Compare commits

..

1 Commits

Author SHA1 Message Date
unkinben da548a227c fix: external access to puppetdb (#53)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
- use vault cert for puppetdb ingress

Reviewed-on: #53
2026-03-19 23:31:43 +11:00
106 changed files with 533 additions and 2807 deletions
-10
View File
@@ -6,13 +6,3 @@ steps:
image: git.unkin.net/unkin/almalinux9-kubetest:20260319 image: git.unkin.net/unkin/almalinux9-kubetest:20260319
commands: commands:
- make kubeconform - make kubeconform
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
-10
View File
@@ -6,13 +6,3 @@ steps:
image: git.unkin.net/unkin/almalinux9-base:20260308 image: git.unkin.net/unkin/almalinux9-base:20260308
commands: commands:
- uvx pre-commit run --all-files - uvx pre-commit run --all-files
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 256Mi
cpu: 250m
limits:
memory: 1Gi
cpu: 1
@@ -19,8 +19,8 @@ spec:
automountServiceAccountToken: true automountServiceAccountToken: true
containers: containers:
- name: artifactapi - name: artifactapi
image: git.unkin.net/unkin/artifactapi:v2.7.1 image: git.unkin.net/unkin/almalinux9-artifactapi:latest
imagePullPolicy: IfNotPresent imagePullPolicy: Always
ports: ports:
- containerPort: 8000 - containerPort: 8000
name: http name: http
@@ -60,30 +60,10 @@ spec:
cpu: 100m cpu: 100m
memory: 256Mi memory: 256Mi
volumeMounts: volumeMounts:
- mountPath: /etc/artifactapi/conf.d/config.yaml - mountPath: /app/remotes.yaml
mountPropagation: None
name: remotes-config name: remotes-config
subPath: config.yaml subPath: remotes.yaml
- mountPath: /etc/artifactapi/conf.d/local-generic.yaml
name: remotes-config
subPath: local-generic.yaml
- mountPath: /etc/artifactapi/conf.d/remote-alpine.yaml
name: remotes-config
subPath: remote-alpine.yaml
- mountPath: /etc/artifactapi/conf.d/remote-docker.yaml
name: remotes-config
subPath: remote-docker.yaml
- mountPath: /etc/artifactapi/conf.d/remote-generic.yaml
name: remotes-config
subPath: remote-generic.yaml
- mountPath: /etc/artifactapi/conf.d/remote-helm.yaml
name: remotes-config
subPath: remote-helm.yaml
- mountPath: /etc/artifactapi/conf.d/remote-rpm.yaml
name: remotes-config
subPath: remote-rpm.yaml
- mountPath: /etc/artifactapi/conf.d/virtual-helm.yaml
name: remotes-config
subPath: virtual-helm.yaml
restartPolicy: Always restartPolicy: Always
volumes: volumes:
- configMap: - configMap:
+1 -1
View File
@@ -5,7 +5,7 @@ metadata:
name: artifactapi-env name: artifactapi-env
namespace: artifactapi namespace: artifactapi
data: data:
CONFIG_PATH: /etc/artifactapi/conf.d/ CONFIG_PATH: /app/remotes.yaml
DBHOST: postgres-service DBHOST: postgres-service
DBNAME: artifacts DBNAME: artifacts
DBPORT: "5432" DBPORT: "5432"
+1 -8
View File
@@ -18,13 +18,6 @@ resources:
configMapGenerator: configMapGenerator:
- name: remotes-config - name: remotes-config
files: files:
- resources/conf.d/config.yaml - resources/remotes.yaml
- resources/conf.d/local-generic.yaml
- resources/conf.d/remote-generic.yaml
- resources/conf.d/remote-alpine.yaml
- resources/conf.d/remote-rpm.yaml
- resources/conf.d/remote-docker.yaml
- resources/conf.d/remote-helm.yaml
- resources/conf.d/virtual-helm.yaml
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
@@ -1,3 +0,0 @@
# Global artifactapi configuration.
# S3, Redis, and database connection settings are injected via environment variables.
# Add any top-level overrides here if needed.
@@ -1,7 +0,0 @@
locals:
local-generic:
package: "generic"
description: "Local generic file repository"
cache:
immutable_ttl: 0
mutable_ttl: 0
@@ -1,10 +0,0 @@
remotes:
alpine:
base_url: "https://dl-cdn.alpinelinux.org"
package: "alpine"
description: "Alpine Linux APK package repository"
immutable_patterns:
- ".*/x86_64/.*\\.apk$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
@@ -1,92 +0,0 @@
remotes:
ghcr:
base_url: "https://ghcr.io"
package: "docker"
description: "GitHub Container Registry"
immutable_patterns:
- "^cloudnative-pg/cloudnative-pg"
- "^emberstack/helm-charts"
- "^openvoxproject/"
- "^stakater/reloader"
- "^voxpupuli/puppetboard"
- "^woodpecker-ci/helm"
cache:
immutable_ttl: 0
mutable_ttl: 300
dockerhub:
base_url: "https://registry-1.docker.io"
package: "docker"
description: "Docker Hub registry"
immutable_patterns:
- "^library/busybox"
- "^library/nginx"
- "^library/postgres"
- "^library/redis"
- "^beats/filebeat"
- "^bitnami/"
- "^curlimages/curl"
- "^emberstack/kubernetes-reflector"
- "^hashicorp/vault-secrets-operator"
- "^jfrog/"
- "^rancher/"
- "^ubi9/ubi-minimal"
- "^victoriametrics/"
- "^woodpeckerci/"
cache:
immutable_ttl: 0
mutable_ttl: 300
quay:
base_url: "https://quay.io"
package: "docker"
description: "Quay.io container registry"
immutable_patterns:
- "^brancz/kube-rbac-proxy"
- "^cephcsi/cephcsi"
- "^jetstack/cert-manager-"
cache:
immutable_ttl: 0
mutable_ttl: 300
k8s-registry:
base_url: "https://registry.k8s.io"
package: "docker"
description: "Kubernetes container registry"
immutable_patterns:
- "^external-dns/external-dns"
- "^sig-storage/"
cache:
immutable_ttl: 0
mutable_ttl: 300
gitlab:
base_url: "https://registry.gitlab.com"
package: "docker"
description: "GitLab container registry"
immutable_patterns:
- "^purelb/purelb"
cache:
immutable_ttl: 0
mutable_ttl: 300
elastic:
base_url: "https://docker.elastic.co"
package: "docker"
description: "Elastic container registry"
immutable_patterns:
- "^eck/eck-operator"
cache:
immutable_ttl: 0
mutable_ttl: 300
gcr:
base_url: "https://gcr.io"
package: "docker"
description: "Google Container Registry"
immutable_patterns:
- "^k8s-staging-nfd/charts"
- "^k8s-staging-nfd/node-feature-discovery"
cache:
immutable_ttl: 0
mutable_ttl: 300
@@ -1,126 +0,0 @@
remotes:
github:
base_url: "https://github.com"
package: "generic"
description: "GitHub releases and files"
mutable_patterns:
- ".*/archive/refs/heads/.*.tar.gz$"
immutable_patterns:
- ".*/archive/refs/tags/.*.tar.gz$"
- "ahmetb/kubectx/.*/kubectx_.*_linux_x86_64.tar.gz$"
- "ahmetb/kubectx/.*/kubens_.*_linux_x86_64.tar.gz$"
- "apple/foundationdb/.*/libfdb_c.x86_64.so$"
- "astral-sh/ruff/.*/ruff-x86_64-unknown-linux-gnu.tar.gz$"
- "astral-sh/uv/.*/uv-x86_64-unknown-linux-gnu.tar.gz$"
- "camptocamp/prometheus-puppetdb-exporter/.*/prometheus-puppetdb-exporter-.*.linux-amd64.tar.gz$"
- "coder/code-server/.*/code-server-.*-amd64.rpm$"
- "containernetworking/plugins/.*/cni-plugins-linux-amd64-.*.tgz"
- "dandavison/delta/.*/delta-.*-x86_64-unknown-linux-musl.tar.gz$"
- "ducaale/xh/.*/xh-.*-x86_64-unknown-linux-musl.tar.gz$"
- "etcd-io/etcd/.*/etcd-.*-linux-amd64.tar.gz$"
- "getsops/sops/.*/sops-v.*\\.linux\\.amd64$"
- "grafana/jsonnet-language-server/.*/jsonnet-language-server_.*_linux_amd64$"
- "gruntwork-io/boilerplate/.*/boilerplate_linux_amd64$"
- "gruntwork-io/terragrunt/.*terragrunt_linux_amd64.*"
- "hadolint/hadolint/.*/hadolint-linux-x86_64$"
- "helmfile/helmfile/.*/helmfile_.*_linux_amd64.tar.gz$"
- "helmfile/vals/.*/vals_.*_linux_amd64.tar.gz$"
- "jesseduffield/lazydocker/.*/lazydocker_.*_Linux_x86_64.tar.gz$"
- "lxc/incus/.*.tar.gz$"
- "mikefarah/yq/.*/yq_linux_amd64$"
- "neovim/neovim-releases/.*/nvim-linux-x86_64.tar.gz$"
- "neovim/neovim/.*/nvim-linux-x86_64.tar.gz$"
- "nzbgetcom/nzbget/.*/nzbget-.*.x86_64.rpm$"
- "onedr0p/exportarr/.*/exportarr_.*_linux_amd64.tar.gz$"
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-consul_linux_amd64_.*.tar.gz$"
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-nomad_linux_amd64_.*.tar.gz$"
- "prometheus-community/bind_exporter/.*/bind_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/pgbouncer_exporter/.*/pgbouncer_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/postgres_exporter/.*/postgres_exporter-.*.linux-amd64.tar.gz$"
- "prometheus/node_exporter/.*/node_exporter-.*.linux-amd64.tar.gz$"
- "rancher/rke2/.*/rke2-images.linux-amd64.tar.zst$"
- "stalwartlabs/stalwart/.*/stalwart-cli-x86_64-unknown-linux-gnu.tar.gz$"
- "stalwartlabs/stalwart/.*/stalwart-foundationdb-x86_64-unknown-linux-gnu.tar.gz$"
- "stalwartlabs/stalwart/.*/stalwart-x86_64-unknown-linux-gnu.tar.gz$"
- "starship/starship/.*/starship-x86_64-unknown-linux-musl.tar.gz$"
- "stern/stern/.*/stern_.*_linux_amd64.tar.gz$"
- "terraform-linters/tflint/.*/tflint_linux_amd64.zip$"
- "tynany/frr_exporter/.*/frr_exporter-.*.linux-amd64.tar.gz$"
- "VictoriaMetrics/VictoriaLogs/.*/victoria-logs-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaLogs/.*/vlutils-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-logs-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-metrics-linux-amd64-.*-cluster.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/vlutils-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/vmutils-linux-amd64-.*.tar.gz$"
- "xorpaul/g10k/.*/g10k-.*-linux-amd64.zip$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
github_user:
base_url: "https://raw.githubusercontent.com"
package: "generic"
description: "GitHub User Content"
immutable_patterns:
- "argoproj/argo-cd/.*.yaml$"
- "yannh/kubernetes-json-schema/master/.*.json$"
- "datreeio/CRDs-catalog/main/.*.json$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
gitea-dl:
base_url: "https://dl.gitea.com"
package: "generic"
description: "Gitea download site"
immutable_patterns:
- "act_runner/.*/act_runner-.*-linux-amd64$"
- "tea/.*/tea-.*-linux-amd64$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
hashicorp-releases:
base_url: "https://releases.hashicorp.com"
package: "generic"
description: "HashiCorp product releases"
immutable_patterns:
- "terraform/.*terraform_.*_linux_amd64\\.zip$"
- "terraform/.*terraform_.*_windows_amd64\\.zip$"
- "terraform/.*terraform_.*_darwin_amd64\\.zip$"
- "vault/.*vault_.*_linux_amd64\\.zip$"
- "vault/.*vault_.*_windows_amd64\\.zip$"
- "vault/.*vault_.*_darwin_amd64\\.zip$"
