badhouseplants/k8s-cluster-config
Archived
4
0
Fork 0
Code Issues 6 Pull Requests 1 Actions Packages Projects Releases Activity

Huge upgraqde to everything

Browse Source
This commit is contained in:
Nikolai Rodionov 2024-06-15 12:20:06 +02:00
parent 10d7936625
commit 6c83d67c9c
Signed by: allanger
GPG Key ID: 0AA46A90E25592AD
27 changed files with 619 additions and 323 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
badhouseplants/helmfile.yaml
View File

@ -10,20 +10,13 @@ releases:
installed: true
- <<: *cilium
installed: true
- <<: *local-path-provisioner
- <<: *zot
installed: true
- <<: *chartmuseum
installed: false
- <<: *keel
- <<: *drone
installed: true
namespace: drone-service
createNamespace: false
- <<: *drone-runner-docker
installed: true
namespace: drone-service
createNamespace: false
- <<: *traefik
- <<: *argocd
installed: true
@ -45,21 +38,6 @@ releases:
namespace: funkwhale-application
createNamespace: false
- <<: *prometheus
installed: true
namespace: monitoring-system
createNamespace: true
- <<: *loki
installed: false
namespace: monitoring-system
createNamespace: false
- <<: *promtail
installed: true
namespace: monitoring-system
createNamespace: false
- <<: *bitwarden
installed: false
namespace: bitwarden-application
@ -95,16 +73,15 @@ releases:
namespace: woodpecker-ci
createNamespace: true
- <<: *istio-gateway-resources
installed: true
namespace: istio-system
createNamespace: false
- <<: *vaultwarden
createNamespace: true
installed: true
namespace: vaultwarden-application
- <<: *vaultwardentest
createNamespace: false
installed: true
namespace: applications
- <<: *openvpn-xor
installed: true
@ -113,12 +90,7 @@ releases:
- <<: *docker-mailserver
installed: true
namespace: mail-service
createNamespace: true
- <<: *tandoor
installed: false
namespace: tandoor-application
namespace: applications
createNamespace: true
- <<: *mailu

27
badhouseplants/values/secrets.vaultwardentest.yaml Normal file
View File

@ -0,0 +1,27 @@
vaultwarden:
smtp:
username: ENC[AES256_GCM,data:9bEvyZkXadW7Hx2iW6ByPDdnuIFPkeoUjoOyoQ==,iv:Y5M/16L16AWXeaWyKCSsV/c/l9JXmNzx/IsLBmMJuGg=,tag:nFN1ZssjtqZOG8Gvka9f3A==,type:str]
password:
value: ENC[AES256_GCM,data:CF2VgDpxlwHmvCDJhx0GDLT/yyw=,iv:t8JwQFeK9Te2zVdg+gPdMlh1E5g0vMG+ApAGKbGZ4WI=,tag:7UJuxFqS/hUTVunv0CJcTw==,type:str]
adminToken:
value: ENC[AES256_GCM,data:lrb99F1zn7AWlAttShQGGyMz5Ds=,iv:nas5hzd/XMQWFA2pTaTDkqXReoToBulf6s7tZraxM3s=,tag:UH/AXIWKbZOmu/W8XyuWNw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhLzVRdW5ITFJmWHE5dkRr
R3pGbTh3UmFTTXR4VVVGRjlSUURudmxwM1hjCk16U3BKYkZTcmdwaFZtcTZNYk9C
M0ZBZk52bDBuNWZwa21SMU1mSnhmWEUKLS0tIGZVV01KQ3Z6OGltN1RFSks5MVJI
a2xWUGZpMmovY1Qya05nVXRZVUFDTFEKhF34OSdGZizs1/Rs9qvUOVtomQBvOFbS
hRsK3Orwig4HJdzj1UOZd8UMGwj6Mzhw+aKUJKL67igMwxbxVcaU1Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-06T15:15:43Z"
mac: ENC[AES256_GCM,data:9GsJoDWT1Onv6f8aUcwkbeTcpr0vF2MIgtJjKTbvvPHhzVeVev4FPFZ5R0YQXD1CmQycu/rnElktohgu9Xwum3j4hfs8Ga2qDqOk6heleBcptXDYwcBUAxg8QD5NNAkefsq5oJi+QsdD0nOeRjG6o5XYRccyoFiucTcpT9eASzw=,iv:7UJzUShRD+tzhIEeKygZlgaWHOYOS+L2Io69K0xW2MM=,tag:alOPQPbM6cex7kgQv8mqQQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

