Dreaded_X/flux-infra
1
0
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Dreaded_X:feature/lldap_bootstrap
Branches Tags
Dreaded_X:master Dreaded_X:feature/lldap_bootstrap
...
compare: Dreaded_X:1d7a06b111f9b4fdc3f0f5fba24d0822915faef2
Branches Tags
Dreaded_X:master Dreaded_X:feature/lldap_bootstrap

77 Commits
feature/ll ... 1d7a06b111

Author SHA1 Message Date
Dreaded_X
1d7a06b111 TESTING 2025-04-22 14:05:56 +02:00
Dreaded_X
daaef595e5 Update siranga commit status based on reconcile status 2025-04-22 14:01:34 +02:00
Dreaded_X
b5a587e664 Added notification controller to bootstrap 2025-04-22 12:59:46 +02:00
Flux
77cf518f83 Add Flux v2.5.1 component manifests 2025-04-22 12:03:24 +02:00
Dreaded_X
f62e9b5c40 Split of values into seperate files for the remaining infra (#12) 2025-04-22 11:16:06 +02:00
Dreaded_X
9068fc25ae Get ldap bind_dn from credentials secret 2025-04-22 01:01:28 +02:00
Dreaded_X
2a339c6ce5 Switch to authelia-controller 2025-04-18 03:40:41 +02:00
Dreaded_X
4dad3f261e Adjusted dependencies 2025-04-18 03:28:37 +02:00
Dreaded_X
1428632409 Renamed tunnel -> siranga 2025-04-17 15:59:58 +02:00
Dreaded_X
1a18f843ed Updated kube-vip 2025-04-16 15:55:45 +02:00
Dreaded_X
8c524a27f7 Enable kube-vip upnp 2025-04-16 03:24:25 +02:00
Dreaded_X
5505217c3b Updated cert-manager 2025-04-14 23:55:58 +02:00
Dreaded_X
7ceedeca77 Fixed cloudflare token secret name 2025-04-14 23:25:53 +02:00
Dreaded_X
bd005aa4e2 Added tunnel 2025-04-14 23:03:32 +02:00
Dreaded_X
8618624b24 Enable authelia debug logging 2025-04-07 15:16:19 +02:00
Dreaded_X
e2b30d2f41 Use lldap service users in authelia and grafana 2025-03-22 01:32:17 +01:00
Dreaded_X
60a63fff7e Update pre-commit hooks 2025-03-22 00:33:38 +01:00
Dreaded_X
6edd6a1474 Replace lldap-bootstrap with lldap-controller 2025-03-22 00:06:52 +01:00
Dreaded_X
ed47feaa93 Reorganized lldap 2025-03-07 00:54:04 +01:00
Dreaded_X
00a9f25d5c Restart authelia on acl config update 2025-03-01 06:49:36 +01:00
Dreaded_X
4ae76d668e Moved authelia ACL rules to seperate ConfigMaps 2025-03-01 06:19:32 +01:00
Dreaded_X
c7229f1112 Allow authelia ACLs to be configured through ConfigMaps 2025-03-01 06:11:41 +01:00
Dreaded_X
fff27a4b1b Added permissions to allow kyverno to create secrets 2025-03-01 02:32:52 +01:00
Dreaded_X
2d0ded00eb Added NodeFeatureRule to automatically add network adapter label to nodes 2025-02-26 03:27:54 +01:00
Dreaded_X
4058ff5287 Use kyverno to add annotation to kube-vip pods 2025-02-26 03:27:21 +01:00
Dreaded_X
b7bc05beb7 Added kyverno 2025-02-25 23:58:44 +01:00
Dreaded_X
b604a20973 Update pre-commit hooks 2025-02-25 23:43:26 +01:00
Dreaded_X
456d52bdff Changed network adapter label 2025-02-25 04:28:08 +01:00
Dreaded_X
945bfca237 Improvement to akri demo 2025-02-25 03:46:01 +01:00
Dreaded_X
1a0001b708 Namespace cleanup 2025-02-24 05:23:29 +01:00
Dreaded_X
d021f81b7b Removed old infrastructure kustomizations 2025-02-24 05:17:41 +01:00
Dreaded_X
d7ba1d85f0 Use helm chart for node-feature-discovery 2025-02-24 04:16:44 +01:00
Dreaded_X
4929d43f7c Reorganized node-feature-discovery and intel-device-plugins 2025-02-24 03:24:56 +01:00
Dreaded_X
27960b00dc Reorganized descheduler 2025-02-23 07:37:28 +01:00
Dreaded_X
9479771665 Reorganized external snapshotter 2025-02-23 07:31:20 +01:00
Dreaded_X
ef2e12f84c Reorganized dragonfly operator 2025-02-23 07:22:42 +01:00
Dreaded_X
5d38d90552 Reorganized authelia and split values into seperate file 2025-02-23 07:15:36 +01:00
Dreaded_X
ab389f65f4 Reorganized akri 2025-02-23 06:26:04 +01:00
Dreaded_X
c3bc982336 Added test-app for testing deployment using OCIRepository 2025-02-23 06:26:04 +01:00
Dreaded_X
dad086a9bd Added flux helm values pre-commit check 2025-02-23 06:26:04 +01:00
Dreaded_X
b531e22011 Added pre-commit 2025-02-23 06:26:04 +01:00
Dreaded_X
e275bfb41c Renamed ldap toml file so it actually has the toml extension 2025-02-23 06:26:04 +01:00
Dreaded_X
2da31d9ac5 Use https:// address in kustomziation 2025-02-23 06:26:04 +01:00
Dreaded_X
da10dddf41 There is not really a reason to use components at the moment 2025-02-23 06:26:04 +01:00
Dreaded_X
a976596e9d Fixed manifests 2025-02-23 06:26:02 +01:00
Dreaded_X
474a765472 Adjusted interval/timeouts/dependencies 2025-02-23 06:25:28 +01:00
Dreaded_X
ae9bb78e2a Reorganized cnpg 2025-02-23 06:25:28 +01:00
Dreaded_X
0a0d7f7a65 Reorganized ceph 2025-02-23 06:25:28 +01:00
Dreaded_X
6e428ed757 Reorganized topolvm 2025-02-23 06:25:28 +01:00
Dreaded_X
4e71d50b40 Gave kube-vip entire cidr range and fix traefik static ip 2025-02-23 06:25:27 +01:00
Dreaded_X
c2b7d0db2e Reorganized traefik 2025-02-23 06:25:27 +01:00
Dreaded_X
86c9ecaffc Run repo maintainance once a day 2025-02-23 06:25:27 +01:00
Dreaded_X
b2a9236083 Fixed topologySpreadConstraints 2025-02-23 06:25:23 +01:00
Dreaded_X
11cdc405f7 Add back kustomization.yaml files 2025-02-15 22:45:22 +01:00
Dreaded_X
936f4bdb5f Fixed certificates 2025-02-15 22:31:50 +01:00
Dreaded_X
aa66dea6d0 Added wait: true to all flux Kustomizations 2025-02-15 22:29:59 +01:00
Dreaded_X
f072d17e47 Reorganized velero 2025-02-15 22:29:59 +01:00
Dreaded_X
e2872c4dbc Changed some namespace things 2025-02-15 22:29:58 +01:00
Dreaded_X
cd97b968a9 Load domain substitutions from ConfigMap 2025-02-15 22:28:54 +01:00
Dreaded_X
8775cbde8d Moved kube-vip to new organization + version update 2025-02-15 22:28:50 +01:00
Dreaded_X
e9d54563d6 Start repo reorganization with cert-manager 2025-02-15 22:24:59 +01:00
Dreaded_X
9dc3eeb57f WIP: Testing better error pages 2025-02-13 04:29:03 +01:00
Dreaded_X
3d020782d4 Enable ingress for ceph dashboard 2025-02-13 04:08:20 +01:00
Dreaded_X
5aed410550 Also keep local snapshots 2025-02-13 02:58:58 +01:00
Dreaded_X
c7a6703dfa Disabled cloudnative-pg backup and switched to using the crd directly 2025-02-13 01:43:38 +01:00
Dreaded_X
9db5e65250 Enabled VolumeSnapshotClasses 2025-02-11 02:57:15 +01:00
Dreaded_X
8370098b2f Removed suspend again as it does not work how I had hoped 2025-02-09 02:02:28 +01:00
Dreaded_X
343b098453 Added topolvm for node local storage 2025-02-09 01:39:26 +01:00
Dreaded_X
8248e913b0 Switch from piraeus to ceph 2025-02-09 01:22:08 +01:00
Dreaded_X
24c1451d54 Suspend anything but the controllers by default 2025-02-09 00:19:14 +01:00
Dreaded_X
112cdab762 Adjusted bootstrap scripts with velero in mind 2025-02-09 00:18:55 +01:00
Dreaded_X
6732d8a074 Added backblaze as default backup location 2025-02-07 01:18:48 +01:00
Dreaded_X
e761a10135 Let velero upload the content of volume snapshots 2025-02-05 01:41:53 +01:00
Dreaded_X
1764fd05ae Remove lvm snapshots from local machine after backup 2025-02-04 01:37:08 +01:00
Dreaded_X
4b3e4d32a3 Setup linstor for velero volume snapshots 2025-02-01 00:28:29 +01:00
Dreaded_X
4bdd559213 Added velero 2025-02-01 00:23:09 +01:00
Dreaded_X
90624f9b6c Added snapshot controller 2025-01-30 01:18:06 +01:00
167 changed files with 3988 additions and 1851 deletions
Expand all files Collapse all files

1
.kcignore Normal file
View File

@@ -0,0 +1 @@
.sops.yaml

27
.pre-commit-config.yaml Normal file
View File

@@ -0,0 +1,27 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
args:
- --allow-multiple-documents
- id: check-added-large-files
- id: check-merge-conflict
- repo: https://github.com/crate-ci/typos
rev: v1.30.2
hooks:
- id: typos
args: ["--force-exclude"]
- repo: git@huizinga.dev:Dreaded_X/cluster-crds.git
rev: 951a61836937c443aa9a8d49d973cfc23dd6d219
hooks:
- id: kubeconform
- repo: https://github.com/tarioch/flux-check-hook
rev: v0.8.0
hooks:
- id: check-flux-helm-values

10
.typos.toml Normal file
View File

@@ -0,0 +1,10 @@
[default]
# Ignore
extend-ignore-re = [
"-{5}BEGIN PGP MESSAGE-{5}(?:$|[^-]{63,}-{5}END PGP MESSAGE-{5})",
"-{5}BEGIN PGP PUBLIC KEY BLOCK-{5}(?:$|[^-]{63,}-{5}END PGP PUBLIC KEY BLOCK-{5})",
]
[files]
# Ignore generated files
extend-exclude = ["gotk-components.yaml", "gotk-sync.yaml"]

3
apps/akri-demo.yaml
View File

@@ -16,3 +16,6 @@ spec:
containers: containers:
- name: akri-demo - name: akri-demo
image: traefik/whoami image: traefik/whoami
resources:
limits:
"{{PLACEHOLDER}}": "1"

12
apps/authelia/kustomization.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: authelia
resources:
- ./namespace.yaml
- ./repository.yaml
- ./release.yaml
- ./lldap.yaml
components:
- ../../common/postgres
- ../../common/dragonflydb