- "consul-cni/.*/consul-cni_.*_linux_amd64\\.zip$"
- "consul/.*/consul_.*_linux_amd64\\.zip$"
- "nomad-autoscaler/.*/nomad-autoscaler_.*_linux_amd64\\.zip$"
- "nomad/.*/nomad_.*_linux_amd64\\.zip$"
- "packer/.*/packer_.*_linux_amd64\\.zip$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
rarlab:
base_url: "https://www.rarlab.com"
package: "generic"
description: "RARLab"
immutable_patterns:
- "rar/rarlinux-x64-.*.tar.gz"
cache:
immutable_ttl: 0
mutable_ttl: 7200
claude-ai:
base_url: "https://downloads.claude.ai"
package: "generic"
description: "Anthropic Claude Code binary releases"
mutable_patterns:
- "claude-code-releases/.*/manifest.json$"
immutable_patterns:
- "claude-code-releases/.*/linux-x64/claude$"
- "claude-code-releases/.*/linux-arm64/claude$"
- "claude-code-releases/.*/linux-x64-musl/claude$"
- "claude-code-releases/.*/linux-arm64-musl/claude$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
@@ -1,121 +0,0 @@
remotes:
ceph-csi:
base_url: "https://ceph.github.io/csi-charts"
package: "helm"
description: "Ceph CSI driver Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
cnpg:
base_url: "https://cloudnative-pg.github.io/charts"
package: "helm"
description: "CloudNativePG operator Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
elastic-helm:
base_url: "https://helm.elastic.co"
package: "helm"
description: "Elastic stack Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
external-dns:
base_url: "https://kubernetes-sigs.github.io/external-dns/"
package: "helm"
description: "ExternalDNS Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
hashicorp-helm:
base_url: "https://helm.releases.hashicorp.com"
package: "helm"
description: "HashiCorp Helm charts (Vault Secrets Operator, etc.)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
intel-helm:
base_url: "https://intel.github.io/helm-charts/"
package: "helm"
description: "Intel Helm charts (device plugins)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
jetstack:
base_url: "https://charts.jetstack.io"
package: "helm"
description: "Jetstack Helm charts (cert-manager)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
purelb:
base_url: "https://gitlab.com/api/v4/projects/20400619/packages/helm/stable"
package: "helm"
description: "PureLB load balancer Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
rancher-stable:
base_url: "https://releases.rancher.com/server-charts/stable"
package: "helm"
description: "Rancher stable Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
stakater:
base_url: "https://stakater.github.io/stakater-charts"
package: "helm"
description: "Stakater Helm charts (Reloader)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
victoriametrics:
base_url: "https://victoriametrics.github.io/helm-charts/"
package: "helm"
description: "VictoriaMetrics observability Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
@@ -1,154 +0,0 @@
remotes:
almalinux:
base_url: "https://gsl-syd.mm.fcix.net/almalinux"
package: "rpm"
description: "AlmaLinux RPM package repository"
immutable_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.sqlite.*$"
- ".*/repodata/.*\\.xml.*$"
- ".*/repodata/.*\\.yaml.*$"
- ".*/install.img"
- ".*/squashfs.img"
- ".*/updates.img"
- ".*/RPM-GPG-KEY-.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
ceph-reef:
base_url: "https://download.ceph.com/rpm-reef/"
package: "rpm"
description: "Ceph Reef 18"
immutable_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
ceph-squid:
base_url: "https://download.ceph.com/rpm-squid/"
package: "rpm"
description: "Ceph Squid 19"
immutable_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
ceph-tentacle:
base_url: "https://download.ceph.com/rpm-tentacle/"
package: "rpm"
description: "Ceph Tentacle 20"
immutable_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
epel:
base_url: "https://gsl-syd.mm.fcix.net/epel"
package: "rpm"
description: "EPEL (Extra Packages for Enterprise Linux)"
immutable_patterns:
- ".*/Everything/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.sqlite.*$"
- ".*/repodata/.*\\.xml.*$"
- ".*/repodata/.*\\.yaml.*$"
- "RPM-GPG-KEY-.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
fedora:
base_url: "https://gsl-syd.mm.fcix.net/fedora/linux"
package: "rpm"
description: "Fedora Linux RPM package repository"
immutable_patterns:
- "releases/.*/Everything/x86_64/.*\\.rpm$"
- "updates/.*/Everything/x86_64/.*\\.rpm$"
- "development/.*/Everything/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
frr:
base_url: "https://rpm.frrouting.org/repo"
package: "rpm"
description: "FRR RPM package repository"
immutable_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
mariadb:
base_url: "http://mariadb.mirror.digitalpacific.com.au/yum"
package: "rpm"
description: "MariaDB RPM package repository"
immutable_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- ".*/RPM-GPG-KEY-.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
openvox:
base_url: "https://yum.voxpupuli.org"
package: "rpm"
description: "OpenVox RPM package repository"
immutable_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- "GPG-KEY-.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
postgresql:
base_url: "https://download.postgresql.org/pub/repos/yum"
package: "rpm"
description: "PostgreSQL RPM package repository"
immutable_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- ".*/RPM-GPG-KEY-.*$"
- ".*/PGDG-RPM-GPG-KEY-.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
rke2:
base_url: "https://rpm.rancher.io"
package: "rpm"
description: "RKE2 RPM package repository"
immutable_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- "public.key$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
zfs:
base_url: "http://download.zfsonlinux.org"
package: "rpm"
description: "ZFS RPM package repository"
immutable_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
@@ -1,16 +0,0 @@
virtuals:
helm:
package: "helm"
description: "Virtual repository merging all helm remotes — member order is priority order for duplicate chart+version"
members:
- ceph-csi
- cnpg
- elastic-helm
- external-dns
- hashicorp-helm
- intel-helm
- jetstack
- purelb
- rancher-stable
- stakater
- victoriametrics
@@ -0,0 +1,286 @@
remotes:
github:
base_url: "https://github.com"
type: "remote"
package: "generic"
description: "GitHub releases and files"
include_patterns:
- "apple/foundationdb/.*/libfdb_c.x86_64.so$"
- "astral-sh/ruff/.*/ruff-x86_64-unknown-linux-gnu.tar.gz$"
- "astral-sh/uv/.*/uv-x86_64-unknown-linux-gnu.tar.gz$"
- "camptocamp/prometheus-puppetdb-exporter/.*/prometheus-puppetdb-exporter-.*.linux-amd64.tar.gz$"
- "containernetworking/plugins/.*/cni-plugins-linux-amd64-.*.tgz"
- "ducaale/xh/.*/xh-.*-x86_64-unknown-linux-musl.tar.gz$"
- "etcd-io/etcd/.*/etcd-.*-linux-amd64.tar.gz$"
- "grafana/jsonnet-language-server/.*/jsonnet-language-server_.*_linux_amd64$"
- "gruntwork-io/boilerplate/.*/boilerplate_linux_amd64$"
- "gruntwork-io/terragrunt/.*terragrunt_linux_amd64.*"
- "helmfile/helmfile/.*/helmfile_.*_linux_amd64.tar.gz$"
- "helmfile/vals/.*/vals_.*_linux_amd64.tar.gz$"
- "lxc/incus/.*.tar.gz$"
- "nzbgetcom/nzbget/.*/nzbget-.*.x86_64.rpm$"
- "onedr0p/exportarr/.*/exportarr_.*_linux_amd64.tar.gz$"
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-consul_linux_amd64_.*.tar.gz$"
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-nomad_linux_amd64_.*.tar.gz$"
- "prometheus/node_exporter/.*/node_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/bind_exporter/.*/bind_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/pgbouncer_exporter/.*/pgbouncer_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/postgres_exporter/.*/postgres_exporter-.*.linux-amd64.tar.gz$"
- "rancher/rke2/.*/rke2-images.linux-amd64.tar.zst$"
- "stalwartlabs/stalwart/.*/stalwart-cli-x86_64-unknown-linux-gnu.tar.gz$"
- "stalwartlabs/stalwart/.*/stalwart-foundationdb-x86_64-unknown-linux-gnu.tar.gz$"
- "stalwartlabs/stalwart/.*/stalwart-x86_64-unknown-linux-gnu.tar.gz$"
- "terraform-linters/tflint/.*/tflint_linux_amd64.zip$"
- "tynany/frr_exporter/.*/frr_exporter-.*.linux-amd64.tar.gz$"
- "VictoriaMetrics/VictoriaLogs/.*/victoria-logs-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaLogs/.*/vlutils-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-logs-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-metrics-linux-amd64-.*-cluster.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/vlutils-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/vmutils-linux-amd64-.*.tar.gz$"
- "xorpaul/g10k/.*/g10k-.*-linux-amd64.zip$"
cache:
file_ttl: 0
index_ttl: 0
github_user:
base_url: "https://raw.githubusercontent.com"
type: "remote"
package: "generic"
description: "GitHub User Content"
include_patterns:
- "argoproj/argo-cd/.*.yaml$"
- "yannh/kubernetes-json-schema/master/.*.json$"
- "datreeio/CRDs-catalog/main/.*.json$"
cache:
file_ttl: 0
index_ttl: 0
gitea-dl:
base_url: "https://dl.gitea.com"
type: "remote"
package: "generic"
description: "Gitea download site"
include_patterns:
- "act_runner/.*/act_runner-.*-linux-amd64$"
cache:
file_ttl: 0
index_ttl: 0
hashicorp-releases:
base_url: "https://releases.hashicorp.com"
type: "remote"
package: "generic"
description: "HashiCorp product releases"
include_patterns:
- "terraform/.*terraform_.*_linux_amd64\\.zip$"
- "terraform/.*terraform_.*_windows_amd64\\.zip$"
- "terraform/.*terraform_.*_darwin_amd64\\.zip$"
- "vault/.*vault_.*_linux_amd64\\.zip$"
- "vault/.*vault_.*_windows_amd64\\.zip$"
- "vault/.*vault_.*_darwin_amd64\\.zip$"
- "consul-cni/.*/consul-cni_.*_linux_amd64\\.zip$"
- "consul/.*/consul_.*_linux_amd64\\.zip$"
- "nomad-autoscaler/.*/nomad-autoscaler_.*_linux_amd64\\.zip$"
- "nomad/.*/nomad_.*_linux_amd64\\.zip$"
- "packer/.*/packer_.*_linux_amd64\\.zip$"
cache:
file_ttl: 0
index_ttl: 0
rarlab:
base_url: "https://www.rarlab.com"
type: "remote"
