1 Commits

Author SHA1 Message Date
unkinben a84d299aed feat: updates for artifactapi
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline failed
- remove replicas (rely on horizontal-pod-scaler)
- add raw.githubusercontent.com remote
2026-03-07 00:36:48 +11:00
165 changed files with 85 additions and 5785 deletions
+2 -1
View File
@@ -3,6 +3,7 @@ when:
steps:
- name: kubeconform
image: git.unkin.net/unkin/almalinux9-kubetest:20260319
image: git.unkin.net/unkin/almalinux9-base:latest
commands:
- dnf install make kustomize kubeconform helm -y
- make kubeconform
+2 -1
View File
@@ -3,6 +3,7 @@ when:
steps:
- name: pre-commit
image: git.unkin.net/unkin/almalinux9-base:20260308
image: git.unkin.net/unkin/almalinux9-base:latest
commands:
- dnf install uv make -y
- uvx pre-commit run --all-files
@@ -1,94 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: artifact-keeper-postgres
namespace: artifact-keeper
spec:
affinity:
podAntiAffinityType: preferred
bootstrap:
initdb:
database: artifact_registry
encoding: UTF8
localeCType: C
localeCollate: C
owner: registry
secret:
name: postgres-credentials
postInitSQL:
- CREATE DATABASE dependency_track OWNER registry;
- GRANT ALL PRIVILEGES ON DATABASE dependency_track TO registry;
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
instances: 3
logLevel: info
maxSyncReplicas: 0
minSyncReplicas: 0
monitoring:
customQueriesConfigMap:
- key: queries
name: cnpg-default-monitoring
disableDefaultQueries: false
enablePodMonitor: false
postgresql:
parameters:
archive_mode: "on"
archive_timeout: 5min
dynamic_shared_memory_type: posix
effective_cache_size: 256MB
full_page_writes: "on"
log_destination: csvlog
log_directory: /controller/log
log_filename: postgres
log_rotation_age: "0"
log_rotation_size: "0"
log_truncate_on_rotation: "false"
logging_collector: "on"
max_connections: "200"
max_parallel_workers: "16"
max_replication_slots: "16"
max_worker_processes: "16"
shared_buffers: 128MB
shared_memory_type: mmap
ssl_max_protocol_version: TLSv1.3
ssl_min_protocol_version: TLSv1.3
wal_keep_size: 256MB
wal_level: logical
wal_log_hints: "on"
wal_receiver_timeout: 5s
wal_sender_timeout: 5s
syncReplicaElectionConstraint:
enabled: false
primaryUpdateMethod: restart
primaryUpdateStrategy: unsupervised
probes:
liveness:
isolationCheck:
connectionTimeout: 1000
enabled: true
requestTimeout: 1000
replicationSlots:
highAvailability:
enabled: true
slotPrefix: _cnpg_
synchronizeReplicas:
enabled: true
updateInterval: 30
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
smartShutdownTimeout: 180
startDelay: 3600
stopDelay: 1800
storage:
resizeInUseVolumes: true
size: 20Gi
storageClass: cephrbd-fast-delete
switchoverDelay: 3600
@@ -1,33 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: artifact-keeper-postgres-pooler
namespace: artifact-keeper
spec:
cluster:
name: artifact-keeper-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: artifact-keeper-pooler
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- artifact-keeper-pooler
topologyKey: kubernetes.io/hostname
containers: []
type: rw
@@ -1,20 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: config
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
data:
BIND_ADDRESS: "0.0.0.0:8080"
LOG_LEVEL: "info,artifact_keeper=debug"
STORAGE_BACKEND: "s3"
MEILISEARCH_URL: "http://meilisearch:7700"
TRIVY_URL: "http://trivy:8090"
DEPENDENCY_TRACK_URL: "http://dtrack:8080"
DEPENDENCY_TRACK_ENABLED: "true"
SCAN_WORKSPACE_PATH: "/scan-workspace"
PLUGINS_DIR: "/data/plugins"
@@ -1,15 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: s3-env
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
data:
S3_ENDPOINT: "https://radosgw.service.consul"
S3_BUCKET: "artifact-keeper"
S3_REGION: "ap-southeast-2"
S3_PATH_STYLE: "true"
@@ -1,171 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: backend
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: backend
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: backend
spec:
serviceAccountName: backend
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- backend
topologyKey: kubernetes.io/hostname
initContainers:
- name: wait-for-postgres
image: postgres:16-alpine
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 100m
memory: 64Mi
command: ["/bin/sh", "-c"]
args:
- |
echo "Waiting for PostgreSQL..."
until pg_isready -h artifact-keeper-postgres-pooler -p 5432 -U registry; do
sleep 3
done
echo "PostgreSQL is ready"
- name: wait-for-meilisearch
image: alpine:3.20
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 16Mi
ephemeral-storage: 32Mi
limits:
cpu: 100m
memory: 64Mi
ephemeral-storage: 64Mi
command: ["/bin/sh", "-c"]
args:
- |
echo "Waiting for Meilisearch..."
until wget -qO- http://meilisearch:7700/health >/dev/null 2>&1; do
sleep 3
done
echo "Meilisearch is ready"
containers:
- name: backend
image: "ghcr.io/artifact-keeper/artifact-keeper-backend:dev"
imagePullPolicy: Always
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["/bin/sh", "-c"]
args:
- |
if [ -f /shared/dtrack-api-key ] && [ -s /shared/dtrack-api-key ]; then
export DEPENDENCY_TRACK_API_KEY="$(cat /shared/dtrack-api-key)"
fi
exec /usr/local/bin/artifact-keeper
ports:
- name: http
containerPort: 8080
protocol: TCP
- name: grpc
containerPort: 9090
protocol: TCP
envFrom:
- configMapRef:
name: config
- configMapRef:
name: s3-env
- secretRef:
name: s3-credentials
- secretRef:
name: app-secrets
resources:
limits:
cpu: "2"
memory: 2Gi
requests:
cpu: 250m
memory: 256Mi
livenessProbe:
httpGet:
path: /livez
port: http
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 5
volumeMounts:
- name: tmp
mountPath: /tmp
- name: storage
mountPath: /data/storage
subPath: storage
- name: storage
mountPath: /data/backups
subPath: backups
- name: storage
mountPath: /data/plugins
subPath: plugins
- name: scan-workspace
mountPath: /scan-workspace
- name: shared-config
mountPath: /shared
readOnly: true
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: storage
persistentVolumeClaim:
claimName: storage
- name: scan-workspace
persistentVolumeClaim:
claimName: scan-workspace
- name: shared-config
persistentVolumeClaim:
claimName: shared-config
@@ -1,111 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dtrack
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: dependency-track
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: dependency-track
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: dependency-track
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
initContainers:
- name: wait-for-postgres
image: postgres:16-alpine
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 100m
memory: 64Mi
command: ["/bin/sh", "-c"]
args:
- |
echo "Waiting for PostgreSQL..."
until pg_isready -h artifact-keeper-postgres-pooler -p 5432 -U registry; do
sleep 3
done
echo "PostgreSQL is ready"
containers:
- name: dtrack-api
image: "dependencytrack/apiserver:4.11.4"
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- name: http
containerPort: 8080
protocol: TCP
env:
- name: ALPINE_DATABASE_MODE
value: "external"
- name: ALPINE_DATABASE_URL
value: "jdbc:postgresql://artifact-keeper-postgres-pooler:5432/dependency_track"
- name: ALPINE_DATABASE_DRIVER
value: "org.postgresql.Driver"
- name: ALPINE_DATABASE_USERNAME
value: "registry"
- name: ALPINE_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
key: password
- name: ALPINE_DATA_DIRECTORY
value: "/data"
- name: ALPINE_ENFORCE_AUTHENTICATION
value: "true"
- name: ALPINE_CORS_ENABLED
value: "true"
- name: ALPINE_CORS_ALLOW_ORIGIN
value: "*"
- name: JAVA_OPTIONS
value: "-Xmx4g"
resources:
limits:
cpu: "2"
memory: 6Gi
requests:
cpu: 250m
memory: 4Gi
volumeMounts:
- name: dtrack-data
mountPath: /data
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: dtrack-data
persistentVolumeClaim:
claimName: dtrack
@@ -1,154 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: meilisearch
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: meilisearch
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: meilisearch
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: meilisearch
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
initContainers:
- name: fix-ownership
image: busybox:1.37
securityContext:
runAsNonRoot: false
runAsUser: 0
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
add:
- CHOWN
- FOWNER
resources:
requests:
cpu: 10m
memory: 16Mi
ephemeral-storage: 32Mi
limits:
cpu: 100m
memory: 64Mi
ephemeral-storage: 64Mi
command: ["sh", "-c", "chown -R 1000:1000 /meili_data"]
volumeMounts:
- name: meilisearch-data
mountPath: /meili_data
- name: version-guard
image: busybox:1.37
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 100m
memory: 64Mi
command: ["sh", "-c"]
args:
- |
EXPECTED="v1.12"
VERSION_FILE="/meili_data/data.ms/VERSION"
if [ ! -f "$VERSION_FILE" ]; then
echo "No existing database, fresh start"
exit 0
fi
CURRENT=$(cat "$VERSION_FILE" 2>/dev/null || echo "unknown")
echo "Current DB version: $CURRENT, expected image: $EXPECTED"
if echo "$CURRENT" | grep -qv "$(echo $EXPECTED | sed 's/^v//')"; then
echo "Version mismatch — wiping data.ms for clean re-index"
rm -rf /meili_data/data.ms
echo "Done. Backend will re-index automatically."