33
badhouseplants/values/values.argocd.yaml
View File

@ -1,18 +1,4 @@
---
# ------------------------------------------
# -- Istio extenstion. Just because I'm
# -- not using ingress nginx
# ------------------------------------------
istio:
enabled: true
istio:
- name: argocd-http
gateway: istio-system/badhouseplants-net
kind: http
hostname: argo.badhouseplants.net
service: argocd-server
port: 80
controller:
resources:
limits:
@ -48,18 +34,35 @@ dex:
enabled: false
serviceMonitor:
enabled: false
redis:
metrics:
enabled: false
serviceMonitor:
enabled: false
global:
domain: argo.badhouseplants.net
server:
ingress:
enabled: true
annotations:
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
ingressClassName: traefik
tls: true
metrics:
enabled: true
serviceMonitor:
enabled: false
extraArgs:
- --insecure
servicePort:
servicePortHttp: 80
servicePortHttps: 80
repoServer:
metrics:
@ -71,6 +74,8 @@ repoServer:
- name: regcred
configs:
params:
server.insecure: true
rbac:
policy.default: role:readonly
scopes: "[email, group]"

126
badhouseplants/values/values.docker-mailserver.yaml
View File

@ -1,125 +1,67 @@
istio-gateway:
traefik:
enabled: true
gateways:
- name: badhouseplants-email
servers:
- hosts:
- "*"
port:
name: smtp
number: 25
protocol: TCP
- hosts:
- "*"
port:
name: pop3
number: 110
protocol: TCP
- hosts:
- "*"
port:
name: imap
number: 143
protocol: TCP
- hosts:
- "*"
port:
name: smtps
number: 465
protocol: TCP
- hosts:
- "*"
port:
name: submission
number: 587
protocol: TCP
- hosts:
- "*"
port:
name: imaps
number: 993
protocol: TCP
- hosts:
- "*"
port:
name: pop3s
number: 995
protocol: TCP
istio:
enabled: true
istio:
- name: docker-mailserver-smpt
kind: tcp
gateway: badhouseplants-email
tcpRoutes:
- name: docker-mailserver-smtp
service: docker-mailserver
hostname: badhouseplants.net
port_match: 25
match: HostSNI(`*`)
entrypoint: smtp
port: 25
- name: docker-mailserver-smpts
kind: tcp
gateway: badhouseplants-email
port_match: 465
hostname: badhouseplants.net
- name: docker-mailserver-smtps
match: HostSNI(`*`)
service: docker-mailserver
entrypoint: smtps
port: 465
- name: docker-mailserver-smpt-startls
kind: tcp
gateway: badhouseplants-email
hostname: badhouseplants.net
port_match: 587
match: HostSNI(`*`)
service: docker-mailserver
entrypoint: smtp-startls
port: 587
- name: docker-mailserver-imap
kind: tcp
hostname: badhouseplants.net
gateway: badhouseplants-email
port_match: 143
match: HostSNI(`*`)
service: docker-mailserver
entrypoint: imap
port: 143
- name: docker-mailserver-imaps
kind: tcp
gateway: badhouseplants-email
hostname: badhouseplants.net
port_match: 993
match: HostSNI(`*`)
service: docker-mailserver
entrypoint: imaps
port: 993
- name: docker-mailserver-pop3
kind: tcp
gateway: badhouseplants-email
port_match: 110
hostname: badhouseplants.net
match: HostSNI(`*`)
service: docker-mailserver
entrypoint: pop3
port: 110
- name: docker-mailserver-pop3s
kind: tcp
gateway: badhouseplants-email
port_match: 993
hostname: badhouseplants.net
match: HostSNI(`*`)
service: docker-mailserver
entrypoint: pop3s
port: 993
- name: docker-mailserver-rainloop
kind: http
gateway: istio-system/badhouseplants-net
hostname: mail.badhouseplants.net
service: docker-mailserver-rainloop
port: 80
rainloop:
enabled: true
ingress:
enabled: false
enabled: true
hosts:
- mail.badhouseplants.net
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
tls:
- secretName: mail-tls-secret
hosts:
- mail.badhouseplants.net
demoMode:
enabled: false
domains:
- badhouseplants.net
- mail.badhouseplants.net
ssl:
issuer:
name: badhouseplants-issuer
kind: ClusterIssuer
dnsname: badhouseplants.net
dns01provider: cloudflare
useExisting: false
useExisting: true
existingName: mail-tls-secret
pod:
dockermailserver:
enable_fail2ban: "0"