package: "generic"
description: "RARLab"
include_patterns:
- "rar/rarlinux-x64-.*.tar.gz"
cache:
file_ttl: 0
index_ttl: 0
alpine:
base_url: "https://dl-cdn.alpinelinux.org"
type: "remote"
package: "alpine"
description: "Alpine Linux APK package repository"
include_patterns:
- ".*/x86_64/.*\\.apk$"
cache:
file_ttl: 0
index_ttl: 7200
almalinux:
base_url: "https://gsl-syd.mm.fcix.net/almalinux"
type: "remote"
package: "rpm"
description: "AlmaLinux RPM package repository"
include_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.sqlite.*$"
- ".*/repodata/.*\\.xml.*$"
- ".*/repodata/.*\\.yaml.*$"
- ".*/install.img"
- ".*/squashfs.img"
- ".*/updates.img"
- ".*/RPM-GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
ceph-reef:
base_url: "https://download.ceph.com/rpm-reef/"
type: "remote"
package: "rpm"
description: "Ceph Reef 18"
include_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
ceph-squid:
base_url: "https://download.ceph.com/rpm-squid/"
type: "remote"
package: "rpm"
description: "Ceph Squid 19"
include_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
ceph-tentacle:
base_url: "https://download.ceph.com/rpm-tentacle/"
type: "remote"
package: "rpm"
description: "Ceph Tentacle 20"
include_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
epel:
base_url: "https://gsl-syd.mm.fcix.net/epel"
type: "remote"
package: "rpm"
description: "EPEL (Extra Packages for Enterprise Linux)"
include_patterns:
- ".*/Everything/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.sqlite.*$"
- ".*/repodata/.*\\.xml.*$"
- ".*/repodata/.*\\.yaml.*$"
- "RPM-GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
fedora:
base_url: "https://gsl-syd.mm.fcix.net/fedora/linux"
type: "remote"
package: "rpm"
description: "Fedora Linux RPM package repository"
include_patterns:
- "releases/.*/Everything/x86_64/.*\\.rpm$"
- "updates/.*/Everything/x86_64/.*\\.rpm$"
- "development/.*/Everything/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
frr:
base_url: "https://rpm.frrouting.org/repo"
type: "remote"
package: "rpm"
description: "FRR RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
mariadb:
base_url: "http://mariadb.mirror.digitalpacific.com.au/yum"
type: "remote"
package: "rpm"
description: "MariaDB RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- ".*/RPM-GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
openvox:
base_url: "https://yum.voxpupuli.org"
type: "remote"
package: "rpm"
description: "OpenVox RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- "GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
postgresql:
base_url: "https://download.postgresql.org/pub/repos/yum"
type: "remote"
package: "rpm"
description: "PostgreSQL RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- ".*/RPM-GPG-KEY-.*$"
- ".*/PGDG-RPM-GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
rke2:
base_url: "https://rpm.rancher.io"
type: "remote"
package: "rpm"
description: "RKE2 RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- "public.key$"
cache:
file_ttl: 0
index_ttl: 7200
zfs:
base_url: "http://download.zfsonlinux.org"
type: "remote"
package: "rpm"
description: "ZFS RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
local-generic:
type: "local"
package: "generic"
description: "Local generic file repository"
cache:
file_ttl: 0
index_ttl: 0
-7
View File
@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: elastic-system
name: elastic-system
@@ -8,7 +8,6 @@ resources:
helmCharts: helmCharts:
- name: intel-device-plugins-operator - name: intel-device-plugins-operator
repo: https://intel.github.io/helm-charts/ repo: https://intel.github.io/helm-charts/
version: "0.35.0"
releaseName: intel-device-plugins-operator releaseName: intel-device-plugins-operator
namespace: inteldeviceplugins-system namespace: inteldeviceplugins-system
- name: intel-device-plugins-gpu - name: intel-device-plugins-gpu
@@ -2,4 +2,4 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: litellm name: jfrog
-91
View File
@@ -1,91 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: litellm-postgres
namespace: litellm
spec:
affinity:
podAntiAffinityType: preferred
bootstrap:
initdb:
database: litellm
encoding: UTF8
localeCType: C
localeCollate: C
owner: litellm
secret:
name: postgres-credentials
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
instances: 3
logLevel: info
maxSyncReplicas: 0
minSyncReplicas: 0
monitoring:
customQueriesConfigMap:
- key: queries
name: cnpg-default-monitoring
disableDefaultQueries: false
enablePodMonitor: false
postgresql:
parameters:
archive_mode: "on"
archive_timeout: 5min
dynamic_shared_memory_type: posix
effective_cache_size: 256MB
full_page_writes: "on"
log_destination: csvlog
log_directory: /controller/log
log_filename: postgres
log_rotation_age: "0"
log_rotation_size: "0"
log_truncate_on_rotation: "false"
logging_collector: "on"
max_connections: "200"
max_parallel_workers: "16"
max_replication_slots: "16"
max_worker_processes: "16"
shared_buffers: 128MB
shared_memory_type: mmap
ssl_max_protocol_version: TLSv1.3
ssl_min_protocol_version: TLSv1.3
wal_keep_size: 256MB
wal_level: logical
wal_log_hints: "on"
wal_receiver_timeout: 5s
wal_sender_timeout: 5s
syncReplicaElectionConstraint:
enabled: false
primaryUpdateMethod: restart
primaryUpdateStrategy: unsupervised
probes:
liveness:
isolationCheck:
connectionTimeout: 1000
enabled: true
requestTimeout: 1000
replicationSlots:
highAvailability:
enabled: true
slotPrefix: _cnpg_
synchronizeReplicas:
enabled: true
updateInterval: 30
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
smartShutdownTimeout: 180
startDelay: 3600
stopDelay: 1800
storage:
resizeInUseVolumes: true
size: 10Gi
storageClass: cephrbd-fast-delete
switchoverDelay: 3600
-33
View File
@@ -1,33 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: litellm-postgres-pooler
namespace: litellm
spec:
cluster:
name: litellm-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler
topologyKey: kubernetes.io/hostname
containers: []
type: rw
-67
View File
@@ -1,67 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: litellm
namespace: litellm
spec:
selector:
matchLabels:
app: litellm
template:
metadata:
labels:
app: litellm
spec:
containers:
- name: litellm
image: docker.litellm.ai/berriai/litellm-database:main-stable
imagePullPolicy: Always
args:
- --config
- /app/config.yaml
- --port
- "4000"
- --num_workers
- "8"
ports:
- containerPort: 4000
name: http
protocol: TCP
envFrom:
- secretRef:
name: litellm-credentials
livenessProbe:
httpGet:
path: /health/liveliness
port: 4000
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /health/readiness
port: 4000
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: "1"
memory: 2Gi
requests:
cpu: 250m
memory: 512Mi
volumeMounts:
- mountPath: /app/config.yaml
name: config
subPath: config.yaml
restartPolicy: Always
volumes:
- name: config
configMap:
name: litellm-config
-41
View File
@@ -1,41 +0,0 @@
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: litellm-hpa
namespace: litellm
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: litellm
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 30
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 10
periodSeconds: 60
- type: Pods
value: 2
periodSeconds: 60
-29
View File
@@ -1,29 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
external-dns.alpha.kubernetes.io/hostname: litellm.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: litellm.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
name: litellm
namespace: litellm
spec:
rules:
- host: litellm.k8s.syd1.au.unkin.net
http:
paths:
- backend:
service:
name: litellm
port:
number: 4000
path: /
pathType: Prefix
tls:
- hosts:
- litellm.k8s.syd1.au.unkin.net
secretName: litellm-tls
-23
View File
@@ -1,23 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- deployment.yaml
- hpa.yaml
- ingress.yaml
- namespace.yaml
- redis-deployment.yaml
- redis-pvc.yaml
- services.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
configMapGenerator:
- name: litellm-config
files:
- config.yaml=resources/config.yaml
options:
disableNameSuffixHash: true
-67
View File
@@ -1,67 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
namespace: litellm
spec:
replicas: 1
selector:
matchLabels:
app: redis
strategy:
type: Recreate
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: redis:7-alpine
imagePullPolicy: IfNotPresent
command:
- redis-server
- --save
- "20"
- "1"
ports:
- containerPort: 6379
name: redis
protocol: TCP
livenessProbe:
exec:
command:
- redis-cli
- ping
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
exec:
command:
- redis-cli
- ping
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
volumeMounts:
- mountPath: /data
mountPropagation: None
name: data
restartPolicy: Always
volumes:
- name: data
persistentVolumeClaim:
claimName: litellm-redis-data
-14
View File
@@ -1,14 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: litellm-redis-data
namespace: litellm
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: cephrbd-fast-delete
volumeMode: Filesystem
-15
View File
@@ -1,15 +0,0 @@
model_list: []
router_settings:
redis_host: redis-service
redis_port: 6379
general_settings:
use_redis_transaction_buffer: true
litellm_settings:
cache: true
cache_params:
type: redis
host: redis-service
port: 6379
-34
View File
@@ -1,34 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: litellm
namespace: litellm
spec:
internalTrafficPolicy: Cluster
ports:
- name: http
port: 4000
protocol: TCP
targetPort: http
selector:
app: litellm
sessionAffinity: None
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: redis-service
namespace: litellm
spec:
internalTrafficPolicy: Cluster
ports:
- name: redis
port: 6379
protocol: TCP
targetPort: redis
selector:
app: redis
sessionAffinity: None
type: ClusterIP
-18
View File