else
echo "Versions match, keeping existing data"
fi
volumeMounts:
- name: meilisearch-data
mountPath: /meili_data
containers:
- name: meilisearch
image: "getmeili/meilisearch:v1.12"
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- name: http
containerPort: 7700
protocol: TCP
env:
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: app-secrets
key: MEILISEARCH_API_KEY
- name: MEILI_ENV
value: "production"
- name: MEILI_MAX_INDEXING_THREADS
value: "4"
resources:
limits:
cpu: "1"
memory: 8Gi
requests:
cpu: 250m
memory: 512Mi
readinessProbe:
httpGet:
path: /health
port: 7700
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
livenessProbe:
httpGet:
path: /health
port: 7700
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
volumeMounts:
- name: meilisearch-data
mountPath: /meili_data
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: meilisearch-data
persistentVolumeClaim:
claimName: meilisearch
@@ -1,87 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: trivy
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: trivy
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: trivy
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: trivy
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 10000
fsGroup: 10000
containers:
- name: trivy
image: "aquasec/trivy:0.62.1"
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["trivy"]
args: ["server", "--listen", "0.0.0.0:8090", "--cache-dir", "/home/trivy/.cache"]
ports:
- name: http
containerPort: 8090
protocol: TCP
resources:
limits:
cpu: "1"
memory: 2Gi
requests:
cpu: 250m
memory: 256Mi
readinessProbe:
tcpSocket:
port: 8090
initialDelaySeconds: 15
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
livenessProbe:
tcpSocket:
port: 8090
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
volumeMounts:
- name: trivy-cache
mountPath: /home/trivy/.cache
- name: tmp
mountPath: /tmp
- name: scan-workspace
mountPath: /scan-workspace
readOnly: true
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: trivy-cache
persistentVolumeClaim:
claimName: trivy-cache
- name: scan-workspace
persistentVolumeClaim:
claimName: scan-workspace
@@ -1,98 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: web
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: web
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: web
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: web
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- web
topologyKey: kubernetes.io/hostname
containers:
- name: web
image: "ghcr.io/artifact-keeper/artifact-keeper-web:dev"
imagePullPolicy: Always
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- name: http
containerPort: 3000
protocol: TCP
env:
- name: NEXT_PUBLIC_API_URL
value: ""
- name: BACKEND_URL
value: "http://backend:8080"
- name: NODE_ENV
value: "production"
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 20
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 5
volumeMounts:
- name: tmp
mountPath: /tmp
- name: nextjs-cache
mountPath: /app/.next/cache
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: nextjs-cache
emptyDir:
sizeLimit: 1Gi
-286
View File
@@ -1,286 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: artifact-keeper
namespace: artifact-keeper
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 10g
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: artifacts.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: artifacts.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
ingressClassName: nginx
rules:
- host: artifacts.k8s.syd1.au.unkin.net
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /health
pathType: Exact
backend:
service:
name: backend
port:
number: 8080
- path: /ready
pathType: Exact
backend:
service:
name: backend
port:
number: 8080
- path: /v2
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /maven
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /npm
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /pypi
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /nuget
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /cargo
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /gems
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /go
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /helm
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /debian
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /rpm
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /alpine
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /composer
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /conan
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /conda
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /swift
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /terraform
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /cocoapods
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /hex
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /pub
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /lfs
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /ivy
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /chef
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /puppet
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /ansible
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /cran
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /huggingface
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /jetbrains
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /vscode
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /proto
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /incus
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /ext
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /dtrack
pathType: Prefix
backend:
service:
name: dtrack
port:
number: 8080
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 3000
tls:
- hosts:
- artifacts.k8s.syd1.au.unkin.net
secretName: artifacts-tls
@@ -1,70 +0,0 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: dtrack-init
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: dependency-track
spec:
backoffLimit: 3
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: dependency-track
spec:
restartPolicy: OnFailure
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: dtrack-init
image: alpine:3.20
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 32Mi
ephemeral-storage: 64Mi
limits:
cpu: 200m
memory: 128Mi
ephemeral-storage: 128Mi
command: ["/bin/sh", "-c"]
args:
- |
apk add --no-cache curl jq >/dev/null 2>&1
/bin/sh /scripts/init-dtrack.sh
env:
- name: DEPENDENCY_TRACK_URL
value: "http://dtrack:8080"
- name: DEPENDENCY_TRACK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: app-secrets
key: DEPENDENCY_TRACK_ADMIN_PASSWORD
volumeMounts:
- name: init-script
mountPath: /scripts
readOnly: true
- name: shared-config
mountPath: /shared
volumes:
- name: init-script
configMap:
name: dtrack-init
defaultMode: 0755
- name: shared-config
persistentVolumeClaim:
claimName: shared-config
@@ -1,33 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- serviceaccount_backend.yaml
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- configmap_app-config.yaml
- configmap_s3-env.yaml
- persistentvolumeclaims.yaml
- service_backend.yaml
- service_dtrack.yaml
- service_meilisearch.yaml
- service_trivy.yaml
- service_web.yaml
- deployment_backend.yaml
- deployment_dtrack.yaml
- deployment_meilisearch.yaml
- deployment_trivy.yaml
- deployment_web.yaml
- job_dtrack-init.yaml
- ingress.yaml
configMapGenerator:
- name: dtrack-init
files:
- resources/init-dtrack.sh
options:
disableNameSuffixHash: true
-7
View File
@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
@@ -1,78 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: storage
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteMany
storageClassName: cephfs-raid5-delete
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: scan-workspace
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteMany
storageClassName: cephfs-raid5-delete
resources:
requests:
storage: 2Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: shared-config
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteMany
storageClassName: cephfs-raid5-delete
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: dtrack
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteOnce
storageClassName: cephrbd-fast-delete
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: meilisearch
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteOnce
storageClassName: cephrbd-fast-delete
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: trivy-cache
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteOnce
storageClassName: cephrbd-fast-delete
resources:
requests:
storage: 5Gi
@@ -1,43 +0,0 @@
#!/bin/sh
set -e
DT_URL="${DEPENDENCY_TRACK_URL:-http://ak-artifact-keeper-dtrack:8080}"
DT_ADMIN_USER="admin"
DT_DEFAULT_PASS="admin"
DT_NEW_PASS="${DEPENDENCY_TRACK_ADMIN_PASSWORD}"
API_KEY_FILE="/shared/dtrack-api-key"
echo "[dtrack-init] Waiting for Dependency-Track at $DT_URL ..."