60
apps/authelia/lldap.yaml
View File

@@ -1,60 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: authelia-lldap
type: Opaque
stringData:
password: ENC[AES256_GCM,data:t9dCqqJrS0mhJMBXLKTKUgbOpwI3LGN134OlGmIaOsZg1bzWSV4sU0YAQMU=,iv:Bp2hO34VNtqy+7ZnWtqvmUNe2GKUh7KPZmRgXzyFqqA=,tag:qJ8iV6OyuNlVmnrPs13LNg==,type:str]
user-configs.json: ENC[AES256_GCM,data:7bhp9uWOM1NcfJ8DnnUdYCIFMZeCvmGr8S5gJPzw0kzXfXQfRbI2xfq4X5GdAbOCn9HHM1F+xJLaF6tno1ZmH26NN7FkXUZQCtqK9+yZgjHY8MZYsUZHdZlV40BcaYSCk7qtefGsCrITN2X/DAjrmedNeh0CF9rdov3ZKsi8nSGWGUeLpKcouhOpvbfLRSoEEfYUyUF1r5GscTuunh9uZ8DtoCJvBf8iyQ==,iv:3YuaXKKIHUgzWL07yItqR6rgI+YXbaoTVc4xdiZ/hWU=,tag:hyObOlrQVXgRHgDxcV/R0g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-11-22T04:09:11Z"
mac: ENC[AES256_GCM,data:3o1AYP26QEIMjCUZ4y6AH+CXevoJoJ+rX3ioMLRf8KAGy0mSOtacaSY9xRdDIjATu9aJgHmFbSw9CHTBpXxmaISZxQdMPMHQAmRxHnSuQiofPRkVtD1TlvCFcDTSgITWbvG3dpUoLdM57Mgd3z7KpI/+gEoDebYfryDaYXCoH3c=,iv:1C8QMJCJtvnGVPpLJE+l0U3hOknEC3XiWTQrPAQsHKc=,tag:fn+cMj1NImJSvNiuyzX5pQ==,type:str]
pgp:
- created_at: "2024-11-22T04:09:11Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA7pKPTYH5bqOAQ/+MgqnLWwHCWPxacANbHEEYsPENOyIywmYJnSnRqRLWhAn
9K0/udCxwO30rnvo+p6/YLF2VSqFfz7pUm/z+MH6ypyY1B83HjCkjsaTQhPR5Q0K
CmhTR7TrQBNfa/flawhebWOjvmUJ9lJ9uqCnAB16S03Sn+PqDYlGTE6CMJ0oJuSr
VpxdvdvFZ1gfR7hlVrsKqvn47T3XIYDJohp9l819nQ1O2adTPfevZEN/JLwaWSLT
YtwJyg+6ogKD3q6UBv7hyyXH9ZlMHFxGWxmo1OXAA3E/vMvOacgmFW6pqoGMqwGU
D9Ch2x1MBobD342ZPPmsQNiI+34Q5cl+hVJJgL5jWk2kML67itM8pMUTyn+5NtWO
wWo6zu5q5IfqREwuerZtisocctrLB9QKPVGcjVihWfoenvlkf4yfCRDFzOPSAb0o
e2K+3fZknZlnb3Qb/rgD7XRiBhcif1zIHZxUQDv/Lq9GyuCM7dk8YKUVCtyeixQ4
C+WFmp9ED8xzv1jR9lPcQhD+I2Cb7/9jlTXEetFHSzl4riYpKPjhKQedUWZ0YY1A
u0ORTBaLzcmrXTjGz24PxmWZDBjhV4Kgvn76rchqLrS8lvi1EbXoZB6ERhuhlz5Y
bm1FwUBxDRG04gFCPwWKV0AvMmhd+hOdyo4KeQbZCO+w3QqXnp/y6b3TtpEeQnPU
aAEJAhCMqxSAESN99AcEtW56mJsZmRCCi3NsRLwllDczeDfUznF2CSTCnJRDmjsU
bLf8jVjawLxfRnKmRyKX/cCYbuz9OmIFkOAWoSNVb/teiMrYYFq96kRDLHR1Llxr
EuX0poghRPqU
=tI6a
-----END PGP MESSAGE-----
fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
- created_at: "2024-11-22T04:09:11Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA51kG++kLewoARAA15aOcSEfAIpEXXhmF4YToynn1NM9OsANHc3PR2uVzAPv
C4Wi8R1PNhGdV3aTuRN5WpSjkJEE3GNR0kA0Etao7Ip0d1UgXzg1wtwEd1Yyvtdh
ccK2/z0a4UJu8SMczChT1P18IASNksaxSAm+TOLFGcZeJFwQepsBaQIEfXYO3+hR
Jw+zcPmFaOzKoqdbAAWzvYhLxD2ocjZl7iiIOhz8fBSqWLO2oeJRp5Lk8Q14olTZ
708BQ+aLlsVJyLkiV7SzlKfEDIymMDZSe7Q3i4JqOFOyHRIkIM5ZPOLoelqRNcY2
zQphsk1U/MFp7LsR/d+5IKWBkqV5DYJWFunw+NRFHLg1/6+zmGnGbZ2gZfohvnKV
5GUrYfWCBACIclpxY7PlVQ7d/aTDf3jdR0iVV3Jh+8Lvze1msPvI+BF67oDNMsTu
EIbRa6eHzxgSqrq3Za5eeUXd9Gxfg2g4KdkbG+FA9qQI6f5Y1q0tE9cFfOElTiBk
xTAckrBMHOMGozvx4/6xXHMmAxd80tX0ZjVyBsPBeb64oZGlsGuRngWT1Ob9gF4Q
sDfyd74kpQ9fHhIYs9XSLrPbH6yzVIFF/sHpMGgri43PCMW6vvnfP4JQgdMNdXRw
U+RWDxA6BOkP7XvNfGADiumeSGQ+PE/KP0TuUqMD7gr9X/VGH+/1e6zbI1iruhPS
XgFoSamAXKfYrYz94J9u0vA8D8ne9EKa8Ls6ybicyyZlGLri/qnoHNJAVhLWKdId
h68ksrI5l25Z1MkAcKVR1xlHUnRCwb2Xdbag0vV07So00wxAl1XNhtPeuQrykk0=
=V4Gd
-----END PGP MESSAGE-----
fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
encrypted_regex: ^(data|stringData)$
version: 3.9.0

87
apps/authelia/release.yaml
View File

@@ -1,87 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: authelia
spec:
chart:
spec:
chart: authelia
reconcileStrategy: ChartVersion
sourceRef:
kind: HelmRepository
name: authelia
version: 0.9.9
interval: 15m
values:
pod:
replicas: 2
ingress:
enabled: true
tls:
enabled: true
secret: ${domain//./-}-tls
traefikCRD:
enabled: true
entryPoints:
- websecure
secret:
additionalSecrets:
authelia-db-cluster-app:
key: authelia-db-cluster-app
authelia-lldap:
key: authelia-lldap
configMap:
authentication_backend:
ldap:
enabled: true
implementation: custom
address: ldap://lldap.lldap.svc.cluster.local:3890
base_dn: dc=huizinga,dc=dev
additional_users_dn: ou=people
users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
additional_groups_dn: ou=groups
groups_filter: "(member={dn})"
attributes:
display_name: displayName
username: uid
group_name: cn
mail: mail
user: uid=authelia,ou=people,dc=huizinga,dc=dev
password:
secret_name: authelia-lldap
path: password
session:
cookies:
- subdomain: login${subdomain}
domain: ${topdomain}
redis:
enabled: true
host: dragonflydb.authelia
storage:
postgres:
enabled: true
address: tcp://authelia-db-cluster-rw.authelia:5432
database: app
username: app
password:
secret_name: authelia-db-cluster-app
path: password
notifier:
filesystem:
enabled: true
access_control:
rules:
- domain: traefik.${domain}
policy: one_factor
subject: "group:lldap_admin"
- domain: grafana.${domain}
policy: one_factor
# Deny by default, mainly a placeholder to allow patching in other rules
- domain: "*"
policy: deny

7
apps/grafana/access-control-rule.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: authelia.huizinga.dev/v1
kind: AccessControlRule
metadata:
name: grafana
spec:
domain: grafana.${domain}
policy: one_factor

7
apps/grafana/kustomization.yaml
View File

@@ -5,9 +5,8 @@ resources:
- ./namespace.yaml - ./namespace.yaml
- ./repository.yaml - ./repository.yaml
- ./release.yaml - ./release.yaml
- ./lldap.yaml - ./service-user.yaml
- ./access-control-rule.yaml
components:
- ../../common/postgres - ../../common/postgres
- ../../common/dragonflydb - ../../common/dragonflydb
@@ -17,4 +16,4 @@ configurations:
secretGenerator: secretGenerator:
- name: grafana-ldap-toml - name: grafana-ldap-toml
files: files:
- ldap-toml - ldap-toml=ldap.toml

4
apps/grafana/ldap-toml → apps/grafana/ldap.toml
View File

@@ -20,10 +20,10 @@ ssl_skip_verify = false
# client_key = "/path/to/client.key" # client_key = "/path/to/client.key"
# Search user bind dn # Search user bind dn
bind_dn = "uid=grafana,ou=people,dc=huizinga,dc=dev" bind_dn = "${BIND_DN}"
# Search user bind password # Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;""" # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = """${LDAP_ADMIN_PASSWORD}""" bind_password = "${LDAP_PASSWORD}"
# User search filter # User search filter
search_filter = "(&(|(uid=%s)(mail=%s))(objectClass=person))" search_filter = "(&(|(uid=%s)(mail=%s))(objectClass=person))"

