Some changes for ARM

Prepare the arm cluster
2023-11-05 16:16:24 +01:00 · 2023-10-18 16:51:42 +02:00
33 changed files with 337 additions and 480 deletions
--- a/.woodpecker/.cdh.yml
+++ b/.woodpecker/.cdh.yml
@ -1,34 +0,0 @@
 # ----------------------------------------------
 # -- Check da helm pipeline
 # ----------------------------------------------
 when:
  - event: cron
    cron: nightly
 steps:
  check badhouseplants:
    image: ghcr.io/allanger/check-da-helm-helmfile-secrets:stable
    secrets:
      - sops_age_key
    environment:
      RUST_LOG: info
    commands:
      - cdh --kind helmfile -p $CI_WORKSPACE/helmfile.yaml --helmfile-environment badhouseplants -o --output html >> result.html
  notification:
    image: deblan/woodpecker-email
    settings:
      from: woody@badhouseplants.net
      host: badhouseplants.net
      skip_verify: true
      no_starttls: false
      username:
        from_secret: smtp_username
      password:
        from_secret: smtp_password
      recipients:
        - allanger@badhouseplants.net
      subject: CDH result
      target: main
      recipients_only: true
      attachment: result.html
    when:
      - status: [success, failure]
--- a/.woodpecker/.helmfile.yml
+++ b/.woodpecker/.helmfile.yml
@ -1,29 +0,0 @@
 when:
  event: push
 matrix:
  ENVIRONMENT:
    - badhouseplants
    - etersoft
 steps:
  diff:
    image: ghcr.io/helmfile/helmfile:canary
    secrets: [sops_age_key, kubeconfig_content]
    when:
      - branch:
          exclude:
            - main
    commands:
      - mkdir $HOME/.kube
      - echo "$KUBECONFIG_CONTENT" > $HOME/.kube/config && chmod 0600 $HOME/.kube/config
    - helmfile -e $ENVIRONMENT diff --suppress-secrets
  apply:
    image: ghcr.io/helmfile/helmfile:canary
    secrets: [sops_age_key, kubeconfig_content]
    when:
      - branch:
          include:
            - main
    commands:
      - mkdir $HOME/.kube
      - echo "$KUBECONFIG_CONTENT" > $HOME/.kube/config && chmod 0600 $HOME/.kube/config
      - helmfile -e $ENVIRONMENT apply
--- a/1
+++ b/1
@ -2,3 +2,4 @@ create_crb:
 	kubectl create clusterrolebinding drone-deployer-workaround \
 		--clusterrole=cluster-admin  \
  	--serviceaccount=drone-service:default
--- a/badhouseplants/helmfile.yaml
+++ b/badhouseplants/helmfile.yaml
@ -5,42 +5,42 @@ releases:
  - <<: *drone
    installed: true
    namespace: drone-service
-    createNamespace: false
+    createNamespace: true
  - <<: *drone-runner-docker
    installed: true
    namespace: drone-service
-    createNamespace: false
+    createNamespace: true
  - <<: *longhorn
-    installed: true
+    installed: false
    namespace: longhorn-system
-    createNamespace: false
+    createNamespace: true
  - <<: *argocd
    installed: true
    namespace: argo-system
-    createNamespace: false
+    createNamespace: true
  - <<: *nrodionov
    installed: true
    namespace: nrodionov-application
-    createNamespace: false
+    createNamespace: true
  - <<: *minecraft
    installed: true
    namespace: minecraft-application
-    createNamespace: false
+    createNamespace: true
  - <<: *gitea
    installed: true
    namespace: gitea-service
-    createNamespace: false
+    createNamespace: true
  - <<: *funkwhale
    installed: true
    namespace: funkwhale-application
-    createNamespace: false
+    createNamespace: true
  - <<: *prometheus
    installed: true
@ -48,17 +48,17 @@ releases:
    createNamespace: true
  - <<: *loki
-    installed: true
+    installed: false
    namespace: monitoring-system
-    createNamespace: false
+    createNamespace: true
  - <<: *promtail
-    installed: true
+    installed: false
    namespace: monitoring-system
-    createNamespace: false
+    createNamespace: true
  - <<: *bitwarden
-    installed: false
+    installed: true
    namespace: bitwarden-application
    createNamespace: true
@ -83,7 +83,7 @@ releases:
    createNamespace: true
  - <<: *mysql
-    installed: false
+    installed: true
    namespace: database-service
    createNamespace: true
@ -92,20 +92,6 @@ releases:
    namespace: mail-service
    createNamespace: true
  - <<: *istio-gateway-resources
    installed: true
    namespace: istio-system
    createNamespace: false
