73 Commits

Author SHA1 Message Date
unkinben 2254a39d77 feat: add artifact-keeper
- converted the artifact-keeper helm-chart into kustomization manifests
- converted postgres to cnpg
- moved secrets to vault
2026-04-19 18:43:56 +10:00
unkinben 7d555cd31a feat: migrate purelb to ArgoCD (#84)
Migrate PureLB load balancer from Terragrunt to ArgoCD/Kustomize.
Deploys purelb v0.13.0 with two LBNodeAgent and two ServiceGroup CRs
(common: 198.18.200.0/24, dmz: 198.18.199.0/24).
Adds LBNodeAgent and ServiceGroup to kubeconform skip list (no CRD catalog schema).

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #84
2026-04-07 19:52:17 +10:00
unkinben f0bdc0231a feat: migrate vso-system to ArgoCD (#81)
Migrate Vault Secrets Operator from Terragrunt to ArgoCD/Kustomize.
Deploys vault-secrets-operator v1.2.0 with 3 replicas, plus ClusterRole,
ClusterRoleBindings, and vault-admin ServiceAccount.

Note: static service account tokens (kubernetes.io/service-account-token)
cannot be stored in git; create manually or via Vault after deployment.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #81
2026-04-07 19:33:50 +10:00
unkinben b100f3034e feat: migrate observability to ArgoCD (#82)
Migrate Victoria Metrics cluster and agent from Terragrunt to ArgoCD/Kustomize.
Creates new observability AppProject and ApplicationSet.
Deploys victoria-metrics-cluster v0.33.0 (vmselect/vminsert/vmstorage with
HPA, PDB, ingress) and victoria-metrics-agent v0.30.0 (3 replicas, k8s scrape
configs) in the observability namespace.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #82
2026-04-07 19:15:45 +10:00
unkinben c3a145acbf feat: remove jfrog container registry (#83)
it's not used and never really installed correctly. going to change to
artifact-keeper which promises to have the same capabilities and is open
source.

Reviewed-on: #83
2026-04-07 19:03:32 +10:00
unkinben 181bc152e7 feat: migrate vm-system to ArgoCD (#80)
Migrate Victoria Metrics operator from Terragrunt to ArgoCD/Kustomize.
Deploys victoria-metrics-operator v0.57.1 with 2 replicas in vm-system.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #80
2026-03-27 17:04:15 +11:00
unkinben 5bcbd7e1ba feat: migrate elastic-system to ArgoCD (#79)
Migrate ECK operator from Terragrunt to ArgoCD/Kustomize.
Deploys eck-operator v3.2.0 with 2 replicas and PodDisruptionBudget
in the elastic-system namespace.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #79
2026-03-27 17:00:05 +11:00
unkinben 02195e6235 feat: migrate reposync to ArgoCD (#78)
Migrate repository sync cronjobs from Terragrunt to ArgoCD/Kustomize.
Adds four daily CronJobs (almalinux9-baseos, almalinux9-appstream, epel9,
openvox7) with associated PVCs and ConfigMaps in the reposync namespace.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #78
2026-03-27 16:26:35 +11:00
unkinben 95c9302aa8 feat: enable downloading tea (#77)
- enable downloading the tea prebuilt binaries

Reviewed-on: #77
2026-03-26 14:02:15 +11:00
unkinben e269220228 fix: clone r10k config to /tmp/r10k-config instead of /shared (#76)
The g10k-code cronjob was failing with "Permission denied" because the
container (running as uid 999, non-root) attempted to create /shared in
the container root filesystem, which is not writable. Clone to /tmp
which is always writable by unprivileged users.

Reviewed-on: #76
2026-03-24 19:25:06 +11:00
unkinben 1388875685 fix: remove shared-config PVC from g10k cronjob, clone r10k config directly (#75)
The RWO puppetserver-shared-config PVC caused multi-attach errors when
the cronjob pod was scheduled on a different node than the previous run,
stalling the init container indefinitely. Since the config only needs to
exist for the duration of the job, remove the init container and PVC
entirely and clone the r10k config directly into /shared within the main
container before running g10k.

Reviewed-on: #75
2026-03-24 18:54:58 +11:00
unkinben 49224d4a1b fix: increase generate-types memory limit and remove invalid JVM env var (#74)
The container was OOMKilled on every run because the 256Mi limit was far
too low for `puppet generate types`. Remove PUPPETSERVER_JAVA_ARGS (only
relevant to the puppetserver JVM, not the puppet CLI) and raise the
memory limit to 1Gi / request 512Mi.

Reviewed-on: #74
2026-03-24 18:51:46 +11:00
unkinben 28dc8dc238 feat: update gems for puppet (#73)
- add deep_merge, ipaddr, and hiera-eyaml gems
- pin intel-device-plugins to 0.35.0

Reviewed-on: #73
2026-03-24 18:33:03 +11:00
unkinben 33420e1286 revert: remove filemapper gem install (#72)
filemapper is not available on RubyGems under that name and was causing
puppetserver-compiler to crash loop. The interfaces provider that
requires puppetx/filemapper is Debian-specific and should not be loaded
on RedHat-based puppetservers.

Reviewed-on: #72
2026-03-24 18:22:23 +11:00
unkinben 0fc1268c51 fix: install filemapper gem and deploy generate-types cronjob (#71)
The network module's interfaces provider requires puppetx/filemapper
which was not installed, causing catalog compilation failures with
"no such file to load -- puppetx/filemapper".

Adds filemapper to additional-ruby-gems.sh for puppetserver/compiler
pods, installs it directly in the generate-types cronjob (which has no
access to that script), and adds cronjob_generate-types.yaml to the
kustomization so the CronJob is actually deployed.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #71
2026-03-22 00:03:33 +11:00
unkinben c0d95b71a7 fix: connect puppetboard to puppetdb over SSL on port 8081 (#70)
Puppetboard was connecting to PuppetDB on port 8080 (plain HTTP), causing
403 Forbidden errors on the /metrics/v2 Jolokia endpoint which requires
HTTPS with a Puppet certificate. Also replaced the invalid
PUPPETDB_SSL_SKIP_VERIFY var with the correct PUPPETDB_SSL_VERIFY,
PUPPETDB_CERT, and PUPPETDB_KEY pointing to the certs already generated
by the cert-generator init container.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #70
2026-03-22 00:01:54 +11:00
unkinben 2a96d9e948 feat: add PuppetDB read-only database user and pooler (#69)
PuppetDB requires a separate read-only database user for its read pool.
Without it, it refuses to use the write user for read queries and all
/pdb/query/v4 calls fail with a 500.

- Add puppetdb_read role via CNPG managed.roles with password sourced
  from a new postgres-read-credentials Vault secret
- Grant CONNECT, USAGE, SELECT and default privileges to puppetdb_read
  via postInitApplicationSQL (must also be run manually on existing cluster)
- Add puppet-postgres-pooler-ro Pooler (type: ro) routing to replicas
- Add puppetdb-read-database-conf ConfigMap with read-database.conf
  mounted into /etc/puppetlabs/puppetdb/conf.d/ in the PuppetDB deployment
- Wire OPENVOXDB_READ_POSTGRES_* env vars from the new secret

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #69
2026-03-21 23:31:01 +11:00
unkinben b49e8d3647 chore: change back to puppetdb:8081 (#68)
- puppetdb requires access via 8081 from puppetservers
- puppetservers do not trust the certificate via ingress

Reviewed-on: #68
2026-03-21 22:50:46 +11:00
unkinben 5f227939bc feat: add CronJob to generate Puppet types for all environments (#67)
- add kubernetes CronJob that runs every 5 minutes to automatically generate Puppet types for all environments in the code directory.

Reviewed-on: #67
2026-03-21 17:39:03 +11:00
unkinben ffc861daa7 fix: update puppet.conf with main/server/user (#66)
- master config section is not used
- server contains all settings specifically for a server (puppet, puppet ca)
- user is for all puppet <command> tooling, like 'puppet generate'

Reviewed-on: #66
2026-03-21 17:16:15 +11:00
unkinben 47bd341371 chore: tidy initContainers (#65)
- make initcontainers easier to read/follow

Reviewed-on: #65
2026-03-21 17:16:07 +11:00
unkinben ee9ec23f6f chore: use docker not container (#64)
was referencing the main branch of upstream container, not the one I am
actually using. s/container/docker/

Reviewed-on: #64
2026-03-21 16:47:02 +11:00
unkinben 3f355bbfd3 feat: add custom entrypoint script for additional Ruby gems (#63)
Add support for installing additional Ruby gems via custom entrypoint script.
The script is mounted as a ConfigMap into /container-custom-entrypoint.d/
and will be executed during Puppetserver container startup.

Reviewed-on: #63
2026-03-21 16:01:46 +11:00
unkinben 00cbb6a817 fix: update ENC script CA certificate path (#62)
- Mount vault-ca-cert secret at /opt/vault-ca-cert.crt in both deployments
- Update cobbler-enc script to use correct CA certificate path
- Resolves OSError about missing TLS CA certificate bundle

Reviewed-on: #62
2026-03-20 23:05:35 +11:00
unkinben f474c5c530 feat: add shared bins volume for uv and cobbler-enc (#61)
- Add puppet-shared-bins PVC (10GB) for shared binaries
- Mount /opt/bin in both compiler and master deployments
- Add init container to install uv binary and cobbler script to shared volume
- Update cobbler-enc to use absolute path and uv cache directory
- Configure puppet.conf to reference cobbler-enc from /opt/bin

Reviewed-on: #61
2026-03-20 22:49:31 +11:00
unkinben c1ea6e1e81 fix: update puppet.conf to point to enc (#60)
enc script is in /etc/puppetlabs/puppet to ensure it's copied during the init container phase

Reviewed-on: #60
2026-03-20 21:34:40 +11:00
unkinben 3553e9f6dd refactor: simplify DNS alt names for puppetserver compiler (#59)
Remove individual compiler pod DNS names and use generic puppetserver-compiler name instead.

Reviewed-on: #59
2026-03-20 21:27:04 +11:00
unkinben 6decc45e65 fix: use http port for puppetdb (#58)
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): puppetdb:8081
ERROR:pypuppetdb.api.base:Could not reach PuppetDB on puppetdb:8081 over HTTP.

- puppetdb_host assumes HTTP when not verifying ssl

Reviewed-on: #58
2026-03-20 21:26:52 +11:00
unkinben c2d23aaeae refactor: convert puppetserver compilers to deployment with configmap integration (#57)
- Convert StatefulSet to Deployment for better scaling flexibility
- Add initContainer to copy configmaps to shared RWX volume (10GB)
- Integrate puppetserver-compiler-config configmap for environment variables
- Configure configMapGenerator with stable names (disableNameSuffixHash)
- Update HPA to target Deployment instead of StatefulSet
- Simplify puppetboard SSL config to skip verification for internal connections

Reviewed-on: #57
2026-03-20 20:47:36 +11:00
unkinben f25117ab7f testing via ingress for puppetdb (#56)
Reviewed-on: #56
2026-03-20 00:00:41 +11:00
unkinben 47b894c450 enable debugging for puppetboard (#55)
Reviewed-on: #55
2026-03-19 23:56:49 +11:00
unkinben 059992f6a3 fix: external access to puppetdb (#53) (#54)
- use vault cert for puppetdb ingress

Reviewed-on: #53

Reviewed-on: #54
2026-03-19 23:32:27 +11:00
unkinben 6ffb0898a4 fix: external access to puppetdb (#53)
- use vault cert for puppetdb ingress

Reviewed-on: #53
2026-03-19 23:26:02 +11:00
unkinben 30d56030b5 fix: increase number of cnpg_pooler_connections (#52)
in previous puppet installs, the puppetdb api service opens MANY
connections. we need to increase the number to greater than 300.

Reviewed-on: #52
2026-03-19 18:37:03 +11:00
unkinben 504d4ae7c9 fix: enable PuppetDB HTTPS support with automatic SSL certificate generation (#51)
This enables secure HTTPS communication to PuppetDB, required for other puppet related services

- make use of USE_OPENVOXSERVER flag

Reviewed-on: #51
2026-03-19 17:06:49 +11:00
unkinben 24d09744e3 git commit -m "fix: configure PuppetDB HTTPS connections and add Puppetboard SSL support (#50)
- Update PuppetDB connections from HTTP (8080) to HTTPS (8081)
- Add automatic certificate generation for Puppetboard using Puppet CA
- Implement initContainers for proper certificate provisioning before app start
- Add dedicated PVC for Puppetboard certificates with RWX access
- Configure SSL verification and client authentication for secure PuppetDB access

Reviewed-on: #50
2026-03-19 16:34:41 +11:00
unkinben 301f8dcc1a fix: add NodeFeatureRule and Intel device plugin permissions to platform project (#49)
- Add nfd.k8s-sigs.io/NodeFeatureRule for node-feature-discovery
- Add deviceplugin.intel.com/* for Intel device plugins (GpuDevicePlugin, etc.)
- Add cert-manager.io resources (Certificate, Issuer) for Intel device plugins

Reviewed-on: #49
2026-03-19 02:20:32 +11:00
unkinben dfbb315522 feat: migrate node-feature-discovery and inteldeviceplugins-system to platform project (#48)
- Add node-feature-discovery and inteldeviceplugins-system to platform project
- Convert intel-nfd-rules from local Helm chart to static NodeFeatureRule manifests
- Add required Helm repositories (NFD OCI registry and Intel charts)
- Create base configurations with Helm charts and overlay structures
- Update platform ApplicationSet and project permissions

Reviewed-on: #48
2026-03-19 02:14:45 +11:00
unkinben d641f630e9 fix: change puppet compilers to use HTTP for internal puppetdb connections (#47)
This resolves SSL certificate verification failures preventing puppetdb access

- Update OPENVOXDB_SERVER_URLS from https://puppetdb:8081 to http://puppetdb:8080
- External access to puppetdb will still use HTTPS via ingress
- Internal cluster communication does not require encryption

Reviewed-on: #47
2026-03-19 01:51:11 +11:00
unkinben c157774033 fix: enable ServerSideApply for ArgoCD ApplicationSets (#46)
- resolve CRD annotation size limit errors by enabling server-side apply
- add storage ApplicationSet and project to kustomization files

Reviewed-on: #46
2026-03-19 01:37:56 +11:00
unkinben 90f793464b feat: migrate CSI drivers to dedicated storage project (#45)
- Migrate csi-cephfs from Terraform to ArgoCD
- Migrate csi-cephrbd from Terraform to ArgoCD
- Create dedicated storage project and ApplicationSet for CSI drivers
- Add csi-* pattern matching in storage ApplicationSet
- Remove CSI apps from platform project to separate concerns

Reviewed-on: #45
2026-03-19 01:29:31 +11:00
unkinben 06a8f98b5c feat: migrate cnpg-system from Terraform to ArgoCD (#44)
- Add cnpg-system base ArgoCD application with namespace
- Create cnpg-system overlay for au-syd1 with CloudNativePG Helm chart
- Update platform ApplicationSet to include cnpg-system deployment
- Configure cloudnative-pg operator v0.27.0 with HA and resource limits
- Maintain one-to-one migration from Terraform configuration

Reviewed-on: #44
2026-03-19 01:25:50 +11:00
unkinben 0bf6e80d6f feat: migrate externaldns from Terraform to ArgoCD (#43)
- Add externaldns base ArgoCD application with namespace and Vault integration
- Create externaldns overlay for au-syd1 with Helm chart configuration
- Update platform ApplicationSet to include externaldns deployment
- Configure external-dns v1.19.0 with RFC2136 provider for DNS updates
- Maintain one-to-one migration from Terraform configuration including TSIG secrets

Reviewed-on: #43
2026-03-19 01:22:39 +11:00
unkinben ed300fabed feat: migrate cert-manager from Terraform to ArgoCD (#42)
- Add cert-manager base ArgoCD application with namespace, RBAC resources
- Create cert-manager overlay for au-syd1 with Helm chart configuration
- Update platform ApplicationSet to include cert-manager deployment
- Configure cert-manager v1.19.2 with jetstack Helm repository
- Maintain one-to-one migration from Terraform configuration

Reviewed-on: #42
2026-03-19 01:18:19 +11:00
unkinben 656aedfc53 fix: enable unscoped permissions (#41)
- add access to create priorityclass resources in platform applicationset

Reviewed-on: #41
2026-03-19 01:03:54 +11:00
unkinben ea71ebb55b feat: migrate cattle-system (Rancher) from Terraform to ArgoCD (#39)
- Add cattle-system base ArgoCD application with namespace, Vault integration, and ingress
- Create cattle-system overlay for au-syd1 with Rancher Helm chart configuration
- Update platform ApplicationSet to include cattle-system deployment
- Update platform project to include Rancher Helm repository as source
- Configure Rancher v2.13.1 with HA, TLS, audit logging, and bootstrap secret from Vault
- Maintain one-to-one migration from Terraform configuration

Reviewed-on: #39
2026-03-19 00:56:39 +11:00
unkinben 5255c78927 chore: bump kubetest container (#40)
unkin/packer-images#43

Error: Error: chart requires kubeVersion: < 1.35.0-0 which is incompatible with Kubernetes v1.35.0

Reviewed-on: #40
2026-03-19 00:55:30 +11:00
unkinben 8207935d36 fix: cannot write to certificates namespace (#38)
- enable the platform application to write to certificates namespace

Reviewed-on: #38
2026-03-19 00:20:39 +11:00
unkinben 3f282fbdc2 feat: migrate certificates from Terraform to ArgoCD (#37)
- Add certificates base ArgoCD application with namespace and Vault CA certificate secret
- Create certificates overlay for au-syd1 with static certificate configuration
- Update platform ApplicationSet to include certificates deployment
- Configure Vault CA certificate with reflector annotations for cross-namespace replication
- Maintain one-to-one migration from Terraform configuration

Note: Skip no_plain_secrets hook as this is a public CA certificate that needs
to be replicated via reflector, not a sensitive secret

Reviewed-on: #37
2026-03-19 00:16:33 +11:00
unkinben 3961fe4e68 fix: annotations, not labels (#36)
<picard face palm gif>

- purelb requires annotations not labels

Reviewed-on: #36
2026-03-18 15:17:58 +11:00
unkinben e86cd7a6ae feat: ensure puppet is available externally (#35)
- change puppet/puppetca -> LoadBalancer
- dedicate IPs for puppet and puppetca loadbalancers
- name the puppetserver port
- remove puppet/puppetca ingress

Reviewed-on: #35
2026-03-18 15:07:25 +11:00
unkinben 88fe895409 fix: puppetboard port issues (#34)
service / ingress / deployment mismatch, attempt 2

Reviewed-on: #34
2026-03-18 14:31:43 +11:00
unkinben 687a7f1ffd fix: svc/puppetboard forwarding to wrong port (#33)
puppetboard uses `PUPPETBOARD_PORT` to specify the port, otherwise it
listens on tcp/80

```
ENV PUPPETBOARD_PORT 80
ENV PUPPETBOARD_HOST 0.0.0.0
ENV PUPPETBOARD_STATUS_ENDPOINT /status
ENV PUPPETBOARD_SETTINGS docker_settings.py
EXPOSE 80
```

- change svc/puppetboard to use tcp/80

Reviewed-on: #33
2026-03-18 14:25:00 +11:00
unkinben 64fb4da04c fix: puppetboard tcp is not a valid port (#32)
puppetdb_port has tcp:// in it, even though we pass the correct variable
in from a configmap.

```
ben@metabox ~/s/p/argocd-apps> kubectl --context admin run debug-pod --image=busybox --rm -it --restart=Never -n puppet -- env | grep -i puppetdb_port
PUPPETDB_PORT_8081_TCP_PORT=8081
PUPPETDB_PORT_8081_TCP_PROTO=tcp
PUPPETDB_PORT=tcp://10.43.101.142:8080
PUPPETDB_PORT_8080_TCP=tcp://10.43.101.142:8080
PUPPETDB_PORT_8080_TCP_ADDR=10.43.101.142
PUPPETDB_PORT_8081_TCP=tcp://10.43.101.142:8081
PUPPETDB_PORT_8080_TCP_PROTO=tcp
PUPPETDB_PORT_8081_TCP_ADDR=10.43.101.142
PUPPETDB_PORT_8080_TCP_PORT=8080
```

Reviewed-on: #32
2026-03-18 12:51:54 +11:00
unkinben 35f00858ae fix: puppet-compiler can't find ca (#31)
the puppetca is not pointing to the puppetmasters which prevents the
puppet-compilers from starting, preventing puppetdb/puppetboard from
starting.

- point puppetca service -> puppetserver-master

Reviewed-on: #31
2026-03-18 12:39:38 +11:00
unkinben 276d8c1d78 fix: update service names and references (#30)
updating all the names of services and their respective filenames to
better match the way puppet infra is used in my lab.

- puppet -> the compilers
- puppetca -> the master(s)
- puppetdb -> the puppetdb
- puppetboard -> puppetboard

updated references to these services in all other definitions I could find

note: need a good way to test these changes with argocd

Reviewed-on: #30
2026-03-18 12:19:57 +11:00
unkinben df1b9a5685 feat: complete puppet infrastructure (#29)
complete the implementation of puppet in kubernetes, taking many
features from the openvox helm chart and improving on them. changes from
helm are:
- using vault for storing secrets
- using g10k instead of r10k
- using a single shared g10k cronjob for all masters/compilers
- using a single shared /etc/puppetlabs/code directory (shared, cephfs)

changes:
- deploy puppet master and compiler servers with statefulset/deployment
- deploy puppetdb with postgresql backend, taking advantage of cnpg cluster and pooler
- deploy puppetboard
- all supporting configmaps, services, ingresses, and hpas
- added vaultstaticsecret for eyaml private keys
- configured secure mounting of eyaml keys at /var/lib/puppet/keys/
- updated base kustomization to include all 23 new puppet resource files

Reviewed-on: #29
2026-03-17 20:25:11 +11:00
unkinben 13de81a192 chore: cleanup r10k cache (#28)
g10k hardlinks, so requires that the cache and code be in the same pvc.
updated r10k repository with cachedir in same pvc, and so now I can
remove these unused pvcs from argo.

unkin/puppet-r10k#4

Reviewed-on: #28
2026-03-17 19:05:21 +11:00
unkinben 02877b6385 fix: include puppet pvc yaml (#27)
- ensure the persistentvolumeclaims.yaml is included in kustomize

Reviewed-on: #27
2026-03-09 01:33:40 +11:00
unkinben b4d6fede98 chore: use specific images for ci tests (#26)
- kubetest contains required rpms
- base contains uv/make

Reviewed-on: #26
2026-03-09 01:13:33 +11:00
unkinben 14e3946d4b feat: initial puppet deployment (#25)
working towards a larger, redundant, autoscaling and simple puppet
implementation in kubernetes. this was originally based on the openvox
helm chart with several improvements (not all in this pr)

- use of cnpg instead of single bitnamilegacy postgres container
- use of g10k instead of r10k
- run one instance of g10k per namespace, instead of per-pod
- only keep one copy of the environments/branches (instead of per-pod)
- change g10k to native cronjob instead of hacky implementation
- use vault secrets

part one adds:

- cnpg puppetdb pgsql cluster
- cnpg puppetdb pgpooler
- persistent volume claims for puppet, puppetdb, the code repository, etc

Reviewed-on: #25
2026-03-09 01:10:30 +11:00
unkinben 68b753d7fa chore: reload woodpecker (#24)
- add reloader annotations to woodpecker agent/server

Reviewed-on: #24
2026-03-07 16:02:39 +11:00
unkinben d7b661a619 chore: set WOODPECKER_ADMIN (#23)
- enable admin features for myself

Reviewed-on: #23
2026-03-07 15:47:42 +11:00
unkinben 2f6a56d15e chore: add rarlab remote (#22)
- cache rarlab packages
- found they disappear when a new release is available

Reviewed-on: #22
2026-03-07 12:14:04 +11:00
unkinben 563b81c5d2 feat: updates for artifactapi (#21)
- remove replicas (rely on horizontal-pod-scaler)
- add raw.githubusercontent.com remote

Reviewed-on: #21
2026-03-07 00:49:30 +11:00
unkinben e2ada738f8 fix: remove configmap hash (#20)
prevent the automatic hashing of configmaps

Reviewed-on: #20
2026-03-06 22:11:11 +11:00
unkinben 61b3546c2c fix: copy/paste error (#19)
- use correct role for artifactapi to access vault

Reviewed-on: #19
2026-03-06 21:46:01 +11:00
unkinben 05a88459a5 chore: migrate artifactapi to kustomize (#18)
- migrate terraform deployment to kustomize

Reviewed-on: #18
2026-03-06 21:35:47 +11:00
unkinben 0894e51ad5 feat: manage woodpecker-agent-secret in vault (#17)
- unkin/terraform-vault#60

Reviewed-on: #17
2026-03-06 18:33:21 +11:00
unkinben f9a8dca060 chore: change max workflows to string (#16)
WOODPECKER_MAX_WORKFLOWS shows no value in the pod's environment, trying
as a string instead

Reviewed-on: #16
2026-03-03 23:14:05 +11:00
unkinben 46e11dd05e chore: increase agents to 3 (#15)
- increase woodpecker agents to 3 for parallel jobs

Reviewed-on: #15
2026-03-03 23:02:15 +11:00
unkinben 244d1b5baa fix: remove revision for pooler (#14)
- artifact from migrating yaml from k8s to argocd

Reviewed-on: #14
2026-03-03 22:50:45 +11:00
unkinben dbd8914013 feat: migrate woodpecker to argocd (#13)
- move woodpecker helm chart deployment to argocd
- move cnpg resources
- move vault resources

Reviewed-on: #13
2026-03-03 22:24:17 +11:00
185 changed files with 6807 additions and 85 deletions
+1 -2
@@ -3,7 +3,6 @@ when:
steps:
- name: kubeconform
image: git.unkin.net/unkin/almalinux9-base:latest
image: git.unkin.net/unkin/almalinux9-kubetest:20260319
commands:
- dnf install make kustomize kubeconform helm -y
- make kubeconform
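Review bot: pinning the kubeconform step to `almalinux9-kubetest:20260319` instead of `almalinux9-base:latest` is the right move for reproducible CI, but the rendered hunk (no `+`/`-` markers survive) still shows `dnf install make kustomize kubeconform helm -y`, which fetches unpinned packages at job time; if that line is still present after the change the image pin buys little, and if it was the second removed line that the `+1 -2` stat implies, consider going one step further and pinning the image by digest so the lint toolchain cannot drift without a reviewed change.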
+1 -2
@@ -3,7 +3,6 @@ when:
steps:
- name: pre-commit
image: git.unkin.net/unkin/almalinux9-base:latest
image: git.unkin.net/unkin/almalinux9-base:20260308
commands:
- dnf install uv make -y
- uvx pre-commit run --all-files
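Review bot: `uvx pre-commit run --all-files` resolves whatever pre-commit release is current when the job runs, so even with the step now pinned to `almalinux9-base:20260308` the hook runner itself is not reproducible; pin it explicitly, e.g. `uvx --from pre-commit==<version> pre-commit run --all-files` (version placeholder, pick the one the repo tests against), and rely on the `rev:` pins in `.pre-commit-config.yaml` for the hooks. The same unpinned `dnf install uv make -y` concern as in the kubeconform step applies if that line remains.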
@@ -0,0 +1,94 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: artifact-keeper-postgres
namespace: artifact-keeper
spec:
affinity:
podAntiAffinityType: preferred
bootstrap:
initdb:
database: artifact_registry
encoding: UTF8
localeCType: C
localeCollate: C
owner: registry
secret:
name: postgres-credentials
postInitSQL:
- CREATE DATABASE dependency_track OWNER registry;
- GRANT ALL PRIVILEGES ON DATABASE dependency_track TO registry;
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
instances: 3
logLevel: info
maxSyncReplicas: 0
minSyncReplicas: 0
monitoring:
customQueriesConfigMap:
- key: queries
name: cnpg-default-monitoring
disableDefaultQueries: false
enablePodMonitor: false
postgresql:
parameters:
archive_mode: "on"
archive_timeout: 5min
dynamic_shared_memory_type: posix
effective_cache_size: 256MB
full_page_writes: "on"
log_destination: csvlog
log_directory: /controller/log
log_filename: postgres
log_rotation_age: "0"
log_rotation_size: "0"
log_truncate_on_rotation: "false"
logging_collector: "on"
max_connections: "200"
max_parallel_workers: "16"
max_replication_slots: "16"
max_worker_processes: "16"
shared_buffers: 128MB
shared_memory_type: mmap
ssl_max_protocol_version: TLSv1.3
ssl_min_protocol_version: TLSv1.3
wal_keep_size: 256MB
wal_level: logical
wal_log_hints: "on"
wal_receiver_timeout: 5s
wal_sender_timeout: 5s
syncReplicaElectionConstraint:
enabled: false
primaryUpdateMethod: restart
primaryUpdateStrategy: unsupervised
probes:
liveness:
isolationCheck:
connectionTimeout: 1000
enabled: true
requestTimeout: 1000
replicationSlots:
highAvailability:
enabled: true
slotPrefix: _cnpg_
synchronizeReplicas:
enabled: true
updateInterval: 30
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
smartShutdownTimeout: 180
startDelay: 3600
stopDelay: 1800
storage:
resizeInUseVolumes: true
size: 20Gi
storageClass: cephrbd-fast-delete
switchoverDelay: 3600
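Review bot: `postInitSQL` makes `registry` the owner of `dependency_track` as well as of `artifact_registry`, so the artifact-keeper backend and Dependency-Track share one database role and one password (`postgres-credentials`); a compromise of either service reaches the other's data. Create a dedicated role for Dependency-Track (CNPG `managed.roles`, as this repo already does for `puppetdb_read` in #69), grant it only `dependency_track`, and point the dtrack deployment's `ALPINE_DATABASE_USERNAME`/password at that secret. Two smaller points: `minSyncReplicas: 0` / `maxSyncReplicas: 0` makes replication fully asynchronous, so a failover can lose the last committed writes, and `wal_level: logical` is only needed if something consumes logical replication; `replica` is the smaller attack surface otherwise.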
@@ -0,0 +1,33 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: artifact-keeper-postgres-pooler
namespace: artifact-keeper
spec:
cluster:
name: artifact-keeper-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: artifact-keeper-pooler
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- artifact-keeper-pooler
topologyKey: kubernetes.io/hostname
containers: []
type: rw
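Review bot: `instances: 2` with `default_pool_size: "100"` lets the two pgbouncer pods hold up to 200 server connections, which is exactly the cluster's `max_connections: "200"` from the preceding manifest, leaving no headroom for CNPG's own management and replication connections or for operator access; either lower `default_pool_size` or raise `max_connections`. Also, `poolMode: session` pins one server connection per connected client for the life of the session, so `max_client_conn: "400"` will queue once the 100-per-instance pool is exhausted; `transaction` mode is the usual choice unless the applications depend on session state (prepared statements, advisory locks).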
@@ -0,0 +1,20 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: config
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
data:
BIND_ADDRESS: "0.0.0.0:8080"
LOG_LEVEL: "info,artifact_keeper=debug"
STORAGE_BACKEND: "s3"
MEILISEARCH_URL: "http://meilisearch:7700"
TRIVY_URL: "http://trivy:8090"
DEPENDENCY_TRACK_URL: "http://dtrack:8080"
DEPENDENCY_TRACK_ENABLED: "true"
SCAN_WORKSPACE_PATH: "/scan-workspace"
PLUGINS_DIR: "/data/plugins"
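Review bot: `LOG_LEVEL: "info,artifact_keeper=debug"` leaves the application's own module at debug in what is otherwise the base manifest; debug output from a registry may include request details and upload metadata that should not sit in long-term logs, so keep `info` here and raise it in an overlay or a temporary patch when troubleshooting. The `MEILISEARCH_URL`, `TRIVY_URL` and `DEPENDENCY_TRACK_URL` values are plain `http://` in-cluster addresses, which matches the Services in this change but means the Dependency-Track API key the backend injects at startup (see `/shared/dtrack-api-key` in the backend Deployment) is sent in clear inside the cluster unless a mesh or NetworkPolicy constrains it.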
@@ -0,0 +1,15 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: s3-env
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
data:
S3_ENDPOINT: "https://radosgw.service.consul"
S3_BUCKET: "artifact-keeper"
S3_REGION: "ap-southeast-2"
S3_PATH_STYLE: "true"
@@ -0,0 +1,171 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: backend
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: backend
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: backend
spec:
serviceAccountName: backend
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- backend
topologyKey: kubernetes.io/hostname
initContainers:
- name: wait-for-postgres
image: postgres:16-alpine
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 100m
memory: 64Mi
command: ["/bin/sh", "-c"]
args:
- |
echo "Waiting for PostgreSQL..."
until pg_isready -h artifact-keeper-postgres-pooler -p 5432 -U registry; do
sleep 3
done
echo "PostgreSQL is ready"
- name: wait-for-meilisearch
image: alpine:3.20
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 16Mi
ephemeral-storage: 32Mi
limits:
cpu: 100m
memory: 64Mi
ephemeral-storage: 64Mi
command: ["/bin/sh", "-c"]
args:
- |
echo "Waiting for Meilisearch..."
until wget -qO- http://meilisearch:7700/health >/dev/null 2>&1; do
sleep 3
done
echo "Meilisearch is ready"
containers:
- name: backend
image: "ghcr.io/artifact-keeper/artifact-keeper-backend:dev"
imagePullPolicy: Always
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["/bin/sh", "-c"]
args:
- |
if [ -f /shared/dtrack-api-key ] && [ -s /shared/dtrack-api-key ]; then
export DEPENDENCY_TRACK_API_KEY="$(cat /shared/dtrack-api-key)"
fi
exec /usr/local/bin/artifact-keeper
ports:
- name: http
containerPort: 8080
protocol: TCP
- name: grpc
containerPort: 9090
protocol: TCP
envFrom:
- configMapRef:
name: config
- configMapRef:
name: s3-env
- secretRef:
name: s3-credentials
- secretRef:
name: app-secrets
resources:
limits:
cpu: "2"
memory: 2Gi
requests:
cpu: 250m
memory: 256Mi
livenessProbe:
httpGet:
path: /livez
port: http
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 5
volumeMounts:
- name: tmp
mountPath: /tmp
- name: storage
mountPath: /data/storage
subPath: storage
- name: storage
mountPath: /data/backups
subPath: backups
- name: storage
mountPath: /data/plugins
subPath: plugins
- name: scan-workspace
mountPath: /scan-workspace
- name: shared-config
mountPath: /shared
readOnly: true
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: storage
persistentVolumeClaim:
claimName: storage
- name: scan-workspace
persistentVolumeClaim:
claimName: scan-workspace
- name: shared-config
persistentVolumeClaim:
claimName: shared-config
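Review bot: `image: "ghcr.io/artifact-keeper/artifact-keeper-backend:dev"` together with `imagePullPolicy: Always` means any pod restart may pull a different build of a mutable tag, so what runs is not what was reviewed; pin to a release tag or, better, a digest (`@sha256:...`, placeholder) and bump it through a reviewed commit. The container also has only a `livenessProbe`; with `replicas: 2` and no `readinessProbe`, a rolling update or restart routes traffic to a pod before `/livez` reports healthy, and `exec /usr/local/bin/artifact-keeper` after reading `/shared/dtrack-api-key` means a slow start is indistinguishable from a ready pod to the Service. The pod hardening (`runAsNonRoot`, `readOnlyRootFilesystem`, `capabilities.drop: [ALL]`, `automountServiceAccountToken: false`) is good; adding `seccompProfile: {type: RuntimeDefault}` to the pod securityContext would complete the set.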
@@ -0,0 +1,111 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dtrack
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: dependency-track
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: dependency-track
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: dependency-track
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
initContainers:
- name: wait-for-postgres
image: postgres:16-alpine
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 100m
memory: 64Mi
command: ["/bin/sh", "-c"]
args:
- |
echo "Waiting for PostgreSQL..."
until pg_isready -h artifact-keeper-postgres-pooler -p 5432 -U registry; do
sleep 3
done
echo "PostgreSQL is ready"
containers:
- name: dtrack-api
image: "dependencytrack/apiserver:4.11.4"
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- name: http
containerPort: 8080
protocol: TCP
env:
- name: ALPINE_DATABASE_MODE
value: "external"
- name: ALPINE_DATABASE_URL
value: "jdbc:postgresql://artifact-keeper-postgres-pooler:5432/dependency_track"
- name: ALPINE_DATABASE_DRIVER
value: "org.postgresql.Driver"
- name: ALPINE_DATABASE_USERNAME
value: "registry"
- name: ALPINE_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
key: password
- name: ALPINE_DATA_DIRECTORY
value: "/data"
- name: ALPINE_ENFORCE_AUTHENTICATION
value: "true"
- name: ALPINE_CORS_ENABLED
value: "true"
- name: ALPINE_CORS_ALLOW_ORIGIN
value: "*"
- name: JAVA_OPTIONS
value: "-Xmx4g"
resources:
limits:
cpu: "2"
memory: 6Gi
requests:
cpu: 250m
memory: 4Gi
volumeMounts:
- name: dtrack-data
mountPath: /data
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: dtrack-data
persistentVolumeClaim:
claimName: dtrack
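Review bot: `ALPINE_CORS_ENABLED: "true"` together with `ALPINE_CORS_ALLOW_ORIGIN: "*"` opens the Dependency-Track API to every origin; the UI is published under the same host as the API (`/dtrack` on `artifacts.k8s.syd1.au.unkin.net` in the Ingress), so CORS is probably not needed at all, and if it is, pin the origin to `https://artifacts.k8s.syd1.au.unkin.net` rather than `*`. The `dtrack-api` container also defines no readiness or liveness probe, so the `dtrack` Service forwards requests during JVM start-up and the `dtrack-init` Job has to poll `/api/version` itself; an `httpGet` readiness probe on `/api/version`, `port: http`, would make the Service honest and let the Job rely on it.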
@@ -0,0 +1,154 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: meilisearch
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: meilisearch
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: meilisearch
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: meilisearch
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
initContainers:
- name: fix-ownership
image: busybox:1.37
securityContext:
runAsNonRoot: false
runAsUser: 0
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
add:
- CHOWN
- FOWNER
resources:
requests:
cpu: 10m
memory: 16Mi
ephemeral-storage: 32Mi
limits:
cpu: 100m
memory: 64Mi
ephemeral-storage: 64Mi
command: ["sh", "-c", "chown -R 1000:1000 /meili_data"]
volumeMounts:
- name: meilisearch-data
mountPath: /meili_data
- name: version-guard
image: busybox:1.37
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 100m
memory: 64Mi
command: ["sh", "-c"]
args:
- |
EXPECTED="v1.12"
VERSION_FILE="/meili_data/data.ms/VERSION"
if [ ! -f "$VERSION_FILE" ]; then
echo "No existing database, fresh start"
exit 0
fi
CURRENT=$(cat "$VERSION_FILE" 2>/dev/null || echo "unknown")
echo "Current DB version: $CURRENT, expected image: $EXPECTED"
if echo "$CURRENT" | grep -qv "$(echo $EXPECTED | sed 's/^v//')"; then
echo "Version mismatch — wiping data.ms for clean re-index"
rm -rf /meili_data/data.ms
echo "Done. Backend will re-index automatically."
else
echo "Versions match, keeping existing data"
fi
volumeMounts:
- name: meilisearch-data
mountPath: /meili_data
containers:
- name: meilisearch
image: "getmeili/meilisearch:v1.12"
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- name: http
containerPort: 7700
protocol: TCP
env:
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: app-secrets
key: MEILISEARCH_API_KEY
- name: MEILI_ENV
value: "production"
- name: MEILI_MAX_INDEXING_THREADS
value: "4"
resources:
limits:
cpu: "1"
memory: 8Gi
requests:
cpu: 250m
memory: 512Mi
readinessProbe:
httpGet:
path: /health
port: 7700
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
livenessProbe:
httpGet:
path: /health
port: 7700
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
volumeMounts:
- name: meilisearch-data
mountPath: /meili_data
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: meilisearch-data
persistentVolumeClaim:
claimName: meilisearch
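Review bot: the `version-guard` init container runs `rm -rf /meili_data/data.ms` as soon as the stored `VERSION` does not contain the expected string, with no copy kept, so a typo in `EXPECTED` or a change in the `VERSION` file format is enough to throw the whole index away on the next restart; move `data.ms` aside (a `mv` to a timestamped directory on the same volume) instead of deleting it. The comparison is also looser than it reads: `grep -qv "$(echo $EXPECTED | sed 's/^v//')"` turns `v1.12` into the unanchored regex `1.12`, where `.` matches any character, and `EXPECTED="v1.12"` duplicates the tag in `image: "getmeili/meilisearch:v1.12"` by hand. A shell pattern match such as `case "$CURRENT" in 1.12.*) ... esac` avoids regex metacharacters entirely, and the expected value should be derived from the same place as the image tag so the two cannot drift.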
@@ -0,0 +1,87 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: trivy
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: trivy
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: trivy
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: trivy
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 10000
fsGroup: 10000
containers:
- name: trivy
image: "aquasec/trivy:0.62.1"
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["trivy"]
args: ["server", "--listen", "0.0.0.0:8090", "--cache-dir", "/home/trivy/.cache"]
ports:
- name: http
containerPort: 8090
protocol: TCP
resources:
limits:
cpu: "1"
memory: 2Gi
requests:
cpu: 250m
memory: 256Mi
readinessProbe:
tcpSocket:
port: 8090
initialDelaySeconds: 15
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
livenessProbe:
tcpSocket:
port: 8090
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
volumeMounts:
- name: trivy-cache
mountPath: /home/trivy/.cache
- name: tmp
mountPath: /tmp
- name: scan-workspace
mountPath: /scan-workspace
readOnly: true
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: trivy-cache
persistentVolumeClaim:
claimName: trivy-cache
- name: scan-workspace
persistentVolumeClaim:
claimName: scan-workspace
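Review bot: `trivy server --listen 0.0.0.0:8090` is started without `--token`, so the scan API accepts requests from any pod that can reach the `trivy` Service, and this change adds no NetworkPolicy to narrow that. Either pass a shared token from `app-secrets` (`--token` on the server, the same value on the client side) or restrict ingress to the `backend` pods with a NetworkPolicy; both fit the drop-ALL, read-only-root posture the rest of this pod spec already has. Mounting `scan-workspace` as `readOnly: true` here while the backend mounts it writable is the right split.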
@@ -0,0 +1,98 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: web
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: web
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: web
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: web
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- web
topologyKey: kubernetes.io/hostname
containers:
- name: web
image: "ghcr.io/artifact-keeper/artifact-keeper-web:dev"
imagePullPolicy: Always
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- name: http
containerPort: 3000
protocol: TCP
env:
- name: NEXT_PUBLIC_API_URL
value: ""
- name: BACKEND_URL
value: "http://backend:8080"
- name: NODE_ENV
value: "production"
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 20
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 5
volumeMounts:
- name: tmp
mountPath: /tmp
- name: nextjs-cache
mountPath: /app/.next/cache
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: nextjs-cache
emptyDir:
sizeLimit: 1Gi
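Review bot: both first-party images are pulled by a mutable tag with `imagePullPolicy: Always` (`ghcr.io/artifact-keeper/artifact-keeper-web:dev` here, `artifact-keeper-backend:dev` in the backend Deployment), so every pod restart may run a different build and nothing in git records which one; for the service that is meant to be the cluster's supply-chain gate, pin by digest (`image: ...@sha256:<digest>`) or at least by an immutable version tag, as the third-party images in this change already are (`dependencytrack/apiserver:4.11.4`, `aquasec/trivy:0.62.1`).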
@@ -0,0 +1,286 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: artifact-keeper
namespace: artifact-keeper
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 10g
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: artifacts.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: artifacts.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
ingressClassName: nginx
rules:
- host: artifacts.k8s.syd1.au.unkin.net
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /health
pathType: Exact
backend:
service:
name: backend
port:
number: 8080
- path: /ready
pathType: Exact
backend:
service:
name: backend
port:
number: 8080
- path: /v2
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /maven
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /npm
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /pypi
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /nuget
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /cargo
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /gems
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /go
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /helm
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /debian
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /rpm
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /alpine
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /composer
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /conan
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /conda
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /swift
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /terraform
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /cocoapods
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /hex
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /pub
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /lfs
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /ivy
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /chef
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /puppet
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /ansible
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /cran
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /huggingface
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /jetbrains
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /vscode
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /proto
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /incus
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /ext
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /dtrack
pathType: Prefix
backend:
service:
name: dtrack
port:
number: 8080
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 3000
tls:
- hosts:
- artifacts.k8s.syd1.au.unkin.net
secretName: artifacts-tls
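Review bot: `nginx.ingress.kubernetes.io/ssl-redirect: "false"` keeps plain HTTP open on a host that terminates TLS (`artifacts-tls`), so registry credentials sent to `/v2`, `/npm`, `/pypi` and the other package paths travel in cleartext whenever a client is configured with `http://`; drop the annotation (redirect is the ingress-nginx default once TLS is configured) or set `force-ssl-redirect: "true"`. `enable-cors: "true"` is also set without `cors-allow-origin`, which ingress-nginx defaults to `*`; since the web UI and the API share this single host, the CORS annotation is likely unnecessary and can go, or be pinned to `https://artifacts.k8s.syd1.au.unkin.net`. Finally `/health` and `/ready` are published on the public host; unless external monitoring needs them, they can be left to the in-cluster probes.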
@@ -0,0 +1,70 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: dtrack-init
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: dependency-track
spec:
backoffLimit: 3
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: dependency-track
spec:
restartPolicy: OnFailure
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: dtrack-init
image: alpine:3.20
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 32Mi
ephemeral-storage: 64Mi
limits:
cpu: 200m
memory: 128Mi
ephemeral-storage: 128Mi
command: ["/bin/sh", "-c"]
args:
- |
apk add --no-cache curl jq >/dev/null 2>&1
/bin/sh /scripts/init-dtrack.sh
env:
- name: DEPENDENCY_TRACK_URL
value: "http://dtrack:8080"
- name: DEPENDENCY_TRACK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: app-secrets
key: DEPENDENCY_TRACK_ADMIN_PASSWORD
volumeMounts:
- name: init-script
mountPath: /scripts
readOnly: true
- name: shared-config
mountPath: /shared
volumes:
- name: init-script
configMap:
name: dtrack-init
defaultMode: 0755
- name: shared-config
persistentVolumeClaim:
claimName: shared-config
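Review bot: the Job installs its own tooling at run time (`apk add --no-cache curl jq`), so every run pulls unpinned packages from the Alpine mirrors, fails when egress is blocked, and is the reason this is the only container in the change without `readOnlyRootFilesystem: true`; bake `curl` and `jq` into the image (or use one that ships them) and restore the read-only root filesystem. The `shared-config` mount is writable here because the script writes the Dependency-Track API key into it, so that file needs restrictive permissions when it is created, since the volume is RWX and mounted by other pods.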
@@ -0,0 +1,33 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- serviceaccount_backend.yaml
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- configmap_app-config.yaml
- configmap_s3-env.yaml
- persistentvolumeclaims.yaml
- service_backend.yaml
- service_dtrack.yaml
- service_meilisearch.yaml
- service_trivy.yaml
- service_web.yaml
- deployment_backend.yaml
- deployment_dtrack.yaml
- deployment_meilisearch.yaml
- deployment_trivy.yaml
- deployment_web.yaml
- job_dtrack-init.yaml
- ingress.yaml
configMapGenerator:
- name: dtrack-init
files:
- resources/init-dtrack.sh
options:
disableNameSuffixHash: true
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
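Review bot: the namespace carries no Pod Security Admission labels even though almost every pod in this change is written to the `restricted` profile (`runAsNonRoot`, `allowPrivilegeEscalation: false`, `drop: [ALL]`, `automountServiceAccountToken: false`); adding `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` would turn that convention into an admission check. `restricted` cannot be enforced yet: the `fix-ownership` init container in the meilisearch Deployment runs as root with `CHOWN`/`FOWNER`, and no pod sets `seccompProfile: RuntimeDefault`, which `restricted` also requires.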
@@ -0,0 +1,78 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: storage
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteMany
storageClassName: cephfs-raid5-delete
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: scan-workspace
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteMany
storageClassName: cephfs-raid5-delete
resources:
requests:
storage: 2Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: shared-config
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteMany
storageClassName: cephfs-raid5-delete
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: dtrack
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteOnce
storageClassName: cephrbd-fast-delete
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: meilisearch
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteOnce
storageClassName: cephrbd-fast-delete
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: trivy-cache
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteOnce
storageClassName: cephrbd-fast-delete
resources:
requests:
storage: 5Gi
@@ -0,0 +1,43 @@
#!/bin/sh
set -e
DT_URL="${DEPENDENCY_TRACK_URL:-http://ak-artifact-keeper-dtrack:8080}"
DT_ADMIN_USER="admin"
DT_DEFAULT_PASS="admin"
DT_NEW_PASS="${DEPENDENCY_TRACK_ADMIN_PASSWORD}"
API_KEY_FILE="/shared/dtrack-api-key"
echo "[dtrack-init] Waiting for Dependency-Track at $DT_URL ..."
for i in $(seq 1 60); do
if curl -sf "$DT_URL/api/version" > /dev/null 2>&1; then break; fi
if [ "$i" -eq 60 ]; then echo "[dtrack-init] ERROR: timeout"; exit 1; fi
sleep 5
done
if [ -f "$API_KEY_FILE" ] && [ -s "$API_KEY_FILE" ]; then
echo "[dtrack-init] API key already provisioned -- skipping"
exit 0
fi
TOKEN=$(curl -sf -X POST "$DT_URL/api/v1/user/login" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=${DT_ADMIN_USER}&password=${DT_NEW_PASS}" 2>/dev/null || true)
if [ -z "$TOKEN" ] || echo "$TOKEN" | grep -qi "FORCE_PASSWORD_CHANGE"; then
curl -sf -o /dev/null -X POST "$DT_URL/api/v1/user/forceChangePassword" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=${DT_ADMIN_USER}&password=${DT_DEFAULT_PASS}&newPassword=${DT_NEW_PASS}&confirmPassword=${DT_NEW_PASS}"
TOKEN=$(curl -sf -X POST "$DT_URL/api/v1/user/login" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=${DT_ADMIN_USER}&password=${DT_NEW_PASS}" 2>/dev/null || true)
fi
if [ -z "$TOKEN" ]; then echo "[dtrack-init] ERROR: auth failed"; exit 1; fi
API_KEY=$(curl -sf "$DT_URL/api/v1/team" \
-H "Authorization: Bearer $TOKEN" | \
jq -r '.[] | select(.name == "Automation") | .apiKeys[0].key // empty')
if [ -z "$API_KEY" ]; then echo "[dtrack-init] ERROR: no API key"; exit 1; fi
echo "$API_KEY" > "$API_KEY_FILE"
echo "[dtrack-init] Done"
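Review bot: `DT_NEW_PASS="${DEPENDENCY_TRACK_ADMIN_PASSWORD}"` is never validated, so an unset or empty variable lets the script attempt to change the admin password to an empty string; fail fast with `: "${DEPENDENCY_TRACK_ADMIN_PASSWORD:?must be set}"`. Three further points in the same file: the password is interpolated raw into `-d "username=...&password=${DT_NEW_PASS}&..."`, so any `&`, `%` or `+` in the secret corrupts the form body, which `curl --data-urlencode "password=${DT_NEW_PASS}"` (one per field) would encode correctly; `echo "$API_KEY" > "$API_KEY_FILE"` creates the file under the default umask (typically 0644) on an RWX volume mounted by other pods, so set `umask 077` before the write; and the fallback `DT_URL` of `http://ak-artifact-keeper-dtrack:8080` is the Helm-era name while the Service in this change is `dtrack`; the Job sets `DEPENDENCY_TRACK_URL` so it works, but the default should match to avoid a misleading failure when the script is run by hand.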
@@ -0,0 +1,26 @@
---
apiVersion: v1
kind: Service
metadata:
name: backend
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: backend
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http
protocol: TCP
- name: grpc
port: 9090
targetPort: grpc
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: backend
@@ -0,0 +1,22 @@
---
apiVersion: v1
kind: Service
metadata:
name: dtrack
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: dependency-track
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: dependency-track
@@ -0,0 +1,22 @@
---
apiVersion: v1
kind: Service
metadata:
name: meilisearch
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: meilisearch
spec:
type: ClusterIP
ports:
- name: http
port: 7700
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: meilisearch
@@ -0,0 +1,22 @@
---
apiVersion: v1
kind: Service
metadata:
name: trivy
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: trivy
spec:
type: ClusterIP
ports:
- name: http
port: 8090
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: trivy
@@ -0,0 +1,22 @@
---
apiVersion: v1
kind: Service
metadata:
name: web
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: web
spec:
type: ClusterIP
ports:
- name: http
port: 3000
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: web
@@ -0,0 +1,11 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: backend
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: backend
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: artifact-keeper
spec:
allowedNamespaces:
- artifact-keeper
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
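Review bot: `serviceAccount: default` binds the Vault Kubernetes-auth role to the namespace's default ServiceAccount, the identity every pod in `artifact-keeper` receives unless it opts out; the pods in this change all set `automountServiceAccountToken: false`, so nothing here can present that token today, but any future pod that omits the flag inherits a Vault identity with access to `kv/kubernetes/namespace/artifact-keeper/default/*`. A dedicated ServiceAccount for the operator, with a matching Vault role, keeps that blast radius to the operator itself. `audiences: [vault]` and `tokenExpirationSeconds: 600` are the right settings.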
@@ -0,0 +1,51 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-credentials
namespace: artifact-keeper
spec:
destination:
create: true
name: postgres-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/artifact-keeper/default/postgres-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: app-secrets
namespace: artifact-keeper
spec:
destination:
create: true
name: app-secrets
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/artifact-keeper/default/app-secrets
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: s3-credentials
namespace: artifact-keeper
spec:
destination:
create: true
name: s3-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/artifact-keeper/default/s3-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
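Review bot: the three `VaultStaticSecret`s refresh every `5m` but declare no `rolloutRestartTargets`, and their consumers read them through `envFrom` and `secretKeyRef` (backend, dtrack, meilisearch), so a rotation in Vault updates the Kubernetes Secret without any pod picking up the new value until it happens to restart; if rotation is meant to propagate, list the Deployments under `spec.rolloutRestartTargets` (for example `- kind: Deployment` / `name: backend`). `hmacSecretData: true` is the right choice here, since it is what lets the operator detect a change and trigger that restart.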
@@ -0,0 +1,72 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: artifactapi-deployment
namespace: artifactapi
annotations:
reloader.stakater.com/auto: "true"
spec:
selector:
matchLabels:
app: artifactapi
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
spec:
automountServiceAccountToken: true
containers:
- name: artifactapi
image: git.unkin.net/unkin/almalinux9-artifactapi:latest
imagePullPolicy: Always
ports:
- containerPort: 8000
name: http
protocol: TCP
envFrom:
- configMapRef:
name: artifactapi-env
optional: false
- secretRef:
name: environment
optional: false
livenessProbe:
failureThreshold: 3
httpGet:
path: /health
port: http
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
failureThreshold: 3
httpGet:
path: /health
port: http
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: "1"
memory: 4Gi
requests:
cpu: 100m
memory: 256Mi
volumeMounts:
- mountPath: /app/remotes.yaml
mountPropagation: None
name: remotes-config
subPath: remotes.yaml
restartPolicy: Always
volumes:
- configMap:
name: remotes-config
optional: false
name: remotes-config
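Review bot: `spec.selector.matchLabels` is `app: artifactapi` but `spec.template` has no `metadata.labels`, so the pod template carries no labels and the API server rejects the Deployment on apply (`selector` does not match template `labels`); add `template.metadata.labels: {app: artifactapi}`. The `postgres-deployment` and `redis-deployment` files in this change have the same omission. Beyond that, this workload has none of the hardening the `artifact-keeper` manifests apply: `automountServiceAccountToken: true` with no visible use of the API server, no pod or container `securityContext`, and a mutable `:latest` tag with `imagePullPolicy: Always`.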
@@ -0,0 +1,41 @@
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: artifactapi-hpa
namespace: artifactapi
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: artifactapi-deployment
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 30
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 10
periodSeconds: 60
- type: Pods
value: 2
periodSeconds: 60
@@ -0,0 +1,27 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: artifactapi-env
namespace: artifactapi
data:
CONFIG_PATH: /app/remotes.yaml
DBHOST: postgres-service
DBNAME: artifacts
DBPORT: "5432"
DBUSER: artifacts
MINIO_BUCKET: artifactapi
MINIO_ENDPOINT: radosgw.service.consul
MINIO_SECURE: "true"
REDIS_URL: redis://redis-service:6379
REQUESTS_CA_BUNDLE: /etc/pki/tls/certs/ca-bundle.crt
SSL_CERT_FILE: /etc/pki/tls/certs/ca-bundle.crt
---
apiVersion: v1
kind: ConfigMap
metadata:
name: postgres-env
namespace: artifactapi
data:
POSTGRES_DB: artifacts
POSTGRES_USER: artifacts
@@ -0,0 +1,32 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: artifactapi.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: artifactapi.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
nginx.ingress.kubernetes.io/proxy-body-size: 10g
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
name: artifactapi-ingress
namespace: artifactapi
spec:
ingressClassName: nginx
rules:
- host: artifactapi.k8s.syd1.au.unkin.net
http:
paths:
- backend:
service:
name: artifactapi-api
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- artifactapi.k8s.syd1.au.unkin.net
secretName: artifactapi-tls
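Review bot: `nginx.ingress.kubernetes.io/ssl-redirect: "false"` disables the HTTPS redirect on a host that has TLS (`artifactapi-tls`), leaving plain HTTP open for a service whose Deployment pulls credentials from the `environment` Secret; remove the annotation or set `force-ssl-redirect: "true"`.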
@@ -0,0 +1,23 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- artifactapi-deployment.yaml
- artifactapi-hpa.yaml
- configmap.yaml
- ingress.yaml
- namespace.yaml
- postgres-deployment.yaml
- pvc.yaml
- redis-deployment.yaml
- services.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
configMapGenerator:
- name: remotes-config
files:
- resources/remotes.yaml
options:
disableNameSuffixHash: true
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: artifactapi
@@ -0,0 +1,76 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: postgres-deployment
namespace: artifactapi
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
selector:
matchLabels:
app: postgres
strategy:
type: Recreate
template:
spec:
automountServiceAccountToken: true
containers:
- name: postgres
image: postgres:15-alpine
imagePullPolicy: IfNotPresent
ports:
- containerPort: 5432
name: postgres
protocol: TCP
envFrom:
- configMapRef:
name: postgres-env
optional: false
- secretRef:
name: postgres-password
optional: false
readinessProbe:
exec:
command:
- pg_isready
- -U
- artifacts
- -d
- artifacts
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
livenessProbe:
exec:
command:
- pg_isready
- -U
- artifacts
- -d
- artifacts
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: 500m
memory: 1Gi
requests:
cpu: 50m
memory: 128Mi
volumeMounts:
- mountPath: /var/lib/postgresql/data
mountPropagation: None
name: pgdata
subPath: pgdata
restartPolicy: Always
volumes:
- name: pgdata
persistentVolumeClaim:
claimName: artifactapi-postgres-pgdata
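Review bot: `spec.template` has no `metadata.labels`, so it cannot satisfy `selector.matchLabels: app: postgres` and the Deployment is rejected on apply; add the label. `automountServiceAccountToken: true` is also set explicitly on a database pod that has no reason to talk to the API server. Since the `artifact-keeper` half of this commit already moves Postgres to CNPG (`cnpg_cluster.yaml`, `cnpg_pooler.yaml`), this single-replica hand-rolled Postgres with its password in the `postgres-password` Secret is a candidate for the same treatment.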
@@ -0,0 +1,28 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: artifactapi-postgres-pgdata
namespace: artifactapi
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: cephrbd-fast-delete
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: artifactapi-redis-data
namespace: artifactapi
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: cephrbd-fast-delete
volumeMode: Filesystem
@@ -0,0 +1,66 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
name: redis-deployment
namespace: artifactapi
spec:
replicas: 1
selector:
matchLabels:
app: redis
strategy:
type: Recreate
template:
spec:
containers:
- name: redis
image: redis:7-alpine
imagePullPolicy: IfNotPresent
command:
- redis-server
- --save
- "20"
- "1"
ports:
- containerPort: 6379
name: redis
protocol: TCP
livenessProbe:
exec:
command:
- redis-cli
- ping
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
exec:
command:
- redis-cli
- ping
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
volumeMounts:
- mountPath: /data
mountPropagation: None
name: data
restartPolicy: Always
volumes:
- name: data
persistentVolumeClaim:
claimName: artifactapi-redis-data
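Review bot: `redis-server --save 20 1` is started without `--requirepass`, and the ConfigMap points clients at `redis://redis-service:6379` with no credential, so any pod that can reach the Service has full read/write access to the cache; set a password from a Secret (or add a NetworkPolicy limiting ingress to the `artifactapi` pods). Two smaller points: `spec.template` has no `metadata.labels` to match `selector.matchLabels: app: redis`, so the Deployment is rejected on apply, and `deployment.kubernetes.io/revision: "1"` is a controller-managed annotation exported from a live object that should not be committed.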
@@ -0,0 +1,287 @@
remotes:
github:
base_url: "https://github.com"
type: "remote"
package: "generic"
description: "GitHub releases and files"
include_patterns:
- "apple/foundationdb/.*/libfdb_c.x86_64.so$"
- "astral-sh/ruff/.*/ruff-x86_64-unknown-linux-gnu.tar.gz$"
- "astral-sh/uv/.*/uv-x86_64-unknown-linux-gnu.tar.gz$"
- "camptocamp/prometheus-puppetdb-exporter/.*/prometheus-puppetdb-exporter-.*.linux-amd64.tar.gz$"
- "containernetworking/plugins/.*/cni-plugins-linux-amd64-.*.tgz"
- "ducaale/xh/.*/xh-.*-x86_64-unknown-linux-musl.tar.gz$"
- "etcd-io/etcd/.*/etcd-.*-linux-amd64.tar.gz$"
- "grafana/jsonnet-language-server/.*/jsonnet-language-server_.*_linux_amd64$"
- "gruntwork-io/boilerplate/.*/boilerplate_linux_amd64$"
- "gruntwork-io/terragrunt/.*terragrunt_linux_amd64.*"
- "helmfile/helmfile/.*/helmfile_.*_linux_amd64.tar.gz$"
- "helmfile/vals/.*/vals_.*_linux_amd64.tar.gz$"
- "lxc/incus/.*.tar.gz$"
- "nzbgetcom/nzbget/.*/nzbget-.*.x86_64.rpm$"
- "onedr0p/exportarr/.*/exportarr_.*_linux_amd64.tar.gz$"
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-consul_linux_amd64_.*.tar.gz$"
- "openbao/openbao-plugins/.*/openbao-plugin-secrets-nomad_linux_amd64_.*.tar.gz$"
- "prometheus/node_exporter/.*/node_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/bind_exporter/.*/bind_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/pgbouncer_exporter/.*/pgbouncer_exporter-.*.linux-amd64.tar.gz$"
- "prometheus-community/postgres_exporter/.*/postgres_exporter-.*.linux-amd64.tar.gz$"
- "rancher/rke2/.*/rke2-images.linux-amd64.tar.zst$"
- "stalwartlabs/stalwart/.*/stalwart-cli-x86_64-unknown-linux-gnu.tar.gz$"
- "stalwartlabs/stalwart/.*/stalwart-foundationdb-x86_64-unknown-linux-gnu.tar.gz$"
- "stalwartlabs/stalwart/.*/stalwart-x86_64-unknown-linux-gnu.tar.gz$"
- "terraform-linters/tflint/.*/tflint_linux_amd64.zip$"
- "tynany/frr_exporter/.*/frr_exporter-.*.linux-amd64.tar.gz$"
- "VictoriaMetrics/VictoriaLogs/.*/victoria-logs-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaLogs/.*/vlutils-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-logs-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/victoria-metrics-linux-amd64-.*-cluster.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/vlutils-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/vmutils-linux-amd64-.*.tar.gz$"
- "xorpaul/g10k/.*/g10k-.*-linux-amd64.zip$"
cache:
file_ttl: 0
index_ttl: 0
github_user:
base_url: "https://raw.githubusercontent.com"
type: "remote"
package: "generic"
description: "GitHub User Content"
include_patterns:
- "argoproj/argo-cd/.*.yaml$"
- "yannh/kubernetes-json-schema/master/.*.json$"
- "datreeio/CRDs-catalog/main/.*.json$"
cache:
file_ttl: 0
index_ttl: 0
gitea-dl:
base_url: "https://dl.gitea.com"
type: "remote"
package: "generic"
description: "Gitea download site"
include_patterns:
- "act_runner/.*/act_runner-.*-linux-amd64$"
- "tea/.*/tea-.*-linux-amd64$"
cache:
file_ttl: 0
index_ttl: 0
hashicorp-releases:
base_url: "https://releases.hashicorp.com"
type: "remote"
package: "generic"
description: "HashiCorp product releases"
include_patterns:
- "terraform/.*terraform_.*_linux_amd64\\.zip$"
- "terraform/.*terraform_.*_windows_amd64\\.zip$"
- "terraform/.*terraform_.*_darwin_amd64\\.zip$"
- "vault/.*vault_.*_linux_amd64\\.zip$"
- "vault/.*vault_.*_windows_amd64\\.zip$"
- "vault/.*vault_.*_darwin_amd64\\.zip$"
- "consul-cni/.*/consul-cni_.*_linux_amd64\\.zip$"
- "consul/.*/consul_.*_linux_amd64\\.zip$"
- "nomad-autoscaler/.*/nomad-autoscaler_.*_linux_amd64\\.zip$"
- "nomad/.*/nomad_.*_linux_amd64\\.zip$"
- "packer/.*/packer_.*_linux_amd64\\.zip$"
cache:
file_ttl: 0
index_ttl: 0
rarlab:
base_url: "https://www.rarlab.com"
type: "remote"
package: "generic"
description: "RARLab"
include_patterns:
- "rar/rarlinux-x64-.*.tar.gz"
cache:
file_ttl: 0
index_ttl: 0
alpine:
base_url: "https://dl-cdn.alpinelinux.org"
type: "remote"
package: "alpine"
description: "Alpine Linux APK package repository"
include_patterns:
- ".*/x86_64/.*\\.apk$"
cache:
file_ttl: 0
index_ttl: 7200
almalinux:
base_url: "https://gsl-syd.mm.fcix.net/almalinux"
type: "remote"
package: "rpm"
description: "AlmaLinux RPM package repository"
include_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.sqlite.*$"
- ".*/repodata/.*\\.xml.*$"
- ".*/repodata/.*\\.yaml.*$"
- ".*/install.img"
- ".*/squashfs.img"
- ".*/updates.img"
- ".*/RPM-GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
ceph-reef:
base_url: "https://download.ceph.com/rpm-reef/"
type: "remote"
package: "rpm"
description: "Ceph Reef 18"
include_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
ceph-squid:
base_url: "https://download.ceph.com/rpm-squid/"
type: "remote"
package: "rpm"
description: "Ceph Squid 19"
include_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
ceph-tentacle:
base_url: "https://download.ceph.com/rpm-tentacle/"
type: "remote"
package: "rpm"
description: "Ceph Tentacle 20"
include_patterns:
- ".*/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
epel:
base_url: "https://gsl-syd.mm.fcix.net/epel"
type: "remote"
package: "rpm"
description: "EPEL (Extra Packages for Enterprise Linux)"
include_patterns:
- ".*/Everything/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.sqlite.*$"
- ".*/repodata/.*\\.xml.*$"
- ".*/repodata/.*\\.yaml.*$"
- "RPM-GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
fedora:
base_url: "https://gsl-syd.mm.fcix.net/fedora/linux"
type: "remote"
package: "rpm"
description: "Fedora Linux RPM package repository"
include_patterns:
- "releases/.*/Everything/x86_64/.*\\.rpm$"
- "updates/.*/Everything/x86_64/.*\\.rpm$"
- "development/.*/Everything/x86_64/.*\\.rpm$"
- ".*/noarch/.*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
frr:
base_url: "https://rpm.frrouting.org/repo"
type: "remote"
package: "rpm"
description: "FRR RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
mariadb:
base_url: "http://mariadb.mirror.digitalpacific.com.au/yum"
type: "remote"
package: "rpm"
description: "MariaDB RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- ".*/RPM-GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
openvox:
base_url: "https://yum.voxpupuli.org"
type: "remote"
package: "rpm"
description: "OpenVox RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- "GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
postgresql:
base_url: "https://download.postgresql.org/pub/repos/yum"
type: "remote"
package: "rpm"
description: "PostgreSQL RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- ".*/RPM-GPG-KEY-.*$"
- ".*/PGDG-RPM-GPG-KEY-.*$"
cache:
file_ttl: 0
index_ttl: 7200
rke2:
base_url: "https://rpm.rancher.io"
type: "remote"
package: "rpm"
description: "RKE2 RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
- "public.key$"
cache:
file_ttl: 0
index_ttl: 7200
zfs:
base_url: "http://download.zfsonlinux.org"
type: "remote"
package: "rpm"
description: "ZFS RPM package repository"
include_patterns:
- ".*\\.rpm$"
- ".*/repodata/.*\\.xml.*$"
cache:
file_ttl: 0
index_ttl: 7200
local-generic:
type: "local"
package: "generic"
description: "Local generic file repository"
cache:
file_ttl: 0
index_ttl: 0
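Review bot: the `mariadb` and `zfs` remotes use plaintext base URLs (`base_url: "http://mariadb.mirror.digitalpacific.com.au/yum"` and `base_url: "http://download.zfsonlinux.org"`), so repodata and packages are proxied with no transport integrity and the only remaining protection is RPM signature verification on the client; switch both to `https://` where the mirror offers it. The `mariadb` remote also proxies its signing key (`.*/RPM-GPG-KEY-.*$`), so a client that fetches the key through the same untrusted path gains nothing from signature checks; distribute or pin the keys out of band rather than relying on the proxied copy. Several generic patterns are also loose: `rar/rarlinux-x64-.*.tar.gz` has no `$` anchor and unescaped dots, as do the VictoriaMetrics and g10k entries, so they match more paths than intended; escape the dots and anchor them the way the HashiCorp patterns already do.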
@@ -0,0 +1,51 @@
---
apiVersion: v1
kind: Service
metadata:
name: artifactapi-api
namespace: artifactapi
spec:
internalTrafficPolicy: Cluster
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
selector:
app: artifactapi
sessionAffinity: None
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: postgres-service
namespace: artifactapi
spec:
internalTrafficPolicy: Cluster
ports:
- name: postgres
port: 5432
protocol: TCP
targetPort: postgres
selector:
app: postgres
sessionAffinity: None
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: redis-service
namespace: artifactapi
spec:
internalTrafficPolicy: Cluster
ports:
- name: redis
port: 6379
protocol: TCP
targetPort: redis
selector:
app: redis
sessionAffinity: None
type: ClusterIP
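Review bot: `postgres-service` and `redis-service` are plain `ClusterIP` Services in `artifactapi` with no accompanying NetworkPolicy, so any pod in any namespace can reach Postgres on 5432 and Redis on 6379; add a NetworkPolicy that admits only `app: artifactapi` pods, since the selectors in this hunk already identify the intended client. Nothing in this hunk shows how Redis authenticates, which is worth confirming before exposing it cluster-wide.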
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: artifactapi
spec:
allowedNamespaces:
- artifactapi
kubernetes:
audiences:
- vault
role: artifactapi
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
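Review bot: `serviceAccount: default` binds the Vault role `artifactapi` to the namespace's default ServiceAccount, which every pod in `artifactapi` that does not set `serviceAccountName` receives automatically, so any such pod can obtain the Vault token; create a dedicated ServiceAccount for the operator (as the `rancher` and `externaldns` VaultAuth objects on this page do) and reference it here. `audiences: [vault]` and `tokenExpirationSeconds: 600` are good and should stay.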
@@ -0,0 +1,34 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: environment
namespace: artifactapi
spec:
destination:
create: true
name: environment
overwrite: false
hmacSecretData: true
mount: kv
path: service/artifactapi/environment
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-password
namespace: artifactapi
spec:
destination:
create: true
name: postgres-password
overwrite: true
hmacSecretData: true
mount: kv
path: service/artifactapi/postgres-password
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
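Review bot: the two VaultStaticSecret objects disagree on `overwrite` (`false` for `environment`, `true` for `postgres-password`) with no comment explaining why; with `overwrite: false` VSO will not take over a pre-existing `environment` Secret, so a stale manually created one silently wins. Neither object sets `rolloutRestartTargets`, so a password rotated in Vault and synced on the `refreshAfter: 5m` interval will not reach workloads that consume it via `env`/`envFrom` until they restart; the `externaldns-tsig` secret on this page shows the pattern to copy.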
@@ -0,0 +1,29 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: rancher
namespace: cattle-system
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: rancher.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: rancher.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: "198.18.200.0"
spec:
ingressClassName: nginx
tls:
- hosts:
- rancher.k8s.syd1.au.unkin.net
secretName: rancher-tls
rules:
- host: rancher.k8s.syd1.au.unkin.net
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: rancher
port:
number: 80
@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- ingress.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cattle-system
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: rancher
namespace: cattle-system
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- cattle-system
kubernetes:
role: rancher
serviceAccount: rancher
audiences:
- vault
tokenExpirationSeconds: 600
@@ -0,0 +1,15 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: rancher-bootstrap-secret
namespace: cattle-system
spec:
vaultAuthRef: rancher
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/rancher/bootstrap-password
refreshAfter: 5m
destination:
name: rancher-bootstrap-secret
create: true
@@ -0,0 +1,12 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-vault-token-creator
labels:
app.kubernetes.io/name: "cert-manager-config"
app.kubernetes.io/instance: "cert-manager-config"
rules:
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
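Review bot: this ClusterRole grants `create` on `serviceaccounts/token` for every ServiceAccount in every namespace, which lets the holder mint a token for any identity in the cluster; the Vault issuer only needs tokens for the `vault-issuer` ServiceAccount in `cert-manager`, so make this a namespaced `Role` in `cert-manager` and add `resourceNames: ["vault-issuer"]` to the rule.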
@@ -0,0 +1,16 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-vault-token-creator
labels:
app.kubernetes.io/name: "cert-manager-config"
app.kubernetes.io/instance: "cert-manager-config"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-vault-token-creator
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
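Review bot: this ClusterRoleBinding hands the cluster-wide token-creation right to the `cert-manager` ServiceAccount; once the rule is narrowed to a Role in `cert-manager`, replace this with a `RoleBinding` in the same namespace so the grant cannot extend beyond it.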
@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- serviceaccount.yaml
- clusterrole.yaml
- clusterrolebinding.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager
@@ -0,0 +1,11 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-issuer
namespace: cert-manager
labels:
app.kubernetes.io/name: "cert-manager-config"
app.kubernetes.io/instance: "cert-manager-config"
app.kubernetes.io/component: "vault-issuer"
automountServiceAccountToken: true
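Review bot: `automountServiceAccountToken: true` on `vault-issuer` is unnecessary, since no pod runs as this ServiceAccount; cert-manager obtains short-lived tokens for it through the TokenRequest API (the `serviceaccounts/token` permission in this change), so set it to `false` to ensure a long-lived token is never projected if a pod is ever scheduled with it.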
@@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vault-ca-cert.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: certificates
@@ -0,0 +1,59 @@
---
apiVersion: v1
kind: Secret
metadata:
name: vault-ca-cert
namespace: certificates
labels:
app.kubernetes.io/name: vault-ca-cert
app.kubernetes.io/part-of: vault-secrets-operator
annotations:
description: "Vault CA certificate replicated to all namespaces"
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""
type: Opaque
stringData:
ca.crt: |
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
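Review bot: `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""` replicates this Secret into every namespace, which is fine for a public CA certificate, but it means whoever can edit `vault-ca-cert` in `certificates` controls the trust anchor for every Vault client in the cluster; restrict write access to that namespace accordingly and treat changes to this object as a security-relevant event in audit logging.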
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cnpg-system
@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- storageclass.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: csi-cephfs
@@ -0,0 +1,83 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid6-delete
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Delete
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_6_2"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_6_2
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid6-retain
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Retain
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_6_2"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_6_2
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid5-delete
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Delete
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_4_1"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_4_1
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid5-retain
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Retain
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_4_1"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_4_1
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: ceph-csi-cephfs
namespace: csi-cephfs
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- csi-cephfs
kubernetes:
role: ceph-csi
serviceAccount: ceph-csi-cephfs-csi-cephfs-provisioner
audiences:
- vault
tokenExpirationSeconds: 600
@@ -0,0 +1,15 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: csi-cephfs-secret
namespace: csi-cephfs
spec:
vaultAuthRef: ceph-csi-cephfs
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/csi/ceph-cephfs-secret
refreshAfter: 5m
destination:
name: csi-cephfs-secret
create: true
@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- storageclass.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: csi-cephrbd
@@ -0,0 +1,39 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephrbd-fast-delete
annotations:
storageclass.kubernetes.io/is-default-class: "true"
provisioner: rbd.csi.ceph.com
reclaimPolicy: Delete
allowVolumeExpansion: true
parameters:
clusterID: "de96a98f-3d23-465a-a899-86d3d67edab8"
pool: "kubernetes"
imageFeatures: "layering"
csi.storage.k8s.io/provisioner-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/controller-expand-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/node-stage-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephrbd"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephrbd-fast-retain
provisioner: rbd.csi.ceph.com
reclaimPolicy: Retain
allowVolumeExpansion: true
parameters:
clusterID: "de96a98f-3d23-465a-a899-86d3d67edab8"
pool: "kubernetes"
imageFeatures: "layering"
csi.storage.k8s.io/provisioner-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/controller-expand-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/node-stage-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephrbd"
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: ceph-csi-rbd
namespace: csi-cephrbd
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- csi-cephrbd
kubernetes:
role: ceph-csi
serviceAccount: ceph-csi-rbd-csi-rbd-provisioner
audiences:
- vault
tokenExpirationSeconds: 600
@@ -0,0 +1,15 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: csi-rbd-secret
namespace: csi-cephrbd
spec:
vaultAuthRef: ceph-csi-rbd
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/csi/ceph-rbd-secret
refreshAfter: 5m
destination:
name: csi-rbd-secret
create: true
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: elastic-system
name: elastic-system
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: externaldns
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: externaldns
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- externaldns
kubernetes:
role: externaldns
serviceAccount: externaldns
audiences:
- vault
tokenExpirationSeconds: 600
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: externaldns-tsig
namespace: externaldns
spec:
vaultAuthRef: default
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/externaldns/tsig
refreshAfter: 5m
destination:
name: externaldns-tsig
create: true
rolloutRestartTargets:
- kind: Deployment
name: externaldns
@@ -0,0 +1,19 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
helmCharts:
- name: intel-device-plugins-operator
repo: https://intel.github.io/helm-charts/
version: "0.35.0"
releaseName: intel-device-plugins-operator
namespace: inteldeviceplugins-system
- name: intel-device-plugins-gpu
repo: https://intel.github.io/helm-charts/
version: "0.34.1"
releaseName: intel-gpu-plugin
namespace: inteldeviceplugins-system
valuesFile: values-gpu-plugin.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: inteldeviceplugins-system
@@ -0,0 +1,13 @@
---
name: intel-gpu-device-plugin
sharedDevNum: 4
logLevel: 2
enableMonitoring: true
allocationPolicy: "none"
image:
hub: intel
tag: "" # Use latest from chart
nodeSelector:
intel.feature.node.kubernetes.io/gpu: 'true'
nodeFeatureRule: true
tolerations: []
@@ -0,0 +1,152 @@
---
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
name: intel-dp-devices
namespace: node-feature-discovery
spec:
rules:
- name: "intel.dlb"
labels:
"intel.feature.node.kubernetes.io/dlb": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["2710"]}
class: {op: In, value: ["0b40"]}
- feature: kernel.loadedmodule
matchExpressions:
dlb2: {op: Exists}
- name: "intel.dsa"
labels:
"intel.feature.node.kubernetes.io/dsa": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["0b25", "11fb", "1212"]}
class: {op: In, value: ["0880"]}
- feature: kernel.loadedmodule
matchExpressions:
idxd: {op: Exists}
- name: "intel.fpga-arria10"
labels:
"intel.feature.node.kubernetes.io/fpga-arria10": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["09c4"]}
class: {op: In, value: ["1200"]}
matchAny:
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
dfl_pci: {op: Exists}
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
intel_fpga_pci: {op: Exists}
- name: "intel.gpu"
labels:
"intel.feature.node.kubernetes.io/gpu": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
class: {op: In, value: ["0300", "0380"]}
matchAny:
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
i915: {op: Exists}
- matchFeatures:
- feature: kernel.enabledmodule
matchExpressions:
i915: {op: Exists}
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
xe: {op: Exists}
- matchFeatures:
- feature: kernel.enabledmodule
matchExpressions:
xe: {op: Exists}
- name: "intel.iaa"
labels:
"intel.feature.node.kubernetes.io/iaa": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["0cfe", "1216"]}
class: {op: In, value: ["0880"]}
- feature: kernel.loadedmodule
matchExpressions:
idxd: {op: Exists}
- name: "intel.qat"
labels:
"intel.feature.node.kubernetes.io/qat": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
device: {op: In, value: ["37c8", "4940", "4942", "4944", "4946", "4948"]}
class: {op: In, value: ["0b40"]}
- feature: kernel.loadedmodule
matchExpressions:
intel_qat: {op: Exists}
matchAny:
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
vfio_pci: {op: Exists}
- matchFeatures:
- feature: kernel.enabledmodule
matchExpressions:
vfio-pci: {op: Exists}
- name: "intel.sgx"
labels:
"intel.feature.node.kubernetes.io/sgx": "true"
extendedResources:
sgx.intel.com/epc: "@cpu.security.sgx.epc"
matchFeatures:
- feature: cpu.cpuid
matchExpressions:
SGX: {op: Exists}
SGXLC: {op: Exists}
- feature: cpu.security
matchExpressions:
sgx.enabled: {op: IsTrue}
- feature: kernel.config
matchExpressions:
X86_SGX: {op: Exists}
- name: "intel.npu"
labels:
"intel.feature.node.kubernetes.io/npu": "true"
matchFeatures:
- feature: pci.device
matchExpressions:
vendor: {op: In, value: ["8086"]}
class: {op: In, value: ["1200"]}
device: {
op: In,
value: ["7e4c", "643e", "ad1d", "7d1d"]
}
matchAny:
- matchFeatures:
- feature: kernel.loadedmodule
matchExpressions:
intel_vpu: {op: Exists}
- matchFeatures:
- feature: kernel.enabledmodule
matchExpressions:
intel_vpu: {op: Exists}
@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- intel-nodefeaturerules.yaml
helmCharts:
- name: node-feature-discovery
repo: oci://gcr.io/k8s-staging-nfd/charts
version: "0.0.0-master"
releaseName: node-feature-discovery
namespace: node-feature-discovery
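Review bot: the `node-feature-discovery` chart is pulled from `oci://gcr.io/k8s-staging-nfd/charts` at `version: "0.0.0-master"`, a staging registry and a mutable tag that tracks the upstream main branch, so every ArgoCD sync may deploy different, unreviewed code with cluster-wide node-labelling privileges; pin a released chart version from the project's release registry, as the Intel charts on this page pin `0.35.0` and `0.34.1`.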
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: node-feature-discovery
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: observability
name: observability
@@ -0,0 +1,112 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: puppet-postgres
namespace: puppet
spec:
affinity:
podAntiAffinityType: preferred
bootstrap:
initdb:
database: puppetdb
encoding: UTF8
localeCType: C
localeCollate: C
owner: puppetdb
secret:
name: postgres-credentials
postInitApplicationSQL:
- CREATE EXTENSION IF NOT EXISTS pg_trgm;
- CREATE EXTENSION IF NOT EXISTS pgcrypto;
- GRANT CONNECT ON DATABASE puppetdb TO puppetdb_read;
- GRANT USAGE ON SCHEMA public TO puppetdb_read;
- GRANT SELECT ON ALL TABLES IN SCHEMA public TO puppetdb_read;
- ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO puppetdb_read;
managed:
roles:
- name: puppetdb_read
ensure: present
comment: PuppetDB read-only database user
login: true
superuser: false
createdb: false
createrole: false
inherit: true
replication: false
connectionLimit: -1
passwordSecret:
name: postgres-read-credentials
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
instances: 3
logLevel: info
maxSyncReplicas: 0
minSyncReplicas: 0
monitoring:
customQueriesConfigMap:
- key: queries
name: cnpg-default-monitoring
disableDefaultQueries: false
enablePodMonitor: false
postgresql:
parameters:
archive_mode: "on"
archive_timeout: 5min
dynamic_shared_memory_type: posix
effective_cache_size: 256MB
full_page_writes: "on"
log_destination: csvlog
log_directory: /controller/log
log_filename: postgres
log_rotation_age: "0"
log_rotation_size: "0"
log_truncate_on_rotation: "false"
logging_collector: "on"
max_connections: "200"
max_parallel_workers: "16"
max_replication_slots: "16"
max_worker_processes: "16"
shared_buffers: 128MB
shared_memory_type: mmap
ssl_max_protocol_version: TLSv1.3
ssl_min_protocol_version: TLSv1.3
wal_keep_size: 256MB
wal_level: logical
wal_log_hints: "on"
wal_receiver_timeout: 5s
wal_sender_timeout: 5s
syncReplicaElectionConstraint:
enabled: false
primaryUpdateMethod: restart
primaryUpdateStrategy: unsupervised
probes:
liveness:
isolationCheck:
connectionTimeout: 1000
enabled: true
requestTimeout: 1000
replicationSlots:
highAvailability:
enabled: true
slotPrefix: _cnpg_
synchronizeReplicas:
enabled: true
updateInterval: 30
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
smartShutdownTimeout: 180
startDelay: 3600
stopDelay: 1800
storage:
resizeInUseVolumes: true
size: 10Gi
storageClass: cephrbd-fast-delete
switchoverDelay: 3600
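Review bot: `postInitApplicationSQL` grants privileges to `puppetdb_read`, but that role is only declared under `managed.roles`, which the operator reconciles once the cluster is running, whereas `postInitApplicationSQL` executes during the initdb bootstrap job; if the role does not exist at that point the `GRANT` statements fail and bootstrap stops. Verify the ordering against the CNPG version in use and, if needed, create the role in SQL first or move the grants to a post-bootstrap step. `enableSuperuserAccess: false` and `ssl_min_protocol_version: TLSv1.3` are good defaults to keep.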
@@ -0,0 +1,66 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: puppet-postgres-pooler
namespace: puppet
spec:
cluster:
name: puppet-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler
topologyKey: kubernetes.io/hostname
containers: []
type: rw
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: puppet-postgres-pooler-ro
namespace: puppet
spec:
cluster:
name: puppet-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler-ro
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler-ro
topologyKey: kubernetes.io/hostname
containers: []
type: ro
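Review bot: the pooler sizing does not fit the cluster: each of the four pgbouncer instances has `default_pool_size: "100"`, so the two `rw` poolers alone can open 200 server connections to the primary, exactly the cluster's `max_connections: "200"`, leaving no headroom for the operator's own connections or monitoring; lower `default_pool_size` (or raise `max_connections`) so the sum across pooler instances stays well under the limit. With `poolMode: session` the pools fill to that size under load rather than multiplexing, so the worst case is reachable.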
@@ -0,0 +1,26 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetboard-config
namespace: puppet
data:
PUPPETDB_HOST: "puppetdb"
PUPPETDB_PORT: "8081"
PUPPETDB_SSL_VERIFY: "/opt/puppetboard/ssl/ca.pem"
PUPPETDB_CERT: "/opt/puppetboard/ssl/puppetboard.pem"
PUPPETDB_KEY: "/opt/puppetboard/ssl/puppetboard.key"
LOGLEVEL: "debug"
PUPPETDB_TIMEOUT: "20"
UNRESPONSIVE_HOURS: "3"
ENABLE_CATALOG: "False"
ENABLE_QUERY: "True"
LOCALISE_TIMESTAMP: "True"
OFFLINE_MODE: "True"
DEFAULT_ENVIRONMENT: "*"
REPORTS_COUNT: "40"
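Review bot: `ENABLE_QUERY: "True"` enables Puppetboard's free-form PuppetDB query page, which exposes every fact and report in PuppetDB to anyone who can reach the UI, and `LOGLEVEL: "debug"` is verbose for a production ConfigMap; set `ENABLE_QUERY` to `False` unless the UI sits behind authentication, and lower the log level to `info`.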
@@ -0,0 +1,23 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetdb-config
namespace: puppet
data:
USE_OPENVOXSERVER: "true"
OPENVOXSERVER_HOSTNAME: "puppetca"
OPENVOXSERVER_PORT: "8140"
DNS_ALT_NAMES: "openvoxdb,puppetdb,puppetdb.k8s.syd1.au.unkin.net,puppetdb.puppet.svc.cluster.local"
OPENVOXDB_POSTGRES_HOSTNAME: "puppet-postgres-pooler"
OPENVOXDB_POSTGRES_DATABASE: "puppetdb"
OPENVOXDB_POSTGRES_PORT: "5432"
OPENVOXDB_READ_POSTGRES_HOSTNAME: "puppet-postgres-pooler-ro"
OPENVOXDB_READ_POSTGRES_DATABASE: "puppetdb"
OPENVOXDB_READ_POSTGRES_PORT: "5432"
PUPPETDB_JAVA_ARGS: ""
@@ -0,0 +1,18 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetdb-read-database-conf
namespace: puppet
data:
read-database.conf: |
read-database: {
subname: "//"${OPENVOXDB_READ_POSTGRES_HOSTNAME}":"${OPENVOXDB_READ_POSTGRES_PORT}"/"${OPENVOXDB_READ_POSTGRES_DATABASE}
username: ${OPENVOXDB_READ_POSTGRES_USER}
password: ${OPENVOXDB_READ_POSTGRES_PASSWORD}
}
@@ -0,0 +1,19 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-compiler-config
namespace: puppet
data:
OPENVOXSERVER_PORT: "8140"
DNS_ALT_NAMES: "puppetserver-compiler,puppet,puppet.k8s.syd1.au.unkin.net"
OPENVOXDB_SERVER_URLS: "https://puppetdb:8081"
CA_ENABLED: "false"
CA_HOSTNAME: "puppetca"
CA_PORT: "8140"
PUPPETSERVER_JAVA_ARGS: "-Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
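Review bot: `PUPPETSERVER_JAVA_ARGS` opens a JMX remote port (`-Dcom.sun.management.jmxremote.port=31000`) with `jmxremote.authenticate=false` and `jmxremote.ssl=false`, i.e. an unauthenticated, unencrypted management interface reachable from any pod that can route to the container; either remove the `jmxremote` flags or enable authentication and TLS and restrict the port with a NetworkPolicy. The same flags recur in `puppetserver-init-config` and `puppetserver-master-config` on this page.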
@@ -0,0 +1,15 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetserver-init
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-init-config
namespace: puppet
data:
PUPPET_DATA_DIR: "/etc/puppetlabs/code/environments"
PUPPET_SSL_DIR: "/etc/puppetlabs/puppet/ssl/certs"
PUPPETSERVER_JAVA_ARGS: "-Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
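Review bot: the same unauthenticated JMX flags appear in this `PUPPETSERVER_JAVA_ARGS` as in the compiler ConfigMap; apply the same fix here so the init container does not expose an open management port either.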
@@ -0,0 +1,28 @@
apiVersion: v1
data:
check_for_masters.sh: |
#!/usr/bin/env bash
if [[ -d "$PUPPET_SSL_DIR" ]]; then
ls -la /etc/puppetlabs/puppet/ssl/certs/
echo "A Puppetserver master has already started running."
echo "Waiting to finish the generation of the Puppet SSL certs..."
sleep 5
while ! [[ -n "$(find /etc/puppetlabs/puppet/ssl/certs -name 'puppet*.pem' | head -1)" ]];
do
echo "Still waiting..."
sleep 5
done
sleep 15
echo "Puppet SSL certs have been generated. Continuing..."
else
echo "No other Puppetserver master is running. Continuing..."
fi
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-init-masters-config
namespace: puppet
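Review bot: the wait loop in `check_for_masters.sh` has no upper bound, so if the first server never writes `puppet*.pem` the init container blocks forever and the pod never reaches Running; cap it with a retry counter and exit non-zero so the failure is visible. Minor: the script tests `$PUPPET_SSL_DIR` but then hard-codes `/etc/puppetlabs/puppet/ssl/certs`, and `while ! [[ -n ... ]]` reads more clearly as `while [[ -z ... ]]`.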
@@ -0,0 +1,18 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-master-config
namespace: puppet
data:
OPENVOXSERVER_HOSTNAME: "puppet"
OPENVOXSERVER_PORT: "8140"
DNS_ALT_NAMES: "puppet,puppetserver-agents-to-puppet,puppetca,puppet-headless,puppetca.k8s.syd1.au.unkin.net,puppet.k8s.syd1.au.unkin.net"
OPENVOXDB_SERVER_URLS: "https://puppetdb:8081"
CA_ALLOW_SUBJECT_ALT_NAMES: "true"
PUPPETSERVER_JAVA_ARGS: "-Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
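Review bot: `PUPPETSERVER_JAVA_ARGS` carries the same unauthenticated, unencrypted JMX settings as the compiler ConfigMap; apply the same fix here, which matters most on the CA-serving master.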
@@ -0,0 +1,69 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: r10k-code
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: g10k-code
namespace: puppet
spec:
schedule: "*/1 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app.kubernetes.io/component: g10k-code
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
hostname: g10k-code
imagePullSecrets: null
containers:
- name: g10k-code
image: git.unkin.net/unkin/almalinux9-g10k:20260308
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
command:
- /bin/sh
- -c
args:
- |
set -e
echo "Cloning r10k config repository..."
git clone https://git.unkin.net/unkin/puppet-r10k.git /tmp/r10k-config
echo "Running g10k..."
/usr/bin/g10k -config /tmp/r10k-config/r10k.yaml
envFrom: null
env: []
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /etc/puppetlabs/code/
name: puppet-code-volume
restartPolicy: OnFailure
securityContext:
fsGroup: 999
volumes:
- name: puppet-code-volume
persistentVolumeClaim:
claimName: puppetserver-code-shared
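Review bot: `drop: - all` is lowercase; Kubernetes documents the capability value as `ALL`, so normalise it and verify in the running container that the bounding set is actually empty rather than assuming the runtime accepted the lowercase form. The job also clones `https://git.unkin.net/unkin/puppet-r10k.git` afresh every minute with no pinned ref, so whatever is on the default branch at that moment drives g10k; pinning a ref (or at least logging the commit cloned) would make code deployments reproducible and auditable. `runAsNonRoot: true` with `allowPrivilegeEscalation: false` is the right shape and should stay.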
@@ -0,0 +1,85 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: generate-types
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: generate-types
namespace: puppet
spec:
schedule: "*/5 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app.kubernetes.io/component: generate-types
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
hostname: generate-types
imagePullSecrets: null
containers:
- name: generate-types
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
/opt/puppetlabs/puppet/bin/gem install deep_merge ipaddr hiera-eyaml toml
find /etc/puppetlabs/code/environments -mindepth 1 -maxdepth 1 -type d | while read -r envdir; do
env="$(basename "$envdir")"
echo "Generating types for $env"
puppet generate types --environment "$env"
done
env: []
resources:
limits:
cpu: 300m
memory: 1Gi
requests:
cpu: 200m
memory: 512Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- CAP_AUDIT_WRITE
- CAP_FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
- AUDIT_WRITE
- FOWNER
drop:
- all
volumeMounts:
- mountPath: /etc/puppetlabs/code/
name: puppet-code-volume
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
restartPolicy: OnFailure
securityContext:
fsGroup: 999
volumes:
- name: puppet-code-volume
persistentVolumeClaim:
claimName: puppetserver-code-shared
- name: puppet-puppet-volume
persistentVolumeClaim:
claimName: puppetserver-compiler-config-shared
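Review bot: this job runs as root (`runAsUser: 0`, `runAsNonRoot: false`) every five minutes and installs unpinned gems from the network on each run (`gem install deep_merge ipaddr hiera-eyaml toml`) with no `set -e`, so a gem registry outage or a bad upstream release is pulled straight into the code PVC and a failed install still lets `puppet generate types` proceed. Bake the gems into the image or pin versions, add `set -e`, and run the job as uid 999 (the `fsGroup: 999` already prepares the volumes for that); `generate types` only needs write access to the environments directory. The `capabilities.add` list also repeats every capability in both the `CAP_CHOWN` and `CHOWN` spellings; Kubernetes uses the unprefixed names and whether the prefixed form is tolerated depends on the runtime, so keep a single spelling, ideally nothing at all once the job is non-root.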
@@ -0,0 +1,170 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetboard
namespace: puppet
spec:
selector:
matchLabels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/name: puppetserver
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
enableServiceLinks: false
initContainers:
- name: wait-puppetserver
image: curlimages/curl:8.11.1
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- |
echo 'Waiting for puppetserver to become ready...'
until printf "." && curl --silent --fail --insecure 'https://puppetca:8140/status/v1/simple' | grep -q '^running$'; do
sleep 2;
done;
echo 'Puppetserver OK ✓'
resources:
limits:
cpu: 20m
memory: 32Mi
requests:
cpu: 20m
memory: 32Mi
- name: cert-generator
image: git.unkin.net/unkin/almalinux9-base:20260308
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- |
set -e
# Set the hostname for the certificate
HOSTNAME="puppetboard"
CERT_DIR="/opt/puppetboard/ssl"
# Create certificate directory
mkdir -p ${CERT_DIR}
# Check if certificates already exist
if [ -f "${CERT_DIR}/${HOSTNAME}.pem" ] && [ -f "${CERT_DIR}/${HOSTNAME}.key" ] && [ -f "${CERT_DIR}/ca.pem" ]; then
echo "Certificates already exist for ${HOSTNAME}, skipping generation"
exit 0
fi
# Request certificate from Puppet CA for Puppetboard
echo "Requesting certificate for ${HOSTNAME} from puppetca service"
# Generate private key
openssl genrsa -out ${CERT_DIR}/${HOSTNAME}.key 2048
# Create certificate signing request (CSR)
openssl req -new -key ${CERT_DIR}/${HOSTNAME}.key \
-out /tmp/${HOSTNAME}.csr \
-subj "/CN=${HOSTNAME}"
# Submit CSR to Puppet CA
echo "Submitting certificate request to Puppet CA..."
curl -X PUT \
--insecure \
--data-binary @/tmp/${HOSTNAME}.csr \
-H "Content-Type: text/plain" \
https://puppetca:8140/puppet-ca/v1/certificate_request/${HOSTNAME}
# Wait for certificate to be signed (poll the CA)
echo "Waiting for certificate to be signed..."
for i in {1..30}; do
if curl --insecure -f -s https://puppetca:8140/puppet-ca/v1/certificate/${HOSTNAME} > ${CERT_DIR}/${HOSTNAME}.pem; then
echo "Certificate received for ${HOSTNAME}"
break
fi
echo "Attempt $i: Certificate not ready yet, waiting 10 seconds..."
sleep 10
done
# Verify we got the certificate
if [ ! -f "${CERT_DIR}/${HOSTNAME}.pem" ] || [ ! -s "${CERT_DIR}/${HOSTNAME}.pem" ]; then
echo "Failed to obtain certificate for ${HOSTNAME}"
exit 1
fi
# Get CA certificate
curl --insecure -f https://puppetca:8140/puppet-ca/v1/certificate/ca > ${CERT_DIR}/ca.pem
# Set appropriate permissions
chmod 644 ${CERT_DIR}/${HOSTNAME}.pem
chmod 600 ${CERT_DIR}/${HOSTNAME}.key
chmod 644 ${CERT_DIR}/ca.pem
# Change ownership to puppetboard user (1000:1000)
chown -R 1000:1000 ${CERT_DIR}
echo "Certificate generation completed for ${HOSTNAME}"
volumeMounts:
- name: puppetboard-certs
mountPath: /opt/puppetboard/ssl
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 50m
memory: 64Mi
securityContext:
runAsUser: 0
runAsGroup: 0
allowPrivilegeEscalation: true
containers:
- name: puppetboard
image: ghcr.io/voxpupuli/puppetboard:7.0.1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
name: puppetboard
envFrom:
- configMapRef:
name: puppetboard-config
- secretRef:
name: puppetboard-secrets
resources:
requests:
memory: 350Mi
cpu: 100m
limits:
memory: 1024Mi
cpu: 500m
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
- all
volumeMounts:
- name: puppetboard-certs
mountPath: /opt/puppetboard/ssl
readOnly: true
volumes:
- name: puppetboard-certs
persistentVolumeClaim:
claimName: puppetboard-certs
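Review bot: the `cert-generator` init container talks to the CA with `--insecure` for every request, including the one that fetches `puppet-ca/v1/certificate/ca` and stores it as `ca.pem`, the trust anchor puppetboard will use from then on; a peer on the pod network that can answer for `puppetca` during that window supplies both the CA and the signed cert. Mount the CA certificate from the `puppetserver-ca-claim` volume (or a Secret populated from it) and pass `--cacert` so at least the `certificate/` and `certificate/ca` fetches are verified. Three smaller points in the same script: `curl -X PUT` lacks `--fail`, so a rejected CSR returns 0 and `set -e` does not stop the run; `for i in {1..30}` is bash brace expansion executed under `sh` (works on AlmaLinux where `sh` is bash, loops once on dash or busybox), a POSIX `i=1; while [ $i -le 30 ]` is portable; and `allowPrivilegeEscalation: true` is not needed to write files and `chown` as root, set it to `false` and add `capabilities.drop: [ALL]` plus `CHOWN`/`FOWNER`. The `wait-puppetserver` init container here has no `securityContext` at all while the identical container in the puppetdb Deployment runs as 1000/non-root; copy that block over.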
@@ -0,0 +1,172 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetdb
namespace: puppet
spec:
selector:
matchLabels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/name: puppetserver
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
hostname: puppetdb
imagePullSecrets: null
containers:
- name: puppetdb
image: ghcr.io/openvoxproject/openvoxdb:8.9.0-main
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 1
memory: 1536Mi
requests:
cpu: 250m
memory: 512Mi
ports:
- containerPort: 8080
name: pdb-http
- containerPort: 8081
name: pdb-https
envFrom:
- configMapRef:
name: puppetdb-config
env:
- name: OPENVOXDB_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgres-credentials
- name: OPENVOXDB_POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgres-credentials
- name: OPENVOXDB_READ_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgres-read-credentials
- name: OPENVOXDB_READ_POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgres-read-credentials
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- CAP_FOWNER
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
drop:
- all
volumeMounts:
- mountPath: /opt/puppetlabs/server/data/puppetdb
name: puppetdb-storage
- mountPath: /etc/puppetlabs/puppetdb/conf.d/read-database.conf
name: puppetdb-read-database-conf
subPath: read-database.conf
initContainers:
- name: create-log-dir
image: docker.io/busybox:1.37
command:
- sh
- -c
args:
- mkdir -p /opt/puppetlabs/server/data/puppetdb/logs && chown 999:999 /opt/puppetlabs/server/data/puppetdb/logs
resources:
limits:
cpu: 20m
memory: 32Mi
requests:
cpu: 20m
memory: 32Mi
securityContext:
runAsUser: 0
volumeMounts:
- mountPath: /opt/puppetlabs/server/data/puppetdb
name: puppetdb-storage
- name: pgchecker
image: docker.io/busybox:1.37
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
echo 'Waiting for PostgreSQL to become ready...'
until printf "." && nc -z -w 2 puppet-postgres-pooler 5432; do
sleep 2;
done;
echo 'PostgreSQL OK ✓'
resources:
limits:
cpu: 20m
memory: 32Mi
requests:
cpu: 20m
memory: 32Mi
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
- name: wait-puppetserver
image: curlimages/curl:8.11.1
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
echo 'Waiting for puppetserver to become ready...'
until printf "." && curl --silent --fail --insecure 'https://puppetca:8140/status/v1/simple' | grep -q '^running$'; do
sleep 2;
done;
echo 'Puppetserver OK ✓'
resources:
limits:
cpu: 20m
memory: 32Mi
requests:
cpu: 20m
memory: 32Mi
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
volumes:
- name: puppetdb-storage
persistentVolumeClaim:
claimName: puppetserver-puppetdb-claim
- name: puppetdb-read-database-conf
configMap:
name: puppetdb-read-database-conf
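Review bot: the `puppetdb` container sets `allowPrivilegeEscalation: false` and drops capabilities but never sets `runAsUser`/`runAsNonRoot`, so the effective user is whatever the image's `USER` happens to be; add `runAsNonRoot: true` and `runAsUser: 999` to match the `chown 999:999` the `create-log-dir` init container performs. `create-log-dir` itself runs as root with no `capabilities.drop`, no `allowPrivilegeEscalation: false` and no `imagePullPolicy`; a `mkdir`+`chown` needs only `CHOWN`/`FOWNER`, so give it the same hardened block as `pgchecker`. As in the other manifests, the `capabilities.add` list carries each capability twice (`CAP_FOWNER` and `FOWNER`); keep one spelling. Minor: `docker.io/busybox:1.37` here versus `busybox:1.35` in the compiler Deployment, pick one.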
@@ -0,0 +1,248 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-compiler
namespace: puppet
spec:
selector:
matchLabels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/name: puppetserver
template:
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
hostname: puppetserver-compiler
imagePullSecrets: null
containers:
- name: puppetserver
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 2
memory: 3072Mi
requests:
cpu: 500m
memory: 1024Mi
ports:
- containerPort: 8140
name: puppetserver
envFrom:
- configMapRef:
name: puppetserver-compiler-config
env:
- name: OPENVOXSERVER_HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
livenessProbe:
failureThreshold: 3
periodSeconds: 30
successThreshold: 1
tcpSocket:
port: 8140
timeoutSeconds: 10
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/v1/simple
port: 8140
scheme: HTTPS
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 20
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- CAP_AUDIT_WRITE
- CAP_FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
- AUDIT_WRITE
- FOWNER
drop:
- all
startupProbe:
failureThreshold: 30
periodSeconds: 15
tcpSocket:
port: 8140
volumeMounts:
- mountPath: /etc/puppetlabs/code/
name: puppet-code-volume
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
- mountPath: /var/lib/puppet/keys/
name: eyaml-keys
readOnly: true
- mountPath: /opt/bin/
name: puppet-shared-bins
- mountPath: /opt/vault-ca-cert.crt
name: vault-ca-cert
subPath: ca.crt
- mountPath: /docker-custom-entrypoint.d/post-startup/additional-ruby-gems.sh
name: additional-ruby-gems
subPath: additional-ruby-gems.sh
initContainers:
- name: copy-configmaps
image: busybox:1.35
command:
- sh
- -c
args:
- |
echo "Copying configmap files to shared volume..."
mkdir -p /etc/puppetlabs/puppet
cp /configmaps/puppet.conf /etc/puppetlabs/puppet/puppet.conf
cp /configmaps/puppetdb.conf /etc/puppetlabs/puppet/puppetdb.conf
cp /configmaps/autosign.conf /etc/puppetlabs/puppet/autosign.conf
echo "Configmap files copied successfully"
volumeMounts:
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
- mountPath: /configmaps/puppet.conf
name: compiler-puppet-conf
subPath: puppet.conf
- mountPath: /configmaps/puppetdb.conf
name: compiler-puppetdb-conf
subPath: puppetdb.conf
- mountPath: /configmaps/autosign.conf
name: compiler-autosign-conf
subPath: autosign.conf
- name: perms-and-dirs
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
mkdir -p /etc/puppetlabs/puppet/eyaml/keys
mkdir -p /etc/puppetlabs/code/environments
mkdir -p /etc/puppetlabs/puppet/manifests
chown -R puppet:puppet /etc/puppetlabs
chown puppet:puppet /etc/puppetlabs/puppet/r10k.yaml
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/
env:
- name: PUPPETSERVER_JAVA_ARGS
value: -Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false
resources:
limits:
cpu: 300m
memory: 256Mi
requests:
cpu: 200m
memory: 128Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- CAP_AUDIT_WRITE
- CAP_FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
- AUDIT_WRITE
- FOWNER
drop:
- all
volumeMounts:
- mountPath: /etc/puppetlabs/code/
name: puppet-code-volume
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-volume
- name: setup-shared-bins
image: git.unkin.net/unkin/almalinux9-base:20260308
command:
- sh
- -c
args:
- |
echo "Setting up shared binaries..."
mkdir -p /opt/bin
mkdir -p /opt/bin/.cache/uv
# Copy cobbler to shared bin volume
cp /configmaps/cobbler-enc /opt/bin/cobbler-enc
chmod +x /opt/bin/cobbler-enc
# Install uv to shared bin volume
cd /tmp
wget -O uv-x86_64-unknown-linux-gnu.tar.gz https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/astral-sh/uv/releases/download/0.9.20/uv-x86_64-unknown-linux-gnu.tar.gz
tar xf uv-x86_64-unknown-linux-gnu.tar.gz
cp uv-x86_64-unknown-linux-gnu/uv /opt/bin/uv
chmod +x /opt/bin/uv
echo "Shared binaries setup completed"
volumeMounts:
- mountPath: /opt/bin/
name: puppet-shared-bins
- mountPath: /configmaps/cobbler-enc
name: puppet-cobbler-enc
subPath: cobbler-enc
securityContext:
fsGroup: 999
volumes:
- name: puppet-code-volume
persistentVolumeClaim:
claimName: puppetserver-code-shared
- name: puppet-puppet-volume
persistentVolumeClaim:
claimName: puppetserver-compiler-config-shared
- name: eyaml-keys
secret:
secretName: eyaml-keys
defaultMode: 0600
- name: compiler-puppet-conf
configMap:
name: compiler-puppet.conf
- name: compiler-puppetdb-conf
configMap:
name: compiler-puppetdb.conf
- name: compiler-autosign-conf
configMap:
name: compiler-autosign.conf
- name: puppet-cobbler-enc
configMap:
name: puppet-cobbler-enc
- name: puppet-shared-bins
persistentVolumeClaim:
claimName: puppet-shared-bins
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
- name: additional-ruby-gems
configMap:
name: additional-ruby-gems
defaultMode: 0755
strategy:
type: RollingUpdate
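Review bot: `setup-shared-bins` downloads `uv` 0.9.20 with `wget` from the artifact proxy, untars it and copies the binary into the `puppet-shared-bins` PVC that every puppetserver pod mounts at `/opt/bin`, with no checksum check and no `set -e`; a failed or tampered download either leaves whatever was on the PVC before or installs an unverified binary, and the init container exits 0 either way. Add `set -e`, fetch the release's published checksum file through the same proxy and verify with `sha256sum -c` before the `cp`, or better, bake `uv` into the `almalinux9-base` image so the dependency is pinned at build time. Two loose ends in `perms-and-dirs`: it is given `PUPPETSERVER_JAVA_ARGS` including the unauthenticated `jmxremote` flags although it only runs `mkdir`/`chown` (drop the env from the init container), and `chown puppet:puppet /etc/puppetlabs/puppet/r10k.yaml` targets a file nothing in this manifest creates (`copy-configmaps` copies only `puppet.conf`, `puppetdb.conf`, `autosign.conf`), so it fails silently; either copy the file or remove the line. Also worth a second look: `autosign.conf` is shipped to the compilers although the CA runs in `puppetserver-master`.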
@@ -0,0 +1,177 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-master
namespace: puppet
spec:
selector:
matchLabels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/name: puppetserver
strategy:
type: RollingUpdate
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
spec:
hostname: puppet
imagePullSecrets: null
containers:
- name: puppetserver
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 2
memory: 3500Mi
requests:
cpu: 250m
memory: 1024Mi
ports:
- containerPort: 8140
name: puppetserver
envFrom:
- configMapRef:
name: puppetserver-master-config
livenessProbe:
failureThreshold: 3
periodSeconds: 30
successThreshold: 1
tcpSocket:
port: 8140
timeoutSeconds: 10
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/v1/simple
port: 8140
scheme: HTTPS
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 20
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- CAP_AUDIT_WRITE
- CAP_FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
- AUDIT_WRITE
- FOWNER
drop:
- all
startupProbe:
failureThreshold: 30
periodSeconds: 60
tcpSocket:
port: 8140
volumeMounts:
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-storage
- mountPath: /etc/puppetlabs/puppetserver/ca/
name: puppet-ca-storage
- mountPath: /var/lib/puppet/keys/
name: eyaml-keys
readOnly: true
- mountPath: /opt/bin/
name: puppet-shared-bins
- mountPath: /opt/vault-ca-cert.crt
name: vault-ca-cert
subPath: ca.crt
initContainers:
- name: perms-and-dirs
image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main
imagePullPolicy: IfNotPresent
command:
- sh
- -c
args:
- |
mkdir -p /etc/puppetlabs/puppet/eyaml/keys
cp /tmp/puppet/configmap/check_for_masters.sh /etc/puppetlabs/puppet/check_for_masters.sh
chown puppet:puppet /etc/puppetlabs/puppet/check_for_masters.sh
chmod +x /etc/puppetlabs/puppet/check_for_masters.sh
bash /etc/puppetlabs/puppet/check_for_masters.sh
mkdir -p /etc/puppetlabs/code/environments
mkdir -p /etc/puppetlabs/puppet/manifests
chown -R puppet:puppet /etc/puppetlabs
mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/
touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde
chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/
envFrom:
- configMapRef:
name: puppetserver-init-config
resources:
limits:
cpu: 300m
memory: 256Mi
requests:
cpu: 200m
memory: 128Mi
securityContext:
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
- CAP_DAC_OVERRIDE
- CAP_AUDIT_WRITE
- CAP_FOWNER
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
- AUDIT_WRITE
- FOWNER
drop:
- all
volumeMounts:
- mountPath: /etc/puppetlabs/puppet/
name: puppet-puppet-storage
- mountPath: /tmp/puppet/configmap/check_for_masters.sh
name: init-masters-volume
subPath: check_for_masters.sh
securityContext:
fsGroup: 999
volumes:
- name: puppet-ca-storage
persistentVolumeClaim:
claimName: puppetserver-ca-claim
- name: puppet-puppet-storage
persistentVolumeClaim:
claimName: puppetserver-puppet-claim
- configMap:
name: puppetserver-init-masters-config
name: init-masters-volume
- name: eyaml-keys
secret:
secretName: eyaml-keys
defaultMode: 0600
- name: puppet-shared-bins
persistentVolumeClaim:
claimName: puppet-shared-bins
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
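Review bot: the CA lives on `puppetserver-ca-claim` and `puppet.conf` state on `puppetserver-puppet-claim`, both mounted by a Deployment with `strategy: RollingUpdate` and no `maxSurge`/`maxUnavailable` (defaults allow a surge pod). Every rollout therefore starts a second pod that must mount the same claims: if they are RWO (the access mode is not in this hunk) the new pod cannot schedule on another node and the rollout hangs; if they are RWX, two CA instances write the same serial, inventory and CRL files concurrently. Use `strategy.type: Recreate` for the CA-bearing Deployment, or move the CA into its own single-replica workload (StatefulSet with its own claim) and let the masters be stateless. All replicas also share `hostname: puppet`; fine for certificate naming, but it hides which pod served a request in logs. The `puppetserver` container lacks `runAsNonRoot`/`runAsUser` as in the other Deployments.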
@@ -0,0 +1,37 @@
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
labels:
app.kubernetes.io/component: puppetserver-compilers
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-compiler-autoscaler
namespace: puppet
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: puppetserver-compiler
minReplicas: 2
maxReplicas: 5
metrics:
- resource:
name: cpu
target:
averageUtilization: 75
type: Utilization
type: Resource
behavior:
scaleUp:
stabilizationWindowSeconds: 60
policies:
- type: Percent
value: 50
periodSeconds: 15
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Percent
value: 25
periodSeconds: 60
@@ -0,0 +1,37 @@
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
labels:
app.kubernetes.io/component: puppetserver
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-masters-autoscaler
namespace: puppet
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: puppetserver-master
minReplicas: 2
maxReplicas: 5
metrics:
- resource:
name: cpu
target:
averageUtilization: 75
type: Utilization
type: Resource
behavior:
scaleUp:
stabilizationWindowSeconds: 60
policies:
- type: Percent
value: 50
periodSeconds: 15
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Percent
value: 25
periodSeconds: 60
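Review bot: this autoscaler targets `puppetserver-master`, the Deployment that hosts the CA on a PVC, with `minReplicas: 2` and `maxReplicas: 5`; unless the CA storage is shared safely, two to five CA instances will compete for the same certificate state. Pin the CA host to a single replica (or split the CA out, see the Deployment) and let the compiler HPA absorb catalog load; that is what the compiler pool is for.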
@@ -0,0 +1,44 @@
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-puppetboard-autoscaler
namespace: puppet
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: puppetboard
minReplicas: 2
maxReplicas: 5
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 90
behavior:
scaleUp:
stabilizationWindowSeconds: 60
policies:
- type: Percent
value: 100
periodSeconds: 15
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Percent
value: 50
periodSeconds: 60
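Review bot: the memory metric here (`averageUtilization: 90`) is computed against the container's request, `350Mi` in the puppetboard Deployment, not its `1024Mi` limit, so scale-out begins at roughly 315Mi. Long-running web workers rarely return memory to the OS, which makes a memory target a one-way ratchet: replicas go up and stay up. Scale on CPU only, or raise the request so the memory target reflects real pressure. Scaling puppetboard past one replica also means several pods mounting the `puppetboard-certs` PVC, which needs a RWX claim.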
@@ -0,0 +1,44 @@
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-puppetdb-autoscaler
namespace: puppet
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: puppetdb
minReplicas: 2
maxReplicas: 5
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 90
behavior:
scaleUp:
stabilizationWindowSeconds: 60
policies:
- type: Percent
value: 100
periodSeconds: 15
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Percent
value: 50
periodSeconds: 60
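Review bot: the memory metric is a standing scale-up signal for a JVM: PuppetDB's request is `512Mi` with a `1536Mi` limit, and a heap that has grown toward the limit never drops back below 90% of the request, so the HPA will hold `maxReplicas` once warmed up. Use the CPU metric alone, or set `requests.memory` to the expected steady-state heap so the 90% target has meaning. Multiple puppetdb replicas also share `puppetserver-puppetdb-claim`, which needs a RWX claim.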
@@ -0,0 +1,34 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
external-dns.alpha.kubernetes.io/hostname: puppetboard.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: puppetboard.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
labels:
app.kubernetes.io/component: puppetboard
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetboard
namespace: puppet
spec:
rules:
- host: puppetboard.k8s.syd1.au.unkin.net
http:
paths:
- backend:
service:
name: puppetboard
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- puppetboard.k8s.syd1.au.unkin.net
secretName: puppetboard-tls
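Review bot: nothing in this Ingress adds authentication, and puppetboard does not bring its own, so whoever can reach `puppetboard.k8s.syd1.au.unkin.net` can browse every node's facts, reports and catalogs. Put an authenticating layer in front (nginx `auth-url` to an OAuth2/OIDC proxy, or at minimum `auth-type: basic` with a Secret) or restrict with an allowlist. The `kubernetes.io/ingress.class: nginx` annotation is deprecated in favour of `spec.ingressClassName: nginx`; the TLS settings via the `vault-issuer` cluster issuer look right.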
@@ -0,0 +1,34 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
external-dns.alpha.kubernetes.io/hostname: puppetdb.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: puppetdb.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
labels:
app.kubernetes.io/component: puppetdb
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetdb
namespace: puppet
spec:
rules:
- host: puppetdb.k8s.syd1.au.unkin.net
http:
paths:
- backend:
service:
name: puppetdb
port:
number: 8080
path: /
pathType: Prefix
tls:
- hosts:
- puppetdb.k8s.syd1.au.unkin.net
secretName: puppetdb-tls
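Review bot: this publishes PuppetDB's cleartext `pdb-http` listener (service port 8080) at a public DNS name. PuppetDB's access control is the client-certificate allowlist on the 8081 TLS listener; the 8080 listener has no authentication and its query API returns facts, catalogs and reports for every node, so TLS termination at the edge protects the transport but not the data. Drop this Ingress unless an external client genuinely needs the API, and if one does, front it with an authenticating proxy and an IP allowlist, or expose 8081 and require client certificates end-to-end. Same deprecated `kubernetes.io/ingress.class` annotation as the puppetboard Ingress; use `spec.ingressClassName`.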
@@ -0,0 +1,63 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- cronjob_g10k-code.yaml
- cronjob_generate-types.yaml
- persistentvolumeclaims.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- configmap_puppetboard-config.yaml
- configmap_puppetdb-config.yaml
- configmap_puppetdb-read-database.yaml
- configmap_puppetserver-compiler-config.yaml
- configmap_puppetserver-init-config.yaml
- configmap_puppetserver-init-masters-config.yaml
- configmap_puppetserver-master-config.yaml
- deployment_puppetboard.yaml
- deployment_puppetdb.yaml
- deployment_puppetserver-master.yaml
- horizontalpodautoscaler_puppetserver-compilers-autoscaler.yaml
- horizontalpodautoscaler_puppetserver-masters-autoscaler.yaml
- horizontalpodautoscaler_puppetserver-puppetboard-autoscaler.yaml
- horizontalpodautoscaler_puppetserver-puppetdb-autoscaler.yaml
- ingress_puppetboard.yaml
- ingress_puppetdb.yaml
- service_puppetserver-agents-to-puppet.yaml
- service_puppet-headless.yaml
- service_puppet.yaml
- service_puppetca.yaml
- service_puppetboard.yaml
- service_puppetdb.yaml
- deployment_puppetserver-compiler.yaml
configMapGenerator:
- name: compiler-autosign.conf
files:
- resources/compiler/autosign.conf
options:
disableNameSuffixHash: true
- name: compiler-puppet.conf
files:
- resources/compiler/puppet.conf
options:
disableNameSuffixHash: true
- name: compiler-puppetdb.conf
files:
- resources/compiler/puppetdb.conf
options:
disableNameSuffixHash: true
- name: puppet-cobbler-enc
files:
- resources/cobbler-enc
options:
disableNameSuffixHash: true
- name: additional-ruby-gems
files:
- resources/additional-ruby-gems.sh
options:
disableNameSuffixHash: true
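Review bot: file names and object names have drifted, `horizontalpodautoscaler_puppetserver-compilers-autoscaler.yaml` holds the HPA named `puppetserver-compiler-autoscaler`, and `deployment_puppetserver-compiler.yaml` is appended after the services instead of beside the other Deployments; align the names and grouping so `kustomize build` output stays easy to diff. With `disableNameSuffixHash: true` on every generator, a change to `resources/compiler/puppet.conf` does not by itself roll the compilers; that depends on the `reloader.stakater.com/auto` annotation the Deployments carry, which is worth a comment here so nobody removes one without the other.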
@@ -2,4 +2,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: jfrog
name: puppet
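Review bot: this hunk edits the existing Namespace manifest in place, changing `name: jfrog` to `name: puppet`, rather than adding a new file. If the old jfrog Application still points at this path, ArgoCD's prune will treat the `jfrog` Namespace as removed and delete it together with anything left inside; confirm the jfrog Application is gone first, or keep a separate `namespace.yaml` per application so a rename never doubles as a deletion.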