60
apps/grafana/lldap.yaml
View File

@@ -1,60 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: grafana-lldap
type: Opaque
stringData:
password: ENC[AES256_GCM,data:0QolUQJaul0Hao4qJF/wxmV1APnwuJPMm/JgjdrPSr6edFTjED5jSt9lyio=,iv:faITYBBHrnHEnPn9zAK+y24AfXi9rZDZzu7RO9EBpX0=,tag:SI7sf2ORGYrbU1v3PdRYmw==,type:str]
user-configs.json: ENC[AES256_GCM,data:oshuHNNLYtNXbtkWw4oSpsxGRLNnOfCOJ9jFhKaPtgwYqCLEiOvw2AoWC7SBBv+gScBHDAbghwWJHP0ff2RSCNT6zGaAOinTOezErwmdpwA8A6JZY+EGh2+qnSkO6Eosy+tbWATUqAfZGmzqLzKlhF1Bleg2pc3pb3q9lzv4RWaizg0sFVKxfxaKJ98BRmq7blH7F47c+ybmkheZL10dBr9JLtfTsQ==,iv:KvJVCDyseQ82CQn2gUB3BM1MFVAMoZGWGqzrt8Tjmcs=,tag:FvyL72NYx4VRXdrzW4abdg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-12-30T03:11:38Z"
mac: ENC[AES256_GCM,data:XIV9UXqKcSkWRyPUBasswbfUFy7PKCjz3xqghmvk0Nin0l2GzrPfXvmiFb9Ytt8HduR7s+a4c609ZXlnXLQPHoM0w7I/4ELYTPzez4jgWPRSB3f4Oz5GDz0zKOzHqXJQec92YULhbUKeuQdBnTlMl+JMLuMX2C7t16HlI+WgWvA=,iv:5yfI/pBYYNNE5B5JICGUnk1t045abQaQYDJObZbXflc=,tag:LdU1tMHmelPGTG4bESxPPg==,type:str]
pgp:
- created_at: "2024-12-30T03:06:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA7pKPTYH5bqOARAAqYYnP/oUVePG0EMSXrEY/IadyZoi49oMzMKVKATJoRti
CMoDSc9URIe9hW9aVzTj925qfh/e1bU3gYS1ghCxRXINHkVpgFZ7o/iVGL4bdeuU
QrGYxrm7/IZQUSNy5d4r1vO/n5lEdrcmX57N4LKYDUnF2+Vf/j3DILGzDFBTh3U2
GnlaFMPtabMzZpDz5U9hfGeLmz+63DKMQeExq4egKoeKf1RIVG3x1S9XpvpwAvvG
omZSvDaT44winp2T6HF70oqF5nF0ex3mBTrhsEdff+5o/cinT40WfOID239MUmzq
U7Rafx/tHM9CI4u646C0CIAAY7tS0jB+eud8btA+X1KyfSUegFwAm1FzL5w3ZI3/
kcGXgV0AbrjprqWCqBbWF8ZWoHN3RgEr7naYuo8Z0wMWLdW6IvW9CBvh+I1K1hDW
mFZ8fA4cW4kowzSr79wYd32w1lnfjuA8itr/paSzCKpF44GfpkZ470h55KiEwCij
92ChS+RshTjLGebIzE/5LOmJYGauU1jcJ9HtRvWIajprQ6Y8oJh1fCvendTkVK58
psGNoVsguj3Jf4OZ7PK8KMvxxG/dceYHDRKlQe78x3VhlwUC3N0jrPqmqzuo1SFT
07L0tRepxa1MokZzC4Vs+yEFoy7lF1VjMSmXQWkavqzuEkffU9y/3gABnR7UEvrU
aAEJAhA5mxWyM1zu7f0ppbyTaYd7wqpq7DO6uoCziYza7xE3hZ+fNLMssi/gctd5
E9O1e7yRtxQui1L4uVtrpW3o7RfE+UqtE2peUFcdW7Uja+URM4/G7kzadgDAQ1fj
8PqQ49TpHxYC
=eBq+
-----END PGP MESSAGE-----
fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
- created_at: "2024-12-30T03:06:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA51kG++kLewoARAApjAXIvzIxzFJgKTynZSQz36hBdz1silLW6iJF2I8rlll
tdw6Sez7m3ynta3dMU9m2rtA4yVNiDIOyW6HaKtNEAOSkaIfKDVTLt77a3ypZzVi
/mcJ94DmRqax/a8OInYIFKzKnH07ZF8uZ5NogRRCEd66AuUrymi0okNpKXYa/hw9
gJXmxzk5tzDqyoaDm4GraUQelE2CAFnML36nguc4HEwJsHvgnD+gEuAagDiLrdIU
LFNw39s+1wpstSjiWaOwZbl3XG9t+wBnUHpoN830cQE0hjib/XMtiH4D1EnHjxTr
wSRPEczLbe2Z1kpTHd2Zt/nFNsudtqViy2LgQDAkrlJL2YNbvWqfssMmPkVjDLeH
qh0cGKWJ3we+ad/pR60DBm2Q8RVzylqojn6o5sdOPlCh+cwI9Tiac6b3cdVYDAop
el4hbxGPojRw+BWGbrpTvu3H3zaTNA8Xwds1FIoisyTRIEISq9HGkbwFmtCXQGwN
R4qi151dUiuGDwkJlaVspbAu8uikV0ucZ7xR6+D6f3NUhyCeGiBz6gb48SZDJ0u8
IfcYu0HOzgeQzMn4X0vluxbFbIA4CxZlyy1I60YwHUSUvDGYFiJ7fDBSOnQeHUT9
2BSYlMsw0r5o8KZDPQ0vRVOCN7FC0lVZ+O4hSAfYJq7KdzD55HGFNZ1SgncUI3/S
XgGe/0g5rvyHi2Mc67Sl/6ooLL3AeelzTgOD1deMKO7inzfFfolETn42O09H3RL4
FVDaqZTgxRTo5vI0xy7tt8WzC2RnnKO04eCU2Fpzz/jORMD1YCOoAGuf5ZDsJbM=
=9p2Q
-----END PGP MESSAGE-----
fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
encrypted_regex: ^(data|stringData)$
version: 3.9.1

14
apps/grafana/release.yaml
View File

@@ -23,13 +23,17 @@ spec:
- secretName: ${domain//./-}-tls - secretName: ${domain//./-}-tls
annotations: annotations:
traefik.ingress.kubernetes.io/router.entryPoints: "websecure" traefik.ingress.kubernetes.io/router.entryPoints: "websecure"
traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd" # name of your middleware, as defined in your middleware.yml traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd"
traefik.ingress.kubernetes.io/router.tls: "true" traefik.ingress.kubernetes.io/router.tls: "true"
envValueFrom: envValueFrom:
LDAP_ADMIN_PASSWORD: BIND_DN:
secretKeyRef: secretKeyRef:
name: grafana-lldap name: grafana-lldap-credentials
key: bind_dn
LDAP_PASSWORD:
secretKeyRef:
name: grafana-lldap-credentials
key: password key: password
grafana.ini: grafana.ini:
@@ -62,8 +66,8 @@ spec:
existingSecret: grafana-ldap-toml existingSecret: grafana-ldap-toml
extraSecretMounts: extraSecretMounts:
- name: grafana-db-cluster-app-mount - name: postgres-app-mount
secretName: grafana-db-cluster-app secretName: postgres-app
defaultMode: 0440 defaultMode: 0440
mountPath: /etc/secrets/db mountPath: /etc/secrets/db
readOnly: true readOnly: true

5
apps/grafana/service-user.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: lldap.huizinga.dev/v1
kind: ServiceUser
metadata:
name: grafana
spec: {}

3
apps/kustomization.yaml
View File

@@ -1,10 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ./lldap
- ./authelia
- ./grafana - ./grafana
- ./traefik-dashboard
- ./whoami.yaml - ./whoami.yaml
- ./akri-demo.yaml - ./akri-demo.yaml

83
apps/lldap/bootstrap/bootstrap-job.yaml
View File

@@ -1,83 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: lldap-bootstrap
annotations:
kustomize.toolkit.fluxcd.io/force: enabled
spec:
template:
spec:
restartPolicy: OnFailure
containers:
- name: lldap-bootstrap
image: lldap/lldap:v0.5.0
command:
- /bootstrap/bootstrap.sh
env:
- name: LLDAP_URL
value: "http://lldap:17170"
- name: LLDAP_ADMIN_USERNAME
value: admin
- name: LLDAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: lldap-credentials
key: lldap-ldap-user-pass
- name: DO_CLEANUP
value: "true"
volumeMounts:
- name: bootstrap
mountPath: /bootstrap/bootstrap.sh
readOnly: true
subPath: bootstrap.sh
- name: user-configs
mountPath: /bootstrap/user-configs
readOnly: true
- name: group-configs
mountPath: /bootstrap/group-configs
readOnly: true
volumes:
- name: bootstrap
configMap:
name: bootstrap
defaultMode: 0555
items:
- key: bootstrap.sh
path: bootstrap.sh
- name: user-configs
projected:
sources:
- secret:
name: lldap-bootstrap-configs
items:
- key: user-configs.json
path: user-configs.json
- secret:
name: authelia-lldap
items:
- key: user-configs.json
path: authelia-configs.json
- secret:
name: grafana-lldap
items:
- key: user-configs.json
path: grafana-configs.json
- name: group-configs
projected:
sources:
- secret:
name: lldap-bootstrap-configs
items:
- key: group-configs.json
path: group-configs.json