  - <<: *vaultwarden
    createNamespace: true
    installed: true
    namespace: vaultwarden-application
  - <<: *woodpecker-ci
    installed: true
    namespace: woodpecker-ci
    createNamespace: true
 bases:
  - ../environments.yaml
--- a/badhouseplants/values/secrets.vaultwarden.yaml
+++ b/badhouseplants/values/secrets.vaultwarden.yaml
@ -1,27 +0,0 @@
 vaultwarden:
    smtp:
        username: ENC[AES256_GCM,data:6kAu3et5PmRgZ7B/qQQKA/hwsubozpBEcuzA,iv:cqNO3VWKFRWqBRAFTf2AyMQskuZvcDghseT2PWEsCjA=,tag:nkzugvJTJ/KhLuldXxdBrg==,type:str]
        password:
            value: ENC[AES256_GCM,data:9PJzeGeXiNN50GrWMxU1ho9+jHs=,iv:wOrU8g/xBBKFRYvDB1G/I+VG3lpvFdMirgJmP01PbhQ=,tag:dlDq9S+SQmlb4SZIGYhrlQ==,type:str]
    adminToken:
        value: ENC[AES256_GCM,data:PT62LcyiNqW1NVeuZ5+HTj8fzwSwuD1av/Z8S2GnR6j62+F8/aibhW/ATFG92chw++w=,iv:LnaRBem4dsggV4u4IlNjlWY301ajAHot2D259Y383m0=,tag:f24QDtGrtNJFA95Qo6Umqg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDL0RuQitFb0dPajRpSHRo
            WnhUa3BOazVHSTE5STRNMGQ2eWUxaXhvNEJVCmtpMjE2Q3hyQzhDSTBObUgwQXV3
            dmhvYmUvL05QUGd6Umx5QjRhMVFmcHMKLS0tIEtkTDc1ZVcxOWRqRzlzdTM1WG5a
            U25tMkxQS1gzcyt6R2NkZnVLRVVoOWMKZSaIZxzTlYim2kmiHrQcgRu9XmWelRkT
            HZZmSa0L9yEdksUCK3+iqjCZhQBYc/6qJHRYvuAaJ+/hs5RxuLUr8g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-10-20T07:01:25Z"
    mac: ENC[AES256_GCM,data:Oa6UiHJR5U8Tquo/FmKM2LNR1l7Tdc95T55sl8IbC80ywC5hmJcpOdYXSeVzAdEtr2EauEH74FAwyFtjeFHpneRjkl8Hx0Vann3qBMJ1laxYEQhKESqeyJTcMv15Hu61aUQ+OhW9hP9xkcRCNmkXHa0KeoCXy1aloTWc3u7Ls8E=,iv:SsywMpg5KQvfsFbIRiZkEadtQ7Ce2AqjM9+zeaG/ZaM=,tag:X426dGhxmeMqDJnRs4Qhww==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/badhouseplants/values/secrets.woodpecker-agent.yaml
+++ b/badhouseplants/values/secrets.woodpecker-agent.yaml
@ -1,23 +0,0 @@
 env:
    WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:cJoxJw6c6FYZ337i5P6dGUzLmgUn9Z+/Ed9aUK76WYnB8m0D9h5IlAlOfCQ=,iv:1BgxKsaI3dhhPNkZbpHKBn6GXadn1RD+3Q4RwKLfmcU=,tag:y8qLWwpVAwKrOWN1cC2ulw==,type:str]
    WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:VdWASwxPurzmfSjb2h8wBw3XbZSfG9UG0jmXSbTBPreZ+l7UQblI/wqr8Tw=,iv:APNuiqimA/ofCWsvywj+SJedQBMgRoCd65Gd3Ps2/fw=,tag:ATLGT4ACZ2GR46qD9ABUng==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRFNvdnBsSHFBcjlGcGl1
            RnU1NEpZekpucTNCZHBGcXdBakhkU1drb2dZClVYZ2xMVUJiOXV2enlBbm1TS2Mz
            ZnZ0UHpsVHVUU2ZkSGtwUXNMM0R6VjQKLS0tIFR4NEdTTGRIY3QycTFhRzJNSEY0
            SEs0Z3VjaTN2Y3Z0QmtEUEdQdmtwYnMKxQ3z1p2GulSOklUEolWeH20JeFwNpZqY
            870x5UtCJNVTMrIDgwMQK3hn+yywxPdgSRhkW3bqH4PJDxi78UUpXw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-10-05T08:06:51Z"
    mac: ENC[AES256_GCM,data:pc4n/3MEP0GhmZ+wdbOiK2gj7ah/9IJ2hoXRtM1sAGy3UPNBrF5VE7hxnAi393YpWBank7crDTvg2aJjhVt7XqB8zcjiHtNMlcpxL6fJ+uWxeH4uVj/NBfSvoO410oYbtPuKMjZpPU7KACmTJ9tzVIZdZOScXx7fLQxNUq01Hu8=,iv:18MqueG9MHrTcXmu14Q8LPnMFT9lolDkCbXjjA2P1qg=,tag:6ETPd8vZ0CCGEUP5u8ZxNA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.0
--- a/badhouseplants/values/secrets.woodpecker-ci.yaml
+++ b/badhouseplants/values/secrets.woodpecker-ci.yaml
@ -1,27 +0,0 @@
 server:
    env:
        WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:mGYEvlIeQC3mg+kxy3ZX6gAVf88DXLVdeSdgpQa8wixsb2rDoj4+l2ET2saquK+lVhjvv8ZKdvg=,iv:VlPgDYPj1xpxnpWnEHj+slBi0H2nWKeScclPItUaG9A=,tag:ox/Ur5vsOARXRT3g0hCgsg==,type:str]
        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:WXwsmLmb37clb5xgv+2DeKfhk7cwaIJpaCW8/Kq/CmgfwCmrarPDDQGXZoLwOjGj3mh/ciDj7V5WgHfyxuIDhA==,iv:NhGlPyPrTrTbz1DjOZEieWAfOQHqSqhdLiqMspex1j0=,tag:vOfo+XiCUW6MhtJemkZPMA==,type:str]
 agent:
    env:
        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:4lTZ16jbrorU4B9gTAoWmgiGggrMWD7K5O/5R47OIDMdRInwXtaWviofFD8WJQMduiGvANxMVNs0J1DLvFKi9Q==,iv:Y0AsW63vdVEwKvpVYeMVLFmwYlsQSwnz602QjDgj/ZQ=,tag:aO9xh3psy/bRCCQEFUp75A==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlQjZqNE9iMDl6MlhnSUp5
            QTBSOG83WFBqZFZIU2dEMzlpengrUFg4alZFCld4MkI4WW8xMUZnMm1SU2hmMCtn
            bTZSVTIxTk5aZmo3OEJJdlJwL2xhV3MKLS0tIGJraERVZTNyMWFCVE1TbEhRR3J4
            WXh3NGd4UG9OODhHNEp0cDVoQkM5dWMKcz4h0O4J2WlB+L9+/U8Rl+zzd87hsJo8