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: litellm
spec:
allowedNamespaces:
- litellm
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
-34
View File
@@ -1,34 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-credentials
namespace: litellm
spec:
destination:
create: true
name: postgres-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/litellm/default/postgres-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: litellm-credentials
namespace: litellm
spec:
destination:
create: true
name: litellm-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/litellm/default/litellm-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
-7
View File
@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: observability
name: observability
-18
View File
@@ -19,24 +19,6 @@ spec:
postInitApplicationSQL: postInitApplicationSQL:
- CREATE EXTENSION IF NOT EXISTS pg_trgm; - CREATE EXTENSION IF NOT EXISTS pg_trgm;
- CREATE EXTENSION IF NOT EXISTS pgcrypto; - CREATE EXTENSION IF NOT EXISTS pgcrypto;
- GRANT CONNECT ON DATABASE puppetdb TO puppetdb_read;
- GRANT USAGE ON SCHEMA public TO puppetdb_read;
- GRANT SELECT ON ALL TABLES IN SCHEMA public TO puppetdb_read;
- ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO puppetdb_read;
managed:
roles:
- name: puppetdb_read
ensure: present
comment: PuppetDB read-only database user
login: true
superuser: false
createdb: false
createrole: false
inherit: true
replication: false
connectionLimit: -1
passwordSecret:
name: postgres-read-credentials
enablePDB: true enablePDB: true
enableSuperuserAccess: false enableSuperuserAccess: false
failoverDelay: 0 failoverDelay: 0
-33
View File
@@ -31,36 +31,3 @@ spec:
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
containers: [] containers: []
type: rw type: rw
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: puppet-postgres-pooler-ro
namespace: puppet
spec:
cluster:
name: puppet-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler-ro
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler-ro
topologyKey: kubernetes.io/hostname
containers: []
type: ro
@@ -13,9 +13,9 @@ data:
PUPPETDB_HOST: "puppetdb" PUPPETDB_HOST: "puppetdb"
PUPPETDB_PORT: "8081" PUPPETDB_PORT: "8081"
PUPPETDB_SSL_VERIFY: "/opt/puppetboard/ssl/ca.pem" PUPPETDB_SSL_VERIFY: "/opt/puppetboard/ssl/ca.pem"
PUPPETDB_CERT: "/opt/puppetboard/ssl/puppetboard.pem"
PUPPETDB_KEY: "/opt/puppetboard/ssl/puppetboard.key" PUPPETDB_KEY: "/opt/puppetboard/ssl/puppetboard.key"
LOGLEVEL: "debug" PUPPETDB_CERT: "/opt/puppetboard/ssl/puppetboard.pem"
LOGLEVEL: "info"
PUPPETDB_TIMEOUT: "20" PUPPETDB_TIMEOUT: "20"
UNRESPONSIVE_HOURS: "3" UNRESPONSIVE_HOURS: "3"
ENABLE_CATALOG: "False" ENABLE_CATALOG: "False"
@@ -17,7 +17,4 @@ data:
OPENVOXDB_POSTGRES_HOSTNAME: "puppet-postgres-pooler" OPENVOXDB_POSTGRES_HOSTNAME: "puppet-postgres-pooler"
OPENVOXDB_POSTGRES_DATABASE: "puppetdb" OPENVOXDB_POSTGRES_DATABASE: "puppetdb"
OPENVOXDB_POSTGRES_PORT: "5432" OPENVOXDB_POSTGRES_PORT: "5432"
OPENVOXDB_READ_POSTGRES_HOSTNAME: "puppet-postgres-pooler-ro"
OPENVOXDB_READ_POSTGRES_DATABASE: "puppetdb"
OPENVOXDB_READ_POSTGRES_PORT: "5432"
PUPPETDB_JAVA_ARGS: "" PUPPETDB_JAVA_ARGS: ""
@@ -1,18 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetdb-read-database-conf
namespace: puppet
data:
read-database.conf: |
read-database: {
subname: "//"${OPENVOXDB_READ_POSTGRES_HOSTNAME}":"${OPENVOXDB_READ_POSTGRES_PORT}"/"${OPENVOXDB_READ_POSTGRES_DATABASE}
username: ${OPENVOXDB_READ_POSTGRES_USER}
password: ${OPENVOXDB_READ_POSTGRES_PASSWORD}
}
@@ -11,7 +11,7 @@ metadata:
namespace: puppet namespace: puppet
data: data:
OPENVOXSERVER_PORT: "8140" OPENVOXSERVER_PORT: "8140"
DNS_ALT_NAMES: "puppetserver-compiler,puppet,puppet.k8s.syd1.au.unkin.net" DNS_ALT_NAMES: "puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet,puppet.k8s.syd1.au.unkin.net"
OPENVOXDB_SERVER_URLS: "https://puppetdb:8081" OPENVOXDB_SERVER_URLS: "https://puppetdb:8081"
CA_ENABLED: "false" CA_ENABLED: "false"
CA_HOSTNAME: "puppetca" CA_HOSTNAME: "puppetca"
+41 -9
View File
@@ -26,6 +26,38 @@ spec:
spec: spec:
hostname: g10k-code hostname: g10k-code
imagePullSecrets: null imagePullSecrets: null
initContainers:
- name: fetch-config
image: alpine/git:latest
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 100m
memory: 128Mi
args:
- |
set -e
echo "Cloning r10k config repository..."
git clone https://git.unkin.net/unkin/puppet-r10k.git /tmp/config
cp /tmp/config/r10k.yaml /shared/r10k.yaml
echo "r10k.yaml fetched successfully"
command:
- /bin/sh
- -c
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /shared
name: shared-config
containers: containers:
- name: g10k-code - name: g10k-code
image: git.unkin.net/unkin/almalinux9-g10k:20260308 image: git.unkin.net/unkin/almalinux9-g10k:20260308
@@ -37,16 +69,11 @@ spec:
limits: limits:
cpu: 200m cpu: 200m
memory: 256Mi memory: 256Mi
command:
- /bin/sh
- -c
args: args:
- | - -config
set -e - /shared/r10k.yaml
echo "Cloning r10k config repository..." command:
git clone https://git.unkin.net/unkin/puppet-r10k.git /tmp/r10k-config - /usr/bin/g10k
echo "Running g10k..."
/usr/bin/g10k -config /tmp/r10k-config/r10k.yaml
envFrom: null envFrom: null
env: [] env: []
securityContext: securityContext:
@@ -60,6 +87,8 @@ spec:
volumeMounts: volumeMounts:
- mountPath: /etc/puppetlabs/code/ - mountPath: /etc/puppetlabs/code/
name: puppet-code-volume name: puppet-code-volume
- mountPath: /shared
name: shared-config
restartPolicy: OnFailure restartPolicy: OnFailure
securityContext: securityContext:
fsGroup: 999 fsGroup: 999
@@ -67,3 +96,6 @@ spec:
- name: puppet-code-volume - name: puppet-code-volume
persistentVolumeClaim: persistentVolumeClaim:
claimName: puppetserver-code-shared claimName: puppetserver-code-shared
- name: shared-config
persistentVolumeClaim:
claimName: puppetserver-shared-config
@@ -1,85 +0,0 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: generate-types
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: generate-types
namespace: puppet
spec:
schedule: "*/5 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app.kubernetes.io/component: generate-types
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
hostname: generate-types
imagePullSecrets: null
containers:
- name: generate-types
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
/opt/puppetlabs/puppet/bin/gem install deep_merge ipaddr hiera-eyaml toml
find /etc/puppetlabs/code/environments -mindepth 1 -maxdepth 1 -type d | while read -r envdir; do
env="$(basename "$envdir")"
echo "Generating types for $env"
puppet generate types --environment "$env"
done
env: []
resources:
limits:
cpu: 300m
memory: 1Gi
requests:
cpu: 200m
memory: 512Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- CAP_AUDIT_WRITE
- CAP_FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
- AUDIT_WRITE
- FOWNER
drop:
- all
volumeMounts:
- mountPath: /etc/puppetlabs/code/
name: puppet-code-volume
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
restartPolicy: OnFailure
securityContext:
fsGroup: 999
volumes:
- name: puppet-code-volume
persistentVolumeClaim:
claimName: puppetserver-code-shared
- name: puppet-puppet-volume
persistentVolumeClaim:
claimName: puppetserver-compiler-config-shared
+17 -38
View File
@@ -59,16 +59,6 @@ spec:
secretKeyRef: secretKeyRef:
key: username key: username
name: postgres-credentials name: postgres-credentials
- name: OPENVOXDB_READ_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgres-read-credentials
- name: OPENVOXDB_READ_POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgres-read-credentials
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
@@ -88,17 +78,18 @@ spec:
volumeMounts: volumeMounts:
- mountPath: /opt/puppetlabs/server/data/puppetdb - mountPath: /opt/puppetlabs/server/data/puppetdb
name: puppetdb-storage name: puppetdb-storage
- mountPath: /etc/puppetlabs/puppetdb/conf.d/read-database.conf
name: puppetdb-read-database-conf
subPath: read-database.conf
initContainers: initContainers:
- name: create-log-dir - name: create-log-dir
image: docker.io/busybox:1.37 image: docker.io/busybox:1.37
command: command:
- sh - sh
- -c - -c
args:
- mkdir -p /opt/puppetlabs/server/data/puppetdb/logs && chown 999:999 /opt/puppetlabs/server/data/puppetdb/logs - mkdir -p /opt/puppetlabs/server/data/puppetdb/logs && chown 999:999 /opt/puppetlabs/server/data/puppetdb/logs
volumeMounts:
- mountPath: /opt/puppetlabs/server/data/puppetdb
name: puppetdb-storage
securityContext:
runAsUser: 0
resources: resources:
limits: limits:
cpu: 20m cpu: 20m
@@ -106,25 +97,18 @@ spec:
requests: requests:
cpu: 20m cpu: 20m
memory: 32Mi memory: 32Mi
securityContext: - command:
runAsUser: 0
volumeMounts:
- mountPath: /opt/puppetlabs/server/data/puppetdb
name: puppetdb-storage
- name: pgchecker
image: docker.io/busybox:1.37
imagePullPolicy: IfNotPresent
command:
- sh - sh
- -c - -c
args:
- | - |
echo 'Waiting for PostgreSQL to become ready...' echo 'Waiting for PostgreSQL to become ready...'
until printf "." && nc -z -w 2 puppet-postgres-pooler 5432; do until printf "." && nc -z -w 2 puppet-postgres-pooler 5432; do
sleep 2; sleep 2;
done; done;
echo 'PostgreSQL OK ✓' echo 'PostgreSQL OK ✓'
image: docker.io/busybox:1.37
imagePullPolicy: IfNotPresent
name: pgchecker
resources: resources:
limits: limits:
cpu: 20m cpu: 20m
@@ -133,24 +117,22 @@ spec:
cpu: 20m cpu: 20m
memory: 32Mi memory: 32Mi
securityContext: securityContext:
runAsUser: 1000 allowPrivilegeEscalation: false
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
allowPrivilegeEscalation: false runAsUser: 1000
- command:
- name: wait-puppetserver
image: curlimages/curl:8.11.1
imagePullPolicy: IfNotPresent
command:
- sh - sh
- -c - -c
args:
- | - |
echo 'Waiting for puppetserver to become ready...' echo 'Waiting for puppetserver to become ready...'