606
apps/lldap/bootstrap/bootstrap.sh
View File

@@ -1,606 +0,0 @@
#!/usr/bin/env bash
set -e
set -o pipefail
LLDAP_URL="${LLDAP_URL:-http://localhost:17170}"
LLDAP_ADMIN_USERNAME="${LLDAP_ADMIN_USERNAME:-admin}"
LLDAP_ADMIN_PASSWORD="${LLDAP_ADMIN_PASSWORD:-password}"
USER_SCHEMAS_DIR="${USER_SCHEMAS_DIR:-/bootstrap/user-schemas}"
GROUP_SCHEMAS_DIR="${GROUP_SCHEMAS_DIR:-/bootstrap/group-schemas}"
USER_CONFIGS_DIR="${USER_CONFIGS_DIR:-/bootstrap/user-configs}"
GROUP_CONFIGS_DIR="${GROUP_CONFIGS_DIR:-/bootstrap/group-configs}"
LLDAP_SET_PASSWORD_PATH="${LLDAP_SET_PASSWORD_PATH:-/app/lldap_set_password}"
DO_CLEANUP="${DO_CLEANUP:-false}"
# Fallback to support legacy defaults
if [[ ! -d $USER_CONFIGS_DIR ]] && [[ -d "/user-configs" ]]; then
USER_CONFIGS_DIR="/user-configs"
fi
if [[ ! -d $GROUP_CONFIGS_DIR ]] && [[ -d "/group-configs" ]]; then
GROUP_CONFIGS_DIR="/group-configs"
fi
check_install_dependencies() {
local commands=('curl' 'jq' 'jo')
local commands_not_found='false'
if ! hash "${commands[@]}" 2>/dev/null; then
if hash 'apk' 2>/dev/null && [[ $EUID -eq 0 ]]; then
apk add "${commands[@]}"
elif hash 'apt' 2>/dev/null && [[ $EUID -eq 0 ]]; then
apt update -yqq
apt install -yqq "${commands[@]}"
else
local command=''
for command in "${commands[@]}"; do
if ! hash "$command" 2>/dev/null; then
printf 'Command not found "%s"\n' "$command"
fi
done
commands_not_found='true'
fi
fi
if [[ "$commands_not_found" == 'true' ]]; then
return 1
fi
}
check_required_env_vars() {
local env_var_not_specified='false'
local dual_env_vars_list=(
'LLDAP_URL'
'LLDAP_ADMIN_USERNAME'
'LLDAP_ADMIN_PASSWORD'
)
local dual_env_var_name=''
for dual_env_var_name in "${dual_env_vars_list[@]}"; do
local dual_env_var_file_name="${dual_env_var_name}_FILE"
if [[ -z "${!dual_env_var_name}" ]] && [[ -z "${!dual_env_var_file_name}" ]]; then
printf 'Please specify "%s" or "%s" variable!\n' "$dual_env_var_name" "$dual_env_var_file_name" >&2
env_var_not_specified='true'
else
if [[ -n "${!dual_env_var_file_name}" ]]; then
declare -g "$dual_env_var_name"="$(cat "${!dual_env_var_file_name}")"
fi
fi
done
if [[ "$env_var_not_specified" == 'true' ]]; then
return 1
fi
}
check_configs_validity() {
local config_file='' config_invalid='false'
for config_file in "$@"; do
local error=''
if ! error="$(jq '.' -- "$config_file" 2>&1 >/dev/null)"; then
printf '%s: %s\n' "$config_file" "$error"
config_invalid='true'
fi
done
if [[ "$config_invalid" == 'true' ]]; then
return 1
fi
}
auth() {
local url="$1" admin_username="$2" admin_password="$3"
local response
response="$(curl --silent --request POST \
--url "$url/auth/simple/login" \
--header 'Content-Type: application/json' \
--data "$(jo -- username="$admin_username" password="$admin_password")")"
TOKEN="$(printf '%s' "$response" | jq --raw-output .token)"
}
make_query() {
local query_file="$1" variables_file="$2"
curl --silent --request POST \
--url "$LLDAP_URL/api/graphql" \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json' \
--data @<(jq --slurpfile variables "$variables_file" '. + {"variables": $variables[0]}' "$query_file")
}
get_group_list() {
local query='{"query":"query GetGroupList {groups {id displayName}}","operationName":"GetGroupList"}'
make_query <(printf '%s' "$query") <(printf '{}')
}
get_group_array() {
get_group_list | jq --raw-output '.data.groups[].displayName'
}
group_exists() {
if [[ "$(get_group_list | jq --raw-output --arg displayName "$1" '.data.groups | any(.[]; select(.displayName == $displayName))')" == 'true' ]]; then
return 0
else
return 1
fi
}
get_group_id() {
get_group_list | jq --raw-output --arg displayName "$1" '.data.groups[] | if .displayName == $displayName then .id else empty end'
}
create_group() {
local group_name="$1"
if group_exists "$group_name"; then
printf 'Group "%s" (%s) already exists\n' "$group_name" "$(get_group_id "$group_name")"
return
fi
# shellcheck disable=SC2016
local query='{"query":"mutation CreateGroup($name: String!) {createGroup(name: $name) {id displayName}}","operationName":"CreateGroup"}'
local response='' error=''
response="$(make_query <(printf '%s' "$query") <(jo -- name="$group_name"))"
error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
if [[ -n "$error" ]]; then
printf '%s\n' "$error"
else
printf 'Group "%s" (%s) successfully created\n' "$group_name" "$(printf '%s' "$response" | jq --raw-output '.data.createGroup.id')"
fi
}
delete_group() {
local group_name="$1" id=''
if ! group_exists "$group_name"; then
printf '[WARNING] Group "%s" does not exist\n' "$group_name"
return
fi
id="$(get_group_id "$group_name")"
# shellcheck disable=SC2016
local query='{"query":"mutation DeleteGroupQuery($groupId: Int!) {deleteGroup(groupId: $groupId) {ok}}","operationName":"DeleteGroupQuery"}'
local response='' error=''
response="$(make_query <(printf '%s' "$query") <(jo -- groupId="$id"))"
error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
if [[ -n "$error" ]]; then
printf '%s\n' "$error"
else
printf 'Group "%s" (%s) successfully deleted\n' "$group_name" "$id"
fi
}
get_user_details() {
local id="$1"
# shellcheck disable=SC2016
local query='{"query":"query GetUserDetails($id: String!) {user(userId: $id) {id email displayName firstName lastName creationDate uuid groups {id displayName}}}","operationName":"GetUserDetails"}'
make_query <(printf '%s' "$query") <(jo -- id="$id")
}
user_in_group() {
local user_id="$1" group_name="$2"
if ! group_exists "$group_name"; then
printf '[WARNING] Group "%s" does not exist\n' "$group_name"
return
fi
if ! user_exists "$user_id"; then
printf 'User "%s" is not exists\n' "$user_id"
return
fi
if [[ "$(get_user_details "$user_id" | jq --raw-output --arg displayName "$group_name" '.data.user.groups | any(.[]; select(.displayName == $displayName))')" == 'true' ]]; then
return 0
else
return 1
fi
}
add_user_to_group() {
local user_id="$1" group_name="$2" group_id=''
if ! group_exists "$group_name"; then
printf '[WARNING] Group "%s" does not exist\n' "$group_name"
return
fi
group_id="$(get_group_id "$group_name")"
if user_in_group "$user_id" "$group_name"; then
printf 'User "%s" already in group "%s" (%s)\n' "$user_id" "$group_name" "$group_id"
return
fi
# shellcheck disable=SC2016
local query='{"query":"mutation AddUserToGroup($user: String!, $group: Int!) {addUserToGroup(userId: $user, groupId: $group) {ok}}","operationName":"AddUserToGroup"}'
local response='' error=''
response="$(make_query <(printf '%s' "$query") <(jo -- user="$user_id" group="$group_id"))"
error="$(printf '%s' "$response" | jq '.errors | if . != null then .[].message else empty end')"
if [[ -n "$error" ]]; then
printf '%s\n' "$error"
else
printf 'User "%s" successfully added to the group "%s" (%s)\n' "$user_id" "$group_name" "$group_id"
fi
}
remove_user_from_group() {
local user_id="$1" group_name="$2" group_id=''
if ! group_exists "$group_name"; then
printf '[WARNING] Group "%s" does not exist\n' "$group_name"
return
fi
group_id="$(get_group_id "$group_name")"
# shellcheck disable=SC2016
local query='{"operationName":"RemoveUserFromGroup","query":"mutation RemoveUserFromGroup($user: String!, $group: Int!) {removeUserFromGroup(userId: $user, groupId: $group) {ok}}"}'
local response='' error=''
response="$(make_query <(printf '%s' "$query") <(jo -- user="$user_id" group="$group_id"))"
error="$(printf '%s' "$response" | jq '.errors | if . != null then .[].message else empty end')"
if [[ -n "$error" ]]; then
printf '%s\n' "$error"
else
printf 'User "%s" successfully removed from the group "%s" (%s)\n' "$user_id" "$group_name" "$group_id"
fi
}
get_users_list() {
# shellcheck disable=SC2016
local query='{"query": "query ListUsersQuery($filters: RequestFilter) {users(filters: $filters) {id email displayName firstName lastName creationDate}}","operationName": "ListUsersQuery"}'
make_query <(printf '%s' "$query") <(jo -- filters=null)
}
user_exists() {
if [[ "$(get_users_list | jq --raw-output --arg id "$1" '.data.users | any(.[]; .id == $id)')" == 'true' ]]; then
return 0
else
return 1
fi
}
delete_user() {
local id="$1"
if ! user_exists "$id"; then
printf 'User "%s" is not exists\n' "$id"
return
fi
# shellcheck disable=SC2016
local query='{"query": "mutation DeleteUserQuery($user: String!) {deleteUser(userId: $user) {ok}}","operationName": "DeleteUserQuery"}'
local response='' error=''
response="$(make_query <(printf '%s' "$query") <(jo -- user="$id"))"
error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
if [[ -n "$error" ]]; then
printf '%s\n' "$error"
else
printf 'User "%s" successfully deleted\n' "$id"
fi
}
get_group_property_list() {
local query='{"query":"query GetGroupAttributesSchema { schema { groupSchema { attributes { name }}}}","operationName":"GetGroupAttributesSchema"}'
make_query <(printf '%s' "$query") <(printf '{}')
}
group_property_exists() {
if [[ "$(get_group_property_list | jq --raw-output --arg name "$1" '.data.schema.groupSchema.attributes | any(.[]; select(.name == $name))')" == 'true' ]]; then
return 0
else
return 1
fi
}
create_group_schema_property() {
local name="$1"
local attributeType="$2"
local isEditable="$3"
local isList="$4"
local isVisible="$5"
if group_property_exists "$name"; then
printf 'Group property "%s" already exists\n' "$name"
return
fi
# shellcheck disable=SC2016
local query='{"query":"mutation CreateGroupAttribute($name: String!, $attributeType: AttributeType!, $isList: Boolean!, $isVisible: Boolean!, $isEditable: Boolean!) {addGroupAttribute(name: $name, attributeType: $attributeType, isList: $isList, isVisible: $isVisible, isEditable: $isEditable) {ok}}","operationName":"CreateGroupAttribute"}'
local response='' error=''
response="$(make_query <(printf '%s' "$query") <(jo -- name="$name" attributeType="$attributeType" isEditable="$isEditable" isList="$isList" isVisible="$isVisible"))"
error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
if [[ -n "$error" ]]; then
printf '%s\n' "$error"
else
printf 'Group attribute "%s" successfully created\n' "$name"
fi
}
get_user_property_list() {
local query='{"query":"query GetUserAttributesSchema { schema { userSchema { attributes { name }}}}","operationName":"GetUserAttributesSchema"}'
make_query <(printf '%s' "$query") <(printf '{}')
}
user_property_exists() {
if [[ "$(get_user_property_list | jq --raw-output --arg name "$1" '.data.schema.userSchema.attributes | any(.[]; select(.name == $name))')" == 'true' ]]; then
return 0
else
return 1
fi
}
create_user_schema_property() {
local name="$1"
local attributeType="$2"
local isEditable="$3"
local isList="$4"
local isVisible="$5"
if user_property_exists "$name"; then
printf 'User property "%s" already exists\n' "$name"
return
fi
# shellcheck disable=SC2016
local query='{"query":"mutation CreateUserAttribute($name: String!, $attributeType: AttributeType!, $isList: Boolean!, $isVisible: Boolean!, $isEditable: Boolean!) {addUserAttribute(name: $name, attributeType: $attributeType, isList: $isList, isVisible: $isVisible, isEditable: $isEditable) {ok}}","operationName":"CreateUserAttribute"}'
local response='' error=''
response="$(make_query <(printf '%s' "$query") <(jo -- name="$name" attributeType="$attributeType" isEditable="$isEditable" isList="$isList" isVisible="$isVisible"))"
error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
if [[ -n "$error" ]]; then
printf '%s\n' "$error"
else
printf 'User attribute "%s" successfully created\n' "$name"
fi
}
__common_user_mutation_query() {
local \
query="$1" \
id="${2:-null}" \
email="${3:-null}" \
displayName="${4:-null}" \
firstName="${5:-null}" \
lastName="${6:-null}" \
avatar_file="${7:-null}" \
avatar_url="${8:-null}" \
gravatar_avatar="${9:-false}" \
weserv_avatar="${10:-false}"
local variables_arr=(
'-s' "id=$id"
'-s' "email=$email"
'-s' "displayName=$displayName"
'-s' "firstName=$firstName"
'-s' "lastName=$lastName"
)
local temp_avatar_file=''
if [[ "$gravatar_avatar" == 'true' ]]; then
avatar_url="https://gravatar.com/avatar/$(printf '%s' "$email" | sha256sum | cut -d ' ' -f 1)?size=512"
fi
if [[ "$avatar_url" != 'null' ]]; then
temp_avatar_file="${TMP_AVATAR_DIR}/$(printf '%s' "$avatar_url" | md5sum | cut -d ' ' -f 1)"
if ! [[ -f "$temp_avatar_file" ]]; then
if [[ "$weserv_avatar" == 'true' ]]; then
avatar_url="https://wsrv.nl/?url=$avatar_url&output=jpg"
fi
curl --silent --location --output "$temp_avatar_file" "$avatar_url"
fi
avatar_file="$temp_avatar_file"
fi
if [[ "$avatar_file" == 'null' ]]; then
variables_arr+=('-s' 'avatar=null')
else
variables_arr+=("avatar=%$avatar_file")
fi
make_query <(printf '%s' "$query") <(jo -- user=:<(jo -- "${variables_arr[@]}"))
}
create_user() {
local id="$1"
if user_exists "$id"; then
printf 'User "%s" already exists\n' "$id"
return
fi
# shellcheck disable=SC2016
local query='{"query":"mutation CreateUser($user: CreateUserInput!) {createUser(user: $user) {id creationDate}}","operationName":"CreateUser"}'
local response='' error=''
response="$(__common_user_mutation_query "$query" "$@")"
error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
if [[ -n "$error" ]]; then
printf '%s\n' "$error"
else
printf 'User "%s" successfully created\n' "$id"
fi
}
update_user() {
local id="$1"
if ! user_exists "$id"; then
printf 'User "%s" is not exists\n' "$id"
return
fi
# shellcheck disable=SC2016
local query='{"query":"mutation UpdateUser($user: UpdateUserInput!) {updateUser(user: $user) {ok}}","operationName":"UpdateUser"}'
local response='' error=''
response="$(__common_user_mutation_query "$query" "$@")"
error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
if [[ -n "$error" ]]; then
printf '%s\n' "$error"
else
printf 'User "%s" successfully updated\n' "$id"
fi
}
create_update_user() {
local id="$1"
if user_exists "$id"; then
update_user "$@"
else
create_user "$@"
fi
}
main() {
check_install_dependencies
check_required_env_vars
local user_config_files=("${USER_CONFIGS_DIR}"/*.json)
local group_config_files=("${GROUP_CONFIGS_DIR}"/*.json)
local user_schema_files=()
local group_schema_files=()
local file=''
[[ -d "$USER_SCHEMAS_DIR" ]] && for file in "${USER_SCHEMAS_DIR}"/*.json; do
user_schema_files+=("$file")
done
[[ -d "$GROUP_SCHEMAS_DIR" ]] && for file in "${GROUP_SCHEMAS_DIR}"/*.json; do
group_schema_files+=("$file")
done
if ! check_configs_validity "${group_config_files[@]}" "${user_config_files[@]}" "${group_schema_files[@]}" "${user_schema_files[@]}"; then
exit 1
fi
until curl --silent -o /dev/null "$LLDAP_URL"; do
printf 'Waiting lldap to start...\n'
sleep 10
done
auth "$LLDAP_URL" "$LLDAP_ADMIN_USERNAME" "$LLDAP_ADMIN_PASSWORD"
printf -- '\n--- group schemas ---\n'
local group_schema_config_row=''
[[ ${#group_schema_files[@]} -gt 0 ]] && while read -r group_schema_config_row; do
local field='' name='' attributeType='' isEditable='' isList='' isVisible=''
for field in 'name' 'attributeType' 'isEditable' 'isList' 'isVisible'; do
declare "$field"="$(printf '%s' "$group_schema_config_row" | jq --raw-output --arg field "$field" '.[$field]')"
done
create_group_schema_property "$name" "$attributeType" "$isEditable" "$isList" "$isVisible"
done < <(jq --compact-output '.[]' -- "${group_schema_files[@]}")
printf -- '--- group schemas ---\n'
printf -- '\n--- user schemas ---\n'
local user_schema_config_row=''
[[ ${#user_schema_files[@]} -gt 0 ]] && while read -r user_schema_config_row; do
local field='' name='' attributeType='' isEditable='' isList='' isVisible=''
for field in 'name' 'attributeType' 'isEditable' 'isList' 'isVisible'; do
declare "$field"="$(printf '%s' "$user_schema_config_row" | jq --raw-output --arg field "$field" '.[$field]')"
done
create_user_schema_property "$name" "$attributeType" "$isEditable" "$isList" "$isVisible"
done < <(jq --compact-output '.[]' -- "${user_schema_files[@]}")
printf -- '--- user schemas ---\n'
local redundant_groups=''
redundant_groups="$(get_group_list | jq '[ .data.groups[].displayName ]' | jq --compact-output '. - ["lldap_admin","lldap_password_manager","lldap_strict_readonly"]')"
printf -- '\n--- groups ---\n'
local group_config=''
while read -r group_config; do
local group_name=''
group_name="$(printf '%s' "$group_config" | jq --raw-output '.name')"
create_group "$group_name"
redundant_groups="$(printf '%s' "$redundant_groups" | jq --compact-output --arg name "$group_name" '. - [$name]')"
done < <(jq --compact-output '.' -- "${group_config_files[@]}")
printf -- '--- groups ---\n'
printf -- '\n--- redundant groups ---\n'
if [[ "$redundant_groups" == '[]' ]]; then
printf 'There are no redundant groups\n'
else
local group_name=''
while read -r group_name; do
if [[ "$DO_CLEANUP" == 'true' ]]; then
delete_group "$group_name"
else
printf '[WARNING] Group "%s" is not declared in config files\n' "$group_name"
fi
done < <(printf '%s' "$redundant_groups" | jq --raw-output '.[]')
fi
printf -- '--- redundant groups ---\n'
local redundant_users=''
redundant_users="$(get_users_list | jq '[ .data.users[].id ]' | jq --compact-output --arg admin_id "$LLDAP_ADMIN_USERNAME" '. - [$admin_id]')"
TMP_AVATAR_DIR="$(mktemp -d)"
local user_config=''
while read -r user_config; do
local field='' id='' email='' displayName='' firstName='' lastName='' avatar_file='' avatar_url='' gravatar_avatar='' weserv_avatar='' password=''
for field in 'id' 'email' 'displayName' 'firstName' 'lastName' 'avatar_file' 'avatar_url' 'gravatar_avatar' 'weserv_avatar' 'password'; do
declare "$field"="$(printf '%s' "$user_config" | jq --raw-output --arg field "$field" '.[$field]')"
done
printf -- '\n--- %s ---\n' "$id"
create_update_user "$id" "$email" "$displayName" "$firstName" "$lastName" "$avatar_file" "$avatar_url" "$gravatar_avatar" "$weserv_avatar"
redundant_users="$(printf '%s' "$redundant_users" | jq --compact-output --arg id "$id" '. - [$id]')"
if [[ "$password" != 'null' ]] && [[ "$password" != '""' ]]; then
"$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id" --password "$password"
fi
local redundant_user_groups=''
redundant_user_groups="$(get_user_details "$id" | jq '[ .data.user.groups[].displayName ]')"
local group=''
while read -r group; do
if [[ -n "$group" ]]; then
add_user_to_group "$id" "$group"
redundant_user_groups="$(printf '%s' "$redundant_user_groups" | jq --compact-output --arg group "$group" '. - [$group]')"
fi
done < <(printf '%s' "$user_config" | jq --raw-output '.groups | if . == null then "" else .[] end')
local user_group_name=''
while read -r user_group_name; do
if [[ "$DO_CLEANUP" == 'true' ]]; then
remove_user_from_group "$id" "$user_group_name"
else
printf '[WARNING] User "%s" is not declared as member of the "%s" group in the config files\n' "$id" "$user_group_name"
fi
done < <(printf '%s' "$redundant_user_groups" | jq --raw-output '.[]')
printf -- '--- %s ---\n' "$id"
done < <(jq --compact-output '.' -- "${user_config_files[@]}")
rm -r "$TMP_AVATAR_DIR"
printf -- '\n--- redundant users ---\n'
if [[ "$redundant_users" == '[]' ]]; then
printf 'There are no redundant users\n'
else
local id=''
while read -r id; do
if [[ "$DO_CLEANUP" == 'true' ]]; then
delete_user "$id"
else
printf '[WARNING] User "%s" is not declared in config files\n' "$id"
fi
done < <(printf '%s' "$redundant_users" | jq --raw-output '.[]')
fi
printf -- '--- redundant users ---\n'
}
main "$@"

