7mCDr/ZmXdRik3EBoeFTggxYvJs2lAAH42P3FG/W9b3A5+lM6moo1Iq7yG7oQWdagH34rlVDvUd88fBu5TSjZFobMpxWHyTdzdzKuWQ33tQ7wWxOMnCvft0vo/lRIykH/rcxpWZ+3vpYUlFJ0kMQHJLOh+zuiFvHlHVoX
9mULeG6bvlmYjeB0rRbOxJyLmDM7PVUjeFTCPbH4hnAEdX+xeyf6c5fUUIZSHjxEkQ53K+Rhg1Ya6qFR1aLuCaGVrKCr0cqAP5S1WXnH0vfi4ApJw20nVkHl4F/p8GLBMMVWzdAs1skL4U0No61vmcN7+LD0whNoAhgA4vrxp7w/8SC8Jh7J1/BFVjBC7AL8R6aQlwmYdPr1oHaKGcde93z604cQ9Vv0jN4rJVHWluKQvh6zfRU4ixJskX6f+iAC+EdOGS4DSjUAi4Y7hSJmWdTcf3/ZgiqU71Cywm9QwN1sEhklyJMvpGe1HI1VvBNw855N2uSF/aqQPUMw660hDYXZSIxUEqVE1OgBjbZTBxj0qs+2icVGywcuhOOpjrSBSMS51G5iBPQi3szNpwZbnfQ35xMCywKv6sG3SJpu4LBm87l0nE6ImtyGXaSNfE4mEJNazUYPWpSDW37oTOTeA2yl5MxrntLjgejXeAA1jCTdlQcPrG0JYFYIJpt2qNRctoK3YCdaCdC1wvn0zOzklJbjzNkVSIH4ZhbOWev5zMwE9Dkjc+1+8/d9IB3/Lt9NpsSmu5bq8jRKvxHYru6NLrIxSntiTwDIkDPRhKzaXVSSyYXIcY+ygmo0T6twJx/uqOt+xL0pOHJIibHW9F+pZ3jfcOUPegIaF4hRnnMebBPY1+N8vmCgygNGR6DEroRIowrwsjD9bT2nX96uT7KIaBoGQbgc5TjgxHLxjaZk03Z8wHNbEhYrnaedRvfLI9OmH8MtUvKlU37EYYqxGFVVZXmVowOUZxjBCoHwBOB2lExztoYEwcBUqT115oMdV0LM7UzbYFr1HDhGjogw6Qzlj81DDVtpLeW5UAUOYQlxlBeWT5B8eujvu0wWk8DzCeLIC3+awtRaYeSi2AoRVtWjT2RKWUf4yz6jdHxAAjadXGwoT4E50JPKsUJ6ln74ox6KTP7CzGOprRHE07SDPfu6vZHXQ67rTC4Xyk8KzoKtFCtztKtmEKP711gmojMKjoVWmYc/Y0jS6OC7px2V71IS1gDkNS3PIPhJnWjlV/pixafGeMcU5vq2kbyevNp2DCykUuvsS6JacUzSrk90M0PDWjWkSj1+/BBOeY+cH6plAwhIK7lSpEUQiJqC8LssKzXqnLsL2y76HNZ7dil7K8chKcve2qCEnbZpdxD6g8+UNRR7GtuhCSZYbK/YwJPXaeyazCAiO3gCzzn+udGO8BMakt8kegYEYWi7sjMZMnEsGSlcLNkGXcakieSTauTWhqTx784JInNk+mZO00iKZuZ8V1RXCIA75CAcWgR3Vd/rU4GQII2YMBrqVbb4pJQQlVSU8Vc9mLWg6NupzbXZ+GmqwxpO77F9HnTRDceMoDWb32QCZJJhwFVa2DDcTID32aA92Jzopibu9AZtkwt3MbPf26UFMAFy6YoUiiFsLy6VaAYsMHq74z7i7PmpCrOQQzeWWRCwwKsWnJItX0KYh4V7rJTkjsWqcx4du4u/LQ/tm0PQQ/d0k/F+kmHs1KxAf6j/cmyCY3jHBlayvXYVjuvPMO5d3xNjrwNn2Bk1J1HJ4yyqxd8sLQxslHN4uTTGCAMfUYrPpVpQWe/YnXrIqTVK1jd7ONUgK0PQUyiCoQy55ocWyg48piU7nmJtapAP6gfdEtMhKkycTE1PN9Je0c426SOxJRln5rwCeEmFVsilva2hzDEfHfFYAg0zMBOlzqbSPUupsOUncMSY/rZ0rqjvFBCbgFE1bSGSlFe2s6dcu76+dL+yIAfc/NRrQHA/D/ojXhDIX7gpyGN5woQK5jHLRaiLIo7EvoxxUrK6hoSmcobpXc2O1KUvCnP0AncVgAjx/y+1knToBvcL+FuvJTxccdi4xrHiusxErWfarIzeddoWaat0M9TPA==,iv:AYEckKs2yMOpkbSZb870rteeLghL+sVxbw48mRkdCtI=,tag:P/u5fv9+OHKFK6Iz8r0fIw==,type:str] 
+kind: Secret +metadata: + creationTimestamp: null + name: monitoring-prometheus-config +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: + - vault_address: https://vault.ha.soeren.cloud + engine_path: transit/sops_kubernetes + key_name: svc-ez + created_at: "2024-09-11T11:20:32Z" + enc: vault:v1:cB+crwGyFJB7zjDmaMBTYAgebhPw/VM7QdCjmwhnCgDDm5K+1qFCivm43Gy/4B5nw6mvfgmzfshx5RZr + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRlBhb01iR04vbHpseVg1 + Tm1hYm14TzgxRmZ5WjMxK3hKc3BZYTREQkJvCkxOb2cwOXN5VVdSY1g5S3lGajV2 + QUloS09xUC9xdkYxcEZsL3M4c09uU1kKLS0tIGFEdTY3NGt1bDRmWWVxa3Zja0pZ + N1lBTEIzSnlwUXp4eWVXL1Y3L2hOVVUKejCfXqLBpShZPwcP3C8BnRPJWJS1PEnZ + PaAeQ3tBQlGZ0c74hGq4rIxeEf8pxe/firDQdBv0B/3AXXnvY3/nFA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-11T11:20:33Z" + mac: ENC[AES256_GCM,data:nER0TvaYLB4GcrENcs9I7YlIf7NoHAD3SXRoC6VCfUnj5j6uJLTO2Sd259AmFOB/9TYbw45c3/+ALEHrubV/3XzUcs/Q2z6vJYBv/iC3Z4H4wJHeKpDwarBnEkLH9WOMowI7/cGJiaaUSXuwsN+4WOI9YIh3F8Nh6hhjjcUmvcs=,iv:oGF8cOt1HR2ZWl6mS+hDsa/2EwE/siJZuGHmI/71Sak=,tag:pl0A7c4l+jUjtPlThVue+Q==,type:str] + pgp: + - created_at: "2024-09-11T11:20:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+/EGAve9YBkAQ/+KIqt3qQV0tHifKrmpLrMu2Fe8ixa3eZA2RMw4Wcb3f3s + 7ytVQWDsXSL2YUKFHMz2VWIa4BsBf1sAw6iuaiNuN0zpcWUiwVauXETtPDOMdaTX + +foEpyICDDVKBxbyySckWcOttkvFdg2lr/S97vog6VjpEtEKVt8QqWb1160+pm2p + cWU6QV7O7xb/TmnSLCXp+8IcqZ0XuZ5Lv/3vuemQHaJcXzOTXHR2X396Yismk+Fo + i5iYLfJpbYG+OOX6mQIZlNgPz1tUjuKCI08FytVBlCm/3I3zcqgzsT8j9vr+SAoW + kGxabcDgxNtVBlw8tV00oY4AxV4rrBpkifm3bVdGznZtmpzFPeAzD7bXjLK0jTEA + KjanPMzxvId2D3tPurl2nzu04Jj23NcKibfXActEA3QovC88dbcEkzaAyWiwIR7P + DwrfOcv+g1ERY0oL4m9vIqgGnpp0y8cNXJAyOxq6u2G54JwBsNR94tHIF+03GC7e + OqgtqA0YuuWAY1nUyPygx2G+3mWq9GO/e6gZ/I6Uffn1rBr4pwPefJszQ1EWausy + /seYMimAaoG8jvefp2P0rLLrRkq5W4aAeMo9j4vYcrVAKzCT5rnrmMetBMXzEccK + 
S9TjaXQU6s+jUwDka3Sm6NcAxilWGkUZa1pMavt7yGwYhfycjDqGfVR+UKq+KmHS + XgEhmbDmmZ+qVbVg3Q9iejDh1VGvmgyN5zhQGtwfr2pNnnO5+9vxluO8/cTWK6L4 + iBrhTh/bVSN0MoYTCPwJ67qIGo4jlTmPa2Od42nqTPkWnYbighbAluEqVpPBgTo= + =G7Ee + -----END PGP MESSAGE----- + fp: 875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637 + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/clusters/svc.ez.soeren.cloud/monitoring/prometheus/upsert-secret-prometheus-config.sh b/clusters/svc.ez.soeren.cloud/monitoring/prometheus/upsert-secret-prometheus-config.sh new file mode 120000 index 0000000..fc600b7 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/prometheus/upsert-secret-prometheus-config.sh @@ -0,0 +1 @@ +../../../../apps/monitoring/prometheus/components/config/upsert-secret-prometheus-config.sh \ No newline at end of file diff --git a/clusters/svc.ez.soeren.cloud/monitoring/prometheus/upsert-secrets.sh b/clusters/svc.ez.soeren.cloud/monitoring/prometheus/upsert-secrets.sh new file mode 100755 index 0000000..c7a36d7 --- /dev/null +++ b/clusters/svc.ez.soeren.cloud/monitoring/prometheus/upsert-secrets.sh 
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -eu
+
+SECRET_NAME="oauth2-proxy"
+SECRET_FILE_NAME="sops-secret-${SECRET_NAME}.yaml"
+echo "Upserting secret ${SECRET_NAME}"
+
+OAUTH2_PROXY_CLIENT_ID="prometheus"
+TF_VALUE=$(terraform -chdir=../../../../../tf-keycloak output -json clients | jq -r '.["'"${OAUTH2_PROXY_CLIENT_ID}"'"]')
+OAUTH2_PROXY_CLIENT_SECRET=$(echo "$TF_VALUE" | jq -r '.client_secret')
+OAUTH2_PROXY_COOKIE_SECRET="$(openssl rand -base64 32 | tr -- '+/' '-_')"
+OAUTH2_PROXY_EMAIL_DOMAINS="*"
+
+kubectl create secret generic "${SECRET_NAME}" \
+ --from-literal=OAUTH2_PROXY_COOKIE_SECRET="${OAUTH2_PROXY_COOKIE_SECRET}" \
+ --from-literal=OAUTH2_PROXY_CLIENT_ID="${OAUTH2_PROXY_CLIENT_ID}" \
+ --from-literal=OAUTH2_PROXY_CLIENT_SECRET="${OAUTH2_PROXY_CLIENT_SECRET}" \
+ --from-literal=OAUTH2_PROXY_EMAIL_DOMAINS="${OAUTH2_PROXY_EMAIL_DOMAINS}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${SECRET_FILE_NAME}" /dev/stdin
\ No newline at end of file
diff --git a/clusters/svc.ez.soeren.cloud/monitoring/pushgateway/kustomization.yaml b/clusters/svc.ez.soeren.cloud/monitoring/pushgateway/kustomization.yaml
new file mode 100644
index 0000000..ded268c
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/monitoring/pushgateway/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - ../../../../apps/monitoring/pushgateway
+components:
+ - ../../../../apps/monitoring/pushgateway/components/reverse-proxy
diff --git a/clusters/svc.ez.soeren.cloud/monitoring/vmalert/kustomization.yaml b/clusters/svc.ez.soeren.cloud/monitoring/vmalert/kustomization.yaml
new file mode 100644
index 0000000..5bceaa3
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/monitoring/vmalert/kustomization.yaml
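Review bot: The Terraform lookup on the `TF_VALUE=` line has no failure path: if the `clients` output has no `prometheus` entry, `jq -r` prints the literal string `null`, the following `jq -r '.client_secret'` prints `null` again, and because nothing exits non-zero the script encrypts `OAUTH2_PROXY_CLIENT_SECRET=null` into the sops file. Add a guard right after that assignment, e.g. `[ -n "${OAUTH2_PROXY_CLIENT_SECRET}" ] && [ "${OAUTH2_PROXY_CLIENT_SECRET}" != "null" ] || { echo "no client_secret for ${OAUTH2_PROXY_CLIENT_ID}" >&2; exit 1; }`. `OAUTH2_PROXY_EMAIL_DOMAINS="*"` admits every account the identity provider will authenticate, so it deserves a comment stating that this is the intended authorization boundary for Prometheus, or a narrower domain if it is not. The repeated `-e` on the `sops` invocation is harmless and can be dropped.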
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - ../../../../apps/monitoring/vmalert
+components:
+ - ../../../../apps/monitoring/vmalert/components/tls-client-cert
+ - ../../../../apps/monitoring/vmalert/components/initcontainer-seed-rules
+patches:
+ - target:
+ kind: Deployment
+ name: vmalert
+ patch: |
+ - op: add
+ path: "/spec/template/spec/containers/0/args"
+ value:
+ - "-notifier.url=http://alertmanager"
+ - "-datasource.url=http://prometheus"
+ - "-rule=/rules/*.rules"
diff --git a/clusters/svc.ez.soeren.cloud/mosquitto/kustomization.yaml b/clusters/svc.ez.soeren.cloud/mosquitto/kustomization.yaml
new file mode 100644
index 0000000..837eb46
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/mosquitto/kustomization.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mosquitto
+resources:
+ - ../../../apps/mosquitto
+ - namespace.yaml
+components:
+ - ../../../apps/mosquitto/components/istio
+ - ../../../apps/mosquitto/components/tls
+patches:
+ - target:
+ kind: VirtualService
+ name: mosquitto
+ patch: |-
+ - op: replace
+ path: "/spec/hosts"
+ value:
+ - "mosquitto.svc.ez.soeren.cloud"
+ - target:
+ kind: Certificate
+ name: mosquitto
+ patch: |-
+ - op: replace
+ path: "/spec/commonName"
+ value: "mosquitto.svc.ez.soeren.cloud"
+ - op: replace
+ path: "/spec/dnsNames"
+ value:
+ - "mosquitto.svc.ez.soeren.cloud"
diff --git a/clusters/svc.ez.soeren.cloud/mosquitto/namespace.yaml b/clusters/svc.ez.soeren.cloud/mosquitto/namespace.yaml
new file mode 100644
index 0000000..e63491b
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/mosquitto/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: mosquitto
+ labels:
+ name: mosquitto
diff --git a/clusters/svc.ez.soeren.cloud/rabbitmq/20-cluster.conf b/clusters/svc.ez.soeren.cloud/rabbitmq/20-cluster.conf
new file mode 100644
index 0000000..b356a86
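Review bot: The args patch points `-notifier.url` and `-datasource.url` at plain `http://alertmanager` and `http://prometheus` while the same kustomization composes the `tls-client-cert` component, so whatever client certificate that component mounts is not presented on these two connections unless vmalert is told to use it somewhere outside this hunk (the component itself is not visible here). If the cleartext in-cluster URLs are intentional, for example because an Istio sidecar handles mTLS for these pods, a one-line comment above `patches:` saying so would stop the next reader from asking; otherwise switch them to `https://` and add the matching `-datasource.tlsCertFile`/`-datasource.tlsKeyFile` (and `-notifier.*`) flags so the mounted certificate is actually used.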
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/rabbitmq/20-cluster.conf
@@ -0,0 +1,2 @@
+cluster_formation.peer_discovery_backend = classic_config
+cluster_formation.classic_config.nodes.1 = rabbit@rabbitmq.svc.dd.soeren.cloud
diff --git a/clusters/svc.ez.soeren.cloud/rabbitmq/kustomization.yaml b/clusters/svc.ez.soeren.cloud/rabbitmq/kustomization.yaml
new file mode 100644
index 0000000..f4c9211
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/rabbitmq/kustomization.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+namespace: "rabbitmq"
+resources:
+ - "../../../apps/rabbitmq"
+ - "namespace.yaml"
+components:
+ - "../../../apps/rabbitmq/components/istio"
+ - "../../../apps/rabbitmq/components/istio-proxy"
+ - "../../../apps/rabbitmq/components/tls-server-cert"
+patches:
+ - target:
+ kind: "VirtualService"
+ name: "rabbitmq"
+ patch: |-
+ - op: "replace"
+ path: "/spec/hosts"
+ value:
+ - "rabbitmq.svc.ez.soeren.cloud"
+ - target:
+ kind: "Certificate"
+ name: "rabbitmq"
+ patch: |-
+ - op: "replace"
+ path: "/spec/commonName"
+ value: "rabbitmq.svc.ez.soeren.cloud"
+ - op: "replace"
+ path: "/spec/dnsNames"
+ value:
+ - "rabbitmq.svc.ez.soeren.cloud"
+configMapGenerator:
+ - name: "rabbitmq-conf"
+ behavior: "merge"
+ files:
+ - "20-cluster.conf"
diff --git a/clusters/svc.ez.soeren.cloud/rabbitmq/namespace.yaml b/clusters/svc.ez.soeren.cloud/rabbitmq/namespace.yaml
new file mode 100644
index 0000000..ec56aeb
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/rabbitmq/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: "Namespace"
+apiVersion: "v1"
+metadata:
+ name: "rabbitmq"
+ labels:
+ name: "rabbitmq"
diff --git a/clusters/svc.ez.soeren.cloud/reloader/kustomization.yaml b/clusters/svc.ez.soeren.cloud/reloader/kustomization.yaml
new file mode 100644
index 0000000..7c04773
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/reloader/kustomization.yaml
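Review bot: This overlay belongs to `svc.ez.soeren.cloud`, yet `cluster_formation.classic_config.nodes.1` names `rabbit@rabbitmq.svc.dd.soeren.cloud`, a node in a different cluster, and nothing in the file says whether that is deliberate. If a cross-site RabbitMQ cluster is the intent, document it here, because classic peer discovery requires both nodes to share the Erlang cookie and reach each other on the distribution ports, and inter-node distribution is not encrypted unless explicitly configured for TLS; the accompanying kustomization only composes `istio`, `istio-proxy` and `tls-server-cert`, which does not show how that link is protected. Add something like `# clustered with the dd site on purpose; inter-node traffic is protected by <mechanism>` above the node entry, or confirm the hostname is not a copy-paste from the dd overlay.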
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: reloader
+resources:
+ - ../../../apps/reloader
+ - namespace.yaml
diff --git a/clusters/svc.ez.soeren.cloud/reloader/namespace.yaml b/clusters/svc.ez.soeren.cloud/reloader/namespace.yaml
new file mode 100644
index 0000000..0ea8932
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/reloader/namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ creationTimestamp: null
+ name: reloader
+spec: {}
+status: {}
diff --git a/clusters/svc.ez.soeren.cloud/renovatebot/kustomization.yaml b/clusters/svc.ez.soeren.cloud/renovatebot/kustomization.yaml
new file mode 100644
index 0000000..744a27c
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/renovatebot/kustomization.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: renovate
+resources:
+ - ../../common/renovatebot
+ - sops-secret-renovate.yaml
+patches:
+ - target:
+ kind: CronJob
+ name: renovate-github
+ patch: |-
+ - op: add
+ path: /spec/timeZone
+ value: "Europe/Berlin"
+ - op: replace
+ path: /spec/schedule
+ value: "0 1 * * *"
+ - target:
+ kind: CronJob
+ name: renovate-gitlab
+ patch: |-
+ - op: add
+ path: /spec/timeZone
+ value: "Europe/Berlin"
+ - op: replace
+ path: /spec/schedule
+ value: "0 10 * * *"
diff --git a/clusters/svc.ez.soeren.cloud/renovatebot/sops-secret-renovate.yaml b/clusters/svc.ez.soeren.cloud/renovatebot/sops-secret-renovate.yaml
new file mode 100644
index 0000000..a6c7e00
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/renovatebot/sops-secret-renovate.yaml
@@ -0,0 +1,30 @@ +--- +apiVersion: v1 +data: + RENOVATE_HOST_RULES: ENC[AES256_GCM,data:p3iNegJzIe7kS2cihfKxLK11eHxGeiPzk7DpkUerA7mgXZGTCRHekWR0x03UR1xuFyMiCGX7mP6Bol/Wfw2Lsb+3ngzhYn5NEH5mX7GKEannegBDmwQnjGPGWsp6P6HNIlVRsG9Sy6zoPYkUAFy2H/5QrxhWRjUJB8C7YX641jYApKUT6kjEoNNlbmITNkgH1Um+5UKl+r+YEAQNpc2YaZH5JWZPUHWHzocUsLNxzhQ=,iv:OforCr7pd9VXrcM6DDCWzLDH/t7YkOQczkVJC2md6ac=,tag:wZtV8YR08E0yrAHMz0TTxg==,type:str] + github-token: ENC[AES256_GCM,data:GKwz5fRdcu2cU22XDN/ww8+YD0e8JDzBUQmZLeEuIf+9M9vpQ2dGGbTPwBnDGqUwB+rhz4o43gU=,iv:KGxO7XbIYDqDYySAWDWfKEvh7ypz9GuOW+wj/iPp+No=,tag:K3teENBfcXm7rsXFmnx50A==,type:str] + gitlab-token: ENC[AES256_GCM,data:ktI023bsXueN6d8NEY+qpm5SDNUFk+eItSSbdmu1DFxKe0jo,iv:NKdkNNwXXykma4hnO2vPXIiTNY+EQe3vAS00xFkDXME=,tag:DmiriuedJu4wmQrBqXqWQA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: tokens +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1yp9962dq7huq2xpwxyyrpd9p9q7g2rkwudu0h709h4w6jxz8r5zqsx3rzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIUkhjWVpLTVIzaTFPL0Fr + OTdDY3dxbkphWHBaV2lPSnlkM0grdmY5eUFZCjVYUzZXaW5rcWpreFpGNGV6bkRT + RGdISmEvNTBlQnhQaVJlaXhGZzlhcUkKLS0tIHE0bzh3dUhzditEZTAvVlRCODFH + Y0FnU2lsRGxSck5LZzA4dGpwcmVRY3cKnGNNxOGhHShlwEaafIshQW08O0Zg/JWw + MF1pbKsvg/y9jy8wKzRHi+QsYjdOoY53+frQLIuklroBlyxFseNGPA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-29T23:48:47Z" + mac: ENC[AES256_GCM,data:CRS5xAj+2QdqAPqZlMeDnG/bihpV/ek3Y40B44aBpFiMnyuI7ASDw/Dj+mElLQG6c7gRNISup5DUYPAezl8HrnUWyfP0/QCOf2aDOtF3Xuyvss2f47TzftPXy8iRV4N9u5+HUANOi7CwcksS/RIAj/uIT9lVghCzV4YqM8k6cog=,iv:TiPmA647o9/csuVnZzmjYV1YqZVy2ZSIJyunrnEJM9A=,tag:CPbCtXACMQJaBWk2WfsZdA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.ez.soeren.cloud/synapse/config.yaml b/clusters/svc.ez.soeren.cloud/synapse/config.yaml new file mode 100644 index 0000000..3d72a00 --- /dev/null 
+++ b/clusters/svc.ez.soeren.cloud/synapse/config.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: synapse-config
+ namespace: synapse
+data:
+ homeserver.yaml: |
+ server_name: "your-synapse-server.com"
+ metrics_port: 9092
+ # Add other configuration options as needed
diff --git a/clusters/svc.ez.soeren.cloud/synapse/kustomization.yaml b/clusters/svc.ez.soeren.cloud/synapse/kustomization.yaml
new file mode 100644
index 0000000..b83f378
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/synapse/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: synapse
+resources:
+ - ../../../apps/synapse
+ - namespace.yaml
+ - virtualservice.yaml
+ - config.yaml
diff --git a/clusters/svc.ez.soeren.cloud/synapse/namespace.yaml b/clusters/svc.ez.soeren.cloud/synapse/namespace.yaml
new file mode 100644
index 0000000..a1f74db
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/synapse/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: synapse
+ labels:
+ name: synapse
diff --git a/clusters/svc.ez.soeren.cloud/synapse/virtualservice.yaml b/clusters/svc.ez.soeren.cloud/synapse/virtualservice.yaml
new file mode 100644
index 0000000..f80a0d6
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/synapse/virtualservice.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: synapse
+ namespace: synapse
+spec:
+ hosts:
+ - synapse.svc.ez.soeren.cloud
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: synapse.synapse.svc.cluster.local
+ port:
+ number: 8008
diff --git a/clusters/svc.ez.soeren.cloud/vcr/kustomization.yaml b/clusters/svc.ez.soeren.cloud/vcr/kustomization.yaml
new file mode 100644
index 0000000..8015159
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/vcr/kustomization.yaml
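Review bot: `server_name: "your-synapse-server.com"` is a template placeholder, and the kustomization in this same commit lists `config.yaml` under `resources:`, so it is deployed as the real ConfigMap; Synapse bakes `server_name` into every user and room ID, so an instance first started with this value cannot later be renamed without discarding its database. Either set the intended name before this lands (the VirtualService in the same commit routes `synapse.svc.ez.soeren.cloud`, which may or may not be the Matrix server name you want) or drop `config.yaml` from the kustomization until the file is filled in. Replace the trailing `# Add other configuration options as needed` with a note on where the remaining homeserver settings actually come from, since a two-key `homeserver.yaml` will not start a usable server on its own. The hard-coded `namespace: synapse` is redundant with the kustomization's `namespace:` and can go.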
@@ -0,0 +1,25 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: vcr
+resources:
+ - pv.yaml
+ - namespace.yaml
+ - ../../common/vcr
+patches:
+ - target:
+ kind: VirtualService
+ name: vcr
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - vcr.svc.ez.soeren.cloud
+ - target:
+ kind: VirtualService
+ name: metube
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - metube.svc.ez.soeren.cloud
diff --git a/clusters/svc.ez.soeren.cloud/vcr/namespace.yaml b/clusters/svc.ez.soeren.cloud/vcr/namespace.yaml
new file mode 100644
index 0000000..9042687
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/vcr/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: vcr
+ labels:
+ name: vcr
diff --git a/clusters/svc.ez.soeren.cloud/vcr/pv.yaml b/clusters/svc.ez.soeren.cloud/vcr/pv.yaml
new file mode 100644
index 0000000..b6ecab3
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/vcr/pv.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: "v1"
+kind: "PersistentVolume"
+metadata:
+ name: "vcr"
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ capacity:
+ storage: "10Gi"
+ storageClassName: "local-storage"
+ claimRef:
+ namespace: "vcr"
+ name: "vcr"
+ local:
+ path: "/mnt/k8s/vcr"
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/hostname"
+ operator: "In"
+ values:
+ - "k8s.ez.soeren.cloud"
diff --git a/clusters/svc.ez.soeren.cloud/vector/kustomization.yaml b/clusters/svc.ez.soeren.cloud/vector/kustomization.yaml
new file mode 100644
index 0000000..61fcc0d
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/vector/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: vector
+resources:
+ - ../../../apps/vector
+ - namespace.yaml
+configMapGenerator:
+ - name: vector-config
+ behavior: merge
+ files:
+ - sinks.yaml
diff --git a/clusters/svc.ez.soeren.cloud/vector/namespace.yaml b/clusters/svc.ez.soeren.cloud/vector/namespace.yaml
new file mode 100644
index 0000000..99acb20
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/vector/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vector
diff --git a/clusters/svc.ez.soeren.cloud/vector/sinks.yaml b/clusters/svc.ez.soeren.cloud/vector/sinks.yaml
new file mode 100644
index 0000000..fa2578b
--- /dev/null
+++ b/clusters/svc.ez.soeren.cloud/vector/sinks.yaml
@@ -0,0 +1,18 @@
+---
+sinks:
+ prom_exporter:
+ type: "prometheus_exporter"
+ inputs: ["host_metrics", "internal_metrics"]
+ address: "0.0.0.0:9090"
+ loki:
+ type: "loki"
+ inputs: ["k8s"]
+ encoding:
+ codec: "json"
+ endpoint: "http://loki.loki:3100"
+ out_of_order_action: "accept"
+ tenant_id: "soeren"
+ labels:
+ datacenter: "ez"
+ cluster: "svc.ez.soeren.cloud"
+ app: "{{ .app }}"
diff --git a/clusters/svc.pt.soeren.cloud/.sops.yaml b/clusters/svc.pt.soeren.cloud/.sops.yaml
new file mode 100644
index 0000000..e8cccad
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/.sops.yaml
@@ -0,0 +1,5 @@
+---
+creation_rules:
+ - age: "age17e2d0c5aeavmpfahyzwrsm76ujla9flv7wdn7u5ssc3wqznw7p9seecsd2"
+ pgp: "875FB36D1EE07C0DF7D5E0DA5ADFB1F470E97637"
+ hc_vault_transit_uri: "https://vault.ha.soeren.cloud/v1/transit/sops_kubernetes/keys/svc-pt"
diff --git a/clusters/svc.pt.soeren.cloud/acmevault/kustomization.yaml b/clusters/svc.pt.soeren.cloud/acmevault/kustomization.yaml
new file mode 100644
index 0000000..b188333
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/acmevault/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: acmevault
+resources:
+ - namespace.yaml
+ - ../../common/acmevault
+patches:
+ - target:
+ kind: Deployment
+ name: acmevault
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: ACMEVAULT_VAULT_K8S_MOUNT
+ value: svc.pt.soeren.cloud
diff --git a/clusters/svc.pt.soeren.cloud/acmevault/namespace.yaml b/clusters/svc.pt.soeren.cloud/acmevault/namespace.yaml
new file mode 100644
index 0000000..4b740e2
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/acmevault/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: acmevault
+ labels:
+ name: acmevault
diff --git a/clusters/svc.pt.soeren.cloud/cert-manager/clusterissuer.yaml b/clusters/svc.pt.soeren.cloud/cert-manager/clusterissuer.yaml
new file mode 100644
index 0000000..c9294b2
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/cert-manager/clusterissuer.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-dns-prod
+ namespace: cert-manager
+spec:
+ acme:
+ email: letsencrypt@soerensoerensen.de
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-account-key-route53
+ solvers:
+ - selector:
+ dnsZones:
+ - "svc.pt.soeren.cloud"
+ dns01:
+ route53:
+ region: us-east-1
+ hostedZoneID: "Z0410978UXMAAIQOFY20"
+ accessKeyIDSecretRef:
+ name: route53-credentials
+ key: access-key-id
+ secretAccessKeySecretRef:
+ name: route53-credentials
+ key: access-key-secret
diff --git a/clusters/svc.pt.soeren.cloud/cert-manager/kustomization.yaml b/clusters/svc.pt.soeren.cloud/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..29ce29b
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/cert-manager/kustomization.yaml
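Review bot: `metadata.namespace: cert-manager` on a `ClusterIssuer` is misleading rather than harmful: the kind is cluster-scoped, so the field carries no meaning, and the `privateKeySecretRef` and `route53-credentials` secrets are resolved in cert-manager's cluster-resource namespace (default `cert-manager`), not in the namespace written here. Drop the line and state the real lookup rule where the next reader will see it, e.g. `# ClusterIssuer is cluster-scoped; referenced Secrets are read from cert-manager's --cluster-resource-namespace (default: cert-manager)`. Limiting the solver with `dnsZones: ["svc.pt.soeren.cloud"]` and feeding it a per-cluster Route53 key (as the upsert script in this commit does) is the right shape; if the IAM policy behind that key is also scoped to hosted zone `Z0410978UXMAAIQOFY20`, say so in the same comment, since the cluster-side selector alone does not bound what the key can change.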
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../infra/cert-manager
+ - clusterissuer.yaml
+ - sops-secret-route53-credentials.yaml
+namespace: cert-manager
+patches:
+ - target:
+ kind: Deployment
+ name: cert-manager
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--dns01-recursive-nameservers-only"
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
diff --git a/clusters/svc.pt.soeren.cloud/cert-manager/sops-secret-route53-credentials.yaml b/clusters/svc.pt.soeren.cloud/cert-manager/sops-secret-route53-credentials.yaml
new file mode 100644
index 0000000..0386e06
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/cert-manager/sops-secret-route53-credentials.yaml
@@ -0,0 +1,29 @@ +--- +apiVersion: v1 +data: + access-key-id: ENC[AES256_GCM,data:rezqQmI7sM61kNt3K1fvhekPD/WPzCKJhDLuvA==,iv:7ew5bHTYP2sgHGP3sFdT2d1rq6z8z5x3aFixj1hhxz0=,tag:tiSay1rN48m9EaIfyF+jUQ==,type:str] + access-key-secret: ENC[AES256_GCM,data:UJbpi0URzzqmTDGBqOP0ZNVhfm1GjsduXhXSggy4Rb+dNANdAO4tQtBPI86gofMJe21VtzQTyxI=,iv:zPAHKG+2Y0y99wvHyZAQhjIdZoGiQeMIE1Tz7MdCS3E=,tag:t2v5q1TAxmRkH0IL4TNDTw==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: route53-credentials +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17e2d0c5aeavmpfahyzwrsm76ujla9flv7wdn7u5ssc3wqznw7p9seecsd2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvY0JSN3ZvSDJ0U1RxeGFW + K3oxRWQrRTFlMnZtdXRLanZlRStUSnBkK0ZNCldRY1dLMWVBelB0Ujg0RnJvcGxj + QXFqRVVrN0RBL3JlNXBvcGYxZ1REaXMKLS0tIHhzMzJybGk4bFRwaHA0cWVRRTZJ + ajR1VW9Nb0hrenpnSnNEV2FLb2hmMUUKdhqOldFzKcEu3UJv/Z0gSN9sJLLqaPof + 1M4v3QKqrpJUn676mnKuhz25Iksehp2U9+CtTVMO7JtOEMxltIRERg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-09-18T13:26:25Z" + mac: ENC[AES256_GCM,data:WHBy3r0kjvUvVojiLanDuOwap3ERaE9awAIfvhfRTV+2aMwRl/v4AsGNbtTCWQHU+5x3v+1ZUKElt/M5+OC1j1n8IzhTZC5g5/osSnTdmxYVwsJ3BQGao2AM7miwVsAiIH9di+zpz1grCrRHo3ILiCD7UqgRNPvw7ioNMrckbQM=,iv:F+zLSsN7lydPxBrPdR5nXmbVMissr0y+bX1SrXZvnkE=,tag:HGuK1p4L9GnI0dMC4Sw5pQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/clusters/svc.pt.soeren.cloud/cert-manager/upsert-secrets.sh b/clusters/svc.pt.soeren.cloud/cert-manager/upsert-secrets.sh new file mode 100755 index 0000000..ad6759f --- /dev/null +++ b/clusters/svc.pt.soeren.cloud/cert-manager/upsert-secrets.sh 
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -eu
+
+CLUSTER_NAME="$(git rev-parse --show-prefix | awk -F'/' '{print $2}')"
+SECRET_NAME="route53-credentials"
+SECRET_FILE_NAME="sops-secret-route53-credentials.yaml"
+echo "Upserting secret ${SECRET_NAME} for cluster ${CLUSTER_NAME}"
+
+TF_VALUE=$(terraform -chdir=../../../contrib/terraform/route53-credentials output -json cert-manager | jq -r '.["cert-manager-'${CLUSTER_NAME}'"]')
+AWS_SECRET_ACCESS_KEY=$(echo $TF_VALUE |jq -r '.access_key_secret')
+AWS_ACCESS_KEY_ID=$(echo $TF_VALUE |jq -r '.access_key_id')
+
+kubectl create secret generic "${SECRET_NAME}" \
+ --from-literal=access-key-secret="${AWS_SECRET_ACCESS_KEY}" \
+ --from-literal=access-key-id="${AWS_ACCESS_KEY_ID}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${SECRET_FILE_NAME}" /dev/stdin
diff --git a/clusters/svc.pt.soeren.cloud/istio/certificate.yaml b/clusters/svc.pt.soeren.cloud/istio/certificate.yaml
new file mode 100644
index 0000000..06976cb
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/istio/certificate.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ingress-cert
+ namespace: istio-system
+spec:
+ secretName: ingress-cert
+ commonName: '*.svc.pt.soeren.cloud'
+ dnsNames:
+ - '*.svc.pt.soeren.cloud'
+ issuerRef:
+ name: letsencrypt-dns-prod
+ kind: ClusterIssuer
+ group: cert-manager.io
diff --git a/clusters/svc.pt.soeren.cloud/istio/gateway.yaml b/clusters/svc.pt.soeren.cloud/istio/gateway.yaml
new file mode 100644
index 0000000..ff78bcd
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/istio/gateway.yaml
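Review bot: The `TF_VALUE=` line splices `${CLUSTER_NAME}` unquoted into the jq filter and, like the two `jq` calls after it, never checks that the lookup found anything: a missing `cert-manager-<cluster>` key makes all three `jq -r` calls print `null`, and the script then encrypts `access-key-id=null` into the sops file without a non-zero exit. Pass the key with `--arg` and let jq fail on a null result, e.g. `TF_VALUE=$(terraform -chdir=../../../contrib/terraform/route53-credentials output -json cert-manager | jq -er --arg k "cert-manager-${CLUSTER_NAME}" '.[$k]')`, and quote `"$TF_VALUE"` in the two `echo` lines the way the oauth2-proxy upsert script in this commit already does. The Terraform output read here holds long-lived AWS keys for every cluster, so a one-line comment saying the script must run from a workstation that is allowed to read that state would help the next operator.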
@@ -0,0 +1,27 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: gateway
+ namespace: istio-system
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*.svc.pt.soeren.cloud"
+ tls:
+ httpsRedirect: true
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: ingress-cert
+ hosts:
+ - "*.svc.pt.soeren.cloud"
diff --git a/clusters/svc.pt.soeren.cloud/keycloak/keycloak.properties b/clusters/svc.pt.soeren.cloud/keycloak/keycloak.properties
new file mode 100644
index 0000000..7138ce1
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/keycloak/keycloak.properties
@@ -0,0 +1,7 @@
+KC_HOSTNAME=keycloak.svc.pt.soeren.cloud
+KC_DB_URL_DATABASE=keycloak
+KC_DB_URL_HOST=dbs.pt.soeren.cloud
+KC_DB_URL_PORT=3306
+KC_DB_URL_PROPERTIES=?sslMode=verify-full
+KC_DB=mariadb
+KC_TRANSACTION_XA_ENABLED=false
diff --git a/clusters/svc.pt.soeren.cloud/keycloak/kustomization.yaml b/clusters/svc.pt.soeren.cloud/keycloak/kustomization.yaml
new file mode 100644
index 0000000..7b52146
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/keycloak/kustomization.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: keycloak
+resources:
+ - ../../../apps/keycloak
+ - namespace.yaml
+ - sops-secret-keycloak.yaml
+components:
+ - ../../../apps/keycloak/components/istio
+patches:
+ - target:
+ kind: Deployment
+ name: keycloak
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/envFrom
+ value:
+ - secretRef:
+ name: keycloak
+ - configMapRef:
+ name: keycloak-config
+ - target:
+ kind: VirtualService
+ name: keycloak
+ patch: |-
+ - op: replace
+ path: /spec/hosts
+ value:
+ - keycloak.svc.pt.soeren.cloud
+configMapGenerator:
+ - name: keycloak-config
+ behavior: create
+ envs:
+ - keycloak.properties
diff --git a/clusters/svc.pt.soeren.cloud/keycloak/namespace.yaml b/clusters/svc.pt.soeren.cloud/keycloak/namespace.yaml
new file mode 100644
index 0000000..c2d675a
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/keycloak/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: keycloak
+ labels:
+ name: keycloak
diff --git a/clusters/svc.pt.soeren.cloud/keycloak/sops-secret-keycloak.yaml b/clusters/svc.pt.soeren.cloud/keycloak/sops-secret-keycloak.yaml
new file mode 100644
index 0000000..7e22584
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/keycloak/sops-secret-keycloak.yaml
@@ -0,0 +1,32 @@ +--- +apiVersion: v1 +data: + KC_DB_PASSWORD: ENC[AES256_GCM,data:llTP5EtGmwI5DIwOQYNCpbcN/NFPOioh,iv:w5DofSHblFOsBEXf0aVVkXhRid+oDfV/0G1cbryKO34=,tag:9qqBxE1/Pi4K6GiSm7G2og==,type:str] + KC_DB_USERNAME: ENC[AES256_GCM,data:OSVcPcdXI+SnH7BU,iv:61A/TVtTWtEmzlBuS5eZKpdHKFOkKHYYF7MBefgS3ns=,tag:Q7KstpkdgVfeEp/uPoFxPQ==,type:str] + KEYCLOAK_ADMIN: ENC[AES256_GCM,data:49Nd5VQCxLY=,iv:B6wPtZj/A17MYSbujIDrRS696qTvon/1vlTCyeJmtTA=,tag:VNvUawkqeEtVclFglEQKsQ==,type:str] + KEYCLOAK_ADMIN_PASSWORD: ENC[AES256_GCM,data:gpUsmAGkkmM=,iv:HVHQW2IZs/Omarr/x1Wq4kmfyt1GLMuuin3s/4gr3+w=,tag:jLCEeUWK83SgP2s7DXw5qA==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: keycloak + namespace: keycloak +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17e2d0c5aeavmpfahyzwrsm76ujla9flv7wdn7u5ssc3wqznw7p9seecsd2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhWEtxbC9zTnRzVVh1bUNi + K3dWbythWnNWaTFWazJmTjV0Smxsa0d0LzBnCnlkamh2cEh0Y08yaWhSR0NNT1ND + Z2I2azM1SGE0MUZHbVIxcjRmNDVkYzAKLS0tIHlEU1o0M2ZRUXNaeGRiamF3d1B5 + SnlNZE9PZDEwcjZOUjR3SUthNmJjOUkK5deWVuzrZOfine/0mviKzsKr/LcDKEHO + clrpKc/2iDVMXBbyiLZEhp321K+VoxeTYKLH86L7YGjWfy+G1f/72w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-31T14:53:48Z" + mac: ENC[AES256_GCM,data:XFtEqz0FLe9ou7oFP7cCZHg+FoaqxaGhb4A3qqDZlDiBQ9gsvm61/OSnbBW5gOPh943RD0wIhmsdVLcGjTVaxYmPxU0kC2QcsKyO4rc87z55+xYyfOa3GsWgXBnwx8Yh5j3kNEbPyFLCSQqKbDhVXh3bYygGk0AIgYK/WT/fjf8=,iv:lxEpvzotUwgzXR5DkLbb6yoGi++LyRTNJaZ+Lk+eHkY=,tag:DnzPXl0FdYdqmZJbblTJ4w==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/clusters/svc.pt.soeren.cloud/keycloak/upsert-secret-keycloak.sh b/clusters/svc.pt.soeren.cloud/keycloak/upsert-secret-keycloak.sh new file mode 120000 index 0000000..b3cbf6d --- /dev/null +++ b/clusters/svc.pt.soeren.cloud/keycloak/upsert-secret-keycloak.sh 
@@ -0,0 +1 @@
+../../../apps/keycloak/upsert-secret-keycloak.sh
\ No newline at end of file
diff --git a/clusters/svc.pt.soeren.cloud/keycloak/upsert-secrets.sh b/clusters/svc.pt.soeren.cloud/keycloak/upsert-secrets.sh
new file mode 100755
index 0000000..1ccfe86
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/keycloak/upsert-secrets.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -eu
+
+SECRET_NAME="$(basename $(pwd))"
+SECRET_FILE_NAME="sops-secret-${SECRET_NAME}.yaml"
+NAMESPACE="$(basename $(pwd))"
+echo "Upserting secret ${SECRET_NAME}"
+
+CLUSTER_NAME="$(git rev-parse --show-prefix | awk -F'/' '{print $2}')"
+PASS_PREFIX="k8s/prd/${CLUSTER_NAME}/keycloak"
+
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=admin
+KC_DB_USERNAME=keycloak
+KC_DB_PASSWORD=keycloak_password
+
+kubectl create secret generic "${SECRET_NAME}" \
+ --namespace="${NAMESPACE}" \
+ --from-literal=KEYCLOAK_ADMIN="${KEYCLOAK_ADMIN}" \
+ --from-literal=KEYCLOAK_ADMIN_PASSWORD="${KEYCLOAK_ADMIN_PASSWORD}" \
+ --from-literal=KC_DB_USERNAME="${KC_DB_USERNAME}" \
+ --from-literal=KC_DB_PASSWORD="${KC_DB_PASSWORD}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${SECRET_FILE_NAME}" /dev/stdin
diff --git a/clusters/svc.pt.soeren.cloud/loki/configmap.yaml b/clusters/svc.pt.soeren.cloud/loki/configmap.yaml
new file mode 100644
index 0000000..59e45f8
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/loki/configmap.yaml
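Review bot: `KEYCLOAK_ADMIN_PASSWORD=admin` and `KC_DB_PASSWORD=keycloak_password` are literal values, and `PASS_PREFIX` is assigned but never read, so running this script seals those fixed credentials into `sops-secret-keycloak.yaml` instead of the operator's real ones; the renovatebot `upsert-secrets.sh` later in this diff shows the intended pattern, `SECRET_VALUE=$(pass "${PASS_PREFIX}/…")`. The microbin `upsert-secrets.sh` has the same shape — `MICROBIN_ADMIN_PASS=secret` next to an unused `PASS_PREFIX` — so both should pull their values from `pass`. If the committed `sops-secret-keycloak.yaml` in the previous hunk was produced by this script as written, it should be regenerated once the values come from `pass`. `$(basename $(pwd))` is also unquoted on two lines; `"$(basename "$(pwd)")"` is the safe form.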
@@ -0,0 +1,66 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: loki-config
+ namespace: loki
+ labels:
+ app: loki
+ app.kubernetes.io/name: loki
+ app.kubernetes.io/instance: loki
+data:
+ loki-config.yaml: |
+ auth_enabled: true
+ common:
+ compactor_address: 'loki'
+ path_prefix: /var/loki
+ replication_factor: 1
+ storage:
+ filesystem:
+ chunks_directory: /var/loki/chunks
+ rules_directory: /var/loki/rules
+ frontend:
+ scheduler_address: ""
+ frontend_worker:
+ scheduler_address: ""
+ index_gateway:
+ mode: ring
+ limits_config:
+ max_cache_freshness_per_query: 10m
+ reject_old_samples: true
+ reject_old_samples_max_age: 168h
+ split_queries_by_interval: 15m
+ retention_period: 744h
+ retention_stream:
+ - selector: '{namespace="dev"}'
+ priority: 1
+ period: 24h
+ memberlist:
+ join_members:
+ - loki-memberlist
+ query_range:
+ align_queries_with_step: true
+ # runtime_config:
+ # file: /etc/loki/runtime-config/runtime-config.yaml
+ schema_config:
+ configs:
+ - from: "2023-01-05"
+ index:
+ period: 24h
+ prefix: index_
+ object_store: filesystem
+ schema: v12
+ store: tsdb
+ server:
+ grpc_listen_port: 9095
+ http_listen_port: 3100
+ storage_config:
+ hedging:
+ at: 250ms
+ max_per_second: 20
+ up_to: 3
+ tsdb_shipper:
+ active_index_directory: /var/loki/tsdb-index
+ cache_location: /var/loki/tsdb-cache
+ tracing:
+ enabled: false
diff --git a/clusters/svc.pt.soeren.cloud/loki/kustomization.yaml b/clusters/svc.pt.soeren.cloud/loki/kustomization.yaml
new file mode 100644
index 0000000..a15c7ab
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/loki/kustomization.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: loki
+resources:
+ - ../../../apps/loki
+ - configmap.yaml
+ - pv.yaml
+ - pvc.yaml
+ - namespace.yaml
+ - virtualservice.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: loki
+ patch: |-
+ - op: replace
+ path: /spec/template/spec/volumes/0
+ value:
+ name: storage
+ persistentVolumeClaim:
+ claimName: loki
diff --git a/clusters/svc.pt.soeren.cloud/loki/namespace.yaml b/clusters/svc.pt.soeren.cloud/loki/namespace.yaml
new file mode 100644
index 0000000..efaa030
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/loki/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: loki
+ labels:
+ name: loki
diff --git a/clusters/svc.pt.soeren.cloud/loki/pv.yaml b/clusters/svc.pt.soeren.cloud/loki/pv.yaml
new file mode 100644
index 0000000..c594827
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/loki/pv.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: loki
+spec:
+ accessModes:
+ - ReadWriteOnce
+ capacity:
+ storage: 50Gi
+ storageClassName: local-storage
+ local:
+ path: /mnt/k8s/loki
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - pool.pt.soeren.cloud
diff --git a/clusters/svc.pt.soeren.cloud/loki/pvc.yaml b/clusters/svc.pt.soeren.cloud/loki/pvc.yaml
new file mode 100644
index 0000000..6bad14e
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/loki/pvc.yaml
@@ -0,0 +1,13 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: loki
+ namespace: loki
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 25Gi
+ storageClassName: local-storage
diff --git a/clusters/svc.pt.soeren.cloud/loki/virtualservice.yaml b/clusters/svc.pt.soeren.cloud/loki/virtualservice.yaml
new file mode 100644
index 0000000..889eaf5
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/loki/virtualservice.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: loki
+spec:
+ hosts:
+ - loki.svc.pt.soeren.cloud
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: loki
+ port:
+ number: 3100
diff --git a/clusters/svc.pt.soeren.cloud/metallb/advertisment-pt.yaml b/clusters/svc.pt.soeren.cloud/metallb/advertisment-pt.yaml
new file mode 100644
index 0000000..9c60492
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/metallb/advertisment-pt.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+ name: pt
+ namespace: metallb-system
+spec:
+ ipAddressPools:
+ - pt
diff --git a/clusters/svc.pt.soeren.cloud/metallb/kustomization.yaml b/clusters/svc.pt.soeren.cloud/metallb/kustomization.yaml
new file mode 100644
index 0000000..9f484b2
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/metallb/kustomization.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: metallb-system
+resources:
+ - ../../../infra/metallb
+ - advertisment-pt.yaml
+ - pool-pt.yaml
+patches:
+ - target:
+ kind: DaemonSet
+ name: speaker
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/resources
+ value:
+ requests:
+ memory: 32M
+ cpu: 10m
+ limits:
+ memory: 128M
+ - target:
+ kind: Deployment
+ name: controller
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/resources
+ value:
+ requests:
+ memory: 32M
+ cpu: 50m
+ limits:
+ memory: 128M
diff --git a/clusters/svc.pt.soeren.cloud/metallb/pool-pt.yaml b/clusters/svc.pt.soeren.cloud/metallb/pool-pt.yaml
new file mode 100644
index 0000000..89ac90f
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/metallb/pool-pt.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: pt
+ namespace: metallb-system
+spec:
+ addresses:
+ - 192.168.73.250/32
+ - 192.168.73.251/32
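Review bot: The VirtualService routes `loki.svc.pt.soeren.cloud` with `prefix: /` straight to Loki's HTTP port, while Loki's `auth_enabled: true` (configmap.yaml, two hunks earlier) only requires an `X-Scope-OrgID` tenant header — Loki performs no authentication itself, so unless `istio-system/gateway` enforces it upstream (not visible in this diff) the push and query APIs on this host are reachable by anyone who can reach the gateway. Consider an Istio `RequestAuthentication`/`AuthorizationPolicy` for this host, or narrowing the route to the paths external clients actually need. The in-cluster vector sink later in the diff talks to `http://loki.loki:3100` directly and does not depend on this route.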
diff --git a/clusters/svc.pt.soeren.cloud/microbin/kustomization.yaml b/clusters/svc.pt.soeren.cloud/microbin/kustomization.yaml
new file mode 100644
index 0000000..dca9cf9
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/microbin/kustomization.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: microbin
+resources:
+ - ../../../apps/microbin
+ - namespace.yaml
+ - virtualservice.yaml
+ - sops-secret-credentials.yaml
+ - local-volume.yaml
+ - pvc.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: microbin
+ patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/envFrom/-
+ value:
+ secretRef:
+ name: microbin
+ - op: replace
+ path: /spec/template/spec/volumes/0
+ value:
+ name: storage
+ persistentVolumeClaim:
+ claimName: microbin
+configMapGenerator:
+ - name: microbin-config
+ behavior: add
+ envs:
+ - microbin.properties
diff --git a/clusters/svc.pt.soeren.cloud/microbin/local-volume.yaml b/clusters/svc.pt.soeren.cloud/microbin/local-volume.yaml
new file mode 100644
index 0000000..c620e13
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/microbin/local-volume.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: microbin
+ namespace: microbin
+spec:
+ accessModes:
+ - ReadWriteOnce
+ capacity:
+ storage: 50Gi
+ volumeMode: Filesystem
+ storageClassName: local-storage
+ persistentVolumeReclaimPolicy: Delete
+ local:
+ path: /mnt/k8s/microbin
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - pool.pt.soeren.cloud
diff --git a/clusters/svc.pt.soeren.cloud/microbin/microbin.properties b/clusters/svc.pt.soeren.cloud/microbin/microbin.properties
new file mode 100644
index 0000000..d3a531d
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/microbin/microbin.properties
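Review bot: `behavior: add` on the `microbin-config` configMapGenerator is not one of kustomize's documented behaviors (`create`, `replace`, `merge`); kustomize treats an unrecognised value as unspecified, which falls through to create semantics and fails the build if `../../../apps/microbin` already generates a ConfigMap of that name. Use `behavior: create` as the renovatebot overlays later in this diff do, or `merge` if the base defines `microbin-config` and this file is meant to extend it — the base is not in my view, so I can't tell which applies.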
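Review bot: `persistentVolumeReclaimPolicy: Delete` on a manually created `local` PersistentVolume differs from the loki PV earlier in this diff, which keeps the default `Retain`; with `Delete`, releasing the `microbin` claim makes the volume (and, depending on how the cluster handles local volumes, the data under `/mnt/k8s/microbin`) a deletion candidate rather than something an operator re-binds. If that is intended, a comment such as `# Delete on purpose: microbin data is disposable` would make it deliberate; otherwise drop the line so the two local PVs behave alike. `metadata.namespace: microbin` is not meaningful on a cluster-scoped PersistentVolume and can go.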
@@ -0,0 +1,211 @@
+# Require username for HTTP Basic Authentication when
+# visiting the service. If basic auth username is set but
+# basic auth password is not, just leave the password field
+# empty when logging in. You can also just go to
+# https://username:password@yourserver.net or
+# https://username@yourserver.net if password is not set
+# instead of typing into the password
+# Default value: unset
+#MICROBIN_BASIC_AUTH_USERNAME=
+
+# Require password for HTTP Basic Authentication when
+# visiting the service. Will not have any affect unless
+# basic auth username is also set. If basic auth username is
+# set but basic auth password is not, just leave the
+# password field empty when logging in. You can also just go
+# to https://username:password@yourserver.net or
+# https://username@yourserver.net if password is not set
+# instead of typing into the password prompt.
+# Default value: unset
+#MICROBIN_BASIC_AUTH_PASSWORD=
+
+# Enables administrator interface at yourserver.com/admin/
+# if set, disables it if unset. If admin username is set but
+# admin password is not, just leave the password field empty
+# when logging in.
+# Default value: admin
+#MICROBIN_ADMIN_USERNAME=admin
+
+# Enables administrator interface at yourserver.com/admin/
+# if set, disables it if unset. Will not have any affect
+# unless admin username is also set. If admin username is
+# set but admin password is not, just leave the password
+# field empty when logging in.
+# Default value: m1cr0b1n
+#MICROBIN_ADMIN_PASSWORD=m1cr0b1n
+
+# Enables editable pastas. You will still be able to make
+# finalised pastas but there will be an extra checkbox to
+# make your new pasta editable from the pasta list or the
+# pasta view page.
+# Default value: true
+MICROBIN_EDITABLE=true
+
+# Replaces the default footer text with your own. If you
+# want to hide the footer, use the hide footer option instead.
+# Note that you can also embed HTML here, so you may want to escape
+# '<', '>' and so on.
+#MICROBIN_FOOTER_TEXT=
+
+# Hides the navigation bar on every page.
+# Default value: false
+MICROBIN_HIDE_HEADER=false
+
+# Hides the footer on every page.
+# Default value: false
+MICROBIN_HIDE_FOOTER=false
+
+# Hides the MicroBin logo from the navigation bar on every
+# page.
+# Default value: false
+MICROBIN_HIDE_LOGO=false
+
+# Disables the /pastalist endpoint, essentially making all
+# pastas private.
+# Default value: false
+MICROBIN_NO_LISTING=false
+
+# Enables syntax highlighting support. When creating a new
+# pasta, a new dropdown selector will be added where you can
+# select your pasta's syntax, or just leave it empty for no
+# highlighting.
+MICROBIN_HIGHLIGHTSYNTAX=true
+
+# Sets the port for the server will be listening on.
+# Default value: 8080
+MICROBIN_PORT=8080
+
+# Sets the bind address for the server will be listening on.
+# Both ipv4 and ipv6 are supported. Default value: 0.0.0.0".
+MICROBIN_BIND=0.0.0.0
+
+# Enables private pastas. Adds a new checkbox to make your
+# pasta private, which then won't show up on the pastalist
+# page. With the URL to your pasta, it will still be
+# accessible.
+# Default value: true
+MICROBIN_PRIVATE=true
+
+# DEPRECATED: Will be removed soon. If you want to change styling (incl. removal), use custom CSS variable instead.
+# Disables main CSS styling, just uses a few in-line
+# stylings for the layout. With this option you will lose
+# dark-mode support.
+MICROBIN_PURE_HTML=false
+
+# Sets the name of the directory where MicroBin creates
+# its database and stores attachments.
+# Default value: microbin_data
+MICROBIN_DATA_DIR=microbin_data
+
+# Enables storing pasta data (not attachments and files) in
+# a JSON file instead of the SQLite database.
+MICROBIN_JSON_DB=false
+
+# Add the given public path prefix to all urls. This allows
+# you to host MicroBin behind a reverse proxy on a subpath.
+# Note that MicroBin itself still expects all routes to be
+# as without this option, and thus is unsuited if you are
+# running MicroBin directly. Default value: unset.
+MICROBIN_PUBLIC_PATH=https://microbin.svc.pt.soeren.cloud
+
+# Sets a shortened path to use when the user copies URL from
+# the application. This will also use shorter endpoints,
+# such as /p/ instead if /pasta/.
+#MICROBIN_SHORT_PATH:
+
+# The password required for uploading, if read-only mode is enabled
+# Default value: unset
+# MICROBIN_UPLOADER_PASSWORD=
+
+# If set to true, authentication required for uploading
+# Default value: false
+MICROBIN_READONLY=false
+
+# Enables showing read count on pasta pages.
+MICROBIN_SHOW_READ_STATS=true
+
+# Adds your title of choice to the
+# navigation bar.
+#MICROBIN_TITLE=
+
+# Number of workers MicroBin is allowed to have. Increase
+# this to the number of CPU cores you have if you want to go
+# beast mode, but for personal use one worker is enough.
+MICROBIN_THREADS=1
+
+# Sets the garbage collector time limit. Pastas not accessed
+# for N days are removed even if they are set to never
+# expire.
+MICROBIN_GC_DAYS=90
+
+# Enables or disables the Burn after function
+MICROBIN_ENABLE_BURN_AFTER=true
+
+# Sets the default burn after setting on the main screen.
+MICROBIN_DEFAULT_BURN_AFTER=0
+
+# Changes the maximum width of the UI from 720 pixels to
+# 1080 pixels.
+MICROBIN_WIDE=false
+
+# Enables generating QR codes for pastas. Requires
+# the public path to also be set.
+MICROBIN_QR=true
+
+# Toggles Never expiry settings for pastas. Default
+MICROBIN_ETERNAL_PASTA=false
+
+# Enables Read-only uploads. These are unlisted and
+# unencrypted, but can be viewed without password if you
+# have the URL. Editing and removing requires password.
+MICROBIN_ENABLE_READONLY=true
+
+# Sets the default expiry time setting on the main screen.
+MICROBIN_DEFAULT_EXPIRY=24hour
+
+# Disables and hides the file upload option in the UI.
+MICROBIN_NO_FILE_UPLOAD=false
+
+# Replaced the built-in water.css stylesheet with the URL
+# you provide. Default value: unset.
+#MICROBIN_CUSTOM_CSS=
+
+# Use short hash strings in the URLs instead of animal names
+# to make URLs shorter. Does not change the underlying data
+# stored, just how pastas are recalled.
+MICROBIN_HASH_IDS=false
+
+# Enables server-side encryption. This will add private
+# privacy level, where the user sends plain unencrypted data
+# (still secure, because you use HTTPS, right?), but the
+# server sees everything that the user submits, therefore
+# the user does not have complete and absolute protection.
+MICROBIN_ENCRYPTION_CLIENT_SIDE=true
+
+# Enables client-side encryption. This will add the secret
+# privacy level where the user's browser encrypts all data
+# with JavaScript before sending it over to MicroBin, which
+# encrypt the data once again on server side.
+MICROBIN_ENCRYPTION_SERVER_SIDE=true
+
+# Limit the maximum file size users can upload without
+# encryption.
+MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB=256
+
+# Limit the maximum file size users can upload with
+# encryption (more strain on your server than without
+# encryption, so the limit should be lower. Secrets tend to
+# be tiny files usually anyways.)
+MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB=2048
+
+# Disables the feature that checks for available updates
+# when opening the admin screen.
+MICROBIN_DISABLE_UPDATE_CHECKING=true
+
+# Disables telemetry if set to true.
+# Telemetry includes your configuration and helps development.
+# It does not include any sensitive data.
+MICROBIN_DISABLE_TELEMETRY=true
+
+# Enables listing your server in the public MicroBin server list.
+MICROBIN_LIST_SERVER=false
diff --git a/clusters/svc.pt.soeren.cloud/microbin/namespace.yaml b/clusters/svc.pt.soeren.cloud/microbin/namespace.yaml
new file mode 100644
index 0000000..bb62edb
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/microbin/namespace.yaml
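Review bot: The comments on `MICROBIN_ENCRYPTION_CLIENT_SIDE` and `MICROBIN_ENCRYPTION_SERVER_SIDE` are swapped (the text under each key describes the other), and likewise for `MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB=256` / `MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB=2048`, where the "without encryption" comment sits on the encrypted key and vice versa. The values themselves agree with the comments' advice (both encryption modes on, the lower limit on the encrypted key), so nothing misbehaves today, but the comment blocks should move to the keys they describe before someone tunes the wrong limit. `#MICROBIN_SHORT_PATH:` uses `:` rather than `=`; harmless while commented out, but it will not parse as a key if un-commented as-is.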
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: microbin
+ labels:
+ name: microbin
diff --git a/clusters/svc.pt.soeren.cloud/microbin/pvc.yaml b/clusters/svc.pt.soeren.cloud/microbin/pvc.yaml
new file mode 100644
index 0000000..e4eaed5
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/microbin/pvc.yaml
@@ -0,0 +1,13 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: microbin
+ namespace: microbin
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ storageClassName: local-storage
diff --git a/clusters/svc.pt.soeren.cloud/microbin/sops-secret-credentials.yaml b/clusters/svc.pt.soeren.cloud/microbin/sops-secret-credentials.yaml
new file mode 100644
index 0000000..6533720
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/microbin/sops-secret-credentials.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+data:
+ MICROBIN_ADMIN_PASSWORD: ENC[AES256_GCM,data:qc9BN1SWYU8=,iv:N/Y7SVHvm2Lx9LYqrxevE+JiaKWDkYNgDEfzLErUT+U=,tag:/8MMfeHR4h7qOtc7NppnJg==,type:str]
+ MICROBIN_ADMIN_USERNAME: ENC[AES256_GCM,data:Cw210zSgTOE=,iv:XzVYZYzwwWRvv/PTLDXbdlMgBsZWncaax/UNx0fihno=,tag:V/Zy79yPdoQCkR/8RAPpQw==,type:str]
+ MICROBIN_BASIC_AUTH_PASSWORD: ""
+ MICROBIN_BASIC_AUTH_USERNAME: ""
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: microbin
+ namespace: microbin
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17e2d0c5aeavmpfahyzwrsm76ujla9flv7wdn7u5ssc3wqznw7p9seecsd2
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxN0FRcUhMaEs4R1puNXJy
+ YzM3UE4yTHNuVkViMk9hd2F6MUF0REl4YkJFCklBNzcxc3lpOTVPMzFEU1NUZ083
+ VWlVSXpZaXpvTEdLL3QzT3lYMTU3N1kKLS0tIHMyenZiSlJtM2tVTnd4Zk9Da1I5
+ TUpucTYwdjR5M2FjUFlFZVlKZVJWZFUKp0Il2yjsdK+adaoJHM9rzWVp7opkG04N
+ dL1sKRSYIgYoGuEb1bG34kgZvaRig3Wd6+7PqtHlnQEqc9+a/7q3IQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-12-30T17:52:40Z"
+ mac: ENC[AES256_GCM,data:e+Thxk/CHbxP6wM7eXrBARceQrOrUHLStgubZBYIcsFJzAYW91ABbzEqo+OcqDkbrS8zMCxQd3fq+goMIFr8OZTyxmefltEUW/5WEjJ6UvPN19XG+5qwCFKnEsd6I5cWhNmekSAPPeLG/fnnX/DSlvmU0Xe1y5+pS3LvdXsnOEU=,iv:U32GDl/WnQS4vLaSirJohf5/BdB4VZ6s5YzpLDuDXAU=,tag:s7ZZFvaDGH7tJkmPx6ZqDA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/clusters/svc.pt.soeren.cloud/microbin/upsert-secret-microbin.sh b/clusters/svc.pt.soeren.cloud/microbin/upsert-secret-microbin.sh
new file mode 120000
index 0000000..9a62a6a
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/microbin/upsert-secret-microbin.sh
@@ -0,0 +1 @@
+../../../apps/microbin/upsert-secret-microbin.sh
\ No newline at end of file
diff --git a/clusters/svc.pt.soeren.cloud/microbin/upsert-secrets.sh b/clusters/svc.pt.soeren.cloud/microbin/upsert-secrets.sh
new file mode 100755
index 0000000..012cb9a
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/microbin/upsert-secrets.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -eu
+
+SECRET_NAME="microbin"
+SECRET_FILE_NAME="sops-secret-credentials.yaml"
+NAMESPACE=microbin
+echo "Upserting secret ${SECRET_NAME}"
+
+
+PASS_PREFIX="k8s/prd/microbin"
+
+MICROBIN_ADMIN=soeren
+MICROBIN_ADMIN_PASS=secret
+MICROBIN_BASIC_AUTH_USERNAME=""
+MICROBIN_BASIC_AUTH_PASS=""
+
+kubectl create secret generic "${SECRET_NAME}" \
+ --namespace="${NAMESPACE}" \
+ --from-literal=MICROBIN_ADMIN_USERNAME="${MICROBIN_ADMIN}" \
+ --from-literal=MICROBIN_BASIC_AUTH_USERNAME="${MICROBIN_BASIC_AUTH_USERNAME}" \
+ --from-literal=MICROBIN_ADMIN_PASSWORD="${MICROBIN_ADMIN_PASS}" \
+ --from-literal=MICROBIN_BASIC_AUTH_PASSWORD="${MICROBIN_BASIC_AUTH_PASS}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${SECRET_FILE_NAME}" /dev/stdin
diff --git a/clusters/svc.pt.soeren.cloud/microbin/virtualservice.yaml b/clusters/svc.pt.soeren.cloud/microbin/virtualservice.yaml
new file mode 100644
index 0000000..fb79acd
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/microbin/virtualservice.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: microbin
+ namespace: microbin
+spec:
+ hosts:
+ - microbin.svc.pt.soeren.cloud
+ gateways:
+ - istio-system/gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: microbin
+ port:
+ number: 80
diff --git a/clusters/svc.pt.soeren.cloud/reloader/kustomization.yaml b/clusters/svc.pt.soeren.cloud/reloader/kustomization.yaml
new file mode 100644
index 0000000..7c04773
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/reloader/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: reloader
+resources:
+ - ../../../apps/reloader
+ - namespace.yaml
diff --git a/clusters/svc.pt.soeren.cloud/reloader/namespace.yaml b/clusters/svc.pt.soeren.cloud/reloader/namespace.yaml
new file mode 100644
index 0000000..0ea8932
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/reloader/namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ creationTimestamp: null
+ name: reloader
+spec: {}
+status: {}
diff --git a/clusters/svc.pt.soeren.cloud/renovatebot/github/kustomization.yaml b/clusters/svc.pt.soeren.cloud/renovatebot/github/kustomization.yaml
new file mode 100644
index 0000000..15052ed
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/renovatebot/github/kustomization.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../apps/renovatebot
+patches:
+ - target:
+ kind: CronJob
+ name: renovate-bot
+ patch: |-
+ - op: replace
+ path: /metadata/name
+ value: "renovate-github"
+ - op: replace
+ path: /spec/schedule
+ value: "0 1 * * *"
+ - op: add
+ path: /spec/jobTemplate/spec/template/spec/containers/0/env
+ value:
+ - name: "RENOVATE_HOST_RULES"
+ valueFrom:
+ secretKeyRef:
+ name: tokens
+ key: "RENOVATE_HOST_RULES"
+ - op: add
+ path: /spec/jobTemplate/spec/template/spec/containers/0/env
+ value:
+ - name: "RENOVATE_TOKEN"
+ valueFrom:
+ secretKeyRef:
+ name: tokens
+ key: github-token
+ - op: add
+ path: /spec/jobTemplate/spec/template/spec/containers/0/envFrom
+ value:
+ - configMapRef:
+ name: renovate-github-config
+configMapGenerator:
+ - name: renovate-github-config
+ behavior: create
+ envs:
+ - renovate.properties
diff --git a/clusters/svc.pt.soeren.cloud/renovatebot/github/renovate.properties b/clusters/svc.pt.soeren.cloud/renovatebot/github/renovate.properties
new file mode 100644
index 0000000..3d0701f
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/renovatebot/github/renovate.properties
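Review bot: The two separate `op: add` operations on `/spec/jobTemplate/spec/template/spec/containers/0/env` do not accumulate: under RFC 6902 an `add` whose target is an existing object member replaces it, so the second operation (`RENOVATE_TOKEN`) overwrites the `env` list the first one created and `RENOVATE_HOST_RULES` never reaches the container, even though the `tokens` secret later in this diff carries that key. The gitlab overlay in the next hunk already does this correctly by listing both variables under a single `add`; mirror that here. If the base CronJob already defines an `env` list, this `add` also discards those entries, in which case `/env/-` appends would be the safer form — the base is outside my view, so I can't confirm either way.
```yaml
      patch: |-
        # … unchanged: name and schedule replace ops …
        - op: add
          path: /spec/jobTemplate/spec/template/spec/containers/0/env
          value:
            - name: "RENOVATE_HOST_RULES"
              valueFrom:
                secretKeyRef:
                  name: tokens
                  key: "RENOVATE_HOST_RULES"
            - name: "RENOVATE_TOKEN"
              valueFrom:
                secretKeyRef:
                  name: tokens
                  key: github-token
        # … unchanged: envFrom add, configMapGenerator …
```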
@@ -0,0 +1,8 @@
+RENOVATE_ASSIGNEES=["soerenschneider"]
+RENOVATE_PLATFORM=github
+RENOVATE_REPOSITORIES=["soerenschneider/bootstrap","soerenschneider/k8s-gitops"]
+RENOVATE_AUTODISCOVER=false
+RENOVATE_PR_CONCURRENT_LIMIT=50
+RENOVATE_BRANCH_CONCURRENT_LIMIT=0
+RENOVATE_PR_HOURLY_LIMIT=0
+LOG_LEVEL=info
diff --git a/clusters/svc.pt.soeren.cloud/renovatebot/github/upsert-secret-renovate.sh b/clusters/svc.pt.soeren.cloud/renovatebot/github/upsert-secret-renovate.sh
new file mode 120000
index 0000000..f64f15d
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/renovatebot/github/upsert-secret-renovate.sh
@@ -0,0 +1 @@
+../../../../apps/renovatebot/upsert-secret-renovate.sh
\ No newline at end of file
diff --git a/clusters/svc.pt.soeren.cloud/renovatebot/gitlab/kustomization.yaml b/clusters/svc.pt.soeren.cloud/renovatebot/gitlab/kustomization.yaml
new file mode 100644
index 0000000..f5ea767
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/renovatebot/gitlab/kustomization.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../../apps/renovatebot
+patches:
+ - target:
+ kind: CronJob
+ name: renovate-bot
+ patch: |-
+ - op: replace
+ path: /metadata/name
+ value: "renovate-gitlab"
+ - op: replace
+ path: /spec/schedule
+ value: "0 18 * * *"
+ - op: add
+ path: /spec/jobTemplate/spec/template/spec/containers/0/env
+ value:
+ - name: "RENOVATE_TOKEN"
+ valueFrom:
+ secretKeyRef:
+ name: tokens
+ key: gitlab-token
+ - name: "GITHUB_COM_TOKEN"
+ valueFrom:
+ secretKeyRef:
+ name: tokens
+ key: github-token
+ - op: add
+ path: /spec/jobTemplate/spec/template/spec/containers/0/envFrom
+ value:
+ - configMapRef:
+ name: renovate-gitlab-config
+configMapGenerator:
+ - name: renovate-gitlab-config
+ behavior: create
+ envs:
+ - renovate.properties
diff --git a/clusters/svc.pt.soeren.cloud/renovatebot/gitlab/renovate.properties b/clusters/svc.pt.soeren.cloud/renovatebot/gitlab/renovate.properties
new file mode 100644
index 0000000..0a51230
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/renovatebot/gitlab/renovate.properties
@@ -0,0 +1,8 @@
+RENOVATE_ASSIGNEES=["soerenschneider"]
+RENOVATE_PLATFORM=gitlab
+RENOVATE_REPOSITORIES=soerenschneider/playbooks
+RENOVATE_AUTODISCOVER=false
+RENOVATE_PR_CONCURRENT_LIMIT=50
+RENOVATE_BRANCH_CONCURRENT_LIMIT=0
+RENOVATE_PR_HOURLY_LIMIT=0
+LOG_LEVEL=info
diff --git a/clusters/svc.pt.soeren.cloud/renovatebot/gitlab/upsert-secret-renovate.sh b/clusters/svc.pt.soeren.cloud/renovatebot/gitlab/upsert-secret-renovate.sh
new file mode 120000
index 0000000..f64f15d
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/renovatebot/gitlab/upsert-secret-renovate.sh
@@ -0,0 +1 @@
+../../../../apps/renovatebot/upsert-secret-renovate.sh
\ No newline at end of file
diff --git a/clusters/svc.pt.soeren.cloud/renovatebot/kustomization.yaml b/clusters/svc.pt.soeren.cloud/renovatebot/kustomization.yaml
new file mode 100644
index 0000000..ce674b7
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/renovatebot/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: renovate
+resources:
+ - github
+ - gitlab
+ - namespace.yaml
+ - sops-secret-tokens.yaml
diff --git a/clusters/svc.pt.soeren.cloud/renovatebot/namespace.yaml b/clusters/svc.pt.soeren.cloud/renovatebot/namespace.yaml
new file mode 100644
index 0000000..35c46b2
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/renovatebot/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: renovate
+ labels:
+ name: renovate
diff --git a/clusters/svc.pt.soeren.cloud/renovatebot/sops-secret-tokens.yaml b/clusters/svc.pt.soeren.cloud/renovatebot/sops-secret-tokens.yaml
new file mode 100644
index 0000000..d0426ea
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/renovatebot/sops-secret-tokens.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+data:
+ RENOVATE_HOST_RULES: ENC[AES256_GCM,data:sJ6ifA0aNT95aWl3Sr5+JNclwfsPINKhMKxxEk9++AZmizUq84Cf2ze/Ng0mtJKY/WaMogw0W0dCmRZTLuRgKv+S6b70HPjL/jan3px0DCqEjzaKeITNq+pE/KIpn9wAv/a236Eo4Ri3Ee96y6tSdocysx0HgH+D2yCHwACj/Ia2E17XDL7JOUFdixcMOW+wyppwCfnoR+/iRkn/O6Mx33hX41+OheRjZ8OTeMEpDLc=,iv:UjBV8JkG1sRLrTTiQUcXgoqj+iEi45jxn8PtYl4ddYE=,tag:V2Zu88jArtDe0BGtrtXmUQ==,type:str]
+ github-token: ENC[AES256_GCM,data:pEMzZkkMb5Oxk9xFxxadSeTG6RAwaGBHSnlkx4/lQeYepDDFjcfr7U38V2KEN5PvOB4XpGxPTE0=,iv:up5WOI/QJOJHFegUM000UeBHoBp9TXzXqlfdcaYHz6Q=,tag:3c4e4sNbPBDuXbID8LzhfQ==,type:str]
+ gitlab-token: ENC[AES256_GCM,data:m4VJ9qeGwnstiOXkEwUta7wUUFHyzpnwVfiw/626w2nYpNVe,iv:gxy2bDBHW9pGfUNtIZejsGig3NDwVKrFK0xGAKqJttE=,tag:2A2i0n2kgO/hlz3cObqZgA==,type:str]
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: tokens
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17e2d0c5aeavmpfahyzwrsm76ujla9flv7wdn7u5ssc3wqznw7p9seecsd2
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJYkdrekRoS0dpZnhCelVD
+ U2hsUHNUdGJWRTcrVXhBcGlXeVl2TTFoR1YwCjBnYldFYlNPeHRtVFBHb2Z3T2VP
+ TnJ6UmF6dWtCOU1rdS9rSTVCbzdRbjgKLS0tIGpUVGVWTXB2L2cyN2lJVzE0ZzZ6
+ cUJSaFlXL3BQTmUyWUhFekEvRnFtY3MKvjrXeffKzTn+3Jb/aPJSdu+gZ5h3UXDU
+ jR1/2gzriGFIr0VqFrfsTw9fshyuWubQM3Dlt5A2uwgR/Zil9uwauA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-12-29T23:51:33Z"
+ mac: ENC[AES256_GCM,data:asgfyjJlJKpnNZftmF7/0r9ENl+0qPdqar5e1NK0lDUBipf7AtOB2vIctE1D8eTHEtEI/NnwLiOEEpkhP1ikyA0DpzYRrPZVaRpL9NX0+tSFheE1F1QtG03DPdFRNj/s68rfXkB4uddQO1iMBBORr1u5cwQsP3iyTEYASwvkjwI=,iv:DZBILaNtmC5kklJlyfygesiPfIYulUJDiu044yIZjoM=,tag:UaHKX075TKAuc7JVVKzs1Q==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/clusters/svc.pt.soeren.cloud/renovatebot/upsert-secrets.sh b/clusters/svc.pt.soeren.cloud/renovatebot/upsert-secrets.sh
new file mode 100755
index 0000000..9842629
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/renovatebot/upsert-secrets.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -eu
+
+PASS_PREFIX="k8s/common"
+SECRET_NAME_GITLAB="renovatebot-gitlab"
+SECRET_NAME_GITHUB="renovatebot-github"
+SECRET_NAME_GHCR="cr-ghcr"
+SECRET_FILE_NAME="sops-secret-tokens.yaml"
+
+echo "Upserting secret ${SECRET_NAME_GITLAB}, ${SECRET_NAME_GITHUB}, ${SECRET_NAME_GHCR}"
+SECRET_VALUE_GHCR=$(pass ${PASS_PREFIX}/${SECRET_NAME_GHCR})
+SECRET_VALUE_GITLAB=$(pass ${PASS_PREFIX}/${SECRET_NAME_GITLAB})
+SECRET_VALUE_GITHUB=$(pass ${PASS_PREFIX}/${SECRET_NAME_GITHUB})
+
+RENOVATE_HOST_RULES='[{"hostType": "docker","matchHost": "ghcr.io","username": "soerenschneider","password": "'"${SECRET_VALUE_GHCR}"'"}]'
+
+kubectl create secret generic tokens \
+ --from-literal=gitlab-token="${SECRET_VALUE_GITLAB}" \
+ --from-literal=github-token="${SECRET_VALUE_GITHUB}" \
+ --from-literal=RENOVATE_HOST_RULES="${RENOVATE_HOST_RULES}" \
+ --dry-run=client -o yaml |
+ sops -e --input-type=yaml --output-type=yaml -e \
+ --encrypted-regex '^(data|stringData)$' \
+ --output "${SECRET_FILE_NAME}" /dev/stdin
+
diff --git a/clusters/svc.pt.soeren.cloud/vault-auth/kustomization.yaml b/clusters/svc.pt.soeren.cloud/vault-auth/kustomization.yaml
new file mode 100644
index 0000000..d1cb74e
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/vault-auth/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: vault-auth
+resources:
+ - ../../../infra/vault-auth
diff --git a/clusters/svc.pt.soeren.cloud/vector/configmap.yaml b/clusters/svc.pt.soeren.cloud/vector/configmap.yaml
new file mode 100644
index 0000000..151da63
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/vector/configmap.yaml
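Review bot: `RENOVATE_HOST_RULES` is built by splicing `${SECRET_VALUE_GHCR}` into a JSON literal, so a token containing `"` or `\` yields invalid JSON that renovate rejects at run time rather than here; letting a JSON encoder quote it is safer, e.g. `RENOVATE_HOST_RULES="$(jq -cn --arg pw "${SECRET_VALUE_GHCR}" '[{hostType:"docker",matchHost:"ghcr.io",username:"soerenschneider",password:$pw}]')"`. The three `pass ${PASS_PREFIX}/${SECRET_NAME_…}` calls are unquoted; `pass "${PASS_PREFIX}/${SECRET_NAME_GHCR}"` keeps word-splitting out of the picture under `set -eu`. Unlike the keycloak and microbin scripts, `kubectl create secret generic tokens` passes no `--namespace`; the renovatebot overlay kustomization sets `namespace: renovate`, so that works, but a one-line comment noting the reliance would save the next reader a check.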
@@ -0,0 +1,52 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: vector + namespace: vector + labels: + app.kubernetes.io/name: vector + app.kubernetes.io/instance: vector + app.kubernetes.io/component: agent +data: + agent.yaml: | + data_dir: /vector-data-dir + sources: + kubernetes_logs: + type: kubernetes_logs + internal_metrics: + type: internal_metrics + transforms: + k8s: + type: remap + inputs: + - kubernetes_logs + source: | + if exists(.kubernetes.pod_labels."app") { + .app = .kubernetes.pod_labels."app" + } else if exists(.kubernetes.pod_labels."app.kubernetes.io/name") { + .app = .kubernetes.pod_labels."app.kubernetes.io/name" + } else if exists(.kubernetes.pod_labels."k8s-app") { + .app = .kubernetes.pod_labels."k8s-app" + } + if exists(.kubernetes.pod_labels."app.kubernetes.io/instance") { + .instance = .kubernetes.pod_labels."app.kubernetes.io/instance" + } + sinks: + prometheus: + type: prometheus_exporter + inputs: + - internal_metrics + loki: + type: loki + inputs: + - k8s + encoding: + codec: json + endpoint: "http://loki.loki:3100" + out_of_order_action: accept + tenant_id: soeren + labels: + datacenter: pt + cluster: svc.pt.soeren.cloud + app: "{{ .app }}" diff --git a/clusters/svc.pt.soeren.cloud/vector/kustomization.yaml b/clusters/svc.pt.soeren.cloud/vector/kustomization.yaml new file mode 100644 index 0000000..2c32d6b --- /dev/null +++ b/clusters/svc.pt.soeren.cloud/vector/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: vector +resources: + - ../../../apps/vector + - configmap.yaml + - namespace.yaml diff --git a/clusters/svc.pt.soeren.cloud/vector/namespace.yaml b/clusters/svc.pt.soeren.cloud/vector/namespace.yaml new file mode 100644 index 0000000..99acb20 --- /dev/null +++ b/clusters/svc.pt.soeren.cloud/vector/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: vector 
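Review bot: The `k8s` remap transform sets `.app` only when one of the three pod labels exists, so events from pods carrying none of them leave `.app` unset while the loki sink still renders `app: "{{ .app }}"`; I believe Vector then emits an empty label, which makes those streams hard to query. Adding a terminal fallback `else { .app = "unknown" }` after the `k8s-app` branch keeps the label set on every stream. The same applies to `.instance`, which is only used if a later template references it.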
diff --git a/infra/cert-manager/components/letsencrypt-clusterissuer/clusterissuer.yaml b/infra/cert-manager/components/letsencrypt-clusterissuer/clusterissuer.yaml new file mode 100644 index 0000000..c77db82 --- /dev/null +++ b/infra/cert-manager/components/letsencrypt-clusterissuer/clusterissuer.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-dns-prod + namespace: cert-manager +spec: + acme: + email: letsencrypt@soerensoerensen.de + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-account-key-route53 + solvers: + - selector: + dnsZones: + - "please edit" + dns01: + route53: + region: us-east-1 + hostedZoneID: "please edit" + accessKeyIDSecretRef: + name: route53-credentials + key: access-key-id + secretAccessKeySecretRef: + name: route53-credentials + key: access-key-secret diff --git a/infra/cert-manager/components/letsencrypt-clusterissuer/kustomization.yaml b/infra/cert-manager/components/letsencrypt-clusterissuer/kustomization.yaml new file mode 100644 index 0000000..bec88c9 --- /dev/null +++ b/infra/cert-manager/components/letsencrypt-clusterissuer/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: cert-manager + patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--dns01-recursive-nameservers-only" + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" diff --git a/infra/cert-manager/components/letsencrypt-clusterissuer/upsert-secret-cert-manager.sh b/infra/cert-manager/components/letsencrypt-clusterissuer/upsert-secret-cert-manager.sh new file mode 100755 index 0000000..1511016 --- /dev/null +++ b/infra/cert-manager/components/letsencrypt-clusterissuer/upsert-secret-cert-manager.sh 
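Review bot: `dnsZones` and `hostedZoneID` are left as the literal string `"please edit"`, so this ClusterIssuer would be applied with an unusable Route53 solver unless every overlay remembers to patch both fields; a comment naming the overlay that is expected to set them, or a kustomize replacement, would make the contract explicit. `metadata.namespace: cert-manager` is not meaningful on a cluster-scoped ClusterIssuer and can be dropped. `privateKeySecretRef.name: letsencrypt-account-key-route53` and `route53-credentials` will be created in the namespace cert-manager runs in; that is fine, but worth a one-line comment since the manifest itself carries no namespace.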
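Review bot: This component is named `letsencrypt-clusterissuer` but never lists `clusterissuer.yaml` under `resources`, so enabling it only re-applies the recursive-nameserver args and no ClusterIssuer is created; add `resources: - clusterissuer.yaml` above `patches`. The two `add` ops are byte-identical to the `recursive-dns` component and to the base `infra/cert-manager/kustomization.yaml`, so they should be removed here to avoid appending the flags twice.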
@@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +TF_VALUE=$(terraform -chdir=../../../contrib/terraform/route53-credentials output -json cert-manager | jq -r '.["cert-manager-'${CLUSTER_NAME}'"]') +AWS_SECRET_ACCESS_KEY=$(echo $TF_VALUE |jq -r '.access_key_secret') +AWS_ACCESS_KEY_ID=$(echo $TF_VALUE |jq -r '.access_key_id') + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=access-key-secret="${AWS_SECRET_ACCESS_KEY}" \ + --from-literal=access-key-id="${AWS_ACCESS_KEY_ID}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/infra/cert-manager/components/recursive-dns/kustomization.yaml b/infra/cert-manager/components/recursive-dns/kustomization.yaml new file mode 100644 index 0000000..bec88c9 --- /dev/null +++ b/infra/cert-manager/components/recursive-dns/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: cert-manager + patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--dns01-recursive-nameservers-only" + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" diff --git a/infra/cert-manager/kustomization.yaml b/infra/cert-manager/kustomization.yaml new file mode 100644 index 0000000..5a72a8f --- /dev/null +++ b/infra/cert-manager/kustomization.yaml 
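Review bot: The terraform output is selected with `${CLUSTER_NAME}`, whereas the sibling script at L869 uses `${K8S_CLUSTER_NAME}` for the same purpose; one of the two is presumably undefined in `contrib/variables.sh` and `set -u` will abort the script at that line. The cluster name is also spliced into the jq program text, so `jq -r --arg c "cert-manager-${K8S_CLUSTER_NAME}" '.[$c]'` is safer than `'.["cert-manager-'${CLUSTER_NAME}'"]'`; the same applies to L869, L877 and L880. `echo $TF_VALUE` is unquoted and subject to word splitting, and unlike L869 this script never assigns `K8S_SECRET_NAME` or `K8S_SECRET_FILE_NAME`, so it depends on variables.sh exporting them.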
@@ -0,0 +1,17 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "https://github.com/cert-manager/cert-manager/releases/download/v1.14.2/cert-manager.yaml" +namespace: "cert-manager" +patches: + - target: + kind: "Deployment" + name: "cert-manager" + patch: |- + - op: "add" + path: "/spec/template/spec/containers/0/args/-" + value: "--dns01-recursive-nameservers-only" + - op: "add" + path: "/spec/template/spec/containers/0/args/-" + value: "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" diff --git a/infra/cert-manager/upsert-secrets.sh b/infra/cert-manager/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/infra/cert-manager/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/infra/csi-smb/components/k0s/kustomization.yaml b/infra/csi-smb/components/k0s/kustomization.yaml new file mode 100644 index 0000000..9557e3b --- /dev/null +++ b/infra/csi-smb/components/k0s/kustomization.yaml 
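Review bot: The base already appends `--dns01-recursive-nameservers-only` and `--dns01-recursive-nameservers=...` to the cert-manager Deployment, and the `recursive-dns` component (L865) and `letsencrypt-clusterissuer` component (L864) carry the same two `add` ops, so any overlay enabling either component ends up with the flags duplicated in `args`. Keep the patch in exactly one place — the `recursive-dns` component is the natural owner, since it makes the behaviour opt-in per cluster — and drop `patches` from this base.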
@@ -0,0 +1,50 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "DaemonSet" + name: "csi-smb-node" + patch: |- + - op: "test" + path: "/spec/template/spec/containers/2/name" + value: "smb" + - op: "test" + path: "/spec/template/spec/containers/2/volumeMounts/1/name" + value: "mountpoint-dir" + - op: "replace" + path: "/spec/template/spec/containers/2/volumeMounts/1" + value: + mountPath: "/var/lib/k0s/kubelet/" + mountPropagation: "Bidirectional" + name: "mountpoint-dir" + - patch: |- + apiVersion: "apps/v1" + kind: "DaemonSet" + metadata: + name: "csi-smb-node" + namespace: "kube-system" + spec: + template: + spec: + containers: + - name: "node-driver-registrar" + env: + - name: "DRIVER_REG_SOCK_PATH" + value: "/var/lib/k0s/kubelet/plugins/smb.csi.k8s.io/csi.sock" + volumes: + - hostPath: + path: "/var/lib/k0s/kubelet/plugins/smb.csi.k8s.io" + type: "DirectoryOrCreate" + name: "socket-dir" + - hostPath: + path: "/var/lib/k0s/kubelet/" + type: "DirectoryOrCreate" + name: "mountpoint-dir" + - hostPath: + path: "/var/lib/k0s/kubelet/plugins_registry/" + type: "DirectoryOrCreate" + name: "registration-dir" + target: + kind: "DaemonSet" + name: "csi-smb-node" diff --git a/infra/csi-smb/kustomization.yaml b/infra/csi-smb/kustomization.yaml new file mode 100644 index 0000000..e6b6a98 --- /dev/null +++ b/infra/csi-smb/kustomization.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +commonLabels: + app: "csi-smb-node" +resources: + - "csi-smb-controller.yaml" + - "csi-smb-driver.yaml" + - "csi-smb-node.yaml" + - "rbac-csi-smb.yaml" diff --git a/infra/external-dns/components/aws/kustomization.yaml b/infra/external-dns/components/aws/kustomization.yaml new file mode 100644 index 0000000..2990b41 --- /dev/null +++ b/infra/external-dns/components/aws/kustomization.yaml 
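Review bot: `commonLabels: app: csi-smb-node` is applied to every resource in `infra/csi-smb/kustomization.yaml`, including the controller, and kustomize also injects commonLabels into Deployment/DaemonSet selectors, which makes the selector immutable for future renames and labels the controller pods as the node plugin. Prefer `labels: - pairs: {app: csi-smb-node} includeSelectors: false` (or per-resource labels) so selectors stay as upstream ships them. The k0s component's `test` ops before the `replace` are a good guard against index drift in the upstream DaemonSet.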
@@ -0,0 +1,27 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "Deployment" + name: "external-dns" + patch: |- + - op: "add" + path: "/spec/template/spec/containers/0/args/-" + value: "--provider=aws" + - op: "add" + path: "/spec/template/spec/containers/0/args/-" + value: "--aws-zone-type=public" + - op: "replace" + path: "/spec/template/spec/containers/0/env" + value: + - name: "AWS_ACCESS_KEY_ID" + valueFrom: + secretKeyRef: + name: "route53-credentials" + key: "access-key-id" + - name: "AWS_SECRET_ACCESS_KEY" + valueFrom: + secretKeyRef: + name: "route53-credentials" + key: "access-key-secret" diff --git a/infra/external-dns/components/aws/upsert-secret-external-dns.sh b/infra/external-dns/components/aws/upsert-secret-external-dns.sh new file mode 100755 index 0000000..e0f014d --- /dev/null +++ b/infra/external-dns/components/aws/upsert-secret-external-dns.sh 
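Review bot: The third op uses `op: "replace"` on `/spec/template/spec/containers/0/env`; JSON Patch `replace` fails when the target member does not exist, so if the upstream external-dns Deployment at the pinned ref ships without an `env` key the kustomize build errors out. `op: "add"` behaves as replace when the key exists and as insert when it does not, so `- op: "add"` is the safer choice here. The credentials are long-lived static AWS keys, so the upsert script that rotates them (L869) should be referenced in a comment next to `secretKeyRef`.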
@@ -0,0 +1,25 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +K8S_SECRET_NAME=route53-credentials +K8S_SECRET_FILE_NAME=sops-secret-route53-credentials.yaml +TF_VALUE=$(terraform -chdir=../../../contrib/terraform/route53-credentials output -json external-dns | jq -r '.["external-dns-'${K8S_CLUSTER_NAME}'"]') +AWS_SECRET_ACCESS_KEY=$(echo ${TF_VALUE} | jq -r '.access_key_secret') +AWS_ACCESS_KEY_ID=$(echo ${TF_VALUE} | jq -r '.access_key_id') + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=access-key-secret="${AWS_SECRET_ACCESS_KEY}" \ + --from-literal=access-key-id="${AWS_ACCESS_KEY_ID}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin diff --git a/infra/external-dns/components/common/kustomization.yaml b/infra/external-dns/components/common/kustomization.yaml new file mode 100644 index 0000000..138185a --- /dev/null +++ b/infra/external-dns/components/common/kustomization.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: Deployment + name: external-dns + patch: |- + - op: add + path: /spec/template/spec/priorityClassName + value: system + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--publish-internal-services" + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--source=service" + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--registry=txt" + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--policy=upsert-only" 
diff --git a/infra/external-dns/components/istio/kustomization.yaml b/infra/external-dns/components/istio/kustomization.yaml new file mode 100644 index 0000000..9d328be --- /dev/null +++ b/infra/external-dns/components/istio/kustomization.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + kind: ClusterRole + name: external-dns + patch: |- + - op: add + path: /rules/- + value: + apiGroups: ["networking.istio.io"] + resources: ["gateways", "virtualservices"] + verbs: ["get","watch","list"] + - target: + kind: Deployment + name: external-dns + patch: |- + - op: add + path: /spec/template/spec/containers/0/args + value: + - --source=istio-gateway + - --source=istio-virtualservice diff --git a/infra/external-dns/kustomization.yaml b/infra/external-dns/kustomization.yaml new file mode 100644 index 0000000..7c2bb02 --- /dev/null +++ b/infra/external-dns/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "https://github.com/kubernetes-sigs/external-dns/kustomize?ref=v0.14.2" +patches: + - target: + kind: "Deployment" + name: "external-dns" + patch: |- + - op: "add" + path: "/metadata/annotations" + value: + reloader.stakater.com/auto: "true" + - op: "add" + path: "/spec/template/metadata/annotations" + value: + prometheus.io/scrape: "true" + prometheus.io/port: "7979" diff --git a/infra/external-dns/upsert-secrets.sh b/infra/external-dns/upsert-secrets.sh new file mode 100755 index 0000000..1bb3177 --- /dev/null +++ b/infra/external-dns/upsert-secrets.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +bash "$(git rev-parse --show-toplevel)/contrib/upsert-secrets.sh" diff --git a/infra/external-secrets/vault.yaml b/infra/external-secrets/vault.yaml new file mode 100644 index 0000000..80c4f20 --- /dev/null +++ b/infra/external-secrets/vault.yaml 
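Review bot: The Deployment patch does `op: add` on `/spec/template/spec/containers/0/args` with a list value; when `args` already exists, JSON Patch `add` replaces the whole array, discarding upstream arguments and anything appended with `/args/-` by components applied before this one (e.g. `common` and `aws`), so the result depends on component order. Append the two sources individually instead.

```yaml
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --source=istio-gateway
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --source=istio-virtualservice
```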
@@ -0,0 +1,16 @@ +--- +apiVersion: "external-secrets.io/v1beta1" +kind: "ClusterSecretStore" +metadata: + name: "vault" + namespace: "external-secrets" +spec: + provider: + vault: + server: "https://vault.ha.soeren.cloud" + path: "secret" + version: "v2" + auth: + kubernetes: + mountPath: "svc.dd.soeren.cloud" + role: "external-secrets" diff --git a/infra/local-storageclass/components/mark-default-storageclass/kustomization.yaml b/infra/local-storageclass/components/mark-default-storageclass/kustomization.yaml new file mode 100644 index 0000000..7eaa2f2 --- /dev/null +++ b/infra/local-storageclass/components/mark-default-storageclass/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1alpha1" +kind: "Component" +patches: + - target: + kind: "StorageClass" + name: "local-storage" + patch: |- + apiVersion: "storage.k8s.io/v1" + kind: "StorageClass" + metadata: + name: "local-storage" + annotations: + storageclass.kubernetes.io/is-default-class: "true" diff --git a/infra/local-storageclass/kustomization.yaml b/infra/local-storageclass/kustomization.yaml new file mode 100644 index 0000000..7a86f8a --- /dev/null +++ b/infra/local-storageclass/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "local-storageclass.yaml" diff --git a/infra/local-storageclass/local-storageclass.yaml b/infra/local-storageclass/local-storageclass.yaml new file mode 100644 index 0000000..66dbef3 --- /dev/null +++ b/infra/local-storageclass/local-storageclass.yaml @@ -0,0 +1,7 @@ +--- +kind: "StorageClass" +apiVersion: "storage.k8s.io/v1" +metadata: + name: "local-storage" +provisioner: "kubernetes.io/no-provisioner" +volumeBindingMode: "WaitForFirstConsumer" diff --git a/infra/metallb/kustomization.yaml b/infra/metallb/kustomization.yaml new file mode 100644 index 0000000..b730c92 --- /dev/null +++ b/infra/metallb/kustomization.yaml 
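Review bot: `mountPath: "svc.dd.soeren.cloud"` hard-codes the Kubernetes auth mount of one cluster into the shared `infra/external-secrets` base, while this commit also wires up `svc.pt.soeren.cloud`; any other cluster consuming this base authenticates against the wrong mount and every ExternalSecret fails. Move the value into a per-cluster overlay patch and leave a placeholder such as `mountPath: "please edit"` here, matching the convention used in the ClusterIssuer. `metadata.namespace` has no effect on a cluster-scoped ClusterSecretStore and can be dropped.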
@@ -0,0 +1,31 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: metallb-system +resources: + - github.com/metallb/metallb/config/native?ref=v0.14.5 +patches: + - target: + kind: DaemonSet + name: speaker + patch: |- + - op: add + path: /spec/template/spec/containers/0/resources + value: + requests: + memory: 64M + cpu: 5m + limits: + memory: 96M + - target: + kind: Deployment + name: controller + patch: |- + - op: add + path: /spec/template/spec/containers/0/resources + value: + requests: + memory: 64M + cpu: 5m + limits: + memory: 96M diff --git a/infra/priority/kustomization.yaml b/infra/priority/kustomization.yaml new file mode 100644 index 0000000..2fcb69c --- /dev/null +++ b/infra/priority/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - pc-00001-best-effort.yaml + - pc-01000-dev-low-prio.yaml + - pc-01500-dev-default-prio.yaml + - pc-02000-dev-high-prio.yaml + - pc-02500-default-prio.yaml + - pc-03000-prod-low-prio.yaml + - pc-04000-prod-default-prio.yaml + - pc-05000-prod-high-prio.yaml + - pc-10000-batch-high-prio.yaml + - pc-20000-system.yaml diff --git a/infra/priority/pc-00001-best-effort.yaml b/infra/priority/pc-00001-best-effort.yaml new file mode 100644 index 0000000..058acc5 --- /dev/null +++ b/infra/priority/pc-00001-best-effort.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: best-effort +value: 1 +globalDefault: false +description: "Best-effort workloads" diff --git a/infra/priority/pc-01000-dev-low-prio.yaml b/infra/priority/pc-01000-dev-low-prio.yaml new file mode 100644 index 0000000..f8e2ddc --- /dev/null +++ b/infra/priority/pc-01000-dev-low-prio.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: dev-low-prio +value: 1000 +globalDefault: false +description: "Development default priority workloads" 
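Review bot: `pc-01000-dev-low-prio.yaml` carries `description: "Development default priority workloads"`, which is the description of the 1500 class in L873; for value 1000 it should read `description: "Development low priority workloads"`. Descriptions are what `kubectl describe priorityclass` shows, so a copy-paste mismatch here misleads operators picking a class.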
diff --git a/infra/priority/pc-01500-dev-default-prio.yaml b/infra/priority/pc-01500-dev-default-prio.yaml new file mode 100644 index 0000000..7c75470 --- /dev/null +++ b/infra/priority/pc-01500-dev-default-prio.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: dev-default-prio +value: 1500 +globalDefault: false +description: "Development default priority workloads" diff --git a/infra/priority/pc-02000-dev-high-prio.yaml b/infra/priority/pc-02000-dev-high-prio.yaml new file mode 100644 index 0000000..f7835eb --- /dev/null +++ b/infra/priority/pc-02000-dev-high-prio.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: dev-high-priority +value: 2000 +globalDefault: false +description: "Development workloads" diff --git a/infra/priority/pc-02500-default-prio.yaml b/infra/priority/pc-02500-default-prio.yaml new file mode 100644 index 0000000..19ad808 --- /dev/null +++ b/infra/priority/pc-02500-default-prio.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: default-priority +value: 2500 +globalDefault: true +description: "Default priority" diff --git a/infra/priority/pc-03000-prod-low-prio.yaml b/infra/priority/pc-03000-prod-low-prio.yaml new file mode 100644 index 0000000..661404e --- /dev/null +++ b/infra/priority/pc-03000-prod-low-prio.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: prod-low-prio +value: 3000 +globalDefault: false +description: "Production low priority workloads" diff --git a/infra/priority/pc-04000-prod-default-prio.yaml b/infra/priority/pc-04000-prod-default-prio.yaml new file mode 100644 index 0000000..fb330c3 --- /dev/null +++ b/infra/priority/pc-04000-prod-default-prio.yaml 
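Review bot: The class names are inconsistent: `dev-high-priority` and `default-priority` use the long suffix while every other class (`dev-low-prio`, `prod-high-prio`, …) uses `-prio`, and the file names say `dev-high-prio`/`default-prio`. Since PriorityClass names are referenced by string from workloads (`priorityClassName: system` in L869), pick one convention now, before overlays depend on them; `name: dev-high-prio` and `name: default-prio` match the file names. The 2000 class's description `"Development workloads"` should also say "high priority" like its siblings.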
@@ -0,0 +1,8 @@ +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: prod-default-prio +value: 4000 +globalDefault: false +description: "Production default priority workloads" diff --git a/infra/priority/pc-05000-prod-high-prio.yaml b/infra/priority/pc-05000-prod-high-prio.yaml new file mode 100644 index 0000000..9fca978 --- /dev/null +++ b/infra/priority/pc-05000-prod-high-prio.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: "prod-high-prio" +value: 5000 +globalDefault: false +description: "Production high priority workloads" diff --git a/infra/priority/pc-10000-batch-high-prio.yaml b/infra/priority/pc-10000-batch-high-prio.yaml new file mode 100644 index 0000000..fee61c9 --- /dev/null +++ b/infra/priority/pc-10000-batch-high-prio.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: batch-high-prio +value: 10000 +globalDefault: false +description: "High-priority batch jobs" diff --git a/infra/priority/pc-20000-system.yaml b/infra/priority/pc-20000-system.yaml new file mode 100644 index 0000000..af0cc64 --- /dev/null +++ b/infra/priority/pc-20000-system.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: system +value: 20000 +globalDefault: false +description: "Used by critical system components" diff --git a/infra/restic-mariadb/kustomization.yaml b/infra/restic-mariadb/kustomization.yaml new file mode 100644 index 0000000..bd8a1b1 --- /dev/null +++ b/infra/restic-mariadb/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - restic-mariadb-backup-cronjob.yaml + - restic-mariadb-networkpolicy.yaml + - restic-mariadb-prune-cronjob.yaml diff --git a/infra/restic-mariadb/restic-mariadb-backup-cronjob.yaml b/infra/restic-mariadb/restic-mariadb-backup-cronjob.yaml new file mode 100644 index 0000000..c1a0585 --- /dev/null 
+++ b/infra/restic-mariadb/restic-mariadb-backup-cronjob.yaml @@ -0,0 +1,62 @@ +--- +apiVersion: "batch/v1" +kind: "CronJob" +metadata: + name: "restic-mariadb-backup" +spec: + schedule: "0 6 * * *" + concurrencyPolicy: "Forbid" + jobTemplate: + spec: + template: + metadata: + labels: + app: "restic" + restic/name: "unknown" + restic/type: "mariadb" + restic/operation: "backup" + sidecar.istio.io/inject: "false" + spec: + restartPolicy: "OnFailure" + securityContext: + runAsUser: 16523 + runAsGroup: 16523 + fsGroup: 16523 + runAsNonRoot: true + containers: + - name: "restic-backup" + image: "ghcr.io/soerenschneider/restic:main-20240517191209" + imagePullPolicy: "IfNotPresent" + securityContext: + runAsUser: 16523 + runAsGroup: 16523 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + env: + - name: "PUSHGATEWAY_URL" + value: "http://pushgateway.monitoring" + - name: "TMPDIR" + value: "/tmp" + - name: "RESTIC_CACHE_DIR" + value: "/tmp/restic-cache" + - name: "_RESTIC_TYPE" + value: "mariadb" + envFrom: [] + resources: + requests: + memory: "256Mi" + cpu: "20m" + limits: + memory: "1G" + volumeMounts: + - name: "tmp" + mountPath: "/tmp" + volumes: + - name: "tmp" + emptyDir: {} diff --git a/infra/restic-mariadb/restic-mariadb-networkpolicy.yaml b/infra/restic-mariadb/restic-mariadb-networkpolicy.yaml new file mode 100644 index 0000000..b874e98 --- /dev/null +++ b/infra/restic-mariadb/restic-mariadb-networkpolicy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: "networking.k8s.io/v1" +kind: "NetworkPolicy" +metadata: + name: "restic-mariadb" +spec: + podSelector: + matchLabels: + app: "restic" + restic/type: "mariadb" + policyTypes: + - "Ingress" + ingress: [] diff --git a/infra/restic-mariadb/restic-mariadb-prune-cronjob.yaml b/infra/restic-mariadb/restic-mariadb-prune-cronjob.yaml new file mode 100644 index 0000000..3ededd8 --- /dev/null 
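Review bot: The Job spec has no `activeDeadlineSeconds` or `backoffLimit`; combined with `concurrencyPolicy: "Forbid"` a single hung backup blocks every subsequent schedule indefinitely, and `restartPolicy: "OnFailure"` keeps retrying the pod in place. Add `activeDeadlineSeconds: <bound for a full backup>` under `jobTemplate.spec` — the same applies to the cronjobs at L876, L878, L879, L881 and L882. `envFrom: []` means this template carries neither repository credentials nor MariaDB connection settings (the prune job at L876 references a `restic-mariadb` ConfigMap/Secret), so presumably overlays patch them in; a comment stating that expectation next to `envFrom` would help.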
+++ b/infra/restic-mariadb/restic-mariadb-prune-cronjob.yaml @@ -0,0 +1,69 @@ +--- +apiVersion: "batch/v1" +kind: "CronJob" +metadata: + name: "restic-mariadb-prune" +spec: + schedule: "30 12 * * *" + concurrencyPolicy: "Forbid" + jobTemplate: + spec: + template: + metadata: + labels: + app: "restic" + restic/name: "unknown" + restic/type: "mariadb" + restic/operation: "prune" + sidecar.istio.io/inject: "false" + spec: + restartPolicy: "OnFailure" + securityContext: + runAsUser: 16523 + runAsGroup: 16523 + fsGroup: 16523 + runAsNonRoot: true + containers: + - name: "restic-backup-prune" + image: "ghcr.io/soerenschneider/restic:main-20240517191209" + imagePullPolicy: "IfNotPresent" + command: + - "/usr/local/bin/restic_prune.py" + securityContext: + runAsUser: 16523 + runAsGroup: 16523 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + env: + - name: "PUSHGATEWAY_URL" + value: "http://pushgateway.monitoring" + - name: "TMPDIR" + value: "/tmp" + - name: "RESTIC_CACHE_DIR" + value: "/tmp/restic-cache" + - name: "_RESTIC_TYPE" + value: "mariadb" + envFrom: + - configMapRef: + name: "restic-mariadb" + - secretRef: + name: "restic-mariadb" + optional: true + resources: + requests: + memory: "256Mi" + cpu: "20m" + limits: + memory: "1G" + volumeMounts: + - name: "tmp" + mountPath: "/tmp" + volumes: + - name: "tmp" + emptyDir: {} diff --git a/infra/restic-mariadb/upsert-secret-restic-mariadb.sh b/infra/restic-mariadb/upsert-secret-restic-mariadb.sh new file mode 100755 index 0000000..584990f --- /dev/null +++ b/infra/restic-mariadb/upsert-secret-restic-mariadb.sh 
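Review bot: The `secretRef` for `restic-mariadb` is marked `optional: true`, so a missing or misnamed Secret does not fail pod creation and the prune run only errors later inside restic, which is harder to spot than a pod stuck in CreateContainerConfigError. Unless the Secret is genuinely optional for some deployments, drop `optional: true` so the misconfiguration surfaces at scheduling time.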
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +BACKUP_ID="mealie-postgres" +S3_DIR="restic-${BACKUP_ID}" +TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]') +AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id') +AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret') +RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}" +RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \ + --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \ + --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \ + --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \ + --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/infra/restic-postgres/kustomization.yaml b/infra/restic-postgres/kustomization.yaml new file mode 100644 index 0000000..adc3450 --- /dev/null +++ b/infra/restic-postgres/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - restic-postgres-backup-cronjob.yaml + - restic-postgres-networkpolicy.yaml + - restic-postgres-prune-cronjob.yaml diff --git a/infra/restic-postgres/restic-postgres-backup-cronjob.yaml b/infra/restic-postgres/restic-postgres-backup-cronjob.yaml new file mode 100644 index 0000000..dc41a9f --- /dev/null +++ b/infra/restic-postgres/restic-postgres-backup-cronjob.yaml 
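Review bot: This file in `infra/restic-mariadb` sets `BACKUP_ID="mealie-postgres"` and is byte-identical to the postgres script at L880 (same blob `584990f`), so running it writes the postgres bucket credentials and restic password into the MariaDB secret file. The BACKUP_ID (and the directory-specific path) needs to be corrected, or better, derived from a variable set in the overlay rather than hard-coded into a file under a shared `infra/` base. `pass backups/restic/prod/${BACKUP_ID}` should quote its argument, and the file lacks a trailing newline.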
@@ -0,0 +1,72 @@ +--- +apiVersion: "batch/v1" +kind: "CronJob" +metadata: + name: "restic-postgres-backup" +spec: + schedule: "0 6 * * *" + concurrencyPolicy: "Forbid" + jobTemplate: + spec: + template: + metadata: + labels: + app: "restic" + restic/name: "unknown" + restic/type: "postgres" + restic/operation: "backup" + sidecar.istio.io/inject: "false" + spec: + restartPolicy: "OnFailure" + securityContext: + runAsUser: 16523 + runAsGroup: 16523 + fsGroup: 16523 + runAsNonRoot: true + containers: + - name: "restic-backup" + image: "ghcr.io/soerenschneider/restic-pg16:main-20240225135720" + imagePullPolicy: "IfNotPresent" + securityContext: + runAsUser: 16523 + runAsGroup: 16523 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + env: + - name: "POSTGRES_HOST" + valueFrom: + configMapKeyRef: + name: "mealie-restic-postgres" + key: "POSTGRES_SERVER" + - name: "PGPASSWORD" + valueFrom: + secretKeyRef: + name: "mealie-restic-postgres" + key: "POSTGRES_PASSWORD" + - name: "PUSHGATEWAY_URL" + value: "http://pushgateway.monitoring" + - name: "TMPDIR" + value: "/tmp" + - name: "RESTIC_CACHE_DIR" + value: "/tmp/restic-cache" + - name: "_RESTIC_TYPE" + value: "postgres" + envFrom: [] + resources: + requests: + memory: "256Mi" + cpu: "20m" + limits: + memory: "1G" + volumeMounts: + - name: "tmp" + mountPath: "/tmp" + volumes: + - name: "tmp" + emptyDir: {} diff --git a/infra/restic-postgres/restic-postgres-networkpolicy.yaml b/infra/restic-postgres/restic-postgres-networkpolicy.yaml new file mode 100644 index 0000000..cada3c1 --- /dev/null +++ b/infra/restic-postgres/restic-postgres-networkpolicy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: "networking.k8s.io/v1" +kind: "NetworkPolicy" +metadata: + name: "restic-postgres" +spec: + podSelector: + matchLabels: + app: "restic" + restic/type: "postgres" + policyTypes: + - "Ingress" + ingress: [] 
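Review bot: The shared `infra/restic-postgres` base references app-specific objects by name (`configMapKeyRef.name: "mealie-restic-postgres"`, `secretKeyRef.name: "mealie-restic-postgres"`), so every other Postgres backup built from this base reads Mealie's host and password unless both refs are patched. The rest of the template uses `"unknown"` as the placeholder for values an overlay must set (`restic/name`), so use that convention here too, e.g. `name: "unknown"` for both refs. `PGPASSWORD` in the environment is visible to anything that can read the pod spec; a `.pgpass` file mounted from the Secret would be the tighter option.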
diff --git a/infra/restic-postgres/restic-postgres-prune-cronjob.yaml b/infra/restic-postgres/restic-postgres-prune-cronjob.yaml new file mode 100644 index 0000000..39dae29 --- /dev/null +++ b/infra/restic-postgres/restic-postgres-prune-cronjob.yaml @@ -0,0 +1,64 @@ +--- +apiVersion: "batch/v1" +kind: "CronJob" +metadata: + name: "restic-postgres-prune" +spec: + schedule: "30 12 * * *" + concurrencyPolicy: "Forbid" + jobTemplate: + spec: + template: + metadata: + labels: + app: "restic" + restic/name: "unknown" + restic/type: "postgres" + restic/operation: "prune" + sidecar.istio.io/inject: "false" + spec: + restartPolicy: "OnFailure" + securityContext: + runAsUser: 16523 + runAsGroup: 16523 + fsGroup: 16523 + runAsNonRoot: true + containers: + - name: "restic-backup-prune" + image: "ghcr.io/soerenschneider/restic-pg16:main-20240225135720" + imagePullPolicy: "IfNotPresent" + command: + - "/usr/local/bin/restic_prune.py" + securityContext: + runAsUser: 16523 + runAsGroup: 16523 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + env: + - name: "PUSHGATEWAY_URL" + value: "http://pushgateway.monitoring" + - name: "TMPDIR" + value: "/tmp" + - name: "RESTIC_CACHE_DIR" + value: "/tmp/restic-cache" + - name: "_RESTIC_TYPE" + value: "postgres" + envFrom: [] + resources: + requests: + memory: "256Mi" + cpu: "20m" + limits: + memory: "1G" + volumeMounts: + - name: "tmp" + mountPath: "/tmp" + volumes: + - name: "tmp" + emptyDir: {} diff --git a/infra/restic-postgres/upsert-secret-mealie-restic-postgres.sh b/infra/restic-postgres/upsert-secret-mealie-restic-postgres.sh new file mode 100755 index 0000000..584990f --- /dev/null +++ b/infra/restic-postgres/upsert-secret-mealie-restic-postgres.sh 
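Review bot: This prune CronJob has `envFrom: []`, whereas the MariaDB prune job at L876 loads `restic-mariadb` via `configMapRef`/`secretRef`; since prune needs the repository location and credentials just like backup does, one of the two templates is presumably wrong. If overlays are expected to fill `envFrom` for postgres, a comment saying so would avoid the drift; otherwise mirror the MariaDB job with a `restic-postgres` ConfigMap/Secret reference.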
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +BACKUP_ID="mealie-postgres" +S3_DIR="restic-${BACKUP_ID}" +TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]') +AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id') +AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret') +RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}" +RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \ + --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \ + --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \ + --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \ + --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/infra/restic-pvc/kustomization.yaml b/infra/restic-pvc/kustomization.yaml new file mode 100644 index 0000000..07acafc --- /dev/null +++ b/infra/restic-pvc/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: "kustomize.config.k8s.io/v1beta1" +kind: "Kustomization" +resources: + - "restic-pvc-backup-cronjob.yaml" + - "restic-pvc-networkpolicy.yaml" + - "restic-pvc-prune-cronjob.yaml" diff --git a/infra/restic-pvc/restic-pvc-backup-cronjob.yaml b/infra/restic-pvc/restic-pvc-backup-cronjob.yaml new file mode 100644 index 0000000..b0501a1 --- /dev/null +++ b/infra/restic-pvc/restic-pvc-backup-cronjob.yaml 
@@ -0,0 +1,68 @@ +--- +apiVersion: "batch/v1" +kind: "CronJob" +metadata: + name: "restic-pvc-backup" +spec: + schedule: "15 5 * * *" + concurrencyPolicy: "Forbid" + jobTemplate: + spec: + template: + metadata: + labels: + app: "restic" + restic/name: "unknown" + restic/operation: "backup" + restic/type: "directory" + sidecar.istio.io/inject: "false" + spec: + restartPolicy: "OnFailure" + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + runAsNonRoot: true + containers: + - name: "restic-pvc-backup" + image: "ghcr.io/soerenschneider/restic:main-20240225135719" + imagePullPolicy: "IfNotPresent" + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + env: + - name: "PUSHGATEWAY_URL" + value: "http://pushgateway.monitoring" + - name: "TMPDIR" + value: "/tmp" + - name: "RESTIC_CACHE_DIR" + value: "/tmp/restic-cache" + - name: "_RESTIC_TYPE" + value: "directory" + envFrom: [] + resources: + requests: + memory: "256Mi" + cpu: "20m" + limits: + memory: "1G" + volumeMounts: + - name: "storage" + readOnly: true + mountPath: "/data" + - name: "tmp" + mountPath: "/tmp" + volumes: + - name: "storage" + persistentVolumeClaim: + claimName: "unknown" + - name: "tmp" + emptyDir: {} diff --git a/infra/restic-pvc/restic-pvc-networkpolicy.yaml b/infra/restic-pvc/restic-pvc-networkpolicy.yaml new file mode 100644 index 0000000..2737dc0 --- /dev/null +++ b/infra/restic-pvc/restic-pvc-networkpolicy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: "networking.k8s.io/v1" +kind: "NetworkPolicy" +metadata: + name: "restic-pvc" +spec: + podSelector: + matchLabels: + app: "restic" + restic/type: "directory" + policyTypes: + - Ingress + ingress: [] diff --git a/infra/restic-pvc/restic-pvc-prune-cronjob.yaml b/infra/restic-pvc/restic-pvc-prune-cronjob.yaml new file mode 100644 index 0000000..ece3340 --- /dev/null 
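Review bot: `fsGroup: 65535` on a pod that mounts another workload's PersistentVolumeClaim (`claimName: "unknown"` is patched per app) can make the kubelet recursively chgrp the volume's files to 65535 at mount time, because `readOnly: true` on the volumeMount does not by itself stop ownership management of the underlying volume; that would alter the source application's data permissions on every backup run. Either drop `fsGroup` and grant read access via the owning app's group, or add `fsGroupChangePolicy: "OnRootMismatch"` next to it so existing trees are left alone; whether the chgrp actually happens depends on the volume plugin, so verify it against the storage class in use. A comment on `runAsUser: 65535` noting that the uid/gid must be able to read the source PVC would also help whoever patches `claimName`.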
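Review bot: The policy only carries `policyTypes: [Ingress]`, so restic pods have unrestricted egress even though they need to reach only DNS, `pushgateway.monitoring` and the S3 endpoint on TCP/443; adding `- Egress` to `policyTypes` with rules for those three destinations would confine a backup job, which holds repository credentials, to its intended targets. The selector `restic/type: "directory"` also leaves the postgres jobs (`restic/type: "postgres"` in restic-postgres-prune-cronjob.yaml) outside this policy; if infra/restic-postgres has no equivalent policy, it should get one. The empty `ingress: []` deny is only enforced where the CNI implements NetworkPolicy, which is worth a one-line comment for readers of the base.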
+++ b/infra/restic-pvc/restic-pvc-prune-cronjob.yaml @@ -0,0 +1,62 @@ +--- +apiVersion: "batch/v1" +kind: "CronJob" +metadata: + name: "restic-pvc-prune" +spec: + schedule: "0 23 * * *" + concurrencyPolicy: "Forbid" + jobTemplate: + spec: + template: + metadata: + labels: + app: "restic" + restic/name: "unknown" + restic/operation: "prune" + restic/type: "directory" + sidecar.istio.io/inject: "false" + spec: + restartPolicy: "OnFailure" + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + fsGroup: 65535 + runAsNonRoot: true + containers: + - name: "restic-pvc-prune" + image: "ghcr.io/soerenschneider/restic:main-20240225135719" + imagePullPolicy: "IfNotPresent" + command: + - "restic_prune.py" + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - "ALL" + env: + - name: "PUSHGATEWAY_URL" + value: "http://pushgateway.monitoring" + - name: "TMPDIR" + value: "/tmp" + - name: "_RESTIC_TYPE" + value: "directory" + envFrom: [] + resources: + requests: + memory: "256Mi" + cpu: "20m" + limits: + memory: "1G" + volumeMounts: + - name: "tmp" + mountPath: "/tmp" + volumes: + - name: "tmp" + emptyDir: {} diff --git a/infra/restic-pvc/upsert-secret-radicale-restic-pvc.sh b/infra/restic-pvc/upsert-secret-radicale-restic-pvc.sh new file mode 100755 index 0000000..c575bd7 --- /dev/null +++ b/infra/restic-pvc/upsert-secret-radicale-restic-pvc.sh 
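Review bot: The container sets `TMPDIR` but not `RESTIC_CACHE_DIR`, unlike restic-pvc-backup-cronjob.yaml and restic-postgres-prune-cronjob.yaml which point it at `/tmp/restic-cache`; with `readOnlyRootFilesystem: true` and uid 65535 the default cache location under the home directory is presumably not writable, so prune likely runs without a cache (or fails, depending on the image), making the daily prune much slower against S3. Add `- name: "RESTIC_CACHE_DIR"` / `value: "/tmp/restic-cache"` to `env` as in the other two jobs. `command: - "restic_prune.py"` relies on PATH while the postgres job uses `/usr/local/bin/restic_prune.py`; pick one form for both.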
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +########################################################### +# Copy this header +########################################################### + +set -o pipefail +set -eu + +source "$(git rev-parse --show-toplevel)/contrib/variables.sh" +########################################################### + +BACKUP_ID=radicale +S3_DIR="restic-${BACKUP_ID}" +TF_VALUE=$(terraform -chdir=../../../../tf-aws-s3-backups output -json ids | jq -r '.["'"${S3_DIR}"'"]') +AWS_ACCESS_KEY_ID=$(echo "$TF_VALUE" | jq -r '.id') +AWS_SECRET_ACCESS_KEY=$(echo "$TF_VALUE" | jq -r '.secret') +RESTIC_REPOSITORY="s3:s3.amazonaws.com/soerenschneider-backups/${S3_DIR}" +RESTIC_PASSWORD="$(pass backups/restic/prod/${BACKUP_ID})" + +kubectl create secret generic "${K8S_SECRET_NAME}" \ + --from-literal=AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \ + --from-literal=AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \ + --from-literal=RESTIC_REPOSITORY="${RESTIC_REPOSITORY}" \ + --from-literal=RESTIC_PASSWORD="${RESTIC_PASSWORD}" \ + --from-literal=RESTIC_BACKUP_ID="${BACKUP_ID}" \ + --dry-run=client -o yaml | + sops -e --input-type=yaml --output-type=yaml -e \ + --encrypted-regex '^(data|stringData)$' \ + --output "${K8S_SECRET_FILE_NAME}" /dev/stdin \ No newline at end of file diff --git a/infra/vault-auth/cluster-role-binding.yaml b/infra/vault-auth/cluster-role-binding.yaml new file mode 100644 index 0000000..1b8accf --- /dev/null +++ b/infra/vault-auth/cluster-role-binding.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: role-tokenreview-binding + namespace: vault-auth +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: vault-kubernetes-auth + namespace: vault-auth diff --git a/infra/vault-auth/kustomization.yaml b/infra/vault-auth/kustomization.yaml new file mode 100644 index 0000000..44fc6ab --- /dev/null 
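Review bot: `metadata.namespace: vault-auth` on a ClusterRoleBinding has no effect because the kind is cluster-scoped; the API server ignores it (and kubectl may warn), so the line should be removed rather than leave the impression that the binding is namespace-bound. The binding grants `vault-kubernetes-auth` `system:auth-delegator`, i.e. TokenReview and SubjectAccessReview creation, which is the minimum Vault's Kubernetes auth method needs; a comment such as `# grants TokenReview access for Vault's kubernetes auth backend` above `roleRef` would record that purpose for reviewers of RBAC changes.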
+++ b/infra/vault-auth/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - service-account.yaml + - cluster-role-binding.yaml + - service-account-token-sec.yaml diff --git a/infra/vault-auth/namespace.yaml b/infra/vault-auth/namespace.yaml new file mode 100644 index 0000000..9e63a5c --- /dev/null +++ b/infra/vault-auth/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: vault-auth diff --git a/infra/vault-auth/service-account-token-sec.yaml b/infra/vault-auth/service-account-token-sec.yaml new file mode 100644 index 0000000..b1d08cf --- /dev/null +++ b/infra/vault-auth/service-account-token-sec.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: vault-kubernetes-auth-secret + namespace: vault-auth + annotations: + kubernetes.io/service-account.name: vault-kubernetes-auth +type: kubernetes.io/service-account-token diff --git a/infra/vault-auth/service-account.yaml b/infra/vault-auth/service-account.yaml new file mode 100644 index 0000000..a525eb0 --- /dev/null +++ b/infra/vault-auth/service-account.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault-kubernetes-auth + namespace: vault-auth diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..a8a7181 --- /dev/null +++ b/renovate.json 
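Review bot: The `kubernetes.io/service-account-token` Secret creates a non-expiring, non-rotated bearer token for `vault-kubernetes-auth`, the account holding `system:auth-delegator`, so anyone able to read Secrets in `vault-auth` can perform TokenReviews against the cluster indefinitely. This is presumably the `token_reviewer_jwt` for Vault's Kubernetes auth method; a comment above `type:` recording that, and that rotation means deleting and re-creating the Secret, would help future maintainers, and if Vault runs in-cluster its own projected short-lived token could replace this Secret entirely. Keep RBAC for reading Secrets in this namespace tight for the same reason.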
@@ -0,0 +1,53 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:base", + ":rebaseStalePrs" + ], + "kubernetes": { + "fileMatch": ["\\.yaml$"] + }, + "ansible": { + "fileMatch": [ + "(^|/)tasks/[^/]+\\.ya?ml$", + "(^|/)playbook.ya?ml$" + ] + }, + "packageRules": [ + { + "description": ["Custom versioning for minio"], + "versioning": "regex:^RELEASE\\.(?\\d+)-(?\\d+)-(?\\d+)T.*Z$", + "matchPackagePatterns": ["minio/minio$"] + }, + { + "matchDatasources": ["kubernetes"], + "updateTypes": [ + "major", + "minor", + "patch" + ] + }, + { + "matchDatasources": ["docker"], + "updateTypes": [ + "minor", + "patch" + ] + } + ], + "regexManagers": [ + { + "fileMatch": ["playbook.ya?ml$"], + "matchStrings": [".+_image: \"(?.*?):(?.*?)\""], + "datasourceTemplate": "docker" + }, + + { + "fileMatch": [".*y[a]?ml$"], + "matchStrings": [ + "# renovate: datasource=(?docker)( versioning=(?.*?))?\\s.+_image: \"(?.*?):(?.*)\"", + "# renovate: datasource=(?.*?) depName=(?.*?)( versioning=(?.*?))?\\s.*?_version: \"(?.*)\"" + ] + } + ] +} diff --git a/trivy.yaml b/trivy.yaml new file mode 100644 index 0000000..cbd757d --- /dev/null +++ b/trivy.yaml @@ -0,0 +1,18 @@ +--- +quiet: true +ignore: + files: + - clusters/svc.dd.soeren.cloud/argocd/patch.yaml +cache-dir: $HOME/.cache/trivy +exit-code: 1 +scan: + scanners: + - vuln + - secret + - misconfig +ignorefile: .trivyignore.yaml +severity: + - LOW + - MEDIUM + - HIGH + - CRITICAL
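Review bot: `config:base`, `updateTypes`, `matchPackagePatterns` and `regexManagers` are the deprecated spellings in Renovate; `config:recommended`, `matchUpdateTypes`, `matchPackageNames` and `customManagers` with `"customType": "regex"` are the current ones, and Renovate presumably still migrates the old forms at run time but reports migration warnings. Since the restic CronJob images are pinned by tag only, adding `"docker:pinDigests"` to `extends` would have Renovate manage `@sha256:` digests so image updates become reviewable git changes rather than tag re-pushes. The `(?.*?)` groups in `matchStrings` look like named groups whose `<name>` part was lost in this rendering; verify the committed file still has `(?<depName>…)`, `(?<currentValue>…)` and friends, since the regex manager depends on them.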
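Review bot: `ignore.files` drops `clusters/svc.dd.soeren.cloud/argocd/patch.yaml` from all three scanners (vuln, secret, misconfig) with no recorded reason; a comment naming the suppressed finding, e.g. `# <finding id placeholder>: false positive, see .trivyignore.yaml`, or a per-finding entry in `.trivyignore.yaml` instead of a whole-file exclusion, keeps the secret scanner effective on that file. `cache-dir: $HOME/.cache/trivy` is presumably not shell-expanded when read from the config file, so trivy may create a literal `$HOME` directory under the working directory; setting it via the CLI flag or `TRIVY_CACHE_DIR`, or omitting the key, avoids that. With `exit-code: 1` and all four severities listed every finding fails the run, which is the right default for a secret scanner and worth a short comment so nobody relaxes it casually.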