until printf "." && curl --silent --fail --insecure 'https://puppetca:8140/status/v1/simple' | grep -q '^running$'; do until printf "." && curl --silent --fail --insecure 'https://puppetca:8140/status/v1/simple' | grep -q '^running$'; do
sleep 2; sleep 2;
done; done;
echo 'Puppetserver OK ✓' echo 'Puppetserver OK ✓'
image: curlimages/curl:8.11.1
imagePullPolicy: IfNotPresent
name: wait-puppetserver
resources: resources:
limits: limits:
cpu: 20m cpu: 20m
@@ -159,14 +141,11 @@ spec:
cpu: 20m cpu: 20m
memory: 32Mi memory: 32Mi
securityContext: securityContext:
runAsUser: 1000 allowPrivilegeEscalation: false
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
allowPrivilegeEscalation: false runAsUser: 1000
volumes: volumes:
- name: puppetdb-storage - name: puppetdb-storage
persistentVolumeClaim: persistentVolumeClaim:
claimName: puppetserver-puppetdb-claim claimName: puppetserver-puppetdb-claim
- name: puppetdb-read-database-conf
configMap:
name: puppetdb-read-database-conf
@@ -93,34 +93,28 @@ spec:
- mountPath: /var/lib/puppet/keys/ - mountPath: /var/lib/puppet/keys/
name: eyaml-keys name: eyaml-keys
readOnly: true readOnly: true
- mountPath: /opt/bin/
name: puppet-shared-bins
- mountPath: /opt/vault-ca-cert.crt
name: vault-ca-cert
subPath: ca.crt
initContainers: initContainers:
- name: perms-and-dirs - args:
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main - mkdir -p /etc/puppetlabs/puppet/eyaml/keys;
imagePullPolicy: IfNotPresent cp /tmp/puppet/configmap/check_for_masters.sh /etc/puppetlabs/puppet/check_for_masters.sh;
chown puppet:puppet /etc/puppetlabs/puppet/check_for_masters.sh;
chmod +x /etc/puppetlabs/puppet/check_for_masters.sh;
bash /etc/puppetlabs/puppet/check_for_masters.sh;
mkdir -p /etc/puppetlabs/code/environments;
mkdir -p /etc/puppetlabs/puppet/manifests;
chown -R puppet:puppet /etc/puppetlabs;
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/;
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde;
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/;
command: command:
- sh - sh
- -c - -c
args:
- |
mkdir -p /etc/puppetlabs/puppet/eyaml/keys
cp /tmp/puppet/configmap/check_for_masters.sh /etc/puppetlabs/puppet/check_for_masters.sh
chown puppet:puppet /etc/puppetlabs/puppet/check_for_masters.sh
chmod +x /etc/puppetlabs/puppet/check_for_masters.sh
bash /etc/puppetlabs/puppet/check_for_masters.sh
mkdir -p /etc/puppetlabs/code/environments
mkdir -p /etc/puppetlabs/puppet/manifests
chown -R puppet:puppet /etc/puppetlabs
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/
envFrom: envFrom:
- configMapRef: - configMapRef:
name: puppetserver-init-config name: puppetserver-init-config
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
name: perms-and-dirs
resources: resources:
limits: limits:
cpu: 300m cpu: 300m
@@ -129,8 +123,6 @@ spec:
cpu: 200m cpu: 200m
memory: 128Mi memory: 128Mi
securityContext: securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities: capabilities:
add: add:
- CAP_CHOWN - CAP_CHOWN
@@ -147,6 +139,8 @@ spec:
- FOWNER - FOWNER
drop: drop:
- all - all
runAsNonRoot: false
runAsUser: 0
volumeMounts: volumeMounts:
- mountPath: /etc/puppetlabs/puppet/ - mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-storage name: puppet-puppet-storage
@@ -169,9 +163,3 @@ spec:
secret: secret:
secretName: eyaml-keys secretName: eyaml-keys
defaultMode: 0600 defaultMode: 0600
- name: puppet-shared-bins
persistentVolumeClaim:
claimName: puppet-shared-bins
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
@@ -11,7 +11,7 @@ metadata:
spec: spec:
scaleTargetRef: scaleTargetRef:
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: StatefulSet
name: puppetserver-compiler name: puppetserver-compiler
minReplicas: 2 minReplicas: 2
maxReplicas: 5 maxReplicas: 5
+1 -30
View File
@@ -7,13 +7,11 @@ resources:
- cnpg_cluster.yaml - cnpg_cluster.yaml
- cnpg_pooler.yaml - cnpg_pooler.yaml
- cronjob_g10k-code.yaml - cronjob_g10k-code.yaml
- cronjob_generate-types.yaml
- persistentvolumeclaims.yaml - persistentvolumeclaims.yaml
- vaultauth.yaml - vaultauth.yaml
- vaultstaticsecret.yaml - vaultstaticsecret.yaml
- configmap_puppetboard-config.yaml - configmap_puppetboard-config.yaml
- configmap_puppetdb-config.yaml - configmap_puppetdb-config.yaml
- configmap_puppetdb-read-database.yaml
- configmap_puppetserver-compiler-config.yaml - configmap_puppetserver-compiler-config.yaml
- configmap_puppetserver-init-config.yaml - configmap_puppetserver-init-config.yaml
- configmap_puppetserver-init-masters-config.yaml - configmap_puppetserver-init-masters-config.yaml
@@ -33,31 +31,4 @@ resources:
- service_puppetca.yaml - service_puppetca.yaml
- service_puppetboard.yaml - service_puppetboard.yaml
- service_puppetdb.yaml - service_puppetdb.yaml
- deployment_puppetserver-compiler.yaml - statefulset_puppetserver-compiler.yaml
configMapGenerator:
- name: compiler-autosign.conf
files:
- resources/compiler/autosign.conf
options:
disableNameSuffixHash: true
- name: compiler-puppet.conf
files:
- resources/compiler/puppet.conf
options:
disableNameSuffixHash: true
- name: compiler-puppetdb.conf
files:
- resources/compiler/puppetdb.conf
options:
disableNameSuffixHash: true
- name: puppet-cobbler-enc
files:
- resources/cobbler-enc
options:
disableNameSuffixHash: true
- name: additional-ruby-gems
files:
- resources/additional-ruby-gems.sh
options:
disableNameSuffixHash: true
+18 -36
View File
@@ -73,6 +73,24 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: r10k-shared-config
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-shared-config
namespace: puppet
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: cephrbd-fast-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata: metadata:
labels: labels:
app.kubernetes.io/component: puppetboard app.kubernetes.io/component: puppetboard
@@ -88,39 +106,3 @@ spec:
requests: requests:
storage: 1Gi storage: 1Gi
storageClassName: cephfs-raid6-delete storageClassName: cephfs-raid6-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-compiler-config-shared
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: cephfs-raid6-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: puppet-shared-bins
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 0.9.20
name: puppet-shared-bins
namespace: puppet
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: cephfs-raid6-delete
@@ -1,9 +0,0 @@
#!/bin/bash
set -e
echo "Installing additional Ruby gems..."
/opt/puppetlabs/puppet/bin/gem install deep_merge
/opt/puppetlabs/puppet/bin/gem install ipaddr
/opt/puppetlabs/puppet/bin/gem install hiera-eyaml
/opt/puppetlabs/puppet/bin/gem install toml
echo "Additional Ruby gems installed successfully"
-50
View File
@@ -1,50 +0,0 @@
#!/usr/bin/env -S /opt/bin/uv run --quiet --cache-dir /opt/bin/.cache/uv --script
# /// script
# requires-python = ">=3.11"
# dependencies = ['pyyaml','requests']
# ///
"""
External Node Classifier (ENC) for Puppet.
If the environment specified in the YAML file is 'testing',
the environment is not included in the output.
"""
import sys
import yaml
import requests
def fetch_enc_data(cobbler_url: str, hostname: str) -> str:
"""
Fetches and modifies ENC data from a given URL to ensure classes are in list format.
"""
url = f"{cobbler_url}/cblr/svc/op/puppet/hostname/{hostname}"
try:
response = requests.get(url, verify='/opt/vault-ca-cert.crt')
response.raise_for_status()
except requests.RequestException as e:
sys.exit(f"Request failed: {e}")
data = yaml.safe_load(response.text)
data["parameters"] = data.get("parameters", {})
# Ensure 'classes' is in the desired list format
if "classes" in data:
if isinstance(data["classes"], dict):
data["parameters"]["enc_role"] = list(data["classes"].keys())
data["classes"] = list(data["classes"].keys())
else:
data["parameters"]["enc_role"] = list(data["classes"])
data["classes"] = list(data["classes"])
if "environment" in data:
data["parameters"]["enc_env"] = data["environment"]
if data["environment"] == "testing":
del data["environment"]
return yaml.dump(data)
if __name__ == "__main__":
if len(sys.argv) != 2:
sys.exit(f"Usage: {sys.argv[0]} <hostname>")
print(fetch_enc_data("https://cobbler.main.unkin.net", sys.argv[1]))
@@ -1,15 +0,0 @@
# Autosign all nodes from these subnets
198.18.13.0/24
198.18.14.0/24
198.18.15.0/24
198.18.16.0/24
198.18.17.0/24
198.18.20.0/24
198.18.24.0/24
198.18.25.0/24
198.18.26.0/24
198.18.27.0/24
198.18.28.0/24
198.18.29.0/24
# Autosign all nodes from these domains
*.main.unkin.net
@@ -1,23 +0,0 @@
[main]
server = puppetserver-compiler
serverport = 8140
dns_alt_names = puppetserver-compiler,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net
codedir = /etc/puppetlabs/code
environmentpath = /etc/puppetlabs/code/environments
[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
node_terminus = exec
external_nodes = /opt/bin/cobbler-enc
autosign = /etc/puppetlabs/puppet/autosign.conf
storeconfigs = true
storeconfigs_backend = puppetdb
reports = puppetdb
usecacheonfailure = false
[user]
default_manifest = /etc/puppetlabs/code/environments/develop/manifests
default_environment = develop
@@ -1,3 +0,0 @@
[main]
server_urls = https://puppetdb.k8s.syd1.au.unkin.net
soft_write_failure = true
@@ -1,5 +1,5 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: StatefulSet
metadata: metadata:
annotations: annotations:
reloader.stakater.com/auto: "true" reloader.stakater.com/auto: "true"
@@ -11,10 +11,12 @@ metadata:
name: puppetserver-compiler name: puppetserver-compiler
namespace: puppet namespace: puppet
spec: spec:
podManagementPolicy: OrderedReady
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/component: puppetserver-compilers app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/name: puppetserver app.kubernetes.io/name: puppetserver
serviceName: puppet-headless
template: template:
metadata: metadata:
labels: labels:
@@ -39,14 +41,26 @@ spec:
ports: ports:
- containerPort: 8140 - containerPort: 8140
name: puppetserver name: puppetserver
envFrom: envFrom: null
- configMapRef:
name: puppetserver-compiler-config
env: env:
- name: OPENVOXSERVER_HOSTNAME - name: OPENVOXSERVER_HOSTNAME
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
- name: OPENVOXSERVER_PORT
value: "8140"
- name: DNS_ALT_NAMES
value: puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net
- name: OPENVOXDB_SERVER_URLS
value: https://puppetdb:8081
- name: CA_ENABLED
value: "false"
- name: CA_HOSTNAME
value: puppetca
- name: CA_PORT
value: "8140"
- name: PUPPETSERVER_JAVA_ARGS
value: -Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
periodSeconds: 30 periodSeconds: 30
@@ -94,60 +108,26 @@ spec:
- mountPath: /var/lib/puppet/keys/ - mountPath: /var/lib/puppet/keys/
name: eyaml-keys name: eyaml-keys
readOnly: true readOnly: true
- mountPath: /opt/bin/
name: puppet-shared-bins
- mountPath: /opt/vault-ca-cert.crt
name: vault-ca-cert
subPath: ca.crt
- mountPath: /docker-custom-entrypoint.d/post-startup/additional-ruby-gems.sh
name: additional-ruby-gems
subPath: additional-ruby-gems.sh
initContainers: initContainers:
- name: copy-configmaps - args:
image: busybox:1.35 - mkdir -p /etc/puppetlabs/puppet/eyaml/keys;
mkdir -p /etc/puppetlabs/code/environments;
mkdir -p /etc/puppetlabs/puppet/manifests;
chown -R puppet:puppet /etc/puppetlabs;
chown puppet:puppet /etc/puppetlabs/puppet/r10k.yaml;
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/;
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde;
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/;
command: command:
- sh - sh
- -c - -c
args:
- |
echo "Copying configmap files to shared volume..."
