Compare commits
52 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 649ed07ab0 | |||
| dbb5ad4f86 | |||
| 4b8f9313c8 | |||
| bb330a0365 | |||
| 15225433e9 | |||
| bbb9acba36 | |||
| 48f32a044d | |||
| 7f1444fb38 | |||
| 784c3b5de1 | |||
| cfca1e5278 | |||
| 99a95f4e57 | |||
| feaec2c8a9 | |||
| d1cc467455 | |||
| 0e9ac4d390 | |||
| 722ced3256 | |||
| 92e6f0f13b | |||
| 825c46c91b | |||
| 2c9c79d8f1 | |||
| f695657d9d | |||
| 5dee768170 | |||
| f120f3b426 | |||
| f6d60bd02d | |||
| aac1b654bb | |||
| 1c6e087116 | |||
| 9e6efb7c78 | |||
| cae42b4896 | |||
| 349dc5fd01 | |||
| 8cbd645332 | |||
| ad2cdd3b63 | |||
| 17782d716c | |||
| 188c39f85d | |||
| 0b7819bda3 | |||
| 3c6330ebfd | |||
| a3a56d0c2b | |||
| 4b1fbe1fe1 | |||
| 666f3d055c | |||
| 3dc8801070 | |||
| 60f1f3130b | |||
| b6f8cb0633 | |||
| f11ec1056d | |||
| ed7feaf19a | |||
| 4d594fbde7 | |||
| 1b781e0885 | |||
| ede25a3858 | |||
| f5f713fe86 | |||
| 3990fbfe06 | |||
| d358098fff | |||
| 201e601737 | |||
| d230d87ec9 | |||
| 6497dab25e | |||
| f403c6b05d | |||
| ac8b8212bd |
@@ -0,0 +1,273 @@
|
|||||||
|
---
|
||||||
|
description: Pull master, read open issues, pick one, branch, implement, test, commit, PR, and comment.
|
||||||
|
---
|
||||||
|
|
||||||
|
# Solve a Gitea Issue
|
||||||
|
|
||||||
|
## Current repo state
|
||||||
|
|
||||||
|
```!
|
||||||
|
git status --short
|
||||||
|
echo "Current branch: $(git branch --show-current)"
|
||||||
|
echo "Remote: $(git remote get-url origin 2>/dev/null || echo 'none')"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Open issues (with full body)
|
||||||
|
|
||||||
|
```!
|
||||||
|
echo "Fetching open issues..."
|
||||||
|
issue_ids=$(tea issues list --output simple 2>/dev/null | awk 'NF && $1 ~ /^[0-9]+$/ {print $1}')
|
||||||
|
if [ -z "$issue_ids" ]; then
|
||||||
|
echo "No open issues found (or tea is not logged in)."
|
||||||
|
else
|
||||||
|
for id in $issue_ids; do
|
||||||
|
echo ""
|
||||||
|
echo "══════════════════════════════════════"
|
||||||
|
tea issues view "$id" --fields index,title,body 2>/dev/null \
|
||||||
|
|| tea issue "$id" 2>/dev/null \
|
||||||
|
|| echo " (could not read issue #$id)"
|
||||||
|
echo "══════════════════════════════════════"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Your task
|
||||||
|
|
||||||
|
Follow these steps **in order**. Do not skip steps.
|
||||||
|
|
||||||
|
### 1 — Choose an issue
|
||||||
|
|
||||||
|
Present the issues above to the user as a numbered list (index, one-line title). Ask which one to work on. Wait for the answer before continuing.
|
||||||
|
|
||||||
|
### 2 — Sync master
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git checkout master
|
||||||
|
git pull
|
||||||
|
```
|
||||||
|
|
||||||
|
Confirm you are on master and up to date.
|
||||||
|
|
||||||
|
### 3 — Create a branch
|
||||||
|
|
||||||
|
Name the branch `benvin/issue-<N>-<short-slug>` where `<short-slug>` is 2–4 kebab-case words from the issue title.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git checkout -b benvin/issue-<N>-<slug>
|
||||||
|
```
|
||||||
|
|
||||||
|
### 4 — Read the issue in full
|
||||||
|
|
||||||
|
Re-read the full issue body shown above. If any part is ambiguous, state your interpretation before coding.
|
||||||
|
|
||||||
|
**If you discover other problems while working:** do NOT solve them inline. Create a new Gitea issue with `tea issues create --title "..." --description "..."` and stay focused on the assigned issue.
|
||||||
|
|
||||||
|
### 5 — Implement the solution
|
||||||
|
|
||||||
|
Make the code changes needed to resolve the issue. Follow the conventions already in the repo:
|
||||||
|
- `main.py` route handlers each contain a single function call; logic lives in submodules.
|
||||||
|
- No comments unless the WHY is non-obvious.
|
||||||
|
- No new files unless the issue or architecture requires it.
|
||||||
|
- Security: no command injection, XSS, SQL injection, or secrets in code.
|
||||||
|
- **For performance improvements:** implement at the most generic call site possible so the fix applies to all current and future implementations, not just the one being tested.
|
||||||
|
|
||||||
|
### 6 — Update tests
|
||||||
|
|
||||||
|
Add or update tests that cover the new behaviour. Tests live in `tests/`. Check existing test structure before writing new ones — mirror the style and fixture patterns already in use.
|
||||||
|
|
||||||
|
### 7 — Update README
|
||||||
|
|
||||||
|
If the feature introduces new config keys, endpoints, or user-facing behaviour, document it in `README.md`. Keep additions concise — follow the existing section style.
|
||||||
|
|
||||||
|
### 8 — Run the full test suite
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make test
|
||||||
|
```
|
||||||
|
|
||||||
|
All tests must pass. If any fail, fix them before proceeding. Do not skip or suppress failing tests.
|
||||||
|
|
||||||
|
### 9 — Live Docker test (new package type only)
|
||||||
|
|
||||||
|
**Skip this step if the issue does not add a new remote package type.**
|
||||||
|
|
||||||
|
If the issue adds a new package type (e.g. `deb`, `conda`, `cargo`, `rubygems`, or any type not already in `remotes.yaml`), do the following before committing.
|
||||||
|
|
||||||
|
#### 9a — Add a real test remote to remotes.yaml
|
||||||
|
|
||||||
|
Append a valid, publicly accessible remote of the new type to `remotes.yaml`. Use a real upstream URL and patterns that cover both an immutable file (versioned artifact) and a mutable file (index/metadata). Add a comment explaining which URLs to use for manual testing.
|
||||||
|
|
||||||
|
#### 9b — Start the stack
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make docker-up
|
||||||
|
```
|
||||||
|
|
||||||
|
Wait until `curl -s http://localhost:8000/health` returns `{"status":"healthy"}`.
|
||||||
|
|
||||||
|
#### 9c — Test a mutable file (first fetch — cache miss)
|
||||||
|
|
||||||
|
Download the index or metadata file for the new remote. Confirm:
|
||||||
|
- HTTP 200
|
||||||
|
- `X-Artifact-Source: remote` header (or equivalent log line confirming a cache miss)
|
||||||
|
- Content looks correct (not empty, not an error page)
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -sv "http://localhost:8000/api/v1/remote/<new-remote>/<mutable-path>" 2>&1 | grep -E "< HTTP|X-Artifact"
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 9d — Test a mutable file (second fetch — cache hit)
|
||||||
|
|
||||||
|
Repeat the exact same request. Confirm:
|
||||||
|
- HTTP 200
|
||||||
|
- `X-Artifact-Source: cache`
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -sv "http://localhost:8000/api/v1/remote/<new-remote>/<mutable-path>" 2>&1 | grep -E "< HTTP|X-Artifact"
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 9e — Test an immutable file (first fetch — cache miss)
|
||||||
|
|
||||||
|
Download a versioned/immutable artifact. Confirm HTTP 200 and a cache-miss log line.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -sv "http://localhost:8000/api/v1/remote/<new-remote>/<immutable-path>" 2>&1 | grep -E "< HTTP|X-Artifact"
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 9f — Test an immutable file (second fetch — cache hit)
|
||||||
|
|
||||||
|
Repeat. Confirm `X-Artifact-Source: cache`.
|
||||||
|
|
||||||
|
#### 9g — Check container logs
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make docker-logs
|
||||||
|
```
|
||||||
|
|
||||||
|
Scan for:
|
||||||
|
- `Cache MISS` on first fetches, `Cache HIT` on second fetches
|
||||||
|
- `Cache ADD SUCCESS` with correct sizes
|
||||||
|
- No unhandled exceptions or ERROR lines
|
||||||
|
|
||||||
|
#### 9h — Exercise package-type tooling against the proxy
|
||||||
|
|
||||||
|
Use the native tooling for this package type to verify end-to-end behaviour. Examples:
|
||||||
|
|
||||||
|
| Package type | Command |
|
||||||
|
|---|---|
|
||||||
|
| `pypi` | `uv run --index-url http://localhost:8000/api/v1/remote/<remote>/simple <tool>` |
|
||||||
|
| `npm` | `npm install --registry http://localhost:8000/api/v1/remote/<remote>/ <pkg>` |
|
||||||
|
| `helm` | `helm repo add test http://localhost:8000/api/v1/remote/<remote> && helm search repo test && helm template test/<chart>` |
|
||||||
|
| `alpine` | `apk fetch --repository http://localhost:8000/api/v1/remote/<remote>/<branch>/<arch> <pkg>` |
|
||||||
|
| `rpm` | `dnf install --repofrompath ... <pkg>` or `repoquery` |
|
||||||
|
| `generic` | `curl` / `wget` as appropriate |
|
||||||
|
|
||||||
|
Confirm the tool resolves and downloads correctly through the proxy.
|
||||||
|
|
||||||
|
#### 9i — Tear down
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make docker-down
|
||||||
|
```
|
||||||
|
|
||||||
|
Fix any failures found during 9b–9h before moving on.
|
||||||
|
|
||||||
|
### 9.5 — Performance issues: measure before/after and gate the PR
|
||||||
|
|
||||||
|
**Skip this step if the issue is not a performance improvement.**
|
||||||
|
|
||||||
|
For performance issues, a PR is only warranted if there is a measurable gain. Use the Docker stack to compare before and after.
|
||||||
|
|
||||||
|
#### 9.5a — Baseline measurement (before)
|
||||||
|
|
||||||
|
Start the stack with the **unmodified** code (temporarily revert your change):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make docker-up
|
||||||
|
```
|
||||||
|
|
||||||
|
Warm or clear the cache as appropriate, then measure the relevant metric — e.g. concurrent request latency during a slow operation, response time for a specific endpoint, or throughput. Record the numbers.
|
||||||
|
|
||||||
|
#### 9.5b — Apply your change and rebuild
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make docker-up # rebuilds the image
|
||||||
|
```
|
||||||
|
|
||||||
|
Repeat exactly the same measurement. Record the numbers.
|
||||||
|
|
||||||
|
#### 9.5c — Decide
|
||||||
|
|
||||||
|
If the improvement is not clearly measurable, **do not open a PR**. Instead:
|
||||||
|
1. Update the issue with your findings.
|
||||||
|
2. Note any conditions under which the improvement would be observable.
|
||||||
|
3. Skip steps 11–14.
|
||||||
|
|
||||||
|
If the improvement is clear, proceed with the commit and PR. Include the before/after numbers in the PR description and the issue comment.
|
||||||
|
|
||||||
|
#### 9.5d — Tear down
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make docker-down
|
||||||
|
```
|
||||||
|
|
||||||
|
### 10 — Build the wheel (smoke check)
|
||||||
|
|
||||||
|
```bash
|
||||||
|
uv build --wheel
|
||||||
|
```
|
||||||
|
|
||||||
|
Confirm the build succeeds.
|
||||||
|
|
||||||
|
### 11 — Stage and commit
|
||||||
|
|
||||||
|
Stage only the files you changed. Do not use `git add -A` or `git add .` — list files explicitly. Run:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git add <file1> <file2> ...
|
||||||
|
git commit
|
||||||
|
```
|
||||||
|
|
||||||
|
The commit message must:
|
||||||
|
- Start with a conventional-commit prefix (`feat:`, `fix:`, `refactor:`, `chore:`, etc.)
|
||||||
|
- Summarise the change in ≤ 72 characters on the first line
|
||||||
|
- Optionally include a short body explaining *why* (not *what*)
|
||||||
|
|
||||||
|
If the pre-commit hook auto-fixes files, re-stage the fixed files and commit again.
|
||||||
|
|
||||||
|
### 12 — Push the branch
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git push origin <branch-name>
|
||||||
|
```
|
||||||
|
|
||||||
|
### 13 — Open a pull request
|
||||||
|
|
||||||
|
```bash
|
||||||
|
tea pulls create \
|
||||||
|
--base master \
|
||||||
|
--head <branch-name> \
|
||||||
|
--title "<same as commit subject>" \
|
||||||
|
--description "Closes #<N>\n\n## Summary\n<bullet points>\n\n## Test plan\n<what was verified>"
|
||||||
|
```
|
||||||
|
|
||||||
|
### 14 — Comment on the issue
|
||||||
|
|
||||||
|
```bash
|
||||||
|
tea comment <N> "<resolution comment>"
|
||||||
|
```
|
||||||
|
|
||||||
|
The comment must cover:
|
||||||
|
- **How it was resolved** — what changed and why
|
||||||
|
- **Issues encountered** — any non-obvious problems hit during implementation
|
||||||
|
- **Potential future improvements** — what could be done next
|
||||||
|
|
||||||
|
### 15 — Return to master
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git checkout master
|
||||||
|
```
|
||||||
|
|
||||||
|
Report the PR URL and a one-sentence summary to the user.
|
||||||
@@ -7,6 +7,7 @@ repos:
|
|||||||
- id: check-json
|
- id: check-json
|
||||||
- id: check-added-large-files
|
- id: check-added-large-files
|
||||||
args: ['--maxkb=500']
|
args: ['--maxkb=500']
|
||||||
|
exclude: '^schemas/'
|
||||||
- id: check-merge-conflict
|
- id: check-merge-conflict
|
||||||
- id: check-shebang-scripts-are-executable
|
- id: check-shebang-scripts-are-executable
|
||||||
- id: check-symlinks
|
- id: check-symlinks
|
||||||
@@ -19,6 +20,7 @@ repos:
|
|||||||
- id: end-of-file-fixer
|
- id: end-of-file-fixer
|
||||||
- id: forbid-new-submodules
|
- id: forbid-new-submodules
|
||||||
- id: pretty-format-json
|
- id: pretty-format-json
|
||||||
|
args: ['--autofix']
|
||||||
- id: trailing-whitespace
|
- id: trailing-whitespace
|
||||||
|
|
||||||
# YAML linting
|
# YAML linting
|
||||||
|
|||||||
@@ -3,7 +3,7 @@ when:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: kubeconform
|
- name: kubeconform
|
||||||
image: git.unkin.net/unkin/almalinux9-kubetest:20260319
|
image: git.unkin.net/unkin/almalinux9-kubetest:20260606
|
||||||
commands:
|
commands:
|
||||||
- make kubeconform
|
- make kubeconform
|
||||||
backend_options:
|
backend_options:
|
||||||
|
|||||||
@@ -3,7 +3,7 @@ when:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: pre-commit
|
- name: pre-commit
|
||||||
image: git.unkin.net/unkin/almalinux9-base:20260308
|
image: git.unkin.net/unkin/almalinux9-base:20260606
|
||||||
commands:
|
commands:
|
||||||
- uvx pre-commit run --all-files
|
- uvx pre-commit run --all-files
|
||||||
backend_options:
|
backend_options:
|
||||||
|
|||||||
@@ -0,0 +1,261 @@
|
|||||||
|
# AGENTS.md
|
||||||
|
|
||||||
|
## Project Overview
|
||||||
|
|
||||||
|
This is an **ArgoCD GitOps repository** that manages Kubernetes applications for the `au-syd1` cluster using a Kustomize + Helm pattern. Applications are deployed via ArgoCD ApplicationSets that watch directory patterns in this repo.
|
||||||
|
|
||||||
|
The migration pattern for this repo is: **Terragrunt/Terraform → ArgoCD** (see `migration.md` for full guide).
