badhouseplants/k8s-deployment
4
0
Fork 0
Code Issues 3 Pull Requests 7 Actions Packages Projects Releases Activity

Onboard the etersoft cluster #96

Merged
allanger merged 1 commits from bootstrap-etersoft-cluster into main 2024-10-14 06:17:05 +00:00
Conversation 0 Commits 1 Files Changed 12 +195 -173
12 changed files with 195 additions and 173 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
common/environments.yaml
View File

@ -8,6 +8,10 @@ environments:
enabled: true
- backups:
enabled: false
- localpath:
enabled: false
- openebs:
enabled: true
etersoft:
kubeContext: etersoft
values:
@ -19,3 +23,5 @@ environments:
enabled: true
- openebs:
enabled: false
- localpath:
enabled: true

0
installations/applications/helmfile.yaml → installations/applications/helmfile-badhouseplants.yaml
View File

26
installations/applications/helmfile-etersoft.yaml Normal file
View File

@ -0,0 +1,26 @@
bases:
- ../../common/environments.yaml
- ../../common/templates.yaml
repositories:
- name: allangers-charts
url: ghcr.io/allanger/allangers-charts
oci: true
- name: gabe565
url: ghcr.io/gabe565/charts
oci: true
releases:
- name: openvpn
chart: allangers-charts/openvpn
version: 0.0.2
namespace: applications
inherit:
- template: default-env-values
- template: ext-tcp-routes
- name: qbittorrent
chart: gabe565/qbittorrent
version: 0.3.7
namespace: applications
inherit:
- template: default-env-values
- template: ext-secret
- template: ext-traefik-middleware

4
installations/platform/helmfile.yaml
View File

@ -66,6 +66,7 @@ releases:
version: 2024.8.3
namespace: platform
createNamespace: false
condition: workload.enabled
needs:
- platform/db-operator
inherit:
@ -82,12 +83,14 @@ releases:
- name: kyverno
chart: kyverno/kyverno
namespace: kyverno
condition: workload.enabled
labels:
bootstrap: true
version: 3.2.7
- name: kyverno-policies
chart: kyverno/kyverno-policies
namespace: kyverno
condition: workload.enabled
labels:
bootstrap: true
version: 3.2.6
@ -96,6 +99,7 @@ releases:
- name: custom-kyverno-policies
chart: ../../kustomizations/kyverno/
namespace: kyverno
condition: workload.enabled
labels:
bootstrap: true
needs:

11
installations/system/helmfile.yaml
View File

@ -24,6 +24,8 @@ repositories:
url: https://vmware-tanzu.github.io/helm-charts/
- name: openebs
url: https://openebs.github.io/openebs
- name: local-path-provisioner
url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
releases:
- name: namespaces
chart: '{{ requiredEnv "PWD" }}/charts/namespaces/chart'
@ -131,3 +133,12 @@ releases:
- kube-system/cilium
inherit:
- template: default-env-values
# -- Not versions since it's installed from git
- name: local-path-provisioner
chart: local-path-provisioner/local-path-provisioner
condition: localpath.enabled
namespace: kube-system
needs:
- kube-system/cilium
inherit:
- template: default-env-values

4
manifests/debug.yaml
View File

@ -1,11 +1,7 @@
apiVersion: v1
kind: Pod
metadata:
labels:
app.kubernetes.io/instance: server-xray-public
app.kubernetes.io/name: server-xray
name: debug
namespace: public-xray
spec:
containers:
- args:

22
values/badhouseplants/secrets.velero.yaml
View File

@ -1,8 +1,8 @@
credentials:
useSecret: ENC[AES256_GCM,data:jaRt6g==,iv:tFJ1xXlSvzdmGk32IxNoygKkOTYg1uhWiTQ+Fb4vxho=,tag:w7eY7ByCOnR2yx5hnoeL7Q==,type:bool]
name: ENC[AES256_GCM,data:iXPmDVTNHwQKNpUbqjWI,iv:6ykrI3VcYPKInFAPsYl0TzynEdl/PQvCKQp0UCtytXM=,tag:LuTomLPweH/e5Ubr4O8LOw==,type:str]
useSecret: ENC[AES256_GCM,data:aeEoxA==,iv:OGb9hAy+LJuH2ZPVVAyEkLUXpiqsYat1vFvHfxnnz+k=,tag:DLkOF+a4QWcjiNnDmQsrNg==,type:bool]
name: ENC[AES256_GCM,data:f68NZYuDiN4uQUGA6JFl,iv:ugx3j6xxplh9nD/gWo56FfZ7UNB3m2Ta5vXpuvJTOhs=,tag:we/ZrIa6wYicsfhDL2seqQ==,type:str]
secretContents:
data: ENC[AES256_GCM,data:DC9XGNH0Q1PYEs2AesQWsYCIUS8iXWc7UsU+Y6e2Mt04vWFNpPMHxFUgMVHU4X7BChoyW/vXF3EPPORga99Xdf8q4+LprOZ4,iv:+poyt47TO3+lVzkK8L32OJreylYPJlZslBGpnNlO+aE=,tag:5qzH/6FHcIsMI7SKLadSgA==,type:str]
data: ENC[AES256_GCM,data:I+of51MXK+TXvGODqqk3xJ4yLFf516Acvr5HjfBJ1RNQKLP8kJ2w/6djOz6iF57WThl12Q3Nj68P8+uC6ZZ8uyS9P/AD5UVeDCeeTF0bSBdDoK0=,iv:+LdjdMyFB8xN61DxD5zEUGFbTJsGX5rRsqtZB+xwJno=,tag:ANV7UaZ839PIh+frj1UGkQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -12,14 +12,14 @@ sops:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZG1RaForN3gwd081UzM5
SkZCVVNjVjFMRzRLbmI0VGV3QlZUdk9pT3hJCklsL0dIcDg1d0xsL2tYTlZBNDVY
Ykp6THppMERGNm5FTUg5NFgyMkRBN1EKLS0tIE1Uclk0bnZibko1aHI0WXlpSFFQ
WjVKZ1RCQzJwM04rYmQ5Q0x5SHJrdjQK/Y3T0XyH6JKG8OXip25W4EJBQlF6obbe
GPv/C5IfnquKv4rGwrLxZuIKYBHmHrwmu5fj/5ls9i+Mr4FbaJt9NA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZVREdnRXcm1KSXFXR1Zx
VTlNMnFyTy8waDZuVTJ3ckphcFdxQ1pZNEFBCm1TcTlDTWhjMFdnZWN2RXNhN1RH
QmNJTWRneko4Ui9IMlExYVJMZlExZ1UKLS0tIDhLcytJY3NJR1g0MTQ3dlNtU2M3
dWFFUWt0UnAyTTBxNVVhNGxQY01XWnMKPSBtx7LUUX/hRkCvJHn2d42M8FaNtUPY
0hUgS8ySUx7avpijvvBQYxLhGj9qzpMdfEX/4jQzM9Q5E9LviOA63w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-11T12:09:20Z"
mac: ENC[AES256_GCM,data:o6jRT/fyR25ChKrfWnx5AapVpiPxJYLJy9NbOTv/CBv0iO9/CKTh0HpeHkvkechPuBlQexI06f1bjqXUkKNFefrh/EIS82it0WGHpUwL+UUsh+g0ZfvZ23NvhFvYCUzxG48E+VxXV2Pt3VsqwxczNb4LCCBf6Nv2ljE4T0eezlA=,iv:5Ed9ZjdotnlWLq6cos3zwmvxRdibYPmXifKwj4eiDY0=,tag:Ct9fbr9aLz3jXl16Sk9LaQ==,type:str]
lastmodified: "2024-10-11T12:28:10Z"
mac: ENC[AES256_GCM,data:f3KDO0lqWydj2RS36Ak3Ml6IixNUvSbwDboFGsg7GDju839xIAJFS1RzoW9As67MBL0YLSh9t9uI0566oPmRr0SEW1/sWQpp0BXA3EQB2jzejnnPRbZnWesFJZL5qNSOGIXmacWXMDzNNAD83mxUsRj2DxfIiKJuI4fKFgmCzCg=,iv:XlFo8+wJtjBaGcM7EW1I1lRTttcijq1u/gE2dX3x2iw=,tag:6kkMBGG8UQy4e7jMcBCBFQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0
version: 3.9.1