for i in $(seq 1 60); do
if curl -sf "$DT_URL/api/version" > /dev/null 2>&1; then break; fi
if [ "$i" -eq 60 ]; then echo "[dtrack-init] ERROR: timeout"; exit 1; fi
sleep 5
done
if [ -f "$API_KEY_FILE" ] && [ -s "$API_KEY_FILE" ]; then
echo "[dtrack-init] API key already provisioned -- skipping"
exit 0
fi
TOKEN=$(curl -sf -X POST "$DT_URL/api/v1/user/login" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=${DT_ADMIN_USER}&password=${DT_NEW_PASS}" 2>/dev/null || true)
if [ -z "$TOKEN" ] || echo "$TOKEN" | grep -qi "FORCE_PASSWORD_CHANGE"; then
curl -sf -o /dev/null -X POST "$DT_URL/api/v1/user/forceChangePassword" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=${DT_ADMIN_USER}&password=${DT_DEFAULT_PASS}&newPassword=${DT_NEW_PASS}&confirmPassword=${DT_NEW_PASS}"
TOKEN=$(curl -sf -X POST "$DT_URL/api/v1/user/login" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=${DT_ADMIN_USER}&password=${DT_NEW_PASS}" 2>/dev/null || true)
fi
if [ -z "$TOKEN" ]; then echo "[dtrack-init] ERROR: auth failed"; exit 1; fi
API_KEY=$(curl -sf "$DT_URL/api/v1/team" \
-H "Authorization: Bearer $TOKEN" | \
jq -r '.[] | select(.name == "Automation") | .apiKeys[0].key // empty')
if [ -z "$API_KEY" ]; then echo "[dtrack-init] ERROR: no API key"; exit 1; fi
echo "$API_KEY" > "$API_KEY_FILE"
echo "[dtrack-init] Done"
@@ -1,26 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: backend
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: backend
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http
protocol: TCP
- name: grpc
port: 9090
targetPort: grpc
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: backend
@@ -1,22 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: dtrack
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: dependency-track
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: dependency-track
@@ -1,22 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: meilisearch
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: meilisearch
spec:
type: ClusterIP
ports:
- name: http
port: 7700
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: meilisearch
@@ -1,22 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: trivy
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: trivy
spec:
type: ClusterIP
ports:
- name: http
port: 8090
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: trivy
@@ -1,22 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: web
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: web
spec:
type: ClusterIP
ports:
- name: http
port: 3000
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: web
@@ -1,11 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: backend
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: backend
-18
View File
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: artifact-keeper
spec:
allowedNamespaces:
- artifact-keeper
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
@@ -1,51 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-credentials
namespace: artifact-keeper
spec:
destination:
create: true
name: postgres-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/artifact-keeper/default/postgres-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: app-secrets
namespace: artifact-keeper
spec:
destination:
create: true
name: app-secrets
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/artifact-keeper/default/app-secrets
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: s3-credentials
namespace: artifact-keeper
spec:
destination:
create: true
name: s3-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/artifact-keeper/default/s3-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
@@ -49,7 +49,6 @@ remotes:
package: "generic"
description: "GitHub User Content"
include_patterns:
- "argoproj/argo-cd/.*.yaml$"
- "yannh/kubernetes-json-schema/master/.*.json$"
- "datreeio/CRDs-catalog/main/.*.json$"
cache:
@@ -63,7 +62,6 @@ remotes:
description: "Gitea download site"
include_patterns:
- "act_runner/.*/act_runner-.*-linux-amd64$"
- "tea/.*/tea-.*-linux-amd64$"
cache:
file_ttl: 0
index_ttl: 0
@@ -89,17 +87,6 @@ remotes:
file_ttl: 0
index_ttl: 0
rarlab:
base_url: "https://www.rarlab.com"
type: "remote"
package: "generic"
description: "RARLab"
include_patterns:
- "rar/rarlinux-x64-.*.tar.gz"
cache:
file_ttl: 0
index_ttl: 0
alpine:
base_url: "https://dl-cdn.alpinelinux.org"
type: "remote"
-29
View File
@@ -1,29 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: rancher
namespace: cattle-system
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: rancher.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: rancher.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: "198.18.200.0"
spec:
ingressClassName: nginx
tls:
- hosts:
- rancher.k8s.syd1.au.unkin.net
secretName: rancher-tls
rules:
- host: rancher.k8s.syd1.au.unkin.net
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: rancher
port:
number: 80
@@ -1,9 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- ingress.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cattle-system
-18
View File
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: rancher
namespace: cattle-system
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- cattle-system
kubernetes:
role: rancher
serviceAccount: rancher
audiences:
- vault
tokenExpirationSeconds: 600
@@ -1,15 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: rancher-bootstrap-secret
namespace: cattle-system
spec:
vaultAuthRef: rancher
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/rancher/bootstrap-password
refreshAfter: 5m
destination:
name: rancher-bootstrap-secret
create: true
-12
View File
@@ -1,12 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-vault-token-creator
labels:
app.kubernetes.io/name: "cert-manager-config"
app.kubernetes.io/instance: "cert-manager-config"
rules:
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
@@ -1,16 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-vault-token-creator
labels:
app.kubernetes.io/name: "cert-manager-config"
app.kubernetes.io/instance: "cert-manager-config"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-vault-token-creator
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
@@ -1,9 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- serviceaccount.yaml
- clusterrole.yaml
- clusterrolebinding.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager
@@ -1,11 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-issuer
namespace: cert-manager
labels:
app.kubernetes.io/name: "cert-manager-config"
app.kubernetes.io/instance: "cert-manager-config"
app.kubernetes.io/component: "vault-issuer"
automountServiceAccountToken: true
@@ -1,7 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vault-ca-cert.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: certificates
-59
View File
@@ -1,59 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: vault-ca-cert
namespace: certificates
labels:
app.kubernetes.io/name: vault-ca-cert
app.kubernetes.io/part-of: vault-secrets-operator
annotations:
description: "Vault CA certificate replicated to all namespaces"
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""
type: Opaque
stringData:
ca.crt: |
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgIULZAR/QcvAnxdi04S6bXhNeazozYwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDQyNzExMzcyMloXDTI5MDQy
NjExMzc1MlowKzEpMCcGA1UEAxMgdW5raW4ubmV0IEludGVybWVkaWF0ZSBBdXRo
b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDq0ZU2DnuYW5s
E3lPjVe2Ns6cPu64yx1GLVqB5VbOUs71ThRjPjvEwE98YtGMza8ok0CQSqS2qX8z
vnMbnVCaWKjCnem/dtQtB+8WCu5uQuNHhwqxgw1tD/klAkVLWGgTPDEgasvjDMkc
sW8in/BhtrV9YA/lQGpge+j9/MFXhlnvaLCPybFifPRX9Yc5CcnhSzLSzFPO4PJx
VH4Qu9eByyKHMTvgcCy6p9qjjzz+8dtAlxeIsgfTEdvtfCPowsF+v2XooutTsJt0
xUDvUDu4xV6tVCEOYRA2cZHkLRBhV289M0hocHrsGqMmA1+j0skwwt/6UkVHqlCT
mitItX+RAgMBAAGjgewwgekwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
Af8wHQYDVR0OBBYEFEp/+grAdVqRSeb9xJjSeZYNW32MMB8GA1UdIwQYMBaAFBqc
v6Y+hfHt4EjgKa/uoQGEHTknMEcGCCsGAQUFBwEBBDswOTA3BggrBgEFBQcwAoYr
aHR0cHM6Ly92YXVsdC5zZXJ2aWNlLmNvbnN1bC92MS9wa2lfcm9vdC9jYTA9BgNV
HR8ENjA0MDKgMKAuhixodHRwczovL3ZhdWx0LnNlcnZpY2UuY29uc3VsL3YxL3Br
aV9yb290L2NybDANBgkqhkiG9w0BAQsFAAOCAQEAM0FS8tscZe7yly/gM7jO6lx5
muMFusifjUIrcQGnZBkoECeuUVPNTs3e/Th+XaxjCnmSpqSNT3z9Irr6Hhxf7n03
4+hpF3G0bf1yh4DRex/0ua3szvgo91RwyKVQM1BHIA1PwdF8csO+LT4FTMILzo4U
DdSVvDEIaxYYQCDNfAD81n+8lmFbabupfsKbkSTR+sNTS+TMnLpN8YwSXdB0e+RU
eEZRNVu0jKmbE8U/66Sc33YLe6cxbCclHA+G4giGwEP+lYZk+rFjmr6ci9bj5yyN
