1 Commits

Author SHA1 Message Date
unkinben 32dce4a76c feat: ensure puppet is available externally
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
- change puppet/puppetca -> LoadBalancer
- dedicate ip's for puppet and puppetca loadbalancers
- name the puppetserver port
- remove puppet/puppetca ingress
2026-03-18 15:05:35 +11:00
178 changed files with 514 additions and 4836 deletions
+1 -11
View File
@@ -3,16 +3,6 @@ when:
steps:
- name: kubeconform
image: git.unkin.net/unkin/almalinux9-kubetest:20260319
image: git.unkin.net/unkin/almalinux9-kubetest:20260308
commands:
- make kubeconform
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
-10
View File
@@ -6,13 +6,3 @@ steps:
image: git.unkin.net/unkin/almalinux9-base:20260308
commands:
- uvx pre-commit run --all-files
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 256Mi
cpu: 250m
limits:
memory: 1Gi
cpu: 1
@@ -19,8 +19,8 @@ spec:
automountServiceAccountToken: true
containers:
- name: artifactapi
image: git.unkin.net/unkin/artifactapi:v2.7.2
imagePullPolicy: IfNotPresent
image: git.unkin.net/unkin/almalinux9-artifactapi:latest
imagePullPolicy: Always
ports:
- containerPort: 8000
name: http
@@ -60,30 +60,10 @@ spec:
cpu: 100m
memory: 256Mi
volumeMounts:
- mountPath: /etc/artifactapi/conf.d/config.yaml
- mountPath: /app/remotes.yaml
mountPropagation: None
name: remotes-config
subPath: config.yaml
- mountPath: /etc/artifactapi/conf.d/local-generic.yaml
name: remotes-config
subPath: local-generic.yaml
- mountPath: /etc/artifactapi/conf.d/remote-alpine.yaml
name: remotes-config
subPath: remote-alpine.yaml
- mountPath: /etc/artifactapi/conf.d/remote-docker.yaml
name: remotes-config
subPath: remote-docker.yaml
- mountPath: /etc/artifactapi/conf.d/remote-generic.yaml
name: remotes-config
subPath: remote-generic.yaml
- mountPath: /etc/artifactapi/conf.d/remote-helm.yaml
name: remotes-config
subPath: remote-helm.yaml
- mountPath: /etc/artifactapi/conf.d/remote-rpm.yaml
name: remotes-config
subPath: remote-rpm.yaml
- mountPath: /etc/artifactapi/conf.d/virtual-helm.yaml
name: remotes-config
subPath: virtual-helm.yaml
subPath: remotes.yaml
restartPolicy: Always
volumes:
- configMap:
+1 -1
View File
@@ -5,7 +5,7 @@ metadata:
name: artifactapi-env
namespace: artifactapi
data:
CONFIG_PATH: /etc/artifactapi/conf.d/
CONFIG_PATH: /app/remotes.yaml
DBHOST: postgres-service
DBNAME: artifacts
DBPORT: "5432"
+1 -8
View File
@@ -18,13 +18,6 @@ resources:
configMapGenerator:
- name: remotes-config
files:
- resources/conf.d/config.yaml
- resources/conf.d/local-generic.yaml
- resources/conf.d/remote-generic.yaml
- resources/conf.d/remote-alpine.yaml
- resources/conf.d/remote-rpm.yaml
- resources/conf.d/remote-docker.yaml
- resources/conf.d/remote-helm.yaml
- resources/conf.d/virtual-helm.yaml
- resources/remotes.yaml
options:
disableNameSuffixHash: true
@@ -1,3 +0,0 @@
# Global artifactapi configuration.
# S3, Redis, and database connection settings are injected via environment variables.
# Add any top-level overrides here if needed.
@@ -1,7 +0,0 @@
locals:
local-generic:
package: "generic"
description: "Local generic file repository"
cache:
immutable_ttl: 0
mutable_ttl: 0
@@ -1,10 +0,0 @@
remotes:
alpine:
base_url: "https://dl-cdn.alpinelinux.org"
package: "alpine"
description: "Alpine Linux APK package repository"
immutable_patterns:
- ".*/x86_64/.*\\.apk$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
@@ -1,96 +0,0 @@
remotes:
ghcr:
base_url: "https://ghcr.io"
package: "docker"
description: "GitHub Container Registry"
immutable_patterns:
- "^cloudnative-pg/cloudnative-pg"
- "^emberstack/helm-charts"
- "^openvoxproject/"
- "^stakater/reloader"
- "^voxpupuli/puppetboard"
- "^woodpecker-ci/helm"
cache:
immutable_ttl: 0
mutable_ttl: 300
dockerhub:
base_url: "https://registry-1.docker.io"
package: "docker"
description: "Docker Hub registry"
immutable_patterns:
- "^library/almalinux"
- "^library/busybox"
- "^library/debian"
- "^library/fedora"
- "^library/nginx"
- "^library/postgres"
- "^library/redis"
- "^beats/filebeat"
- "^bitnami/"
- "^curlimages/curl"
- "^emberstack/kubernetes-reflector"
- "^hashicorp/vault-secrets-operator"
- "^jfrog/"
- "^rancher/"
- "^traefik/"
- "^ubi9/ubi-minimal"
- "^victoriametrics/"
- "^woodpeckerci/"
cache:
immutable_ttl: 0
mutable_ttl: 300
quay:
base_url: "https://quay.io"
package: "docker"
description: "Quay.io container registry"
immutable_patterns:
- "^brancz/kube-rbac-proxy"
- "^cephcsi/cephcsi"
- "^jetstack/cert-manager-"
cache:
immutable_ttl: 0
mutable_ttl: 300
k8s-registry:
base_url: "https://registry.k8s.io"
package: "docker"
description: "Kubernetes container registry"
immutable_patterns:
- "^external-dns/external-dns"
- "^sig-storage/"
cache:
immutable_ttl: 0
mutable_ttl: 300
gitlab:
base_url: "https://registry.gitlab.com"
package: "docker"
description: "GitLab container registry"
immutable_patterns:
- "^purelb/purelb"
cache:
immutable_ttl: 0
mutable_ttl: 300
elastic:
base_url: "https://docker.elastic.co"
package: "docker"
description: "Elastic container registry"
immutable_patterns:
- "^eck/eck-operator"
cache:
immutable_ttl: 0
mutable_ttl: 300
gcr:
base_url: "https://gcr.io"
package: "docker"
description: "Google Container Registry"
immutable_patterns:
- "^k8s-staging-nfd/charts"
- "^k8s-staging-nfd/node-feature-discovery"
cache:
immutable_ttl: 0
mutable_ttl: 300
@@ -1,130 +0,0 @@
remotes:
github:
base_url: "https://github.com"
package: "generic"
description: "GitHub releases and files"
mutable_patterns:
- ".*/archive/refs/heads/.*.tar.gz$"
immutable_patterns:
- ".*/archive/refs/tags/.*.tar.gz$"
- "ahmetb/kubectx/.*/kubectx_.*_linux_x86_64.tar.gz$"
- "ahmetb/kubectx/.*/kubens_.*_linux_x86_64.tar.gz$"
- "apple/foundationdb/.*/libfdb_c.x86_64.so$"
- "astral-sh/ruff/.*/ruff-x86_64-unknown-linux-gnu.tar.gz$"
- "astral-sh/uv/.*/uv-x86_64-unknown-linux-gnu.tar.gz$"
- "camptocamp/prometheus-puppetdb-exporter/.*/prometheus-puppetdb-exporter-.*.linux-amd64.tar.gz$"
- "coder/code-server/.*/code-server-.*-amd64.rpm$"
- "containernetworking/plugins/.*/cni-plugins-linux-amd64-.*.tgz"
- "dandavison/delta/.*/delta-.*-x86_64-unknown-linux-musl.tar.gz$"
- "ducaale/xh/.*/xh-.*-x86_64-unknown-linux-musl.tar.gz$"
- "etcd-io/etcd/.*/etcd-.*-linux-amd64.tar.gz$"
- "getsops/sops/.*/sops-v.*\\.linux\\.amd64$"
- "grafana/jsonnet-language-server/.*/jsonnet-language-server_.*_linux_amd64$"
- "gruntwork-io/boilerplate/.*/boilerplate_linux_amd64$"
- "gruntwork-io/terragrunt/.*terragrunt_linux_amd64.*"
- "hadolint/hadolint/.*/hadolint-linux-x86_64$"
- "helmfile/helmfile/.*/helmfile_.*_linux_amd64.tar.gz$"
- "helmfile/vals/.*/vals_.*_linux_amd64.tar.gz$"
- "jesseduffield/lazydocker/.*/lazydocker_.*_Linux_x86_64.tar.gz$"
- "kubecolor/kubecolor/.*/kubecolor_.*_linux_amd64.tar.gz$"
- "kubernetes-sigs/gateway-api/.*/standard-install.yaml$"
- "kubernetes-sigs/kustomize/.*/kustomize_.*_linux_amd64.tar.gz$"
- "lxc/incus/.*.tar.gz$"
- "mikefarah/yq/.*/yq_linux_amd64$"
- "neovim/neovim-releases/.*/nvim-linux-x86_64.tar.gz$"
- "neovim/neovim/.*/nvim-linux-x86_64.tar.gz$"
- "nzbgetcom/nzbget/.*/nzbget-.*.x86_64.rpm$"
- "onedr0p/exportarr/.*/exportarr_.*_linux_amd64.tar.gz$"
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-consul_linux_amd64_.*.tar.gz$"
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-nomad_linux_amd64_.*.tar.gz$"
- "prometheus-community/bind_exporter/.*/bind_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/pgbouncer_exporter/.*/pgbouncer_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/postgres_exporter/.*/postgres_exporter-.*.linux-amd64.tar.gz$"
- "prometheus/node_exporter/.*/node_exporter-.*.linux-amd64.tar.gz$"
- "rancher/rke2/.*/rke2-images.linux-amd64.tar.zst$"
- "stalwartlabs/stalwart/.*/stalwart-cli-x86_64-unknown-linux-gnu.tar.gz$"
- "stalwartlabs/stalwart/.*/stalwart-foundationdb-x86_64-unknown-linux-gnu.tar.gz$"
- "stalwartlabs/stalwart/.*/stalwart-x86_64-unknown-linux-gnu.tar.gz$"
- "starship/starship/.*/starship-x86_64-unknown-linux-musl.tar.gz$"
- "stern/stern/.*/stern_.*_linux_amd64.tar.gz$"
- "terraform-linters/tflint/.*/tflint_linux_amd64.zip$"
- "tynany/frr_exporter/.*/frr_exporter-.*.linux-amd64.tar.gz$"
- "VictoriaMetrics/VictoriaLogs/.*/victoria-logs-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaLogs/.*/vlutils-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-logs-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-metrics-linux-amd64-.*-cluster.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/vlutils-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/vmutils-linux-amd64-.*.tar.gz$"
- "xorpaul/g10k/.*/g10k-.*-linux-amd64.zip$"
- "yannh/kubeconform/.*/kubeconform-linux-amd64.tar.gz$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
github_user:
base_url: "https://raw.githubusercontent.com"
package: "generic"
description: "GitHub User Content"
immutable_patterns:
- "argoproj/argo-cd/.*.yaml$"
- "yannh/kubernetes-json-schema/master/.*.json$"
- "datreeio/CRDs-catalog/main/.*.json$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
gitea-dl:
base_url: "https://dl.gitea.com"
package: "generic"
description: "Gitea download site"
immutable_patterns:
- "act_runner/.*/act_runner-.*-linux-amd64$"
- "tea/.*/tea-.*-linux-amd64$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
hashicorp-releases:
base_url: "https://releases.hashicorp.com"
package: "generic"
description: "HashiCorp product releases"
immutable_patterns:
- "terraform/.*terraform_.*_linux_amd64\\.zip$"
- "terraform/.*terraform_.*_windows_amd64\\.zip$"
