diff --git a/badhouseplants/helmfile.yaml b/badhouseplants/helmfile.yaml index 25de42b..05f6226 100644 --- a/badhouseplants/helmfile.yaml +++ b/badhouseplants/helmfile.yaml @@ -10,20 +10,13 @@ releases: installed: true - <<: *cilium installed: true + + - <<: *local-path-provisioner + - <<: *zot installed: true - - <<: *chartmuseum - installed: false - <<: *keel - - <<: *drone - installed: true - namespace: drone-service - createNamespace: false - - - <<: *drone-runner-docker - installed: true - namespace: drone-service - createNamespace: false + - <<: *traefik - <<: *argocd installed: true @@ -45,21 +38,6 @@ releases: namespace: funkwhale-application createNamespace: false - - <<: *prometheus - installed: true - namespace: monitoring-system - createNamespace: true - - - <<: *loki - installed: false - namespace: monitoring-system - createNamespace: false - - - <<: *promtail - installed: true - namespace: monitoring-system - createNamespace: false - - <<: *bitwarden installed: false namespace: bitwarden-application @@ -95,16 +73,15 @@ releases: namespace: woodpecker-ci createNamespace: true - - - <<: *istio-gateway-resources - installed: true - namespace: istio-system - createNamespace: false - - <<: *vaultwarden createNamespace: true installed: true namespace: vaultwarden-application + + - <<: *vaultwardentest + createNamespace: false + installed: true + namespace: applications - <<: *openvpn-xor installed: true @@ -113,12 +90,7 @@ releases: - <<: *docker-mailserver installed: true - namespace: mail-service - createNamespace: true - - - <<: *tandoor - installed: false - namespace: tandoor-application + namespace: applications createNamespace: true - <<: *mailu diff --git a/badhouseplants/values/secrets.vaultwardentest.yaml b/badhouseplants/values/secrets.vaultwardentest.yaml new file mode 100644 index 0000000..39b3c9b --- /dev/null +++ b/badhouseplants/values/secrets.vaultwardentest.yaml 
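Review bot: `docker-mailserver` now lands in the `applications` namespace with `createNamespace: true`, while the same namespace is declared in values.namespaces.yaml in this commit and the new `vaultwardentest` entry uses `createNamespace: false`, so two places own that namespace. `createNamespace: false` on the docker-mailserver entry keeps namespace lifecycle (and whatever labels the namespaces chart attaches) in one place. The new `local-path-provisioner` and `traefik` entries carry no `installed:` key, unlike their siblings; `installed: true` keeps the list uniform and makes an intentional disable a one-line diff.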
@@ -0,0 +1,27 @@ +vaultwarden: + smtp: + username: ENC[AES256_GCM,data:9bEvyZkXadW7Hx2iW6ByPDdnuIFPkeoUjoOyoQ==,iv:Y5M/16L16AWXeaWyKCSsV/c/l9JXmNzx/IsLBmMJuGg=,tag:nFN1ZssjtqZOG8Gvka9f3A==,type:str] + password: + value: ENC[AES256_GCM,data:CF2VgDpxlwHmvCDJhx0GDLT/yyw=,iv:t8JwQFeK9Te2zVdg+gPdMlh1E5g0vMG+ApAGKbGZ4WI=,tag:7UJuxFqS/hUTVunv0CJcTw==,type:str] + adminToken: + value: ENC[AES256_GCM,data:lrb99F1zn7AWlAttShQGGyMz5Ds=,iv:nas5hzd/XMQWFA2pTaTDkqXReoToBulf6s7tZraxM3s=,tag:UH/AXIWKbZOmu/W8XyuWNw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhLzVRdW5ITFJmWHE5dkRr + R3pGbTh3UmFTTXR4VVVGRjlSUURudmxwM1hjCk16U3BKYkZTcmdwaFZtcTZNYk9C + M0ZBZk52bDBuNWZwa21SMU1mSnhmWEUKLS0tIGZVV01KQ3Z6OGltN1RFSks5MVJI + a2xWUGZpMmovY1Qya05nVXRZVUFDTFEKhF34OSdGZizs1/Rs9qvUOVtomQBvOFbS + hRsK3Orwig4HJdzj1UOZd8UMGwj6Mzhw+aKUJKL67igMwxbxVcaU1Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-06T15:15:43Z" + mac: ENC[AES256_GCM,data:9GsJoDWT1Onv6f8aUcwkbeTcpr0vF2MIgtJjKTbvvPHhzVeVev4FPFZ5R0YQXD1CmQycu/rnElktohgu9Xwum3j4hfs8Ga2qDqOk6heleBcptXDYwcBUAxg8QD5NNAkefsq5oJi+QsdD0nOeRjG6o5XYRccyoFiucTcpT9eASzw=,iv:7UJzUShRD+tzhIEeKygZlgaWHOYOS+L2Io69K0xW2MM=,tag:alOPQPbM6cex7kgQv8mqQQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/badhouseplants/values/values.argocd.yaml b/badhouseplants/values/values.argocd.yaml index 0acc84b..71cf854 100644 --- a/badhouseplants/values/values.argocd.yaml +++ b/badhouseplants/values/values.argocd.yaml 
@@ -1,18 +1,4 @@ --- -# ------------------------------------------ -# -- Istio extenstion. Just because I'm -# -- not using ingress nginx -# ------------------------------------------ -istio: - enabled: true - istio: - - name: argocd-http - gateway: istio-system/badhouseplants-net - kind: http - hostname: argo.badhouseplants.net - service: argocd-server - port: 80 - controller: resources: limits: @@ -48,18 +34,35 @@ dex: enabled: false serviceMonitor: enabled: false + redis: metrics: enabled: false serviceMonitor: enabled: false + +global: + domain: argo.badhouseplants.net + server: + ingress: + enabled: true + annotations: + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + ingressClassName: traefik + tls: true metrics: enabled: true serviceMonitor: enabled: false extraArgs: - --insecure + servicePort: + servicePortHttp: 80 + servicePortHttps: 80 repoServer: metrics: @@ -71,6 +74,8 @@ repoServer: - name: regcred configs: + params: + server.insecure: true rbac: policy.default: role:readonly scopes: "[email, group]" diff --git a/badhouseplants/values/values.docker-mailserver.yaml b/badhouseplants/values/values.docker-mailserver.yaml index 47d6a99..45b25ef 100644 --- a/badhouseplants/values/values.docker-mailserver.yaml +++ b/badhouseplants/values/values.docker-mailserver.yaml 
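Review bot: `kubernetes.io/ingress.allow-http: "false"` and `kubernetes.io/ingress.global-static-ip-name: ""` in the new `global.server.ingress.annotations` are GCE ingress-controller annotations that Traefik does not act on, so nothing in this block forces HTTPS — with `server.insecure: true` the plain-HTTP path is likely to stay reachable through Traefik's `web` entrypoint unless an entrypoint redirect or a `redirectscheme` middleware is configured elsewhere. The same annotation set is copied into values.docker-mailserver, values.funkwhale, values.gitea, values.mailu, values.minio, values.nrodionov, values.vaultwarden, values.vaultwardentest, values.woodpecker-ci and values.zot in this commit, so dropping the two inert annotations (or replacing them with a Traefik redirect) should be done once for all of them. Separately, `extraArgs: - --insecure` is now redundant with `configs.params.server.insecure: true` added in the last hunk; keeping only the `configs.params` form avoids the two drifting.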
@@ -1,125 +1,67 @@ -istio-gateway: +traefik: enabled: true - gateways: - - name: badhouseplants-email - servers: - - hosts: - - "*" - port: - name: smtp - number: 25 - protocol: TCP - - hosts: - - "*" - port: - name: pop3 - number: 110 - protocol: TCP - - hosts: - - "*" - port: - name: imap - number: 143 - protocol: TCP - - hosts: - - "*" - port: - name: smtps - number: 465 - protocol: TCP - - hosts: - - "*" - port: - name: submission - number: 587 - protocol: TCP - - hosts: - - "*" - port: - name: imaps - number: 993 - protocol: TCP - - hosts: - - "*" - port: - name: pop3s - number: 995 - protocol: TCP -istio: - enabled: true - istio: - - name: docker-mailserver-smpt - kind: tcp - gateway: badhouseplants-email + tcpRoutes: + - name: docker-mailserver-smtp service: docker-mailserver - hostname: badhouseplants.net - port_match: 25 + match: HostSNI(`*`) + entrypoint: smtp port: 25 - - name: docker-mailserver-smpts - kind: tcp - gateway: badhouseplants-email - port_match: 465 - hostname: badhouseplants.net + - name: docker-mailserver-smtps + match: HostSNI(`*`) service: docker-mailserver + entrypoint: smtps port: 465 - name: docker-mailserver-smpt-startls - kind: tcp - gateway: badhouseplants-email - hostname: badhouseplants.net - port_match: 587 + match: HostSNI(`*`) service: docker-mailserver + entrypoint: smtp-startls port: 587 - name: docker-mailserver-imap - kind: tcp - hostname: badhouseplants.net - gateway: badhouseplants-email - port_match: 143 + match: HostSNI(`*`) service: docker-mailserver + entrypoint: imap port: 143 - name: docker-mailserver-imaps - kind: tcp - gateway: badhouseplants-email - hostname: badhouseplants.net - port_match: 993 + match: HostSNI(`*`) service: docker-mailserver + entrypoint: imaps port: 993 - name: docker-mailserver-pop3 - kind: tcp - gateway: badhouseplants-email - port_match: 110 - hostname: badhouseplants.net + match: HostSNI(`*`) service: docker-mailserver + entrypoint: pop3 port: 110 - name: docker-mailserver-pop3s - kind: 
tcp - gateway: badhouseplants-email - port_match: 993 - hostname: badhouseplants.net + match: HostSNI(`*`) service: docker-mailserver + entrypoint: pop3s port: 993 - - name: docker-mailserver-rainloop - kind: http - gateway: istio-system/badhouseplants-net - hostname: mail.badhouseplants.net - service: docker-mailserver-rainloop - port: 80 rainloop: enabled: true ingress: - enabled: false + enabled: true + hosts: + - mail.badhouseplants.net + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + tls: + - secretName: mail-tls-secret + hosts: + - mail.badhouseplants.net + demoMode: enabled: false domains: - badhouseplants.net - mail.badhouseplants.net ssl: - issuer: - name: badhouseplants-issuer - kind: ClusterIssuer - dnsname: badhouseplants.net - dns01provider: cloudflare - useExisting: false + useExisting: true + existingName: mail-tls-secret pod: dockermailserver: enable_fail2ban: "0" diff --git a/badhouseplants/values/values.funkwhale.yaml b/badhouseplants/values/values.funkwhale.yaml index e5aeb81..16d0606 100644 --- a/badhouseplants/values/values.funkwhale.yaml +++ b/badhouseplants/values/values.funkwhale.yaml @@ -30,6 +30,22 @@ celery: requests: cpu: 10m memory: 75Mi +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + host: funkwhale.badhouseplants.net + protocol: http + + tls: + - secretName: funkwhale-tls-secret + hosts: + - funkwhale.badhouseplants.net + extraEnv: FUNKWHALE_HOSTNAME: funkwhale.badhouseplants.net FUNKWHALE_PROTOCOL: https 
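Review bot: The `docker-mailserver-pop3s` route binds entrypoint `pop3s` — exposed on 995 in values.traefik.yaml — to `port: 993`, the same backend port the `docker-mailserver-imaps` route uses, so POP3S clients would be handed to IMAPS unless the mail server deliberately serves POP3S on 993; `port: 995` looks intended. The `mailu-pop3s` route in values.mailu.yaml has the same 995→993 mismatch. The route name `docker-mailserver-smpt-startls` keeps the old `smpt` typo while its siblings were renamed to `smtp`; these names become `IngressRouteTCP` object names, so fixing it now avoids a rename later. The `ssl.useExisting`/`existingName: mail-tls-secret` change reuses the certificate issued for the rainloop ingress, which lists only `mail.badhouseplants.net`; if any client connects to `badhouseplants.net` on the mail ports, that name is no longer covered the way the removed `dnsname: badhouseplants.net` issuer config covered it.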
@@ -39,8 +55,7 @@ persistence: size: 10Gi s3: enabled: false -ingress: - enabled: false + postgresql: enabled: false host: postgres16-postgresql.database-service.svc.cluster.local diff --git a/badhouseplants/values/values.gitea.yaml b/badhouseplants/values/values.gitea.yaml index 4fb3a9d..607d4bd 100644 --- a/badhouseplants/values/values.gitea.yaml +++ b/badhouseplants/values/values.gitea.yaml @@ -1,25 +1,5 @@ --- # ------------------------------------------ -# -- Istio extenstion. Just because I'm -# -- not using ingress nginx -# ------------------------------------------ -istio: - enabled: true - istio: - - name: gitea-http - kind: http - gateway: istio-system/badhouseplants-net - hostname: git.badhouseplants.net - service: gitea-http - port: 3000 - - name: gitea-ssh - kind: tcp - gateway: istio-system/badhouseplants-ssh - hostname: "*" - port_match: 22 - service: gitea-ssh - port: 22 -# ------------------------------------------ # -- Database extension is used to manage # -- database with db-operator # ------------------------------------------ @@ -27,9 +7,27 @@ ext-database: enabled: true name: gitea-postgres16 instance: postgres16 + # ------------------------------------------ # -- Kubernetes related values # ------------------------------------------ +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + hosts: + - host: git.badhouseplants.net + paths: + - path: / + pathType: Prefix + tls: + - secretName: gitea-tls-secret + hosts: + - git.badhouseplants.net replicaCount: 1 clusterDomain: cluster.local @@ -47,8 +45,6 @@ persistence: accessModes: - ReadWriteOnce -ingress: - enabled: false # ------------------------------------------ # -- Main Gitea settings # ------------------------------------------ 
@@ -125,3 +121,21 @@ postgresql-ha: enabled: false redis-cluster: enabled: false + +extraDeploy: + - | + {{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" }} + apiVersion: traefik.io/v1alpha1 + kind: IngressRouteTCP + metadata: + name: {{ include "gitea.fullname" . }}-ssh + spec: + entryPoints: + - git-ssh + routes: + - match: HostSNI(`git.badhouseplants.net`) + services: + - name: "{{ include "gitea.fullname" . }}-ssh" + port: 22 + nativeLB: true + {{- end }} diff --git a/badhouseplants/values/values.local-path-provisioner.yaml b/badhouseplants/values/values.local-path-provisioner.yaml new file mode 100644 index 0000000..aa1d3e2 --- /dev/null +++ b/badhouseplants/values/values.local-path-provisioner.yaml @@ -0,0 +1,3 @@ +storageClass: + create: true + defaultClass: false diff --git a/badhouseplants/values/values.mailu.yaml b/badhouseplants/values/values.mailu.yaml index aba9e11..966fbac 100644 --- a/badhouseplants/values/values.mailu.yaml +++ b/badhouseplants/values/values.mailu.yaml 
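Review bot: `match:` is set to HostSNI(`git.badhouseplants.net`) on a route that carries SSH, which has no SNI; Traefik matches non-TLS TCP traffic only against the catch-all HostSNI(`*`), so this router would never match and the `git-ssh` entrypoint opened in values.traefik.yaml would have no route behind it. Since that entrypoint is dedicated to port 22, the catch-all is the working form: `- match: HostSNI(`*`)`. The `$.Capabilities.APIVersions.Has` guard is a good touch, but note it renders nothing at all when the Traefik CRDs are absent, so SSH would silently stay unreachable rather than fail at install time.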
@@ -1,81 +1,64 @@ --- -certificate: +# ------------------------------------------ +# -- Database extension is used to manage +# -- database with db-operator +# ------------------------------------------ +ext-database: enabled: true - certificate: - - name: mailu - secretName: mailu-certificate - issuer: - kind: ClusterIssuer - name: badhouseplants-issuer - dnsNames: - - badhouseplants.net - - "email.badhouseplants.net" + name: mailu-postgres16 + instance: postgres16 + extraDatabase: + enabled: true + name: roundcube-postgres16 + instance: postgres16 + # ------------------------------------------ # -- Istio extenstion. Just because I'm # -- not using ingress nginx # ------------------------------------------ -istio: +traefik: enabled: true - istio: - - name: mailu-web - kind: http - gateway: istio-system/badhouseplants-net - hostname: email.badhouseplants.net + tcpRoutes: + - name: mailu-smtp service: mailu-front - port: 80 - - name: mailu-smpt - kind: tcp - gateway: badhouseplants-mail - service: mailu-front - hostname: email.badhousplants.net - port_match: 25 + match: HostSNI(`*`) + entrypoint: smtp port: 25 - - name: mailu-smpts - kind: tcp - gateway: badhouseplants-mail - port_match: 465 - hostname: email.badhousplants.net + - name: mailu-smtps + match: HostSNI(`*`) service: mailu-front + entrypoint: smtps port: 465 - name: mailu-smpt-startls - kind: tcp - gateway: badhouseplants-mail - hostname: email.badhousplants.net - port_match: 587 + match: HostSNI(`*`) service: mailu-front + entrypoint: smtp-startls port: 587 - name: mailu-imap - kind: tcp - hostname: email.badhousplants.net - gateway: badhouseplants-mail - port_match: 143 + match: HostSNI(`*`) service: mailu-front + entrypoint: imap port: 143 - name: mailu-imaps - kind: tcp - gateway: badhouseplants-mail - hostname: email.badhousplants.net - port_match: 993 + match: HostSNI(`*`) service: mailu-front + entrypoint: imaps port: 993 - name: mailu-pop3 - kind: tcp - gateway: badhouseplants-mail - port_match: 
110 - hostname: email.badhousplants.net + match: HostSNI(`*`) service: mailu-front + entrypoint: pop3 port: 110 - name: mailu-pop3s - kind: tcp - gateway: badhouseplants-mail - port_match: 993 - hostname: email.badhousplants.net + match: HostSNI(`*`) service: mailu-front + entrypoint: pop3s port: 993 subnet: 10.244.0.0/16 sessionCookieSecure: true hostnames: - - post.badhouseplants.net + - badhouseplants.net + - email.badhouseplants.net domain: badhouseplants.net persistence: single_pvc: false @@ -85,13 +68,17 @@ limits: tls: outboundLevel: secure ingress: - enabled: false - tls: false + enabled: true + ingressClassName: traefik + tls: true + annotations: + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 tlsFlavorOverride: mail - selfSigned: false - existingSecret: mailu-certificate - realIpFrom: istio-ingressgateway.istio-system.svc.cluster.local - realIpHeader: "X-Envoy-External-Address" + realIpFrom: traefik.kube-system.svc.cluster.local + realIpHeader: "X-Real-IP" front: hostPort: enabled: false @@ -150,16 +137,18 @@ roundcube: mysql: enabled: false postgresql: + enabled: false +## If using the built-in MariaDB or PostgreSQL, the `roundcube` database will be created automatically. +externalDatabase: + ## @param externalDatabase.enabled Set to true to use an external database enabled: true - auth: - enablePostgresUser: true - username: mailu - database: mailu - persistence: - enabled: false - storageClass: "" - accessMode: ReadWriteOnce - size: 2Gi + type: postgresql + existingSecret: mailu-postgres16-creds + existingSecretDatabaseKey: POSTGRES_DB + existingSecretUsernameKey: POSTGRES_USER + existingSecretPasswordKey: POSTGRES_PASSWORD + host: postgres16-postgresql.database-service.svc.cluster.local + port: 5432 rspamd: resources: requests: 
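Review bot: `realIpFrom: traefik.kube-system.svc.cluster.local` names a Service, but the connections Mailu's front container sees originate from Traefik pod IPs — and with `nativeLB: true` in the shared IngressRouteTCP template they bypass the Service altogether — so whether `X-Real-IP` is honored depends on how the chart turns this value into nginx's `set_real_ip_from`, which takes addresses or CIDRs rather than hostnames. This is worth verifying after deploy: if the header is not trusted, every client appears to come from the proxy and Mailu's per-IP limits act on Traefik's address; if the value is resolved to something broad, any in-cluster pod can set the client address. A narrow CIDR covering the Traefik pods makes the trust boundary explicit. The tcpRoutes hunk above shares the pop3s port mismatch noted on values.docker-mailserver.yaml.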
@@ -181,3 +170,10 @@ webmail: accessModes: [ReadWriteOnce] claimNameOverride: "" annotations: {} +global: + database: + roundcube: + database: applications-roundcube-postgres16 + username: applications-roundcube-postgres16 + existingSecret: roundcube-postgres16-creds + existingSecretPasswordKey: POSTGRES_PASSWORD diff --git a/badhouseplants/values/values.minio.yaml b/badhouseplants/values/values.minio.yaml index ef99a67..19b39a0 100644 --- a/badhouseplants/values/values.minio.yaml +++ b/badhouseplants/values/values.minio.yaml @@ -19,6 +19,39 @@ istio: service: minio port: 9000 +ingress: + enabled: true + ingressClassName: ~ + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + path: / + hosts: + - s3.badhouseplants.net + tls: + - secretName: s3-tls-secret + hosts: + - s3.badhouseplants.net +consoleIngress: + enabled: true + ingressClassName: ~ + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + path: / + hosts: + - minio.badhouseplants.net + tls: + - secretName: minio-tls-secret + hosts: + - minio.badhouseplants.net + rootUser: 'overlord' replicas: 1 mode: standalone diff --git a/badhouseplants/values/values.namespaces.yaml b/badhouseplants/values/values.namespaces.yaml index b10de2e..7dd45d2 100644 --- a/badhouseplants/values/values.namespaces.yaml +++ b/badhouseplants/values/values.namespaces.yaml @@ -1,10 +1,6 @@ namespaces: - name: longhorn-system - - name: cert-manager - name: minio-service - - name: metallb-system - - name: reflector-system - - name: drone-service - name: argo-system - name: nrodionov-application - name: minecraft-application 
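Review bot: The `istio:` stanza shown as context above the new `ingress:` block in values.minio.yaml is now dead configuration — this commit drops `ext-istio-resource` from the minio template in releases.yaml, so nothing renders `.Values.istio` any more — and leaving it invites the next reader to think the S3 API is still published through the Istio gateway. Both new blocks set `ingressClassName: ~` and then select the class via the deprecated `kubernetes.io/ingress.class` annotation; `ingressClassName: traefik` is the networking/v1 form and matches what values.argocd.yaml and values.mailu.yaml use. Two public hostnames (`s3.` and `minio.`) with separate TLS secrets is consistent; dropping the `istio:` block and the annotation would leave only what is actually in effect.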
@@ -15,18 +11,16 @@ namespaces: https://ci.badhouseplants.net/repos/15 - name: gitea-service - name: funkwhale-application - - name: monitoring-system - name: bitwarden-application - name: database-service - name: mail-service - - name: istio-system - name: vaultwarden-application - name: woodpecker-ci - name: openvpn-service - - name: tandoor-application - name: badhouseplants-main labels: istio-injection: enabled - name: badhouseplants-preview - name: mailu-application - name: kube-services + - name: applications \ No newline at end of file diff --git a/badhouseplants/values/values.nrodionov.yaml b/badhouseplants/values/values.nrodionov.yaml index 14d1b8c..3582f47 100644 --- a/badhouseplants/values/values.nrodionov.yaml +++ b/badhouseplants/values/values.nrodionov.yaml @@ -17,7 +17,20 @@ ext-database: enabled: true name: nrodionov-mysql instance: mysql - +ingress: + enabled: true + pathType: ImplementationSpecific + hostname: dev.nrodionov.info + path: / + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + tls: true + tlsWwwPrefix: false + selfSigned: false wordpressBlogName: Николай Николаевич Родионов wordpressUsername: admin wordpressFirstName: Nikolai diff --git a/badhouseplants/values/values.openvpn-xor.yaml b/badhouseplants/values/values.openvpn-xor.yaml index 9b9171b..5827bde 100644 --- a/badhouseplants/values/values.openvpn-xor.yaml +++ b/badhouseplants/values/values.openvpn-xor.yaml 
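Review bot: The `istio-injection: enabled` label on `badhouseplants-main` survives while every Istio release is removed from the root helmfile in this commit, so on this cluster the label is now inert (Istio only remains in etersoft/helmfile.yaml); dropping it, or adding `# kept for …` above it, stops a reader from assuming sidecars are still injected there. The file also loses its trailing newline (`\ No newline at end of file` after the new `- name: applications` entry), which yamllint flags and which turns the next append into a noisier diff.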
@@ -3,17 +3,26 @@ # -- Istio extenstion. Just because I'm # -- not using ingress nginx # ------------------------------------------ -istio: - enabled: true - istio: - - name: openvpn-tcp-xor - gateway: istio-system/badhouseplants-vpn - kind: tcp - port_match: 1194 - hostname: "*" - service: openvpn-xor - port: 1194 +# istio: + # enabled: true + # istio: + # - name: openvpn-tcp-xor + # gateway: istio-system/badhouseplants-vpn + # kind: tcp + # port_match: 1194 + # hostname: "*" + # service: openvpn-xor + # port: 1194 # ------------------------------------------ +traefik: + enabled: true + tcpRoutes: + - name: openvpn-xor + service: openvpn-xor + match: HostSNI(`*`) + entrypoint: openvpn + port: 1194 + storage: class: longhorn size: 512Mi diff --git a/badhouseplants/values/values.traefik.yaml b/badhouseplants/values/values.traefik.yaml new file mode 100644 index 0000000..fb92321 --- /dev/null +++ b/badhouseplants/values/values.traefik.yaml 
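Review bot: The ten commented-out `# istio:` lines add nothing that git history does not already keep, and the banner above them still reads "Istio extenstion", so the file now documents a Traefik route under an Istio heading. Deleting the commented block and retitling the banner (`# -- Traefik TCP route for the OpenVPN port`) keeps the values file describing what it renders. The route itself is consistent with the `openvpn` entrypoint declared in values.traefik.yaml.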
@@ -0,0 +1,78 @@ +globalArguments: + - "--serversTransport.insecureSkipVerify=true" +service: + spec: + externalTrafficPolicy: Local +ports: + git-ssh: + port: 22 + expose: + default: true + exposedPort: 22 + protocol: TCP + openvpn: + port: 1194 + expose: + default: true + exposedPort: 1194 + protocol: TCP + valve-server: + port: 27015 + expose: + default: true + exposedPort: 27015 + protocol: UDP + valve-rcon: + port: 27015 + expose: + default: true + exposedPort: 27015 + protocol: TCP + smtp: + port: 25 + protocol: TCP + exposedPort: 25 + expose: + default: true + smtps: + port: 465 + protocol: TCP + exposedPort: 465 + expose: + default: true + smtp-startls: + port: 587 + protocol: TCP + exposedPort: 587 + expose: + default: true + imap: + port: 143 + protocol: TCP + exposedPort: 143 + expose: + default: true + imaps: + port: 993 + protocol: TCP + exposedPort: 993 + expose: + default: true + pop3: + port: 110 + protocol: TCP + exposedPort: 110 + expose: + default: true + pop3s: + port: 995 + protocol: TCP + exposedPort: 995 + expose: + default: true + minecraft: + port: 25565 + protocol: TCP + exposedPort: 25565 + expose: + default: true diff --git a/badhouseplants/values/values.vaultwarden.yaml b/badhouseplants/values/values.vaultwarden.yaml index b4afad8..8114432 100644 --- a/badhouseplants/values/values.vaultwarden.yaml +++ b/badhouseplants/values/values.vaultwarden.yaml @@ -61,3 +61,20 @@ vaultwarden: enabled: false logfile: "/data/vaultwarden.log" loglevel: "warn" +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + hosts: + - host: vault.badhouseplants.net + paths: + - path: / + pathType: Prefix + tls: + - secretName: vault-tls-secret + hosts: + - vault.badhouseplants.net 
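Review bot: `--serversTransport.insecureSkipVerify=true` in `globalArguments` disables certificate verification for every backend Traefik proxies to, so a misrouted or substituted upstream cannot be detected even for services that do present valid certificates. If only one or two backends need it, a per-service `ServersTransport` resource with `insecureSkipVerify: true`, referenced from that service's IngressRoute, keeps the default strict; if none of the routed services actually speak TLS to Traefik (every ingress in this commit terminates TLS at Traefik), the flag can be dropped entirely. The `valve-server`/`valve-rcon` pair both claiming 27015 on different protocols is valid, but `smtp-startls` carries a typo that is now referenced from three values files and will be awkward to rename later.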
diff --git a/badhouseplants/values/values.vaultwardentest.yaml b/badhouseplants/values/values.vaultwardentest.yaml new file mode 100644 index 0000000..da8b043 --- /dev/null +++ b/badhouseplants/values/values.vaultwardentest.yaml @@ -0,0 +1,58 @@ +service: + port: 8080 +vaultwarden: + smtp: + host: mail.badhouseplants.net + security: "starttls" + port: 587 + from: vaulttest@badhouseplants.net + fromName: Vault Warden + authMechanism: "Plain" + acceptInvalidHostnames: "false" + acceptInvalidCerts: "false" + debug: false + domain: https://vaulttest.badhouseplants.net + websocket: + enabled: true + address: "0.0.0.0" + port: 3012 + rocket: + port: "8080" + workers: "10" + webVaultEnabled: "true" + signupsAllowed: false + invitationsAllowed: true + signupDomains: "https://vaulttest.badhouseplants.net" + signupsVerify: "true" + showPassHint: "false" + # database: + # existingSecret: vaultwarden-postgres16-creds + # existingSecretKey: CONNECTION_STRING + # connectionRetries: 15 + # maxConnections: 10 + storage: + enabled: false + # size: 1Gi + # class: longhorn + # dataDir: /data + logging: + enabled: false + logfile: "/data/vaultwarden.log" + loglevel: "warn" +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + hosts: + - host: vaulttest.badhouseplants.net + paths: + - path: / + pathType: Prefix + tls: + - secretName: vault-tls-secret + hosts: + - vaulttest.badhouseplants.net diff --git a/badhouseplants/values/values.woodpecker-ci.yaml b/badhouseplants/values/values.woodpecker-ci.yaml index 202daca..62ced72 100644 --- a/badhouseplants/values/values.woodpecker-ci.yaml +++ b/badhouseplants/values/values.woodpecker-ci.yaml 
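Review bot: `tls: - secretName: vault-tls-secret` reuses the Secret name the production `vaultwarden` ingress uses in values.vaultwarden.yaml, for a different hostname; the two currently sit in different namespaces (`applications` vs `vaultwarden-application` per the helmfile), so they do not collide today, but if either moves, cert-manager would rewrite one certificate with the other's `dnsNames`. A per-release name such as `vaulttest-tls-secret` removes the trap. If `signupDomains` maps to Vaultwarden's `SIGNUPS_DOMAINS_WHITELIST`, that setting expects e-mail domains (e.g. `badhouseplants.net`), not a URL, so `"https://vaulttest.badhouseplants.net"` would match no address — harmless while `signupsAllowed: false`, but surprising to whoever relies on the whitelist later. With `storage.enabled: false` and the `# database:` block commented out, this instance appears to run without any persistent volume; if that is deliberate for a throwaway test, a one-line comment saying so would help.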
@@ -18,6 +18,22 @@ ext-database: credentials: WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable" server: + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + hosts: + - host: ci.badhouseplants.net + paths: + - path: / + tls: + - secretName: woodpecker-tls-secret + hosts: + - ci.badhouseplants.net #image: # registry: git.badhouseplants.net # repository: allanger/woodpecker-server diff --git a/badhouseplants/values/values.zot.yaml b/badhouseplants/values/values.zot.yaml index e7afd09..753b7ae 100644 --- a/badhouseplants/values/values.zot.yaml +++ b/badhouseplants/values/values.zot.yaml @@ -1,12 +1,21 @@ -istio: +ingress: enabled: true - istio: - - name: zot - kind: http - gateway: istio-system/badhouseplants-net - hostname: registry.badhouseplants.net - service: zot - port: 5000 + className: ~ + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + pathtype: ImplementationSpecific + hosts: + - host: registry.badhouseplants.net + paths: + - path: / + tls: + - secretName: zot-secret-tls + hosts: + - registry.badhouseplants.net strategy: type: Recreate service: diff --git a/common/values.database.yaml b/common/values.database.yaml index 6685015..eba45ae 100644 --- a/common/values.database.yaml +++ b/common/values.database.yaml 
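Review bot: The new `server.ingress.hosts[].paths` entry in values.woodpecker-ci.yaml gives `path: /` with no `pathType`; the networking.k8s.io/v1 Ingress API requires `pathType` on every path, so unless the chart's template supplies a default the rendered object is rejected at apply time. The gitea and vaultwarden values in this commit spell out `pathType: Prefix`, and values.zot.yaml sets a chart-level `pathtype: ImplementationSpecific`; adding `pathType: Prefix` under `path: /` here removes the dependency on chart defaults. values.zot.yaml's `className: ~` alongside the deprecated `kubernetes.io/ingress.class` annotation is the same pattern as values.minio.yaml; `className: traefik` is the current form if the chart forwards it to `ingressClassName`. The zot TLS secret is named `zot-secret-tls` while every other file uses the `<app>-tls-secret` pattern; consistency helps when grepping.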
@@ -23,3 +23,28 @@ ext-database: secret: true {{- end }} {{- end }} + + - | + {{- if (.Values.extraDatabase).enabled }} + --- + apiVersion: kinda.rocks/v1beta1 + kind: Database + metadata: + name: "{{ .Values.extraDatabase.name }}" + spec: + secretName: "{{ .Values.extraDatabase.name }}-creds" + instance: "{{ .Values.extraDatabase.instance }}" + deletionProtected: true + backup: + enable: false + cron: 0 0 * * * + {{- if .Values.extraDatabase.credentials }} + credentials: + templates: + {{- range $key, $value := .Values.extraDatabase.credentials }} + - name: {{ $key }} + template: {{ $value }} + secret: true + {{- end }} + {{- end }} + {{- end }} diff --git a/common/values.tcp-route.yaml b/common/values.tcp-route.yaml new file mode 100644 index 0000000..b995d25 --- /dev/null +++ b/common/values.tcp-route.yaml @@ -0,0 +1,20 @@ +--- +traefik: + templates: + - | + {{ range .Values.tcpRoutes }} + --- + apiVersion: traefik.io/v1alpha1 + kind: IngressRouteTCP + metadata: + name: {{ .name }} + spec: + entryPoints: + - {{ .entrypoint }} + routes: + - match: {{ .match }} + services: + - name: {{ .service }} + nativeLB: true + port: {{ .port }} + {{- end }} \ No newline at end of file diff --git a/common/values.tcproute.yaml b/common/values.tcproute.yaml new file mode 100644 index 0000000..05e0d89 --- /dev/null +++ b/common/values.tcproute.yaml @@ -0,0 +1,13 @@ +--- +tcproute: + templates: + - | + --- + {{ range .Values.routes }} + apiVersion: traefik.io/v1alpha1 + kind: IngressRouteTCP + metadata: + name: {{ printf "%s-%s" .Release.Name .name }} + spec: + {{ tpl (.routes | toYaml | indent 2 | toString) $ }} + {{ end }} diff --git a/etersoft/helmfile.yaml b/etersoft/helmfile.yaml index d861bbd..677999c 100644 --- a/etersoft/helmfile.yaml +++ b/etersoft/helmfile.yaml 
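Review bot: `common/values.tcproute.yaml` looks like an earlier draft of `common/values.tcp-route.yaml` committed alongside it: nothing in releases.yaml references a `tcproute` alias, the single `---` sits outside the `range`, so a second element would put two resources in one document, and inside `range .Values.routes` the dot is the list element, so `.Release.Name` and the nested `.routes` resolve against the element rather than the release (`$.Release.Name` is the in-range form). Unless it is meant to replace the other file, dropping it avoids two near-identical templates diverging. In values.tcp-route.yaml, `match: {{ .match }}` and `name: {{ .service }}` are emitted as plain scalars; `match: {{ .match | quote }}` protects against a value that starts with a YAML indicator. The `extraDatabase` block in values.database.yaml mirrors the primary block well, and the templates list it extends begins outside the hunk.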
@@ -7,6 +7,21 @@ releases: namespace: openvpn-service createNamespace: false + - <<: *istio-base + installed: true + namespace: istio-system + createNamespace: false + + - <<: *istio-gateway + installed: true + namespace: istio-system + createNamespace: false + + - <<: *istiod + installed: true + namespace: istio-system + createNamespace: false + bases: - ../environments.yaml - ../repositories.yaml diff --git a/etersoft/values/values.minio.yaml b/etersoft/values/values.minio.yaml index deefdb1..ba51cc3 100644 --- a/etersoft/values/values.minio.yaml +++ b/etersoft/values/values.minio.yaml @@ -95,6 +95,10 @@ buckets: policy: none purge: false versioning: false + - name: velero-test + policy: none + purge: false + versioning: false - name: restic policy: none purge: false diff --git a/helmfile.yaml b/helmfile.yaml index de9aa6b..735e9ba 100644 --- a/helmfile.yaml +++ b/helmfile.yaml @@ -11,24 +11,9 @@ releases: namespace: kube-system createNamespace: false - - <<: *istio-base - installed: true - namespace: istio-system - createNamespace: false - - - <<: *istio-gateway - installed: true - namespace: istio-system - createNamespace: false - - - <<: *istiod - installed: true - namespace: istio-system - createNamespace: false - - <<: *cert-manager installed: true - namespace: cert-manager + namespace: kube-system createNamespace: false - <<: *minio @@ -38,17 +23,17 @@ releases: - <<: *metallb installed: true - namespace: metallb-system - createNamespace: true + namespace: kube-system + createNamespace: false - <<: *reflector installed: true - namespace: reflector-system - createNamespace: true + namespace: kube-system + createNamespace: false - <<: *metallb-resources installed: true - namespace: metallb-system + namespace: kube-system createNamespace: false helmfiles: diff --git a/manifests/debug/istio/httpbin.yaml b/manifests/debug/istio/httpbin.yaml index f6d57f9..bc5f0b1 100644 --- a/manifests/debug/istio/httpbin.yaml +++ b/manifests/debug/istio/httpbin.yaml 
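Review bot: Moving `cert-manager`, `metallb`, `reflector` and `metallb-resources` into `kube-system` trades four dedicated namespaces for one shared with the control-plane add-ons, so any namespace-scoped guardrail (NetworkPolicy, ResourceQuota, RBAC bindings, Pod Security admission labels) now has to be written for kube-system as a whole; workable for a single-operator cluster, but a one-line comment on the hunk explaining the consolidation would help, since values.namespaces.yaml in the same commit also drops `cert-manager`, `metallb-system` and `reflector-system`. cert-manager keeps a ClusterIssuer's ACME account key Secret in the namespace the controller runs in, so the namespace move and the new `badhouseplants-issuer-http01` issuer should be applied together rather than separately. The etersoft additions are a straightforward copy of the removed Istio entries.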
@@ -31,7 +31,7 @@ metadata: namespace: debug spec: rules: - - host: httpbin.rocks + - host: "httpbin.badhouseplants.net" http: paths: - path: / diff --git a/manifests/httpo1-cluster-issuer.yaml b/manifests/httpo1-cluster-issuer.yaml new file mode 100644 index 0000000..547b892 --- /dev/null +++ b/manifests/httpo1-cluster-issuer.yaml @@ -0,0 +1,18 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + labels: + app.kubernetes.io/instance: cluster-issuer + app.kubernetes.io/name: acme-cluster-issuer + name: badhouseplants-issuer-http01 +spec: + acme: + email: allanger@zohomail.com + preferredChain: "" + privateKeySecretRef: + name: badhouseplants-issuer-htt01-account-key + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + - http01: + ingress: + ingressClassName: traefik diff --git a/releases.yaml b/releases.yaml index ac52cdf..c8797c2 100644 --- a/releases.yaml +++ b/releases.yaml @@ -1,4 +1,3 @@ ---- templates: # --------------------------- # -- Hooks @@ -49,6 +48,14 @@ templates: values: - '{{ requiredEnv "PWD" }}/common/values.istio-gateway.yaml' + ext-tcp-routes: + dependencies: + - chart: bedag/raw + version: 2.0.0 + alias: traefik + values: + - '{{ requiredEnv "PWD" }}/common/values.tcp-route.yaml' + ext-istio-resource: dependencies: - chart: bedag/raw @@ -56,6 +63,7 @@ templates: alias: istio values: - '{{ requiredEnv "PWD" }}/common/values.istio.yaml' + ext-certificate: dependencies: - chart: bedag/raw @@ -137,25 +145,24 @@ templates: cert-manager: &cert-manager name: cert-manager chart: jetstack/cert-manager - version: 1.14.5 + version: 1.15.0 set: - name: installCRDs value: true longhorn: &longhorn name: longhorn chart: longhorn/longhorn - version: 1.6.1 + version: 1.6.2 inherit: - template: default-env-values argocd: &argocd name: argocd chart: argo/argo-cd - version: 6.9.3 + version: 7.1.3 inherit: - template: default-env-values - template: default-env-secrets - - template: ext-istio-resource monitoring-common: labels: 
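Review bot: The new ClusterIssuer's `privateKeySecretRef.name: badhouseplants-issuer-htt01-account-key` drops the `p` from `http01`, and the file name `httpo1-cluster-issuer.yaml` transposes it again; both work, but the account-key Secret name is what gets searched for during an ACME incident, so `badhouseplants-issuer-http01-account-key` is worth fixing before the Secret is created. `preferredChain: ""` is a no-op that can be dropped, and the `email:` contact is expected in VCS. In the releases.yaml hunk further down, `ext-tcp-routes` aliases the raw chart as `traefik`, which is also the anchor name of the Traefik release itself — unrelated at the Helm level, but a comment there would stop anyone assuming the dependency installs Traefik.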
@@ -170,7 +177,6 @@ templates: - template: default-env-values - template: default-env-secrets - template: crd-management-hook - - template: ext-istio-resource loki: &loki name: loki @@ -231,10 +237,10 @@ templates: openvpn-xor: &openvpn-xor name: openvpn-xor chart: allanger-gitea/openvpn-xor - version: 1.3.0 + version: 1.2.0 inherit: - template: default-env-values - - template: ext-istio-resource + - template: ext-tcp-routes openvpn: &openvpn name: openvpn @@ -242,7 +248,6 @@ templates: version: 1.2.0 inherit: - template: default-env-values - - template: ext-istio-resource # ---------------------------- # -- Drone # ---------------------------- @@ -256,7 +261,6 @@ templates: inherit: - template: default-env-values - template: default-env-secrets - - template: ext-istio-resource - template: drone-common drone-runner-docker: &drone-runner-docker @@ -271,21 +275,19 @@ templates: woodpecker-ci: &woodpecker-ci name: woodpecker-ci chart: woodpecker/woodpecker - version: 1.3.0 + version: 1.4.0 inherit: - template: ext-database - template: default-env-values - template: default-env-secrets - - template: ext-istio-resource nrodionov: &nrodionov name: nrodionov chart: bitnami/wordpress - version: 22.2.11 + version: 22.4.10 inherit: - template: default-env-values - template: default-env-secrets - - template: ext-istio-resource minio: &minio name: minio @@ -294,16 +296,14 @@ templates: inherit: - template: default-env-values - template: default-env-secrets - - template: ext-istio-resource gitea: &gitea name: gitea chart: gitea/gitea - version: 10.1.4 + version: 10.2.0 inherit: - template: default-env-values - template: default-env-secrets - - template: ext-istio-resource - template: ext-database funkwhale: &funkwhale @@ -313,7 +313,6 @@ templates: inherit: - template: default-env-values - template: default-env-secrets - - template: ext-istio-resource - template: ext-database bitwarden: &bitwarden 
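Review bot: `openvpn-xor` moves from `version: 1.3.0` to `1.2.0`, the only downgrade among a set of bumps, and nothing in the hunk or the commit says why; a comment such as `# pinned to 1.2.0: <reason>` next to the version stops someone "fixing" it back during the next upgrade sweep. The chart is pulled from `allanger-gitea`, which repositories.yaml comments out later in this same commit — see the note there. The remaining hunks on this line only remove `ext-istio-resource` inheritance, which is consistent with the per-release `istio:` blocks being deleted.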
@@ -323,12 +322,11 @@ templates: inherit: - template: default-env-values - template: default-env-secrets - - template: ext-istio-resource redis: &redis name: redis chart: bitnami/redis - version: 19.3.3 + version: 19.5.3 inherit: - template: default-env-values - template: default-env-secrets @@ -336,7 +334,7 @@ templates: postgres16: &postgres16 name: postgres16 chart: bitnami/postgresql - version: 15.3.3 + version: 15.5.5 inherit: - template: default-env-values - template: default-env-secrets @@ -357,7 +355,7 @@ templates: mysql: &mysql name: mysql chart: bitnami/mysql - version: 10.2.4 + version: 11.1.2 inherit: - template: default-env-values - template: default-env-secrets @@ -368,8 +366,7 @@ templates: version: 2.3.1 inherit: - template: default-env-values - - template: ext-istio-gateway - - template: ext-istio-resource + - template: ext-tcp-routes vaultwarden: &vaultwarden name: vaultwarden @@ -378,9 +375,16 @@ templates: inherit: - template: default-env-values - template: default-env-secrets - - template: ext-istio-resource - template: ext-database + vaultwarden-test: &vaultwardentest + name: vaultwardentest + chart: allanger-gitea/vaultwarden + version: 1.2.0 + inherit: + - template: default-env-values + - template: default-env-secrets + reflector: &reflector name: reflector chart: emberstack/reflector @@ -393,8 +397,9 @@ templates: inherit: - template: default-env-values - template: default-env-secrets - - template: ext-istio-resource - template: ext-certificate + - template: ext-tcp-routes + - template: ext-database tandoor: &tandoor name: tandoor @@ -403,13 +408,12 @@ templates: inherit: - template: default-env-values - template: default-env-secrets - - template: ext-istio-resource - template: ext-database coredns: &coredns name: coredns chart: coredns/coredns - version: 1.29.0 + version: 1.31.0 namespace: kube-system inherit: - template: default-env-values 
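Review bot: The new `vaultwarden-test` template breaks the key/anchor/name convention the rest of the file follows (`vaultwarden: &vaultwarden` → `name: vaultwarden`): the mapping key is `vaultwarden-test` but the anchor and release name are `vaultwardentest`, which makes it hard to grep for. More importantly, `chart: allanger-gitea/vaultwarden` depends on the `allanger-gitea` repository that this commit comments out in repositories.yaml, so the release will not resolve unless that repository is defined elsewhere. Because this is a second instance of a password-manager server with its own credentials (it inherits `default-env-secrets`) and, unlike `vaultwarden`, no `ext-database`, it deserves a comment above the template stating its purpose, who is meant to reach it, and when it is to be removed, so a test instance does not quietly become a permanent one.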
@@ -417,7 +421,7 @@ templates: cilium: &cilium name: cilium chart: cilium/cilium - version: 1.15.5 + version: 1.15.6 createNamespace: false namespace: kube-system inherit: @@ -426,23 +430,14 @@ templates: zot: &zot name: zot chart: zot/zot - version: 0.1.54 - createNamespace: false - namespace: kube-services - inherit: - - template: default-env-values - - template: default-env-secrets - - template: ext-istio-resource - chartmuseum: &chartmuseum - name: chartmuseum - chart: chartmuseum/chartmuseum - version: 3.10.2 + version: 0.1.56 createNamespace: false namespace: kube-services inherit: - template: default-env-values - template: default-env-secrets - template: ext-istio-resource + keel: &keel name: keel chart: keel/keel @@ -450,4 +445,20 @@ templates: createNamespace: false namespace: kube-system - + traefik: &traefik + name: traefik + chart: traefik/traefik + version: 28.2.0 + createNamespace: false + namespace: kube-system + inherit: + - template: default-env-values + + local-path-provisioner: &local-path-provisioner + name: local-path-provisioner + chart: local-path-provisioner/local-path-provisioner + createNamespace: false + namespace: kube-system + inherit: + - template: default-env-values + diff --git a/repositories.yaml b/repositories.yaml index 2900540..5ffcf86 100644 --- a/repositories.yaml +++ b/repositories.yaml @@ -31,8 +31,8 @@ repositories: url: https://constin.github.io/vaultwarden-helm/ - name: db-operator url: https://db-operator.github.io/charts - - name: allanger-gitea - url: https://git.badhouseplants.net/api/packages/allanger/helm + # - name: allanger-gitea + # url: https://git.badhouseplants.net/api/packages/allanger/helm - name: badhouseplants url: https://badhouseplants.github.io/helm-charts/ - name: woodpecker 
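Review bot: `zot` is now the only template on this page that still inherits `ext-istio-resource`; every other release drops it, and the ones that need raw TCP routing move to `ext-tcp-routes`. If the Istio gateway is being retired, as the wholesale removal suggests, the registry keeps rendering an Istio resource for a gateway that no longer exists and gets no Traefik route, so it either loses its external endpoint or carries dead config. Either swap the line for the Traefik equivalent in this hunk or mark it deliberately with `# TODO: still on Istio, migrate to traefik` so it is not mistaken for an oversight.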
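Review bot: Commenting out the `allanger-gitea` repository leaves dangling chart references in releases.yaml: `openvpn-xor` (`allanger-gitea/openvpn-xor`) and the new `vaultwardentest` (`allanger-gitea/vaultwarden`) still name it. Unless that repository is declared in another file helmfile loads, chart resolution fails for both. If the intent is to phase the Gitea registry out, keep the entry for now with a comment such as `# kept until openvpn-xor and vaultwardentest are moved off this registry`, or update those two `chart:` fields in the same commit.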
@@ -59,3 +59,7 @@ repositories:
 url: https://chartmuseum.github.io/charts
 - name: keel
 url: https://charts.keel.sh
+ - name: traefik
+ url: https://traefik.github.io/charts
+ - name: local-path-provisioner
+ url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=v0.0.26
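Review bot: `local-path-provisioner` is fetched directly from GitHub with `?ref=v0.0.26`, a tag, and tags are mutable; unlike the registry charts that are pinned with `version:` in releases.yaml (the matching template there has no `version:` field, so this URL is the only pin) there is no immutable reference. helm-git accepts a commit SHA in `ref=`, so pinning to the commit that `v0.0.26` points at — keeping the tag in a trailing comment for readability — gives the same result with supply-chain integrity. A `# version pinned via ref= here, not in releases.yaml` comment would also make clear where future bumps belong.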