            ThPZgnUNDGpdRrU2IYiXo03fZOhBoqBJe1ZG+Ol8z9bvTeyeMZxRIg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-11-18T17:43:53Z"
    mac: ENC[AES256_GCM,data:u8iu+Ia1u5c5AkdyKbGT//G/Zp+yDNv3TQIElSBA6qCTBu0lKAii3ywXrqdpQ1kYtytjazcwkOa7vKmVy1UoCNda+8wGGHfhfOIQlll+TKBNvgUO73lF5P7X5q6CcgFMvTazXKElESEC3G04uVLEOdG1W6d0ArVRnh8gFOY6Jgg=,iv:VT0pFoOcLPK14I1doJi+52wtCfUuqh2nxdSVu0ufVOY=,tag:SwAOYLxOYaouteqXdgP2Hg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/badhouseplants/values/values.db-instances.yaml
+++ b/badhouseplants/values/values.db-instances.yaml
@ -18,7 +18,7 @@ dbinstances:
      Namespace: database-service
    engine: postgres
    generic:
-      host: postgres16-postgresql.database-service.svc.cluster.local
+      host: postgres16-postgresql
      port: 5432
  mysql:
    monitoring:
--- a/badhouseplants/values/values.gitea.yaml
+++ b/badhouseplants/values/values.gitea.yaml
@ -43,7 +43,7 @@ resources:
 persistence:
  enabled: true
-  size: 10Gi
+  size: 8Gi
  accessModes:
    - ReadWriteOnce
@ -108,11 +108,6 @@ gitea:
      SMTP_ADDR: badhouseplants.net
      SMTP_PORT: 587
      USER: overlord@badhouseplants.net
    indexer:
      REPO_INDEXER_ENABLED: true
      REPO_INDEXER_PATH: indexers/repos.bleve
      MAX_FILE_SIZE: 1048576
      REPO_INDEXER_EXCLUDE: resources/bin/**
 service:
  ssh:
    type: ClusterIP
--- a/badhouseplants/values/values.istio-gateway-resources.yaml
+++ b/badhouseplants/values/values.istio-gateway-resources.yaml
@ -1,22 +1,3 @@
 certificate:
  enabled: true
  certificate: 
    - name: nrodionov-wildcard
      secretName: nrodionov-wildcard-tls
      issuer:
        kind: ClusterIssuer
        name: badhouseplants-issuer
      dnsNames:
        - nrodionov.info
        - "*.nrodionov.info"
    - name: badhouseplants-wildcard
      secretName: badhouseplants-wildcard-tls
      issuer:
        kind: ClusterIssuer
        name: badhouseplants-issuer
      dnsNames:
        - badhouseplants.net
        - "*.badhouseplants.net"
 istio-gateway:
  enabled: true
  gateways:
@ -51,7 +32,7 @@ istio-gateway:
            number: 80
            protocol: HTTP2
          tls:
-            httpsRedirect: true
+            httpsRedirect: false
        - hosts:
          - nrodionov.info
          - dev.nrodionov.info
--- a/badhouseplants/values/values.istio-ingressgateway.yaml
+++ b/badhouseplants/values/values.istio-ingressgateway.yaml
@ -21,10 +21,6 @@ service:
      port: 1194
      protocol: TCP
      targetPort: 1194
    - name: tcp
      port: 25
      protocol: TCP
      targetPort: 25
    # -----------
    # -- Email
    # -----------
--- a/badhouseplants/values/values.loki.yaml
+++ b/badhouseplants/values/values.loki.yaml
@ -1,22 +1,11 @@
 ---
 singleBinary:
  replicas: 1
  persistence:
    size: 5Gi
 loki:
  auth_enabled: false
  commonConfig:
    replication_factor: 1
  storage:
    type: 'filesystem'
 monitoring:
  selfMonitoring:
    enabled: false
  lokiCanary:
    enabled: false
 test:
  enabled: false
 compactor:
  retention_enabled: true
 limits_config:
-  retention_period: 14d
+  retention_period: 2d
--- a/badhouseplants/values/values.longhorn.yaml
+++ b/badhouseplants/values/values.longhorn.yaml
@ -5,9 +5,9 @@ defaultSettings:
  guaranteedReplicaManagerCPU: 6
  storageOverProvisioningPercentage: 300
  storageMinimalAvailablePercentage: 5
-  defaultDataPath: /media-longhorn
+  defaultDataPath: /media/longhorn
 csi:
-  kubeletRootDir: /var/snap/microk8s/common/var/lib/kubelet
+  kubeletRootDir: /var/lib/kubelet
 persistence:
-  defaultClassReplicaCount: 1
+  defaultClassReplicaCount: 3
 enablePSP: false
--- a/badhouseplants/values/values.metallb-resources.yaml
+++ b/badhouseplants/values/values.metallb-resources.yaml
@ -0,0 +1,4 @@
 ext-ipaddresspool:
  enabled: true
  name: badhouseplants-addresspool
  addresses: 195.201.250.50-195.201.250.50
--- a/badhouseplants/values/values.minio.yaml
+++ b/badhouseplants/values/values.minio.yaml
@ -64,6 +64,11 @@ buckets:
  - name: allanger-music
    policy: download
    purge: false
    versioning: false
  - name: badhouseplants-brew
    policy: download
    purge: false
    versioning: false
 metrics:
  serviceMonitor:
    enabled: false
--- a/badhouseplants/values/values.openvpn.yaml
+++ b/badhouseplants/values/values.openvpn.yaml