- "terraform/.*terraform_.*_darwin_amd64\\.zip$"
- "vault/.*vault_.*_linux_amd64\\.zip$"
- "vault/.*vault_.*_windows_amd64\\.zip$"
- "vault/.*vault_.*_darwin_amd64\\.zip$"
- "consul-cni/.*/consul-cni_.*_linux_amd64\\.zip$"
- "consul/.*/consul_.*_linux_amd64\\.zip$"
- "nomad-autoscaler/.*/nomad-autoscaler_.*_linux_amd64\\.zip$"
- "nomad/.*/nomad_.*_linux_amd64\\.zip$"
- "packer/.*/packer_.*_linux_amd64\\.zip$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
rarlab:
base_url: "https://www.rarlab.com"
package: "generic"
description: "RARLab"
immutable_patterns:
- "rar/rarlinux-x64-.*.tar.gz"
cache:
immutable_ttl: 0
mutable_ttl: 7200
claude-ai:
base_url: "https://downloads.claude.ai"
package: "generic"
description: "Anthropic Claude Code binary releases"
mutable_patterns:
- "claude-code-releases/.*/manifest.json$"
immutable_patterns:
- "claude-code-releases/.*/linux-x64/claude$"
- "claude-code-releases/.*/linux-arm64/claude$"
- "claude-code-releases/.*/linux-x64-musl/claude$"
- "claude-code-releases/.*/linux-arm64-musl/claude$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
@@ -1,143 +0,0 @@
remotes:
ceph-csi:
base_url: "https://ceph.github.io/csi-charts"
package: "helm"
description: "Ceph CSI driver Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
cnpg:
base_url: "https://cloudnative-pg.github.io/charts"
package: "helm"
description: "CloudNativePG operator Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
elastic-helm:
base_url: "https://helm.elastic.co"
package: "helm"
description: "Elastic stack Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
external-dns:
base_url: "https://kubernetes-sigs.github.io/external-dns/"
package: "helm"
description: "ExternalDNS Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
hashicorp-helm:
base_url: "https://helm.releases.hashicorp.com"
package: "helm"
description: "HashiCorp Helm charts (Vault Secrets Operator, etc.)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
intel-helm:
base_url: "https://intel.github.io/helm-charts/"
package: "helm"
description: "Intel Helm charts (device plugins)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
jetstack:
base_url: "https://charts.jetstack.io"
package: "helm"
description: "Jetstack Helm charts (cert-manager)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
purelb:
base_url: "https://gitlab.com/api/v4/projects/20400619/packages/helm/stable"
package: "helm"
description: "PureLB load balancer Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
rancher-stable:
base_url: "https://releases.rancher.com/server-charts/stable"
package: "helm"
description: "Rancher stable Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
stakater:
base_url: "https://stakater.github.io/stakater-charts"
package: "helm"
description: "Stakater Helm charts (Reloader)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
traefik:
base_url: "https://traefik.github.io/charts"
package: "helm"
description: "Traefik Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
victoriametrics:
base_url: "https://victoriametrics.github.io/helm-charts/"
package: "helm"
description: "VictoriaMetrics observability Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
argo-helm:
base_url: "https://argoproj.github.io/argo-helm"
package: "helm"
description: "Argo Project Helm charts (ArgoCD, Image Updater, Rollouts, etc.)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
@@ -1,154 +0,0 @@
remotes:
almalinux:
base_url: "https://gsl-syd.mm.fcix.net/almalinux"
package: "rpm"
description: "AlmaLinux RPM package repository"
immutable_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.sqlite.*$"
- ".*/repodata/.*\\.xml.*$"
- ".*/repodata/.*\\.yaml.*$"
- ".*/install.img"
- ".*/squashfs.img"
- ".*/updates.img"
- ".*/RPM-GPG-KEY-.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
ceph-reef:
base_url: "https://download.ceph.com/rpm-reef/"
package: "rpm"
description: "Ceph Reef 18"
immutable_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
ceph-squid:
base_url: "https://download.ceph.com/rpm-squid/"
package: "rpm"
description: "Ceph Squid 19"
immutable_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
ceph-tentacle:
base_url: "https://download.ceph.com/rpm-tentacle/"
package: "rpm"
description: "Ceph Tentacle 20"
immutable_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
epel:
base_url: "https://gsl-syd.mm.fcix.net/epel"
package: "rpm"
description: "EPEL (Extra Packages for Enterprise Linux)"
immutable_patterns:
- ".*/Everything/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.sqlite.*$"
- ".*/repodata/.*\\.xml.*$"
- ".*/repodata/.*\\.yaml.*$"
- "RPM-GPG-KEY-.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
fedora:
base_url: "https://gsl-syd.mm.fcix.net/fedora/linux"
package: "rpm"
description: "Fedora Linux RPM package repository"
immutable_patterns:
- "releases/.*/Everything/x86_64/.*\\.rpm$"
- "updates/.*/Everything/x86_64/.*\\.rpm$"
- "development/.*/Everything/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
frr:
base_url: "https://rpm.frrouting.org/repo"
package: "rpm"
description: "FRR RPM package repository"
immutable_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
mariadb:
base_url: "http://mariadb.mirror.digitalpacific.com.au/yum"
package: "rpm"
description: "MariaDB RPM package repository"
immutable_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- ".*/RPM-GPG-KEY-.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
openvox:
base_url: "https://yum.voxpupuli.org"
package: "rpm"
description: "OpenVox RPM package repository"
immutable_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- "GPG-KEY-.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
postgresql:
base_url: "https://download.postgresql.org/pub/repos/yum"
package: "rpm"
description: "PostgreSQL RPM package repository"
immutable_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- ".*/RPM-GPG-KEY-.*$"
- ".*/PGDG-RPM-GPG-KEY-.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
rke2:
base_url: "https://rpm.rancher.io"
package: "rpm"
description: "RKE2 RPM package repository"
immutable_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- "public.key$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
zfs:
base_url: "http://download.zfsonlinux.org"
package: "rpm"
description: "ZFS RPM package repository"
immutable_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
@@ -1,18 +0,0 @@
virtuals:
helm:
package: "helm"
description: "Virtual repository merging all helm remotes — member order is priority order for duplicate chart+version"
members:
- ceph-csi
- cnpg
- elastic-helm
- external-dns
- hashicorp-helm
- intel-helm
- jetstack
- purelb
- rancher-stable
- stakater
- traefik
- victoriametrics
- argo-helm
@@ -0,0 +1,286 @@
remotes:
github:
base_url: "https://github.com"
type: "remote"
package: "generic"
description: "GitHub releases and files"
include_patterns:
- "apple/foundationdb/.*/libfdb_c.x86_64.so$"
- "astral-sh/ruff/.*/ruff-x86_64-unknown-linux-gnu.tar.gz$"
- "astral-sh/uv/.*/uv-x86_64-unknown-linux-gnu.tar.gz$"
- "camptocamp/prometheus-puppetdb-exporter/.*/prometheus-puppetdb-exporter-.*.linux-amd64.tar.gz$"
- "containernetworking/plugins/.*/cni-plugins-linux-amd64-.*.tgz"
- "ducaale/xh/.*/xh-.*-x86_64-unknown-linux-musl.tar.gz$"
- "etcd-io/etcd/.*/etcd-.*-linux-amd64.tar.gz$"
- "grafana/jsonnet-language-server/.*/jsonnet-language-server_.*_linux_amd64$"
- "gruntwork-io/boilerplate/.*/boilerplate_linux_amd64$"
- "gruntwork-io/terragrunt/.*terragrunt_linux_amd64.*"
- "helmfile/helmfile/.*/helmfile_.*_linux_amd64.tar.gz$"
- "helmfile/vals/.*/vals_.*_linux_amd64.tar.gz$"
- "lxc/incus/.*.tar.gz$"
- "nzbgetcom/nzbget/.*/nzbget-.*.x86_64.rpm$"
- "onedr0p/exportarr/.*/exportarr_.*_linux_amd64.tar.gz$"
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-consul_linux_amd64_.*.tar.gz$"
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-nomad_linux_amd64_.*.tar.gz$"
- "prometheus/node_exporter/.*/node_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/bind_exporter/.*/bind_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/pgbouncer_exporter/.*/pgbouncer_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/postgres_exporter/.*/postgres_exporter-.*.linux-amd64.tar.gz$"
- "rancher/rke2/.*/rke2-images.linux-amd64.tar.zst$"
- "stalwartlabs/stalwart/.*/stalwart-cli-x86_64-unknown-linux-gnu.tar.gz$"
- "stalwartlabs/stalwart/.*/stalwart-foundationdb-x86_64-unknown-linux-gnu.tar.gz$"
- "stalwartlabs/stalwart/.*/stalwart-x86_64-unknown-linux-gnu.tar.gz$"
- "terraform-linters/tflint/.*/tflint_linux_amd64.zip$"
- "tynany/frr_exporter/.*/frr_exporter-.*.linux-amd64.tar.gz$"
- "VictoriaMetrics/VictoriaLogs/.*/victoria-logs-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaLogs/.*/vlutils-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-logs-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-metrics-linux-amd64-.*-cluster.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/vlutils-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/vmutils-linux-amd64-.*.tar.gz$"
- "xorpaul/g10k/.*/g10k-.*-linux-amd64.zip$"
cache:
file_ttl: 0
index_ttl: 0
github_user:
base_url: "https://raw.githubusercontent.com"
type: "remote"
package: "generic"
description: "GitHub User Content"
include_patterns:
- "argoproj/argo-cd/.*.yaml$"
- "yannh/kubernetes-json-schema/master/.*.json$"
- "datreeio/CRDs-catalog/main/.*.json$"
cache:
file_ttl: 0
index_ttl: 0
gitea-dl:
base_url: "https://dl.gitea.com"
type: "remote"
package: "generic"