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Essential Commands
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Build and render manifests for a path (outputs to manifests/<path>/)
|
||||||
|
make build apps/overlays/au-syd1/<app-name>
|
||||||
|
make build clusters/au-syd1/bootstrap
|
||||||
|
|
||||||
|
# Validate all apps and clusters with kubeconform
|
||||||
|
make kubeconform
|
||||||
|
|
||||||
|
# Clean generated manifests
|
||||||
|
make clean
|
||||||
|
|
||||||
|
# Quick build + inspect without persisting output
|
||||||
|
kustomize build --enable-helm apps/overlays/au-syd1/<app-name>
|
||||||
|
|
||||||
|
# Check all resource kinds produced by an overlay
|
||||||
|
kustomize build --enable-helm apps/overlays/au-syd1/<app-name> | grep "^kind:" | sort | uniq -c
|
||||||
|
|
||||||
|
# Run pre-commit checks against all files
|
||||||
|
uvx pre-commit run --all-files
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Directory Structure
|
||||||
|
|
||||||
|
```
|
||||||
|
argocd-apps/
|
||||||
|
├── argocd/
|
||||||
|
│ ├── applicationsets/ # ArgoCD ApplicationSet definitions (platform.yaml, storage.yaml)
|
||||||
|
│ └── projects/ # ArgoCD AppProject definitions (platform.yaml, storage.yaml)
|
||||||
|
├── apps/
|
||||||
|
│ ├── base/ # Base Kustomize resources per app (no cluster-specific config)
|
||||||
|
│ │ └── <app-name>/
|
||||||
|
│ │ ├── kustomization.yaml
|
||||||
|
│ │ ├── namespace.yaml
|
||||||
|
│ │ ├── vaultauth.yaml # (if Vault-managed secrets)
|
||||||
|
│ │ └── vaultstaticsecret.yaml
|
||||||
|
│ └── overlays/
|
||||||
|
│ └── au-syd1/ # Cluster-specific overlays
|
||||||
|
│ └── <app-name>/
|
||||||
|
│ ├── kustomization.yaml # references base + helmCharts
|
||||||
|
│ └── values.yaml # Helm values for this cluster
|
||||||
|
├── clusters/
|
||||||
|
│ └── au-syd1/
|
||||||
|
│ ├── apps/ # Entry point: references apps/base (ArgoCD app-of-apps)
|
||||||
|
│ └── bootstrap/ # ArgoCD install + initial Application manifest
|
||||||
|
├── ci/
|
||||||
|
│ ├── validate-apps.sh # kubeconform over apps/overlays/*/kustomization.yaml
|
||||||
|
│ ├── validate-clusters.sh # kubeconform over clusters/*/kustomization.yaml
|
||||||
|
│ └── validate-no-secrets.sh # pre-commit hook: blocks plain Kubernetes Secrets
|
||||||
|
└── sources/ # Reference sources (Terraform configs, upstream charts, etc.)
|
||||||
|
└── terraform-k8s/ # Original Terraform configs — reference when migrating
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Adding a New Application
|
||||||
|
|
||||||
|
Follow these 10 steps (detailed in `migration.md`):
|
||||||
|
|
||||||
|
### 1. Create base resources
|
||||||
|
```
|
||||||
|
apps/base/<app-name>/
|
||||||
|
├── kustomization.yaml
|
||||||
|
├── namespace.yaml
|
||||||
|
├── vaultauth.yaml # if needed
|
||||||
|
└── vaultstaticsecret.yaml # if needed
|
||||||
|
```
|
||||||
|
|
||||||
|
### 2. Create cluster overlay
|
||||||
|
```
|
||||||
|
apps/overlays/au-syd1/<app-name>/
|
||||||
|
├── kustomization.yaml
|
||||||
|
└── values.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
**Overlay kustomization.yaml pattern:**
|
||||||
|
```yaml
|
||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- ../../../base/<app-name>
|
||||||
|
|
||||||
|
helmCharts:
|
||||||
|
- name: <chart-name>
|
||||||
|
repo: <helm-repo-url>
|
||||||
|
version: "<version>"
|
||||||
|
releaseName: <release-name>
|
||||||
|
namespace: <namespace>
|
||||||
|
valuesFile: values.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
### 3. Register in ApplicationSet
|
||||||
|
Add a directory entry to `argocd/applicationsets/platform.yaml` (or `storage.yaml` for `csi-*` apps):
|
||||||
|
```yaml
|
||||||
|
- path: apps/overlays/*/<app-name>
|
||||||
|
```
|
||||||
|
|
||||||
|
### 4. Update AppProject
|
||||||
|
In `argocd/projects/platform.yaml` (or `storage.yaml`):
|
||||||
|
- Add the Helm repo URL to `sourceRepos`
|
||||||
|
- Add the namespace to `destinations`
|
||||||
|
- Add any required cluster-scoped resource types to `clusterResourceWhitelist`
|
||||||
|
|
||||||
|
### 5. Validate
|
||||||
|
```bash
|
||||||
|
kustomize build --enable-helm apps/overlays/au-syd1/<app-name>
|
||||||
|
make kubeconform
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Secret Management
|
||||||
|
|
||||||
|
**Plain Kubernetes `Secret` objects are blocked** by the pre-commit hook. Use Vault Operator CRDs instead:
|
||||||
|
|
||||||
|
### VaultAuth template
|
||||||
|
```yaml
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: <namespace>
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: k8s/au/syd1
|
||||||
|
vaultConnectionRef: vso-system/default
|
||||||
|
allowedNamespaces:
|
||||||
|
- <namespace>
|
||||||
|
kubernetes:
|
||||||
|
role: <role>
|
||||||
|
serviceAccount: <service-account>
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
tokenExpirationSeconds: 600
|
||||||
|
```
|
||||||
|
|
||||||
|
### VaultStaticSecret template
|
||||||
|
```yaml
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: <secret-name>
|
||||||
|
namespace: <namespace>
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: default
|
||||||
|
mount: kv
|
||||||
|
type: kv-v2
|
||||||
|
path: kubernetes/namespace/<namespace>/default/<secret-name>
|
||||||
|
refreshAfter: 5m
|
||||||
|
destination:
|
||||||
|
name: <k8s-secret-name>
|
||||||
|
create: true
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## YAML Conventions
|
||||||
|
|
||||||
|
- **2-space indentation** (enforced by yamllint)
|
||||||
|
- All files must end with a newline (`end-of-file-fixer`)
|
||||||
|
- No trailing whitespace
|
||||||
|
- YAML linting uses relaxed rules with `line-length: disable` (long base64/URLs are fine)
|
||||||
|
- yamllint ignores `chart` directories (vendored Helm charts)
|
||||||
|
- `---` document separator at top of every YAML file
|
||||||
|
- Multiple documents in one file are allowed (e.g., `vaultstaticsecret.yaml` often contains multiple secrets)
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Kubernetes Labels Pattern
|
||||||
|
|
||||||
|
Use standard `app.kubernetes.io/*` labels consistently:
|
||||||
|
```yaml
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/component: <component>
|
||||||
|
app.kubernetes.io/instance: <release-name>
|
||||||
|
app.kubernetes.io/name: <app-name>
|
||||||
|
app.kubernetes.io/version: <version>
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Resource Naming Conventions
|
||||||
|
|
||||||
|
Files in `apps/base/<app-name>/` follow the pattern:
|
||||||
|
```
|
||||||
|
<kind>_<name>.yaml
|
||||||
|
```
|
||||||
|
Examples:
|
||||||
|
- `deployment_puppetserver-master.yaml`
|
||||||
|
- `cronjob_g10k-code.yaml`
|
||||||
|
- `configmap_puppetboard-config.yaml`
|
||||||
|
- `horizontalpodautoscaler_puppetserver-compilers-autoscaler.yaml`
|
||||||
|
- `service_puppet-headless.yaml`
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Helm Chart Vendoring
|
||||||
|
|
||||||
|
Some overlays vendor Helm charts locally under `apps/overlays/au-syd1/<app-name>/charts/<chart-name>/`. When a chart is vendored, the overlay's `kustomization.yaml` references the local path. When not vendored, it references the OCI or HTTP repo directly.
|
||||||
|
|
||||||
|
Current Kubernetes target version: **1.33.7** (used by kubeconform in CI).
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Project Boundaries
|
||||||
|
|
||||||
|
| Project | ApplicationSet | App pattern |
|
||||||
|
|------------|---------------------------|--------------------------|
|
||||||
|
| `platform` | `argocd/applicationsets/platform.yaml` | Named apps (cert-manager, puppet, woodpecker, etc.) |
|
||||||
|
| `storage` | `argocd/applicationsets/storage.yaml` | `csi-*` apps |
|
||||||
|
|
||||||
|
The `clusters/au-syd1/apps/` entry-point is deployed as a standalone ArgoCD `Application` (not an ApplicationSet) called `au-syd1-apps`.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## CI / Pre-commit Hooks
|
||||||
|
|
||||||
|
Runs on every PR via Woodpecker CI (`.woodpecker/`):
|
||||||
|
|
||||||
|
| Check | Tool | Trigger |
|
||||||
|
|---|---|---|
|
||||||
|
| YAML lint + general file checks | `pre-commit` (yamllint + pre-commit-hooks) | PR |
|
||||||
|
| No plain Secrets | `ci/validate-no-secrets.sh` | PR (staged files) |
|
||||||
|
| Kubernetes manifest validation | `kubeconform` via `make kubeconform` | PR |
|
||||||
|
|
||||||
|
kubeconform skips: `CustomResourceDefinition`, `GpuDevicePlugin` (for apps validation).
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Git Workflow
|
||||||
|
|
||||||
|
- Branch naming: `benvin/<app-name>` (user prefix)
|
||||||
|
- **Never `git add .`** — add only relevant files explicitly
|
||||||
|
- If pre-commit modifies files, `git add -u` then `git commit --amend --no-edit`
|
||||||
|
- Use `git push --force-with-lease` after amending
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Security Policies
|
||||||
|
|
||||||
|
- `reloader.stakater.com/auto: "true"` annotation triggers rolling restarts on ConfigMap/Secret changes
|
||||||
|
- Security contexts follow least-privilege: `drop: [all]` then add only required capabilities
|
||||||
|
- `fsGroup: 999` on pod security context for Puppet workloads
|
||||||
|
- `runAsUser: 0` is used only for init containers that need to set file permissions, then regular containers run as non-root
|
||||||
@@ -1,4 +1,4 @@
|
|||||||
.PHONY: build clean
|
.PHONY: build clean schemas
|
||||||
|
|
||||||
# Build a kustomization path to manifests directory
|
# Build a kustomization path to manifests directory
|
||||||
# Usage: make build clusters/au-syd1/bootstrap
|
# Usage: make build clusters/au-syd1/bootstrap
|
||||||
@@ -6,6 +6,10 @@ build:
|
|||||||
@mkdir -p manifests/$(filter-out $@,$(MAKECMDGOALS))
|
@mkdir -p manifests/$(filter-out $@,$(MAKECMDGOALS))
|
||||||
@kustomize build --enable-helm $(filter-out $@,$(MAKECMDGOALS)) --output manifests/$(filter-out $@,$(MAKECMDGOALS))
|
@kustomize build --enable-helm $(filter-out $@,$(MAKECMDGOALS)) --output manifests/$(filter-out $@,$(MAKECMDGOALS))
|
||||||
|
|
||||||
|
# Generate JSON schemas from CRDs and Kubernetes swagger spec (run manually, results committed)
|
||||||
|
schemas:
|
||||||
|
@ci/generate-schemas.sh schemas
|
||||||
|
|
||||||
# kubeconform
|
# kubeconform
|
||||||
kubeconform:
|
kubeconform:
|
||||||
@ci/validate-apps.sh && \
|
@ci/validate-apps.sh && \
|
||||||
|
|||||||
@@ -0,0 +1,45 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: age-api
|
||||||
|
namespace: age-api
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: age-api
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
labels:
|
||||||
|
app: age-api
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: age-api
|
||||||
|
image: git.unkin.net/unkin/age-api:v0.1.0
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
ports:
|
||||||
|
- containerPort: 8080
|
||||||
|
name: http
|
||||||
|
protocol: TCP
|
||||||
|
env:
|
||||||
|
- name: CONFIG_PATH
|
||||||
|
value: /etc/age-api/config.yaml
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 64Mi
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 32Mi
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /etc/age-api/config.yaml
|
||||||
|
name: config
|
||||||
|
subPath: config.yaml
|
||||||
|
restartPolicy: Always
|
||||||
|
volumes:
|
||||||
|
- name: config
|
||||||
|
configMap:
|
||||||
|
name: age-api-config
|
||||||
@@ -0,0 +1,37 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
traefik.io/instance: internal
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: age-api.k8s.syd1.au.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: age-api.k8s.syd1.au.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
||||||
|
name: age-api
|
||||||
|
namespace: age-api
|
||||||
|
spec:
|
||||||
|
gatewayClassName: traefik-internal
|
||||||
|
listeners:
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: age-api.k8s.syd1.au.unkin.net
|
||||||
|
name: http
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: age-api.k8s.syd1.au.unkin.net
|
||||||
|
name: https
|
||||||
|
port: 443
|
||||||
|
protocol: HTTPS
|
||||||
|
tls:
|
||||||
|
certificateRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Secret
|
||||||
|
name: age-api-tls
|
||||||
|
mode: Terminate
|
||||||
@@ -0,0 +1,49 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: age-api-http-redirect
|
||||||
|
namespace: age-api
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- age-api.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: age-api
|
||||||
|
sectionName: http
|
||||||
|
rules:
|
||||||
|
- filters:
|
||||||
|
- type: RequestRedirect
|
||||||
|
requestRedirect:
|
||||||
|
scheme: https
|
||||||
|
statusCode: 301
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: age-api
|
||||||
|
namespace: age-api
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- age-api.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: age-api
|
||||||
|
sectionName: https
|
||||||
|
rules:
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: age-api
|
||||||
|
port: 80
|
||||||
|
weight: 1
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- deployment.yaml
|
||||||
|
- gateway.yaml
|
||||||
|
- httproute.yaml
|
||||||
|
- namespace.yaml
|
||||||
|
- service.yaml
|
||||||
|
|
||||||
|
configMapGenerator:
|
||||||
|
- name: age-api-config
|
||||||
|
files:
|
||||||
|
- config.yaml=resources/config.yaml
|
||||||
|
options:
|
||||||
|
disableNameSuffixHash: true
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: age-api
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
people:
|
||||||
|
- name: jaidi
|
||||||
|
birthtime: 1773135720
|
||||||
|
- name: ben
|
||||||
|
birthtime: 559663200
|
||||||
|
- name: sudaporn
|
||||||
|
birthtime: 686757600
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: age-api
|
||||||
|
namespace: age-api
|
||||||
|
spec:
|
||||||
|
internalTrafficPolicy: Cluster
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
port: 80
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: http
|
||||||
|
selector:
|
||||||
|
app: age-api
|
||||||
|
sessionAffinity: None
|
||||||
|
type: ClusterIP
|
||||||
+34
-35
@@ -2,24 +2,40 @@
|
|||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: artifactapi-deployment
|
name: api
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
annotations:
|
annotations:
|
||||||
reloader.stakater.com/auto: "true"
|
reloader.stakater.com/auto: "true"
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: artifactapi
|
app: api
|
||||||
strategy:
|
strategy:
|
||||||
rollingUpdate:
|
rollingUpdate:
|
||||||
maxUnavailable: 1
|
maxUnavailable: 1
|
||||||
type: RollingUpdate
|
type: RollingUpdate
|
||||||
template:
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: api
|
||||||
spec:
|
spec:
|
||||||
automountServiceAccountToken: true
|
automountServiceAccountToken: true
|
||||||
|
initContainers:
|
||||||
|
- name: combine-certs
|
||||||
|