Sznr7xdW0ofOdACAQFFy5KTZqCDjIrvk12vUn4bSsXmWVIQEd+jPx6wuxD/rSw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDLzCCAhegAwIBAgIUIDADwsHIrQ8dfncpechBdIUCQdIwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDQyNzExMjcwMloXDTM0MDQy
NTExMjczMlowFDESMBAGA1UEAxMJdW5raW4ubmV0MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA3ENPv7R7gCUJAg8Q4hB2LEZSdvbK155YbcrguLDDnu6m
2fkJn8jYMMW3Z6/+Y04ouGwi6sKup8ggTb217sY+dC4IUZjotDPAhruxfXVQAh0v
Yr3RYoxVDrm4nRSFLo1RA4Qt+1KK299mHGQf9iAiwbsFp5mDrJT9uz15FE2uWmbK
8/onMyJC4fnkMihVN6NIgTtjpHYNm5aAJwxoWldTopgF0ucb7X3XVPNbKAmd3Avd
lsOo6m751zSZ0HvJOxgRSy7lvPzMuUfCQsOcmI4O4+Z2FL4Y7p+T9DvWkciC7L3i
tBiK30fPfGKNpWaof1ONCcPQNjMwWcEFXqSiWUOXkwIDAQABo3kwdzAOBgNVHQ8B
Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGpy/pj6F8e3gSOAp
r+6hAYQdOScwHwYDVR0jBBgwFoAUGpy/pj6F8e3gSOApr+6hAYQdOScwFAYDVR0R
BA0wC4IJdW5raW4ubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQA5xocILzuvD+R2Iub1
UnTdcVpgNcxJmESz0eX4UrkcBmddtuFINXvDTv5//XTFs78LsVVSf00xZ+2C62Xe
xRdCdluHN8VDCAKulP4XJY1BiZ7im0v+iMgPDKhq4OXb86WFYI/8J6uRm7oIAwj1
zhhKxMimkzli+yHB8ipL15W7l68CMUgmOjFA+EG6sbfadFpQTX/h6TVj3FQPkU/p
UJEm2XjlGNAKGJrNRU47PM4vRDv5Joyowp9zv/pHFXvUJladaJupMKRJQVWQz1US
EXE67rawG79s3vm8dDolnbli/IhPHtjDRIprxAwrMs5tt9cY0xsRkFBZVcAOjrpb
4gqd
-----END CERTIFICATE-----
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cnpg-system
-9
View File
@@ -1,9 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- storageclass.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: csi-cephfs
-83
View File
@@ -1,83 +0,0 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid6-delete
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Delete
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_6_2"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_6_2
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid6-retain
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Retain
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_6_2"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_6_2
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid5-delete
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Delete
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_4_1"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_4_1
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid5-retain
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Retain
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_4_1"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_4_1
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
-18
View File
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: ceph-csi-cephfs
namespace: csi-cephfs
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- csi-cephfs
kubernetes:
role: ceph-csi
serviceAccount: ceph-csi-cephfs-csi-cephfs-provisioner
audiences:
- vault
tokenExpirationSeconds: 600
@@ -1,15 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: csi-cephfs-secret
namespace: csi-cephfs
spec:
vaultAuthRef: ceph-csi-cephfs
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/csi/ceph-cephfs-secret
refreshAfter: 5m
destination:
name: csi-cephfs-secret
create: true
-9
View File
@@ -1,9 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- storageclass.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: csi-cephrbd
-39
View File
@@ -1,39 +0,0 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephrbd-fast-delete
annotations:
storageclass.kubernetes.io/is-default-class: "true"
provisioner: rbd.csi.ceph.com
reclaimPolicy: Delete
allowVolumeExpansion: true
parameters:
clusterID: "de96a98f-3d23-465a-a899-86d3d67edab8"
pool: "kubernetes"
imageFeatures: "layering"
csi.storage.k8s.io/provisioner-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/controller-expand-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/node-stage-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephrbd"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephrbd-fast-retain
provisioner: rbd.csi.ceph.com
reclaimPolicy: Retain
allowVolumeExpansion: true
parameters:
clusterID: "de96a98f-3d23-465a-a899-86d3d67edab8"
pool: "kubernetes"
imageFeatures: "layering"
csi.storage.k8s.io/provisioner-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/controller-expand-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/node-stage-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephrbd"
-18
View File
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: ceph-csi-rbd
namespace: csi-cephrbd
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- csi-cephrbd
kubernetes:
role: ceph-csi
serviceAccount: ceph-csi-rbd-csi-rbd-provisioner
audiences:
- vault
tokenExpirationSeconds: 600
@@ -1,15 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: csi-rbd-secret
namespace: csi-cephrbd
spec:
vaultAuthRef: ceph-csi-rbd
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/csi/ceph-rbd-secret
refreshAfter: 5m
destination:
name: csi-rbd-secret
create: true
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
-7
View File
@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: elastic-system
name: elastic-system
-8
View File
@@ -1,8 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: externaldns
-18
View File
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: externaldns
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- externaldns
kubernetes:
role: externaldns
serviceAccount: externaldns
audiences:
- vault
tokenExpirationSeconds: 600
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: externaldns-tsig
namespace: externaldns
spec:
vaultAuthRef: default
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/externaldns/tsig
refreshAfter: 5m
destination:
name: externaldns-tsig
create: true
rolloutRestartTargets:
- kind: Deployment
name: externaldns
@@ -1,19 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
helmCharts:
- name: intel-device-plugins-operator
repo: https://intel.github.io/helm-charts/
version: "0.35.0"
releaseName: intel-device-plugins-operator
namespace: inteldeviceplugins-system
- name: intel-device-plugins-gpu
repo: https://intel.github.io/helm-charts/
version: "0.34.1"
releaseName: intel-gpu-plugin
namespace: inteldeviceplugins-system
valuesFile: values-gpu-plugin.yaml
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: inteldeviceplugins-system
@@ -1,13 +0,0 @@
---
name: intel-gpu-device-plugin
sharedDevNum: 4
logLevel: 2
enableMonitoring: true
allocationPolicy: "none"
image:
hub: intel
tag: "" # Use latest from chart
nodeSelector:
intel.feature.node.kubernetes.io/gpu: 'true'
nodeFeatureRule: true
tolerations: []
@@ -2,4 +2,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: puppet
name: jfrog
@@ -1,152 +0,0 @@
---
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
name: intel-dp-devices
namespace: node-feature-discovery
spec:
rules:
- name: "intel.dlb"
labels:
"intel.feature.node.kubernetes.io/dlb": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["2710"]}
class: {op: In, value: ["0b40"]}
- feature: kernel.loadedmodule
matchExpressions:
dlb2: {op: Exists}
- name: "intel.dsa"
labels:
"intel.feature.node.kubernetes.io/dsa": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["0b25", "11fb", "1212"]}
class: {op: In, value: ["0880"]}
- feature: kernel.loadedmodule
matchExpressions:
idxd: {op: Exists}
- name: "intel.fpga-arria10"
labels:
"intel.feature.node.kubernetes.io/fpga-arria10": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["09c4"]}
class: {op: In, value: ["1200"]}
matchAny:
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
dfl_pci: {op: Exists}
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
intel_fpga_pci: {op: Exists}
- name: "intel.gpu"
labels:
"intel.feature.node.kubernetes.io/gpu": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
class: {op: In, value: ["0300", "0380"]}
matchAny:
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
i915: {op: Exists}
- matchFeatures:
- feature: kernel.enabledmodule
matchExpressions:
i915: {op: Exists}
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
xe: {op: Exists}
- matchFeatures:
- feature: kernel.enabledmodule
matchExpressions:
xe: {op: Exists}
- name: "intel.iaa"
labels:
"intel.feature.node.kubernetes.io/iaa": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["0cfe", "1216"]}
class: {op: In, value: ["0880"]}
- feature: kernel.loadedmodule
matchExpressions:
idxd: {op: Exists}
- name: "intel.qat"
labels:
"intel.feature.node.kubernetes.io/qat": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["37c8", "4940", "4942", "4944", "4946", "4948"]}