description: "Gitea download site"
include_patterns:
- "act_runner/.*/act_runner-.*-linux-amd64$"
cache:
file_ttl: 0
index_ttl: 0
hashicorp-releases:
base_url: "https://releases.hashicorp.com"
type: "remote"
package: "generic"
description: "HashiCorp product releases"
include_patterns:
- "terraform/.*terraform_.*_linux_amd64\\.zip$"
- "terraform/.*terraform_.*_windows_amd64\\.zip$"
- "terraform/.*terraform_.*_darwin_amd64\\.zip$"
- "vault/.*vault_.*_linux_amd64\\.zip$"
- "vault/.*vault_.*_windows_amd64\\.zip$"
- "vault/.*vault_.*_darwin_amd64\\.zip$"
- "consul-cni/.*/consul-cni_.*_linux_amd64\\.zip$"
- "consul/.*/consul_.*_linux_amd64\\.zip$"
- "nomad-autoscaler/.*/nomad-autoscaler_.*_linux_amd64\\.zip$"
- "nomad/.*/nomad_.*_linux_amd64\\.zip$"
- "packer/.*/packer_.*_linux_amd64\\.zip$"
cache:
file_ttl: 0
index_ttl: 0
rarlab:
base_url: "https://www.rarlab.com"
type: "remote"
package: "generic"
description: "RARLab"
include_patterns:
- "rar/rarlinux-x64-.*.tar.gz"
cache:
file_ttl: 0
index_ttl: 0
alpine:
base_url: "https://dl-cdn.alpinelinux.org"
type: "remote"
package: "alpine"
description: "Alpine Linux APK package repository"
include_patterns:
- ".*/x86_64/.*\\.apk$"
cache:
file_ttl: 0
index_ttl: 7200
almalinux:
base_url: "https://gsl-syd.mm.fcix.net/almalinux"
type: "remote"
package: "rpm"
description: "AlmaLinux RPM package repository"
include_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.sqlite.*$"
- ".*/repodata/.*\\.xml.*$"
- ".*/repodata/.*\\.yaml.*$"
- ".*/install.img"
- ".*/squashfs.img"
- ".*/updates.img"
- ".*/RPM-GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
ceph-reef:
base_url: "https://download.ceph.com/rpm-reef/"
type: "remote"
package: "rpm"
description: "Ceph Reef 18"
include_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
ceph-squid:
base_url: "https://download.ceph.com/rpm-squid/"
type: "remote"
package: "rpm"
description: "Ceph Squid 19"
include_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
ceph-tentacle:
base_url: "https://download.ceph.com/rpm-tentacle/"
type: "remote"
package: "rpm"
description: "Ceph Tentacle 20"
include_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
epel:
base_url: "https://gsl-syd.mm.fcix.net/epel"
type: "remote"
package: "rpm"
description: "EPEL (Extra Packages for Enterprise Linux)"
include_patterns:
- ".*/Everything/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.sqlite.*$"
- ".*/repodata/.*\\.xml.*$"
- ".*/repodata/.*\\.yaml.*$"
- "RPM-GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
fedora:
base_url: "https://gsl-syd.mm.fcix.net/fedora/linux"
type: "remote"
package: "rpm"
description: "Fedora Linux RPM package repository"
include_patterns:
- "releases/.*/Everything/x86_64/.*\\.rpm$"
- "updates/.*/Everything/x86_64/.*\\.rpm$"
- "development/.*/Everything/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
frr:
base_url: "https://rpm.frrouting.org/repo"
type: "remote"
package: "rpm"
description: "FRR RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
mariadb:
base_url: "http://mariadb.mirror.digitalpacific.com.au/yum"
type: "remote"
package: "rpm"
description: "MariaDB RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- ".*/RPM-GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
openvox:
base_url: "https://yum.voxpupuli.org"
type: "remote"
package: "rpm"
description: "OpenVox RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- "GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
postgresql:
base_url: "https://download.postgresql.org/pub/repos/yum"
type: "remote"
package: "rpm"
description: "PostgreSQL RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- ".*/RPM-GPG-KEY-.*$"
- ".*/PGDG-RPM-GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
rke2:
base_url: "https://rpm.rancher.io"
type: "remote"
package: "rpm"
description: "RKE2 RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- "public.key$"
cache:
file_ttl: 0
index_ttl: 7200
zfs:
base_url: "http://download.zfsonlinux.org"
type: "remote"
package: "rpm"
description: "ZFS RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
local-generic:
type: "local"
package: "generic"
description: "Local generic file repository"
cache:
file_ttl: 0
index_ttl: 0
-29
View File
@@ -1,29 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: rancher.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: rancher.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: "198.18.200.4"
name: rancher
namespace: cattle-system
spec:
gatewayClassName: traefik-internal
listeners:
- allowedRoutes:
namespaces:
from: Same
hostname: rancher.k8s.syd1.au.unkin.net
name: https
port: 443
protocol: HTTPS
tls:
certificateRefs:
- kind: Secret
name: rancher-tls
mode: Terminate
-20
View File
@@ -1,20 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: rancher
namespace: cattle-system
spec:
hostnames:
- rancher.k8s.syd1.au.unkin.net
parentRefs:
- name: rancher
sectionName: https
rules:
- backendRefs:
- name: rancher
port: 80
matches:
- path:
type: PathPrefix
value: /
@@ -1,10 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- gateway.yaml
- httproute.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cattle-system
-18
View File
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: rancher
namespace: cattle-system
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- cattle-system
kubernetes:
role: rancher
serviceAccount: rancher
audiences:
- vault
tokenExpirationSeconds: 600
@@ -1,15 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: rancher-bootstrap-secret
namespace: cattle-system
spec:
vaultAuthRef: rancher
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/rancher/bootstrap-password
refreshAfter: 5m
destination:
name: rancher-bootstrap-secret
create: true
-12
View File
@@ -1,12 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-vault-token-creator
labels:
app.kubernetes.io/name: "cert-manager-config"
app.kubernetes.io/instance: "cert-manager-config"
rules:
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
@@ -1,16 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-vault-token-creator
labels:
app.kubernetes.io/name: "cert-manager-config"
app.kubernetes.io/instance: "cert-manager-config"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-vault-token-creator
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
@@ -1,9 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- serviceaccount.yaml
- clusterrole.yaml
- clusterrolebinding.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager
@@ -1,11 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-issuer
namespace: cert-manager
labels:
app.kubernetes.io/name: "cert-manager-config"
app.kubernetes.io/instance: "cert-manager-config"
app.kubernetes.io/component: "vault-issuer"
automountServiceAccountToken: true
@@ -1,7 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vault-ca-cert.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: certificates
-59
View File
@@ -1,59 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: vault-ca-cert
namespace: certificates
labels:
app.kubernetes.io/name: vault-ca-cert
app.kubernetes.io/part-of: vault-secrets-operator
annotations:
description: "Vault CA certificate replicated to all namespaces"
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""
type: Opaque
stringData:
ca.crt: |
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgIULZAR/QcvAnxdi04S6bXhNeazozYwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDQyNzExMzcyMloXDTI5MDQy
NjExMzc1MlowKzEpMCcGA1UEAxMgdW5raW4ubmV0IEludGVybWVkaWF0ZSBBdXRo
b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDq0ZU2DnuYW5s
E3lPjVe2Ns6cPu64yx1GLVqB5VbOUs71ThRjPjvEwE98YtGMza8ok0CQSqS2qX8z
vnMbnVCaWKjCnem/dtQtB+8WCu5uQuNHhwqxgw1tD/klAkVLWGgTPDEgasvjDMkc
sW8in/BhtrV9YA/lQGpge+j9/MFXhlnvaLCPybFifPRX9Yc5CcnhSzLSzFPO4PJx
VH4Qu9eByyKHMTvgcCy6p9qjjzz+8dtAlxeIsgfTEdvtfCPowsF+v2XooutTsJt0
xUDvUDu4xV6tVCEOYRA2cZHkLRBhV289M0hocHrsGqMmA1+j0skwwt/6UkVHqlCT
mitItX+RAgMBAAGjgewwgekwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
Af8wHQYDVR0OBBYEFEp/+grAdVqRSeb9xJjSeZYNW32MMB8GA1UdIwQYMBaAFBqc
v6Y+hfHt4EjgKa/uoQGEHTknMEcGCCsGAQUFBwEBBDswOTA3BggrBgEFBQcwAoYr
aHR0cHM6Ly92YXVsdC5zZXJ2aWNlLmNvbnN1bC92MS9wa2lfcm9vdC9jYTA9BgNV
HR8ENjA0MDKgMKAuhixodHRwczovL3ZhdWx0LnNlcnZpY2UuY29uc3VsL3YxL3Br
aV9yb290L2NybDANBgkqhkiG9w0BAQsFAAOCAQEAM0FS8tscZe7yly/gM7jO6lx5
muMFusifjUIrcQGnZBkoECeuUVPNTs3e/Th+XaxjCnmSpqSNT3z9Irr6Hhxf7n03
4+hpF3G0bf1yh4DRex/0ua3szvgo91RwyKVQM1BHIA1PwdF8csO+LT4FTMILzo4U
DdSVvDEIaxYYQCDNfAD81n+8lmFbabupfsKbkSTR+sNTS+TMnLpN8YwSXdB0e+RU
eEZRNVu0jKmbE8U/66Sc33YLe6cxbCclHA+G4giGwEP+lYZk+rFjmr6ci9bj5yyN
Sznr7xdW0ofOdACAQFFy5KTZqCDjIrvk12vUn4bSsXmWVIQEd+jPx6wuxD/rSw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDLzCCAhegAwIBAgIUIDADwsHIrQ8dfncpechBdIUCQdIwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDQyNzExMjcwMloXDTM0MDQy
NTExMjczMlowFDESMBAGA1UEAxMJdW5raW4ubmV0MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA3ENPv7R7gCUJAg8Q4hB2LEZSdvbK155YbcrguLDDnu6m
2fkJn8jYMMW3Z6/+Y04ouGwi6sKup8ggTb217sY+dC4IUZjotDPAhruxfXVQAh0v
Yr3RYoxVDrm4nRSFLo1RA4Qt+1KK299mHGQf9iAiwbsFp5mDrJT9uz15FE2uWmbK
8/onMyJC4fnkMihVN6NIgTtjpHYNm5aAJwxoWldTopgF0ucb7X3XVPNbKAmd3Avd
lsOo6m751zSZ0HvJOxgRSy7lvPzMuUfCQsOcmI4O4+Z2FL4Y7p+T9DvWkciC7L3i
tBiK30fPfGKNpWaof1ONCcPQNjMwWcEFXqSiWUOXkwIDAQABo3kwdzAOBgNVHQ8B
Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGpy/pj6F8e3gSOAp
r+6hAYQdOScwHwYDVR0jBBgwFoAUGpy/pj6F8e3gSOApr+6hAYQdOScwFAYDVR0R
BA0wC4IJdW5raW4ubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQA5xocILzuvD+R2Iub1
