Keep migrating things

2025-03-29 14:16:34 +01:00 · 2025-03-29 14:16:34 +01:00 · dbd69180e4
commit dbd69180e4
parent 992463b8cd
12 changed files with 293 additions and 0 deletions
--- a/helmfile.yaml
+++ b/helmfile.yaml
@ -3,3 +3,4 @@ bases:
  - ./common/templates.yaml
  - ./helmfiles/base.yaml
  - ./helmfiles/system.yaml
+  - ./helmfiles/platform.yaml
--- a/helmfiles/platform.yaml
+++ b/helmfiles/platform.yaml
@ -0,0 +1,50 @@
+repositories:
+  - name: keel
+    url: https://keel-hq.github.io/keel/
+  - name: uptime-kuma
+    url: https://helm.irsigler.cloud
+  - name: external-dns
+    url: https://kubernetes-sigs.github.io/external-dns/
+  - name: minio-standalone
+    url: https://charts.min.io/
+releases:
+  - name: external-dns
+    chart: external-dns/external-dns
+    labels:
+      layer: platform
+    version: 1.15.2
+    namespace: platform
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+
+  - name: keel
+    chart: keel/keel
+    version: v1.0.5
+    labels:
+      layer: platform
+    namespace: platform
+    inherit:
+      - template: common-values-tpl
+
+  - name: uptime-kuma
+    chart: uptime-kuma/uptime-kuma
+    version: 2.21.2
+    namespace: platform
+    labels:
+      layer: platform
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+
+  - name: minio
+    chart: minio-standalone/minio
+    version: 5.4.0
+    namespace: platform
+    labels:
+      layer: platform
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
--- a/values/common/platform/external-dns/values.gotmpl
+++ b/values/common/platform/external-dns/values.gotmpl
@ -0,0 +1,7 @@
+
+global:
+  imagePullSecrets:
+    - name: regcred
+
+image:
+  repository: {{ .Values.registry}}/external-dns/external-dns
--- a/values/common/platform/keel/values.gotmpl
+++ b/values/common/platform/keel/values.gotmpl
@ -0,0 +1,6 @@
+
+image:
+  repository: {{ .Values.registry }}/keelhq/keel
+
+imagePullSecrets:
+  - name: regcred
--- a/values/common/platform/minio/values.gotmpl
+++ b/values/common/platform/minio/values.gotmpl
@ -0,0 +1,9 @@
+
+image:
+  repository: {{ .Values.registry }}/minio/minio
+
+imagePullSecrets:
+  - name: regcred
+
+mcImage:
+  repository: {{ .Values.registry }}/minio/mc
--- a/values/common/platform/uptime-kuma/values.gotmpl
+++ b/values/common/platform/uptime-kuma/values.gotmpl
@ -0,0 +1,6 @@
+
+image:
+  repository: {{ .Values.registry }}/louislam/uptime-kuma
+
+imagePullSecrets:
+  - name: regcred
--- a/values/etersoft/kube-system/namespaces/values.yaml
+++ b/values/etersoft/kube-system/namespaces/values.yaml
@ -4,5 +4,6 @@ namespaces:
    defaultRegcred: true
  - name: applications
  - name: platform
+    defaultRegcred: true