19
badhouseplants/values/values.funkwhale.yaml
View File

@ -30,6 +30,22 @@ celery:
requests:
cpu: 10m
memory: 75Mi
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
host: funkwhale.badhouseplants.net
protocol: http
tls:
- secretName: funkwhale-tls-secret
hosts:
- funkwhale.badhouseplants.net
extraEnv:
FUNKWHALE_HOSTNAME: funkwhale.badhouseplants.net
FUNKWHALE_PROTOCOL: https
@ -39,8 +55,7 @@ persistence:
size: 10Gi
s3:
enabled: false
ingress:
enabled: false
postgresql:
enabled: false
host: postgres16-postgresql.database-service.svc.cluster.local

58
badhouseplants/values/values.gitea.yaml
View File

@ -1,25 +1,5 @@
---
# ------------------------------------------
# -- Istio extenstion. Just because I'm
# -- not using ingress nginx
# ------------------------------------------
istio:
enabled: true
istio:
- name: gitea-http
kind: http
gateway: istio-system/badhouseplants-net
hostname: git.badhouseplants.net
service: gitea-http
port: 3000
- name: gitea-ssh
kind: tcp
gateway: istio-system/badhouseplants-ssh
hostname: "*"
port_match: 22
service: gitea-ssh
port: 22
# ------------------------------------------
# -- Database extension is used to manage
# -- database with db-operator
# ------------------------------------------
@ -27,9 +7,27 @@ ext-database:
enabled: true
name: gitea-postgres16
instance: postgres16
# ------------------------------------------
# -- Kubernetes related values
# ------------------------------------------
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
hosts:
- host: git.badhouseplants.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: gitea-tls-secret
hosts:
- git.badhouseplants.net
replicaCount: 1
clusterDomain: cluster.local
@ -47,8 +45,6 @@ persistence:
accessModes:
- ReadWriteOnce
ingress:
enabled: false
# ------------------------------------------
# -- Main Gitea settings
# ------------------------------------------
@ -125,3 +121,21 @@ postgresql-ha:
enabled: false
redis-cluster:
enabled: false
extraDeploy:
- |
{{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" }}
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: {{ include "gitea.fullname" . }}-ssh
spec:
entryPoints:
- git-ssh
routes:
- match: HostSNI(`git.badhouseplants.net`)
services:
- name: "{{ include "gitea.fullname" . }}-ssh"
port: 22
nativeLB: true
{{- end }}