mkdir -p /etc/puppetlabs/puppet
cp /configmaps/puppet.conf /etc/puppetlabs/puppet/puppet.conf
cp /configmaps/puppetdb.conf /etc/puppetlabs/puppet/puppetdb.conf
cp /configmaps/autosign.conf /etc/puppetlabs/puppet/autosign.conf
echo "Configmap files copied successfully"
volumeMounts:
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
- mountPath: /configmaps/puppet.conf
name: compiler-puppet-conf
subPath: puppet.conf
- mountPath: /configmaps/puppetdb.conf
name: compiler-puppetdb-conf
subPath: puppetdb.conf
- mountPath: /configmaps/autosign.conf
name: compiler-autosign-conf
subPath: autosign.conf
- name: perms-and-dirs
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
mkdir -p /etc/puppetlabs/puppet/eyaml/keys
mkdir -p /etc/puppetlabs/code/environments
mkdir -p /etc/puppetlabs/puppet/manifests
chown -R puppet:puppet /etc/puppetlabs
chown puppet:puppet /etc/puppetlabs/puppet/r10k.yaml
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/
env: env:
- name: PUPPETSERVER_JAVA_ARGS - name: PUPPETSERVER_JAVA_ARGS
value: -Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false value: -Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false
envFrom: null
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
name: perms-and-dirs
resources: resources:
limits: limits:
cpu: 300m cpu: 300m
@@ -156,8 +136,6 @@ spec:
cpu: 200m cpu: 200m
memory: 128Mi memory: 128Mi
securityContext: securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities: capabilities:
add: add:
- CAP_CHOWN - CAP_CHOWN
@@ -174,75 +152,33 @@ spec:
- FOWNER - FOWNER
drop: drop:
- all - all
runAsNonRoot: false
runAsUser: 0
volumeMounts: volumeMounts:
- mountPath: /etc/puppetlabs/code/ - mountPath: /etc/puppetlabs/code/
name: puppet-code-volume name: puppet-code-volume
- mountPath: /etc/puppetlabs/puppet/ - mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume name: puppet-puppet-volume
- name: setup-shared-bins
image: git.unkin.net/unkin/almalinux9-base:20260308
command:
- sh
- -c
args:
- |
echo "Setting up shared binaries..."
mkdir -p /opt/bin
mkdir -p /opt/bin/.cache/uv
# Copy cobbler to shared bin volume
cp /configmaps/cobbler-enc /opt/bin/cobbler-enc
chmod +x /opt/bin/cobbler-enc
# Install uv to shared bin volume
cd /tmp
wget -O uv-x86_64-unknown-linux-gnu.tar.gz https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/astral-sh/uv/releases/download/0.9.20/uv-x86_64-unknown-linux-gnu.tar.gz
tar xf uv-x86_64-unknown-linux-gnu.tar.gz
cp uv-x86_64-unknown-linux-gnu/uv /opt/bin/uv
chmod +x /opt/bin/uv
echo "Shared binaries setup completed"
volumeMounts:
- mountPath: /opt/bin/
name: puppet-shared-bins
- mountPath: /configmaps/cobbler-enc
name: puppet-cobbler-enc
subPath: cobbler-enc
securityContext: securityContext:
fsGroup: 999 fsGroup: 999
volumes: volumes:
- name: puppet-code-volume - name: puppet-code-volume
persistentVolumeClaim: persistentVolumeClaim:
claimName: puppetserver-code-shared claimName: puppetserver-code-shared
- name: puppet-puppet-volume
persistentVolumeClaim:
claimName: puppetserver-compiler-config-shared
- name: eyaml-keys - name: eyaml-keys
secret: secret:
secretName: eyaml-keys secretName: eyaml-keys
defaultMode: 0600 defaultMode: 0600
- name: compiler-puppet-conf updateStrategy:
configMap:
name: compiler-puppet.conf
- name: compiler-puppetdb-conf
configMap:
name: compiler-puppetdb.conf
- name: compiler-autosign-conf
configMap:
name: compiler-autosign.conf
- name: puppet-cobbler-enc
configMap:
name: puppet-cobbler-enc
- name: puppet-shared-bins
persistentVolumeClaim:
claimName: puppet-shared-bins
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
- name: additional-ruby-gems
configMap:
name: additional-ruby-gems
defaultMode: 0755
strategy:
type: RollingUpdate type: RollingUpdate
volumeClaimTemplates:
- metadata:
annotations: null
name: puppet-puppet-volume
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: cephrbd-fast-delete
-17
View File
@@ -35,23 +35,6 @@ spec:
--- ---
apiVersion: secrets.hashicorp.com/v1beta1 apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret kind: VaultStaticSecret
metadata:
name: postgres-read-credentials
namespace: puppet
spec:
destination:
create: true
name: postgres-read-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/puppet/default/postgres-read-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata: metadata:
name: eyaml-keys name: eyaml-keys
namespace: puppet namespace: puppet
-8
View File
@@ -1,8 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- lbnodeagents.yaml
- servicegroups.yaml
-28
View File
@@ -1,28 +0,0 @@
---
apiVersion: purelb.io/v1
kind: LBNodeAgent
metadata:
labels:
app.kubernetes.io/component: lbnodeagent
app.kubernetes.io/name: purelb
name: common
namespace: purelb
spec:
local:
extlbint: kube-lb0
localint: default
sendgarp: false
---
apiVersion: purelb.io/v1
kind: LBNodeAgent
metadata:
labels:
app.kubernetes.io/component: lbnodeagent
app.kubernetes.io/name: purelb
name: dmz
namespace: purelb
spec:
local:
extlbint: kube-lb0
localint: default
sendgarp: false
-7
View File
@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: purelb
name: purelb
-30
View File
@@ -1,30 +0,0 @@
---
apiVersion: purelb.io/v1
kind: ServiceGroup
metadata:
labels:
app.kubernetes.io/component: servicegroup
app.kubernetes.io/name: purelb
name: common
namespace: purelb
spec:
local:
v4pools:
- aggregation: /32
pool: 198.18.200.0/24
subnet: 198.18.200.0/24
---
apiVersion: purelb.io/v1
kind: ServiceGroup
metadata:
labels:
app.kubernetes.io/component: servicegroup
app.kubernetes.io/name: purelb
name: dmz
namespace: purelb
spec:
local:
v4pools:
- aggregation: /32
pool: 198.18.199.0/24
subnet: 198.18.199.0/24
@@ -1,18 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: reposync
app.kubernetes.io/name: reposync
name: dnf-conf
namespace: reposync
data:
dnf.conf: |
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
max_parallel_downloads=6
@@ -1,17 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: reposync-openvox7
app.kubernetes.io/name: reposync
name: openvox7-openvox-repo
namespace: reposync
data:
openvox.repo: |
[openvox]
name=openvox repository
baseurl=https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/openvox/openvox7/el/9/x86_64/
gpgkey=https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/openvox/GPG-KEY-openvox.pub
enabled=1
gpgcheck=1
@@ -1,72 +0,0 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: reposync-almalinux9-appstream
app.kubernetes.io/name: reposync
name: reposync-almalinux9-appstream
namespace: reposync
spec:
schedule: "10 2 * * *"
timeZone: "Australia/Sydney"
concurrencyPolicy: Forbid
suspend: false
successfulJobsHistoryLimit: 10
failedJobsHistoryLimit: 5
jobTemplate:
spec:
completions: 1
parallelism: 1
backoffLimit: 3
ttlSecondsAfterFinished: 3600
template:
spec:
restartPolicy: Never
containers:
- name: reposync
image: git.unkin.net/unkin/almalinux9-base:latest
imagePullPolicy: Always
command: ["/bin/bash", "-c"]
args:
- |
set -euo pipefail
echo "Starting AlmaLinux $REPO_TYPE repository sync..."
# Install reposync
dnf install -y dnf-plugins-core
# Sync repository
dnf reposync \
--repoid=$REPO_TYPE \
--destdir=/data \
--download-metadata \
--newest-only \
--delete
echo "AlmaLinux $REPO_TYPE repository sync completed successfully"
env:
- name: REPO_TYPE
value: "appstream"
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 2000m
memory: 4Gi
volumeMounts:
- name: repodata
mountPath: /data
readOnly: false
- name: dnf-conf
mountPath: /etc/dnf/dnf.conf
subPath: dnf.conf
readOnly: true
volumes:
- name: repodata
persistentVolumeClaim:
claimName: reposync-almalinux9-appstream-repodata
- name: dnf-conf
configMap:
name: dnf-conf
@@ -1,75 +0,0 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: reposync-almalinux9-baseos
app.kubernetes.io/name: reposync
name: reposync-almalinux9-baseos
namespace: reposync
spec:
schedule: "0 2 * * *"
timeZone: "Australia/Sydney"
concurrencyPolicy: Forbid
suspend: false
successfulJobsHistoryLimit: 10
failedJobsHistoryLimit: 5
jobTemplate:
spec:
completions: 1
parallelism: 1
backoffLimit: 3
ttlSecondsAfterFinished: 3600
template:
spec:
restartPolicy: Never
containers:
- name: reposync
image: git.unkin.net/unkin/almalinux9-base:latest
imagePullPolicy: Always
command: ["/bin/bash", "-c"]
args:
- |
set -euo pipefail
echo "Starting AlmaLinux $REPO_TYPE repository sync..."