class: {op: In, value: ["0b40"]}
- feature: kernel.loadedmodule
matchExpressions:
intel_qat: {op: Exists}
matchAny:
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
vfio_pci: {op: Exists}
- matchFeatures:
- feature: kernel.enabledmodule
matchExpressions:
vfio-pci: {op: Exists}
- name: "intel.sgx"
labels:
"intel.feature.node.kubernetes.io/sgx": "true"
extendedResources:
sgx.intel.com/epc: "@cpu.security.sgx.epc"
matchFeatures:
- feature: cpu.cpuid
matchExpressions:
SGX: {op: Exists}
SGXLC: {op: Exists}
- feature: cpu.security
matchExpressions:
sgx.enabled: {op: IsTrue}
- feature: kernel.config
matchExpressions:
X86_SGX: {op: Exists}
- name: "intel.npu"
labels:
"intel.feature.node.kubernetes.io/npu": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
class: {op: In, value: ["1200"]}
device: {
op: In,
value: ["7e4c", "643e", "ad1d", "7d1d"]
}
matchAny:
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
intel_vpu: {op: Exists}
- matchFeatures:
- feature: kernel.enabledmodule
matchExpressions:
intel_vpu: {op: Exists}
@@ -1,14 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- intel-nodefeaturerules.yaml
helmCharts:
- name: node-feature-discovery
repo: oci://gcr.io/k8s-staging-nfd/charts
version: "0.0.0-master"
releaseName: node-feature-discovery
namespace: node-feature-discovery
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: node-feature-discovery
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
-7
View File
@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: observability
name: observability
-112
View File
@@ -1,112 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: puppet-postgres
namespace: puppet
spec:
affinity:
podAntiAffinityType: preferred
bootstrap:
initdb:
database: puppetdb
encoding: UTF8
localeCType: C
localeCollate: C
owner: puppetdb
secret:
name: postgres-credentials
postInitApplicationSQL:
- CREATE EXTENSION IF NOT EXISTS pg_trgm;
- CREATE EXTENSION IF NOT EXISTS pgcrypto;
- GRANT CONNECT ON DATABASE puppetdb TO puppetdb_read;
- GRANT USAGE ON SCHEMA public TO puppetdb_read;
- GRANT SELECT ON ALL TABLES IN SCHEMA public TO puppetdb_read;
- ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO puppetdb_read;
managed:
roles:
- name: puppetdb_read
ensure: present
comment: PuppetDB read-only database user
login: true
superuser: false
createdb: false
createrole: false
inherit: true
replication: false
connectionLimit: -1
passwordSecret:
name: postgres-read-credentials
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
instances: 3
logLevel: info
maxSyncReplicas: 0
minSyncReplicas: 0
monitoring:
customQueriesConfigMap:
- key: queries
name: cnpg-default-monitoring
disableDefaultQueries: false
enablePodMonitor: false
postgresql:
parameters:
archive_mode: "on"
archive_timeout: 5min
dynamic_shared_memory_type: posix
effective_cache_size: 256MB
full_page_writes: "on"
log_destination: csvlog
log_directory: /controller/log
log_filename: postgres
log_rotation_age: "0"
log_rotation_size: "0"
log_truncate_on_rotation: "false"
logging_collector: "on"
max_connections: "200"
max_parallel_workers: "16"
max_replication_slots: "16"
max_worker_processes: "16"
shared_buffers: 128MB
shared_memory_type: mmap
ssl_max_protocol_version: TLSv1.3
ssl_min_protocol_version: TLSv1.3
wal_keep_size: 256MB
wal_level: logical
wal_log_hints: "on"
wal_receiver_timeout: 5s
wal_sender_timeout: 5s
syncReplicaElectionConstraint:
enabled: false
primaryUpdateMethod: restart
primaryUpdateStrategy: unsupervised
probes:
liveness:
isolationCheck:
connectionTimeout: 1000
enabled: true
requestTimeout: 1000
replicationSlots:
highAvailability:
enabled: true
slotPrefix: _cnpg_
synchronizeReplicas:
enabled: true
updateInterval: 30
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
smartShutdownTimeout: 180
startDelay: 3600
stopDelay: 1800
storage:
resizeInUseVolumes: true
size: 10Gi
storageClass: cephrbd-fast-delete
switchoverDelay: 3600
-66
View File
@@ -1,66 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: puppet-postgres-pooler
namespace: puppet
spec:
cluster:
name: puppet-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler
topologyKey: kubernetes.io/hostname
containers: []
type: rw
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: puppet-postgres-pooler-ro
namespace: puppet
spec:
cluster:
name: puppet-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler-ro
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler-ro
topologyKey: kubernetes.io/hostname
containers: []
type: ro
@@ -1,26 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetboard-config
namespace: puppet
data:
PUPPETDB_HOST: "puppetdb"
PUPPETDB_PORT: "8081"
PUPPETDB_SSL_VERIFY: "/opt/puppetboard/ssl/ca.pem"
PUPPETDB_CERT: "/opt/puppetboard/ssl/puppetboard.pem"
PUPPETDB_KEY: "/opt/puppetboard/ssl/puppetboard.key"
LOGLEVEL: "debug"
PUPPETDB_TIMEOUT: "20"
UNRESPONSIVE_HOURS: "3"
ENABLE_CATALOG: "False"
ENABLE_QUERY: "True"
LOCALISE_TIMESTAMP: "True"
OFFLINE_MODE: "True"
DEFAULT_ENVIRONMENT: "*"
REPORTS_COUNT: "40"
@@ -1,23 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetdb-config
namespace: puppet
data:
USE_OPENVOXSERVER: "true"
OPENVOXSERVER_HOSTNAME: "puppetca"
OPENVOXSERVER_PORT: "8140"
DNS_ALT_NAMES: "openvoxdb,puppetdb,puppetdb.k8s.syd1.au.unkin.net,puppetdb.puppet.svc.cluster.local"
OPENVOXDB_POSTGRES_HOSTNAME: "puppet-postgres-pooler"
OPENVOXDB_POSTGRES_DATABASE: "puppetdb"
OPENVOXDB_POSTGRES_PORT: "5432"
OPENVOXDB_READ_POSTGRES_HOSTNAME: "puppet-postgres-pooler-ro"
OPENVOXDB_READ_POSTGRES_DATABASE: "puppetdb"
OPENVOXDB_READ_POSTGRES_PORT: "5432"
PUPPETDB_JAVA_ARGS: ""
@@ -1,18 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetdb-read-database-conf
namespace: puppet
data:
read-database.conf: |
read-database: {
subname: "//"${OPENVOXDB_READ_POSTGRES_HOSTNAME}":"${OPENVOXDB_READ_POSTGRES_PORT}"/"${OPENVOXDB_READ_POSTGRES_DATABASE}
username: ${OPENVOXDB_READ_POSTGRES_USER}
password: ${OPENVOXDB_READ_POSTGRES_PASSWORD}
}
@@ -1,19 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-compiler-config
namespace: puppet
data:
OPENVOXSERVER_PORT: "8140"
DNS_ALT_NAMES: "puppetserver-compiler,puppet,puppet.k8s.syd1.au.unkin.net"
OPENVOXDB_SERVER_URLS: "https://puppetdb:8081"
CA_ENABLED: "false"
CA_HOSTNAME: "puppetca"
CA_PORT: "8140"
PUPPETSERVER_JAVA_ARGS: "-Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
@@ -1,15 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetserver-init
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-init-config
namespace: puppet
data:
PUPPET_DATA_DIR: "/etc/puppetlabs/code/environments"
PUPPET_SSL_DIR: "/etc/puppetlabs/puppet/ssl/certs"
PUPPETSERVER_JAVA_ARGS: "-Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
@@ -1,28 +0,0 @@
apiVersion: v1
data:
check_for_masters.sh: |
#!/usr/bin/env bash
if [[ -d "$PUPPET_SSL_DIR" ]]; then
ls -la /etc/puppetlabs/puppet/ssl/certs/
echo "A Puppetserver master has already started running."
echo "Waiting to finish the generation of the Puppet SSL certs..."
sleep 5
while ! [[ -n "$(find /etc/puppetlabs/puppet/ssl/certs -name 'puppet*.pem' | head -1)" ]];
do
echo "Still waiting..."
sleep 5
done
sleep 15
echo "Puppet SSL certs have been generated. Continuing..."
else
echo "No other Puppetserver master is running. Continuing..."
fi
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-init-masters-config
namespace: puppet
@@ -1,18 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-master-config
namespace: puppet
data:
OPENVOXSERVER_HOSTNAME: "puppet"
OPENVOXSERVER_PORT: "8140"
DNS_ALT_NAMES: "puppet,puppetserver-agents-to-puppet,puppetca,puppet-headless,puppetca.k8s.syd1.au.unkin.net,puppet.k8s.syd1.au.unkin.net"
OPENVOXDB_SERVER_URLS: "https://puppetdb:8081"
CA_ALLOW_SUBJECT_ALT_NAMES: "true"
PUPPETSERVER_JAVA_ARGS: "-Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
-69
View File
@@ -1,69 +0,0 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: r10k-code
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: g10k-code
namespace: puppet
spec:
schedule: "*/1 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app.kubernetes.io/component: g10k-code
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
hostname: g10k-code
imagePullSecrets: null
containers:
- name: g10k-code
image: git.unkin.net/unkin/almalinux9-g10k:20260308
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
command:
- /bin/sh
- -c
args:
- |
set -e
echo "Cloning r10k config repository..."
git clone https://git.unkin.net/unkin/puppet-r10k.git /tmp/r10k-config
echo "Running g10k..."