0
apps/lldap/bootstrap/group-configs.json
View File

20
apps/lldap/bootstrap/kustomization.yaml
View File

@@ -1,20 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./bootstrap-job.yaml
- ../../authelia/lldap.yaml
- ../../grafana/lldap.yaml
configMapGenerator:
- name: bootstrap
options:
annotations:
kustomize.toolkit.fluxcd.io/substitute: disabled
files:
- bootstrap.sh
secretGenerator:
- name: lldap-bootstrap-configs
files:
- user-configs.json
- group-configs.json

8
apps/lldap/bootstrap/user-configs.json
View File

@@ -1,8 +0,0 @@
{
"id": "dreaded_x",
"email": "tim@huizinga.dev",
"password": "JustATest",
"displayName": "Tim Huizinga",
"firstName": "Tim",
"lastName": "Huizinga"
}

19
apps/traefik-dashboard/ingress.yaml
View File

@@ -1,19 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: traefik
spec:
entryPoints:
- websecure
routes:
- match: Host(`traefik.${domain}`)
kind: Rule
middlewares:
- name: forwardauth-authelia
namespace: authelia
services:
- name: api@internal
kind: TraefikService
tls:
secretName: ${domain//./-}-tls

14
apps/whoami.yaml
View File

@@ -8,13 +8,6 @@ metadata:
spec: spec:
replicas: 2 replicas: 2
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
type: dummy
selector: selector:
matchLabels: matchLabels:
app: whoami app: whoami
@@ -23,6 +16,13 @@ spec:
labels: labels:
app: whoami app: whoami
spec: spec:
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: whoami
containers: containers:
- name: whoami - name: whoami
image: traefik/whoami image: traefik/whoami

19
clusters/titan.lan.huizinga.dev/apps.yaml
View File

@@ -5,7 +5,14 @@ metadata:
namespace: flux-system namespace: flux-system
spec: spec:
dependsOn: dependsOn:
- name: infra-configs - name: traefik
- name: authelia-controller
- name: lldap-controller
- name: cnpg
- name: dragonflydb
- name: rook-ceph-cluster
- name: akri
- name: lldap
decryption: decryption:
provider: sops provider: sops
secretRef: secretRef:
@@ -16,11 +23,11 @@ spec:
kind: GitRepository kind: GitRepository
name: flux-system name: flux-system
postBuild: postBuild:
substitute: substituteFrom:
domain: staging.huizinga.dev - kind: ConfigMap
# Specifically for authelia name: domain-vars
subdomain: .staging
topdomain: huizinga.dev
path: ./apps path: ./apps
prune: true prune: true
wait: true wait: true
# Uncomment this in case of disaster recovery
# suspend: true

62
clusters/titan.lan.huizinga.dev/apps/siranga.yaml Normal file
View File

@@ -0,0 +1,62 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: siranga
namespace: flux-system
spec:
interval: 1m0s
url: oci://git.huizinga.dev/dreaded_x/siranga/manifests
ref:
tag: edge
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: siranga
namespace: flux-system
spec:
interval: 15m
dependsOn:
- name: traefik
- name: letsencrypt
- name: lldap-controller
- name: authelia-controller
prune: true
timeout: 2m
sourceRef:
kind: OCIRepository
name: siranga
wait: true
postBuild:
substituteFrom:
- kind: ConfigMap
name: domain-vars
decryption:
provider: sops
secretRef:
name: sops-gpg
---
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
name: siranga
namespace: flux-system
spec:
type: github
address: https://git.huizinga.dev/dreaded_x/siranga
secretRef:
name: gitea
---
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
name: siranga
namespace: flux-system
spec:
providerRef:
name: siranga
eventSeverity: info
eventSources:
- kind: Kustomization
name: siranga
namespace: flux-system

30
clusters/titan.lan.huizinga.dev/apps/test-app.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: test-app
namespace: flux-system
spec:
interval: 1m0s
url: oci://git.huizinga.dev/dreaded_x/test-app/manifests
ref:
tag: latest
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: test-app
namespace: flux-system
spec:
interval: 15m
dependsOn:
- name: traefik
prune: true
timeout: 2m
sourceRef:
kind: OCIRepository
name: test-app
wait: true
postBuild:
substituteFrom:
- kind: ConfigMap
name: domain-vars

10
clusters/titan.lan.huizinga.dev/config-map-domain-vars.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: domain-vars
namespace: flux-system
data:
domain: staging.huizinga.dev
# Specifically for authelia
subdomain: .staging
topdomain: huizinga.dev

2089
clusters/titan.lan.huizinga.dev/flux-system/gotk-components.yaml
View File

File diff suppressed because it is too large Load Diff

14
clusters/titan.lan.huizinga.dev/infra/akri.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: akri
namespace: flux-system
spec:
interval: 15m
path: ./infra/akri
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true

24
clusters/titan.lan.huizinga.dev/infra/authelia-controller.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: authelia-controller
namespace: flux-system
spec:
interval: 1m0s
url: oci://git.huizinga.dev/dreaded_x/authelia-controller/manifests
ref:
tag: edge
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: authelia-controller
namespace: flux-system
spec:
interval: 15m
prune: true
timeout: 2m
sourceRef:
kind: OCIRepository
name: authelia-controller
wait: true

28
clusters/titan.lan.huizinga.dev/infra/authelia.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: authelia
namespace: flux-system
spec:
interval: 15m
path: ./infra/authelia
dependsOn:
- name: traefik
- name: cnpg
- name: dragonflydb
- name: kyverno-policies
- name: lldap-controller
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true
postBuild:
substituteFrom:
- kind: ConfigMap
name: domain-vars
decryption:
provider: sops
secretRef:
name: sops-gpg

14
clusters/titan.lan.huizinga.dev/infra/cert-manager.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager
namespace: flux-system
spec:
interval: 15m
path: ./infra/cert-manager
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true

16
clusters/titan.lan.huizinga.dev/infra/cnpg.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cnpg
namespace: flux-system
spec:
interval: 15m
path: ./infra/cnpg
dependsOn:
- name: topolvm
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true

25
clusters/titan.lan.huizinga.dev/infra/descheduler.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: descheduler
namespace: flux-system
spec:
interval: 15m0s
ref:
tag: v0.32.2
url: https://github.com/kubernetes-sigs/descheduler
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: descheduler
namespace: flux-system
spec:
interval: 15m
path: ./kubernetes/cronjob
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: descheduler
wait: true

28
clusters/titan.lan.huizinga.dev/infra/dragonflydb.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: dragonflydb
namespace: flux-system
spec:
interval: 15m0s
ref:
tag: v1.1.8
url: https://github.com/dragonflydb/dragonfly-operator
ignore: |
/*
!/manifests/dragonfly-operator.yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: dragonflydb
namespace: flux-system
spec:
interval: 15m
path: ./manifests
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: dragonflydb
wait: true