38
values/etersoft/secrets.minio.yaml Normal file
View File

@ -0,0 +1,38 @@
rootPassword: ENC[AES256_GCM,data:JF0ZjTiuvYzO9Ol7ma268WS/VugWW/2Jaw==,iv:VBxzVeCLB74en8BiybMZHvrB9FIyssrGtDpsaXqCtBQ=,tag:DOhQwg7D+tEqcikrcv88FQ==,type:str]
users:
- accessKey: ENC[AES256_GCM,data:4vsyrmk6clo=,iv:lcDiS+AFB3yAzsrKbfyDQnYuT2twGpd0kC/z7YhpsbQ=,tag:fpBGkAVPNiTrxDCE1pXR3A==,type:str]
secretKey: ENC[AES256_GCM,data:3kqn1s4wqGLURlfrhNYMGjaoZAw+HF4rwg==,iv:0xLW4f6N0g3h8FfOUGfbVOhnSTKLsy71Ubt+2z4dSC0=,tag:HkEJ/LSbn+8RfGF8FAYqHQ==,type:str]
policy: ENC[AES256_GCM,data:FJEdDNqZA30=,iv:ZI7Nbzwi3RtIuadt3/UBA5AbQJjjiB2M/uoj2AFA/10=,tag:U3BZ6cFRS09fnKkA7kROJA==,type:str]
- accessKey: ENC[AES256_GCM,data:0poCmmka,iv:O51Mx43yigleqadiR7b8i7uxOT+38C88efa/TUbYBj0=,tag:r9ZwW5pxvPxLSyQTezAN1Q==,type:str]
secretKey: ENC[AES256_GCM,data:fRpbe2HbTNactZx+60jtd0YL1pCmhWMYgw==,iv:tmZbhzQxx8+Tyxpx+jQ0YCXBVfR74BM3yGlai8IXZHE=,tag:xk9l8Rse9Hnj0Qcmnm/cmA==,type:str]
policy: ENC[AES256_GCM,data:oxr+5V8C,iv:EHFqChAYnZP9PqejnpA9coJIlO9s9VllMIXUM1HLSpY=,tag:/Al9G92TUtxWAcwkTaQJCA==,type:str]
oidc:
enabled: ENC[AES256_GCM,data:lMx4vU8=,iv:J2/vLve9rjzAS6IGFEMixfSTa+0bRTxKcy8iRUuhvSY=,tag:Xz5/xmyUgLmW9YLXRc/D4A==,type:bool]
configUrl: ENC[AES256_GCM,data:eGE12HZTCzRkC4I+chRrk/GZjN4uBf6BEkrfgj4w3AKoe/zRfn5fbfOeZcYswJxmemf5jV0/Z8Xf7qRAOfogF0j/oAGPr6Ljf1xmJ37W72Giz9AJGBOWOnk=,iv:Fxwb59KoX/+xsbAJ4Gimxs5EbFaJf47KIosexsg6+xw=,tag:hWh/HbR8Re0F79amQhprmw==,type:str]
clientId: ENC[AES256_GCM,data:HV3Na7c=,iv:J+zpkI6f24cjnETRcIIv9M7ZcYf59TSIui05TOQJvJU=,tag:F3nmBGoW2lZ8GR09hRZ6YQ==,type:str]
clientSecret: ENC[AES256_GCM,data:gIGqUq1CAl+Y6EBBhWW8qjsUnUpuril/eH+gZBWG9J3O8dJjX3Z4MA8Q4HZPVdz5Q+6cZlIQ8nf5xbDQsGKFJgE0IqlM2B+pLd+toCpstP2irwHbx5z1RSHo8az70al87AaAKeAlWF0xVbVhpN5JrAQcjALOUbgeBg72QLQZOUw=,iv:bwc677iXUyX4R37j25iuKS37H8hwwEleEIArrQLNfhU=,tag:guPzIqsD+4s51rTK61fx2A==,type:str]
claimName: ENC[AES256_GCM,data:wXZh3m5M,iv:0iuETRNlJeiAwgeMbXuECh1EYuHQ+FI+++aL7jgMU9s=,tag:BBwQbNfPmwnjx5Hrk68sZQ==,type:str]
redirectUri: ENC[AES256_GCM,data:FSeRB5+TscUcZCwJhpaDHGbpUa49yF/eW4vjN036hfCJ2r0jdSiDrU2CjVTqcl8=,iv:4ap8l61BRye4K0imsF34zXiEmN13uwe86PTxcnTOEm0=,tag:k62A6DGt0n1Ra/NJoss+FQ==,type:str]
comment: ENC[AES256_GCM,data:U9F6nifLDU9DkfVXoCOHUJC7H2M=,iv:xR4P03dfn1OXGD4zx3OXOPwHGh4/rJHVqDp0Qn+Oacw=,tag:AXfM+5M2ZdtNJ6oJgeyqZw==,type:str]
claimPrefix: ""
scopes: ENC[AES256_GCM,data:rkal2ggLfUTsMu739T5aXWM7MF4ny+k6m6D5,iv:Xl1siRhxvWlqlAcZzV5N1hZTH3hg+HsEujwn9kLFovM=,tag:LKza7MMkC2x6ZeYVKIop5w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMHA0bUNTVnlHWU03UWhn
eHJ0Y2xzREVxTlhWbk5GRzhSa3RoV2lValY0CkcxbEZyc1VQNnozcTRteVlVQXNy
cUlyNDFtMTRPMnF1TmNIRjB4RkdZK28KLS0tIFBJdG05MklnV3IyYVJ5VDF6VE9n
VkVEQitNb0VOa1BJNkZ5d0E2czNtRXcKby+2hCLGWWKVsQeb5rLdl/LOvh9zQOyr
c1Spv2k7duos1MNnbQvRtRbJyYCRdo9Q7ZjbXiJL+Wb5//MGCfJi0w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-14T05:40:46Z"
mac: ENC[AES256_GCM,data:yFMVr4gztundDVhLKENNfn+/WS/n8kJFXJ52aF7vAZtJ3UYibUBJh88BWYQn2euBUiPZXu2xNp0/SBUTKocJE9a9g9O+mjLemTzCOsHD7mMmKwHc9BSUnzPpKne+hdfNaWW8V0LP5hnlDeIT+75dcqu9f4I/v/ipsOk+C1WeKU4=,iv:gkDc7bqtoFrz6GG7NiBY8PUn1etWEAomhI8mf9b5jD0=,tag:1m2Ysku6FMlceILUisK5bw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