  - name: kyverno
    defaultRegcred: true
--- a/values/etersoft/platform/external-dns/secrets.yaml
+++ b/values/etersoft/platform/external-dns/secrets.yaml
@ -0,0 +1,23 @@
+env:
+    - name: ENC[AES256_GCM,data:I+XVWWOUmm7Cd4mQ,iv:rfUzb5HMPVyNfzkCP2frVDxD+v4lTPzILRifcS3uG6s=,tag:1sXONdAjMZ85S8abMVZM1A==,type:str]
+      value: ENC[AES256_GCM,data:h8sYBvFfm7uFoklqXE7QLNkikl1ihHz/KN4uYiZlRJBZkiUBbTk/Vg==,iv:/y6RdHVWwwBym5HiBaxEatTWG7I/gNY9ZIaQc4bk9h0=,tag:PytkOjvY3fy6XeLNmGPrXA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBra0RUWVFDUXN0ejAxemE2
+            VFlRcEtLNDJUblA3ZmoyMExPWWpjZzlVYjJzCnZVZDNSbnpjcFRUQ0hOMWxLNUZi
+            RTg5Z2JVZzVoVFVYSVErcWdnbHVvVVkKLS0tIHdZMjVsc3lHRzlJODRWSEh0Wm8w
+            M09rOXZ3OHZVUUVlWWIwaTN0Z2RqRmcKe1ny6FJIFwR6Un0HBFZK2KXkzUQA63rU
+            JR7mpEzr2h2oXxOmyc7HeFFi2R66zendFzfhNcvSlm2L5td2Pnxyxg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-16T14:21:42Z"
+    mac: ENC[AES256_GCM,data:SNHNvmPCt/6Xwd6xoCh5uHF1erhWpTfzEQ/krTvYtByvT7XvDtXjtslJqAa8RkNPl2QV34epWcj/Ff6xud9tvLdAR4Gj4MPJD8WBLUUFul4rvoXfaHyHhSanYmiOhdF0mArE81qsBY918LFS5fdWMrxCNDrHbDtW76KBoLcDUto=,iv:8/ZxjrER1151RGjSdICVjj8ptyQn60SInakqABXWQZE=,tag:/bQsE3TCXoMbXoAF1UErOw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4
--- a/values/etersoft/platform/external-dns/values.yaml
+++ b/values/etersoft/platform/external-dns/values.yaml
@ -0,0 +1,13 @@
+provider:
+  name: cloudflare
+domainFilters:
+  - badhouseplants.net
+policy: sync
+txtOwnerId: eter
+txtPrefix: eter-ext-dns-
+logFormat: json
+logLevel: info
+sources:
+  - service
+  - ingress
+  - crd
--- a/values/etersoft/platform/minio/secrets.yaml
+++ b/values/etersoft/platform/minio/secrets.yaml
@ -0,0 +1,38 @@
+rootPassword: ENC[AES256_GCM,data:kxg0YirkjeeTaKueH1G4RijoLjLGxHJP2w==,iv:FM83CGAl7E/xEh9k+GPy/z5apxlAb6/HEhznGcUcu64=,tag:Obw7iPuQltcaWwjZfAh7xQ==,type:str]
+users:
+    - accessKey: ENC[AES256_GCM,data:h01uNoYYTNs=,iv:YkdniZm4pFzcEa+MfXazBClz6RrnYjzAh+3IbnVE0nQ=,tag:SFZ8HnM8N99CNLvEnWBXqA==,type:str]
+      secretKey: ENC[AES256_GCM,data:sr33gCJYEd2k7bbZNHKVgvOmUN235YJoUg==,iv:hGFkM9cS0cv+GOWpxn1YPjDJBqSZl3RHRrUM9TQt0A0=,tag:Uu7ItlGDxayQhG9vmSNp/Q==,type:str]
+      policy: ENC[AES256_GCM,data:QPL12F5ZWVI=,iv:wXBHgWlI6kFvGH6rp5pLEEcT7S2i58K3Pwa4D4407ks=,tag:JckGYguaJfvHK/sgSuKICQ==,type:str]
+    - accessKey: ENC[AES256_GCM,data:oJrvlRNB,iv:RTYdPqj5Q77NvJIUsRw7PA/7yhZ1YzjRWCYfvshXoCU=,tag:5gtdnE9cIUvZWWpQsO+2oA==,type:str]
+      secretKey: ENC[AES256_GCM,data:nZGlehkE2OhNjXLZk/4syI/xKRGmRmzltw==,iv:24Q/OVU2Rtz5ZmUcgJ6ZsOfXv97PXHL9456C5ccsVAA=,tag:xbU/qLleiUwUBzB1dU6/Ew==,type:str]
+      policy: ENC[AES256_GCM,data:eC7ZPjG/,iv:cEbFEZygJ7ntGA174A3p/RXhjK1QFVY1ldLiZFsaJ8M=,tag:cknvoIX5NONoni1mInssgg==,type:str]