image: alpine:3
|
||||||
|
command:
|
||||||
|
- sh
|
||||||
|
- -c
|
||||||
|
- cat /etc/ssl/certs/ca-certificates.crt /custom-ca/ca.crt > /combined-certs/ca-certificates.crt
|
||||||
|
volumeMounts:
|
||||||
|
- name: vault-ca-cert
|
||||||
|
mountPath: /custom-ca
|
||||||
|
readOnly: true
|
||||||
|
- name: combined-certs
|
||||||
|
mountPath: /combined-certs
|
||||||
containers:
|
containers:
|
||||||
- name: artifactapi
|
- name: api
|
||||||
image: git.unkin.net/unkin/artifactapi:v2.7.2
|
image: git.unkin.net/unkin/artifactapi:v3.7.4
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 8000
|
- containerPort: 8000
|
||||||
@@ -27,11 +43,15 @@ spec:
|
|||||||
protocol: TCP
|
protocol: TCP
|
||||||
envFrom:
|
envFrom:
|
||||||
- configMapRef:
|
- configMapRef:
|
||||||
name: artifactapi-env
|
name: api-env
|
||||||
optional: false
|
optional: false
|
||||||
- secretRef:
|
- secretRef:
|
||||||
name: environment
|
name: environment
|
||||||
optional: false
|
optional: false
|
||||||
|
volumeMounts:
|
||||||
|
- name: combined-certs
|
||||||
|
mountPath: /etc/ssl/combined
|
||||||
|
readOnly: true
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
failureThreshold: 3
|
failureThreshold: 3
|
||||||
httpGet:
|
httpGet:
|
||||||
@@ -59,34 +79,13 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
cpu: 100m
|
cpu: 100m
|
||||||
memory: 256Mi
|
memory: 256Mi
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /etc/artifactapi/conf.d/config.yaml
|
|
||||||
name: remotes-config
|
|
||||||
subPath: config.yaml
|
|
||||||
- mountPath: /etc/artifactapi/conf.d/local-generic.yaml
|
|
||||||
name: remotes-config
|
|
||||||
subPath: local-generic.yaml
|
|
||||||
- mountPath: /etc/artifactapi/conf.d/remote-alpine.yaml
|
|
||||||
name: remotes-config
|
|
||||||
subPath: remote-alpine.yaml
|
|
||||||
- mountPath: /etc/artifactapi/conf.d/remote-docker.yaml
|
|
||||||
name: remotes-config
|
|
||||||
subPath: remote-docker.yaml
|
|
||||||
- mountPath: /etc/artifactapi/conf.d/remote-generic.yaml
|
|
||||||
name: remotes-config
|
|
||||||
subPath: remote-generic.yaml
|
|
||||||
- mountPath: /etc/artifactapi/conf.d/remote-helm.yaml
|
|
||||||
name: remotes-config
|
|
||||||
subPath: remote-helm.yaml
|
|
||||||
- mountPath: /etc/artifactapi/conf.d/remote-rpm.yaml
|
|
||||||
name: remotes-config
|
|
||||||
subPath: remote-rpm.yaml
|
|
||||||
- mountPath: /etc/artifactapi/conf.d/virtual-helm.yaml
|
|
||||||
name: remotes-config
|
|
||||||
subPath: virtual-helm.yaml
|
|
||||||
restartPolicy: Always
|
|
||||||
volumes:
|
volumes:
|
||||||
- configMap:
|
- name: vault-ca-cert
|
||||||
name: remotes-config
|
secret:
|
||||||
optional: false
|
secretName: vault-ca-cert
|
||||||
name: remotes-config
|
items:
|
||||||
|
- key: ca.crt
|
||||||
|
path: ca.crt
|
||||||
|
- name: combined-certs
|
||||||
|
emptyDir: {}
|
||||||
|
restartPolicy: Always
|
||||||
@@ -2,13 +2,13 @@
|
|||||||
apiVersion: autoscaling/v2
|
apiVersion: autoscaling/v2
|
||||||
kind: HorizontalPodAutoscaler
|
kind: HorizontalPodAutoscaler
|
||||||
metadata:
|
metadata:
|
||||||
name: artifactapi-hpa
|
name: api-hpa
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
spec:
|
spec:
|
||||||
scaleTargetRef:
|
scaleTargetRef:
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
name: artifactapi-deployment
|
name: api
|
||||||
minReplicas: 2
|
minReplicas: 2
|
||||||
maxReplicas: 10
|
maxReplicas: 10
|
||||||
metrics:
|
metrics:
|
||||||
@@ -0,0 +1,91 @@
|
|||||||
|
---
|
||||||
|
apiVersion: postgresql.cnpg.io/v1
|
||||||
|
kind: Cluster
|
||||||
|
metadata:
|
||||||
|
name: postgres
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
affinity:
|
||||||
|
podAntiAffinityType: preferred
|
||||||
|
bootstrap:
|
||||||
|
initdb:
|
||||||
|
database: artifacts
|
||||||
|
encoding: UTF8
|
||||||
|
localeCType: C
|
||||||
|
localeCollate: C
|
||||||
|
owner: artifacts
|
||||||
|
secret:
|
||||||
|
name: postgres-credentials
|
||||||
|
enablePDB: true
|
||||||
|
enableSuperuserAccess: false
|
||||||
|
failoverDelay: 0
|
||||||
|
imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
|
||||||
|
instances: 3
|
||||||
|
logLevel: info
|
||||||
|
maxSyncReplicas: 0
|
||||||
|
minSyncReplicas: 0
|
||||||
|
monitoring:
|
||||||
|
customQueriesConfigMap:
|
||||||
|
- key: queries
|
||||||
|
name: cnpg-default-monitoring
|
||||||
|
disableDefaultQueries: false
|
||||||
|
enablePodMonitor: false
|
||||||
|
postgresql:
|
||||||
|
parameters:
|
||||||
|
archive_mode: "on"
|
||||||
|
archive_timeout: 5min
|
||||||
|
dynamic_shared_memory_type: posix
|
||||||
|
effective_cache_size: 256MB
|
||||||
|
full_page_writes: "on"
|
||||||
|
log_destination: csvlog
|
||||||
|
log_directory: /controller/log
|
||||||
|
log_filename: postgres
|
||||||
|
log_rotation_age: "0"
|
||||||
|
log_rotation_size: "0"
|
||||||
|
log_truncate_on_rotation: "false"
|
||||||
|
logging_collector: "on"
|
||||||
|
max_connections: "200"
|
||||||
|
max_parallel_workers: "16"
|
||||||
|
max_replication_slots: "16"
|
||||||
|
max_worker_processes: "16"
|
||||||
|
shared_buffers: 128MB
|
||||||
|
shared_memory_type: mmap
|
||||||
|
ssl_max_protocol_version: TLSv1.3
|
||||||
|
ssl_min_protocol_version: TLSv1.3
|
||||||
|
wal_keep_size: 256MB
|
||||||
|
wal_level: logical
|
||||||
|
wal_log_hints: "on"
|
||||||
|
wal_receiver_timeout: 5s
|
||||||
|
wal_sender_timeout: 5s
|
||||||
|
syncReplicaElectionConstraint:
|
||||||
|
enabled: false
|
||||||
|
primaryUpdateMethod: restart
|
||||||
|
primaryUpdateStrategy: unsupervised
|
||||||
|
probes:
|
||||||
|
liveness:
|
||||||
|
isolationCheck:
|
||||||
|
connectionTimeout: 1000
|
||||||
|
enabled: true
|
||||||
|
requestTimeout: 1000
|
||||||
|
replicationSlots:
|
||||||
|
highAvailability:
|
||||||
|
enabled: true
|
||||||
|
slotPrefix: _cnpg_
|
||||||
|
synchronizeReplicas:
|
||||||
|
enabled: true
|
||||||
|
updateInterval: 30
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 512Mi
|
||||||
|
requests:
|
||||||
|
cpu: 250m
|
||||||
|
memory: 256Mi
|
||||||
|
smartShutdownTimeout: 180
|
||||||
|
startDelay: 3600
|
||||||
|
stopDelay: 1800
|
||||||
|
storage:
|
||||||
|
resizeInUseVolumes: true
|
||||||
|
size: 20Gi
|
||||||
|
storageClass: cephrbd-fast-delete
|
||||||
|
switchoverDelay: 3600
|
||||||
@@ -0,0 +1,33 @@
|
|||||||
|
---
|
||||||
|
apiVersion: postgresql.cnpg.io/v1
|
||||||
|
kind: Pooler
|
||||||
|
metadata:
|
||||||
|
name: postgres-pooler
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
cluster:
|
||||||
|
name: postgres
|
||||||
|
instances: 2
|
||||||
|
pgbouncer:
|
||||||
|
parameters:
|
||||||
|
default_pool_size: "100"
|
||||||
|
max_client_conn: "400"
|
||||||
|
paused: false
|
||||||
|
poolMode: session
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: pooler
|
||||||
|
spec:
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: app
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- pooler
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
containers: []
|
||||||
|
type: rw
|
||||||
@@ -2,26 +2,15 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
name: artifactapi-env
|
name: api-env
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
data:
|
data:
|
||||||
CONFIG_PATH: /etc/artifactapi/conf.d/
|
DBHOST: postgres-pooler
|
||||||
DBHOST: postgres-service
|
|
||||||
DBNAME: artifacts
|
DBNAME: artifacts
|
||||||
DBPORT: "5432"
|
DBPORT: "5432"
|
||||||
DBUSER: artifacts
|
DBUSER: artifacts
|
||||||
MINIO_BUCKET: artifactapi
|
MINIO_BUCKET: artifactapi-prod-k8s-syd1-au
|
||||||
MINIO_ENDPOINT: radosgw.service.consul
|
MINIO_ENDPOINT: radosgw.service.consul
|
||||||
MINIO_SECURE: "true"
|
MINIO_SECURE: "true"
|
||||||
REDIS_URL: redis://redis-service:6379
|
REDIS_URL: redis://redis:6379
|
||||||
REQUESTS_CA_BUNDLE: /etc/pki/tls/certs/ca-bundle.crt
|
SSL_CERT_FILE: /etc/ssl/combined/ca-certificates.crt
|
||||||
SSL_CERT_FILE: /etc/pki/tls/certs/ca-bundle.crt
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: postgres-env
|
|
||||||
namespace: artifactapi
|
|
||||||
data:
|
|
||||||
POSTGRES_DB: artifacts
|
|
||||||
POSTGRES_USER: artifacts
|
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
apiVersion: gateway.networking.k8s.io/v1
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
kind: HTTPRoute
|
kind: HTTPRoute
|
||||||
metadata:
|
metadata:
|
||||||
name: artifactapi-http-redirect
|
name: http-redirect
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
spec:
|
spec:
|
||||||
hostnames:
|
hostnames:
|
||||||
@@ -26,7 +26,7 @@ spec:
|
|||||||
apiVersion: gateway.networking.k8s.io/v1
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
kind: HTTPRoute
|
kind: HTTPRoute
|
||||||
metadata:
|
metadata:
|
||||||
name: artifactapi
|
name: api-route
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
spec:
|
spec:
|
||||||
hostnames:
|
hostnames:
|
||||||
@@ -40,7 +40,17 @@ spec:
|
|||||||
- backendRefs:
|
- backendRefs:
|
||||||
- group: ""
|
- group: ""
|
||||||
kind: Service
|
kind: Service
|
||||||
name: artifactapi-api
|
name: ui
|
||||||
|
port: 80
|
||||||
|
weight: 1
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /ui
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: artifactapi
|
||||||
port: 80
|
port: 80
|
||||||
weight: 1
|
weight: 1
|
||||||
matches:
|
matches:
|
||||||
|
|||||||
@@ -3,29 +3,17 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||||||
kind: Kustomization
|
kind: Kustomization
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
- artifactapi-deployment.yaml
|
- api-deployment.yaml
|
||||||
- artifactapi-hpa.yaml
|
- api-hpa.yaml
|
||||||
- configmap.yaml
|
- configmap.yaml
|
||||||
|
- cnpg_cluster.yaml
|
||||||
|
- cnpg_pooler.yaml
|
||||||
- gateway.yaml
|
- gateway.yaml
|
||||||
- httproute.yaml
|
- httproute.yaml
|
||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
- postgres-deployment.yaml
|
|
||||||
- pvc.yaml
|
|
||||||
- redis-deployment.yaml
|
- redis-deployment.yaml
|
||||||
- services.yaml
|
- services.yaml
|
||||||
|
- ui-deployment.yaml
|
||||||
|
- ui-hpa.yaml
|
||||||
- vaultauth.yaml
|
- vaultauth.yaml
|
||||||
- vaultstaticsecret.yaml
|
- vaultstaticsecret.yaml
|
||||||
|
|
||||||
configMapGenerator:
|
|
||||||
- name: remotes-config
|
|
||||||
files:
|
|
||||||
- resources/conf.d/config.yaml
|
|
||||||
- resources/conf.d/local-generic.yaml
|
|
||||||
- resources/conf.d/remote-generic.yaml
|
|
||||||
- resources/conf.d/remote-alpine.yaml
|
|
||||||
- resources/conf.d/remote-rpm.yaml
|
|
||||||
- resources/conf.d/remote-docker.yaml
|
|
||||||
- resources/conf.d/remote-helm.yaml
|
|
||||||
- resources/conf.d/virtual-helm.yaml
|
|
||||||
options:
|
|
||||||
disableNameSuffixHash: true
|
|
||||||
|
|||||||
@@ -1,76 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: postgres-deployment
|
|
||||||
namespace: artifactapi
|
|
||||||
annotations:
|
|
||||||
reloader.stakater.com/auto: "true"
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: postgres
|
|
||||||
strategy:
|
|
||||||
type: Recreate
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
automountServiceAccountToken: true
|
|
||||||
containers:
|
|
||||||
- name: postgres
|
|
||||||
image: postgres:15-alpine
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
ports:
|
|
||||||
- containerPort: 5432
|
|
||||||
name: postgres
|
|
||||||
protocol: TCP
|
|
||||||
envFrom:
|
|
||||||
- configMapRef:
|
|
||||||
name: postgres-env
|
|
||||||
optional: false
|
|
||||||
- secretRef:
|
|
||||||
name: postgres-password
|
|
||||||
optional: false
|
|
||||||
readinessProbe:
|
|
||||||
exec:
|
|
||||||
command:
|
|
||||||
- pg_isready
|
|
||||||
- -U
|
|
||||||
- artifacts
|
|
||||||
- -d
|
|
||||||
- artifacts
|
|
||||||
failureThreshold: 3
|
|
||||||
initialDelaySeconds: 5
|
|
||||||
periodSeconds: 10
|
|
||||||
successThreshold: 1
|
|
||||||
timeoutSeconds: 5
|
|
||||||
livenessProbe:
|
|
||||||
exec:
|
|
||||||
command:
|
|
||||||
- pg_isready
|
|
||||||
- -U
|
|
||||||
- artifacts
|
|
||||||
- -d
|
|
||||||
- artifacts
|
|
||||||
failureThreshold: 3
|
|
||||||
initialDelaySeconds: 30
|
|
||||||
periodSeconds: 30
|
|
||||||
successThreshold: 1
|
|
||||||
timeoutSeconds: 5
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 500m
|
|
||||||
memory: 1Gi
|
|
||||||
requests:
|
|
||||||
cpu: 50m
|
|
||||||
memory: 128Mi
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /var/lib/postgresql/data
|
|
||||||
mountPropagation: None
|
|
||||||
name: pgdata
|
|
||||||
subPath: pgdata
|
|
||||||
restartPolicy: Always
|
|
||||||
volumes:
|
|
||||||
- name: pgdata
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: artifactapi-postgres-pgdata
|
|
||||||
@@ -1,28 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: PersistentVolumeClaim
|
|
||||||
metadata:
|
|
||||||
name: artifactapi-postgres-pgdata
|
|
||||||
namespace: artifactapi
|
|
||||||
spec:
|
|
||||||
accessModes:
|
|
||||||
- ReadWriteOnce
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: 10Gi
|
|
||||||
storageClassName: cephrbd-fast-delete
|
|
||||||
volumeMode: Filesystem
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: PersistentVolumeClaim
|
|
||||||
metadata:
|
|
||||||
name: artifactapi-redis-data
|
|
||||||
namespace: artifactapi
|
|
||||||
spec:
|
|
||||||
accessModes:
|
|
||||||
- ReadWriteOnce
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: 5Gi
|
|
||||||
storageClassName: cephrbd-fast-delete
|
|
||||||
volumeMode: Filesystem
|
|
||||||
@@ -2,23 +2,21 @@
|
|||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
name: redis
|
||||||
deployment.kubernetes.io/revision: "1"
|
|
||||||
name: redis-deployment
|
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
spec:
|
spec:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: redis
|
app: redis
|
||||||
strategy:
|
|
||||||
type: Recreate
|
|
||||||
template:
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: redis
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: redis
|
- name: redis
|
||||||
image: redis:7-alpine
|
image: redis:7-alpine
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
command:
|
command:
|
||||||
- redis-server
|
- redis-server
|
||||||
- --save
|
- --save
|
||||||
@@ -28,6 +26,13 @@ spec:
|
|||||||
- containerPort: 6379
|
- containerPort: 6379
|
||||||
name: redis
|
name: redis
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 512Mi
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 128Mi
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
exec:
|
exec:
|
||||||
command:
|
command:
|
||||||
@@ -48,19 +53,4 @@ spec:
|
|||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
successThreshold: 1
|
successThreshold: 1
|
||||||
timeoutSeconds: 5
|
timeoutSeconds: 5
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 500m
|
|
||||||
memory: 512Mi
|
|
||||||
requests:
|
|
||||||
cpu: 50m
|
|
||||||
memory: 128Mi
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /data
|
|
||||||
mountPropagation: None
|
|
||||||
name: data
|
|
||||||
restartPolicy: Always
|
restartPolicy: Always
|
||||||
volumes:
|
|
||||||
- name: data
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: artifactapi-redis-data
|
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
# Global artifactapi configuration.
|
|
||||||
# S3, Redis, and database connection settings are injected via environment variables.
|
|
||||||
# Add any top-level overrides here if needed.
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
locals:
|
|
||||||
local-generic:
|
|
||||||
package: "generic"
|
|
||||||
description: "Local generic file repository"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 0
|
|
||||||
@@ -1,10 +0,0 @@
|
|||||||
remotes:
|
|
||||||
alpine:
|
|
||||||
base_url: "https://dl-cdn.alpinelinux.org"
|
|
||||||
package: "alpine"
|
|
||||||
description: "Alpine Linux APK package repository"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*/x86_64/.*\\.apk$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
@@ -1,102 +0,0 @@
|
|||||||
remotes:
|
|
||||||
ghcr:
|
|
||||||
base_url: "https://ghcr.io"
|
|
||||||
package: "docker"
|
|
||||||
description: "GitHub Container Registry"
|
|
||||||
immutable_patterns:
|
|
||||||
- "^cloudnative-pg/cloudnative-pg"
|
|
||||||
- "^emberstack/helm-charts"
|
|
||||||
- "^openvoxproject/"
|
|
||||||
- "^stakater/reloader"
|
|
||||||
- "^stalwartlabs/stalwart"
|
|
||||||
- "^voxpupuli/puppetboard"
|
|
||||||
- "^woodpecker-ci/helm"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 300
|
|
||||||
|
|
||||||
dockerhub:
|
|
||||||
base_url: "https://registry-1.docker.io"
|
|
||||||
package: "docker"
|
|
||||||
description: "Docker Hub registry"
|
|
||||||
immutable_patterns:
|
|
||||||
- "^library/almalinux"
|
|
||||||
- "^library/busybox"
|
|
||||||
- "^library/debian"
|
|
||||||
- "^library/fedora"
|
|
||||||
- "^library/nginx"
|
|
||||||
- "^library/postgres"
|
|
||||||
- "^library/redis"
|
|
||||||
- "^beats/filebeat"
|
|
||||||
- "^bitnami/"
|
|
||||||
- "^curlimages/curl"
|
|
||||||
- "^emberstack/kubernetes-reflector"
|
|
||||||
- "^hashicorp/consul"
|
|
||||||
- "^hashicorp/vault"
|
|
||||||
- "^jfrog/"
|
|
||||||
- "^kanidm/"
|
|
||||||
- "^rancher/"
|
|
||||||
- "^rspamd/rspamd"
|
|
||||||
- "^tozd/postfix"
|
|
||||||
- "^traefik/"
|
|
||||||
- "^valkey/valkey"
|
|
||||||
- "^ubi9/ubi-minimal"
|
|
||||||
- "^victoriametrics/"
|
|
||||||
- "^woodpeckerci/"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 300
|
|
||||||
|
|
||||||
quay:
|
|
||||||
base_url: "https://quay.io"
|
|
||||||
package: "docker"
|
|
||||||
description: "Quay.io container registry"
|
|
||||||
immutable_patterns:
|
|
||||||
- "^brancz/kube-rbac-proxy"
|
|
||||||
- "^cephcsi/cephcsi"
|
|
||||||
- "^jetstack/cert-manager-"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 300
|
|
||||||
|
|
||||||
k8s-registry:
|
|
||||||
base_url: "https://registry.k8s.io"
|
|
||||||
package: "docker"
|
|
||||||
description: "Kubernetes container registry"
|
|
||||||
immutable_patterns:
|
|
||||||
- "^external-dns/external-dns"
|
|
||||||
- "^sig-storage/"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 300
|
|
||||||
|
|
||||||
gitlab:
|
|
||||||
base_url: "https://registry.gitlab.com"
|
|
||||||
package: "docker"
|
|
||||||
description: "GitLab container registry"
|
|
||||||
immutable_patterns:
|
|
||||||
- "^purelb/purelb"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 300
|
|
||||||
|
|
||||||
elastic:
|
|
||||||
base_url: "https://docker.elastic.co"
|
|
||||||
package: "docker"
|
|
||||||
description: "Elastic container registry"
|
|
||||||
immutable_patterns:
|
|
||||||
- "^eck/eck-operator"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 300
|
|
||||||
|
|
||||||
gcr:
|
|
||||||
base_url: "https://gcr.io"
|
|
||||||
package: "docker"
|
|
||||||
description: "Google Container Registry"
|
|
||||||
immutable_patterns:
|
|
||||||
- "^k8s-staging-nfd/charts"
|
|
||||||
- "^k8s-staging-nfd/node-feature-discovery"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 300
|
|
||||||
@@ -1,131 +0,0 @@
|
|||||||
remotes:
|
|
||||||
github:
|
|
||||||
base_url: "https://github.com"
|
|
||||||
package: "generic"
|
|
||||||
description: "GitHub releases and files"
|
|
||||||
mutable_patterns:
|
|
||||||
- ".*/archive/refs/heads/.*.tar.gz$"
|
|
||||||
- "stalwartlabs/webadmin/releases/latest/download/webadmin.zip$"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*/archive/refs/tags/.*.tar.gz$"
|
|
||||||
- "ahmetb/kubectx/.*/kubectx_.*_linux_x86_64.tar.gz$"
|
|
||||||
- "ahmetb/kubectx/.*/kubens_.*_linux_x86_64.tar.gz$"
|
|
||||||
- "apple/foundationdb/.*/libfdb_c.x86_64.so$"
|
|
||||||
- "astral-sh/ruff/.*/ruff-x86_64-unknown-linux-gnu.tar.gz$"
|
|
||||||
- "astral-sh/uv/.*/uv-x86_64-unknown-linux-gnu.tar.gz$"
|
|
||||||
- "camptocamp/prometheus-puppetdb-exporter/.*/prometheus-puppetdb-exporter-.*.linux-amd64.tar.gz$"
|
|
||||||
- "coder/code-server/.*/code-server-.*-amd64.rpm$"
|
|
||||||
- "containernetworking/plugins/.*/cni-plugins-linux-amd64-.*.tgz"
|
|
||||||
- "dandavison/delta/.*/delta-.*-x86_64-unknown-linux-musl.tar.gz$"
|
|
||||||
- "ducaale/xh/.*/xh-.*-x86_64-unknown-linux-musl.tar.gz$"
|
|
||||||
- "etcd-io/etcd/.*/etcd-.*-linux-amd64.tar.gz$"
|
|
||||||
- "getsops/sops/.*/sops-v.*\\.linux\\.amd64$"
|
|
||||||
- "grafana/jsonnet-language-server/.*/jsonnet-language-server_.*_linux_amd64$"
|
|
||||||
- "gruntwork-io/boilerplate/.*/boilerplate_linux_amd64$"
|
|
||||||
- "gruntwork-io/terragrunt/.*terragrunt_linux_amd64.*"
|
|
||||||
- "hadolint/hadolint/.*/hadolint-linux-x86_64$"
|
|
||||||
- "helmfile/helmfile/.*/helmfile_.*_linux_amd64.tar.gz$"
|
|
||||||
- "helmfile/vals/.*/vals_.*_linux_amd64.tar.gz$"
|
|
||||||
- "jesseduffield/lazydocker/.*/lazydocker_.*_Linux_x86_64.tar.gz$"
|
|
||||||
- "kubecolor/kubecolor/.*/kubecolor_.*_linux_amd64.tar.gz$"
|
|
||||||
- "kubernetes-sigs/gateway-api/.*/standard-install.yaml$"
|
|
||||||
- "kubernetes-sigs/kustomize/.*/kustomize_.*_linux_amd64.tar.gz$"
|
|
||||||
- "lxc/incus/.*.tar.gz$"
|
|
||||||
- "mikefarah/yq/.*/yq_linux_amd64$"
|
|
||||||
- "neovim/neovim-releases/.*/nvim-linux-x86_64.tar.gz$"
|
|
||||||
- "neovim/neovim/.*/nvim-linux-x86_64.tar.gz$"
|
|
||||||
- "nzbgetcom/nzbget/.*/nzbget-.*.x86_64.rpm$"
|
|
||||||
- "onedr0p/exportarr/.*/exportarr_.*_linux_amd64.tar.gz$"
|
|
||||||
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-consul_linux_amd64_.*.tar.gz$"
|
|
||||||
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-nomad_linux_amd64_.*.tar.gz$"
|
|
||||||
- "prometheus-community/bind_exporter/.*/bind_exporter-.*.linux-amd64.tar.gz$"
|
|
||||||
- "prometheus-community/pgbouncer_exporter/.*/pgbouncer_exporter-.*.linux-amd64.tar.gz$"
|
|
||||||
- "prometheus-community/postgres_exporter/.*/postgres_exporter-.*.linux-amd64.tar.gz$"
|
|
||||||
- "prometheus/node_exporter/.*/node_exporter-.*.linux-amd64.tar.gz$"
|
|
||||||
- "rancher/rke2/.*/rke2-images.linux-amd64.tar.zst$"
|
|
||||||
- "stalwartlabs/stalwart/.*/stalwart-cli-x86_64-unknown-linux-gnu.tar.gz$"
|
|
||||||
- "stalwartlabs/stalwart/.*/stalwart-foundationdb-x86_64-unknown-linux-gnu.tar.gz$"
|
|
||||||
- "stalwartlabs/stalwart/.*/stalwart-x86_64-unknown-linux-gnu.tar.gz$"
|
|
||||||
- "starship/starship/.*/starship-x86_64-unknown-linux-musl.tar.gz$"
|
|
||||||
- "stern/stern/.*/stern_.*_linux_amd64.tar.gz$"
|
|
||||||
- "terraform-linters/tflint/.*/tflint_linux_amd64.zip$"
|
|
||||||
- "tynany/frr_exporter/.*/frr_exporter-.*.linux-amd64.tar.gz$"
|
|
||||||
- "VictoriaMetrics/VictoriaLogs/.*/victoria-logs-linux-amd64-.*.tar.gz$"
|
|
||||||
- "VictoriaMetrics/VictoriaLogs/.*/vlutils-linux-amd64-.*.tar.gz$"
|
|
||||||
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-logs-linux-amd64-.*.tar.gz$"
|
|
||||||
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-metrics-linux-amd64-.*-cluster.tar.gz$"
|
|
||||||
- "VictoriaMetrics/VictoriaMetrics/.*/vlutils-linux-amd64-.*.tar.gz$"
|
|
||||||
- "VictoriaMetrics/VictoriaMetrics/.*/vmutils-linux-amd64-.*.tar.gz$"
|
|
||||||
- "xorpaul/g10k/.*/g10k-.*-linux-amd64.zip$"
|
|
||||||
- "yannh/kubeconform/.*/kubeconform-linux-amd64.tar.gz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
github_user:
|
|
||||||
base_url: "https://raw.githubusercontent.com"
|
|
||||||
package: "generic"
|
|
||||||
description: "GitHub User Content"
|
|
||||||
immutable_patterns:
|
|
||||||
- "argoproj/argo-cd/.*.yaml$"
|
|
||||||
- "yannh/kubernetes-json-schema/master/.*.json$"
|
|
||||||
- "datreeio/CRDs-catalog/main/.*.json$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
gitea-dl:
|
|
||||||
base_url: "https://dl.gitea.com"
|
|
||||||
package: "generic"
|
|
||||||
description: "Gitea download site"
|
|
||||||
immutable_patterns:
|
|
||||||
- "act_runner/.*/act_runner-.*-linux-amd64$"
|
|
||||||
- "tea/.*/tea-.*-linux-amd64$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
hashicorp-releases:
|
|
||||||
base_url: "https://releases.hashicorp.com"
|
|
||||||
package: "generic"
|
|
||||||
description: "HashiCorp product releases"
|
|
||||||
immutable_patterns:
|
|
||||||
- "terraform/.*terraform_.*_linux_amd64\\.zip$"
|
|
||||||
- "terraform/.*terraform_.*_windows_amd64\\.zip$"
|
|
||||||
- "terraform/.*terraform_.*_darwin_amd64\\.zip$"
|
|
||||||
- "vault/.*vault_.*_linux_amd64\\.zip$"
|
|
||||||
- "vault/.*vault_.*_windows_amd64\\.zip$"
|
|
||||||
- "vault/.*vault_.*_darwin_amd64\\.zip$"
|
|
||||||
- "consul-cni/.*/consul-cni_.*_linux_amd64\\.zip$"
|
|
||||||
- "consul/.*/consul_.*_linux_amd64\\.zip$"
|
|
||||||
- "nomad-autoscaler/.*/nomad-autoscaler_.*_linux_amd64\\.zip$"
|
|
||||||
- "nomad/.*/nomad_.*_linux_amd64\\.zip$"
|
|
||||||
- "packer/.*/packer_.*_linux_amd64\\.zip$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
rarlab:
|
|
||||||
base_url: "https://www.rarlab.com"
|
|
||||||
package: "generic"
|
|
||||||
description: "RARLab"
|
|
||||||
immutable_patterns:
|
|
||||||
- "rar/rarlinux-x64-.*.tar.gz"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
claude-ai:
|
|
||||||
base_url: "https://downloads.claude.ai"
|
|
||||||
package: "generic"
|
|
||||||
description: "Anthropic Claude Code binary releases"
|
|
||||||
mutable_patterns:
|
|
||||||
- "claude-code-releases/.*/manifest.json$"
|
|
||||||
immutable_patterns:
|
|
||||||
- "claude-code-releases/.*/linux-x64/claude$"
|
|
||||||
- "claude-code-releases/.*/linux-arm64/claude$"
|
|
||||||
- "claude-code-releases/.*/linux-x64-musl/claude$"
|
|
||||||
- "claude-code-releases/.*/linux-arm64-musl/claude$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
@@ -1,143 +0,0 @@
|
|||||||
remotes:
|
|
||||||
ceph-csi:
|
|
||||||
base_url: "https://ceph.github.io/csi-charts"
|
|
||||||
package: "helm"
|
|
||||||
description: "Ceph CSI driver Helm charts"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
|
|
||||||
cnpg:
|
|
||||||
base_url: "https://cloudnative-pg.github.io/charts"
|
|
||||||
package: "helm"
|
|
||||||
description: "CloudNativePG operator Helm charts"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
|
|
||||||
elastic-helm:
|
|
||||||
base_url: "https://helm.elastic.co"
|
|
||||||
package: "helm"
|
|
||||||
description: "Elastic stack Helm charts"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
|
|
||||||
external-dns:
|
|
||||||
base_url: "https://kubernetes-sigs.github.io/external-dns/"
|
|
||||||
package: "helm"
|
|
||||||
description: "ExternalDNS Helm charts"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
|
|
||||||
hashicorp-helm:
|
|
||||||
base_url: "https://helm.releases.hashicorp.com"
|
|
||||||
package: "helm"
|
|
||||||
description: "HashiCorp Helm charts (Vault Secrets Operator, etc.)"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
|
|
||||||
intel-helm:
|
|
||||||
base_url: "https://intel.github.io/helm-charts/"
|
|
||||||
package: "helm"
|
|
||||||
description: "Intel Helm charts (device plugins)"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
|
|
||||||
jetstack:
|
|
||||||
base_url: "https://charts.jetstack.io"
|
|
||||||
package: "helm"
|
|
||||||
description: "Jetstack Helm charts (cert-manager)"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
|
|
||||||
purelb:
|
|
||||||
base_url: "https://gitlab.com/api/v4/projects/20400619/packages/helm/stable"
|
|
||||||
package: "helm"
|
|
||||||
description: "PureLB load balancer Helm charts"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
|
|
||||||
rancher-stable:
|
|
||||||
base_url: "https://releases.rancher.com/server-charts/stable"
|
|
||||||
package: "helm"
|
|
||||||
description: "Rancher stable Helm charts"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
|
|
||||||
stakater:
|
|
||||||
base_url: "https://stakater.github.io/stakater-charts"
|
|
||||||
package: "helm"
|
|
||||||
description: "Stakater Helm charts (Reloader)"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
|
|
||||||
traefik:
|
|
||||||
base_url: "https://traefik.github.io/charts"
|
|
||||||
package: "helm"
|
|
||||||
description: "Traefik Helm charts"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
|
|
||||||
victoriametrics:
|
|
||||||
base_url: "https://victoriametrics.github.io/helm-charts/"
|
|
||||||
package: "helm"
|
|
||||||
description: "VictoriaMetrics observability Helm charts"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
|
|
||||||
argo-helm:
|
|
||||||
base_url: "https://argoproj.github.io/argo-helm"
|
|
||||||
package: "helm"
|
|
||||||
description: "Argo Project Helm charts (ArgoCD, Image Updater, Rollouts, etc.)"