28
clusters/titan.lan.huizinga.dev/infra/external-snapshotter.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: external-snapshotter
namespace: flux-system
spec:
interval: 15m0s
ref:
tag: v8.2.0
url: https://github.com/kubernetes-csi/external-snapshotter
ignore: |
/*
!/client/config/crd/*
!/deploy/kubernetes/snapshot-controller/*
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: external-snapshotter
namespace: flux-system
spec:
interval: 15m
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: external-snapshotter
wait: true

48
clusters/titan.lan.huizinga.dev/infra/intel-device-plugins.yaml Normal file
View File

@@ -0,0 +1,48 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: intel-device-plugins
namespace: flux-system
spec:
interval: 15m0s
ref:
tag: v0.32.0
url: https://github.com/intel/intel-device-plugins-for-kubernetes
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: intel-node-feature-rules
namespace: flux-system
spec:
interval: 15m
path: ./deployments/nfd/overlays/node-feature-rules
dependsOn:
- name: node-feature-discovery
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: intel-device-plugins
wait: true
---
apiVersion: v1
kind: Namespace
metadata:
name: intel-device-plugins
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: intel-gpu-plugin
namespace: flux-system
spec:
interval: 15m
path: ./deployments/gpu_plugin/overlays/nfd_labeled_nodes
targetNamespace: intel-device-plugins
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: intel-device-plugins
wait: true

16
clusters/titan.lan.huizinga.dev/infra/kube-vip.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kube-vip
namespace: flux-system
spec:
interval: 15m
path: ./infra/kube-vip
dependsOn:
- name: kyverno-policies
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true

16
clusters/titan.lan.huizinga.dev/infra/kyverno-policies.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kyverno-policies
namespace: flux-system
spec:
interval: 15m
path: ./infra/kyverno-policies
dependsOn:
- name: kyverno
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true

14
clusters/titan.lan.huizinga.dev/infra/kyverno.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kyverno
namespace: flux-system
spec:
interval: 15m
path: ./infra/kyverno
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true

20
clusters/titan.lan.huizinga.dev/infra/letsencrypt.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: letsencrypt
namespace: flux-system
spec:
interval: 15m
path: ./infra/letsencrypt
dependsOn:
- name: cert-manager
prune: true
timeout: 10m
sourceRef:
kind: GitRepository
name: flux-system
wait: true
decryption:
provider: sops
secretRef:
name: sops-gpg

24
clusters/titan.lan.huizinga.dev/infra/lldap-controller.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: lldap-controller
namespace: flux-system
spec:
interval: 1m0s
url: oci://git.huizinga.dev/dreaded_x/lldap-controller/manifests
ref:
tag: edge
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: lldap-controller
namespace: flux-system
spec:
interval: 15m
prune: true
timeout: 2m
sourceRef:
kind: OCIRepository
name: lldap-controller
wait: true

26
clusters/titan.lan.huizinga.dev/infra/lldap.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: lldap
namespace: flux-system
spec:
interval: 15m
path: ./infra/lldap
dependsOn:
- name: traefik
- name: cnpg
- name: kyverno-policies
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true
postBuild:
substituteFrom:
- kind: ConfigMap
name: domain-vars
decryption:
provider: sops
secretRef:
name: sops-gpg

14
clusters/titan.lan.huizinga.dev/infra/node-feature-discovery-rules.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: node-feature-discovery-rules
namespace: flux-system
spec:
interval: 15m
path: ./infra/node-feature-discovery-rules
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true

14
clusters/titan.lan.huizinga.dev/infra/node-feature-discovery.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: node-feature-discovery
namespace: flux-system
spec:
interval: 15m
path: ./infra/node-feature-discovery
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true

20
clusters/titan.lan.huizinga.dev/infra/rook-ceph-cluster.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: rook-ceph-cluster
namespace: flux-system
spec:
interval: 15m
path: ./infra/rook-ceph-cluster
dependsOn:
- name: rook-ceph
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true
postBuild:
substituteFrom:
- kind: ConfigMap
name: domain-vars

14
clusters/titan.lan.huizinga.dev/infra/rook-ceph.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: rook-ceph
namespace: flux-system
spec:
interval: 15m
path: ./infra/rook-ceph
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true

16
clusters/titan.lan.huizinga.dev/infra/topolvm.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: topolvm
namespace: flux-system
spec:
interval: 15m
path: ./infra/topolvm
dependsOn:
- name: cert-manager
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true

16
clusters/titan.lan.huizinga.dev/infra/traefik-middleware.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: traefik-middleware
namespace: flux-system
spec:
interval: 15m
path: ./infra/traefik-middleware
dependsOn:
- name: traefik
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true

20
clusters/titan.lan.huizinga.dev/infra/traefik.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: traefik
namespace: flux-system
spec:
interval: 15m
path: ./infra/traefik
dependsOn:
- name: letsencrypt
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true
postBuild:
substituteFrom:
- kind: ConfigMap
name: domain-vars

20
clusters/titan.lan.huizinga.dev/infra/velero.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: velero
namespace: flux-system
spec:
interval: 15m
path: ./infra/velero
dependsOn:
- name: external-snapshotter
prune: true
timeout: 2m
sourceRef:
kind: GitRepository
name: flux-system
wait: true
decryption:
provider: sops
secretRef:
name: sops-gpg

50
clusters/titan.lan.huizinga.dev/infrastructure.yaml
View File

@@ -1,50 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-controllers
namespace: flux-system
spec:
decryption:
provider: sops
secretRef:
name: sops-gpg
interval: 1h
retryInterval: 1m
timeout: 5m
sourceRef:
kind: GitRepository
name: flux-system
path: ./infrastructure/controllers
prune: true
wait: true
patches:
- patch: |
- op: add
path: /spec/values/service/spec/loadBalancerIP
value: 10.0.2.2
target:
kind: HelmRelease
name: traefik
namespace: traefik
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-configs
namespace: flux-system
spec:
dependsOn:
- name: infra-controllers
decryption:
provider: sops
secretRef:
name: sops-gpg
interval: 1h
retryInterval: 1m
timeout: 5m
sourceRef:
kind: GitRepository
name: flux-system
path: ./infrastructure/configs
prune: true
wait: true

91
clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.app.enp3s0.yaml
View File

@@ -1,91 +0,0 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/name: kube-vip-ds
app.kubernetes.io/version: v0.8.3
name: kube-vip-ds-enp3s0
namespace: kube-system
spec:
selector:
matchLabels:
app.kubernetes.io/name: kube-vip-ds
template:
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/name: kube-vip-ds
app.kubernetes.io/version: v0.8.3
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/master
operator: Exists
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: Exists
nodeSelector:
vip_interface: enp3s0
containers:
- args:
- manager
env:
- name: vip_arp
value: "true"
- name: port
value: "6443"
- name: vip_nodename
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: vip_interface
value: enp3s0
- name: vip_cidr
value: "32"
- name: dns_mode
value: first
- name: cp_enable
value: "true"
- name: cp_namespace
value: kube-system
- name: svc_enable
value: "true"
- name: svc_election
value: "true"
- name: svc_leasename
value: plndr-svcs-lock
- name: vip_leaderelection
value: "true"
- name: vip_leasename
value: plndr-cp-lock
- name: vip_leaseduration
value: "5"
- name: vip_renewdeadline
value: "3"
- name: vip_retryperiod
value: "1"
- name: address
value: 10.0.2.1
- name: prometheus_server
value: :2112
image: ghcr.io/kube-vip/kube-vip:v0.8.3
imagePullPolicy: IfNotPresent
name: kube-vip
resources: {}
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
hostNetwork: true
serviceAccountName: kube-vip
tolerations:
- effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
updateStrategy: {}

9
clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.config.yaml
View File

@@ -1,9 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: kubevip
namespace: kube-system
data:
# 10.0.2.1 is reserved for control plane
# 10.0.2.2 is reserved for traefik
range-global: 10.0.2.3-10.0.2.254

8
clusters/titan.lan.huizinga.dev/kube-vip/kustomization.yaml
View File

@@ -1,8 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- kube-vip.rbac.yaml
- kube-vip.app.enp3s0.yaml
- kube-vip.app.enp2s0.yaml
- https://raw.githubusercontent.com/kube-vip/kube-vip-cloud-provider/refs/tags/v0.0.10/manifest/kube-vip-cloud-controller.yaml
- kube-vip.config.yaml

54
clusters/titan.lan.huizinga.dev/secret-gitea.yaml Normal file
View File

@@ -0,0 +1,54 @@
apiVersion: v1
data:
token: ENC[AES256_GCM,data:Rk5TRkrzTZPQSJ+rpW+VElb2DsEwWeeJ1vY3EI/62dmzZ3lbH9KYOQ==,iv:ZJ9HMSwIuc1nBvTBbWmz1Vw5mqbxAJJhkNXdmpTGGqs=,tag:fGgH+rRlRZ/N8Ch8WVJOVQ==,type:str]
kind: Secret
metadata:
name: gitea
namespace: flux-system
sops:
lastmodified: "2025-04-22T11:56:49Z"
mac: ENC[AES256_GCM,data:rH0bntYg5eZYiDzw3su6Bsv+MwO+fxRVuc45hORJK1WrqxnzRXhCN0I7f7LXZdMRVhcDTa+mCUY1nOM4Ay4Knt+QwBhKyeLXb6EyBokSYiTpjmtg3Lz/A98S10J64VgP7GMqE/zhlyxdCqnEDoYfTfWSEF4olSZaALMyuzLddxg=,iv:dR6TCn9ErLdu/hDNXKp5vPVolOtob7gedpeGAl7+O5c=,tag:s3b4XG+xKc6BpwPQXxBfJA==,type:str]
pgp:
- created_at: "2025-04-22T11:56:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA7pKPTYH5bqOARAAioWyCnKFGD/5XeH++ulmfannJcwuFbiJ+jyoYxbmbxZK
egOXaOg9jkw+FuKy+u/5QNFZAgL4Ju3dMOyeBuZXGAgchVoDuqFANj7sXMhUnBkc
BuKLs/ob5U2KUD2YU+fFQd4XZfOepPGZF9qNwl4wttUxhawzQ66G49j23B8bxe1E
0Isddm7SCzF0OJOogaJ1rh9ylfzwlBW0PaBhBaIlNs+PIUJW7URWouDJnWh+jBvE
qT8brYP7gb+Tl9lNihJdPLG32jiYhQxueIkm6BqSUQlU+yW/q8RUhp4+hLAaSOvC
vTx1qqhn9ipZWG+EgPatUtV2gW0U9jOPRAstC1/zUe6UljIuQAEDx844j1sfmKxl
1bPdl1790V2bDDvDX4zeRAR6N6lzNkfYd02ZvWVKkUr3dTCfn/dJ6LM39tfZNeh2
WKnIN/PoxPL2srD9QRQmVPBqoLJrBKs1v1jWBEfMdT75H8e4CHu69o0FCzxLi/Ty
/2Hz9zIyBlPsyUA6EHjmccnjE2dVkmgRcaQbhEaYMtM7pyECoCfixGdpgV+7iM6L
PnYVusFueMVX80HYoNl4/ZXf+1U5/aW3mnSgK8+4uX8m4/MqGi4tvYT/QdOUkEvS
kXSsfok5yBcYdoqUJl6N/gfP9Z9R6WqrCL4p98t2BiLpcu6TZnsP0ruJlRlzTjLU
ZgEJAhATXTi3So37vsc8TqTDXqkJjrwxk9k4cGfwd8PWFvuS+xzdKGA/vcU6jXCD
CQrTnQ2i6jZBi0L5FLunhG86BOSLs5GEhuO6PPjkyyJNbcX/Uh6hjzgwdElr14Qo
P7QnueJTiw==
=AMPG
-----END PGP MESSAGE-----
fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
- created_at: "2025-04-22T11:56:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA51kG++kLewoAQ//b3JTskIOENHA1W8uE5jqsyxPDVMJuXQNoHe2u0264kS8
i2sC7SZa/Le98J9Gsl97CpA7xXVIcOWhma+6PTzrsaonn//nJyuh8YOfWAb/ZF4o
ijtd7etTLcA9Hb1iRUek5oD7tXWiGhl+ROR3xd7Al+nzQmTpvHju+HFWJboWA7RC
6PkusF1UAe39ZhZwxX2Hh8XdFfQdcrtFNIp7+TjMCO2Im54aBTRKLrz7aHlrjrgN
tie1RAdDwEqZ0Zoh3jezpkQW+9aKtkTtiG5BLmQYhVPUN5GTKMMwKoiYNMEdNUWx
s9SXiepDc9ZbdjiwGUig9pmuaKrPTSRh6kbmAWHyMKfwG4WZSgbh9gW0sU69rLdQ
onaGRkIS87If6AgE0dCxOgcNZEiUQE1Rj8Ie/XtR6ufKNUdSAsbJSoKIja4MQdKl
1BM2YJ5eD52e2J0XJJgLchW0nf7C+3Sil/wIRvU0k/lMniMHvXjWGfY5/v2TUF3Y
R3Ng6KsaaIRGW5pWzAA5vBDjOlDaPdWYvWd+ZZ96cd0ToxgMpEDLGOBAOhBZGP95
knqqsVTKswD3vy5h5bwevTxRdrPsmD+g26SbLZDYllRklNasGgfcf0CBydcftUHo
ePHC1ThKpC0Eb80fxLvAyyW+O8LjqjGWK+q7pVGE8eZ7B5XGQRSfzQRuNmc1aIjS
XAGtAlz0mJffgqHnOW++8CZjiUKWb5iSJuMqBcGPMuqz9nLBAP/n4/vw6nH4irAF
qL1fkj4yurE7yMmBjYEWi+I+D66g6xpKvEWTyDGeiiqUD8nZXGojT7bWz072
=zIA5
-----END PGP MESSAGE-----
fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
encrypted_regex: ^(data|stringData)$
version: 3.10.1