/usr/bin/g10k -config /tmp/r10k-config/r10k.yaml
envFrom: null
env: []
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /etc/puppetlabs/code/
name: puppet-code-volume
restartPolicy: OnFailure
securityContext:
fsGroup: 999
volumes:
- name: puppet-code-volume
persistentVolumeClaim:
claimName: puppetserver-code-shared
@@ -1,85 +0,0 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: generate-types
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: generate-types
namespace: puppet
spec:
schedule: "*/5 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app.kubernetes.io/component: generate-types
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
hostname: generate-types
imagePullSecrets: null
containers:
- name: generate-types
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
/opt/puppetlabs/puppet/bin/gem install deep_merge ipaddr hiera-eyaml toml
find /etc/puppetlabs/code/environments -mindepth 1 -maxdepth 1 -type d | while read -r envdir; do
env="$(basename "$envdir")"
echo "Generating types for $env"
puppet generate types --environment "$env"
done
env: []
resources:
limits:
cpu: 300m
memory: 1Gi
requests:
cpu: 200m
memory: 512Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- CAP_AUDIT_WRITE
- CAP_FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
- AUDIT_WRITE
- FOWNER
drop:
- all
volumeMounts:
- mountPath: /etc/puppetlabs/code/
name: puppet-code-volume
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
restartPolicy: OnFailure
securityContext:
fsGroup: 999
volumes:
- name: puppet-code-volume
persistentVolumeClaim:
claimName: puppetserver-code-shared
- name: puppet-puppet-volume
persistentVolumeClaim:
claimName: puppetserver-compiler-config-shared
@@ -1,170 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetboard
namespace: puppet
spec:
selector:
matchLabels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/name: puppetserver
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
enableServiceLinks: false
initContainers:
- name: wait-puppetserver
image: curlimages/curl:8.11.1
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- |
echo 'Waiting for puppetserver to become ready...'
until printf "." && curl --silent --fail --insecure 'https://puppetca:8140/status/v1/simple' | grep -q '^running$'; do
sleep 2;
done;
echo 'Puppetserver OK ✓'
resources:
limits:
cpu: 20m
memory: 32Mi
requests:
cpu: 20m
memory: 32Mi
- name: cert-generator
image: git.unkin.net/unkin/almalinux9-base:20260308
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- |
set -e
# Set the hostname for the certificate
HOSTNAME="puppetboard"
CERT_DIR="/opt/puppetboard/ssl"
# Create certificate directory
mkdir -p ${CERT_DIR}
# Check if certificates already exist
if [ -f "${CERT_DIR}/${HOSTNAME}.pem" ] && [ -f "${CERT_DIR}/${HOSTNAME}.key" ] && [ -f "${CERT_DIR}/ca.pem" ]; then
echo "Certificates already exist for ${HOSTNAME}, skipping generation"
exit 0
fi
# Request certificate from Puppet CA for Puppetboard
echo "Requesting certificate for ${HOSTNAME} from puppetca service"
# Generate private key
openssl genrsa -out ${CERT_DIR}/${HOSTNAME}.key 2048
# Create certificate signing request (CSR)
openssl req -new -key ${CERT_DIR}/${HOSTNAME}.key \
-out /tmp/${HOSTNAME}.csr \
-subj "/CN=${HOSTNAME}"
# Submit CSR to Puppet CA
echo "Submitting certificate request to Puppet CA..."
curl -X PUT \
--insecure \
--data-binary @/tmp/${HOSTNAME}.csr \
-H "Content-Type: text/plain" \
https://puppetca:8140/puppet-ca/v1/certificate_request/${HOSTNAME}
# Wait for certificate to be signed (poll the CA)
echo "Waiting for certificate to be signed..."
for i in {1..30}; do
if curl --insecure -f -s https://puppetca:8140/puppet-ca/v1/certificate/${HOSTNAME} > ${CERT_DIR}/${HOSTNAME}.pem; then
echo "Certificate received for ${HOSTNAME}"
break
fi
echo "Attempt $i: Certificate not ready yet, waiting 10 seconds..."
sleep 10
done
# Verify we got the certificate
if [ ! -f "${CERT_DIR}/${HOSTNAME}.pem" ] || [ ! -s "${CERT_DIR}/${HOSTNAME}.pem" ]; then
echo "Failed to obtain certificate for ${HOSTNAME}"
exit 1
fi
# Get CA certificate
curl --insecure -f https://puppetca:8140/puppet-ca/v1/certificate/ca > ${CERT_DIR}/ca.pem
# Set appropriate permissions
chmod 644 ${CERT_DIR}/${HOSTNAME}.pem
chmod 600 ${CERT_DIR}/${HOSTNAME}.key
chmod 644 ${CERT_DIR}/ca.pem
# Change ownership to puppetboard user (1000:1000)
chown -R 1000:1000 ${CERT_DIR}
echo "Certificate generation completed for ${HOSTNAME}"
volumeMounts:
- name: puppetboard-certs
mountPath: /opt/puppetboard/ssl
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 50m
memory: 64Mi
securityContext:
runAsUser: 0
runAsGroup: 0
allowPrivilegeEscalation: true
containers:
- name: puppetboard
image: ghcr.io/voxpupuli/puppetboard:7.0.1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
name: puppetboard
envFrom:
- configMapRef:
name: puppetboard-config
- secretRef:
name: puppetboard-secrets
resources:
requests:
memory: 350Mi
cpu: 100m
limits:
memory: 1024Mi
cpu: 500m
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
- all
volumeMounts:
- name: puppetboard-certs
mountPath: /opt/puppetboard/ssl
readOnly: true
volumes:
- name: puppetboard-certs
persistentVolumeClaim:
claimName: puppetboard-certs
-172
View File
@@ -1,172 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetdb
namespace: puppet
spec:
selector:
matchLabels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/name: puppetserver
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
hostname: puppetdb
imagePullSecrets: null
containers:
- name: puppetdb
image: ghcr.io/openvoxproject/openvoxdb:8.9.0-main
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 1
memory: 1536Mi
requests:
cpu: 250m
memory: 512Mi
ports:
- containerPort: 8080
name: pdb-http
- containerPort: 8081
name: pdb-https
envFrom:
- configMapRef:
name: puppetdb-config
env:
- name: OPENVOXDB_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgres-credentials
- name: OPENVOXDB_POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgres-credentials
- name: OPENVOXDB_READ_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgres-read-credentials
- name: OPENVOXDB_READ_POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgres-read-credentials
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- CAP_FOWNER
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
drop:
- all
volumeMounts:
- mountPath: /opt/puppetlabs/server/data/puppetdb
name: puppetdb-storage
- mountPath: /etc/puppetlabs/puppetdb/conf.d/read-database.conf
name: puppetdb-read-database-conf
subPath: read-database.conf
initContainers:
- name: create-log-dir
image: docker.io/busybox:1.37
command:
- sh
- -c
args:
- mkdir -p /opt/puppetlabs/server/data/puppetdb/logs && chown 999:999 /opt/puppetlabs/server/data/puppetdb/logs
resources:
limits:
cpu: 20m
memory: 32Mi
requests:
cpu: 20m
memory: 32Mi
securityContext:
runAsUser: 0
volumeMounts:
- mountPath: /opt/puppetlabs/server/data/puppetdb
name: puppetdb-storage
- name: pgchecker
image: docker.io/busybox:1.37
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
echo 'Waiting for PostgreSQL to become ready...'
until printf "." && nc -z -w 2 puppet-postgres-pooler 5432; do
sleep 2;
done;
echo 'PostgreSQL OK ✓'
resources:
limits:
cpu: 20m
memory: 32Mi
requests:
cpu: 20m
memory: 32Mi
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
- name: wait-puppetserver
image: curlimages/curl:8.11.1
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
echo 'Waiting for puppetserver to become ready...'
until printf "." && curl --silent --fail --insecure 'https://puppetca:8140/status/v1/simple' | grep -q '^running$'; do
sleep 2;
done;
echo 'Puppetserver OK ✓'
resources:
limits:
cpu: 20m
memory: 32Mi
requests:
cpu: 20m
memory: 32Mi
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
volumes:
- name: puppetdb-storage
persistentVolumeClaim:
claimName: puppetserver-puppetdb-claim
- name: puppetdb-read-database-conf
configMap:
name: puppetdb-read-database-conf
@@ -1,248 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-compiler
namespace: puppet
spec:
selector:
matchLabels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/name: puppetserver
template:
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
hostname: puppetserver-compiler
imagePullSecrets: null
containers:
- name: puppetserver
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 2
memory: 3072Mi
requests:
cpu: 500m
memory: 1024Mi
ports:
- containerPort: 8140
name: puppetserver
envFrom:
- configMapRef:
name: puppetserver-compiler-config
env:
- name: OPENVOXSERVER_HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
livenessProbe:
failureThreshold: 3
periodSeconds: 30
successThreshold: 1
tcpSocket:
port: 8140
timeoutSeconds: 10
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/v1/simple
port: 8140
scheme: HTTPS
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 20
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- CAP_AUDIT_WRITE
- CAP_FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
- AUDIT_WRITE
- FOWNER
drop:
- all
startupProbe:
failureThreshold: 30
periodSeconds: 15
tcpSocket:
port: 8140
volumeMounts:
- mountPath: /etc/puppetlabs/code/
name: puppet-code-volume
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
- mountPath: /var/lib/puppet/keys/
name: eyaml-keys
readOnly: true
- mountPath: /opt/bin/
name: puppet-shared-bins
- mountPath: /opt/vault-ca-cert.crt
name: vault-ca-cert
subPath: ca.crt
- mountPath: /docker-custom-entrypoint.d/post-startup/additional-ruby-gems.sh
name: additional-ruby-gems
subPath: additional-ruby-gems.sh
initContainers:
- name: copy-configmaps
image: busybox:1.35
command:
- sh
- -c
args:
- |
echo "Copying configmap files to shared volume..."