70
values/etersoft/values.minio.yaml
View File

@ -1,9 +1,7 @@
---
ingress:
enabled: true
ingressClassName: ~
ingressClassName: traefik
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
@ -11,16 +9,15 @@ ingress:
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
path: /
hosts:
- s3.3.badhouseplants.net
- s3.e.badhouseplants.net
tls:
- secretName: s3.e.badhouseplants.net
hosts:
- s3.e.badhouseplants.net
consoleIngress:
enabled: true
ingressClassName: ~
ingressClassName: traefik
annotations:
kubernetes.io/ingress.class: traefik
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
@ -28,12 +25,11 @@ consoleIngress:
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
path: /
hosts:
- minio.e.badhouseplants.net
- min.e.badhouseplants.net
tls:
- secretName: minio.e.badhouseplants.net
- secretName: min.e.badhouseplants.net
hosts:
- minio.e.badhouseplants.net
- min.e.badhouseplants.net
rootUser: 'overlord'
replicas: 1
mode: standalone
@ -45,9 +41,12 @@ tls:
publicCrt: public.crt
privateKey: private.key
persistence:
annotations:
volume.kubernetes.io/selected-node: yekaterinburg
storageClass: local-path
enabled: true
accessMode: ReadWriteOnce
size: 100Gi
size: 10Gi
service:
type: ClusterIP
clusterIP: ~
@ -60,25 +59,10 @@ resources:
requests:
memory: 2Gi
buckets:
- name: badhouseplants-net
policy: download
purge: false
versioning: false
- name: badhouseplants-js
policy: download
purge: false
versioning: false
- name: badhouseplants-net-main
policy: download
purge: false
versioning: false
- name: sharing
policy: download
purge: false
versioning: false
- name: allanger-music
policy: download
- name: velero
policy: none
purge: false
versioning: fase
metrics:
serviceMonitor:
enabled: false
@ -97,35 +81,13 @@ policies:
- resources: []
actions:
- "kms:*"
- name: Admins
- name: velero
statements:
- resources:
- 'arn:aws:s3:::*'
actions:
- "s3:*"
- resources: []
actions:
- "admin:*"
- resources: []
actions:
- "kms:*"
- name: DevOps
statements:
- resources:
- 'arn:aws:s3:::badhouseplants-net'
- 'arn:aws:s3:::velero'
actions:
- "s3:*"
- resources:
- 'arn:aws:s3:::badhouseplants-net/*'
actions:
- "s3:*"
- name: sharing
statements:
- resources:
- 'arn:aws:s3:::sharing'
actions:
- "s3:*"
- resources:
- 'arn:aws:s3:::sharing/*'
- 'arn:aws:s3:::velero/*'
actions:
- "s3:*"