UnTdcVpgNcxJmESz0eX4UrkcBmddtuFINXvDTv5//XTFs78LsVVSf00xZ+2C62Xe
xRdCdluHN8VDCAKulP4XJY1BiZ7im0v+iMgPDKhq4OXb86WFYI/8J6uRm7oIAwj1
zhhKxMimkzli+yHB8ipL15W7l68CMUgmOjFA+EG6sbfadFpQTX/h6TVj3FQPkU/p
UJEm2XjlGNAKGJrNRU47PM4vRDv5Joyowp9zv/pHFXvUJladaJupMKRJQVWQz1US
EXE67rawG79s3vm8dDolnbli/IhPHtjDRIprxAwrMs5tt9cY0xsRkFBZVcAOjrpb
4gqd
-----END CERTIFICATE-----
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cnpg-system
-9
View File
@@ -1,9 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- storageclass.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: csi-cephfs
-83
View File
@@ -1,83 +0,0 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid6-delete
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Delete
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_6_2"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_6_2
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid6-retain
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Retain
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_6_2"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_6_2
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid5-delete
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Delete
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_4_1"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_4_1
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid5-retain
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Retain
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_4_1"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_4_1
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
-18
View File
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: ceph-csi-cephfs
namespace: csi-cephfs
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- csi-cephfs
kubernetes:
role: ceph-csi
serviceAccount: ceph-csi-cephfs-csi-cephfs-provisioner
audiences:
- vault
tokenExpirationSeconds: 600
@@ -1,15 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: csi-cephfs-secret
namespace: csi-cephfs
spec:
vaultAuthRef: ceph-csi-cephfs
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/csi/ceph-cephfs-secret
refreshAfter: 5m
destination:
name: csi-cephfs-secret
create: true
-9
View File
@@ -1,9 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- storageclass.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: csi-cephrbd
-39
View File
@@ -1,39 +0,0 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephrbd-fast-delete
annotations:
storageclass.kubernetes.io/is-default-class: "true"
provisioner: rbd.csi.ceph.com
reclaimPolicy: Delete
allowVolumeExpansion: true
parameters:
clusterID: "de96a98f-3d23-465a-a899-86d3d67edab8"
pool: "kubernetes"
imageFeatures: "layering"
csi.storage.k8s.io/provisioner-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/controller-expand-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/node-stage-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephrbd"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephrbd-fast-retain
provisioner: rbd.csi.ceph.com
reclaimPolicy: Retain
allowVolumeExpansion: true
parameters:
clusterID: "de96a98f-3d23-465a-a899-86d3d67edab8"
pool: "kubernetes"
imageFeatures: "layering"
csi.storage.k8s.io/provisioner-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/controller-expand-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/node-stage-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephrbd"
-18
View File
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: ceph-csi-rbd
namespace: csi-cephrbd
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- csi-cephrbd
kubernetes:
role: ceph-csi
serviceAccount: ceph-csi-rbd-csi-rbd-provisioner
audiences:
- vault
tokenExpirationSeconds: 600
@@ -1,15 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: csi-rbd-secret
namespace: csi-cephrbd
spec:
vaultAuthRef: ceph-csi-rbd
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/csi/ceph-rbd-secret
refreshAfter: 5m
destination:
name: csi-rbd-secret
create: true
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
-7
View File
@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: elastic-system
name: elastic-system
-8
View File
@@ -1,8 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: externaldns
-18
View File
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: externaldns
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- externaldns
kubernetes:
role: externaldns
serviceAccount: externaldns
audiences:
- vault
tokenExpirationSeconds: 600
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: externaldns-tsig
namespace: externaldns
spec:
vaultAuthRef: default
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/externaldns/tsig
refreshAfter: 5m
destination:
name: externaldns-tsig
create: true
rolloutRestartTargets:
- kind: Deployment
name: externaldns
@@ -1,19 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
helmCharts:
- name: intel-device-plugins-operator
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.35.0"
releaseName: intel-device-plugins-operator
namespace: inteldeviceplugins-system
- name: intel-device-plugins-gpu
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.34.1"
releaseName: intel-gpu-plugin
namespace: inteldeviceplugins-system
valuesFile: values-gpu-plugin.yaml
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: inteldeviceplugins-system
@@ -1,13 +0,0 @@
---
name: intel-gpu-device-plugin
sharedDevNum: 4
logLevel: 2
enableMonitoring: true
allocationPolicy: "none"
image:
hub: intel
tag: "" # Use latest from chart
nodeSelector:
intel.feature.node.kubernetes.io/gpu: 'true'
nodeFeatureRule: true
tolerations: []
@@ -2,4 +2,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: litellm
name: jfrog
-91
View File
@@ -1,91 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: litellm-postgres
namespace: litellm
spec:
affinity:
podAntiAffinityType: preferred
bootstrap:
initdb:
database: litellm
encoding: UTF8
localeCType: C
localeCollate: C
owner: litellm
secret:
name: postgres-credentials
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
instances: 3
logLevel: info
maxSyncReplicas: 0
minSyncReplicas: 0
monitoring:
customQueriesConfigMap:
- key: queries
name: cnpg-default-monitoring
disableDefaultQueries: false
enablePodMonitor: false
postgresql:
parameters:
archive_mode: "on"
archive_timeout: 5min
dynamic_shared_memory_type: posix
effective_cache_size: 256MB
full_page_writes: "on"
log_destination: csvlog
log_directory: /controller/log
log_filename: postgres
log_rotation_age: "0"
log_rotation_size: "0"
log_truncate_on_rotation: "false"
logging_collector: "on"
max_connections: "200"
max_parallel_workers: "16"
max_replication_slots: "16"
max_worker_processes: "16"
shared_buffers: 128MB
shared_memory_type: mmap
ssl_max_protocol_version: TLSv1.3
ssl_min_protocol_version: TLSv1.3
wal_keep_size: 256MB
wal_level: logical
wal_log_hints: "on"
wal_receiver_timeout: 5s
wal_sender_timeout: 5s
syncReplicaElectionConstraint:
enabled: false
primaryUpdateMethod: restart
primaryUpdateStrategy: unsupervised
probes:
liveness:
isolationCheck:
connectionTimeout: 1000
enabled: true
requestTimeout: 1000
replicationSlots:
highAvailability:
enabled: true
slotPrefix: _cnpg_
synchronizeReplicas:
enabled: true
updateInterval: 30
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
smartShutdownTimeout: 180
startDelay: 3600
stopDelay: 1800
storage:
resizeInUseVolumes: true
size: 10Gi
storageClass: cephrbd-fast-delete
switchoverDelay: 3600
-33
View File
@@ -1,33 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: litellm-postgres-pooler
namespace: litellm
spec:
cluster:
name: litellm-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler
topologyKey: kubernetes.io/hostname
containers: []
type: rw
-71
View File
@@ -1,71 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: litellm
namespace: litellm
spec:
selector:
matchLabels:
app: litellm
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app: litellm
spec:
containers:
- name: litellm
image: docker.litellm.ai/berriai/litellm-database:main-stable
imagePullPolicy: Always
args:
- --config
- /app/config.yaml
- --port
- "4000"
- --num_workers
- "8"
ports:
- containerPort: 4000
name: http
protocol: TCP
envFrom:
- secretRef:
name: litellm-credentials
- configMapRef:
name: litellm-env
livenessProbe:
httpGet:
path: /health/liveliness
port: 4000
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /health/readiness
port: 4000
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: "2"
memory: 6Gi
requests:
cpu: 250m
memory: 2Gi
volumeMounts:
- mountPath: /app/config.yaml
name: config
subPath: config.yaml
restartPolicy: Always
volumes:
- name: config
configMap:
name: litellm-config
-41
View File
@@ -1,41 +0,0 @@
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: litellm-hpa
namespace: litellm
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: litellm
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 30
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 10
periodSeconds: 60
- type: Pods
value: 2
periodSeconds: 60
-29
View File
@@ -1,29 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
external-dns.alpha.kubernetes.io/hostname: litellm.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: litellm.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
name: litellm
namespace: litellm
spec:
rules:
- host: litellm.k8s.syd1.au.unkin.net
http:
paths:
- backend:
service:
name: litellm
port:
number: 4000
path: /
pathType: Prefix
tls:
- hosts:
- litellm.k8s.syd1.au.unkin.net
secretName: litellm-tls
-28
View File