@ -17,7 +17,7 @@ istio:
 image:
  tag: v2.6.5-xor-4.0.0beta08
 storage:
-  class: longhorn
+  class: default
  size: 512Mi
 openvpn:
--- a/badhouseplants/values/values.prometheus.yaml
+++ b/badhouseplants/values/values.prometheus.yaml
@ -64,8 +64,7 @@ defaultRules:
 prometheus:
  prometheusSpec:
    enableAdminAPI: true
-    retentionSize: 7GB
+    retentionSize: 10GB
    retention: 20d
    podMonitorNamespaceSelector:
      any: true
    podMonitorSelector: {}
@ -84,7 +83,7 @@ prometheus:
          accessModes: ["ReadWriteOnce"]
          resources:
            requests:
-              storage: 12Gi
+              storage: 10Gi
 grafana:
  persistence:
--- a/badhouseplants/values/values.promtail.yaml
+++ b/badhouseplants/values/values.promtail.yaml
@ -3,9 +3,3 @@ config:
  clients:
    #    - url: http://loki.monitoring-system:3100
    - url: http://loki-gateway/loki/api/v1/push
  snippets:
    pipelineStages:
      - match:
          pipeline_name: "drop-all"
          selector: '{namespace!~"mail-service|woodpecker"}'
          action: drop
--- a/badhouseplants/values/values.rook-ceph-cluster.yaml
+++ b/badhouseplants/values/values.rook-ceph-cluster.yaml
@ -0,0 +1,144 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 # -- Namespace of the main rook operator
 operatorNamespace: rook-ceph
 # -- The metadata.name of the CephCluster CR
 # @default -- The same as the namespace
 clusterName:
 # -- Optional override of the target kubernetes version
 kubeVersion:
 # -- Cluster ceph.conf override
 configOverride:
 # configOverride: |
 #   [global]
 #   mon_allow_pool_delete = true
 #   osd_pool_default_size = 3
 #   osd_pool_default_min_size = 2
 # Installs a debugging toolbox deployment
 toolbox:
  # -- Enable Ceph debugging pod deployment. See [toolbox](../Troubleshooting/ceph-toolbox.md)
  enabled: false
  # -- Toolbox image, defaults to the image used by the Ceph cluster
  image: #quay.io/ceph/ceph:v17.2.6
  # -- Toolbox tolerations
  tolerations: []
  # -- Toolbox affinity
  affinity: {}
  # -- Toolbox container security context
  containerSecurityContext:
    runAsNonRoot: true
    runAsUser: 2016
    runAsGroup: 2016
    capabilities:
      drop: ["ALL"]
  # -- Toolbox resources
  resources:
    limits:
      cpu: "500m"
      memory: "1Gi"
    requests:
      cpu: "100m"
      memory: "128Mi"
  # -- Set the priority class for the toolbox if desired
  priorityClassName:
 monitoring:
  # -- Enable Prometheus integration, will also create necessary RBAC rules to allow Operator to create ServiceMonitors.
  # Monitoring requires Prometheus to be pre-installed
  enabled: false
  # -- Whether to create the Prometheus rules for Ceph alerts
  createPrometheusRules: false
  # -- The namespace in which to create the prometheus rules, if different from the rook cluster namespace.
  # If you have multiple rook-ceph clusters in the same k8s cluster, choose the same namespace (ideally, namespace with prometheus
  # deployed) to set rulesNamespaceOverride for all the clusters. Otherwise, you will get duplicate alerts with multiple alert definitions.
  rulesNamespaceOverride:
  # Monitoring settings for external clusters:
  # externalMgrEndpoints: <list of endpoints>
  # externalMgrPrometheusPort: <port>
  # allow adding custom labels and annotations to the prometheus rule
  prometheusRule:
    # -- Labels applied to PrometheusRule
    labels: {}
    # -- Annotations applied to PrometheusRule
    annotations: {}
 # -- Create & use PSP resources. Set this to the same value as the rook-ceph chart.
 pspEnable: false
 # imagePullSecrets option allow to pull docker images from private docker registry. Option will be passed to all service accounts.
 # imagePullSecrets:
 # - name: my-registry-secret
 # All values below are taken from the CephCluster CRD
 # -- Cluster configuration.
 # @default -- See [below](#ceph-cluster-spec)
 cephClusterSpec:
  resources:
    mgr:
      limits:
        memory: "1Gi"
      requests:
        cpu: "200m"
        memory: "512Mi"
    mon:
      limits:
        memory: "2Gi"
      requests:
        cpu: "250m"
        memory: "1Gi"
    osd:
      requests:
        cpu: "200m"
        memory: "4Gi"
    prepareosd:
      # limits: It is not recommended to set limits on the OSD prepare job
      #         since it's a one-time burst for memory that must be allowed to
      #         complete without an OOM kill.  Note however that if a k8s
      #         limitRange guardrail is defined external to Rook, the lack of
      #         a limit here may result in a sync failure, in which case a
      #         limit should be added.  1200Mi may suffice for up to 15Ti
      #         OSDs ; for larger devices 2Gi may be required.
      #         cf. https://github.com/rook/rook/pull/11103
      requests:
        cpu: "500m"
        memory: "50Mi"
    mgr-sidecar:
      limits:
        cpu: "500m"
        memory: "100Mi"
      requests:
        cpu: "100m"
        memory: "40Mi"
    crashcollector:
      limits:
        cpu: "500m"
        memory: "60Mi"
      requests:
        cpu: "100m"
        memory: "60Mi"
    logcollector:
      limits:
        cpu: "500m"
        memory: "1Gi"
      requests:
        cpu: "100m"
        memory: "100Mi"
    cleanup:
      limits:
        cpu: "500m"
        memory: "1Gi"
      requests:
        cpu: "500m"
        memory: "100Mi"
    exporter:
      limits:
        cpu: "250m"
        memory: "128Mi"
      requests:
        cpu: "50m"
        memory: "50Mi"
--- a/badhouseplants/values/values.vaultwarden.yaml
+++ b/badhouseplants/values/values.vaultwarden.yaml
@ -1,63 +0,0 @@
 ---
 # ------------------------------------------
 # -- Istio extenstion. Just because I'm
 # --  not using ingress nginx
 # ------------------------------------------
 istio:
  enabled: true
  istio:
    - name: vaultwarden-http
      kind: http
      gateway: istio-system/badhouseplants-net
      hostname: vault.badhouseplants.net
      service: vaultwarden
      port: 8080
 # ------------------------------------------
 # -- Database extension is used to manage
 # --  database with db-operator
 # ------------------------------------------
 ext-database:
  enabled: true
  name: vaultwarden-postgres16
  instance: postgres16
 service: 
  port: 8080
 vaultwarden:
  smtp:
    host: badhouseplants.net
    security: "starttls"
    port: 587
    from: vaultwarden@badhouseplants.net
    fromName: Vault Warden
    authMechanism: "Plain"
    acceptInvalidHostnames: "false"
    acceptInvalidCerts: "false"
    debug: false
  domain: https://vault.badhouseplants.net
  websocket:
    enabled: true
    address: "0.0.0.0"
    port: 3012
  rocket:
    port: "8080"
    workers: "10"
  webVaultEnabled: "true"
  signupsAllowed: false
  invitationsAllowed: true
  signupDomains: "https://vault.badhouseplants.com"
  signupsVerify: "true"
  showPassHint: "false"
  database:
    existingSecret: vaultwarden-postgres16-creds
    existingSecretKey: CONNECTION_STRING
    connectionRetries: 15
    maxConnections: 10
  storage:
    enabled: false
    size: 1Gi
    class: default
    dataDir: /data
  logging:
    enabled: false
    logfile: "/data/vaultwarden.log"
    loglevel: "warn"
--- a/badhouseplants/values/values.woodpecker-ci.yaml
+++ b/badhouseplants/values/values.woodpecker-ci.yaml
@ -1,55 +0,0 @@
 # ------------------------------------------
 # -- Istio extenstion. Just because I'm
 # --  not using ingress nginx
 # ------------------------------------------
 istio:
  enabled: true
  istio:
    - name: woodpecker-server-http
      gateway: istio-system/badhouseplants-net
      kind: http
      hostname: ci.badhouseplants.net
      service: woodpecker-ci-server
      port: 80
 ext-database:
  enabled: true
  name: woodpecker-postgres16
  instance: postgres16
  credentials:
    WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
 server:
  enabled: true
  env:
    WOODPECKER_GITEA: true
    WOODPECKER_GITEA_URL: https://git.badhouseplants.net
    WOODPECKER_DATABASE_DRIVER: postgres
    WOODPECKER_GITEA_CLIENT: ab5e4687-a476-4668-9fbc-288d54095634
    WOODPECKER_OPEN: true
    WOODPECKER_ADMIN: "woodpecker,allanger"
    WOODPECKER_HOST: "https://ci.badhouseplants.net"
    WOODPECKER_ESCALATE: true
    WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-ci
    WOODPECKER_BACKEND_K8S_STORAGE_CLASS: microk8s-hostpath
  extraSecretNamesForEnvFrom: 
    - woodpecker-postgres16-creds
 agent:
  image:
    # -- The image registry
    registry: git.badhouseplants.net
    # -- The image repository
    repository: allanger/woodpecker-agent
    # -- The pull policy for the image
    pullPolicy: Always
    # -- Overrides the image tag whose default is the chart appVersion.
    tag: dev
  enabled: true
  extraSecretNamesForEnvFrom: []
  env:
    WOODPECKER_SERVER: woodpecker-ci-server:9000
    WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 3Gi
    WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-ci
    WOODPECKER_BACKEND_K8S_STORAGE_CLASS: microk8s-hostpath
  serviceAccount:
    create: true
  rbac:
    create: true
--- a/common/values.database.yaml
+++ b/common/values.database.yaml
@ -14,12 +14,3 @@ ext-database:
          backup:
            enable: false
            cron: 0 0 * * *
