diff --git a/apps-helm/wg-access-server/templates/deployment.yaml b/apps-helm/wg-access-server/templates/deployment.yaml
index 2c315fc..4d236a3 100644
--- a/apps-helm/wg-access-server/templates/deployment.yaml
+++ b/apps-helm/wg-access-server/templates/deployment.yaml
@@ -1,4 +1,8 @@
 {{- $fullName := include "wg-access-server.fullname" . -}}
+{{ $secretName := $fullName }}
+{{- if .Values.config.existingSecret -}}
+{{ $secretName = .Values.config.existingSecret }}
+{{ end -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -46,34 +50,43 @@ spec:
 - name: WG_WIREGUARD_PRIVATE_KEY
 valueFrom:
 secretKeyRef:
- name: "{{ $fullName }}"
+ name: "{{ $secretName }}"
 key: privateKey
 {{- end }}
 {{- if .Values.web.config.adminUsername }}
 - name: WG_ADMIN_USERNAME
 valueFrom:
 secretKeyRef:
- name: "{{ $fullName }}"
+ name: "{{ $secretName }}"
 key: adminUsername
 {{- end}}
 {{- if .Values.web.config.adminPassword }}
 - name: WG_ADMIN_PASSWORD
 valueFrom:
 secretKeyRef:
- name: "{{ $fullName }}"
+ name: "{{ $secretName }}"
 key: adminPassword
 {{- end}}
+ {{- if .Values.config.csiSecretsStore }}
+ - name: WG_CONFIG
+ value: /secrets/config.yaml
+ {{- end}}
 volumeMounts:
 - name: tun
 mountPath: /dev/net/tun
 - name: data
 mountPath: /data
+ {{- if .Values.config.csiSecretsStore }}
+ - name: config
+ mountPath: /secrets
+ {{- else }}
 - name: config
 mountPath: /config.yaml
 subPath: config.yaml
+ {{- end}}
 readinessProbe:
 httpGet:
- path: /
+ path: /health
 port: http
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
@@ -90,9 +103,18 @@ spec:
 {{- if not .Values.persistence.enabled }}
 emptyDir: {}
 {{- end }}
+ {{- if .Values.config.csiSecretsStore }}
+ - name: config
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: app-secrets
+ {{- else }}
 - name: config
 configMap:
 name: "{{ $fullName }}"
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
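Review bot: The new `{{ $secretName := $fullName }}` and `{{ $secretName = .Values.config.existingSecret }}` actions carry no whitespace trimming, so each leaves a blank line in the rendered manifest ahead of `apiVersion:`, unlike the `{{- if` and `{{ end -}}` lines around them. Writing them as `{{- $secretName := $fullName -}}` and `{{- $secretName = .Values.config.existingSecret -}}` keeps the rendered output starting where it did before. The template for the chart's own Secret is not on this page; if it still renders when `existingSecret` is set, the release carries an unused second copy of the key material, which is worth confirming.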
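Review bot: `value: /secrets/config.yaml` for `WG_CONFIG` hard-codes a path that only works because `mountPath: /secrets` a few lines below and `path: "config.yaml"` in secretProviderClass.yaml happen to agree; changing any one of the three breaks startup silently, with no template error. Setting the location once at the top of the template, `{{- $configDir := "/secrets" -}}` and `{{- $configFile := "config.yaml" -}}`, and deriving the env value and `mountPath` from them keeps the two templates in step. The container spec continues outside the hunk.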
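Review bot: `secretProviderClass: app-secrets` is a fixed literal, and the SecretProviderClass it refers to in secretProviderClass.yaml is likewise named `app-secrets` rather than derived from `$fullName`, so two releases of this chart in one namespace would share one SecretProviderClass and the second release would quietly mount the first release's vault item. Every other resource in this template is release-scoped through `$fullName`; the CSI volume should be too, `secretProviderClass: "{{ $fullName }}"` here and `name: {{ $fullName }}` in the SecretProviderClass. The volumes list continues past the hunk.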
diff --git a/apps-helm/wg-access-server/templates/secretProviderClass.yaml b/apps-helm/wg-access-server/templates/secretProviderClass.yaml
new file mode 100644
index 0000000..3ebf5b7
--- /dev/null
+++ b/apps-helm/wg-access-server/templates/secretProviderClass.yaml
@@ -0,0 +1,13 @@
+---
+{{- if .Values.config.csiSecretsStore -}}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: app-secrets
+spec:
+ provider: {{ .Values.config.csiSecretsStore.providerName | default "1password" }}
+ parameters:
+ secrets: |
+ - resourceName: {{ .Values.config.csiSecretsStore.resourceName | default "vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes" }}
+ path: "config.yaml"
+{{- end -}}
\ No newline at end of file
diff --git a/apps-helm/wg-access-server/values.yaml b/apps-helm/wg-access-server/values.yaml
index dccc4e4..4c4d89c 100644
--- a/apps-helm/wg-access-server/values.yaml
+++ b/apps-helm/wg-access-server/values.yaml
@@ -1,5 +1,9 @@
 # wg-access-server config
-config: {}
+config:
+ existingSecret: ""
+ csiSecretsStore: {}
+# providerName: 1password
+# resourceName: vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes
 web:
 config:
diff --git a/apps-kustomized/bazarr/deploy.yaml b/apps-kustomized/bazarr/deploy.yaml
new file mode 100644
index 0000000..c789323
--- /dev/null
+++ b/apps-kustomized/bazarr/deploy.yaml
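Review bot: The `default "vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes"` fallback bakes one specific 1Password item path into the chart, so a consumer who enables `csiSecretsStore` without setting `resourceName` mounts (or fails to mount) the chart author's item instead of getting a clear template error; the Application on this page sets a different path anyway, so the default serves nobody. Make the value mandatory and quoted, `- resourceName: {{ required "config.csiSecretsStore.resourceName is required" .Values.config.csiSecretsStore.resourceName | quote }}`, and quote `provider:` the same way so a value that happens to look like a number or boolean is not retyped.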
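Review bot: `existingSecret: ""` and `csiSecretsStore: {}` are introduced without saying what they expect: the deployment template reads the keys `privateKey`, `adminUsername` and `adminPassword` from the Secret named by `existingSecret`, and `csiSecretsStore` must carry `providerName` and `resourceName` before the `if` in the templates becomes true. A comment above each, such as `# existingSecret: name of a Secret in the release namespace holding privateKey, adminUsername and adminPassword` and `# csiSecretsStore: set providerName and resourceName to mount config.yaml from the Secrets Store CSI driver instead of the ConfigMap`, records that contract. The commented example `resourceName` is the maintainer's own vault path; a neutral placeholder such as `<path-to-config-item>` avoids shipping it with the chart.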
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: bazarr
+ name: bazarr
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: bazarr
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: bazarr
+ spec:
+ containers:
+ - image: hotio/bazarr:release
+ name: bazarr
+ ports:
+ - name: http
+ containerPort: 6767
+ protocol: TCP
+ volumeMounts:
+ - name: config
+ mountPath: /config
+ - name: series
+ mountPath: /series
+ - name: oldseries
+ mountPath: /oldseries
+ - name: films
+ mountPath: /films
+ volumes:
+ - name: config
+ persistentVolumeClaim:
+ claimName: bazarr-config-data
+ - name: series
+ persistentVolumeClaim:
+ claimName: smb-series
+ - name: oldseries
+ persistentVolumeClaim:
+ claimName: smb-oldseries
+ - name: films
+ persistentVolumeClaim:
+ claimName: smb-films
+
diff --git a/apps-kustomized/bazarr/pvc-smb.yaml b/apps-kustomized/bazarr/pvc-smb.yaml
new file mode 100644
index 0000000..b4044af
--- /dev/null
+++ b/apps-kustomized/bazarr/pvc-smb.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: smb-series
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: smb-series
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: smb-oldseries
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: smb-oldseries
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: smb-films
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: smb-films
\ No newline at end of file
diff --git a/apps-kustomized/bazarr/pvc.yaml b/apps-kustomized/bazarr/pvc.yaml
new file mode 100644
index 0000000..094b906
--- /dev/null
+++ b/apps-kustomized/bazarr/pvc.yaml
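Review bot: `image: hotio/bazarr:release` is a floating tag, so each pod restart may pull a different build and the manifest does not pin what actually runs; the cryptpad Deployment in this same commit pins `version-5.5.0`, and bazarr should pin a version tag (or a digest) the same way. `creationTimestamp: null` is a `kubectl` export artifact and can be dropped. The container also has no `resources` and no `securityContext`; at least `allowPrivilegeEscalation: false` and a memory limit would be worth adding if the image tolerates them.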
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: bazarr-config-data
+spec:
+ storageClassName: rook-ceph-block-ssd
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/apps-kustomized/bazarr/service.yaml b/apps-kustomized/bazarr/service.yaml
new file mode 100644
index 0000000..68594e9
--- /dev/null
+++ b/apps-kustomized/bazarr/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: bazarr
+ name: bazarr
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: bazarr.martyn.berlin
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 80
+ targetPort: 6767
+ selector:
+ app: bazarr
diff --git a/apps-kustomized/cryptpad/deploy.yaml b/apps-kustomized/cryptpad/deploy.yaml
new file mode 100644
index 0000000..2fef773
--- /dev/null
+++ b/apps-kustomized/cryptpad/deploy.yaml
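Review bot: `type: LoadBalancer` with `port: 80` and an `external-dns` hostname publishes the Bazarr UI over plain HTTP under a DNS name, whereas the cryptpad resources in the same commit go through an Ingress with a cert-manager TLS certificate. Any credentials entered into that UI travel in clear; fronting bazarr with the same nginx Ingress, `cert-manager.io/cluster-issuer: letsencrypt` and a `tls:` block, or at least adding `loadBalancerSourceRanges:` to limit who can reach the listener, would match the rest of the change. Whether the UI has its own authentication enabled is not visible here.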
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: cryptpad
+ name: cryptpad
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: cryptpad
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: cryptpad
+ spec:
+ containers:
+ - image: cryptpad/cryptpad:version-5.5.0
+ command:
+ - /usr/local/bin/npm
+ - start
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 5
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: http
+ timeoutSeconds: 10
+ name: cryptpad
+ ports:
+ - containerPort: 3000
+ name: http
+ protocol: TCP
+ - containerPort: 3001
+ name: http-safe
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 5
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: http
+ timeoutSeconds: 10
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /cryptpad/blob
+ name: blob
+ - mountPath: /cryptpad/block
+ name: block
+ - mountPath: /cryptpad/config
+ name: config
+ - mountPath: /cryptpad/customize
+ name: customize
+ - mountPath: /cryptpad/data
+ name: data
+ - mountPath: /cryptpad/datasource
+ name: datasource
+ - mountPath: /cryptpad/datastore
+ name: datastore
+ volumes:
+ - name: blob
+ persistentVolumeClaim:
+ claimName: cryptpad-blob
+ - name: block
+ persistentVolumeClaim:
+ claimName: cryptpad-block
+ - name: config
+ persistentVolumeClaim:
+ claimName: cryptpad-config
+ - name: customize
+ persistentVolumeClaim:
+ claimName: cryptpad-customize
+ - name: data
+ persistentVolumeClaim:
+ claimName: cryptpad-data
+ - name: datasource
+ persistentVolumeClaim:
+ claimName: cryptpad-datasource
+ - name: datastore
+ persistentVolumeClaim:
+ claimName: cryptpad-datastore
diff --git a/apps-kustomized/cryptpad/ingress.yaml b/apps-kustomized/cryptpad/ingress.yaml
new file mode 100644
index 0000000..a518c2c
--- /dev/null
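Review bot: The container spec has no `resources` and no `securityContext`, so the pod runs as the image's default user with no CPU or memory bound; `terminationMessagePath: /dev/termination-log` and `terminationMessagePolicy: File` are the API defaults and read like leftovers from a `kubectl get -o yaml` export. Adding `resources.requests`/`limits` and a `securityContext` with `allowPrivilegeEscalation: false` (plus `runAsNonRoot: true` if the image supports it) is the usual baseline for a workload that stores user data on seven persistent volumes. The pinned `version-5.5.0` tag is the right choice and worth keeping as the pattern for the other Deployments in this commit.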
+++ b/apps-kustomized/cryptpad/ingress.yaml
@@ -0,0 +1,63 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "cross-origin-resource-policy: cross-origin";
+ more_set_headers "cross-origin-embedder-policy: require-corp";
+ nginx.ingress.kubernetes.io/cors-allow-origin: https://cryptpad-safe.martyn.berlin
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ labels:
+ app.kubernetes.io/name: cryptpad
+ name: cryptpad
+spec:
+ rules:
+ - host: cryptpad.martyn.berlin
+ http:
+ paths:
+ - backend:
+ service:
+ name: cryptpad
+ port:
+ number: 3000
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - cryptpad.martyn.berlin
+ secretName: cryptpad-tls
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "cross-origin-resource-policy: cross-origin";
+ more_set_headers "cross-origin-embedder-policy: require-corp";
+ nginx.ingress.kubernetes.io/cors-allow-origin: https://cryptpad-safe.martyn.berlin
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ labels:
+ app.kubernetes.io/name: cryptpad
+ name: cryptpad-0
+spec:
+ rules:
+ - host: cryptpad-safe.martyn.berlin
+ http:
+ paths:
+ - backend:
+ service:
+ name: cryptpad
+ port:
+ number: 3000
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - cryptpad-safe.martyn.berlin
+ secretName: cryptpad-safe-tls
diff --git a/apps-kustomized/cryptpad/pvc.yaml b/apps-kustomized/cryptpad/pvc.yaml
new file mode 100644
index 0000000..8a8c4d3
--- /dev/null
+++ b/apps-kustomized/cryptpad/pvc.yaml
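Review bot: The second Ingress (`name: cryptpad-0`, host `cryptpad-safe.martyn.berlin`) sends traffic to service `cryptpad` port `3000`, the same backend as the main host, while service.yaml in this commit defines a `cryptpad-safe` Service on port `3001` (the `http-safe` container port) that nothing on the page references; if the sandbox origin is meant to be served by the 3001 listener the backend should read `name: cryptpad-safe` / `number: 3001`, and if it is not, the extra Service is dead. `name: cryptpad-0` would be clearer as `cryptpad-safe`. `kubernetes.io/ingress.class: nginx` is the deprecated annotation form for `networking.k8s.io/v1` and can be `spec.ingressClassName: nginx`. On the safe-origin Ingress `cors-allow-origin` names its own host, which reads like a copy of the first block; confirm it is not meant to be `https://cryptpad.martyn.berlin`.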
@@ -0,0 +1,101 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ labels:
+ app.kubernetes.io/name: cryptpad
+ name: cryptpad-blob
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2500Mi
+ storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ labels:
+ app.kubernetes.io/name: cryptpad
+ name: cryptpad-block
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2500Mi
+ storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ labels:
+ app.kubernetes.io/name: cryptpad
+ name: cryptpad-config
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ labels:
+ app.kubernetes.io/name: cryptpad
+ name: cryptpad-customize
+ namespace: cryptpad
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ labels:
+ app.kubernetes.io/name: cryptpad
+ name: cryptpad-data
+ namespace: cryptpad
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2500Mi
+ storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ labels:
+ app.kubernetes.io/name: cryptpad
+ name: cryptpad-datasource
+ namespace: cryptpad
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ labels:
+ app.kubernetes.io/name: cryptpad
+ name: cryptpad-datastore
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: rook-ceph-block-ssd
diff --git a/apps-kustomized/cryptpad/service.yaml b/apps-kustomized/cryptpad/service.yaml
new file mode 100644
index 0000000..1a017e8
--- /dev/null
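Review bot: `namespace: cryptpad` appears on `cryptpad-customize`, `cryptpad-data` and `cryptpad-datasource` but not on the other four claims, which rely on the Argo Application's destination namespace; the mix works today only because both resolve to the same namespace. Either drop the three `namespace:` lines or set it on all seven, so that a later change of the destination cannot split the claims across namespaces and leave the Deployment's `claimName` references dangling.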
+++ b/apps-kustomized/cryptpad/service.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: cryptpad
+ name: cryptpad
+spec:
+ ports:
+ - name: http
+ port: 3000
+ targetPort: http
+ selector:
+ app.kubernetes.io/name: cryptpad
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: cryptpad
+ name: cryptpad-safe
+spec:
+ ports:
+ - name: http-safe
+ port: 3001
+ selector:
+ app.kubernetes.io/name: cryptpad
diff --git a/everything-app/app-cilium.yaml b/everything-app/app-cilium.yaml
index 3cbf98e..d7bb8f9 100644
--- a/everything-app/app-cilium.yaml
+++ b/everything-app/app-cilium.yaml
@@ -33,9 +33,9 @@ spec:
 - name: l2announcements.enabled
 value: "true"
 - name: k8sClientRateLimit.qps
- value: "30"
- - name: k8sClientRateLimit.burst
 value: "50"
+ - name: k8sClientRateLimit.burst
+ value: "100"
 syncPolicy:
 automated:
 selfHeal: true
diff --git a/everything-app/app-ingress-nginx.yaml b/everything-app/app-ingress-nginx.yaml
index 2dd1ba2..87e6844 100644
--- a/everything-app/app-ingress-nginx.yaml
+++ b/everything-app/app-ingress-nginx.yaml
@@ -16,6 +16,8 @@ spec:
 parameters:
 - name: controller.service.type
 value: LoadBalancer
+ - name: controller.allowSnippetAnnotations
+ value: "true"
 syncPolicy:
 automated:
 selfHeal: true
diff --git a/everything-app/bazarr.yaml b/everything-app/bazarr.yaml
new file mode 100644
index 0000000..f5369d5
--- /dev/null
+++ b/everything-app/bazarr.yaml
@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: bazarr
+ namespace: argocd
+spec:
+ destination:
+ namespace: bazarr
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: apps-kustomized/bazarr
+ repoURL: https://git.martyn.berlin/martyn/infra4talos.git
+ targetRevision: HEAD
+ syncPolicy:
+ automated:
+ selfHeal: true
diff --git a/everything-app/cryptpad.yaml b/everything-app/cryptpad.yaml
new file mode 100644
index 0000000..8694846
--- /dev/null
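Review bot: The `cryptpad-safe` Service omits `targetPort`, so it falls back to `3001`, which matches the `http-safe` containerPort only because the numbers coincide, while the `cryptpad` Service uses the named `targetPort: http`; writing `targetPort: http-safe` keeps both Services in one style and survives a renumbering of the container ports in the Deployment.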
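Review bot: `controller.allowSnippetAnnotations: "true"` turns on `configuration-snippet` for the whole controller, a setting that is off by default because any principal allowed to create an Ingress in any namespace can then inject arbitrary nginx directives into the shared proxy. On this page it is needed only for the two `more_set_headers` lines in cryptpad's Ingress; if that is the only use, keep Ingress creation limited to trusted identities through RBAC and record the reason next to the parameter, `# needed for cryptpad's configuration-snippet headers`, so the setting is not left on after that Ingress changes. If the chart version exposes the controller's `annotation-value-word-blocklist` ConfigMap key, it narrows what a snippet may contain and is worth setting alongside.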
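Review bot: `project: default` places bazarr in Argo's unrestricted default project while the sibling Applications in this commit use `apps` (cryptpad) and `infra` (wg-access-server); `project: apps` would keep that project's destination and resource restrictions in force for this workload too. The `repoURL` ends in `.git` whereas the other two Applications write `https://git.martyn.berlin/martyn/infra4talos`; one spelling across the three avoids the repository being matched differently for credentials or caching, should Argo not normalise the suffix.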
+++ b/everything-app/cryptpad.yaml
@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cryptpad
+ namespace: argocd
+spec:
+ destination:
+ namespace: cryptpad
+ server: https://kubernetes.default.svc
+ project: apps
+ source:
+ path: apps-kustomized/cryptpad
+ repoURL: https://git.martyn.berlin/martyn/infra4talos
+ targetRevision: HEAD
+ syncPolicy:
+ automated:
+ selfHeal: true
\ No newline at end of file
diff --git a/everything-app/wg-access-server.yaml b/everything-app/wg-access-server.yaml
new file mode 100644
index 0000000..c0ff238
--- /dev/null
+++ b/everything-app/wg-access-server.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: wg-access-server
+ namespace: argocd
+spec:
+ destination:
+ namespace: wg-access
+ server: https://kubernetes.default.svc
+ project: infra
+ source:
+ helm:
+ parameters:
+ - name: web.service.type
+ value: LoadBalancer
+ - name: wireguard.service.type
+ value: LoadBalancer
+ values: |-
+ config:
+ csiSecretsStore:
+ providerName: 1password
+ resourceName: vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/idkjj6oyua2fq6df4fkjzmh4ne/config.yaml
+ path: apps-helm/wg-access-server
+ repoURL: https://git.martyn.berlin/martyn/infra4talos
+ targetRevision: HEAD
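Review bot: This Application has no `syncPolicy`, unlike the bazarr and cryptpad Applications in the same commit which set `automated.selfHeal: true`, so it only syncs when someone triggers it and drift in the `wg-access` namespace is not repaired. If manual sync is intentional for the VPN, a comment on the spec, `# no syncPolicy on purpose: VPN changes are rolled out manually`, stops the next reader from "fixing" it; otherwise add the same `syncPolicy` block the other two use. The inline `values` block identifies which vault item supplies `config.yaml` but nothing on the page records who is expected to reach the `web.service.type: LoadBalancer` admin listener, which is worth a line in the same place.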