@@ -1,28 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- deployment.yaml
- hpa.yaml
- ingress.yaml
- namespace.yaml
- redis-deployment.yaml
- redis-pvc.yaml
- services.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
configMapGenerator:
- name: litellm-config
files:
- config.yaml=resources/config.yaml
options:
disableNameSuffixHash: true
- name: litellm-env
literals:
- STORE_MODEL_IN_DB=True
options:
disableNameSuffixHash: true
-67
View File
@@ -1,67 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
namespace: litellm
spec:
replicas: 1
selector:
matchLabels:
app: redis
strategy:
type: Recreate
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: redis:7-alpine
imagePullPolicy: IfNotPresent
command:
- redis-server
- --save
- "20"
- "1"
ports:
- containerPort: 6379
name: redis
protocol: TCP
livenessProbe:
exec:
command:
- redis-cli
- ping
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
exec:
command:
- redis-cli
- ping
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
volumeMounts:
- mountPath: /data
mountPropagation: None
name: data
restartPolicy: Always
volumes:
- name: data
persistentVolumeClaim:
claimName: litellm-redis-data
-14
View File
@@ -1,14 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: litellm-redis-data
namespace: litellm
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: cephrbd-fast-delete
volumeMode: Filesystem
-15
View File
@@ -1,15 +0,0 @@
model_list: []
router_settings:
redis_host: redis-service
redis_port: 6379
general_settings:
use_redis_transaction_buffer: true
litellm_settings:
cache: true
cache_params:
type: redis
host: redis-service
port: 6379
-34
View File
@@ -1,34 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: litellm
namespace: litellm
spec:
internalTrafficPolicy: Cluster
ports:
- name: http
port: 4000
protocol: TCP
targetPort: http
selector:
app: litellm
sessionAffinity: None
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: redis-service
namespace: litellm
spec:
internalTrafficPolicy: Cluster
ports:
- name: redis
port: 6379
protocol: TCP
targetPort: redis
selector:
app: redis
sessionAffinity: None
type: ClusterIP
-18
View File
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: litellm
spec:
allowedNamespaces:
- litellm
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
-34
View File
@@ -1,34 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-credentials
namespace: litellm
spec:
destination:
create: true
name: postgres-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/litellm/default/postgres-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: litellm-credentials
namespace: litellm
spec:
destination:
create: true
name: litellm-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/litellm/default/litellm-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
@@ -1,152 +0,0 @@
---
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
name: intel-dp-devices
namespace: node-feature-discovery
spec:
rules:
- name: "intel.dlb"
labels:
"intel.feature.node.kubernetes.io/dlb": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["2710"]}
class: {op: In, value: ["0b40"]}
- feature: kernel.loadedmodule
matchExpressions:
dlb2: {op: Exists}
- name: "intel.dsa"
labels:
"intel.feature.node.kubernetes.io/dsa": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["0b25", "11fb", "1212"]}
class: {op: In, value: ["0880"]}
- feature: kernel.loadedmodule
matchExpressions:
idxd: {op: Exists}
- name: "intel.fpga-arria10"
labels:
"intel.feature.node.kubernetes.io/fpga-arria10": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["09c4"]}
class: {op: In, value: ["1200"]}
matchAny:
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
dfl_pci: {op: Exists}
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
intel_fpga_pci: {op: Exists}
- name: "intel.gpu"
labels:
"intel.feature.node.kubernetes.io/gpu": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
class: {op: In, value: ["0300", "0380"]}
matchAny:
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
i915: {op: Exists}
- matchFeatures:
- feature: kernel.enabledmodule
matchExpressions:
i915: {op: Exists}
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
xe: {op: Exists}
- matchFeatures:
- feature: kernel.enabledmodule
matchExpressions:
xe: {op: Exists}
- name: "intel.iaa"
labels:
"intel.feature.node.kubernetes.io/iaa": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["0cfe", "1216"]}
class: {op: In, value: ["0880"]}
- feature: kernel.loadedmodule
matchExpressions:
idxd: {op: Exists}
- name: "intel.qat"
labels:
"intel.feature.node.kubernetes.io/qat": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["37c8", "4940", "4942", "4944", "4946", "4948"]}
class: {op: In, value: ["0b40"]}
- feature: kernel.loadedmodule
matchExpressions:
intel_qat: {op: Exists}
matchAny:
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
vfio_pci: {op: Exists}
- matchFeatures:
- feature: kernel.enabledmodule
matchExpressions:
vfio-pci: {op: Exists}
- name: "intel.sgx"
labels:
"intel.feature.node.kubernetes.io/sgx": "true"
extendedResources:
sgx.intel.com/epc: "@cpu.security.sgx.epc"
matchFeatures:
- feature: cpu.cpuid
matchExpressions:
SGX: {op: Exists}
SGXLC: {op: Exists}
- feature: cpu.security
matchExpressions:
sgx.enabled: {op: IsTrue}
- feature: kernel.config
matchExpressions:
X86_SGX: {op: Exists}
- name: "intel.npu"
labels:
"intel.feature.node.kubernetes.io/npu": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
class: {op: In, value: ["1200"]}
device: {
op: In,
value: ["7e4c", "643e", "ad1d", "7d1d"]
}
matchAny:
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
intel_vpu: {op: Exists}
- matchFeatures:
- feature: kernel.enabledmodule
matchExpressions:
intel_vpu: {op: Exists}
@@ -1,14 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- intel-nodefeaturerules.yaml
helmCharts:
- name: node-feature-discovery
repo: oci://gcr.io/k8s-staging-nfd/charts
version: "0.0.0-master"
releaseName: node-feature-discovery
namespace: node-feature-discovery
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: node-feature-discovery
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
-7
View File
@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: observability
name: observability
-91
View File
@@ -1,91 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: paperclip-postgres
namespace: paperclip
spec:
affinity:
podAntiAffinityType: preferred
bootstrap:
initdb:
database: paperclip
encoding: UTF8
localeCType: C
localeCollate: C
owner: paperclip
secret:
name: postgres-credentials
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
instances: 3
logLevel: info
maxSyncReplicas: 0
minSyncReplicas: 0
monitoring:
customQueriesConfigMap:
- key: queries
name: cnpg-default-monitoring
disableDefaultQueries: false
enablePodMonitor: false
postgresql:
parameters:
archive_mode: "on"
archive_timeout: 5min
dynamic_shared_memory_type: posix
effective_cache_size: 256MB
full_page_writes: "on"
log_destination: csvlog
log_directory: /controller/log
log_filename: postgres
log_rotation_age: "0"
log_rotation_size: "0"
log_truncate_on_rotation: "false"
logging_collector: "on"
max_connections: "200"
max_parallel_workers: "16"
max_replication_slots: "16"
max_worker_processes: "16"
shared_buffers: 128MB
shared_memory_type: mmap
ssl_max_protocol_version: TLSv1.3
ssl_min_protocol_version: TLSv1.3
wal_keep_size: 256MB
wal_level: logical
wal_log_hints: "on"
wal_receiver_timeout: 5s
wal_sender_timeout: 5s
syncReplicaElectionConstraint:
enabled: false
primaryUpdateMethod: restart
primaryUpdateStrategy: unsupervised
probes:
liveness:
isolationCheck:
connectionTimeout: 1000
enabled: true
requestTimeout: 1000
replicationSlots:
highAvailability:
enabled: true
slotPrefix: _cnpg_
synchronizeReplicas:
enabled: true
updateInterval: 30
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
smartShutdownTimeout: 180
startDelay: 3600
stopDelay: 1800
storage:
resizeInUseVolumes: true
size: 10Gi
storageClass: cephrbd-fast-delete
switchoverDelay: 3600
-33
View File
@@ -1,33 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: paperclip-pooler-rw
namespace: paperclip
spec:
cluster:
name: paperclip-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler
topologyKey: kubernetes.io/hostname
containers: []
type: rw
-108
View File
@@ -1,108 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: paperclip
namespace: paperclip
spec:
selector:
matchLabels:
app: paperclip
template:
metadata:
labels:
app: paperclip
spec:
containers:
- name: paperclip
image: ghcr.io/paperclipai/paperclip:latest
imagePullPolicy: Always
ports:
- containerPort: 3100
name: http
protocol: TCP
env:
- name: PORT
value: "3100"
- name: PAPERCLIP_BIND
value: custom
- name: PAPERCLIP_BIND_HOST
value: 0.0.0.0
- name: PAPERCLIP_API_URL
value: https://paperclip.k8s.syd1.au.unkin.net
- name: BETTER_AUTH_BASE_URL
value: https://paperclip.k8s.syd1.au.unkin.net
- name: PAPERCLIP_ALLOWED_HOSTNAMES
value: paperclip.k8s.syd1.au.unkin.net,localhost
- name: PAPERCLIP_HOME
value: /paperclip
- name: PAPERCLIP_INSTANCE_ID
value: default
- name: PAPERCLIP_DEPLOYMENT_MODE
value: authenticated
- name: PAPERCLIP_DEPLOYMENT_EXPOSURE
value: private
- name: SERVE_UI
value: "true"
- name: HEARTBEAT_SCHEDULER_ENABLED
value: "true"
- name: PAPERCLIP_MIGRATION_AUTO_APPLY
value: "true"
- name: PAPERCLIP_STORAGE_PROVIDER
value: s3
- name: PAPERCLIP_STORAGE_S3_BUCKET
value: paperclip
- name: PAPERCLIP_STORAGE_S3_REGION
value: us-east-1
- name: PAPERCLIP_STORAGE_S3_ENDPOINT
value: https://radosgw.service.consul