3
badhouseplants/values/values.local-path-provisioner.yaml Normal file
View File

@ -0,0 +1,3 @@
storageClass:
create: true
defaultClass: false

124
badhouseplants/values/values.mailu.yaml
View File

@ -1,81 +1,64 @@
---
certificate:
# ------------------------------------------
# -- Database extension is used to manage
# -- database with db-operator
# ------------------------------------------
ext-database:
enabled: true
certificate:
- name: mailu
secretName: mailu-certificate
issuer:
kind: ClusterIssuer
name: badhouseplants-issuer
dnsNames:
- badhouseplants.net
- "email.badhouseplants.net"
name: mailu-postgres16
instance: postgres16
extraDatabase:
enabled: true
name: roundcube-postgres16
instance: postgres16
# ------------------------------------------
# -- Istio extenstion. Just because I'm
# -- not using ingress nginx
# ------------------------------------------
istio:
traefik:
enabled: true
istio:
- name: mailu-web
kind: http
gateway: istio-system/badhouseplants-net
hostname: email.badhouseplants.net
tcpRoutes:
- name: mailu-smtp
service: mailu-front
port: 80
- name: mailu-smpt
kind: tcp
gateway: badhouseplants-mail
service: mailu-front
hostname: email.badhousplants.net
port_match: 25
match: HostSNI(`*`)
entrypoint: smtp
port: 25
- name: mailu-smpts
kind: tcp
gateway: badhouseplants-mail
port_match: 465
hostname: email.badhousplants.net
- name: mailu-smtps
match: HostSNI(`*`)
service: mailu-front
entrypoint: smtps
port: 465
- name: mailu-smpt-startls
kind: tcp
gateway: badhouseplants-mail
hostname: email.badhousplants.net
port_match: 587
match: HostSNI(`*`)
service: mailu-front
entrypoint: smtp-startls
port: 587
- name: mailu-imap
kind: tcp
hostname: email.badhousplants.net
gateway: badhouseplants-mail
port_match: 143
match: HostSNI(`*`)
service: mailu-front
entrypoint: imap
port: 143
- name: mailu-imaps
kind: tcp
gateway: badhouseplants-mail
hostname: email.badhousplants.net
port_match: 993
match: HostSNI(`*`)
service: mailu-front
entrypoint: imaps
port: 993
- name: mailu-pop3
kind: tcp
gateway: badhouseplants-mail
port_match: 110
hostname: email.badhousplants.net
match: HostSNI(`*`)
service: mailu-front
entrypoint: pop3
port: 110
- name: mailu-pop3s
kind: tcp
gateway: badhouseplants-mail
port_match: 993
hostname: email.badhousplants.net
match: HostSNI(`*`)
service: mailu-front
entrypoint: pop3s
port: 993
subnet: 10.244.0.0/16
sessionCookieSecure: true
hostnames:
- post.badhouseplants.net
- badhouseplants.net
- email.badhouseplants.net
domain: badhouseplants.net
persistence:
single_pvc: false
@ -85,13 +68,17 @@ limits:
tls:
outboundLevel: secure
ingress:
enabled: false
tls: false
enabled: true
ingressClassName: traefik
tls: true
annotations:
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
tlsFlavorOverride: mail
selfSigned: false
existingSecret: mailu-certificate
realIpFrom: istio-ingressgateway.istio-system.svc.cluster.local
realIpHeader: "X-Envoy-External-Address"
realIpFrom: traefik.kube-system.svc.cluster.local
realIpHeader: "X-Real-IP"
front:
hostPort:
enabled: false
@ -150,16 +137,18 @@ roundcube:
mysql:
enabled: false
postgresql:
enabled: false
## If using the built-in MariaDB or PostgreSQL, the `roundcube` database will be created automatically.
externalDatabase:
## @param externalDatabase.enabled Set to true to use an external database
enabled: true
auth:
enablePostgresUser: true
username: mailu
database: mailu
persistence:
enabled: false
storageClass: ""
accessMode: ReadWriteOnce
size: 2Gi
type: postgresql
existingSecret: mailu-postgres16-creds
existingSecretDatabaseKey: POSTGRES_DB
existingSecretUsernameKey: POSTGRES_USER
existingSecretPasswordKey: POSTGRES_PASSWORD
host: postgres16-postgresql.database-service.svc.cluster.local
port: 5432
rspamd:
resources:
requests:
@ -181,3 +170,10 @@ webmail:
accessModes: [ReadWriteOnce]
claimNameOverride: ""
annotations: {}
global:
database:
roundcube:
database: applications-roundcube-postgres16
username: applications-roundcube-postgres16
existingSecret: roundcube-postgres16-creds
existingSecretPasswordKey: POSTGRES_PASSWORD

33
badhouseplants/values/values.minio.yaml
View File

@ -19,6 +19,39 @@ istio:
service: minio
port: 9000
ingress:
enabled: true
ingressClassName: ~
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
path: /
hosts:
- s3.badhouseplants.net
tls:
- secretName: s3-tls-secret
hosts:
- s3.badhouseplants.net
consoleIngress:
enabled: true
ingressClassName: ~
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
path: /
hosts:
- minio.badhouseplants.net
tls:
- secretName: minio-tls-secret
hosts:
- minio.badhouseplants.net
rootUser: 'overlord'
replicas: 1
mode: standalone