mkdir -p /etc/puppetlabs/puppet
cp /configmaps/puppet.conf /etc/puppetlabs/puppet/puppet.conf
cp /configmaps/puppetdb.conf /etc/puppetlabs/puppet/puppetdb.conf
cp /configmaps/autosign.conf /etc/puppetlabs/puppet/autosign.conf
echo "Configmap files copied successfully"
volumeMounts:
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
- mountPath: /configmaps/puppet.conf
name: compiler-puppet-conf
subPath: puppet.conf
- mountPath: /configmaps/puppetdb.conf
name: compiler-puppetdb-conf
subPath: puppetdb.conf
- mountPath: /configmaps/autosign.conf
name: compiler-autosign-conf
subPath: autosign.conf
- name: perms-and-dirs
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
mkdir -p /etc/puppetlabs/puppet/eyaml/keys
mkdir -p /etc/puppetlabs/code/environments
mkdir -p /etc/puppetlabs/puppet/manifests
chown -R puppet:puppet /etc/puppetlabs
chown puppet:puppet /etc/puppetlabs/puppet/r10k.yaml
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/
env:
- name: PUPPETSERVER_JAVA_ARGS
value: -Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false
resources:
limits:
cpu: 300m
memory: 256Mi
requests:
cpu: 200m
memory: 128Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- CAP_AUDIT_WRITE
- CAP_FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
- AUDIT_WRITE
- FOWNER
drop:
- all
volumeMounts:
- mountPath: /etc/puppetlabs/code/
name: puppet-code-volume
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
- name: setup-shared-bins
image: git.unkin.net/unkin/almalinux9-base:20260308
command:
- sh
- -c
args:
- |
echo "Setting up shared binaries..."
mkdir -p /opt/bin
mkdir -p /opt/bin/.cache/uv
# Copy cobbler to shared bin volume
cp /configmaps/cobbler-enc /opt/bin/cobbler-enc
chmod +x /opt/bin/cobbler-enc
# Install uv to shared bin volume
cd /tmp
wget -O uv-x86_64-unknown-linux-gnu.tar.gz https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/astral-sh/uv/releases/download/0.9.20/uv-x86_64-unknown-linux-gnu.tar.gz
tar xf uv-x86_64-unknown-linux-gnu.tar.gz
cp uv-x86_64-unknown-linux-gnu/uv /opt/bin/uv
chmod +x /opt/bin/uv
echo "Shared binaries setup completed"
volumeMounts:
- mountPath: /opt/bin/
name: puppet-shared-bins
- mountPath: /configmaps/cobbler-enc
name: puppet-cobbler-enc
subPath: cobbler-enc
securityContext:
fsGroup: 999
volumes:
- name: puppet-code-volume
persistentVolumeClaim:
claimName: puppetserver-code-shared
- name: puppet-puppet-volume
persistentVolumeClaim:
claimName: puppetserver-compiler-config-shared
- name: eyaml-keys
secret:
secretName: eyaml-keys
defaultMode: 0600
- name: compiler-puppet-conf
configMap:
name: compiler-puppet.conf
- name: compiler-puppetdb-conf
configMap:
name: compiler-puppetdb.conf
- name: compiler-autosign-conf
configMap:
name: compiler-autosign.conf
- name: puppet-cobbler-enc
configMap:
name: puppet-cobbler-enc
- name: puppet-shared-bins
persistentVolumeClaim:
claimName: puppet-shared-bins
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
- name: additional-ruby-gems
configMap:
name: additional-ruby-gems
defaultMode: 0755
strategy:
type: RollingUpdate
@@ -1,177 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-master
namespace: puppet
spec:
selector:
matchLabels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/name: puppetserver
strategy:
type: RollingUpdate
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
hostname: puppet
imagePullSecrets: null
containers:
- name: puppetserver
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 2
memory: 3500Mi
requests:
cpu: 250m
memory: 1024Mi
ports:
- containerPort: 8140
name: puppetserver
envFrom:
- configMapRef:
name: puppetserver-master-config
livenessProbe:
failureThreshold: 3
periodSeconds: 30
successThreshold: 1
tcpSocket:
port: 8140
timeoutSeconds: 10
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/v1/simple
port: 8140
scheme: HTTPS
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 20
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- CAP_AUDIT_WRITE
- CAP_FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
- AUDIT_WRITE
- FOWNER
drop:
- all
startupProbe:
failureThreshold: 30
periodSeconds: 60
tcpSocket:
port: 8140
volumeMounts:
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-storage
- mountPath: /etc/puppetlabs/puppetserver/ca/
name: puppet-ca-storage
- mountPath: /var/lib/puppet/keys/
name: eyaml-keys
readOnly: true
- mountPath: /opt/bin/
name: puppet-shared-bins
- mountPath: /opt/vault-ca-cert.crt
name: vault-ca-cert
subPath: ca.crt
initContainers:
- name: perms-and-dirs
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
mkdir -p /etc/puppetlabs/puppet/eyaml/keys
cp /tmp/puppet/configmap/check_for_masters.sh /etc/puppetlabs/puppet/check_for_masters.sh
chown puppet:puppet /etc/puppetlabs/puppet/check_for_masters.sh
chmod +x /etc/puppetlabs/puppet/check_for_masters.sh
bash /etc/puppetlabs/puppet/check_for_masters.sh
mkdir -p /etc/puppetlabs/code/environments
mkdir -p /etc/puppetlabs/puppet/manifests
chown -R puppet:puppet /etc/puppetlabs
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/
envFrom:
- configMapRef:
name: puppetserver-init-config
resources:
limits:
cpu: 300m
memory: 256Mi
requests:
cpu: 200m
memory: 128Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- CAP_AUDIT_WRITE
- CAP_FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
- AUDIT_WRITE
- FOWNER
drop:
- all
volumeMounts:
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-storage
- mountPath: /tmp/puppet/configmap/check_for_masters.sh
name: init-masters-volume
subPath: check_for_masters.sh
securityContext:
fsGroup: 999
volumes:
- name: puppet-ca-storage
persistentVolumeClaim:
claimName: puppetserver-ca-claim
- name: puppet-puppet-storage
persistentVolumeClaim:
claimName: puppetserver-puppet-claim
- configMap:
name: puppetserver-init-masters-config
name: init-masters-volume
- name: eyaml-keys
secret:
secretName: eyaml-keys
defaultMode: 0600
- name: puppet-shared-bins
persistentVolumeClaim:
claimName: puppet-shared-bins
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
@@ -1,37 +0,0 @@
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-compiler-autoscaler
namespace: puppet
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: puppetserver-compiler
minReplicas: 2
maxReplicas: 5
metrics:
- resource:
name: cpu
target:
averageUtilization: 75
type: Utilization
type: Resource
behavior:
scaleUp:
stabilizationWindowSeconds: 60
policies:
- type: Percent
value: 50
periodSeconds: 15
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Percent
value: 25
periodSeconds: 60
@@ -1,37 +0,0 @@
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-masters-autoscaler
namespace: puppet
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: puppetserver-master
minReplicas: 2
maxReplicas: 5
metrics:
- resource:
name: cpu
target:
averageUtilization: 75
type: Utilization
type: Resource
behavior:
scaleUp:
stabilizationWindowSeconds: 60
policies:
- type: Percent
value: 50
periodSeconds: 15
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Percent
value: 25
periodSeconds: 60
@@ -1,44 +0,0 @@
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-puppetboard-autoscaler
namespace: puppet
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: puppetboard
minReplicas: 2
maxReplicas: 5
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 90
behavior:
scaleUp:
stabilizationWindowSeconds: 60
policies:
- type: Percent
value: 100
periodSeconds: 15
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Percent
value: 50
periodSeconds: 60
@@ -1,44 +0,0 @@
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-puppetdb-autoscaler
namespace: puppet
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: puppetdb
minReplicas: 2
maxReplicas: 5
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 90
behavior:
scaleUp:
stabilizationWindowSeconds: 60
policies:
- type: Percent
value: 100
periodSeconds: 15
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Percent
value: 50
periodSeconds: 60
-34
View File
@@ -1,34 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
external-dns.alpha.kubernetes.io/hostname: puppetboard.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: puppetboard.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetboard
namespace: puppet
spec:
rules:
- host: puppetboard.k8s.syd1.au.unkin.net
http:
paths:
- backend:
service:
name: puppetboard
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- puppetboard.k8s.syd1.au.unkin.net