4
common/dragonflydb/kustomization.yaml
View File

@@ -1,4 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1alpha1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Component kind: Kustomization
resources: resources:
- ./database.yaml - ./database.yaml

7
common/name-reference/helm-release.yaml Normal file
View File

@@ -0,0 +1,7 @@
# This makes sure the field in the HelmRelease is recognized as a ConfigMap
nameReference:
- kind: ConfigMap
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease

60
common/postgres/b2-access-key.yaml
View File

@@ -1,60 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: b2-access-key
type: Opaque
data:
ACCESS_KEY_ID: ENC[AES256_GCM,data:YpYkexRxH4mVyufrS/Blw3PSrU9H1eO3O6urN9tCZvYBenp7,iv:1ka5Otp0u4HJ5WC3yj+YJLAQC0Cy8Y2vWGqxLSaAGfM=,tag:8SKOcUoUuOWLm0Na2r7Hfw==,type:str]
ACCESS_SECRET_KEY: ENC[AES256_GCM,data:8Q2QsCpe/yiWmETVnIROJe0uiY7gMzQF4e8PiaF2vAgqkNq/oT8ku21bWCQ=,iv:635wzxp/XJ0zoxw9n63km38LdqDcebfU/ltLzN/bHPc=,tag:nGfKtpf8qzNyO3bDbbtn/A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-11-15T01:21:23Z"
mac: ENC[AES256_GCM,data:K8ATLj5nZfibvMPXR3ls7zXav0IVxSajyeFb/Qs/P3pPfHQ1p5ZRWaWTuNAFST04ynZ5BOcZyZCi9niMSZOGYBnDtOiJQAT1t3RxYS6j2X2HDX+nFTW6e4uDSOZMWk1poLP5lgBRvYxjsaco6X9F0hdvF7T7xvm7IHbHY7HAckg=,iv:C/bCoZKYy8gudmH8D/5R/MWlkC1ORlWZIvntjqt2dRk=,tag:yJsg7jj6p066CDzPXntOzA==,type:str]
pgp:
- created_at: "2024-10-10T22:08:04Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA7pKPTYH5bqOAQ/+MJi/46q5TyjE0mqUfgmx90mYGchNQCvOHOdZJT2E2s2Z
DbqyrI5Bx+EauTl4eYhlMS9Xza/mL5I99GX/49FRpgvfmCwbM/aeOdq/CPWE771n
iylxE6uj0VVQGCazcO84Gg8CUxW3+dtNBbIUQYRxmQST6Pbg/lrmlXF5wDUfEueT
5FkfOZA7py3TyxUB4tcFA13e10CRFC1a7KHvfZm4ISs/1L97tsr0aZNgwCmHZodO
5fcm6poWtXEo16N/4XC8CI0z7unqNVRSgvpvVBHCvULkq4abznho2abkForNNkvv
GaN1Zcq8GIclVexMxaSC0M7BFfOdhmCDXuOdkKP/K1etL9UGGBdo7g5WJ7eqAiKN
Xs43VRijJsltIrTui/0s8zVIRzLfxTYGR2JtSnLuFaMGkKAijR34RsC9hXol+OB1
OAxGVzGfAR8wdgmShV9SPSOl3CtT6317YGuzjzkSbryJ2oYqR4zjV9jXgIEtuDZF
r6RITshhvata0w+e6tHSMYmnsF9YD4LbpGQmLm7r/A5ibBsE/2ZoUGBxNrb68YW1
vQmD2Ywv/Soe4f2Vj7vXJewrrJ1F0NPV/43sxl9lZB9JVMC6c8pMv7hndVq7dofn
dbqVXXeGd+Os/5X0P2yjlJYBjrMpFsg2tNi5dA5gUJ9uXqzNtSFx7ma9uJ4sX3zU
ZgEJAhDRzwccDHXa3D3+FBVJFbwN80G30Z6hS225mpIrBXqkElDH8hGs7KGkdIP5
O6CcZKt+j2R+40J0iJIcy1s211qgkzzDgtUaM1yAlVM8t3JpnykjhLp8mMzytOC1
rag4GdeG4Q==
=9TAG
-----END PGP MESSAGE-----
fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
- created_at: "2024-10-10T22:08:04Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA51kG++kLewoAQ//fPw1ZgguXCZSLBnl4J/d4IZok6l4TdnbySDOKTOnZUi0
xyDusr9kdrEdDb4nYUT3PBrxEC2DsKDIJJSwUgLTZB6moIJgHPa51qermyGgqhKU
c4vyYCMKAJyS6rOoU5fsPb+kJS52ltBLEmyO7JndM32CFmfyq4iwphNcheJE7qFW
xBmEtsJBPh4P1ysFQtG0DH8iroAYvsI4HLJw6+pdy/rI3zu3LDmiOnEidGz685BB
gbYj+bJV2gIBGdSWqsjuAJh37dfP9143Hwvz57raA+uqVPtaTaywGuEyDE7E8B7U
LdxATRKDdRp9+ytdn+UBeZQPYolKhv2bOgm4tzBq/VGmm/11nZbXyv69vgooOqnf
YYPg3VGnqpaGmxy94EFuLCWvD0ZO7rMQMOoz0vZRHGNYsye2tUOF/F6eIzhehh3+
AhGSrGDZa5HM41dLsTrNnb8YbzGKqljVJyWvORfIniW6RONIuFrz3/Pe4jjnM+Dm
Y8z033SmAm5JT2Jhc/tb9LvYbVQzfrUWImh9qcVGOU5RqvB13VOCaNHmt33crMjg
KFMhBJ5F3ftqe3JiK+6KOuS9g2wd3M5VM5qLHBLr7qTDb5q/JKsBIY7AcLsVyYNx
T3OynFuAkiYVTe4CuXCSrbVPXd9XkV/dDdQh+5ZR8nxo0/TkpnAwwGdh9hFsOtLS
XAEXagTFsM3Cl3T45ehYSPt6oyfx5dwKkQ8wxaqSWIkrvTla/ofOD9xemsBfYNku
b9vLFfbry8J+p5H9fEtS9/co4xYmajP/Mzq54JflEHqt/ej0MTxnNB5m+a45
=CFmy
-----END PGP MESSAGE-----
fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
encrypted_regex: ^(data|stringData)$
version: 3.9.0

14
common/postgres/cluster.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: postgres
spec:
instances: 2
storage:
size: 8Gi
storageClass: topolvm-provisioner
affinity:
topologyKey: kubernetes.io/hostname
podAntiAffinityType: required

35
common/postgres/database.yaml
View File

@@ -1,35 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: -db
spec:
chart:
spec:
chart: cluster
reconcileStrategy: ChartVersion
sourceRef:
kind: HelmRepository
name: cnpg
namespace: cnpg-system
version: 0.0.11
interval: 1m0s
values:
type: postgresql
mode: standalone
cluster:
instances: 2
affinity:
topologyKey: kubernetes.io/hostname
podAntiAffinityType: required
storage:
storageClass: piraeus-storage
backups:
enabled: true
provider: s3
endpointURL: https://s3.us-west-002.backblazeb2.com
s3:
bucket: titan-k3s-backup
path: /postgres
secret:
create: false
name: b2-access-key

9
common/postgres/kustomization.yaml
View File

@@ -1,7 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1alpha1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Component kind: Kustomization
resources: resources:
- ./database.yaml - ./cluster.yaml
- ./b2-access-key.yaml
replacements:
- path: replacement.yaml

12
common/postgres/replacement.yaml
View File

@@ -1,12 +0,0 @@
source:
kind: Namespace
fieldPath: metadata.name
targets:
- select:
kind: HelmRelease
name: -db
fieldPaths:
- metadata.name
options:
delimiter: "-"
index: 0

18
infra/akri/helm-release.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: akri
spec:
chart:
spec:
chart: akri
reconcileStrategy: ChartVersion
sourceRef:
kind: HelmRepository
name: akri
version: 0.13.8
interval: 15m
timeout: 5m
valuesFrom:
- kind: ConfigMap
name: akri-values

8
infra/akri/helm-repository.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: akri
spec:
interval: 15m
timeout: 2m
url: https://project-akri.github.io/akri/

15
infra/akri/kustomization.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: akri
resources:
- ./namespace.yaml
- ./helm-repository.yaml
- ./helm-release.yaml
configurations:
- ../../common/name-reference/helm-release.yaml
configMapGenerator:
- name: akri-values
files:
- ./values.yaml

4
infra/akri/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: akri

3
infra/akri/values.yaml Normal file
View File

@@ -0,0 +1,3 @@
udev:
discovery:
enabled: true

17
infra/authelia/helm-release.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: authelia
spec:
chart:
spec:
chart: authelia
reconcileStrategy: ChartVersion
sourceRef:
kind: HelmRepository
name: authelia
version: 0.9.16
interval: 15m
valuesFrom:
- kind: ConfigMap
name: authelia-values

0
apps/authelia/repository.yaml → infra/authelia/helm-repository.yaml
View File

18
infra/authelia/kustomization.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: authelia
resources:
- ./namespace.yaml
- ./helm-repository.yaml
- ./helm-release.yaml
- ./service-user.yaml
- ../../common/postgres
- ../../common/dragonflydb
configurations:
- ../../common/name-reference/helm-release.yaml
configMapGenerator:
- name: authelia-values
files:
- ./values.yaml

0
apps/authelia/namespace.yaml → infra/authelia/namespace.yaml
View File

5
infra/authelia/service-user.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: lldap.huizinga.dev/v1
kind: ServiceUser
metadata:
name: authelia
spec: {}