8
badhouseplants/values/values.namespaces.yaml
View File

@ -1,10 +1,6 @@
namespaces:
- name: longhorn-system
- name: cert-manager
- name: minio-service
- name: metallb-system
- name: reflector-system
- name: drone-service
- name: argo-system
- name: nrodionov-application
- name: minecraft-application
@ -15,18 +11,16 @@ namespaces:
https://ci.badhouseplants.net/repos/15
- name: gitea-service
- name: funkwhale-application
- name: monitoring-system
- name: bitwarden-application
- name: database-service
- name: mail-service
- name: istio-system
- name: vaultwarden-application
- name: woodpecker-ci
- name: openvpn-service
- name: tandoor-application
- name: badhouseplants-main
labels:
istio-injection: enabled
- name: badhouseplants-preview
- name: mailu-application
- name: kube-services
- name: applications

15
badhouseplants/values/values.nrodionov.yaml
View File

@ -17,7 +17,20 @@ ext-database:
enabled: true
name: nrodionov-mysql
instance: mysql
ingress:
enabled: true
pathType: ImplementationSpecific
hostname: dev.nrodionov.info
path: /
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
tls: true
tlsWwwPrefix: false
selfSigned: false
wordpressBlogName: Николай Николаевич Родионов
wordpressUsername: admin
wordpressFirstName: Nikolai

29
badhouseplants/values/values.openvpn-xor.yaml
View File

@ -3,17 +3,26 @@
# -- Istio extenstion. Just because I'm
# -- not using ingress nginx
# ------------------------------------------
istio:
enabled: true
istio:
- name: openvpn-tcp-xor
gateway: istio-system/badhouseplants-vpn
kind: tcp
port_match: 1194
hostname: "*"
service: openvpn-xor
port: 1194
# istio:
# enabled: true
# istio:
# - name: openvpn-tcp-xor
# gateway: istio-system/badhouseplants-vpn
# kind: tcp
# port_match: 1194
# hostname: "*"
# service: openvpn-xor
# port: 1194
# ------------------------------------------
traefik:
enabled: true
tcpRoutes:
- name: openvpn-xor
service: openvpn-xor
match: HostSNI(`*`)
entrypoint: openvpn
port: 1194
storage:
class: longhorn
size: 512Mi

78
badhouseplants/values/values.traefik.yaml Normal file
View File

@ -0,0 +1,78 @@
globalArguments:
- "--serversTransport.insecureSkipVerify=true"
service:
spec:
externalTrafficPolicy: Local
ports:
git-ssh:
port: 22
expose:
default: true
exposedPort: 22
protocol: TCP
openvpn:
port: 1194
expose:
default: true
exposedPort: 1194
protocol: TCP
valve-server:
port: 27015
expose:
default: true
exposedPort: 27015
protocol: UDP
valve-rcon:
port: 27015
expose:
default: true
exposedPort: 27015
protocol: TCP
smtp:
port: 25
protocol: TCP
exposedPort: 25
expose:
default: true
smtps:
port: 465
protocol: TCP
exposedPort: 465
expose:
default: true
smtp-startls:
port: 587
protocol: TCP
exposedPort: 587
expose:
default: true
imap:
port: 143
protocol: TCP
exposedPort: 143
expose:
default: true
imaps:
port: 993
protocol: TCP
exposedPort: 993
expose:
default: true
pop3:
port: 110
protocol: TCP
exposedPort: 110
expose:
default: true
pop3s:
port: 995
protocol: TCP
exposedPort: 995
expose:
default: true
minecraft:
port: 25565
protocol: TCP
exposedPort: 25565
expose:
default: true

17
badhouseplants/values/values.vaultwarden.yaml
View File

@ -61,3 +61,20 @@ vaultwarden:
enabled: false
logfile: "/data/vaultwarden.log"
loglevel: "warn"
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
hosts:
- host: vault.badhouseplants.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: vault-tls-secret
hosts:
- vault.badhouseplants.net