          {{- if .Values.credentials }}
          credentials:
            templates:
              {{- range $key, $value := .Values.credentials }}
              - name: {{ $key }}
                template: {{ $value }}
                secret: true
              {{- end }}
          {{- end }}
--- a/common/values.ipaddresspool.yaml
+++ b/common/values.ipaddresspool.yaml
@ -0,0 +1,14 @@
 ---
 ext-ipaddresspool:
  templates:
    - |
        ---
        apiVersion: metallb.io/v1beta1
        kind: IPAddressPool
        metadata:
          name: "{{ .Values.name }}"
        spec:
          addresses:
            - "{{ .Values.addresses }}"
          autoAssign: true
          avoidBuggyIPs: false
--- a/environments.yaml
+++ b/environments.yaml
@ -1,5 +1,5 @@
 environments:
  badhouseplants:
-    kubeContext: badhouseplants
+    kubeContext: badhouseplants-arm
  etersoft:
    kubeContext: etersoft
--- a/etersoft/values/secrets.minio.yaml
+++ b/etersoft/values/secrets.minio.yaml
@ -9,8 +9,8 @@ users:
 oidc:
    enabled: ENC[AES256_GCM,data:AJwlxQ==,iv:e8Y4xI9VW7R64o5y2TYrMRnL92+RCzFaoF9v4wHDTlc=,tag:T0iZj9cCBxaF444+xuvKuA==,type:bool]
    configUrl: ENC[AES256_GCM,data:UHLEsZwSGwNEV9r6wpiw4lLsMOLxJ6QfHKrrP2oduJE+YG7hImEljrO+/kPSUOgWMGgtXIjT/VLYw7xhW+TL,iv:v6bXPeKMho108y+kErL71RvqlfL0YEUtAaexITN6arY=,tag:r/oglMJVU2J2s3mEgjP+dA==,type:str]
-    clientId: ENC[AES256_GCM,data:6vU3UzdsBjCoxa+H3V87UeNyGt7IYsYMkjEZGFhMfCVWVxxB,iv:4J21E9eskroCTmUFbnt4K4v4tgD+Bjq5j2wT+1q1NE0=,tag:bBDqviaFjnQNDSwTzmpCtw==,type:str]
+    clientId: ENC[AES256_GCM,data:39mFCS47/yw1lGxvDs7nLkk941qPaHUMgGBgtcqmJukGMfJK,iv:rfE/1ukQAO8geJVIJQOQaXmn37DfhDMR/t7Ghwd093A=,tag:SDz4TVKiMY+bXAtfrm17/Q==,type:str]
-    clientSecret: ENC[AES256_GCM,data:G0OChA212NVb7utdsx4kJRS8BQ0V6igeteOo3Q+PvFTd0U7IVt27YB2u0BUGkt4/Go+wByf8joI=,iv:7khUct7Iln7pi7ET7FBLI51Zc+aFTjLpj92EV5q4Sjc=,tag:vMZtRxTDpphKRW4dN3OVfA==,type:str]
+    clientSecret: ENC[AES256_GCM,data:KcamhnHBTErbSS6dR7W+suwV5q13yXqZAUBYhKJ5Kj3t14dp6VDHoYc1Dwyt+hebFz0BYYbRA9g=,iv:hOhGu/lRjsEsEz4f6Wnkds6HNq3DnvM+GsJOAz1fOds=,tag:aQ4+xPDgg/2op+NQl7jhSg==,type:str]
    claimName: ENC[AES256_GCM,data:UUrHhIFP,iv:dKg4zBykxhEKeG40a1eSWRYTyzpb5kBmzhEaULFgSII=,tag:3vfbgsoKkNF2Tmwx3Wi56w==,type:str]
    redirectUri: ENC[AES256_GCM,data:evZK5yq5syKOsTqeqICTWLTq96AXTKftwDdbPYP9Na67N7I12P+jK8k1zKswHQY=,iv:L5AmYGkO2lyU4ytjyMOmuWDg4GtbeoTzcEdZF7WP+es=,tag:BF8AZUJ39+xICfrdNsY9iQ==,type:str]
    comment: ENC[AES256_GCM,data:4h455QlIXewffU2bSKihkg==,iv:p5WRTZfAUgqbF/XpIlaLuUIhQhMWxgs0MW6cqNOiOtg=,tag:yk6CHXx7E8XBY3dath9ezQ==,type:str]
@ -31,8 +31,8 @@ sops:
            UmdLL0NqWVpuNXBYRENEeTltdFVLREUKrwPN2daokcqABFVXjYCbNyCA0zdMCYh6
            vzTTtNV718OAPQKgl3Ho2c5nhhQcWy5YlWPfGMUklZhocXsAvMXS/g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-04T19:00:41Z"
+    lastmodified: "2023-03-26T11:56:18Z"
-    mac: ENC[AES256_GCM,data:jhZqJDZuHXpb50aI4f9Otj5y7lHzb1JadZqccju0No2PGUVO1Le3X/Zc51YIm3di+UV8bZSDUosYA7mWz4zNsyMwK0ikB0zUb12Wv1M0ESe4sJQR3mlQSa6fBe1EUGSAtjtmo/HlKaWvprEo3knTZJrxN8pZdTaPOTSA/Akr8m0=,iv:oUbuW1FL1qFbByt5DKqgCWVv/0D2ByWXs2dyUSuB3Uc=,tag:19MFSo0Y1AfB+kFk0sfW2g==,type:str]
+    mac: ENC[AES256_GCM,data:oiaqwWDTTSvdGZxcLqAJrLkF+jNL2PfOOrTFtO2Arry1LehiGeXqNiqlHTd5IvnB/LrU9vGv5SjDrq+FRycfceai8O5hW8aGBXqCSZANIx7cpCJqtm1ErNAm8yw+K5rq/WeRKEySszNx7QtSZiM9ufo/GIAZMZgcd/bqFdm6oXE=,iv:s+uHg40NPT3kjwHnRIu3udkbm3gE36JMzPFhM6NdT/4=,tag:Q97lA8fRcPr5kGZEUbmhxQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3
--- a/etersoft/values/values.metallb-resources.yaml
+++ b/etersoft/values/values.metallb-resources.yaml
@ -0,0 +1,4 @@
 ext-ipaddresspool:
  enabled: true
  name: etersoft-addresspool
  addresses: 91.232.225.63-91.232.225.63
--- a/etersoft/values/values.minio.yaml
+++ b/etersoft/values/values.minio.yaml
@ -73,8 +73,6 @@ policies:
        - 'arn:aws:s3:::longhorn'
        - 'arn:aws:s3:::restic/*'
        - 'arn:aws:s3:::restic'
        - 'arn:aws:s3:::etcd/*'
        - 'arn:aws:s3:::etcd'
      actions:
        - "s3:DeleteObject"
        - "s3:GetObject"
@ -89,10 +87,6 @@ buckets:
    policy: none
    purge: false
    versioning: false
  - name: etcd
    policy: none
    versioning: false
    purge: false
 metrics:
  serviceMonitor:
    enabled: false
--- a/etersoft/values/values.openvpn.yaml
+++ b/etersoft/values/values.openvpn.yaml
@ -14,8 +14,6 @@ istio:
      service: openvpn
      port: 1194
 image:
  tag: v2.6.5-xor-4.0.0beta08
 storage:
  class: microk8s-hostpath
  size: 5Gi
--- a/helmfile.yaml
+++ b/helmfile.yaml
@ -7,44 +7,53 @@ bases:
 releases:
  - <<: *metrics-server
-    installed: true
+    installed: false
    namespace: kube-system
-    createNamespace: false
+    createNamespace: true
  - <<: *istio-base
    installed: true
    namespace: istio-system
-    createNamespace: false
+    createNamespace: true
  - <<: *istio-gateway
    installed: true
    namespace: istio-system
-    createNamespace: false
+    createNamespace: true
  - <<: *istio-gateway-resources
    installed: true
    namespace: istio-system
    createNamespace: true