# Install reposync
dnf install -y dnf-plugins-core
# Create repo directory
mkdir -p /data/almalinux/$REPO_TYPE
# Sync repository
dnf reposync \
--repoid=$REPO_TYPE \
--destdir=/data/almalinux/$REPO_TYPE \
--download-metadata \
--newest-only \
--delete
echo "AlmaLinux $REPO_TYPE repository sync completed successfully"
env:
- name: REPO_TYPE
value: "baseos"
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 2000m
memory: 4Gi
volumeMounts:
- name: repodata
mountPath: /data
readOnly: false
- name: dnf-conf
mountPath: /etc/dnf/dnf.conf
subPath: dnf.conf
readOnly: true
volumes:
- name: repodata
persistentVolumeClaim:
claimName: reposync-almalinux9-baseos-repodata
- name: dnf-conf
configMap:
name: dnf-conf
@@ -1,72 +0,0 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: reposync-epel9
app.kubernetes.io/name: reposync
name: reposync-epel9
namespace: reposync
spec:
schedule: "20 2 * * *"
timeZone: "Australia/Sydney"
concurrencyPolicy: Forbid
suspend: false
successfulJobsHistoryLimit: 10
failedJobsHistoryLimit: 5
jobTemplate:
spec:
completions: 1
parallelism: 1
backoffLimit: 3
ttlSecondsAfterFinished: 3600
template:
spec:
restartPolicy: Never
containers:
- name: reposync
image: git.unkin.net/unkin/almalinux9-base:latest
imagePullPolicy: Always
command: ["/bin/bash", "-c"]
args:
- |
set -euo pipefail
echo "Starting AlmaLinux $REPO_TYPE repository sync..."
# Install reposync
dnf install -y dnf-plugins-core
# Sync repository
dnf reposync \
--repoid=$REPO_TYPE \
--destdir=/data \
--download-metadata \
--newest-only \
--delete
echo "AlmaLinux $REPO_TYPE repository sync completed successfully"
env:
- name: REPO_TYPE
value: "epel"
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 2000m
memory: 4Gi
volumeMounts:
- name: repodata
mountPath: /data
readOnly: false
- name: dnf-conf
mountPath: /etc/dnf/dnf.conf
subPath: dnf.conf
readOnly: true
volumes:
- name: repodata
persistentVolumeClaim:
claimName: reposync-epel9-repodata
- name: dnf-conf
configMap:
name: dnf-conf
@@ -1,78 +0,0 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: reposync-openvox7
app.kubernetes.io/name: reposync
name: reposync-openvox7
namespace: reposync
spec:
schedule: "30 2 * * *"
timeZone: "Australia/Sydney"
concurrencyPolicy: Forbid
suspend: false
successfulJobsHistoryLimit: 10
failedJobsHistoryLimit: 5
jobTemplate:
spec:
completions: 1
parallelism: 1
backoffLimit: 3
ttlSecondsAfterFinished: 3600
template:
spec:
restartPolicy: Never
containers:
- name: reposync
image: git.unkin.net/unkin/almalinux9-base:latest
imagePullPolicy: Always
command: ["/bin/bash", "-c"]
args:
- |
set -euo pipefail
echo "Starting AlmaLinux $REPO_TYPE repository sync..."
# Install reposync
dnf install -y dnf-plugins-core
# Sync repository
dnf reposync \
--repoid=$REPO_TYPE \
--destdir=/data \
--download-metadata \
--delete
echo "AlmaLinux $REPO_TYPE repository sync completed successfully"
env:
- name: REPO_TYPE
value: "openvox"
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 2000m
memory: 4Gi
volumeMounts:
- name: repodata
mountPath: /data
readOnly: false
- name: dnf-conf
mountPath: /etc/dnf/dnf.conf
subPath: dnf.conf
readOnly: true
- name: openvox-repo
mountPath: /etc/yum.repos.d/openvox.repo
subPath: openvox.repo
readOnly: true
volumes:
- name: repodata
persistentVolumeClaim:
claimName: reposync-openvox7-repodata
- name: dnf-conf
configMap:
name: dnf-conf
- name: openvox-repo
configMap:
name: openvox7-openvox-repo
-13
View File
@@ -1,13 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- configmap_dnf-conf.yaml
- configmap_openvox-repo.yaml
- persistentvolumeclaims.yaml
- cronjob_reposync-almalinux9-baseos.yaml
- cronjob_reposync-almalinux9-appstream.yaml
- cronjob_reposync-epel9.yaml
- cronjob_reposync-openvox7.yaml
-7
View File
@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: reposync
name: reposync
@@ -1,64 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: reposync-almalinux9-baseos
app.kubernetes.io/name: reposync
name: reposync-almalinux9-baseos-repodata
namespace: reposync
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: cephrbd-fast-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: reposync-almalinux9-appstream
app.kubernetes.io/name: reposync
name: reposync-almalinux9-appstream-repodata
namespace: reposync
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
storageClassName: cephrbd-fast-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: reposync-epel9
app.kubernetes.io/name: reposync
name: reposync-epel9-repodata
namespace: reposync
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 30Gi
storageClassName: cephrbd-fast-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: reposync-openvox7
app.kubernetes.io/name: reposync
name: reposync-openvox7-repodata
namespace: reposync
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: cephrbd-fast-delete
-6
View File
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
-7
View File
@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: vm-system
name: vm-system
@@ -1,12 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: vault-service-account-admin
app.kubernetes.io/part-of: vault-secrets-system
name: vso-system-vault-service-account-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
@@ -1,32 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/part-of: vault-secrets-operator
name: vso-system-vault-secrets-operator-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault-secrets-operator-controller-manager
namespace: vso-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: vso-system-vault-admin-binding
app.kubernetes.io/part-of: vault-secrets-system
name: vso-system-vault-admin-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vso-system-vault-service-account-admin
subjects:
- kind: ServiceAccount
name: vso-system-vault-admin
namespace: vso-system
-9
View File
@@ -1,9 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- serviceaccount_vault-admin.yaml
- clusterrole_vault-service-account-admin.yaml
- clusterrolebindings.yaml
-7
View File
@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: vso-system
name: vso-system
@@ -1,9 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: vault-admin
app.kubernetes.io/part-of: vault-secrets-system
name: vso-system-vault-admin
namespace: vso-system
@@ -7,7 +7,7 @@ resources:
helmCharts: helmCharts:
- name: rancher - name: rancher
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm repo: https://releases.rancher.com/server-charts/stable
version: "2.13.1" version: "2.13.1"
releaseName: rancher releaseName: rancher
namespace: cattle-system namespace: cattle-system
@@ -7,7 +7,7 @@ resources:
helmCharts: helmCharts:
- name: cert-manager - name: cert-manager
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm repo: https://charts.jetstack.io
version: "v1.19.2" version: "v1.19.2"
releaseName: cert-manager releaseName: cert-manager
namespace: cert-manager namespace: cert-manager
@@ -7,7 +7,7 @@ resources:
helmCharts: helmCharts:
- name: cloudnative-pg - name: cloudnative-pg
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm repo: https://cloudnative-pg.github.io/charts
version: "0.27.0" version: "0.27.0"
releaseName: cloudnative-pg-operator releaseName: cloudnative-pg-operator
namespace: cnpg-system namespace: cnpg-system
@@ -7,7 +7,7 @@ resources:
helmCharts: helmCharts:
- name: ceph-csi-cephfs - name: ceph-csi-cephfs
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm repo: https://ceph.github.io/csi-charts
version: "3.15.0" version: "3.15.0"
releaseName: ceph-csi-cephfs releaseName: ceph-csi-cephfs
namespace: csi-cephfs namespace: csi-cephfs
@@ -7,7 +7,7 @@ resources:
helmCharts: helmCharts:
- name: ceph-csi-rbd - name: ceph-csi-rbd
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm repo: https://ceph.github.io/csi-charts
version: "3.15.1" version: "3.15.1"
releaseName: ceph-csi-rbd releaseName: ceph-csi-rbd
namespace: csi-cephrbd namespace: csi-cephrbd
@@ -1,16 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: elastic-system
resources:
- ../../../base/elastic-system
helmCharts:
- name: eck-operator
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "3.2.0"
releaseName: elastic-operator
namespace: elastic-system
valuesFile: values.yaml
@@ -1,11 +0,0 @@
replicaCount: 2
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 10m
memory: 150Mi
podDisruptionBudget:
enabled: true
minAvailable: 1
@@ -7,7 +7,7 @@ resources:
helmCharts: helmCharts:
- name: external-dns - name: external-dns
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm repo: https://kubernetes-sigs.github.io/external-dns/
version: "1.19.0" version: "1.19.0"
releaseName: externaldns releaseName: externaldns
namespace: externaldns namespace: externaldns
@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/jfrog
helmCharts:
- name: artifactory-jcr
repo: https://charts.jfrog.io
version: "107.133.10"
releaseName: artifactory-jcr
namespace: jfrog
valuesFile: values.yaml
+63
View File
@@ -0,0 +1,63 @@
---
artifactory:
## Artifactory
## See full list of supported Artifactory options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
artifactory:
## Default tag is from the artifactory sub-chart in the requirements.yaml
image:
registry: releases-docker.jfrog.io
repository: jfrog/artifactory-jcr
resources: {}
# requests:
# memory: "1Gi"
# cpu: "500m"
# limits:
# memory: "4Gi"
# cpu: "1"
## The following Java options are passed to the java process running Artifactory.
## You should set them according to the resources set above.
## IMPORTANT: Make sure resources.limits.memory is at least 1G more than Xmx.
javaOpts: {}
# xms: "1g"
# xmx: "3g"
# other: ""
installer:
platform: jcr-helm
## Nginx
## See full list of supported Nginx options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
nginx:
enabled: true
tlsSecretName: ""
service:
type: LoadBalancer
## Ingress
## See full list of supported Ingress options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
ingress:
enabled: false
tls:
## PostgreSQL
## See list of supported postgresql options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
## Configuration values for the PostgreSQL dependency sub-chart
## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
postgresql:
enabled: true
## This key is required for upgrades to protect old PostgreSQL chart's breaking changes.
databaseUpgradeReady: "yes"