- name: PAPERCLIP_STORAGE_S3_FORCE_PATH_STYLE
value: "true"
- name: NODE_EXTRA_CA_CERTS
value: /etc/ssl/paperclip/ca.crt
envFrom:
- secretRef:
name: paperclip-credentials
volumeMounts:
- name: vault-ca-cert
mountPath: /etc/ssl/paperclip
readOnly: true
livenessProbe:
httpGet:
path: /api/health
port: 3100
httpHeaders:
- name: Host
value: localhost
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /api/health
port: 3100
httpHeaders:
- name: Host
value: localhost
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: "1"
memory: 2Gi
requests:
cpu: 250m
memory: 512Mi
volumes:
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
items:
- key: ca.crt
path: ca.crt
restartPolicy: Always
-29
View File
@@ -1,29 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
external-dns.alpha.kubernetes.io/hostname: paperclip.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: paperclip.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
name: paperclip
namespace: paperclip
spec:
rules:
- host: paperclip.k8s.syd1.au.unkin.net
http:
paths:
- backend:
service:
name: paperclip
port:
number: 3100
path: /
pathType: Prefix
tls:
- hosts:
- paperclip.k8s.syd1.au.unkin.net
secretName: paperclip-tls
-13
View File
@@ -1,13 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- deployment.yaml
- ingress.yaml
- namespace.yaml
- services.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: paperclip
-17
View File
@@ -1,17 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: paperclip
namespace: paperclip
spec:
internalTrafficPolicy: Cluster
ports:
- name: http
port: 3100
protocol: TCP
targetPort: http
selector:
app: paperclip
sessionAffinity: None
type: ClusterIP
-18
View File
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: paperclip
spec:
allowedNamespaces:
- paperclip
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
@@ -1,34 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-credentials
namespace: paperclip
spec:
destination:
create: true
name: postgres-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/paperclip/default/postgres-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: paperclip-credentials
namespace: paperclip
spec:
destination:
create: true
name: paperclip-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/paperclip/default/paperclip-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
-18
View File
@@ -19,24 +19,6 @@ spec:
postInitApplicationSQL:
- CREATE EXTENSION IF NOT EXISTS pg_trgm;
- CREATE EXTENSION IF NOT EXISTS pgcrypto;
- GRANT CONNECT ON DATABASE puppetdb TO puppetdb_read;
- GRANT USAGE ON SCHEMA public TO puppetdb_read;
- GRANT SELECT ON ALL TABLES IN SCHEMA public TO puppetdb_read;
- ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO puppetdb_read;
managed:
roles:
- name: puppetdb_read
ensure: present
comment: PuppetDB read-only database user
login: true
superuser: false
createdb: false
createrole: false
inherit: true
replication: false
connectionLimit: -1
passwordSecret:
name: postgres-read-credentials
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
+2 -35
View File
@@ -10,8 +10,8 @@ spec:
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
default_pool_size: "20"
max_client_conn: "100"
paused: false
poolMode: session
template:
@@ -31,36 +31,3 @@ spec:
topologyKey: kubernetes.io/hostname
containers: []
type: rw
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: puppet-postgres-pooler-ro
namespace: puppet
spec:
cluster:
name: puppet-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler-ro
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler-ro
topologyKey: kubernetes.io/hostname
containers: []
type: ro
@@ -11,11 +11,8 @@ metadata:
namespace: puppet
data:
PUPPETDB_HOST: "puppetdb"
PUPPETDB_PORT: "8081"
PUPPETDB_SSL_VERIFY: "/opt/puppetboard/ssl/ca.pem"
PUPPETDB_CERT: "/opt/puppetboard/ssl/puppetboard.pem"
PUPPETDB_KEY: "/opt/puppetboard/ssl/puppetboard.key"
LOGLEVEL: "debug"
PUPPETDB_PORT: "8080"
LOGLEVEL: "info"
PUPPETDB_TIMEOUT: "20"
UNRESPONSIVE_HOURS: "3"
ENABLE_CATALOG: "False"
@@ -10,14 +10,10 @@ metadata:
name: puppetdb-config
namespace: puppet
data:
USE_OPENVOXSERVER: "true"
OPENVOXSERVER_HOSTNAME: "puppetca"
OPENVOXSERVER_PORT: "8140"
DNS_ALT_NAMES: "openvoxdb,puppetdb,puppetdb.k8s.syd1.au.unkin.net,puppetdb.puppet.svc.cluster.local"
OPENVOXDB_POSTGRES_HOSTNAME: "puppet-postgres-pooler"
OPENVOXDB_POSTGRES_DATABASE: "puppetdb"
OPENVOXDB_POSTGRES_PORT: "5432"
OPENVOXDB_READ_POSTGRES_HOSTNAME: "puppet-postgres-pooler-ro"
OPENVOXDB_READ_POSTGRES_DATABASE: "puppetdb"
OPENVOXDB_READ_POSTGRES_PORT: "5432"
PUPPETDB_JAVA_ARGS: ""
@@ -1,18 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetdb-read-database-conf
namespace: puppet
data:
read-database.conf: |
read-database: {
subname: "//"${OPENVOXDB_READ_POSTGRES_HOSTNAME}":"${OPENVOXDB_READ_POSTGRES_PORT}"/"${OPENVOXDB_READ_POSTGRES_DATABASE}
username: ${OPENVOXDB_READ_POSTGRES_USER}
password: ${OPENVOXDB_READ_POSTGRES_PASSWORD}
}
@@ -11,7 +11,7 @@ metadata:
namespace: puppet
data:
OPENVOXSERVER_PORT: "8140"
DNS_ALT_NAMES: "puppetserver-compiler,puppet,puppet.k8s.syd1.au.unkin.net"
DNS_ALT_NAMES: "puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet,puppet.k8s.syd1.au.unkin.net"
OPENVOXDB_SERVER_URLS: "https://puppetdb:8081"
CA_ENABLED: "false"
CA_HOSTNAME: "puppetca"
+41 -9
View File
@@ -26,6 +26,38 @@ spec:
spec:
hostname: g10k-code
imagePullSecrets: null
initContainers:
- name: fetch-config
image: alpine/git:latest
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 100m
memory: 128Mi
args:
- |
set -e
echo "Cloning r10k config repository..."
git clone https://git.unkin.net/unkin/puppet-r10k.git /tmp/config
cp /tmp/config/r10k.yaml /shared/r10k.yaml
echo "r10k.yaml fetched successfully"
command:
- /bin/sh
- -c
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /shared
name: shared-config
containers:
- name: g10k-code
image: git.unkin.net/unkin/almalinux9-g10k:20260308
@@ -37,16 +69,11 @@ spec:
limits:
cpu: 200m
memory: 256Mi
command:
- /bin/sh
- -c
args:
- |
set -e
echo "Cloning r10k config repository..."
git clone https://git.unkin.net/unkin/puppet-r10k.git /tmp/r10k-config
echo "Running g10k..."
/usr/bin/g10k -config /tmp/r10k-config/r10k.yaml
- -config
- /shared/r10k.yaml
command:
- /usr/bin/g10k
envFrom: null
env: []
securityContext:
@@ -60,6 +87,8 @@ spec:
volumeMounts:
- mountPath: /etc/puppetlabs/code/
name: puppet-code-volume
- mountPath: /shared
name: shared-config
restartPolicy: OnFailure
securityContext:
fsGroup: 999
@@ -67,3 +96,6 @@ spec:
- name: puppet-code-volume
persistentVolumeClaim:
claimName: puppetserver-code-shared
- name: shared-config
persistentVolumeClaim:
claimName: puppetserver-shared-config
@@ -1,85 +0,0 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: generate-types
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: generate-types
namespace: puppet
spec:
schedule: "*/5 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app.kubernetes.io/component: generate-types
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
hostname: generate-types
imagePullSecrets: null
containers:
- name: generate-types
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
/opt/puppetlabs/puppet/bin/gem install deep_merge ipaddr hiera-eyaml toml
find /etc/puppetlabs/code/environments -mindepth 1 -maxdepth 1 -type d | while read -r envdir; do
env="$(basename "$envdir")"
echo "Generating types for $env"
puppet generate types --environment "$env"
done
env: []
resources:
limits:
cpu: 300m
memory: 1Gi
requests:
cpu: 200m
memory: 512Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- CAP_AUDIT_WRITE
- CAP_FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
- AUDIT_WRITE
- FOWNER
drop:
- all
volumeMounts:
- mountPath: /etc/puppetlabs/code/
name: puppet-code-volume
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
restartPolicy: OnFailure
securityContext:
fsGroup: 999
volumes:
- name: puppet-code-volume
persistentVolumeClaim:
claimName: puppetserver-code-shared
- name: puppet-puppet-volume
persistentVolumeClaim:
claimName: puppetserver-compiler-config-shared
@@ -29,110 +29,6 @@ spec:
app.kubernetes.io/version: 8.8.0
spec:
enableServiceLinks: false
initContainers:
- name: wait-puppetserver
image: curlimages/curl:8.11.1
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- |
echo 'Waiting for puppetserver to become ready...'
until printf "." && curl --silent --fail --insecure 'https://puppetca:8140/status/v1/simple' | grep -q '^running$'; do
sleep 2;
done;
echo 'Puppetserver OK ✓'
resources:
limits:
cpu: 20m
memory: 32Mi
requests:
cpu: 20m
memory: 32Mi
- name: cert-generator
image: git.unkin.net/unkin/almalinux9-base:20260308
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- |
set -e
# Set the hostname for the certificate
HOSTNAME="puppetboard"
CERT_DIR="/opt/puppetboard/ssl"
# Create certificate directory
mkdir -p ${CERT_DIR}
# Check if certificates already exist
if [ -f "${CERT_DIR}/${HOSTNAME}.pem" ] && [ -f "${CERT_DIR}/${HOSTNAME}.key" ] && [ -f "${CERT_DIR}/ca.pem" ]; then
echo "Certificates already exist for ${HOSTNAME}, skipping generation"
exit 0
fi
# Request certificate from Puppet CA for Puppetboard
echo "Requesting certificate for ${HOSTNAME} from puppetca service"
# Generate private key
openssl genrsa -out ${CERT_DIR}/${HOSTNAME}.key 2048
# Create certificate signing request (CSR)
openssl req -new -key ${CERT_DIR}/${HOSTNAME}.key \
-out /tmp/${HOSTNAME}.csr \
-subj "/CN=${HOSTNAME}"
# Submit CSR to Puppet CA
echo "Submitting certificate request to Puppet CA..."