|
|
||||||
check_mutable_updates: true
|
|
||||||
immutable_patterns:
|
|
||||||
- "\\.tgz$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 3600
|
|
||||||
@@ -1,154 +0,0 @@
|
|||||||
remotes:
|
|
||||||
almalinux:
|
|
||||||
base_url: "https://gsl-syd.mm.fcix.net/almalinux"
|
|
||||||
package: "rpm"
|
|
||||||
description: "AlmaLinux RPM package repository"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*/x86_64/.*\\.rpm$"
|
|
||||||
- ".*/noarch/.*\\.rpm$"
|
|
||||||
- ".*/repodata/.*\\.sqlite.*$"
|
|
||||||
- ".*/repodata/.*\\.xml.*$"
|
|
||||||
- ".*/repodata/.*\\.yaml.*$"
|
|
||||||
- ".*/install.img"
|
|
||||||
- ".*/squashfs.img"
|
|
||||||
- ".*/updates.img"
|
|
||||||
- ".*/RPM-GPG-KEY-.*$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
ceph-reef:
|
|
||||||
base_url: "https://download.ceph.com/rpm-reef/"
|
|
||||||
package: "rpm"
|
|
||||||
description: "Ceph Reef 18"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*/x86_64/.*\\.rpm$"
|
|
||||||
- ".*/noarch/.*\\.rpm$"
|
|
||||||
- ".*/repodata/.*\\.xml.*$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
ceph-squid:
|
|
||||||
base_url: "https://download.ceph.com/rpm-squid/"
|
|
||||||
package: "rpm"
|
|
||||||
description: "Ceph Squid 19"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*/x86_64/.*\\.rpm$"
|
|
||||||
- ".*/noarch/.*\\.rpm$"
|
|
||||||
- ".*/repodata/.*\\.xml.*$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
ceph-tentacle:
|
|
||||||
base_url: "https://download.ceph.com/rpm-tentacle/"
|
|
||||||
package: "rpm"
|
|
||||||
description: "Ceph Tentacle 20"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*/x86_64/.*\\.rpm$"
|
|
||||||
- ".*/noarch/.*\\.rpm$"
|
|
||||||
- ".*/repodata/.*\\.xml.*$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
epel:
|
|
||||||
base_url: "https://gsl-syd.mm.fcix.net/epel"
|
|
||||||
package: "rpm"
|
|
||||||
description: "EPEL (Extra Packages for Enterprise Linux)"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*/Everything/x86_64/.*\\.rpm$"
|
|
||||||
- ".*/noarch/.*\\.rpm$"
|
|
||||||
- ".*/repodata/.*\\.sqlite.*$"
|
|
||||||
- ".*/repodata/.*\\.xml.*$"
|
|
||||||
- ".*/repodata/.*\\.yaml.*$"
|
|
||||||
- "RPM-GPG-KEY-.*$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
fedora:
|
|
||||||
base_url: "https://gsl-syd.mm.fcix.net/fedora/linux"
|
|
||||||
package: "rpm"
|
|
||||||
description: "Fedora Linux RPM package repository"
|
|
||||||
immutable_patterns:
|
|
||||||
- "releases/.*/Everything/x86_64/.*\\.rpm$"
|
|
||||||
- "updates/.*/Everything/x86_64/.*\\.rpm$"
|
|
||||||
- "development/.*/Everything/x86_64/.*\\.rpm$"
|
|
||||||
- ".*/noarch/.*\\.rpm$"
|
|
||||||
- ".*/repodata/.*\\.xml.*$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
frr:
|
|
||||||
base_url: "https://rpm.frrouting.org/repo"
|
|
||||||
package: "rpm"
|
|
||||||
description: "FRR RPM package repository"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*\\.rpm$"
|
|
||||||
- ".*/repodata/.*\\.xml.*$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
mariadb:
|
|
||||||
base_url: "http://mariadb.mirror.digitalpacific.com.au/yum"
|
|
||||||
package: "rpm"
|
|
||||||
description: "MariaDB RPM package repository"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*\\.rpm$"
|
|
||||||
- ".*/repodata/.*\\.xml.*$"
|
|
||||||
- ".*/RPM-GPG-KEY-.*$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
openvox:
|
|
||||||
base_url: "https://yum.voxpupuli.org"
|
|
||||||
package: "rpm"
|
|
||||||
description: "OpenVox RPM package repository"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*\\.rpm$"
|
|
||||||
- ".*/repodata/.*\\.xml.*$"
|
|
||||||
- "GPG-KEY-.*$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
postgresql:
|
|
||||||
base_url: "https://download.postgresql.org/pub/repos/yum"
|
|
||||||
package: "rpm"
|
|
||||||
description: "PostgreSQL RPM package repository"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*\\.rpm$"
|
|
||||||
- ".*/repodata/.*\\.xml.*$"
|
|
||||||
- ".*/RPM-GPG-KEY-.*$"
|
|
||||||
- ".*/PGDG-RPM-GPG-KEY-.*$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
rke2:
|
|
||||||
base_url: "https://rpm.rancher.io"
|
|
||||||
package: "rpm"
|
|
||||||
description: "RKE2 RPM package repository"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*\\.rpm$"
|
|
||||||
- ".*/repodata/.*\\.xml.*$"
|
|
||||||
- "public.key$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
|
|
||||||
zfs:
|
|
||||||
base_url: "http://download.zfsonlinux.org"
|
|
||||||
package: "rpm"
|
|
||||||
description: "ZFS RPM package repository"
|
|
||||||
immutable_patterns:
|
|
||||||
- ".*\\.rpm$"
|
|
||||||
- ".*/repodata/.*\\.xml.*$"
|
|
||||||
cache:
|
|
||||||
immutable_ttl: 0
|
|
||||||
mutable_ttl: 7200
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
virtuals:
|
|
||||||
helm:
|
|
||||||
package: "helm"
|
|
||||||
description: "Virtual repository merging all helm remotes — member order is priority order for duplicate chart+version"
|
|
||||||
members:
|
|
||||||
- ceph-csi
|
|
||||||
- cnpg
|
|
||||||
- elastic-helm
|
|
||||||
- external-dns
|
|
||||||
- hashicorp-helm
|
|
||||||
- intel-helm
|
|
||||||
- jetstack
|
|
||||||
- purelb
|
|
||||||
- rancher-stable
|
|
||||||
- stakater
|
|
||||||
- traefik
|
|
||||||
- victoriametrics
|
|
||||||
- argo-helm
|
|
||||||
@@ -2,7 +2,7 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
name: artifactapi-api
|
name: artifactapi
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
spec:
|
spec:
|
||||||
internalTrafficPolicy: Cluster
|
internalTrafficPolicy: Cluster
|
||||||
@@ -12,31 +12,31 @@ spec:
|
|||||||
protocol: TCP
|
protocol: TCP
|
||||||
targetPort: http
|
targetPort: http
|
||||||
selector:
|
selector:
|
||||||
app: artifactapi
|
app: api
|
||||||
sessionAffinity: None
|
sessionAffinity: None
|
||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
name: postgres-service
|
name: ui
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
spec:
|
spec:
|
||||||
internalTrafficPolicy: Cluster
|
internalTrafficPolicy: Cluster
|
||||||
ports:
|
ports:
|
||||||
- name: postgres
|
- name: http
|
||||||
port: 5432
|
port: 80
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
targetPort: postgres
|
targetPort: http
|
||||||
selector:
|
selector:
|
||||||
app: postgres
|
app: ui
|
||||||
sessionAffinity: None
|
sessionAffinity: None
|
||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
name: redis-service
|
name: redis
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
spec:
|
spec:
|
||||||
internalTrafficPolicy: Cluster
|
internalTrafficPolicy: Cluster
|
||||||
|
|||||||
@@ -0,0 +1,58 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: ui
|
||||||
|
namespace: artifactapi
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: ui
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxUnavailable: 1
|
||||||
|
type: RollingUpdate
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: ui
|
||||||
|
spec:
|
||||||
|
automountServiceAccountToken: true
|
||||||
|
containers:
|
||||||
|
- name: ui
|
||||||
|
image: git.unkin.net/unkin/artifactapi-ui:v3.7.4
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
ports:
|
||||||
|
- containerPort: 80
|
||||||
|
name: http
|
||||||
|
protocol: TCP
|
||||||
|
livenessProbe:
|
||||||
|
failureThreshold: 3
|
||||||
|
httpGet:
|
||||||
|
path: /ui
|
||||||
|
port: http
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 15
|
||||||
|
periodSeconds: 30
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
readinessProbe:
|
||||||
|
failureThreshold: 3
|
||||||
|
httpGet:
|
||||||
|
path: /ui
|
||||||
|
port: http
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 5
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 512Mi
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 128Mi
|
||||||
|
restartPolicy: Always
|
||||||
@@ -0,0 +1,41 @@
|
|||||||
|
---
|
||||||
|
apiVersion: autoscaling/v2
|
||||||
|
kind: HorizontalPodAutoscaler
|
||||||
|
metadata:
|
||||||
|
name: ui-hpa
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
scaleTargetRef:
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
name: ui
|
||||||
|
minReplicas: 2
|
||||||
|
maxReplicas: 10
|
||||||
|
metrics:
|
||||||
|
- type: Resource
|
||||||
|
resource:
|
||||||
|
name: cpu
|
||||||
|
target:
|
||||||
|
type: Utilization
|
||||||
|
averageUtilization: 60
|
||||||
|
behavior:
|
||||||
|
scaleUp:
|
||||||
|
stabilizationWindowSeconds: 0
|
||||||
|
selectPolicy: Max
|
||||||
|
policies:
|
||||||
|
- type: Percent
|
||||||
|
value: 100
|
||||||
|
periodSeconds: 30
|
||||||
|
- type: Pods
|
||||||
|
value: 4
|
||||||
|
periodSeconds: 30
|
||||||
|
scaleDown:
|
||||||
|
stabilizationWindowSeconds: 300
|
||||||
|
selectPolicy: Min
|
||||||
|
policies:
|
||||||
|
- type: Percent
|
||||||
|
value: 10
|
||||||
|
periodSeconds: 60
|
||||||
|
- type: Pods
|
||||||
|
value: 2
|
||||||
|
periodSeconds: 60
|
||||||
@@ -10,7 +10,7 @@ spec:
|
|||||||
kubernetes:
|
kubernetes:
|
||||||
audiences:
|
audiences:
|
||||||
- vault
|
- vault
|
||||||
role: artifactapi
|
role: default
|
||||||
serviceAccount: default
|
serviceAccount: default
|
||||||
tokenExpirationSeconds: 600
|
tokenExpirationSeconds: 600
|
||||||
method: kubernetes
|
method: kubernetes
|
||||||
|
|||||||
@@ -1,6 +1,23 @@
|
|||||||
---
|
---
|
||||||
apiVersion: secrets.hashicorp.com/v1beta1
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
kind: VaultStaticSecret
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: postgres-credentials
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
destination:
|
||||||
|
create: true
|
||||||
|
name: postgres-credentials
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
mount: kv
|
||||||
|
path: kubernetes/namespace/artifactapi/default/postgres-credentials
|
||||||
|
refreshAfter: 5m
|
||||||
|
type: kv-v2
|
||||||
|
vaultAuthRef: default
|
||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
metadata:
|
metadata:
|
||||||
name: environment
|
name: environment
|
||||||
namespace: artifactapi
|
namespace: artifactapi
|
||||||
@@ -8,27 +25,10 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
create: true
|
create: true
|
||||||
name: environment
|
name: environment
|
||||||
overwrite: false
|
|
||||||
hmacSecretData: true
|
|
||||||
mount: kv
|
|
||||||
path: service/artifactapi/environment
|
|
||||||
refreshAfter: 5m
|
|
||||||
type: kv-v2
|
|
||||||
vaultAuthRef: default
|
|
||||||
---
|
|
||||||
apiVersion: secrets.hashicorp.com/v1beta1
|
|
||||||
kind: VaultStaticSecret
|
|
||||||
metadata:
|
|
||||||
name: postgres-password
|
|
||||||
namespace: artifactapi
|
|
||||||
spec:
|
|
||||||
destination:
|
|
||||||
create: true
|
|
||||||
name: postgres-password
|
|
||||||
overwrite: true
|
overwrite: true
|
||||||
hmacSecretData: true
|
hmacSecretData: true
|
||||||
mount: kv
|
mount: kv
|
||||||
path: service/artifactapi/postgres-password
|
path: kubernetes/namespace/artifactapi/default/environment
|
||||||
refreshAfter: 5m
|
refreshAfter: 5m
|
||||||
type: kv-v2
|
type: kv-v2
|
||||||
vaultAuthRef: default
|
vaultAuthRef: default
|
||||||
|
|||||||
@@ -0,0 +1,91 @@
|
|||||||
|
---
|
||||||
|
apiVersion: postgresql.cnpg.io/v1
|
||||||
|
kind: Cluster
|
||||||
|
metadata:
|
||||||
|
name: postgres
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
affinity:
|
||||||
|
podAntiAffinityType: preferred
|
||||||
|
bootstrap:
|
||||||
|
initdb:
|
||||||
|
database: authentik
|
||||||
|
encoding: UTF8
|
||||||
|
localeCType: C
|
||||||
|
localeCollate: C
|
||||||
|
owner: authentik
|
||||||
|
secret:
|
||||||
|
name: postgres-credentials
|
||||||
|
enablePDB: true
|
||||||
|
enableSuperuserAccess: false
|
||||||
|
failoverDelay: 0
|
||||||
|
imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
|
||||||
|
instances: 3
|
||||||
|
logLevel: info
|
||||||
|
maxSyncReplicas: 0
|
||||||
|
minSyncReplicas: 0
|
||||||
|
monitoring:
|
||||||
|
customQueriesConfigMap:
|
||||||
|
- key: queries
|
||||||
|
name: cnpg-default-monitoring
|
||||||
|
disableDefaultQueries: false
|
||||||
|
enablePodMonitor: false
|
||||||
|
postgresql:
|
||||||
|
parameters:
|
||||||
|
archive_mode: "on"
|
||||||
|
archive_timeout: 5min
|
||||||
|
dynamic_shared_memory_type: posix
|
||||||
|
effective_cache_size: 256MB
|
||||||
|
full_page_writes: "on"
|
||||||
|
log_destination: csvlog
|
||||||
|
log_directory: /controller/log
|
||||||
|
log_filename: postgres
|
||||||
|
log_rotation_age: "0"
|
||||||
|
log_rotation_size: "0"
|
||||||
|
log_truncate_on_rotation: "false"
|
||||||
|
logging_collector: "on"
|
||||||
|
max_connections: "200"
|
||||||
|
max_parallel_workers: "16"
|
||||||
|
max_replication_slots: "16"
|
||||||
|
max_worker_processes: "16"
|
||||||
|
shared_buffers: 128MB
|
||||||
|
shared_memory_type: mmap
|
||||||
|
ssl_max_protocol_version: TLSv1.3
|
||||||
|
ssl_min_protocol_version: TLSv1.3
|
||||||
|
wal_keep_size: 256MB
|
||||||
|
wal_level: logical
|
||||||
|
wal_log_hints: "on"
|
||||||
|
wal_receiver_timeout: 5s
|
||||||
|
wal_sender_timeout: 5s
|
||||||
|
syncReplicaElectionConstraint:
|
||||||
|
enabled: false
|
||||||
|
primaryUpdateMethod: restart
|
||||||
|
primaryUpdateStrategy: unsupervised
|
||||||
|
probes:
|
||||||
|
liveness:
|
||||||
|
isolationCheck:
|
||||||
|
connectionTimeout: 1000
|
||||||
|
enabled: true
|
||||||
|
requestTimeout: 1000
|
||||||
|
replicationSlots:
|
||||||
|
highAvailability:
|
||||||
|
enabled: true
|
||||||
|
slotPrefix: _cnpg_
|
||||||
|
synchronizeReplicas:
|
||||||
|
enabled: true
|
||||||
|
updateInterval: 30
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 512Mi
|
||||||
|
requests:
|
||||||
|
cpu: 250m
|
||||||
|
memory: 256Mi
|
||||||
|
smartShutdownTimeout: 180
|
||||||
|
startDelay: 3600
|
||||||
|
stopDelay: 1800
|
||||||
|
storage:
|
||||||
|
resizeInUseVolumes: true
|
||||||
|
size: 20Gi
|
||||||
|
storageClass: cephrbd-fast-delete
|
||||||
|
switchoverDelay: 3600
|
||||||
@@ -0,0 +1,66 @@
|
|||||||
|
---
|
||||||
|
apiVersion: postgresql.cnpg.io/v1
|
||||||
|
kind: Pooler
|
||||||
|
metadata:
|
||||||
|
name: postgres-pooler-rw
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
cluster:
|
||||||
|
name: postgres
|
||||||
|
instances: 2
|
||||||
|
pgbouncer:
|
||||||
|
parameters:
|
||||||
|
default_pool_size: "100"
|
||||||
|
max_client_conn: "400"
|
||||||
|
paused: false
|
||||||
|
poolMode: session
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: pooler-rw
|
||||||
|
spec:
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: app
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- pooler-rw
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
containers: []
|
||||||
|
type: rw
|
||||||
|
---
|
||||||
|
apiVersion: postgresql.cnpg.io/v1
|
||||||
|
kind: Pooler
|
||||||
|
metadata:
|
||||||
|
name: postgres-pooler-ro
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
cluster:
|
||||||
|
name: postgres
|
||||||
|
instances: 2
|
||||||
|
pgbouncer:
|
||||||
|
parameters:
|
||||||
|
default_pool_size: "100"
|
||||||
|
max_client_conn: "400"
|
||||||
|
paused: false
|
||||||
|
poolMode: session
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: pooler-ro
|
||||||
|
spec:
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: app
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- pooler-ro
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
containers: []
|
||||||
|
type: ro
|
||||||
@@ -0,0 +1,57 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
traefik.io/instance: internal
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: identity.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: identity.unkin.net,identity.k8s.syd1.au.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
||||||
|
name: authentik
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
gatewayClassName: traefik-internal
|
||||||
|
listeners:
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: identity.unkin.net
|
||||||
|
name: http
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: identity.unkin.net
|
||||||
|
name: https
|
||||||
|
port: 443
|
||||||
|
protocol: HTTPS
|
||||||
|
tls:
|
||||||
|
certificateRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Secret
|
||||||
|
name: authentik-tls
|
||||||
|
mode: Terminate
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: identity.k8s.syd1.au.unkin.net
|
||||||
|
name: http-internal
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: identity.k8s.syd1.au.unkin.net
|
||||||
|
name: https-internal
|
||||||
|
port: 443
|
||||||
|
protocol: HTTPS
|
||||||
|
tls:
|
||||||
|
certificateRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Secret
|
||||||
|
name: authentik-tls
|
||||||
|
mode: Terminate
|
||||||
@@ -0,0 +1,59 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: authentik-http-redirect
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- identity.unkin.net
|
||||||
|
- identity.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik
|
||||||
|
sectionName: http
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik
|
||||||
|
sectionName: http-internal
|
||||||
|
rules:
|
||||||
|
- filters:
|
||||||
|
- type: RequestRedirect
|
||||||
|
requestRedirect:
|
||||||
|
scheme: https
|
||||||
|
statusCode: 301
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: authentik
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- identity.unkin.net
|
||||||
|
- identity.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik
|
||||||
|
sectionName: https
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik
|
||||||
|
sectionName: https-internal
|
||||||
|
rules:
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: authentik-server
|
||||||
|
port: 80
|
||||||
|
weight: 1
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
@@ -0,0 +1,19 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- cnpg_cluster.yaml
|
||||||
|
- cnpg_pooler.yaml
|
||||||
|
- gateway.yaml
|
||||||
|
- httproute.yaml
|
||||||
|
- ldap-gateway.yaml
|
||||||
|
- ldap-httproute.yaml
|
||||||
|
- ldap-service.yaml
|
||||||
|
- ldap-tlsroute.yaml
|
||||||
|
- namespace.yaml
|
||||||
|
- redis-deployment.yaml
|
||||||
|
- redis-pvc.yaml
|
||||||
|
- redis-service.yaml
|
||||||
|
- vaultauth.yaml
|
||||||
|
- vaultstaticsecret.yaml
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
traefik.io/instance: internal
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: ldap.k8s.syd1.au.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
name: authentik-ldap
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
gatewayClassName: traefik-internal
|
||||||
|
listeners:
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: ldap.k8s.syd1.au.unkin.net
|
||||||
|
name: ldaps-internal
|
||||||
|
port: 636
|
||||||
|
protocol: TLS
|
||||||
|
tls:
|
||||||
|
mode: Passthrough
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: ldap.main.unkin.net
|
||||||
|
name: ldaps-main
|
||||||
|
port: 636
|
||||||
|
protocol: TLS
|
||||||
|
tls:
|
||||||
|
mode: Passthrough
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: ldap.k8s.syd1.au.unkin.net
|
||||||
|
name: http-dns
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: ldap.main.unkin.net
|
||||||
|
name: http-dns-main
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
@@ -0,0 +1,32 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: authentik-ldap-dns
|
||||||
|
namespace: authentik
|
||||||
|
annotations:
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: ldap.k8s.syd1.au.unkin.net,ldap.main.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- ldap.k8s.syd1.au.unkin.net
|
||||||
|
- ldap.main.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik-ldap
|
||||||
|
sectionName: http-dns
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik-ldap
|
||||||
|
sectionName: http-dns-main
|
||||||
|
rules:
|
||||||
|
- filters:
|
||||||
|
- type: RequestRedirect
|
||||||
|
requestRedirect:
|
||||||
|
scheme: https
|
||||||
|
statusCode: 301
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: authentik-ldap
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
internalTrafficPolicy: Cluster
|
||||||
|
ports:
|
||||||
|
- name: ldaps
|
||||||
|
port: 6636
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: 6636
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: authentik
|
||||||
|
app.kubernetes.io/component: ldap
|
||||||
|
sessionAffinity: None
|
||||||
|
type: ClusterIP
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: TLSRoute
|
||||||
|
metadata:
|
||||||
|
name: authentik-ldaps
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- ldap.k8s.syd1.au.unkin.net
|
||||||
|
- ldap.main.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik-ldap
|
||||||
|
sectionName: ldaps-internal
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik-ldap
|
||||||
|
sectionName: ldaps-main
|
||||||
|
rules:
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: authentik-ldap
|
||||||
|
port: 6636
|
||||||
|
weight: 1
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: authentik
|
||||||
@@ -0,0 +1,58 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: redis
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
strategy:
|
||||||
|
type: Recreate
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: redis
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: redis
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: redis
|
||||||
|
image: redis:7-alpine
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
args:
|
||||||
|
- --save
|
||||||
|
- "20"
|
||||||
|
- "1"
|
||||||
|
ports:
|
||||||
|
- containerPort: 6379
|
||||||
|
name: redis
|
||||||
|
protocol: TCP
|
||||||
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- redis-cli
|
||||||
|
- ping
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
readinessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- redis-cli
|
||||||
|
- ping
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 512Mi
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 128Mi
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /data
|
||||||
|
name: redis-data
|
||||||
|
volumes:
|
||||||
|
- name: redis-data
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: redis-data
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
name: redis-data
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 5Gi
|
||||||
|
storageClassName: cephrbd-fast-delete
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: redis
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
internalTrafficPolicy: Cluster
|
||||||
|
ports:
|
||||||
|
- name: redis
|
||||||
|
port: 6379
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: redis
|
||||||
|
selector:
|
||||||
|
app: redis
|
||||||
|
sessionAffinity: None
|
||||||
|
type: ClusterIP
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
allowedNamespaces:
|
||||||
|
- authentik
|
||||||
|
kubernetes:
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
role: default
|
||||||
|
serviceAccount: default
|
||||||
|
tokenExpirationSeconds: 600
|
||||||
|
method: kubernetes
|
||||||
|
mount: k8s/au/syd1
|
||||||
|
vaultConnectionRef: vso-system/default
|
||||||
@@ -0,0 +1,51 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: postgres-credentials
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
destination:
|
||||||
|
create: true
|
||||||
|
name: postgres-credentials
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
mount: kv
|
||||||
|
path: kubernetes/namespace/authentik/default/postgres-credentials
|
||||||
|
refreshAfter: 5m
|
||||||
|
type: kv-v2
|
||||||
|
vaultAuthRef: default
|
||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: authentik-credentials
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
destination:
|
||||||
|
create: true
|
||||||
|
name: authentik-credentials
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
mount: kv
|
||||||
|
path: kubernetes/namespace/authentik/default/authentik-credentials
|
||||||
|
refreshAfter: 5m
|
||||||
|
type: kv-v2
|
||||||
|
vaultAuthRef: default
|
||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: s3-credentials
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
destination:
|
||||||
|
create: true
|
||||||
|
name: s3-credentials
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
mount: kv
|
||||||
|
path: kubernetes/namespace/authentik/default/s3-credentials
|
||||||
|
refreshAfter: 5m
|
||||||
|
type: kv-v2
|
||||||
|
vaultAuthRef: default
|
||||||
@@ -0,0 +1,57 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: bind-operator
|
||||||
|
namespace: bind-system
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: bind-operator
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: bind-operator
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: bind-operator
|
||||||
|
spec:
|
||||||
|
serviceAccountName: bind-operator
|
||||||
|
securityContext:
|
||||||
|
runAsNonRoot: true
|
||||||
|
containers:
|
||||||
|
- name: operator
|
||||||
|
image: git.unkin.net/unkin/bind-operator:v0.1.1
|
||||||
|
args:
|
||||||
|
- --metrics-bind-address=:8080
|
||||||
|
- --health-probe-bind-address=:8081
|
||||||
|
- --leader-elect
|
||||||
|
ports:
|
||||||
|
- containerPort: 8080
|
||||||
|
name: metrics
|
||||||
|
- containerPort: 8081
|
||||||
|
name: health
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /readyz
|
||||||
|
port: 8081
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /healthz
|
||||||
|
port: 8081
|
||||||
|
initialDelaySeconds: 15
|
||||||
|
periodSeconds: 20
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
capabilities:
|
||||||
|
drop: ["ALL"]
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 64Mi
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 256Mi
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
# CRDs are pulled from the bind-operator repo at the matching tag rather than
|
||||||
|
# vendored here, so they never drift from the operator.
|
||||||
|
- https://git.unkin.net/unkin/bind-operator/raw/tag/v0.1.1/config/crd/install.yaml
|
||||||
|
- rbac.yaml
|
||||||
|
- deployment.yaml
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: bind-system
|
||||||
@@ -0,0 +1,46 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: bind-operator
|
||||||
|
namespace: bind-system
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: bind-operator
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["bind.unkin.net"]
|
||||||
|
resources: ["*"]
|
||||||
|
verbs: ["*"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["services", "configmaps", "secrets"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["pods"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["pods/exec"]
|
||||||
|
verbs: ["create", "get"]
|
||||||
|
- apiGroups: ["apps"]
|
||||||
|
resources: ["statefulsets"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
|
resources: ["leases"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: bind-operator
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: bind-operator
|
||||||
|
namespace: bind-system
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: bind-operator
|
||||||
@@ -0,0 +1,51 @@
|
|||||||
|
# kanidm
|
||||||
|
|
||||||
|
Three-replica kanidm identity server with Vault-managed replication certificates.
|
||||||
|
|
||||||
|
## Architecture
|
||||||
|
|
||||||
|
- Per-pod `server-N.toml` in `resources/` — each has its own replication origin hardcoded
|
||||||
|
- `config-init` busybox init container copies the right config and injects peer certs from the
|
||||||
|
vault-synced `kanidm-repl-certs` Secret at pod startup
|
||||||
|
- `reloader.stakater.com/auto: "true"` triggers a rolling restart when the ConfigMap or Secret changes
|
||||||
|
- Vault path: `kv/kubernetes/namespace/kanidm/default/repl-certs`
|
||||||
|
- Keys: `kanidm-0`, `kanidm-1`, `kanidm-2` — each holds that pod's replication certificate
|
||||||
|
|
||||||
|
## Initial setup
|
||||||
|
|
||||||
|
After the first pod starts, generate the admin credentials:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account -c /config/server.toml admin
|
||||||
|
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account -c /config/server.toml idm_admin
|
||||||
|
```
|
||||||
|
|
||||||
|
## Replication certificate rotation
|
||||||
|
|
||||||
|
When certs need to be renewed, update vault and reloader will roll the StatefulSet:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Get new cert from a pod
|
||||||
|
kubectl exec -it -n kanidm kanidm-N -- /sbin/kanidmd renew-replication-certificate -c /config/server.toml
|
||||||
|
|
||||||
|
# Write updated cert to vault (reloader triggers restart automatically)
|
||||||
|
vault kv patch kv/kubernetes/namespace/kanidm/default/repl-certs "kanidm-N=<cert>"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Resolving domain UUID mismatch
|
||||||
|
|
||||||
|
If pods initialized independently (each with a different domain UUID), replication will fail with
|
||||||
|
`Consumer Domain UUID does not match`. Fix by resetting kanidm-1 and kanidm-2 to sync from
|
||||||
|
kanidm-0 (the authoritative node):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Scale down to avoid split-brain during reset
|
||||||
|
kubectl scale statefulset -n kanidm kanidm --replicas=1
|
||||||
|
|
||||||
|
# Delete the stale PVCs for the replica pods
|
||||||
|
kubectl delete pvc -n kanidm data-kanidm-1 data-kanidm-2
|
||||||
|
|
||||||
|
# Scale back up — replicas start with empty DBs and automatic_refresh=true
|
||||||
|
# will trigger a full sync from kanidm-0 once TLS peer certs are verified
|
||||||
|
kubectl scale statefulset -n kanidm kanidm --replicas=3
|
||||||
|
```
|
||||||
@@ -1,40 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: kanidm-config
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
data:
|
|
||||||
server.toml: |
|
|
||||||
version = "2"
|
|
||||||
|
|
||||||
domain = "auth.unkin.net"
|
|
||||||
origin = "https://auth.unkin.net"
|
|
||||||
bindaddress = "[::]:8443"
|
|
||||||
db_path = "/data/kanidm.db"
|
|
||||||
db_arc_size = 2048
|
|
||||||
tls_chain = "/data/tls/tls.crt"
|
|
||||||
tls_key = "/data/tls/tls.key"
|
|
||||||
log_level = "info"
|
|
||||||
|
|
||||||
[online_backup]
|
|
||||||
path = "/data/backups/"
|
|
||||||
schedule = "0 22 * * *"
|
|
||||||
versions = 7
|
|
||||||
|
|
||||||
[replication]
|
|
||||||
origin = "__REPL_ORIGIN__"
|
|
||||||
bindaddress = "[::]:8444"
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: kanidm-repl-certs
|
|
||||||
namespace: kanidm
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
data: {}
|
|
||||||
@@ -5,12 +5,23 @@ kind: Kustomization
|
|||||||
resources:
|
resources:
|
||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
- serviceaccount.yaml
|
- serviceaccount.yaml
|
||||||
- rbac.yaml
|
- vaultauth.yaml
|
||||||
|
- vaultstaticsecret.yaml
|
||||||
- certificate.yaml
|
- certificate.yaml
|
||||||
- configmap.yaml
|
|
||||||
- service.yaml
|
- service.yaml
|
||||||
- statefulset.yaml
|
- statefulset.yaml
|
||||||
- poddisruptionbudget.yaml
|
- poddisruptionbudget.yaml
|
||||||
- gateway.yaml
|
- gateway.yaml
|
||||||
- httproute.yaml
|
- httproute.yaml
|
||||||
- tlsroute.yaml
|
- tlsroute.yaml
|
||||||
|
|
||||||
|
configMapGenerator:
|
||||||
|
- name: kanidm-config
|
||||||
|
namespace: kanidm
|
||||||
|
options:
|
||||||
|
disableNameSuffixHash: true
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: kanidm
|
||||||
|
app.kubernetes.io/instance: kanidm
|
||||||
|
files:
|
||||||
|
- server-0.toml=resources/server-0.toml
|
||||||
|
|||||||
@@ -0,0 +1,15 @@
|
|||||||
|
version = "2"
|
||||||
|
|
||||||
|
domain = "auth.unkin.net"
|
||||||
|
origin = "https://auth.unkin.net"
|
||||||
|
bindaddress = "[::]:8443"
|
||||||
|
db_path = "/data/kanidm.db"
|
||||||
|
db_arc_size = 2048
|
||||||
|
tls_chain = "/data/tls/tls.crt"
|
||||||
|
tls_key = "/data/tls/tls.key"
|
||||||
|
log_level = "info"
|
||||||
|
|
||||||
|
[online_backup]
|
||||||
|
path = "/data/backups/"
|
||||||
|
schedule = "0 22 * * *"
|
||||||
|
versions = 7
|
||||||
@@ -9,6 +9,10 @@ metadata:
|
|||||||
app.kubernetes.io/instance: kanidm
|
app.kubernetes.io/instance: kanidm
|
||||||
spec:
|
spec:
|
||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
|
sessionAffinity: ClientIP
|
||||||
|
sessionAffinityConfig:
|
||||||
|
clientIP:
|
||||||
|
timeoutSeconds: 10800
|
||||||
ports:
|
ports:
|
||||||
- name: https
|
- name: https
|
||||||
port: 8443
|
port: 8443
|
||||||
@@ -34,10 +38,6 @@ spec:
|
|||||||
port: 8443
|
port: 8443
|
||||||
targetPort: https
|
targetPort: https
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
- name: replication
|
|
||||||
port: 8444
|
|
||||||
targetPort: replication
|
|
||||||
protocol: TCP
|
|
||||||
selector:
|
selector:
|
||||||
app.kubernetes.io/name: kanidm
|
app.kubernetes.io/name: kanidm
|
||||||
app.kubernetes.io/instance: kanidm
|
app.kubernetes.io/instance: kanidm
|
||||||
|
|||||||
@@ -4,12 +4,14 @@ kind: StatefulSet
|
|||||||
metadata:
|
metadata:
|
||||||
name: kanidm
|
name: kanidm
|
||||||
namespace: kanidm
|
namespace: kanidm
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/name: kanidm
|
app.kubernetes.io/name: kanidm
|
||||||
app.kubernetes.io/instance: kanidm
|
app.kubernetes.io/instance: kanidm
|
||||||
spec:
|
spec:
|
||||||
serviceName: kanidm-headless
|
serviceName: kanidm-headless
|
||||||
replicas: 3
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app.kubernetes.io/name: kanidm
|
app.kubernetes.io/name: kanidm
|
||||||
@@ -21,82 +23,11 @@ spec:
|
|||||||
app.kubernetes.io/instance: kanidm
|
app.kubernetes.io/instance: kanidm
|
||||||
spec:
|
spec:
|
||||||
serviceAccountName: kanidm
|
serviceAccountName: kanidm
|
||||||
affinity:
|
|
||||||
podAntiAffinity:
|
|
||||||
requiredDuringSchedulingIgnoredDuringExecution:
|
|
||||||
- labelSelector:
|
|
||||||
matchLabels:
|
|
||||||
app.kubernetes.io/name: kanidm
|
|
||||||
app.kubernetes.io/instance: kanidm
|
|
||||||
topologyKey: kubernetes.io/hostname
|
|
||||||
securityContext:
|
securityContext:
|
||||||
runAsUser: 1000
|
runAsUser: 1000
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
runAsNonRoot: true
|
runAsNonRoot: true
|
||||||
fsGroup: 1000
|
fsGroup: 1000
|
||||||
initContainers:
|
|
||||||
- name: config-init
|
|
||||||
image: kanidm/server:1.10.3
|
|
||||||
command: ["/bin/sh", "-c"]
|
|
||||||
args:
|
|
||||||
- |
|
|
||||||
set -e
|
|
||||||
REPL_ORIGIN="repl://${POD_NAME}.kanidm-headless.kanidm.svc.cluster.local:8444"
|
|
||||||
sed "s|__REPL_ORIGIN__|${REPL_ORIGIN}|g" /config-template/server.toml > /config/server.toml
|
|
||||||
for peer in kanidm-0 kanidm-1 kanidm-2; do
|
|
||||||
if [ "${peer}" = "${POD_NAME}" ]; then
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
cert_file="/repl-certs/${peer}"
|
|
||||||
if [ -s "${cert_file}" ]; then
|
|
||||||
fqdn="${peer}.kanidm-headless.kanidm.svc.cluster.local"
|
|
||||||
printf '\n[replication."repl://%s:8444"]\ntype = "mutual-pull"\npartner_cert = "%s"\n' \
|
|
||||||
"${fqdn}" "$(cat ${cert_file})" >> /config/server.toml
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
env:
|
|
||||||
- name: POD_NAME
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.name
|
|
||||||
volumeMounts:
|
|
||||||
- name: config-template
|
|
||||||
mountPath: /config-template
|
|
||||||
- name: config
|
|
||||||
mountPath: /config
|
|
||||||
- name: repl-certs
|
|
||||||
mountPath: /repl-certs
|
|
||||||
readOnly: true
|
|
||||||
securityContext:
|
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
readOnlyRootFilesystem: true
|
|
||||||
- name: repl-cert-publisher
|
|
||||||
image: bitnami/kubectl:1.33
|
|
||||||
restartPolicy: Always
|
|
||||||
command: ["/bin/sh", "-c"]
|
|
||||||
args:
|
|
||||||
- |
|
|
||||||
until kubectl exec "${POD_NAME}" -c kanidm -- /sbin/kanidmd renew-replication-certificate 2>/dev/null | grep -q '^# certificate:'; do
|
|
||||||
sleep 30
|
|
||||||
done
|
|
||||||
while true; do
|
|
||||||
cert=$(kubectl exec "${POD_NAME}" -c kanidm -- /sbin/kanidmd renew-replication-certificate 2>/dev/null \
|
|
||||||
| grep '^# certificate:' | sed 's/^# certificate: "\(.*\)"$/\1/')
|
|
||||||
if [ -n "${cert}" ]; then
|
|
||||||
kubectl patch configmap kanidm-repl-certs \
|
|
||||||
--type=merge \
|
|
||||||
-p "{\"data\":{\"${POD_NAME}\":\"${cert}\"}}"
|
|
||||||
fi
|
|
||||||
sleep 3600
|
|
||||||
done
|
|
||||||
env:
|
|
||||||
- name: POD_NAME
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.name
|
|
||||||
securityContext:
|
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
readOnlyRootFilesystem: false
|
|
||||||
containers:
|
containers:
|
||||||
- name: kanidm
|
- name: kanidm
|
||||||
image: kanidm/server:1.10.3
|
image: kanidm/server:1.10.3
|
||||||
@@ -106,14 +37,12 @@ spec:
|
|||||||
- name: https
|
- name: https
|
||||||
containerPort: 8443
|
containerPort: 8443
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
- name: replication
|
|
||||||
containerPort: 8444
|
|
||||||
protocol: TCP
|
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: data
|
- name: data
|
||||||
mountPath: /data
|
mountPath: /data
|
||||||
- name: config
|
- name: config
|
||||||
mountPath: /config
|
mountPath: /config/server.toml
|
||||||
|
subPath: server-0.toml
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: tls
|
- name: tls
|
||||||
mountPath: /data/tls
|
mountPath: /data/tls
|
||||||
@@ -139,14 +68,9 @@ spec:
|
|||||||
initialDelaySeconds: 30
|
initialDelaySeconds: 30
|
||||||
periodSeconds: 30
|
periodSeconds: 30
|
||||||
volumes:
|
volumes:
|
||||||
- name: config-template
|
- name: config
|
||||||
configMap:
|
configMap:
|
||||||
name: kanidm-config
|
name: kanidm-config
|
||||||
- name: config
|
|
||||||
emptyDir: {}
|
|
||||||
- name: repl-certs
|
|
||||||
configMap:
|
|
||||||
name: kanidm-repl-certs
|
|
||||||
- name: tls
|
- name: tls
|
||||||
secret:
|
secret:
|
||||||
secretName: kanidm-tls
|
secretName: kanidm-tls
|
||||||
|
|||||||
@@ -13,9 +13,14 @@ spec:
|
|||||||
- auth.unkin.net
|
- auth.unkin.net
|
||||||
- au.auth.unkin.net
|
- au.auth.unkin.net
|
||||||
parentRefs:
|
parentRefs:
|
||||||
- name: kanidm
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: kanidm
|
||||||
sectionName: https-passthrough
|
sectionName: https-passthrough
|
||||||
rules:
|
rules:
|
||||||
- backendRefs:
|
- backendRefs:
|
||||||
- name: kanidm
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: kanidm
|
||||||
port: 8443
|
port: 8443
|
||||||
|
weight: 1
|
||||||
|
|||||||
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: kanidm
|
||||||
|
spec:
|
||||||
|
allowedNamespaces:
|
||||||
|
- kanidm
|
||||||
|
kubernetes:
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
role: default
|
||||||
|
serviceAccount: default
|
||||||
|
tokenExpirationSeconds: 600
|
||||||
|
method: kubernetes
|
||||||
|
mount: k8s/au/syd1
|
||||||
|
vaultConnectionRef: vso-system/default
|
||||||
@@ -0,0 +1,23 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: repl-certs
|
||||||
|
namespace: kanidm
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: kanidm
|
||||||
|
app.kubernetes.io/instance: kanidm
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: default
|
||||||
|
mount: kv
|
||||||
|
type: kv-v2
|
||||||
|
path: kubernetes/namespace/kanidm/default/repl-certs
|
||||||
|
refreshAfter: 5m
|
||||||
|
destination:
|
||||||
|
name: kanidm-repl-certs
|
||||||
|
create: true
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
rolloutRestartTargets:
|
||||||
|
- kind: StatefulSet
|
||||||
|
name: kanidm
|
||||||
@@ -0,0 +1,37 @@
|
|||||||
|
---
|
||||||
|
# Authoritative masters (replaces the 3x Puppet authoritative servers).
|
||||||
|
# pod-0 is the primary; pods 1-2 replicate via the catalog zone + AXFR/IXFR.
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindCluster
|
||||||
|
metadata:
|
||||||
|
name: auth
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
mode: authoritative
|
||||||
|
replicas: 3
|
||||||
|
storageClassName: cephrbd-fast-delete
|
||||||
|
storageSize: 2Gi
|
||||||
|
service:
|
||||||
|
type: LoadBalancer
|
||||||
|
annotations:
|
||||||
|
purelb.io/service-group: common
|
||||||
|
purelb.io/addresses: 198.18.200.6
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: ns-auth.k8s.syd1.au.unkin.net
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 128Mi
|
||||||
|
limits:
|
||||||
|
cpu: "1"
|
||||||
|
memory: 512Mi
|
||||||
|
---
|
||||||
|
# Catalog zone so new BindZones auto-provision onto the secondaries.
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindCatalogZone
|
||||||
|
metadata:
|
||||||
|
name: auth-catalog
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: catalog.internal
|
||||||
|
transferKeyRef: transfer-key
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
- tsigkey.yaml
|
||||||
|
- cluster.yaml
|
||||||
|
- zones.yaml
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: ns-auth
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
# Zone-transfer / catalog key. The operator generates the material into a
|
||||||
|
# Secret (transfer-key-tsig); nothing sensitive is committed to git.
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindTSIGKey
|
||||||
|
metadata:
|
||||||
|
name: transfer-key
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
algorithm: hmac-sha256
|
||||||
@@ -0,0 +1,204 @@
|
|||||||
|
# Authoritative zones migrated from puppet-prod
|
||||||
|
# (profiles::dns::master::zones in hieradata/roles/infra/dns/master.yaml).
|
||||||
|
# type primary, static (puppet dynamic:false); TTL 600 as in the puppet zone header.
|
||||||
|
# Record data is populated by PuppetDB exported resources upstream, so it is
|
||||||
|
# NOT in this repo — migrate it into these zones (AXFR from the current masters,
|
||||||
|
# or DNSRecord CRs) as a follow-up. The zones start with SOA+NS only.
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: unkin-net
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: unkin.net
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: main-unkin-net
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: main.unkin.net
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 13-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 13.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 14-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 14.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 15-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 15.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 16-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 16.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 17-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 17.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 19-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 19.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 20-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 20.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 21-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 21.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 22-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 22.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 23-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 23.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 24-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 24.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 25-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 25.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 26-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 26.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 27-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 27.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 28-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 28.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 29-18-198-in-addr-arpa
|
||||||
|
namespace: ns-auth
|
||||||
|
spec:
|
||||||
|
clusterRef: auth
|
||||||
|
zoneName: 29.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- priorityclasses.yaml
|
||||||
@@ -0,0 +1,36 @@
|
|||||||
|
---
|
||||||
|
apiVersion: scheduling.k8s.io/v1
|
||||||
|
kind: PriorityClass
|
||||||
|
metadata:
|
||||||
|
name: low
|
||||||
|
value: 100
|
||||||
|
preemptionPolicy: Never
|
||||||
|
globalDefault: false
|
||||||
|
description: "Low-importance workloads. Can be evicted under pressure but will not preempt other pods."
|
||||||
|
---
|
||||||
|
apiVersion: scheduling.k8s.io/v1
|
||||||
|
kind: PriorityClass
|
||||||
|
metadata:
|
||||||
|
name: power
|
||||||
|
value: 100
|
||||||
|
preemptionPolicy: Never
|
||||||
|
globalDefault: false
|
||||||
|
description: "Compute-heavy workloads with low scheduling importance. Evictable under pressure."
|
||||||
|
---
|
||||||
|
apiVersion: scheduling.k8s.io/v1
|
||||||
|
kind: PriorityClass
|
||||||
|
metadata:
|
||||||
|
name: medium
|
||||||
|
value: 10000
|
||||||
|
preemptionPolicy: PreemptLowerPriority
|
||||||
|
globalDefault: false
|
||||||
|
description: "Standard workloads. Will preempt low-priority pods if the cluster is under pressure."
|
||||||
|
---
|
||||||
|
apiVersion: scheduling.k8s.io/v1
|
||||||
|
kind: PriorityClass
|
||||||
|
metadata:
|
||||||
|
name: high
|
||||||
|
value: 100000
|
||||||
|
preemptionPolicy: PreemptLowerPriority
|
||||||
|
globalDefault: false
|
||||||
|
description: "High-importance services. Will preempt medium- and low-priority pods if necessary."
|
||||||
@@ -28,7 +28,7 @@ spec:
|
|||||||
imagePullSecrets: null
|
imagePullSecrets: null
|
||||||
containers:
|
containers:
|
||||||
- name: g10k-code
|
- name: g10k-code
|
||||||
image: git.unkin.net/unkin/almalinux9-g10k:20260308
|
image: git.unkin.net/unkin/almalinux9-g10k:20260606
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
|
|||||||
@@ -50,7 +50,7 @@ spec:
|
|||||||
cpu: 20m
|
cpu: 20m
|
||||||
memory: 32Mi
|
memory: 32Mi
|
||||||
- name: cert-generator
|
- name: cert-generator
|
||||||
image: git.unkin.net/unkin/almalinux9-base:20260308
|
image: git.unkin.net/unkin/almalinux9-base:20260606
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
command:
|
command:
|
||||||
- sh
|
- sh
|
||||||
|
|||||||
@@ -181,7 +181,7 @@ spec:
|
|||||||
name: puppet-puppet-volume
|
name: puppet-puppet-volume
|
||||||
|
|
||||||
- name: setup-shared-bins
|
- name: setup-shared-bins
|
||||||
image: git.unkin.net/unkin/almalinux9-base:20260308
|
image: git.unkin.net/unkin/almalinux9-base:20260606
|
||||||
command:
|
command:
|
||||||
- sh
|
- sh
|
||||||
- -c
|
- -c
|
||||||
|
|||||||
@@ -9,7 +9,6 @@ metadata:
|
|||||||
name: puppetdb
|
name: puppetdb
|
||||||
namespace: puppet
|
namespace: puppet
|
||||||
spec:
|
spec:
|
||||||
clusterIP: null
|
|
||||||
ports:
|
ports:
|
||||||
- name: pdb-http
|
- name: pdb-http
|
||||||
port: 8080
|
port: 8080
|
||||||
|
|||||||
@@ -6,3 +6,4 @@ resources:
|
|||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
- gateway.yaml
|
- gateway.yaml
|
||||||
- httproute.yaml
|
- httproute.yaml
|
||||||
|
- role_k8s-service-registration.yaml
|
||||||
|
|||||||
@@ -0,0 +1,24 @@
|
|||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: vault-k8s-service-registration
|
||||||
|
namespace: vault
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["pods"]
|
||||||
|
verbs: ["get", "update", "patch"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: vault-k8s-service-registration
|
||||||
|
namespace: vault
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: vault-k8s-service-registration
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: vault
|
||||||
|
namespace: vault
|
||||||
@@ -6,6 +6,12 @@ resources:
|
|||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
- cnpg_cluster.yaml
|
- cnpg_cluster.yaml
|
||||||
- cnpg_pooler.yaml
|
- cnpg_pooler.yaml
|
||||||
|
- serviceaccount_terraform_artifactapi.yaml
|
||||||
|
- serviceaccount_terraform_authentik.yaml
|
||||||
|
- serviceaccount_terraform_git.yaml
|
||||||
|
- serviceaccount_terraform_prowlarr.yaml
|
||||||
|
- serviceaccount_terraform_radarr.yaml
|
||||||
|
- serviceaccount_terraform_sonarr.yaml
|
||||||
- serviceaccount_terraform_vault.yaml
|
- serviceaccount_terraform_vault.yaml
|
||||||
- vaultauth.yaml
|
- vaultauth.yaml
|
||||||
- vaultstaticsecret.yaml
|
- vaultstaticsecret.yaml
|
||||||
|
|||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: terraform-artifactapi
|
||||||
|
namespace: woodpecker
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: terraform-authentik
|
||||||
|
namespace: woodpecker
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: terraform-git
|
||||||
|
namespace: woodpecker
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: terraform-prowlarr
|
||||||
|
namespace: woodpecker
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: terraform-radarr
|
||||||
|
namespace: woodpecker
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: terraform-sonarr
|
||||||
|
namespace: woodpecker
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- ../../../base/age-api
|
||||||
@@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- ../../../base/authentik
|
||||||
|
|
||||||
|
helmCharts:
|
||||||
|
- name: authentik
|
||||||
|
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
|
||||||
|
version: "2026.5.3"
|
||||||
|
releaseName: authentik
|
||||||
|
namespace: authentik
|
||||||
|
valuesFile: values.yaml
|
||||||
@@ -0,0 +1,105 @@
|
|||||||
|
global:
|
||||||
|
env:
|
||||||
|
# PostgreSQL primary (via pooler)
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__HOST
|
||||||
|
value: postgres-pooler-rw
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__PORT
|
||||||
|
value: "5432"
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__NAME
|
||||||
|
value: authentik
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__USER
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: postgres-credentials
|
||||||
|
key: username
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: postgres-credentials
|
||||||
|
key: password
|
||||||
|
# PostgreSQL read replica (via pooler)
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__HOST
|
||||||
|
value: postgres-pooler-ro
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PORT
|
||||||
|
value: "5432"
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__NAME
|
||||||
|
value: authentik
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__USER
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: postgres-credentials
|
||||||
|
key: username
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: postgres-credentials
|
||||||
|
key: password
|
||||||
|
# PostgreSQL pooler settings
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS
|
||||||
|
value: "true"
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__CONN_MAX_AGE
|
||||||
|
value: "0"
|
||||||
|
- name: AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECKS
|
||||||
|
value: "true"
|
||||||
|
# Redis
|
||||||
|
- name: AUTHENTIK_REDIS__HOST
|
||||||
|
value: redis
|
||||||
|
