1 Commits

Author SHA1 Message Date
unkinben 2e8bbc5ec6 feat: artifactapi route change
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
complete cutover to artifactapi 3
2026-06-26 22:46:05 +10:00
367 changed files with 322 additions and 160069 deletions
-2
@@ -7,7 +7,6 @@ repos:
- id: check-json - id: check-json
- id: check-added-large-files - id: check-added-large-files
args: ['--maxkb=500'] args: ['--maxkb=500']
exclude: '^schemas/'
- id: check-merge-conflict - id: check-merge-conflict
- id: check-shebang-scripts-are-executable - id: check-shebang-scripts-are-executable
- id: check-symlinks - id: check-symlinks
@@ -20,7 +19,6 @@ repos:
- id: end-of-file-fixer - id: end-of-file-fixer
- id: forbid-new-submodules - id: forbid-new-submodules
- id: pretty-format-json - id: pretty-format-json
args: ['--autofix']
- id: trailing-whitespace - id: trailing-whitespace
# YAML linting # YAML linting
+1 -5
@@ -1,4 +1,4 @@
.PHONY: build clean schemas .PHONY: build clean
# Build a kustomization path to manifests directory # Build a kustomization path to manifests directory
# Usage: make build clusters/au-syd1/bootstrap # Usage: make build clusters/au-syd1/bootstrap
@@ -6,10 +6,6 @@ build:
@mkdir -p manifests/$(filter-out $@,$(MAKECMDGOALS)) @mkdir -p manifests/$(filter-out $@,$(MAKECMDGOALS))
@kustomize build --enable-helm $(filter-out $@,$(MAKECMDGOALS)) --output manifests/$(filter-out $@,$(MAKECMDGOALS)) @kustomize build --enable-helm $(filter-out $@,$(MAKECMDGOALS)) --output manifests/$(filter-out $@,$(MAKECMDGOALS))
# Generate JSON schemas from CRDs and Kubernetes swagger spec (run manually, results committed)
schemas:
@ci/generate-schemas.sh schemas
# kubeconform # kubeconform
kubeconform: kubeconform:
@ci/validate-apps.sh && \ @ci/validate-apps.sh && \
-45
@@ -1,45 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: age-api
namespace: age-api
spec:
replicas: 1
selector:
matchLabels:
app: age-api
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app: age-api
spec:
containers:
- name: age-api
image: git.unkin.net/unkin/age-api:v0.1.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
name: http
protocol: TCP
env:
- name: CONFIG_PATH
value: /etc/age-api/config.yaml
resources:
limits:
cpu: 100m
memory: 64Mi
requests:
cpu: 10m
memory: 32Mi
volumeMounts:
- mountPath: /etc/age-api/config.yaml
name: config
subPath: config.yaml
restartPolicy: Always
volumes:
- name: config
configMap:
name: age-api-config
-37
@@ -1,37 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: age-api.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: age-api.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
name: age-api
namespace: age-api
spec:
gatewayClassName: traefik-internal
listeners:
- allowedRoutes:
namespaces:
from: Same
hostname: age-api.k8s.syd1.au.unkin.net
name: http
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: Same
hostname: age-api.k8s.syd1.au.unkin.net
name: https
port: 443
protocol: HTTPS
tls:
certificateRefs:
- group: ""
kind: Secret
name: age-api-tls
mode: Terminate
-49
@@ -1,49 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: age-api-http-redirect
namespace: age-api
spec:
hostnames:
- age-api.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: age-api
sectionName: http
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: age-api
namespace: age-api
spec:
hostnames:
- age-api.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: age-api
sectionName: https
rules:
- backendRefs:
- group: ""
kind: Service
name: age-api
port: 80
weight: 1
matches:
- path:
type: PathPrefix
value: /
-17
@@ -1,17 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yaml
- gateway.yaml
- httproute.yaml
- namespace.yaml
- service.yaml
configMapGenerator:
- name: age-api-config
files:
- config.yaml=resources/config.yaml
options:
disableNameSuffixHash: true
-5
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: age-api
-7
@@ -1,7 +0,0 @@
people:
- name: jaidi
birthtime: 1773135720
- name: ben
birthtime: 559663200
- name: sudaporn
birthtime: 686757600
-17
@@ -1,17 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: age-api
namespace: age-api
spec:
internalTrafficPolicy: Cluster
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
selector:
app: age-api
sessionAffinity: None
type: ClusterIP
+2 -2
@@ -35,7 +35,7 @@ spec:
mountPath: /combined-certs mountPath: /combined-certs
containers: containers:
- name: api - name: api
image: git.unkin.net/unkin/artifactapi:v3.7.6 image: git.unkin.net/unkin/artifactapi:v3.5.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- containerPort: 8000 - containerPort: 8000
@@ -46,7 +46,7 @@ spec:
name: api-env name: api-env
optional: false optional: false
- secretRef: - secretRef:
name: environment name: environment2
optional: false optional: false
volumeMounts: volumeMounts:
- name: combined-certs - name: combined-certs
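Review bot: Both changed `image:` lines reference a mutable tag while `imagePullPolicy: IfNotPresent` stays in place, so a node that has the tag cached never re-checks what the registry now serves under it and nothing ties the running container to a reviewed build; pinning by digest, e.g. `image: git.unkin.net/unkin/artifactapi:<tag>@sha256:<digest>` (placeholders), would close that gap, and the same applies to the `artifactapi-ui` image in the ui Deployment section. As rendered, the tag moves from `v3.7.6` to `v3.5.0`, which reads as a downgrade under a title that says cutover; if the columns are shown base-to-head, confirm the older release is intended, since any fixes shipped between the two versions would be dropped. The second hunk points `secretRef` at `environment2` with `optional: false`, and no visible part of the diff creates a Secret of that name, so the container will not start until it exists.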
+10 -10
@@ -37,22 +37,22 @@ spec:
name: artifactapi name: artifactapi
sectionName: https sectionName: https
rules: rules:
- backendRefs:
- group: ""
kind: Service
name: ui
port: 80
weight: 1
matches:
- path:
type: PathPrefix
value: /ui
- backendRefs: - backendRefs:
- group: "" - group: ""
kind: Service kind: Service
name: artifactapi name: artifactapi
port: 80 port: 80
weight: 1 weight: 1
matches:
- path:
type: PathPrefix
value: /api
- backendRefs:
- group: ""
kind: Service
name: ui
port: 80
weight: 1
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix
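Review bot: After this change the rule that ends the hunk (its `value:` line lies outside the hunk) appears to send every path that is not under `/api` to the `ui` Service, so confirm that the API serves nothing outside that prefix; health, metrics or documentation endpoints would otherwise be unreachable through the gateway or be answered by the UI container instead. No `URLRewrite` filter accompanies the `PathPrefix` `/api` match, so the backend receives the path with the prefix intact and must expect it. A short comment above the rules, such as `# /api -> artifactapi, everything else -> ui`, would make the intended split explicit. Which block is old and which is new is inferred from the column print order, so read this against the actual head of the branch.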
+3 -3
@@ -22,7 +22,7 @@ spec:
automountServiceAccountToken: true automountServiceAccountToken: true
containers: containers:
- name: ui - name: ui
image: git.unkin.net/unkin/artifactapi-ui:v3.7.6 image: git.unkin.net/unkin/artifactapi-ui:v3.5.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- containerPort: 80 - containerPort: 80
@@ -31,7 +31,7 @@ spec:
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
httpGet: httpGet:
path: /ui path: /
port: http port: http
scheme: HTTP scheme: HTTP
initialDelaySeconds: 15 initialDelaySeconds: 15
@@ -41,7 +41,7 @@ spec:
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
httpGet: httpGet:
path: /ui path: /
port: http port: http
scheme: HTTP scheme: HTTP
initialDelaySeconds: 5 initialDelaySeconds: 5
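Review bot: The context at the top of the first hunk shows `automountServiceAccountToken: true` on the pod that runs the `ui` container; if the UI only serves HTTP on port 80 and never calls the Kubernetes API, `automountServiceAccountToken: false` removes a credential that a compromise of the web container would otherwise expose. Both probes change their `path:` together with the image tag, and the probed path has to be one the image at the new tag actually serves, otherwise the pod never becomes ready behind the route. The pod spec starts above the hunk, so a service account or security context set there is not visible from here.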
-91
@@ -1,91 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: postgres
namespace: authentik
spec:
affinity:
podAntiAffinityType: preferred
bootstrap:
initdb:
database: authentik
encoding: UTF8
localeCType: C
localeCollate: C
owner: authentik
secret:
name: postgres-credentials
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
instances: 3
logLevel: info
maxSyncReplicas: 0
minSyncReplicas: 0
monitoring:
customQueriesConfigMap:
- key: queries
name: cnpg-default-monitoring
disableDefaultQueries: false
enablePodMonitor: false
postgresql:
parameters:
archive_mode: "on"
archive_timeout: 5min
dynamic_shared_memory_type: posix
effective_cache_size: 256MB
full_page_writes: "on"
log_destination: csvlog
log_directory: /controller/log
log_filename: postgres
log_rotation_age: "0"
log_rotation_size: "0"
log_truncate_on_rotation: "false"
logging_collector: "on"
max_connections: "200"
max_parallel_workers: "16"
max_replication_slots: "16"
max_worker_processes: "16"
shared_buffers: 128MB
shared_memory_type: mmap
ssl_max_protocol_version: TLSv1.3
ssl_min_protocol_version: TLSv1.3
wal_keep_size: 256MB
wal_level: logical
wal_log_hints: "on"
wal_receiver_timeout: 5s
wal_sender_timeout: 5s
syncReplicaElectionConstraint:
enabled: false
primaryUpdateMethod: restart
primaryUpdateStrategy: unsupervised
probes:
liveness:
isolationCheck:
connectionTimeout: 1000
enabled: true
requestTimeout: 1000
replicationSlots:
highAvailability:
enabled: true
slotPrefix: _cnpg_
synchronizeReplicas:
enabled: true
updateInterval: 30
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
smartShutdownTimeout: 180
startDelay: 3600
stopDelay: 1800
storage:
resizeInUseVolumes: true
size: 20Gi
storageClass: cephrbd-fast-delete
switchoverDelay: 3600
-66
@@ -1,66 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: postgres-pooler-rw
namespace: authentik
spec:
cluster:
name: postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler-rw
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler-rw
topologyKey: kubernetes.io/hostname
containers: []
type: rw
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: postgres-pooler-ro
namespace: authentik
spec:
cluster:
name: postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler-ro
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler-ro
topologyKey: kubernetes.io/hostname
containers: []
type: ro
-57
@@ -1,57 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: identity.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: identity.unkin.net,identity.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
name: authentik
namespace: authentik
spec:
gatewayClassName: traefik-internal
listeners:
- allowedRoutes:
namespaces:
from: Same
hostname: identity.unkin.net
name: http
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: Same
hostname: identity.unkin.net
name: https
port: 443
protocol: HTTPS
tls:
certificateRefs:
- group: ""
kind: Secret
name: authentik-tls
mode: Terminate
- allowedRoutes:
namespaces:
from: Same
hostname: identity.k8s.syd1.au.unkin.net
name: http-internal
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: Same
hostname: identity.k8s.syd1.au.unkin.net
name: https-internal
port: 443
protocol: HTTPS
tls:
certificateRefs:
- group: ""
kind: Secret
name: authentik-tls
mode: Terminate
-59
@@ -1,59 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: authentik-http-redirect
namespace: authentik
spec:
hostnames:
- identity.unkin.net
- identity.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik
sectionName: http
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik
sectionName: http-internal
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: authentik
namespace: authentik
spec:
hostnames:
- identity.unkin.net
- identity.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik
sectionName: https
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik
sectionName: https-internal
rules:
- backendRefs:
- group: ""
kind: Service
name: authentik-server
port: 80
weight: 1
matches:
- path:
type: PathPrefix
value: /
-19
@@ -1,19 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- gateway.yaml
- httproute.yaml
- ldap-gateway.yaml
- ldap-httproute.yaml
- ldap-service.yaml
- ldap-tlsroute.yaml
- namespace.yaml
- redis-deployment.yaml
- redis-pvc.yaml
- redis-service.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
-47
@@ -1,47 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: ldap.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
name: authentik-ldap
namespace: authentik
spec:
gatewayClassName: traefik-internal
listeners:
- allowedRoutes:
namespaces:
from: Same
hostname: ldap.k8s.syd1.au.unkin.net
name: ldaps-internal
port: 636
protocol: TLS
tls:
mode: Passthrough
- allowedRoutes:
namespaces:
from: Same
hostname: ldap.main.unkin.net
name: ldaps-main
port: 636
protocol: TLS
tls:
mode: Passthrough
- allowedRoutes:
namespaces:
from: Same
hostname: ldap.k8s.syd1.au.unkin.net
name: http-dns
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: Same
hostname: ldap.main.unkin.net
name: http-dns-main
port: 80
protocol: HTTP
-32
@@ -1,32 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: authentik-ldap-dns
namespace: authentik
annotations:
external-dns.alpha.kubernetes.io/hostname: ldap.k8s.syd1.au.unkin.net,ldap.main.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
spec:
hostnames:
- ldap.k8s.syd1.au.unkin.net
- ldap.main.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik-ldap
sectionName: http-dns
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik-ldap
sectionName: http-dns-main
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
-18
@@ -1,18 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: authentik-ldap
namespace: authentik
spec:
internalTrafficPolicy: Cluster
ports:
- name: ldaps
port: 6636
protocol: TCP
targetPort: 6636
selector:
app.kubernetes.io/name: authentik
app.kubernetes.io/component: ldap
sessionAffinity: None
type: ClusterIP
-26
@@ -1,26 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: TLSRoute
metadata:
name: authentik-ldaps
namespace: authentik
spec:
hostnames:
- ldap.k8s.syd1.au.unkin.net
- ldap.main.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik-ldap
sectionName: ldaps-internal
- group: gateway.networking.k8s.io
kind: Gateway
name: authentik-ldap
sectionName: ldaps-main
rules:
- backendRefs:
- group: ""
kind: Service
name: authentik-ldap
port: 6636
weight: 1
-5
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: authentik
-58
@@ -1,58 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
namespace: authentik
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: redis:7-alpine
imagePullPolicy: IfNotPresent
args:
- --save
- "20"
- "1"
ports:
- containerPort: 6379
name: redis
protocol: TCP
livenessProbe:
exec:
command:
- redis-cli
- ping
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
exec:
command:
- redis-cli
- ping
initialDelaySeconds: 5
periodSeconds: 10
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
volumeMounts:
- mountPath: /data
name: redis-data
volumes:
- name: redis-data
persistentVolumeClaim:
claimName: redis-data
-13
@@ -1,13 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: redis-data
namespace: authentik
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: cephrbd-fast-delete
-17
@@ -1,17 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: redis
namespace: authentik
spec:
internalTrafficPolicy: Cluster
ports:
- name: redis
port: 6379
protocol: TCP
targetPort: redis
selector:
app: redis
sessionAffinity: None
type: ClusterIP
-18
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: authentik
spec:
allowedNamespaces:
- authentik
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
@@ -1,51 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-credentials
namespace: authentik
spec:
destination:
create: true
name: postgres-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/authentik/default/postgres-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: authentik-credentials
namespace: authentik
spec:
destination:
create: true
name: authentik-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/authentik/default/authentik-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: s3-credentials
namespace: authentik
spec:
destination:
create: true
name: s3-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/authentik/default/s3-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
@@ -1,26 +0,0 @@
---
# Internal client networks allowed to query the authoritative servers,
# mirrored from the puppet authoritative /etc/named/acls.conf
# (acl-main.unkin.net). Named auth-acl-main because the resolver has its own,
# differently-scoped acl-main.unkin.net in the same namespace.
apiVersion: bind.unkin.net/v1alpha1
kind: BindACL
metadata:
name: auth-acl-main
namespace: bind-internal
spec:
clusterRef: bind-authoritative
entries:
- 198.18.13.0/24
- 198.18.14.0/24
- 198.18.15.0/24
- 198.18.16.0/24
- 198.18.17.0/24
- 198.18.19.0/24
- 198.18.20.0/24
- 198.18.24.0/24
- 198.18.25.0/24
- 198.18.26.0/24
- 198.18.27.0/24
- 198.18.28.0/24
- 198.18.29.0/24
@@ -1,49 +0,0 @@
---
# Authoritative masters (replaces the 3x Puppet authoritative servers).
# pod-0 is the primary; pods 1-2 replicate via the catalog zone + AXFR/IXFR.
apiVersion: bind.unkin.net/v1alpha1
kind: BindCluster
metadata:
name: bind-authoritative
namespace: bind-internal
spec:
mode: authoritative
replicas: 3
storageClassName: cephrbd-fast-delete
storageSize: 2Gi
# Restrict queries to internal networks (puppet acl-main.unkin.net).
# 10.42.0.0/16 (pod net) is required so secondaries can SOA-refresh
# from the primary during catalog replication.
extraOptions:
- "allow-query { auth-acl-main; 10.42.0.0/16; }"
service:
type: LoadBalancer
externalTrafficPolicy: Local
annotations:
purelb.io/service-group: common
purelb.io/addresses: 198.18.200.6
external-dns.alpha.kubernetes.io/hostname: bind-authoritative.k8s.syd1.au.unkin.net
primaryService:
type: LoadBalancer
annotations:
purelb.io/service-group: common
purelb.io/addresses: 198.18.200.9
external-dns.alpha.kubernetes.io/hostname: bind-authoritative-primary.k8s.syd1.au.unkin.net
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: "1"
memory: 512Mi
---
# Catalog zone so new BindZones auto-provision onto the secondaries.
apiVersion: bind.unkin.net/v1alpha1
kind: BindCatalogZone
metadata:
name: bind-authoritative-catalog
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: catalog.internal
transferKeyRef: transfer-key
@@ -1,9 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cluster.yaml
- tsigkey.yaml
- zones.yaml
- acls.yaml
@@ -1,11 +0,0 @@
---
# Zone-transfer / catalog key. The operator generates the material into a
# Secret (transfer-key-tsig); nothing sensitive is committed to git.
apiVersion: bind.unkin.net/v1alpha1
kind: BindTSIGKey
metadata:
name: transfer-key
namespace: bind-internal
spec:
clusterRef: bind-authoritative
algorithm: hmac-sha256
@@ -1,204 +0,0 @@
# Authoritative zones migrated from puppet-prod
# (profiles::dns::master::zones in hieradata/roles/infra/dns/master.yaml).
# type primary, static (puppet dynamic:false); TTL 600 as in the puppet zone header.
# Record data is populated by PuppetDB exported resources upstream, so it is
# NOT in this repo — migrate it into these zones (AXFR from the current masters,
# or DNSRecord CRs) as a follow-up. The zones start with SOA+NS only.
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: unkin-net
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: unkin.net
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: main-unkin-net
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: main.unkin.net
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 13-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 13.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 14-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 14.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 15-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 15.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 16-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 16.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 17-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 17.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 19-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 19.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 20-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 20.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 21-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 21.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 22-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 22.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 23-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 23.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 24-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 24.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 25-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 25.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 26-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 26.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 27-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 27.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 28-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 28.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 29-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-authoritative
zoneName: 29.18.198.in-addr.arpa
type: primary
defaultTTL: 600
@@ -1,42 +0,0 @@
---
# external-dns tier (replaces the 3x Puppet external-dns servers). An ordinary
# authoritative cluster; external-dns writes to its zones via RFC2136 because
# those BindZones set dynamicUpdate (allow-update { key externaldns-key; }).
apiVersion: bind.unkin.net/v1alpha1
kind: BindCluster
metadata:
name: bind-externaldns
namespace: bind-internal
spec:
mode: authoritative
replicas: 3
storageClassName: cephrbd-fast-delete
storageSize: 1Gi
service:
type: LoadBalancer
externalTrafficPolicy: Local
annotations:
purelb.io/service-group: common
purelb.io/addresses: 198.18.200.8
external-dns.alpha.kubernetes.io/hostname: bind-externaldns.k8s.syd1.au.unkin.net
primaryService:
type: ClusterIP
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: "1"
memory: 512Mi
---
# Catalog zone so the dynamic zones replicate onto the cluster's secondaries
# (external-dns writes to the primary; secondaries IXFR the result).
apiVersion: bind.unkin.net/v1alpha1
kind: BindCatalogZone
metadata:
name: bind-externaldns-catalog
namespace: bind-internal
spec:
clusterRef: bind-externaldns
zoneName: catalog.externaldns.internal
transferKeyRef: externaldns-key
@@ -1,8 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cluster.yaml
- tsigkey.yaml
- zones.yaml
@@ -1,11 +0,0 @@
---
# Key that external-dns (and DNSRecord objects) use to send RFC2136 dynamic
# updates to the primary. The operator generates the material into a Secret.
apiVersion: bind.unkin.net/v1alpha1
kind: BindTSIGKey
metadata:
name: externaldns-key
namespace: bind-internal
spec:
clusterRef: bind-externaldns
algorithm: hmac-sha256
@@ -1,34 +0,0 @@
# k8s external-dns zones migrated from puppet-prod
# (externaldns::k8s_zones in hieradata/roles/infra/dns/externaldns.yaml).
# Primary + dynamicUpdate: the Kubernetes external-dns controller writes
# records here via RFC2136 authenticated with externaldns-key.
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: k8s-syd1-au-unkin-net
namespace: bind-internal
spec:
clusterRef: bind-externaldns
zoneName: k8s.syd1.au.unkin.net
type: primary
defaultTTL: 600
dynamicUpdate: true
updateKeyRef: externaldns-key
allowTransfer:
- key externaldns-key
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 200-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-externaldns
zoneName: 200.18.198.in-addr.arpa
type: primary
defaultTTL: 600
dynamicUpdate: true
updateKeyRef: externaldns-key
allowTransfer:
- key externaldns-key
@@ -1,9 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- authoritative
- resolvers
- externaldns
-5
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: bind-internal
@@ -1,65 +0,0 @@
# Internal client ACLs, mirrored from puppet /etc/named/acls.conf.
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindACL
metadata:
name: acl-main.unkin.net
namespace: bind-internal
spec:
clusterRef: bind-resolvers
entries:
- 198.18.1.10/32
- 198.18.2.160/27
- 198.18.21.160/27
- 198.18.2.192/27
- 198.18.21.192/27
- 198.18.13.0/24
- 198.18.14.0/24
- 198.18.15.0/24
- 198.18.16.0/24
- 198.18.17.0/24
- 198.18.18.0/24
- 198.18.19.0/24
- 198.18.20.0/24
- 198.18.21.0/24
- 198.18.22.0/24
- 198.18.23.0/24
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindACL
metadata:
name: acl-dmz
namespace: bind-internal
spec:
clusterRef: bind-resolvers
entries:
- 198.18.24.0/24
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindACL
metadata:
name: acl-common
namespace: bind-internal
spec:
clusterRef: bind-resolvers
entries:
- 198.18.25.0/24
- 198.18.26.0/24
- 198.18.27.0/24
- 198.18.28.0/24
- 198.18.29.0/24
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindACL
metadata:
name: acl-nomad-jobs
namespace: bind-internal
spec:
clusterRef: bind-resolvers
entries:
- 198.18.64.0/24
- 198.18.65.0/24
- 198.18.66.0/24
- 198.18.67.0/24
- 198.18.68.0/24
- 198.18.69.0/24
@@ -1,30 +0,0 @@
---
# Recursive resolvers (replaces the 3x Puppet only-resolver servers).
# Three identical recursive servers; no zone replication.
apiVersion: bind.unkin.net/v1alpha1
kind: BindCluster
metadata:
name: bind-resolvers
namespace: bind-internal
spec:
mode: resolver
replicas: 3
storageClassName: cephrbd-fast-delete
storageSize: 1Gi
service:
type: LoadBalancer
externalTrafficPolicy: Local
annotations:
purelb.io/service-group: common
purelb.io/addresses: 198.18.200.7
external-dns.alpha.kubernetes.io/hostname: bind-resolvers.k8s.syd1.au.unkin.net
forwarders:
- 8.8.8.8
- 1.1.1.1
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: "1"
memory: 512Mi
@@ -1,284 +0,0 @@
# Conditional forward zones, from the puppet openforwarder view.
# Upstreams: unkin authoritative 198.18.200.6, consul 198.18.19.14, k8s 198.18.200.8.
# k8s -> in-cluster bind-externaldns 198.18.200.8.
# (Zones that forwarded to 10.10.16.x were dropped; consul left as-is.)
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-unkin-net
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: unkin.net
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-main-unkin-net
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: main.unkin.net
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-consul
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: consul
type: forward
catalog: false
forwarders:
- 198.18.19.14
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-k8s-syd1-au-unkin-net
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: k8s.syd1.au.unkin.net
type: forward
catalog: false
forwarders:
- 198.18.200.8
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-13-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 13.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-14-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 14.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-15-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 15.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-16-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 16.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-17-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 17.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-19-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 19.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-20-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 20.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-21-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 21.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-22-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 22.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-23-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 23.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-24-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 24.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-25-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 25.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-26-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 26.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-27-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 27.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-28-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 28.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: fwd-29-18-198-in-addr-arpa
namespace: bind-internal
spec:
clusterRef: bind-resolvers
viewRef: openforwarder
zoneName: 29.18.198.in-addr.arpa
type: forward
catalog: false
forwarders:
- 198.18.200.6
@@ -1,9 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cluster.yaml
- acls.yaml
- view.yaml
- forward-zones.yaml
@@ -1,23 +0,0 @@
---
# openforwarder view, mirrored from puppet /etc/named/views.conf.
# match-clients gates access to internal networks; recursion/query are 'any'
# within the view since match-clients already restricts who reaches it.
apiVersion: bind.unkin.net/v1alpha1
kind: BindView
metadata:
name: openforwarder
namespace: bind-internal
spec:
clusterRef: bind-resolvers
order: 100
matchClients:
- acl-main.unkin.net
- acl-nomad-jobs
- acl-common
- acl-dmz
recursion: true
allowQuery:
- any
extraOptions:
- "allow-recursion { any; }"
- "allow-query-cache { any; }"
-57
@@ -1,57 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: bind-operator
namespace: bind-system
labels:
app.kubernetes.io/name: bind-operator
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: bind-operator
template:
metadata:
labels:
app.kubernetes.io/name: bind-operator
spec:
serviceAccountName: bind-operator
securityContext:
runAsNonRoot: true
containers:
- name: operator
image: git.unkin.net/unkin/bind-operator:v0.1.5
args:
- --metrics-bind-address=:8080
- --health-probe-bind-address=:8081
- --leader-elect
ports:
- containerPort: 8080
name: metrics
- containerPort: 8081
name: health
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 500m
memory: 256Mi
-11
@@ -1,11 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
# CRDs are pulled from the bind-operator repo at the matching tag rather than
# vendored here, so they never drift from the operator.
- https://git.unkin.net/unkin/bind-operator/raw/tag/v0.1.5/config/crd/install.yaml
- rbac.yaml
- deployment.yaml
-5
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: bind-system
-46
@@ -1,46 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bind-operator
namespace: bind-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: bind-operator
rules:
- apiGroups: ["bind.unkin.net"]
resources: ["*"]
verbs: ["*"]
- apiGroups: [""]
resources: ["services", "configmaps", "secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create", "get"]
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: bind-operator
subjects:
- kind: ServiceAccount
name: bind-operator
namespace: bind-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: bind-operator
-91
@@ -1,91 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: postgres
namespace: encapi
spec:
affinity:
podAntiAffinityType: preferred
bootstrap:
initdb:
database: encapi
encoding: UTF8
localeCType: C
localeCollate: C
owner: encapi
secret:
name: postgres-credentials
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
instances: 3
logLevel: info
maxSyncReplicas: 0
minSyncReplicas: 0
monitoring:
customQueriesConfigMap:
- key: queries
name: cnpg-default-monitoring
disableDefaultQueries: false
enablePodMonitor: false
postgresql:
parameters:
archive_mode: "on"
archive_timeout: 5min
dynamic_shared_memory_type: posix
effective_cache_size: 256MB
full_page_writes: "on"
log_destination: csvlog
log_directory: /controller/log
log_filename: postgres
log_rotation_age: "0"
log_rotation_size: "0"
log_truncate_on_rotation: "false"
logging_collector: "on"
max_connections: "200"
max_parallel_workers: "16"
max_replication_slots: "16"
max_worker_processes: "16"
shared_buffers: 128MB
shared_memory_type: mmap
ssl_max_protocol_version: TLSv1.3
ssl_min_protocol_version: TLSv1.3
wal_keep_size: 256MB
wal_level: logical
wal_log_hints: "on"
wal_receiver_timeout: 5s
wal_sender_timeout: 5s
syncReplicaElectionConstraint:
enabled: false
primaryUpdateMethod: restart
primaryUpdateStrategy: unsupervised
probes:
liveness:
isolationCheck:
connectionTimeout: 1000
enabled: true
requestTimeout: 1000
replicationSlots:
highAvailability:
enabled: true
slotPrefix: _cnpg_
synchronizeReplicas:
enabled: true
updateInterval: 30
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
smartShutdownTimeout: 180
startDelay: 3600
stopDelay: 1800
storage:
resizeInUseVolumes: true
size: 10Gi
storageClass: cephrbd-fast-delete
switchoverDelay: 3600
-33
@@ -1,33 +0,0 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: postgres-pooler
namespace: encapi
spec:
cluster:
name: postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler
topologyKey: kubernetes.io/hostname
containers: []
type: rw
-13
@@ -1,13 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: encapi-env
namespace: encapi
data:
LISTEN_ADDR: ":8000"
DBHOST: postgres-pooler
DBNAME: encapi
DBPORT: "5432"
DBUSER: encapi
DBSSL: require
-64
@@ -1,64 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: encapi
namespace: encapi
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 2
selector:
matchLabels:
app: encapi
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
app: encapi
spec:
automountServiceAccountToken: true
containers:
- name: encapi
image: git.unkin.net/unkin/encapi:v0.1.1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8000
name: http
protocol: TCP
envFrom:
# DBHOST/DBNAME/DBPORT/DBUSER/DBSSL/LISTEN_ADDR
- configMapRef:
name: encapi-env
optional: false
# DBPASS + ENCAPI_WRITE_TOKEN (seeded in Vault, see cutover notes)
- secretRef:
name: environment
optional: false
livenessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 15
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 5
failureThreshold: 3
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 500m
memory: 256Mi
restartPolicy: Always
-37
@@ -1,37 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: encapi.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: encapi.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
name: encapi
namespace: encapi
spec:
gatewayClassName: traefik-internal
listeners:
- allowedRoutes:
namespaces:
from: Same
hostname: encapi.k8s.syd1.au.unkin.net
name: http
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: Same
hostname: encapi.k8s.syd1.au.unkin.net
name: https
port: 443
protocol: HTTPS
tls:
certificateRefs:
- group: ""
kind: Secret
name: encapi-tls
mode: Terminate
-49
@@ -1,49 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: encapi-http-redirect
namespace: encapi
spec:
hostnames:
- encapi.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: encapi
sectionName: http
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: encapi
namespace: encapi
spec:
hostnames:
- encapi.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: encapi
sectionName: https
rules:
- backendRefs:
- group: ""
kind: Service
name: encapi
port: 80
weight: 1
matches:
- path:
type: PathPrefix
value: /
-15
@@ -1,15 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- configmap.yaml
- deployment.yaml
- service.yaml
- gateway.yaml
- httproute.yaml
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
-5
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: encapi
-17
@@ -1,17 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: encapi
namespace: encapi
spec:
internalTrafficPolicy: Cluster
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
selector:
app: encapi
sessionAffinity: None
type: ClusterIP
-18
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: encapi
spec:
allowedNamespaces:
- encapi
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
-34
@@ -1,34 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-credentials
namespace: encapi
spec:
destination:
create: true
name: postgres-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/encapi/default/postgres-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: environment
namespace: encapi
spec:
destination:
create: true
name: environment
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/encapi/default/environment
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
-7
@@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: grafana-system
name: grafana-system
-117
@@ -1,117 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: vmselect
namespace: observability
labels:
app.kubernetes.io/name: vmselect
app.kubernetes.io/instance: victoria-metrics
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vmselect.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vmselect.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
spec:
gatewayClassName: traefik-internal
listeners:
- name: http
port: 80
protocol: HTTP
hostname: vmselect.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
- name: https
port: 443
protocol: HTTPS
hostname: vmselect.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- group: ""
kind: Secret
name: vmselect-tls
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: vminsert
namespace: observability
labels:
app.kubernetes.io/name: vminsert
app.kubernetes.io/instance: victoria-metrics
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vminsert.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vminsert.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
spec:
gatewayClassName: traefik-internal
listeners:
- name: http
port: 80
protocol: HTTP
hostname: vminsert.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
- name: https
port: 443
protocol: HTTPS
hostname: vminsert.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- group: ""
kind: Secret
name: vminsert-tls
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: vmagent
namespace: observability
labels:
app.kubernetes.io/name: vmagent
app.kubernetes.io/instance: victoria-metrics
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vmagent.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vmagent.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
spec:
gatewayClassName: traefik-internal
listeners:
- name: http
port: 80
protocol: HTTP
hostname: vmagent.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
- name: https
port: 443
protocol: HTTPS
hostname: vmagent.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- group: ""
kind: Secret
name: vmagent-tls
-165
@@ -1,165 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vmselect-http-redirect
namespace: observability
labels:
app.kubernetes.io/name: vmselect
app.kubernetes.io/instance: victoria-metrics
spec:
hostnames:
- vmselect.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: vmselect
sectionName: http
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vmselect
namespace: observability
labels:
app.kubernetes.io/name: vmselect
app.kubernetes.io/instance: victoria-metrics
spec:
hostnames:
- vmselect.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: vmselect
sectionName: https
rules:
- backendRefs:
- group: ""
kind: Service
name: vmselect-main
port: 8481
weight: 1
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vminsert-http-redirect
namespace: observability
labels:
app.kubernetes.io/name: vminsert
app.kubernetes.io/instance: victoria-metrics
spec:
hostnames:
- vminsert.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: vminsert
sectionName: http
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vminsert
namespace: observability
labels:
app.kubernetes.io/name: vminsert
app.kubernetes.io/instance: victoria-metrics
spec:
hostnames:
- vminsert.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: vminsert
sectionName: https
rules:
- backendRefs:
- group: ""
kind: Service
name: vminsert-main
port: 8480
weight: 1
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vmagent-http-redirect
namespace: observability
labels:
app.kubernetes.io/name: vmagent
app.kubernetes.io/instance: victoria-metrics
spec:
hostnames:
- vmagent.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: vmagent
sectionName: http
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vmagent
namespace: observability
labels:
app.kubernetes.io/name: vmagent
app.kubernetes.io/instance: victoria-metrics
spec:
hostnames:
- vmagent.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: vmagent
sectionName: https
rules:
- backendRefs:
- group: ""
kind: Service
name: vmagent-main
port: 8429
weight: 1
matches:
- path:
type: PathPrefix
value: /
@@ -4,7 +4,3 @@ kind: Kustomization
resources: resources:
- namespace.yaml - namespace.yaml
- vmcluster.yaml
- vmagent.yaml
- gateway.yaml
- httproute.yaml
-122
@@ -1,122 +0,0 @@
---
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAgent
metadata:
name: main
namespace: observability
spec:
replicaCount: 2
scrapeInterval: 15s
# Also consume VMServiceScrape / VMPodScrape / VMNodeScrape from every namespace
# (the operator auto-converts Prometheus ServiceMonitors -> VMServiceScrape).
selectAllByDefault: true
extraArgs:
loggerFormat: json
remoteWrite:
- url: http://vminsert-main.observability.svc.cluster.local:8480/insert/0/prometheus/
resources:
requests:
cpu: 500m
memory: 512Mi
limits:
cpu: "1"
memory: 2Gi
# Reflected Vault intermediate CA (unkin.net) for verifying puppet Consul + metrics targets.
volumes:
- name: vault-ca
secret:
secretName: vault-ca-cert
volumeMounts:
- name: vault-ca
mountPath: /etc/vmagent-tls
readOnly: true
inlineScrapeConfig: |
- job_name: vmagent
static_configs:
- targets: ["localhost:8429"]
- job_name: "kubernetes-apiservers"
kubernetes_sd_configs:
- role: endpoints
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- source_labels:
- __meta_kubernetes_namespace
- __meta_kubernetes_service_name
- __meta_kubernetes_endpoint_port_name
action: keep
regex: default;kubernetes;https
- job_name: "kubernetes-nodes"
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- job_name: "kubernetes-nodes-cadvisor"
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
metrics_path: /metrics/cadvisor
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- source_labels: [__metrics_path__]
target_label: metrics_path
metric_relabel_configs:
- action: replace
source_labels: [pod]
regex: '(.+)'
target_label: pod_name
replacement: '${1}'
- action: replace
source_labels: [container]
regex: '(.+)'
target_label: container_name
replacement: '${1}'
- action: replace
target_label: name
replacement: k8s_stub
- action: replace
source_labels: [id]
regex: '^/system\.slice/(.+)\.service$'
target_label: systemd_service_name
replacement: '${1}'
# puppet-prod Consul service discovery (same targets as the puppet vmagent).
# consul.service.consul resolves to the puppet Consul from in-cluster pods.
- job_name: consul
consul_sd_configs:
- server: consul.service.consul:443
scheme: https
tls_config:
ca_file: /etc/vmagent-tls/ca.crt
relabel_configs:
- source_labels: [__meta_consul_tagpresent_metrics]
regex: "true"
action: keep
- source_labels: [__meta_consul_node, __meta_consul_service_port]
separator: ":"
target_label: __address__
replacement: "${1}:${2}"
action: replace
- source_labels: [__meta_consul_tag_metrics_scheme]
target_label: __scheme__
action: replace
- target_label: __metrics_path__
replacement: /metrics
- source_labels: [__meta_consul_tag_metrics_job]
target_label: job
action: replace
tls_config:
ca_file: /etc/vmagent-tls/ca.crt
-115
@@ -1,115 +0,0 @@
---
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMCluster
metadata:
name: main
namespace: observability
spec:
retentionPeriod: "180d"
replicationFactor: 2
vmstorage:
replicaCount: 2
extraArgs:
dedup.minScrapeInterval: 15s
loggerFormat: json
storage:
volumeClaimTemplate:
spec:
storageClassName: cephrbd-fast-delete
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 200Gi
resources:
requests:
cpu: "1"
memory: 2Gi
limits:
cpu: "2"
memory: 8Gi
vmselect:
replicaCount: 2
extraArgs:
dedup.minScrapeInterval: 15s
loggerFormat: json
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 500m
memory: 1024Mi
hpa:
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 30
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 10
periodSeconds: 60
- type: Pods
value: 2
periodSeconds: 60
vminsert:
replicaCount: 2
extraArgs:
loggerFormat: json
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 500m
memory: 1024Mi
hpa:
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 30
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 10
periodSeconds: 60
- type: Pods
value: 2
periodSeconds: 60
-4
@@ -7,11 +7,7 @@ resources:
- cnpg_cluster.yaml - cnpg_cluster.yaml
- cnpg_pooler.yaml - cnpg_pooler.yaml
- serviceaccount_terraform_artifactapi.yaml - serviceaccount_terraform_artifactapi.yaml
- serviceaccount_terraform_authentik.yaml
- serviceaccount_terraform_git.yaml - serviceaccount_terraform_git.yaml
- serviceaccount_terraform_prowlarr.yaml
- serviceaccount_terraform_radarr.yaml
- serviceaccount_terraform_sonarr.yaml
- serviceaccount_terraform_vault.yaml - serviceaccount_terraform_vault.yaml
- vaultauth.yaml - vaultauth.yaml
- vaultstaticsecret.yaml - vaultstaticsecret.yaml
@@ -1,6 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-authentik
namespace: woodpecker
@@ -1,6 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-prowlarr
namespace: woodpecker
@@ -1,6 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-radarr
namespace: woodpecker
@@ -1,6 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-sonarr
namespace: woodpecker
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/age-api
@@ -1,14 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/authentik
helmCharts:
- name: authentik
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "2026.5.3"
releaseName: authentik
namespace: authentik
valuesFile: values.yaml
-105
@@ -1,105 +0,0 @@
global:
env:
# PostgreSQL primary (via pooler)
- name: AUTHENTIK_POSTGRESQL__HOST
value: postgres-pooler-rw
- name: AUTHENTIK_POSTGRESQL__PORT
value: "5432"
- name: AUTHENTIK_POSTGRESQL__NAME
value: authentik
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: postgres-credentials
key: username
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
key: password
# PostgreSQL read replica (via pooler)
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__HOST
value: postgres-pooler-ro
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PORT
value: "5432"
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__NAME
value: authentik
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__USER
valueFrom:
secretKeyRef:
name: postgres-credentials
key: username
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
key: password
# PostgreSQL pooler settings
- name: AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS
value: "true"
- name: AUTHENTIK_POSTGRESQL__CONN_MAX_AGE
value: "0"
- name: AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECKS
value: "true"
# Redis
- name: AUTHENTIK_REDIS__HOST
value: redis
- name: AUTHENTIK_REDIS__PORT
value: "6379"
# S3 storage
- name: AUTHENTIK_STORAGE__BACKEND
value: s3
- name: AUTHENTIK_STORAGE__S3__ENDPOINT
value: https://radosgw.service.consul/
- name: AUTHENTIK_STORAGE__S3__BUCKET_NAME
value: authentik
- name: AUTHENTIK_STORAGE__S3__ADDRESSING_STYLE
value: path
- name: AUTHENTIK_STORAGE__S3__ACCESS_KEY
valueFrom:
secretKeyRef:
name: s3-credentials
key: AUTHENTIK_STORAGE__S3__ACCESS_KEY
- name: AUTHENTIK_STORAGE__S3__SECRET_KEY
valueFrom:
secretKeyRef:
name: s3-credentials
key: AUTHENTIK_STORAGE__S3__SECRET_KEY
# Secret key
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-credentials
key: AUTHENTIK_SECRET_KEY
server:
replicas: 3
annotations:
reloader.stakater.com/auto: "true"
ingress:
enabled: false
resources:
limits:
cpu: "2"
memory: 2Gi
requests:
cpu: 250m
memory: 512Mi
worker:
replicas: 2
annotations:
reloader.stakater.com/auto: "true"
resources:
limits:
cpu: "2"
memory: 2Gi
requests:
cpu: 250m
memory: 512Mi
postgresql:
enabled: false
redis:
enabled: false
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/bind-internal
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/bind-system
@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/encapi
@@ -1,16 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: grafana-system
resources:
- ../../../base/grafana-system
helmCharts:
- name: grafana-operator
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "5.24.0"
releaseName: grafana-operator
namespace: grafana-system
valuesFile: values.yaml
@@ -1,16 +0,0 @@
# Watches all namespaces by default (namespaceScope: false) so it can manage the
# Grafana instance + dashboards/datasources in the `grafana` namespace.
#
# Render the CRDs as normal templated manifests (instead of the helm `crds/`
# subchart, which `helm template`/kustomize skip) so ArgoCD installs and manages
# them alongside the operator.
crds:
immutable: false
replicas: 1
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
@@ -6,3 +6,17 @@ namespace: observability
resources: resources:
- ../../../base/observability - ../../../base/observability
helmCharts:
- name: victoria-metrics-cluster
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.33.0"
releaseName: victoria-metrics-cluster
namespace: observability
valuesFile: values-vmcluster.yaml
- name: victoria-metrics-agent
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.30.0"
releaseName: victoria-metrics-agent
namespace: observability
valuesFile: values-vmagent.yaml
@@ -0,0 +1,102 @@
image:
repository: victoriametrics/vmagent
pullPolicy: IfNotPresent
global:
scrape_interval: 15s
podDisruptionBudget:
enabled: true
maxUnavailable: 1
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8481"
replicaCount: 3
extraArgs:
envflag.enable: true
envflag.prefix: VM_
loggerFormat: json
httpListenAddr: :8429
service:
enabled: true
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vmagent.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vmagent.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
hosts:
- name: vmagent.k8s.syd1.au.unkin.net
path:
- /
port: http
tls:
- hosts:
- vmagent.k8s.syd1.au.unkin.net
secretName: vmagent-tls
ingressClassName: nginx
remoteWrite:
- url: http://victoria-metrics-cluster-vminsert.observability.svc.cluster.local:8480/insert/0/prometheus/
scrape_configs:
- job_name: vmagent
static_configs:
- targets: ["localhost:8429"]
- job_name: "kubernetes-apiservers"
kubernetes_sd_configs:
- role: endpoints
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- source_labels:
- __meta_kubernetes_namespace
- __meta_kubernetes_service_name
- __meta_kubernetes_endpoint_port_name
action: keep
regex: default;kubernetes;https
- job_name: "kubernetes-nodes"
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- job_name: "kubernetes-nodes-cadvisor"
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
metrics_path: /metrics/cadvisor
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- source_labels: [__metrics_path__]
target_label: metrics_path
metric_relabel_configs:
- action: replace
source_labels: [pod]
regex: '(.+)'
target_label: pod_name
replacement: '${1}'
- action: replace
source_labels: [container]
regex: '(.+)'
target_label: container_name
replacement: '${1}'
- action: replace
target_label: name
replacement: k8s_stub
- action: replace
source_labels: [id]
regex: '^/system\.slice/(.+)\.service$'
target_label: systemd_service_name
replacement: '${1}'
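Review bot: The `kubernetes-apiservers`, `kubernetes-nodes` and `kubernetes-nodes-cadvisor` jobs set `insecure_skip_verify: true` next to `ca_file`, so the CA file has no effect on verification and the service-account bearer token is sent to whichever endpoint answers. For the API server job the cluster CA should validate the certificate, so I would remove the flag there or set `insecure_skip_verify: false`. For the two node jobs, keep it only if the kubelet serving certificates are not signed by that CA, and say so in a comment. Separately, `podAnnotations` advertises `prometheus.io/port: "8481"` while `httpListenAddr` is `:8429`, so `prometheus.io/port: "8429"` looks intended.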
@@ -0,0 +1,185 @@
vmselect:
enabled: true
image:
repository: victoriametrics/vmselect
pullPolicy: IfNotPresent
variant: cluster
extraArgs:
envflag.enable: true
envflag.prefix: VM_
loggerFormat: json
httpListenAddr: :8481
dedup.minScrapeInterval: 15s
replicationFactor: 2
resources:
limits:
cpu: 500m
memory: 1024Mi
requests:
cpu: 50m
memory: 128Mi
horizontalPodAutoscaler:
enabled: true
maxReplicas: 10
minReplicas: 2
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 30
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 10
periodSeconds: 60
- type: Pods
value: 2
periodSeconds: 60
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8481"
podDisruptionBudget:
enabled: true
maxUnavailable: 1
replicaCount: 2
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vmselect.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vmselect.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
hosts:
- name: vmselect.k8s.syd1.au.unkin.net
path:
- /
port: http
tls:
- hosts:
- vmselect.k8s.syd1.au.unkin.net
secretName: vmselect-tls
ingressClassName: nginx
vminsert:
enabled: true
image:
repository: victoriametrics/vminsert
variant: cluster
pullPolicy: IfNotPresent
extraArgs:
envflag.enable: true
envflag.prefix: VM_
loggerFormat: json
httpListenAddr: :8480
replicationFactor: 2
resources:
limits:
cpu: 500m
memory: 1024Mi
requests:
cpu: 50m
memory: 128Mi
horizontalPodAutoscaler:
enabled: true
maxReplicas: 10
minReplicas: 2
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 30
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 10
periodSeconds: 60
- type: Pods
value: 2
periodSeconds: 60
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8480"
podDisruptionBudget:
enabled: true
maxUnavailable: 1
replicaCount: 2
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vminsert.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vminsert.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
hosts:
- name: vminsert.k8s.syd1.au.unkin.net
path:
- /
port: http
tls:
- hosts:
- vminsert.k8s.syd1.au.unkin.net
secretName: vminsert-tls
ingressClassName: nginx
vmstorage:
enabled: true
image:
repository: victoriametrics/vmstorage
variant: cluster
pullPolicy: IfNotPresent
retentionPeriod: 180d
extraArgs:
envflag.enable: true
envflag.prefix: VM_
loggerFormat: json
httpListenAddr: :8482
dedup.minScrapeInterval: 15s
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8482"
podDisruptionBudget:
enabled: true
maxUnavailable: 1
persistentVolume:
enabled: true
name: vmstorage-volume
accessModes:
- ReadWriteOnce
storageClassName: cephrbd-fast-delete
mountPath: /storage
size: 200Gi
replicaCount: 3
podManagementPolicy: OrderedReady
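Review bot: The `ingress` blocks under `vmselect` and `vminsert` are enabled with only cert-manager, external-dns and body-size annotations, so nothing in this file restricts who can query or write metrics through those hostnames. The vmagent values added in this commit already point `remoteWrite` at the in-cluster vminsert service, so the vminsert ingress may not be needed at all. If it is, I would add a source restriction such as `nginx.ingress.kubernetes.io/whitelist-source-range: "<allowed-cidr>"` (placeholder value) or put an authenticating proxy in front of both. Whether the `nginx` ingress class is reachable only from trusted networks is not visible here, so treat this as something to confirm.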
-6
@@ -10,20 +10,14 @@ spec:
repoURL: https://git.unkin.net/unkin/argocd-apps repoURL: https://git.unkin.net/unkin/argocd-apps
revision: HEAD revision: HEAD
directories: directories:
- path: apps/overlays/*/authentik
- path: apps/overlays/*/artifactapi - path: apps/overlays/*/artifactapi
- path: apps/overlays/*/bind-system
- path: apps/overlays/*/bind-internal
- path: apps/overlays/*/age-api
- path: apps/overlays/*/cattle-system - path: apps/overlays/*/cattle-system
- path: apps/overlays/*/cert-manager - path: apps/overlays/*/cert-manager
- path: apps/overlays/*/certificates - path: apps/overlays/*/certificates
- path: apps/overlays/*/cnpg-system - path: apps/overlays/*/cnpg-system
- path: apps/overlays/*/consul - path: apps/overlays/*/consul
- path: apps/overlays/*/elastic-system - path: apps/overlays/*/elastic-system
- path: apps/overlays/*/encapi
- path: apps/overlays/*/externaldns - path: apps/overlays/*/externaldns
- path: apps/overlays/*/grafana-system
- path: apps/overlays/*/inteldeviceplugins-system - path: apps/overlays/*/inteldeviceplugins-system
- path: apps/overlays/*/jfrog - path: apps/overlays/*/jfrog
- path: apps/overlays/*/kanidm - path: apps/overlays/*/kanidm
-8
@@ -17,20 +17,12 @@ spec:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'artifactapi' - namespace: 'artifactapi'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'age-api'
server: https://kubernetes.default.svc
- namespace: 'authentik'
server: https://kubernetes.default.svc
- namespace: 'bind-internal'
server: https://kubernetes.default.svc
- namespace: 'cert-manager' - namespace: 'cert-manager'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'certificates' - namespace: 'certificates'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'consul' - namespace: 'consul'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'encapi'
server: https://kubernetes.default.svc
- namespace: 'externaldns' - namespace: 'externaldns'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'jfrog' - namespace: 'jfrog'
-50
@@ -1,50 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
SCHEMA_DIR="${1:-schemas}"
rm -rf "$SCHEMA_DIR"
mkdir -p "$SCHEMA_DIR"
echo "==> Fetching CRDs from cluster..." >&2
kubectl get crds -o json | python3 -c "
import sys, json, os
def write_schema(schema, schema_dir, group, kind, version):
def strip_descriptions(obj):
if isinstance(obj, dict):
return {k: strip_descriptions(v) for k, v in obj.items() if k != 'description'}
if isinstance(obj, list):
return [strip_descriptions(i) for i in obj]
return obj
schema = strip_descriptions(schema)
group_dir = os.path.join(schema_dir, group)
os.makedirs(group_dir, exist_ok=True)
fname = f'{kind}_{version}.json'.lower()
with open(os.path.join(group_dir, fname), 'w') as f:
json.dump(schema, f, indent=2, sort_keys=True)
f.write('\n')
print(f' Generated: {group}/{fname}', file=sys.stderr)
data = json.load(sys.stdin)
for crd in data.get('items', []):
spec = crd.get('spec', {})
group = spec.get('group', '')
kind = spec.get('names', {}).get('kind', '')
for ver in spec.get('versions', []):
version = ver.get('name', '')
openapi = ver.get('schema', {}).get('openAPIV3Schema', {})
if not openapi:
continue
schema = dict(openapi)
schema['\$schema'] = 'http://json-schema.org/draft-07/schema#'
schema['type'] = 'object'
schema.setdefault('properties', {})
schema['properties'].setdefault('apiVersion', {'type': 'string'})
schema['properties'].setdefault('kind', {'type': 'string'})
schema['properties'].setdefault('metadata', {'type': 'object'})
write_schema(schema, '$SCHEMA_DIR', group, kind, version)
"
total=$(find "$SCHEMA_DIR" -name '*.json' | wc -l)
echo "==> Schema generation complete: $total schemas in $SCHEMA_DIR" >&2
+3 -6
@@ -3,12 +3,9 @@ set -euo pipefail
KUBE_VERSION="1.33.7" KUBE_VERSION="1.33.7"
SCHEMA_DIR="${SCHEMA_DIR:-schemas}"
schema_args=( schema_args=(
-schema-location "$SCHEMA_DIR/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json" -schema-location "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}-standalone{{.StrictSuffix}}/{{.ResourceKind}}{{.KindSuffix}}.json"
-schema-location "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github_user/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}-standalone{{.StrictSuffix}}/{{.ResourceKind}}{{.KindSuffix}}.json" -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
-schema-location "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github_user/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
) )
while IFS= read -r -d "" k; do while IFS= read -r -d "" k; do
@@ -21,6 +18,6 @@ while IFS= read -r -d "" k; do
-summary \ -summary \
-output pretty \ -output pretty \
-verbose \ -verbose \
-skip CustomResourceDefinition \ -skip CustomResourceDefinition,GpuDevicePlugin,LBNodeAgent,ServiceGroup \
"${schema_args[@]}" "${schema_args[@]}"
done < <(find apps/overlays -name kustomization.yaml -print0) done < <(find apps/overlays -name kustomization.yaml -print0)
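Review bot: The new `-schema-location` entries fetch schemas from the `master` and `main` branches of `yannh/kubernetes-json-schema` and `datreeio/CRDs-catalog` on raw.githubusercontent.com, so the validation gate now depends on mutable third-party content fetched at run time. Pinning the ref to a commit, e.g. `.../yannh/kubernetes-json-schema/<commit-sha>/{{.NormalizedKubernetesVersion}}-standalone...` (placeholder SHA), keeps results reproducible. The widened `-skip CustomResourceDefinition,GpuDevicePlugin,LBNodeAgent,ServiceGroup` also means manifests of those three extra kinds are no longer schema-checked, and a comment saying why no schema is available for them would help. The same `schema_args` change appears in the next file section. The `while` loop body between the two hunks is not shown.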
+2 -5
@@ -3,12 +3,9 @@ set -euo pipefail
KUBE_VERSION="1.33.7" KUBE_VERSION="1.33.7"
SCHEMA_DIR="${SCHEMA_DIR:-schemas}"
schema_args=( schema_args=(
-schema-location "$SCHEMA_DIR/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json" -schema-location "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}-standalone{{.StrictSuffix}}/{{.ResourceKind}}{{.KindSuffix}}.json"
-schema-location "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github_user/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}-standalone{{.StrictSuffix}}/{{.ResourceKind}}{{.KindSuffix}}.json" -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
-schema-location "https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github_user/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
) )
while IFS= read -r -d "" k; do while IFS= read -r -d "" k; do
File diff suppressed because it is too large Load Diff
-162
@@ -1,162 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"commonName": {
"type": "string"
},
"dnsNames": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"duration": {
"type": "string"
},
"ipAddresses": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"issuerRef": {
"properties": {
"group": {
"type": "string"
},
"kind": {
"type": "string"
},
"name": {
"type": "string"
}
},
"required": [
"name"
],
"type": "object"
},
"profile": {
"type": "string"
},
"request": {
"format": "byte",
"type": "string"
}
},
"required": [
"issuerRef",
"request"
],
"type": "object"
},
"status": {
"properties": {
"authorizations": {
"items": {
"properties": {
"challenges": {
"items": {
"properties": {
"token": {
"type": "string"
},
"type": {
"type": "string"
},
"url": {
"type": "string"
}
},
"required": [
"token",
"type",
"url"
],
"type": "object"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"identifier": {
"type": "string"
},
"initialState": {
"enum": [
"valid",
"ready",
"pending",
"processing",
"invalid",
"expired",
"errored"
],
"type": "string"
},
"url": {
"type": "string"
},
"wildcard": {
"type": "boolean"
}
},
"required": [
"url"
],
"type": "object"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"certificate": {
"format": "byte",
"type": "string"
},
"failureTime": {
"format": "date-time",
"type": "string"
},
"finalizeURL": {
"type": "string"
},
"reason": {
"type": "string"
},
"state": {
"enum": [
"valid",
"ready",
"pending",
"processing",
"invalid",
"expired",
"errored"
],
"type": "string"
},
"url": {
"type": "string"
}
},
"type": "object"
}
},
"required": [
"metadata",
"spec"
],
"type": "object"
}
@@ -1,130 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"clusterSelector": {
"properties": {
"matchExpressions": {
"items": {
"properties": {
"key": {
"type": "string"
},
"operator": {
"type": "string"
},
"values": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"required": [
"key",
"operator"
],
"type": "object"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"type": "object"
}
},
"type": "object",
"x-kubernetes-map-type": "atomic"
},
"resources": {
"items": {
"properties": {
"kind": {
"enum": [
"Secret",
"ConfigMap"
],
"type": "string"
},
"name": {
"minLength": 1,
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object"
},
"type": "array"
},
"strategy": {
"enum": [
"ApplyOnce"
],
"type": "string"
}
},
"required": [
"clusterSelector"
],
"type": "object"
},
"status": {
"properties": {
"conditions": {
"items": {
"properties": {
"lastTransitionTime": {
"format": "date-time",
"type": "string"
},
"message": {
"type": "string"
},
"reason": {
"type": "string"
},
"severity": {
"type": "string"
},
"status": {
"type": "string"
},
"type": {
"type": "string"
}
},
"required": [
"status",
"type"
],
"type": "object"
},
"type": "array"
},
"observedGeneration": {
"format": "int64",
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
@@ -1,130 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"clusterSelector": {
"properties": {
"matchExpressions": {
"items": {
"properties": {
"key": {
"type": "string"
},
"operator": {
"type": "string"
},
"values": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"required": [
"key",
"operator"
],
"type": "object"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"type": "object"
}
},
"type": "object",
"x-kubernetes-map-type": "atomic"
},
"resources": {
"items": {
"properties": {
"kind": {
"enum": [
"Secret",
"ConfigMap"
],
"type": "string"
},
"name": {
"minLength": 1,
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object"
},
"type": "array"
},
"strategy": {
"enum": [
"ApplyOnce"
],
"type": "string"
}
},
"required": [
"clusterSelector"
],
"type": "object"
},
"status": {
"properties": {
"conditions": {
"items": {
"properties": {
"lastTransitionTime": {
"format": "date-time",
"type": "string"
},
"message": {
"type": "string"
},
"reason": {
"type": "string"
},
"severity": {
"type": "string"
},
"status": {
"type": "string"
},
"type": {
"type": "string"
}
},
"required": [
"status",
"type"
],
"type": "object"
},
"type": "array"
},
"observedGeneration": {
"format": "int64",
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
@@ -1,198 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"clusterSelector": {
"properties": {
"matchExpressions": {
"items": {
"properties": {
"key": {
"type": "string"
},
"operator": {
"type": "string"
},
"values": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"required": [
"key",
"operator"
],
"type": "object"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"type": "object"
}
},
"type": "object",
"x-kubernetes-map-type": "atomic"
},
"resources": {
"items": {
"properties": {
"kind": {
"enum": [
"Secret",
"ConfigMap"
],
"type": "string"
},
"name": {
"maxLength": 253,
"minLength": 1,
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object"
},
"maxItems": 100,
"type": "array"
},
"strategy": {
"enum": [
"ApplyOnce",
"Reconcile"
],
"type": "string"
}
},
"required": [
"clusterSelector"
],
"type": "object"
},
"status": {
"properties": {
"conditions": {
"items": {
"properties": {
"lastTransitionTime": {
"format": "date-time",
"type": "string"
},
"message": {
"maxLength": 10240,
"minLength": 1,
"type": "string"
},
"reason": {
"maxLength": 256,
"minLength": 1,
"type": "string"
},
"severity": {
"maxLength": 32,
"type": "string"
},
"status": {
"type": "string"
},
"type": {
"maxLength": 256,
"minLength": 1,
"type": "string"
}
},
"required": [
"lastTransitionTime",
"status",
"type"
],
"type": "object"
},
"type": "array"
},
"observedGeneration": {
"format": "int64",
"type": "integer"
},
"v1beta2": {
"properties": {
"conditions": {
"items": {
"properties": {
"lastTransitionTime": {
"format": "date-time",
"type": "string"
},
"message": {
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object"
},
"maxItems": 32,
"type": "array",
"x-kubernetes-list-map-keys": [
"type"
],
"x-kubernetes-list-type": "map"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
@@ -1,68 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"bindings": {
"items": {
"properties": {
"clusterResourceSetName": {
"type": "string"
},
"resources": {
"items": {
"properties": {
"applied": {
"type": "boolean"
},
"hash": {
"type": "string"
},
"kind": {
"enum": [
"Secret",
"ConfigMap"
],
"type": "string"
},
"lastAppliedTime": {
"format": "date-time",
"type": "string"
},
"name": {
"minLength": 1,
"type": "string"
}
},
"required": [
"applied",
"kind",
"name"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"clusterResourceSetName"
],
"type": "object"
},
"type": "array"
}
},
"type": "object"
}
},
"type": "object"
}
@@ -1,68 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"bindings": {
"items": {
"properties": {
"clusterResourceSetName": {
"type": "string"
},
"resources": {
"items": {
"properties": {
"applied": {
"type": "boolean"
},
"hash": {
"type": "string"
},
"kind": {
"enum": [
"Secret",
"ConfigMap"
],
"type": "string"
},
"lastAppliedTime": {
"format": "date-time",
"type": "string"
},
"name": {
"minLength": 1,
"type": "string"
}
},
"required": [
"applied",
"kind",
"name"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"clusterResourceSetName"
],
"type": "object"
},
"type": "array"
}
},
"type": "object"
}
},
"type": "object"
}
@@ -1,80 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"bindings": {
"items": {
"properties": {
"clusterResourceSetName": {
"maxLength": 253,
"minLength": 1,
"type": "string"
},
"resources": {
"items": {
"properties": {
"applied": {
"type": "boolean"
},
"hash": {
"maxLength": 256,
"minLength": 1,
"type": "string"
},
"kind": {
"enum": [
"Secret",
"ConfigMap"
],
"type": "string"
},
"lastAppliedTime": {
"format": "date-time",
"type": "string"
},
"name": {
"maxLength": 253,
"minLength": 1,
"type": "string"
}
},
"required": [
"applied",
"kind",
"name"
],
"type": "object"
},
"maxItems": 100,
"type": "array"
}
},
"required": [
"clusterResourceSetName"
],
"type": "object"
},
"maxItems": 100,
"type": "array"
},
"clusterName": {
"maxLength": 63,
"minLength": 1,
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
}
@@ -1,693 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"config": {
"type": "object",
"x-kubernetes-preserve-unknown-fields": true
},
"configRef": {
"properties": {
"secretName": {
"type": "string"
}
},
"type": "object"
},
"daemonSet": {
"properties": {
"podTemplate": {
"type": "object",
"x-kubernetes-preserve-unknown-fields": true
},
"updateStrategy": {
"properties": {
"rollingUpdate": {
"properties": {
"maxSurge": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"x-kubernetes-int-or-string": true
},
"maxUnavailable": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"x-kubernetes-int-or-string": true
}
},
"type": "object"
},
"type": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"deployment": {
"properties": {
"podTemplate": {
"type": "object",
"x-kubernetes-preserve-unknown-fields": true
},
"replicas": {
"format": "int32",
"type": "integer"
},
"strategy": {
"properties": {
"rollingUpdate": {
"properties": {
"maxSurge": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"x-kubernetes-int-or-string": true
},
"maxUnavailable": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"x-kubernetes-int-or-string": true
}
},
"type": "object"
},
"type": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"elasticsearchRefs": {
"items": {
"properties": {
"name": {
"type": "string"
},
"namespace": {
"type": "string"
},
"outputName": {
"type": "string"
},
"secretName": {
"type": "string"
},
"serviceName": {
"type": "string"
}
},
"type": "object"
},
"type": "array"
},
"fleetServerEnabled": {
"type": "boolean"
},
"fleetServerRef": {
"properties": {
"name": {
"type": "string"
},
"namespace": {
"type": "string"
},
"secretName": {
"type": "string"
},
"serviceName": {
"type": "string"
}
},
"type": "object"
},
"http": {
"properties": {
"service": {
"properties": {
"metadata": {
"properties": {
"annotations": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"finalizers": {
"items": {
"type": "string"
},
"type": "array"
},
"labels": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"name": {
"type": "string"
},
"namespace": {
"type": "string"
}
},
"type": "object"
},
"spec": {
"properties": {
"allocateLoadBalancerNodePorts": {
"type": "boolean"
},
"clusterIP": {
"type": "string"
},
"clusterIPs": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"externalIPs": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"externalName": {
"type": "string"
},
"externalTrafficPolicy": {
"type": "string"
},
"healthCheckNodePort": {
"format": "int32",
"type": "integer"
},
"internalTrafficPolicy": {
"type": "string"
},
"ipFamilies": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"ipFamilyPolicy": {
"type": "string"
},
"loadBalancerClass": {
"type": "string"
},
"loadBalancerIP": {
"type": "string"
},
"loadBalancerSourceRanges": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"ports": {
"items": {
"properties": {
"appProtocol": {
"type": "string"
},
"name": {
"type": "string"
},
"nodePort": {
"format": "int32",
"type": "integer"
},
"port": {
"format": "int32",
"type": "integer"
},
"protocol": {
"default": "TCP",
"type": "string"
},
"targetPort": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"x-kubernetes-int-or-string": true
}
},
"required": [
"port"
],
"type": "object"
},
"type": "array",
"x-kubernetes-list-map-keys": [
"port",
"protocol"
],
"x-kubernetes-list-type": "map"
},
"publishNotReadyAddresses": {
"type": "boolean"
},
"selector": {
"additionalProperties": {
"type": "string"
},
"type": "object",
"x-kubernetes-map-type": "atomic"
},
"sessionAffinity": {
"type": "string"
},
"sessionAffinityConfig": {
"properties": {
"clientIP": {
"properties": {
"timeoutSeconds": {
"format": "int32",
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
},
"trafficDistribution": {
"type": "string"
},
"type": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"tls": {
"properties": {
"certificate": {
"properties": {
"secretName": {
"type": "string"
}
},
"type": "object"
},
"selfSignedCertificate": {
"properties": {
"disabled": {
"type": "boolean"
},
"subjectAltNames": {
"items": {
"properties": {
"dns": {
"type": "string"
},
"ip": {
"type": "string"
}
},
"type": "object"
},
"type": "array"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
},
"image": {
"type": "string"
},
"kibanaRef": {
"properties": {
"name": {
"type": "string"
},
"namespace": {
"type": "string"
},
"secretName": {
"type": "string"
},
"serviceName": {
"type": "string"
}
},
"type": "object"
},
"mode": {
"enum": [
"standalone",
"fleet"
],
"type": "string"
},
"policyID": {
"type": "string"
},
"revisionHistoryLimit": {
"format": "int32",
"type": "integer"
},
"secureSettings": {
"items": {
"properties": {
"entries": {
"items": {
"properties": {
"key": {
"type": "string"
},
"path": {
"type": "string"
}
},
"required": [
"key"
],
"type": "object"
},
"type": "array"
},
"secretName": {
"type": "string"
}
},
"required": [
"secretName"
],
"type": "object"
},
"type": "array"
},
"serviceAccountName": {
"type": "string"
},
"statefulSet": {
"properties": {
"podManagementPolicy": {
"default": "Parallel",
"enum": [
"OrderedReady",
"Parallel"
],
"type": "string"
},
"podTemplate": {
"type": "object",
"x-kubernetes-preserve-unknown-fields": true
},
"replicas": {
"format": "int32",
"type": "integer"
},
"serviceName": {
"type": "string"
},
"volumeClaimTemplates": {
"items": {
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"properties": {
"annotations": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"finalizers": {
"items": {
"type": "string"
},
"type": "array"
},
"labels": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"name": {
"type": "string"
},
"namespace": {
"type": "string"
}
},
"type": "object"
},
"spec": {
"properties": {
"accessModes": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"dataSource": {
"properties": {
"apiGroup": {
"type": "string"
},
"kind": {
"type": "string"
},
"name": {
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object",
"x-kubernetes-map-type": "atomic"
},
"dataSourceRef": {
"properties": {
"apiGroup": {
"type": "string"
},
"kind": {
"type": "string"
},
"name": {
"type": "string"
},
"namespace": {
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object"
},
"resources": {
"properties": {
"limits": {
"additionalProperties": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
"x-kubernetes-int-or-string": true
},
"type": "object"
},
"requests": {
"additionalProperties": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
"x-kubernetes-int-or-string": true
},
"type": "object"
}
},
"type": "object"
},
"selector": {
"properties": {
"matchExpressions": {
"items": {
"properties": {
"key": {
"type": "string"
},
"operator": {
"type": "string"
},
"values": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
}
},
"required": [
"key",
"operator"
],
"type": "object"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"matchLabels": {
"additionalProperties": {
"type": "string"
},
"type": "object"
}
},
"type": "object",
"x-kubernetes-map-type": "atomic"
},
"storageClassName": {
"type": "string"
},
"volumeAttributesClassName": {
"type": "string"
},
"volumeMode": {
"type": "string"
},
"volumeName": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"type": "array"
}
},
"type": "object"
},
"version": {
"type": "string"
}
},
"required": [
"version"
],
"type": "object"
},
"status": {
"properties": {
"availableNodes": {
"format": "int32",
"type": "integer"
},
"elasticsearchAssociationsStatus": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"expectedNodes": {
"format": "int32",
"type": "integer"
},
"fleetServerAssociationStatus": {
"type": "string"
},
"health": {
"type": "string"
},
"kibanaAssociationStatus": {
"type": "string"
},
"observedGeneration": {
"format": "int64",
"type": "integer"
},
"version": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
}
@@ -1,364 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"config": {
"type": "object",
"x-kubernetes-preserve-unknown-fields": true
},
"count": {
"format": "int32",
"type": "integer"
},
"elasticsearchRef": {
"properties": {
"name": {
"type": "string"
},
"namespace": {
"type": "string"
},
"secretName": {
"type": "string"
},
"serviceName": {
"type": "string"
}
},
"type": "object"
},
"http": {
"properties": {
"service": {
"properties": {
"metadata": {
"properties": {
"annotations": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"finalizers": {
"items": {
"type": "string"
},
"type": "array"
},
"labels": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"name": {
"type": "string"
},
"namespace": {
"type": "string"
}
},
"type": "object"
},
"spec": {
"properties": {
"allocateLoadBalancerNodePorts": {
"type": "boolean"
},
"clusterIP": {
"type": "string"
},
"clusterIPs": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"externalIPs": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"externalName": {
"type": "string"
},
"externalTrafficPolicy": {
"type": "string"
},
"healthCheckNodePort": {
"format": "int32",
"type": "integer"
},
"internalTrafficPolicy": {
"type": "string"
},
"ipFamilies": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"ipFamilyPolicy": {
"type": "string"
},
"loadBalancerClass": {
"type": "string"
},
"loadBalancerIP": {
"type": "string"
},
"loadBalancerSourceRanges": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"ports": {
"items": {
"properties": {
"appProtocol": {
"type": "string"
},
"name": {
"type": "string"
},
"nodePort": {
"format": "int32",
"type": "integer"
},
"port": {
"format": "int32",
"type": "integer"
},
"protocol": {
"default": "TCP",
"type": "string"
},
"targetPort": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"x-kubernetes-int-or-string": true
}
},
"required": [
"port"
],
"type": "object"
},
"type": "array",
"x-kubernetes-list-map-keys": [
"port",
"protocol"
],
"x-kubernetes-list-type": "map"
},
"publishNotReadyAddresses": {
"type": "boolean"
},
"selector": {
"additionalProperties": {
"type": "string"
},
"type": "object",
"x-kubernetes-map-type": "atomic"
},
"sessionAffinity": {
"type": "string"
},
"sessionAffinityConfig": {
"properties": {
"clientIP": {
"properties": {
"timeoutSeconds": {
"format": "int32",
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
},
"trafficDistribution": {
"type": "string"
},
"type": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"tls": {
"properties": {
"certificate": {
"properties": {
"secretName": {
"type": "string"
}
},
"type": "object"
},
"selfSignedCertificate": {
"properties": {
"disabled": {
"type": "boolean"
},
"subjectAltNames": {
"items": {
"properties": {
"dns": {
"type": "string"
},
"ip": {
"type": "string"
}
},
"type": "object"
},
"type": "array"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
},
"image": {
"type": "string"
},
"kibanaRef": {
"properties": {
"name": {
"type": "string"
},
"namespace": {
"type": "string"
},
"secretName": {
"type": "string"
},
"serviceName": {
"type": "string"
}
},
"type": "object"
},
"podTemplate": {
"type": "object",
"x-kubernetes-preserve-unknown-fields": true
},
"revisionHistoryLimit": {
"format": "int32",
"type": "integer"
},
"secureSettings": {
"items": {
"properties": {
"entries": {
"items": {
"properties": {
"key": {
"type": "string"
},
"path": {
"type": "string"
}
},
"required": [
"key"
],
"type": "object"
},
"type": "array"
},
"secretName": {
"type": "string"
}
},
"required": [
"secretName"
],
"type": "object"
},
"type": "array"
},
"serviceAccountName": {
"type": "string"
},
"version": {
"type": "string"
}
},
"required": [
"version"
],
"type": "object"
},
"status": {
"properties": {
"availableNodes": {
"format": "int32",
"type": "integer"
},
"count": {
"format": "int32",
"type": "integer"
},
"elasticsearchAssociationStatus": {
"type": "string"
},
"health": {
"type": "string"
},
"kibanaAssociationStatus": {
"type": "string"
},
"observedGeneration": {
"format": "int64",
"type": "integer"
},
"secretTokenSecret": {
"type": "string"
},
"selector": {
"type": "string"
},
"service": {
"type": "string"
},
"version": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
}
@@ -1,15 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"type": "object"
}
},
"type": "object"
}
@@ -1,317 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"apiVersion": {
"type": "string"
},
"kind": {
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"properties": {
"config": {
"type": "object",
"x-kubernetes-preserve-unknown-fields": true
},
"count": {
"format": "int32",
"type": "integer"
},
"elasticsearchRef": {
"properties": {
"name": {
"type": "string"
},
"namespace": {
"type": "string"
}
},
"required": [
"name"
],
"type": "object"
},
"http": {
"properties": {
"service": {
"properties": {
"metadata": {
"properties": {
"annotations": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"finalizers": {
"items": {
"type": "string"
},
"type": "array"
},
"labels": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"name": {
"type": "string"
},
"namespace": {
"type": "string"
}
},
"type": "object"
},
"spec": {
"properties": {
"allocateLoadBalancerNodePorts": {
"type": "boolean"
},
"clusterIP": {
"type": "string"
},
"clusterIPs": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"externalIPs": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"externalName": {
"type": "string"
},
"externalTrafficPolicy": {
"type": "string"
},
"healthCheckNodePort": {
"format": "int32",
"type": "integer"
},
"internalTrafficPolicy": {
"type": "string"
},
"ipFamilies": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"ipFamilyPolicy": {
"type": "string"
},
"loadBalancerClass": {
"type": "string"
},
"loadBalancerIP": {
"type": "string"
},
"loadBalancerSourceRanges": {
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"ports": {
"items": {
"properties": {
"appProtocol": {
"type": "string"
},
"name": {
"type": "string"
},
"nodePort": {
"format": "int32",
"type": "integer"
},
"port": {
"format": "int32",
"type": "integer"
},
"protocol": {
"default": "TCP",
"type": "string"
},
"targetPort": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"x-kubernetes-int-or-string": true
}
},
"required": [
"port"
],
"type": "object"
},
"type": "array",
"x-kubernetes-list-map-keys": [
"port",
"protocol"
],
"x-kubernetes-list-type": "map"
},
"publishNotReadyAddresses": {
"type": "boolean"
},
"selector": {
"additionalProperties": {
"type": "string"
},
"type": "object",
"x-kubernetes-map-type": "atomic"
},
"sessionAffinity": {
"type": "string"
},
"sessionAffinityConfig": {
"properties": {
"clientIP": {
"properties": {
"timeoutSeconds": {
"format": "int32",
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
},
"trafficDistribution": {
"type": "string"
},
"type": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"tls": {
"properties": {
"certificate": {
"properties": {
"secretName": {
"type": "string"
}
},
"type": "object"
},
"selfSignedCertificate": {
"properties": {
"disabled": {
"type": "boolean"
},
"subjectAltNames": {
"items": {
"properties": {
"dns": {
"type": "string"
},
"ip": {
"type": "string"
}
},
"type": "object"
},
"type": "array"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
},
"image": {
"type": "string"
},
"podTemplate": {
"type": "object",
"x-kubernetes-preserve-unknown-fields": true
},
"secureSettings": {
"items": {
"properties": {
"entries": {
"items": {
"properties": {
"key": {
"type": "string"
},
"path": {
"type": "string"
}
},
"required": [
"key"
],
"type": "object"
},
"type": "array"
},
"secretName": {
"type": "string"
}
},
"required": [
"secretName"
],
"type": "object"
},
"type": "array"
},
"version": {
"type": "string"
}
},
"type": "object"
},
"status": {
"properties": {
"associationStatus": {
"type": "string"
},
"availableNodes": {
"format": "int32",
"type": "integer"
},
"health": {
"type": "string"
},
"secretTokenSecret": {
"type": "string"
},
"service": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
}