Compare commits
1 Commits
| Author | SHA1 | Date |
|---|---|---|
| | fea2177391 | |
@@ -1,273 +0,0 @@
|
|||||||
---
|
|
||||||
description: Pull master, read open issues, pick one, branch, implement, test, commit, PR, and comment.
|
|
||||||
---
|
|
||||||
|
|
||||||
# Solve a Gitea Issue
|
|
||||||
|
|
||||||
## Current repo state
|
|
||||||
|
|
||||||
```!
|
|
||||||
git status --short
|
|
||||||
echo "Current branch: $(git branch --show-current)"
|
|
||||||
echo "Remote: $(git remote get-url origin 2>/dev/null || echo 'none')"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Open issues (with full body)
|
|
||||||
|
|
||||||
```!
|
|
||||||
echo "Fetching open issues..."
|
|
||||||
issue_ids=$(tea issues list --output simple 2>/dev/null | awk 'NF && $1 ~ /^[0-9]+$/ {print $1}')
|
|
||||||
if [ -z "$issue_ids" ]; then
|
|
||||||
echo "No open issues found (or tea is not logged in)."
|
|
||||||
else
|
|
||||||
for id in $issue_ids; do
|
|
||||||
echo ""
|
|
||||||
echo "══════════════════════════════════════"
|
|
||||||
tea issues view "$id" --fields index,title,body 2>/dev/null \
|
|
||||||
|| tea issue "$id" 2>/dev/null \
|
|
||||||
|| echo " (could not read issue #$id)"
|
|
||||||
echo "══════════════════════════════════════"
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
```
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Your task
|
|
||||||
|
|
||||||
Follow these steps **in order**. Do not skip steps.
|
|
||||||
|
|
||||||
### 1 — Choose an issue
|
|
||||||
|
|
||||||
Present the issues above to the user as a numbered list (index, one-line title). Ask which one to work on. Wait for the answer before continuing.
|
|
||||||
|
|
||||||
### 2 — Sync master
|
|
||||||
|
|
||||||
```bash
|
|
||||||
git checkout master
|
|
||||||
git pull
|
|
||||||
```
|
|
||||||
|
|
||||||
Confirm you are on master and up to date.
|
|
||||||
|
|
||||||
### 3 — Create a branch
|
|
||||||
|
|
||||||
Name the branch `benvin/issue-<N>-<short-slug>` where `<short-slug>` is 2–4 kebab-case words from the issue title.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
git checkout -b benvin/issue-<N>-<slug>
|
|
||||||
```
|
|
||||||
|
|
||||||
### 4 — Read the issue in full
|
|
||||||
|
|
||||||
Re-read the full issue body shown above. If any part is ambiguous, state your interpretation before coding.
|
|
||||||
|
|
||||||
**If you discover other problems while working:** do NOT solve them inline. Create a new Gitea issue with `tea issues create --title "..." --description "..."` and stay focused on the assigned issue.
|
|
||||||
|
|
||||||
### 5 — Implement the solution
|
|
||||||
|
|
||||||
Make the code changes needed to resolve the issue. Follow the conventions already in the repo:
|
|
||||||
- `main.py` route handlers each contain a single function call; logic lives in submodules.
|
|
||||||
- No comments unless the WHY is non-obvious.
|
|
||||||
- No new files unless the issue or architecture requires it.
|
|
||||||
- Security: no command injection, XSS, SQL injection, or secrets in code.
|
|
||||||
- **For performance improvements:** implement at the most generic call site possible so the fix applies to all current and future implementations, not just the one being tested.
|
|
||||||
|
|
||||||
### 6 — Update tests
|
|
||||||
|
|
||||||
Add or update tests that cover the new behaviour. Tests live in `tests/`. Check existing test structure before writing new ones — mirror the style and fixture patterns already in use.
|
|
||||||
|
|
||||||
### 7 — Update README
|
|
||||||
|
|
||||||
If the feature introduces new config keys, endpoints, or user-facing behaviour, document it in `README.md`. Keep additions concise — follow the existing section style.
|
|
||||||
|
|
||||||
### 8 — Run the full test suite
|
|
||||||
|
|
||||||
```bash
|
|
||||||
make test
|
|
||||||
```
|
|
||||||
|
|
||||||
All tests must pass. If any fail, fix them before proceeding. Do not skip or suppress failing tests.
|
|
||||||
|
|
||||||
### 9 — Live Docker test (new package type only)
|
|
||||||
|
|
||||||
**Skip this step if the issue does not add a new remote package type.**
|
|
||||||
|
|
||||||
If the issue adds a new package type (e.g. `deb`, `conda`, `cargo`, `rubygems`, or any type not already in `remotes.yaml`), do the following before committing.
|
|
||||||
|
|
||||||
#### 9a — Add a real test remote to remotes.yaml
|
|
||||||
|
|
||||||
Append a valid, publicly accessible remote of the new type to `remotes.yaml`. Use a real upstream URL and patterns that cover both an immutable file (versioned artifact) and a mutable file (index/metadata). Add a comment explaining which URLs to use for manual testing.
|
|
||||||
|
|
||||||
#### 9b — Start the stack
|
|
||||||
|
|
||||||
```bash
|
|
||||||
make docker-up
|
|
||||||
```
|
|
||||||
|
|
||||||
Wait until `curl -s http://localhost:8000/health` returns `{"status":"healthy"}`.
|
|
||||||
|
|
||||||
#### 9c — Test a mutable file (first fetch — cache miss)
|
|
||||||
|
|
||||||
Download the index or metadata file for the new remote. Confirm:
|
|
||||||
- HTTP 200
|
|
||||||
- `X-Artifact-Source: remote` header (or equivalent log line confirming a cache miss)
|
|
||||||
- Content looks correct (not empty, not an error page)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
curl -sv "http://localhost:8000/api/v1/remote/<new-remote>/<mutable-path>" 2>&1 | grep -E "< HTTP|X-Artifact"
|
|
||||||
```
|
|
||||||
|
|
||||||
#### 9d — Test a mutable file (second fetch — cache hit)
|
|
||||||
|
|
||||||
Repeat the exact same request. Confirm:
|
|
||||||
- HTTP 200
|
|
||||||
- `X-Artifact-Source: cache`
|
|
||||||
|
|
||||||
```bash
|
|
||||||
curl -sv "http://localhost:8000/api/v1/remote/<new-remote>/<mutable-path>" 2>&1 | grep -E "< HTTP|X-Artifact"
|
|
||||||
```
|
|
||||||
|
|
||||||
#### 9e — Test an immutable file (first fetch — cache miss)
|
|
||||||
|
|
||||||
Download a versioned/immutable artifact. Confirm HTTP 200 and a cache-miss log line.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
curl -sv "http://localhost:8000/api/v1/remote/<new-remote>/<immutable-path>" 2>&1 | grep -E "< HTTP|X-Artifact"
|
|
||||||
```
|
|
||||||
|
|
||||||
#### 9f — Test an immutable file (second fetch — cache hit)
|
|
||||||
|
|
||||||
Repeat. Confirm `X-Artifact-Source: cache`.
|
|
||||||
|
|
||||||
#### 9g — Check container logs
|
|
||||||
|
|
||||||
```bash
|
|
||||||
make docker-logs
|
|
||||||
```
|
|
||||||
|
|
||||||
Scan for:
|
|
||||||
- `Cache MISS` on first fetches, `Cache HIT` on second fetches
|
|
||||||
- `Cache ADD SUCCESS` with correct sizes
|
|
||||||
- No unhandled exceptions or ERROR lines
|
|
||||||
|
|
||||||
#### 9h — Exercise package-type tooling against the proxy
|
|
||||||
|
|
||||||
Use the native tooling for this package type to verify end-to-end behaviour. Examples:
|
|
||||||
|
|
||||||
| Package type | Command |
|
|
||||||
|---|---|
|
|
||||||
| `pypi` | `uv run --index-url http://localhost:8000/api/v1/remote/<remote>/simple <tool>` |
|
|
||||||
| `npm` | `npm install --registry http://localhost:8000/api/v1/remote/<remote>/ <pkg>` |
|
|
||||||
| `helm` | `helm repo add test http://localhost:8000/api/v1/remote/<remote> && helm search repo test && helm template test/<chart>` |
|
|
||||||
| `alpine` | `apk fetch --repository http://localhost:8000/api/v1/remote/<remote>/<branch>/<arch> <pkg>` |
|
|
||||||
| `rpm` | `dnf install --repofrompath ... <pkg>` or `repoquery` |
|
|
||||||
| `generic` | `curl` / `wget` as appropriate |
|
|
||||||
|
|
||||||
Confirm the tool resolves and downloads correctly through the proxy.
|
|
||||||
|
|
||||||
#### 9i — Tear down
|
|
||||||
|
|
||||||
```bash
|
|
||||||
make docker-down
|
|
||||||
```
|
|
||||||
|
|
||||||
Fix any failures found during 9b–9h before moving on.
|
|
||||||
|
|
||||||
### 9.5 — Performance issues: measure before/after and gate the PR
|
|
||||||
|
|
||||||
**Skip this step if the issue is not a performance improvement.**
|
|
||||||
|
|
||||||
For performance issues, a PR is only warranted if there is a measurable gain. Use the Docker stack to compare before and after.
|
|
||||||
|
|
||||||
#### 9.5a — Baseline measurement (before)
|
|
||||||
|
|
||||||
Start the stack with the **unmodified** code (temporarily revert your change):
|
|
||||||
|
|
||||||
```bash
|
|
||||||
make docker-up
|
|
||||||
```
|
|
||||||
|
|
||||||
Warm or clear the cache as appropriate, then measure the relevant metric — e.g. concurrent request latency during a slow operation, response time for a specific endpoint, or throughput. Record the numbers.
|
|
||||||
|
|
||||||
#### 9.5b — Apply your change and rebuild
|
|
||||||
|
|
||||||
```bash
|
|
||||||
make docker-up # rebuilds the image
|
|
||||||
```
|
|
||||||
|
|
||||||
Repeat exactly the same measurement. Record the numbers.
|
|
||||||
|
|
||||||
#### 9.5c — Decide
|
|
||||||
|
|
||||||
If the improvement is not clearly measurable, **do not open a PR**. Instead:
|
|
||||||
1. Update the issue with your findings.
|
|
||||||
2. Note any conditions under which the improvement would be observable.
|
|
||||||
3. Skip steps 11–14.
|
|
||||||
|
|
||||||
If the improvement is clear, proceed with the commit and PR. Include the before/after numbers in the PR description and the issue comment.
|
|
||||||
|
|
||||||
#### 9.5d — Tear down
|
|
||||||
|
|
||||||
```bash
|
|
||||||
make docker-down
|
|
||||||
```
|
|
||||||
|
|
||||||
### 10 — Build the wheel (smoke check)
|
|
||||||
|
|
||||||
```bash
|
|
||||||
uv build --wheel
|
|
||||||
```
|
|
||||||
|
|
||||||
Confirm the build succeeds.
|
|
||||||
|
|
||||||
### 11 — Stage and commit
|
|
||||||
|
|
||||||
Stage only the files you changed. Do not use `git add -A` or `git add .` — list files explicitly. Run:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
git add <file1> <file2> ...
|
|
||||||
git commit
|
|
||||||
```
|
|
||||||
|
|
||||||
The commit message must:
|
|
||||||
- Start with a conventional-commit prefix (`feat:`, `fix:`, `refactor:`, `chore:`, etc.)
|
|
||||||
- Summarise the change in ≤ 72 characters on the first line
|
|
||||||
- Optionally include a short body explaining *why* (not *what*)
|
|
||||||
|
|
||||||
If the pre-commit hook auto-fixes files, re-stage the fixed files and commit again.
|
|
||||||
|
|
||||||
### 12 — Push the branch
|
|
||||||
|
|
||||||
```bash
|
|
||||||
git push origin <branch-name>
|
|
||||||
```
|
|
||||||
|
|
||||||
### 13 — Open a pull request
|
|
||||||
|
|
||||||
```bash
|
|
||||||
tea pulls create \
|
|
||||||
--base master \
|
|
||||||
--head <branch-name> \
|
|
||||||
--title "<same as commit subject>" \
|
|
||||||
--description "Closes #<N>\n\n## Summary\n<bullet points>\n\n## Test plan\n<what was verified>"
|
|
||||||
```
|
|
||||||
|
|
||||||
### 14 — Comment on the issue
|
|
||||||
|
|
||||||
```bash
|
|
||||||
tea comment <N> "<resolution comment>"
|
|
||||||
```
|
|
||||||
|
|
||||||
The comment must cover:
|
|
||||||
- **How it was resolved** — what changed and why
|
|
||||||
- **Issues encountered** — any non-obvious problems hit during implementation
|
|
||||||
- **Potential future improvements** — what could be done next
|
|
||||||
|
|
||||||
### 15 — Return to master
|
|
||||||
|
|
||||||
```bash
|
|
||||||
git checkout master
|
|
||||||
```
|
|
||||||
|
|
||||||
Report the PR URL and a one-sentence summary to the user.
|
|
||||||
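Review bot: this hunk deletes the entire "Solve a Gitea Issue" workflow file (273 lines) and nothing else in this compare shows where its content goes, so the repo loses its only written gates: explicit file staging instead of `git add -A` (step 11), the `make test` must-pass rule (step 8), the security checklist in step 5 (no command injection, XSS, SQL injection or secrets in code) and the before/after measurement gate for performance PRs (step 9.5). If the workflow moved to another path, name it in the commit message; if it is being dropped on purpose, say so, because none of the pre-commit or CI hunks that follow enforce those rules in its place.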
@@ -7,7 +7,6 @@ repos:
|
|||||||
- id: check-json
|
- id: check-json
|
||||||
- id: check-added-large-files
|
- id: check-added-large-files
|
||||||
args: ['--maxkb=500']
|
args: ['--maxkb=500']
|
||||||
exclude: '^schemas/'
|
|
||||||
- id: check-merge-conflict
|
- id: check-merge-conflict
|
||||||
- id: check-shebang-scripts-are-executable
|
- id: check-shebang-scripts-are-executable
|
||||||
- id: check-symlinks
|
- id: check-symlinks
|
||||||
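Review bot: dropping `exclude: '^schemas/'` from `check-added-large-files` (the only removed line in this hunk) puts generated JSON schemas back under the `--maxkb=500` limit. That is consistent with the Makefile hunk that removes the `schemas` target, but if any files are still committed under `schemas/`, `uvx pre-commit run --all-files` in CI will start failing on them; either remove the directory in the same change or keep the exclude until it is gone.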
@@ -20,7 +19,6 @@ repos:
|
|||||||
- id: end-of-file-fixer
|
- id: end-of-file-fixer
|
||||||
- id: forbid-new-submodules
|
- id: forbid-new-submodules
|
||||||
- id: pretty-format-json
|
- id: pretty-format-json
|
||||||
args: ['--autofix']
|
|
||||||
- id: trailing-whitespace
|
- id: trailing-whitespace
|
||||||
|
|
||||||
# YAML linting
|
# YAML linting
|
||||||
|
|||||||
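Review bot: removing `args: ['--autofix']` from `pretty-format-json` turns the hook from a fixer into a pure check, so a mis-formatted JSON file now fails CI instead of being rewritten in place. That is the better behaviour for a hook that also runs in a CI checkout (a rewrite there fixes nothing), but the git workflow in the deleted AGENTS.md ("If pre-commit modifies files, `git add -u` then `git commit --amend --no-edit`") was written around the autofix behaviour, so contributors need to be told to format JSON locally before committing.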
@@ -3,7 +3,7 @@ when:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: kubeconform
|
- name: kubeconform
|
||||||
image: git.unkin.net/unkin/almalinux9-kubetest:20260606
|
image: git.unkin.net/unkin/almalinux9-kubetest:20260319
|
||||||
commands:
|
commands:
|
||||||
- make kubeconform
|
- make kubeconform
|
||||||
backend_options:
|
backend_options:
|
||||||
|
|||||||
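Review bot: the only change in this hunk moves the `kubeconform` step from `almalinux9-kubetest:20260606` to `20260319`, an older date tag. Together with the same downgrade in the pre-commit pipeline and the `artifactapi:v3.7.3` to `v2.7.1` swap further down, this compare reads either as a rollback or as base and head being reversed; if it is a deliberate revert, state that in the commit message. In either case the image is pinned only by a mutable tag; pinning by digest (`image: git.unkin.net/unkin/almalinux9-kubetest@sha256:<digest>`) would make the CI environment reproducible regardless of what is later pushed to that tag.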
@@ -3,7 +3,7 @@ when:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: pre-commit
|
- name: pre-commit
|
||||||
image: git.unkin.net/unkin/almalinux9-base:20260606
|
image: git.unkin.net/unkin/almalinux9-base:20260308
|
||||||
commands:
|
commands:
|
||||||
- uvx pre-commit run --all-files
|
- uvx pre-commit run --all-files
|
||||||
backend_options:
|
backend_options:
|
||||||
|
|||||||
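Review bot: same downgrade as in the kubeconform pipeline, `almalinux9-base:20260606` to the older `20260308`, for the step that runs `uvx pre-commit run --all-files`. Confirm the two pipelines are meant to move together and backwards, and apply the same digest-pinning consideration here, since this image is what resolves and executes the pre-commit hooks on every PR.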
@@ -1,261 +0,0 @@
|
|||||||
# AGENTS.md
|
|
||||||
|
|
||||||
## Project Overview
|
|
||||||
|
|
||||||
This is an **ArgoCD GitOps repository** that manages Kubernetes applications for the `au-syd1` cluster using a Kustomize + Helm pattern. Applications are deployed via ArgoCD ApplicationSets that watch directory patterns in this repo.
|
|
||||||
|
|
||||||
The migration pattern for this repo is: **Terragrunt/Terraform → ArgoCD** (see `migration.md` for full guide).
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Essential Commands
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# Build and render manifests for a path (outputs to manifests/<path>/)
|
|
||||||
make build apps/overlays/au-syd1/<app-name>
|
|
||||||
make build clusters/au-syd1/bootstrap
|
|
||||||
|
|
||||||
# Validate all apps and clusters with kubeconform
|
|
||||||
make kubeconform
|
|
||||||
|
|
||||||
# Clean generated manifests
|
|
||||||
make clean
|
|
||||||
|
|
||||||
# Quick build + inspect without persisting output
|
|
||||||
kustomize build --enable-helm apps/overlays/au-syd1/<app-name>
|
|
||||||
|
|
||||||
# Check all resource kinds produced by an overlay
|
|
||||||
kustomize build --enable-helm apps/overlays/au-syd1/<app-name> | grep "^kind:" | sort | uniq -c
|
|
||||||
|
|
||||||
# Run pre-commit checks against all files
|
|
||||||
uvx pre-commit run --all-files
|
|
||||||
```
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Directory Structure
|
|
||||||
|
|
||||||
```
|
|
||||||
argocd-apps/
|
|
||||||
├── argocd/
|
|
||||||
│ ├── applicationsets/ # ArgoCD ApplicationSet definitions (platform.yaml, storage.yaml)
|
|
||||||
│ └── projects/ # ArgoCD AppProject definitions (platform.yaml, storage.yaml)
|
|
||||||
├── apps/
|
|
||||||
│ ├── base/ # Base Kustomize resources per app (no cluster-specific config)
|
|
||||||
│ │ └── <app-name>/
|
|
||||||
│ │ ├── kustomization.yaml
|
|
||||||
│ │ ├── namespace.yaml
|
|
||||||
│ │ ├── vaultauth.yaml # (if Vault-managed secrets)
|
|
||||||
│ │ └── vaultstaticsecret.yaml
|
|
||||||
│ └── overlays/
|
|
||||||
│ └── au-syd1/ # Cluster-specific overlays
|
|
||||||
│ └── <app-name>/
|
|
||||||
│ ├── kustomization.yaml # references base + helmCharts
|
|
||||||
│ └── values.yaml # Helm values for this cluster
|
|
||||||
├── clusters/
|
|
||||||
│ └── au-syd1/
|
|
||||||
│ ├── apps/ # Entry point: references apps/base (ArgoCD app-of-apps)
|
|
||||||
│ └── bootstrap/ # ArgoCD install + initial Application manifest
|
|
||||||
├── ci/
|
|
||||||
│ ├── validate-apps.sh # kubeconform over apps/overlays/*/kustomization.yaml
|
|
||||||
│ ├── validate-clusters.sh # kubeconform over clusters/*/kustomization.yaml
|
|
||||||
│ └── validate-no-secrets.sh # pre-commit hook: blocks plain Kubernetes Secrets
|
|
||||||
└── sources/ # Reference sources (Terraform configs, upstream charts, etc.)
|
|
||||||
└── terraform-k8s/ # Original Terraform configs — reference when migrating
|
|
||||||
```
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Adding a New Application
|
|
||||||
|
|
||||||
Follow these 10 steps (detailed in `migration.md`):
|
|
||||||
|
|
||||||
### 1. Create base resources
|
|
||||||
```
|
|
||||||
apps/base/<app-name>/
|
|
||||||
├── kustomization.yaml
|
|
||||||
├── namespace.yaml
|
|
||||||
├── vaultauth.yaml # if needed
|
|
||||||
└── vaultstaticsecret.yaml # if needed
|
|
||||||
```
|
|
||||||
|
|
||||||
### 2. Create cluster overlay
|
|
||||||
```
|
|
||||||
apps/overlays/au-syd1/<app-name>/
|
|
||||||
├── kustomization.yaml
|
|
||||||
└── values.yaml
|
|
||||||
```
|
|
||||||
|
|
||||||
**Overlay kustomization.yaml pattern:**
|
|
||||||
```yaml
|
|
||||||
---
|
|
||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- ../../../base/<app-name>
|
|
||||||
|
|
||||||
helmCharts:
|
|
||||||
- name: <chart-name>
|
|
||||||
repo: <helm-repo-url>
|
|
||||||
version: "<version>"
|
|
||||||
releaseName: <release-name>
|
|
||||||
namespace: <namespace>
|
|
||||||
valuesFile: values.yaml
|
|
||||||
```
|
|
||||||
|
|
||||||
### 3. Register in ApplicationSet
|
|
||||||
Add a directory entry to `argocd/applicationsets/platform.yaml` (or `storage.yaml` for `csi-*` apps):
|
|
||||||
```yaml
|
|
||||||
- path: apps/overlays/*/<app-name>
|
|
||||||
```
|
|
||||||
|
|
||||||
### 4. Update AppProject
|
|
||||||
In `argocd/projects/platform.yaml` (or `storage.yaml`):
|
|
||||||
- Add the Helm repo URL to `sourceRepos`
|
|
||||||
- Add the namespace to `destinations`
|
|
||||||
- Add any required cluster-scoped resource types to `clusterResourceWhitelist`
|
|
||||||
|
|
||||||
### 5. Validate
|
|
||||||
```bash
|
|
||||||
kustomize build --enable-helm apps/overlays/au-syd1/<app-name>
|
|
||||||
make kubeconform
|
|
||||||
```
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Secret Management
|
|
||||||
|
|
||||||
**Plain Kubernetes `Secret` objects are blocked** by the pre-commit hook. Use Vault Operator CRDs instead:
|
|
||||||
|
|
||||||
### VaultAuth template
|
|
||||||
```yaml
|
|
||||||
apiVersion: secrets.hashicorp.com/v1beta1
|
|
||||||
kind: VaultAuth
|
|
||||||
metadata:
|
|
||||||
name: default
|
|
||||||
namespace: <namespace>
|
|
||||||
spec:
|
|
||||||
method: kubernetes
|
|
||||||
mount: k8s/au/syd1
|
|
||||||
vaultConnectionRef: vso-system/default
|
|
||||||
allowedNamespaces:
|
|
||||||
- <namespace>
|
|
||||||
kubernetes:
|
|
||||||
role: <role>
|
|
||||||
serviceAccount: <service-account>
|
|
||||||
audiences:
|
|
||||||
- vault
|
|
||||||
tokenExpirationSeconds: 600
|
|
||||||
```
|
|
||||||
|
|
||||||
### VaultStaticSecret template
|
|
||||||
```yaml
|
|
||||||
apiVersion: secrets.hashicorp.com/v1beta1
|
|
||||||
kind: VaultStaticSecret
|
|
||||||
metadata:
|
|
||||||
name: <secret-name>
|
|
||||||
namespace: <namespace>
|
|
||||||
spec:
|
|
||||||
vaultAuthRef: default
|
|
||||||
mount: kv
|
|
||||||
type: kv-v2
|
|
||||||
path: kubernetes/namespace/<namespace>/default/<secret-name>
|
|
||||||
refreshAfter: 5m
|
|
||||||
destination:
|
|
||||||
name: <k8s-secret-name>
|
|
||||||
create: true
|
|
||||||
overwrite: true
|
|
||||||
hmacSecretData: true
|
|
||||||
```
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## YAML Conventions
|
|
||||||
|
|
||||||
- **2-space indentation** (enforced by yamllint)
|
|
||||||
- All files must end with a newline (`end-of-file-fixer`)
|
|
||||||
- No trailing whitespace
|
|
||||||
- YAML linting uses relaxed rules with `line-length: disable` (long base64/URLs are fine)
|
|
||||||
- yamllint ignores `chart` directories (vendored Helm charts)
|
|
||||||
- `---` document separator at top of every YAML file
|
|
||||||
- Multiple documents in one file are allowed (e.g., `vaultstaticsecret.yaml` often contains multiple secrets)
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Kubernetes Labels Pattern
|
|
||||||
|
|
||||||
Use standard `app.kubernetes.io/*` labels consistently:
|
|
||||||
```yaml
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/component: <component>
|
|
||||||
app.kubernetes.io/instance: <release-name>
|
|
||||||
app.kubernetes.io/name: <app-name>
|
|
||||||
app.kubernetes.io/version: <version>
|
|
||||||
```
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Resource Naming Conventions
|
|
||||||
|
|
||||||
Files in `apps/base/<app-name>/` follow the pattern:
|
|
||||||
```
|
|
||||||
<kind>_<name>.yaml
|
|
||||||
```
|
|
||||||
Examples:
|
|
||||||
- `deployment_puppetserver-master.yaml`
|
|
||||||
- `cronjob_g10k-code.yaml`
|
|
||||||
- `configmap_puppetboard-config.yaml`
|
|
||||||
- `horizontalpodautoscaler_puppetserver-compilers-autoscaler.yaml`
|
|
||||||
- `service_puppet-headless.yaml`
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Helm Chart Vendoring
|
|
||||||
|
|
||||||
Some overlays vendor Helm charts locally under `apps/overlays/au-syd1/<app-name>/charts/<chart-name>/`. When a chart is vendored, the overlay's `kustomization.yaml` references the local path. When not vendored, it references the OCI or HTTP repo directly.
|
|
||||||
|
|
||||||
Current Kubernetes target version: **1.33.7** (used by kubeconform in CI).
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Project Boundaries
|
|
||||||
|
|
||||||
| Project | ApplicationSet | App pattern |
|
|
||||||
|------------|---------------------------|--------------------------|
|
|
||||||
| `platform` | `argocd/applicationsets/platform.yaml` | Named apps (cert-manager, puppet, woodpecker, etc.) |
|
|
||||||
| `storage` | `argocd/applicationsets/storage.yaml` | `csi-*` apps |
|
|
||||||
|
|
||||||
The `clusters/au-syd1/apps/` entry-point is deployed as a standalone ArgoCD `Application` (not an ApplicationSet) called `au-syd1-apps`.
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## CI / Pre-commit Hooks
|
|
||||||
|
|
||||||
Runs on every PR via Woodpecker CI (`.woodpecker/`):
|
|
||||||
|
|
||||||
| Check | Tool | Trigger |
|
|
||||||
|---|---|---|
|
|
||||||
| YAML lint + general file checks | `pre-commit` (yamllint + pre-commit-hooks) | PR |
|
|
||||||
| No plain Secrets | `ci/validate-no-secrets.sh` | PR (staged files) |
|
|
||||||
| Kubernetes manifest validation | `kubeconform` via `make kubeconform` | PR |
|
|
||||||
|
|
||||||
kubeconform skips: `CustomResourceDefinition`, `GpuDevicePlugin` (for apps validation).
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Git Workflow
|
|
||||||
|
|
||||||
- Branch naming: `benvin/<app-name>` (user prefix)
|
|
||||||
- **Never `git add .`** — add only relevant files explicitly
|
|
||||||
- If pre-commit modifies files, `git add -u` then `git commit --amend --no-edit`
|
|
||||||
- Use `git push --force-with-lease` after amending
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## Security Policies
|
|
||||||
|
|
||||||
- `reloader.stakater.com/auto: "true"` annotation triggers rolling restarts on ConfigMap/Secret changes
|
|
||||||
- Security contexts follow least-privilege: `drop: [all]` then add only required capabilities
|
|
||||||
- `fsGroup: 999` on pod security context for Puppet workloads
|
|
||||||
- `runAsUser: 0` is used only for init containers that need to set file permissions, then regular containers run as non-root
|
|
||||||
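Review bot: this hunk deletes AGENTS.md wholesale, and with it the only documented security policy for the repo: least-privilege security contexts (`drop: [all]` then add only what is needed), `runAsUser: 0` restricted to init containers, the plain `Secret` block enforced by `ci/validate-no-secrets.sh`, and the VaultAuth/VaultStaticSecret templates that replace plain Secrets. No other hunk in this compare carries that text; if it is being consolidated into `migration.md` or the README, point to it in the commit message, otherwise the secrets hook keeps running with nothing explaining what contributors are expected to do instead.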
@@ -1,4 +1,4 @@
|
|||||||
.PHONY: build clean schemas
|
.PHONY: build clean
|
||||||
|
|
||||||
# Build a kustomization path to manifests directory
|
# Build a kustomization path to manifests directory
|
||||||
# Usage: make build clusters/au-syd1/bootstrap
|
# Usage: make build clusters/au-syd1/bootstrap
|
||||||
@@ -6,10 +6,6 @@ build:
|
|||||||
@mkdir -p manifests/$(filter-out $@,$(MAKECMDGOALS))
|
@mkdir -p manifests/$(filter-out $@,$(MAKECMDGOALS))
|
||||||
@kustomize build --enable-helm $(filter-out $@,$(MAKECMDGOALS)) --output manifests/$(filter-out $@,$(MAKECMDGOALS))
|
@kustomize build --enable-helm $(filter-out $@,$(MAKECMDGOALS)) --output manifests/$(filter-out $@,$(MAKECMDGOALS))
|
||||||
|
|
||||||
# Generate JSON schemas from CRDs and Kubernetes swagger spec (run manually, results committed)
|
|
||||||
schemas:
|
|
||||||
@ci/generate-schemas.sh schemas
|
|
||||||
|
|
||||||
# kubeconform
|
# kubeconform
|
||||||
kubeconform:
|
kubeconform:
|
||||||
@ci/validate-apps.sh && \
|
@ci/validate-apps.sh && \
|
||||||
|
|||||||
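Review bot: removing the `schemas` target (and its `ci/generate-schemas.sh schemas` call) from the Makefile leaves no in-repo way to regenerate the CRD and swagger schemas that, per the deleted comment, were generated manually and committed. Check that `ci/validate-apps.sh` and `ci/validate-clusters.sh` do not still point kubeconform's `-schema-location` at `schemas/`; if they do, CRD-backed kinds used in this repo (VaultAuth, VaultStaticSecret, Gateway, HTTPRoute) will fail validation once the directory is gone, and if they are instead skipped, CI silently stops checking them. The `.PHONY` edit in the previous hunk is consistent with this removal.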
@@ -1,45 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: age-api
|
|
||||||
namespace: age-api
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: age-api
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
reloader.stakater.com/auto: "true"
|
|
||||||
labels:
|
|
||||||
app: age-api
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: age-api
|
|
||||||
image: git.unkin.net/unkin/age-api:v0.1.0
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
ports:
|
|
||||||
- containerPort: 8080
|
|
||||||
name: http
|
|
||||||
protocol: TCP
|
|
||||||
env:
|
|
||||||
- name: CONFIG_PATH
|
|
||||||
value: /etc/age-api/config.yaml
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 64Mi
|
|
||||||
requests:
|
|
||||||
cpu: 10m
|
|
||||||
memory: 32Mi
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /etc/age-api/config.yaml
|
|
||||||
name: config
|
|
||||||
subPath: config.yaml
|
|
||||||
restartPolicy: Always
|
|
||||||
volumes:
|
|
||||||
- name: config
|
|
||||||
configMap:
|
|
||||||
name: age-api-config
|
|
||||||
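Review bot: the age-api Deployment is removed here along with its Gateway, HTTPRoutes, kustomization, Namespace, config and Service in the hunks that follow; make sure the ApplicationSet directory entry and the AppProject `destinations` entry for the `age-api` namespace are removed in the same change, otherwise ArgoCD keeps an Application pointing at a deleted path. Worth recording for whenever the app returns: this Deployment (`age-api:v0.1.0`) had no `securityContext` at all, contrary to the least-privilege policy in AGENTS.md, and mounted its configuration from a committed ConfigMap.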
@@ -1,37 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: Gateway
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
traefik.io/instance: internal
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/cluster-issuer: vault-issuer
|
|
||||||
cert-manager.io/common-name: age-api.k8s.syd1.au.unkin.net
|
|
||||||
cert-manager.io/private-key-size: "4096"
|
|
||||||
external-dns.alpha.kubernetes.io/hostname: age-api.k8s.syd1.au.unkin.net
|
|
||||||
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
|
||||||
name: age-api
|
|
||||||
namespace: age-api
|
|
||||||
spec:
|
|
||||||
gatewayClassName: traefik-internal
|
|
||||||
listeners:
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: age-api.k8s.syd1.au.unkin.net
|
|
||||||
name: http
|
|
||||||
port: 80
|
|
||||||
protocol: HTTP
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: age-api.k8s.syd1.au.unkin.net
|
|
||||||
name: https
|
|
||||||
port: 443
|
|
||||||
protocol: HTTPS
|
|
||||||
tls:
|
|
||||||
certificateRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Secret
|
|
||||||
name: age-api-tls
|
|
||||||
mode: Terminate
|
|
||||||
@@ -1,49 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: age-api-http-redirect
|
|
||||||
namespace: age-api
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- age-api.k8s.syd1.au.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: age-api
|
|
||||||
sectionName: http
|
|
||||||
rules:
|
|
||||||
- filters:
|
|
||||||
- type: RequestRedirect
|
|
||||||
requestRedirect:
|
|
||||||
scheme: https
|
|
||||||
statusCode: 301
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: age-api
|
|
||||||
namespace: age-api
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- age-api.k8s.syd1.au.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: age-api
|
|
||||||
sectionName: https
|
|
||||||
rules:
|
|
||||||
- backendRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Service
|
|
||||||
name: age-api
|
|
||||||
port: 80
|
|
||||||
weight: 1
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
@@ -1,17 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- deployment.yaml
|
|
||||||
- gateway.yaml
|
|
||||||
- httproute.yaml
|
|
||||||
- namespace.yaml
|
|
||||||
- service.yaml
|
|
||||||
|
|
||||||
configMapGenerator:
|
|
||||||
- name: age-api-config
|
|
||||||
files:
|
|
||||||
- config.yaml=resources/config.yaml
|
|
||||||
options:
|
|
||||||
disableNameSuffixHash: true
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Namespace
|
|
||||||
metadata:
|
|
||||||
name: age-api
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
people:
|
|
||||||
- name: jaidi
|
|
||||||
birthtime: 1773135720
|
|
||||||
- name: ben
|
|
||||||
birthtime: 559663200
|
|
||||||
- name: sudaporn
|
|
||||||
birthtime: 686757600
|
|
||||||
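Review bot: this `people:` file carries personal data (names with birth timestamps) and deleting it is the right direction, but a delete commit does not remove it from history: the values stay reachable from every earlier commit and from any clone or mirror. If the goal is to stop publishing them, the history has to be rewritten and mirrors re-pushed, and if age-api ever needs this data again it should be supplied through a Secret or a Vault-managed source rather than the committed ConfigMap the deleted kustomization generated from `resources/config.yaml`.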
@@ -1,17 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: age-api
|
|
||||||
namespace: age-api
|
|
||||||
spec:
|
|
||||||
internalTrafficPolicy: Cluster
|
|
||||||
ports:
|
|
||||||
- name: http
|
|
||||||
port: 80
|
|
||||||
protocol: TCP
|
|
||||||
targetPort: http
|
|
||||||
selector:
|
|
||||||
app: age-api
|
|
||||||
sessionAffinity: None
|
|
||||||
type: ClusterIP
|
|
||||||
@@ -1,110 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: api
|
|
||||||
namespace: artifactapi
|
|
||||||
annotations:
|
|
||||||
reloader.stakater.com/auto: "true"
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: api
|
|
||||||
strategy:
|
|
||||||
rollingUpdate:
|
|
||||||
maxUnavailable: 1
|
|
||||||
type: RollingUpdate
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: api
|
|
||||||
spec:
|
|
||||||
automountServiceAccountToken: true
|
|
||||||
initContainers:
|
|
||||||
- name: combine-certs
|
|
||||||
image: alpine:3
|
|
||||||
command:
|
|
||||||
- sh
|
|
||||||
- -c
|
|
||||||
- cat /etc/ssl/certs/ca-certificates.crt /custom-ca/ca.crt > /combined-certs/ca-certificates.crt
|
|
||||||
volumeMounts:
|
|
||||||
- name: vault-ca-cert
|
|
||||||
mountPath: /custom-ca
|
|
||||||
readOnly: true
|
|
||||||
- name: combined-certs
|
|
||||||
mountPath: /combined-certs
|
|
||||||
containers:
|
|
||||||
- name: api
|
|
||||||
image: git.unkin.net/unkin/artifactapi:v3.7.3
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
ports:
|
|
||||||
- containerPort: 8000
|
|
||||||
name: http
|
|
||||||
protocol: TCP
|
|
||||||
envFrom:
|
|
||||||
- configMapRef:
|
|
||||||
name: api-env
|
|
||||||
optional: false
|
|
||||||
- secretRef:
|
|
||||||
name: environment
|
|
||||||
optional: false
|
|
||||||
env:
|
|
||||||
# Terraform provider registry signing. The secret is mounted
|
|
||||||
# optional, so the pod runs before it exists; artifactapi keeps the
|
|
||||||
# registry disabled until a readable key is present.
|
|
||||||
- name: TF_SIGNING_KEY_PATH
|
|
||||||
value: /etc/artifactapi/tf-signing/private-key.asc
|
|
||||||
- name: TF_SIGNING_KEY_PASSPHRASE
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: artifactapi-tf-signing
|
|
||||||
key: passphrase
|
|
||||||
optional: true
|
|
||||||
volumeMounts:
|
|
||||||
- name: combined-certs
|
|
||||||
mountPath: /etc/ssl/combined
|
|
||||||
readOnly: true
|
|
||||||
- name: tf-signing-key
|
|
||||||
mountPath: /etc/artifactapi/tf-signing
|
|
||||||
readOnly: true
|
|
||||||
livenessProbe:
|
|
||||||
failureThreshold: 3
|
|
||||||
httpGet:
|
|
||||||
path: /health
|
|
||||||
port: http
|
|
||||||
scheme: HTTP
|
|
||||||
initialDelaySeconds: 30
|
|
||||||
periodSeconds: 30
|
|
||||||
successThreshold: 1
|
|
||||||
timeoutSeconds: 5
|
|
||||||
readinessProbe:
|
|
||||||
failureThreshold: 3
|
|
||||||
httpGet:
|
|
||||||
path: /health
|
|
||||||
port: http
|
|
||||||
scheme: HTTP
|
|
||||||
initialDelaySeconds: 10
|
|
||||||
periodSeconds: 5
|
|
||||||
successThreshold: 1
|
|
||||||
timeoutSeconds: 5
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: "1"
|
|
||||||
memory: 4Gi
|
|
||||||
requests:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 256Mi
|
|
||||||
volumes:
|
|
||||||
- name: vault-ca-cert
|
|
||||||
secret:
|
|
||||||
secretName: vault-ca-cert
|
|
||||||
items:
|
|
||||||
- key: ca.crt
|
|
||||||
path: ca.crt
|
|
||||||
- name: combined-certs
|
|
||||||
emptyDir: {}
|
|
||||||
- name: tf-signing-key
|
|
||||||
secret:
|
|
||||||
secretName: artifactapi-tf-signing
|
|
||||||
optional: true
|
|
||||||
restartPolicy: Always
|
|
||||||
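Review bot: the CA trust-bundle assembly (the init container that concatenates /custom-ca/ca.crt from the vault-ca-cert secret into /combined-certs, mounted read-only at /etc/ssl/combined) and the optional tf-signing-key mount at /etc/artifactapi/tf-signing are deleted here with no equivalent in the replacement deployment. MINIO_SECURE stays "true" and SSL_CERT_FILE is repointed at the image's own /etc/pki/tls/certs/ca-bundle.crt, so either confirm the vault-issued CA is already in that bundle or keep the vault-ca-cert volume; otherwise TLS verification to radosgw.service.consul fails closed. The env comment says the Terraform registry stays disabled without a readable signing key, so dropping that mount is a functional change that belongs in the commit message.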
@@ -0,0 +1,92 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: artifactapi-deployment
|
||||||
|
namespace: artifactapi
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: artifactapi
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxUnavailable: 1
|
||||||
|
type: RollingUpdate
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
automountServiceAccountToken: true
|
||||||
|
containers:
|
||||||
|
- name: artifactapi
|
||||||
|
image: git.unkin.net/unkin/artifactapi:v2.7.1
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
ports:
|
||||||
|
- containerPort: 8000
|
||||||
|
name: http
|
||||||
|
protocol: TCP
|
||||||
|
envFrom:
|
||||||
|
- configMapRef:
|
||||||
|
name: artifactapi-env
|
||||||
|
optional: false
|
||||||
|
- secretRef:
|
||||||
|
name: environment
|
||||||
|
optional: false
|
||||||
|
livenessProbe:
|
||||||
|
failureThreshold: 3
|
||||||
|
httpGet:
|
||||||
|
path: /health
|
||||||
|
port: http
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 30
|
||||||
|
periodSeconds: 30
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
readinessProbe:
|
||||||
|
failureThreshold: 3
|
||||||
|
httpGet:
|
||||||
|
path: /health
|
||||||
|
port: http
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 10
|
||||||
|
periodSeconds: 5
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: "1"
|
||||||
|
memory: 4Gi
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 256Mi
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /etc/artifactapi/conf.d/config.yaml
|
||||||
|
name: remotes-config
|
||||||
|
subPath: config.yaml
|
||||||
|
- mountPath: /etc/artifactapi/conf.d/local-generic.yaml
|
||||||
|
name: remotes-config
|
||||||
|
subPath: local-generic.yaml
|
||||||
|
- mountPath: /etc/artifactapi/conf.d/remote-alpine.yaml
|
||||||
|
name: remotes-config
|
||||||
|
subPath: remote-alpine.yaml
|
||||||
|
- mountPath: /etc/artifactapi/conf.d/remote-docker.yaml
|
||||||
|
name: remotes-config
|
||||||
|
subPath: remote-docker.yaml
|
||||||
|
- mountPath: /etc/artifactapi/conf.d/remote-generic.yaml
|
||||||
|
name: remotes-config
|
||||||
|
subPath: remote-generic.yaml
|
||||||
|
- mountPath: /etc/artifactapi/conf.d/remote-helm.yaml
|
||||||
|
name: remotes-config
|
||||||
|
subPath: remote-helm.yaml
|
||||||
|
- mountPath: /etc/artifactapi/conf.d/remote-rpm.yaml
|
||||||
|
name: remotes-config
|
||||||
|
subPath: remote-rpm.yaml
|
||||||
|
- mountPath: /etc/artifactapi/conf.d/virtual-helm.yaml
|
||||||
|
name: remotes-config
|
||||||
|
subPath: virtual-helm.yaml
|
||||||
|
restartPolicy: Always
|
||||||
|
volumes:
|
||||||
|
- configMap:
|
||||||
|
name: remotes-config
|
||||||
|
optional: false
|
||||||
|
name: remotes-config
|
||||||
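Review bot: the pod template has no metadata.labels, but spec.selector.matchLabels requires app: artifactapi; unless a kustomize transformer adds that label, the API server rejects the Deployment with a selector/template mismatch. Add `template.metadata.labels: {app: artifactapi}`. Two smaller points in the same hunk: the image goes from v3.7.3 in the deleted file to v2.7.1 here, a downgrade worth confirming as intended, and automountServiceAccountToken: true hands the API a service-account token it does not appear to use; set it to false unless artifactapi calls the Kubernetes API. No securityContext (runAsNonRoot, readOnlyRootFilesystem) is set either.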
@@ -2,13 +2,13 @@
|
|||||||
apiVersion: autoscaling/v2
|
apiVersion: autoscaling/v2
|
||||||
kind: HorizontalPodAutoscaler
|
kind: HorizontalPodAutoscaler
|
||||||
metadata:
|
metadata:
|
||||||
name: api-hpa
|
name: artifactapi-hpa
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
spec:
|
spec:
|
||||||
scaleTargetRef:
|
scaleTargetRef:
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
name: api
|
name: artifactapi-deployment
|
||||||
minReplicas: 2
|
minReplicas: 2
|
||||||
maxReplicas: 10
|
maxReplicas: 10
|
||||||
metrics:
|
metrics:
|
||||||
@@ -1,91 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: postgresql.cnpg.io/v1
|
|
||||||
kind: Cluster
|
|
||||||
metadata:
|
|
||||||
name: postgres
|
|
||||||
namespace: artifactapi
|
|
||||||
spec:
|
|
||||||
affinity:
|
|
||||||
podAntiAffinityType: preferred
|
|
||||||
bootstrap:
|
|
||||||
initdb:
|
|
||||||
database: artifacts
|
|
||||||
encoding: UTF8
|
|
||||||
localeCType: C
|
|
||||||
localeCollate: C
|
|
||||||
owner: artifacts
|
|
||||||
secret:
|
|
||||||
name: postgres-credentials
|
|
||||||
enablePDB: true
|
|
||||||
enableSuperuserAccess: false
|
|
||||||
failoverDelay: 0
|
|
||||||
imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
|
|
||||||
instances: 3
|
|
||||||
logLevel: info
|
|
||||||
maxSyncReplicas: 0
|
|
||||||
minSyncReplicas: 0
|
|
||||||
monitoring:
|
|
||||||
customQueriesConfigMap:
|
|
||||||
- key: queries
|
|
||||||
name: cnpg-default-monitoring
|
|
||||||
disableDefaultQueries: false
|
|
||||||
enablePodMonitor: false
|
|
||||||
postgresql:
|
|
||||||
parameters:
|
|
||||||
archive_mode: "on"
|
|
||||||
archive_timeout: 5min
|
|
||||||
dynamic_shared_memory_type: posix
|
|
||||||
effective_cache_size: 256MB
|
|
||||||
full_page_writes: "on"
|
|
||||||
log_destination: csvlog
|
|
||||||
log_directory: /controller/log
|
|
||||||
log_filename: postgres
|
|
||||||
log_rotation_age: "0"
|
|
||||||
log_rotation_size: "0"
|
|
||||||
log_truncate_on_rotation: "false"
|
|
||||||
logging_collector: "on"
|
|
||||||
max_connections: "200"
|
|
||||||
max_parallel_workers: "16"
|
|
||||||
max_replication_slots: "16"
|
|
||||||
max_worker_processes: "16"
|
|
||||||
shared_buffers: 128MB
|
|
||||||
shared_memory_type: mmap
|
|
||||||
ssl_max_protocol_version: TLSv1.3
|
|
||||||
ssl_min_protocol_version: TLSv1.3
|
|
||||||
wal_keep_size: 256MB
|
|
||||||
wal_level: logical
|
|
||||||
wal_log_hints: "on"
|
|
||||||
wal_receiver_timeout: 5s
|
|
||||||
wal_sender_timeout: 5s
|
|
||||||
syncReplicaElectionConstraint:
|
|
||||||
enabled: false
|
|
||||||
primaryUpdateMethod: restart
|
|
||||||
primaryUpdateStrategy: unsupervised
|
|
||||||
probes:
|
|
||||||
liveness:
|
|
||||||
isolationCheck:
|
|
||||||
connectionTimeout: 1000
|
|
||||||
enabled: true
|
|
||||||
requestTimeout: 1000
|
|
||||||
replicationSlots:
|
|
||||||
highAvailability:
|
|
||||||
enabled: true
|
|
||||||
slotPrefix: _cnpg_
|
|
||||||
synchronizeReplicas:
|
|
||||||
enabled: true
|
|
||||||
updateInterval: 30
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 500m
|
|
||||||
memory: 512Mi
|
|
||||||
requests:
|
|
||||||
cpu: 250m
|
|
||||||
memory: 256Mi
|
|
||||||
smartShutdownTimeout: 180
|
|
||||||
startDelay: 3600
|
|
||||||
stopDelay: 1800
|
|
||||||
storage:
|
|
||||||
resizeInUseVolumes: true
|
|
||||||
size: 20Gi
|
|
||||||
storageClass: cephrbd-fast-delete
|
|
||||||
switchoverDelay: 3600
|
|
||||||
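Review bot: removing this Cluster drops the database hardening it carried (enableSuperuserAccess: false, ssl_min_protocol_version and ssl_max_protocol_version pinned to TLSv1.3, archive_mode "on", three instances with enablePDB: true), and the replacement postgres Deployment later in this change runs a single replica with no TLS or backup configuration. If the downgrade is deliberate it belongs in the commit message; at minimum document how backups and in-cluster transport protection are handled after this.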
@@ -1,33 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: postgresql.cnpg.io/v1
|
|
||||||
kind: Pooler
|
|
||||||
metadata:
|
|
||||||
name: postgres-pooler
|
|
||||||
namespace: artifactapi
|
|
||||||
spec:
|
|
||||||
cluster:
|
|
||||||
name: postgres
|
|
||||||
instances: 2
|
|
||||||
pgbouncer:
|
|
||||||
parameters:
|
|
||||||
default_pool_size: "100"
|
|
||||||
max_client_conn: "400"
|
|
||||||
paused: false
|
|
||||||
poolMode: session
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: pooler
|
|
||||||
spec:
|
|
||||||
affinity:
|
|
||||||
podAntiAffinity:
|
|
||||||
requiredDuringSchedulingIgnoredDuringExecution:
|
|
||||||
- labelSelector:
|
|
||||||
matchExpressions:
|
|
||||||
- key: app
|
|
||||||
operator: In
|
|
||||||
values:
|
|
||||||
- pooler
|
|
||||||
topologyKey: kubernetes.io/hostname
|
|
||||||
containers: []
|
|
||||||
type: rw
|
|
||||||
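Review bot: deleting the Pooler removes the max_client_conn: "400" / default_pool_size: "100" bound that sat in front of the database; the HPA still scales the API to maxReplicas: 10, so make sure the replacement postgres instance's max_connections can absorb the resulting connection count (the deleted cluster set it to "200"; the PostgreSQL default is 100). Otherwise the failure mode is connection exhaustion under load.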
@@ -2,15 +2,26 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
name: api-env
|
name: artifactapi-env
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
data:
|
data:
|
||||||
DBHOST: postgres-pooler
|
CONFIG_PATH: /etc/artifactapi/conf.d/
|
||||||
|
DBHOST: postgres-service
|
||||||
DBNAME: artifacts
|
DBNAME: artifacts
|
||||||
DBPORT: "5432"
|
DBPORT: "5432"
|
||||||
DBUSER: artifacts
|
DBUSER: artifacts
|
||||||
MINIO_BUCKET: artifactapi-prod-k8s-syd1-au
|
MINIO_BUCKET: artifactapi
|
||||||
MINIO_ENDPOINT: radosgw.service.consul
|
MINIO_ENDPOINT: radosgw.service.consul
|
||||||
MINIO_SECURE: "true"
|
MINIO_SECURE: "true"
|
||||||
REDIS_URL: redis://redis:6379
|
REDIS_URL: redis://redis-service:6379
|
||||||
SSL_CERT_FILE: /etc/ssl/combined/ca-certificates.crt
|
REQUESTS_CA_BUNDLE: /etc/pki/tls/certs/ca-bundle.crt
|
||||||
|
SSL_CERT_FILE: /etc/pki/tls/certs/ca-bundle.crt
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: postgres-env
|
||||||
|
namespace: artifactapi
|
||||||
|
data:
|
||||||
|
POSTGRES_DB: artifacts
|
||||||
|
POSTGRES_USER: artifacts
|
||||||
|
|||||||
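Review bot: REQUESTS_CA_BUNDLE and SSL_CERT_FILE now point at /etc/pki/tls/certs/ca-bundle.crt inside the image instead of the combined bundle that included the vault CA. With MINIO_SECURE still "true" this only works if the CA that signs radosgw.service.consul is in the image's bundle; please confirm, since the removed init container existed specifically to add it. Also, DBHOST now targets postgres-service directly rather than the pooler, and MINIO_BUCKET changes from artifactapi-prod-k8s-syd1-au to artifactapi; a bucket rename changes which objects the service can see and should be stated in the commit message.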
@@ -1,37 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: Gateway
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
traefik.io/instance: internal
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/cluster-issuer: vault-issuer
|
|
||||||
cert-manager.io/common-name: artifactapi.k8s.syd1.au.unkin.net
|
|
||||||
cert-manager.io/private-key-size: "4096"
|
|
||||||
external-dns.alpha.kubernetes.io/hostname: artifactapi.k8s.syd1.au.unkin.net
|
|
||||||
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
|
||||||
name: artifactapi
|
|
||||||
namespace: artifactapi
|
|
||||||
spec:
|
|
||||||
gatewayClassName: traefik-internal
|
|
||||||
listeners:
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: artifactapi.k8s.syd1.au.unkin.net
|
|
||||||
name: http
|
|
||||||
port: 80
|
|
||||||
protocol: HTTP
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: artifactapi.k8s.syd1.au.unkin.net
|
|
||||||
name: https
|
|
||||||
port: 443
|
|
||||||
protocol: HTTPS
|
|
||||||
tls:
|
|
||||||
certificateRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Secret
|
|
||||||
name: artifactapi-tls
|
|
||||||
mode: Terminate
|
|
||||||
@@ -1,59 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: http-redirect
|
|
||||||
namespace: artifactapi
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- artifactapi.k8s.syd1.au.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: artifactapi
|
|
||||||
sectionName: http
|
|
||||||
rules:
|
|
||||||
- filters:
|
|
||||||
- type: RequestRedirect
|
|
||||||
requestRedirect:
|
|
||||||
scheme: https
|
|
||||||
statusCode: 301
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: api-route
|
|
||||||
namespace: artifactapi
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- artifactapi.k8s.syd1.au.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: artifactapi
|
|
||||||
sectionName: https
|
|
||||||
rules:
|
|
||||||
- backendRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Service
|
|
||||||
name: ui
|
|
||||||
port: 80
|
|
||||||
weight: 1
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /ui
|
|
||||||
- backendRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Service
|
|
||||||
name: artifactapi
|
|
||||||
port: 80
|
|
||||||
weight: 1
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
@@ -0,0 +1,32 @@
|
|||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: artifactapi.k8s.syd1.au.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: artifactapi.k8s.syd1.au.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: 198.18.200.0
|
||||||
|
nginx.ingress.kubernetes.io/proxy-body-size: 10g
|
||||||
|
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
|
||||||
|
nginx.ingress.kubernetes.io/ssl-redirect: "false"
|
||||||
|
name: artifactapi-ingress
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
ingressClassName: nginx
|
||||||
|
rules:
|
||||||
|
- host: artifactapi.k8s.syd1.au.unkin.net
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- backend:
|
||||||
|
service:
|
||||||
|
name: artifactapi-api
|
||||||
|
port:
|
||||||
|
number: 80
|
||||||
|
path: /
|
||||||
|
pathType: Prefix
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- artifactapi.k8s.syd1.au.unkin.net
|
||||||
|
secretName: artifactapi-tls
|
||||||
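Review bot: nginx.ingress.kubernetes.io/ssl-redirect: "false" disables the HTTP-to-HTTPS redirect, whereas the deleted http-redirect HTTPRoute returned a 301 to https for every path; with this annotation the API, and any credentials clients send to it, is reachable in cleartext on port 80. Set ssl-redirect to "true" or drop the annotation (redirecting is the ingress-nginx default once TLS is configured). Also check that a Service named artifactapi-api exists in services.yaml (the deleted HTTPRoute targeted a Service named artifactapi), and that the external-dns target 198.18.200.0, changed from 198.18.200.4, is the intended address.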
@@ -3,17 +3,28 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||||||
kind: Kustomization
|
kind: Kustomization
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
- api-deployment.yaml
|
- artifactapi-deployment.yaml
|
||||||
- api-hpa.yaml
|
- artifactapi-hpa.yaml
|
||||||
- configmap.yaml
|
- configmap.yaml
|
||||||
- cnpg_cluster.yaml
|
- ingress.yaml
|
||||||
- cnpg_pooler.yaml
|
|
||||||
- gateway.yaml
|
|
||||||
- httproute.yaml
|
|
||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
|
- postgres-deployment.yaml
|
||||||
|
- pvc.yaml
|
||||||
- redis-deployment.yaml
|
- redis-deployment.yaml
|
||||||
- services.yaml
|
- services.yaml
|
||||||
- ui-deployment.yaml
|
|
||||||
- ui-hpa.yaml
|
|
||||||
- vaultauth.yaml
|
- vaultauth.yaml
|
||||||
- vaultstaticsecret.yaml
|
- vaultstaticsecret.yaml
|
||||||
|
|
||||||
|
configMapGenerator:
|
||||||
|
- name: remotes-config
|
||||||
|
files:
|
||||||
|
- resources/conf.d/config.yaml
|
||||||
|
- resources/conf.d/local-generic.yaml
|
||||||
|
- resources/conf.d/remote-generic.yaml
|
||||||
|
- resources/conf.d/remote-alpine.yaml
|
||||||
|
- resources/conf.d/remote-rpm.yaml
|
||||||
|
- resources/conf.d/remote-docker.yaml
|
||||||
|
- resources/conf.d/remote-helm.yaml
|
||||||
|
- resources/conf.d/virtual-helm.yaml
|
||||||
|
options:
|
||||||
|
disableNameSuffixHash: true
|
||||||
|
|||||||
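Review bot: disableNameSuffixHash: true removes the content-hash suffix that would otherwise force a rollout when the remotes-config files change, and the deployment mounts each file via subPath, which does not receive live ConfigMap updates. The reloader.stakater.com/auto annotation covers this only if Reloader is running in the cluster; if it is not, edits to resources/conf.d/*.yaml silently never reach the pods. Either keep the hash suffix or document the Reloader dependency next to this option.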
@@ -0,0 +1,76 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: postgres-deployment
|
||||||
|
namespace: artifactapi
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: postgres
|
||||||
|
strategy:
|
||||||
|
type: Recreate
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
automountServiceAccountToken: true
|
||||||
|
containers:
|
||||||
|
- name: postgres
|
||||||
|
image: postgres:15-alpine
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
ports:
|
||||||
|
- containerPort: 5432
|
||||||
|
name: postgres
|
||||||
|
protocol: TCP
|
||||||
|
envFrom:
|
||||||
|
- configMapRef:
|
||||||
|
name: postgres-env
|
||||||
|
optional: false
|
||||||
|
- secretRef:
|
||||||
|
name: postgres-password
|
||||||
|
optional: false
|
||||||
|
readinessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- pg_isready
|
||||||
|
- -U
|
||||||
|
- artifacts
|
||||||
|
- -d
|
||||||
|
- artifacts
|
||||||
|
failureThreshold: 3
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- pg_isready
|
||||||
|
- -U
|
||||||
|
- artifacts
|
||||||
|
- -d
|
||||||
|
- artifacts
|
||||||
|
failureThreshold: 3
|
||||||
|
initialDelaySeconds: 30
|
||||||
|
periodSeconds: 30
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 1Gi
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 128Mi
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /var/lib/postgresql/data
|
||||||
|
mountPropagation: None
|
||||||
|
name: pgdata
|
||||||
|
subPath: pgdata
|
||||||
|
restartPolicy: Always
|
||||||
|
volumes:
|
||||||
|
- name: pgdata
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: artifactapi-postgres-pgdata
|
||||||
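Review bot: same selector problem as the API deployment: spec.selector.matchLabels is app: postgres but template.metadata is absent, so the Deployment is rejected unless a transformer adds the label. Beyond that, this replaces a three-instance CNPG cluster with one postgres:15-alpine pod: the image is referenced by a mutable tag rather than a digest, no ssl parameters are passed so traffic from the API is plaintext (the deleted cluster required TLSv1.3), there is no backup or WAL archiving, and automountServiceAccountToken: true is unnecessary for a database pod. At least set automountServiceAccountToken: false and state in the commit message how backups are handled.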
@@ -0,0 +1,28 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
name: artifactapi-postgres-pgdata
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 10Gi
|
||||||
|
storageClassName: cephrbd-fast-delete
|
||||||
|
volumeMode: Filesystem
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
name: artifactapi-redis-data
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 5Gi
|
||||||
|
storageClassName: cephrbd-fast-delete
|
||||||
|
volumeMode: Filesystem
|
||||||
@@ -2,21 +2,23 @@
|
|||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: redis
|
annotations:
|
||||||
|
deployment.kubernetes.io/revision: "1"
|
||||||
|
name: redis-deployment
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
spec:
|
spec:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: redis
|
app: redis
|
||||||
|
strategy:
|
||||||
|
type: Recreate
|
||||||
template:
|
template:
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: redis
|
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: redis
|
- name: redis
|
||||||
image: redis:7-alpine
|
image: redis:7-alpine
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
command:
|
command:
|
||||||
- redis-server
|
- redis-server
|
||||||
- --save
|
- --save
|
||||||
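Review bot: the template.metadata.labels block (app: redis) is removed while spec.selector.matchLabels still requires it, so the Deployment will fail validation; restore the labels. The added deployment.kubernetes.io/revision: "1" annotation is written and maintained by the deployment controller and should not be committed; drop it.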
@@ -26,13 +28,6 @@ spec:
|
|||||||
- containerPort: 6379
|
- containerPort: 6379
|
||||||
name: redis
|
name: redis
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 500m
|
|
||||||
memory: 512Mi
|
|
||||||
requests:
|
|
||||||
cpu: 50m
|
|
||||||
memory: 128Mi
|
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
exec:
|
exec:
|
||||||
command:
|
command:
|
||||||
@@ -53,4 +48,19 @@ spec:
|
|||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
successThreshold: 1
|
successThreshold: 1
|
||||||
timeoutSeconds: 5
|
timeoutSeconds: 5
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 512Mi
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 128Mi
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /data
|
||||||
|
mountPropagation: None
|
||||||
|
name: data
|
||||||
restartPolicy: Always
|
restartPolicy: Always
|
||||||
|
volumes:
|
||||||
|
- name: data
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: artifactapi-redis-data
|
||||||
|
|||||||
@@ -0,0 +1,3 @@
|
|||||||
|
# Global artifactapi configuration.
|
||||||
|
# S3, Redis, and database connection settings are injected via environment variables.
|
||||||
|
# Add any top-level overrides here if needed.
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
locals:
|
||||||
|
local-generic:
|
||||||
|
package: "generic"
|
||||||
|
description: "Local generic file repository"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 0
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
remotes:
|
||||||
|
alpine:
|
||||||
|
base_url: "https://dl-cdn.alpinelinux.org"
|
||||||
|
package: "alpine"
|
||||||
|
description: "Alpine Linux APK package repository"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*/x86_64/.*\\.apk$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
@@ -0,0 +1,92 @@
|
|||||||
|
remotes:
|
||||||
|
ghcr:
|
||||||
|
base_url: "https://ghcr.io"
|
||||||
|
package: "docker"
|
||||||
|
description: "GitHub Container Registry"
|
||||||
|
immutable_patterns:
|
||||||
|
- "^cloudnative-pg/cloudnative-pg"
|
||||||
|
- "^emberstack/helm-charts"
|
||||||
|
- "^openvoxproject/"
|
||||||
|
- "^stakater/reloader"
|
||||||
|
- "^voxpupuli/puppetboard"
|
||||||
|
- "^woodpecker-ci/helm"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 300
|
||||||
|
|
||||||
|
dockerhub:
|
||||||
|
base_url: "https://registry-1.docker.io"
|
||||||
|
package: "docker"
|
||||||
|
description: "Docker Hub registry"
|
||||||
|
immutable_patterns:
|
||||||
|
- "^library/busybox"
|
||||||
|
- "^library/nginx"
|
||||||
|
- "^library/postgres"
|
||||||
|
- "^library/redis"
|
||||||
|
- "^beats/filebeat"
|
||||||
|
- "^bitnami/"
|
||||||
|
- "^curlimages/curl"
|
||||||
|
- "^emberstack/kubernetes-reflector"
|
||||||
|
- "^hashicorp/vault-secrets-operator"
|
||||||
|
- "^jfrog/"
|
||||||
|
- "^rancher/"
|
||||||
|
- "^ubi9/ubi-minimal"
|
||||||
|
- "^victoriametrics/"
|
||||||
|
- "^woodpeckerci/"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 300
|
||||||
|
|
||||||
|
quay:
|
||||||
|
base_url: "https://quay.io"
|
||||||
|
package: "docker"
|
||||||
|
description: "Quay.io container registry"
|
||||||
|
immutable_patterns:
|
||||||
|
- "^brancz/kube-rbac-proxy"
|
||||||
|
- "^cephcsi/cephcsi"
|
||||||
|
- "^jetstack/cert-manager-"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 300
|
||||||
|
|
||||||
|
k8s-registry:
|
||||||
|
base_url: "https://registry.k8s.io"
|
||||||
|
package: "docker"
|
||||||
|
description: "Kubernetes container registry"
|
||||||
|
immutable_patterns:
|
||||||
|
- "^external-dns/external-dns"
|
||||||
|
- "^sig-storage/"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 300
|
||||||
|
|
||||||
|
gitlab:
|
||||||
|
base_url: "https://registry.gitlab.com"
|
||||||
|
package: "docker"
|
||||||
|
description: "GitLab container registry"
|
||||||
|
immutable_patterns:
|
||||||
|
- "^purelb/purelb"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 300
|
||||||
|
|
||||||
|
elastic:
|
||||||
|
base_url: "https://docker.elastic.co"
|
||||||
|
package: "docker"
|
||||||
|
description: "Elastic container registry"
|
||||||
|
immutable_patterns:
|
||||||
|
- "^eck/eck-operator"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 300
|
||||||
|
|
||||||
|
gcr:
|
||||||
|
base_url: "https://gcr.io"
|
||||||
|
package: "docker"
|
||||||
|
description: "Google Container Registry"
|
||||||
|
immutable_patterns:
|
||||||
|
- "^k8s-staging-nfd/charts"
|
||||||
|
- "^k8s-staging-nfd/node-feature-discovery"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 300
|
||||||
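Review bot: the immutable_patterns here match repository names (^library/redis, ^library/postgres, ^bitnami/, ...) rather than content-addressed references, so if they are applied to the request path as the anchoring suggests, every manifest fetched under those repositories is cached with immutable_ttl: 0, including floating tags such as redis:7-alpine and postgres:15-alpine that this very change deploys. Upstream security rebuilds of those tags would then never reach the cache. Restrict the immutable patterns to digest references (manifests/sha256:... and blobs/sha256:...) and let tag manifests fall under mutable_ttl: 300.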
@@ -0,0 +1,126 @@
|
|||||||
|
remotes:
|
||||||
|
github:
|
||||||
|
base_url: "https://github.com"
|
||||||
|
package: "generic"
|
||||||
|
description: "GitHub releases and files"
|
||||||
|
mutable_patterns:
|
||||||
|
- ".*/archive/refs/heads/.*.tar.gz$"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*/archive/refs/tags/.*.tar.gz$"
|
||||||
|
- "ahmetb/kubectx/.*/kubectx_.*_linux_x86_64.tar.gz$"
|
||||||
|
- "ahmetb/kubectx/.*/kubens_.*_linux_x86_64.tar.gz$"
|
||||||
|
- "apple/foundationdb/.*/libfdb_c.x86_64.so$"
|
||||||
|
- "astral-sh/ruff/.*/ruff-x86_64-unknown-linux-gnu.tar.gz$"
|
||||||
|
- "astral-sh/uv/.*/uv-x86_64-unknown-linux-gnu.tar.gz$"
|
||||||
|
- "camptocamp/prometheus-puppetdb-exporter/.*/prometheus-puppetdb-exporter-.*.linux-amd64.tar.gz$"
|
||||||
|
- "coder/code-server/.*/code-server-.*-amd64.rpm$"
|
||||||
|
- "containernetworking/plugins/.*/cni-plugins-linux-amd64-.*.tgz"
|
||||||
|
- "dandavison/delta/.*/delta-.*-x86_64-unknown-linux-musl.tar.gz$"
|
||||||
|
- "ducaale/xh/.*/xh-.*-x86_64-unknown-linux-musl.tar.gz$"
|
||||||
|
- "etcd-io/etcd/.*/etcd-.*-linux-amd64.tar.gz$"
|
||||||
|
- "getsops/sops/.*/sops-v.*\\.linux\\.amd64$"
|
||||||
|
- "grafana/jsonnet-language-server/.*/jsonnet-language-server_.*_linux_amd64$"
|
||||||
|
- "gruntwork-io/boilerplate/.*/boilerplate_linux_amd64$"
|
||||||
|
- "gruntwork-io/terragrunt/.*terragrunt_linux_amd64.*"
|
||||||
|
- "hadolint/hadolint/.*/hadolint-linux-x86_64$"
|
||||||
|
- "helmfile/helmfile/.*/helmfile_.*_linux_amd64.tar.gz$"
|
||||||
|
- "helmfile/vals/.*/vals_.*_linux_amd64.tar.gz$"
|
||||||
|
- "jesseduffield/lazydocker/.*/lazydocker_.*_Linux_x86_64.tar.gz$"
|
||||||
|
- "lxc/incus/.*.tar.gz$"
|
||||||
|
- "mikefarah/yq/.*/yq_linux_amd64$"
|
||||||
|
- "neovim/neovim-releases/.*/nvim-linux-x86_64.tar.gz$"
|
||||||
|
- "neovim/neovim/.*/nvim-linux-x86_64.tar.gz$"
|
||||||
|
- "nzbgetcom/nzbget/.*/nzbget-.*.x86_64.rpm$"
|
||||||
|
- "onedr0p/exportarr/.*/exportarr_.*_linux_amd64.tar.gz$"
|
||||||
|
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-consul_linux_amd64_.*.tar.gz$"
|
||||||
|
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-nomad_linux_amd64_.*.tar.gz$"
|
||||||
|
- "prometheus-community/bind_exporter/.*/bind_exporter-.*.linux-amd64.tar.gz$"
|
||||||
|
- "prometheus-community/pgbouncer_exporter/.*/pgbouncer_exporter-.*.linux-amd64.tar.gz$"
|
||||||
|
- "prometheus-community/postgres_exporter/.*/postgres_exporter-.*.linux-amd64.tar.gz$"
|
||||||
|
- "prometheus/node_exporter/.*/node_exporter-.*.linux-amd64.tar.gz$"
|
||||||
|
- "rancher/rke2/.*/rke2-images.linux-amd64.tar.zst$"
|
||||||
|
- "stalwartlabs/stalwart/.*/stalwart-cli-x86_64-unknown-linux-gnu.tar.gz$"
|
||||||
|
- "stalwartlabs/stalwart/.*/stalwart-foundationdb-x86_64-unknown-linux-gnu.tar.gz$"
|
||||||
|
- "stalwartlabs/stalwart/.*/stalwart-x86_64-unknown-linux-gnu.tar.gz$"
|
||||||
|
- "starship/starship/.*/starship-x86_64-unknown-linux-musl.tar.gz$"
|
||||||
|
- "stern/stern/.*/stern_.*_linux_amd64.tar.gz$"
|
||||||
|
- "terraform-linters/tflint/.*/tflint_linux_amd64.zip$"
|
||||||
|
- "tynany/frr_exporter/.*/frr_exporter-.*.linux-amd64.tar.gz$"
|
||||||
|
- "VictoriaMetrics/VictoriaLogs/.*/victoria-logs-linux-amd64-.*.tar.gz$"
|
||||||
|
- "VictoriaMetrics/VictoriaLogs/.*/vlutils-linux-amd64-.*.tar.gz$"
|
||||||
|
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-logs-linux-amd64-.*.tar.gz$"
|
||||||
|
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-metrics-linux-amd64-.*-cluster.tar.gz$"
|
||||||
|
- "VictoriaMetrics/VictoriaMetrics/.*/vlutils-linux-amd64-.*.tar.gz$"
|
||||||
|
- "VictoriaMetrics/VictoriaMetrics/.*/vmutils-linux-amd64-.*.tar.gz$"
|
||||||
|
- "xorpaul/g10k/.*/g10k-.*-linux-amd64.zip$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
github_user:
|
||||||
|
base_url: "https://raw.githubusercontent.com"
|
||||||
|
package: "generic"
|
||||||
|
description: "GitHub User Content"
|
||||||
|
immutable_patterns:
|
||||||
|
- "argoproj/argo-cd/.*.yaml$"
|
||||||
|
- "yannh/kubernetes-json-schema/master/.*.json$"
|
||||||
|
- "datreeio/CRDs-catalog/main/.*.json$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
gitea-dl:
|
||||||
|
base_url: "https://dl.gitea.com"
|
||||||
|
package: "generic"
|
||||||
|
description: "Gitea download site"
|
||||||
|
immutable_patterns:
|
||||||
|
- "act_runner/.*/act_runner-.*-linux-amd64$"
|
||||||
|
- "tea/.*/tea-.*-linux-amd64$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
hashicorp-releases:
|
||||||
|
base_url: "https://releases.hashicorp.com"
|
||||||
|
package: "generic"
|
||||||
|
description: "HashiCorp product releases"
|
||||||
|
immutable_patterns:
|
||||||
|
- "terraform/.*terraform_.*_linux_amd64\\.zip$"
|
||||||
|
- "terraform/.*terraform_.*_windows_amd64\\.zip$"
|
||||||
|
- "terraform/.*terraform_.*_darwin_amd64\\.zip$"
|
||||||
|
- "vault/.*vault_.*_linux_amd64\\.zip$"
|
||||||
|
- "vault/.*vault_.*_windows_amd64\\.zip$"
|
||||||
|
- "vault/.*vault_.*_darwin_amd64\\.zip$"
|
||||||
|
- "consul-cni/.*/consul-cni_.*_linux_amd64\\.zip$"
|
||||||
|
- "consul/.*/consul_.*_linux_amd64\\.zip$"
|
||||||
|
- "nomad-autoscaler/.*/nomad-autoscaler_.*_linux_amd64\\.zip$"
|
||||||
|
- "nomad/.*/nomad_.*_linux_amd64\\.zip$"
|
||||||
|
- "packer/.*/packer_.*_linux_amd64\\.zip$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
rarlab:
|
||||||
|
base_url: "https://www.rarlab.com"
|
||||||
|
package: "generic"
|
||||||
|
description: "RARLab"
|
||||||
|
immutable_patterns:
|
||||||
|
- "rar/rarlinux-x64-.*.tar.gz"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
claude-ai:
|
||||||
|
base_url: "https://downloads.claude.ai"
|
||||||
|
package: "generic"
|
||||||
|
description: "Anthropic Claude Code binary releases"
|
||||||
|
mutable_patterns:
|
||||||
|
- "claude-code-releases/.*/manifest.json$"
|
||||||
|
immutable_patterns:
|
||||||
|
- "claude-code-releases/.*/linux-x64/claude$"
|
||||||
|
- "claude-code-releases/.*/linux-arm64/claude$"
|
||||||
|
- "claude-code-releases/.*/linux-x64-musl/claude$"
|
||||||
|
- "claude-code-releases/.*/linux-arm64-musl/claude$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
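Review bot: several immutable patterns are under-escaped or unterminated and so match more than intended: "lxc/incus/.*.tar.gz$" and "rar/rarlinux-x64-.*.tar.gz" use an unescaped `.` (compare the escaped "\\.zip$" forms in the hashicorp-releases block), and "gruntwork-io/terragrunt/.*terragrunt_linux_amd64.*" and "containernetworking/plugins/.*/cni-plugins-linux-amd64-.*.tgz" have no `$`, so checksum or signature files that sit next to the binary are pinned as well. If immutable_ttl: 0 means no expiry, as the pairing with mutable_ttl: 7200 suggests, an over-broad pattern is a permanent pin; escape the dots and terminate each pattern with `$`. Note also that ".*/archive/refs/tags/.*.tar.gz$" is marked immutable although GitHub source archives are generated on request and have not been byte-stable historically.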
@@ -0,0 +1,121 @@
|
|||||||
|
remotes:
|
||||||
|
ceph-csi:
|
||||||
|
base_url: "https://ceph.github.io/csi-charts"
|
||||||
|
package: "helm"
|
||||||
|
description: "Ceph CSI driver Helm charts"
|
||||||
|
check_mutable_updates: true
|
||||||
|
immutable_patterns:
|
||||||
|
- "\\.tgz$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 3600
|
||||||
|
|
||||||
|
cnpg:
|
||||||
|
base_url: "https://cloudnative-pg.github.io/charts"
|
||||||
|
package: "helm"
|
||||||
|
description: "CloudNativePG operator Helm charts"
|
||||||
|
check_mutable_updates: true
|
||||||
|
immutable_patterns:
|
||||||
|
- "\\.tgz$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 3600
|
||||||
|
|
||||||
|
elastic-helm:
|
||||||
|
base_url: "https://helm.elastic.co"
|
||||||
|
package: "helm"
|
||||||
|
description: "Elastic stack Helm charts"
|
||||||
|
check_mutable_updates: true
|
||||||
|
immutable_patterns:
|
||||||
|
- "\\.tgz$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 3600
|
||||||
|
|
||||||
|
external-dns:
|
||||||
|
base_url: "https://kubernetes-sigs.github.io/external-dns/"
|
||||||
|
package: "helm"
|
||||||
|
description: "ExternalDNS Helm charts"
|
||||||
|
check_mutable_updates: true
|
||||||
|
immutable_patterns:
|
||||||
|
- "\\.tgz$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 3600
|
||||||
|
|
||||||
|
hashicorp-helm:
|
||||||
|
base_url: "https://helm.releases.hashicorp.com"
|
||||||
|
package: "helm"
|
||||||
|
description: "HashiCorp Helm charts (Vault Secrets Operator, etc.)"
|
||||||
|
check_mutable_updates: true
|
||||||
|
immutable_patterns:
|
||||||
|
- "\\.tgz$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 3600
|
||||||
|
|
||||||
|
intel-helm:
|
||||||
|
base_url: "https://intel.github.io/helm-charts/"
|
||||||
|
package: "helm"
|
||||||
|
description: "Intel Helm charts (device plugins)"
|
||||||
|
check_mutable_updates: true
|
||||||
|
immutable_patterns:
|
||||||
|
- "\\.tgz$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 3600
|
||||||
|
|
||||||
|
jetstack:
|
||||||
|
base_url: "https://charts.jetstack.io"
|
||||||
|
package: "helm"
|
||||||
|
description: "Jetstack Helm charts (cert-manager)"
|
||||||
|
check_mutable_updates: true
|
||||||
|
immutable_patterns:
|
||||||
|
- "\\.tgz$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 3600
|
||||||
|
|
||||||
|
purelb:
|
||||||
|
base_url: "https://gitlab.com/api/v4/projects/20400619/packages/helm/stable"
|
||||||
|
package: "helm"
|
||||||
|
description: "PureLB load balancer Helm charts"
|
||||||
|
check_mutable_updates: true
|
||||||
|
immutable_patterns:
|
||||||
|
- "\\.tgz$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 3600
|
||||||
|
|
||||||
|
rancher-stable:
|
||||||
|
base_url: "https://releases.rancher.com/server-charts/stable"
|
||||||
|
package: "helm"
|
||||||
|
description: "Rancher stable Helm charts"
|
||||||
|
check_mutable_updates: true
|
||||||
|
immutable_patterns:
|
||||||
|
- "\\.tgz$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 3600
|
||||||
|
|
||||||
|
stakater:
|
||||||
|
base_url: "https://stakater.github.io/stakater-charts"
|
||||||
|
package: "helm"
|
||||||
|
description: "Stakater Helm charts (Reloader)"
|
||||||
|
check_mutable_updates: true
|
||||||
|
immutable_patterns:
|
||||||
|
- "\\.tgz$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 3600
|
||||||
|
|
||||||
|
victoriametrics:
|
||||||
|
base_url: "https://victoriametrics.github.io/helm-charts/"
|
||||||
|
package: "helm"
|
||||||
|
description: "VictoriaMetrics observability Helm charts"
|
||||||
|
check_mutable_updates: true
|
||||||
|
immutable_patterns:
|
||||||
|
- "\\.tgz$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 3600
|
||||||
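Review bot: every helm remote sets `immutable_ttl: 0` for the `"\\.tgz$"` matches and `mutable_ttl: 3600` for everything else (the index.yaml), but nothing in the file says whether a TTL of 0 means "never expire" or "do not cache", and the rpm remotes in the next file reuse the same value; add a comment at the first use, or move the shared values into one top-level `cache` default, so the intent for chart tarballs (cache forever once fetched, since the version in the filename is supposed to be immutable) is unambiguous. Also, `check_mutable_updates: true` is repeated on every helm remote here but set on none of the rpm remotes; if the default is false, rpm index metadata will never be revalidated, so state it explicitly in both files.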
@@ -0,0 +1,154 @@
|
|||||||
|
remotes:
|
||||||
|
almalinux:
|
||||||
|
base_url: "https://gsl-syd.mm.fcix.net/almalinux"
|
||||||
|
package: "rpm"
|
||||||
|
description: "AlmaLinux RPM package repository"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*/x86_64/.*\\.rpm$"
|
||||||
|
- ".*/noarch/.*\\.rpm$"
|
||||||
|
- ".*/repodata/.*\\.sqlite.*$"
|
||||||
|
- ".*/repodata/.*\\.xml.*$"
|
||||||
|
- ".*/repodata/.*\\.yaml.*$"
|
||||||
|
- ".*/install.img"
|
||||||
|
- ".*/squashfs.img"
|
||||||
|
- ".*/updates.img"
|
||||||
|
- ".*/RPM-GPG-KEY-.*$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
ceph-reef:
|
||||||
|
base_url: "https://download.ceph.com/rpm-reef/"
|
||||||
|
package: "rpm"
|
||||||
|
description: "Ceph Reef 18"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*/x86_64/.*\\.rpm$"
|
||||||
|
- ".*/noarch/.*\\.rpm$"
|
||||||
|
- ".*/repodata/.*\\.xml.*$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
ceph-squid:
|
||||||
|
base_url: "https://download.ceph.com/rpm-squid/"
|
||||||
|
package: "rpm"
|
||||||
|
description: "Ceph Squid 19"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*/x86_64/.*\\.rpm$"
|
||||||
|
- ".*/noarch/.*\\.rpm$"
|
||||||
|
- ".*/repodata/.*\\.xml.*$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
ceph-tentacle:
|
||||||
|
base_url: "https://download.ceph.com/rpm-tentacle/"
|
||||||
|
package: "rpm"
|
||||||
|
description: "Ceph Tentacle 20"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*/x86_64/.*\\.rpm$"
|
||||||
|
- ".*/noarch/.*\\.rpm$"
|
||||||
|
- ".*/repodata/.*\\.xml.*$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
epel:
|
||||||
|
base_url: "https://gsl-syd.mm.fcix.net/epel"
|
||||||
|
package: "rpm"
|
||||||
|
description: "EPEL (Extra Packages for Enterprise Linux)"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*/Everything/x86_64/.*\\.rpm$"
|
||||||
|
- ".*/noarch/.*\\.rpm$"
|
||||||
|
- ".*/repodata/.*\\.sqlite.*$"
|
||||||
|
- ".*/repodata/.*\\.xml.*$"
|
||||||
|
- ".*/repodata/.*\\.yaml.*$"
|
||||||
|
- "RPM-GPG-KEY-.*$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
fedora:
|
||||||
|
base_url: "https://gsl-syd.mm.fcix.net/fedora/linux"
|
||||||
|
package: "rpm"
|
||||||
|
description: "Fedora Linux RPM package repository"
|
||||||
|
immutable_patterns:
|
||||||
|
- "releases/.*/Everything/x86_64/.*\\.rpm$"
|
||||||
|
- "updates/.*/Everything/x86_64/.*\\.rpm$"
|
||||||
|
- "development/.*/Everything/x86_64/.*\\.rpm$"
|
||||||
|
- ".*/noarch/.*\\.rpm$"
|
||||||
|
- ".*/repodata/.*\\.xml.*$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
frr:
|
||||||
|
base_url: "https://rpm.frrouting.org/repo"
|
||||||
|
package: "rpm"
|
||||||
|
description: "FRR RPM package repository"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*\\.rpm$"
|
||||||
|
- ".*/repodata/.*\\.xml.*$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
mariadb:
|
||||||
|
base_url: "http://mariadb.mirror.digitalpacific.com.au/yum"
|
||||||
|
package: "rpm"
|
||||||
|
description: "MariaDB RPM package repository"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*\\.rpm$"
|
||||||
|
- ".*/repodata/.*\\.xml.*$"
|
||||||
|
- ".*/RPM-GPG-KEY-.*$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
openvox:
|
||||||
|
base_url: "https://yum.voxpupuli.org"
|
||||||
|
package: "rpm"
|
||||||
|
description: "OpenVox RPM package repository"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*\\.rpm$"
|
||||||
|
- ".*/repodata/.*\\.xml.*$"
|
||||||
|
- "GPG-KEY-.*$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
postgresql:
|
||||||
|
base_url: "https://download.postgresql.org/pub/repos/yum"
|
||||||
|
package: "rpm"
|
||||||
|
description: "PostgreSQL RPM package repository"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*\\.rpm$"
|
||||||
|
- ".*/repodata/.*\\.xml.*$"
|
||||||
|
- ".*/RPM-GPG-KEY-.*$"
|
||||||
|
- ".*/PGDG-RPM-GPG-KEY-.*$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
rke2:
|
||||||
|
base_url: "https://rpm.rancher.io"
|
||||||
|
package: "rpm"
|
||||||
|
description: "RKE2 RPM package repository"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*\\.rpm$"
|
||||||
|
- ".*/repodata/.*\\.xml.*$"
|
||||||
|
- "public.key$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
|
|
||||||
|
zfs:
|
||||||
|
base_url: "http://download.zfsonlinux.org"
|
||||||
|
package: "rpm"
|
||||||
|
description: "ZFS RPM package repository"
|
||||||
|
immutable_patterns:
|
||||||
|
- ".*\\.rpm$"
|
||||||
|
- ".*/repodata/.*\\.xml.*$"
|
||||||
|
cache:
|
||||||
|
immutable_ttl: 0
|
||||||
|
mutable_ttl: 7200
|
||||||
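Review bot: `".*/repodata/.*\\.xml.*$"` (present on every rpm remote) also matches `repodata/repomd.xml`, the one file under repodata that is mutable and that dnf reads to discover the checksum-named primary/filelists/updateinfo files; treating it as immutable means clients behind this proxy stop seeing new packages and security errata once it is cached, and no rpm remote sets `check_mutable_updates`. Narrow the pattern to the checksum-prefixed files, e.g. `".*/repodata/[0-9a-f]+-.*$"`, and leave `repomd.xml`, `repomd.xml.asc` and `repomd.xml.key` on the mutable TTL. Separately, `mariadb` (`http://mariadb.mirror.digitalpacific.com.au/yum`) and `zfs` (`http://download.zfsonlinux.org`) are fetched over plain HTTP, and for mariadb the `RPM-GPG-KEY-*` files come over that same channel, so an on-path attacker can substitute key and packages together; use https where the mirror offers it, and at minimum fetch the signing keys from the vendor over TLS rather than from the mirror.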
@@ -0,0 +1,16 @@
|
|||||||
|
virtuals:
|
||||||
|
helm:
|
||||||
|
package: "helm"
|
||||||
|
description: "Virtual repository merging all helm remotes — member order is priority order for duplicate chart+version"
|
||||||
|
members:
|
||||||
|
- ceph-csi
|
||||||
|
- cnpg
|
||||||
|
- elastic-helm
|
||||||
|
- external-dns
|
||||||
|
- hashicorp-helm
|
||||||
|
- intel-helm
|
||||||
|
- jetstack
|
||||||
|
- purelb
|
||||||
|
- rancher-stable
|
||||||
|
- stakater
|
||||||
|
- victoriametrics
|
||||||
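Review bot: the `helm` virtual resolves a chart+version present in more than one member by member order, and the member list is simply alphabetical, so the effective priority is an accident of naming rather than a trust decision; two upstreams publishing the same chart name (a fork, or a look-alike chart landing in one of the GitHub Pages repos) would shadow each other silently. Either order the list by trust (vendor-operated repos before community GitHub Pages ones) with a comment saying that is the intent, or have the virtual log or fail when the same chart+version is served by two members.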
@@ -2,7 +2,7 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
name: artifactapi
|
name: artifactapi-api
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
spec:
|
spec:
|
||||||
internalTrafficPolicy: Cluster
|
internalTrafficPolicy: Cluster
|
||||||
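Review bot: renaming the Service from `artifactapi` to `artifactapi-api` changes its in-cluster DNS name, and changing the selector from `app: api` to `app: artifactapi` changes which pods it fronts; both need matching edits in the Deployment's pod labels and in any HTTPRoute/Ingress `backendRef` or client config that used `artifactapi.artifactapi.svc`, none of which appear in this hunk. Consider keeping the old Service name (or a second Service with the old name) until every consumer has moved.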
@@ -12,31 +12,31 @@ spec:
|
|||||||
protocol: TCP
|
protocol: TCP
|
||||||
targetPort: http
|
targetPort: http
|
||||||
selector:
|
selector:
|
||||||
app: api
|
app: artifactapi
|
||||||
sessionAffinity: None
|
sessionAffinity: None
|
||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
name: ui
|
name: postgres-service
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
spec:
|
spec:
|
||||||
internalTrafficPolicy: Cluster
|
internalTrafficPolicy: Cluster
|
||||||
ports:
|
ports:
|
||||||
- name: http
|
- name: postgres
|
||||||
port: 80
|
port: 5432
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
targetPort: http
|
targetPort: postgres
|
||||||
selector:
|
selector:
|
||||||
app: ui
|
app: postgres
|
||||||
sessionAffinity: None
|
sessionAffinity: None
|
||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
name: redis
|
name: redis-service
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
spec:
|
spec:
|
||||||
internalTrafficPolicy: Cluster
|
internalTrafficPolicy: Cluster
|
||||||
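Review bot: `postgres-service` exposes 5432 with `type: ClusterIP` and `internalTrafficPolicy: Cluster`, and no NetworkPolicy appears alongside it, so every pod in the cluster can reach the database port; add a NetworkPolicy that limits ingress on 5432 (and 6379 on the renamed `redis-service`) to the `app: artifactapi` pods. The rename of `redis` to `redis-service` also changes the hostname the application's `environment` secret must carry, so the value stored in Vault at the new `service/artifactapi/environment` path has to be updated in step with this manifest.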
|
|||||||
@@ -1,58 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: ui
|
|
||||||
namespace: artifactapi
|
|
||||||
annotations:
|
|
||||||
reloader.stakater.com/auto: "true"
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: ui
|
|
||||||
strategy:
|
|
||||||
rollingUpdate:
|
|
||||||
maxUnavailable: 1
|
|
||||||
type: RollingUpdate
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: ui
|
|
||||||
spec:
|
|
||||||
automountServiceAccountToken: true
|
|
||||||
containers:
|
|
||||||
- name: ui
|
|
||||||
image: git.unkin.net/unkin/artifactapi-ui:v3.7.3
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
ports:
|
|
||||||
- containerPort: 80
|
|
||||||
name: http
|
|
||||||
protocol: TCP
|
|
||||||
livenessProbe:
|
|
||||||
failureThreshold: 3
|
|
||||||
httpGet:
|
|
||||||
path: /ui
|
|
||||||
port: http
|
|
||||||
scheme: HTTP
|
|
||||||
initialDelaySeconds: 15
|
|
||||||
periodSeconds: 30
|
|
||||||
successThreshold: 1
|
|
||||||
timeoutSeconds: 5
|
|
||||||
readinessProbe:
|
|
||||||
failureThreshold: 3
|
|
||||||
httpGet:
|
|
||||||
path: /ui
|
|
||||||
port: http
|
|
||||||
scheme: HTTP
|
|
||||||
initialDelaySeconds: 5
|
|
||||||
periodSeconds: 5
|
|
||||||
successThreshold: 1
|
|
||||||
timeoutSeconds: 5
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 500m
|
|
||||||
memory: 512Mi
|
|
||||||
requests:
|
|
||||||
cpu: 50m
|
|
||||||
memory: 128Mi
|
|
||||||
restartPolicy: Always
|
|
||||||
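Review bot: the removed `ui` Deployment ran a static web container with `automountServiceAccountToken: true` and no `securityContext`, neither of which a web server that never talks to the API server needs; whatever now serves the UI (not in this hunk) should set `automountServiceAccountToken: false` and a non-root, read-only-root-filesystem securityContext rather than inherit this template. The deletion also implies dropping the UI Deployment and HPA files from the artifactapi kustomization; that hunk is not shown here.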
@@ -1,41 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: autoscaling/v2
|
|
||||||
kind: HorizontalPodAutoscaler
|
|
||||||
metadata:
|
|
||||||
name: ui-hpa
|
|
||||||
namespace: artifactapi
|
|
||||||
spec:
|
|
||||||
scaleTargetRef:
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
name: ui
|
|
||||||
minReplicas: 2
|
|
||||||
maxReplicas: 10
|
|
||||||
metrics:
|
|
||||||
- type: Resource
|
|
||||||
resource:
|
|
||||||
name: cpu
|
|
||||||
target:
|
|
||||||
type: Utilization
|
|
||||||
averageUtilization: 60
|
|
||||||
behavior:
|
|
||||||
scaleUp:
|
|
||||||
stabilizationWindowSeconds: 0
|
|
||||||
selectPolicy: Max
|
|
||||||
policies:
|
|
||||||
- type: Percent
|
|
||||||
value: 100
|
|
||||||
periodSeconds: 30
|
|
||||||
- type: Pods
|
|
||||||
value: 4
|
|
||||||
periodSeconds: 30
|
|
||||||
scaleDown:
|
|
||||||
stabilizationWindowSeconds: 300
|
|
||||||
selectPolicy: Min
|
|
||||||
policies:
|
|
||||||
- type: Percent
|
|
||||||
value: 10
|
|
||||||
periodSeconds: 60
|
|
||||||
- type: Pods
|
|
||||||
value: 2
|
|
||||||
periodSeconds: 60
|
|
||||||
@@ -10,7 +10,7 @@ spec:
|
|||||||
kubernetes:
|
kubernetes:
|
||||||
audiences:
|
audiences:
|
||||||
- vault
|
- vault
|
||||||
role: default
|
role: artifactapi
|
||||||
serviceAccount: default
|
serviceAccount: default
|
||||||
tokenExpirationSeconds: 600
|
tokenExpirationSeconds: 600
|
||||||
method: kubernetes
|
method: kubernetes
|
||||||
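Review bot: moving to a per-app Vault role (`role: artifactapi`) is the right direction, but `serviceAccount: default` is unchanged, so the Vault role must still bind the `default` ServiceAccount of namespace artifactapi, and any pod in that namespace running under `default` can request a projected token with the `vault` audience and log in to read `service/artifactapi/*`. Create a ServiceAccount used only by VSO (e.g. `vso-artifactapi`), point `serviceAccount` at it, and bind the Vault role to that name alone; `tokenExpirationSeconds: 600` and `audiences: [vault]` are fine to keep.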
|
|||||||
@@ -1,23 +1,6 @@
|
|||||||
---
|
---
|
||||||
apiVersion: secrets.hashicorp.com/v1beta1
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
kind: VaultStaticSecret
|
kind: VaultStaticSecret
|
||||||
metadata:
|
|
||||||
name: postgres-credentials
|
|
||||||
namespace: artifactapi
|
|
||||||
spec:
|
|
||||||
destination:
|
|
||||||
create: true
|
|
||||||
name: postgres-credentials
|
|
||||||
overwrite: true
|
|
||||||
hmacSecretData: true
|
|
||||||
mount: kv
|
|
||||||
path: kubernetes/namespace/artifactapi/default/postgres-credentials
|
|
||||||
refreshAfter: 5m
|
|
||||||
type: kv-v2
|
|
||||||
vaultAuthRef: default
|
|
||||||
---
|
|
||||||
apiVersion: secrets.hashicorp.com/v1beta1
|
|
||||||
kind: VaultStaticSecret
|
|
||||||
metadata:
|
metadata:
|
||||||
name: environment
|
name: environment
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
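Review bot: dropping the `postgres-credentials` VaultStaticSecret removes the Kubernetes Secret it created once the GitOps controller prunes it, and the replacement in the next hunk has a different name (`postgres-password`) and a different Vault path, so whatever consumes the database credentials must be repointed at the new Secret name and key; that consumer is not in this diff. If nothing reads `kubernetes/namespace/artifactapi/default/postgres-credentials` any more, also delete the data in Vault and drop that path from the policy so it is not left readable.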
@@ -25,10 +8,27 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
create: true
|
create: true
|
||||||
name: environment
|
name: environment
|
||||||
overwrite: true
|
overwrite: false
|
||||||
hmacSecretData: true
|
hmacSecretData: true
|
||||||
mount: kv
|
mount: kv
|
||||||
path: kubernetes/namespace/artifactapi/default/environment
|
path: service/artifactapi/environment
|
||||||
|
refreshAfter: 5m
|
||||||
|
type: kv-v2
|
||||||
|
vaultAuthRef: default
|
||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: postgres-password
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
destination:
|
||||||
|
create: true
|
||||||
|
name: postgres-password
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
mount: kv
|
||||||
|
path: service/artifactapi/postgres-password
|
||||||
refreshAfter: 5m
|
refreshAfter: 5m
|
||||||
type: kv-v2
|
type: kv-v2
|
||||||
vaultAuthRef: default
|
vaultAuthRef: default
|
||||||
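Review bot: `environment` flips `overwrite: true` to `overwrite: false` while the new `postgres-password` keeps `overwrite: true`; in VSO `overwrite` only governs whether a pre-existing Secret not owned by VSO is taken over, so for a Secret VSO itself created it changes nothing, but the inconsistency between the two objects should be deliberate and commented. The path move from `kubernetes/namespace/artifactapi/default/environment` to `service/artifactapi/environment` also requires the policy attached to the new `artifactapi` Vault role to grant read on `kv/data/service/artifactapi/*` (and `kv/metadata/service/artifactapi/*`); if the policy still names the old path, the VaultStaticSecret reports a sync error and the existing Secret keeps its old values.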
|
|||||||
@@ -1,91 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: postgresql.cnpg.io/v1
|
|
||||||
kind: Cluster
|
|
||||||
metadata:
|
|
||||||
name: postgres
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
affinity:
|
|
||||||
podAntiAffinityType: preferred
|
|
||||||
bootstrap:
|
|
||||||
initdb:
|
|
||||||
database: authentik
|
|
||||||
encoding: UTF8
|
|
||||||
localeCType: C
|
|
||||||
localeCollate: C
|
|
||||||
owner: authentik
|
|
||||||
secret:
|
|
||||||
name: postgres-credentials
|
|
||||||
enablePDB: true
|
|
||||||
enableSuperuserAccess: false
|
|
||||||
failoverDelay: 0
|
|
||||||
imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
|
|
||||||
instances: 3
|
|
||||||
logLevel: info
|
|
||||||
maxSyncReplicas: 0
|
|
||||||
minSyncReplicas: 0
|
|
||||||
monitoring:
|
|
||||||
customQueriesConfigMap:
|
|
||||||
- key: queries
|
|
||||||
name: cnpg-default-monitoring
|
|
||||||
disableDefaultQueries: false
|
|
||||||
enablePodMonitor: false
|
|
||||||
postgresql:
|
|
||||||
parameters:
|
|
||||||
archive_mode: "on"
|
|
||||||
archive_timeout: 5min
|
|
||||||
dynamic_shared_memory_type: posix
|
|
||||||
effective_cache_size: 256MB
|
|
||||||
full_page_writes: "on"
|
|
||||||
log_destination: csvlog
|
|
||||||
log_directory: /controller/log
|
|
||||||
log_filename: postgres
|
|
||||||
log_rotation_age: "0"
|
|
||||||
log_rotation_size: "0"
|
|
||||||
log_truncate_on_rotation: "false"
|
|
||||||
logging_collector: "on"
|
|
||||||
max_connections: "200"
|
|
||||||
max_parallel_workers: "16"
|
|
||||||
max_replication_slots: "16"
|
|
||||||
max_worker_processes: "16"
|
|
||||||
shared_buffers: 128MB
|
|
||||||
shared_memory_type: mmap
|
|
||||||
ssl_max_protocol_version: TLSv1.3
|
|
||||||
ssl_min_protocol_version: TLSv1.3
|
|
||||||
wal_keep_size: 256MB
|
|
||||||
wal_level: logical
|
|
||||||
wal_log_hints: "on"
|
|
||||||
wal_receiver_timeout: 5s
|
|
||||||
wal_sender_timeout: 5s
|
|
||||||
syncReplicaElectionConstraint:
|
|
||||||
enabled: false
|
|
||||||
primaryUpdateMethod: restart
|
|
||||||
primaryUpdateStrategy: unsupervised
|
|
||||||
probes:
|
|
||||||
liveness:
|
|
||||||
isolationCheck:
|
|
||||||
connectionTimeout: 1000
|
|
||||||
enabled: true
|
|
||||||
requestTimeout: 1000
|
|
||||||
replicationSlots:
|
|
||||||
highAvailability:
|
|
||||||
enabled: true
|
|
||||||
slotPrefix: _cnpg_
|
|
||||||
synchronizeReplicas:
|
|
||||||
enabled: true
|
|
||||||
updateInterval: 30
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 500m
|
|
||||||
memory: 512Mi
|
|
||||||
requests:
|
|
||||||
cpu: 250m
|
|
||||||
memory: 256Mi
|
|
||||||
smartShutdownTimeout: 180
|
|
||||||
startDelay: 3600
|
|
||||||
stopDelay: 1800
|
|
||||||
storage:
|
|
||||||
resizeInUseVolumes: true
|
|
||||||
size: 20Gi
|
|
||||||
storageClass: cephrbd-fast-delete
|
|
||||||
switchoverDelay: 3600
|
|
||||||
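Review bot: deleting this Cluster removes a 3-instance Postgres whose volumes live on `storageClass: cephrbd-fast-delete` (the name suggests a Delete reclaim policy) and whose spec has no `backup` section, so there is no CNPG object-store backup to fall back on; once pruned, the PVCs and their RBD images go with it. Take and verify a logical dump (`pg_dump` against the `postgres-rw` service) before merging, and remove the Cluster in a separate commit from the Namespace so the deletion can be staged.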
@@ -1,66 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: postgresql.cnpg.io/v1
|
|
||||||
kind: Pooler
|
|
||||||
metadata:
|
|
||||||
name: postgres-pooler-rw
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
cluster:
|
|
||||||
name: postgres
|
|
||||||
instances: 2
|
|
||||||
pgbouncer:
|
|
||||||
parameters:
|
|
||||||
default_pool_size: "100"
|
|
||||||
max_client_conn: "400"
|
|
||||||
paused: false
|
|
||||||
poolMode: session
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: pooler-rw
|
|
||||||
spec:
|
|
||||||
affinity:
|
|
||||||
podAntiAffinity:
|
|
||||||
requiredDuringSchedulingIgnoredDuringExecution:
|
|
||||||
- labelSelector:
|
|
||||||
matchExpressions:
|
|
||||||
- key: app
|
|
||||||
operator: In
|
|
||||||
values:
|
|
||||||
- pooler-rw
|
|
||||||
topologyKey: kubernetes.io/hostname
|
|
||||||
containers: []
|
|
||||||
type: rw
|
|
||||||
---
|
|
||||||
apiVersion: postgresql.cnpg.io/v1
|
|
||||||
kind: Pooler
|
|
||||||
metadata:
|
|
||||||
name: postgres-pooler-ro
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
cluster:
|
|
||||||
name: postgres
|
|
||||||
instances: 2
|
|
||||||
pgbouncer:
|
|
||||||
parameters:
|
|
||||||
default_pool_size: "100"
|
|
||||||
max_client_conn: "400"
|
|
||||||
paused: false
|
|
||||||
poolMode: session
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: pooler-ro
|
|
||||||
spec:
|
|
||||||
affinity:
|
|
||||||
podAntiAffinity:
|
|
||||||
requiredDuringSchedulingIgnoredDuringExecution:
|
|
||||||
- labelSelector:
|
|
||||||
matchExpressions:
|
|
||||||
- key: app
|
|
||||||
operator: In
|
|
||||||
values:
|
|
||||||
- pooler-ro
|
|
||||||
topologyKey: kubernetes.io/hostname
|
|
||||||
containers: []
|
|
||||||
type: ro
|
|
||||||
@@ -1,57 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: Gateway
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
traefik.io/instance: internal
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/cluster-issuer: vault-issuer
|
|
||||||
cert-manager.io/common-name: identity.unkin.net
|
|
||||||
cert-manager.io/private-key-size: "4096"
|
|
||||||
external-dns.alpha.kubernetes.io/hostname: identity.unkin.net,identity.k8s.syd1.au.unkin.net
|
|
||||||
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
|
||||||
name: authentik
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
gatewayClassName: traefik-internal
|
|
||||||
listeners:
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: identity.unkin.net
|
|
||||||
name: http
|
|
||||||
port: 80
|
|
||||||
protocol: HTTP
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: identity.unkin.net
|
|
||||||
name: https
|
|
||||||
port: 443
|
|
||||||
protocol: HTTPS
|
|
||||||
tls:
|
|
||||||
certificateRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Secret
|
|
||||||
name: authentik-tls
|
|
||||||
mode: Terminate
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: identity.k8s.syd1.au.unkin.net
|
|
||||||
name: http-internal
|
|
||||||
port: 80
|
|
||||||
protocol: HTTP
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: identity.k8s.syd1.au.unkin.net
|
|
||||||
name: https-internal
|
|
||||||
port: 443
|
|
||||||
protocol: HTTPS
|
|
||||||
tls:
|
|
||||||
certificateRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Secret
|
|
||||||
name: authentik-tls
|
|
||||||
mode: Terminate
|
|
||||||
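Review bot: removing this Gateway (with the HTTPRoutes in the next hunk) takes `identity.unkin.net` and `identity.k8s.syd1.au.unkin.net` offline, and because the `external-dns.alpha.kubernetes.io/hostname` and `target` annotations live on it, external-dns will also drop those DNS records if it runs with a sync policy; anything still using authentik as its OIDC, SAML or LDAP provider will fail login. Confirm the replacement identity provider is live and that no client still references these hostnames before this lands.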
@@ -1,59 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: authentik-http-redirect
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- identity.unkin.net
|
|
||||||
- identity.k8s.syd1.au.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: authentik
|
|
||||||
sectionName: http
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: authentik
|
|
||||||
sectionName: http-internal
|
|
||||||
rules:
|
|
||||||
- filters:
|
|
||||||
- type: RequestRedirect
|
|
||||||
requestRedirect:
|
|
||||||
scheme: https
|
|
||||||
statusCode: 301
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: authentik
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- identity.unkin.net
|
|
||||||
- identity.k8s.syd1.au.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: authentik
|
|
||||||
sectionName: https
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: authentik
|
|
||||||
sectionName: https-internal
|
|
||||||
rules:
|
|
||||||
- backendRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Service
|
|
||||||
name: authentik-server
|
|
||||||
port: 80
|
|
||||||
weight: 1
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
@@ -1,19 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- cnpg_cluster.yaml
|
|
||||||
- cnpg_pooler.yaml
|
|
||||||
- gateway.yaml
|
|
||||||
- httproute.yaml
|
|
||||||
- ldap-gateway.yaml
|
|
||||||
- ldap-httproute.yaml
|
|
||||||
- ldap-service.yaml
|
|
||||||
- ldap-tlsroute.yaml
|
|
||||||
- namespace.yaml
|
|
||||||
- redis-deployment.yaml
|
|
||||||
- redis-pvc.yaml
|
|
||||||
- redis-service.yaml
|
|
||||||
- vaultauth.yaml
|
|
||||||
- vaultstaticsecret.yaml
|
|
||||||
@@ -1,47 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: Gateway
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
traefik.io/instance: internal
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/cluster-issuer: vault-issuer
|
|
||||||
cert-manager.io/common-name: ldap.k8s.syd1.au.unkin.net
|
|
||||||
cert-manager.io/private-key-size: "4096"
|
|
||||||
name: authentik-ldap
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
gatewayClassName: traefik-internal
|
|
||||||
listeners:
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: ldap.k8s.syd1.au.unkin.net
|
|
||||||
name: ldaps-internal
|
|
||||||
port: 636
|
|
||||||
protocol: TLS
|
|
||||||
tls:
|
|
||||||
mode: Passthrough
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: ldap.main.unkin.net
|
|
||||||
name: ldaps-main
|
|
||||||
port: 636
|
|
||||||
protocol: TLS
|
|
||||||
tls:
|
|
||||||
mode: Passthrough
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: ldap.k8s.syd1.au.unkin.net
|
|
||||||
name: http-dns
|
|
||||||
port: 80
|
|
||||||
protocol: HTTP
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: ldap.main.unkin.net
|
|
||||||
name: http-dns-main
|
|
||||||
port: 80
|
|
||||||
protocol: HTTP
|
|
||||||
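Review bot: for the record, this Gateway carried `cert-manager.io/*` annotations while both 636 listeners were `protocol: TLS` with `tls.mode: Passthrough` and no `certificateRefs`; cert-manager's Gateway support only acts on listeners with `mode: Terminate` and a `certificateRefs` entry, so those annotations were inert and the outpost's own certificate terminated LDAPS. If the LDAP outpost is recreated elsewhere, either drop the cert-manager annotations or switch to Terminate with a certificateRef, not both.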
@@ -1,32 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: authentik-ldap-dns
|
|
||||||
namespace: authentik
|
|
||||||
annotations:
|
|
||||||
external-dns.alpha.kubernetes.io/hostname: ldap.k8s.syd1.au.unkin.net,ldap.main.unkin.net
|
|
||||||
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- ldap.k8s.syd1.au.unkin.net
|
|
||||||
- ldap.main.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: authentik-ldap
|
|
||||||
sectionName: http-dns
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: authentik-ldap
|
|
||||||
sectionName: http-dns-main
|
|
||||||
rules:
|
|
||||||
- filters:
|
|
||||||
- type: RequestRedirect
|
|
||||||
requestRedirect:
|
|
||||||
scheme: https
|
|
||||||
statusCode: 301
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: authentik-ldap
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
internalTrafficPolicy: Cluster
|
|
||||||
ports:
|
|
||||||
- name: ldaps
|
|
||||||
port: 6636
|
|
||||||
protocol: TCP
|
|
||||||
targetPort: 6636
|
|
||||||
selector:
|
|
||||||
app.kubernetes.io/name: authentik
|
|
||||||
app.kubernetes.io/component: ldap
|
|
||||||
sessionAffinity: None
|
|
||||||
type: ClusterIP
|
|
||||||
@@ -1,26 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: TLSRoute
|
|
||||||
metadata:
|
|
||||||
name: authentik-ldaps
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- ldap.k8s.syd1.au.unkin.net
|
|
||||||
- ldap.main.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: authentik-ldap
|
|
||||||
sectionName: ldaps-internal
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: authentik-ldap
|
|
||||||
sectionName: ldaps-main
|
|
||||||
rules:
|
|
||||||
- backendRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Service
|
|
||||||
name: authentik-ldap
|
|
||||||
port: 6636
|
|
||||||
weight: 1
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Namespace
|
|
||||||
metadata:
|
|
||||||
name: authentik
|
|
||||||
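Review bot: deleting `namespace.yaml` in the same change as the workloads means a pruning GitOps controller removes the `authentik` Namespace, which cascades to every object in it including the `redis-data` PVC (5Gi on `cephrbd-fast-delete`) and the CNPG cluster's volumes; there is no undo once the namespace finalizer completes. Stage it: remove workloads and confirm backups in one change, then remove the Namespace and the Vault-side role and policy in the next.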
@@ -1,58 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: redis
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
strategy:
|
|
||||||
type: Recreate
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: redis
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: redis
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: redis
|
|
||||||
image: redis:7-alpine
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
args:
|
|
||||||
- --save
|
|
||||||
- "20"
|
|
||||||
- "1"
|
|
||||||
ports:
|
|
||||||
- containerPort: 6379
|
|
||||||
name: redis
|
|
||||||
protocol: TCP
|
|
||||||
livenessProbe:
|
|
||||||
exec:
|
|
||||||
command:
|
|
||||||
- redis-cli
|
|
||||||
- ping
|
|
||||||
initialDelaySeconds: 5
|
|
||||||
periodSeconds: 10
|
|
||||||
readinessProbe:
|
|
||||||
exec:
|
|
||||||
command:
|
|
||||||
- redis-cli
|
|
||||||
- ping
|
|
||||||
initialDelaySeconds: 5
|
|
||||||
periodSeconds: 10
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 500m
|
|
||||||
memory: 512Mi
|
|
||||||
requests:
|
|
||||||
cpu: 50m
|
|
||||||
memory: 128Mi
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /data
|
|
||||||
name: redis-data
|
|
||||||
volumes:
|
|
||||||
- name: redis-data
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: redis-data
|
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: PersistentVolumeClaim
|
|
||||||
metadata:
|
|
||||||
name: redis-data
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
accessModes:
|
|
||||||
- ReadWriteOnce
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: 5Gi
|
|
||||||
storageClassName: cephrbd-fast-delete
|
|
||||||
@@ -1,17 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: redis
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
internalTrafficPolicy: Cluster
|
|
||||||
ports:
|
|
||||||
- name: redis
|
|
||||||
port: 6379
|
|
||||||
protocol: TCP
|
|
||||||
targetPort: redis
|
|
||||||
selector:
|
|
||||||
app: redis
|
|
||||||
sessionAffinity: None
|
|
||||||
type: ClusterIP
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: secrets.hashicorp.com/v1beta1
|
|
||||||
kind: VaultAuth
|
|
||||||
metadata:
|
|
||||||
name: default
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
allowedNamespaces:
|
|
||||||
- authentik
|
|
||||||
kubernetes:
|
|
||||||
audiences:
|
|
||||||
- vault
|
|
||||||
role: default
|
|
||||||
serviceAccount: default
|
|
||||||
tokenExpirationSeconds: 600
|
|
||||||
method: kubernetes
|
|
||||||
mount: k8s/au/syd1
|
|
||||||
vaultConnectionRef: vso-system/default
|
|
||||||
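Review bot: removing the VaultAuth (and the VaultStaticSecrets in the next hunk) only cleans up the Kubernetes side; the Vault role `default` on mount `k8s/au/syd1` bound to the `authentik/default` ServiceAccount, its policy, and the kv-v2 data under `kv/kubernetes/namespace/authentik/default/*` (postgres, authentik and s3 credentials) stay in Vault, and the S3 credentials stay valid. Revoke or rotate those credentials and delete the role and policy as part of decommissioning, otherwise a recreated `authentik` namespace with a `default` ServiceAccount can read them again.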
@@ -1,51 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: secrets.hashicorp.com/v1beta1
|
|
||||||
kind: VaultStaticSecret
|
|
||||||
metadata:
|
|
||||||
name: postgres-credentials
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
destination:
|
|
||||||
create: true
|
|
||||||
name: postgres-credentials
|
|
||||||
overwrite: true
|
|
||||||
hmacSecretData: true
|
|
||||||
mount: kv
|
|
||||||
path: kubernetes/namespace/authentik/default/postgres-credentials
|
|
||||||
refreshAfter: 5m
|
|
||||||
type: kv-v2
|
|
||||||
vaultAuthRef: default
|
|
||||||
---
|
|
||||||
apiVersion: secrets.hashicorp.com/v1beta1
|
|
||||||
kind: VaultStaticSecret
|
|
||||||
metadata:
|
|
||||||
name: authentik-credentials
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
destination:
|
|
||||||
create: true
|
|
||||||
name: authentik-credentials
|
|
||||||
overwrite: true
|
|
||||||
hmacSecretData: true
|
|
||||||
mount: kv
|
|
||||||
path: kubernetes/namespace/authentik/default/authentik-credentials
|
|
||||||
refreshAfter: 5m
|
|
||||||
type: kv-v2
|
|
||||||
vaultAuthRef: default
|
|
||||||
---
|
|
||||||
apiVersion: secrets.hashicorp.com/v1beta1
|
|
||||||
kind: VaultStaticSecret
|
|
||||||
metadata:
|
|
||||||
name: s3-credentials
|
|
||||||
namespace: authentik
|
|
||||||
spec:
|
|
||||||
destination:
|
|
||||||
create: true
|
|
||||||
name: s3-credentials
|
|
||||||
overwrite: true
|
|
||||||
hmacSecretData: true
|
|
||||||
mount: kv
|
|
||||||
path: kubernetes/namespace/authentik/default/s3-credentials
|
|
||||||
refreshAfter: 5m
|
|
||||||
type: kv-v2
|
|
||||||
vaultAuthRef: default
|
|
||||||
@@ -1,37 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: Gateway
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
traefik.io/instance: internal
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/cluster-issuer: vault-issuer
|
|
||||||
cert-manager.io/common-name: rancher.k8s.syd1.au.unkin.net
|
|
||||||
cert-manager.io/private-key-size: "4096"
|
|
||||||
external-dns.alpha.kubernetes.io/hostname: rancher.k8s.syd1.au.unkin.net
|
|
||||||
external-dns.alpha.kubernetes.io/target: "198.18.200.4"
|
|
||||||
name: rancher
|
|
||||||
namespace: cattle-system
|
|
||||||
spec:
|
|
||||||
gatewayClassName: traefik-internal
|
|
||||||
listeners:
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: rancher.k8s.syd1.au.unkin.net
|
|
||||||
name: http
|
|
||||||
port: 80
|
|
||||||
protocol: HTTP
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: rancher.k8s.syd1.au.unkin.net
|
|
||||||
name: https
|
|
||||||
port: 443
|
|
||||||
protocol: HTTPS
|
|
||||||
tls:
|
|
||||||
certificateRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Secret
|
|
||||||
name: rancher-tls
|
|
||||||
mode: Terminate
|
|
||||||
@@ -1,49 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: rancher-http-redirect
|
|
||||||
namespace: cattle-system
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- rancher.k8s.syd1.au.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: rancher
|
|
||||||
sectionName: http
|
|
||||||
rules:
|
|
||||||
- filters:
|
|
||||||
- type: RequestRedirect
|
|
||||||
requestRedirect:
|
|
||||||
scheme: https
|
|
||||||
statusCode: 301
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: rancher
|
|
||||||
namespace: cattle-system
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- rancher.k8s.syd1.au.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: rancher
|
|
||||||
sectionName: https
|
|
||||||
rules:
|
|
||||||
- backendRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Service
|
|
||||||
name: rancher
|
|
||||||
port: 80
|
|
||||||
weight: 1
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
@@ -0,0 +1,29 @@
|
|||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: rancher
|
||||||
|
namespace: cattle-system
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: rancher.k8s.syd1.au.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: rancher.k8s.syd1.au.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: "198.18.200.0"
|
||||||
|
spec:
|
||||||
|
ingressClassName: nginx
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- rancher.k8s.syd1.au.unkin.net
|
||||||
|
secretName: rancher-tls
|
||||||
|
rules:
|
||||||
|
- host: rancher.k8s.syd1.au.unkin.net
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
pathType: Prefix
|
||||||
|
backend:
|
||||||
|
service:
|
||||||
|
name: rancher
|
||||||
|
port:
|
||||||
|
number: 80
|
||||||
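Review bot: the external-dns target on the new Ingress is `198.18.200.0`, whereas the Gateway removed above pointed at `198.18.200.4`; a `.0` host address is a plausible typo, so confirm it is really the nginx controller's LoadBalancer IP before merging. The removed HTTPRoute also carried an explicit 301 http-to-https redirect and this Ingress has none, so it now relies on the ingress-nginx controller's `ssl-redirect` default for TLS-enabled hosts; if that default has been changed cluster-wide, add `nginx.ingress.kubernetes.io/ssl-redirect: "true"` here.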
@@ -6,5 +6,4 @@ resources:
|
|||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
- vaultauth.yaml
|
- vaultauth.yaml
|
||||||
- vaultstaticsecret.yaml
|
- vaultstaticsecret.yaml
|
||||||
- gateway.yaml
|
- ingress.yaml
|
||||||
- httproute.yaml
|
|
||||||
|
|||||||
@@ -1,53 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: Gateway
|
|
||||||
metadata:
|
|
||||||
name: consul
|
|
||||||
namespace: consul
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: consul
|
|
||||||
app.kubernetes.io/instance: consul
|
|
||||||
traefik.io/instance: internal
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/cluster-issuer: vault-issuer
|
|
||||||
cert-manager.io/common-name: consul.k8s.syd1.au.unkin.net
|
|
||||||
cert-manager.io/private-key-size: "4096"
|
|
||||||
cert-manager.io/alt-names: consul.service.consul
|
|
||||||
external-dns.alpha.kubernetes.io/hostname: consul.k8s.syd1.au.unkin.net
|
|
||||||
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
|
||||||
spec:
|
|
||||||
gatewayClassName: traefik-internal
|
|
||||||
listeners:
|
|
||||||
- name: http
|
|
||||||
port: 80
|
|
||||||
protocol: HTTP
|
|
||||||
hostname: consul.k8s.syd1.au.unkin.net
|
|
||||||
allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
- name: https
|
|
||||||
port: 443
|
|
||||||
protocol: HTTPS
|
|
||||||
hostname: consul.k8s.syd1.au.unkin.net
|
|
||||||
allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
tls:
|
|
||||||
mode: Terminate
|
|
||||||
certificateRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Secret
|
|
||||||
name: consul-tls
|
|
||||||
- name: consul-svc
|
|
||||||
port: 443
|
|
||||||
protocol: HTTPS
|
|
||||||
hostname: consul.service.consul
|
|
||||||
allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
tls:
|
|
||||||
mode: Terminate
|
|
||||||
certificateRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Secret
|
|
||||||
name: consul-tls
|
|
||||||
@@ -1,83 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: consul-http-redirect
|
|
||||||
namespace: consul
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: consul
|
|
||||||
app.kubernetes.io/instance: consul
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- consul.k8s.syd1.au.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: consul
|
|
||||||
sectionName: http
|
|
||||||
rules:
|
|
||||||
- filters:
|
|
||||||
- type: RequestRedirect
|
|
||||||
requestRedirect:
|
|
||||||
scheme: https
|
|
||||||
statusCode: 301
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: consul
|
|
||||||
namespace: consul
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: consul
|
|
||||||
app.kubernetes.io/instance: consul
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- consul.k8s.syd1.au.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: consul
|
|
||||||
sectionName: https
|
|
||||||
rules:
|
|
||||||
- backendRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Service
|
|
||||||
name: consul-ui
|
|
||||||
port: 80
|
|
||||||
weight: 1
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: consul-svc
|
|
||||||
namespace: consul
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: consul
|
|
||||||
app.kubernetes.io/instance: consul
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- consul.service.consul
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: consul
|
|
||||||
sectionName: consul-svc
|
|
||||||
rules:
|
|
||||||
- backendRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Service
|
|
||||||
name: consul-ui
|
|
||||||
port: 80
|
|
||||||
weight: 1
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
@@ -1,8 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- namespace.yaml
|
|
||||||
- gateway.yaml
|
|
||||||
- httproute.yaml
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Namespace
|
|
||||||
metadata:
|
|
||||||
name: consul
|
|
||||||
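Review bot: removing namespace.yaml along with the consul Gateway and HTTPRoutes means a pruning GitOps reconciler deletes the `consul` namespace and everything in it, not only the ingress objects visible in this diff; confirm any Consul data or PVCs in that namespace are backed up or migrated, and that nothing elsewhere still resolves `consul.service.consul` or `consul.k8s.syd1.au.unkin.net` through the removed listeners.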
@@ -7,12 +7,12 @@ resources:
|
|||||||
|
|
||||||
helmCharts:
|
helmCharts:
|
||||||
- name: intel-device-plugins-operator
|
- name: intel-device-plugins-operator
|
||||||
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
|
repo: https://intel.github.io/helm-charts/
|
||||||
version: "0.35.0"
|
version: "0.35.0"
|
||||||
releaseName: intel-device-plugins-operator
|
releaseName: intel-device-plugins-operator
|
||||||
namespace: inteldeviceplugins-system
|
namespace: inteldeviceplugins-system
|
||||||
- name: intel-device-plugins-gpu
|
- name: intel-device-plugins-gpu
|
||||||
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
|
repo: https://intel.github.io/helm-charts/
|
||||||
version: "0.34.1"
|
version: "0.34.1"
|
||||||
releaseName: intel-gpu-plugin
|
releaseName: intel-gpu-plugin
|
||||||
namespace: inteldeviceplugins-system
|
namespace: inteldeviceplugins-system
|
||||||
|
|||||||
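Review bot: both `repo:` lines move from the internal virtual Helm mirror (`artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm`) to the public upstream `https://intel.github.io/helm-charts/`. The `version` pins (`0.35.0`, `0.34.1`) are kept, but a chart version tag is not a content hash, so the build now trusts whatever the public index serves for those versions and loses the mirror's caching and allow-listing. If this is deliberate, say why in the commit message; otherwise keep the mirror in front of the upstream or pull the charts by OCI digest.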
@@ -1,51 +0,0 @@
|
|||||||
# kanidm
|
|
||||||
|
|
||||||
Three-replica kanidm identity server with Vault-managed replication certificates.
|
|
||||||
|
|
||||||
## Architecture
|
|
||||||
|
|
||||||
- Per-pod `server-N.toml` in `resources/` — each has its own replication origin hardcoded
|
|
||||||
- `config-init` busybox init container copies the right config and injects peer certs from the
|
|
||||||
vault-synced `kanidm-repl-certs` Secret at pod startup
|
|
||||||
- `reloader.stakater.com/auto: "true"` triggers a rolling restart when the ConfigMap or Secret changes
|
|
||||||
- Vault path: `kv/kubernetes/namespace/kanidm/default/repl-certs`
|
|
||||||
- Keys: `kanidm-0`, `kanidm-1`, `kanidm-2` — each holds that pod's replication certificate
|
|
||||||
|
|
||||||
## Initial setup
|
|
||||||
|
|
||||||
After the first pod starts, generate the admin credentials:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account -c /config/server.toml admin
|
|
||||||
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account -c /config/server.toml idm_admin
|
|
||||||
```
|
|
||||||
|
|
||||||
## Replication certificate rotation
|
|
||||||
|
|
||||||
When certs need to be renewed, update vault and reloader will roll the StatefulSet:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# Get new cert from a pod
|
|
||||||
kubectl exec -it -n kanidm kanidm-N -- /sbin/kanidmd renew-replication-certificate -c /config/server.toml
|
|
||||||
|
|
||||||
# Write updated cert to vault (reloader triggers restart automatically)
|
|
||||||
vault kv patch kv/kubernetes/namespace/kanidm/default/repl-certs "kanidm-N=<cert>"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Resolving domain UUID mismatch
|
|
||||||
|
|
||||||
If pods initialized independently (each with a different domain UUID), replication will fail with
|
|
||||||
`Consumer Domain UUID does not match`. Fix by resetting kanidm-1 and kanidm-2 to sync from
|
|
||||||
kanidm-0 (the authoritative node):
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# Scale down to avoid split-brain during reset
|
|
||||||
kubectl scale statefulset -n kanidm kanidm --replicas=1
|
|
||||||
|
|
||||||
# Delete the stale PVCs for the replica pods
|
|
||||||
kubectl delete pvc -n kanidm data-kanidm-1 data-kanidm-2
|
|
||||||
|
|
||||||
# Scale back up — replicas start with empty DBs and automatic_refresh=true
|
|
||||||
# will trigger a full sync from kanidm-0 once TLS peer certs are verified
|
|
||||||
kubectl scale statefulset -n kanidm kanidm --replicas=3
|
|
||||||
```
|
|
||||||
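Review bot: the README being deleted is the only place the Vault path `kv/kubernetes/namespace/kanidm/default/repl-certs` and the per-pod keys `kanidm-0`..`kanidm-2` are documented. This commit removes the Kubernetes side but nothing in it touches Vault, so the replication certificates and the `default` Kubernetes auth role for this namespace stay live in Vault; delete or revoke them as part of decommissioning, or keep this README until that is done.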
@@ -1,26 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: cert-manager.io/v1
|
|
||||||
kind: Certificate
|
|
||||||
metadata:
|
|
||||||
name: kanidm-tls
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
spec:
|
|
||||||
secretName: kanidm-tls
|
|
||||||
issuerRef:
|
|
||||||
kind: ClusterIssuer
|
|
||||||
name: vault-issuer
|
|
||||||
commonName: auth.unkin.net
|
|
||||||
dnsNames:
|
|
||||||
- auth.unkin.net
|
|
||||||
- au.auth.unkin.net
|
|
||||||
- kanidm.k8s.syd1.au.unkin.net
|
|
||||||
- kanidm.kanidm.svc.cluster.local
|
|
||||||
- kanidm-0.kanidm-headless.kanidm.svc.cluster.local
|
|
||||||
- kanidm-1.kanidm-headless.kanidm.svc.cluster.local
|
|
||||||
- kanidm-2.kanidm-headless.kanidm.svc.cluster.local
|
|
||||||
privateKey:
|
|
||||||
algorithm: RSA
|
|
||||||
size: 4096
|
|
||||||
@@ -1,30 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: Gateway
|
|
||||||
metadata:
|
|
||||||
name: kanidm
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
traefik.io/instance: internal
|
|
||||||
annotations:
|
|
||||||
external-dns.alpha.kubernetes.io/hostname: kanidm.k8s.syd1.au.unkin.net
|
|
||||||
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
|
||||||
spec:
|
|
||||||
gatewayClassName: traefik-internal
|
|
||||||
listeners:
|
|
||||||
- name: http
|
|
||||||
port: 80
|
|
||||||
protocol: HTTP
|
|
||||||
allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
- name: https-passthrough
|
|
||||||
port: 443
|
|
||||||
protocol: TLS
|
|
||||||
tls:
|
|
||||||
mode: Passthrough
|
|
||||||
allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
@@ -1,29 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: kanidm-http-redirect
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- kanidm.k8s.syd1.au.unkin.net
|
|
||||||
- auth.unkin.net
|
|
||||||
- au.auth.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: kanidm
|
|
||||||
sectionName: http
|
|
||||||
rules:
|
|
||||||
- filters:
|
|
||||||
- type: RequestRedirect
|
|
||||||
requestRedirect:
|
|
||||||
scheme: https
|
|
||||||
statusCode: 301
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
@@ -1,27 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- namespace.yaml
|
|
||||||
- serviceaccount.yaml
|
|
||||||
- vaultauth.yaml
|
|
||||||
- vaultstaticsecret.yaml
|
|
||||||
- certificate.yaml
|
|
||||||
- service.yaml
|
|
||||||
- statefulset.yaml
|
|
||||||
- poddisruptionbudget.yaml
|
|
||||||
- gateway.yaml
|
|
||||||
- httproute.yaml
|
|
||||||
- tlsroute.yaml
|
|
||||||
|
|
||||||
configMapGenerator:
|
|
||||||
- name: kanidm-config
|
|
||||||
namespace: kanidm
|
|
||||||
options:
|
|
||||||
disableNameSuffixHash: true
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
files:
|
|
||||||
- server-0.toml=resources/server-0.toml
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Namespace
|
|
||||||
metadata:
|
|
||||||
name: kanidm
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: policy/v1
|
|
||||||
kind: PodDisruptionBudget
|
|
||||||
metadata:
|
|
||||||
name: kanidm
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
spec:
|
|
||||||
maxUnavailable: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
@@ -1,37 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
name: kanidm-repl
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["pods"]
|
|
||||||
verbs: ["get", "list"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["pods/exec"]
|
|
||||||
verbs: ["create"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["configmaps"]
|
|
||||||
resourceNames: ["kanidm-repl-certs"]
|
|
||||||
verbs: ["get", "patch"]
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
name: kanidm-repl
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: kanidm
|
|
||||||
namespace: kanidm
|
|
||||||
roleRef:
|
|
||||||
kind: Role
|
|
||||||
name: kanidm-repl
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
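Review bot: the Role being removed granted the `kanidm` ServiceAccount `create` on `pods/exec` for every pod in the namespace plus `patch` on a `kanidm-repl-certs` ConfigMap, while the README and the VaultStaticSecret in this same commit show the replication certs delivered as a Secret of that name, so the ConfigMap rule never matched anything. Dropping it is an improvement; if the stack is reintroduced, scope exec to the named pods and fix the resource kind rather than reviving this Role as-is.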
@@ -1,15 +0,0 @@
|
|||||||
version = "2"
|
|
||||||
|
|
||||||
domain = "auth.unkin.net"
|
|
||||||
origin = "https://auth.unkin.net"
|
|
||||||
bindaddress = "[::]:8443"
|
|
||||||
db_path = "/data/kanidm.db"
|
|
||||||
db_arc_size = 2048
|
|
||||||
tls_chain = "/data/tls/tls.crt"
|
|
||||||
tls_key = "/data/tls/tls.key"
|
|
||||||
log_level = "info"
|
|
||||||
|
|
||||||
[online_backup]
|
|
||||||
path = "/data/backups/"
|
|
||||||
schedule = "0 22 * * *"
|
|
||||||
versions = 7
|
|
||||||
@@ -1,43 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: kanidm
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
spec:
|
|
||||||
type: ClusterIP
|
|
||||||
sessionAffinity: ClientIP
|
|
||||||
sessionAffinityConfig:
|
|
||||||
clientIP:
|
|
||||||
timeoutSeconds: 10800
|
|
||||||
ports:
|
|
||||||
- name: https
|
|
||||||
port: 8443
|
|
||||||
targetPort: https
|
|
||||||
protocol: TCP
|
|
||||||
selector:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: kanidm-headless
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
spec:
|
|
||||||
type: ClusterIP
|
|
||||||
clusterIP: None
|
|
||||||
ports:
|
|
||||||
- name: https
|
|
||||||
port: 8443
|
|
||||||
targetPort: https
|
|
||||||
protocol: TCP
|
|
||||||
selector:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: kanidm
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
@@ -1,85 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: StatefulSet
|
|
||||||
metadata:
|
|
||||||
name: kanidm
|
|
||||||
namespace: kanidm
|
|
||||||
annotations:
|
|
||||||
reloader.stakater.com/auto: "true"
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
spec:
|
|
||||||
serviceName: kanidm-headless
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
spec:
|
|
||||||
serviceAccountName: kanidm
|
|
||||||
securityContext:
|
|
||||||
runAsUser: 1000
|
|
||||||
runAsGroup: 1000
|
|
||||||
runAsNonRoot: true
|
|
||||||
fsGroup: 1000
|
|
||||||
containers:
|
|
||||||
- name: kanidm
|
|
||||||
image: kanidm/server:1.10.3
|
|
||||||
command: ["/sbin/kanidmd"]
|
|
||||||
args: ["server", "-c", "/config/server.toml"]
|
|
||||||
ports:
|
|
||||||
- name: https
|
|
||||||
containerPort: 8443
|
|
||||||
protocol: TCP
|
|
||||||
volumeMounts:
|
|
||||||
- name: data
|
|
||||||
mountPath: /data
|
|
||||||
- name: config
|
|
||||||
mountPath: /config/server.toml
|
|
||||||
subPath: server-0.toml
|
|
||||||
readOnly: true
|
|
||||||
- name: tls
|
|
||||||
mountPath: /data/tls
|
|
||||||
readOnly: true
|
|
||||||
securityContext:
|
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
readOnlyRootFilesystem: false
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
memory: 256Mi
|
|
||||||
cpu: 100m
|
|
||||||
limits:
|
|
||||||
memory: 1Gi
|
|
||||||
cpu: 500m
|
|
||||||
readinessProbe:
|
|
||||||
tcpSocket:
|
|
||||||
port: 8443
|
|
||||||
initialDelaySeconds: 15
|
|
||||||
periodSeconds: 10
|
|
||||||
livenessProbe:
|
|
||||||
tcpSocket:
|
|
||||||
port: 8443
|
|
||||||
initialDelaySeconds: 30
|
|
||||||
periodSeconds: 30
|
|
||||||
volumes:
|
|
||||||
- name: config
|
|
||||||
configMap:
|
|
||||||
name: kanidm-config
|
|
||||||
- name: tls
|
|
||||||
secret:
|
|
||||||
secretName: kanidm-tls
|
|
||||||
volumeClaimTemplates:
|
|
||||||
- metadata:
|
|
||||||
name: data
|
|
||||||
spec:
|
|
||||||
accessModes: [ReadWriteOnce]
|
|
||||||
storageClassName: cephrbd-fast-delete
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: 10Gi
|
|
||||||
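Review bot: the single PVC (`data`, `storageClassName: cephrbd-fast-delete`, 10Gi) holds both the database (`db_path = "/data/kanidm.db"` in the removed server.toml) and the scheduled backups (`[online_backup] path = "/data/backups/"`), so pruning this StatefulSet and its claim on a storage class whose name suggests a Delete reclaim policy removes the identity database and every backup of it at once; take an off-volume copy of `/data/backups/` before merging. Also, for the record while it is still visible: `replicas: 1` and a configMapGenerator that only ships `server-0.toml` contradict the three-replica design described in the README, and the container ran with `readOnlyRootFilesystem: false`.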
@@ -1,26 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: TLSRoute
|
|
||||||
metadata:
|
|
||||||
name: kanidm
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- kanidm.k8s.syd1.au.unkin.net
|
|
||||||
- auth.unkin.net
|
|
||||||
- au.auth.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: kanidm
|
|
||||||
sectionName: https-passthrough
|
|
||||||
rules:
|
|
||||||
- backendRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Service
|
|
||||||
name: kanidm
|
|
||||||
port: 8443
|
|
||||||
weight: 1
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: secrets.hashicorp.com/v1beta1
|
|
||||||
kind: VaultAuth
|
|
||||||
metadata:
|
|
||||||
name: default
|
|
||||||
namespace: kanidm
|
|
||||||
spec:
|
|
||||||
allowedNamespaces:
|
|
||||||
- kanidm
|
|
||||||
kubernetes:
|
|
||||||
audiences:
|
|
||||||
- vault
|
|
||||||
role: default
|
|
||||||
serviceAccount: default
|
|
||||||
tokenExpirationSeconds: 600
|
|
||||||
method: kubernetes
|
|
||||||
mount: k8s/au/syd1
|
|
||||||
vaultConnectionRef: vso-system/default
|
|
||||||
@@ -1,23 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: secrets.hashicorp.com/v1beta1
|
|
||||||
kind: VaultStaticSecret
|
|
||||||
metadata:
|
|
||||||
name: repl-certs
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
spec:
|
|
||||||
vaultAuthRef: default
|
|
||||||
mount: kv
|
|
||||||
type: kv-v2
|
|
||||||
path: kubernetes/namespace/kanidm/default/repl-certs
|
|
||||||
refreshAfter: 5m
|
|
||||||
destination:
|
|
||||||
name: kanidm-repl-certs
|
|
||||||
create: true
|
|
||||||
overwrite: true
|
|
||||||
hmacSecretData: true
|
|
||||||
rolloutRestartTargets:
|
|
||||||
- kind: StatefulSet
|
|
||||||
name: kanidm
|
|
||||||
@@ -76,11 +76,11 @@ spec:
|
|||||||
updateInterval: 30
|
updateInterval: 30
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: "1"
|
cpu: 500m
|
||||||
memory: 1Gi
|
memory: 512Mi
|
||||||
requests:
|
requests:
|
||||||
cpu: 250m
|
cpu: 250m
|
||||||
memory: 512Mi
|
memory: 256Mi
|
||||||
smartShutdownTimeout: 180
|
smartShutdownTimeout: 180
|
||||||
startDelay: 3600
|
startDelay: 3600
|
||||||
stopDelay: 1800
|
stopDelay: 1800
|
||||||
|
|||||||
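Review bot: the memory limit drops from 1Gi to 512Mi and the request from 512Mi to 256Mi for a PostgreSQL instance. The `postgresql.parameters` for this cluster are outside the hunk, but at 512Mi `shared_buffers` plus per-connection work memory for the configured `max_connections` has to fit or the instance is OOM-killed mid-WAL, which is what the failover settings below would then be exercising. Size the new limit from observed RSS on the running pods, and consider setting the memory request equal to the limit so the database is not the first pod the kubelet evicts.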
@@ -10,8 +10,6 @@ spec:
|
|||||||
app: litellm
|
app: litellm
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
|
||||||
reloader.stakater.com/auto: "true"
|
|
||||||
labels:
|
labels:
|
||||||
app: litellm
|
app: litellm
|
||||||
spec:
|
spec:
|
||||||
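Review bot: dropping `reloader.stakater.com/auto: "true"` from the pod template means changes to `litellm-credentials` or the mounted `config` ConfigMap no longer trigger a rollout; because the configMapGenerator for `config.yaml` uses `disableNameSuffixHash: true` (see the kustomization hunk below), the ConfigMap name never changes either, so running pods keep stale credentials and config until something else restarts them. If stopping restarts on secret rotation is the goal, state it; otherwise keep the annotation or let kustomize hash the ConfigMap name.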
@@ -33,8 +31,6 @@ spec:
|
|||||||
envFrom:
|
envFrom:
|
||||||
- secretRef:
|
- secretRef:
|
||||||
name: litellm-credentials
|
name: litellm-credentials
|
||||||
- configMapRef:
|
|
||||||
name: litellm-env
|
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
path: /health/liveliness
|
path: /health/liveliness
|
||||||
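Review bot: removing the `litellm-env` configMapRef drops `STORE_MODEL_IN_DB=True` (its generator is deleted in the kustomization hunk below). LiteLLM uses that flag to persist models added through the proxy UI or API in the database, so after this change only `resources/config.yaml` defines the model list; confirm that is intended and that no model entries exist only in the database before rolling out.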
@@ -55,11 +51,11 @@ spec:
|
|||||||
timeoutSeconds: 5
|
timeoutSeconds: 5
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: "2"
|
cpu: "1"
|
||||||
memory: 8Gi
|
memory: 2Gi
|
||||||
requests:
|
requests:
|
||||||
cpu: 250m
|
cpu: 250m
|
||||||
memory: 6Gi
|
memory: 512Mi
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- mountPath: /app/config.yaml
|
- mountPath: /app/config.yaml
|
||||||
name: config
|
name: config
|
||||||
|
|||||||
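Review bot: the memory request falls from 6Gi to 512Mi while the limit is 2Gi, a 4x gap where the old pair (6Gi/8Gi) was nearly Guaranteed. The scheduler will now place replicas on nodes with only 512Mi to spare, so under load several pods can be OOM-killed together; base the request on observed P95 RSS rather than a round number, or keep request and limit closer together.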
@@ -1,37 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: Gateway
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
traefik.io/instance: internal
|
|
||||||
annotations:
|
|
||||||
cert-manager.io/cluster-issuer: vault-issuer
|
|
||||||
cert-manager.io/common-name: litellm.k8s.syd1.au.unkin.net
|
|
||||||
cert-manager.io/private-key-size: "4096"
|
|
||||||
external-dns.alpha.kubernetes.io/hostname: litellm.k8s.syd1.au.unkin.net
|
|
||||||
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
|
||||||
name: litellm
|
|
||||||
namespace: litellm
|
|
||||||
spec:
|
|
||||||
gatewayClassName: traefik-internal
|
|
||||||
listeners:
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: litellm.k8s.syd1.au.unkin.net
|
|
||||||
name: http
|
|
||||||
port: 80
|
|
||||||
protocol: HTTP
|
|
||||||
- allowedRoutes:
|
|
||||||
namespaces:
|
|
||||||
from: Same
|
|
||||||
hostname: litellm.k8s.syd1.au.unkin.net
|
|
||||||
name: https
|
|
||||||
port: 443
|
|
||||||
protocol: HTTPS
|
|
||||||
tls:
|
|
||||||
certificateRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Secret
|
|
||||||
name: litellm-tls
|
|
||||||
mode: Terminate
|
|
||||||
@@ -10,14 +10,14 @@ spec:
|
|||||||
kind: Deployment
|
kind: Deployment
|
||||||
name: litellm
|
name: litellm
|
||||||
minReplicas: 2
|
minReplicas: 2
|
||||||
maxReplicas: 4
|
maxReplicas: 10
|
||||||
metrics:
|
metrics:
|
||||||
- type: Resource
|
- type: Resource
|
||||||
resource:
|
resource:
|
||||||
name: cpu
|
name: cpu
|
||||||
target:
|
target:
|
||||||
type: Utilization
|
type: Utilization
|
||||||
averageUtilization: 80
|
averageUtilization: 60
|
||||||
behavior:
|
behavior:
|
||||||
scaleUp:
|
scaleUp:
|
||||||
stabilizationWindowSeconds: 0
|
stabilizationWindowSeconds: 0
|
||||||
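Review bot: `maxReplicas` rises from 4 to 10 and the CPU target falls from 80% to 60%, so the HPA scales earlier and further. With the per-pod limits from the deployment hunk above (1 CPU, 2Gi) the ceiling becomes 10 CPU and 20Gi; confirm the cluster and any namespace ResourceQuota can hold that, since otherwise scale-up yields Pending pods rather than capacity, and check that the limits in `cnpg_pooler.yaml` (listed in this kustomization) cover the database connections of 10 replicas.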
@@ -25,7 +25,7 @@ spec:
|
|||||||
policies:
|
policies:
|
||||||
- type: Percent
|
- type: Percent
|
||||||
value: 100
|
value: 100
|
||||||
periodSeconds: 60
|
periodSeconds: 30
|
||||||
- type: Pods
|
- type: Pods
|
||||||
value: 4
|
value: 4
|
||||||
periodSeconds: 30
|
periodSeconds: 30
|
||||||
@@ -34,7 +34,7 @@ spec:
|
|||||||
selectPolicy: Min
|
selectPolicy: Min
|
||||||
policies:
|
policies:
|
||||||
- type: Percent
|
- type: Percent
|
||||||
value: 30
|
value: 10
|
||||||
periodSeconds: 60
|
periodSeconds: 60
|
||||||
- type: Pods
|
- type: Pods
|
||||||
value: 2
|
value: 2
|
||||||
|
|||||||
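Review bot: the scale-down Percent policy drops from 30 to 10 per 60s under `selectPolicy: Min`, so from 10 replicas the HPA removes at most one pod per minute (10% of 10 is 1, which is less than the Pods policy of 2). That is safe, but together with the 0-second scale-up stabilization window it biases the deployment toward staying scaled out; fine if cost is secondary, just worth stating in the commit message.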
@@ -1,49 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: litellm-http-redirect
|
|
||||||
namespace: litellm
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- litellm.k8s.syd1.au.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: litellm
|
|
||||||
sectionName: http
|
|
||||||
rules:
|
|
||||||
- filters:
|
|
||||||
- type: RequestRedirect
|
|
||||||
requestRedirect:
|
|
||||||
scheme: https
|
|
||||||
statusCode: 301
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
---
|
|
||||||
apiVersion: gateway.networking.k8s.io/v1
|
|
||||||
kind: HTTPRoute
|
|
||||||
metadata:
|
|
||||||
name: litellm
|
|
||||||
namespace: litellm
|
|
||||||
spec:
|
|
||||||
hostnames:
|
|
||||||
- litellm.k8s.syd1.au.unkin.net
|
|
||||||
parentRefs:
|
|
||||||
- group: gateway.networking.k8s.io
|
|
||||||
kind: Gateway
|
|
||||||
name: litellm
|
|
||||||
sectionName: https
|
|
||||||
rules:
|
|
||||||
- backendRefs:
|
|
||||||
- group: ""
|
|
||||||
kind: Service
|
|
||||||
name: litellm
|
|
||||||
port: 4000
|
|
||||||
weight: 1
|
|
||||||
matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
@@ -0,0 +1,29 @@
|
|||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/ingress.class: nginx
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: litellm.k8s.syd1.au.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: 198.18.200.0
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: litellm.k8s.syd1.au.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
name: litellm
|
||||||
|
namespace: litellm
|
||||||
|
spec:
|
||||||
|
rules:
|
||||||
|
- host: litellm.k8s.syd1.au.unkin.net
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- backend:
|
||||||
|
service:
|
||||||
|
name: litellm
|
||||||
|
port:
|
||||||
|
number: 4000
|
||||||
|
path: /
|
||||||
|
pathType: Prefix
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- litellm.k8s.syd1.au.unkin.net
|
||||||
|
secretName: litellm-tls
|
||||||
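Review bot: this Ingress selects its controller with the deprecated `kubernetes.io/ingress.class: nginx` annotation, whereas the rancher Ingress added in the same commit uses `spec.ingressClassName: nginx`; use `ingressClassName` here as well, since a controller with annotation handling disabled or a cluster default IngressClass would otherwise claim this host unexpectedly. As with rancher, the external-dns target changes from `198.18.200.4` to `198.18.200.0` and the explicit redirect from the removed HTTPRoute is gone, so confirm the controller's ssl-redirect default applies to this host.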
@@ -7,8 +7,7 @@ resources:
|
|||||||
- cnpg_pooler.yaml
|
- cnpg_pooler.yaml
|
||||||
- deployment.yaml
|
- deployment.yaml
|
||||||
- hpa.yaml
|
- hpa.yaml
|
||||||
- gateway.yaml
|
- ingress.yaml
|
||||||
- httproute.yaml
|
|
||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
- redis-deployment.yaml
|
- redis-deployment.yaml
|
||||||
- redis-pvc.yaml
|
- redis-pvc.yaml
|
||||||
@@ -22,8 +21,3 @@ configMapGenerator:
|
|||||||
- config.yaml=resources/config.yaml
|
- config.yaml=resources/config.yaml
|
||||||
options:
|
options:
|
||||||
disableNameSuffixHash: true
|
disableNameSuffixHash: true
|
||||||
- name: litellm-env
|
|
||||||
literals:
|
|
||||||
- STORE_MODEL_IN_DB=True
|
|
||||||
options:
|
|
||||||
disableNameSuffixHash: true
|
|
||||||
|
|||||||
@@ -1,91 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: postgresql.cnpg.io/v1
|
|
||||||
kind: Cluster
|
|
||||||
metadata:
|
|
||||||
name: paperclip-postgres
|
|
||||||
namespace: paperclip
|
|
||||||
spec:
|
|
||||||
affinity:
|
|
||||||
podAntiAffinityType: preferred
|
|
||||||
bootstrap:
|
|
||||||
initdb:
|
|
||||||
database: paperclip
|
|
||||||
encoding: UTF8
|
|
||||||
localeCType: C
|
|
||||||
localeCollate: C
|
|
||||||
owner: paperclip
|
|
||||||
secret:
|
|
||||||
name: postgres-credentials
|
|
||||||
enablePDB: true
|
|
||||||
enableSuperuserAccess: false
|
|
||||||
failoverDelay: 0
|
|
||||||
imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
|
|
||||||
instances: 3
|
|
||||||
logLevel: info
|
|
||||||
maxSyncReplicas: 0
|
|
||||||
minSyncReplicas: 0
|
|
||||||
monitoring:
|
|
||||||
customQueriesConfigMap:
|
|
||||||
- key: queries
|
|
||||||
name: cnpg-default-monitoring
|
|
||||||
disableDefaultQueries: false
|
|
||||||
enablePodMonitor: false
|
|
||||||
postgresql:
|
|
||||||
parameters:
|
|
||||||
archive_mode: "on"
|
|
||||||
archive_timeout: 5min
|
|
||||||
dynamic_shared_memory_type: posix
|
|
||||||
effective_cache_size: 256MB
|
|
||||||
full_page_writes: "on"
|
|
||||||
log_destination: csvlog
|
|
||||||
log_directory: /controller/log
|
|
||||||
log_filename: postgres
|
|
||||||
log_rotation_age: "0"
|
|
||||||
log_rotation_size: "0"
|
|
||||||
log_truncate_on_rotation: "false"
|
|
||||||
logging_collector: "on"
|
|
||||||
max_connections: "200"
|
|
||||||
max_parallel_workers: "16"
|
|
||||||
max_replication_slots: "16"
|
|
||||||
max_worker_processes: "16"
|
|
||||||
shared_buffers: 128MB
|
|
||||||
shared_memory_type: mmap
|
|
||||||
ssl_max_protocol_version: TLSv1.3
|
|
||||||
ssl_min_protocol_version: TLSv1.3
|
|
||||||
wal_keep_size: 256MB
|
|
||||||
wal_level: logical
|
|
||||||
wal_log_hints: "on"
|
|
||||||
wal_receiver_timeout: 5s
|
|
||||||
wal_sender_timeout: 5s
|
|
||||||
syncReplicaElectionConstraint:
|
|
||||||
enabled: false
|
|
||||||
primaryUpdateMethod: restart
|
|
||||||
primaryUpdateStrategy: unsupervised
|
|
||||||
probes:
|
|
||||||
liveness:
|
|
||||||
isolationCheck:
|
|
||||||
connectionTimeout: 1000
|
|
||||||
enabled: true
|
|
||||||
requestTimeout: 1000
|
|
||||||
replicationSlots:
|
|
||||||
highAvailability:
|
|
||||||
enabled: true
|
|
||||||
slotPrefix: _cnpg_
|
|
||||||
synchronizeReplicas:
|
|
||||||
enabled: true
|
|
||||||
updateInterval: 30
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 500m
|
|
||||||
memory: 512Mi
|
|
||||||
requests:
|
|
||||||
cpu: 250m
|
|
||||||
memory: 256Mi
|
|
||||||
smartShutdownTimeout: 180
|
|
||||||
startDelay: 3600
|
|
||||||
stopDelay: 1800
|
|
||||||
storage:
|
|
||||||
resizeInUseVolumes: true
|
|
||||||
size: 10Gi
|
|
||||||
storageClass: cephrbd-fast-delete
|
|
||||||
switchoverDelay: 3600
|
|
||||||
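Review bot: this CNPG Cluster has no `backup` section and uses `storageClass: cephrbd-fast-delete`, so deleting the resource removes the primary, both replicas and their PVCs with no base backup or WAL archive to restore from (`archive_mode: "on"` alone archives nowhere without a configured destination). If the paperclip database is not disposable, take a `pg_dump` or configure a barmanObjectStore backup and verify a restore before merging. Also worth carrying forward to whatever replaces it: `enableSuperuserAccess: false` and `ssl_min_protocol_version`/`ssl_max_protocol_version` pinned to TLSv1.3.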
@@ -1,33 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: paperclip-pooler-rw
namespace: paperclip
spec:
cluster:
name: paperclip-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler
topologyKey: kubernetes.io/hostname
containers: []
type: rw
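Review bot: `default_pool_size: "100"` across `instances: 2` lets PgBouncer open up to 200 server connections for a single user/database pair, which matches the `max_connections: "200"` set on the Cluster in the previous hunk; that leaves no headroom for the operator's own probes, replication or the reserved superuser slots, and under load clients would see connection errors from Postgres itself rather than queueing at the pooler. With `poolMode: session` a client keeps its server connection for the whole session, so only 100 clients per instance are served at once and the rest of the `max_client_conn: "400"` wait. If this Pooler is ever reinstated, size `default_pool_size` well below `max_connections` divided by the instance count.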
@@ -1,108 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: paperclip
namespace: paperclip
spec:
selector:
matchLabels:
app: paperclip
template:
metadata:
labels:
app: paperclip
spec:
containers:
- name: paperclip
image: ghcr.io/paperclipai/paperclip:latest
imagePullPolicy: Always
ports:
- containerPort: 3100
name: http
protocol: TCP
env:
- name: PORT
value: "3100"
- name: PAPERCLIP_BIND
value: custom
- name: PAPERCLIP_BIND_HOST
value: 0.0.0.0
- name: PAPERCLIP_API_URL
value: https://paperclip.k8s.syd1.au.unkin.net
- name: BETTER_AUTH_BASE_URL
value: https://paperclip.k8s.syd1.au.unkin.net
- name: PAPERCLIP_ALLOWED_HOSTNAMES
value: paperclip.k8s.syd1.au.unkin.net,localhost
- name: PAPERCLIP_HOME
value: /paperclip
- name: PAPERCLIP_INSTANCE_ID
value: default
- name: PAPERCLIP_DEPLOYMENT_MODE
value: authenticated
- name: PAPERCLIP_DEPLOYMENT_EXPOSURE
value: private
- name: SERVE_UI
value: "true"
- name: HEARTBEAT_SCHEDULER_ENABLED
value: "true"
- name: PAPERCLIP_MIGRATION_AUTO_APPLY
value: "true"
- name: PAPERCLIP_STORAGE_PROVIDER
value: s3
- name: PAPERCLIP_STORAGE_S3_BUCKET
value: paperclip
- name: PAPERCLIP_STORAGE_S3_REGION
value: us-east-1
- name: PAPERCLIP_STORAGE_S3_ENDPOINT
value: https://radosgw.service.consul
- name: PAPERCLIP_STORAGE_S3_FORCE_PATH_STYLE
value: "true"
- name: NODE_EXTRA_CA_CERTS
value: /etc/ssl/paperclip/ca.crt
envFrom:
- secretRef:
name: paperclip-credentials
volumeMounts:
- name: vault-ca-cert
mountPath: /etc/ssl/paperclip
readOnly: true
livenessProbe:
httpGet:
path: /api/health
port: 3100
httpHeaders:
- name: Host
value: localhost
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /api/health
port: 3100
httpHeaders:
- name: Host
value: localhost
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: "1"
memory: 2Gi
requests:
cpu: 250m
memory: 512Mi
volumes:
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
items:
- key: ca.crt
path: ca.crt
restartPolicy: Always
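Review bot: `image: ghcr.io/paperclipai/paperclip:latest` with `imagePullPolicy: Always` means every pod restart may pull a different build, so the running version is neither reproducible nor rollback-able and a broken or compromised upstream push reaches the cluster on the next restart; pin a tag or, better, a digest. The same pod spec has no `securityContext` (no `runAsNonRoot`, `readOnlyRootFilesystem` or dropped capabilities) and sets neither `serviceAccountName` nor `automountServiceAccountToken: false`, so the container runs with the namespace's default ServiceAccount token mounted, which matters because the VaultAuth in this change binds Vault role `default` to that same ServiceAccount. The credential handling is otherwise sound: `envFrom` reads the Vault-synced `paperclip-credentials` Secret instead of inlining values, and `NODE_EXTRA_CA_CERTS` points at a read-only mount of `vault-ca-cert`.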
@@ -1,37 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: paperclip.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: paperclip.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
name: paperclip
namespace: paperclip
spec:
gatewayClassName: traefik-internal
listeners:
- allowedRoutes:
namespaces:
from: Same
hostname: paperclip.k8s.syd1.au.unkin.net
name: http
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: Same
hostname: paperclip.k8s.syd1.au.unkin.net
name: https
port: 443
protocol: HTTPS
tls:
certificateRefs:
- group: ""
kind: Secret
name: paperclip-tls
mode: Terminate
@@ -1,49 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: paperclip-http-redirect
namespace: paperclip
spec:
hostnames:
- paperclip.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: paperclip
sectionName: http
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: paperclip
namespace: paperclip
spec:
hostnames:
- paperclip.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: paperclip
sectionName: https
rules:
- backendRefs:
- group: ""
kind: Service
name: paperclip
port: 3100
weight: 1
matches:
- path:
type: PathPrefix
value: /
@@ -1,14 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- deployment.yaml
- gateway.yaml
- httproute.yaml
- namespace.yaml
- services.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: paperclip
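Review bot: The Namespace carries no Pod Security Admission labels (`pod-security.kubernetes.io/enforce` and its `audit`/`warn` siblings), so the paperclip Deployment, which sets no `securityContext` of its own, is admitted under whatever the cluster-wide default happens to be. Labelling the namespace `enforce: restricted` (or at least `baseline`) would surface that gap at admission time; worth carrying over if this stack is re-created elsewhere.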
@@ -1,17 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: paperclip
namespace: paperclip
spec:
internalTrafficPolicy: Cluster
ports:
- name: http
port: 3100
protocol: TCP
targetPort: http
selector:
app: paperclip
sessionAffinity: None
type: ClusterIP
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: paperclip
spec:
allowedNamespaces:
- paperclip
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
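Review bot: `serviceAccount: default` with `role: default` ties the Vault login to the namespace's default ServiceAccount, which is also the identity every pod in `paperclip` gets unless it sets `serviceAccountName`, and the Deployment in this change sets none; a process in such a pod therefore holds a token that can log in to Vault at `k8s/au/syd1` with role `default` and reach whatever policies that role grants, not just the two static secrets synced here. A dedicated ServiceAccount for the secrets operator, with `automountServiceAccountToken: false` on the workloads, keeps the secret-sync identity separate from the application's. `audiences: [vault]` and `tokenExpirationSeconds: 600` are the right shape for scoped, short-lived tokens.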
@@ -1,34 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-credentials
namespace: paperclip
spec:
destination:
create: true
name: postgres-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/paperclip/default/postgres-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: paperclip-credentials
namespace: paperclip
spec:
destination:
create: true
name: paperclip-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/paperclip/default/paperclip-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
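Review bot: Neither VaultStaticSecret sets `rolloutRestartTargets`, and the Deployment consumes `paperclip-credentials` through `envFrom`, which is read only at container start; so `refreshAfter: 5m` keeps the Kubernetes Secret current after a rotation in Vault, but running pods hold the old credentials until something restarts them, and if the old values are revoked in Postgres first the app starts failing before it ever sees the new ones. Adding `rolloutRestartTargets` with `kind: Deployment`, `name: paperclip` closes that gap. `hmacSecretData: true` and `overwrite: true` are the right settings for operator-owned Secrets.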
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- priorityclasses.yaml
@@ -1,36 +0,0 @@
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: low
value: 100
preemptionPolicy: Never
globalDefault: false
description: "Low-importance workloads. Can be evicted under pressure but will not preempt other pods."
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: power
value: 100
preemptionPolicy: Never
globalDefault: false
description: "Compute-heavy workloads with low scheduling importance. Evictable under pressure."
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: medium
value: 10000
preemptionPolicy: PreemptLowerPriority
globalDefault: false
description: "Standard workloads. Will preempt low-priority pods if the cluster is under pressure."
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: high
value: 100000
preemptionPolicy: PreemptLowerPriority
globalDefault: false
description: "High-importance services. Will preempt medium- and low-priority pods if necessary."
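Review bot: `low` and `power` both have `value: 100` and `preemptionPolicy: Never`, so the scheduler treats them identically and the difference in their `description` fields exists only by name; either give `power` its own value or note that the second class is purely a label. Also, with every class at `globalDefault: false`, pods that name no class get priority 0, below `low`: they are evicted first under node pressure and are preemptable by `medium` and `high`, which may or may not be the intent for unlabelled workloads in this cluster.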
@@ -28,7 +28,7 @@ spec:
imagePullSecrets: null
containers:
- name: g10k-code
image: git.unkin.net/unkin/almalinux9-g10k:20260606
image: git.unkin.net/unkin/almalinux9-g10k:20260308
imagePullPolicy: IfNotPresent
resources:
requests:
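Review bot: The `almalinux9-g10k` tag differs between the two sides of this hunk (`20260606` and `20260308`); these read as date-stamped base image builds, so landing on the earlier one reintroduces whatever package updates the later build carried. If this is a deliberate rollback, record the reason in the commit message; otherwise keep the newer tag, and in either case prefer a digest pin so the running image is fixed independently of tag reuse.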
@@ -50,7 +50,7 @@ spec:
cpu: 20m
memory: 32Mi
- name: cert-generator
image: git.unkin.net/unkin/almalinux9-base:20260606
image: git.unkin.net/unkin/almalinux9-base:20260308
imagePullPolicy: IfNotPresent
command:
- sh
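Review bot: `cert-generator` moves between `almalinux9-base:20260606` and `20260308` together with the other containers, which is right: every container in this pod should sit on one base image date so they share a patch level. The init container's `command:` is cut off by the hunk boundary after `- sh`, so the script it runs should be checked for any tooling version it assumes from the base image before the tag change is merged.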
@@ -181,7 +181,7 @@ spec:
name: puppet-puppet-volume

- name: setup-shared-bins
image: git.unkin.net/unkin/almalinux9-base:20260606
image: git.unkin.net/unkin/almalinux9-base:20260308
command:
- sh
- -c
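Review bot: This is the third container in the same pod spec whose image date tag is edited by hand (`setup-shared-bins` here, `cert-generator` and `g10k-code` in the hunks above). Three coordinated one-line edits are easy to get out of step; declaring the tag once through a kustomize `images:` override with `newTag` (or a single variable in whatever produces this manifest) would make the base image date a single point of change.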
Some files were not shown because too many files have changed in this diff.