feat: external-dns & cert-manager
All checks were successful
Renovate / renovate (push) Successful in 58s

This commit is contained in:
Peter 2024-02-14 21:45:58 +01:00
parent b21eeffd70
commit 21258a04b2
Signed by: prskr
GPG key ID: F56BED6903BC5E37
31 changed files with 5068 additions and 14 deletions

1
cert-manager/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
charts/

View file

@ -0,0 +1,36 @@
apiVersion: v1
kind: Secret
metadata:
name: acme-dns-cloudflare
type: Opaque
stringData:
api-token: ENC[AES256_GCM,data:9PerD+nitxWGlaVCrvwrzSq4n6OXOWdoxwuvmgNCo5dwKby5MmWzgA==,iv:+IKQIFlB0wmfAXAeqVS21zXTdQgQW1382UdsV//QNc0=,tag:ET99pjX/39bZhmHRCnAzFw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByK25WeGYzZVdFOUluczNa
YXdnZklod2RxZUo5UkJvcUJNVWIvQ0pSbUhZCnpJQVF0MEUwWG51RHUvOVFFMkg3
QmI3T2VDQ0k5L1p6dSt4b1dlczA1TmsKLS0tIC9OMlIyQjNHQU90TjdlSm9CWkIv
ODQ3b05TMENqZnU1NC8xUkx2YU5vRjAKAaRgVOWFkA8qmTPAwb5zsQqpZce+QOan
RaJAf/52GB83bk8iajcJMjpPsQLNc8Bc1BUeXZeJ8Q1eDpj/Ez4pLg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbjNobXZVOEM0b09CQ1p5
c2RpUDNWTTVIVXh0aVRBTzNyOUxuVUNwUFVFCjQ0K0pvdlhlWTNqV2Vxa0Jjclc2
cDI3Z3JlV3hxaXptYlZrN1RROHBwM2cKLS0tIEJCZjRuSjVMcTlIUmhiSWk5NmRz
LzVyWGZ0em5RKytCWndjbjh6eWhNc1kK+2g/VLNIs2B62l5kZmkj561Fq0hpnvf0
L5p+Dyxlh8VjFVKXct6PzJ2Bg+mx+/MDFSZ2PXw9QUI+eNdznCutZg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-13T20:21:29Z"
mac: ENC[AES256_GCM,data:phMqQQ+gs0q2AZrnwzM7qybxcdaErWk5Q3bjXE1chekJQ5IsHoaDj7orzG0CAb1GD+Qa+/3QV9n2ggsT9w3zZGSjiMTttes3L3CVfJjOXC6WpzjxHnIM7xFA2uZsziIOXbU6nqZ8OtFfFfjbio8lt0OZj7W6HIdAnom6zIwUAbI=,iv:ueToOo0V+IBScXDTJnHPVKvx9O3/NHeTBDs344FseQ0=,tag:JNc9tr1LZx6LRRpcqNwJOA==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,22 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
- crds/cert-manager.crds.yaml
- resources/letsencrypt-staging.yaml
- resources/letsencrypt-production.yaml
helmCharts:
- name: cert-manager
repo: https://charts.jetstack.io
version: "1.14.2"
releaseName: cert-manager
namespace: kube-system
valuesFile: config/values.cert-manager.yaml
apiVersions:
- "cert-manager.io/v1"
generators:
- ./secret-generator.yaml

View file

@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
spec:
acme:
email: peter.kurfer@gmail.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-production
solvers:
- http01:
ingress:
ingressClassName: traefik

View file

@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
email: peter.kurfer@gmail.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
ingressClassName: traefik

View file

@ -0,0 +1,10 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: cert-manager-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./config/acme-cloudflare-dns.yaml

View file

@ -10,6 +10,11 @@ coder:
gethomepage.dev/group: Apps gethomepage.dev/group: Apps
gethomepage.dev/icon: coder.png gethomepage.dev/icon: coder.png
gethomepage.dev/name: Coder gethomepage.dev/name: Coder
cert-manager.io/cluster-issuer: letsencrypt-production
tls:
enable: true
secretName: coder-ingress-tls
wildcardSecretName: coder-wildcard-ingress-tls
env: env:
- name: CODER_WILDCARD_ACCESS_URL - name: CODER_WILDCARD_ACCESS_URL
value: '*.ide.icb4dc0.de' value: '*.ide.icb4dc0.de'

View file

@ -11,7 +11,7 @@ helmCharts:
repo: https://helm.coder.com/v2 repo: https://helm.coder.com/v2
releaseName: coder releaseName: coder
namespace: coder namespace: coder
version: "2.7.1" version: "2.8.2"
valuesFile: config/values.coder.yml valuesFile: config/values.coder.yml
skipTests: true skipTests: true