58
badhouseplants/values/values.vaultwardentest.yaml Normal file
View File

@ -0,0 +1,58 @@
service:
port: 8080
vaultwarden:
smtp:
host: mail.badhouseplants.net
security: "starttls"
port: 587
from: vaulttest@badhouseplants.net
fromName: Vault Warden
authMechanism: "Plain"
acceptInvalidHostnames: "false"
acceptInvalidCerts: "false"
debug: false
domain: https://vaulttest.badhouseplants.net
websocket:
enabled: true
address: "0.0.0.0"
port: 3012
rocket:
port: "8080"
workers: "10"
webVaultEnabled: "true"
signupsAllowed: false
invitationsAllowed: true
signupDomains: "https://vaulttest.badhouseplants.net"
signupsVerify: "true"
showPassHint: "false"
# database:
# existingSecret: vaultwarden-postgres16-creds
# existingSecretKey: CONNECTION_STRING
# connectionRetries: 15
# maxConnections: 10
storage:
enabled: false
# size: 1Gi
# class: longhorn
# dataDir: /data
logging:
enabled: false
logfile: "/data/vaultwarden.log"
loglevel: "warn"
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
hosts:
- host: vaulttest.badhouseplants.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: vault-tls-secret
hosts:
- vaulttest.badhouseplants.net

16
badhouseplants/values/values.woodpecker-ci.yaml
View File

@ -18,6 +18,22 @@ ext-database:
credentials:
WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
server:
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
hosts:
- host: ci.badhouseplants.net
paths:
- path: /
tls:
- secretName: woodpecker-tls-secret
hosts:
- ci.badhouseplants.net
#image:
# registry: git.badhouseplants.net
# repository: allanger/woodpecker-server

25
badhouseplants/values/values.zot.yaml
View File

@ -1,12 +1,21 @@
istio:
ingress:
enabled: true
istio:
- name: zot
kind: http
gateway: istio-system/badhouseplants-net
hostname: registry.badhouseplants.net
service: zot
port: 5000
className: ~
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
pathtype: ImplementationSpecific
hosts:
- host: registry.badhouseplants.net
paths:
- path: /
tls:
- secretName: zot-secret-tls
hosts:
- registry.badhouseplants.net
strategy:
type: Recreate
service:

25
common/values.database.yaml
View File

@ -23,3 +23,28 @@ ext-database:
secret: true
{{- end }}
{{- end }}
- |
{{- if (.Values.extraDatabase).enabled }}
---
apiVersion: kinda.rocks/v1beta1
kind: Database
metadata:
name: "{{ .Values.extraDatabase.name }}"
spec:
secretName: "{{ .Values.extraDatabase.name }}-creds"
instance: "{{ .Values.extraDatabase.instance }}"
deletionProtected: true
backup:
enable: false
cron: 0 0 * * *
{{- if .Values.extraDatabase.credentials }}
credentials:
templates:
{{- range $key, $value := .Values.extraDatabase.credentials }}
- name: {{ $key }}
template: {{ $value }}
secret: true
{{- end }}
{{- end }}
{{- end }}

20
common/values.tcp-route.yaml Normal file
View File

@ -0,0 +1,20 @@
---
traefik:
templates:
- |
{{ range .Values.tcpRoutes }}
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: {{ .name }}
spec:
entryPoints:
- {{ .entrypoint }}
routes:
- match: {{ .match }}
services:
- name: {{ .service }}
nativeLB: true
port: {{ .port }}
{{- end }}

13
common/values.tcproute.yaml Normal file
View File

@ -0,0 +1,13 @@
---
tcproute:
templates:
- |
---
{{ range .Values.routes }}
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: {{ printf "%s-%s" .Release.Name .name }}
spec:
{{ tpl (.routes | toYaml | indent 2 | toString) $ }}
{{ end }}

15
etersoft/helmfile.yaml
View File

@ -7,6 +7,21 @@ releases:
namespace: openvpn-service
createNamespace: false
- <<: *istio-base
installed: true
namespace: istio-system
createNamespace: false
- <<: *istio-gateway
installed: true
namespace: istio-system
createNamespace: false
- <<: *istiod
installed: true
namespace: istio-system
createNamespace: false
bases:
- ../environments.yaml
- ../repositories.yaml