64
values/etersoft/values.openvpn.yaml
View File

@ -1,35 +1,47 @@
image:
repository: zot.badhouseplants.net/allanger/container-openvpn
# ------------------------------------------
# -- Istio extenstion. Just because I'm
# -- not using ingress nginx
# ------------------------------------------
# istio:
# enabled: true
# istio:
# - name: openvpn-tcp-xor
# gateway: istio-system/badhouseplants-vpn
# kind: tcp
# port_match: 1194
# hostname: "*"
# service: openvpn-xor
# port: 1194
# ------------------------------------------
traefik:
enabled: true
tcpRoutes:
- name: openvpn
service: openvpn
match: HostSNI(`*`)
entrypoint: openvpn
port: 1194
tcproute:
enabled: false
storage:
class: microk8s-hostpath
size: 5Gi
annotations:
volume.kubernetes.io/selected-node: yekaterinburg
size: 128Mi
openvpn:
proto: tcp
host: 91.232.225.63
easyrsa:
cn: Bad Houseplants
country: Germany
province: Hamburg
city: Hamburg
org: Bad Houseplants
email: allanger@badhouseplants.net.com
service:
type: ClusterIP
port: 1194
targetPort: 1194
protocol: TCP
easyrsa:
cn: Bad Houseplants
country: Germany
province: NRW
city: Duesseldorf
org: Bad Houseplants
email: allanger@zohomail.com
istio-resources:
enabled: true
gateways:
- metadata:
name: etersoft-vpn
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- '*'
port:
name: openvpn
number: 1194
protocol: TCP

45
values/etersoft/values.qbittorrent.yaml Normal file
View File

@ -0,0 +1,45 @@
ext-secret:
enabled: true
name: torrent-basic-auth
data:
users: |
allanger:$apr1$kNwkQ0S.$9q29sib/xWEp3NDp.tquw/
middleware:
enabled: true
middlewares:
- name: torrentauth
spec:
basicAuth:
secret: torrent-basic-auth
ingress:
# -- Enable and configure ingress settings for the chart under this key.
# @default -- See [values.yaml](./values.yaml)
main:
ingressClassName: traefik
annotations:
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: ""
cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
traefik.ingress.kubernetes.io/router.middlewares: applications-torrentauth@kubernetescrd
enabled: true
hosts:
- host: tor.e.badhouseplants.net
paths:
- path: /
tls:
- secretName: tor.e.badhouseplants.net
hosts:
- tor.e.badhouseplants.net
persistence:
config:
annotations:
volume.kubernetes.io/selected-node: yekaterinburg
enabled: true
size: 1Gi
downloads:
annotations:
volume.kubernetes.io/selected-node: yekaterinburg
enabled: true
size: 10Gi
accessMode: ReadWriteOnce

78
values/etersoft/values.traefik.yaml
View File

@ -4,87 +4,9 @@ ports:
web:
redirectTo:
port: websecure
ssh:
port: 22
expose:
default: true
exposedPort: 22
protocol: TCP
openvpn:
port: 1194
expose:
default: true
exposedPort: 1194
protocol: TCP
# valve-server:
# port: 27015
# expose:
# default: true
# exposedPort: 27015
# protocol: UDP
# valve-rcon:
# port: 27015
# expose:
# default: true
# exposedPort: 27015
# protocol: TCP
smtp:
port: 25
protocol: TCP
exposedPort: 25
expose:
default: true
smtps:
port: 465
protocol: TCP
exposedPort: 465
expose:
default: true
smtp-startls:
port: 587
protocol: TCP
exposedPort: 587
expose:
default: true
imap:
port: 143
protocol: TCP
exposedPort: 143
expose:
default: true
imaps:
port: 993
protocol: TCP
exposedPort: 993
expose:
default: true
pop3:
port: 110
protocol: TCP
exposedPort: 110
expose:
default: true
pop3s:
port: 995
protocol: TCP
exposedPort: 995
expose:
default: true
minecraft:
port: 25565
protocol: TCP
exposedPort: 25565
expose:
default: true
shadowsocks:
port: 8388
protocol: TCP
exposedPort: 8388
expose:
default: true
shadowsocks-udp:
port: 8389
protocol: UDP
exposedPort: 8389
expose:
default: true