curl -X PUT \
--insecure \
--data-binary @/tmp/${HOSTNAME}.csr \
-H "Content-Type: text/plain" \
https://puppetca:8140/puppet-ca/v1/certificate_request/${HOSTNAME}
# Wait for certificate to be signed (poll the CA)
echo "Waiting for certificate to be signed..."
for i in {1..30}; do
if curl --insecure -f -s https://puppetca:8140/puppet-ca/v1/certificate/${HOSTNAME} > ${CERT_DIR}/${HOSTNAME}.pem; then
echo "Certificate received for ${HOSTNAME}"
break
fi
echo "Attempt $i: Certificate not ready yet, waiting 10 seconds..."
sleep 10
done
# Verify we got the certificate
if [ ! -f "${CERT_DIR}/${HOSTNAME}.pem" ] || [ ! -s "${CERT_DIR}/${HOSTNAME}.pem" ]; then
echo "Failed to obtain certificate for ${HOSTNAME}"
exit 1
fi
# Get CA certificate
curl --insecure -f https://puppetca:8140/puppet-ca/v1/certificate/ca > ${CERT_DIR}/ca.pem
# Set appropriate permissions
chmod 644 ${CERT_DIR}/${HOSTNAME}.pem
chmod 600 ${CERT_DIR}/${HOSTNAME}.key
chmod 644 ${CERT_DIR}/ca.pem
# Change ownership to puppetboard user (1000:1000)
chown -R 1000:1000 ${CERT_DIR}
echo "Certificate generation completed for ${HOSTNAME}"
volumeMounts:
- name: puppetboard-certs
mountPath: /opt/puppetboard/ssl
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 50m
memory: 64Mi
securityContext:
runAsUser: 0
runAsGroup: 0
allowPrivilegeEscalation: true
containers:
- name: puppetboard
image: ghcr.io/voxpupuli/puppetboard:7.0.1
@@ -160,11 +56,3 @@ spec:
capabilities:
drop:
- all
volumeMounts:
- name: puppetboard-certs
mountPath: /opt/puppetboard/ssl
readOnly: true
volumes:
- name: puppetboard-certs
persistentVolumeClaim:
claimName: puppetboard-certs
+17 -38
View File
@@ -59,16 +59,6 @@ spec:
secretKeyRef:
key: username
name: postgres-credentials
- name: OPENVOXDB_READ_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgres-read-credentials
- name: OPENVOXDB_READ_POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgres-read-credentials
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -88,17 +78,18 @@ spec:
volumeMounts:
- mountPath: /opt/puppetlabs/server/data/puppetdb
name: puppetdb-storage
- mountPath: /etc/puppetlabs/puppetdb/conf.d/read-database.conf
name: puppetdb-read-database-conf
subPath: read-database.conf
initContainers:
- name: create-log-dir
image: docker.io/busybox:1.37
command:
- sh
- -c
args:
- mkdir -p /opt/puppetlabs/server/data/puppetdb/logs && chown 999:999 /opt/puppetlabs/server/data/puppetdb/logs
volumeMounts:
- mountPath: /opt/puppetlabs/server/data/puppetdb
name: puppetdb-storage
securityContext:
runAsUser: 0
resources:
limits:
cpu: 20m
@@ -106,25 +97,18 @@ spec:
requests:
cpu: 20m
memory: 32Mi
securityContext:
runAsUser: 0
volumeMounts:
- mountPath: /opt/puppetlabs/server/data/puppetdb
name: puppetdb-storage
- name: pgchecker
image: docker.io/busybox:1.37
imagePullPolicy: IfNotPresent
command:
- command:
- sh
- -c
args:
- |
echo 'Waiting for PostgreSQL to become ready...'
until printf "." && nc -z -w 2 puppet-postgres-pooler 5432; do
sleep 2;
done;
echo 'PostgreSQL OK ✓'
image: docker.io/busybox:1.37
imagePullPolicy: IfNotPresent
name: pgchecker
resources:
limits:
cpu: 20m
@@ -133,24 +117,22 @@ spec:
cpu: 20m
memory: 32Mi
securityContext:
runAsUser: 1000
allowPrivilegeEscalation: false
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
- name: wait-puppetserver
image: curlimages/curl:8.11.1
imagePullPolicy: IfNotPresent
command:
runAsUser: 1000
- command:
- sh
- -c
args:
- |
echo 'Waiting for puppetserver to become ready...'
until printf "." && curl --silent --fail --insecure 'https://puppetca:8140/status/v1/simple' | grep -q '^running$'; do
sleep 2;
done;
echo 'Puppetserver OK ✓'
image: curlimages/curl:8.11.1
imagePullPolicy: IfNotPresent
name: wait-puppetserver
resources:
limits:
cpu: 20m
@@ -159,14 +141,11 @@ spec:
cpu: 20m
memory: 32Mi
securityContext:
runAsUser: 1000
allowPrivilegeEscalation: false
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
runAsUser: 1000
volumes:
- name: puppetdb-storage
persistentVolumeClaim:
claimName: puppetserver-puppetdb-claim
- name: puppetdb-read-database-conf
configMap:
name: puppetdb-read-database-conf
@@ -93,34 +93,28 @@ spec:
- mountPath: /var/lib/puppet/keys/
name: eyaml-keys
readOnly: true
- mountPath: /opt/bin/
name: puppet-shared-bins
- mountPath: /opt/vault-ca-cert.crt
name: vault-ca-cert
subPath: ca.crt
initContainers:
- name: perms-and-dirs
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
- args:
- mkdir -p /etc/puppetlabs/puppet/eyaml/keys;
cp /tmp/puppet/configmap/check_for_masters.sh /etc/puppetlabs/puppet/check_for_masters.sh;
chown puppet:puppet /etc/puppetlabs/puppet/check_for_masters.sh;
chmod +x /etc/puppetlabs/puppet/check_for_masters.sh;
bash /etc/puppetlabs/puppet/check_for_masters.sh;
mkdir -p /etc/puppetlabs/code/environments;
mkdir -p /etc/puppetlabs/puppet/manifests;
chown -R puppet:puppet /etc/puppetlabs;
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/;
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde;
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/;
command:
- sh
- -c
args:
- |
mkdir -p /etc/puppetlabs/puppet/eyaml/keys
cp /tmp/puppet/configmap/check_for_masters.sh /etc/puppetlabs/puppet/check_for_masters.sh
chown puppet:puppet /etc/puppetlabs/puppet/check_for_masters.sh
chmod +x /etc/puppetlabs/puppet/check_for_masters.sh
bash /etc/puppetlabs/puppet/check_for_masters.sh
mkdir -p /etc/puppetlabs/code/environments
mkdir -p /etc/puppetlabs/puppet/manifests
chown -R puppet:puppet /etc/puppetlabs
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/
envFrom:
- configMapRef:
name: puppetserver-init-config
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
name: perms-and-dirs
resources:
limits:
cpu: 300m
@@ -129,8 +123,6 @@ spec:
cpu: 200m
memory: 128Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- CAP_CHOWN
@@ -147,6 +139,8 @@ spec:
- FOWNER
drop:
- all
runAsNonRoot: false
runAsUser: 0
volumeMounts:
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-storage
@@ -169,9 +163,3 @@ spec:
secret:
secretName: eyaml-keys
defaultMode: 0600
- name: puppet-shared-bins
persistentVolumeClaim:
claimName: puppet-shared-bins
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
@@ -11,7 +11,7 @@ metadata:
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
kind: StatefulSet
name: puppetserver-compiler
minReplicas: 2
maxReplicas: 5
+2 -8
View File
@@ -6,9 +6,7 @@ metadata:
kubernetes.io/ingress.class: nginx
external-dns.alpha.kubernetes.io/hostname: puppetdb.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: puppetdb.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
@@ -25,10 +23,6 @@ spec:
service:
name: puppetdb
port:
number: 8080
number: 8081
path: /
pathType: Prefix
tls:
- hosts:
- puppetdb.k8s.syd1.au.unkin.net
secretName: puppetdb-tls
+1 -30
View File
@@ -7,13 +7,11 @@ resources:
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- cronjob_g10k-code.yaml
- cronjob_generate-types.yaml
- persistentvolumeclaims.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- configmap_puppetboard-config.yaml
- configmap_puppetdb-config.yaml
- configmap_puppetdb-read-database.yaml
- configmap_puppetserver-compiler-config.yaml
- configmap_puppetserver-init-config.yaml
- configmap_puppetserver-init-masters-config.yaml
@@ -33,31 +31,4 @@ resources:
- service_puppetca.yaml
- service_puppetboard.yaml
- service_puppetdb.yaml
- deployment_puppetserver-compiler.yaml
configMapGenerator:
- name: compiler-autosign.conf
files:
- resources/compiler/autosign.conf
options:
disableNameSuffixHash: true
- name: compiler-puppet.conf
files:
- resources/compiler/puppet.conf
options:
disableNameSuffixHash: true
- name: compiler-puppetdb.conf
files:
- resources/compiler/puppetdb.conf
options:
disableNameSuffixHash: true
- name: puppet-cobbler-enc
files:
- resources/cobbler-enc
options:
disableNameSuffixHash: true
- name: additional-ruby-gems
files:
- resources/additional-ruby-gems.sh
options:
disableNameSuffixHash: true
- statefulset_puppetserver-compiler.yaml
+4 -40
View File
@@ -75,52 +75,16 @@ apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/component: r10k-shared-config
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetboard-certs
name: puppetserver-shared-config
namespace: puppet
spec:
accessModes:
- ReadWriteMany
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: cephfs-raid6-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-compiler-config-shared
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: cephfs-raid6-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppet-shared-bins
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 0.9.20
name: puppet-shared-bins
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: cephfs-raid6-delete
storageClassName: cephrbd-fast-delete
@@ -1,9 +0,0 @@
#!/bin/bash
set -e
echo "Installing additional Ruby gems..."