4
etersoft/values/values.minio.yaml
View File

@ -95,6 +95,10 @@ buckets:
policy: none
purge: false
versioning: false
- name: velero-test
policy: none
purge: false
versioning: false
- name: restic
policy: none
purge: false

27
helmfile.yaml
View File

@ -11,24 +11,9 @@ releases:
namespace: kube-system
createNamespace: false
- <<: *istio-base
installed: true
namespace: istio-system
createNamespace: false
- <<: *istio-gateway
installed: true
namespace: istio-system
createNamespace: false
- <<: *istiod
installed: true
namespace: istio-system
createNamespace: false
- <<: *cert-manager
installed: true
namespace: cert-manager
namespace: kube-system
createNamespace: false
- <<: *minio
@ -38,17 +23,17 @@ releases:
- <<: *metallb
installed: true
namespace: metallb-system
createNamespace: true
namespace: kube-system
createNamespace: false
- <<: *reflector
installed: true
namespace: reflector-system
createNamespace: true
namespace: kube-system
createNamespace: false
- <<: *metallb-resources
installed: true
namespace: metallb-system
namespace: kube-system
createNamespace: false
helmfiles:

2
manifests/debug/istio/httpbin.yaml
View File

@ -31,7 +31,7 @@ metadata:
namespace: debug
spec:
rules:
- host: httpbin.rocks
- host: "httpbin.badhouseplants.net"
http:
paths:
- path: /

18
manifests/httpo1-cluster-issuer.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
labels:
app.kubernetes.io/instance: cluster-issuer
app.kubernetes.io/name: acme-cluster-issuer
name: badhouseplants-issuer-http01
spec:
acme:
email: allanger@zohomail.com
preferredChain: ""
privateKeySecretRef:
name: badhouseplants-issuer-htt01-account-key
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
ingressClassName: traefik

