Compare commits


15 Commits

Author SHA1 Message Date
unkinben 3ab8bcc34b Restrict authoritative queries to internal networks (#227)
Mirrors the puppet authoritative `master-zones` view (match-clients `acl-main.unkin.net`, recursion no) — restricting who can query bind-authoritative.

## Changes
- add `auth-acl-main` BindACL with the puppet authoritative acl-main.unkin.net networks (13-17,19,20,24-29)
- `allow-query { auth-acl-main; 10.42.0.0/16; }` on bind-authoritative via extraOptions

## Notes
- Implemented as a global `allow-query` rather than a BindView: dynamic *primary* zones inside a view would need per-view `allow-new-zones` (an operator gap). Functionally equivalent for the single master-zones view.
- `10.42.0.0/16` (pod network) is included so secondaries can SOA-refresh from the primary during catalog replication — without it, replication breaks.
- Works on the current operator (no HOLD).

## Caveat
The DNS Services use externalTrafficPolicy: Cluster, which SNATs external clients to node IPs (198.18.19.x, already in acl-main), so this ACL doesn't truly restrict *external* clients yet. True source-IP restriction needs externalTrafficPolicy: Local — happy to switch if wanted.

Reviewed-on: #227
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-04 22:15:43 +10:00
unkinben c8d61205ce Configure resolvers like puppet (openforwarder view + forward zones) (#226)
## Why
`dig google.com @198.18.200.7` was refused: the resolver never set allow-recursion, so BIND defaulted to localnets/localhost. This mirrors the puppet resolver (/etc/named/views.conf + acls.conf) exactly.

## Changes
- `openforwarder` BindView: `match-clients` = the 4 internal ACLs, recursion yes, allow-recursion/allow-query `any` (match-clients gates)
- 4 BindACLs from puppet acls.conf (acl-main.unkin.net/acl-dmz/acl-common/acl-nomad-jobs)
- 26 conditional forward zones in the view (unkin→198.18.19.15, consul→.14, k8s→.20, dmz/network/prod + 10.10.x reverse → 10.10.16.32/33)
- global forwarders 8.8.8.8/1.1.1.1
- operator image → v0.1.4

## Note
Forward-zone upstreams point at the **puppet anycast** servers (still authoritative during migration); flip to the in-cluster authoritative/externaldns LBs once zone data is migrated.

## Validated
kustomize build (59 docs), kubeconform clean.

Reviewed-on: #226
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-04 21:55:33 +10:00
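How a client is admitted to the `openforwarder` view and which upstream a query is forwarded to (#226), plus why `allow-query` on bind-authoritative does not yet see real external source addresses under `externalTrafficPolicy: Cluster` (#227), modelled as an added Python example; this is not code from this repo or from the bind operator. The acl-dmz/acl-common/acl-nomad-jobs ranges, the node IP, and the expansion of "unkin", "consul" and "k8s" to full zone names are assumptions.

```python
import ipaddress

# Constructed from the commit messages above (#226/#227). Only acl-main's
# networks are on the page; the other three ACL ranges are assumed placeholders.
ACLS = {
    "acl-main.unkin.net": [f"198.18.{n}.0/24" for n in
                           (13, 14, 15, 16, 17, 19, 20, 24, 25, 26, 27, 28, 29)],
    "acl-dmz": ["198.18.30.0/24"],         # assumed placeholder range
    "acl-common": ["198.18.31.0/24"],      # assumed placeholder range
    "acl-nomad-jobs": ["198.18.32.0/24"],  # assumed placeholder range
}

# openforwarder view: match-clients = the four internal ACLs; BIND evaluates
# views in order and the first match-clients hit wins.
VIEWS = [("openforwarder", list(ACLS))]

# Four of the 26 conditional forward zones from #226. "unkin.net",
# "consul" and "k8s.syd1.au.unkin.net" are assumed expansions of the
# abbreviations used in the commit message.
FORWARD_ZONES = {
    "unkin.net": ["198.18.19.15"],
    "consul": ["198.18.19.14"],
    "k8s.syd1.au.unkin.net": ["198.18.19.20"],
    "10.10.in-addr.arpa": ["10.10.16.32", "10.10.16.33"],
}
GLOBAL_FORWARDERS = ["8.8.8.8", "1.1.1.1"]

# bind-authoritative allow-query from #227: the ACL plus the pod network.
POD_NET = "10.42.0.0/16"
AUTH_ALLOW_QUERY = ACLS["acl-main.unkin.net"] + [POD_NET]
NODE_IP = "198.18.19.41"  # assumed node address; nodes live in acl-main per #227


def in_networks(ip, networks):
    """True when ip falls inside any of the CIDR strings."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def match_view(client_ip):
    """Name of the first view whose match-clients admits the source.
    None models REFUSED, which is what the resolver returned before #226."""
    for name, acl_names in VIEWS:
        nets = [net for acl in acl_names for net in ACLS[acl]]
        if in_networks(client_ip, nets):
            return name
    return None


def choose_forwarders(qname):
    """The closest enclosing forward zone wins (longest matching suffix);
    names under no forward zone go to the global forwarders."""
    name = qname.rstrip(".").lower()
    best = None
    for zone in FORWARD_ZONES:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return FORWARD_ZONES[best] if best else GLOBAL_FORWARDERS


def resolver_plan(client_ip, qname):
    """Combine the two checks: None when refused, else view + upstream."""
    view = match_view(client_ip)
    if view is None:
        return None
    return {"view": view, "forwarders": choose_forwarders(qname)}


def source_seen_by_named(client_ip, external_traffic_policy):
    """Models a client arriving through the LoadBalancer Service:
    externalTrafficPolicy Cluster SNATs it to a node IP, Local keeps it."""
    if external_traffic_policy == "Cluster":
        return NODE_IP
    return client_ip


def auth_query_allowed(client_ip, external_traffic_policy="Cluster"):
    """allow-query on bind-authoritative, evaluated against the address
    named actually sees. With Cluster, an external client passes because
    the node IP is inside acl-main (the caveat raised in #227)."""
    seen = source_seen_by_named(client_ip, external_traffic_policy)
    return in_networks(seen, AUTH_ALLOW_QUERY)
```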
unkinben ce8ebc71ce Consolidate BIND DNS into one bind-internal namespace (#225)
**HOLD until v0.1.3 is tagged/built** (operator #4 merged + tagged) — this PR bumps the operator to v0.1.3, whose CRD adds the `clusterRef` field these keys use.

## Why
Put all BIND DNS services in one `bind-internal` namespace and name the StatefulSets clearly.

## Changes
- 3 clusters consolidated into `bind-internal`, StatefulSets renamed **bind-authoritative** / **bind-resolvers** / **bind-externaldns**; LBs kept on 198.18.200.6/.7/.8; external-dns hostnames renamed to match
- `clusterRef` added to `transfer-key` (→ bind-authoritative) and `externaldns-key` (→ bind-externaldns) so keys are scoped per cluster
- removed the old `ns-auth`/`ns-resolver`/`ns-externaldns` apps; ApplicationSet + AppProject now list `bind-internal`
- bumped `bind-system` operator to **v0.1.3** (CRD link + image)
- operator stays in `bind-system`

## Deploy impact
ArgoCD prunes the old ns-* namespaces (StatefulSets/PVCs — data is only seed SOA+NS, no migrated records yet) and creates the renamed clusters in bind-internal.

## Validated
`kustomize build` → 28 docs (3 BindCluster, 20 BindZone, 2 catalog, 2 keys, ns); kubeconform clean.

Reviewed-on: #225
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-04 00:35:43 +10:00
unkinben 7c9a697452 Deploy binddns-externaldns (RFC2136 dynamic cluster) (#222)
Part of the bind rollout split. **Merge #219 (bind-operator) first** — stacked on it; diff reduces to the binddns-externaldns files once #219 merges.

## Why
The external-dns tier (replaces 3x Puppet external-dns servers): an authoritative cluster whose zones accept RFC2136 TSIG updates from external-dns.

## Changes
- `apps/base/binddns-externaldns`: authoritative `BindCluster` (3 replicas, LoadBalancer/PureLB), `BindTSIGKey` for RFC2136, namespace
- au-syd1 `binddns-externaldns` overlay

## Deploy impact
Creates the `binddns-externaldns` StatefulSet + LoadBalancer once merged.

Reviewed-on: #222
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-03 23:09:36 +10:00
unkinben 6affc5d8f4 Deploy binddns-resolver (recursive resolver cluster) (#221)
Part of the bind rollout split. **Merge #219 (bind-operator) first** — stacked on it; diff reduces to the binddns-resolver files once #219 merges.

## Why
The recursive-resolver tier (replaces 3x Puppet only-resolver servers): 3 identical recursive servers with upstream forwarders.

## Changes
- `apps/base/binddns-resolver`: resolver `BindCluster` (3 replicas, forwarders, LoadBalancer/PureLB), namespace
- au-syd1 `binddns-resolver` overlay

## Deploy impact
Creates the `binddns-resolver` StatefulSet + LoadBalancer once merged.

Reviewed-on: #221
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-03 23:08:06 +10:00
unkinben de123af1b1 Bump bind-operator image to v0.1.2 (#224)
**HOLD until v0.1.2 is tagged/built** (bind-operator #3 merged + tagged).

Picks up the zone-provisioning fix (seed glue A record + IP-based primaries + Pod watch) so the clusters stop failing to load their zones.

- `apps/base/bind-system/deployment.yaml`: image v0.1.1 -> v0.1.2

Reviewed-on: #224
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-03 23:03:37 +10:00
unkinben 649ed07ab0 Deploy binddns-auth (authoritative BIND cluster) (#220)
Part of the bind rollout split. **Merge #219 (bind-operator) first** — this PR is stacked on it, so its diff will reduce to just the binddns-auth files once #219 merges.

## Why
The authoritative masters tier (replaces 3x Puppet authoritative servers): pod-0 primary + 2 secondaries replicating via the catalog zone + AXFR/IXFR.

## Changes
- `apps/base/binddns-auth`: authoritative `BindCluster` (3 replicas, LoadBalancer/PureLB), `BindCatalogZone`, transfer `BindTSIGKey`, namespace
- au-syd1 `binddns-auth` overlay

## Deploy impact
Creates the `binddns-auth` StatefulSet + LoadBalancer once merged.

Reviewed-on: #220
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-03 21:23:25 +10:00
unkinben dbb5ad4f86 Rename bind DNS namespaces to ns-* (#223)
Renames the three BIND DNS app namespaces `binddns-{auth,resolver,externaldns}` -> `ns-{auth,resolver,externaldns}`.

## Why
Shorter, clearer namespace names for the DNS tiers.

## Changes
- `argocd/applicationsets/platform.yaml`: overlay path registrations renamed (the ApplicationSet derives each app's namespace from its overlay dir name)
- `argocd/projects/platform.yaml`: destination namespaces renamed

## Coupled with
The per-tier PRs (#220/#221/#222) rename the overlay dirs + namespaces + external-dns hostnames to match. No app deploys to a renamed namespace until both this and the tier PR are merged (harmless before then — the ApplicationSet only instantiates apps for existing dirs).

Reviewed-on: #223
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-03 21:16:24 +10:00
unkinben 4b8f9313c8 Deploy bind-operator (operator + CRDs) (#219)
First of a 4-PR split of the bind rollout (was #216). Deploys just the operator control plane so it can be verified before any DNS clusters exist.

## Why
Roll out incrementally: operator + CRDs first, then each BIND tier as its own PR.

## Changes
- `apps/base/bind-system`: operator Deployment (`git.unkin.net/unkin/bind-operator:v0.1.1`), RBAC, namespace; CRDs pulled from the operator repo by raw URL (`config/crd/install.yaml` @ v0.1.1)
- au-syd1 `bind-system` overlay
- register all four bind apps in `argocd/applicationsets/platform.yaml` (DNS overlays instantiate only when their dirs land in the follow-up PRs)
- add `binddns-*` namespaces to `argocd/projects/platform.yaml`
- add `schemas/bind.unkin.net/*.json` for kubeconform

## Deploy impact
Operator pod + CRDs only. No DNS services yet — the operator is idle until BindClusters exist.

## Follow-ups (merge after this)
binddns-auth, binddns-resolver, binddns-externaldns — one PR each.

Reviewed-on: #219
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-03 20:04:57 +10:00
unkinben bb330a0365 chore(artifactapi): deploy v3.7.4 (#218)
## Why

artifactapi `v3.7.4` images are built and pushed; au-syd1 is on `v3.7.3`. This rolls forward to ship the terraform provider registry.

## Changes

- `api-deployment`: `artifactapi` `v3.7.3` → `v3.7.4`
- `ui-deployment`: `artifactapi-ui` `v3.7.3` → `v3.7.4`

## What's new in v3.7.4

- Local terraform repos are now a real provider registry: `/.well-known/terraform.json` + `providers.v1` versions/download with GPG-signed SHA256SUMS (#102).
- The signing key self-provisions in the DB (`signing_keys` table) — no K8s secret to mount, so no deployment wiring needed.

Once synced, `terraform init` against `source = "artifactapi.k8s.syd1.au.unkin.net/<repo>/<type>"` works.

Reviewed-on: #218
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-03 19:40:38 +10:00
unkinben 15225433e9 chore(artifactapi): deploy v3.7.3 (#215)
## Why

artifactapi images `v3.7.3` are built and pushed to the registry, but au-syd1 is still running `v3.6.5`. This rolls the deployment forward to pick up the recent fixes.

## Changes

- `api-deployment`: `artifactapi` `v3.6.5` → `v3.7.3`
- `ui-deployment`: `artifactapi-ui` `v3.6.5` → `v3.7.3`

Included in v3.7.x since v3.6.5:
- Local-repo files now appear in the cached-objects UI (#99).
- Evicting a local RPM prunes its repodata metadata (#100).
- The bare domain redirects to the web UI at /ui (#101).

Reviewed-on: #215
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-03 15:14:28 +10:00
unkinben bbb9acba36 feat: add woodpecker service accounts for media terraform repos (#214)
Add Kubernetes ServiceAccounts in the woodpecker namespace for terraform-sonarr, terraform-radarr, and terraform-prowlarr CI pipelines.

Reviewed-on: #214
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 22:04:33 +10:00
benvin 48f32a044d fix: update TLSRoute to v1 (#213)
TLSRoutes are now in standard, no longer experimental

---------

Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #213
2026-06-28 17:50:27 +10:00
unkinben 7f1444fb38 Add Authentik identity provider deployment (#211)
## Summary
- Deploy Authentik (identity.unkin.net) via Helm chart 2026.5.3
- CNPG PostgreSQL cluster (3 instances) with separate rw/ro poolers (2 instances each)
- Redis with 5Gi persistent storage
- Gateway API for HTTPS (identity.unkin.net) and LDAPS (ldap.k8s.syd1.au.unkin.net, ldap.main.unkin.net)
- TLSRoute for LDAPS passthrough, HTTPRoute for external-dns record creation
- Vault secrets for postgres credentials, authentik secret key, and S3 storage credentials
- S3 storage via RadosGW (bucket: authentik)
- 3 server replicas, 2 worker replicas
- Woodpecker ServiceAccount for terraform-authentik CI
- Platform applicationset and project updated

## Dependencies
- terraform-git #15 (merged) — repo definition
- terraform-vault #78 (merged) — auth roles and Consul ACL

## Vault secrets needed before deploy
Write to `kv/kubernetes/namespace/authentik/default/`:
- `postgres-credentials`: username + password
- `authentik-credentials`: AUTHENTIK_SECRET_KEY
- `s3-credentials`: S3 access key + secret key

Reviewed-on: #211
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 17:42:49 +10:00
unkinben 784c3b5de1 Add JSON schema generation for kubeconform CRD validation (#212)
## Summary
- New `ci/generate-schemas.sh` script that generates JSON schemas from three sources:
  1. Live cluster CRDs via `kubectl get crds`
  2. Offline CRD manifests (ArgoCD v3.3.2, Gateway API v1.5.1)
  3. Kubernetes v1.33.7 swagger spec for native types
- Schemas follow Datree catalog convention (`<group>/<Kind>_<version>.json`)
- `validate-apps.sh` and `validate-clusters.sh` check local schemas first, falling back to remote
- Fixes TLSRoute (and other CRD) schema validation failures in kubeconform

## Sources
- ArgoCD: `artifactapi.../argoproj/argo-cd/refs/tags/v3.3.2/manifests/ha/install.yaml`
- Gateway API: `artifactapi.../kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml`
- Kubernetes: `artifactapi.../kubernetes/kubernetes/refs/tags/v1.33.7/api/openapi-spec/swagger.json`

Reviewed-on: #212
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 17:26:08 +10:00
362 changed files with 3634 additions and 7593 deletions
+1 -1
@@ -1,4 +1,4 @@
.PHONY: build clean .PHONY: build clean schemas
# Build a kustomization path to manifests directory # Build a kustomization path to manifests directory
# Usage: make build clusters/au-syd1/bootstrap # Usage: make build clusters/au-syd1/bootstrap
+1 -1
@@ -35,7 +35,7 @@ spec:
mountPath: /combined-certs mountPath: /combined-certs
containers: containers:
- name: api - name: api
image: git.unkin.net/unkin/artifactapi:v3.6.5 image: git.unkin.net/unkin/artifactapi:v3.7.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- containerPort: 8000 - containerPort: 8000
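Review bot: the image is bumped by mutable tag (`v3.7.4`) while `imagePullPolicy: IfNotPresent` stays, so a node that already has something cached under that tag would never re-pull if the tag were ever re-pushed. Pin the image by digest (`git.unkin.net/unkin/artifactapi:v3.7.4@sha256:<digest>`) so the rollout is tied to the exact build that was validated.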
+1 -1
@@ -22,7 +22,7 @@ spec:
automountServiceAccountToken: true automountServiceAccountToken: true
containers: containers:
- name: ui - name: ui
image: git.unkin.net/unkin/artifactapi-ui:v3.6.5 image: git.unkin.net/unkin/artifactapi-ui:v3.7.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- containerPort: 80 - containerPort: 80
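Review bot: same point as the api deployment: `artifactapi-ui:v3.7.4` is a floating tag rather than a digest; pin both in the same change so the UI and API ship as a verified pair.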
+91
@@ -0,0 +1,91 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: postgres
namespace: authentik
spec:
affinity:
podAntiAffinityType: preferred
bootstrap:
initdb:
database: authentik
encoding: UTF8
localeCType: C
localeCollate: C
owner: authentik
secret:
name: postgres-credentials
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
instances: 3
logLevel: info
maxSyncReplicas: 0
minSyncReplicas: 0
monitoring:
customQueriesConfigMap:
- key: queries
name: cnpg-default-monitoring
disableDefaultQueries: false
enablePodMonitor: false
postgresql:
parameters:
archive_mode: "on"
archive_timeout: 5min
dynamic_shared_memory_type: posix
effective_cache_size: 256MB
full_page_writes: "on"
log_destination: csvlog
log_directory: /controller/log
log_filename: postgres
log_rotation_age: "0"
log_rotation_size: "0"
log_truncate_on_rotation: "false"
logging_collector: "on"
max_connections: "200"
max_parallel_workers: "16"
max_replication_slots: "16"
max_worker_processes: "16"
shared_buffers: 128MB
shared_memory_type: mmap
ssl_max_protocol_version: TLSv1.3
ssl_min_protocol_version: TLSv1.3
wal_keep_size: 256MB
wal_level: logical
wal_log_hints: "on"
wal_receiver_timeout: 5s
wal_sender_timeout: 5s
syncReplicaElectionConstraint:
enabled: false
primaryUpdateMethod: restart
primaryUpdateStrategy: unsupervised
probes:
liveness:
isolationCheck:
connectionTimeout: 1000
enabled: true
requestTimeout: 1000
replicationSlots:
highAvailability:
enabled: true
slotPrefix: _cnpg_
synchronizeReplicas:
enabled: true
updateInterval: 30
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
smartShutdownTimeout: 180
startDelay: 3600
stopDelay: 1800
storage:
resizeInUseVolumes: true
size: 20Gi
storageClass: cephrbd-fast-delete
switchoverDelay: 3600
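Review bot: `minSyncReplicas: 0` / `maxSyncReplicas: 0` makes all three instances asynchronous, so an `unsupervised` failover can discard transactions the IdP has already acknowledged (sessions, token grants); for a 3-instance cluster `minSyncReplicas: 1` with `maxSyncReplicas: 2` is the usual setting. The manifest also has no `backup` stanza, so `archive_mode: "on"` archives nowhere and there is no PITR for the identity database; add a `barmanObjectStore` target (the RadosGW bucket from the PR description would do) before this goes live.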
+66
@@ -0,0 +1,66 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: postgres-pooler-rw
namespace: authentik
spec:
cluster:
name: postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler-rw
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler-rw
topologyKey: kubernetes.io/hostname
containers: []
type: rw
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: postgres-pooler-ro
namespace: authentik
spec:
cluster:
name: postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler-ro
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler-ro
topologyKey: kubernetes.io/hostname
containers: []
type: ro
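Review bot: each pooler runs 2 PgBouncer instances with `default_pool_size: "100"` in `session` mode, so rw and ro together can hold up to 400 server connections against a primary configured with `max_connections: "200"` (cnpg_cluster.yaml); under load the poolers exhaust the backend and clients queue behind `max_client_conn`. Size `default_pool_size` so that instances × pool size per pooler stays under `max_connections` minus CNPG's reserved slots, or move the rw pooler to `poolMode: transaction` if Authentik's driver tolerates it.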
+57
@@ -0,0 +1,57 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: identity.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: identity.unkin.net,identity.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
name: authentik
namespace: authentik
spec:
gatewayClassName: traefik-internal
listeners:
- allowedRoutes:
namespaces:
from: Same
hostname: identity.unkin.net
name: http
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: Same
hostname: identity.unkin.net
name: https
port: 443
protocol: HTTPS
tls:
certificateRefs:
- group: ""
kind: Secret
name: authentik-tls
mode: Terminate
- allowedRoutes:
namespaces:
from: Same
hostname: identity.k8s.syd1.au.unkin.net
name: http-internal
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: Same
hostname: identity.k8s.syd1.au.unkin.net
name: https-internal
port: 443
protocol: HTTPS
tls:
certificateRefs:
- group: ""
kind: Secret
name: authentik-tls
mode: Terminate
+59
@@ -0,0 +1,59 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: authentik-http-redirect
namespace: authentik
spec:
hostnames:
- identity.unkin.net
- identity.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik
sectionName: http
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik
sectionName: http-internal
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: authentik
namespace: authentik
spec:
hostnames:
- identity.unkin.net
- identity.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik
sectionName: https
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik
sectionName: https-internal
rules:
- backendRefs:
- group: ""
kind: Service
name: authentik-server
port: 80
weight: 1
matches:
- path:
type: PathPrefix
value: /
+19
@@ -0,0 +1,19 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- gateway.yaml
- httproute.yaml
- ldap-gateway.yaml
- ldap-httproute.yaml
- ldap-service.yaml
- ldap-tlsroute.yaml
- namespace.yaml
- redis-deployment.yaml
- redis-pvc.yaml
- redis-service.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
+47
@@ -0,0 +1,47 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: ldap.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
name: authentik-ldap
namespace: authentik
spec:
gatewayClassName: traefik-internal
listeners:
- allowedRoutes:
namespaces:
from: Same
hostname: ldap.k8s.syd1.au.unkin.net
name: ldaps-internal
port: 636
protocol: TLS
tls:
mode: Passthrough
- allowedRoutes:
namespaces:
from: Same
hostname: ldap.main.unkin.net
name: ldaps-main
port: 636
protocol: TLS
tls:
mode: Passthrough
- allowedRoutes:
namespaces:
from: Same
hostname: ldap.k8s.syd1.au.unkin.net
name: http-dns
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: Same
hostname: ldap.main.unkin.net
name: http-dns-main
port: 80
protocol: HTTP
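Review bot: the `cert-manager.io/*` annotations have no effect on this Gateway: the cert-manager gateway shim only issues certificates for listeners in `Terminate` mode with `certificateRefs`, and both port-636 listeners are `Passthrough`. Either drop the annotations or add a comment saying where the LDAPS certificate actually comes from (the Authentik LDAP outpost behind `authentik-ldap`), so nobody assumes `ldap.main.unkin.net` is being renewed by cert-manager.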
+32
@@ -0,0 +1,32 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: authentik-ldap-dns
namespace: authentik
annotations:
external-dns.alpha.kubernetes.io/hostname: ldap.k8s.syd1.au.unkin.net,ldap.main.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
spec:
hostnames:
- ldap.k8s.syd1.au.unkin.net
- ldap.main.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik-ldap
sectionName: http-dns
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik-ldap
sectionName: http-dns-main
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
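Review bot: the redirect sends port-80 clients to `https://ldap.…/`, but this Gateway has no HTTPS listener (only 636/TLS passthrough and 80/HTTP), so the redirect dead-ends; per the PR description the route exists only so external-dns publishes the two hostnames with `target: 198.18.200.4`. A one-line comment in the manifest saying so would stop the next reader from hunting for the missing HTTPS listener.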
+18
@@ -0,0 +1,18 @@
---
apiVersion: v1
kind: Service
metadata:
name: authentik-ldap
namespace: authentik
spec:
internalTrafficPolicy: Cluster
ports:
- name: ldaps
port: 6636
protocol: TCP
targetPort: 6636
selector:
app.kubernetes.io/name: authentik
app.kubernetes.io/component: ldap
sessionAffinity: None
type: ClusterIP
+26
@@ -0,0 +1,26 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: TLSRoute
metadata:
name: authentik-ldaps
namespace: authentik
spec:
hostnames:
- ldap.k8s.syd1.au.unkin.net
- ldap.main.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik-ldap
sectionName: ldaps-internal
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik-ldap
sectionName: ldaps-main
rules:
- backendRefs:
- group: ""
kind: Service
name: authentik-ldap
port: 6636
weight: 1
+5
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: authentik
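Review bot: the namespace carries no Pod Security Admission labels; since it will host the identity provider, set `pod-security.kubernetes.io/enforce: restricted` (or at least `baseline`) plus the matching `warn`/`audit` labels so a mis-specified Redis or outpost pod cannot run privileged here.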
+58
@@ -0,0 +1,58 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
namespace: authentik
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: redis:7-alpine
imagePullPolicy: IfNotPresent
args:
- --save
- "20"
- "1"
ports:
- containerPort: 6379
name: redis
protocol: TCP
livenessProbe:
exec:
command:
- redis-cli
- ping
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
exec:
command:
- redis-cli
- ping
initialDelaySeconds: 5
periodSeconds: 10
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
volumeMounts:
- mountPath: /data
name: redis-data
volumes:
- name: redis-data
persistentVolumeClaim:
claimName: redis-data
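Review bot: Redis runs without authentication (`--save 20 1` only, no `--requirepass`) and without a `securityContext`, and the kustomization adds no NetworkPolicy, so any pod in the cluster that can reach `redis.authentik.svc` can read and rewrite Authentik's session and cache data. Pass a password from a Vault-backed Secret via `--requirepass`, add `runAsNonRoot: true` / `readOnlyRootFilesystem: true` (the `/data` mount stays writable), and restrict ingress to the authentik server and worker pods. `redis:7-alpine` is also a floating tag; pin it to a specific release.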
+13
@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: redis-data
namespace: authentik
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: cephrbd-fast-delete
+17
@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: Service
metadata:
name: redis
namespace: authentik
spec:
internalTrafficPolicy: Cluster
ports:
- name: redis
port: 6379
protocol: TCP
targetPort: redis
selector:
app: redis
sessionAffinity: None
type: ClusterIP
+18
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: authentik
spec:
allowedNamespaces:
- authentik
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
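Review bot: `serviceAccount: default` binds the Vault role to the namespace's default ServiceAccount, so any workload later given that SA, or any principal with RBAC to create tokens for it, can mint a `vault`-audience token and log in with the same role. A dedicated ServiceAccount for VSO (e.g. `vault-auth`, with `automountServiceAccountToken: false`) keeps the Vault identity separate from the application pods.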
@@ -0,0 +1,51 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-credentials
namespace: authentik
spec:
destination:
create: true
name: postgres-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/authentik/default/postgres-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: authentik-credentials
namespace: authentik
spec:
destination:
create: true
name: authentik-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/authentik/default/authentik-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: s3-credentials
namespace: authentik
spec:
destination:
create: true
name: s3-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/authentik/default/s3-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
@@ -0,0 +1,26 @@
---
# Internal client networks allowed to query the authoritative servers,
# mirrored from the puppet authoritative /etc/named/acls.conf
# (acl-main.unkin.net). Named auth-acl-main because the resolver has its own,
# differently-scoped acl-main.unkin.net in the same namespace.
apiVersion: bind.unkin.net/v1alpha1
kind: BindACL
metadata:
name: auth-acl-main
namespace: bind-internal
spec:
clusterRef: bind-authoritative
entries:
- 198.18.13.0/24
- 198.18.14.0/24
- 198.18.15.0/24
- 198.18.16.0/24
- 198.18.17.0/24
- 198.18.19.0/24
- 198.18.20.0/24
- 198.18.24.0/24
- 198.18.25.0/24
- 198.18.26.0/24
- 198.18.27.0/24
- 198.18.28.0/24
- 198.18.29.0/24
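Review bot: `198.18.19.0/24` is in the list, and per the PR description that is also where the node IPs live, so with `externalTrafficPolicy: Cluster` on the DNS Services every external client arrives SNATed to an address this ACL accepts. The ACL is correct as a mirror of puppet, but the `externalTrafficPolicy: Local` change the description mentions should land in the same PR or be tracked, otherwise the title "Restrict authoritative queries to internal networks" overstates what this enforces.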
@@ -0,0 +1,42 @@
---
# Authoritative masters (replaces the 3x Puppet authoritative servers).
# pod-0 is the primary; pods 1-2 replicate via the catalog zone + AXFR/IXFR.
apiVersion: bind.unkin.net/v1alpha1
kind: BindCluster
metadata:
name: bind-authoritative
namespace: bind-internal
spec:
mode: authoritative
replicas: 3
storageClassName: cephrbd-fast-delete
storageSize: 2Gi
# Restrict queries to internal networks (puppet acl-main.unkin.net).
# 10.42.0.0/16 (pod net) is required so secondaries can SOA-refresh
# from the primary during catalog replication.
extraOptions:
- "allow-query { auth-acl-main; 10.42.0.0/16; }"
service:
type: LoadBalancer
annotations:
purelb.io/service-group: common
purelb.io/addresses: 198.18.200.6
external-dns.alpha.kubernetes.io/hostname: bind-authoritative.k8s.syd1.au.unkin.net
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: "1"
memory: 512Mi
---
# Catalog zone so new BindZones auto-provision onto the secondaries.
apiVersion: bind.unkin.net/v1alpha1
kind: BindCatalogZone
metadata:
name: bind-authoritative-catalog
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: catalog.internal
transferKeyRef: transfer-key
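Review bot: `allow-query { auth-acl-main; 10.42.0.0/16; }` admits the whole pod network, not just the two secondaries, and because it is a global option it also covers the catalog zone, so every workload in the cluster can query the authoritative zones regardless of the ACL. If that trade-off is accepted for SOA refresh, say so in the comment; otherwise narrow the grant to the secondaries' addresses if the operator exposes a way to reference them. Also worth confirming that the operator pins `allow-transfer` to `transfer-key`, since it is not set here and an unrestricted AXFR would expose full zone data to the same pod network.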
@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cluster.yaml
- tsigkey.yaml
- zones.yaml
- acls.yaml
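Review bot: `acls.yaml` is listed after `cluster.yaml`, and the BindCluster's `extraOptions` reference `auth-acl-main` by name; if the operator renders named.conf before the BindACL has been reconciled, named will refuse to start on an undefined acl. Worth confirming the operator requeues in that case, or at least list `acls.yaml` first so the apply order matches the dependency.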
@@ -0,0 +1,11 @@
---
# Zone-transfer / catalog key. The operator generates the material into a
# Secret (transfer-key-tsig); nothing sensitive is committed to git.
apiVersion: bind.unkin.net/v1alpha1
kind: BindTSIGKey
metadata:
name: transfer-key
namespace: bind-internal
spec:
clusterRef: bind-authoritative
algorithm: hmac-sha256
@@ -0,0 +1,204 @@
# Authoritative zones migrated from puppet-prod
# (profiles::dns::master::zones in hieradata/roles/infra/dns/master.yaml).
# type primary, static (puppet dynamic:false); TTL 600 as in the puppet zone header.
# Record data is populated by PuppetDB exported resources upstream, so it is
# NOT in this repo — migrate it into these zones (AXFR from the current masters,
# or DNSRecord CRs) as a follow-up. The zones start with SOA+NS only.
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: unkin-net
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: unkin.net
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: main-unkin-net
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: main.unkin.net
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 13-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 13.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 14-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 14.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 15-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 15.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 16-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 16.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 17-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 17.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 19-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 19.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 20-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 20.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 21-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 21.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 22-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 22.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 23-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 23.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 24-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 24.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 25-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 25.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 26-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 26.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 27-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 27.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 28-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 28.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 29-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 29.18.198.in-addr.arpa
type: primary
defaultTTL: 600
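Review bot: the header comment says record data will be migrated "as a follow-up" but gives no issue or PR reference; please link it, since until then these 18 primary zones answer NXDOMAIN for every name under them, and #226 deliberately keeps the resolvers forwarding to the puppet anycast servers rather than here. The 16 reverse zones also differ only in the third octet; a kustomize generator or a short loop would make the set easier to audit than 200 lines of near-duplicates.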
@@ -0,0 +1,39 @@
---
# external-dns tier (replaces the 3x Puppet external-dns servers). An ordinary
# authoritative cluster; external-dns writes to its zones via RFC2136 because
# those BindZones set dynamicUpdate (allow-update { key externaldns-key; }).
apiVersion: bind.unkin.net/v1alpha1
kind: BindCluster
metadata:
name: bind-externaldns
namespace: bind-internal
spec:
mode: authoritative
replicas: 3
storageClassName: cephrbd-fast-delete
storageSize: 1Gi
service:
type: LoadBalancer
annotations:
purelb.io/service-group: common
purelb.io/addresses: 198.18.200.8
external-dns.alpha.kubernetes.io/hostname: bind-externaldns.k8s.syd1.au.unkin.net
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: "1"
memory: 512Mi
---
# Catalog zone so the dynamic zones replicate onto the cluster's secondaries
# (external-dns writes to the primary; secondaries IXFR the result).
apiVersion: bind.unkin.net/v1alpha1
kind: BindCatalogZone
metadata:
name: bind-externaldns-catalog
namespace: bind-internal
spec:
clusterRef: bind-externaldns
zoneName: catalog.externaldns.internal
transferKeyRef: externaldns-key
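Review bot: `transferKeyRef: externaldns-key` reuses the key that external-dns holds for RFC2136 updates (see the BindTSIGKey comment and the zones' updateKeyRef) as the catalog transfer key, so the credential sitting in the external-dns pod also authorises transfers of the catalog and, through the zones' allowTransfer, of every zone it lists. A second BindTSIGKey dedicated to primary-to-secondary replication keeps the external-dns key limited to updates; BindCatalogZone already takes the key by name, so only the ref changes. Separately, this cluster is exposed as a LoadBalancer on 198.18.200.8 with no query restriction anywhere in its spec, yet its zones hold only internal 198.18.x records; consider limiting allow-query to the internal ACLs via extraOptions, or comment why it is left open.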
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cluster.yaml
- tsigkey.yaml
- zones.yaml
@@ -0,0 +1,11 @@
---
# Key that external-dns (and DNSRecord objects) use to send RFC2136 dynamic
# updates to the primary. The operator generates the material into a Secret.
apiVersion: bind.unkin.net/v1alpha1
kind: BindTSIGKey
metadata:
name: externaldns-key
namespace: bind-internal
spec:
clusterRef: bind-externaldns
algorithm: hmac-sha256
@@ -0,0 +1,34 @@
# k8s external-dns zones migrated from puppet-prod
# (externaldns::k8s_zones in hieradata/roles/infra/dns/externaldns.yaml).
# Primary + dynamicUpdate: the Kubernetes external-dns controller writes
# records here via RFC2136 authenticated with externaldns-key.
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: k8s-syd1-au-unkin-net
namespace: bind-internal
spec:
clusterRef: bind-externaldns
zoneName: k8s.syd1.au.unkin.net
type: primary
defaultTTL: 600
dynamicUpdate: true
updateKeyRef: externaldns-key
allowTransfer:
- key externaldns-key
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 200-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-externaldns
zoneName: 200.18.198.in-addr.arpa
type: primary
defaultTTL: 600
dynamicUpdate: true
updateKeyRef: externaldns-key
allowTransfer:
- key externaldns-key
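Review bot: `allowTransfer: - key externaldns-key` grants zone transfers to the same key that `updateKeyRef` uses for dynamic updates, so the update credential doubles as an AXFR credential; pointing allowTransfer at a separate replication key (the one the catalog zone would use) keeps the two privileges apart. Also, allowTransfer is written as a raw BIND address-match-list fragment (`key externaldns-key`) while updateKeyRef is a structured reference; if the CRD accepts both, a short comment on which form is validated would help, since a typo in the raw form is only caught when named loads the config, not at admission.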
@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- authoritative
- resolvers
- externaldns
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: bind-internal
@@ -0,0 +1,65 @@
# Internal client ACLs, mirrored from puppet /etc/named/acls.conf.
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindACL
metadata:
name: acl-main.unkin.net
namespace: bind-internal
spec:
clusterRef: bind-resolvers
entries:
- 198.18.1.10/32
- 198.18.2.160/27
- 198.18.21.160/27
- 198.18.2.192/27
- 198.18.21.192/27
- 198.18.13.0/24
- 198.18.14.0/24
- 198.18.15.0/24
- 198.18.16.0/24
- 198.18.17.0/24
- 198.18.18.0/24
- 198.18.19.0/24
- 198.18.20.0/24
- 198.18.21.0/24
- 198.18.22.0/24
- 198.18.23.0/24
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindACL
metadata:
name: acl-dmz
namespace: bind-internal
spec:
clusterRef: bind-resolvers
entries:
- 198.18.24.0/24
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindACL
metadata:
name: acl-common
namespace: bind-internal
spec:
clusterRef: bind-resolvers
entries:
- 198.18.25.0/24
- 198.18.26.0/24
- 198.18.27.0/24
- 198.18.28.0/24
- 198.18.29.0/24
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindACL
metadata:
name: acl-nomad-jobs
namespace: bind-internal
spec:
clusterRef: bind-resolvers
entries:
- 198.18.64.0/24
- 198.18.65.0/24
- 198.18.66.0/24
- 198.18.67.0/24
- 198.18.68.0/24
- 198.18.69.0/24
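Review bot: 198.18.21.160/27 and 198.18.21.192/27 are already covered by 198.18.21.0/24 in the same list, so the two /27s are redundant (the 198.18.2.160/27 and 198.18.2.192/27 entries are the only 198.18.2.x entries and are the deliberate ones). Redundant entries are harmless to BIND, but either drop the two /27s or keep a comment that the list is intentionally verbatim from puppet, otherwise the next editor will not know which. Also all four ACLs carry `clusterRef: bind-resolvers`, so they cannot be referenced from the authoritative cluster; if the same networks are needed there they have to be duplicated, which is where the two copies will start to drift.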
@@ -0,0 +1,29 @@
---
# Recursive resolvers (replaces the 3x Puppet only-resolver servers).
# Three identical recursive servers; no zone replication.
apiVersion: bind.unkin.net/v1alpha1
kind: BindCluster
metadata:
name: bind-resolvers
namespace: bind-internal
spec:
mode: resolver
replicas: 3
storageClassName: cephrbd-fast-delete
storageSize: 1Gi
service:
type: LoadBalancer
annotations:
purelb.io/service-group: common
purelb.io/addresses: 198.18.200.7
external-dns.alpha.kubernetes.io/hostname: bind-resolvers.k8s.syd1.au.unkin.net
forwarders:
- 8.8.8.8
- 1.1.1.1
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: "1"
memory: 512Mi
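Review bot: `forwarders: 8.8.8.8, 1.1.1.1` sends every query the conditional forward zones do not catch to public resolvers over plain UDP/TCP 53, which includes reverse lookups for any 198.18.x range that has no forward zone and any mistyped internal name. If that exposure is accepted, record it in the file comment next to "no zone replication"; if not, the resolvers should either recurse directly instead of forwarding or the operator needs a forward-only/DoT setting. Note also that these forwarders apply cluster-wide, so they are the fallback for every view, not just the openforwarder one.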
@@ -0,0 +1,284 @@
# Conditional forward zones, from the puppet openforwarder view.
# Upstreams: unkin authoritative 198.18.200.6, consul 198.18.19.14, k8s 198.18.200.8.
# k8s -> in-cluster bind-externaldns 198.18.200.8.
# (Zones that forwarded to 10.10.16.x were dropped; consul left as-is.)
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-unkin-net
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: unkin.net
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-main-unkin-net
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: main.unkin.net
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-consul
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: consul
type: forward
catalog: false
forwarders:
- 198.18.19.14
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-k8s-syd1-au-unkin-net
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: k8s.syd1.au.unkin.net
type: forward
catalog: false
forwarders:
- 198.18.200.8
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-13-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 13.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-14-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 14.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-15-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 15.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-16-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 16.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-17-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 17.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-19-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 19.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-20-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 20.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-21-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 21.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-22-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 22.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-23-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 23.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-24-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 24.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-25-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 25.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-26-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 26.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-27-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 27.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-28-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 28.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-29-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 29.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
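Review bot: the reverse forward zones cover 13-17 and 19-29.18.198.in-addr.arpa only, yet the ACLs admit clients from 198.18.1.x, 198.18.2.x, 198.18.18.0/24 and 198.18.64-69.0/24, and the externaldns tier is primary for 200.18.198.in-addr.arpa; PTR queries for all of those fall through to the cluster-level public forwarders. The 200.18.198 reverse zone should forward to 198.18.200.8 alongside `fwd-k8s-syd1-au-unkin-net`, and the others need either a forward zone or a comment explaining the omission. Also each zone lists `forwarders` but no forward policy; if the operator renders BIND's default `forward first`, an unreachable 198.18.200.6 makes named fall back to the global forwarders for these internal names, so confirm it emits `forward only` or add it via extraOptions.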
@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cluster.yaml
- acls.yaml
- view.yaml
- forward-zones.yaml
@@ -0,0 +1,23 @@
---
# openforwarder view, mirrored from puppet /etc/named/views.conf.
# match-clients gates access to internal networks; recursion/query are 'any'
# within the view since match-clients already restricts who reaches it.
apiVersion: bind.unkin.net/v1alpha1
kind: BindView
metadata:
name: openforwarder
namespace: bind-internal
spec:
clusterRef: bind-resolvers
order: 100
matchClients:
- acl-main.unkin.net
- acl-nomad-jobs
- acl-common
- acl-dmz
recursion: true
allowQuery:
- any
extraOptions:
- "allow-recursion { any; }"
- "allow-query-cache { any; }"
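Review bot: `allow-query-cache { any; }` in extraOptions is redundant: when allow-recursion is set, BIND defaults allow-query-cache to the same list, so the line can go (or carry a comment that it is deliberate). More importantly, the view's entire access control is the four ACL names in matchClients; with `allowQuery: any` and `allow-recursion { any; }` there is no second gate, so one over-broad ACL entry turns 198.18.200.7 into an open resolver. Setting allow-recursion to the same ACL list instead of `any` costs nothing and means both lists must agree before a client can recurse. Passing allow-recursion as a raw string also bypasses whatever validation the CRD applies to allowQuery; a typed field would be the cleaner fix.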
@@ -0,0 +1,57 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: bind-operator
namespace: bind-system
labels:
app.kubernetes.io/name: bind-operator
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: bind-operator
template:
metadata:
labels:
app.kubernetes.io/name: bind-operator
spec:
serviceAccountName: bind-operator
securityContext:
runAsNonRoot: true
containers:
- name: operator
image: git.unkin.net/unkin/bind-operator:v0.1.4
args:
- --metrics-bind-address=:8080
- --health-probe-bind-address=:8081
- --leader-elect
ports:
- containerPort: 8080
name: metrics
- containerPort: 8081
name: health
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 500m
memory: 256Mi
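Review bot: the pod securityContext sets `runAsNonRoot: true` and the container drops all capabilities with a read-only root filesystem, but neither level sets `seccompProfile: { type: RuntimeDefault }`, which the Pod Security `restricted` profile requires; add it under the pod-level securityContext. Also `image: git.unkin.net/unkin/bind-operator:v0.1.4` is a mutable tag; pin by digest (`@sha256:<digest>`) so the running operator is exactly the build that matches the CRDs the kustomization fetches.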
@@ -0,0 +1,11 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
# CRDs are pulled from the bind-operator repo at the matching tag rather than
# vendored here, so they never drift from the operator.
- https://git.unkin.net/unkin/bind-operator/raw/tag/v0.1.3/config/crd/install.yaml
- rbac.yaml
- deployment.yaml
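Review bot: the comment says the CRDs are fetched "at the matching tag ... so they never drift from the operator", but the URL pins `v0.1.3` while deployment.yaml in this same change runs `bind-operator:v0.1.4`; the two have already diverged in the first commit. Either bump the URL to v0.1.4 or drive both from a single kustomize replacement so they cannot disagree. Note also that a remote URL resource is re-fetched on every `kustomize build`, so CI validation now depends on git.unkin.net being reachable from the runner.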
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: bind-system
@@ -0,0 +1,46 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bind-operator
namespace: bind-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: bind-operator
rules:
- apiGroups: ["bind.unkin.net"]
resources: ["*"]
verbs: ["*"]
- apiGroups: [""]
resources: ["services", "configmaps", "secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create", "get"]
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: bind-operator
subjects:
- kind: ServiceAccount
name: bind-operator
namespace: bind-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: bind-operator
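Review bot: the ClusterRole grants create on `pods/exec` and full CRUD on `secrets` in every namespace, and the ClusterRoleBinding applies it cluster-wide, so a compromise of the operator pod yields a shell in any pod and read access to every Secret in the cluster. The operator only needs to manage and exec into the bind StatefulSets it creates, so scope it: a Role plus RoleBinding in each namespace that hosts a BindCluster (bind-internal today), with the ClusterRole reduced to the `bind.unkin.net` group, events and leases. If it must stay cluster-wide, document why exec is required at all and constrain pods/exec and secrets with an admission policy.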
@@ -7,7 +7,11 @@ resources:
- cnpg_cluster.yaml - cnpg_cluster.yaml
- cnpg_pooler.yaml - cnpg_pooler.yaml
- serviceaccount_terraform_artifactapi.yaml - serviceaccount_terraform_artifactapi.yaml
- serviceaccount_terraform_authentik.yaml
- serviceaccount_terraform_git.yaml - serviceaccount_terraform_git.yaml
- serviceaccount_terraform_prowlarr.yaml
- serviceaccount_terraform_radarr.yaml
- serviceaccount_terraform_sonarr.yaml
- serviceaccount_terraform_vault.yaml - serviceaccount_terraform_vault.yaml
- vaultauth.yaml - vaultauth.yaml
- vaultstaticsecret.yaml - vaultstaticsecret.yaml
@@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-authentik
namespace: woodpecker
@@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-prowlarr
namespace: woodpecker
@@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-radarr
namespace: woodpecker
@@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-sonarr
namespace: woodpecker
@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/authentik
helmCharts:
- name: authentik
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "2026.5.3"
releaseName: authentik
namespace: authentik
valuesFile: values.yaml
@@ -0,0 +1,105 @@
global:
env:
# PostgreSQL primary (via pooler)
- name: AUTHENTIK_POSTGRESQL__HOST
value: postgres-pooler-rw
- name: AUTHENTIK_POSTGRESQL__PORT
value: "5432"
- name: AUTHENTIK_POSTGRESQL__NAME
value: authentik
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: postgres-credentials
key: username
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
key: password
# PostgreSQL read replica (via pooler)
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__HOST
value: postgres-pooler-ro
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PORT
value: "5432"
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__NAME
value: authentik
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__USER
valueFrom:
secretKeyRef:
name: postgres-credentials
key: username
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
key: password
# PostgreSQL pooler settings
- name: AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS
value: "true"
- name: AUTHENTIK_POSTGRESQL__CONN_MAX_AGE
value: "0"
- name: AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECKS
value: "true"
# Redis
- name: AUTHENTIK_REDIS__HOST
value: redis
- name: AUTHENTIK_REDIS__PORT
value: "6379"
# S3 storage
- name: AUTHENTIK_STORAGE__BACKEND
value: s3
- name: AUTHENTIK_STORAGE__S3__ENDPOINT
value: https://radosgw.service.consul/
- name: AUTHENTIK_STORAGE__S3__BUCKET_NAME
value: authentik
- name: AUTHENTIK_STORAGE__S3__ADDRESSING_STYLE
value: path
- name: AUTHENTIK_STORAGE__S3__ACCESS_KEY
valueFrom:
secretKeyRef:
name: s3-credentials
key: AUTHENTIK_STORAGE__S3__ACCESS_KEY
- name: AUTHENTIK_STORAGE__S3__SECRET_KEY
valueFrom:
secretKeyRef:
name: s3-credentials
key: AUTHENTIK_STORAGE__S3__SECRET_KEY
# Secret key
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-credentials
key: AUTHENTIK_SECRET_KEY
server:
replicas: 3
annotations:
reloader.stakater.com/auto: "true"
ingress:
enabled: false
resources:
limits:
cpu: "2"
memory: 2Gi
requests:
cpu: 250m
memory: 512Mi
worker:
replicas: 2
annotations:
reloader.stakater.com/auto: "true"
resources:
limits:
cpu: "2"
memory: 2Gi
requests:
cpu: 250m
memory: 512Mi
postgresql:
enabled: false
redis:
enabled: false
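Review bot: `AUTHENTIK_REDIS__HOST: redis` is set with no password or TLS variables, so the session and cache store is reached unauthenticated on `redis:6379`; confirm a NetworkPolicy limits that Service to the authentik server and worker pods, or supply the Redis password from a Secret as is done for PostgreSQL and S3. Also `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE: "0"` is correct for transaction-pooling through the CNPG pooler, but a one-line comment saying so would stop someone raising it later to "reuse connections".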
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/bind-internal
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/bind-system
@@ -10,7 +10,10 @@ spec:
repoURL: https://git.unkin.net/unkin/argocd-apps repoURL: https://git.unkin.net/unkin/argocd-apps
revision: HEAD revision: HEAD
directories: directories:
- path: apps/overlays/*/authentik
- path: apps/overlays/*/artifactapi - path: apps/overlays/*/artifactapi
- path: apps/overlays/*/bind-system
- path: apps/overlays/*/bind-internal
- path: apps/overlays/*/age-api - path: apps/overlays/*/age-api
- path: apps/overlays/*/cattle-system - path: apps/overlays/*/cattle-system
- path: apps/overlays/*/cert-manager - path: apps/overlays/*/cert-manager
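Review bot: `apps/overlays/*/bind-system` and `apps/overlays/*/bind-internal` become two independent Applications, and bind-internal's BindCluster/BindZone objects can only apply once bind-system has installed the CRDs; with no ordering hint the first sync of bind-internal fails with unknown kinds until it is retried. Add `argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true` on the bind-internal resources, or a sync wave/retry on the generated app, so bootstrap is not order-dependent.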
@@ -19,6 +19,10 @@ spec:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'age-api' - namespace: 'age-api'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'authentik'
server: https://kubernetes.default.svc
- namespace: 'bind-internal'
server: https://kubernetes.default.svc
- namespace: 'cert-manager' - namespace: 'cert-manager'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'certificates' - namespace: 'certificates'
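Review bot: this adds `authentik` and `bind-internal` as project destinations but not `bind-system`, while the ApplicationSet in the same change generates an app for `apps/overlays/*/bind-system`; unless bind-system is already listed outside the shown context lines, that Application will be rejected by the project. Add the destination (or switch to a namespace glob if that is the intent).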
@@ -5,40 +5,26 @@ SCHEMA_DIR="${1:-schemas}"
rm -rf "$SCHEMA_DIR" rm -rf "$SCHEMA_DIR"
mkdir -p "$SCHEMA_DIR" mkdir -p "$SCHEMA_DIR"
CRD_URLS=( echo "==> Fetching CRDs from cluster..." >&2
"https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github_user/argoproj/argo-cd/refs/tags/v3.3.2/manifests/ha/install.yaml" kubectl get crds -o json | python3 -c "
"https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml" import sys, json, os
)
SWAGGER_URL="https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github_user/kubernetes/kubernetes/refs/tags/v1.33.7/api/openapi-spec/swagger.json"
write_schema='
import json, os
def write_schema(schema, schema_dir, group, kind, version): def write_schema(schema, schema_dir, group, kind, version):
"""Strip descriptions and write compact JSON with trailing newline."""
def strip_descriptions(obj): def strip_descriptions(obj):
if isinstance(obj, dict): if isinstance(obj, dict):
return {k: strip_descriptions(v) for k, v in obj.items() if k != "description"} return {k: strip_descriptions(v) for k, v in obj.items() if k != 'description'}
if isinstance(obj, list): if isinstance(obj, list):
return [strip_descriptions(i) for i in obj] return [strip_descriptions(i) for i in obj]
return obj return obj
schema = strip_descriptions(schema) schema = strip_descriptions(schema)
group_dir = os.path.join(schema_dir, group) if group else schema_dir group_dir = os.path.join(schema_dir, group)
os.makedirs(group_dir, exist_ok=True) os.makedirs(group_dir, exist_ok=True)
fname = f"{kind}_{version}.json".lower() fname = f'{kind}_{version}.json'.lower()
with open(os.path.join(group_dir, fname), "w") as f: with open(os.path.join(group_dir, fname), 'w') as f:
json.dump(schema, f, indent=2, sort_keys=True) json.dump(schema, f, indent=2, sort_keys=True)
f.write("\n") f.write('\n')
print(f" Generated: {group}/{fname}" if group else f" Generated: {fname}", file=__import__("sys").stderr) print(f' Generated: {group}/{fname}', file=sys.stderr)
'
if command -v kubectl &>/dev/null && kubectl cluster-info &>/dev/null 2>&1; then
echo "==> Fetching CRDs from cluster..." >&2
kubectl get crds -o json | python3 -c "
import sys, json, os
$write_schema
data = json.load(sys.stdin) data = json.load(sys.stdin)
for crd in data.get('items', []): for crd in data.get('items', []):
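Review bot: dropping the `command -v kubectl` guard means the script now unconditionally runs `kubectl get crds`, so schema generation fails on a machine without cluster access instead of degrading; if that is intended, fail early with a clear message (a `kubectl cluster-info` check) rather than a pipe error. More significantly, the CRD schemas now come only from the live cluster rather than pinned manifests, so what CI validates tracks whatever is installed, including a CRD version the cluster has but git does not; pinning the source to the operator's install.yaml at its tag, as the bind-system kustomization does, keeps validation tied to the repository.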
@@ -59,69 +45,6 @@ for crd in data.get('items', []):
schema['properties'].setdefault('metadata', {'type': 'object'}) schema['properties'].setdefault('metadata', {'type': 'object'})
write_schema(schema, '$SCHEMA_DIR', group, kind, version) write_schema(schema, '$SCHEMA_DIR', group, kind, version)
" "
else
echo "==> kubectl not available, skipping cluster CRDs" >&2
fi
echo "==> Downloading CRD manifests..." >&2
for url in "${CRD_URLS[@]}"; do
echo " Fetching: $url" >&2
curl -sSfL "$url"
done | python3 -c "
import sys, json, yaml, os
$write_schema
for doc in yaml.safe_load_all(sys.stdin):
if doc is None or doc.get('kind') != 'CustomResourceDefinition':
continue
spec = doc.get('spec', {})
group = spec.get('group', '')
kind = spec.get('names', {}).get('kind', '')
for ver in spec.get('versions', []):
version = ver.get('name', '')
openapi = ver.get('schema', {}).get('openAPIV3Schema', {})
if not openapi:
continue
group_dir = os.path.join('$SCHEMA_DIR', group)
fname = f'{kind}_{version}.json'.lower()
if os.path.exists(os.path.join(group_dir, fname)):
continue
schema = dict(openapi)
schema['\$schema'] = 'http://json-schema.org/draft-07/schema#'
schema['type'] = 'object'
schema.setdefault('properties', {})
schema['properties'].setdefault('apiVersion', {'type': 'string'})
schema['properties'].setdefault('kind', {'type': 'string'})
schema['properties'].setdefault('metadata', {'type': 'object'})
write_schema(schema, '$SCHEMA_DIR', group, kind, version)
"
echo "==> Downloading Kubernetes swagger spec..." >&2
curl -sSfL "$SWAGGER_URL" | python3 -c "
import sys, json, os
$write_schema
swagger = json.load(sys.stdin)
definitions = swagger.get('definitions', {})
for defn_name, defn in definitions.items():
for gvk in defn.get('x-kubernetes-group-version-kind', []):
group = gvk.get('group', '')
version = gvk.get('version', '')
kind = gvk.get('kind', '')
schema = {
'\$schema': 'http://json-schema.org/draft-07/schema#',
'type': 'object',
'properties': {},
'additionalProperties': True,
}
for prop_name, prop_val in defn.get('properties', {}).items():
prop_copy = {k: v for k, v in prop_val.items() if k != '\$ref'}
if not prop_copy.get('type') and len(prop_copy) > 0:
prop_copy['type'] = 'object'
prop_copy['additionalProperties'] = True
schema['properties'][prop_name] = prop_copy
write_schema(schema, '$SCHEMA_DIR', group, kind, version)
"
total=$(find "$SCHEMA_DIR" -name '*.json' | wc -l) total=$(find "$SCHEMA_DIR" -name '*.json' | wc -l)
echo "==> Schema generation complete: $total schemas in $SCHEMA_DIR" >&2 echo "==> Schema generation complete: $total schemas in $SCHEMA_DIR" >&2
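Review bot: removing the swagger-derived core schemas and the remote CRD manifests leaves core kinds to kubeconform's default schema source; the deleted files further down show why they were a liability (unresolvable `$ref: #/definitions/...` inside `items`), so the removal is sound, but the kubeconform wrappers should then point at the upstream kubernetes-json-schema for the cluster's version so that `-skip CustomResourceDefinition` is the only exception. Also `group_dir = os.path.join(schema_dir, group)` now assumes a non-empty group, which holds for CRDs but silently nests core-group kinds under an empty path component if that branch is ever reinstated.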
@@ -21,6 +21,6 @@ while IFS= read -r -d "" k; do
-summary \ -summary \
-output pretty \ -output pretty \
-verbose \ -verbose \
\ -skip CustomResourceDefinition \
"${schema_args[@]}" "${schema_args[@]}"
done < <(find apps/overlays -name kustomization.yaml -print0) done < <(find apps/overlays -name kustomization.yaml -print0)
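Review bot: `-skip CustomResourceDefinition` means the CRD install manifest referenced from the bind-system kustomization is never schema-checked; acceptable because it is upstream's own file, but record the reason in the script so the skip is not widened later, and confirm kubeconform still treats a missing schema for any other kind as an error (`-strict` and no `-ignore-missing-schemas`) so an unregistered CRD surfaces as a failure rather than a silent skip.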
@@ -21,6 +21,6 @@ while IFS= read -r -d "" k; do
-summary \ -summary \
-output pretty \ -output pretty \
-verbose \ -verbose \
\ -skip CustomResourceDefinition \
"${schema_args[@]}" "${schema_args[@]}"
done < <(find clusters -name kustomization.yaml -print0) done < <(find clusters -name kustomization.yaml -print0)
@@ -1,37 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"dryRun": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"gracePeriodSeconds": {
"format": "int64",
"type": "integer"
},
"ignoreStoreReadErrorWithClusterBreakingPotential": {
"type": "boolean"
},
"kind": {
"type": "string"
},
"orphanDependents": {
"type": "boolean"
},
"preconditions": {
"additionalProperties": true,
"type": "object"
},
"propagationPolicy": {
"type": "string"
}
},
"type": "object"
}
@@ -1,37 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"dryRun": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"gracePeriodSeconds": {
"format": "int64",
"type": "integer"
},
"ignoreStoreReadErrorWithClusterBreakingPotential": {
"type": "boolean"
},
"kind": {
"type": "string"
},
"orphanDependents": {
"type": "boolean"
},
"preconditions": {
"additionalProperties": true,
"type": "object"
},
"propagationPolicy": {
"type": "string"
}
},
"type": "object"
}
@@ -1,14 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"object": {
"additionalProperties": true,
"type": "object"
},
"type": {
"type": "string"
}
},
"type": "object"
}
@@ -1,14 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"object": {
"additionalProperties": true,
"type": "object"
},
"type": {
"type": "string"
}
},
"type": "object"
}
@@ -1,37 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"dryRun": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"gracePeriodSeconds": {
"format": "int64",
"type": "integer"
},
"ignoreStoreReadErrorWithClusterBreakingPotential": {
"type": "boolean"
},
"kind": {
"type": "string"
},
"orphanDependents": {
"type": "boolean"
},
"preconditions": {
"additionalProperties": true,
"type": "object"
},
"propagationPolicy": {
"type": "string"
}
},
"type": "object"
}
@@ -1,37 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"dryRun": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"gracePeriodSeconds": {
"format": "int64",
"type": "integer"
},
"ignoreStoreReadErrorWithClusterBreakingPotential": {
"type": "boolean"
},
"kind": {
"type": "string"
},
"orphanDependents": {
"type": "boolean"
},
"preconditions": {
"additionalProperties": true,
"type": "object"
},
"propagationPolicy": {
"type": "string"
}
},
"type": "object"
}
@@ -1,37 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"dryRun": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"gracePeriodSeconds": {
"format": "int64",
"type": "integer"
},
"ignoreStoreReadErrorWithClusterBreakingPotential": {
"type": "boolean"
},
"kind": {
"type": "string"
},
"orphanDependents": {
"type": "boolean"
},
"preconditions": {
"additionalProperties": true,
"type": "object"
},
"propagationPolicy": {
"type": "string"
}
},
"type": "object"
}
@@ -1,21 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
},
"spec": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,21 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
},
"spec": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"items": {
"items": {
"$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding"
},
"type": "array"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
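Review bot: the deletion is correct: `"$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding"` under `items` has no `definitions` section in this standalone file, so the schema could never resolve; the old generator stripped `$ref` only at the top level of each property, not inside `items`. Nothing further is needed now that the swagger generator path is gone.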
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"items": {
"items": {
"$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy"
},
"type": "array"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,29 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
},
"webhooks": {
"items": {
"$ref": "#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhook"
},
"type": "array",
"x-kubernetes-list-map-keys": [
"name"
],
"x-kubernetes-list-type": "map",
"x-kubernetes-patch-merge-key": "name",
"x-kubernetes-patch-strategy": "merge"
}
},
"type": "object"
}
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"items": {
"items": {
"$ref": "#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"
},
"type": "array"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,25 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
},
"spec": {
"additionalProperties": true,
"type": "object"
},
"status": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,25 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
},
"spec": {
"additionalProperties": true,
"type": "object"
},
"status": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,21 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
},
"spec": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,21 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
},
"spec": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"items": {
"items": {
"$ref": "#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"
},
"type": "array"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"items": {
"items": {
"$ref": "#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"
},
"type": "array"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"items": {
"items": {
"$ref": "#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"
},
"type": "array"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"items": {
"items": {
"$ref": "#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"
},
"type": "array"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,29 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
},
"webhooks": {
"items": {
"$ref": "#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhook"
},
"type": "array",
"x-kubernetes-list-map-keys": [
"name"
],
"x-kubernetes-list-type": "map",
"x-kubernetes-patch-merge-key": "name",
"x-kubernetes-patch-strategy": "merge"
}
},
"type": "object"
}
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"items": {
"items": {
"$ref": "#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"
},
"type": "array"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,14 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"object": {
"additionalProperties": true,
"type": "object"
},
"type": {
"type": "string"
}
},
"type": "object"
}
@@ -1,14 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"object": {
"additionalProperties": true,
"type": "object"
},
"type": {
"type": "string"
}
},
"type": "object"
}
@@ -1,14 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"object": {
"additionalProperties": true,
"type": "object"
},
"type": {
"type": "string"
}
},
"type": "object"
}
@@ -1,25 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
},
"spec": {
"additionalProperties": true,
"type": "object"
},
"status": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"items": {
"items": {
"$ref": "#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"
},
"type": "array"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,37 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"dryRun": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"gracePeriodSeconds": {
"format": "int64",
"type": "integer"
},
"ignoreStoreReadErrorWithClusterBreakingPotential": {
"type": "boolean"
},
"kind": {
"type": "string"
},
"orphanDependents": {
"type": "boolean"
},
"preconditions": {
"additionalProperties": true,
"type": "object"
},
"propagationPolicy": {
"type": "string"
}
},
"type": "object"
}
@@ -1,37 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"dryRun": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"gracePeriodSeconds": {
"format": "int64",
"type": "integer"
},
"ignoreStoreReadErrorWithClusterBreakingPotential": {
"type": "boolean"
},
"kind": {
"type": "string"
},
"orphanDependents": {
"type": "boolean"
},
"preconditions": {
"additionalProperties": true,
"type": "object"
},
"propagationPolicy": {
"type": "string"
}
},
"type": "object"
}
@@ -1,14 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"object": {
"additionalProperties": true,
"type": "object"
},
"type": {
"type": "string"
}
},
"type": "object"
}
@@ -1,14 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"object": {
"additionalProperties": true,
"type": "object"
},
"type": {
"type": "string"
}
},
"type": "object"
}
@@ -1,34 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"name": {
"type": "string"
},
"preferredVersion": {
"additionalProperties": true,
"type": "object"
},
"serverAddressByClientCIDRs": {
"items": {
"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"versions": {
"items": {
"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"type": "object"
}
@@ -1,20 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"groups": {
"items": {
"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"kind": {
"type": "string"
}
},
"type": "object"
}
@@ -1,25 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
},
"spec": {
"additionalProperties": true,
"type": "object"
},
"status": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"items": {
"items": {
"$ref": "#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"
},
"type": "array"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,37 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"dryRun": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"gracePeriodSeconds": {
"format": "int64",
"type": "integer"
},
"ignoreStoreReadErrorWithClusterBreakingPotential": {
"type": "boolean"
},
"kind": {
"type": "string"
},
"orphanDependents": {
"type": "boolean"
},
"preconditions": {
"additionalProperties": true,
"type": "object"
},
"propagationPolicy": {
"type": "string"
}
},
"type": "object"
}
@@ -1,37 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"dryRun": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"gracePeriodSeconds": {
"format": "int64",
"type": "integer"
},
"ignoreStoreReadErrorWithClusterBreakingPotential": {
"type": "boolean"
},
"kind": {
"type": "string"
},
"orphanDependents": {
"type": "boolean"
},
"preconditions": {
"additionalProperties": true,
"type": "object"
},
"propagationPolicy": {
"type": "string"
}
},
"type": "object"
}
@@ -1,14 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"object": {
"additionalProperties": true,
"type": "object"
},
"type": {
"type": "string"
}
},
"type": "object"
}
@@ -1,14 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"object": {
"additionalProperties": true,
"type": "object"
},
"type": {
"type": "string"
}
},
"type": "object"
}
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"groupVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"resources": {
"items": {
"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResource"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"type": "object"
}
@@ -1,27 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"serverAddressByClientCIDRs": {
"items": {
"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"versions": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"type": "object"
}
@@ -1,25 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"data": {
"additionalProperties": true,
"type": "object"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
},
"revision": {
"format": "int64",
"type": "integer"
}
},
"type": "object"
}
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"items": {
"items": {
"$ref": "#/definitions/io.k8s.api.apps.v1.ControllerRevision"
},
"type": "array"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,25 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
},
"spec": {
"additionalProperties": true,
"type": "object"
},
"status": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,23 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"items": {
"items": {
"$ref": "#/definitions/io.k8s.api.apps.v1.DaemonSet"
},
"type": "array"
},
"kind": {
"type": "string"
},
"metadata": {
"additionalProperties": true,
"type": "object"
}
},
"type": "object"
}
@@ -1,37 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"dryRun": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"gracePeriodSeconds": {
"format": "int64",
"type": "integer"
},
"ignoreStoreReadErrorWithClusterBreakingPotential": {
"type": "boolean"
},
"kind": {
"type": "string"
},
"orphanDependents": {
"type": "boolean"
},
"preconditions": {
"additionalProperties": true,
"type": "object"
},
"propagationPolicy": {
"type": "string"
}
},
"type": "object"
}
@@ -1,37 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": true,
"properties": {
"apiVersion": {
"type": "string"
},
"dryRun": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"gracePeriodSeconds": {
"format": "int64",
"type": "integer"
},
"ignoreStoreReadErrorWithClusterBreakingPotential": {
"type": "boolean"
},
"kind": {
"type": "string"
},
"orphanDependents": {
"type": "boolean"
},
"preconditions": {
"additionalProperties": true,
"type": "object"
},
"propagationPolicy": {
"type": "string"
}
},
"type": "object"
}

Some files were not shown because too many files have changed in this diff.