  - <<: *istiod
    installed: true
    namespace: istio-system
-    createNamespace: false
+    createNamespace: true
  - <<: *cert-manager
    installed: true
    namespace: cert-manager
-    createNamespace: false
+    createNamespace: true
  - <<: *minio
    installed: true
    namespace: minio-service
-    createNamespace: false
+    createNamespace: true
  - <<: *openvpn
    installed: true
    namespace: openvpn-service
-    createNamespace: false
+    createNamespace: true
  - <<: *metallb
    installed: true
    namespace: metallb-system
    createNamespace: true
  - <<: *metallb-resources
    installed: true
    namespace: metallb-system
 helmfiles:
  - path: {{.Environment.Name }}/helmfile.yaml
--- a/manifests/badhouseplants/namespace-creator-binding.yaml
+++ b/manifests/badhouseplants/namespace-creator-binding.yaml
@ -1,12 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: namespace-manager
 subjects:
  - kind: User
    name: badhousplants
    apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: ClusterRole
  name: namespace-manager
  apiGroup: rbac.authorization.k8s.io
--- a/manifests/badhouseplants/namespace-creator-role.yaml
+++ b/manifests/badhouseplants/namespace-creator-role.yaml
@ -1,8 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: namespace-manager
 rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "watch", "list", "create", "delete"]
--- a/releases.yaml
+++ b/releases.yaml
@ -87,41 +87,122 @@ templates:
      alias: ext-database
    values:
      - '{{ requiredEnv "PWD" }}/common/values.database.yaml'
-  # ----------------------------
+
  ext-ipaddresspool:
    dependencies:
    - chart: bedag/raw
      version: 2.0.0
      alias: ext-ipaddresspool
    values:
      - '{{ requiredEnv "PWD" }}/common/values.ipaddresspool.yaml'
  # -------------------------------------------------------------------
  # -- Releases
-  # ----------------------------
+  # -------------------------------------------------------------------
  # -- System
-  # ----------------------------
+  # -- This is what has to be installed first. Without those releases
  # --  cluster can't function
  # -------------------------------------------------------------------
  common-system:
    labels:
      layer: system
  metrics-server: &metrics-server
    name: metrics-server
    chart: metrics-server/metrics-server
    version: 3.11.0
    inherit:
      - template: common-system
    values:
      - common/values.{{ .Release.Name }}.yaml
  metallb: &metallb
    name: metallb
    chart: metallb/metallb
-    version: 0.13.12
+    version: 0.13.11
    inherit:
      - template: common-system
  metallb-resources: &metallb-resources
    name: metallb-resources
    chart: bedag/raw
    version: 2.0.0
    needs: 
      - metallb
    inherit: 
      - template: default-env-values
      - template: ext-ipaddresspool
      - template: common-system
  cert-manager: &cert-manager
    name: cert-manager
    chart: jetstack/cert-manager
-    version: 1.13.3
+    version: 1.13.1
    inherit: 
      - template: common-system
    set:
      - name: installCRDs
        value: true
  longhorn: &longhorn
    name: longhorn
    chart: longhorn/longhorn
-    version: 1.5.3
+    version: 1.5.1
    inherit:
      - template: default-env-values
      - template: common-system
  # ----------------------------
  # -- Istio
  # ----------------------------
  common-istio:
    labels:
      bundle: istio
    version: 1.19.3
    inherit: 
      - template: common-system
  istio-base: &istio-base
    name: istio-base
    chart: istio/base
    inherit:
      - template: crd-management-hook
      - template: common-istio
  istio-gateway: &istio-gateway
    name: istio-ingressgateway
    chart: istio/gateway
    needs:
      - istio-base
      - metallb-system/metallb-resources
    inherit:
      - template: common-istio
      - template: default-env-values
  istiod: &istiod
    name: istiod
    chart: istio/istiod
    needs:
      - istio-base
    inherit:
      - template: common-istio
      - template: default-env-values
  istio-gateway-resources: &istio-gateway-resources
    name: istio-gateway-resources
    chart: bedag/raw
    version: 2.0.0
    needs:
      - istio-base
    inherit:
      - template: ext-istio-gateway
      - template: default-env-values
      - template: common-system
  argocd: &argocd
    name: argocd
    chart: argo/argo-cd
-    version: 5.51.6
+    version: 5.46.8
    inherit:
      - template: default-env-values
      - template: default-env-secrets
@ -134,7 +215,7 @@ templates:
  prometheus: &prometheus
    name: prometheus
    chart: prometheus-community/kube-prometheus-stack
-    version: 55.3.1
+    version: 51.6.1
    inherit:
      - template: monitoring-common
      - template: default-env-values
@ -145,7 +226,7 @@ templates:
  loki: &loki
    name: loki
    chart: grafana/loki
-    version: 5.41.1
+    version: 5.29.0
    inherit:
      - template: monitoring-common
      - template: default-env-values
@ -153,47 +234,10 @@ templates:
  promtail: &promtail