93
releases.yaml
View File

@ -1,4 +1,3 @@
---
templates:
# ---------------------------
# -- Hooks
@ -49,6 +48,14 @@ templates:
values:
- '{{ requiredEnv "PWD" }}/common/values.istio-gateway.yaml'
ext-tcp-routes:
dependencies:
- chart: bedag/raw
version: 2.0.0
alias: traefik
values:
- '{{ requiredEnv "PWD" }}/common/values.tcp-route.yaml'
ext-istio-resource:
dependencies:
- chart: bedag/raw
@ -56,6 +63,7 @@ templates:
alias: istio
values:
- '{{ requiredEnv "PWD" }}/common/values.istio.yaml'
ext-certificate:
dependencies:
- chart: bedag/raw
@ -137,25 +145,24 @@ templates:
cert-manager: &cert-manager
name: cert-manager
chart: jetstack/cert-manager
version: 1.14.5
version: 1.15.0
set:
- name: installCRDs
value: true
longhorn: &longhorn
name: longhorn
chart: longhorn/longhorn
version: 1.6.1
version: 1.6.2
inherit:
- template: default-env-values
argocd: &argocd
name: argocd
chart: argo/argo-cd
version: 6.9.3
version: 7.1.3
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
monitoring-common:
labels:
@ -170,7 +177,6 @@ templates:
- template: default-env-values
- template: default-env-secrets
- template: crd-management-hook
- template: ext-istio-resource
loki: &loki
name: loki
@ -231,10 +237,10 @@ templates:
openvpn-xor: &openvpn-xor
name: openvpn-xor
chart: allanger-gitea/openvpn-xor
version: 1.3.0
version: 1.2.0
inherit:
- template: default-env-values
- template: ext-istio-resource
- template: ext-tcp-routes
openvpn: &openvpn
name: openvpn
@ -242,7 +248,6 @@ templates:
version: 1.2.0
inherit:
- template: default-env-values
- template: ext-istio-resource
# ----------------------------
# -- Drone
# ----------------------------
@ -256,7 +261,6 @@ templates:
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
- template: drone-common
drone-runner-docker: &drone-runner-docker
@ -271,21 +275,19 @@ templates:
woodpecker-ci: &woodpecker-ci
name: woodpecker-ci
chart: woodpecker/woodpecker
version: 1.3.0
version: 1.4.0
inherit:
- template: ext-database
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
nrodionov: &nrodionov
name: nrodionov
chart: bitnami/wordpress
version: 22.2.11
version: 22.4.10
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
minio: &minio
name: minio
@ -294,16 +296,14 @@ templates:
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
gitea: &gitea
name: gitea
chart: gitea/gitea
version: 10.1.4
version: 10.2.0
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
- template: ext-database
funkwhale: &funkwhale
@ -313,7 +313,6 @@ templates:
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
- template: ext-database
bitwarden: &bitwarden
@ -323,12 +322,11 @@ templates:
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
redis: &redis
name: redis
chart: bitnami/redis
version: 19.3.3
version: 19.5.3
inherit:
- template: default-env-values
- template: default-env-secrets
@ -336,7 +334,7 @@ templates:
postgres16: &postgres16
name: postgres16
chart: bitnami/postgresql
version: 15.3.3
version: 15.5.5
inherit:
- template: default-env-values
- template: default-env-secrets
@ -357,7 +355,7 @@ templates:
mysql: &mysql
name: mysql
chart: bitnami/mysql
version: 10.2.4
version: 11.1.2
inherit:
- template: default-env-values
- template: default-env-secrets
@ -368,8 +366,7 @@ templates:
version: 2.3.1
inherit:
- template: default-env-values
- template: ext-istio-gateway
- template: ext-istio-resource
- template: ext-tcp-routes
vaultwarden: &vaultwarden
name: vaultwarden
@ -378,9 +375,16 @@ templates:
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
- template: ext-database
vaultwarden-test: &vaultwardentest
name: vaultwardentest
chart: allanger-gitea/vaultwarden
version: 1.2.0
inherit:
- template: default-env-values
- template: default-env-secrets
reflector: &reflector
name: reflector
chart: emberstack/reflector
@ -393,8 +397,9 @@ templates:
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
- template: ext-certificate
- template: ext-tcp-routes
- template: ext-database
tandoor: &tandoor
name: tandoor
@ -403,13 +408,12 @@ templates:
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
- template: ext-database
coredns: &coredns
name: coredns
chart: coredns/coredns
version: 1.29.0
version: 1.31.0
namespace: kube-system
inherit:
- template: default-env-values
@ -417,7 +421,7 @@ templates:
cilium: &cilium
name: cilium
chart: cilium/cilium
version: 1.15.5
version: 1.15.6
createNamespace: false
namespace: kube-system
inherit:
@ -426,23 +430,14 @@ templates:
zot: &zot
name: zot
chart: zot/zot
version: 0.1.54
createNamespace: false
namespace: kube-services
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
chartmuseum: &chartmuseum
name: chartmuseum
chart: chartmuseum/chartmuseum
version: 3.10.2
version: 0.1.56
createNamespace: false
namespace: kube-services
inherit:
- template: default-env-values
- template: default-env-secrets
- template: ext-istio-resource
keel: &keel
name: keel
chart: keel/keel
@ -450,4 +445,20 @@ templates:
createNamespace: false
namespace: kube-system
traefik: &traefik
name: traefik
chart: traefik/traefik
version: 28.2.0
createNamespace: false
namespace: kube-system
inherit:
- template: default-env-values
local-path-provisioner: &local-path-provisioner
name: local-path-provisioner
chart: local-path-provisioner/local-path-provisioner
createNamespace: false
namespace: kube-system
inherit:
- template: default-env-values

8
repositories.yaml
View File

@ -31,8 +31,8 @@ repositories:
url: https://constin.github.io/vaultwarden-helm/
- name: db-operator
url: https://db-operator.github.io/charts
- name: allanger-gitea
url: https://git.badhouseplants.net/api/packages/allanger/helm
# - name: allanger-gitea
# url: https://git.badhouseplants.net/api/packages/allanger/helm
- name: badhouseplants
url: https://badhouseplants.github.io/helm-charts/
- name: woodpecker
@ -59,3 +59,7 @@ repositories:
url: https://chartmuseum.github.io/charts
- name: keel
url: https://charts.keel.sh
- name: traefik
url: https://traefik.github.io/charts
- name: local-path-provisioner
url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=v0.0.26