View file

@ -0,0 +1,36 @@
apiVersion: v1
kind: Secret
metadata:
name: external-dns-secrets
type: Opaque
stringData:
CF_API_TOKEN: ENC[AES256_GCM,data:zN3eidkDiRiSRx5neWjBh6H//IcDEi00Up3kKpghzUHAHHin+np3cQ==,iv:yWWzvUJyi6Go3lhtPzvlvzFJKQ9+DU4BbjxO2R43It0=,tag:hXS+HtGKmPFsGsqgQg444w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYjg0Rnd1L0tXeThlZVNu
OE1qY0VWVXE2R1VzUnU5UGhFR1hpZEdaTEVNCkN5TEtBQkMrcnJINUcwcC9ZbmpQ
ZXVCSVUxNzdyN0lSZlI2QVpzUXUzbFkKLS0tIGVja1kxWGpnS2NuTnhobmMwazBl
d1V2K3NTMkVNSjlORkdqWnlucDVpcEEKpWV8NyV+CCuzNpEO+68fPQN7y6udc7VS
qw59UYYFlZSo6tV9U3okupDFoNQibMKYqo67yNOuhQNot/ka72PAjw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtL2tKRXdzZ3ExdFRSdDJi
TUMvOVNORzdkVkk5TW9ISkpkZy9nbC84M1VRCkJyMzV1bzBCbnBoT2dLQzJXcGJS
cVdHaElpd3A3ZnBNRDYrS1JKK3ZaaGcKLS0tIG9nWXRpTjNLc3hIYWovSHNDWGFX
K1pycWpFQ0t1ZDlJQnh1YVJ5WFVRNDgKy8P9W8EBGrsd36lcMpaAsAAp93RLnOHQ
BroVhhdcfxhS/9H9crSZAw6nSROLjySvgJc46jj255FwE2j0biLQCw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-13T18:56:54Z"
mac: ENC[AES256_GCM,data:feslQ6tRE3ngW9WBsdQGtVCBKw7TCPdrsfbjEkRCoEybgs6eyVh6c9tjq1JmocKQ7a5KHzIvr9dM2x4Kia/6hpocaztWVP3RO+Rw5CWqOmsl6WyWjzFFuktKU8vEqwOLIvgs4v6V+4fnhBUEHtLsSxbCCG9hbsibYguWiPnnFaE=,iv:JOvnroj06nBENOwhqdnF0AQ8qP4lxdhnx+QGg1Q0qNY=,tag:Pmj7zfwHUoOf9MUYp8RPyw==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1

View file

@ -0,0 +1,24 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/part-of: external-dns
images:
- name: external-dns
newName: registry.k8s.io/external-dns/external-dns
newTag: v0.14.0
resources:
- resources/rbac/service_account.yaml
- resources/rbac/cluster_role.yaml
- resources/rbac/cluster_role_binding.yaml
- resources/deployment.yaml
generators:
- ./secret-generator.yaml

View file

@ -0,0 +1,39 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: external-dns
spec:
strategy:
type: Recreate
selector:
matchLabels:
app: external-dns
template:
metadata:
labels:
app: external-dns
spec:
serviceAccountName: external-dns
containers:
- name: external-dns
image: external-dns
args:
- --source=ingress
- --domain-filter=icb4dc0.de
- --zone-id-filter=ee5cd581559fcf20384856ed5b1b2f0b
- --provider=cloudflare
- --cloudflare-dns-records-per-page=5000
- --exclude-target-net=172.23.2.0/24
env:
- name: CF_API_TOKEN
valueFrom:
secretKeyRef:
name: external-dns-secrets
key: CF_API_TOKEN
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 100m
memory: 128Mi

View file

@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-dns
rules:
- apiGroups: [""]
resources: ["services","endpoints","pods"]
verbs: ["get","watch","list"]
- apiGroups: ["extensions","networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get","watch","list"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["list", "watch"]

View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: external-dns-viewer
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-dns
subjects:
- kind: ServiceAccount
name: external-dns
namespace: default

View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-dns

View file

@ -0,0 +1,10 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: external-dns-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./config/external-dns-secrets.enc.yaml