69
infra/authelia/values.yaml Normal file
View File

@@ -0,0 +1,69 @@
pod:
kind: Deployment
replicas: 2
ingress:
enabled: true
tls:
enabled: true
secret: ${domain//./-}-tls
traefikCRD:
enabled: true
entryPoints:
- websecure
secret:
additionalSecrets:
postgres-app:
key: postgres-app
authelia-lldap-credentials:
key: authelia-lldap-credentials
configMap:
log:
level: debug
authentication_backend:
ldap:
enabled: true
implementation: lldap
address: ldap://lldap.lldap.svc.cluster.local:3890
base_dn: dc=huizinga,dc=dev
additional_users_dn: ou=people
users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
additional_groups_dn: ou=groups
groups_filter: "(member={dn})"
attributes:
display_name: displayName
username: uid
group_name: cn
mail: mail
user: uid=authelia.authelia,ou=people,dc=huizinga,dc=dev
password:
secret_name: authelia-lldap-credentials
path: password
session:
cookies:
- subdomain: login${subdomain}
domain: ${topdomain}
redis:
enabled: true
host: dragonflydb.authelia
storage:
postgres:
enabled: true
address: tcp://postgres-rw.authelia:5432
database: app
username: app
password:
secret_name: postgres-app
path: password
notifier:
filesystem:
enabled: true
access_control:
secret:
existingSecret: authelia-acl

18
infra/cert-manager/helm-release.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
spec:
chart:
spec:
chart: cert-manager
reconcileStrategy: ChartVersion
sourceRef:
kind: HelmRepository
name: jetstack
version: v1.16.4
interval: 15m
timeout: 5m
valuesFrom:
- kind: ConfigMap
name: cert-manager-values

8
infra/cert-manager/helm-repository.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: jetstack
spec:
interval: 15m
timeout: 2m
url: https://charts.jetstack.io

15
infra/cert-manager/kustomization.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager
resources:
- ./namespace.yaml
- ./helm-repository.yaml
- ./helm-release.yaml
configurations:
- ../../common/name-reference/helm-release.yaml
configMapGenerator:
- name: cert-manager-values
files:
- ./values.yaml

4
infra/cert-manager/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager

14
infra/cert-manager/values.yaml Normal file
View File

@@ -0,0 +1,14 @@
installCRDs: true
replicaCount: 2
webhook:
replicaCount: 2
cainjector:
replicaCount: 2
extraArgs:
- --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
- --dns01-recursive-nameservers-only
podDnsPolicy: None
podDnsConfig:
nameservers:
- "1.1.1.1"
- "9.9.9.9"

18
infra/cnpg/helm-release.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cnpg
spec:
chart:
spec:
chart: cloudnative-pg
reconcileStrategy: ChartVersion
sourceRef:
kind: HelmRepository
name: cnpg
version: 0.22.0
interval: 15m
timeout: 5m
valuesFrom:
- kind: ConfigMap
name: cnpg-values

8
infra/cnpg/helm-repository.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cnpg
spec:
interval: 15m
timeout: 2m
url: https://cloudnative-pg.github.io/charts

14
infra/cnpg/kustomization.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cnpg-system
resources:
- ./namespace.yaml
- ./helm-repository.yaml
- ./helm-release.yaml
configurations:
- ../../common/name-reference/helm-release.yaml
configMapGenerator:
- name: cnpg-values
files:
- ./values.yaml

4
infra/cnpg/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: cnpg-system

1
infra/cnpg/values.yaml Normal file
View File

@@ -0,0 +1 @@
replicaCount: 2

12
infra/kube-vip/cluster-role-binding.yaml Normal file
View File

@@ -0,0 +1,12 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: system:kube-vip-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-vip-role
subjects:
- kind: ServiceAccount
name: kube-vip
namespace: kube-system

25
clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.rbac.yaml → infra/kube-vip/cluster-role.yaml
View File

@@ -1,9 +1,3 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-vip
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
@@ -16,26 +10,13 @@ rules:
verbs: ["update"] verbs: ["update"]
- apiGroups: [""] - apiGroups: [""]
resources: ["services", "endpoints"] resources: ["services", "endpoints"]
verbs: ["list","get","watch", "update"] verbs: ["list", "get", "watch", "update"]
- apiGroups: [""] - apiGroups: [""]
resources: ["nodes"] resources: ["nodes"]
verbs: ["list","get","watch", "update", "patch"] verbs: ["list", "get", "watch", "update", "patch"]
- apiGroups: ["coordination.k8s.io"] - apiGroups: ["coordination.k8s.io"]
resources: ["leases"] resources: ["leases"]
verbs: ["list", "get", "watch", "update", "create"] verbs: ["list", "get", "watch", "update", "create"]
- apiGroups: ["discovery.k8s.io"] - apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"] resources: ["endpointslices"]
verbs: ["list","get","watch", "update"] verbs: ["list", "get", "watch", "update"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: system:kube-vip-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-vip-role
subjects:
- kind: ServiceAccount
name: kube-vip
namespace: kube-system

7
infra/kube-vip/config-map-kubevip.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: kubevip
data:
# Can't use cidr-range as 10.0.2.1 is reserved for the control plane
range-global: 10.0.2.2-10.0.2.254

32
clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.app.enp2s0.yaml → infra/kube-vip/daemon-set.yaml
View File

@@ -1,22 +1,19 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
creationTimestamp: null
labels: labels:
app.kubernetes.io/name: kube-vip-ds app.kubernetes.io/name: kube-vip
app.kubernetes.io/version: v0.8.3 app.kubernetes.io/version: v0.9.0
name: kube-vip-ds-enp2s0 name: kube-vip
namespace: kube-system
spec: spec:
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: kube-vip-ds app.kubernetes.io/name: kube-vip
template: template:
metadata: metadata:
creationTimestamp: null
labels: labels:
app.kubernetes.io/name: kube-vip-ds app.kubernetes.io/name: kube-vip
app.kubernetes.io/version: v0.8.3 app.kubernetes.io/version: v0.9.0
spec: spec:
affinity: affinity:
nodeAffinity: nodeAffinity:
@@ -28,8 +25,9 @@ spec:
- matchExpressions: - matchExpressions:
- key: node-role.kubernetes.io/control-plane - key: node-role.kubernetes.io/control-plane
operator: Exists operator: Exists
nodeSelector: - matchExpressions:
vip_interface: enp2s0 - key: feature.node.kubernetes.io/network-adapter
operator: Exists
containers: containers:
- args: - args:
- manager - manager
@@ -43,8 +41,10 @@ spec:
fieldRef: fieldRef:
fieldPath: spec.nodeName fieldPath: spec.nodeName
- name: vip_interface - name: vip_interface
value: enp2s0 valueFrom:
- name: vip_cidr fieldRef:
fieldPath: metadata.annotations['feature.node.kubernetes.io/network-adapter']
- name: vip_subnet
value: "32" value: "32"
- name: dns_mode - name: dns_mode
value: first value: first
@@ -72,7 +72,9 @@ spec:
value: 10.0.2.1 value: 10.0.2.1
- name: prometheus_server - name: prometheus_server
value: :2112 value: :2112
image: ghcr.io/kube-vip/kube-vip:v0.8.3 - name: enableUPNP
value: "true"
image: ghcr.io/kube-vip/kube-vip:v0.9.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: kube-vip name: kube-vip
resources: {} resources: {}
@@ -81,6 +83,8 @@ spec:
add: add:
- NET_ADMIN - NET_ADMIN
- NET_RAW - NET_RAW
drop:
- ALL
hostNetwork: true hostNetwork: true
serviceAccountName: kube-vip serviceAccountName: kube-vip
tolerations: tolerations:

11
infra/kube-vip/kustomization.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
- ./service-account.yaml
- ./cluster-role.yaml
- ./cluster-role-binding.yaml
- ./daemon-set.yaml
- https://raw.githubusercontent.com/kube-vip/kube-vip-cloud-provider/refs/tags/v0.0.11/manifest/kube-vip-cloud-controller.yaml
- ./config-map-kubevip.yaml

4
infra/kube-vip/service-account.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-vip

37
infra/kyverno-policies/kube-vip-network-adapter.yaml Normal file
View File

@@ -0,0 +1,37 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
name: kube-vip-network-adapter
annotations:
pod-policies.kyverno.io/autogen-controllers: none
policies.kyverno.io/title: Kube VIP adapter label
policies.kyverno.io/category: Other
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.10.0
policies.kyverno.io/minversion: 1.10.0
kyverno.io/kubernetes-version: "1.26"
spec:
background: false
rules:
- name: add-network-adapter-annotation
match:
any:
- resources:
kinds:
- Pod/binding
names:
- kube-vip-*
context:
- name: node
variable:
jmesPath: request.object.target.name
default: ""
- name: adapter
apiCall:
urlPath: "/api/v1/nodes/{{node}}"
jmesPath: 'metadata.labels."feature.node.kubernetes.io/network-adapter" || "empty"'
mutate:
patchStrategicMerge:
metadata:
annotations:
feature.node.kubernetes.io/network-adapter: "{{ adapter }}"

4
infra/kyverno-policies/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./kube-vip-network-adapter.yaml

17
infra/kyverno/helm-release.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: kyverno
spec:
chart:
spec:
chart: kyverno
reconcileStrategy: ChartVersion
sourceRef:
kind: HelmRepository
name: kyverno
version: 3.3.7
interval: 15m
valuesFrom:
- kind: ConfigMap
name: kyverno-values

7
infra/kyverno/helm-repository.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: kyverno
spec:
interval: 15m
url: https://kyverno.github.io/kyverno/

15
infra/kyverno/kustomization.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kyverno
resources:
- ./namespace.yaml
- ./helm-repository.yaml
- ./helm-release.yaml
configurations:
- ../../common/name-reference/helm-release.yaml
configMapGenerator:
- name: kyverno-values
files:
- ./values.yaml

4
infra/kyverno/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: kyverno

62
infra/kyverno/values.yaml Normal file
View File

@@ -0,0 +1,62 @@
admissionController:
replicas: 2
rbac:
clusterRole:
extraResources:
- apiGroups:
- ""
resources:
- "nodes"
verbs:
- get
- apiGroups:
- ""
resources:
- "secret"
verbs:
- get
- create
backgroundController:
replicas: 2
rbac:
clusterRole:
extraResources:
- apiGroups:
- ""
resources:
- "secrets"
verbs:
- get
- update
- apiGroups:
- "apps"
resources:
- "deployments"
verbs:
- update
cleanupController:
replicas: 2
reportsController:
replicas: 2
rbac:
clusterRole:
extraResources:
- apiGroups:
- ""
resources:
- "secrets"
- "pods/binding"
verbs:
- get
- list
- watch
config:
webhooks:
namespaceSelector:
matchExpressions: []
resourceFiltersExclude:
- "[Binding,*,*]"
- "[Pod/binding,*,*]"
- "[*/*,kube-system,*]"

14
infra/letsencrypt/certificate-huizinga-dev.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: huizinga-dev
namespace: letsencrypt
spec:
secretName: huizinga-dev-tls
issuerRef:
name: letsencrypt
kind: ClusterIssuer
commonName: "huizinga.dev"
dnsNames:
- "huizinga.dev"
- "*.huizinga.dev"

14
infra/letsencrypt/certificate-staging-huizinga-dev.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: staging-huizinga-dev
namespace: letsencrypt
spec:
secretName: staging-huizinga-dev-tls
issuerRef:
name: letsencrypt
kind: ClusterIssuer
commonName: "staging.huizinga.dev"
dnsNames:
- "staging.huizinga.dev"
- "*.staging.huizinga.dev"

4
infrastructure/configs/cluster-issuers.yaml → infra/letsencrypt/cluster-issuer.yaml
View File

@@ -13,5 +13,5 @@ spec:
cloudflare: cloudflare:
email: tim.huizinga@gmail.com email: tim.huizinga@gmail.com
apiTokenSecretRef: apiTokenSecretRef:
name: cloudflare-token-secret name: cloudflare-token
key: cloudflare-token key: token

8
infra/letsencrypt/kustomization.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./secret-cloudflare-token.yaml
- ./cluster-issuer.yaml
- ./certificate-staging-huizinga-dev.yaml
- ./certificate-huizinga-dev.yaml

4
infra/letsencrypt/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: letsencrypt

Some files were not shown because too many files have changed in this diff Show More