+oidc:
+    enabled: ENC[AES256_GCM,data:ZzHQSw==,iv:pAM6Sg5FOqk3OevwXxNz6+HoA+S9JKn3qXKBrvtQOjw=,tag:jIjUzOpsDTrmWXnVQZvOLQ==,type:bool]
+    configUrl: ENC[AES256_GCM,data:wM3MMDLR0hD0moLuOJbVV0FXEAcRpGQCiWZHIRfaer5WzSAnQH/8/PVkOnFy16uzsAf1IFbQIOjaXDw1alv3WxczIKpfXiR8mfNI013fCs+tURdOPCSdziQf9G1+sar9/Fs=,iv:95nxS+kP5Ml3WWbN6kGQxH0E/hLDUMp664OrQVZhH80=,tag:0PvfH+J9SQGwBJ/Kh7zgCA==,type:str]
+    clientId: ENC[AES256_GCM,data:UlETcj+fUPFDh2thR2Q=,iv:EF5QHrfstIqT5MYvrkQkUtcquG9SIsruYKSaR9adz5E=,tag:/yYOxzIIgoCRqsFSHyQanw==,type:str]
+    clientSecret: ENC[AES256_GCM,data:elh+rgMPMxJ3Tf+ufv4FBVQRBY+HeWbaSz4Mjx+CQIGzVBYDw2TaImgZbdIN7X+tVRdKjBUad7Bd4VUZoZt8kIacT4usJRQC9qErhMjnuT+OGzq6mSpXMztAzbGpL76L44S893sRkUkVwDpA6p4vqPSe5vMiaXZZAANIrhIDcRo=,iv:FIr6pRpJ3FlRchQs2Hg25bJu4HFYSy9HFiDhOPDPang=,tag:0pWGuHVwrlm11SqFKYj5ag==,type:str]
+    claimName: ENC[AES256_GCM,data:EOYQcSX7,iv:7ELctRaFlUmE/I9ExsLjMSCOrwLyTrJt5RQeDMqcZXI=,tag:CAEcRcWu0jkHxIdWFwoQvA==,type:str]
+    redirectUri: ENC[AES256_GCM,data:ek2cRHXtOCy9yNRrCyW6GFULz9ql7vzFIYc/7OBBlqQZmzMVEiNJ0B8Wej5TELIJ+do=,iv:IMr3J6Vcs7mT+agAcwaV8av7PUuOtvCdvLOOIKYwN2U=,tag:hLgtwpqtgsyoIF574C8UYA==,type:str]
+    comment: ENC[AES256_GCM,data:io98WZF69zRwoaDz1WXgb3gJ+Ac=,iv:Uw3p8734k25N+GZhQQ225Ye5mJInR4LcJ9LPcppEsgY=,tag:hvx6FxcwajTmC4gQGErWmQ==,type:str]
+    claimPrefix: ""
+    scopes: ENC[AES256_GCM,data:mK8Vczvi5SSVPW6k9pLx2aOaXUdfujXE1G77,iv:M8TxsGfsnvdRyBo94JitBnx366MuRY5Q6vLNmCs0hp8=,tag:YaobqJvS7u6B9x0MN5VMzA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFYlFwMzFCaG8wbk5ZcDI4
+            OU93MVNoZGNyL0h0WFhRM254eDF6Y2FkZjMwClJEcHNZcFVlaTB4eDlsMm5QaEYy
+            NE0rd3EzUytaVEc5Y3I0MUpJWnI1NkUKLS0tIHBlS1dKMG9kcXpJSHMzbDhXcGJx
+            OXIvTU1uSVFXenF5QU82VHFta3ZmS0UK86P5geFl4PEMgKqBW2AlQfyTjT84TRfE
+            NjjFcpeFsUa3GoSm+NHxjzXbEEWkQsVsLWqS48IAPhOiICyWPwiznA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-20T16:42:14Z"
+    mac: ENC[AES256_GCM,data:DyBFmjgWcRCkEEpuDUL2M4w6DcJ+YiVaUZcCuHReTKZRuE0BcYn8TCKYqaILKM4B0ClLK4aYH194ZNysEMDoAVDnLaTWPa3as8dW8mwpeaPmV80CbnKsRLMajwWJi7T8LBYrHaSSZx8eCRHvXFaB3u8B7t31vmzwutlpu5BKQqc=,iv:RzcPzF0rrSVZNSuG/Juv/gFtSdPqgImU+jO0Z3oQVzQ=,tag:KkEecRrbBDImiTBhn4T0pQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4
--- a/values/etersoft/platform/minio/values.yaml
+++ b/values/etersoft/platform/minio/values.yaml
@ -0,0 +1,119 @@
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: ""
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+  path: /
+  hosts:
+    - s3.ru.badhouseplants.net
+  tls:
+    - secretName: s3.ru.badhouseplants.net
+      hosts:
+        - s3.ru.badhouseplants.net
+consoleIngress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: ""
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+  path: /
+  hosts:
+    - minio.ru.badhouseplants.net
+  tls:
+    - secretName: minio.ru.badhouseplants.net
+      hosts:
+        - minio.ru.badhouseplants.net
+rootUser: "overlord"
+replicas: 1
+mode: standalone
+environment:
+  MINIO_SERVER_URL: "https://s3.ru.badhouseplants.net"
+tls:
+  enabled: false
+  certSecret: ""
+  publicCrt: public.crt
+  privateKey: private.key
+persistence:
+  annotations:
+    volume.kubernetes.io/selected-node: yekaterinburg
+  storageClass: local-path
+  enabled: true
+  accessMode: ReadWriteOnce
+  size: 60Gi
+service:
+  type: ClusterIP
+  clusterIP: ~
+  port: "9000"
+consoleService:
+  type: ClusterIP
+  clusterIP: ~
+  port: "9001"
+resources:
+  requests:
+    memory: 2Gi
+buckets:
+  - name: velero
+    policy: none
+    purge: false
+    versioning: false
+  - name: xray-public
+    policy: download
+    purge: false
+    versioning: false
+metrics:
+  serviceMonitor:
+    enabled: false
+    public: true
+    additionalLabels: {}
+policies:
+  - name: allanger
+    statements:
+      - resources:
+          - "arn:aws:s3:::*"
+        actions:
+          - "s3:*"
+      - resources: []
+        actions:
+          - "admin:*"
+      - resources: []
+        actions:
+          - "kms:*"
+  - name: velero
+    statements:
+      - resources:
+          - "arn:aws:s3:::velero"
+        actions:
+          - "s3:*"
+      - resources:
+          - "arn:aws:s3:::velero/*"
+        actions:
+          - "s3:*"
+  - name: Admins
+    statements:
+      - resources:
+          - "arn:aws:s3:::*"
+        actions:
+          - "s3:*"
+      - resources: []
+        actions:
+          - "admin:*"
+      - resources: []
+        actions:
+          - "kms:*"
+  - name: DevOps
+    statements:
+      - resources:
+          - "arn:aws:s3:::badhouseplants-net"
+        actions:
+          - "s3:*"
+      - resources:
+          - "arn:aws:s3:::badhouseplants-net/*"
+        actions:
+          - "s3:*"
--- a/values/etersoft/platform/uptime-kuma/values.yaml
+++ b/values/etersoft/platform/uptime-kuma/values.yaml
@ -0,0 +1,20 @@
+ingress:
+  enabled: true
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: ""
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    external-dns.alpha.kubernetes.io/ingress-hostname-source: defined-hosts-only
+  hosts:
+    - host: uptime.ru.badhouseplants.net
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+
+  tls:
+    - secretName: uptime.ru.badhouseplants.net
+      hosts:
+        - uptime.ru.badhouseplants.net