## If NOT using the PostgreSQL in this chart (artifactory.postgresql.enabled=false),
## specify custom database details here or leave empty and Artifactory will use embedded derby.
## See full list of database options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
# database:
jfconnect:
enabled: false
rtfs:
enabled: false
onemodel:
enabled: false
evidence:
enabled: false
apptrust:
enabled: false
unifiedpolicy:
enabled: false
platformfederation:
enabled: false
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/litellm
@@ -1,22 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: observability
resources:
- ../../../base/observability
helmCharts:
- name: victoria-metrics-cluster
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.33.0"
releaseName: victoria-metrics-cluster
namespace: observability
valuesFile: values-vmcluster.yaml
- name: victoria-metrics-agent
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.30.0"
releaseName: victoria-metrics-agent
namespace: observability
valuesFile: values-vmagent.yaml
@@ -1,102 +0,0 @@
image:
repository: victoriametrics/vmagent
pullPolicy: IfNotPresent
global:
scrape_interval: 15s
podDisruptionBudget:
enabled: true
maxUnavailable: 1
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8481"
replicaCount: 3
extraArgs:
envflag.enable: true
envflag.prefix: VM_
loggerFormat: json
httpListenAddr: :8429
service:
enabled: true
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vmagent.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vmagent.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
hosts:
- name: vmagent.k8s.syd1.au.unkin.net
path:
- /
port: http
tls:
- hosts:
- vmagent.k8s.syd1.au.unkin.net
secretName: vmagent-tls
ingressClassName: nginx
remoteWrite:
- url: http://victoria-metrics-cluster-vminsert.observability.svc.cluster.local:8480/insert/0/prometheus/
scrape_configs:
- job_name: vmagent
static_configs:
- targets: ["localhost:8429"]
- job_name: "kubernetes-apiservers"
kubernetes_sd_configs:
- role: endpoints
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- source_labels:
- __meta_kubernetes_namespace
- __meta_kubernetes_service_name
- __meta_kubernetes_endpoint_port_name
action: keep
regex: default;kubernetes;https
- job_name: "kubernetes-nodes"
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- job_name: "kubernetes-nodes-cadvisor"
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
metrics_path: /metrics/cadvisor
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- source_labels: [__metrics_path__]
target_label: metrics_path
metric_relabel_configs:
- action: replace
source_labels: [pod]
regex: '(.+)'
target_label: pod_name
replacement: '${1}'
- action: replace
source_labels: [container]
regex: '(.+)'
target_label: container_name
replacement: '${1}'
- action: replace
target_label: name
replacement: k8s_stub
- action: replace
source_labels: [id]
regex: '^/system\.slice/(.+)\.service$'
target_label: systemd_service_name
replacement: '${1}'
@@ -1,185 +0,0 @@
vmselect:
enabled: true
image:
repository: victoriametrics/vmselect
pullPolicy: IfNotPresent
variant: cluster
extraArgs:
envflag.enable: true
envflag.prefix: VM_
loggerFormat: json
httpListenAddr: :8481
dedup.minScrapeInterval: 15s
replicationFactor: 2
resources:
limits:
cpu: 500m
memory: 1024Mi
requests:
cpu: 50m
memory: 128Mi
horizontalPodAutoscaler:
enabled: true
maxReplicas: 10
minReplicas: 2
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 30
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 10
periodSeconds: 60
- type: Pods
value: 2
periodSeconds: 60
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8481"
podDisruptionBudget:
enabled: true
maxUnavailable: 1
replicaCount: 2
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vmselect.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vmselect.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
hosts:
- name: vmselect.k8s.syd1.au.unkin.net
path:
- /
port: http
tls:
- hosts:
- vmselect.k8s.syd1.au.unkin.net
secretName: vmselect-tls
ingressClassName: nginx
vminsert:
enabled: true
image:
repository: victoriametrics/vminsert
variant: cluster
pullPolicy: IfNotPresent
extraArgs:
envflag.enable: true
envflag.prefix: VM_
loggerFormat: json
httpListenAddr: :8480
replicationFactor: 2
resources:
limits:
cpu: 500m
memory: 1024Mi
requests:
cpu: 50m
memory: 128Mi
horizontalPodAutoscaler:
enabled: true
maxReplicas: 10
minReplicas: 2
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 30
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 10
periodSeconds: 60
- type: Pods
value: 2
periodSeconds: 60
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8480"
podDisruptionBudget:
enabled: true
maxUnavailable: 1
replicaCount: 2
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vminsert.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vminsert.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
hosts:
- name: vminsert.k8s.syd1.au.unkin.net
path:
- /
port: http
tls:
- hosts:
- vminsert.k8s.syd1.au.unkin.net
secretName: vminsert-tls
ingressClassName: nginx
vmstorage:
enabled: true
image:
repository: victoriametrics/vmstorage
variant: cluster
pullPolicy: IfNotPresent
retentionPeriod: 180d
extraArgs:
envflag.enable: true
envflag.prefix: VM_
loggerFormat: json
httpListenAddr: :8482
dedup.minScrapeInterval: 15s
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8482"
podDisruptionBudget:
enabled: true
maxUnavailable: 1
persistentVolume:
enabled: true
name: vmstorage-volume
accessModes:
- ReadWriteOnce
storageClassName: cephrbd-fast-delete
mountPath: /storage
size: 200Gi
replicaCount: 3
podManagementPolicy: OrderedReady
@@ -1,16 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: purelb
resources:
- ../../../base/purelb
helmCharts:
- name: purelb
repo: https://gitlab.com/api/v4/projects/20400619/packages/helm/stable
version: "v0.13.0"
releaseName: purelb
namespace: purelb
valuesFile: values.yaml
-56
View File
@@ -1,56 +0,0 @@
image:
repository: registry.gitlab.com/purelb/purelb
tag: v0.13.0
pullPolicy: Always
allocator:
securityContext:
runAsNonRoot: true
runAsUser: 65534
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
tolerations: []
lbnodeagent:
extlbint: kube-lb0
localint: default
sendgarp: false
tolerations: []
containerSecurityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
readOnlyRootFilesystem: false
runAsGroup: 0
runAsUser: 0
defaultAnnouncer: PureLB
serviceGroup:
create: false
name: default
Prometheus:
allocator:
Metrics:
enabled: false
serviceMonitor:
enabled: false
prometheusRules:
enabled: false
lbnodeagent:
Metrics:
enabled: false
serviceMonitor:
enabled: false
prometheusRules:
enabled: false
memberlistSecretKey: 8sb7ikA5qHwQQqxc
@@ -7,7 +7,7 @@ resources:
helmCharts: helmCharts:
- name: reloader - name: reloader
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm repo: https://stakater.github.io/stakater-charts
version: "2.2.8" version: "2.2.8"
releaseName: reloader releaseName: reloader
namespace: reloader-system namespace: reloader-system
@@ -1,8 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: reposync
resources:
- ../../../base/reposync
@@ -1,16 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vm-system
resources:
- ../../../base/vm-system
helmCharts:
- name: victoria-metrics-operator
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.57.1"
releaseName: victoria-metrics-operator
namespace: vm-system
valuesFile: values.yaml
@@ -1,9 +0,0 @@
logLevel: "info"
replicaCount: 2
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
@@ -1,24 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vso-system
resources:
- ../../../base/vso-system
helmCharts:
- name: vault-secrets-operator
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "1.2.0"
releaseName: vault-secrets-operator
namespace: vso-system
valuesFile: values.yaml
patches:
- path: patch_vaultauth-remove-namespace.yaml
target:
group: secrets.hashicorp.com
version: v1beta1
kind: VaultAuth
name: default
@@ -1,2 +0,0 @@
- op: remove
path: /spec/namespace
@@ -1,28 +0,0 @@
defaultVaultConnection:
enabled: true
address: "https://vault.service.consul:8200"
skipTLSVerify: false
caCertSecret: "vault-ca-cert"
defaultAuthMethod:
enabled: true
method: "kubernetes"
mount: "k8s/au/syd1"
namespace: ""
kubernetes:
role: "default"
serviceAccount: "vault-secrets-operator-controller-manager"
tokenAudiences: ["vault"]
controller:
replicas: 3
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 50m
memory: 128Mi
globalVaultAuth:
enabled: true
+1 -1
View File
@@ -26,7 +26,7 @@ server:
WOODPECKER_OPEN: "true" WOODPECKER_OPEN: "true"
WOODPECKER_ADMIN: "unkinben" WOODPECKER_ADMIN: "unkinben"
WOODPECKER_DISABLE_USER_AGENT_REGISTRATION: "true" WOODPECKER_DISABLE_USER_AGENT_REGISTRATION: "true"
WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx,woodpeckerci/plugin-docker-buildx:latest-insecure" WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx:latest-insecure"
extraSecretNamesForEnvFrom: extraSecretNamesForEnvFrom:
- woodpecker-gitea - woodpecker-gitea
- woodpecker-postgres-credentials - woodpecker-postgres-credentials
-31
View File
@@ -1,31 +0,0 @@
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: aitooling-apps
namespace: argocd
spec:
generators:
- git:
repoURL: https://git.unkin.net/unkin/argocd-apps
revision: HEAD
directories:
- path: apps/overlays/*/litellm
template:
metadata:
name: 'aitooling-{{path[3]}}'
spec:
project: aitooling
source:
repoURL: https://git.unkin.net/unkin/argocd-apps
targetRevision: HEAD
path: '{{path}}'
destination:
server: https://kubernetes.default.svc
namespace: '{{path[3]}}'
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- ServerSideApply=true
@@ -3,7 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- aitooling.yaml
- observability.yaml
- platform.yaml - platform.yaml
- storage.yaml - storage.yaml
-31
View File
@@ -1,31 +0,0 @@
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: observability-apps
namespace: argocd
spec:
generators:
- git:
repoURL: https://git.unkin.net/unkin/argocd-apps
revision: HEAD
directories:
- path: apps/overlays/*/observability
template:
metadata:
name: 'observability-{{path[3]}}'
spec:
project: observability
source:
repoURL: https://git.unkin.net/unkin/argocd-apps
targetRevision: HEAD
path: '{{path}}'
destination:
server: https://kubernetes.default.svc
namespace: '{{path[3]}}'
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- ServerSideApply=true
+3 -8
View File
@@ -12,21 +12,16 @@ spec:
directories: directories:
- path: apps/overlays/*/artifactapi - path: apps/overlays/*/artifactapi
- path: apps/overlays/*/cattle-system - path: apps/overlays/*/cattle-system
- path: apps/overlays/*/cert-manager
- path: apps/overlays/*/certificates - path: apps/overlays/*/certificates
- path: apps/overlays/*/cert-manager
- path: apps/overlays/*/cnpg-system - path: apps/overlays/*/cnpg-system
- path: apps/overlays/*/elastic-system
- path: apps/overlays/*/externaldns - path: apps/overlays/*/externaldns
- path: apps/overlays/*/inteldeviceplugins-system - path: apps/overlays/*/inteldeviceplugins-system
- path: apps/overlays/*/jfrog
- path: apps/overlays/*/node-feature-discovery - path: apps/overlays/*/node-feature-discovery
- path: apps/overlays/*/puppet
- path: apps/overlays/*/purelb
- path: apps/overlays/*/reflector-system - path: apps/overlays/*/reflector-system
- path: apps/overlays/*/reloader-system - path: apps/overlays/*/reloader-system
- path: apps/overlays/*/reposync - path: apps/overlays/*/jfrog
- path: apps/overlays/*/vm-system - path: apps/overlays/*/puppet
- path: apps/overlays/*/vso-system
- path: apps/overlays/*/woodpecker - path: apps/overlays/*/woodpecker
template: template:
metadata: metadata:

Some files were not shown because too many files have changed in this diff Show More