secretName: puppetboard-tls
-34
View File
@@ -1,34 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
external-dns.alpha.kubernetes.io/hostname: puppetdb.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: puppetdb.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetdb
namespace: puppet
spec:
rules:
- host: puppetdb.k8s.syd1.au.unkin.net
http:
paths:
- backend:
service:
name: puppetdb
port:
number: 8080
path: /
pathType: Prefix
tls:
- hosts:
- puppetdb.k8s.syd1.au.unkin.net
secretName: puppetdb-tls
-63
View File
@@ -1,63 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- cronjob_g10k-code.yaml
- cronjob_generate-types.yaml
- persistentvolumeclaims.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- configmap_puppetboard-config.yaml
- configmap_puppetdb-config.yaml
- configmap_puppetdb-read-database.yaml
- configmap_puppetserver-compiler-config.yaml
- configmap_puppetserver-init-config.yaml
- configmap_puppetserver-init-masters-config.yaml
- configmap_puppetserver-master-config.yaml
- deployment_puppetboard.yaml
- deployment_puppetdb.yaml
- deployment_puppetserver-master.yaml
- horizontalpodautoscaler_puppetserver-compilers-autoscaler.yaml
- horizontalpodautoscaler_puppetserver-masters-autoscaler.yaml
- horizontalpodautoscaler_puppetserver-puppetboard-autoscaler.yaml
- horizontalpodautoscaler_puppetserver-puppetdb-autoscaler.yaml
- ingress_puppetboard.yaml
- ingress_puppetdb.yaml
- service_puppetserver-agents-to-puppet.yaml
- service_puppet-headless.yaml
- service_puppet.yaml
- service_puppetca.yaml
- service_puppetboard.yaml
- service_puppetdb.yaml
- deployment_puppetserver-compiler.yaml
configMapGenerator:
- name: compiler-autosign.conf
files:
- resources/compiler/autosign.conf
options:
disableNameSuffixHash: true
- name: compiler-puppet.conf
files:
- resources/compiler/puppet.conf
options:
disableNameSuffixHash: true
- name: compiler-puppetdb.conf
files:
- resources/compiler/puppetdb.conf
options:
disableNameSuffixHash: true
- name: puppet-cobbler-enc
files:
- resources/cobbler-enc
options:
disableNameSuffixHash: true
- name: additional-ruby-gems
files:
- resources/additional-ruby-gems.sh
options:
disableNameSuffixHash: true
@@ -1,126 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-ca-claim
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1G
storageClassName: cephfs-raid6-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-code-shared
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 30G
storageClassName: cephfs-raid6-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-puppet-claim
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1G
storageClassName: cephfs-raid6-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-puppetdb-claim
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: cephfs-raid6-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetboard-certs
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: cephfs-raid6-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-compiler-config-shared
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: cephfs-raid6-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppet-shared-bins
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 0.9.20
name: puppet-shared-bins
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: cephfs-raid6-delete
@@ -1,9 +0,0 @@
#!/bin/bash
set -e
echo "Installing additional Ruby gems..."
/opt/puppetlabs/puppet/bin/gem install deep_merge
/opt/puppetlabs/puppet/bin/gem install ipaddr
/opt/puppetlabs/puppet/bin/gem install hiera-eyaml
/opt/puppetlabs/puppet/bin/gem install toml
echo "Additional Ruby gems installed successfully"
-50
View File
@@ -1,50 +0,0 @@
#!/usr/bin/env -S /opt/bin/uv run --quiet --cache-dir /opt/bin/.cache/uv --script
# /// script
# requires-python = ">=3.11"
# dependencies = ['pyyaml','requests']
# ///
"""
External Node Classifier (ENC) for Puppet.
If the environment specified in the YAML file is 'testing',
the environment is not included in the output.
"""
import sys
import yaml
import requests
def fetch_enc_data(cobbler_url: str, hostname: str) -> str:
"""
Fetches and modifies ENC data from a given URL to ensure classes are in list format.
"""
url = f"{cobbler_url}/cblr/svc/op/puppet/hostname/{hostname}"
try:
response = requests.get(url, verify='/opt/vault-ca-cert.crt')
response.raise_for_status()
except requests.RequestException as e:
sys.exit(f"Request failed: {e}")
data = yaml.safe_load(response.text)
data["parameters"] = data.get("parameters", {})
# Ensure 'classes' is in the desired list format
if "classes" in data:
if isinstance(data["classes"], dict):
data["parameters"]["enc_role"] = list(data["classes"].keys())
data["classes"] = list(data["classes"].keys())
else:
data["parameters"]["enc_role"] = list(data["classes"])
data["classes"] = list(data["classes"])
if "environment" in data:
data["parameters"]["enc_env"] = data["environment"]
if data["environment"] == "testing":
del data["environment"]
return yaml.dump(data)
if __name__ == "__main__":
if len(sys.argv) != 2:
sys.exit(f"Usage: {sys.argv[0]} <hostname>")
print(fetch_enc_data("https://cobbler.main.unkin.net", sys.argv[1]))
@@ -1,15 +0,0 @@
# Autosign all nodes from these subnets
198.18.13.0/24
198.18.14.0/24
198.18.15.0/24
198.18.16.0/24
198.18.17.0/24
198.18.20.0/24
198.18.24.0/24
198.18.25.0/24
198.18.26.0/24
198.18.27.0/24
198.18.28.0/24
198.18.29.0/24
# Autosign all nodes from these domains
*.main.unkin.net
@@ -1,23 +0,0 @@
[main]
server = puppetserver-compiler
serverport = 8140
dns_alt_names = puppetserver-compiler,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net
codedir = /etc/puppetlabs/code
environmentpath = /etc/puppetlabs/code/environments
[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
node_terminus = exec
external_nodes = /opt/bin/cobbler-enc
autosign = /etc/puppetlabs/puppet/autosign.conf
storeconfigs = true
storeconfigs_backend = puppetdb
reports = puppetdb
usecacheonfailure = false
[user]
default_manifest = /etc/puppetlabs/code/environments/develop/manifests
default_environment = develop
@@ -1,3 +0,0 @@
[main]
server_urls = https://puppetdb.k8s.syd1.au.unkin.net
soft_write_failure = true
@@ -1,20 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppet-headless
namespace: puppet
spec:
clusterIP: None
ports:
- name: https
port: 443
protocol: TCP
targetPort: 8140
selector:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/name: puppetserver
-23
View File
@@ -1,23 +0,0 @@
apiVersion: v1
kind: Service
metadata:
annotations:
external-dns.alpha.kubernetes.io/hostname: puppet.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.3
purelb.io/addresses: 198.18.200.3
purelb.io/service-group: common
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppet
namespace: puppet
spec:
ports:
- name: puppetserver
port: 8140
selector:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/name: puppetserver
type: LoadBalancer
-21
View File
@@ -1,21 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetboard
namespace: puppet
spec:
ports:
- name: puppetboard
port: 80
protocol: TCP
targetPort: puppetboard
selector:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/name: puppetserver
type: ClusterIP
-23
View File
@@ -1,23 +0,0 @@
apiVersion: v1
kind: Service
metadata:
annotations:
external-dns.alpha.kubernetes.io/hostname: puppetca.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.2
purelb.io/addresses: 198.18.200.2
purelb.io/service-group: common
labels:
app.kubernetes.io/component: puppetserver-master
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetca
namespace: puppet
spec:
ports:
- name: puppetserver
port: 8140
selector:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/name: puppetserver
type: LoadBalancer
-23
View File
@@ -1,23 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetdb
namespace: puppet
spec:
clusterIP: null
ports:
- name: pdb-http
port: 8080
targetPort: pdb-http
- name: pdb-https
port: 8081
targetPort: pdb-https
selector:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/name: puppetserver
type: ClusterIP
@@ -1,18 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-agents-to-puppet
namespace: puppet
spec:
ports:
- name: puppetserver
port: 8140
selector:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/name: puppetserver
type: ClusterIP

Some files were not shown because too many files have changed in this diff Show More