201 Commits
cc7a50eca5
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| ce8ebc71ce | |||
| 7c9a697452 | |||
| 6affc5d8f4 | |||
| de123af1b1 | |||
| 649ed07ab0 | |||
| dbb5ad4f86 | |||
| 4b8f9313c8 | |||
| bb330a0365 | |||
| 15225433e9 | |||
| bbb9acba36 | |||
| 48f32a044d | |||
| 7f1444fb38 | |||
| 784c3b5de1 | |||
| cfca1e5278 | |||
| 99a95f4e57 | |||
| feaec2c8a9 | |||
| d1cc467455 | |||
| 0e9ac4d390 | |||
| 722ced3256 | |||
| 92e6f0f13b | |||
| 825c46c91b | |||
| 2c9c79d8f1 | |||
| f695657d9d | |||
| 5dee768170 | |||
| f120f3b426 | |||
| f6d60bd02d | |||
| aac1b654bb | |||
| 1c6e087116 | |||
| 9e6efb7c78 | |||
| cae42b4896 | |||
| 349dc5fd01 | |||
| 8cbd645332 | |||
| ad2cdd3b63 | |||
| 17782d716c | |||
| 188c39f85d | |||
| 0b7819bda3 | |||
| 3c6330ebfd | |||
| a3a56d0c2b | |||
| 4b1fbe1fe1 | |||
| 666f3d055c | |||
| 3dc8801070 | |||
| 60f1f3130b | |||
| b6f8cb0633 | |||
| f11ec1056d | |||
| ed7feaf19a | |||
| 4d594fbde7 | |||
| 1b781e0885 | |||
| ede25a3858 | |||
| f5f713fe86 | |||
| 3990fbfe06 | |||
| d358098fff | |||
| 201e601737 | |||
| d230d87ec9 | |||
| 6497dab25e | |||
| f403c6b05d | |||
| ac8b8212bd | |||
| dd282f59fb | |||
| 1890dd4bda | |||
| 6815b66010 | |||
| 7cbec33588 | |||
| 3756208ccd | |||
| 6ce92e8ead | |||
| af79d86db6 | |||
| 5f4c9225bb | |||
| cbc2c1cb9f | |||
| c6f9893804 | |||
| e43fb742ad | |||
| 11ac2ae91e | |||
| d2be521878 | |||
| bcd4c1a722 | |||
| 6d9530b1ee | |||
| dcea768c15 | |||
| e05f9bfd83 | |||
| 445d8b6e7e | |||
| c2637da068 | |||
| 90ddd932fe | |||
| 2c6d88aa6b | |||
| 58368948d9 | |||
| 4f5c3f7ea0 | |||
| fd87cb96b5 | |||
| d619f9195e | |||
| 1944dbbfcd | |||
| 0940cc20f8 | |||
| 20ce2b1b92 | |||
| 64dc5a0242 | |||
| 57c14d32c0 | |||
| 2df359c4a9 | |||
| f53a2dc4f8 | |||
| c5dd3cc5cb | |||
| 462b2b3f4f | |||
| 73c9b3f603 | |||
| 9a01a9ef19 | |||
| 53553ddcfd | |||
| 5d3ff3a0f4 | |||
| c3002dc3c1 | |||
| 27db33536a | |||
| 8a7068a1c4 | |||
| 1cefd3b78e | |||
| 842d774fc3 | |||
| 4c8827ce35 | |||
| 5e03215f4d | |||
| 02ee82da1e | |||
| 18c519f979 | |||
| dd0e297c14 | |||
| 6fb98d66b0 | |||
| bcea7df925 | |||
| f45194282b | |||
| 260b2d4364 | |||
| 156b545249 | |||
| 0883f327e9 | |||
| 04b7c04366 | |||
| 9914186fd5 | |||
| f55b7065f1 | |||
| 87a5a271c3 | |||
| 8e7bc289f6 | |||
| e156cd10bd | |||
| fe714694bf | |||
| 6138afb98b | |||
| 949ddb76e4 | |||
| 5372914803 | |||
| 67bb54f092 | |||
| fc568dc8b5 | |||
| 1c2c18697d | |||
| f2af65bc92 | |||
| fdca69d99a | |||
| f80be18220 | |||
| 3a6d93bc3c | |||
| 7535d655fe | |||
| 3fc9cfa41a | |||
| 7d555cd31a | |||
| f0bdc0231a | |||
| b100f3034e | |||
| c3a145acbf | |||
| 181bc152e7 | |||
| 5bcbd7e1ba | |||
| 02195e6235 | |||
| 95c9302aa8 | |||
| e269220228 | |||
| 1388875685 | |||
| 49224d4a1b | |||
| 28dc8dc238 | |||
| 33420e1286 | |||
| 0fc1268c51 | |||
| c0d95b71a7 | |||
| 2a96d9e948 | |||
| b49e8d3647 | |||
| 5f227939bc | |||
| ffc861daa7 | |||
| 47bd341371 | |||
| ee9ec23f6f | |||
| 3f355bbfd3 | |||
| 00cbb6a817 | |||
| f474c5c530 | |||
| c1ea6e1e81 | |||
| 3553e9f6dd | |||
| 6decc45e65 | |||
| c2d23aaeae | |||
| f25117ab7f | |||
| 47b894c450 | |||
| 059992f6a3 | |||
| 6ffb0898a4 | |||
| 30d56030b5 | |||
| 504d4ae7c9 | |||
| 24d09744e3 | |||
| 301f8dcc1a | |||
| dfbb315522 | |||
| d641f630e9 | |||
| c157774033 | |||
| 90f793464b | |||
| 06a8f98b5c | |||
| 0bf6e80d6f | |||
| ed300fabed | |||
| 656aedfc53 | |||
| ea71ebb55b | |||
| 5255c78927 | |||
| 8207935d36 | |||
| 3f282fbdc2 | |||
| 3961fe4e68 | |||
| e86cd7a6ae | |||
| 88fe895409 | |||
| 687a7f1ffd | |||
| 64fb4da04c | |||
| 35f00858ae | |||
| 276d8c1d78 | |||
| df1b9a5685 | |||
| 13de81a192 | |||
| 02877b6385 | |||
| b4d6fede98 | |||
| 14e3946d4b | |||
| 68b753d7fa | |||
| d7b661a619 | |||
| 2f6a56d15e | |||
| 563b81c5d2 | |||
| e2ada738f8 | |||
| 61b3546c2c | |||
| 05a88459a5 | |||
| 0894e51ad5 | |||
| f9a8dca060 | |||
| 46e11dd05e | |||
| 244d1b5baa | |||
| dbd8914013 |
@@ -0,0 +1,273 @@
|
|||||||
|
---
|
||||||
|
description: Pull master, read open issues, pick one, branch, implement, test, commit, PR, and comment.
|
||||||
|
---
|
||||||
|
|
||||||
|
# Solve a Gitea Issue
|
||||||
|
|
||||||
|
## Current repo state
|
||||||
|
|
||||||
|
```!
|
||||||
|
git status --short
|
||||||
|
echo "Current branch: $(git branch --show-current)"
|
||||||
|
echo "Remote: $(git remote get-url origin 2>/dev/null || echo 'none')"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Open issues (with full body)
|
||||||
|
|
||||||
|
```!
|
||||||
|
echo "Fetching open issues..."
|
||||||
|
issue_ids=$(tea issues list --output simple 2>/dev/null | awk 'NF && $1 ~ /^[0-9]+$/ {print $1}')
|
||||||
|
if [ -z "$issue_ids" ]; then
|
||||||
|
echo "No open issues found (or tea is not logged in)."
|
||||||
|
else
|
||||||
|
for id in $issue_ids; do
|
||||||
|
echo ""
|
||||||
|
echo "══════════════════════════════════════"
|
||||||
|
tea issues view "$id" --fields index,title,body 2>/dev/null \
|
||||||
|
|| tea issue "$id" 2>/dev/null \
|
||||||
|
|| echo " (could not read issue #$id)"
|
||||||
|
echo "══════════════════════════════════════"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Your task
|
||||||
|
|
||||||
|
Follow these steps **in order**. Do not skip steps.
|
||||||
|
|
||||||
|
### 1 — Choose an issue
|
||||||
|
|
||||||
|
Present the issues above to the user as a numbered list (index, one-line title). Ask which one to work on. Wait for the answer before continuing.
|
||||||
|
|
||||||
|
### 2 — Sync master
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git checkout master
|
||||||
|
git pull
|
||||||
|
```
|
||||||
|
|
||||||
|
Confirm you are on master and up to date.
|
||||||
|
|
||||||
|
### 3 — Create a branch
|
||||||
|
|
||||||
|
Name the branch `benvin/issue-<N>-<short-slug>` where `<short-slug>` is 2–4 kebab-case words from the issue title.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git checkout -b benvin/issue-<N>-<slug>
|
||||||
|
```
|
||||||
|
|
||||||
|
### 4 — Read the issue in full
|
||||||
|
|
||||||
|
Re-read the full issue body shown above. If any part is ambiguous, state your interpretation before coding.
|
||||||
|
|
||||||
|
**If you discover other problems while working:** do NOT solve them inline. Create a new Gitea issue with `tea issues create --title "..." --description "..."` and stay focused on the assigned issue.
|
||||||
|
|
||||||
|
### 5 — Implement the solution
|
||||||
|
|
||||||
|
Make the code changes needed to resolve the issue. Follow the conventions already in the repo:
|
||||||
|
- `main.py` route handlers each contain a single function call; logic lives in submodules.
|
||||||
|
- No comments unless the WHY is non-obvious.
|
||||||
|
- No new files unless the issue or architecture requires it.
|
||||||
|
- Security: no command injection, XSS, SQL injection, or secrets in code.
|
||||||
|
- **For performance improvements:** implement at the most generic call site possible so the fix applies to all current and future implementations, not just the one being tested.
|
||||||
|
|
||||||
|
### 6 — Update tests
|
||||||
|
|
||||||
|
Add or update tests that cover the new behaviour. Tests live in `tests/`. Check existing test structure before writing new ones — mirror the style and fixture patterns already in use.
|
||||||
|
|
||||||
|
### 7 — Update README
|
||||||
|
|
||||||
|
If the feature introduces new config keys, endpoints, or user-facing behaviour, document it in `README.md`. Keep additions concise — follow the existing section style.
|
||||||
|
|
||||||
|
### 8 — Run the full test suite
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make test
|
||||||
|
```
|
||||||
|
|
||||||
|
All tests must pass. If any fail, fix them before proceeding. Do not skip or suppress failing tests.
|
||||||
|
|
||||||
|
### 9 — Live Docker test (new package type only)
|
||||||
|
|
||||||
|
**Skip this step if the issue does not add a new remote package type.**
|
||||||
|
|
||||||
|
If the issue adds a new package type (e.g. `deb`, `conda`, `cargo`, `rubygems`, or any type not already in `remotes.yaml`), do the following before committing.
|
||||||
|
|
||||||
|
#### 9a — Add a real test remote to remotes.yaml
|
||||||
|
|
||||||
|
Append a valid, publicly accessible remote of the new type to `remotes.yaml`. Use a real upstream URL and patterns that cover both an immutable file (versioned artifact) and a mutable file (index/metadata). Add a comment explaining which URLs to use for manual testing.
|
||||||
|
|
||||||
|
#### 9b — Start the stack
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make docker-up
|
||||||
|
```
|
||||||
|
|
||||||
|
Wait until `curl -s http://localhost:8000/health` returns `{"status":"healthy"}`.
|
||||||
|
|
||||||
|
#### 9c — Test a mutable file (first fetch — cache miss)
|
||||||
|
|
||||||
|
Download the index or metadata file for the new remote. Confirm:
|
||||||
|
- HTTP 200
|
||||||
|
- `X-Artifact-Source: remote` header (or equivalent log line confirming a cache miss)
|
||||||
|
- Content looks correct (not empty, not an error page)
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -sv "http://localhost:8000/api/v1/remote/<new-remote>/<mutable-path>" 2>&1 | grep -E "< HTTP|X-Artifact"
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 9d — Test a mutable file (second fetch — cache hit)
|
||||||
|
|
||||||
|
Repeat the exact same request. Confirm:
|
||||||
|
- HTTP 200
|
||||||
|
- `X-Artifact-Source: cache`
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -sv "http://localhost:8000/api/v1/remote/<new-remote>/<mutable-path>" 2>&1 | grep -E "< HTTP|X-Artifact"
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 9e — Test an immutable file (first fetch — cache miss)
|
||||||
|
|
||||||
|
Download a versioned/immutable artifact. Confirm HTTP 200 and a cache-miss log line.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -sv "http://localhost:8000/api/v1/remote/<new-remote>/<immutable-path>" 2>&1 | grep -E "< HTTP|X-Artifact"
|
||||||
|
```
|
||||||
|
|
||||||
|
#### 9f — Test an immutable file (second fetch — cache hit)
|
||||||
|
|
||||||
|
Repeat. Confirm `X-Artifact-Source: cache`.
|
||||||
|
|
||||||
|
#### 9g — Check container logs
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make docker-logs
|
||||||
|
```
|
||||||
|
|
||||||
|
Scan for:
|
||||||
|
- `Cache MISS` on first fetches, `Cache HIT` on second fetches
|
||||||
|
- `Cache ADD SUCCESS` with correct sizes
|
||||||
|
- No unhandled exceptions or ERROR lines
|
||||||
|
|
||||||
|
#### 9h — Exercise package-type tooling against the proxy
|
||||||
|
|
||||||
|
Use the native tooling for this package type to verify end-to-end behaviour. Examples:
|
||||||
|
|
||||||
|
| Package type | Command |
|
||||||
|
|---|---|
|
||||||
|
| `pypi` | `uv run --index-url http://localhost:8000/api/v1/remote/<remote>/simple <tool>` |
|
||||||
|
| `npm` | `npm install --registry http://localhost:8000/api/v1/remote/<remote>/ <pkg>` |
|
||||||
|
| `helm` | `helm repo add test http://localhost:8000/api/v1/remote/<remote> && helm search repo test && helm template test/<chart>` |
|
||||||
|
| `alpine` | `apk fetch --repository http://localhost:8000/api/v1/remote/<remote>/<branch>/<arch> <pkg>` |
|
||||||
|
| `rpm` | `dnf install --repofrompath ... <pkg>` or `repoquery` |
|
||||||
|
| `generic` | `curl` / `wget` as appropriate |
|
||||||
|
|
||||||
|
Confirm the tool resolves and downloads correctly through the proxy.
|
||||||
|
|
||||||
|
#### 9i — Tear down
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make docker-down
|
||||||
|
```
|
||||||
|
|
||||||
|
Fix any failures found during 9b–9h before moving on.
|
||||||
|
|
||||||
|
### 9.5 — Performance issues: measure before/after and gate the PR
|
||||||
|
|
||||||
|
**Skip this step if the issue is not a performance improvement.**
|
||||||
|
|
||||||
|
For performance issues, a PR is only warranted if there is a measurable gain. Use the Docker stack to compare before and after.
|
||||||
|
|
||||||
|
#### 9.5a — Baseline measurement (before)
|
||||||
|
|
||||||
|
Start the stack with the **unmodified** code (temporarily revert your change):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make docker-up
|
||||||
|
```
|
||||||
|
|
||||||
|
Warm or clear the cache as appropriate, then measure the relevant metric — e.g. concurrent request latency during a slow operation, response time for a specific endpoint, or throughput. Record the numbers.
|
||||||
|
|
||||||
|
#### 9.5b — Apply your change and rebuild
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make docker-up # rebuilds the image
|
||||||
|
```
|
||||||
|
|
||||||
|
Repeat exactly the same measurement. Record the numbers.
|
||||||
|
|
||||||
|
#### 9.5c — Decide
|
||||||
|
|
||||||
|
If the improvement is not clearly measurable, **do not open a PR**. Instead:
|
||||||
|
1. Update the issue with your findings.
|
||||||
|
2. Note any conditions under which the improvement would be observable.
|
||||||
|
3. Skip steps 11–14.
|
||||||
|
|
||||||
|
If the improvement is clear, proceed with the commit and PR. Include the before/after numbers in the PR description and the issue comment.
|
||||||
|
|
||||||
|
#### 9.5d — Tear down
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make docker-down
|
||||||
|
```
|
||||||
|
|
||||||
|
### 10 — Build the wheel (smoke check)
|
||||||
|
|
||||||
|
```bash
|
||||||
|
uv build --wheel
|
||||||
|
```
|
||||||
|
|
||||||
|
Confirm the build succeeds.
|
||||||
|
|
||||||
|
### 11 — Stage and commit
|
||||||
|
|
||||||
|
Stage only the files you changed. Do not use `git add -A` or `git add .` — list files explicitly. Run:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git add <file1> <file2> ...
|
||||||
|
git commit
|
||||||
|
```
|
||||||
|
|
||||||
|
The commit message must:
|
||||||
|
- Start with a conventional-commit prefix (`feat:`, `fix:`, `refactor:`, `chore:`, etc.)
|
||||||
|
- Summarise the change in ≤ 72 characters on the first line
|
||||||
|
- Optionally include a short body explaining *why* (not *what*)
|
||||||
|
|
||||||
|
If the pre-commit hook auto-fixes files, re-stage the fixed files and commit again.
|
||||||
|
|
||||||
|
### 12 — Push the branch
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git push origin <branch-name>
|
||||||
|
```
|
||||||
|
|
||||||
|
### 13 — Open a pull request
|
||||||
|
|
||||||
|
```bash
|
||||||
|
tea pulls create \
|
||||||
|
--base master \
|
||||||
|
--head <branch-name> \
|
||||||
|
--title "<same as commit subject>" \
|
||||||
|
--description "Closes #<N>\n\n## Summary\n<bullet points>\n\n## Test plan\n<what was verified>"
|
||||||
|
```
|
||||||
|
|
||||||
|
### 14 — Comment on the issue
|
||||||
|
|
||||||
|
```bash
|
||||||
|
tea comment <N> "<resolution comment>"
|
||||||
|
```
|
||||||
|
|
||||||
|
The comment must cover:
|
||||||
|
- **How it was resolved** — what changed and why
|
||||||
|
- **Issues encountered** — any non-obvious problems hit during implementation
|
||||||
|
- **Potential future improvements** — what could be done next
|
||||||
|
|
||||||
|
### 15 — Return to master
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git checkout master
|
||||||
|
```
|
||||||
|
|
||||||
|
Report the PR URL and a one-sentence summary to the user.
|
||||||
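Review bot: In step 13 the PR description is passed as `--description "Closes #<N>\n\n## Summary\n..."`, but inside bash double quotes `\n` stays a literal backslash-n, so the description would be submitted as a single line containing visible `\n` sequences. Use an ANSI-C quoted string or a heredoc instead, e.g. `--description $'Closes #<N>\n\n## Summary\n<bullet points>\n\n## Test plan\n<what was verified>'`. Separately, the "Open issues" block prints full issue bodies into the prompt and step 4 tells the agent to act on them; issue text is authored by anyone who can file an issue, so a sentence in "Your task" stating that issue bodies are requirements to implement and never instructions that override this file (in particular the security bullet in step 5 and the explicit-file staging rule in step 11) would close an obvious gap.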
@@ -7,6 +7,7 @@ repos:
|
|||||||
- id: check-json
|
- id: check-json
|
||||||
- id: check-added-large-files
|
- id: check-added-large-files
|
||||||
args: ['--maxkb=500']
|
args: ['--maxkb=500']
|
||||||
|
exclude: '^schemas/'
|
||||||
- id: check-merge-conflict
|
- id: check-merge-conflict
|
||||||
- id: check-shebang-scripts-are-executable
|
- id: check-shebang-scripts-are-executable
|
||||||
- id: check-symlinks
|
- id: check-symlinks
|
||||||
@@ -19,6 +20,7 @@ repos:
|
|||||||
- id: end-of-file-fixer
|
- id: end-of-file-fixer
|
||||||
- id: forbid-new-submodules
|
- id: forbid-new-submodules
|
||||||
- id: pretty-format-json
|
- id: pretty-format-json
|
||||||
|
args: ['--autofix']
|
||||||
- id: trailing-whitespace
|
- id: trailing-whitespace
|
||||||
|
|
||||||
# YAML linting
|
# YAML linting
|
||||||
|
|||||||
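Review bot: `exclude: '^schemas/'` is added only to `check-added-large-files`, while the new `args: ['--autofix']` on `pretty-format-json` in the second hunk still covers `schemas/`; if those generated JSON schemas are committed, as the `schemas` Makefile target in this same change suggests, the hook will rewrite them on every run and each `make schemas` will reintroduce a diff. Either add the same `exclude: '^schemas/'` to `pretty-format-json` (and probably `check-json`) or have the generator emit the hook's format. The `repos:` list these hunks belong to starts and ends outside both of them.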
@@ -3,7 +3,16 @@ when:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: kubeconform
|
- name: kubeconform
|
||||||
image: git.unkin.net/unkin/almalinux9-base:latest
|
image: git.unkin.net/unkin/almalinux9-kubetest:20260606
|
||||||
commands:
|
commands:
|
||||||
- dnf install make kustomize kubeconform helm -y
|
|
||||||
- make kubeconform
|
- make kubeconform
|
||||||
|
backend_options:
|
||||||
|
kubernetes:
|
||||||
|
serviceAccountName: default
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 512Mi
|
||||||
|
cpu: 1
|
||||||
|
limits:
|
||||||
|
memory: 2Gi
|
||||||
|
cpu: 2
|
||||||
|
|||||||
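Review bot: `image: git.unkin.net/unkin/almalinux9-kubetest:20260606` replaces a floating `latest` tag with a date tag, which fixes reproducibility only as long as nobody re-pushes that tag; a tag stays mutable on the registry, so for the pipeline that validates what gets deployed consider pinning by digest as well, `image: git.unkin.net/unkin/almalinux9-kubetest:20260606@sha256:<digest>`, and the same applies to `almalinux9-base:20260606` in the pre-commit pipeline's hunk. The new `backend_options.kubernetes.serviceAccountName: default` runs the step under the namespace's default service account; if that account has been granted anything beyond the defaults, the CI step inherits it, so a dedicated account with no bindings is the safer choice. The `when:` block this hunk belongs to starts above it.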
@@ -3,7 +3,16 @@ when:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: pre-commit
|
- name: pre-commit
|
||||||
image: git.unkin.net/unkin/almalinux9-base:latest
|
image: git.unkin.net/unkin/almalinux9-base:20260606
|
||||||
commands:
|
commands:
|
||||||
- dnf install uv make -y
|
|
||||||
- uvx pre-commit run --all-files
|
- uvx pre-commit run --all-files
|
||||||
|
backend_options:
|
||||||
|
kubernetes:
|
||||||
|
serviceAccountName: default
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 256Mi
|
||||||
|
cpu: 250m
|
||||||
|
limits:
|
||||||
|
memory: 1Gi
|
||||||
|
cpu: 1
|
||||||
|
|||||||
@@ -0,0 +1,261 @@
|
|||||||
|
# AGENTS.md
|
||||||
|
|
||||||
|
## Project Overview
|
||||||
|
|
||||||
|
This is an **ArgoCD GitOps repository** that manages Kubernetes applications for the `au-syd1` cluster using a Kustomize + Helm pattern. Applications are deployed via ArgoCD ApplicationSets that watch directory patterns in this repo.
|
||||||
|
|
||||||
|
The migration pattern for this repo is: **Terragrunt/Terraform → ArgoCD** (see `migration.md` for full guide).
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Essential Commands
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Build and render manifests for a path (outputs to manifests/<path>/)
|
||||||
|
make build apps/overlays/au-syd1/<app-name>
|
||||||
|
make build clusters/au-syd1/bootstrap
|
||||||
|
|
||||||
|
# Validate all apps and clusters with kubeconform
|
||||||
|
make kubeconform
|
||||||
|
|
||||||
|
# Clean generated manifests
|
||||||
|
make clean
|
||||||
|
|
||||||
|
# Quick build + inspect without persisting output
|
||||||
|
kustomize build --enable-helm apps/overlays/au-syd1/<app-name>
|
||||||
|
|
||||||
|
# Check all resource kinds produced by an overlay
|
||||||
|
kustomize build --enable-helm apps/overlays/au-syd1/<app-name> | grep "^kind:" | sort | uniq -c
|
||||||
|
|
||||||
|
# Run pre-commit checks against all files
|
||||||
|
uvx pre-commit run --all-files
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Directory Structure
|
||||||
|
|
||||||
|
```
|
||||||
|
argocd-apps/
|
||||||
|
├── argocd/
|
||||||
|
│ ├── applicationsets/ # ArgoCD ApplicationSet definitions (platform.yaml, storage.yaml)
|
||||||
|
│ └── projects/ # ArgoCD AppProject definitions (platform.yaml, storage.yaml)
|
||||||
|
├── apps/
|
||||||
|
│ ├── base/ # Base Kustomize resources per app (no cluster-specific config)
|
||||||
|
│ │ └── <app-name>/
|
||||||
|
│ │ ├── kustomization.yaml
|
||||||
|
│ │ ├── namespace.yaml
|
||||||
|
│ │ ├── vaultauth.yaml # (if Vault-managed secrets)
|
||||||
|
│ │ └── vaultstaticsecret.yaml
|
||||||
|
│ └── overlays/
|
||||||
|
│ └── au-syd1/ # Cluster-specific overlays
|
||||||
|
│ └── <app-name>/
|
||||||
|
│ ├── kustomization.yaml # references base + helmCharts
|
||||||
|
│ └── values.yaml # Helm values for this cluster
|
||||||
|
├── clusters/
|
||||||
|
│ └── au-syd1/
|
||||||
|
│ ├── apps/ # Entry point: references apps/base (ArgoCD app-of-apps)
|
||||||
|
│ └── bootstrap/ # ArgoCD install + initial Application manifest
|
||||||
|
├── ci/
|
||||||
|
│ ├── validate-apps.sh # kubeconform over apps/overlays/*/kustomization.yaml
|
||||||
|
│ ├── validate-clusters.sh # kubeconform over clusters/*/kustomization.yaml
|
||||||
|
│ └── validate-no-secrets.sh # pre-commit hook: blocks plain Kubernetes Secrets
|
||||||
|
└── sources/ # Reference sources (Terraform configs, upstream charts, etc.)
|
||||||
|
└── terraform-k8s/ # Original Terraform configs — reference when migrating
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Adding a New Application
|
||||||
|
|
||||||
|
Follow these 10 steps (detailed in `migration.md`):
|
||||||
|
|
||||||
|
### 1. Create base resources
|
||||||
|
```
|
||||||
|
apps/base/<app-name>/
|
||||||
|
├── kustomization.yaml
|
||||||
|
├── namespace.yaml
|
||||||
|
├── vaultauth.yaml # if needed
|
||||||
|
└── vaultstaticsecret.yaml # if needed
|
||||||
|
```
|
||||||
|
|
||||||
|
### 2. Create cluster overlay
|
||||||
|
```
|
||||||
|
apps/overlays/au-syd1/<app-name>/
|
||||||
|
├── kustomization.yaml
|
||||||
|
└── values.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
**Overlay kustomization.yaml pattern:**
|
||||||
|
```yaml
|
||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- ../../../base/<app-name>
|
||||||
|
|
||||||
|
helmCharts:
|
||||||
|
- name: <chart-name>
|
||||||
|
repo: <helm-repo-url>
|
||||||
|
version: "<version>"
|
||||||
|
releaseName: <release-name>
|
||||||
|
namespace: <namespace>
|
||||||
|
valuesFile: values.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
### 3. Register in ApplicationSet
|
||||||
|
Add a directory entry to `argocd/applicationsets/platform.yaml` (or `storage.yaml` for `csi-*` apps):
|
||||||
|
```yaml
|
||||||
|
- path: apps/overlays/*/<app-name>
|
||||||
|
```
|
||||||
|
|
||||||
|
### 4. Update AppProject
|
||||||
|
In `argocd/projects/platform.yaml` (or `storage.yaml`):
|
||||||
|
- Add the Helm repo URL to `sourceRepos`
|
||||||
|
- Add the namespace to `destinations`
|
||||||
|
- Add any required cluster-scoped resource types to `clusterResourceWhitelist`
|
||||||
|
|
||||||
|
### 5. Validate
|
||||||
|
```bash
|
||||||
|
kustomize build --enable-helm apps/overlays/au-syd1/<app-name>
|
||||||
|
make kubeconform
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Secret Management
|
||||||
|
|
||||||
|
**Plain Kubernetes `Secret` objects are blocked** by the pre-commit hook. Use Vault Operator CRDs instead:
|
||||||
|
|
||||||
|
### VaultAuth template
|
||||||
|
```yaml
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: <namespace>
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: k8s/au/syd1
|
||||||
|
vaultConnectionRef: vso-system/default
|
||||||
|
allowedNamespaces:
|
||||||
|
- <namespace>
|
||||||
|
kubernetes:
|
||||||
|
role: <role>
|
||||||
|
serviceAccount: <service-account>
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
tokenExpirationSeconds: 600
|
||||||
|
```
|
||||||
|
|
||||||
|
### VaultStaticSecret template
|
||||||
|
```yaml
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: <secret-name>
|
||||||
|
namespace: <namespace>
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: default
|
||||||
|
mount: kv
|
||||||
|
type: kv-v2
|
||||||
|
path: kubernetes/namespace/<namespace>/default/<secret-name>
|
||||||
|
refreshAfter: 5m
|
||||||
|
destination:
|
||||||
|
name: <k8s-secret-name>
|
||||||
|
create: true
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## YAML Conventions
|
||||||
|
|
||||||
|
- **2-space indentation** (enforced by yamllint)
|
||||||
|
- All files must end with a newline (`end-of-file-fixer`)
|
||||||
|
- No trailing whitespace
|
||||||
|
- YAML linting uses relaxed rules with `line-length: disable` (long base64/URLs are fine)
|
||||||
|
- yamllint ignores `chart` directories (vendored Helm charts)
|
||||||
|
- `---` document separator at top of every YAML file
|
||||||
|
- Multiple documents in one file are allowed (e.g., `vaultstaticsecret.yaml` often contains multiple secrets)
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Kubernetes Labels Pattern
|
||||||
|
|
||||||
|
Use standard `app.kubernetes.io/*` labels consistently:
|
||||||
|
```yaml
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/component: <component>
|
||||||
|
app.kubernetes.io/instance: <release-name>
|
||||||
|
app.kubernetes.io/name: <app-name>
|
||||||
|
app.kubernetes.io/version: <version>
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Resource Naming Conventions
|
||||||
|
|
||||||
|
Files in `apps/base/<app-name>/` follow the pattern:
|
||||||
|
```
|
||||||
|
<kind>_<name>.yaml
|
||||||
|
```
|
||||||
|
Examples:
|
||||||
|
- `deployment_puppetserver-master.yaml`
|
||||||
|
- `cronjob_g10k-code.yaml`
|
||||||
|
- `configmap_puppetboard-config.yaml`
|
||||||
|
- `horizontalpodautoscaler_puppetserver-compilers-autoscaler.yaml`
|
||||||
|
- `service_puppet-headless.yaml`
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Helm Chart Vendoring
|
||||||
|
|
||||||
|
Some overlays vendor Helm charts locally under `apps/overlays/au-syd1/<app-name>/charts/<chart-name>/`. When a chart is vendored, the overlay's `kustomization.yaml` references the local path. When not vendored, it references the OCI or HTTP repo directly.
|
||||||
|
|
||||||
|
Current Kubernetes target version: **1.33.7** (used by kubeconform in CI).
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Project Boundaries
|
||||||
|
|
||||||
|
| Project | ApplicationSet | App pattern |
|
||||||
|
|------------|---------------------------|--------------------------|
|
||||||
|
| `platform` | `argocd/applicationsets/platform.yaml` | Named apps (cert-manager, puppet, woodpecker, etc.) |
|
||||||
|
| `storage` | `argocd/applicationsets/storage.yaml` | `csi-*` apps |
|
||||||
|
|
||||||
|
The `clusters/au-syd1/apps/` entry-point is deployed as a standalone ArgoCD `Application` (not an ApplicationSet) called `au-syd1-apps`.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## CI / Pre-commit Hooks
|
||||||
|
|
||||||
|
Runs on every PR via Woodpecker CI (`.woodpecker/`):
|
||||||
|
|
||||||
|
| Check | Tool | Trigger |
|
||||||
|
|---|---|---|
|
||||||
|
| YAML lint + general file checks | `pre-commit` (yamllint + pre-commit-hooks) | PR |
|
||||||
|
| No plain Secrets | `ci/validate-no-secrets.sh` | PR (staged files) |
|
||||||
|
| Kubernetes manifest validation | `kubeconform` via `make kubeconform` | PR |
|
||||||
|
|
||||||
|
kubeconform skips: `CustomResourceDefinition`, `GpuDevicePlugin` (for apps validation).
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Git Workflow
|
||||||
|
|
||||||
|
- Branch naming: `benvin/<app-name>` (user prefix)
|
||||||
|
- **Never `git add .`** — add only relevant files explicitly
|
||||||
|
- If pre-commit modifies files, `git add -u` then `git commit --amend --no-edit`
|
||||||
|
- Use `git push --force-with-lease` after amending
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Security Policies
|
||||||
|
|
||||||
|
- `reloader.stakater.com/auto: "true"` annotation triggers rolling restarts on ConfigMap/Secret changes
|
||||||
|
- Security contexts follow least-privilege: `drop: [all]` then add only required capabilities
|
||||||
|
- `fsGroup: 999` on pod security context for Puppet workloads
|
||||||
|
- `runAsUser: 0` is used only for init containers that need to set file permissions, then regular containers run as non-root
|
||||||
@@ -1,4 +1,4 @@
|
|||||||
.PHONY: build clean
|
.PHONY: build clean schemas
|
||||||
|
|
||||||
# Build a kustomization path to manifests directory
|
# Build a kustomization path to manifests directory
|
||||||
# Usage: make build clusters/au-syd1/bootstrap
|
# Usage: make build clusters/au-syd1/bootstrap
|
||||||
@@ -6,6 +6,10 @@ build:
|
|||||||
@mkdir -p manifests/$(filter-out $@,$(MAKECMDGOALS))
|
@mkdir -p manifests/$(filter-out $@,$(MAKECMDGOALS))
|
||||||
@kustomize build --enable-helm $(filter-out $@,$(MAKECMDGOALS)) --output manifests/$(filter-out $@,$(MAKECMDGOALS))
|
@kustomize build --enable-helm $(filter-out $@,$(MAKECMDGOALS)) --output manifests/$(filter-out $@,$(MAKECMDGOALS))
|
||||||
|
|
||||||
|
# Generate JSON schemas from CRDs and Kubernetes swagger spec (run manually, results committed)
|
||||||
|
schemas:
|
||||||
|
@ci/generate-schemas.sh schemas
|
||||||
|
|
||||||
# kubeconform
|
# kubeconform
|
||||||
kubeconform:
|
kubeconform:
|
||||||
@ci/validate-apps.sh && \
|
@ci/validate-apps.sh && \
|
||||||
|
|||||||
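Review bot: The new `schemas` target runs `ci/generate-schemas.sh schemas` with no version input, so the Makefile does not record which Kubernetes release or which CRD sources the committed schemas were generated from; since the comment says "run manually, results committed", that provenance is the only way a reviewer can tell whether a regenerated `schemas/` diff is expected. If the script accepts one, thread a variable through, e.g. `K8S_VERSION ?= <version>` and `@ci/generate-schemas.sh schemas $(K8S_VERSION)`, and name the source in the comment. Listing `schemas` in `.PHONY` is correct here, since an existing `schemas/` directory would otherwise satisfy the target.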
@@ -0,0 +1,45 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: age-api
|
||||||
|
namespace: age-api
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: age-api
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
labels:
|
||||||
|
app: age-api
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: age-api
|
||||||
|
image: git.unkin.net/unkin/age-api:v0.1.0
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
ports:
|
||||||
|
- containerPort: 8080
|
||||||
|
name: http
|
||||||
|
protocol: TCP
|
||||||
|
env:
|
||||||
|
- name: CONFIG_PATH
|
||||||
|
value: /etc/age-api/config.yaml
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 64Mi
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 32Mi
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /etc/age-api/config.yaml
|
||||||
|
name: config
|
||||||
|
subPath: config.yaml
|
||||||
|
restartPolicy: Always
|
||||||
|
volumes:
|
||||||
|
- name: config
|
||||||
|
configMap:
|
||||||
|
name: age-api-config
|
||||||
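Review bot: The `age-api` container has no `securityContext` and the pod defines no probes, although the AGENTS.md added in this same change states that security contexts follow least-privilege with `drop: [all]`. Without a readiness probe the Service sends traffic to the pod as soon as the container starts, and without a container security context the process keeps the default capability set and may gain privileges. Whether the image runs as non-root and whether the root filesystem must be writable is not visible here, so the `runAsNonRoot`/`readOnlyRootFilesystem` lines below are the ones to confirm against the image, and the probe path is a placeholder.
```yaml
        # … unchanged: image, ports, env, resources, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: [ALL]
          runAsNonRoot: true            # confirm the image's USER
          readOnlyRootFilesystem: true  # confirm the app writes nothing to /
        readinessProbe:
          httpGet:
            path: <health-path>
            port: http
```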
@@ -0,0 +1,37 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
traefik.io/instance: internal
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: age-api.k8s.syd1.au.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: age-api.k8s.syd1.au.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
||||||
|
name: age-api
|
||||||
|
namespace: age-api
|
||||||
|
spec:
|
||||||
|
gatewayClassName: traefik-internal
|
||||||
|
listeners:
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: age-api.k8s.syd1.au.unkin.net
|
||||||
|
name: http
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: age-api.k8s.syd1.au.unkin.net
|
||||||
|
name: https
|
||||||
|
port: 443
|
||||||
|
protocol: HTTPS
|
||||||
|
tls:
|
||||||
|
certificateRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Secret
|
||||||
|
name: age-api-tls
|
||||||
|
mode: Terminate
|
||||||
@@ -0,0 +1,49 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: age-api-http-redirect
|
||||||
|
namespace: age-api
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- age-api.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: age-api
|
||||||
|
sectionName: http
|
||||||
|
rules:
|
||||||
|
- filters:
|
||||||
|
- type: RequestRedirect
|
||||||
|
requestRedirect:
|
||||||
|
scheme: https
|
||||||
|
statusCode: 301
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: age-api
|
||||||
|
namespace: age-api
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- age-api.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: age-api
|
||||||
|
sectionName: https
|
||||||
|
rules:
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: age-api
|
||||||
|
port: 80
|
||||||
|
weight: 1
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- deployment.yaml
|
||||||
|
- gateway.yaml
|
||||||
|
- httproute.yaml
|
||||||
|
- namespace.yaml
|
||||||
|
- service.yaml
|
||||||
|
|
||||||
|
configMapGenerator:
|
||||||
|
- name: age-api-config
|
||||||
|
files:
|
||||||
|
- config.yaml=resources/config.yaml
|
||||||
|
options:
|
||||||
|
disableNameSuffixHash: true
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: age-api
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
people:
|
||||||
|
- name: jaidi
|
||||||
|
birthtime: 1773135720
|
||||||
|
- name: ben
|
||||||
|
birthtime: 559663200
|
||||||
|
- name: sudaporn
|
||||||
|
birthtime: 686757600
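Review bot: `resources/config.yaml` commits what appear to be the names and birth timestamps of three people, and the sibling `kustomization.yaml` turns it into the `age-api-config` ConfigMap, so the same personal data lands in the cluster as plain data. If this repository or the `age-api.k8s.syd1.au.unkin.net` host is reachable beyond the household, that is data worth keeping out of git — a Vault-sourced Secret, as the other namespaces in this compare already do for credentials, or at minimum a header comment such as `# personal data — do not publish this repository` to make the constraint explicit. The `birthtime` values are bare integers; `# birthtime: Unix epoch seconds (UTC)` would save the next reader a guess, assuming that is what the API consumes.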
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: age-api
|
||||||
|
namespace: age-api
|
||||||
|
spec:
|
||||||
|
internalTrafficPolicy: Cluster
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
port: 80
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: http
|
||||||
|
selector:
|
||||||
|
app: age-api
|
||||||
|
sessionAffinity: None
|
||||||
|
type: ClusterIP
|
||||||
@@ -0,0 +1,91 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: api
|
||||||
|
namespace: artifactapi
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: api
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxUnavailable: 1
|
||||||
|
type: RollingUpdate
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: api
|
||||||
|
spec:
|
||||||
|
automountServiceAccountToken: true
|
||||||
|
initContainers:
|
||||||
|
- name: combine-certs
|
||||||
|
image: alpine:3
|
||||||
|
command:
|
||||||
|
- sh
|
||||||
|
- -c
|
||||||
|
- cat /etc/ssl/certs/ca-certificates.crt /custom-ca/ca.crt > /combined-certs/ca-certificates.crt
|
||||||
|
volumeMounts:
|
||||||
|
- name: vault-ca-cert
|
||||||
|
mountPath: /custom-ca
|
||||||
|
readOnly: true
|
||||||
|
- name: combined-certs
|
||||||
|
mountPath: /combined-certs
|
||||||
|
containers:
|
||||||
|
- name: api
|
||||||
|
image: git.unkin.net/unkin/artifactapi:v3.7.4
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
ports:
|
||||||
|
- containerPort: 8000
|
||||||
|
name: http
|
||||||
|
protocol: TCP
|
||||||
|
envFrom:
|
||||||
|
- configMapRef:
|
||||||
|
name: api-env
|
||||||
|
optional: false
|
||||||
|
- secretRef:
|
||||||
|
name: environment
|
||||||
|
optional: false
|
||||||
|
volumeMounts:
|
||||||
|
- name: combined-certs
|
||||||
|
mountPath: /etc/ssl/combined
|
||||||
|
readOnly: true
|
||||||
|
livenessProbe:
|
||||||
|
failureThreshold: 3
|
||||||
|
httpGet:
|
||||||
|
path: /health
|
||||||
|
port: http
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 30
|
||||||
|
periodSeconds: 30
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
readinessProbe:
|
||||||
|
failureThreshold: 3
|
||||||
|
httpGet:
|
||||||
|
path: /health
|
||||||
|
port: http
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 10
|
||||||
|
periodSeconds: 5
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: "1"
|
||||||
|
memory: 4Gi
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 256Mi
|
||||||
|
volumes:
|
||||||
|
- name: vault-ca-cert
|
||||||
|
secret:
|
||||||
|
secretName: vault-ca-cert
|
||||||
|
items:
|
||||||
|
- key: ca.crt
|
||||||
|
path: ca.crt
|
||||||
|
- name: combined-certs
|
||||||
|
emptyDir: {}
|
||||||
|
restartPolicy: Always
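Review bot: The pod template sets no `securityContext` at pod or container level and leaves `automountServiceAccountToken: true` on the namespace's `default` ServiceAccount — the same SA that `vaultauth.yaml` in this compare binds to Vault role `default` — so a compromise of the `api` container yields root-capable process defaults plus a token for the identity Vault trusts, mitigated only if the Vault role actually checks the `vault` audience. Nothing visible here uses the Kubernetes API, so `automountServiceAccountToken: false` plus `runAsNonRoot`, `allowPrivilegeEscalation: false` and dropped capabilities (below) is a safe tightening provided both images declare a non-root `USER`; add `readOnlyRootFilesystem: true` as well if the API does not write to its own filesystem. The `combine-certs` init container pulls `alpine:3`, a floating tag, to build the trust bundle that `SSL_CERT_FILE` then points every outbound TLS connection at — pin it to a digest so that bundle cannot change underneath you.
```yaml
    spec:
      automountServiceAccountToken: false   # no visible use of the Kubernetes API by either container
      securityContext:
        runAsNonRoot: true                  # both images must declare a non-root USER, else add runAsUser
        seccompProfile:
          type: RuntimeDefault
      initContainers:
      - name: combine-certs
        image: alpine:3                     # TODO pin to a digest; this image builds the trust bundle
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        # … unchanged: command, volumeMounts …
      containers:
      - name: api
        # … unchanged: image, ports, envFrom, volumeMounts, probes, resources …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
```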
|
||||||
@@ -0,0 +1,41 @@
|
|||||||
|
---
|
||||||
|
apiVersion: autoscaling/v2
|
||||||
|
kind: HorizontalPodAutoscaler
|
||||||
|
metadata:
|
||||||
|
name: api-hpa
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
scaleTargetRef:
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
name: api
|
||||||
|
minReplicas: 2
|
||||||
|
maxReplicas: 10
|
||||||
|
metrics:
|
||||||
|
- type: Resource
|
||||||
|
resource:
|
||||||
|
name: cpu
|
||||||
|
target:
|
||||||
|
type: Utilization
|
||||||
|
averageUtilization: 60
|
||||||
|
behavior:
|
||||||
|
scaleUp:
|
||||||
|
stabilizationWindowSeconds: 0
|
||||||
|
selectPolicy: Max
|
||||||
|
policies:
|
||||||
|
- type: Percent
|
||||||
|
value: 100
|
||||||
|
periodSeconds: 30
|
||||||
|
- type: Pods
|
||||||
|
value: 4
|
||||||
|
periodSeconds: 30
|
||||||
|
scaleDown:
|
||||||
|
stabilizationWindowSeconds: 300
|
||||||
|
selectPolicy: Min
|
||||||
|
policies:
|
||||||
|
- type: Percent
|
||||||
|
value: 10
|
||||||
|
periodSeconds: 60
|
||||||
|
- type: Pods
|
||||||
|
value: 2
|
||||||
|
periodSeconds: 60
|
||||||
@@ -0,0 +1,91 @@
|
|||||||
|
---
|
||||||
|
apiVersion: postgresql.cnpg.io/v1
|
||||||
|
kind: Cluster
|
||||||
|
metadata:
|
||||||
|
name: postgres
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
affinity:
|
||||||
|
podAntiAffinityType: preferred
|
||||||
|
bootstrap:
|
||||||
|
initdb:
|
||||||
|
database: artifacts
|
||||||
|
encoding: UTF8
|
||||||
|
localeCType: C
|
||||||
|
localeCollate: C
|
||||||
|
owner: artifacts
|
||||||
|
secret:
|
||||||
|
name: postgres-credentials
|
||||||
|
enablePDB: true
|
||||||
|
enableSuperuserAccess: false
|
||||||
|
failoverDelay: 0
|
||||||
|
imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
|
||||||
|
instances: 3
|
||||||
|
logLevel: info
|
||||||
|
maxSyncReplicas: 0
|
||||||
|
minSyncReplicas: 0
|
||||||
|
monitoring:
|
||||||
|
customQueriesConfigMap:
|
||||||
|
- key: queries
|
||||||
|
name: cnpg-default-monitoring
|
||||||
|
disableDefaultQueries: false
|
||||||
|
enablePodMonitor: false
|
||||||
|
postgresql:
|
||||||
|
parameters:
|
||||||
|
archive_mode: "on"
|
||||||
|
archive_timeout: 5min
|
||||||
|
dynamic_shared_memory_type: posix
|
||||||
|
effective_cache_size: 256MB
|
||||||
|
full_page_writes: "on"
|
||||||
|
log_destination: csvlog
|
||||||
|
log_directory: /controller/log
|
||||||
|
log_filename: postgres
|
||||||
|
log_rotation_age: "0"
|
||||||
|
log_rotation_size: "0"
|
||||||
|
log_truncate_on_rotation: "false"
|
||||||
|
logging_collector: "on"
|
||||||
|
max_connections: "200"
|
||||||
|
max_parallel_workers: "16"
|
||||||
|
max_replication_slots: "16"
|
||||||
|
max_worker_processes: "16"
|
||||||
|
shared_buffers: 128MB
|
||||||
|
shared_memory_type: mmap
|
||||||
|
ssl_max_protocol_version: TLSv1.3
|
||||||
|
ssl_min_protocol_version: TLSv1.3
|
||||||
|
wal_keep_size: 256MB
|
||||||
|
wal_level: logical
|
||||||
|
wal_log_hints: "on"
|
||||||
|
wal_receiver_timeout: 5s
|
||||||
|
wal_sender_timeout: 5s
|
||||||
|
syncReplicaElectionConstraint:
|
||||||
|
enabled: false
|
||||||
|
primaryUpdateMethod: restart
|
||||||
|
primaryUpdateStrategy: unsupervised
|
||||||
|
probes:
|
||||||
|
liveness:
|
||||||
|
isolationCheck:
|
||||||
|
connectionTimeout: 1000
|
||||||
|
enabled: true
|
||||||
|
requestTimeout: 1000
|
||||||
|
replicationSlots:
|
||||||
|
highAvailability:
|
||||||
|
enabled: true
|
||||||
|
slotPrefix: _cnpg_
|
||||||
|
synchronizeReplicas:
|
||||||
|
enabled: true
|
||||||
|
updateInterval: 30
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 512Mi
|
||||||
|
requests:
|
||||||
|
cpu: 250m
|
||||||
|
memory: 256Mi
|
||||||
|
smartShutdownTimeout: 180
|
||||||
|
startDelay: 3600
|
||||||
|
stopDelay: 1800
|
||||||
|
storage:
|
||||||
|
resizeInUseVolumes: true
|
||||||
|
size: 20Gi
|
||||||
|
storageClass: cephrbd-fast-delete
|
||||||
|
switchoverDelay: 3600
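Review bot: Nothing in the `postgresql` section forces clients onto TLS — `ssl_min_protocol_version: TLSv1.3` only governs connections that negotiate TLS, and no `pg_hba` list is given, so client access falls back to the operator's default rules (a plain `host all all all scram-sha-256` entry in the CNPG versions I know; confirm against the installed operator). Adding `pg_hba: ["hostssl all all all scram-sha-256"]` under `postgresql` makes the TLS floor actually apply to the `artifacts` role and the pooler. Separately, `archive_mode: "on"` is set but the spec has no `backup` section, so WAL archiving is effectively a no-op here, and with `minSyncReplicas`/`maxSyncReplicas` both 0 the three instances replicate asynchronously, so a failover can drop committed writes; for a bucket named `artifactapi-prod-…` that deserves either a `backup.barmanObjectStore` pointing at the same RGW endpoint the ConfigMap already uses, or a comment recording that the trade-off is intentional.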
|
||||||
@@ -0,0 +1,33 @@
|
|||||||
|
---
|
||||||
|
apiVersion: postgresql.cnpg.io/v1
|
||||||
|
kind: Pooler
|
||||||
|
metadata:
|
||||||
|
name: postgres-pooler
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
cluster:
|
||||||
|
name: postgres
|
||||||
|
instances: 2
|
||||||
|
pgbouncer:
|
||||||
|
parameters:
|
||||||
|
default_pool_size: "100"
|
||||||
|
max_client_conn: "400"
|
||||||
|
paused: false
|
||||||
|
poolMode: session
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: pooler
|
||||||
|
spec:
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: app
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- pooler
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
containers: []
|
||||||
|
type: rw
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: api-env
|
||||||
|
namespace: artifactapi
|
||||||
|
data:
|
||||||
|
DBHOST: postgres-pooler
|
||||||
|
DBNAME: artifacts
|
||||||
|
DBPORT: "5432"
|
||||||
|
DBUSER: artifacts
|
||||||
|
MINIO_BUCKET: artifactapi-prod-k8s-syd1-au
|
||||||
|
MINIO_ENDPOINT: radosgw.service.consul
|
||||||
|
MINIO_SECURE: "true"
|
||||||
|
REDIS_URL: redis://redis:6379
|
||||||
|
SSL_CERT_FILE: /etc/ssl/combined/ca-certificates.crt
|
||||||
@@ -0,0 +1,37 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
traefik.io/instance: internal
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: artifactapi.k8s.syd1.au.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: artifactapi.k8s.syd1.au.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
||||||
|
name: artifactapi
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
gatewayClassName: traefik-internal
|
||||||
|
listeners:
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: artifactapi.k8s.syd1.au.unkin.net
|
||||||
|
name: http
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: artifactapi.k8s.syd1.au.unkin.net
|
||||||
|
name: https
|
||||||
|
port: 443
|
||||||
|
protocol: HTTPS
|
||||||
|
tls:
|
||||||
|
certificateRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Secret
|
||||||
|
name: artifactapi-tls
|
||||||
|
mode: Terminate
|
||||||
@@ -0,0 +1,59 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: http-redirect
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- artifactapi.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: artifactapi
|
||||||
|
sectionName: http
|
||||||
|
rules:
|
||||||
|
- filters:
|
||||||
|
- type: RequestRedirect
|
||||||
|
requestRedirect:
|
||||||
|
scheme: https
|
||||||
|
statusCode: 301
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: api-route
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- artifactapi.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: artifactapi
|
||||||
|
sectionName: https
|
||||||
|
rules:
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: ui
|
||||||
|
port: 80
|
||||||
|
weight: 1
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /ui
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: artifactapi
|
||||||
|
port: 80
|
||||||
|
weight: 1
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
@@ -0,0 +1,19 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- api-deployment.yaml
|
||||||
|
- api-hpa.yaml
|
||||||
|
- configmap.yaml
|
||||||
|
- cnpg_cluster.yaml
|
||||||
|
- cnpg_pooler.yaml
|
||||||
|
- gateway.yaml
|
||||||
|
- httproute.yaml
|
||||||
|
- namespace.yaml
|
||||||
|
- redis-deployment.yaml
|
||||||
|
- services.yaml
|
||||||
|
- ui-deployment.yaml
|
||||||
|
- ui-hpa.yaml
|
||||||
|
- vaultauth.yaml
|
||||||
|
- vaultstaticsecret.yaml
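Review bot: The resource list ships a PgBouncer pooler, a three-instance Postgres cluster and a Redis, but no NetworkPolicy, so each of those ClusterIP services is reachable from any pod in any namespace the CNI allows by default. The Gateway listeners already restrict route attachment with `from: Same`, which shows the intent is namespace isolation; a `networkpolicy.yaml` allowing ingress to the `app: redis` pods from `app: api` only, to the pooler from `app: api` only, and to the `cnpg.io/cluster: postgres` pods from the pooler only would carry that intent to the data stores. Listing it here as `- networkpolicy.yaml` keeps it under the same kustomization as the workloads it protects.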
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: artifactapi
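Review bot: The `artifactapi` Namespace carries no Pod Security Admission labels, so the pods created next to it — none of which set a `securityContext`, per `api-deployment.yaml`, `ui-deployment.yaml` and `redis-deployment.yaml` in this compare — are admitted with no baseline at all. Adding `pod-security.kubernetes.io/enforce: baseline`, `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` under `metadata.labels` blocks privileged/hostPath-style regressions now and surfaces exactly what still has to change to reach `restricted`. Nothing in these manifests uses hostNetwork, privileged or hostPath, so `baseline` should not break the current workloads; verify once before enforcing.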
|
||||||
@@ -0,0 +1,56 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: redis
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: redis
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: redis
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: redis
|
||||||
|
image: redis:7-alpine
|
||||||
|
command:
|
||||||
|
- redis-server
|
||||||
|
- --save
|
||||||
|
- "20"
|
||||||
|
- "1"
|
||||||
|
ports:
|
||||||
|
- containerPort: 6379
|
||||||
|
name: redis
|
||||||
|
protocol: TCP
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 512Mi
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 128Mi
|
||||||
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- redis-cli
|
||||||
|
- ping
|
||||||
|
failureThreshold: 3
|
||||||
|
initialDelaySeconds: 30
|
||||||
|
periodSeconds: 30
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
readinessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- redis-cli
|
||||||
|
- ping
|
||||||
|
failureThreshold: 3
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
restartPolicy: Always
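Review bot: `command: [redis-server, --save, 20, 1]` replaces the official image's entrypoint, and it is that entrypoint (`docker-entrypoint.sh`) which drops from root to the `redis` user via gosu; with `command` set and no `securityContext`, Redis most likely runs as uid 0 here (the image declares no `USER` in the variants I know — confirm with `kubectl exec … id`). The sibling `authentik/redis-deployment.yaml` in this compare passes the same flags through `args:` and keeps the entrypoint, so the two should at least agree. No `--requirepass` is given and the official image disables protected-mode, so any pod that can reach `redis:6379` can read and write the API's cache; a password from the `environment` Secret or a NetworkPolicy is needed for that to hold. Also, with no volume, `--save 20 1` writes `dump.rdb` into the container's writable layer and the snapshot is lost on every restart — either add a volume or drop the flag.
```yaml
      containers:
      - name: redis
        image: redis:7-alpine
        args:                    # keep the image entrypoint so it drops to the redis user
        - --save
        - "20"
        - "1"
        securityContext:
          runAsNonRoot: true
          runAsUser: 999         # uid of the image's redis user; confirm against the image
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        # … unchanged: ports, resources, livenessProbe, readinessProbe …
```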
|
||||||
@@ -0,0 +1,51 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: artifactapi
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
internalTrafficPolicy: Cluster
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
port: 80
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: http
|
||||||
|
selector:
|
||||||
|
app: api
|
||||||
|
sessionAffinity: None
|
||||||
|
type: ClusterIP
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: ui
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
internalTrafficPolicy: Cluster
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
port: 80
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: http
|
||||||
|
selector:
|
||||||
|
app: ui
|
||||||
|
sessionAffinity: None
|
||||||
|
type: ClusterIP
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: redis
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
internalTrafficPolicy: Cluster
|
||||||
|
ports:
|
||||||
|
- name: redis
|
||||||
|
port: 6379
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: redis
|
||||||
|
selector:
|
||||||
|
app: redis
|
||||||
|
sessionAffinity: None
|
||||||
|
type: ClusterIP
|
||||||
@@ -0,0 +1,58 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: ui
|
||||||
|
namespace: artifactapi
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: ui
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxUnavailable: 1
|
||||||
|
type: RollingUpdate
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: ui
|
||||||
|
spec:
|
||||||
|
automountServiceAccountToken: true
|
||||||
|
containers:
|
||||||
|
- name: ui
|
||||||
|
image: git.unkin.net/unkin/artifactapi-ui:v3.7.4
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
ports:
|
||||||
|
- containerPort: 80
|
||||||
|
name: http
|
||||||
|
protocol: TCP
|
||||||
|
livenessProbe:
|
||||||
|
failureThreshold: 3
|
||||||
|
httpGet:
|
||||||
|
path: /ui
|
||||||
|
port: http
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 15
|
||||||
|
periodSeconds: 30
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
readinessProbe:
|
||||||
|
failureThreshold: 3
|
||||||
|
httpGet:
|
||||||
|
path: /ui
|
||||||
|
port: http
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 5
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 512Mi
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 128Mi
|
||||||
|
restartPolicy: Always
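Review bot: `automountServiceAccountToken: true` on the `ui` pod hands a static-asset server a Kubernetes API token it has no visible use for, and the `default` ServiceAccount it runs under is the identity `vaultauth.yaml` in this compare authenticates to Vault with. Set `automountServiceAccountToken: false` here (the `api` Deployment has the same gap). The container also binds port 80 with no `securityContext`; if the image is nginx-based it is running as root to do so — a non-root image on an unprivileged port, or `runAsNonRoot: true` with `capabilities.drop: ["ALL"]` and `NET_BIND_SERVICE` where needed, would close that.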
|
||||||
@@ -0,0 +1,41 @@
|
|||||||
|
---
|
||||||
|
apiVersion: autoscaling/v2
|
||||||
|
kind: HorizontalPodAutoscaler
|
||||||
|
metadata:
|
||||||
|
name: ui-hpa
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
scaleTargetRef:
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
name: ui
|
||||||
|
minReplicas: 2
|
||||||
|
maxReplicas: 10
|
||||||
|
metrics:
|
||||||
|
- type: Resource
|
||||||
|
resource:
|
||||||
|
name: cpu
|
||||||
|
target:
|
||||||
|
type: Utilization
|
||||||
|
averageUtilization: 60
|
||||||
|
behavior:
|
||||||
|
scaleUp:
|
||||||
|
stabilizationWindowSeconds: 0
|
||||||
|
selectPolicy: Max
|
||||||
|
policies:
|
||||||
|
- type: Percent
|
||||||
|
value: 100
|
||||||
|
periodSeconds: 30
|
||||||
|
- type: Pods
|
||||||
|
value: 4
|
||||||
|
periodSeconds: 30
|
||||||
|
scaleDown:
|
||||||
|
stabilizationWindowSeconds: 300
|
||||||
|
selectPolicy: Min
|
||||||
|
policies:
|
||||||
|
- type: Percent
|
||||||
|
value: 10
|
||||||
|
periodSeconds: 60
|
||||||
|
- type: Pods
|
||||||
|
value: 2
|
||||||
|
periodSeconds: 60
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
allowedNamespaces:
|
||||||
|
- artifactapi
|
||||||
|
kubernetes:
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
role: default
|
||||||
|
serviceAccount: default
|
||||||
|
tokenExpirationSeconds: 600
|
||||||
|
method: kubernetes
|
||||||
|
mount: k8s/au/syd1
|
||||||
|
vaultConnectionRef: vso-system/default
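Review bot: `serviceAccount: default` makes the namespace's default ServiceAccount the identity Vault role `default` trusts, and every pod in the namespace that names no other SA — `api` and `ui` here, both with `automountServiceAccountToken: true` — runs under it. The tokens mounted into those pods carry the API-server audience rather than `vault`, so `audiences: [vault]` should stop straight replay, but only if the Vault role's `audience` parameter is set to match; that is not visible here. A dedicated SA that no pod uses (for example `serviceAccount: vso-auth`, created in this namespace, with the Vault role bound to it) removes the overlap instead of relying on that check. `tokenExpirationSeconds: 600` and `allowedNamespaces` scoped to `artifactapi` are good.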
|
||||||
@@ -0,0 +1,34 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: postgres-credentials
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
destination:
|
||||||
|
create: true
|
||||||
|
name: postgres-credentials
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
mount: kv
|
||||||
|
path: kubernetes/namespace/artifactapi/default/postgres-credentials
|
||||||
|
refreshAfter: 5m
|
||||||
|
type: kv-v2
|
||||||
|
vaultAuthRef: default
|
||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: environment
|
||||||
|
namespace: artifactapi
|
||||||
|
spec:
|
||||||
|
destination:
|
||||||
|
create: true
|
||||||
|
name: environment
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
mount: kv
|
||||||
|
path: kubernetes/namespace/artifactapi/default/environment
|
||||||
|
refreshAfter: 5m
|
||||||
|
type: kv-v2
|
||||||
|
vaultAuthRef: default
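Review bot: The `postgres-credentials` destination is written with VSO's default Secret type (Opaque), while CNPG's `bootstrap.initdb.secret` is documented as expecting the owner credentials as a `kubernetes.io/basic-auth` Secret with `username` and `password` keys; if the Vault KV entry does not hold exactly those keys the bootstrap will fail, or the `artifacts` role will be created with a password the API does not have. Setting `destination.type: kubernetes.io/basic-auth` and confirming the KV keys is a one-line change. Since `DBUSER: artifacts` is fixed in the ConfigMap and `owner: artifacts` in the Cluster, the KV `username` must also be `artifacts`. `hmacSecretData: true` and `refreshAfter: 5m` are fine.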
|
||||||
@@ -0,0 +1,91 @@
|
|||||||
|
---
|
||||||
|
apiVersion: postgresql.cnpg.io/v1
|
||||||
|
kind: Cluster
|
||||||
|
metadata:
|
||||||
|
name: postgres
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
affinity:
|
||||||
|
podAntiAffinityType: preferred
|
||||||
|
bootstrap:
|
||||||
|
initdb:
|
||||||
|
database: authentik
|
||||||
|
encoding: UTF8
|
||||||
|
localeCType: C
|
||||||
|
localeCollate: C
|
||||||
|
owner: authentik
|
||||||
|
secret:
|
||||||
|
name: postgres-credentials
|
||||||
|
enablePDB: true
|
||||||
|
enableSuperuserAccess: false
|
||||||
|
failoverDelay: 0
|
||||||
|
imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
|
||||||
|
instances: 3
|
||||||
|
logLevel: info
|
||||||
|
maxSyncReplicas: 0
|
||||||
|
minSyncReplicas: 0
|
||||||
|
monitoring:
|
||||||
|
customQueriesConfigMap:
|
||||||
|
- key: queries
|
||||||
|
name: cnpg-default-monitoring
|
||||||
|
disableDefaultQueries: false
|
||||||
|
enablePodMonitor: false
|
||||||
|
postgresql:
|
||||||
|
parameters:
|
||||||
|
archive_mode: "on"
|
||||||
|
archive_timeout: 5min
|
||||||
|
dynamic_shared_memory_type: posix
|
||||||
|
effective_cache_size: 256MB
|
||||||
|
full_page_writes: "on"
|
||||||
|
log_destination: csvlog
|
||||||
|
log_directory: /controller/log
|
||||||
|
log_filename: postgres
|
||||||
|
log_rotation_age: "0"
|
||||||
|
log_rotation_size: "0"
|
||||||
|
log_truncate_on_rotation: "false"
|
||||||
|
logging_collector: "on"
|
||||||
|
max_connections: "200"
|
||||||
|
max_parallel_workers: "16"
|
||||||
|
max_replication_slots: "16"
|
||||||
|
max_worker_processes: "16"
|
||||||
|
shared_buffers: 128MB
|
||||||
|
shared_memory_type: mmap
|
||||||
|
ssl_max_protocol_version: TLSv1.3
|
||||||
|
ssl_min_protocol_version: TLSv1.3
|
||||||
|
wal_keep_size: 256MB
|
||||||
|
wal_level: logical
|
||||||
|
wal_log_hints: "on"
|
||||||
|
wal_receiver_timeout: 5s
|
||||||
|
wal_sender_timeout: 5s
|
||||||
|
syncReplicaElectionConstraint:
|
||||||
|
enabled: false
|
||||||
|
primaryUpdateMethod: restart
|
||||||
|
primaryUpdateStrategy: unsupervised
|
||||||
|
probes:
|
||||||
|
liveness:
|
||||||
|
isolationCheck:
|
||||||
|
connectionTimeout: 1000
|
||||||
|
enabled: true
|
||||||
|
requestTimeout: 1000
|
||||||
|
replicationSlots:
|
||||||
|
highAvailability:
|
||||||
|
enabled: true
|
||||||
|
slotPrefix: _cnpg_
|
||||||
|
synchronizeReplicas:
|
||||||
|
enabled: true
|
||||||
|
updateInterval: 30
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 512Mi
|
||||||
|
requests:
|
||||||
|
cpu: 250m
|
||||||
|
memory: 256Mi
|
||||||
|
smartShutdownTimeout: 180
|
||||||
|
startDelay: 3600
|
||||||
|
stopDelay: 1800
|
||||||
|
storage:
|
||||||
|
resizeInUseVolumes: true
|
||||||
|
size: 20Gi
|
||||||
|
storageClass: cephrbd-fast-delete
|
||||||
|
switchoverDelay: 3600
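Review bot: This Cluster spec is a copy of `artifactapi/cnpg_cluster.yaml` apart from `namespace`, `database` and `owner`, so the two will drift the first time one is tuned; the TLS floor, `enableSuperuserAccess: false`, probes and replication-slot settings belong in a shared kustomize component or base, with a per-namespace patch for the three differing fields. The same gap as in the artifactapi copy applies: no `postgresql.pg_hba` entry requires TLS (`hostssl all all all scram-sha-256`), and no `backup` section exists for the identity provider's database — the one whose loss locks everyone out. If no backup is a deliberate choice, record the reasoning in a comment next to `archive_mode`; otherwise `backup.barmanObjectStore` is the fix.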
|
||||||
@@ -0,0 +1,66 @@
|
|||||||
|
---
|
||||||
|
apiVersion: postgresql.cnpg.io/v1
|
||||||
|
kind: Pooler
|
||||||
|
metadata:
|
||||||
|
name: postgres-pooler-rw
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
cluster:
|
||||||
|
name: postgres
|
||||||
|
instances: 2
|
||||||
|
pgbouncer:
|
||||||
|
parameters:
|
||||||
|
default_pool_size: "100"
|
||||||
|
max_client_conn: "400"
|
||||||
|
paused: false
|
||||||
|
poolMode: session
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: pooler-rw
|
||||||
|
spec:
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: app
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- pooler-rw
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
containers: []
|
||||||
|
type: rw
|
||||||
|
---
|
||||||
|
apiVersion: postgresql.cnpg.io/v1
|
||||||
|
kind: Pooler
|
||||||
|
metadata:
|
||||||
|
name: postgres-pooler-ro
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
cluster:
|
||||||
|
name: postgres
|
||||||
|
instances: 2
|
||||||
|
pgbouncer:
|
||||||
|
parameters:
|
||||||
|
default_pool_size: "100"
|
||||||
|
max_client_conn: "400"
|
||||||
|
paused: false
|
||||||
|
poolMode: session
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: pooler-ro
|
||||||
|
spec:
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: app
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- pooler-ro
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
containers: []
|
||||||
|
type: ro
|
||||||
@@ -0,0 +1,57 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
traefik.io/instance: internal
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: identity.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: identity.unkin.net,identity.k8s.syd1.au.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
||||||
|
name: authentik
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
gatewayClassName: traefik-internal
|
||||||
|
listeners:
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: identity.unkin.net
|
||||||
|
name: http
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: identity.unkin.net
|
||||||
|
name: https
|
||||||
|
port: 443
|
||||||
|
protocol: HTTPS
|
||||||
|
tls:
|
||||||
|
certificateRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Secret
|
||||||
|
name: authentik-tls
|
||||||
|
mode: Terminate
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: identity.k8s.syd1.au.unkin.net
|
||||||
|
name: http-internal
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: identity.k8s.syd1.au.unkin.net
|
||||||
|
name: https-internal
|
||||||
|
port: 443
|
||||||
|
protocol: HTTPS
|
||||||
|
tls:
|
||||||
|
certificateRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Secret
|
||||||
|
name: authentik-tls
|
||||||
|
mode: Terminate
|
||||||
@@ -0,0 +1,59 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: authentik-http-redirect
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- identity.unkin.net
|
||||||
|
- identity.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik
|
||||||
|
sectionName: http
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik
|
||||||
|
sectionName: http-internal
|
||||||
|
rules:
|
||||||
|
- filters:
|
||||||
|
- type: RequestRedirect
|
||||||
|
requestRedirect:
|
||||||
|
scheme: https
|
||||||
|
statusCode: 301
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: authentik
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- identity.unkin.net
|
||||||
|
- identity.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik
|
||||||
|
sectionName: https
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik
|
||||||
|
sectionName: https-internal
|
||||||
|
rules:
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: authentik-server
|
||||||
|
port: 80
|
||||||
|
weight: 1
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
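Review bot: The `authentik` route terminates TLS at the gateway but sets no `Strict-Transport-Security` header, so a browser that once followed the plain-HTTP 301 on `identity.unkin.net` keeps making that first request in the clear on every visit — for an identity provider that request can carry a session cookie unless authentik marks it `Secure`. Unless authentik or the traefik instance already emits HSTS (not visible here), a `ResponseHeaderModifier` filter on the backend rule pins it at the edge. It goes under `rules[0]`, alongside `backendRefs` and `matches`.
```yaml
  rules:
  - backendRefs:
    # … unchanged: authentik-server backend …
    filters:
    - type: ResponseHeaderModifier
      responseHeaderModifier:
        set:
        - name: Strict-Transport-Security
          value: max-age=31536000
    matches:
    # … unchanged: PathPrefix / …
```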
|
||||||
@@ -0,0 +1,19 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- cnpg_cluster.yaml
|
||||||
|
- cnpg_pooler.yaml
|
||||||
|
- gateway.yaml
|
||||||
|
- httproute.yaml
|
||||||
|
- ldap-gateway.yaml
|
||||||
|
- ldap-httproute.yaml
|
||||||
|
- ldap-service.yaml
|
||||||
|
- ldap-tlsroute.yaml
|
||||||
|
- namespace.yaml
|
||||||
|
- redis-deployment.yaml
|
||||||
|
- redis-pvc.yaml
|
||||||
|
- redis-service.yaml
|
||||||
|
- vaultauth.yaml
|
||||||
|
- vaultstaticsecret.yaml
|
||||||
@@ -0,0 +1,47 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
traefik.io/instance: internal
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: ldap.k8s.syd1.au.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
name: authentik-ldap
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
gatewayClassName: traefik-internal
|
||||||
|
listeners:
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: ldap.k8s.syd1.au.unkin.net
|
||||||
|
name: ldaps-internal
|
||||||
|
port: 636
|
||||||
|
protocol: TLS
|
||||||
|
tls:
|
||||||
|
mode: Passthrough
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: ldap.main.unkin.net
|
||||||
|
name: ldaps-main
|
||||||
|
port: 636
|
||||||
|
protocol: TLS
|
||||||
|
tls:
|
||||||
|
mode: Passthrough
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: ldap.k8s.syd1.au.unkin.net
|
||||||
|
name: http-dns
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: ldap.main.unkin.net
|
||||||
|
name: http-dns-main
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
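Review bot: The three `cert-manager.io/*` annotations on `authentik-ldap` have no effect: cert-manager's gateway shim only issues a Certificate for listeners carrying `tls.certificateRefs`, and both 636 listeners are `mode: Passthrough` while the two port-80 listeners are plain HTTP, so no TLS Secret is created for `ldap.k8s.syd1.au.unkin.net` and the LDAPS certificate must come from the outpost itself — confirm which certificate clients actually see. Either drop the annotations or, if a cert-manager-issued LDAPS cert is the intent, create a `Certificate` resource for the outpost to mount. The port-80 listeners exist only to anchor external-dns records and a redirect, as the sibling `ldap-httproute.yaml` shows; a comment such as `# port-80 listeners: DNS anchor + redirect only; LDAPS is SNI passthrough on 636` would stop the next reader from hunting for a web backend.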
|
||||||
@@ -0,0 +1,32 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: authentik-ldap-dns
|
||||||
|
namespace: authentik
|
||||||
|
annotations:
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: ldap.k8s.syd1.au.unkin.net,ldap.main.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- ldap.k8s.syd1.au.unkin.net
|
||||||
|
- ldap.main.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik-ldap
|
||||||
|
sectionName: http-dns
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik-ldap
|
||||||
|
sectionName: http-dns-main
|
||||||
|
rules:
|
||||||
|
- filters:
|
||||||
|
- type: RequestRedirect
|
||||||
|
requestRedirect:
|
||||||
|
scheme: https
|
||||||
|
statusCode: 301
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
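Review bot: The redirect on `http-dns`/`http-dns-main` sends clients to `https://ldap.k8s.syd1.au.unkin.net/…` and `https://ldap.main.unkin.net/…`, but `ldap-gateway.yaml` declares no 443 listener for either hostname — only 636 (TLS passthrough) and 80 — so the 301 lands where no listener claims the host; at best traefik answers with its default certificate and a 404. If the HTTP listeners are only there to carry the `external-dns` annotations for the LDAPS records, a redirect to the identity UI (`hostname: identity.unkin.net` in `requestRedirect`) is more honest, or drop the HTTP listeners and move the annotations to the TLSRoute (external-dns has a `gateway-tlsroute` source — confirm it is enabled). Whichever is chosen, a comment on this route stating that these hosts serve no HTTP(S) would help.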
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: authentik-ldap
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
internalTrafficPolicy: Cluster
|
||||||
|
ports:
|
||||||
|
- name: ldaps
|
||||||
|
port: 6636
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: 6636
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: authentik
|
||||||
|
app.kubernetes.io/component: ldap
|
||||||
|
sessionAffinity: None
|
||||||
|
type: ClusterIP
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: TLSRoute
|
||||||
|
metadata:
|
||||||
|
name: authentik-ldaps
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- ldap.k8s.syd1.au.unkin.net
|
||||||
|
- ldap.main.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik-ldap
|
||||||
|
sectionName: ldaps-internal
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: authentik-ldap
|
||||||
|
sectionName: ldaps-main
|
||||||
|
rules:
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: authentik-ldap
|
||||||
|
port: 6636
|
||||||
|
weight: 1
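Review bot: `apiVersion: gateway.networking.k8s.io/v1` for `kind: TLSRoute` — in the Gateway API releases I know, TLSRoute ships only in the experimental channel as `v1alpha2` with no `v1` version, so `kubectl apply` would fail with "no matches for kind TLSRoute" unless the installed CRD bundle differs; confirm with `kubectl api-resources | grep -i tlsroute` and adjust the version to match. The route itself is sound: SNI-based passthrough for both hostnames to `authentik-ldap:6636` keeps the LDAPS session end-to-end to the outpost. Because the gateway never terminates TLS, the `hostnames` match is on the client's SNI alone, so clients that omit SNI will not be routed — worth a one-line comment on the `hostnames` list.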
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: authentik
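Review bot: The Namespace carries no Pod Security Admission labels, so nothing enforces a baseline on what is scheduled into it; the same applies to the bind-internal, bind-system, cattle-system, cert-manager, certificates and cnpg-system Namespace hunks later on this page. Adding `pod-security.kubernetes.io/enforce: baseline` (with `warn`/`audit` at `restricted`) under `metadata.labels` makes the privilege posture explicit per namespace. The redis Deployment in this namespace sets no securityContext at all, so `baseline` is the realistic starting point here, tightening to `restricted` once the workloads are adjusted.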
|
||||||
@@ -0,0 +1,58 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: redis
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
strategy:
|
||||||
|
type: Recreate
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: redis
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: redis
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: redis
|
||||||
|
image: redis:7-alpine
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
args:
|
||||||
|
- --save
|
||||||
|
- "20"
|
||||||
|
- "1"
|
||||||
|
ports:
|
||||||
|
- containerPort: 6379
|
||||||
|
name: redis
|
||||||
|
protocol: TCP
|
||||||
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- redis-cli
|
||||||
|
- ping
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
readinessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- redis-cli
|
||||||
|
- ping
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 512Mi
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 128Mi
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /data
|
||||||
|
name: redis-data
|
||||||
|
volumes:
|
||||||
|
- name: redis-data
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: redis-data
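Review bot: The redis container has no securityContext, while the bind-operator Deployment in this same change sets `runAsNonRoot`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and drops all capabilities; the two should agree, and redis:7-alpine only needs `/data` writable, which the PVC mount already provides. The server is also started without `--requirepass`, so any workload that can reach the `redis` Service can read authentik's sessions and cache; a password from a Secret (with `REDISCLI_AUTH` for the `redis-cli ping` probes) or a NetworkPolicy admitting only the authentik pods — neither is in this hunk — would close that. Finally `image: redis:7-alpine` floats with the tag; a digest pin makes the rollout reproducible. The securityContext I would add is below.
```yaml
      - name: redis
        image: redis:7-alpine
        # … unchanged: imagePullPolicy, args, ports, probes, resources, volumeMounts …
        securityContext:
          runAsNonRoot: true
          runAsUser: 999   # the image's `redis` user; confirm for the pinned tag
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
```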
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
name: redis-data
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 5Gi
|
||||||
|
storageClassName: cephrbd-fast-delete
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: redis
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
internalTrafficPolicy: Cluster
|
||||||
|
ports:
|
||||||
|
- name: redis
|
||||||
|
port: 6379
|
||||||
|
protocol: TCP
|
||||||
|
targetPort: redis
|
||||||
|
selector:
|
||||||
|
app: redis
|
||||||
|
sessionAffinity: None
|
||||||
|
type: ClusterIP
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
allowedNamespaces:
|
||||||
|
- authentik
|
||||||
|
kubernetes:
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
role: default
|
||||||
|
serviceAccount: default
|
||||||
|
tokenExpirationSeconds: 600
|
||||||
|
method: kubernetes
|
||||||
|
mount: k8s/au/syd1
|
||||||
|
vaultConnectionRef: vso-system/default
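Review bot: `serviceAccount: default` ties the Vault role `default` to the namespace's default service account, whose token every pod in `authentik` that leaves `automountServiceAccountToken` unset receives, so any compromised pod in the namespace can authenticate to Vault and read the three static secrets; the rancher VaultAuth later on this page uses a dedicated `rancher` service account, and this one should do the same. Concretely: add a `vault-auth` ServiceAccount with `automountServiceAccountToken: false` (as far as I recall VSO fetches the token through the TokenRequest API, so no pod needs it mounted), set `serviceAccount: vault-auth` here, and bind the Vault role to that account only. The VaultStaticSecret objects reference this VaultAuth by name and are unaffected.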
|
||||||
@@ -0,0 +1,51 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: postgres-credentials
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
destination:
|
||||||
|
create: true
|
||||||
|
name: postgres-credentials
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
mount: kv
|
||||||
|
path: kubernetes/namespace/authentik/default/postgres-credentials
|
||||||
|
refreshAfter: 5m
|
||||||
|
type: kv-v2
|
||||||
|
vaultAuthRef: default
|
||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: authentik-credentials
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
destination:
|
||||||
|
create: true
|
||||||
|
name: authentik-credentials
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
mount: kv
|
||||||
|
path: kubernetes/namespace/authentik/default/authentik-credentials
|
||||||
|
refreshAfter: 5m
|
||||||
|
type: kv-v2
|
||||||
|
vaultAuthRef: default
|
||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: s3-credentials
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
destination:
|
||||||
|
create: true
|
||||||
|
name: s3-credentials
|
||||||
|
overwrite: true
|
||||||
|
hmacSecretData: true
|
||||||
|
mount: kv
|
||||||
|
path: kubernetes/namespace/authentik/default/s3-credentials
|
||||||
|
refreshAfter: 5m
|
||||||
|
type: kv-v2
|
||||||
|
vaultAuthRef: default
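Review bot: None of the three VaultStaticSecret objects declares `rolloutRestartTargets`, so after a credential is rotated in Vault the destination Secret is rewritten within `refreshAfter: 5m` but the pods that read it at start-up keep the old value until something restarts them; for `postgres-credentials` and `authentik-credentials` that shows up as an authentication failure some time after the rotation. If the consumers take these as environment variables, add `rolloutRestartTargets: [{kind: Deployment, name: <consumer>}]` to each object; the consuming Deployments are outside this hunk, so the name is a placeholder.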
|
||||||
@@ -0,0 +1,37 @@
|
|||||||
|
---
|
||||||
|
# Authoritative masters (replaces the 3x Puppet authoritative servers).
|
||||||
|
# pod-0 is the primary; pods 1-2 replicate via the catalog zone + AXFR/IXFR.
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindCluster
|
||||||
|
metadata:
|
||||||
|
name: bind-authoritative
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
mode: authoritative
|
||||||
|
replicas: 3
|
||||||
|
storageClassName: cephrbd-fast-delete
|
||||||
|
storageSize: 2Gi
|
||||||
|
service:
|
||||||
|
type: LoadBalancer
|
||||||
|
annotations:
|
||||||
|
purelb.io/service-group: common
|
||||||
|
purelb.io/addresses: 198.18.200.6
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: bind-authoritative.k8s.syd1.au.unkin.net
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 128Mi
|
||||||
|
limits:
|
||||||
|
cpu: "1"
|
||||||
|
memory: 512Mi
|
||||||
|
---
|
||||||
|
# Catalog zone so new BindZones auto-provision onto the secondaries.
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindCatalogZone
|
||||||
|
metadata:
|
||||||
|
name: bind-authoritative-catalog
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: catalog.internal
|
||||||
|
transferKeyRef: transfer-key
|
||||||
@@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- cluster.yaml
|
||||||
|
- tsigkey.yaml
|
||||||
|
- zones.yaml
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
# Zone-transfer / catalog key. The operator generates the material into a
|
||||||
|
# Secret (transfer-key-tsig); nothing sensitive is committed to git.
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindTSIGKey
|
||||||
|
metadata:
|
||||||
|
name: transfer-key
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
algorithm: hmac-sha256
|
||||||
@@ -0,0 +1,204 @@
|
|||||||
|
# Authoritative zones migrated from puppet-prod
|
||||||
|
# (profiles::dns::master::zones in hieradata/roles/infra/dns/master.yaml).
|
||||||
|
# type primary, static (puppet dynamic:false); TTL 600 as in the puppet zone header.
|
||||||
|
# Record data is populated by PuppetDB exported resources upstream, so it is
|
||||||
|
# NOT in this repo — migrate it into these zones (AXFR from the current masters,
|
||||||
|
# or DNSRecord CRs) as a follow-up. The zones start with SOA+NS only.
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: unkin-net
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: unkin.net
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: main-unkin-net
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: main.unkin.net
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 13-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 13.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 14-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 14.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 15-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 15.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 16-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 16.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 17-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 17.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 19-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 19.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 20-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 20.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 21-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 21.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 22-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 22.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 23-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 23.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 24-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 24.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 25-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 25.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 26-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 26.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 27-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 27.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 28-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 28.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 29-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-authoritative
|
||||||
|
zoneName: 29.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
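Review bot: None of the BindZone objects in this file sets `allowTransfer`, unlike the externaldns zones later on this page which restrict it to `- key externaldns-key`; whether the operator then renders `allow-transfer { none; }` or leaves BIND's version-dependent default is decided outside this hunk, so as written the zones may be AXFR-able by anything that can reach 198.18.200.6. Adding `allowTransfer: [key transfer-key]` to each zone keeps the catalog-driven secondaries working and makes the policy explicit. Separately, the reverse zones run 13–17 and 19–29 with `18.18.198.in-addr.arpa` absent; if that is deliberate, a one-line remark in the header comment would stop it being read as a migration gap.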
|
||||||
@@ -0,0 +1,39 @@
|
|||||||
|
---
|
||||||
|
# external-dns tier (replaces the 3x Puppet external-dns servers). An ordinary
|
||||||
|
# authoritative cluster; external-dns writes to its zones via RFC2136 because
|
||||||
|
# those BindZones set dynamicUpdate (allow-update { key externaldns-key; }).
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindCluster
|
||||||
|
metadata:
|
||||||
|
name: bind-externaldns
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
mode: authoritative
|
||||||
|
replicas: 3
|
||||||
|
storageClassName: cephrbd-fast-delete
|
||||||
|
storageSize: 1Gi
|
||||||
|
service:
|
||||||
|
type: LoadBalancer
|
||||||
|
annotations:
|
||||||
|
purelb.io/service-group: common
|
||||||
|
purelb.io/addresses: 198.18.200.8
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: bind-externaldns.k8s.syd1.au.unkin.net
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 128Mi
|
||||||
|
limits:
|
||||||
|
cpu: "1"
|
||||||
|
memory: 512Mi
|
||||||
|
---
|
||||||
|
# Catalog zone so the dynamic zones replicate onto the cluster's secondaries
|
||||||
|
# (external-dns writes to the primary; secondaries IXFR the result).
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindCatalogZone
|
||||||
|
metadata:
|
||||||
|
name: bind-externaldns-catalog
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-externaldns
|
||||||
|
zoneName: catalog.externaldns.internal
|
||||||
|
transferKeyRef: externaldns-key
|
||||||
@@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- cluster.yaml
|
||||||
|
- tsigkey.yaml
|
||||||
|
- zones.yaml
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
# Key that external-dns (and DNSRecord objects) use to send RFC2136 dynamic
|
||||||
|
# updates to the primary. The operator generates the material into a Secret.
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindTSIGKey
|
||||||
|
metadata:
|
||||||
|
name: externaldns-key
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-externaldns
|
||||||
|
algorithm: hmac-sha256
|
||||||
@@ -0,0 +1,34 @@
|
|||||||
|
# k8s external-dns zones migrated from puppet-prod
|
||||||
|
# (externaldns::k8s_zones in hieradata/roles/infra/dns/externaldns.yaml).
|
||||||
|
# Primary + dynamicUpdate: the Kubernetes external-dns controller writes
|
||||||
|
# records here via RFC2136 authenticated with externaldns-key.
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: k8s-syd1-au-unkin-net
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-externaldns
|
||||||
|
zoneName: k8s.syd1.au.unkin.net
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
dynamicUpdate: true
|
||||||
|
updateKeyRef: externaldns-key
|
||||||
|
allowTransfer:
|
||||||
|
- key externaldns-key
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindZone
|
||||||
|
metadata:
|
||||||
|
name: 200-18-198-in-addr-arpa
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
clusterRef: bind-externaldns
|
||||||
|
zoneName: 200.18.198.in-addr.arpa
|
||||||
|
type: primary
|
||||||
|
defaultTTL: 600
|
||||||
|
dynamicUpdate: true
|
||||||
|
updateKeyRef: externaldns-key
|
||||||
|
allowTransfer:
|
||||||
|
- key externaldns-key
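Review bot: Both zones authorise the same `externaldns-key` for RFC2136 updates (`updateKeyRef`) and for zone transfers (`allowTransfer`), and the catalog zone earlier on this page uses it as `transferKeyRef` as well, so the credential handed to the external-dns controller also lets its holder pull whole zones and steer secondary replication. The authoritative tier already separates the roles with a dedicated `transfer-key`; doing the same here — a second BindTSIGKey for `bind-externaldns`, referenced from `allowTransfer` and the catalog zone, with `externaldns-key` kept for updates only — confines a leaked external-dns key to updates. Whether the operator supports two keys per cluster is not visible in this change, so confirm that before splitting.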
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
- authoritative
|
||||||
|
- resolvers
|
||||||
|
- externaldns
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: bind-internal
|
||||||
@@ -0,0 +1,29 @@
|
|||||||
|
---
|
||||||
|
# Recursive resolvers (replaces the 3x Puppet only-resolver servers).
|
||||||
|
# Three identical recursive servers; no zone replication.
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: BindCluster
|
||||||
|
metadata:
|
||||||
|
name: bind-resolvers
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
mode: resolver
|
||||||
|
replicas: 3
|
||||||
|
storageClassName: cephrbd-fast-delete
|
||||||
|
storageSize: 1Gi
|
||||||
|
service:
|
||||||
|
type: LoadBalancer
|
||||||
|
annotations:
|
||||||
|
purelb.io/service-group: common
|
||||||
|
purelb.io/addresses: 198.18.200.7
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: bind-resolvers.k8s.syd1.au.unkin.net
|
||||||
|
forwarders:
|
||||||
|
- 1.1.1.1
|
||||||
|
- 9.9.9.9
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 128Mi
|
||||||
|
limits:
|
||||||
|
cpu: "1"
|
||||||
|
memory: 512Mi
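Review bot: The resolver spec declares no client ACL, so whether recursion is limited to the site's address ranges or left open depends on what the operator's `resolver` mode renders, which is outside this hunk; a LoadBalancer address with unrestricted recursion is the classic open-resolver/amplification setup, so confirm the operator sets `allow-recursion`/`allow-query` and, if the CRD can express it, set the ACL explicitly here. The forwarders `1.1.1.1` and `9.9.9.9` are reached over plain Do53, so upstream queries leave the site unencrypted; both offer DoT on 853 if the operator can express TLS forwarders. A comment recording which of these is a deliberate choice would help the next reader.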
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- cluster.yaml
|
||||||
@@ -0,0 +1,57 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: bind-operator
|
||||||
|
namespace: bind-system
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: bind-operator
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: bind-operator
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: bind-operator
|
||||||
|
spec:
|
||||||
|
serviceAccountName: bind-operator
|
||||||
|
securityContext:
|
||||||
|
runAsNonRoot: true
|
||||||
|
containers:
|
||||||
|
- name: operator
|
||||||
|
image: git.unkin.net/unkin/bind-operator:v0.1.3
|
||||||
|
args:
|
||||||
|
- --metrics-bind-address=:8080
|
||||||
|
- --health-probe-bind-address=:8081
|
||||||
|
- --leader-elect
|
||||||
|
ports:
|
||||||
|
- containerPort: 8080
|
||||||
|
name: metrics
|
||||||
|
- containerPort: 8081
|
||||||
|
name: health
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /readyz
|
||||||
|
port: 8081
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /healthz
|
||||||
|
port: 8081
|
||||||
|
initialDelaySeconds: 15
|
||||||
|
periodSeconds: 20
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
capabilities:
|
||||||
|
drop: ["ALL"]
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 64Mi
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 256Mi
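Review bot: The container securityContext is close to the PSA `restricted` profile but omits `seccompProfile`, which `restricted` requires at pod or container level; adding `seccompProfile: {type: RuntimeDefault}` under the pod-level `securityContext:` next to `runAsNonRoot: true` costs nothing for a Go controller. The image `git.unkin.net/unkin/bind-operator:v0.1.3` is referenced by tag, and the CRDs in the bind-system kustomization are fetched by the same tag, so a moved tag silently changes both; pinning the image by digest (`image: git.unkin.net/unkin/bind-operator:v0.1.3@sha256:<digest>`) is worth it here.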
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
# CRDs are pulled from the bind-operator repo at the matching tag rather than
|
||||||
|
# vendored here, so they never drift from the operator.
|
||||||
|
- https://git.unkin.net/unkin/bind-operator/raw/tag/v0.1.3/config/crd/install.yaml
|
||||||
|
- rbac.yaml
|
||||||
|
- deployment.yaml
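Review bot: The CRDs are pulled at build time from `https://git.unkin.net/unkin/bind-operator/raw/tag/v0.1.3/config/crd/install.yaml`, i.e. whatever `v0.1.3` points at when kustomize runs, with no checksum; a tag can be moved and a fetch failure makes the whole overlay unbuildable, so the "never drift from the operator" comment holds only while the tag and the image in deployment.yaml are bumped together. If the forge can serve a raw file by commit, prefer that (`raw/commit/<sha>/config/crd/install.yaml`), or vendor `install.yaml` and let CI diff it against the tag. Either way the comment should state that this URL must be updated in lock-step with the image tag.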
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: bind-system
|
||||||
@@ -0,0 +1,46 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: bind-operator
|
||||||
|
namespace: bind-system
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: bind-operator
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["bind.unkin.net"]
|
||||||
|
resources: ["*"]
|
||||||
|
verbs: ["*"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["services", "configmaps", "secrets"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["pods"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["pods/exec"]
|
||||||
|
verbs: ["create", "get"]
|
||||||
|
- apiGroups: ["apps"]
|
||||||
|
resources: ["statefulsets"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["create", "patch"]
|
||||||
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
|
resources: ["leases"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: bind-operator
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: bind-operator
|
||||||
|
namespace: bind-system
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: bind-operator
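Review bot: The ClusterRole grants `pods/exec` create and full CRUD on `secrets` and `configmaps` in every namespace, and the ClusterRoleBinding applies it cluster-wide, although the objects the operator reconciles on this page all live in `bind-internal` (plus leases in `bind-system`). If cluster scope is only needed for watching the `bind.unkin.net` CRDs, split this into a ClusterRole holding that rule and a namespaced Role/RoleBinding in `bind-internal` for the core and apps rules; `pods/exec` in particular is equivalent to holding the target pod's identity, so a cluster-wide grant of it to a single-replica controller is hard to justify. If the operator is meant to manage BindClusters in arbitrary namespaces, a comment above `rules:` saying so would explain the cluster scope.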
|
||||||
@@ -0,0 +1,37 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
traefik.io/instance: internal
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: rancher.k8s.syd1.au.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: rancher.k8s.syd1.au.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: "198.18.200.4"
|
||||||
|
name: rancher
|
||||||
|
namespace: cattle-system
|
||||||
|
spec:
|
||||||
|
gatewayClassName: traefik-internal
|
||||||
|
listeners:
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: rancher.k8s.syd1.au.unkin.net
|
||||||
|
name: http
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
|
- allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
hostname: rancher.k8s.syd1.au.unkin.net
|
||||||
|
name: https
|
||||||
|
port: 443
|
||||||
|
protocol: HTTPS
|
||||||
|
tls:
|
||||||
|
certificateRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Secret
|
||||||
|
name: rancher-tls
|
||||||
|
mode: Terminate
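Review bot: Style only: `external-dns.alpha.kubernetes.io/target: "198.18.200.4"` is quoted here but the same annotation is written unquoted (`198.18.200.4`) on the authentik-ldap and consul Gateways in this change, and the listener fields are ordered `allowedRoutes, hostname, name, port` here versus `name, port, protocol, hostname, allowedRoutes` on the consul Gateway. Both forms are valid, but one quoting convention and one field order (name first reads best) across the gateways makes diffs between them reviewable.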
|
||||||
@@ -0,0 +1,49 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: rancher-http-redirect
|
||||||
|
namespace: cattle-system
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- rancher.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: rancher
|
||||||
|
sectionName: http
|
||||||
|
rules:
|
||||||
|
- filters:
|
||||||
|
- type: RequestRedirect
|
||||||
|
requestRedirect:
|
||||||
|
scheme: https
|
||||||
|
statusCode: 301
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: rancher
|
||||||
|
namespace: cattle-system
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- rancher.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: rancher
|
||||||
|
sectionName: https
|
||||||
|
rules:
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: rancher
|
||||||
|
port: 80
|
||||||
|
weight: 1
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
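Review bot: The `rancher` route terminates TLS on the Gateway and forwards to the `rancher` Service on `port: 80`, so Rancher itself sees plain HTTP; that only works when the Rancher install is configured for external TLS termination (the Helm chart's `tls=external` setting), otherwise Rancher issues its own redirect to HTTPS and the browser loops between this route and `rancher-http-redirect`. The Rancher deployment is outside this change, so confirm that setting, and record the dependency with a comment above `backendRefs:` such as `# TLS is terminated on the Gateway; rancher must run with tls=external`.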
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
- vaultauth.yaml
|
||||||
|
- vaultstaticsecret.yaml
|
||||||
|
- gateway.yaml
|
||||||
|
- httproute.yaml
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: cattle-system
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: rancher
|
||||||
|
namespace: cattle-system
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: k8s/au/syd1
|
||||||
|
vaultConnectionRef: vso-system/default
|
||||||
|
allowedNamespaces:
|
||||||
|
- cattle-system
|
||||||
|
kubernetes:
|
||||||
|
role: rancher
|
||||||
|
serviceAccount: rancher
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
tokenExpirationSeconds: 600
|
||||||
@@ -0,0 +1,15 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: rancher-bootstrap-secret
|
||||||
|
namespace: cattle-system
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: rancher
|
||||||
|
mount: kv
|
||||||
|
type: kv-v2
|
||||||
|
path: service/kubernetes/au/syd1/rancher/bootstrap-password
|
||||||
|
refreshAfter: 5m
|
||||||
|
destination:
|
||||||
|
name: rancher-bootstrap-secret
|
||||||
|
create: true
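Review bot: This VaultStaticSecret omits `overwrite` and `hmacSecretData`, which the three authentik ones on this page set explicitly; with `overwrite` unset VSO will not take over a pre-existing `rancher-bootstrap-secret`, so the two styles should be aligned one way or the other. The bootstrap password is consumed only at Rancher's first login, yet it is re-synced every `refreshAfter: 5m` for the life of the cluster; once Rancher is initialised this object (and the Vault role's read access to `service/kubernetes/au/syd1/rancher/bootstrap-password`) can go, and a `# remove after initial setup` comment on `name: rancher-bootstrap-secret` would record that intent.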
|
||||||
@@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-vault-token-creator
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: "cert-manager-config"
|
||||||
|
app.kubernetes.io/instance: "cert-manager-config"
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["serviceaccounts/token"]
|
||||||
|
verbs: ["create"]
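Review bot: `serviceaccounts/token` create is granted with no `resourceNames` and, through the ClusterRoleBinding in the next hunk, to the `cert-manager` service account cluster-wide, so cert-manager can mint a token for any service account in any namespace — far more than the Vault issuer needs. cert-manager's own Vault-issuer setup, as I recall it, uses a namespaced Role in `cert-manager` with `resourceNames: ["vault-issuer"]` and a RoleBinding; at minimum add `resourceNames: ["vault-issuer"]` to this rule (the ClusterRole then only mints tokens for accounts of that name), or convert both objects to Role/RoleBinding scoped to `cert-manager`.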
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: cert-manager-vault-token-creator
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: "cert-manager-config"
|
||||||
|
app.kubernetes.io/instance: "cert-manager-config"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cert-manager-vault-token-creator
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: cert-manager
|
||||||
|
namespace: cert-manager
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
- serviceaccount.yaml
|
||||||
|
- clusterrole.yaml
|
||||||
|
- clusterrolebinding.yaml
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: cert-manager
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: vault-issuer
|
||||||
|
namespace: cert-manager
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: "cert-manager-config"
|
||||||
|
app.kubernetes.io/instance: "cert-manager-config"
|
||||||
|
app.kubernetes.io/component: "vault-issuer"
|
||||||
|
automountServiceAccountToken: true
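Review bot: `automountServiceAccountToken: true` is set on a service account that no pod runs as — cert-manager obtains this account's tokens through the TokenRequest API (which is what the `serviceaccounts/token` ClusterRole earlier on this page is for), not from a mounted volume — so the explicit `true` only matters if something is one day scheduled under it, and then in the wrong direction. `automountServiceAccountToken: false` states the intent; if there is a reason for `true`, a comment on that line should say what it is.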
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
- vault-ca-cert.yaml
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: certificates
|
||||||
@@ -0,0 +1,59 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: vault-ca-cert
|
||||||
|
namespace: certificates
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: vault-ca-cert
|
||||||
|
app.kubernetes.io/part-of: vault-secrets-operator
|
||||||
|
annotations:
|
||||||
|
description: "Vault CA certificate replicated to all namespaces"
|
||||||
|
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
|
||||||
|
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
|
||||||
|
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""
|
||||||
|
type: Opaque
|
||||||
|
stringData:
|
||||||
|
ca.crt: |
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDujCCAqKgAwIBAgIULZAR/QcvAnxdi04S6bXhNeazozYwDQYJKoZIhvcNAQEL
|
||||||
|
BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDQyNzExMzcyMloXDTI5MDQy
|
||||||
|
NjExMzc1MlowKzEpMCcGA1UEAxMgdW5raW4ubmV0IEludGVybWVkaWF0ZSBBdXRo
|
||||||
|
b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDq0ZU2DnuYW5s
|
||||||
|
E3lPjVe2Ns6cPu64yx1GLVqB5VbOUs71ThRjPjvEwE98YtGMza8ok0CQSqS2qX8z
|
||||||
|
vnMbnVCaWKjCnem/dtQtB+8WCu5uQuNHhwqxgw1tD/klAkVLWGgTPDEgasvjDMkc
|
||||||
|
sW8in/BhtrV9YA/lQGpge+j9/MFXhlnvaLCPybFifPRX9Yc5CcnhSzLSzFPO4PJx
|
||||||
|
VH4Qu9eByyKHMTvgcCy6p9qjjzz+8dtAlxeIsgfTEdvtfCPowsF+v2XooutTsJt0
|
||||||
|
xUDvUDu4xV6tVCEOYRA2cZHkLRBhV289M0hocHrsGqMmA1+j0skwwt/6UkVHqlCT
|
||||||
|
mitItX+RAgMBAAGjgewwgekwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
|
||||||
|
Af8wHQYDVR0OBBYEFEp/+grAdVqRSeb9xJjSeZYNW32MMB8GA1UdIwQYMBaAFBqc
|
||||||
|
v6Y+hfHt4EjgKa/uoQGEHTknMEcGCCsGAQUFBwEBBDswOTA3BggrBgEFBQcwAoYr
|
||||||
|
aHR0cHM6Ly92YXVsdC5zZXJ2aWNlLmNvbnN1bC92MS9wa2lfcm9vdC9jYTA9BgNV
|
||||||
|
HR8ENjA0MDKgMKAuhixodHRwczovL3ZhdWx0LnNlcnZpY2UuY29uc3VsL3YxL3Br
|
||||||
|
aV9yb290L2NybDANBgkqhkiG9w0BAQsFAAOCAQEAM0FS8tscZe7yly/gM7jO6lx5
|
||||||
|
muMFusifjUIrcQGnZBkoECeuUVPNTs3e/Th+XaxjCnmSpqSNT3z9Irr6Hhxf7n03
|
||||||
|
4+hpF3G0bf1yh4DRex/0ua3szvgo91RwyKVQM1BHIA1PwdF8csO+LT4FTMILzo4U
|
||||||
|
DdSVvDEIaxYYQCDNfAD81n+8lmFbabupfsKbkSTR+sNTS+TMnLpN8YwSXdB0e+RU
|
||||||
|
eEZRNVu0jKmbE8U/66Sc33YLe6cxbCclHA+G4giGwEP+lYZk+rFjmr6ci9bj5yyN
|
||||||
|
Sznr7xdW0ofOdACAQFFy5KTZqCDjIrvk12vUn4bSsXmWVIQEd+jPx6wuxD/rSw==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDLzCCAhegAwIBAgIUIDADwsHIrQ8dfncpechBdIUCQdIwDQYJKoZIhvcNAQEL
|
||||||
|
BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDQyNzExMjcwMloXDTM0MDQy
|
||||||
|
NTExMjczMlowFDESMBAGA1UEAxMJdW5raW4ubmV0MIIBIjANBgkqhkiG9w0BAQEF
|
||||||
|
AAOCAQ8AMIIBCgKCAQEA3ENPv7R7gCUJAg8Q4hB2LEZSdvbK155YbcrguLDDnu6m
|
||||||
|
2fkJn8jYMMW3Z6/+Y04ouGwi6sKup8ggTb217sY+dC4IUZjotDPAhruxfXVQAh0v
|
||||||
|
Yr3RYoxVDrm4nRSFLo1RA4Qt+1KK299mHGQf9iAiwbsFp5mDrJT9uz15FE2uWmbK
|
||||||
|
8/onMyJC4fnkMihVN6NIgTtjpHYNm5aAJwxoWldTopgF0ucb7X3XVPNbKAmd3Avd
|
||||||
|
lsOo6m751zSZ0HvJOxgRSy7lvPzMuUfCQsOcmI4O4+Z2FL4Y7p+T9DvWkciC7L3i
|
||||||
|
tBiK30fPfGKNpWaof1ONCcPQNjMwWcEFXqSiWUOXkwIDAQABo3kwdzAOBgNVHQ8B
|
||||||
|
Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGpy/pj6F8e3gSOAp
|
||||||
|
r+6hAYQdOScwHwYDVR0jBBgwFoAUGpy/pj6F8e3gSOApr+6hAYQdOScwFAYDVR0R
|
||||||
|
BA0wC4IJdW5raW4ubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQA5xocILzuvD+R2Iub1
|
||||||
|
UnTdcVpgNcxJmESz0eX4UrkcBmddtuFINXvDTv5//XTFs78LsVVSf00xZ+2C62Xe
|
||||||
|
xRdCdluHN8VDCAKulP4XJY1BiZ7im0v+iMgPDKhq4OXb86WFYI/8J6uRm7oIAwj1
|
||||||
|
zhhKxMimkzli+yHB8ipL15W7l68CMUgmOjFA+EG6sbfadFpQTX/h6TVj3FQPkU/p
|
||||||
|
UJEm2XjlGNAKGJrNRU47PM4vRDv5Joyowp9zv/pHFXvUJladaJupMKRJQVWQz1US
|
||||||
|
EXE67rawG79s3vm8dDolnbli/IhPHtjDRIprxAwrMs5tt9cY0xsRkFBZVcAOjrpb
|
||||||
|
4gqd
|
||||||
|
-----END CERTIFICATE-----
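Review bot: The object holds only public CA certificates yet is a `Secret` replicated into every namespace via `reflection-allowed-namespaces: ""` (empty means all); a ConfigMap carries the same `ca.crt` without requiring anyone who wants to inspect it to be allowed to read Secrets, and reflector handles ConfigMaps the same way. Decoding the validity fields, the intermediate appears to expire in April 2029 and the root in April 2034, and nothing in this change tracks that, so a header comment such as `# intermediate notAfter 2029-04, root notAfter 2034-04 — re-issue and re-apply before then` (check the dates with `openssl x509 -noout -dates`) is worth adding. The chain is also pasted by hand while everything else on this page pulls material from Vault through VSO; if Vault exposes its CA chain on a readable path, a VaultStaticSecret here would keep the two from drifting.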
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: cnpg-system
|
||||||
@@ -0,0 +1,53 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
name: consul
|
||||||
|
namespace: consul
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: consul
|
||||||
|
app.kubernetes.io/instance: consul
|
||||||
|
traefik.io/instance: internal
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: consul.k8s.syd1.au.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
cert-manager.io/alt-names: consul.service.consul
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: consul.k8s.syd1.au.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
||||||
|
spec:
|
||||||
|
gatewayClassName: traefik-internal
|
||||||
|
listeners:
|
||||||
|
- name: http
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
|
hostname: consul.k8s.syd1.au.unkin.net
|
||||||
|
allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
- name: https
|
||||||
|
port: 443
|
||||||
|
protocol: HTTPS
|
||||||
|
hostname: consul.k8s.syd1.au.unkin.net
|
||||||
|
allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
tls:
|
||||||
|
mode: Terminate
|
||||||
|
certificateRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Secret
|
||||||
|
name: consul-tls
|
||||||
|
- name: consul-svc
|
||||||
|
port: 443
|
||||||
|
protocol: HTTPS
|
||||||
|
hostname: consul.service.consul
|
||||||
|
allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
tls:
|
||||||
|
mode: Terminate
|
||||||
|
certificateRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Secret
|
||||||
|
name: consul-tls
|
||||||
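Review bot: The `cert-manager.io/*` annotations in the Gateway's `annotations:` block only produce the `consul-tls` Secret that both `Terminate` listeners reference if cert-manager is running with its Gateway API integration enabled; nothing on this page turns that on, so if it is off the `https` and `consul-svc` listeners stay unprogrammed with no error in this manifest. A comment above the block, `# requires cert-manager's Gateway API support; it populates the consul-tls Secret used by the HTTPS listeners`, would make the dependency explicit. The `consul-svc` listener serves `consul.service.consul` from the same certificateRef, so that name must stay in `cert-manager.io/alt-names` — if either is edited the other has to follow.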
@@ -0,0 +1,83 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: consul-http-redirect
|
||||||
|
namespace: consul
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: consul
|
||||||
|
app.kubernetes.io/instance: consul
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- consul.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: consul
|
||||||
|
sectionName: http
|
||||||
|
rules:
|
||||||
|
- filters:
|
||||||
|
- type: RequestRedirect
|
||||||
|
requestRedirect:
|
||||||
|
scheme: https
|
||||||
|
statusCode: 301
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: consul
|
||||||
|
namespace: consul
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: consul
|
||||||
|
app.kubernetes.io/instance: consul
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- consul.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: consul
|
||||||
|
sectionName: https
|
||||||
|
rules:
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: consul-ui
|
||||||
|
port: 80
|
||||||
|
weight: 1
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: consul-svc
|
||||||
|
namespace: consul
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: consul
|
||||||
|
app.kubernetes.io/instance: consul
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- consul.service.consul
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: consul
|
||||||
|
sectionName: consul-svc
|
||||||
|
rules:
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: consul-ui
|
||||||
|
port: 80
|
||||||
|
weight: 1
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
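Review bot: The `consul` and `consul-svc` HTTPRoutes are identical apart from `hostnames` and `parentRefs[].sectionName`, so they can be one route with both hostnames and two parentRefs — each listener only admits the hostname that intersects its own, so the split is preserved. The explicit `weight: 1` on a lone backendRef is the default and can be dropped in both. Both routes send traffic to `consul-ui` on port 80 after TLS termination, which is presumably the intended in-cluster plaintext hop; a short comment saying so would stop a later reader from treating it as an oversight.
```yaml
spec:
  hostnames:
    - consul.k8s.syd1.au.unkin.net
    - consul.service.consul
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: consul
      sectionName: https
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: consul
      sectionName: consul-svc
  # … unchanged: rules/backendRefs to consul-ui, PathPrefix / match …
```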
@@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
- gateway.yaml
|
||||||
|
- httproute.yaml
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: consul
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
- vaultauth.yaml
|
||||||
|
- vaultstaticsecret.yaml
|
||||||
|
- storageclass.yaml
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: csi-cephfs
|
||||||
@@ -0,0 +1,83 @@
|
|||||||
|
---
|
||||||
|
apiVersion: storage.k8s.io/v1
|
||||||
|
kind: StorageClass
|
||||||
|
metadata:
|
||||||
|
name: cephfs-raid6-delete
|
||||||
|
provisioner: cephfs.csi.ceph.com
|
||||||
|
reclaimPolicy: Delete
|
||||||
|
allowVolumeExpansion: true
|
||||||
|
parameters:
|
||||||
|
clusterID: "cephfs_csi_ssd_ec_6_2"
|
||||||
|
fsName: "cephfs"
|
||||||
|
subVolumeGroup: csi_ssd_ec_6_2
|
||||||
|
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
|
||||||
|
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
|
||||||
|
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
|
||||||
|
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: storage.k8s.io/v1
|
||||||
|
kind: StorageClass
|
||||||
|
metadata:
|
||||||
|
name: cephfs-raid6-retain
|
||||||
|
provisioner: cephfs.csi.ceph.com
|
||||||
|
reclaimPolicy: Retain
|
||||||
|
allowVolumeExpansion: true
|
||||||
|
parameters:
|
||||||
|
clusterID: "cephfs_csi_ssd_ec_6_2"
|
||||||
|
fsName: "cephfs"
|
||||||
|
subVolumeGroup: csi_ssd_ec_6_2
|
||||||
|
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
|
||||||
|
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
|
||||||
|
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
|
||||||
|
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: storage.k8s.io/v1
|
||||||
|
kind: StorageClass
|
||||||
|
metadata:
|
||||||
|
name: cephfs-raid5-delete
|
||||||
|
provisioner: cephfs.csi.ceph.com
|
||||||
|
reclaimPolicy: Delete
|
||||||
|
allowVolumeExpansion: true
|
||||||
|
parameters:
|
||||||
|
clusterID: "cephfs_csi_ssd_ec_4_1"
|
||||||
|
fsName: "cephfs"
|
||||||
|
subVolumeGroup: csi_ssd_ec_4_1
|
||||||
|
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
|
||||||
|
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
|
||||||
|
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
|
||||||
|
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: storage.k8s.io/v1
|
||||||
|
kind: StorageClass
|
||||||
|
metadata:
|
||||||
|
name: cephfs-raid5-retain
|
||||||
|
provisioner: cephfs.csi.ceph.com
|
||||||
|
reclaimPolicy: Retain
|
||||||
|
allowVolumeExpansion: true
|
||||||
|
parameters:
|
||||||
|
clusterID: "cephfs_csi_ssd_ec_4_1"
|
||||||
|
fsName: "cephfs"
|
||||||
|
subVolumeGroup: csi_ssd_ec_4_1
|
||||||
|
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
|
||||||
|
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
|
||||||
|
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
|
||||||
|
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
|
||||||
|
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
|
||||||
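Review bot: All four cephfs StorageClasses carry `csi.storage.k8s.io/controller-publish-secret-name` and `-namespace`, while the RBD classes in the later hunk (`cephrbd-fast-delete`, `cephrbd-fast-retain`) do not; to my knowledge ceph-csi does not implement ControllerPublishVolume, so these two parameters are never consulted and only add another place where `csi-cephfs-secret` is wired in. If that holds, removing them from the four classes makes the cephfs and rbd definitions consistent. The same eight-line secret block is repeated verbatim four times (only `clusterID`, `subVolumeGroup`, `name` and `reclaimPolicy` differ), so a kustomize patch or a per-EC-profile component would shrink the drift surface when the secret name changes.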
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: ceph-csi-cephfs
|
||||||
|
namespace: csi-cephfs
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: k8s/au/syd1
|
||||||
|
vaultConnectionRef: vso-system/default
|
||||||
|
allowedNamespaces:
|
||||||
|
- csi-cephfs
|
||||||
|
kubernetes:
|
||||||
|
role: ceph-csi
|
||||||
|
serviceAccount: ceph-csi-cephfs-csi-cephfs-provisioner
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
tokenExpirationSeconds: 600
|
||||||
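Review bot: `kubernetes.role: ceph-csi` is the same Vault role used by the `ceph-csi-rbd` VaultAuth in a later hunk, even though the two bind different service accounts (`ceph-csi-cephfs-csi-cephfs-provisioner` here, `ceph-csi-rbd-csi-rbd-provisioner` there); a single Kubernetes-auth role attaches one policy set, so unless that policy is templated per service account, each provisioner can read the other's KV secret. The Vault role and policy are not on this page, so this is inferred; if the policy grants both `csi/*` paths, splitting into roles such as `ceph-csi-cephfs` and `ceph-csi-rbd` gives each provisioner only its own path. The namespace-pinned `allowedNamespaces`, `audiences: [vault]` and `tokenExpirationSeconds: 600` are the right shape and should be kept in both.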
@@ -0,0 +1,15 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: csi-cephfs-secret
|
||||||
|
namespace: csi-cephfs
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: ceph-csi-cephfs
|
||||||
|
mount: kv
|
||||||
|
type: kv-v2
|
||||||
|
path: service/kubernetes/au/syd1/csi/ceph-cephfs-secret
|
||||||
|
refreshAfter: 5m
|
||||||
|
destination:
|
||||||
|
name: csi-cephfs-secret
|
||||||
|
create: true
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
- vaultauth.yaml
|
||||||
|
- vaultstaticsecret.yaml
|
||||||
|
- storageclass.yaml
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: csi-cephrbd
|
||||||
@@ -0,0 +1,39 @@
|
|||||||
|
---
|
||||||
|
apiVersion: storage.k8s.io/v1
|
||||||
|
kind: StorageClass
|
||||||
|
metadata:
|
||||||
|
name: cephrbd-fast-delete
|
||||||
|
annotations:
|
||||||
|
storageclass.kubernetes.io/is-default-class: "true"
|
||||||
|
provisioner: rbd.csi.ceph.com
|
||||||
|
reclaimPolicy: Delete
|
||||||
|
allowVolumeExpansion: true
|
||||||
|
parameters:
|
||||||
|
clusterID: "de96a98f-3d23-465a-a899-86d3d67edab8"
|
||||||
|
pool: "kubernetes"
|
||||||
|
imageFeatures: "layering"
|
||||||
|
csi.storage.k8s.io/provisioner-secret-name: "csi-rbd-secret"
|
||||||
|
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephrbd"
|
||||||
|
csi.storage.k8s.io/controller-expand-secret-name: "csi-rbd-secret"
|
||||||
|
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephrbd"
|
||||||
|
csi.storage.k8s.io/node-stage-secret-name: "csi-rbd-secret"
|
||||||
|
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephrbd"
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: storage.k8s.io/v1
|
||||||
|
kind: StorageClass
|
||||||
|
metadata:
|
||||||
|
name: cephrbd-fast-retain
|
||||||
|
provisioner: rbd.csi.ceph.com
|
||||||
|
reclaimPolicy: Retain
|
||||||
|
allowVolumeExpansion: true
|
||||||
|
parameters:
|
||||||
|
clusterID: "de96a98f-3d23-465a-a899-86d3d67edab8"
|
||||||
|
pool: "kubernetes"
|
||||||
|
imageFeatures: "layering"
|
||||||
|
csi.storage.k8s.io/provisioner-secret-name: "csi-rbd-secret"
|
||||||
|
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephrbd"
|
||||||
|
csi.storage.k8s.io/controller-expand-secret-name: "csi-rbd-secret"
|
||||||
|
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephrbd"
|
||||||
|
csi.storage.k8s.io/node-stage-secret-name: "csi-rbd-secret"
|
||||||
|
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephrbd"
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: ceph-csi-rbd
|
||||||
|
namespace: csi-cephrbd
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: k8s/au/syd1
|
||||||
|
vaultConnectionRef: vso-system/default
|
||||||
|
allowedNamespaces:
|
||||||
|
- csi-cephrbd
|
||||||
|
kubernetes:
|
||||||
|
role: ceph-csi
|
||||||
|
serviceAccount: ceph-csi-rbd-csi-rbd-provisioner
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
tokenExpirationSeconds: 600
|
||||||
@@ -0,0 +1,15 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: csi-rbd-secret
|
||||||
|
namespace: csi-cephrbd
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: ceph-csi-rbd
|
||||||
|
mount: kv
|
||||||
|
type: kv-v2
|
||||||
|
path: service/kubernetes/au/syd1/csi/ceph-rbd-secret
|
||||||
|
refreshAfter: 5m
|
||||||
|
destination:
|
||||||
|
name: csi-rbd-secret
|
||||||
|
create: true
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: elastic-system
|
||||||
|
name: elastic-system
|
||||||
@@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
- vaultauth.yaml
|
||||||
|
- vaultstaticsecret.yaml
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: externaldns
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: externaldns
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: k8s/au/syd1
|
||||||
|
vaultConnectionRef: vso-system/default
|
||||||
|
allowedNamespaces:
|
||||||
|
- externaldns
|
||||||
|
kubernetes:
|
||||||
|
role: externaldns
|
||||||
|
serviceAccount: externaldns
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
tokenExpirationSeconds: 600
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: externaldns-tsig
|
||||||
|
namespace: externaldns
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: default
|
||||||
|
mount: kv
|
||||||
|
type: kv-v2
|
||||||
|
path: service/kubernetes/au/syd1/externaldns/tsig
|
||||||
|
refreshAfter: 5m
|
||||||
|
destination:
|
||||||
|
name: externaldns-tsig
|
||||||
|
create: true
|
||||||
|
rolloutRestartTargets:
|
||||||
|
- kind: Deployment
|
||||||
|
name: externaldns
|
||||||
@@ -0,0 +1,19 @@
|
|||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- namespace.yaml
|
||||||
|
|
||||||
|
helmCharts:
|
||||||
|
- name: intel-device-plugins-operator
|
||||||
|
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
|
||||||
|
version: "0.35.0"
|
||||||
|
releaseName: intel-device-plugins-operator
|
||||||
|
namespace: inteldeviceplugins-system
|
||||||
|
- name: intel-device-plugins-gpu
|
||||||
|
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
|
||||||
|
version: "0.34.1"
|
||||||
|
releaseName: intel-gpu-plugin
|
||||||
|
namespace: inteldeviceplugins-system
|
||||||
|
valuesFile: values-gpu-plugin.yaml
|
||||||
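Review bot: The operator chart is pinned to `0.35.0` while `intel-device-plugins-gpu` is `0.34.1`; the Intel device-plugin charts are normally released in lockstep with the operator, and a plugin CR rendered by the older chart may not match the CRD schema served by the newer operator. If the skew is deliberate, a comment next to the version, `# gpu chart held at 0.34.1 — <reason placeholder>`, would stop a future bump from "fixing" it; otherwise align both versions. Pinning exact versions and pulling via the internal `artifactapi` virtual Helm repo is good for reproducibility; whether `includeCRDs: true` is needed on the operator entry depends on the chart's contents, which are not on this page.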
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: inteldeviceplugins-system
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
name: intel-gpu-device-plugin
|
||||||
|
sharedDevNum: 4
|
||||||
|
logLevel: 2
|
||||||
|
enableMonitoring: true
|
||||||
|
allocationPolicy: "none"
|
||||||
|
image:
|
||||||
|
hub: intel
|
||||||
|
tag: "" # Use latest from chart
|
||||||
|
nodeSelector:
|
||||||
|
intel.feature.node.kubernetes.io/gpu: 'true'
|
||||||
|
nodeFeatureRule: true
|
||||||
|
tolerations: []
|
||||||
@@ -0,0 +1,51 @@
|
|||||||
|
# kanidm
|
||||||
|
|
||||||
|
Three-replica kanidm identity server with Vault-managed replication certificates.
|
||||||
|
|
||||||
|
## Architecture
|
||||||
|
|
||||||
|
- Per-pod `server-N.toml` in `resources/` — each has its own replication origin hardcoded
|
||||||
|
- `config-init` busybox init container copies the right config and injects peer certs from the
|
||||||
|
vault-synced `kanidm-repl-certs` Secret at pod startup
|
||||||
|
- `reloader.stakater.com/auto: "true"` triggers a rolling restart when the ConfigMap or Secret changes
|
||||||
|
- Vault path: `kv/kubernetes/namespace/kanidm/default/repl-certs`
|
||||||
|
- Keys: `kanidm-0`, `kanidm-1`, `kanidm-2` — each holds that pod's replication certificate
|
||||||
|
|
||||||
|
## Initial setup
|
||||||
|
|
||||||
|
After the first pod starts, generate the admin credentials:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account -c /config/server.toml admin
|
||||||
|
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account -c /config/server.toml idm_admin
|
||||||
|
```
|
||||||
|
|
||||||
|
## Replication certificate rotation
|
||||||
|
|
||||||
|
When certs need to be renewed, update vault and reloader will roll the StatefulSet:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Get new cert from a pod
|
||||||
|
kubectl exec -it -n kanidm kanidm-N -- /sbin/kanidmd renew-replication-certificate -c /config/server.toml
|
||||||
|
|
||||||
|
# Write updated cert to vault (reloader triggers restart automatically)
|
||||||
|
vault kv patch kv/kubernetes/namespace/kanidm/default/repl-certs "kanidm-N=<cert>"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Resolving domain UUID mismatch
|
||||||
|
|
||||||
|
If pods initialized independently (each with a different domain UUID), replication will fail with
|
||||||
|
`Consumer Domain UUID does not match`. Fix by resetting kanidm-1 and kanidm-2 to sync from
|
||||||
|
kanidm-0 (the authoritative node):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Scale down to avoid split-brain during reset
|
||||||
|
kubectl scale statefulset -n kanidm kanidm --replicas=1
|
||||||
|
|
||||||
|
# Delete the stale PVCs for the replica pods
|
||||||
|
kubectl delete pvc -n kanidm data-kanidm-1 data-kanidm-2
|
||||||
|
|
||||||
|
# Scale back up — replicas start with empty DBs and automatic_refresh=true
|
||||||
|
# will trigger a full sync from kanidm-0 once TLS peer certs are verified
|
||||||
|
kubectl scale statefulset -n kanidm kanidm --replicas=3
|
||||||
|
```
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: kanidm-tls
|
||||||
|
namespace: kanidm
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: kanidm
|
||||||
|
app.kubernetes.io/instance: kanidm
|
||||||
|
spec:
|
||||||
|
secretName: kanidm-tls
|
||||||
|
issuerRef:
|
||||||
|
kind: ClusterIssuer
|
||||||
|
name: vault-issuer
|
||||||
|
commonName: auth.unkin.net
|
||||||
|
dnsNames:
|
||||||
|
- auth.unkin.net
|
||||||
|
- au.auth.unkin.net
|
||||||
|
- kanidm.k8s.syd1.au.unkin.net
|
||||||
|
- kanidm.kanidm.svc.cluster.local
|
||||||
|
- kanidm-0.kanidm-headless.kanidm.svc.cluster.local
|
||||||
|
- kanidm-1.kanidm-headless.kanidm.svc.cluster.local
|
||||||
|
- kanidm-2.kanidm-headless.kanidm.svc.cluster.local
|
||||||
|
privateKey:
|
||||||
|
algorithm: RSA
|
||||||
|
size: 4096
|
||||||
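Review bot: `privateKey` sets `algorithm` and `size` but not `rotationPolicy`, so cert-manager's default (`Never`) applies and the same 4096-bit key is reused on every renewal; add `rotationPolicy: Always` under `privateKey` so each renewal also rotates the key. No `duration`/`renewBefore` are given either, so the lifetime is whatever `vault-issuer` and cert-manager's defaults decide — fine if intended, but worth a one-line comment since the Vault PKI role may cap TTL differently from what the reader expects. The per-pod headless SANs (`kanidm-N.kanidm-headless.kanidm.svc.cluster.local`) sit alongside the public names; a comment noting that this is the HTTPS serving certificate, separate from the Vault-managed replication certificates described in the kanidm README hunk, would avoid confusion between the two.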