/opt/puppetlabs/puppet/bin/gem install deep_merge
/opt/puppetlabs/puppet/bin/gem install ipaddr
/opt/puppetlabs/puppet/bin/gem install hiera-eyaml
/opt/puppetlabs/puppet/bin/gem install toml
echo "Additional Ruby gems installed successfully"
-50
View File
@@ -1,50 +0,0 @@
#!/usr/bin/env -S /opt/bin/uv run --quiet --cache-dir /opt/bin/.cache/uv --script
# /// script
# requires-python = ">=3.11"
# dependencies = ['pyyaml','requests']
# ///
"""
External Node Classifier (ENC) for Puppet.
If the environment specified in the YAML file is 'testing',
the environment is not included in the output.
"""
import sys
import yaml
import requests
def fetch_enc_data(cobbler_url: str, hostname: str) -> str:
"""
Fetches and modifies ENC data from a given URL to ensure classes are in list format.
"""
url = f"{cobbler_url}/cblr/svc/op/puppet/hostname/{hostname}"
try:
response = requests.get(url, verify='/opt/vault-ca-cert.crt')
response.raise_for_status()
except requests.RequestException as e:
sys.exit(f"Request failed: {e}")
data = yaml.safe_load(response.text)
data["parameters"] = data.get("parameters", {})
# Ensure 'classes' is in the desired list format
if "classes" in data:
if isinstance(data["classes"], dict):
data["parameters"]["enc_role"] = list(data["classes"].keys())
data["classes"] = list(data["classes"].keys())
else:
data["parameters"]["enc_role"] = list(data["classes"])
data["classes"] = list(data["classes"])
if "environment" in data:
data["parameters"]["enc_env"] = data["environment"]
if data["environment"] == "testing":
del data["environment"]
return yaml.dump(data)
if __name__ == "__main__":
if len(sys.argv) != 2:
sys.exit(f"Usage: {sys.argv[0]} <hostname>")
print(fetch_enc_data("https://cobbler.main.unkin.net", sys.argv[1]))
@@ -1,15 +0,0 @@
# Autosign all nodes from these subnets
198.18.13.0/24
198.18.14.0/24
198.18.15.0/24
198.18.16.0/24
198.18.17.0/24
198.18.20.0/24
198.18.24.0/24
198.18.25.0/24
198.18.26.0/24
198.18.27.0/24
198.18.28.0/24
198.18.29.0/24
# Autosign all nodes from these domains
*.main.unkin.net
@@ -1,23 +0,0 @@
[main]
server = puppetserver-compiler
serverport = 8140
dns_alt_names = puppetserver-compiler,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net
codedir = /etc/puppetlabs/code
environmentpath = /etc/puppetlabs/code/environments
[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
node_terminus = exec
external_nodes = /opt/bin/cobbler-enc
autosign = /etc/puppetlabs/puppet/autosign.conf
storeconfigs = true
storeconfigs_backend = puppetdb
reports = puppetdb
usecacheonfailure = false
[user]
default_manifest = /etc/puppetlabs/code/environments/develop/manifests
default_environment = develop
@@ -1,3 +0,0 @@
[main]
server_urls = https://puppetdb.k8s.syd1.au.unkin.net
soft_write_failure = true
+1 -2
View File
@@ -1,12 +1,11 @@
apiVersion: v1
kind: Service
metadata:
annotations:
labels:
external-dns.alpha.kubernetes.io/hostname: puppet.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.3
purelb.io/addresses: 198.18.200.3
purelb.io/service-group: common
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
+1 -2
View File
@@ -1,12 +1,11 @@
apiVersion: v1
kind: Service
metadata:
annotations:
labels:
external-dns.alpha.kubernetes.io/hostname: puppetca.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.2
purelb.io/addresses: 198.18.200.2
purelb.io/service-group: common
labels:
app.kubernetes.io/component: puppetserver-master
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
@@ -1,5 +1,5 @@
apiVersion: apps/v1
kind: Deployment
kind: StatefulSet
metadata:
annotations:
reloader.stakater.com/auto: "true"
@@ -11,10 +11,12 @@ metadata:
name: puppetserver-compiler
namespace: puppet
spec:
podManagementPolicy: OrderedReady
selector:
matchLabels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/name: puppetserver
serviceName: puppet-headless
template:
metadata:
labels:
@@ -39,14 +41,26 @@ spec:
ports:
- containerPort: 8140
name: puppetserver
envFrom:
- configMapRef:
name: puppetserver-compiler-config
envFrom: null
env:
- name: OPENVOXSERVER_HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPENVOXSERVER_PORT
value: "8140"
- name: DNS_ALT_NAMES
value: puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net
- name: OPENVOXDB_SERVER_URLS
value: https://puppetdb:8081
- name: CA_ENABLED
value: "false"
- name: CA_HOSTNAME
value: puppetca
- name: CA_PORT
value: "8140"
- name: PUPPETSERVER_JAVA_ARGS
value: -Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false
livenessProbe:
failureThreshold: 3
periodSeconds: 30
@@ -94,60 +108,26 @@ spec:
- mountPath: /var/lib/puppet/keys/
name: eyaml-keys
readOnly: true
- mountPath: /opt/bin/
name: puppet-shared-bins
- mountPath: /opt/vault-ca-cert.crt
name: vault-ca-cert
subPath: ca.crt
- mountPath: /docker-custom-entrypoint.d/post-startup/additional-ruby-gems.sh
name: additional-ruby-gems
subPath: additional-ruby-gems.sh
initContainers:
- name: copy-configmaps
image: busybox:1.35
- args:
- mkdir -p /etc/puppetlabs/puppet/eyaml/keys;
mkdir -p /etc/puppetlabs/code/environments;
mkdir -p /etc/puppetlabs/puppet/manifests;
chown -R puppet:puppet /etc/puppetlabs;
chown puppet:puppet /etc/puppetlabs/puppet/r10k.yaml;
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/;
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde;
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/;
command:
- sh
- -c
args:
- |
echo "Copying configmap files to shared volume..."
mkdir -p /etc/puppetlabs/puppet
cp /configmaps/puppet.conf /etc/puppetlabs/puppet/puppet.conf
cp /configmaps/puppetdb.conf /etc/puppetlabs/puppet/puppetdb.conf
cp /configmaps/autosign.conf /etc/puppetlabs/puppet/autosign.conf
echo "Configmap files copied successfully"
volumeMounts:
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
- mountPath: /configmaps/puppet.conf
name: compiler-puppet-conf
subPath: puppet.conf
- mountPath: /configmaps/puppetdb.conf
name: compiler-puppetdb-conf
subPath: puppetdb.conf
- mountPath: /configmaps/autosign.conf
name: compiler-autosign-conf
subPath: autosign.conf
- name: perms-and-dirs
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
mkdir -p /etc/puppetlabs/puppet/eyaml/keys
mkdir -p /etc/puppetlabs/code/environments
mkdir -p /etc/puppetlabs/puppet/manifests
chown -R puppet:puppet /etc/puppetlabs
chown puppet:puppet /etc/puppetlabs/puppet/r10k.yaml
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/
env:
- name: PUPPETSERVER_JAVA_ARGS
value: -Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false
envFrom: null
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
name: perms-and-dirs
resources:
limits:
cpu: 300m
@@ -156,8 +136,6 @@ spec:
cpu: 200m
memory: 128Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- CAP_CHOWN
@@ -174,75 +152,33 @@ spec:
- FOWNER
drop:
- all
runAsNonRoot: false
runAsUser: 0
volumeMounts:
- mountPath: /etc/puppetlabs/code/
name: puppet-code-volume
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
- name: setup-shared-bins
image: git.unkin.net/unkin/almalinux9-base:20260308
command:
- sh
- -c
args:
- |
echo "Setting up shared binaries..."
mkdir -p /opt/bin
mkdir -p /opt/bin/.cache/uv
# Copy cobbler to shared bin volume
cp /configmaps/cobbler-enc /opt/bin/cobbler-enc
chmod +x /opt/bin/cobbler-enc
# Install uv to shared bin volume
cd /tmp
wget -O uv-x86_64-unknown-linux-gnu.tar.gz https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/astral-sh/uv/releases/download/0.9.20/uv-x86_64-unknown-linux-gnu.tar.gz
tar xf uv-x86_64-unknown-linux-gnu.tar.gz
cp uv-x86_64-unknown-linux-gnu/uv /opt/bin/uv
chmod +x /opt/bin/uv
echo "Shared binaries setup completed"
volumeMounts:
- mountPath: /opt/bin/
name: puppet-shared-bins
- mountPath: /configmaps/cobbler-enc
name: puppet-cobbler-enc
subPath: cobbler-enc
securityContext:
fsGroup: 999
volumes:
- name: puppet-code-volume
persistentVolumeClaim:
claimName: puppetserver-code-shared
- name: puppet-puppet-volume
persistentVolumeClaim:
claimName: puppetserver-compiler-config-shared
- name: eyaml-keys
secret:
secretName: eyaml-keys
defaultMode: 0600
- name: compiler-puppet-conf
configMap:
name: compiler-puppet.conf
- name: compiler-puppetdb-conf
configMap:
name: compiler-puppetdb.conf
- name: compiler-autosign-conf
configMap:
name: compiler-autosign.conf
- name: puppet-cobbler-enc
configMap:
name: puppet-cobbler-enc
- name: puppet-shared-bins
persistentVolumeClaim:
claimName: puppet-shared-bins
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
- name: additional-ruby-gems
configMap:
name: additional-ruby-gems
defaultMode: 0755
strategy:
updateStrategy:
type: RollingUpdate
volumeClaimTemplates:
- metadata:
annotations: null
name: puppet-puppet-volume
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: cephrbd-fast-delete
-17
View File
@@ -35,23 +35,6 @@ spec:
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-read-credentials
namespace: puppet
spec:
destination:
create: true
name: postgres-read-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/puppet/default/postgres-read-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: eyaml-keys
namespace: puppet

Some files were not shown because too many files have changed in this diff Show More