- name: AUTHENTIK_REDIS__PORT
|
||||||
|
value: "6379"
|
||||||
|
# S3 storage
|
||||||
|
- name: AUTHENTIK_STORAGE__BACKEND
|
||||||
|
value: s3
|
||||||
|
- name: AUTHENTIK_STORAGE__S3__ENDPOINT
|
||||||
|
value: https://radosgw.service.consul/
|
||||||
|
- name: AUTHENTIK_STORAGE__S3__BUCKET_NAME
|
||||||
|
value: authentik
|
||||||
|
- name: AUTHENTIK_STORAGE__S3__ADDRESSING_STYLE
|
||||||
|
value: path
|
||||||
|
- name: AUTHENTIK_STORAGE__S3__ACCESS_KEY
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: s3-credentials
|
||||||
|
key: AUTHENTIK_STORAGE__S3__ACCESS_KEY
|
||||||
|
- name: AUTHENTIK_STORAGE__S3__SECRET_KEY
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: s3-credentials
|
||||||
|
key: AUTHENTIK_STORAGE__S3__SECRET_KEY
|
||||||
|
# Secret key
|
||||||
|
- name: AUTHENTIK_SECRET_KEY
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: authentik-credentials
|
||||||
|
key: AUTHENTIK_SECRET_KEY
|
||||||
|
|
||||||
|
server:
|
||||||
|
replicas: 3
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
ingress:
|
||||||
|
enabled: false
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: "2"
|
||||||
|
memory: 2Gi
|
||||||
|
requests:
|
||||||
|
cpu: 250m
|
||||||
|
memory: 512Mi
|
||||||
|
|
||||||
|
worker:
|
||||||
|
replicas: 2
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: "2"
|
||||||
|
memory: 2Gi
|
||||||
|
requests:
|
||||||
|
cpu: 250m
|
||||||
|
memory: 512Mi
|
||||||
|
|
||||||
|
postgresql:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
redis:
|
||||||
|
enabled: false
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- ../../../base/bind-system
|
||||||
@@ -37,7 +37,7 @@ server:
|
|||||||
cpu: 100m
|
cpu: 100m
|
||||||
limits:
|
limits:
|
||||||
memory: 2Gi
|
memory: 2Gi
|
||||||
cpu: 1000m
|
cpu: "1"
|
||||||
|
|
||||||
client:
|
client:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- ../../../base/ns-auth
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- ../../../base/priority-classes
|
||||||
@@ -40,9 +40,7 @@ server:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
service_registration "consul" {
|
service_registration "kubernetes" {}
|
||||||
address = "consul-server.consul.svc.cluster.local:8500"
|
|
||||||
}
|
|
||||||
|
|
||||||
dataStorage:
|
dataStorage:
|
||||||
enabled: true
|
enabled: true
|
||||||
@@ -50,6 +48,14 @@ server:
|
|||||||
storageClass: cephrbd-fast-delete
|
storageClass: cephrbd-fast-delete
|
||||||
accessMode: ReadWriteOnce
|
accessMode: ReadWriteOnce
|
||||||
|
|
||||||
|
extraEnv:
|
||||||
|
- name: VAULT_K8S_NAMESPACE
|
||||||
|
value: vault
|
||||||
|
- name: VAULT_K8S_POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
|
||||||
statefulSet:
|
statefulSet:
|
||||||
securityContext:
|
securityContext:
|
||||||
container:
|
container:
|
||||||
|
|||||||
@@ -2,6 +2,7 @@ agent:
|
|||||||
replicaCount: 3
|
replicaCount: 3
|
||||||
env:
|
env:
|
||||||
WOODPECKER_MAX_WORKFLOWS: "8"
|
WOODPECKER_MAX_WORKFLOWS: "8"
|
||||||
|
WOODPECKER_BACKEND_K8S_PRIORITY_CLASS: power
|
||||||
WOODPECKER_BACKEND_K8S_STORAGE_CLASS: cephrbd-fast-delete
|
WOODPECKER_BACKEND_K8S_STORAGE_CLASS: cephrbd-fast-delete
|
||||||
WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G
|
WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G
|
||||||
WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
|
WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
|
||||||
|
|||||||
@@ -10,7 +10,13 @@ spec:
|
|||||||
repoURL: https://git.unkin.net/unkin/argocd-apps
|
repoURL: https://git.unkin.net/unkin/argocd-apps
|
||||||
revision: HEAD
|
revision: HEAD
|
||||||
directories:
|
directories:
|
||||||
|
- path: apps/overlays/*/authentik
|
||||||
- path: apps/overlays/*/artifactapi
|
- path: apps/overlays/*/artifactapi
|
||||||
|
- path: apps/overlays/*/bind-system
|
||||||
|
- path: apps/overlays/*/ns-auth
|
||||||
|
- path: apps/overlays/*/ns-resolver
|
||||||
|
- path: apps/overlays/*/ns-externaldns
|
||||||
|
- path: apps/overlays/*/age-api
|
||||||
- path: apps/overlays/*/cattle-system
|
- path: apps/overlays/*/cattle-system
|
||||||
- path: apps/overlays/*/cert-manager
|
- path: apps/overlays/*/cert-manager
|
||||||
- path: apps/overlays/*/certificates
|
- path: apps/overlays/*/certificates
|
||||||
@@ -22,6 +28,7 @@ spec:
|
|||||||
- path: apps/overlays/*/jfrog
|
- path: apps/overlays/*/jfrog
|
||||||
- path: apps/overlays/*/kanidm
|
- path: apps/overlays/*/kanidm
|
||||||
- path: apps/overlays/*/node-feature-discovery
|
- path: apps/overlays/*/node-feature-discovery
|
||||||
|
- path: apps/overlays/*/priority-classes
|
||||||
- path: apps/overlays/*/puppet
|
- path: apps/overlays/*/puppet
|
||||||
- path: apps/overlays/*/purelb
|
- path: apps/overlays/*/purelb
|
||||||
- path: apps/overlays/*/reflector-system
|
- path: apps/overlays/*/reflector-system
|
||||||
|
|||||||
@@ -17,6 +17,16 @@ spec:
|
|||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
- namespace: 'artifactapi'
|
- namespace: 'artifactapi'
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
|
- namespace: 'age-api'
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
- namespace: 'authentik'
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
- namespace: 'ns-auth'
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
- namespace: 'ns-resolver'
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
- namespace: 'ns-externaldns'
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
- namespace: 'cert-manager'
|
- namespace: 'cert-manager'
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
- namespace: 'certificates'
|
- namespace: 'certificates'
|
||||||
@@ -31,6 +41,8 @@ spec:
|
|||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
- namespace: 'node-feature-discovery'
|
- namespace: 'node-feature-discovery'
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
|
- namespace: 'priority-classes'
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
- namespace: 'purelb'
|
- namespace: 'purelb'
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
- namespace: 'puppet'
|
- namespace: 'puppet'
|
||||||
|
|||||||
Executable
+50
@@ -0,0 +1,50 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
SCHEMA_DIR="${1:-schemas}"
|
||||||
|
rm -rf "$SCHEMA_DIR"
|
||||||
|
mkdir -p "$SCHEMA_DIR"
|
||||||
|
|
||||||
|
echo "==> Fetching CRDs from cluster..." >&2
|
||||||
|
kubectl get crds -o json | python3 -c "
|
||||||
|
import sys, json, os
|
||||||
|
|
||||||
|
def write_schema(schema, schema_dir, group, kind, version):
|
||||||
|
def strip_descriptions(obj):
|
||||||
|
if isinstance(obj, dict):
|
||||||
|
return {k: strip_descriptions(v) for k, v in obj.items() if k != 'description'}
|
||||||
|
if isinstance(obj, list):
|
||||||
|
return [strip_descriptions(i) for i in obj]
|
||||||
|
return obj
|
||||||
|
|
||||||
|
schema = strip_descriptions(schema)
|
||||||
|
group_dir = os.path.join(schema_dir, group)
|
||||||
|
os.makedirs(group_dir, exist_ok=True)
|
||||||
|
fname = f'{kind}_{version}.json'.lower()
|
||||||
|
with open(os.path.join(group_dir, fname), 'w') as f:
|
||||||
|
json.dump(schema, f, indent=2, sort_keys=True)
|
||||||
|
f.write('\n')
|
||||||
|
print(f' Generated: {group}/{fname}', file=sys.stderr)
|
||||||
|
|
||||||
|
data = json.load(sys.stdin)
|
||||||
|
for crd in data.get('items', []):
|
||||||
|
spec = crd.get('spec', {})
|
||||||
|
group = spec.get('group', '')
|
||||||
|
kind = spec.get('names', {}).get('kind', '')
|
||||||
|
for ver in spec.get('versions', []):
|
||||||
|
version = ver.get('name', '')
|
||||||
|
openapi = ver.get('schema', {}).get('openAPIV3Schema', {})
|
||||||
|
if not openapi:
|
||||||
|
continue
|
||||||
|
schema = dict(openapi)
|
||||||
|
schema['\$schema'] = 'http://json-schema.org/draft-07/schema#'
|
||||||
|
schema['type'] = 'object'
|
||||||
|
schema.setdefault('properties', {})
|
||||||
|
schema['properties'].setdefault('apiVersion', {'type': 'string'})
|
||||||
|
schema['properties'].setdefault('kind', {'type': 'string'})
|
||||||
|
schema['properties'].setdefault('metadata', {'type': 'object'})
|
||||||
|
write_schema(schema, '$SCHEMA_DIR', group, kind, version)
|
||||||
|
"
|
||||||
|
|
||||||
|
total=$(find "$SCHEMA_DIR" -name '*.json' | wc -l)
|
||||||
|
echo "==> Schema generation complete: $total schemas in $SCHEMA_DIR" >&2
|
||||||
+6
-3
@@ -3,9 +3,12 @@ set -euo pipefail
|
|||||||
|
|
||||||
KUBE_VERSION="1.33.7"
|
KUBE_VERSION="1.33.7"
|
||||||
|
|
||||||
|
SCHEMA_DIR="${SCHEMA_DIR:-schemas}"
|
||||||
|
|
||||||
schema_args=(
|
schema_args=(
|
||||||
-schema-location "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}-standalone{{.StrictSuffix}}/{{.ResourceKind}}{{.KindSuffix}}.json"
|
-schema-location "$SCHEMA_DIR/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
|
||||||
-schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
|
-schema-location "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github_user/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}-standalone{{.StrictSuffix}}/{{.ResourceKind}}{{.KindSuffix}}.json"
|
||||||
|
-schema-location "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github_user/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
|
||||||
)
|
)
|
||||||
|
|
||||||
while IFS= read -r -d "" k; do
|
while IFS= read -r -d "" k; do
|
||||||
@@ -18,6 +21,6 @@ while IFS= read -r -d "" k; do
|
|||||||
-summary \
|
-summary \
|
||||||
-output pretty \
|
-output pretty \
|
||||||
-verbose \
|
-verbose \
|
||||||
-skip CustomResourceDefinition,GpuDevicePlugin,LBNodeAgent,ServiceGroup \
|
-skip CustomResourceDefinition \
|
||||||
"${schema_args[@]}"
|
"${schema_args[@]}"
|
||||||
done < <(find apps/overlays -name kustomization.yaml -print0)
|
done < <(find apps/overlays -name kustomization.yaml -print0)
|
||||||
|
|||||||
@@ -3,9 +3,12 @@ set -euo pipefail
|
|||||||
|
|
||||||
KUBE_VERSION="1.33.7"
|
KUBE_VERSION="1.33.7"
|
||||||
|
|
||||||
|
SCHEMA_DIR="${SCHEMA_DIR:-schemas}"
|
||||||
|
|
||||||
schema_args=(
|
schema_args=(
|
||||||
-schema-location "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}-standalone{{.StrictSuffix}}/{{.ResourceKind}}{{.KindSuffix}}.json"
|
-schema-location "$SCHEMA_DIR/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
|
||||||
-schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
|
-schema-location "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github_user/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}-standalone{{.StrictSuffix}}/{{.ResourceKind}}{{.KindSuffix}}.json"
|
||||||
|
-schema-location "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github_user/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
|
||||||
)
|
)
|
||||||
|
|
||||||
while IFS= read -r -d "" k; do
|
while IFS= read -r -d "" k; do
|
||||||
|
|||||||
+145
@@ -0,0 +1,145 @@
|
|||||||
|
# Migration Guide: Terragrunt to ArgoCD
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
- Examine existing Terraform configuration in `sources/terraform-k8s/config/<app-name>/`
|
||||||
|
- Identify Helm charts, values, storage classes, secrets, and other resources
|
||||||
|
|
||||||
|
## Migration Steps
|
||||||
|
|
||||||
|
### 1. Branch Creation
|
||||||
|
- Change back to main branch: `git checkout main`
|
||||||
|
- Create new branch: `git checkout -b benvin/<app-name>`
|
||||||
|
|
||||||
|
### 2. Create Base Application Structure
|
||||||
|
- Create directory: `apps/base/<app-name>/`
|
||||||
|
- Create `apps/base/<app-name>/kustomization.yaml` with resources:
|
||||||
|
- `namespace.yaml`
|
||||||
|
- `vaultauth.yaml` (if needed)
|
||||||
|
- `vaultstaticsecret.yaml` (if needed)
|
||||||
|
- Additional resources as required (storageclass.yaml, etc.)
|
||||||
|
|
||||||
|
### 3. Create Namespace
|
||||||
|
- Create `apps/base/<app-name>/namespace.yaml` with app namespace
|
||||||
|
|
||||||
|
### 4. Create Vault Integration (if needed)
|
||||||
|
- Create `apps/base/<app-name>/vaultauth.yaml` from Terraform `vault_auth.yaml`
|
||||||
|
- Convert snake_case to camelCase for Kubernetes
|
||||||
|
- Map Terraform fields to VaultAuth spec
|
||||||
|
- Create `apps/base/<app-name>/vaultstaticsecret.yaml` from `vault_static_secret.yaml`
|
||||||
|
- Convert to VaultStaticSecret spec format
|
||||||
|
|
||||||
|
### 5. Create Additional Resources
|
||||||
|
- Create any additional resources (StorageClass, etc.) from Terraform config
|
||||||
|
- Maintain exact parameter parity with Terraform
|
||||||
|
|
||||||
|
### 6. Create Overlay Structure
|
||||||
|
- Create directory: `apps/overlays/au-syd1/<app-name>/`
|
||||||
|
- Create `apps/overlays/au-syd1/<app-name>/kustomization.yaml`:
|
||||||
|
- Reference base: `../../../base/<app-name>`
|
||||||
|
- Add helmCharts section with repo, version, valuesFile
|
||||||
|
- Create `apps/overlays/au-syd1/<app-name>/values.yaml` from Terraform helm_release values
|
||||||
|
|
||||||
|
### 7. Update Project Configuration
|
||||||
|
- Add Helm repository to appropriate project in `argocd/projects/`
|
||||||
|
- Add namespace to project destinations (if needed)
|
||||||
|
- Add required cluster resource permissions
|
||||||
|
|
||||||
|
### 8. Update ApplicationSet
|
||||||
|
- Add directory pattern to appropriate ApplicationSet in `argocd/applicationsets/`
|
||||||
|
- Use existing patterns like `apps/overlays/*/csi-*` or `apps/overlays/*/<app-name>`
|
||||||
|
|
||||||
|
### 9. Validation
|
||||||
|
- Run `kustomize build --enable-helm apps/overlays/au-syd1/<app-name>` to generate all resources
|
||||||
|
- Check resource types: `kustomize build --enable-helm apps/overlays/au-syd1/<app-name> | grep "^kind:" | sort | uniq -c`
|
||||||
|
- Verify all resource types are permitted in the target project's `clusterResourceWhitelist` and `namespaceResourceWhitelist`
|
||||||
|
- Run `make kubeconform` to validate all resources
|
||||||
|
- Fix any validation errors
|
||||||
|
|
||||||
|
### 10. Git Workflow
|
||||||
|
- Add only created/modified files: `git add apps/base/<app-name>/ apps/overlays/au-syd1/<app-name>/ argocd/projects/<project>.yaml argocd/applicationsets/<project>.yaml`
|
||||||
|
- **Never use `git add .`**
|
||||||
|
- Create commit with descriptive message following existing patterns
|
||||||
|
- Push branch: `git push -u origin benvin/<app-name>`
|
||||||
|
|
||||||
|
## Project Organization
|
||||||
|
|
||||||
|
### Platform Project
|
||||||
|
- Core infrastructure and system components
|
||||||
|
- Examples: cert-manager, external-dns, cnpg-system, reflector-system, etc.
|
||||||
|
|
||||||
|
### Storage Project
|
||||||
|
- Storage-related components
|
||||||
|
- Pattern: `csi-*` applications
|
||||||
|
- Examples: csi-cephfs, csi-cephrbd
|
||||||
|
|
||||||
|
### Application-Specific Projects
|
||||||
|
- Create new projects for logical groupings as needed
|
||||||
|
|
||||||
|
## Common Patterns
|
||||||
|
|
||||||
|
### Helm Chart Integration
|
||||||
|
```yaml
|
||||||
|
helmCharts:
|
||||||
|
- name: <chart-name>
|
||||||
|
repo: <helm-repo-url>
|
||||||
|
version: "<version>"
|
||||||
|
releaseName: <release-name>
|
||||||
|
namespace: <namespace>
|
||||||
|
valuesFile: values.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
### VaultAuth Template
|
||||||
|
```yaml
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: <auth-name>
|
||||||
|
namespace: <namespace>
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: k8s/au/syd1
|
||||||
|
vaultConnectionRef: vso-system/default
|
||||||
|
allowedNamespaces:
|
||||||
|
- <namespace>
|
||||||
|
kubernetes:
|
||||||
|
role: <role>
|
||||||
|
serviceAccount: <service-account>
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
tokenExpirationSeconds: 600
|
||||||
|
```
|
||||||
|
|
||||||
|
### VaultStaticSecret Template
|
||||||
|
```yaml
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: <secret-name>
|
||||||
|
namespace: <namespace>
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: <auth-ref>
|
||||||
|
mount: kv
|
||||||
|
type: kv-v2
|
||||||
|
path: <vault-path>
|
||||||
|
refreshAfter: 5m
|
||||||
|
destination:
|
||||||
|
name: <k8s-secret-name>
|
||||||
|
create: true
|
||||||
|
```
|
||||||
|
|
||||||
|
## Troubleshooting
|
||||||
|
|
||||||
|
### Pre-commit Hook Issues
|
||||||
|
- If hooks modify files, add changes: `git add -u`
|
||||||
|
- Amend commit if safe: `git commit --amend --no-edit`
|
||||||
|
- Use `git push --force-with-lease` for amended commits
|
||||||
|
|
||||||
|
### Validation Failures
|
||||||
|
- Check Helm chart compatibility with Kubernetes version
|
||||||
|
- Verify all required fields are present in resources
|
||||||
|
- Ensure proper YAML formatting
|
||||||
|
|
||||||
|
### Missing Permissions
|
||||||
|
- Add required cluster resources to project clusterResourceWhitelist
|
||||||
|
- Add namespaces to project destinations
|
||||||
|
- Verify Helm repository is in project sourceRepos
|
||||||
File diff suppressed because it is too large
Load Diff
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user