View file

@ -6,6 +6,9 @@ service:
type: NodePort type: NodePort
nodePort: 32022 nodePort: 32022
strategy:
type: Recreate
ingress: ingress:
enabled: true enabled: true
annotations: annotations:
@ -14,11 +17,16 @@ ingress:
gethomepage.dev/group: Apps gethomepage.dev/group: Apps
gethomepage.dev/icon: forgejo.png gethomepage.dev/icon: forgejo.png
gethomepage.dev/name: Forgejo gethomepage.dev/name: Forgejo
cert-manager.io/cluster-issuer: letsencrypt-production
hosts: hosts:
- host: code.icb4dc0.de - host: code.icb4dc0.de
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
tls:
- hosts:
- code.icb4dc0.de
secretName: forgejo-ingress-tls
resources: resources:
limits: limits:

View file

@ -35,7 +35,7 @@ helmCharts:
repo: oci://codeberg.org/forgejo-contrib repo: oci://codeberg.org/forgejo-contrib
releaseName: forgejo releaseName: forgejo
namespace: forgejo namespace: forgejo
version: "1.1.1" version: "3.0.1"
valuesFile: config/values.forgejo.yaml valuesFile: config/values.forgejo.yaml
skipTests: true skipTests: true
apiVersions: apiVersions:

View file

@ -9,6 +9,7 @@ metadata:
gethomepage.dev/group: Apps gethomepage.dev/group: Apps
gethomepage.dev/icon: https://md.icb4dc0.de/icons/android-chrome-192x192.png gethomepage.dev/icon: https://md.icb4dc0.de/icons/android-chrome-192x192.png
gethomepage.dev/name: HedgeDoc gethomepage.dev/name: HedgeDoc
cert-manager.io/cluster-issuer: letsencrypt-production
spec: spec:
rules: rules:
- host: md.icb4dc0.de - host: md.icb4dc0.de
@ -21,3 +22,7 @@ spec:
name: hedgedoc name: hedgedoc
port: port:
number: 3000 number: 3000
tls:
- hosts:
- md.icb4dc0.de
secretName: hedgedoc-ingress-tls

View file

@ -6,10 +6,10 @@ namespace: homepage
images: images:
- name: homepage - name: homepage
newName: ghcr.io/gethomepage/homepage newName: ghcr.io/gethomepage/homepage
newTag: "v0.8.6" newTag: "v0.8.8"
- name: oauth2-proxy - name: oauth2-proxy
newName: quay.io/oauth2-proxy/oauth2-proxy newName: quay.io/oauth2-proxy/oauth2-proxy
newTag: v7.5.1 newTag: v7.6.0
labels: labels:
- includeSelectors: true - includeSelectors: true

View file

@ -11,6 +11,7 @@ metadata:
gethomepage.dev/group: Apps gethomepage.dev/group: Apps
gethomepage.dev/icon: homepage.png gethomepage.dev/icon: homepage.png
gethomepage.dev/name: Homepage gethomepage.dev/name: Homepage
cert-manager.io/cluster-issuer: letsencrypt-production
spec: spec:
rules: rules:
- host: "home.icb4dc0.de" - host: "home.icb4dc0.de"
@ -23,3 +24,7 @@ spec:
name: homepage name: homepage
port: port:
number: 3000 number: 3000
tls:
- hosts:
- "home.icb4dc0.de"
secretName: homepage-ingress-tls

View file

@ -9,6 +9,7 @@ metadata:
gethomepage.dev/group: Apps gethomepage.dev/group: Apps
gethomepage.dev/icon: linkwarden.png gethomepage.dev/icon: linkwarden.png
gethomepage.dev/name: Linkwarden gethomepage.dev/name: Linkwarden
cert-manager.io/cluster-issuer: letsencrypt-production
spec: spec:
rules: rules:
- host: links.icb4dc0.de - host: links.icb4dc0.de
@ -21,3 +22,7 @@ spec:
name: linkwarden name: linkwarden
port: port:
number: 3000 number: 3000
tls:
- hosts:
- links.icb4dc0.de
secretName: linkwarden-ingress-tls

View file

@ -9,6 +9,7 @@ metadata:
gethomepage.dev/group: Apps gethomepage.dev/group: Apps
gethomepage.dev/icon: nocodb.png gethomepage.dev/icon: nocodb.png
gethomepage.dev/name: NocoDB gethomepage.dev/name: NocoDB
cert-manager.io/cluster-issuer: letsencrypt-production
spec: spec:
rules: rules:
- host: noco.icb4dc0.de - host: noco.icb4dc0.de
@ -21,3 +22,7 @@ spec:
name: nocodb name: nocodb
port: port:
number: 8080 number: 8080
tls:
- hosts:
- noco.icb4dc0.de
secretName: nocodb-ingress-tls