    name: promtail
    chart: grafana/promtail
-    version: 6.15.3
+    version: 6.15.2
    inherit:
      - template: monitoring-common
      - template: default-env-values
  # ----------------------------
  # -- Istio
  # ----------------------------
  istio-common:
    labels:
      bundle: istio
    version: 1.20.1
  istio-base: &istio-base
    name: istio-base
    chart: istio/base
    inherit:
      - template: crd-management-hook
      - template: istio-common
  istio-gateway: &istio-gateway
    name: istio-ingressgateway
    chart: istio/gateway
    inherit:
      - template: istio-common
      - template: default-env-values
  istio-gateway-resources: &istio-gateway-resources
    name: istio-gateway-resources
    chart: bedag/raw
    version: 2.0.0
    inherit:
      - template: ext-istio-gateway
      - template: ext-certificate
      - template: default-env-values
  istiod: &istiod
    name: istiod
    chart: istio/istiod
    inherit:
      - template: istio-common
      - template: default-env-values
  # ----------------------------
  # -- Applications
@ -201,7 +245,7 @@ templates:
  openvpn: &openvpn
    name: openvpn
    chart: allanger-gitea/openvpn
-    version: 1.0.7
+    version: 1.0.6
    inherit:
      - template: default-env-values
      - template: ext-istio-resource
@ -224,26 +268,16 @@ templates:
  drone-runner-docker: &drone-runner-docker
    name: drone-runner-docker
    chart: drone/drone-runner-docker
-    version: 0.6.2
+    version: 0.6.1
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: drone-common
  woodpecker-ci: &woodpecker-ci
    name: woodpecker-ci
    chart: woodpecker/woodpecker
    version: 1.0.1
    inherit:
      - template: ext-database
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-istio-resource
  nrodionov: &nrodionov
    name: nrodionov
    chart: bitnami/wordpress
-    version: 18.1.24
+    version: 18.0.4
    inherit:
      - template: default-env-values
      - template: default-env-secrets
@ -262,7 +296,7 @@ templates:
  minecraft: &minecraft
    name: minecraft
    chart: minecraft-server-charts/minecraft
-    version: 4.12.0
+    version: 4.11.0
    inherit:
      - template: default-env-values
      - template: default-env-secrets
@ -271,7 +305,7 @@ templates:
  gitea: &gitea
    name: gitea
    chart: gitea/gitea
-    version: 9.6.1
+    version: 9.5.0
    inherit:
      - template: default-env-values
      - template: default-env-secrets
@ -281,13 +315,23 @@ templates:
  funkwhale: &funkwhale
    name: funkwhale
    chart: ananace-charts/funkwhale
-    version: 2.0.5
+    version: 2.0.3
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-istio-resource
      - template: ext-database
  mailu: &mailu
    name: mailu
    chart: mailu/mailu
    version: 1.2.0
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-istio-resource
      - template: ext-certificate
  bitwarden: &bitwarden
    name: bitwarden
    chart: bitwarden/vaultwarden
@ -300,7 +344,7 @@ templates:
  redis: &redis
    name: redis
    chart: bitnami/redis
-    version: 18.5.0
+    version: 18.1.5
    inherit:
      - template: default-env-values
      - template: default-env-secrets
@ -308,7 +352,7 @@ templates:
  postgres16: &postgres16
    name: postgres16
    chart: bitnami/postgresql
-    version: 13.2.24
+    version: 13.1.4
    inherit:
      - template: default-env-values
      - template: default-env-secrets
@ -316,12 +360,12 @@ templates:
  db-operator: &db-operator
    name: db-operator
    chart: db-operator/db-operator
-    version: 1.14.1
+    version: 1.11.1
  db-instances: &db-instances
    name: db-instances
    chart: db-operator/db-instances
-    version: 2.1.1
+    version: 1.4.2
    inherit:
      - template: default-env-values
      - template: default-env-secrets
@ -329,7 +373,7 @@ templates:
  mysql: &mysql
    name: mysql
    chart: bitnami/mysql
-    version: 9.14.4
+    version: 9.12.5
    inherit:
      - template: default-env-values
      - template: default-env-secrets
@ -337,18 +381,9 @@ templates:
  docker-mailserver: &docker-mailserver
    name: docker-mailserver
    chart: allanger-gitea/docker-mailserver
-    version: 2.2.0
+    version: 2.1.3
    inherit:
      - template: default-env-values
      - template: ext-istio-gateway
      - template: ext-istio-resource
  vaultwarden: &vaultwarden
    name: vaultwarden
    chart: badhouseplants/vaultwarden
    version: 1.0.0
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-istio-resource
      - template: ext-database
--- a/repositories.yaml
+++ b/repositories.yaml
@ -36,7 +36,3 @@ repositories:
    url: https://db-operator.github.io/charts
  - name: allanger-gitea
    url:  https://git.badhouseplants.net/api/packages/allanger/helm
  - name: badhouseplants
    url: https://badhouseplants.github.io/helm-charts/
  - name: woodpecker
    url: https://woodpecker-ci.org
Author	SHA1	Message	Date
Nikolai Rodionov	3463f91c77	Some changes for ARM	2023-11-05 16:16:24 +01:00
Nikolai Rodionov	70101a1c3f	Prepare the arm cluster	2023-10-18 16:51:42 +02:00