View file

@ -5,7 +5,6 @@ metadata:
name: default-cluster name: default-cluster
namespace: postgres namespace: postgres
spec: spec:
image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.5-0
postgresVersion: 15 postgresVersion: 15
users: users:
- name: postgres - name: postgres
@ -68,15 +67,24 @@ spec:
backups: backups:
pgbackrest: pgbackrest:
image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-2 manual:
repoName: repo1
options:
- --type=full
configuration: configuration:
- secret: - secret:
name: pgo-s3-creds name: pgo-s3-creds
global: global:
repo1-retention-full: "14"
repo1-retention-full-type: time
repo1-retention-diff: "6"
repo1-path: /pgbackrest/default-cluster/repo1 repo1-path: /pgbackrest/default-cluster/repo1
repo1-s3-uri-style: path repo1-s3-uri-style: path
repos: repos:
- name: repo1 - name: repo1
schedules:
full: "0 1 * * 0"
differential: "0 1 * * 1-6"
s3: s3:
bucket: backup bucket: backup
endpoint: 2df513adaee2eeae12106af900bed297.r2.cloudflarestorage.com endpoint: 2df513adaee2eeae12106af900bed297.r2.cloudflarestorage.com

View file

@ -12,3 +12,4 @@ roleRef:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: pgo name: pgo
namespace: postgres-system

51
traefik/values.yaml Normal file
View file

@ -0,0 +1,51 @@
experimental:
kubernetesGateway:
enabled: true
global:
systemDefaultRegistry: ""
image:
repository: rancher/mirrored-library-traefik
tag: 2.10.5
metrics:
prometheus:
service:
enabled: true
serviceMonitor:
additionalLabels:
prometheus: default
interval: 30s
scrapeTimeout: 5s
podAnnotations:
prometheus.io/port: "8082"
prometheus.io/scrape: "true"
ports:
traefik:
expose: false
port: 9000
web:
forwardedHeaders:
insecure: true
websecure:
expose: true
priorityClassName: system-cluster-critical
providers:
kubernetesIngress:
publishedService:
enabled: true
allowExternalNameServices: true
kubernetesCRD:
enabled: true
allowExternalNameServices: true
service:
type: LoadBalancer
annotations:
load-balancer.hetzner.cloud/location: "hel1"
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists

View file

@ -12,7 +12,7 @@ labels:
images: images:
- name: vaultwarden - name: vaultwarden
newName: ghcr.io/dani-garcia/vaultwarden newName: ghcr.io/dani-garcia/vaultwarden
newTag: "1.30.1-alpine" newTag: "1.30.3-alpine"
resources: resources:
- "resources/namespace.yaml" - "resources/namespace.yaml"

View file

@ -9,6 +9,7 @@ metadata:
gethomepage.dev/group: Apps gethomepage.dev/group: Apps
gethomepage.dev/icon: vaultwarden.png gethomepage.dev/icon: vaultwarden.png
gethomepage.dev/name: Vaultwarden gethomepage.dev/name: Vaultwarden
cert-manager.io/cluster-issuer: letsencrypt-production
spec: spec:
rules: rules:
- host: pw.icb4dc0.de - host: pw.icb4dc0.de
@ -21,3 +22,7 @@ spec:
name: vaultwarden name: vaultwarden
port: port:
number: 8080 number: 8080
tls:
- hosts:
- pw.icb4dc0.de
secretName: vaultwarden-ingress-tls

View file

@ -9,6 +9,7 @@ metadata:
gethomepage.dev/group: Apps gethomepage.dev/group: Apps
gethomepage.dev/icon: vikunja.png gethomepage.dev/icon: vikunja.png
gethomepage.dev/name: Vikunja gethomepage.dev/name: Vikunja
cert-manager.io/cluster-issuer: letsencrypt-production
spec: spec:
rules: rules:
- host: todo.icb4dc0.de - host: todo.icb4dc0.de
@ -28,3 +29,7 @@ spec:
name: vikunja-api name: vikunja-api
port: port:
number: 3456 number: 3456
tls:
- hosts:
- todo.icb4dc0.de
secretName: vikunja-ingress-tls

View file

@ -9,6 +9,7 @@ metadata:
gethomepage.dev/group: Apps gethomepage.dev/group: Apps
gethomepage.dev/icon: zipline.png gethomepage.dev/icon: zipline.png
gethomepage.dev/name: Zipline gethomepage.dev/name: Zipline
cert-manager.io/cluster-issuer: letsencrypt-production
spec: spec:
rules: rules:
- host: share.icb4dc0.de - host: share.icb4dc0.de
@ -21,3 +22,7 @@ spec:
name: zipline name: zipline
port: port:
number: 3000 number: 3000
tls:
- hosts:
- share.icb4dc0.de
secretName: zipline-ingress-tls